Comment 23 for bug 1940549

Alex Kavanagh (ajkavanagh) wrote :

From my comment in matrix: [1]

I helped write some of that code in the fix, but I admit that it is a little hard to follow.

When a charm is refreshed/upgraded to one that has this code, the first thing the leader does (during the upgrade/refresh hook) is populate the cert cache: [2]

This means that from then on, if a leadership election takes place, then the new leader will use the same cert cache. The cert cache is in leader settings and only the leader can set them.

So to answer your question: yes, it should work. Note, only the leader (at the time of upgrade) can populate the cache. It's possible that under some very rare failure mode a non-leader could be elected during a refresh, but I'm struggling to see if it would happen due to the way that the hooks are sequenced (i.e. leadership election ought to come after upgrade even if there is a unit failure during the refresh).

[1] https://matrix.to/#/!OqcMODbAeESdsqrXYq:ubuntu.com/$uoNhceqoOM9z_d_M2jdPbklTyyJAPtZmXGr5zyOgfk0?via=ubuntu.com&via=matrix.org&via=mx.aouss.it
[2] https://opendev.org/openstack/charm-vault/src/commit/56ca825332964a58961f6df3a1ca52df394f2d2c/src/reactive/vault_handlers.py#L1116