
CertHandler stores keys in peer data even when juju has secrets #297

Closed
grobbie opened this issue Feb 27, 2024 · 3 comments

grobbie commented Feb 27, 2024

When running juju show-unit traefik-k8s/0 on a traefik charm integrated with manual-tls-certificates-operator, I noticed that there's a field private_key on the peers relation which contains the private key material related to the CSR that the unit has outstanding. This seems like too much information to me - the private key shouldn't be on display like this in an unprotected form.
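An added audit check for the observation above (example code, not from the traefik-k8s or observability-libs projects): it walks the JSON from `juju show-unit <unit> --format json` and flags any string that is PEM private-key material, or any private_key field whose value is not a Juju secret reference. The relation-info layout of the constructed sample and the `secret:` URI prefix are assumptions.

```python
"""Audit `juju show-unit <unit> --format json` output for private-key material
stored in the clear (for example in peer relation data) instead of in a Juju secret.
Added example; not code from traefik-k8s or observability-libs."""
import json
import re
import sys

# Matches the header of any PEM private-key block (RSA, EC, PKCS#8, encrypted or not).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Assumed: Juju secret references in relation data start with "secret:"; those are fine.
SECRET_URI = re.compile(r"^secret:")
KEY_FIELD_NAMES = ("private_key", "private-key")


def find_exposed_keys(doc, path=""):
    """Recursively walk decoded JSON and return (path, reason) pairs for every
    string that is PEM private-key material, or a private_key field that does
    not hold a secret reference. Layout-independent, so it works on any unit."""
    findings = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}" if path else str(key)
            findings.extend(find_exposed_keys(value, child))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            findings.extend(find_exposed_keys(value, f"{path}[{index}]"))
    elif isinstance(doc, str):
        leaf = path.rsplit(".", 1)[-1]
        if PEM_PRIVATE_KEY.search(doc):
            findings.append((path, "PEM private key stored in the clear"))
        elif leaf in KEY_FIELD_NAMES and not SECRET_URI.match(doc):
            findings.append((path, "private_key field is not a secret: reference"))
    return findings


# Constructed sample modelled on the (assumed) show-unit layout; key material is fake.
SAMPLE_DOC = {"traefik-k8s/0": {"relation-info": [
    {"endpoint": "peers", "related-endpoint": "peers",
     "local-unit": {"in-scope": True, "data": {
         "private_key": "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----",
         "csr": "-----BEGIN CERTIFICATE REQUEST-----\nFAKE\n-----END CERTIFICATE REQUEST-----"}}},
    {"endpoint": "certificates", "related-endpoint": "certificates",
     "application-data": {"private-key": "secret:cnr3abcd1234"}},
]}}

if __name__ == "__main__":
    # Usage: python audit.py show-unit.json   (falls back to the constructed sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DOC
    for where, why in find_exposed_keys(doc):
        print(f"{where}: {why}")
```

Run it against a file saved from `juju show-unit traefik-k8s/0 --format json`; an empty report means no plaintext key material was found in the unit's relation data.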

PietroPasotti (Collaborator) commented

What juju version are you on? Looking at the tls-certificates lib we're using, if on a modern-enough juju, we'll use a secret instead.
Please attach full version information of your juju snap, juju agent version in the model, and charm revision information.

PietroPasotti (Collaborator) commented Mar 1, 2024

Ah, never mind; if this is peer data we might indeed be storing that in the clear.
The issue is we need to support juju 2.9.

We could, at the cost of some extra complexity, use secrets instead of peer storage where juju supports it.
Updating the title to match.

(This is in fact a bug for observability-libs: CertHandler)

@PietroPasotti PietroPasotti changed the title TLS private key is visible on the peers relation CertHandler stores keys in peer data even when juju has secrets Mar 1, 2024
mmkay (Contributor) commented May 9, 2024

CertHandler was bumped to v1.5, which uses secrets, in #332. Do you use juju 3 or juju 2.9? If it's 3.x then you should be able to update to the latest traefik, and the key should already be in secrets.

We can't do much about juju 2.9 as it doesn't have the notion of a secret at all.

Closing this issue - feel free to reopen if you feel our answer is not enough.

@mmkay mmkay closed this as completed May 9, 2024