authorAshley Cui <acui@redhat.com>2021-05-05 10:34:13 -0400
committerAshley Cui <acui@redhat.com>2021-05-06 14:00:57 -0400
commit2634cb234f1500b76a2fd89351b9ad8a737a24ea (patch)
tree10fb9e9dc38ef35ecd9390b43effe5dc667578b0 /libpod
parent476c76f580d5cd092ff958765af36857b2a68d6c (diff)
Add support for environment variable secrets
Env var secrets are env vars that are set inside the container but not committed to an image. Also support reading from an env var when creating a secret. Signed-off-by: Ashley Cui <acui@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_config.go2
-rw-r--r--libpod/container_internal_linux.go14
-rw-r--r--libpod/options.go22
3 files changed, 38 insertions, 0 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go
index d0572fbc2..ac17a2c4f 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -368,4 +368,6 @@ type ContainerMiscConfig struct {
PidFile string `json:"pid_file,omitempty"`
// CDIDevices contains devices that use the CDI
CDIDevices []string `json:"cdiDevices,omitempty"`
+ // EnvSecrets are secrets that are set as environment variables
+ EnvSecrets map[string]*secrets.Secret `json:"secret_env,omitempty"`
}
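Review bot: The comment on the new EnvSecrets field does not say what the map key is, and the json tag `secret_env` inverts the field's name, so a reader has to find the consumer to learn the shape. From the loop in generateSpec in this same commit, the key is the environment variable name set inside the container and the value is the secret whose data becomes that variable's value; suggest `// EnvSecrets maps an environment variable name inside the container to the secret whose data is set as its value`. The enclosing ContainerMiscConfig struct starts outside the hunk.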
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f4762b5ff..c6839ffd0 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -29,6 +29,7 @@ import (
"github.com/containers/common/pkg/apparmor"
"github.com/containers/common/pkg/chown"
"github.com/containers/common/pkg/config"
+ "github.com/containers/common/pkg/secrets"
"github.com/containers/common/pkg/subscriptions"
"github.com/containers/common/pkg/umask"
"github.com/containers/podman/v3/libpod/define"
@@ -763,6 +764,19 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
return nil, errors.Wrapf(err, "error setting up OCI Hooks")
}
+ if len(c.config.EnvSecrets) > 0 {
+ manager, err := secrets.NewManager(c.runtime.GetSecretsStorageDir())
+ if err != nil {
+ return nil, err
+ }
+ for name, secr := range c.config.EnvSecrets {
+ _, data, err := manager.LookupSecretData(secr.Name)
+ if err != nil {
+ return nil, err
+ }
+ g.AddProcessEnv(name, string(data))
+ }
+ }
return g.Config, nil
}
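Review bot: The errors from secrets.NewManager and manager.LookupSecretData are returned bare, while the hook-setup error a few lines above is wrapped with errors.Wrapf, so a failed lookup surfaces without saying which env var or secret was involved; the same bare returns appear in WithEnvSecrets in libpod/options.go. Suggest `return nil, errors.Wrapf(err, "error creating secrets manager")` for the first and `return nil, errors.Wrapf(err, "error retrieving secret %q for environment variable %s", secr.Name, name)` for the second. Since the value is written into the process environment, it is inherited by every process in the container and presumably persists in the serialized OCI spec on disk; a comment above the loop such as `// Secret data is exposed to every process in the container via its environment` would make that trade-off explicit for future maintainers. generateSpec starts outside the hunk.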
diff --git a/libpod/options.go b/libpod/options.go
index 103a9a80a..7c574df75 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1703,6 +1703,28 @@ func WithSecrets(secretNames []string) CtrCreateOption {
}
}
+// WithSecrets adds environment variable secrets to the container
+func WithEnvSecrets(envSecrets map[string]string) CtrCreateOption {
+ return func(ctr *Container) error {
+ ctr.config.EnvSecrets = make(map[string]*secrets.Secret)
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ manager, err := secrets.NewManager(ctr.runtime.GetSecretsStorageDir())
+ if err != nil {
+ return err
+ }
+ for target, src := range envSecrets {
+ secr, err := manager.Lookup(src)
+ if err != nil {
+ return err
+ }
+ ctr.config.EnvSecrets[target] = secr
+ }
+ return nil
+ }
+}
+
// WithPidFile adds pidFile to the container
func WithPidFile(pidFile string) CtrCreateOption {
return func(ctr *Container) error {