Merge branch 'upstream/3.4' into 3.4-into-3.5

.github/workflows/cla.yml

@@ -11,6 +11,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check if CLA signed
-        uses: canonical/has-signed-canonical-cla@1.2.0
+        uses: canonical/has-signed-canonical-cla@v1
         with:
           accept-existing-contributors: true

.github/workflows/client-tests.yml

@@ -42,12 +42,21 @@ jobs:
       run: |
         make install-mongo-dependencies
 
-    - name: "Install musl & dqlite  (Ubuntu)"
+    - name: "Install musl & dqlite (Ubuntu)"
       if: (matrix.os == 'ubuntu-latest')
       shell: bash
       run: |
         sudo make MUSL_CROSS_COMPILE=0 musl-install dqlite-install
 
+    - name: "Install Mongo Dependencies (macOS)"
+      if: (matrix.os == 'macOS-latest')
+      run: |
+        brew tap mongodb/brew
+        brew update
+        brew install [email protected]
+        brew link [email protected]
+        brew services start mongodb/brew/[email protected]
+
     - name: "Test client (Ubuntu)"
       if: (matrix.os == 'ubuntu-latest')
       shell: bash

.github/workflows/terraform-smoke.yml

@@ -75,6 +75,7 @@ jobs:
     - name: Set environment to configure provider for test
       run: |
         CONTROLLER=$(juju whoami --format yaml | yq .controller)
+        echo "JUJU_AGENT_VERSION=$(juju show-controller | yq -r .$CONTROLLER.details.agent-version)" >> $GITHUB_ENV
         echo "JUJU_CONTROLLER_ADDRESSES=$(juju show-controller | yq .$CONTROLLER.details.api-endpoints | yq -r '. | join(",")')" >> $GITHUB_ENV
         echo "JUJU_USERNAME=$(juju show-controller | yq .$CONTROLLER.account.user)"  >> $GITHUB_ENV
         echo "JUJU_PASSWORD=$(cat ~/.local/share/juju/accounts.yaml | yq .controllers.$CONTROLLER.password)"  >> $GITHUB_ENV

allowed_signers

@@ -2,7 +2,8 @@ [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5A
 [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKjQDDaO24INaGFnUdVebD1wYcDXmm/cLKH+27S2SnC wallyworld-git-signing-key
 [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP0LQkkiiHuMdVz4aF7ypsxNLQscgGd1UrmHrjyEd9F jack-w-shaw-git-signing-key
 [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdk2GDbpmHUP/FQVunGu6Bl9TD1Hh5Z8oYAD17CzPP6 joe-signing-key
-[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk9Tf6k0uZaUEYpeY49rJQvwxCTf05EyCuaf63pTGfB joe-signing-key-notebook
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFk9Tf6k0uZaUEYpeY49rJQvwxCTf05EyCuaf63pTGfB joe-signing-key-t440p
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICzxkC8I7x1mNrTuuuMlezc8a+xTi84ScECdqAhisvp joe-signing-key-s76
 [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHu5ROyG1P7OQnNE5uNw0JVjKzZdbqGg3cHqywTt/Ynb jameinel-git-signing-key
 [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHu5ROyG1P7OQnNE5uNw0JVjKzZdbqGg3cHqywTt/Ynb jameinel-git-signing-key
 [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqO5HpXaSh6MJ9FVt8nyoxhWN+AqlFxIXE68JGrRysb [email protected]

api/controller/caasunitprovisioner/client.go

@@ -96,7 +96,10 @@ func (c *Client) ApplicationConfig(applicationName string) (config.ConfigAttribu
 	if len(results.Results) != len(args.Entities) {
 		return nil, errors.Errorf("expected %d result(s), got %d", len(args.Entities), len(results.Results))
 	}
-	return config.ConfigAttributes(results.Results[0].Config), nil
+	if err := results.Results[0].Error; err != nil {
+		return nil, params.TranslateWellKnownError(err)
+	}
+	return results.Results[0].Config, nil
 }
 
 // WatchApplicationScale returns a NotifyWatcher that notifies of

api/controller/crossmodelrelations/crossmodelrelations.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/juju/juju/api/base"
 	apiwatcher "github.com/juju/juju/api/watcher"
-	apiservererrors "github.com/juju/juju/apiserver/errors"
 	"github.com/juju/juju/core/watcher"
 	"github.com/juju/juju/rpc/params"
 )
@@ -466,6 +465,10 @@ func (c *Client) WatchOfferStatus(arg params.OfferArg) (watcher.OfferStatusWatch
 // WatchConsumedSecretsChanges returns a watcher which notifies of new secret revisions consumed by the
 // app with the specified token.
 func (c *Client) WatchConsumedSecretsChanges(applicationToken, relationToken string, mac *macaroon.Macaroon) (watcher.SecretsRevisionWatcher, error) {
+	// TODO(wallyworld) - when juju 3.4 is no longer supported, we can change this to < 3.
+	if c.BestAPIVersion() < 2 {
+		return nil, errors.NotImplemented
+	}
 	var macs macaroon.Slice
 	if mac != nil {
 		macs = macaroon.Slice{mac}
@@ -489,7 +492,7 @@ func (c *Client) WatchConsumedSecretsChanges(applicationToken, relationToken str
 		// Reset the results struct before each api call.
 		results = params.SecretRevisionWatchResults{}
 		if err := c.facade.FacadeCall("WatchConsumedSecretsChanges", args, &results); err != nil {
-			return errors.Trace(err)
+			return params.TranslateWellKnownError(err)
 		}
 		if len(results.Results) != 1 {
 			return errors.Errorf("expected 1 result, got %d", len(results.Results))
@@ -519,7 +522,7 @@ func (c *Client) WatchConsumedSecretsChanges(applicationToken, relationToken str
 		result = results.Results[0]
 	}
 	if result.Error != nil {
-		return nil, apiservererrors.RestoreError(result.Error)
+		return nil, params.TranslateWellKnownError(result.Error)
 	}
 
 	w := apiwatcher.NewSecretsRevisionWatcher(c.facade.RawAPICaller(), result)

api/controller/crossmodelrelations/crossmodelrelations_test.go

@@ -720,9 +720,9 @@ func (s *CrossModelRelationsSuite) TestWatchConsumedSecretsChanges(c *gc.C) {
 	mac, err := apitesting.NewMacaroon("id")
 	c.Assert(err, jc.ErrorIsNil)
 	var callCount int
-	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+	apiCaller := testing.BestVersionCaller{APICallerFunc: testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
 		c.Check(objType, gc.Equals, "CrossModelRelations")
-		c.Check(version, gc.Equals, 0)
+		c.Check(version, gc.Equals, 3)
 		c.Check(id, gc.Equals, "")
 		c.Check(arg, jc.DeepEquals, params.WatchRemoteSecretChangesArgs{Args: []params.WatchRemoteSecretChangesArg{{
 			ApplicationToken: appToken, RelationToken: relToken, Macaroons: macaroon.Slice{mac},
@@ -737,7 +737,7 @@ func (s *CrossModelRelationsSuite) TestWatchConsumedSecretsChanges(c *gc.C) {
 		}
 		callCount++
 		return nil
-	})
+	}), BestVersion: 3}
 	client := crossmodelrelations.NewClientWithCache(apiCaller, s.cache)
 	_, err = client.WatchConsumedSecretsChanges(appToken, relToken, mac)
 	c.Check(err, gc.ErrorMatches, "FAIL")
@@ -756,7 +756,7 @@ func (s *CrossModelRelationsSuite) TestWatchConsumedSecretsChangesDischargeRequi
 		callCount    int
 		dischargeMac macaroon.Slice
 	)
-	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+	apiCaller := testing.BestVersionCaller{APICallerFunc: testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
 		var resultErr *params.Error
 		switch callCount {
 		case 2, 3: //Watcher Next, Stop
@@ -779,7 +779,7 @@ func (s *CrossModelRelationsSuite) TestWatchConsumedSecretsChangesDischargeRequi
 		s.fillResponse(c, result, resp)
 		callCount++
 		return nil
-	})
+	}), BestVersion: 3}
 	acquirer := &mockDischargeAcquirer{}
 	callerWithBakery := testing.APICallerWithBakery(apiCaller, acquirer)
 	client := crossmodelrelations.NewClientWithCache(callerWithBakery, s.cache)

api/facadeversions.go

@@ -57,7 +57,7 @@ var facadeVersions = facades.FacadeVersions{
 	"CredentialManager":            {1},
 	"CredentialValidator":          {2},
 	"CrossController":              {1},
-	"CrossModelRelations":          {2},
+	"CrossModelRelations":          {2, 3},
 	"CrossModelSecrets":            {1},
 	"Deployer":                     {1},
 	"DiskManager":                  {2},

apiserver/admin_test.go

@@ -624,7 +624,7 @@ func (s *loginSuite) TestAnonymousModelLogin(c *gc.C) {
 	c.Assert(result.ControllerTag, gc.Equals, s.State.ControllerTag().String())
 	c.Assert(result.ModelTag, gc.Equals, s.Model.ModelTag().String())
 	c.Assert(result.Facades, jc.DeepEquals, []params.FacadeVersions{
-		{Name: "CrossModelRelations", Versions: []int{2}},
+		{Name: "CrossModelRelations", Versions: []int{2, 3}},
 		{Name: "CrossModelSecrets", Versions: []int{1}},
 		{Name: "NotifyWatcher", Versions: []int{1}},
 		{Name: "OfferStatusWatcher", Versions: []int{1}},

apiserver/facades/agent/secretsmanager/secrets.go

@@ -691,10 +691,9 @@ func (s *SecretsManagerAPI) getSecretContent(arg params.GetSecretContentArg) (
 		if md != nil {
 			// If the label has is to be changed by the secret owner, update the secret metadata.
 			// TODO(wallyworld) - the label staying the same should be asserted in a txn.
-			isOwner := true
 			if labelToUpdate != nil && *labelToUpdate != md.Label {
-				var err error
-				if isOwner, err = s.canUpdateAppOwnedOrUnitOwnedSecretLabel(md.OwnerTag); err != nil {
+				isOwner, err := s.canUpdateAppOwnedOrUnitOwnedSecretLabel(md.OwnerTag)
+				if err != nil {
 					return nil, nil, false, errors.Trace(err)
 				}
 				if isOwner {
@@ -709,9 +708,10 @@ func (s *SecretsManagerAPI) getSecretContent(arg params.GetSecretContentArg) (
 			uri = md.URI
 			// We don't update the consumer label in this case since the label comes
 			// from the owner metadata and we don't want to violate uniqueness checks.
-			if isOwner {
-				labelToUpdate = nil
-			}
+			// 1. owners use owner label;
+			// 2. the leader and peer units use the owner label for application-owned secrets.
+			// So, no need to update the consumer label.
+			labelToUpdate = nil
 		}
 	}
 

apiserver/facades/agent/secretsmanager/secrets_test.go

@@ -938,7 +938,7 @@ func (s *SecretsManagerSuite) TestGetSecretContentForAppSecretUpdateLabelNotLead
 		Return(nil, errors.NotFoundf("secret consumer"))
 	s.secretsState.EXPECT().GetSecret(uri).Return(&coresecrets.SecretMetadata{LatestRevision: 668}, nil)
 	s.secretsConsumer.EXPECT().SaveSecretConsumer(
-		uri, names.NewUnitTag("mariadb/0"), &coresecrets.SecretConsumerMetadata{Label: "foo", LatestRevision: 668, CurrentRevision: 668}).Return(nil)
+		uri, names.NewUnitTag("mariadb/0"), &coresecrets.SecretConsumerMetadata{LatestRevision: 668, CurrentRevision: 668}).Return(nil)
 	s.secretsState.EXPECT().GetSecretValue(uri, 668).Return(
 		val, nil, nil,
 	)

apiserver/facades/client/application/backend.go

@@ -148,6 +148,7 @@ type CharmMeta interface {
 type Machine interface {
 	Base() state.Base
 	HardwareCharacteristics() (*instance.HardwareCharacteristics, error)
+	Id() string
 	PublicAddress() (network.SpaceAddress, error)
 	IsLockedForSeriesUpgrade() (bool, error)
 	IsParentLockedForSeriesUpgrade() (bool, error)

apiserver/facades/client/application/deploy_test.go

@@ -77,7 +77,7 @@ func (s *DeployLocalSuite) TestDeployMinimal(c *gc.C) {
 	c.Assert(err, jc.ErrorIsNil)
 	s.assertCharm(c, app, s.charm.URL())
 	s.assertSettings(c, app, charm.Settings{})
-	s.assertApplicationConfig(c, app, coreconfig.ConfigAttributes(nil))
+	s.assertApplicationConfig(c, app, coreconfig.ConfigAttributes{})
 	s.assertConstraints(c, app, constraints.MustParse("arch=amd64"))
 	s.assertMachines(c, app, constraints.Value{})
 }