-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DPE-2677] Avoid setting secret upon tls relation broken if using juju secrets #360
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #360 +/- ##
==========================================
+ Coverage 65.43% 65.90% +0.47%
==========================================
Files 17 17
Lines 3127 3121 -6
Branches 415 411 -4
==========================================
+ Hits 2046 2057 +11
+ Misses 950 936 -14
+ Partials 131 128 -3 ☔ View full report in Codecov by Sentry. |
wait what? is this intended behavior by juju? also, should we be cleaning up the secret on relation broken? |
it make sense to do so for relation secrets, could not find documentation for that. @tmihoc here's a shameless plug for you!
Do you see any reason to keep it? imo we should go fwd with the solution, and refactor if needed. |
Here's the documentation we have on secret events: https://juju.is/docs/sdk/secret-events . What do you think we should add to it to make it clearer for what you need here? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given the behavior, that's an appropriated solution
Hi @tmihoc , basically the secret availability under a relation departure. See convo |
I'm still quite confused—do we own this secret? if so, why are we losing access to it during relation broken? |
So, from the chat, since the charm owns the secret, it should not lose access? That does not seem to be what was observed |
yes, that's my understanding was the unit/app also dying? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@paulomach please merge to include the next stable. Tnx!
checking behavior with juju team here: https://chat.charmhub.io/charmhub/pl/8u7d138khpdypmbxfw4uetxjbo if the behavior is expected, I think this PR is probably a simpler workaround than checking if the unit is dying @paulomach will the changes in this PR be okay if the relation with tls is removed and re-added? (the secret won't be cleaned up) if so, PR lgtm |
for history, @taurus-forever tried removing the relation instead of removing the unit and this error did not occur—seems to indicate this error is from setting the secret while the unit is dying (relation breaking not relevant) |
It should, as the secret will always be overwritten (or written for 2.9) on relation re-added, with a new value. |
Issue
We do not have access to a juju secret upon relation-broken event. However, the tls relation code in MySQL is setting tls related secrets to None. This is necessary for secrets stored in the databag (as they are reset to None), but causes the trace in the Jira ticket as the secret is deleted from the secrets backend
Solution
Do not attempt to reset the tls secrets upon relation broken if using juju secrets