On a deployment using vault, every time refresh-secrets is issued, the tokens are refreshed and the leader sends the new tokens through relation-data.
If the vault is deployed in HA, upon switching vault leaders (let's say new leader is vault/2 and old leader is vault/0), the old token will remain in the relation data between the units that require secrets-storage (barbican-vault, ceph-osd, ...) and the old leader (vault/0). The new leader (vault/2) will issue new tokens on refresh-secrets action and provide them through relation (vault/2 <=> barbican-vault, ceph-osd), but the requiring units will read the old tokens from the relation-data of the old leader (vault/0 <=> barbican-vault, ceph-osd). Then, it causes the exception below.
The tokens should be read from the new leader (vault/2) instead. The code sections that are suspected to cause the problem are:
barbican-vault: https://github.com/juju-solutions/charms.reactive/blob/1ff9c476693d834bc0fcc284ff1a89302d084c91/charms/reactive/endpoints.py#L748
ceph-osd and other classic charms: https://github.com/openstack/charm-ceph-osd/blob/ec8bcd5f9de981f9bf262c08ffd4a5dd440a8e12/hooks/charmhelpers/contrib/openstack/vaultlocker.py#L44
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined lib/charm/vault_utils.py:22: DeprecationWarning: Call to deprecated function '_post'. This method will be removed in version '0.8.0' Please use the 'post' method on the 'hvac.adapters' class moving forward.
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   response = client._post('/v1/sys/wrapping/unwrap')
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined Traceback (most recent call last):
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/charm/hooks/secrets-storage-relation-joined", line 22, in <module>
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     main()
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/charms/reactive/__init__.py", line 73, in main
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     bus.dispatch(restricted=restricted_mode)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 390, in dispatch
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     _invoke(other_handlers)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 359, in _invoke
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     handler.invoke()
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 181, in invoke
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     self._action(*args)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/charm/reactive/barbican_vault_handlers.py", line 63, in plugin_info_barbican_publish
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     secrets_storage.unit_token)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "lib/charm/vault_utils.py", line 22, in retrieve_secret_id
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     response = client._post('/v1/sys/wrapping/unwrap')
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/hvac/utils.py", line 170, in new_func
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     return method(*args, **kwargs)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/hvac/v1/__init__.py", line 2577, in _post
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     return self._adapter.post(*args, **kwargs)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/hvac/adapters.py", line 103, in post
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     return self.request('post', url, **kwargs)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/hvac/adapters.py", line 272, in request
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     utils.raise_for_error(response.status_code, text, errors=errors)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined   File "/var/lib/juju/agents/unit-barbican-vault-8/.venv/lib/python3.6/site-packages/hvac/utils.py", line 30, in raise_for_error
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined     raise exceptions.InvalidRequest(message, errors=errors)
2019-10-10 14:10:34 DEBUG secrets-storage-relation-joined hvac.exceptions.InvalidRequest: wrapping token is not valid or does not exist
2019-10-10 14:10:35 ERROR juju.worker.uniter.operation runhook.go:132 hook "secrets-storage-relation-joined" failed: exit status 1
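The stale read described in this report can be reproduced with a small model. This is an added example, not code from the bug report or from either charm. FakeVault, the "<unit>_token" key name, the sorted-unit read order and the assumption that refresh-secrets invalidates the earlier token are all constructed for illustration; unwrap_any is one possible consumer-side approach, not the project's fix.

```python
import itertools


class FakeVault:
    """Constructed stand-in for Vault's response-wrapping token store."""
    def __init__(self):
        self._live, self._seq = {}, itertools.count(1)

    def refresh(self, consumer):
        # Assumption: refresh-secrets invalidates the consumer's earlier token.
        self._live = {t: c for t, c in self._live.items() if c != consumer}
        token = "wrap-%d" % next(self._seq)
        self._live[token] = consumer
        return token

    def unwrap(self, token):
        if token not in self._live:
            raise ValueError("wrapping token is not valid or does not exist")
        return "secret-id:" + self._live.pop(token)  # wrapping tokens are single-use


def first_published_token(relation, consumer):
    """Stale-read pattern from the report: first remote unit with a token wins."""
    key = consumer + "_token"  # key name is an assumption
    for unit in sorted(relation):
        if relation[unit].get(key):
            return relation[unit][key]
    return None


def unwrap_any(vault, relation, consumer):
    """Try each distinct token on the relation; keep the first that unwraps."""
    key, seen = consumer + "_token", []
    for unit in sorted(relation):
        token = relation[unit].get(key)
        if token and token not in seen:
            seen.append(token)
            try:
                return unit, vault.unwrap(token)
            except ValueError:
                continue  # stale token left behind by a former leader
    raise ValueError("no valid wrapping token in relation data")


def simulate():
    vault, consumer = FakeVault(), "barbican-vault/8"
    relation = {"vault/0": {}, "vault/1": {}, "vault/2": {}}
    relation["vault/0"][consumer + "_token"] = vault.refresh(consumer)  # vault/0 leads
    relation["vault/2"][consumer + "_token"] = vault.refresh(consumer)  # vault/2 leads now
    stale = first_published_token(relation, consumer)
    unit, secret = unwrap_any(vault, relation, consumer)
    return stale, unit, secret
```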