[DPE-8498] Remove secret's old revision

src/charm.py

@@ -65,6 +65,7 @@
     RelationDepartedEvent,
     SecretChangedEvent,
     SecretNotFoundError,
+    SecretRemoveEvent,
     Unit,
     UnknownStatus,
     WaitingStatus,
@@ -247,6 +248,7 @@ def __init__(self, *args):
         self.framework.observe(self.on.promote_to_primary_action, self._on_promote_to_primary)
         self.framework.observe(self.on.get_primary_action, self._on_get_primary)
         self.framework.observe(self.on.update_status, self._on_update_status)
+        self.framework.observe(self.on.secret_remove, self._on_secret_remove)
 
         self._certs_path = "/usr/local/share/ca-certificates"
         self._storage_path = str(self.meta.storages["data"].location)
@@ -1439,6 +1441,17 @@ def promote_primary_unit(self, event: ActionEvent) -> None:
             except SwitchoverFailedError:
                 event.fail("Switchover failed or timed out, check the logs for details")
 
+    def _on_secret_remove(self, event: SecretRemoveEvent) -> None:
+        # A secret removal (entire removal, not just a revision removal) causes
+        # https://github.com/juju/juju/issues/20794. This check is to avoid the
+        # errors that would happen if we tried to remove the revision in that case
+        # (in the revision removal, the label is present).
+        if event.secret.label is None:
+            logger.debug("Secret with no label cannot be removed")
+            return
+        logger.debug(f"Removing secret with label {event.secret.label} revision {event.revision}")
+        event.remove_revision()
+
     def _on_get_primary(self, event: ActionEvent) -> None:
         """Get primary instance."""
         try:

tests/unit/test_charm.py

@@ -1691,3 +1691,15 @@ def test_get_ldap_parameters(harness):
         harness.charm.get_ldap_parameters()
         _get_relation_data.assert_called_once()
         _get_relation_data.reset_mock()
+
+
+def test_on_secret_remove(harness):
+    event = Mock()
+    harness.charm._on_secret_remove(event)
+    event.remove_revision.assert_called_once_with()
+    event.reset_mock()
+
+    # No secret
+    event.secret.label = None
+    harness.charm._on_secret_remove(event)
+    assert not event.remove_revision.called