There were changes in behavior with the 20.01 release.
As we can see in the config.yaml :
enforce-ssl:
type: boolean
default: False
enforce-ssl should default to "False" unless it is explicitely set to "True" in your deployment.
I never set it and it worked as expected with a Vault provided cert.
To be clear, I never set it and did the relation for certificates with Vault and I always had Horizon working in HTTPS with a Vault certificate.
Since 21.01, "enforce-ssl" seemsto default to "True" (I can see the "WARNING juju-log Enforce ssl redirect requested but ssl not configured - skipping redirect" message in the logs which clearly says this configuration is set while I don't have it in my yaml file) *BUT* HTTPS is not working anymore with my Vault certificate.
The workaround to restore SSL with Vault is to explicitely set "enforce-ssl: False" in the deployment configuration but in that case, HTTPS is working again but HTTP is working too, there is no forced redirect.
So please, make sure "enforce-ssl" default is consistent with config.yaml and make it work with Vault certificates.
There were changes in behavior with the 20.01 release.
As we can see in the config.yaml :
enforce-ssl:
type: boolean
default: False
enforce-ssl should default to "False" unless it is explicitely set to "True" in your deployment.
I never set it and it worked as expected with a Vault provided cert.
To be clear, I never set it and did the relation for certificates with Vault and I always had Horizon working in HTTPS with a Vault certificate.
Since 21.01, "enforce-ssl" seemsto default to "True" (I can see the "WARNING juju-log Enforce ssl redirect requested but ssl not configured - skipping redirect" message in the logs which clearly says this configuration is set while I don't have it in my yaml file) *BUT* HTTPS is not working anymore with my Vault certificate.
The workaround to restore SSL with Vault is to explicitely set "enforce-ssl: False" in the deployment configuration but in that case, HTTPS is working again but HTTP is working too, there is no forced redirect.
So please, make sure "enforce-ssl" default is consistent with config.yaml and make it work with Vault certificates.