Regular expression error when adding a secret
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical Juju | Fix Committed | High | Ian Booth | |
3.4 | Fix Released | High | Ian Booth | |
3.5 | Fix Released | High | Ian Booth | |
Bug Description
Hi team,
juju: 3.4.0
Microk8s: v1.27.11
ubuntu: 23.04
In rare cases when adding a secret in a charm, for example using the following code:
```
secret = self.charm.
{"certificate": certificate.
label=
expire=
)
```
We get the following error: `ERROR juju.worker.
I have seen this error 3 times so far; in two cases it has been followed by another error message:
`ERROR juju.worker.
I am unable to reproduce the bug; I have been trying to do so by running the following command with different inputs in a loop:
`juju exec --unit tls-certificate
I'm not sure where the regex error is coming from or if it can be caused by the content of the secret itself, so here is an example secret if creation was successful:
```
juju show-secret cnpbnjvmp25c77k
cnpbnjvmp25c77k
revision: 1
owner: tls-certificate
label: |-
afd8c2bccf8
MIICbjCCAVY
LTAuYnVnMII
OWA1xBEmwHw
R5gqD0skc4h
bKvFi4C/
AMf82IxpHlg
PD/
0oe9oLKufQI
TDE84y9evfn
yoWxTdZthiM
8rH3LpoNBdq
HM6vLPKl21p
sDOKn49LKbQ
88E=
-----END CERTIFICATE REQUEST-----
created: 2024-03-
updated: 2024-03-
content:
certificate: |-
-----BEGIN CERTIFICATE-----
MIIC0TCCA
CzAJBgNVB
WhcNMjUwM
dWlyZXItM
ebQ9Jno5Y
Uqw/
J+
Mue1OHUAx
PfU4axU8P
SekzNX3Sh
UJcad5vnB
ccnFv2uOe
q5R3i9XAk
P60UyUzvs
jQ3G/
ro/qiR8=
-----END CERTIFICATE-----
```
tags: added: intermittent-failure secrets
Changed in juju:
importance: Undecided → Medium
status: New → Triaged
tags: added: canonical-data-platform-eng
tags: added: cdo-qa
Changed in juju:
assignee: nobody → Ian Booth (wallyworld)
importance: Medium → High
milestone: none → 3.4.4
Changed in juju:
status: In Progress → Fix Committed
milestone: 3.4.4 → 3.4.3
Changed in juju:
milestone: 3.6-beta1 → 3.6-beta2
Changed in juju:
status: In Progress → Fix Committed
The label is using the certificate.csr itself in its composition. Now, x509 may have chars that can be considered special (\n, /, +, etc). I guess you fail whenever the CSR contains a char that the label itself cannot have.
Now, I cannot find where the label is passed through a regex. I see two regexes across the `secret-add` path:
1. https://github.com/juju/juju/blob/3.6/core/secrets/createsecret.go#L19
2. Within the agent's uniter, for the URI: https://github.com/juju/juju/blob/3.6/core/secrets/secret.go#L47-L53
Still, I cannot find where the label is checked against a regex. So, this is just a hypothesis rn.
@yazansalti can you point us to the charm that is using the CSR as a label?
In any case, would be easier to hash the CSR and use the hash as a label instead.
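The closing suggestion in the comment above, hashing the CSR and using the hash as the label, sketched in Python as an added example (not part of the comment, the charm, or Juju). The `SAFE_LABEL` alphabet, the function names, the `hypothetical` prefix and the sample CSR are assumptions made for the illustration; the hash is taken over the decoded DER bytes so that line endings in the PEM do not change the label.

```python
import base64
import hashlib
import re

# Assumption: a deliberately conservative label alphabet chosen for this
# example; it is not taken from Juju's source.
SAFE_LABEL = re.compile(r"[a-z0-9-]+")
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<kind>[A-Z ]+)-----(?P<body>.*?)-----END (?P=kind)-----",
    re.DOTALL,
)


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM block, ignoring line endings and other whitespace."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    body = "".join(match.group("body").split())
    return base64.b64decode(body, validate=True)


def csr_label(prefix: str, csr_pem: str) -> str:
    """Build a label from the SHA-256 of the DER bytes rather than the PEM text."""
    digest = hashlib.sha256(pem_to_der(csr_pem)).hexdigest()
    label = f"{prefix}-{digest}"
    if SAFE_LABEL.fullmatch(label) is None:
        raise ValueError(f"prefix {prefix!r} puts the label outside the safe alphabet")
    return label


def unsafe_chars(label: str) -> set:
    """Characters of a label that fall outside the conservative alphabet."""
    return {ch for ch in label if SAFE_LABEL.fullmatch(ch) is None}


# Constructed stand-in for a CSR: arbitrary bytes in a PEM envelope, not a real request.
_body = base64.encodebytes(bytes(range(256))).decode()
SAMPLE_CSR = f"-----BEGIN CERTIFICATE REQUEST-----\n{_body}-----END CERTIFICATE REQUEST-----"

if __name__ == "__main__":
    # What a label built from the raw PEM text carries, next to the hashed form.
    print(sorted(unsafe_chars(f"hypothetical-{SAMPLE_CSR}")))
    print(csr_label("hypothetical", SAMPLE_CSR))
```

Because the label is deterministic for a given CSR, the same function can be used later to look the secret up again by label.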