The root cause seemingly is missing #include <include/version/pki-version.xml.i> in sagitta's xml-component-version.xml.in
Unlike rolling/circinus (which use a glob #include <include/version/*>), sagitta's file is an explicit include list. So pki@1 is never compiled into the component-version cache.
Sagitta config before migration:
configure
run generate pki ca install TEST-CA
# rsa / 2048 / accept subject defaults / days 1825 / passphrase: No
run generate pki certificate sign TEST-CA install test-leaf
# rsa / 2048 / SAN: No / type: client / passphrase: No
set pki certificate test-leaf revoke
commit
run generate pki crl TEST-CA install
commit
saveChecking migrations execution log after upgrade:
$ grep -i pki /opt/vyatta/etc/config/vyos-migrate.log /opt/vyatta/etc/config-migrate/migrate/rpki/0-to-1 /opt/vyatta/etc/config-migrate/migrate/rpki/1-to-2 # rpki only; no pki/0-to-1