Juju secret doesn't exist in cross-cloud relation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical Juju |
Fix Released
|
High
|
Ian Booth | ||
3.3 |
Fix Released
|
High
|
Ian Booth |
Bug Description
Hi Juju team!
When testing a cross-cloud relation between two charms, I receive an error telling me that the secret shared by one side doesn't exist for the other side to consume.
The following setup uses Istio to connect two K8S clusters (one in AKS and the other in GKE): https:/
Locally, with two K8S clusters spawned by Kind (Kubernetes in Docker), I could use a hacky workaround (create some roles and give access to the secret that was offloaded to a namespace in the consumer cluster with the same name as the namespace where the secret was created in the first cluster). However, in this case, even with a workaround I still get an error telling me that the secret doesn't exist.
I could test a cross-cloud relation for VM between controllers bootstrapped in EC2 and GCE. Secrets worked there.
Using the above document, you can bootstrap the environment and deploy the secrets demo charms from https:/
juju switch aks:dev1
juju deploy ./owner_
juju offer owner:secret_id secret-id
juju switch gke:dev
juju deploy ./holder_
juju consume aks:admin/
juju relate holder secret-id
Then you can see the following errors:
unit-holder-0: 16:24:39 INFO juju.worker.
unit-holder-0: 16:24:40 ERROR unit.holder/
Traceback (most recent call last):
File "/var/lib/
result = run(args, **kwargs)
File "/usr/lib/
raise CalledProcessEr
subprocess.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/lib/
content = self._backend.
File "/var/lib/
result = self._run(
File "/var/lib/
raise ModelError(
ops.model.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/lib/
result = run(args, **kwargs)
File "/usr/lib/
raise CalledProcessEr
subprocess.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/lib/
return self._run(*args, return_
File "/var/lib/
raise ModelError(
ops.model.
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "./src/charm.py", line 83, in <module>
main(
File "/var/lib/
_emit_
File "/var/lib/
event_
File "/var/lib/
framework.
File "/var/lib/
self.
File "/var/lib/
custom_
File "./src/charm.py", line 62, in _on_update_status
secret = self._obtain_
File "./src/charm.py", line 35, in _obtain_secret
return self.model.
File "/var/lib/
info = self._backend.
File "/var/lib/
result = self._run_
File "/var/lib/
raise SecretNotFoundE
ops.model.
unit-holder-0: 16:24:40 ERROR juju.worker.
unit-holder-0: 16:24:40 INFO juju.worker.uniter awaiting error resolution for "relation-changed" hook
Is something missing in the cross-cloud configuration to make secrets work?
description: | updated |
description: | updated |
description: | updated |
Changed in juju: | |
assignee: | nobody → Ian Booth (wallyworld) |
Changed in juju: | |
status: | In Progress → Fix Committed |
tags: | added: canonical-data-platform-eng |
Changed in juju: | |
status: | Fix Committed → Fix Released |
What version of juju are you using?
The root cause looks to be this error
ops.model. ModelError: ERROR getting cluster client: unable to determine legacy status for namespace "dev1": namespaces "dev1" is forbidden: User "system: serviceaccount: dev:holder" cannot get resource "namespaces" in API group "" in the namespace "dev1"
From memory, at one point there was a missing role binding that was needed but that should have been fixed.