Thanks. Right now it looks like easyrsa isn't sending the client cert and key to etcd like it's supposed to. This is done by easyrsa's publish_global_client_cert handler[1], which only ever runs once. That's a problem if the relation between etcd and easyrsa has ever been removed. Do you know if that's ever happened in this deployment?
I was able to reproduce the symptom by removing and re-adding the relation between easyrsa and etcd:
juju deploy charmed-kubernetes
# wait for deployment to settle
juju remove-relation easyrsa etcd
juju add-relation easyrsa etcd
juju add-unit etcd
After doing this, the new unit of etcd came up with "Missing relation to certificate authority." status and got stuck.
Here is a workaround:
juju run --unit easyrsa/0 -- charms.reactive clear_flag easyrsa.global-client-cert.created
This forces the easyrsa charm to publish the client cert again. Can you try that and see if it helps?
Thanks. Right now it looks like easyrsa isn't sending the client cert and key to etcd like it's supposed to. This is done by easyrsa's publish_ global_ client_ cert handler[1], which only ever runs once. That's a problem if the relation between etcd and easyrsa has ever been removed. Do you know if that's ever happened in this deployment?
I was able to reproduce the symptom by removing and re-adding the relation between easyrsa and etcd:
juju deploy charmed-kubernetes
# wait for deployment to settle
juju remove-relation easyrsa etcd
juju add-relation easyrsa etcd
juju add-unit etcd
After doing this, the new unit of etcd came up with "Missing relation to certificate authority." status and got stuck.
Here is a workaround:
juju run --unit easyrsa/0 -- charms.reactive clear_flag easyrsa. global- client- cert.created
This forces the easyrsa charm to publish the client cert again. Can you try that and see if it helps?
[1]: https:/ /github. com/charmed- kubernetes/ layer-easyrsa/ blob/eb064667bc 052a123a0e04b8d 5545e87a0265ff8 /reactive/ easyrsa. py#L211