Comment 1 for bug 1935577

Frode Nordahl (fnordahl) wrote :

Triaging this as wishlist because it is a request for a new feature; that should not be used as a gauge for prioritization of how important that feature is.

The charm itself should not take on the responsibility of managing secrets or life cycle of the CA certificates.

What we would need to do to support this is to extend the Vault charm and its relations with support for issuing CA certificates with attributes and a chain of trust appropriate for the use case.

The upstream Octavia documentation [0] recommends using CAs from different chains of trust to avoid a situation where a compromised amphora could impersonate the controller. And this of course complicates the requirements for this feature.

0: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
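An added illustration of the separate-chains-of-trust point above, not code from the charm, Vault or Octavia: it builds throwaway CAs with `openssl` (assumed to be on PATH) and shows that an amphora certificate issued by a dedicated client CA does not validate against the CA that amphorae trust for the controller, whereas with a single shared CA it would.

```shell
#!/bin/sh
# Constructed demonstration: two separate CAs versus one shared CA.
# All keys and certificates are ephemeral and created in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_ca() {  # $1 = CA name; self-signed CA key + cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue() {   # $1 = issuing CA name, $2 = leaf name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.crt" 2>/dev/null
}

verifies() {  # $1 = CA name, $2 = leaf name; prints "ok" or "fail"
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Recommended layout: the controller's server cert and the amphora's
# client cert come from different CAs.
new_ca server_ca
new_ca client_ca
issue server_ca controller
issue client_ca amphora

# Weak layout: one CA issues both sides.
new_ca shared_ca
issue shared_ca shared_amphora

# A leaked amphora credential does not chain to the CA amphorae use to
# authenticate the controller, so it cannot be presented as the controller.
separate_chain_result() { verifies server_ca amphora; }        # fail
# With a shared CA the same credential is accepted by that trust anchor.
shared_chain_result()   { verifies shared_ca shared_amphora; }  # ok
```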