Upgrade from 1.16 to 1.19¶

This guide covers the upgrade path from Vault charm 1.16 to 1.19. For general upgrade instructions, see the upgrade guide.

Pre-requisites¶

Vault 1.16 is deployed and in active/idle state.
In the case of upgrading vault-k8s, it is recommended to have at least 5 units deployed and active to ensure minimal to no downtime.
Access to S3 storage for creating a backup.

The charm base changes from ubuntu@22.04 to ubuntu@24.04. The juju refresh command must include the --base ubuntu@24.04 flag to allow the base change. Without it, Juju will reject the upgrade.
The common_name configuration option has been removed and replaced by pki_ca_common_name. If you are using the vault-pki relation, you must record the current value before upgrading and re-apply it after the upgrade using the new key. Failing to do so will cause the PKI secrets engine to enter a blocked state.

If you are using the vault-pki relation, save your current common_name value:

juju config vault common_name

Create a backup of your Vault data following this guide in case anything goes wrong during the upgrade.

Make sure to save your unseal key(s), as the upgrade operation will seal all units. You will need these keys to unseal Vault after the upgrade.

juju refresh vault --channel=1.19/stable --base ubuntu@24.04

If you were using the vault-pki relation, set the new configuration key with the value you saved in step 1:

juju config vault-k8s pki_ca_common_name=<your-common-name>

Unseal all Vault units using your saved unseal keys. See the unseal guide for detailed instructions.

Wait for all units to settle and verify the deployment is healthy:

juju status

All units should reach active/idle state.