Improvement error messages on secret not granted for config option

[javierdelapuente]

Enhancement Proposal

Suggestion from @cbartz , a secret in a config option without granting the permission will put the charm in error state, with ops.model.ModelError: ERROR permission denied.

Improve the error log to avoid  the need of reading the stack trace , so there is a error log line indicating what the operator should do? "Not able to access the secret <secret-name>. Operator should run a grant command" 

[syncronize-issues-to-jira]

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/ISD-4476.

This message was autogenerated

[florentianayuwono]

Related to this issue as well for PR canonical/github-runner-operators#13

• when I set the secret to be empty string "", the workflow will pass the terraform test but timed out in deleting the application (https://github.com/canonical/github-runner-operators/actions/runs/18771653852/job/53557238734?pr=13) and this is because currently paas charm put the charm in error state for invalid secret config, instead of putting it in blocked state.

• when I don't set the secret at all, the workflow will pass everything (https://github.com/canonical/github-runner-operators/actions/runs/18772893915/job/53560846913?pr=13).

So paas charm should prevent putting charm in error state.

[javierdelapuente]

@florentianayuwono can you share a debug-log of the error? Thanks!

[florentianayuwono]

terraform test:

ubuntu@my-juju-vm:~/terraform-webhook/tests$ terraform test --verbose
main.tftest.hcl... in progress
  run "basic_deploy"... pass

# juju_application.rabbitmq:
resource "juju_application" "rabbitmq" {
    config      = {}
    constraints = ""
    id          = "stg-deploy-webhook-gateway:rabbitmq"
    machines    = []
    model       = "stg-deploy-webhook-gateway"
    model_type  = "caas"
    name        = "rabbitmq"
    placement   = ""
    storage     = [
        {
            count = 1
            label = "rabbitmq-data"
            pool  = "kubernetes"
            size  = "1G"
        },
    ]
    trust       = true
    units       = 1

    charm {
        base     = "ubuntu@24.04"
        channel  = "3.12/stable"
        name     = "rabbitmq-k8s"
        revision = 54
        series   = "noble"
    }
}

# juju_integration.webhook_rabbitmq:
resource "juju_integration" "webhook_rabbitmq" {
    id    = "stg-deploy-webhook-gateway:rabbitmq:amqp:github-runner-webhook-gateway:rabbitmq"
    model = "stg-deploy-webhook-gateway"

    application {
        endpoint = "amqp"
        name     = "rabbitmq"
    }
    application {
        endpoint = "rabbitmq"
        name     = "github-runner-webhook-gateway"
    }
}


# module.github_runner_webhook_gateway.juju_application.github_runner_webhook_gateway:
resource "juju_application" "github_runner_webhook_gateway" {
    config             = {
        "metrics-port"   = "9464"
        "webhook-secret" = ""
    }
    constraints        = ""
    id                 = "stg-deploy-webhook-gateway:github-runner-webhook-gateway"
    machines           = []
    model              = "stg-deploy-webhook-gateway"
    model_type         = "caas"
    name               = "github-runner-webhook-gateway"
    placement          = ""
    storage_directives = {}
    trust              = false
    units              = 1

    charm {
        base     = "ubuntu@24.04"
        channel  = "latest/edge"
        name     = "github-runner-webhook-gateway"
        revision = 1
        series   = "noble"
    }
}

Outputs:

app_name = "github-runner-webhook-gateway"
endpoints = {
    rabbitmq = "rabbitmq"
}

main.tftest.hcl... tearing down
Terraform encountered an error destroying resources created while executing
main.tftest.hcl/basic_deploy.
╷
│ Error: Client Error
│ 
│ Unable to complete application "github-runner-webhook-gateway" deletion: max duration
│ exceeded: retrying: no error returned
│ 
╵

Terraform left the following resources in state after executing
main.tftest.hcl/basic_deploy, and they need to be cleaned up manually:
  - module.github_runner_webhook_gateway.juju_application.github_runner_webhook_gateway
main.tftest.hcl... fail

Failure! 1 passed, 0 failed.

juju debug-log:

unit-github-runner-webhook-gateway-0: 19:21:27 INFO juju.worker.uniter awaiting error resolution for "install" hook
unit-github-runner-webhook-gateway-0: 19:21:27 INFO unit.github-runner-webhook-gateway/0.juju-log Running legacy hooks/install.
unit-github-runner-webhook-gateway-0: 19:21:27 ERROR unit.github-runner-webhook-gateway/0.juju-log Uncaught exception while in charm code:
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/./src/charm.py", line 29, in <module>
    ops.main(GithubRunnerWebhookGatewayCharm)
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/ops/__init__.py", line 356, in __call__
    return _main.main(charm_class=charm_class, use_juju_for_storage=use_juju_for_storage)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/ops/_main.py", line 500, in main
    manager = _Manager(charm_class, use_juju_for_storage=use_juju_for_storage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/ops/_main.py", line 313, in __init__
    self.charm = self._charm_class(self.framework)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/./src/charm.py", line 25, in __init__
    super().__init__(*args)
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/paas_charm/go/charm.py", line 52, in __init__
    super().__init__(framework=framework, framework_name="go")
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/paas_charm/charm.py", line 141, in __init__
    container=self.unit.get_container(self._workload_config.container_name),
                                      ^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/paas_charm/go/charm.py", line 59, in _workload_config
    framework_config = typing.cast(GoConfig, self.get_framework_config())
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/paas_charm/charm.py", line 398, in get_framework_config
    charm_config = {k: config_get_with_secret(self, k) for k in self.config.keys()}
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/paas_charm/utils.py", line 144, in config_get_with_secret
    return charm.model.get_secret(id=typing.cast(str, secret_id))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/juju/agents/unit-github-runner-webhook-gateway-0/charm/venv/ops/model.py", line 321, in get_secret
    raise TypeError('Must provide an id or label, or both')
TypeError: Must provide an id or label, or both
unit-github-runner-webhook-gateway-0: 19:21:27 ERROR juju.worker.uniter.operation hook "install" (via hook dispatching script: dispatch) failed: exit status 1
unit-github-runner-webhook-gateway-0: 19:21:27 INFO juju.worker.uniter awaiting error resolution for "install" hook

[javierdelapuente]

Thanks @florentianayuwono

That is really interesting, as in this case as you say we do not want to error, and instead just block the charm. So this situation is different from the previous one. I mean, in the previous one, if we grant the secret, and we do not go to error state, the charm will not handle it (no event for that).

[florentianayuwono]

Oh ok so it's better to open new issue?

[javierdelapuente]

No problem, I think they are close, so they can be tackled together.