Implement Secrets

Implement podman secret create, inspect, ls, rm
Implement podman run/create --secret
Secrets are blobs of data that are sensitive.
Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file.
After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname]
This secret will not be commited to an image on a podman commit

Signed-off-by: Ashley Cui <acui@redhat.com>

2 files changed, 7 insertions, 0 deletions

diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 1bc050b00..74291325c 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -359,6 +359,10 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 		options = append(options, libpod.WithHealthCheck(s.ContainerHealthCheckConfig.HealthConfig))
 		logrus.Debugf("New container has a health check")
 	}
+
+	if len(s.Secrets) != 0 {
+		options = append(options, libpod.WithSecrets(s.Secrets))
+	}
 	return options, nil
 }
 
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index a6cc0a730..732579bf0 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -237,6 +237,9 @@ type ContainerStorageConfig struct {
 	// If not set, the default of rslave will be used.
 	// Optional.
 	RootfsPropagation string `json:"rootfs_propagation,omitempty"`
+	// Secrets are the secrets that will be added to the container
+	// Optional.
+	Secrets []string `json:"secrets,omitempty"`
 }
 
 // ContainerSecurityConfig is a container's security features, including