I also note that the barbican-vault charm used the same token twice successfully:
2019-11-29 16:30:38 INFO juju-log secrets-storage:53: Retrieving secret-id from vault (http://10.5.100.15:8200)
2019-11-29 16:57:05 INFO juju-log secrets-storage:53: Retrieving secret-id from vault (http://10.5.100.15:8200)
So this shows that the leader will always present the current tokens but non-leader units can still have old values e.g. if i then ran refresh-secrets, vault/1 would present the new values and vault/2 would remain with the old. The solution in [1] currently proposes to clear the settings from a unit if leader-changed fires and the unit is non-leader and that is fine but will still mean eventual consistency which is a problem for charms that don't implement the use-once policy when there is a mix of old and new tokens.
I also note that the barbican-vault charm used the same token twice successfully:
2019-11-29 16:30:38 INFO juju-log secrets-storage:53: Retrieving secret-id from vault (http:// 10.5.100. 15:8200) 10.5.100. 15:8200)
2019-11-29 16:57:05 INFO juju-log secrets-storage:53: Retrieving secret-id from vault (http://
So this shows that the leader will always present the current tokens but non-leader units can still have old values e.g. if i then ran refresh-secrets, vault/1 would present the new values and vault/2 would remain with the old. The solution in [1] currently proposes to clear the settings from a unit if leader-changed fires and the unit is non-leader and that is fine but will still mean eventual consistency which is a problem for charms that don't implement the use-once policy when there is a mix of old and new tokens.
[1] https:/ /github. com/openstack- charmers/ charm-interface -vault- kv/pull/ 8