Upgrading the Kubernetes charms from 1.18 to 1.19 and the switch from basic auth to secrets does not properly update the credentials across Kubernetes workers.
Repro:
1) Deploy CK 1.18+ck1 with HA kubernetes-master
2) juju status kubernetes-master [1]
3) Check the kube-control relation data on all masters [2]
4) Shut down the kubernetes-master/leader
5) wait for a new leader to be elected
6) After things have had a chance to settle, power on the kubernetes-master that was shut down
7) deploy a new worker (don't know if this is required or not)
8) note that 2 kubernetes-masters now show the credentials [3]
9) juju upgrade-charm kubernetes-master --revision 891
let it settle
10) notice that only one of the masters got updated with the new credentials [4]
11) juju upgrade-charm kubernetes-worker --revision 704
and allow it to settle
12) login to a kubernetes-worker and look at /home/ubuntu/.kube/config and /root/cdk/kubeconfig
Experince here varies, but the credentials are not updated to the new tokens
[1] https://paste.ubuntu.com/p/NpsbWHG8Z2/
[2] https://paste.ubuntu.com/p/MZfFHf2WRS/
[3] https://paste.ubuntu.com/p/qfp99Ngrh8/
[4] https://paste.ubuntu.com/p/mrC7pBZbyS/
[5] https://paste.ubuntu.com/p/dh9gfDk49C/
This might be related to https:/ /bugs.launchpad .net/charm- kubernetes- master/ +bug/1839704 where in comment #7 it was said that this wasn't going to need to changes on the k8s-master side, where I do believe it should.
k8s-master should keep the data in the relation synced, clear the data from the non-leader units, or take advantage of "relation-set --app", although this last option would still require some safe fallback for older versions of juju.