Questions from Americas community workshop on Secrets

Some questions on the new Secrets specification were raised during a recent Americas community workshop. The presentation was based off the JU040 spec.

  1. What is the use case for the --peek option for secret-get?
  2. What is the ACL for juju show-secret --reveal?
  3. Why not always return the latest secret with secret-get?
3 Likes

@wallyworld, perhaps you can respond to these?

1 Like

Great that you got this through! I couldn’t attend this time but I intend to be there next workshop!

When a secret is updated to have a new revision added, consumers of that secret are notified via a secret-changed hook, e.g. revision 3 gets added and a given charm may currently be using revision 2. Just because revision 3 gets added, it doesn't mean a particular consumer is ready to use it. secret-get returns a stable value, i.e. the last revision opted into by the caller. A charm may be ready to consume the latest revision, in which case secret-get --update is used to set the revision pointer for that charm to the current latest. Or the charm may be interested in preparing to use the new revision without committing to making it the default, so it calls secret-get --peek.

We don’t currently have user level ACLs specifically on secrets, so the show-secret --reveal option will currently require model admin on the model containing the entity to which the secret’s lifetime is scoped. It’s better to start restricted IMO and we can revisit later.

2 Likes
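To make the revision-pointer semantics from the reply above concrete, here is a small simulation added to this page. It is not Juju code and not the JU040 spec's implementation: a `SecretStore` holds numbered revisions of one secret, each consumer charm carries its own revision pointer, and `secret_get()` models the plain, `--peek` and `--update` forms of the hook tool as described in the reply. The class and method names, and the assumption that a consumer's first plain call opts into the current latest revision, are mine.

```python
"""Simulation of the secret-get revision semantics described in the reply above.

Added illustration, not Juju code. Assumptions (not from the page): the store
starts a secret at revision 1, and a consumer's first plain secret_get() opts
it into whatever revision is latest at that moment.
"""
from dataclasses import dataclass, field


@dataclass
class SecretStore:
    # revision number -> content of the secret at that revision
    revisions: dict = field(default_factory=dict)
    # consumer name -> revision that consumer has opted into (its "pointer")
    pointers: dict = field(default_factory=dict)
    # (consumer, new revision) pairs, standing in for secret-changed hooks
    notified: list = field(default_factory=list)

    def create(self, content: dict) -> int:
        """Owner creates the secret; revision 1 holds the initial content."""
        self.revisions[1] = dict(content)
        return 1

    def latest(self) -> int:
        return max(self.revisions)

    def add_revision(self, content: dict) -> int:
        """Owner adds a revision; every existing consumer is notified.

        Notification alone does not move anybody's pointer: a consumer keeps
        reading its old revision until it explicitly opts into the new one.
        """
        rev = self.latest() + 1
        self.revisions[rev] = dict(content)
        for consumer in self.pointers:
            self.notified.append((consumer, rev))
        return rev

    def secret_get(self, consumer: str, peek: bool = False,
                   update: bool = False) -> tuple:
        """Return (revision, content) for a consumer.

        plain:  stable value, i.e. the revision the consumer last opted into
        peek:   content of the latest revision, pointer left untouched
        update: pointer moved to the latest revision, then its content
        """
        if peek and update:
            raise ValueError("--peek and --update are mutually exclusive")
        if consumer not in self.pointers:
            # Assumption: first read opts into the current latest revision.
            self.pointers[consumer] = self.latest()
        if peek:
            rev = self.latest()
        elif update:
            rev = self.pointers[consumer] = self.latest()
        else:
            rev = self.pointers[consumer]
        return rev, dict(self.revisions[rev])


def demo() -> list:
    """Walk through the scenario in the reply: revision 3 added while a
    consumer is on revision 2. Returns a trace of (step, revision) pairs."""
    store = SecretStore()
    store.create({"password": "r1"})          # constructed sample content
    store.add_revision({"password": "r2"})
    store.secret_get("db-client")             # first read: opts into rev 2
    store.add_revision({"password": "r3"})    # db-client gets secret-changed
    trace = [
        ("stable", store.secret_get("db-client")[0]),
        ("peek", store.secret_get("db-client", peek=True)[0]),
        ("after-peek", store.pointers["db-client"]),
        ("update", store.secret_get("db-client", update=True)[0]),
        ("after-update", store.pointers["db-client"]),
    ]
    return trace


if __name__ == "__main__":
    for step, rev in demo():
        print(f"{step:13s} -> revision {rev}")
```

The trace shows the three behaviours side by side: the plain call keeps returning revision 2 after revision 3 exists, `peek` returns revision 3 but leaves the pointer at 2, and only `update` moves the pointer to 3. A charm that wants to stage a rotated credential (for example, pre-configure a second database login) before switching over would use the peek path and call update once the switch is safe.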

Thanks for the follow up.

It struck me that… I was thinking about the secrets feature completely wrong… since I have some secrets in the config… and was thinking this feature coming up was about encrypting the configs/inputs to my charms.

Thanks @hmlanigan for the ping and meetup

1 Like