Update upgrade guide for app mode #728

Open
Thanhphan1147 wants to merge 19 commits into main from upgrade-docs-rev281-to-rev308
Thanhphan1147 commented Jul 3, 2026

Contributor

What this PR does

Add a revision-specific upgrade guide due to the certificate management change from UNIT mode to APP mode.

Checklist

  • I followed the contributing guide
  • I added or updated the documentation (if applicable)
  • I updated docs/changelog.md with user-relevant changes
  • I added a change artifact for user-relevant changes in docs/release-notes/artifacts according to the contributing guidelines. If no change artifact is necessary, I tagged the PR with the label no-release-note.
  • I used AI to assist with preparing this PR
  • I added or updated tests as needed (unit and integration)
  • If this PR involves a Grafana dashboard: I added a screenshot of the dashboard
  • If this PR involves Terraform: terraform fmt passes and tflint reports no errors
  • If this PR modifies charm libraries owned by this project: I incremented the LIBAPI and LIBPATCH values

Thanhphan1147 requested a review from a team as a code owner July 3, 2026 07:37
Comment thread docs/how-to/upgrade.md Outdated
juju ssh --container traefik traefik-k8s/0 cat /opt/traefik/juju/<hostname>.crt
```

**2. Restore the private key on the leader unit.**

Contributor

To be discussed if we turn this into an action.

Comment thread docs/how-to/upgrade.md
juju secrets --format json \
| jq -r '.[] | select(.label | test("private-key"; "i")) | select(.owner | test("/")) | .id' \
| xargs -I{} juju remove-secret {}
```
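
Review bot: the `select(.owner | test("/"))` filter in the jq stage matches a unit-owned secret of any application in the model, and the `private-key` label test is a case-insensitive substring match, so the `xargs -I{} juju remove-secret {}` stage can delete secrets that do not belong to traefik-k8s. Anchor the owner match to this application's units (for example `test("^traefik-k8s/")`, assuming the owner field holds the unit name as the existing `/` test implies), and have the guide print the matching IDs for review before piping them into `juju remove-secret`.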

Collaborator

We will also see the CSRs in the unit databag, which must be cleaned up; we need to think about how to clean them.

Co-authored-by: Sébastien Georget <sebastien.georget@canonical.com>
Thanhphan1147 added the documentation (Improvements or additions to documentation) and no-release-note (This PR does not require a change artifact) labels Jul 3, 2026

erinecon left a comment

Contributor

Thank you for adding more context and information about upgrading!

Comment thread docs/how-to/upgrade.md

Revision 308 officially switch the certificates management in Traefik from UNIT mode to APP mode. If your deployment was running any revision before 308, follow these steps.

#### Important: Preserving TLS certificates
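
Review bot: grammar in the first sentence of the paragraph above the heading: "officially switch the certificates management" should read "officially switches certificate management".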

Contributor

Suggested change
#### Important: Preserving TLS certificates
#### Preserve TLS certificates

I'm not totally opposed to including Important: in the section header, but I do want to avoid using gerunds so that the header is more action-oriented.

If you think that we should include Important in the header, let's discuss more! I would love to understand why this section would benefit from including an Important flag.

Comment thread docs/how-to/upgrade.md Outdated
Comment on lines +34 to +35
> Note: In some cases, a bug might occur during a node restart or a leader change that causes the leader unit to wipe out the certificates information in
`/opt/traefik/juju`, you can look at other units to see if they still contain the original certificate and private key. In an HA deployment, you can also get them by looking at the `peer` relation data.
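
Review bot: the note on lines +34 to +35 sends the reader to other units or to the `peer` relation data without giving a way to confirm that a recovered private key belongs to the certificate being preserved. Add a verification step before the restore, such as comparing the public key derived from the `<hostname>.key` file with the public key in the `<hostname>.crt` file, and say what to do when they do not match.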

Collaborator

How would they know which unit has the right private key? If they have 2 other units with different private keys, which one would they pick?

Comment thread docs/how-to/upgrade.md
Comment on lines +29 to +32
```bash
juju ssh --container traefik traefik-k8s/0 cat /opt/traefik/juju/<hostname>.key
juju ssh --container traefik traefik-k8s/0 cat /opt/traefik/juju/<hostname>.crt
```
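
Review bot: the first command in this block writes the private key to the terminal, where it remains in scrollback and in any session log. Have the guide redirect the output of `cat /opt/traefik/juju/<hostname>.key` into a file created with owner-only permissions (for example after `umask 077`), and tell the reader to delete that file once the key has been restored.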

Collaborator

Instead of 0, I think we should specify the leader. The 0th unit might not be the right private key.

Comment thread docs/how-to/upgrade.md

#### Steps

After running `juju refresh traefik-k8s --revision 308` (or later), check whether stale unit-scoped secrets remain:

Collaborator

```
swetha.swaminathan@canonical.com@zbook:~/Canonical/hrms-operator$(feat/frappe-hrms-charm)juju refresh traefik-k8s --revision 308
ERROR cannot upgrade from single base "ubuntu@20.04" charm to a charm supporting ["ubuntu@26.04"]. Use --force-series to override.
```

This fails, and sunbeam is using amd64, so maybe we should lose the revision number.

Thanhphan1147 and others added 3 commits July 3, 2026 17:35
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Thanhphan1147 and others added 8 commits July 3, 2026 17:36
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Co-authored-by: Erin Conley <erin.conley@canonical.com>
Comment thread docs/how-to/upgrade.md
After deletion, trigger a reconciliation on the leader unit so the charm creates a new application-scoped secret:

```bash
jhack fire traefik-k8s/leader config-changed
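
Review bot: `jhack fire` on the last line depends on jhack, a separate tool from the juju CLI used in the other steps, and the visible part of the guide does not mention it as a prerequisite. Either add an install note before this step or offer a juju-only way to trigger the reconciliation. Also confirm that `traefik-k8s/leader` is accepted as a unit name by this command, since the other examples in the guide use an explicit unit number.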

Collaborator

With my changes I expect the charm to go into ErrorState; if that's the case, they can just run juju resolve and a new private key and CSR will be created.
