-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot call Secret.set_info and Secret.set_content in the same hook #1288
Comments
This seems non-trivial to fix - ops would need to keep the data passed to both At minimum, we should document this restriction so that it's easier to figure out what's happening. |
Thanks for the report. It does seem odd to me that the second |
We discussed this in daily sync today, and decided this is probably is worth fixing. You'd be likely to call Our idea is to keep a cache on the backend (dict of secret id to something), and whenever set_info or set_content is called, it updates the info, merging info and content. But setting content a second time would replace. |
Interestingly, the tls-certificates-interface lib does have a It would be good if whoever works on this ticket takes a closer look at that, before and after the change. |
I looked into this, and it appears to be dead code that will no longer be executed due to some changes introduced to the library. I'll investigate this further to confirm. |
I came across this issue and I was about to open a bug, happy that you are aware if it. |
Thanks for letting us know - I'll see if we can get a fix in for the next release.
Unfortunately, I think the only workaround would be to call the hook tool yourself - basically, add a method to your charm that does what |
… hook (#1373) Each call to `secret-set` replaces the values in any previous `secret-set` call in the same hook. Since both `Secret.set_content` and `Secret.set_info` use `secret-set`, this means that doing both in the same hook would only retain the change from whichever was done last. This PR changes the model backend to cache the secret metadata (from `set_info`) and add it into any subsequent `secret-set` calls. Although the metadata is only available to the secret owner, it does not seem so private that it is unsafe to keep it in memory for the duration of the hook execution. There is an additional behaviour change here: previously calling `set_info` twice in the same hook would 'undo' setting metadata. For example: ```python secret.set_info(label="foo") secret.set_info(description="bar") # With main, the secret will end up with a description and no label # With the PR branch, the secret will end up with a description and a label ``` I believe this is a bug fix also, because it seems likely that a charmer would expect both values to be set with code such as the above, and the documentation states: > Once attributes are set, they cannot be unset. For the secret content, I believe we should not cache this in the charm process's memory, so this PR only sets a sentinel that the content has been set, and if there is a subsequent `set_info` call, the content is retrieved via a `secret-get` call (I believe this is from the in-memory cache in the unit agent, but, in any case, it's the un-committed value in an existing location, so does not increase the secret content exposure). There is an example charm in #1288 that can be used to verify the behaviour in a real Juju model. No updates to Harness because it already has the behaviour that we're changing to. Fixes #1288
If
Secret.set_info()
andSecret.set_content()
are both called in the same hook, then whichever is first is ignored.I expect that from a Juju point of view, this is because
secret_set
has been called twice and so it assumes that the later call replaces the earlier one, rather than trying to merge the two together. This is particularly unexpected behaviour in ops because we have two different methods exposing parts ofsecret_set
, so a charmer doesn't necessarily know that it's the same underlying Juju hook tool.This can be reproduced with this small charm:
If you call the action (
juju run unit-name/0 set one=two
) with the code like it is above, then the description will be set, but the content will not. If you swap the code so that theset_content
andset_info
calls are around the other way, then the action will set the content but not the description.The text was updated successfully, but these errors were encountered: