Add ability to determine if a charm application has been deployed with the --trust flag

[shayancanonical]

In our K8s charms, we often require that our charms are deployed with the --trust flag (as this will allow the charm the correct authorization to create entities like Services in K8s). We currently have no way to determine if the application has been deployed with the --trust flag without using lightkube to access the K8s control plane (which is tedious).

It would be ideal if we had a way to check whether an ops.Application has trust. This would enable us to move the charm into BlockedStatus and notify the user that they need to run juju trust

[dimaqq]

Earlier discussion:

Hi team,
Is there a way to get the trusted status of an application from within the charm itself? I'd like to have different code paths depending on whether the app is trusted or not. Is this "feature request" material? Thanks

Simon Richardson
I don't believe we expose that.

John A Meinel
I believe that we do not expose that information.

Carl Csaposs
in case it helps, here's what we're using to detect if an app is trusted: https://github.com/canonical/charm-refresh/blob/874ed93bbca3c9873c336010d3a98313b018d6d0/charm_refresh/_main.py#L1586-L1610

[benhoyt]

This is a duplicate of #532, which had a bunch of discussion, a Juju issue, and even a (rejected) spec. The charm actually gets a config-changed hook when this value changes ... unfortunately because of the odd way that trust is modelling in Juju, there's no way to fetch what the current trust setting is.

Because this isn't modelled in Juju (unless the Juju feature is added, but I doubt that's going to be anytime soon), I think we'll likely close this. Your best bet is to use EAFP (Easier to Ask Forgiveness than Permission), in other words, when you hit the lightkube API, wrap that in a try/except that catches the permission error and sets the status to blocked.