grant secrets on the requested relation

charmed-kubernetes · Nov 8, 2024 · 4e30a9c · 4e30a9c
1 parent a337b98
commit 4e30a9c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 13 deletions.
diff --git a/ops/ops/interface_kube_control/provides.py b/ops/ops/interface_kube_control/provides.py
@@ -154,18 +154,15 @@ def sign_auth_request(
         self, request: AuthRequest, client_token, kubelet_token, proxy_token
     ) -> None:
         """Send authorization tokens to the requesting unit."""
-        creds = {}
+        creds, request_relation = {}, None
+        request_unit = self.charm.model.get_unit(request.unit)
+
         for relation in self.relations:
             creds.update(json.loads(relation.data[self.unit].get("creds", "{}")))
+            if request_unit in relation.units:
+                request_relation = relation
 
-        if not request.schema_vers:
-            tokens = Creds(
-                client_token=client_token,
-                kubelet_token=kubelet_token,
-                proxy_token=proxy_token,
-                scope=request.unit,
-            )
-        elif max(request.schema_vers) == 1:
+        if 1 in request.schema_vers and request_relation:
             # Requesting unit can use schema 1, use juju secrets
             content = {
                 "client-token": client_token,
@@ -175,8 +172,7 @@ def sign_auth_request(
             label = f"{request.user}-creds"
             description = f"Credentials for {request.user}"
             secret = self.refresh_secret_content(label, content, description)
-            unit = self.charm.model.get_unit(request.unit)
-            secret.grant(relation, unit=unit)
+            secret.grant(request_relation, unit=request_unit)
 
             tokens = Creds(
                 client_token="",
@@ -185,6 +181,13 @@ def sign_auth_request(
                 scope=request.unit,
             )
             tokens.secret_id = secret.id
+        else:
+            tokens = Creds(
+                client_token=client_token,
+                kubelet_token=kubelet_token,
+                proxy_token=proxy_token,
+                scope=request.unit,
+            )
 
         creds[request.user] = {
             "scope": request.unit,

diff --git a/ops/tests/unit/test_ops_provides.py b/ops/tests/unit/test_ops_provides.py
@@ -40,12 +40,15 @@ class Relation(mock.MagicMock):
         yield mock_prop
 
 
-def mock_units(relation, data):
+def mock_units(model, relation, data):
+    relation._units_by_name = {}
     for unit_data in data:
         unit = mock.MagicMock()
         unit.name = unit_data["unit"]
+        relation._units_by_name[unit.name] = unit
         relation.data[unit] = unit_data["data"]
         relation.units.append(unit)
+    model.get_unit.side_effect = relation._units_by_name.__getitem__
 
 
 def test_set_default_cni(kube_control_provider):
@@ -162,7 +165,7 @@ def test_sign_auth_requests(
 ):
     with mock_relations(1) as relations:
         relation = relations.return_value[0]
-        mock_units(relation, relation_data)
+        mock_units(kube_control_provider.charm.model, relation, relation_data)
         mock_secret = refresh_secret_content.return_value
         mock_secret.id = "abcd::1234"