juju debug-hooks on CAAS does not support for a shared controller by `juju register`

Bug #1903803 reported by Yang Kelvin Liu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Juju
Triaged
High
Unassigned

Bug Description

For a registered controller, juju debug-hook will fail for CAAS model.
Because the user doesn't have the permission to get the model credential to exec into the pod/container.

$ juju debug-hook --debug -m ckkf:fae8dc2b-c6f2-47ac-8890-b58d4de98a80 istio-ingressgateway/0 config-changed
15:24:41 INFO juju.cmd supercommand.go:56 running juju [2.9-rc3 0 3ddbc4de92c48453f5923013a836deef7edbd729 gc go1.14.11]
15:24:41 DEBUG juju.cmd supercommand.go:57 args: []string{"juju", "debug-hook", "--debug", "-m", "ckkf:fae8dc2b-c6f2-47ac-8890-b58d4de98a80", "istio-ingressgateway/0", "config-changed"}
15:24:41 INFO juju.juju api.go:76 connecting to API addresses: [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:42 DEBUG juju.api apiclient.go:1107 successfully dialed "wss://52.207.222.155:17070/model/fae8dc2b-c6f2-47ac-8890-b58d4de98a80/api"
15:24:42 INFO juju.api apiclient.go:639 connection established to "wss://52.207.222.155:17070/model/fae8dc2b-c6f2-47ac-8890-b58d4de98a80/api"
15:24:42 INFO juju.juju api.go:314 API endpoints changed from [52.207.222.155:17070 252.35.123.1:17070 172.31.35.123:17070] to [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:43 INFO juju.juju api.go:76 connecting to API addresses: [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:44 DEBUG juju.api apiclient.go:1107 successfully dialed "wss://52.207.222.155:17070/api"
15:24:44 INFO juju.api apiclient.go:639 connection established to "wss://52.207.222.155:17070/api"
15:24:44 INFO juju.juju api.go:314 API endpoints changed from [252.35.123.1:17070 52.207.222.155:17070 172.31.35.123:17070] to [52.207.222.155:17070 172.31.35.123:17070 252.35.123.1:17070]
15:24:45 DEBUG juju.api monitor.go:35 RPC connection died
ERROR getting credential: cloud credential "ckkf/kelvin/ckkf" not found
15:24:45 DEBUG cmd supercommand.go:537 error stack:
cloud credential "ckkf/kelvin/ckkf" not found
github.com/juju/juju/cmd/juju/commands/ssh_container.go:313: getting credential
github.com/juju/juju/cmd/juju/commands/ssh_container.go:121:
github.com/juju/juju/cmd/juju/commands/ssh.go:172:

Tags: k8s multiuser
Changed in juju:
importance: Undecided → High
status: New → Triaged
milestone: none → 2.9.1
Ian Booth (wallyworld)
Changed in juju:
milestone: 2.9.1 → 2.9.2
Changed in juju:
milestone: 2.9.2 → 2.9.3
Changed in juju:
milestone: 2.9.3 → 2.9.4
Changed in juju:
milestone: 2.9.4 → 2.9.5
Revision history for this message
John A Meinel (jameinel) wrote :

If you have 'write' permission on a model, we should be generating a credential for the user that includes Exec permissions.

tags: added: k8s multiuser
Changed in juju:
milestone: 2.9.5 → 2.9-next
Harry Pidcock (hpidcock)
Changed in juju:
milestone: 2.9-next → 3.1-beta1
Changed in juju:
milestone: 3.1-beta1 → 3.2-beta1
Changed in juju:
milestone: 3.2-beta1 → 3.2-rc1
Changed in juju:
milestone: 3.2-rc1 → 3.2.0
Changed in juju:
milestone: 3.2.0 → 3.2.1
Changed in juju:
milestone: 3.2.1 → 3.2.2
Changed in juju:
milestone: 3.2.2 → 3.2.3
Changed in juju:
milestone: 3.2.3 → 3.2.4
Changed in juju:
milestone: 3.2.4 → 3.2.5
Ian Booth (wallyworld)
Changed in juju:
milestone: 3.2.5 → none
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.