
fix(upgrades): grant k8s cluster trust before refreshing octavia-k8s#798

Merged
hemanthnakkina merged 1 commit into
canonical:mainfrom
hemanthnakkina:octavia-refresh
May 21, 2026

Conversation

@hemanthnakkina
Collaborator

On k8s models, juju refresh --trust does not create a ClusterRoleBinding. The octavia-k8s upgrade-charm hook calls _remove_legacy_containers() which needs GET/PATCH access on StatefulSets, resulting in HTTP 403 without the binding in place.

Fix this by:

  • Adding charm_trust() to JujuHelper that calls juju.trust(app, scope="cluster"), creating the ClusterRoleBinding
  • Updating charm_refresh() to call charm_trust() first when trust=True
  • Adding CHARMS_REQUIRING_TRUST = {"octavia-k8s"} in intra_channel.py so refresh_apps() passes trust=True for octavia during cluster refresh

Closes: https://bugs.launchpad.net/snap-openstack/+bug/2152670

Assisted-by: Claude:claude-4.6-sonnet
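The ordering the description lays out (grant cluster-scoped trust, then refresh, and only for charms in CHARMS_REQUIRING_TRUST) is easier to reason about with both the failing and the fixed path side by side. The following is an added example, not sunbeam, Juju or octavia-k8s code: it simulates a k8s (caas) model in which `trust(app, scope="cluster")` creates a ClusterRoleBinding while `refresh(app, trust=True)` does not, and an upgrade-charm hook that needs GET/PATCH on StatefulSets. FakeJuju, FakeK8s, the binding being keyed on the application name and the model name "openstack" are assumptions made for illustration.

```python
# Added example (not sunbeam or Juju code): simulation of the refresh-ordering
# bug and fix. FakeJuju/FakeK8s, the binding naming and the model name
# "openstack" are assumptions made for illustration only.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Mirrors the set the PR introduces in intra_channel.py.
CHARMS_REQUIRING_TRUST = {"octavia-k8s"}


class Forbidden(Exception):
    """Stand-in for the HTTP 403 the upgrade-charm hook gets without RBAC."""


@dataclass
class FakeK8s:
    """Records which applications hold a cluster-scoped ClusterRoleBinding."""
    cluster_role_bindings: Set[str] = field(default_factory=set)

    def authorize(self, app: str, verb: str, resource: str) -> None:
        # Cluster-scoped verbs are only granted through a ClusterRoleBinding.
        if app not in self.cluster_role_bindings:
            raise Forbidden(f"403: {app} may not {verb} {resource} (no ClusterRoleBinding)")


@dataclass
class FakeJuju:
    """Models the Juju behaviour the PR describes for k8s (caas) models."""
    k8s: FakeK8s
    calls: list = field(default_factory=list)

    def trust(self, app: str, scope: str) -> None:
        self.calls.append(("trust", app, scope))
        if scope == "cluster":  # `juju trust --scope=cluster` creates the binding
            self.k8s.cluster_role_bindings.add(app)

    def refresh(self, app: str, trust: bool) -> None:
        # `juju refresh --trust` does NOT create the binding on k8s models: the
        # flag is recorded but RBAC is unchanged (the bug the PR works around).
        self.calls.append(("refresh", app, trust))
        if app in CHARMS_REQUIRING_TRUST:
            # Simulated upgrade-charm hook: _remove_legacy_containers() needs
            # GET/PATCH on StatefulSets.
            self.k8s.authorize(app, "get", "statefulsets")
            self.k8s.authorize(app, "patch", "statefulsets")


class JujuHelper:
    """Minimal stand-in for sunbeam's JujuHelper showing the new ordering."""

    def __init__(self, juju: FakeJuju) -> None:
        self.juju = juju

    def charm_trust(self, application_name: str, model: str) -> None:
        # New in the PR: explicit cluster-scoped trust.
        self.juju.trust(application_name, scope="cluster")

    def charm_refresh(self, application_name: str, model: str, trust: bool = False) -> None:
        if trust:
            self.charm_trust(application_name, model)  # must precede the refresh
        self.juju.refresh(application_name, trust=trust)


def refresh_apps(helper: JujuHelper, apps: List[str], model: str) -> list:
    """Refresh each app, passing trust=True only for charms that need cluster RBAC."""
    for app in apps:
        helper.charm_refresh(app, model, trust=app in CHARMS_REQUIRING_TRUST)
    return helper.juju.calls


def refresh_before_fix(apps: List[str]) -> Optional[str]:
    """Old behaviour: rely on `juju refresh --trust` alone. Returns the 403 text or None."""
    juju = FakeJuju(FakeK8s())
    try:
        for app in apps:
            juju.refresh(app, trust=app in CHARMS_REQUIRING_TRUST)
    except Forbidden as exc:
        return str(exc)
    return None


def refresh_after_fix(apps: List[str]) -> list:
    """New behaviour: cluster trust is granted first, so the hook's GET/PATCH succeed."""
    return refresh_apps(JujuHelper(FakeJuju(FakeK8s())), apps, "openstack")


if __name__ == "__main__":
    apps = ["keystone-k8s", "octavia-k8s"]
    print(refresh_before_fix(apps))
    for call in refresh_after_fix(apps):
        print(call)
```

Two points a practitioner would take from this: on a real deployment the equivalent check is to confirm the binding exists (for example with `kubectl get clusterrolebindings`) after `juju trust --scope=cluster` and before the refresh, and because cluster-scoped trust widens an application's privileges beyond its namespace, CHARMS_REQUIRING_TRUST should stay limited to charms whose hooks actually need it, which is why other charms are refreshed with trust=False.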


Copilot AI left a comment


Pull request overview

This PR addresses k8s charm refresh failures where juju refresh --trust does not create the required Kubernetes ClusterRoleBinding, causing octavia-k8s upgrade hooks to hit RBAC 403s. It introduces an explicit juju trust --scope=cluster call before refresh for charms that require cluster-scoped RBAC.

Changes:

  • Added JujuHelper.charm_trust() (cluster-scoped) and updated charm_refresh() to call it first when trust=True.
  • Introduced CHARMS_REQUIRING_TRUST = {"octavia-k8s"} and ensured refresh_apps() passes trust=True for those charms.
  • Updated/expanded unit tests to validate trust propagation and ordering.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

  • sunbeam-python/sunbeam/core/juju.py: Adds charm_trust() and makes charm_refresh(trust=True) grant cluster trust before refreshing.
  • sunbeam-python/sunbeam/steps/upgrades/intra_channel.py: Passes trust=True during refresh for octavia-k8s (and trust=False for others).
  • sunbeam-python/tests/unit/sunbeam/core/test_juju.py: Adds coverage ensuring juju.trust(..., scope="cluster") is invoked before refresh when requested.
  • sunbeam-python/tests/unit/sunbeam/steps/upgrades/test_intra_channel.py: Updates assertions to include trust and adds cases for octavia trust behavior.


Comment thread sunbeam-python/sunbeam/core/juju.py Outdated
On k8s models, `juju refresh --trust` does not create a
ClusterRoleBinding. The octavia-k8s upgrade-charm hook calls
_remove_legacy_containers() which needs GET/PATCH access on
StatefulSets, resulting in HTTP 403 without the binding in place.

Fix this by:
- Adding charm_trust() to JujuHelper that calls
  juju.trust(app, scope="cluster"), creating the ClusterRoleBinding
  if the cloud is of type caas
- Updating charm_refresh() to call charm_trust() first when trust=True
- Adding CHARMS_REQUIRING_TRUST = {"octavia-k8s"} in intra_channel.py
  so refresh_apps() passes trust=True for octavia during cluster refresh

Closes: https://bugs.launchpad.net/snap-openstack/+bug/2152670

Assisted-by: Claude:claude-4.6-sonnet
Signed-off-by: Hemanth Nakkina <hemanth.nakkina@canonical.com>
def charm_trust(self, application_name: str, model: str) -> None:
"""Grant cluster-scoped trust to a k8s charm application.

On k8s models, ``juju refresh --trust`` does not create a
Collaborator

Is that expected? Should we raise a bug on Juju?

Collaborator Author

Checking with juju team

@hemanthnakkina hemanthnakkina merged commit 4be1832 into canonical:main May 21, 2026
6 checks passed
3 participants