Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

feat: expand the secret ID out to the full URI when only given the ID #1358

Merged
merged 8 commits into from
Sep 10, 2024

Conversation

tonyandrewmeyer
Copy link
Contributor

Adjust the rules for getting the 'canonical' form of the Secret URI:

  • If the passed ID starts with secret:, leave it as-is (unchanged)
  • Otherwise, if the model UUID is unknown, add the secret: prefix to end up with the form secret:id (unchanged)
  • Otherwise, change to the full secret://{model UUID}/{secret ID form (new)

Also adjust the code that calls the canonicalization [sic] method so that the model UUID is always available in regular ops use. If someone is creating SecretInfo objects themselves then a None value for the UUID is the default, for backwards compatibility (but a warning is issued in that case).

Fixes #1312.

Copy link
Collaborator

@benhoyt benhoyt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this. Do you envision this breaking anyone's tests? Hopefully not, but would be worth a super tox run.

Could we also run this on a real charm on Juju, for an end-to-end test?

self.id = Secret._canonicalize_id(id)
if model_uuid is None:
warnings.warn(
'`model_uuid` should always be provided when creating a '
Copy link
Collaborator

@benhoyt benhoyt Sep 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In what cases can this happen? Only if people manually create a SecretInfo object? (Which they shouldn't be doing.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In what cases can this happen? Only if people manually create a Secret object? (Which they shouldn't be doing.)

Manually create a SecretInfo, yes. And yes, I don't know why they would, although we don't tell them not to (as we do with Secret, for example). This is probably overly cautious - I can't find any charm doing this (Scenario does, but we can fix that in advance of a release), but seemed better than just having None work and then in some future version (3.0?) suddenly not work.

@tonyandrewmeyer
Copy link
Contributor Author

Do you envision this breaking anyone's tests?

Good question. I don't see it breaking anyone's charms, since it's already the case that the id might be in this format, and the Juju tools all accept this form, and I couldn't find anyone using id for e.g. constructing strings. However, tests might indeed be expecting specific strings.

Hopefully not, but would be worth a super tox run.

Good call: 112 charms' tests passed with main, 110 with this branch. One of the failures was charm-simple-streams, which is because my branch is a little behind main and so is missing the fix in 2.16.1 (I checked there was nothing else). The other is temporal-worker-k8s-operator:

FAILED tests/unit/test_charm.py::TestCharm::test_valid_environment_config - AssertionError: {'ser[55 chars]r', 'startup': 'enabled', 'override': 'replace[867 chars...

And this is a legitimate bug 😞. Harness isn't properly getting the secret because it can't handle the different types of URI like Juju can. I'll fix that and re-run.

Could we also run this on a real charm on Juju, for an end-to-end test?

Sorry, I always forget to mention I've done that. Juju 3.6b2, LXD (I don't think either of those should matter). With main:

unit-secret-full-id-1: 11:53:12 INFO unit.secret-full-id/1.juju-log id: secret:crf3hi1tvhl39c5lur5g, identifier crf3hi1tvhl39c5lur5g

With this branch:

unit-secret-full-id-1: 11:57:06 INFO unit.secret-full-id/1.juju-log id: secret://7e7c1d98-03ed-46de-804e-8275c52d5fe3/crf3hi1tvhl39c5lur5g, identifier crf3hi1tvhl39c5lur5g

@tonyandrewmeyer
Copy link
Contributor Author

And this is a legitimate bug 😞. Harness isn't properly getting the secret because it can't handle the different types of URI like Juju can. I'll fix that and re-run.

They pass now, so this doesn't break the unit tests of at least those 112 charms, which makes me fairly confident it won't break for anyone.

Copy link
Contributor

@dimaqq dimaqq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls remove coverage.xml from the PR

@tonyandrewmeyer
Copy link
Contributor Author

pls remove coverage.xml from the PR

Thanks! Guess which PR I worked on immediately prior to this 😆.

Copy link
Contributor

@dimaqq dimaqq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good, only small technical issues/notes.

test/test_testing.py Show resolved Hide resolved
test/test_testing.py Show resolved Hide resolved
@tonyandrewmeyer tonyandrewmeyer merged commit f43ac80 into canonical:main Sep 10, 2024
32 checks passed
@tonyandrewmeyer tonyandrewmeyer deleted the full-secret-id-1312 branch September 10, 2024 00:30
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Ensure Secret.id includes model UUID
3 participants