Attempting to use secret.get_content(refresh=True) on a secret that has a label, results in the error below. (self.meta reference below is pointing to a Secret object that has a label stuck on it)
self._secret_content = self.meta.get_content(refresh=True)
File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 1298, in get_content
self._content = self._backend.secret_get(
File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 3302, in secret_get
result = self._run('secret-get', *args, return_output=True, use_json=True)
File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 2948, in _run
raise ModelError(e.stderr) from e
ops.model.ModelError: ERROR either URI or label should be used for getting an owned secret but not both
unit-kafka-0: 22:05:24 ERROR unit.kafka/0.juju-log kafka-client:1: Uncaught exception while in charm code:
Traceback (most recent call last):
File "/var/lib/juju/agents/unit-kafka-0/charm/venv/ops/model.py", line 2946, in _run
result = subprocess.run(args, **kwargs) # type: ignore
File "/usr/lib/python3.10/subprocess.py", line 526, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('/var/lib/juju/tools/unit-kafka-0/secret-get', 'secret://8957bebf-81c7-44d4-8241-e28353398a53/cl21q91lrvcs76kf7rag', '--label', 'kafka-client.1.tls.secret', '--refresh', '--format=json')' returned non-zero exit status 1.
This is because the secret-get command is being called with both the URI and label. Only one should be used. This I think is an ops bug rather than a juju bug - ops needs to correctly invoke secret-get.