summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorAshley Cui <acui@redhat.com>2021-01-15 01:27:23 -0500
committerAshley Cui <acui@redhat.com>2021-02-09 09:13:21 -0500
commit832a69b0bee6ec289521fbd59ddd480372493ee3 (patch)
tree4c8a14b7fad879dc454c37f8b59120cf74ceafd1 /pkg
parent2aaf631586e82192e6b7b992e6b5c8717eb792d7 (diff)
downloadpodman-832a69b0bee6ec289521fbd59ddd480372493ee3.tar.gz
podman-832a69b0bee6ec289521fbd59ddd480372493ee3.tar.bz2
podman-832a69b0bee6ec289521fbd59ddd480372493ee3.zip
Implement Secrets
Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/api/handlers/compat/secrets.go121
-rw-r--r--pkg/api/handlers/libpod/secrets.go40
-rw-r--r--pkg/api/handlers/utils/errors.go8
-rw-r--r--pkg/api/server/register_secrets.go194
-rw-r--r--pkg/api/server/server.go1
-rw-r--r--pkg/api/tags.yaml4
-rw-r--r--pkg/bindings/secrets/secrets.go78
-rw-r--r--pkg/bindings/secrets/types.go23
-rw-r--r--pkg/bindings/secrets/types_create_options.go107
-rw-r--r--pkg/bindings/secrets/types_inspect_options.go75
-rw-r--r--pkg/bindings/secrets/types_list_options.go75
-rw-r--r--pkg/bindings/secrets/types_remove_options.go75
-rw-r--r--pkg/bindings/test/secrets_test.go133
-rw-r--r--pkg/domain/entities/engine_container.go4
-rw-r--r--pkg/domain/entities/secrets.go104
-rw-r--r--pkg/domain/infra/abi/secrets.go138
-rw-r--r--pkg/domain/infra/tunnel/secrets.go82
-rw-r--r--pkg/specgen/generate/container_create.go4
-rw-r--r--pkg/specgen/specgen.go3
19 files changed, 1269 insertions, 0 deletions
diff --git a/pkg/api/handlers/compat/secrets.go b/pkg/api/handlers/compat/secrets.go
new file mode 100644
index 000000000..ea2dfc707
--- /dev/null
+++ b/pkg/api/handlers/compat/secrets.go
@@ -0,0 +1,121 @@
+package compat
+
+import (
+ "bytes"
+ "encoding/base64"
+ "encoding/json"
+ "fmt"
+ "net/http"
+
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/pkg/api/handlers/utils"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+ "github.com/containers/podman/v2/pkg/domain/infra/abi"
+ "github.com/gorilla/schema"
+ "github.com/pkg/errors"
+)
+
+func ListSecrets(w http.ResponseWriter, r *http.Request) {
+ var (
+ runtime = r.Context().Value("runtime").(*libpod.Runtime)
+ decoder = r.Context().Value("decoder").(*schema.Decoder)
+ )
+ query := struct {
+ Filters map[string][]string `schema:"filters"`
+ }{}
+
+ if err := decoder.Decode(&query, r.URL.Query()); err != nil {
+ utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
+ errors.Wrapf(err, "failed to parse parameters for %s", r.URL.String()))
+ return
+ }
+ if len(query.Filters) > 0 {
+ utils.Error(w, "filters not supported", http.StatusBadRequest, errors.New("bad parameter"))
+ }
+ ic := abi.ContainerEngine{Libpod: runtime}
+ reports, err := ic.SecretList(r.Context())
+ if err != nil {
+ utils.InternalServerError(w, err)
+ return
+ }
+ utils.WriteResponse(w, http.StatusOK, reports)
+}
+
+func InspectSecret(w http.ResponseWriter, r *http.Request) {
+ var (
+ runtime = r.Context().Value("runtime").(*libpod.Runtime)
+ )
+ name := utils.GetName(r)
+ names := []string{name}
+ ic := abi.ContainerEngine{Libpod: runtime}
+ reports, errs, err := ic.SecretInspect(r.Context(), names)
+ if err != nil {
+ utils.InternalServerError(w, err)
+ return
+ }
+ if len(errs) > 0 {
+ utils.SecretNotFound(w, name, errs[0])
+ return
+ }
+ utils.WriteResponse(w, http.StatusOK, reports[0])
+
+}
+
+func RemoveSecret(w http.ResponseWriter, r *http.Request) {
+ var (
+ runtime = r.Context().Value("runtime").(*libpod.Runtime)
+ )
+
+ opts := entities.SecretRmOptions{}
+ name := utils.GetName(r)
+ ic := abi.ContainerEngine{Libpod: runtime}
+ reports, err := ic.SecretRm(r.Context(), []string{name}, opts)
+ if err != nil {
+ utils.InternalServerError(w, err)
+ return
+ }
+ if reports[0].Err != nil {
+ utils.SecretNotFound(w, name, reports[0].Err)
+ return
+ }
+ utils.WriteResponse(w, http.StatusNoContent, nil)
+}
+
+func CreateSecret(w http.ResponseWriter, r *http.Request) {
+ var (
+ runtime = r.Context().Value("runtime").(*libpod.Runtime)
+ )
+ opts := entities.SecretCreateOptions{}
+ createParams := struct {
+ *entities.SecretCreateRequest
+ Labels map[string]string `schema:"labels"`
+ }{}
+
+ if err := json.NewDecoder(r.Body).Decode(&createParams); err != nil {
+ utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "Decode()"))
+ return
+ }
+ if len(createParams.Labels) > 0 {
+ utils.Error(w, "labels not supported", http.StatusBadRequest, errors.New("bad parameter"))
+ }
+
+ decoded, _ := base64.StdEncoding.DecodeString(createParams.Data)
+ reader := bytes.NewReader(decoded)
+ opts.Driver = createParams.Driver.Name
+
+ ic := abi.ContainerEngine{Libpod: runtime}
+ report, err := ic.SecretCreate(r.Context(), createParams.Name, reader, opts)
+ if err != nil {
+ if errors.Cause(err).Error() == "secret name in use" {
+ utils.Error(w, "name conflicts with an existing object", http.StatusConflict, err)
+ return
+ }
+ utils.InternalServerError(w, err)
+ return
+ }
+ utils.WriteResponse(w, http.StatusOK, report)
+}
+
+func UpdateSecret(w http.ResponseWriter, r *http.Request) {
+ utils.Error(w, fmt.Sprintf("unsupported endpoint: %v", r.Method), http.StatusNotImplemented, errors.New("update is not supported"))
+}
diff --git a/pkg/api/handlers/libpod/secrets.go b/pkg/api/handlers/libpod/secrets.go
new file mode 100644
index 000000000..447a5d021
--- /dev/null
+++ b/pkg/api/handlers/libpod/secrets.go
@@ -0,0 +1,40 @@
+package libpod
+
+import (
+ "net/http"
+
+ "github.com/containers/podman/v2/libpod"
+ "github.com/containers/podman/v2/pkg/api/handlers/utils"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+ "github.com/containers/podman/v2/pkg/domain/infra/abi"
+ "github.com/gorilla/schema"
+ "github.com/pkg/errors"
+)
+
+func CreateSecret(w http.ResponseWriter, r *http.Request) {
+ var (
+ runtime = r.Context().Value("runtime").(*libpod.Runtime)
+ decoder = r.Context().Value("decoder").(*schema.Decoder)
+ )
+ query := struct {
+ Name string `schema:"name"`
+ Driver string `schema:"driver"`
+ }{
+ // override any golang type defaults
+ }
+ opts := entities.SecretCreateOptions{}
+ if err := decoder.Decode(&query, r.URL.Query()); err != nil {
+ utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
+ errors.Wrapf(err, "failed to parse parameters for %s", r.URL.String()))
+ return
+ }
+ opts.Driver = query.Driver
+
+ ic := abi.ContainerEngine{Libpod: runtime}
+ report, err := ic.SecretCreate(r.Context(), query.Name, r.Body, opts)
+ if err != nil {
+ utils.InternalServerError(w, err)
+ return
+ }
+ utils.WriteResponse(w, http.StatusOK, report)
+}
diff --git a/pkg/api/handlers/utils/errors.go b/pkg/api/handlers/utils/errors.go
index e2c287c45..c8785fb89 100644
--- a/pkg/api/handlers/utils/errors.go
+++ b/pkg/api/handlers/utils/errors.go
@@ -80,6 +80,14 @@ func SessionNotFound(w http.ResponseWriter, name string, err error) {
Error(w, msg, http.StatusNotFound, err)
}
+func SecretNotFound(w http.ResponseWriter, nameOrID string, err error) {
+ if errors.Cause(err).Error() != "no such secret" {
+ InternalServerError(w, err)
+ }
+ msg := fmt.Sprintf("No such secret: %s", nameOrID)
+ Error(w, msg, http.StatusNotFound, err)
+}
+
func ContainerNotRunning(w http.ResponseWriter, containerID string, err error) {
msg := fmt.Sprintf("Container %s is not running", containerID)
Error(w, msg, http.StatusConflict, err)
diff --git a/pkg/api/server/register_secrets.go b/pkg/api/server/register_secrets.go
new file mode 100644
index 000000000..95abf83e8
--- /dev/null
+++ b/pkg/api/server/register_secrets.go
@@ -0,0 +1,194 @@
+package server
+
+import (
+ "net/http"
+
+ "github.com/containers/podman/v2/pkg/api/handlers/compat"
+ "github.com/containers/podman/v2/pkg/api/handlers/libpod"
+ "github.com/gorilla/mux"
+)
+
+func (s *APIServer) registerSecretHandlers(r *mux.Router) error {
+ // swagger:operation POST /libpod/secrets/create libpod libpodCreateSecret
+ // ---
+ // tags:
+ // - secrets
+ // summary: Create a secret
+ // parameters:
+ // - in: query
+ // name: name
+ // type: string
+ // description: User-defined name of the secret.
+ // required: true
+ // - in: query
+ // name: driver
+ // type: string
+ // description: Secret driver
+ // default: "file"
+ // - in: body
+ // name: request
+ // description: Secret
+ // schema:
+ // type: string
+ // produces:
+ // - application/json
+ // responses:
+ // '201':
+ // $ref: "#/responses/SecretCreateResponse"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/libpod/secrets/create"), s.APIHandler(libpod.CreateSecret)).Methods(http.MethodPost)
+ // swagger:operation GET /libpod/secrets/json libpod libpodListSecret
+ // ---
+ // tags:
+ // - secrets
+ // summary: List secrets
+ // description: Returns a list of secrets
+ // produces:
+ // - application/json
+ // parameters:
+ // responses:
+ // '200':
+ // "$ref": "#/responses/SecretListResponse"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/libpod/secrets/json"), s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet)
+ // swagger:operation GET /libpod/secrets/{name}/json libpod libpodInspectSecret
+ // ---
+ // tags:
+ // - secrets
+ // summary: Inspect secret
+ // parameters:
+ // - in: path
+ // name: name
+ // type: string
+ // required: true
+ // description: the name or ID of the secret
+ // produces:
+ // - application/json
+ // responses:
+ // '200':
+ // "$ref": "#/responses/SecretInspectResponse"
+ // '404':
+ // "$ref": "#/responses/NoSuchSecret"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/libpod/secrets/{name}/json"), s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet)
+ // swagger:operation DELETE /libpod/secrets/{name} libpod libpodRemoveSecret
+ // ---
+ // tags:
+ // - secrets
+ // summary: Remove secret
+ // parameters:
+ // - in: path
+ // name: name
+ // type: string
+ // required: true
+ // description: the name or ID of the secret
+ // - in: query
+ // name: all
+ // type: boolean
+ // description: Remove all secrets
+ // default: false
+ // produces:
+ // - application/json
+ // responses:
+ // '204':
+ // description: no error
+ // '404':
+ // "$ref": "#/responses/NoSuchSecret"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/libpod/secrets/{name}"), s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete)
+
+ /*
+ * Docker compatibility endpoints
+ */
+ // swagger:operation GET /secrets compat ListSecret
+ // ---
+ // tags:
+ // - secrets (compat)
+ // summary: List secrets
+ // description: Returns a list of secrets
+ // produces:
+ // - application/json
+ // parameters:
+ // responses:
+ // '200':
+ // "$ref": "#/responses/SecretListResponse"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/secrets"), s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet)
+ r.Handle("/secrets", s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet)
+ // swagger:operation POST /secrets/create compat CreateSecret
+ // ---
+ // tags:
+ // - secrets (compat)
+ // summary: Create a secret
+ // parameters:
+ // - in: body
+ // name: create
+ // description: |
+ // attributes for creating a secret
+ // schema:
+ // $ref: "#/definitions/SecretCreate"
+ // produces:
+ // - application/json
+ // responses:
+ // '201':
+ // $ref: "#/responses/SecretCreateResponse"
+ // '409':
+ // "$ref": "#/responses/SecretInUse"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/secrets/create"), s.APIHandler(compat.CreateSecret)).Methods(http.MethodPost)
+ r.Handle("/secrets/create", s.APIHandler(compat.CreateSecret)).Methods(http.MethodPost)
+ // swagger:operation GET /secrets/{name} compat InspectSecret
+ // ---
+ // tags:
+ // - secrets (compat)
+ // summary: Inspect secret
+ // parameters:
+ // - in: path
+ // name: name
+ // type: string
+ // required: true
+ // description: the name or ID of the secret
+ // produces:
+ // - application/json
+ // responses:
+ // '200':
+ // "$ref": "#/responses/SecretInspectResponse"
+ // '404':
+ // "$ref": "#/responses/NoSuchSecret"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/secrets/{name}"), s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet)
+ r.Handle("/secrets/{name}", s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet)
+ // swagger:operation DELETE /secrets/{name} compat RemoveSecret
+ // ---
+ // tags:
+ // - secrets (compat)
+ // summary: Remove secret
+ // parameters:
+ // - in: path
+ // name: name
+ // type: string
+ // required: true
+ // description: the name or ID of the secret
+ // produces:
+ // - application/json
+ // responses:
+ // '204':
+ // description: no error
+ // '404':
+ // "$ref": "#/responses/NoSuchSecret"
+ // '500':
+ // "$ref": "#/responses/InternalError"
+ r.Handle(VersionedPath("/secrets/{name}"), s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete)
+ r.Handle("/secret/{name}", s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete)
+
+ r.Handle(VersionedPath("/secrets/{name}/update"), s.APIHandler(compat.UpdateSecret)).Methods(http.MethodPost)
+ r.Handle("/secrets/{name}/update", s.APIHandler(compat.UpdateSecret)).Methods(http.MethodPost)
+ return nil
+}
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index d612041f6..6926eda62 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -124,6 +124,7 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li
server.registerPlayHandlers,
server.registerPluginsHandlers,
server.registerPodsHandlers,
+ server.registerSecretHandlers,
server.RegisterSwaggerHandlers,
server.registerSwarmHandlers,
server.registerSystemHandlers,
diff --git a/pkg/api/tags.yaml b/pkg/api/tags.yaml
index 0cfb3f440..bb56098eb 100644
--- a/pkg/api/tags.yaml
+++ b/pkg/api/tags.yaml
@@ -13,6 +13,8 @@ tags:
description: Actions related to pods
- name: volumes
description: Actions related to volumes
+ - name: secrets
+ description: Actions related to secrets
- name: system
description: Actions related to Podman engine
- name: containers (compat)
@@ -25,5 +27,7 @@ tags:
description: Actions related to compatibility networks
- name: volumes (compat)
description: Actions related to volumes for the compatibility endpoints
+ - name: secrets (compat)
+ description: Actions related to secrets for the compatibility endpoints
- name: system (compat)
description: Actions related to Podman and compatibility engines
diff --git a/pkg/bindings/secrets/secrets.go b/pkg/bindings/secrets/secrets.go
new file mode 100644
index 000000000..3fd70dcad
--- /dev/null
+++ b/pkg/bindings/secrets/secrets.go
@@ -0,0 +1,78 @@
+package secrets
+
+import (
+ "context"
+ "io"
+ "net/http"
+
+ "github.com/containers/podman/v2/pkg/bindings"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+)
+
+// List returns information about existing secrets in the form of a slice.
+func List(ctx context.Context, options *ListOptions) ([]*entities.SecretInfoReport, error) {
+ var (
+ secrs []*entities.SecretInfoReport
+ )
+ conn, err := bindings.GetClient(ctx)
+ if err != nil {
+ return nil, err
+ }
+ response, err := conn.DoRequest(nil, http.MethodGet, "/secrets/json", nil, nil)
+ if err != nil {
+ return secrs, err
+ }
+ return secrs, response.Process(&secrs)
+}
+
+// Inspect returns low-level information about a secret.
+func Inspect(ctx context.Context, nameOrID string, options *InspectOptions) (*entities.SecretInfoReport, error) {
+ var (
+ inspect *entities.SecretInfoReport
+ )
+ conn, err := bindings.GetClient(ctx)
+ if err != nil {
+ return nil, err
+ }
+ response, err := conn.DoRequest(nil, http.MethodGet, "/secrets/%s/json", nil, nil, nameOrID)
+ if err != nil {
+ return inspect, err
+ }
+ return inspect, response.Process(&inspect)
+}
+
+// Remove removes a secret from storage
+func Remove(ctx context.Context, nameOrID string) error {
+ conn, err := bindings.GetClient(ctx)
+ if err != nil {
+ return err
+ }
+
+ response, err := conn.DoRequest(nil, http.MethodDelete, "/secrets/%s", nil, nil, nameOrID)
+ if err != nil {
+ return err
+ }
+ return response.Process(nil)
+}
+
+// Create creates a secret given some data
+func Create(ctx context.Context, reader io.Reader, options *CreateOptions) (*entities.SecretCreateReport, error) {
+ var (
+ create *entities.SecretCreateReport
+ )
+ conn, err := bindings.GetClient(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ params, err := options.ToParams()
+ if err != nil {
+ return nil, err
+ }
+
+ response, err := conn.DoRequest(reader, http.MethodPost, "/secrets/create", params, nil)
+ if err != nil {
+ return nil, err
+ }
+ return create, response.Process(&create)
+}
diff --git a/pkg/bindings/secrets/types.go b/pkg/bindings/secrets/types.go
new file mode 100644
index 000000000..a98e894dc
--- /dev/null
+++ b/pkg/bindings/secrets/types.go
@@ -0,0 +1,23 @@
+package secrets
+
+//go:generate go run ../generator/generator.go ListOptions
+// ListOptions are optional options for inspecting secrets
+type ListOptions struct {
+}
+
+//go:generate go run ../generator/generator.go InspectOptions
+// InspectOptions are optional options for inspecting secrets
+type InspectOptions struct {
+}
+
+//go:generate go run ../generator/generator.go RemoveOptions
+// RemoveOptions are optional options for removing secrets
+type RemoveOptions struct {
+}
+
+//go:generate go run ../generator/generator.go CreateOptions
+// CreateOptions are optional options for Creating secrets
+type CreateOptions struct {
+ Driver *string
+ Name *string
+}
diff --git a/pkg/bindings/secrets/types_create_options.go b/pkg/bindings/secrets/types_create_options.go
new file mode 100644
index 000000000..84cf38fa3
--- /dev/null
+++ b/pkg/bindings/secrets/types_create_options.go
@@ -0,0 +1,107 @@
+package secrets
+
+import (
+ "net/url"
+ "reflect"
+ "strings"
+
+ "github.com/containers/podman/v2/pkg/bindings/util"
+ jsoniter "github.com/json-iterator/go"
+ "github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate. Do not edit.
+*/
+
+// Changed
+func (o *CreateOptions) Changed(fieldName string) bool {
+ r := reflect.ValueOf(o)
+ value := reflect.Indirect(r).FieldByName(fieldName)
+ return !value.IsNil()
+}
+
+// ToParams
+func (o *CreateOptions) ToParams() (url.Values, error) {
+ params := url.Values{}
+ if o == nil {
+ return params, nil
+ }
+ json := jsoniter.ConfigCompatibleWithStandardLibrary
+ s := reflect.ValueOf(o)
+ if reflect.Ptr == s.Kind() {
+ s = s.Elem()
+ }
+ sType := s.Type()
+ for i := 0; i < s.NumField(); i++ {
+ fieldName := sType.Field(i).Name
+ if !o.Changed(fieldName) {
+ continue
+ }
+ fieldName = strings.ToLower(fieldName)
+ f := s.Field(i)
+ if reflect.Ptr == f.Kind() {
+ f = f.Elem()
+ }
+ switch {
+ case util.IsSimpleType(f):
+ params.Set(fieldName, util.SimpleTypeToParam(f))
+ case f.Kind() == reflect.Slice:
+ for i := 0; i < f.Len(); i++ {
+ elem := f.Index(i)
+ if util.IsSimpleType(elem) {
+ params.Add(fieldName, util.SimpleTypeToParam(elem))
+ } else {
+ return nil, errors.New("slices must contain only simple types")
+ }
+ }
+ case f.Kind() == reflect.Map:
+ lowerCaseKeys := make(map[string][]string)
+ iter := f.MapRange()
+ for iter.Next() {
+ lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+ }
+ s, err := json.MarshalToString(lowerCaseKeys)
+ if err != nil {
+ return nil, err
+ }
+
+ params.Set(fieldName, s)
+ }
+
+ }
+ return params, nil
+}
+
+// WithDriver
+func (o *CreateOptions) WithDriver(value string) *CreateOptions {
+ v := &value
+ o.Driver = v
+ return o
+}
+
+// GetDriver
+func (o *CreateOptions) GetDriver() string {
+ var driver string
+ if o.Driver == nil {
+ return driver
+ }
+ return *o.Driver
+}
+
+// WithName
+func (o *CreateOptions) WithName(value string) *CreateOptions {
+ v := &value
+ o.Name = v
+ return o
+}
+
+// GetName
+func (o *CreateOptions) GetName() string {
+ var name string
+ if o.Name == nil {
+ return name
+ }
+ return *o.Name
+}
diff --git a/pkg/bindings/secrets/types_inspect_options.go b/pkg/bindings/secrets/types_inspect_options.go
new file mode 100644
index 000000000..cd36b0531
--- /dev/null
+++ b/pkg/bindings/secrets/types_inspect_options.go
@@ -0,0 +1,75 @@
+package secrets
+
+import (
+ "net/url"
+ "reflect"
+ "strings"
+
+ "github.com/containers/podman/v2/pkg/bindings/util"
+ jsoniter "github.com/json-iterator/go"
+ "github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate. Do not edit.
+*/
+
+// Changed
+func (o *InspectOptions) Changed(fieldName string) bool {
+ r := reflect.ValueOf(o)
+ value := reflect.Indirect(r).FieldByName(fieldName)
+ return !value.IsNil()
+}
+
+// ToParams
+func (o *InspectOptions) ToParams() (url.Values, error) {
+ params := url.Values{}
+ if o == nil {
+ return params, nil
+ }
+ json := jsoniter.ConfigCompatibleWithStandardLibrary
+ s := reflect.ValueOf(o)
+ if reflect.Ptr == s.Kind() {
+ s = s.Elem()
+ }
+ sType := s.Type()
+ for i := 0; i < s.NumField(); i++ {
+ fieldName := sType.Field(i).Name
+ if !o.Changed(fieldName) {
+ continue
+ }
+ fieldName = strings.ToLower(fieldName)
+ f := s.Field(i)
+ if reflect.Ptr == f.Kind() {
+ f = f.Elem()
+ }
+ switch {
+ case util.IsSimpleType(f):
+ params.Set(fieldName, util.SimpleTypeToParam(f))
+ case f.Kind() == reflect.Slice:
+ for i := 0; i < f.Len(); i++ {
+ elem := f.Index(i)
+ if util.IsSimpleType(elem) {
+ params.Add(fieldName, util.SimpleTypeToParam(elem))
+ } else {
+ return nil, errors.New("slices must contain only simple types")
+ }
+ }
+ case f.Kind() == reflect.Map:
+ lowerCaseKeys := make(map[string][]string)
+ iter := f.MapRange()
+ for iter.Next() {
+ lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+ }
+ s, err := json.MarshalToString(lowerCaseKeys)
+ if err != nil {
+ return nil, err
+ }
+
+ params.Set(fieldName, s)
+ }
+
+ }
+ return params, nil
+}
diff --git a/pkg/bindings/secrets/types_list_options.go b/pkg/bindings/secrets/types_list_options.go
new file mode 100644
index 000000000..d313d8f73
--- /dev/null
+++ b/pkg/bindings/secrets/types_list_options.go
@@ -0,0 +1,75 @@
+package secrets
+
+import (
+ "net/url"
+ "reflect"
+ "strings"
+
+ "github.com/containers/podman/v2/pkg/bindings/util"
+ jsoniter "github.com/json-iterator/go"
+ "github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate. Do not edit.
+*/
+
+// Changed
+func (o *ListOptions) Changed(fieldName string) bool {
+ r := reflect.ValueOf(o)
+ value := reflect.Indirect(r).FieldByName(fieldName)
+ return !value.IsNil()
+}
+
+// ToParams
+func (o *ListOptions) ToParams() (url.Values, error) {
+ params := url.Values{}
+ if o == nil {
+ return params, nil
+ }
+ json := jsoniter.ConfigCompatibleWithStandardLibrary
+ s := reflect.ValueOf(o)
+ if reflect.Ptr == s.Kind() {
+ s = s.Elem()
+ }
+ sType := s.Type()
+ for i := 0; i < s.NumField(); i++ {
+ fieldName := sType.Field(i).Name
+ if !o.Changed(fieldName) {
+ continue
+ }
+ fieldName = strings.ToLower(fieldName)
+ f := s.Field(i)
+ if reflect.Ptr == f.Kind() {
+ f = f.Elem()
+ }
+ switch {
+ case util.IsSimpleType(f):
+ params.Set(fieldName, util.SimpleTypeToParam(f))
+ case f.Kind() == reflect.Slice:
+ for i := 0; i < f.Len(); i++ {
+ elem := f.Index(i)
+ if util.IsSimpleType(elem) {
+ params.Add(fieldName, util.SimpleTypeToParam(elem))
+ } else {
+ return nil, errors.New("slices must contain only simple types")
+ }
+ }
+ case f.Kind() == reflect.Map:
+ lowerCaseKeys := make(map[string][]string)
+ iter := f.MapRange()
+ for iter.Next() {
+ lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+ }
+ s, err := json.MarshalToString(lowerCaseKeys)
+ if err != nil {
+ return nil, err
+ }
+
+ params.Set(fieldName, s)
+ }
+
+ }
+ return params, nil
+}
diff --git a/pkg/bindings/secrets/types_remove_options.go b/pkg/bindings/secrets/types_remove_options.go
new file mode 100644
index 000000000..ca970e30e
--- /dev/null
+++ b/pkg/bindings/secrets/types_remove_options.go
@@ -0,0 +1,75 @@
+package secrets
+
+import (
+ "net/url"
+ "reflect"
+ "strings"
+
+ "github.com/containers/podman/v2/pkg/bindings/util"
+ jsoniter "github.com/json-iterator/go"
+ "github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate. Do not edit.
+*/
+
+// Changed
+func (o *RemoveOptions) Changed(fieldName string) bool {
+ r := reflect.ValueOf(o)
+ value := reflect.Indirect(r).FieldByName(fieldName)
+ return !value.IsNil()
+}
+
+// ToParams
+func (o *RemoveOptions) ToParams() (url.Values, error) {
+ params := url.Values{}
+ if o == nil {
+ return params, nil
+ }
+ json := jsoniter.ConfigCompatibleWithStandardLibrary
+ s := reflect.ValueOf(o)
+ if reflect.Ptr == s.Kind() {
+ s = s.Elem()
+ }
+ sType := s.Type()
+ for i := 0; i < s.NumField(); i++ {
+ fieldName := sType.Field(i).Name
+ if !o.Changed(fieldName) {
+ continue
+ }
+ fieldName = strings.ToLower(fieldName)
+ f := s.Field(i)
+ if reflect.Ptr == f.Kind() {
+ f = f.Elem()
+ }
+ switch {
+ case util.IsSimpleType(f):
+ params.Set(fieldName, util.SimpleTypeToParam(f))
+ case f.Kind() == reflect.Slice:
+ for i := 0; i < f.Len(); i++ {
+ elem := f.Index(i)
+ if util.IsSimpleType(elem) {
+ params.Add(fieldName, util.SimpleTypeToParam(elem))
+ } else {
+ return nil, errors.New("slices must contain only simple types")
+ }
+ }
+ case f.Kind() == reflect.Map:
+ lowerCaseKeys := make(map[string][]string)
+ iter := f.MapRange()
+ for iter.Next() {
+ lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+ }
+ s, err := json.MarshalToString(lowerCaseKeys)
+ if err != nil {
+ return nil, err
+ }
+
+ params.Set(fieldName, s)
+ }
+
+ }
+ return params, nil
+}
diff --git a/pkg/bindings/test/secrets_test.go b/pkg/bindings/test/secrets_test.go
new file mode 100644
index 000000000..17c043e4b
--- /dev/null
+++ b/pkg/bindings/test/secrets_test.go
@@ -0,0 +1,133 @@
+package test_bindings
+
+import (
+ "context"
+ "net/http"
+ "strings"
+ "time"
+
+ "github.com/containers/podman/v2/pkg/bindings"
+ "github.com/containers/podman/v2/pkg/bindings/secrets"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ "github.com/onsi/gomega/gexec"
+)
+
+var _ = Describe("Podman secrets", func() {
+ var (
+ bt *bindingTest
+ s *gexec.Session
+ connText context.Context
+ err error
+ )
+
+ BeforeEach(func() {
+ bt = newBindingTest()
+ bt.RestoreImagesFromCache()
+ s = bt.startAPIService()
+ time.Sleep(1 * time.Second)
+ connText, err = bindings.NewConnection(context.Background(), bt.sock)
+ Expect(err).To(BeNil())
+ })
+
+ AfterEach(func() {
+
+ s.Kill()
+ bt.cleanup()
+ })
+
+ It("create secret", func() {
+ r := strings.NewReader("mysecret")
+ name := "mysecret"
+ opts := &secrets.CreateOptions{
+ Name: &name,
+ }
+ _, err := secrets.Create(connText, r, opts)
+ Expect(err).To(BeNil())
+
+ // should not be allowed to create duplicate secret name
+ _, err = secrets.Create(connText, r, opts)
+ Expect(err).To(Not(BeNil()))
+ })
+
+ It("inspect secret", func() {
+ r := strings.NewReader("mysecret")
+ name := "mysecret"
+ opts := &secrets.CreateOptions{
+ Name: &name,
+ }
+ _, err := secrets.Create(connText, r, opts)
+ Expect(err).To(BeNil())
+
+ data, err := secrets.Inspect(connText, name, nil)
+ Expect(err).To(BeNil())
+ Expect(data.Spec.Name).To(Equal(name))
+
+ // inspecting non-existent secret should fail
+ data, err = secrets.Inspect(connText, "notasecret", nil)
+ code, _ := bindings.CheckResponseCode(err)
+ Expect(code).To(BeNumerically("==", http.StatusNotFound))
+ })
+
+ It("list secret", func() {
+ r := strings.NewReader("mysecret")
+ name := "mysecret"
+ opts := &secrets.CreateOptions{
+ Name: &name,
+ }
+ _, err := secrets.Create(connText, r, opts)
+ Expect(err).To(BeNil())
+
+ data, err := secrets.List(connText, nil)
+ Expect(err).To(BeNil())
+ Expect(data[0].Spec.Name).To(Equal(name))
+ })
+
+ It("list multiple secret", func() {
+ r := strings.NewReader("mysecret")
+ name := "mysecret"
+ opts := &secrets.CreateOptions{
+ Name: &name,
+ }
+ _, err := secrets.Create(connText, r, opts)
+ Expect(err).To(BeNil())
+
+ r2 := strings.NewReader("mysecret2")
+ name2 := "mysecret2"
+ opts2 := &secrets.CreateOptions{
+ Name: &name2,
+ }
+ _, err = secrets.Create(connText, r2, opts2)
+ Expect(err).To(BeNil())
+
+ data, err := secrets.List(connText, nil)
+ Expect(err).To(BeNil())
+ Expect(len(data)).To(Equal(2))
+ })
+
+ It("list no secrets", func() {
+ data, err := secrets.List(connText, nil)
+ Expect(err).To(BeNil())
+ Expect(len(data)).To(Equal(0))
+ })
+
+ It("remove secret", func() {
+ r := strings.NewReader("mysecret")
+ name := "mysecret"
+ opts := &secrets.CreateOptions{
+ Name: &name,
+ }
+ _, err := secrets.Create(connText, r, opts)
+ Expect(err).To(BeNil())
+
+ err = secrets.Remove(connText, name)
+ Expect(err).To(BeNil())
+
+ // removing non-existent secret should fail
+ err = secrets.Remove(connText, "nosecret")
+ Expect(err).To(Not(BeNil()))
+ code, _ := bindings.CheckResponseCode(err)
+ Expect(code).To(BeNumerically("==", http.StatusNotFound))
+ })
+
+})
diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go
index 39bda1d72..9ff1714e7 100644
--- a/pkg/domain/entities/engine_container.go
+++ b/pkg/domain/entities/engine_container.go
@@ -81,6 +81,10 @@ type ContainerEngine interface {
PodTop(ctx context.Context, options PodTopOptions) (*StringSliceReport, error)
PodUnpause(ctx context.Context, namesOrIds []string, options PodunpauseOptions) ([]*PodUnpauseReport, error)
SetupRootless(ctx context.Context, cmd *cobra.Command) error
+ SecretCreate(ctx context.Context, name string, reader io.Reader, options SecretCreateOptions) (*SecretCreateReport, error)
+ SecretInspect(ctx context.Context, nameOrIDs []string) ([]*SecretInfoReport, []error, error)
+ SecretList(ctx context.Context) ([]*SecretInfoReport, error)
+ SecretRm(ctx context.Context, nameOrID []string, opts SecretRmOptions) ([]*SecretRmReport, error)
Shutdown(ctx context.Context)
SystemDf(ctx context.Context, options SystemDfOptions) (*SystemDfReport, error)
Unshare(ctx context.Context, args []string) error
diff --git a/pkg/domain/entities/secrets.go b/pkg/domain/entities/secrets.go
new file mode 100644
index 000000000..3cad4c099
--- /dev/null
+++ b/pkg/domain/entities/secrets.go
@@ -0,0 +1,104 @@
+package entities
+
+import (
+ "time"
+
+ "github.com/containers/podman/v2/pkg/errorhandling"
+)
+
+type SecretCreateReport struct {
+ ID string
+}
+
+type SecretCreateOptions struct {
+ Driver string
+}
+
+type SecretListRequest struct {
+ Filters map[string]string
+}
+
+type SecretListReport struct {
+ ID string
+ Name string
+ Driver string
+ CreatedAt string
+ UpdatedAt string
+}
+
+type SecretRmOptions struct {
+ All bool
+}
+
+type SecretRmReport struct {
+ ID string
+ Err error
+}
+
+type SecretInfoReport struct {
+ ID string
+ CreatedAt time.Time
+ UpdatedAt time.Time
+ Spec SecretSpec
+}
+
+type SecretSpec struct {
+ Name string
+ Driver SecretDriverSpec
+}
+
+type SecretDriverSpec struct {
+ Name string
+ Options map[string]string
+}
+
+// swagger:model SecretCreate
+type SecretCreateRequest struct {
+ // User-defined name of the secret.
+ Name string
+ // Base64-url-safe-encoded (RFC 4648) data to store as secret.
+ Data string
+ // Driver represents a driver (default "file")
+ Driver SecretDriverSpec
+}
+
+// Secret create response
+// swagger:response SecretCreateResponse
+type SwagSecretCreateResponse struct {
+ // in:body
+ Body struct {
+ SecretCreateReport
+ }
+}
+
+// Secret list response
+// swagger:response SecretListResponse
+type SwagSecretListResponse struct {
+ // in:body
+ Body []*SecretInfoReport
+}
+
+// Secret inspect response
+// swagger:response SecretInspectResponse
+type SwagSecretInspectResponse struct {
+ // in:body
+ Body SecretInfoReport
+}
+
+// No such secret
+// swagger:response NoSuchSecret
+type SwagErrNoSuchSecret struct {
+ // in:body
+ Body struct {
+ errorhandling.ErrorModel
+ }
+}
+
+// Secret in use
+// swagger:response SecretInUse
+type SwagErrSecretInUse struct {
+ // in:body
+ Body struct {
+ errorhandling.ErrorModel
+ }
+}
diff --git a/pkg/domain/infra/abi/secrets.go b/pkg/domain/infra/abi/secrets.go
new file mode 100644
index 000000000..b1fe60e01
--- /dev/null
+++ b/pkg/domain/infra/abi/secrets.go
@@ -0,0 +1,138 @@
+package abi
+
+import (
+ "context"
+ "io"
+ "io/ioutil"
+ "path/filepath"
+
+ "github.com/containers/common/pkg/secrets"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+ "github.com/pkg/errors"
+)
+
+func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
+ data, _ := ioutil.ReadAll(reader)
+ secretsPath := ic.Libpod.GetSecretsStorageDir()
+ manager, err := secrets.NewManager(secretsPath)
+ if err != nil {
+ return nil, err
+ }
+ driverOptions := make(map[string]string)
+
+ if options.Driver == "" {
+ options.Driver = "file"
+ }
+ if options.Driver == "file" {
+ driverOptions["path"] = filepath.Join(secretsPath, "filedriver")
+ }
+ secretID, err := manager.Store(name, data, options.Driver, driverOptions)
+ if err != nil {
+ return nil, err
+ }
+ return &entities.SecretCreateReport{
+ ID: secretID,
+ }, nil
+}
+
+func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
+ secretsPath := ic.Libpod.GetSecretsStorageDir()
+ manager, err := secrets.NewManager(secretsPath)
+ if err != nil {
+ return nil, nil, err
+ }
+ errs := make([]error, 0, len(nameOrIDs))
+ reports := make([]*entities.SecretInfoReport, 0, len(nameOrIDs))
+ for _, nameOrID := range nameOrIDs {
+ secret, err := manager.Lookup(nameOrID)
+ if err != nil {
+ if errors.Cause(err).Error() == "no such secret" {
+ errs = append(errs, err)
+ continue
+ } else {
+ return nil, nil, errors.Wrapf(err, "error inspecting secret %s", nameOrID)
+ }
+ }
+ report := &entities.SecretInfoReport{
+ ID: secret.ID,
+ CreatedAt: secret.CreatedAt,
+ UpdatedAt: secret.CreatedAt,
+ Spec: entities.SecretSpec{
+ Name: secret.Name,
+ Driver: entities.SecretDriverSpec{
+ Name: secret.Driver,
+ },
+ },
+ }
+ reports = append(reports, report)
+
+ }
+
+ return reports, errs, nil
+}
+
+func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
+ secretsPath := ic.Libpod.GetSecretsStorageDir()
+ manager, err := secrets.NewManager(secretsPath)
+ if err != nil {
+ return nil, err
+ }
+ secretList, err := manager.List()
+ if err != nil {
+ return nil, err
+ }
+ report := make([]*entities.SecretInfoReport, 0, len(secretList))
+ for _, secret := range secretList {
+ reportItem := entities.SecretInfoReport{
+ ID: secret.ID,
+ CreatedAt: secret.CreatedAt,
+ UpdatedAt: secret.CreatedAt,
+ Spec: entities.SecretSpec{
+ Name: secret.Name,
+ Driver: entities.SecretDriverSpec{
+ Name: secret.Driver,
+ Options: secret.DriverOptions,
+ },
+ },
+ }
+ report = append(report, &reportItem)
+ }
+ return report, nil
+}
+
+func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, options entities.SecretRmOptions) ([]*entities.SecretRmReport, error) {
+ var (
+ err error
+ toRemove []string
+ reports = []*entities.SecretRmReport{}
+ )
+ secretsPath := ic.Libpod.GetSecretsStorageDir()
+ manager, err := secrets.NewManager(secretsPath)
+ if err != nil {
+ return nil, err
+ }
+ toRemove = nameOrIDs
+ if options.All {
+ allSecrs, err := manager.List()
+ if err != nil {
+ return nil, err
+ }
+ for _, secr := range allSecrs {
+ toRemove = append(toRemove, secr.ID)
+ }
+ }
+ for _, nameOrID := range toRemove {
+ deletedID, err := manager.Delete(nameOrID)
+ if err == nil || errors.Cause(err).Error() == "no such secret" {
+ reports = append(reports, &entities.SecretRmReport{
+ Err: err,
+ ID: deletedID,
+ })
+ continue
+ } else {
+ return nil, err
+ }
+ }
+
+ return reports, nil
+}
diff --git a/pkg/domain/infra/tunnel/secrets.go b/pkg/domain/infra/tunnel/secrets.go
new file mode 100644
index 000000000..f7c0f7d13
--- /dev/null
+++ b/pkg/domain/infra/tunnel/secrets.go
@@ -0,0 +1,82 @@
+package tunnel
+
+import (
+ "context"
+ "io"
+
+ "github.com/containers/podman/v2/pkg/bindings/secrets"
+ "github.com/containers/podman/v2/pkg/domain/entities"
+ "github.com/containers/podman/v2/pkg/errorhandling"
+ "github.com/pkg/errors"
+)
+
+func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
+ opts := new(secrets.CreateOptions).WithDriver(options.Driver).WithName(name)
+ created, _ := secrets.Create(ic.ClientCtx, reader, opts)
+ return created, nil
+}
+
+func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
+ allInspect := make([]*entities.SecretInfoReport, 0, len(nameOrIDs))
+ errs := make([]error, 0, len(nameOrIDs))
+ for _, name := range nameOrIDs {
+ inspected, err := secrets.Inspect(ic.ClientCtx, name, nil)
+ if err != nil {
+ errModel, ok := err.(errorhandling.ErrorModel)
+ if !ok {
+ return nil, nil, err
+ }
+ if errModel.ResponseCode == 404 {
+ errs = append(errs, errors.Errorf("no such secret %q", name))
+ continue
+ }
+ return nil, nil, err
+ }
+ allInspect = append(allInspect, inspected)
+ }
+ return allInspect, errs, nil
+}
+
+func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
+ secrs, _ := secrets.List(ic.ClientCtx, nil)
+ return secrs, nil
+}
+
+func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, options entities.SecretRmOptions) ([]*entities.SecretRmReport, error) {
+ allRm := make([]*entities.SecretRmReport, 0, len(nameOrIDs))
+ if options.All {
+ allSecrets, err := secrets.List(ic.ClientCtx, nil)
+ if err != nil {
+ return nil, err
+ }
+ for _, secret := range allSecrets {
+ allRm = append(allRm, &entities.SecretRmReport{
+ Err: secrets.Remove(ic.ClientCtx, secret.ID),
+ ID: secret.ID,
+ })
+ }
+ return allRm, nil
+ }
+ for _, name := range nameOrIDs {
+ secret, err := secrets.Inspect(ic.ClientCtx, name, nil)
+ if err != nil {
+ errModel, ok := err.(errorhandling.ErrorModel)
+ if !ok {
+ return nil, err
+ }
+ if errModel.ResponseCode == 404 {
+ allRm = append(allRm, &entities.SecretRmReport{
+ Err: errors.Errorf("no secret with name or id %q: no such secret ", name),
+ ID: "",
+ })
+ continue
+ }
+ }
+ allRm = append(allRm, &entities.SecretRmReport{
+ Err: secrets.Remove(ic.ClientCtx, name),
+ ID: secret.ID,
+ })
+
+ }
+ return allRm, nil
+}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 1bc050b00..74291325c 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -359,6 +359,10 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
options = append(options, libpod.WithHealthCheck(s.ContainerHealthCheckConfig.HealthConfig))
logrus.Debugf("New container has a health check")
}
+
+ if len(s.Secrets) != 0 {
+ options = append(options, libpod.WithSecrets(s.Secrets))
+ }
return options, nil
}
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index a6cc0a730..732579bf0 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -237,6 +237,9 @@ type ContainerStorageConfig struct {
// If not set, the default of rslave will be used.
// Optional.
RootfsPropagation string `json:"rootfs_propagation,omitempty"`
+ // Secrets are the secrets that will be added to the container
+ // Optional.
+ Secrets []string `json:"secrets,omitempty"`
}
// ContainerSecurityConfig is a container's security features, including