I was playing with open-port on a K8s sidecar charm, and apparently K8s doesn't support the ICMP protocol (VM charms do). However, open-port didn't return a failure, and even later there was no visible sign that something was wrong, except in the controller logs:
$ juju debug-log -m controller
...
controller-0: 15:00:50 ERROR juju.worker.dependency "caas-firewaller-embedded" manifold worker returned unexpected error: cannot update service port for application "database": protocol "icmp" for service "icmp" not valid
...
So I think there are two things we could do here to improve this:
1) Have the open-port / close-port hook tools reject protocol "icmp" early if it's a K8s sidecar charm.
2) In general, have a way for Juju to report firewaller worker errors more visibly. For example, setting a short error message in application status?
As it was, it took me a while to figure out what was going on, because "kubectl get svc" didn't show any of the ports opened (because K8s rejected the ICMP port, it rejected all the ports I asked for, so no changes were made -- that's probably good though that it does it atomically).
Thanks for the report. I think it makes sense for the hook tool to error, as a means to create robust charms.
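One way the early rejection proposed in item 1 could look, as an added example that is not Juju's code and not from either poster. `PortRange`, `ValidateOpenPorts` and the per-substrate protocol sets are hypothetical names and assumptions; the whole batch is checked up front because, as the report notes, one rejected protocol blocks every requested port.

```go
package main

import (
	"fmt"
	"strings"
)

// PortRange is a hypothetical stand-in for one open-port request.
type PortRange struct {
	Protocol string
	From, To int
}

// Assumed protocol sets for illustration: the report states that VM charms
// accept icmp and that the K8s service update rejects it.
var supported = map[bool]map[string]bool{
	true:  {"tcp": true, "udp": true},               // K8s sidecar charm
	false: {"tcp": true, "udp": true, "icmp": true}, // VM charm
}

// ValidateOpenPorts checks the whole batch before anything is queued, so a
// bad entry fails the hook tool call instead of surfacing only in the
// controller log after the firewaller worker errors.
func ValidateOpenPorts(isK8s bool, reqs []PortRange) error {
	substrate := "VM"
	if isK8s {
		substrate = "Kubernetes"
	}
	var bad []string
	for _, r := range reqs {
		p := strings.ToLower(r.Protocol)
		if !supported[isK8s][p] {
			bad = append(bad, fmt.Sprintf("protocol %q not valid on %s", p, substrate))
			continue
		}
		// icmp carries no port numbers; everything else needs a sane range.
		if p != "icmp" && (r.From < 1 || r.To > 65535 || r.From > r.To) {
			bad = append(bad, fmt.Sprintf("invalid range %d-%d/%s", r.From, r.To, p))
		}
	}
	if len(bad) > 0 {
		return fmt.Errorf("open-port rejected: %s", strings.Join(bad, "; "))
	}
	return nil
}

func main() {
	// Constructed sample: the mix of ports that triggered the report.
	reqs := []PortRange{{"tcp", 5432, 5432}, {"icmp", 0, 0}}
	fmt.Println("k8s:", ValidateOpenPorts(true, reqs))
	fmt.Println("vm: ", ValidateOpenPorts(false, reqs))
}
```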