Ensure we clear the ca.ready flag when we generate a CA

Previously, configuring any kind of CA, and then generating a new
CA with CSR will cause the charm to have hook errors, as well
as an error in the action to generate a CSR as a result of
expecting a fully setup CA elsewhere in the charm. This change
adds removal of that ca.ready flag from the charm when a CSR
(and accompanying CA) are generated.

Change-Id: I802f31c853df4a69f6a4c1529e2acb1543e21831
Closes-Bug: #1866150

src/actions/actions.py

@@ -67,6 +67,12 @@ def get_intermediate_csrs(*args):
         province=action_config.get('province'),
         organization=action_config.get('organization'),
         organizational_unit=action_config.get('organizational-unit'))
+    # We have to clear both the reactive flag, as well as the leadership
+    # managed root-ca option, otherwise, we will end up with the flag being
+    # reset in the reactive handler after this is run.
+    clear_flag('charm.vault.ca.ready')
+    hookenv.leader_set(
+        {'root-ca': None})
     hookenv.action_set({'output': csrs})
 
 

src/tests/tests.yaml

@@ -31,6 +31,10 @@ target_deploy_status:
     workload-status-message: "Monitor bootstrapped but waiting for number of OSDs to reach expected-osd-count (3)"
 tests:
 - zaza.openstack.charm_tests.vault.tests.VaultTest
+# This second run of the tests is to ensure that Vault can handle updating the
+# root CA in Vault with a refreshed CSR and won't end up in a hook-error
+# state. (LP: #1866150).
+- zaza.openstack.charm_tests.vault.tests.VaultTest
 tests_options:
   force_deploy:
     - groovy-mysql8