ops secret.get_content(refresh=True) doesn't work if secret has a label

Bug #2042596 reported by Judit Novak
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Canonical Juju | Incomplete | Undecided | Unassigned | |

Bug Description

Attempting to use secret.get_content(refresh=True) on a secret that has a label results in the error below. (The self.meta reference below is pointing to a Secret object that has a label stuck on it.)

    self._secret_content = self.meta.get_content(refresh=True)
  File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 1298, in get_content
    self._content = self._backend.secret_get(
  File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 3302, in secret_get
    result = self._run('secret-get', *args, return_output=True, use_json=True)
  File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 2948, in _run
    raise ModelError(e.stderr) from e
ops.model.ModelError: ERROR either URI or label should be used for getting an owned secret but not both

unit-kafka-0: 22:05:24 ERROR unit.kafka/0.juju-log kafka-client:1: Uncaught exception while in charm code:
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 2946, in _run
    result = subprocess.run(args, **kwargs) # type: ignore
  File "/usr/lib/python3.10/subprocess.py", line 526, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('/var/lib/juju/tools/unit-kafka-0/secret-get', 'secret://8957bebf-81c7-44d4-8241-e28353398a53/cl21q91lrvcs76kf7rag', '--label', 'kafka-client.1.tls.secret', '--refresh', '--format=json')' returned non-zero exit status 1.

Ian Booth (wallyworld) wrote :

This is because the secret-get command is being called with both the URI and label. Only one should be used. This I think is an ops bug rather than a juju bug - ops needs to correctly invoke secret-get.

Ian Booth (wallyworld) wrote :

I think you need to raise a bug here https://github.com/canonical/operator/

Changed in juju:
status: New → Invalid
Ian Booth (wallyworld) wrote :

Note that we may revisit this when we look at solving this bug https://bugs.launchpad.net/juju/+bug/2037120

But the current expectation is that either URI or label is passed for owned secrets.

Judit Novak (juditnovak) wrote :

Huh, feels like the circle is closing :-)

We opened an `ops` bug for this, but that one got closed suggesting that the issue is to be resolved in Juju: https://github.com/canonical/operator/issues/1058

tags: added: canonical-data-platform-eng
Tony Meyer (tony-meyer) wrote :

@jameinel [said](https://github.com/canonical/operator/pull/1060#issuecomment-1810157027):

> I feel like Juju should only error if both label and id are supplied and they don't match the existing recorded information.
> You have to supply both the first time in order to establish a correspondence. eg, the first time you ask about a secret, if you want it to be labeled, you clearly must supply both the id and the label. Once you've established that relationship, it is probably incorrect to supply a different label and id pair (because then there is ambiguity in whether you want the content of the id, or the content of the label). But as long as they match, why would we error?

And that and other discussion in that PR led to the conclusion that this should change in Juju rather than in ops. Happy to sync on this in the fortnightly Juju cross-team if that would help?

summary: - ops secret.get_content(refresh=True) doesn't work if secret has a lable
+ ops secret.get_content(refresh=True) doesn't work if secret has a label
Changed in juju:
status: Invalid → New
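
The lookup rule proposed in the comment quoted above, modelled in memory as an added example (not code from Juju, ops or anyone in this thread). The class and method names and the `secret:constructed-*` URIs are assumptions made for illustration; the label is the one shown in the report.

```python
# Added illustration, not Juju or ops code; all class and method names are hypothetical.

class SecretLookupError(Exception):
    """Raised when a URI/label pair is unknown or ambiguous."""


class OwnedSecretIndex:
    def __init__(self):
        self._label_by_uri = {}  # uri -> label (None until one is attached)
        self._uri_by_label = {}  # label -> uri

    def register(self, uri):  # a secret exists but has no label yet
        self._label_by_uri.setdefault(uri, None)

    def resolve(self, uri=None, label=None):
        """Return the URI to read, erroring only when the pair is ambiguous."""
        if uri is None and label is None:
            raise SecretLookupError("either URI or label is required")
        if uri is None:
            if label not in self._uri_by_label:
                raise SecretLookupError(f"unknown label {label!r}")
            return self._uri_by_label[label]
        if uri not in self._label_by_uri:
            raise SecretLookupError(f"unknown secret {uri!r}")
        if label is None:
            return uri
        recorded_label = self._label_by_uri[uri]
        recorded_uri = self._uri_by_label.get(label)
        if recorded_label is None and recorded_uri is None:
            # First request carrying both: establish the correspondence.
            self._label_by_uri[uri] = label
            self._uri_by_label[label] = uri
            return uri
        if recorded_label == label and recorded_uri == uri:
            return uri  # matching pair: nothing ambiguous, so no error
        raise SecretLookupError("URI and label refer to different secrets")


if __name__ == "__main__":
    idx = OwnedSecretIndex()
    idx.register("secret:constructed-a")  # constructed sample URIs
    idx.register("secret:constructed-b")
    label = "kafka-client.1.tls.secret"  # label taken from the report
    print(idx.resolve(uri="secret:constructed-a", label=label))  # establishes pair
    print(idx.resolve(uri="secret:constructed-a", label=label))  # same pair again
    try:
        idx.resolve(uri="secret:constructed-b", label=label)  # mismatched pair
    except SecretLookupError as exc:
        print("rejected:", exc)
```

In this model a secret that already carries a label cannot be given a different one through `resolve`; that choice follows the quoted comment and is not a statement about how Juju handles relabelling.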
Joseph Phillips (manadart) wrote :

What version was this observed in? According to https://bugs.launchpad.net/juju/+bug/2042594, it appears to have been fixed.

Changed in juju:
status: New → Incomplete