diff options
author | Ashley Cui <acui@redhat.com> | 2021-05-05 10:34:13 -0400 |
---|---|---|
committer | Ashley Cui <acui@redhat.com> | 2021-05-06 14:00:57 -0400 |
commit | 2634cb234f1500b76a2fd89351b9ad8a737a24ea (patch) | |
tree | 10fb9e9dc38ef35ecd9390b43effe5dc667578b0 /libpod | |
parent | 476c76f580d5cd092ff958765af36857b2a68d6c (diff) | |
download | podman-2634cb234f1500b76a2fd89351b9ad8a737a24ea.tar.gz podman-2634cb234f1500b76a2fd89351b9ad8a737a24ea.tar.bz2 podman-2634cb234f1500b76a2fd89351b9ad8a737a24ea.zip |
Add support for environment variable secrets
Env var secrets are env vars that are set inside the container but not
commited to and image. Also support reading from env var when creating a
secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_config.go | 2 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 14 | ||||
-rw-r--r-- | libpod/options.go | 22 |
3 files changed, 38 insertions, 0 deletions
diff --git a/libpod/container_config.go b/libpod/container_config.go index d0572fbc2..ac17a2c4f 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -368,4 +368,6 @@ type ContainerMiscConfig struct { PidFile string `json:"pid_file,omitempty"` // CDIDevices contains devices that use the CDI CDIDevices []string `json:"cdiDevices,omitempty"` + // EnvSecrets are secrets that are set as environment variables + EnvSecrets map[string]*secrets.Secret `json:"secret_env,omitempty"` } diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index f4762b5ff..c6839ffd0 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -29,6 +29,7 @@ import ( "github.com/containers/common/pkg/apparmor" "github.com/containers/common/pkg/chown" "github.com/containers/common/pkg/config" + "github.com/containers/common/pkg/secrets" "github.com/containers/common/pkg/subscriptions" "github.com/containers/common/pkg/umask" "github.com/containers/podman/v3/libpod/define" @@ -763,6 +764,19 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil { return nil, errors.Wrapf(err, "error setting up OCI Hooks") } + if len(c.config.EnvSecrets) > 0 { + manager, err := secrets.NewManager(c.runtime.GetSecretsStorageDir()) + if err != nil { + return nil, err + } + for name, secr := range c.config.EnvSecrets { + _, data, err := manager.LookupSecretData(secr.Name) + if err != nil { + return nil, err + } + g.AddProcessEnv(name, string(data)) + } + } return g.Config, nil } diff --git a/libpod/options.go b/libpod/options.go index 103a9a80a..7c574df75 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -1703,6 +1703,28 @@ func WithSecrets(secretNames []string) CtrCreateOption { } } +// WithSecrets adds environment variable secrets to the container +func WithEnvSecrets(envSecrets map[string]string) CtrCreateOption { + return func(ctr *Container) error { + ctr.config.EnvSecrets = make(map[string]*secrets.Secret) + if ctr.valid { + return define.ErrCtrFinalized + } + manager, err := secrets.NewManager(ctr.runtime.GetSecretsStorageDir()) + if err != nil { + return err + } + for target, src := range envSecrets { + secr, err := manager.Lookup(src) + if err != nil { + return err + } + ctr.config.EnvSecrets[target] = secr + } + return nil + } +} + // WithPidFile adds pidFile to the container func WithPidFile(pidFile string) CtrCreateOption { return func(ctr *Container) error { |