- Notifications
You must be signed in to change notification settings - Fork563
Open
Description
Description
On a Kubernetes model, in Juju 3.6.9, when an application is removed, all its secrets are also removed.
However, in Juju 3.6.11, the secret owned by the application is left behind.
Juju version
3.6.11
Cloud
Kubernetes
Expected behaviour
Juju should remove the secret owned by the application when that is removed.
Reproduce / Test
In a Juju 3.6.11 controller's model:
# Build the test charm.git clone https://github.com/marceloneppel/secret-left-behind-k8s-operatorcd secret-left-behind-k8s-operatorcharmcraft pack# Deploy the charm and wait for it to become active (that's when it creates a secret).juju deploy ./secret-left-behind-k8s-operator_amd64.charm --resource some-container-image=nginx# Remove the application.juju remove-application secret-left-behind-k8s-operator# Check that the secret still exists.juju secrets# Check that Juju tells us that the secret doesn't exist anymore.juju show-secret --reveal SECRET-ID
Notes & References
Example output from the output of thejuju show-secret command after the application was removed.
d41irjvmp25c7acblrjg: revision: 1 owner: secret-left-behind-k8s-operator label: secret-left-behind created: 2025-10-30T09:20:16Z updated: 2025-10-30T09:20:16Z error: secret "d41irjvmp25c7acblrjg-1" not foundIf a new deployment of the charm tries to retrieve the "existing" secret by label, it will raiseops.model.ModelError: ERROR permission denied.