author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-05-07 05:34:26 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-07 05:34:26 -0400 |
commit | 141ba94f9735d88a494f252ad7aa78fd4b86d8ea (patch) | |
tree | 6381cf512d4e9d99747e90004d4be024036687d8 /libpod | |
parent | 41ac68d197b53f3c151b81e2eddbc00bcf1a117f (diff) | |
parent | 2634cb234f1500b76a2fd89351b9ad8a737a24ea (diff) | |
Merge pull request #10221 from ashley-cui/envsec
Add support for environment variable secrets
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_config.go | 2 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 14 | ||||
-rw-r--r-- | libpod/options.go | 22 |
3 files changed, 38 insertions, 0 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index a508b96ee..904c03f9b 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -373,4 +373,6 @@ type ContainerMiscConfig struct {
 PidFile string `json:"pid_file,omitempty"`
 // CDIDevices contains devices that use the CDI
 CDIDevices []string `json:"cdiDevices,omitempty"`
+ // EnvSecrets are secrets that are set as environment variables
+ EnvSecrets map[string]*secrets.Secret `json:"secret_env,omitempty"`
 }
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 14816f6aa..7d57e8965 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -29,6 +29,7 @@ import (
 "github.com/containers/common/pkg/apparmor"
 "github.com/containers/common/pkg/chown"
 "github.com/containers/common/pkg/config"
+ "github.com/containers/common/pkg/secrets"
 "github.com/containers/common/pkg/subscriptions"
 "github.com/containers/common/pkg/umask"
 "github.com/containers/podman/v3/libpod/define"
@@ -757,6 +758,19 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
 return nil, errors.Wrapf(err, "error setting up OCI Hooks")
 }
+ if len(c.config.EnvSecrets) > 0 {
+ manager, err := secrets.NewManager(c.runtime.GetSecretsStorageDir())
+ if err != nil {
+ return nil, err
+ }
+ for name, secr := range c.config.EnvSecrets {
+ _, data, err := manager.LookupSecretData(secr.Name)
+ if err != nil {
+ return nil, err
+ }
+ g.AddProcessEnv(name, string(data))
+ }
+ }
 return g.Config, nil
 }
diff --git a/libpod/options.go b/libpod/options.go
index 391cf0147..be26ced99 100644
--- a/libpod/options.go
+++ b/libpod/options.go
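Review bot: The two bare `return nil, err` paths in the added EnvSecrets block of generateSpec drop the context that the line just above keeps with `errors.Wrapf`, so a failed lookup does not say which secret or variable was involved; `return nil, errors.Wrapf(err, "error looking up secret %q for env %q", secr.Name, name)` would match the surrounding style without exposing the value. `secr` is a `*secrets.Secret` taken from the container config map and `secr.Name` is dereferenced with no nil check, which would panic if a nil entry can ever reach this point. It is also worth a comment at `g.AddProcessEnv(name, string(data))` stating that the secret plaintext becomes part of the generated spec's process environment, so anything that serializes or logs `g.Config` carries the value; where that happens is outside this hunk. generateSpec begins outside the hunk.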
@@ -1716,6 +1716,28 @@ func WithSecrets(secretNames []string) CtrCreateOption {
 }
 }
+// WithSecrets adds environment variable secrets to the container
+func WithEnvSecrets(envSecrets map[string]string) CtrCreateOption {
+ return func(ctr *Container) error {
+ ctr.config.EnvSecrets = make(map[string]*secrets.Secret)
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ manager, err := secrets.NewManager(ctr.runtime.GetSecretsStorageDir())
+ if err != nil {
+ return err
+ }
+ for target, src := range envSecrets {
+ secr, err := manager.Lookup(src)
+ if err != nil {
+ return err
+ }
+ ctr.config.EnvSecrets[target] = secr
+ }
+ return nil
+ }
+}
+
 // WithPidFile adds pidFile to the container
 func WithPidFile(pidFile string) CtrCreateOption {
 return func(ctr *Container) error { |
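Review bot: In WithEnvSecrets, `ctr.config.EnvSecrets = make(map[string]*secrets.Secret)` runs before the `ctr.valid` check, so applying the option to a finalized container replaces its existing map with an empty one and only then returns `define.ErrCtrFinalized`; the `make` should move below the check. The doc comment names the wrong function and should read `// WithEnvSecrets adds environment variable secrets to the container`. The `manager.Lookup(src)` error is returned bare; wrapping it with the secret name, e.g. `errors.Wrapf(err, "error looking up secret %q", src)` if the errors package used elsewhere in this commit is imported in this file, would tell the caller which entry failed.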