Merge branch '3.3' into 3.3-to-main

Conflicts:
	apiserver/facades/agent/secretsmanager/package_test.go
	apiserver/facades/agent/secretsmanager/register.go
	apiserver/facades/agent/secretsmanager/secrets.go
	apiserver/facades/agent/secretsmanager/secrets_test.go
	cmd/juju/application/deploy_test.go
	cmd/juju/application/deployer/deployer_test.go
	cmd/juju/application/export_test.go
	cmd/juju/application/refresh_test.go
	cmd/juju/application/unexpose_test.go
	cmd/juju/machine/upgrademachine_test.go
	core/base/supported.go
	core/base/supportedbases_test.go
	core/base/supportedseries.go
	core/base/supportedseries_linux_test.go
	core/base/supportedseries_test.go
	core/os/os.go
	worker/uniter/runner/context/env_test.go

.github/discourse-topic-ids.yaml

@@ -122,6 +122,7 @@ remove-machine: 10163
 remove-offer: 10235
 remove-relation: 10110
 remove-saas: 10087
+remove-secret: 11414
 remove-secret-backend: 10194
 remove-space: 10084
 remove-ssh-key: 10119
@@ -187,6 +188,7 @@ update-credential: 10065
 update-credentials: 10231
 update-k8s: 10155
 update-public-clouds: 10115
+update-secret: 11413
 update-secret-backend: 10176
 update-storage-pool: 10217
 upgrade-controller: 10058

api/client/secrets/client.go

@@ -126,6 +126,68 @@ func (c *Client) CreateSecret(label, description string, data map[string]string)
 	return result.Result, nil
 }
 
+// UpdateSecret updates an existing secret.
+func (c *Client) UpdateSecret(
+	uri *secrets.URI, autoPrune *bool,
+	label, description string, data map[string]string,
+) error {
+	if c.BestAPIVersion() < 2 {
+		return errors.NotSupportedf("user secrets")
+	}
+	var results params.ErrorResults
+	arg := params.UpdateUserSecretArg{
+		URI:       uri.String(),
+		AutoPrune: autoPrune,
+		UpsertSecretArg: params.UpsertSecretArg{
+			Content: params.SecretContentParams{Data: data},
+		},
+	}
+	if label != "" {
+		arg.UpsertSecretArg.Label = &label
+	}
+	if description != "" {
+		arg.UpsertSecretArg.Description = &description
+	}
+	err := c.facade.FacadeCall("UpdateSecrets", params.UpdateUserSecretArgs{Args: []params.UpdateUserSecretArg{arg}}, &results)
+	if err != nil {
+		return errors.Trace(err)
+	}
+	if len(results.Results) != 1 {
+		return errors.Errorf("expected 1 result, got %d", len(results.Results))
+	}
+	result := results.Results[0]
+	if result.Error != nil {
+		return params.TranslateWellKnownError(result.Error)
+	}
+	return nil
+}
+
+func (c *Client) RemoveSecret(uri *secrets.URI, revision *int) error {
+	if c.BestAPIVersion() < 2 {
+		return errors.NotSupportedf("user secrets")
+	}
+	arg := params.DeleteSecretArg{
+		URI: uri.String(),
+	}
+	if revision != nil {
+		arg.Revisions = append(arg.Revisions, *revision)
+	}
+
+	var results params.ErrorResults
+	err := c.facade.FacadeCall("RemoveSecrets", params.DeleteSecretArgs{Args: []params.DeleteSecretArg{arg}}, &results)
+	if err != nil {
+		return errors.Trace(err)
+	}
+	if len(results.Results) != 1 {
+		return errors.Errorf("expected 1 result, got %d", len(results.Results))
+	}
+	result := results.Results[0]
+	if result.Error != nil {
+		return params.TranslateWellKnownError(result.Error)
+	}
+	return nil
+}
+
 // GrantSecret grants access to a secret to the specified applications.
 func (c *Client) GrantSecret(uri *secrets.URI, apps []string) ([]error, error) {
 	if c.BestAPIVersion() < 2 {

api/client/secrets/client_test.go

@@ -175,6 +175,123 @@ func (s *SecretsSuite) TestCreateSecret(c *gc.C) {
 	c.Assert(result, gc.DeepEquals, uri.String())
 }
 
+func (s *SecretsSuite) TestUpdateSecretError(c *gc.C) {
+	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+		return nil
+	})
+	caller := testing.BestVersionCaller{apiCaller, 1}
+	client := apisecrets.NewClient(caller)
+	uri := secrets.NewURI()
+	err := client.UpdateSecret(uri, ptr(true), "label", "this is a secret.", map[string]string{"foo": "bar"})
+	c.Assert(err, gc.ErrorMatches, "user secrets not supported")
+}
+
+func (s *SecretsSuite) TestUpdateSecretWithoutContent(c *gc.C) {
+	uri := secrets.NewURI()
+	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+		c.Assert(objType, gc.Equals, "Secrets")
+		c.Assert(request, gc.Equals, "UpdateSecrets")
+		c.Assert(arg, gc.DeepEquals, params.UpdateUserSecretArgs{
+			Args: []params.UpdateUserSecretArg{
+				{
+					URI:       uri.String(),
+					AutoPrune: ptr(true),
+					UpsertSecretArg: params.UpsertSecretArg{
+						Label:       ptr("label"),
+						Description: ptr("this is a secret."),
+					},
+				},
+			},
+		})
+		*(result.(*params.ErrorResults)) = params.ErrorResults{Results: []params.ErrorResult{{}}}
+		return nil
+	})
+	caller := testing.BestVersionCaller{apiCaller, 2}
+	client := apisecrets.NewClient(caller)
+	err := client.UpdateSecret(uri, ptr(true), "label", "this is a secret.", nil)
+	c.Assert(err, jc.ErrorIsNil)
+}
+
+func (s *SecretsSuite) TestUpdateSecret(c *gc.C) {
+	uri := secrets.NewURI()
+	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+		c.Assert(objType, gc.Equals, "Secrets")
+		c.Assert(request, gc.Equals, "UpdateSecrets")
+		c.Assert(arg, gc.DeepEquals, params.UpdateUserSecretArgs{
+			Args: []params.UpdateUserSecretArg{
+				{
+					URI:       uri.String(),
+					AutoPrune: ptr(true),
+					UpsertSecretArg: params.UpsertSecretArg{
+						Label:       ptr("label"),
+						Description: ptr("this is a secret."),
+						Content:     params.SecretContentParams{Data: map[string]string{"foo": "bar"}},
+					},
+				},
+			},
+		})
+		*(result.(*params.ErrorResults)) = params.ErrorResults{Results: []params.ErrorResult{{}}}
+		return nil
+	})
+	caller := testing.BestVersionCaller{apiCaller, 2}
+	client := apisecrets.NewClient(caller)
+	err := client.UpdateSecret(uri, ptr(true), "label", "this is a secret.", map[string]string{"foo": "bar"})
+	c.Assert(err, jc.ErrorIsNil)
+}
+
+func (s *SecretsSuite) TestRemoveSecretError(c *gc.C) {
+	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+		return nil
+	})
+	caller := testing.BestVersionCaller{apiCaller, 1}
+	client := apisecrets.NewClient(caller)
+	uri := secrets.NewURI()
+	err := client.RemoveSecret(uri, ptr(1))
+	c.Assert(err, gc.ErrorMatches, "user secrets not supported")
+}
+
+func (s *SecretsSuite) TestRemoveSecret(c *gc.C) {
+	uri := secrets.NewURI()
+	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+		c.Assert(objType, gc.Equals, "Secrets")
+		c.Assert(request, gc.Equals, "RemoveSecrets")
+		c.Assert(arg, gc.DeepEquals, params.DeleteSecretArgs{
+			Args: []params.DeleteSecretArg{
+				{URI: uri.String()},
+			},
+		})
+		*(result.(*params.ErrorResults)) = params.ErrorResults{
+			Results: []params.ErrorResult{{}},
+		}
+		return nil
+	})
+	caller := testing.BestVersionCaller{apiCaller, 2}
+	client := apisecrets.NewClient(caller)
+	err := client.RemoveSecret(uri, nil)
+	c.Assert(err, jc.ErrorIsNil)
+}
+
+func (s *SecretsSuite) TestRemoveSecretWithRevision(c *gc.C) {
+	uri := secrets.NewURI()
+	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
+		c.Assert(objType, gc.Equals, "Secrets")
+		c.Assert(request, gc.Equals, "RemoveSecrets")
+		c.Assert(arg, gc.DeepEquals, params.DeleteSecretArgs{
+			Args: []params.DeleteSecretArg{
+				{URI: uri.String(), Revisions: []int{1}},
+			},
+		})
+		*(result.(*params.ErrorResults)) = params.ErrorResults{
+			Results: []params.ErrorResult{{}},
+		}
+		return nil
+	})
+	caller := testing.BestVersionCaller{apiCaller, 2}
+	client := apisecrets.NewClient(caller)
+	err := client.RemoveSecret(uri, ptr(1))
+	c.Assert(err, jc.ErrorIsNil)
+}
+
 func (s *SecretsSuite) TestGrantSecretError(c *gc.C) {
 	apiCaller := testing.APICallerFunc(func(objType string, version int, id, request string, arg, result interface{}) error {
 		return nil