Update upgrade guide for app mode #728
| juju ssh --container traefik traefik-k8s/0 cat /opt/traefik/juju/<hostname>.crt | ||
| ``` | ||
|
|
||
| **2. Restore the private key on the leader unit.** |
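Review bot: the step heading says "on the leader unit", but the command just above it reads the certificate from `traefik-k8s/0`, which is the leader only by coincidence. Suggest telling the reader to identify the leader first (`juju status` marks it with a `*` in the Unit column) and to substitute that unit name wherever `traefik-k8s/0` appears in this guide.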
To be discussed if we turn this into an action.
| juju secrets --format json \ | ||
| | jq -r '.[] | select(.label | test("private-key"; "i")) | select(.owner | test("/")) | .id' \ | ||
| | xargs -I{} juju remove-secret {} | ||
| ``` |
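Review bot: the removal pipeline is not scoped to the traefik-k8s application: `select(.label | test("private-key"; "i")) | select(.owner | test("/"))` matches every unit-owned secret in the model whose label contains "private-key", so a model that also hosts other charms with similarly labelled secrets would lose those too. Suggest narrowing the owner filter to this application (for example `select(.owner | test("traefik-k8s/"))`) and documenting a dry run that stops before the `xargs` stage, so the operator can read the list of IDs before anything is deleted. It is also worth confirming that `juju secrets --format json` emits an array of objects with an `.id` field; if the output is keyed by secret ID instead, `.[] | ... | .id` yields `null` and `juju remove-secret` would be invoked without an argument.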
We will also see the CSRs in the unit databag, which must be cleaned up; we need to think about how to clean them.
Co-authored-by: Sébastien Georget <sebastien.georget@canonical.com>
erinecon left a comment
Thank you for adding more context and information about upgrading!
|
|
||
| Revision 308 officially switch the certificates management in Traefik from UNIT mode to APP mode. If your deployment was running any revision before 308, follow these steps. | ||
|
|
||
| #### Important: Preserving TLS certificates |
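Review bot: "Revision 308 officially switch" should read "switches". More substantively, the condition "any revision before 308" ties the procedure to one hard-coded number; if the revision that ships the change differs by base or architecture, readers on a different number will not know whether the section applies to them. Suggest stating the condition in terms of the observable state as well (a deployment that still holds unit-owned private-key secrets), with the revision number as a hint rather than the sole test.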
| #### Important: Preserving TLS certificates | |
| #### Preserve TLS certificates |
I'm not totally opposed to including Important: in the section header, but I do want to avoid using gerunds so that the header is more action-oriented.
If you think that we should include Important in the header, let's discuss more! I would love to understand why this section would benefit from including an Important flag.
| > Note: In some cases, a bug might occur during a node restart or a leader change that causes the leader unit to wipe out the certificates information in | ||
| `/opt/traefik/juju`, you can look at other units to see if they still contain the original certificate and private key. In an HA deployment, you can also get them by looking at the `peer` relation data. |
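Review bot: this note sends the reader to other units or to the `peer` relation data for a copy of the certificate and key, but gives no way to tell a correct copy from a stale one. Suggest adding a verification step: the candidate key must belong to the certificate, which can be checked by comparing `openssl x509 -in <hostname>.crt -noout -pubkey | sha256sum` with `openssl pkey -in <hostname>.key -pubout | sha256sum`; only a pair whose digests agree should be restored. If the peer relation data really does carry the private key in plain text, that is worth calling out as a location to migrate away from rather than one to rely on.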
How would they know which unit has the right private key? If they have 2 other units with different private keys, which one would they pick?
| ```bash | ||
| juju ssh --container traefik traefik-k8s/0 cat /opt/traefik/juju/<hostname>.key | ||
| juju ssh --container traefik traefik-k8s/0 cat /opt/traefik/juju/<hostname>.crt | ||
| ``` |
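Review bot: `cat`-ing `<hostname>.key` over `juju ssh` prints the private key into the operator's terminal, where it stays in scrollback and in any session recording, and the guide then expects the reader to copy it from there. Suggest fetching it into a file instead, for example `juju scp --container traefik traefik-k8s/<leader>:/opt/traefik/juju/<hostname>.key ./` followed by `chmod 600` on the local copy, and telling the reader to delete that copy once the secret has been restored.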
Instead of 0, I think we should specify the leader. The 0th unit might not be the right private key.
|
|
||
| #### Steps | ||
|
|
||
| After running `juju refresh traefik-k8s --revision 308` (or later), check whether stale unit-scoped secrets remain: |
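Review bot: `juju refresh traefik-k8s --revision 308` pins exactly revision 308, so the "(or later)" in the same sentence contradicts the command; either drop the parenthetical or show how a newer revision is selected. The sentence also promises a check for stale unit-scoped secrets, so the listing command that performs that check should appear immediately after it, before any removal step.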
swetha.swaminathan@canonical.com@zbook:~/Canonical/hrms-operator$(feat/frappe-hrms-charm)juju refresh traefik-k8s --revision 308
ERROR cannot upgrade from single base "ubuntu@20.04" charm to a charm supporting ["ubuntu@26.04"]. Use --force-series to override.
This fails, and Sunbeam is using amd64, so maybe we should lose the revision number.
Co-authored-by: Erin Conley <erin.conley@canonical.com>
| After deletion, trigger a reconciliation on the leader unit so the charm creates a new application-scoped secret: | ||
|
|
||
| ```bash | ||
| jhack fire traefik-k8s/leader config-changed |
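Review bot: `jhack fire` comes from jhack, a charm developer tool, and an operator of a production model will not necessarily have it installed or want to synthesise events against a live unit. The guide should offer a plain Juju path to the same reconciliation on the leader, and say what the reader should see afterwards (a new application-owned secret in `juju secrets`) so they can confirm the step worked without the tool.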
With my changes I expect the charm to go into ErrorState; if that's the case, they can just run `juju resolve` and a new private key and CSR will be created.
What this PR does
Add a revision-specific upgrade guide due to the certificate management change from UNIT mode to APP mode.
Checklist
- `docs/changelog.md` with user-relevant changes
- `docs/release-notes/artifacts` according to the contributing guidelines. If no change artifact is necessary, I tagged the PR with the label `no-release-note`.
- `terraform fmt` passes and `tflint` reports no errors
- `LIBAPI` and `LIBPATCH` values