Comment 11 for bug 1832883

Thanks. Right now it looks like easyrsa isn't sending the client cert and key to etcd like it's supposed to. This is done by easyrsa's publish_global_client_cert handler[1], which only ever runs once. That's a problem if the relation between etcd and easyrsa has ever been removed. Do you know if that's ever happened in this deployment?

I was able to reproduce the symptom by removing and re-adding the relation between easyrsa and etcd:

juju deploy charmed-kubernetes
# wait for deployment to settle
juju remove-relation easyrsa etcd
juju add-relation easyrsa etcd
juju add-unit etcd

After doing this, the new unit of etcd came up with "Missing relation to certificate authority." status and got stuck.

Here is a workaround:

juju run --unit easyrsa/0 -- charms.reactive clear_flag easyrsa.global-client-cert.created

This forces the easyrsa charm to publish the client cert again. Can you try that and see if it helps?

[1]: https://github.com/charmed-kubernetes/layer-easyrsa/blob/eb064667bc052a123a0e04b8d5545e87a0265ff8/reactive/easyrsa.py#L211