aboutsummaryrefslogtreecommitdiff
path: root/pkg/specgen
diff options
context:
space:
mode:
authorcdoern <cdoern@redhat.com>2022-06-07 16:37:59 -0400
committerCharlie Doern <cdoern@redhat.com>2022-07-20 12:55:33 -0400
commit438fef1caa26a1f09cd7be341e854d4bd5726c2b (patch)
treee449aceae653fcce93fe38aa38a60d08a95bda1e /pkg/specgen
parent8c9eff5b12eebe318be1f905562be6a236285caa (diff)
downloadpodman-438fef1caa26a1f09cd7be341e854d4bd5726c2b.tar.gz
podman-438fef1caa26a1f09cd7be341e854d4bd5726c2b.tar.bz2
podman-438fef1caa26a1f09cd7be341e854d4bd5726c2b.zip
kube secret handling for podman play kube
add support for both creating a secret using yaml and mounting a secret as a volume given a yaml file. Kubernetes secrets have a different structure than podman and therefore have to be handeled differently. In this PR, I have introduced the basic usecases of kube secrets with more implementations like env secrets to come! resolves #12396 Signed-off-by: Charlie Doern <cdoern@redhat.com>
Diffstat (limited to 'pkg/specgen')
-rw-r--r--pkg/specgen/generate/kube/kube.go10
-rw-r--r--pkg/specgen/generate/kube/play_test.go2
-rw-r--r--pkg/specgen/generate/kube/volume.go56
3 files changed, 64 insertions, 4 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 454a1e1d0..e9abf419b 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -398,6 +398,16 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
Type: "b",
}
s.Devices = append(s.Devices, device)
+ case KubeVolumeTypeSecret:
+ // in podman play kube we need to add these secrets as volumes rather than as
+ // specgen.Secrets. Adding them as volumes allows for all key: value pairs to be mounted
+ secretVolume := specgen.NamedVolume{
+ Dest: volume.MountPath,
+ Name: volumeSource.Source,
+ Options: options,
+ }
+
+ s.Volumes = append(s.Volumes, &secretVolume)
default:
return nil, errors.New("unsupported volume source type")
}
diff --git a/pkg/specgen/generate/kube/play_test.go b/pkg/specgen/generate/kube/play_test.go
index 466dab610..470c0c39c 100644
--- a/pkg/specgen/generate/kube/play_test.go
+++ b/pkg/specgen/generate/kube/play_test.go
@@ -28,7 +28,7 @@ func createSecrets(t *testing.T, d string) *secrets.SecretsManager {
data, err := json.Marshal(s.Data)
assert.NoError(t, err)
- _, err = secretsManager.Store(s.ObjectMeta.Name, data, driver, driverOpts)
+ _, err = secretsManager.Store(s.ObjectMeta.Name, data, driver, driverOpts, nil)
assert.NoError(t, err)
}
diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go
index f5c0c241d..c12adadd8 100644
--- a/pkg/specgen/generate/kube/volume.go
+++ b/pkg/specgen/generate/kube/volume.go
@@ -6,9 +6,13 @@ import (
"os"
"github.com/containers/common/pkg/parse"
+ "github.com/containers/common/pkg/secrets"
"github.com/containers/podman/v4/libpod"
v1 "github.com/containers/podman/v4/pkg/k8s.io/api/core/v1"
+ metav1 "github.com/containers/podman/v4/pkg/k8s.io/apimachinery/pkg/apis/meta/v1"
+
"github.com/sirupsen/logrus"
+ "gopkg.in/yaml.v3"
)
const (
@@ -27,6 +31,7 @@ const (
KubeVolumeTypeConfigMap
KubeVolumeTypeBlockDevice
KubeVolumeTypeCharDevice
+ KubeVolumeTypeSecret
)
//nolint:revive
@@ -125,6 +130,49 @@ func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource) (*KubeVolume, error)
}, nil
}
+// VolumeFromSecret creates a new kube volume from a kube secret.
+func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error) {
+ // returns a byte array of a kube secret data, meaning this needs to go into a string map
+ _, secretByte, err := secretsManager.LookupSecretData(secretSource.SecretName)
+ if err != nil {
+ return nil, err
+ }
+
+ // unmarshaling directly into a v1.secret creates type mismatch errors
+ // use a more friendly, string only secret struct.
+ type KubeSecret struct {
+ metav1.TypeMeta `json:",inline"`
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+ // +optional
+ Immutable *bool `json:"immutable,omitempty"`
+ Data map[string]string `json:"data,omitempty"`
+ // +optional
+ StringData map[string]string `json:"stringData,omitempty"`
+ // +optional
+ Type string `json:"type,omitempty"`
+ }
+
+ data := &KubeSecret{}
+
+ err = yaml.Unmarshal(secretByte, data)
+ if err != nil {
+ return nil, err
+ }
+
+ kv := &KubeVolume{}
+ kv.Type = KubeVolumeTypeSecret
+ kv.Source = secretSource.SecretName
+ kv.Optional = *secretSource.Optional
+ kv.Items = make(map[string]string)
+
+ // add key: value pairs to the items array
+ for key, entry := range data.Data {
+ kv.Items[key] = entry
+ }
+ return kv, nil
+}
+
// Create a KubeVolume from a PersistentVolumeClaimVolumeSource
func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource) (*KubeVolume, error) {
return &KubeVolume{
@@ -172,7 +220,7 @@ func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, config
}
// Create a KubeVolume from one of the supported VolumeSource
-func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error) {
+func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap, secretsManager *secrets.SecretsManager) (*KubeVolume, error) {
switch {
case volumeSource.HostPath != nil:
return VolumeFromHostPath(volumeSource.HostPath)
@@ -180,17 +228,19 @@ func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap) (
return VolumeFromPersistentVolumeClaim(volumeSource.PersistentVolumeClaim)
case volumeSource.ConfigMap != nil:
return VolumeFromConfigMap(volumeSource.ConfigMap, configMaps)
+ case volumeSource.Secret != nil:
+ return VolumeFromSecret(volumeSource.Secret, secretsManager)
default:
return nil, errors.New("HostPath, ConfigMap, and PersistentVolumeClaim are currently the only supported VolumeSource")
}
}
// Create a map of volume name to KubeVolume
-func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap) (map[string]*KubeVolume, error) {
+func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap, secretsManager *secrets.SecretsManager) (map[string]*KubeVolume, error) {
volumes := make(map[string]*KubeVolume)
for _, specVolume := range specVolumes {
- volume, err := VolumeFromSource(specVolume.VolumeSource, configMaps)
+ volume, err := VolumeFromSource(specVolume.VolumeSource, configMaps, secretsManager)
if err != nil {
return nil, fmt.Errorf("failed to create volume %q: %w", specVolume.Name, err)
}