Merge pull request #9125 from ashley-cui/secretswiring

Implement Secrets
author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2021-02-09 17:51:08 +0100
committer: GitHub <noreply@github.com> 2021-02-09 17:51:08 +0100
commit: f98605e0e4f25c148b27cc617976357ff5b9d96e (patch)
tree: 6ffd63474853fcc7c2056964984e1fb88c3c0314 /pkg
parent: 9da4169e312bb822a0fbae8e18a0eb7c7eff6e64 (diff)
parent: 832a69b0bee6ec289521fbd59ddd480372493ee3 (diff)
download: podman-f98605e0e4f25c148b27cc617976357ff5b9d96e.tar.gz
podman-f98605e0e4f25c148b27cc617976357ff5b9d96e.tar.bz2
podman-f98605e0e4f25c148b27cc617976357ff5b9d96e.zip
19 files changed, 1269 insertions, 0 deletions
diff --git a/pkg/api/handlers/compat/secrets.go b/pkg/api/handlers/compat/secrets.go
new file mode 100644
index 000000000..ea2dfc707
--- /dev/null
+++ b/pkg/api/handlers/compat/secrets.go
@@ -0,0 +1,121 @@
+package compat
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/containers/podman/v2/libpod"
+	"github.com/containers/podman/v2/pkg/api/handlers/utils"
+	"github.com/containers/podman/v2/pkg/domain/entities"
+	"github.com/containers/podman/v2/pkg/domain/infra/abi"
+	"github.com/gorilla/schema"
+	"github.com/pkg/errors"
+)
+
+func ListSecrets(w http.ResponseWriter, r *http.Request) {
+	var (
+		runtime = r.Context().Value("runtime").(*libpod.Runtime)
+		decoder = r.Context().Value("decoder").(*schema.Decoder)
+	)
+	query := struct {
+		Filters map[string][]string `schema:"filters"`
+	}{}
+
+	if err := decoder.Decode(&query, r.URL.Query()); err != nil {
+		utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
+			errors.Wrapf(err, "failed to parse parameters for %s", r.URL.String()))
+		return
+	}
+	if len(query.Filters) > 0 {
+		utils.Error(w, "filters not supported", http.StatusBadRequest, errors.New("bad parameter"))
+	}
+	ic := abi.ContainerEngine{Libpod: runtime}
+	reports, err := ic.SecretList(r.Context())
+	if err != nil {
+		utils.InternalServerError(w, err)
+		return
+	}
+	utils.WriteResponse(w, http.StatusOK, reports)
+}
+
+func InspectSecret(w http.ResponseWriter, r *http.Request) {
+	var (
+		runtime = r.Context().Value("runtime").(*libpod.Runtime)
+	)
+	name := utils.GetName(r)
+	names := []string{name}
+	ic := abi.ContainerEngine{Libpod: runtime}
+	reports, errs, err := ic.SecretInspect(r.Context(), names)
+	if err != nil {
+		utils.InternalServerError(w, err)
+		return
+	}
+	if len(errs) > 0 {
+		utils.SecretNotFound(w, name, errs[0])
+		return
+	}
+	utils.WriteResponse(w, http.StatusOK, reports[0])
+
+}
+
+func RemoveSecret(w http.ResponseWriter, r *http.Request) {
+	var (
+		runtime = r.Context().Value("runtime").(*libpod.Runtime)
+	)
+
+	opts := entities.SecretRmOptions{}
+	name := utils.GetName(r)
+	ic := abi.ContainerEngine{Libpod: runtime}
+	reports, err := ic.SecretRm(r.Context(), []string{name}, opts)
+	if err != nil {
+		utils.InternalServerError(w, err)
+		return
+	}
+	if reports[0].Err != nil {
+		utils.SecretNotFound(w, name, reports[0].Err)
+		return
+	}
+	utils.WriteResponse(w, http.StatusNoContent, nil)
+}
+
+func CreateSecret(w http.ResponseWriter, r *http.Request) {
+	var (
+		runtime = r.Context().Value("runtime").(*libpod.Runtime)
+	)
+	opts := entities.SecretCreateOptions{}
+	createParams := struct {
+		*entities.SecretCreateRequest
+		Labels map[string]string `schema:"labels"`
+	}{}
+
+	if err := json.NewDecoder(r.Body).Decode(&createParams); err != nil {
+		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "Decode()"))
+		return
+	}
+	if len(createParams.Labels) > 0 {
+		utils.Error(w, "labels not supported", http.StatusBadRequest, errors.New("bad parameter"))
+	}
+
+	decoded, _ := base64.StdEncoding.DecodeString(createParams.Data)
+	reader := bytes.NewReader(decoded)
+	opts.Driver = createParams.Driver.Name
+
+	ic := abi.ContainerEngine{Libpod: runtime}
+	report, err := ic.SecretCreate(r.Context(), createParams.Name, reader, opts)
+	if err != nil {
+		if errors.Cause(err).Error() == "secret name in use" {
+			utils.Error(w, "name conflicts with an existing object", http.StatusConflict, err)
+			return
+		}
+		utils.InternalServerError(w, err)
+		return
+	}
+	utils.WriteResponse(w, http.StatusOK, report)
+}
+
+func UpdateSecret(w http.ResponseWriter, r *http.Request) {
+	utils.Error(w, fmt.Sprintf("unsupported endpoint: %v", r.Method), http.StatusNotImplemented, errors.New("update is not supported"))
+}
diff --git a/pkg/api/handlers/libpod/secrets.go b/pkg/api/handlers/libpod/secrets.go
new file mode 100644
index 000000000..447a5d021
--- /dev/null
+++ b/pkg/api/handlers/libpod/secrets.go
@@ -0,0 +1,40 @@
+package libpod
+
+import (
+	"net/http"
+
+	"github.com/containers/podman/v2/libpod"
+	"github.com/containers/podman/v2/pkg/api/handlers/utils"
+	"github.com/containers/podman/v2/pkg/domain/entities"
+	"github.com/containers/podman/v2/pkg/domain/infra/abi"
+	"github.com/gorilla/schema"
+	"github.com/pkg/errors"
+)
+
+func CreateSecret(w http.ResponseWriter, r *http.Request) {
+	var (
+		runtime = r.Context().Value("runtime").(*libpod.Runtime)
+		decoder = r.Context().Value("decoder").(*schema.Decoder)
+	)
+	query := struct {
+		Name   string `schema:"name"`
+		Driver string `schema:"driver"`
+	}{
+		// override any golang type defaults
+	}
+	opts := entities.SecretCreateOptions{}
+	if err := decoder.Decode(&query, r.URL.Query()); err != nil {
+		utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
+			errors.Wrapf(err, "failed to parse parameters for %s", r.URL.String()))
+		return
+	}
+	opts.Driver = query.Driver
+
+	ic := abi.ContainerEngine{Libpod: runtime}
+	report, err := ic.SecretCreate(r.Context(), query.Name, r.Body, opts)
+	if err != nil {
+		utils.InternalServerError(w, err)
+		return
+	}
+	utils.WriteResponse(w, http.StatusOK, report)
+}
diff --git a/pkg/api/handlers/utils/errors.go b/pkg/api/handlers/utils/errors.go
index e2c287c45..c8785fb89 100644
--- a/pkg/api/handlers/utils/errors.go
+++ b/pkg/api/handlers/utils/errors.go
@@ -80,6 +80,14 @@ func SessionNotFound(w http.ResponseWriter, name string, err error) {
 	Error(w, msg, http.StatusNotFound, err)
 }
 
+func SecretNotFound(w http.ResponseWriter, nameOrID string, err error) {
+	if errors.Cause(err).Error() != "no such secret" {
+		InternalServerError(w, err)
+	}
+	msg := fmt.Sprintf("No such secret: %s", nameOrID)
+	Error(w, msg, http.StatusNotFound, err)
+}
+
 func ContainerNotRunning(w http.ResponseWriter, containerID string, err error) {
 	msg := fmt.Sprintf("Container %s is not running", containerID)
 	Error(w, msg, http.StatusConflict, err)
diff --git a/pkg/api/server/register_secrets.go b/pkg/api/server/register_secrets.go
new file mode 100644
index 000000000..95abf83e8
--- /dev/null
+++ b/pkg/api/server/register_secrets.go
@@ -0,0 +1,194 @@
+package server
+
+import (
+	"net/http"
+
+	"github.com/containers/podman/v2/pkg/api/handlers/compat"
+	"github.com/containers/podman/v2/pkg/api/handlers/libpod"
+	"github.com/gorilla/mux"
+)
+
+func (s *APIServer) registerSecretHandlers(r *mux.Router) error {
+	// swagger:operation POST /libpod/secrets/create libpod libpodCreateSecret
+	// ---
+	// tags:
+	//  - secrets
+	// summary: Create a secret
+	// parameters:
+	//   - in: query
+	//     name: name
+	//     type: string
+	//     description: User-defined name of the secret.
+	//     required: true
+	//   - in: query
+	//     name: driver
+	//     type: string
+	//     description: Secret driver
+	//     default: "file"
+	//   - in: body
+	//     name: request
+	//     description: Secret
+	//     schema:
+	//       type: string
+	// produces:
+	// - application/json
+	// responses:
+	//   '201':
+	//     $ref: "#/responses/SecretCreateResponse"
+	//   '500':
+	//      "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/libpod/secrets/create"), s.APIHandler(libpod.CreateSecret)).Methods(http.MethodPost)
+	// swagger:operation GET /libpod/secrets/json libpod libpodListSecret
+	// ---
+	// tags:
+	//  - secrets
+	// summary: List secrets
+	// description: Returns a list of secrets
+	// produces:
+	// - application/json
+	// parameters:
+	// responses:
+	//   '200':
+	//     "$ref": "#/responses/SecretListResponse"
+	//   '500':
+	//      "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/libpod/secrets/json"), s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet)
+	// swagger:operation GET /libpod/secrets/{name}/json libpod libpodInspectSecret
+	// ---
+	// tags:
+	//  - secrets
+	// summary: Inspect secret
+	// parameters:
+	//  - in: path
+	//    name: name
+	//    type: string
+	//    required: true
+	//    description: the name or ID of the secret
+	// produces:
+	// - application/json
+	// responses:
+	//   '200':
+	//     "$ref": "#/responses/SecretInspectResponse"
+	//   '404':
+	//     "$ref": "#/responses/NoSuchSecret"
+	//   '500':
+	//     "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/libpod/secrets/{name}/json"), s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet)
+	// swagger:operation DELETE /libpod/secrets/{name} libpod libpodRemoveSecret
+	// ---
+	// tags:
+	//  - secrets
+	// summary: Remove secret
+	// parameters:
+	//  - in: path
+	//    name: name
+	//    type: string
+	//    required: true
+	//    description: the name or ID of the secret
+	//  - in: query
+	//    name: all
+	//    type: boolean
+	//    description: Remove all secrets
+	//    default: false
+	// produces:
+	// - application/json
+	// responses:
+	//   '204':
+	//     description: no error
+	//   '404':
+	//     "$ref": "#/responses/NoSuchSecret"
+	//   '500':
+	//     "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/libpod/secrets/{name}"), s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete)
+
+	/*
+	 * Docker compatibility endpoints
+	 */
+	// swagger:operation GET /secrets compat ListSecret
+	// ---
+	// tags:
+	//  - secrets (compat)
+	// summary: List secrets
+	// description: Returns a list of secrets
+	// produces:
+	// - application/json
+	// parameters:
+	// responses:
+	//   '200':
+	//     "$ref": "#/responses/SecretListResponse"
+	//   '500':
+	//      "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/secrets"), s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet)
+	r.Handle("/secrets", s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet)
+	// swagger:operation POST /secrets/create compat CreateSecret
+	// ---
+	// tags:
+	//  - secrets (compat)
+	// summary: Create a secret
+	// parameters:
+	//  - in: body
+	//    name: create
+	//    description: |
+	//      attributes for creating a secret
+	//    schema:
+	//      $ref: "#/definitions/SecretCreate"
+	// produces:
+	// - application/json
+	// responses:
+	//   '201':
+	//     $ref: "#/responses/SecretCreateResponse"
+	//   '409':
+	//     "$ref": "#/responses/SecretInUse"
+	//   '500':
+	//      "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/secrets/create"), s.APIHandler(compat.CreateSecret)).Methods(http.MethodPost)
+	r.Handle("/secrets/create", s.APIHandler(compat.CreateSecret)).Methods(http.MethodPost)
+	// swagger:operation GET /secrets/{name} compat InspectSecret
+	// ---
+	// tags:
+	//  - secrets (compat)
+	// summary: Inspect secret
+	// parameters:
+	//  - in: path
+	//    name: name
+	//    type: string
+	//    required: true
+	//    description: the name or ID of the secret
+	// produces:
+	// - application/json
+	// responses:
+	//   '200':
+	//     "$ref": "#/responses/SecretInspectResponse"
+	//   '404':
+	//     "$ref": "#/responses/NoSuchSecret"
+	//   '500':
+	//     "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/secrets/{name}"), s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet)
+	r.Handle("/secrets/{name}", s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet)
+	// swagger:operation DELETE /secrets/{name} compat RemoveSecret
+	// ---
+	// tags:
+	//  - secrets (compat)
+	// summary: Remove secret
+	// parameters:
+	//  - in: path
+	//    name: name
+	//    type: string
+	//    required: true
+	//    description: the name or ID of the secret
+	// produces:
+	// - application/json
+	// responses:
+	//   '204':
+	//     description: no error
+	//   '404':
+	//     "$ref": "#/responses/NoSuchSecret"
+	//   '500':
+	//     "$ref": "#/responses/InternalError"
+	r.Handle(VersionedPath("/secrets/{name}"), s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete)
+	r.Handle("/secret/{name}", s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete)
+
+	r.Handle(VersionedPath("/secrets/{name}/update"), s.APIHandler(compat.UpdateSecret)).Methods(http.MethodPost)
+	r.Handle("/secrets/{name}/update", s.APIHandler(compat.UpdateSecret)).Methods(http.MethodPost)
+	return nil
+}
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index d612041f6..6926eda62 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -124,6 +124,7 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li
 		server.registerPlayHandlers,
 		server.registerPluginsHandlers,
 		server.registerPodsHandlers,
+		server.registerSecretHandlers,
 		server.RegisterSwaggerHandlers,
 		server.registerSwarmHandlers,
 		server.registerSystemHandlers,
diff --git a/pkg/api/tags.yaml b/pkg/api/tags.yaml
index 0cfb3f440..bb56098eb 100644
--- a/pkg/api/tags.yaml
+++ b/pkg/api/tags.yaml
@@ -13,6 +13,8 @@ tags:
       description: Actions related to pods
     - name: volumes
       description: Actions related to volumes
+    - name: secrets
+      description: Actions related to secrets
     - name: system
       description: Actions related to Podman engine
     - name: containers (compat)
@@ -25,5 +27,7 @@ tags:
       description: Actions related to compatibility networks
     - name: volumes (compat)
       description: Actions related to volumes for the compatibility endpoints
+    - name: secrets (compat)
+      description: Actions related to secrets for the compatibility endpoints
     - name: system (compat)
       description: Actions related to Podman and compatibility engines
diff --git a/pkg/bindings/secrets/secrets.go b/pkg/bindings/secrets/secrets.go
new file mode 100644
index 000000000..3fd70dcad
--- /dev/null
+++ b/pkg/bindings/secrets/secrets.go
@@ -0,0 +1,78 @@
+package secrets
+
+import (
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/containers/podman/v2/pkg/bindings"
+	"github.com/containers/podman/v2/pkg/domain/entities"
+)
+
+// List returns information about existing secrets in the form of a slice.
+func List(ctx context.Context, options *ListOptions) ([]*entities.SecretInfoReport, error) {
+	var (
+		secrs []*entities.SecretInfoReport
+	)
+	conn, err := bindings.GetClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+	response, err := conn.DoRequest(nil, http.MethodGet, "/secrets/json", nil, nil)
+	if err != nil {
+		return secrs, err
+	}
+	return secrs, response.Process(&secrs)
+}
+
+// Inspect returns low-level information about a secret.
+func Inspect(ctx context.Context, nameOrID string, options *InspectOptions) (*entities.SecretInfoReport, error) {
+	var (
+		inspect *entities.SecretInfoReport
+	)
+	conn, err := bindings.GetClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+	response, err := conn.DoRequest(nil, http.MethodGet, "/secrets/%s/json", nil, nil, nameOrID)
+	if err != nil {
+		return inspect, err
+	}
+	return inspect, response.Process(&inspect)
+}
+
+// Remove removes a secret from storage
+func Remove(ctx context.Context, nameOrID string) error {
+	conn, err := bindings.GetClient(ctx)
+	if err != nil {
+		return err
+	}
+
+	response, err := conn.DoRequest(nil, http.MethodDelete, "/secrets/%s", nil, nil, nameOrID)
+	if err != nil {
+		return err
+	}
+	return response.Process(nil)
+}
+
+// Create creates a secret given some data
+func Create(ctx context.Context, reader io.Reader, options *CreateOptions) (*entities.SecretCreateReport, error) {
+	var (
+		create *entities.SecretCreateReport
+	)
+	conn, err := bindings.GetClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	params, err := options.ToParams()
+	if err != nil {
+		return nil, err
+	}
+
+	response, err := conn.DoRequest(reader, http.MethodPost, "/secrets/create", params, nil)
+	if err != nil {
+		return nil, err
+	}
+	return create, response.Process(&create)
+}
diff --git a/pkg/bindings/secrets/types.go b/pkg/bindings/secrets/types.go
new file mode 100644
index 000000000..a98e894dc
--- /dev/null
+++ b/pkg/bindings/secrets/types.go
@@ -0,0 +1,23 @@
+package secrets
+
+//go:generate go run ../generator/generator.go ListOptions
+// ListOptions are optional options for inspecting secrets
+type ListOptions struct {
+}
+
+//go:generate go run ../generator/generator.go InspectOptions
+// InspectOptions are optional options for inspecting secrets
+type InspectOptions struct {
+}
+
+//go:generate go run ../generator/generator.go RemoveOptions
+// RemoveOptions are optional options for removing secrets
+type RemoveOptions struct {
+}
+
+//go:generate go run ../generator/generator.go CreateOptions
+// CreateOptions are optional options for Creating secrets
+type CreateOptions struct {
+	Driver *string
+	Name   *string
+}
diff --git a/pkg/bindings/secrets/types_create_options.go b/pkg/bindings/secrets/types_create_options.go
new file mode 100644
index 000000000..84cf38fa3
--- /dev/null
+++ b/pkg/bindings/secrets/types_create_options.go
@@ -0,0 +1,107 @@
+package secrets
+
+import (
+	"net/url"
+	"reflect"
+	"strings"
+
+	"github.com/containers/podman/v2/pkg/bindings/util"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate.  Do not edit.
+*/
+
+// Changed
+func (o *CreateOptions) Changed(fieldName string) bool {
+	r := reflect.ValueOf(o)
+	value := reflect.Indirect(r).FieldByName(fieldName)
+	return !value.IsNil()
+}
+
+// ToParams
+func (o *CreateOptions) ToParams() (url.Values, error) {
+	params := url.Values{}
+	if o == nil {
+		return params, nil
+	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
+	s := reflect.ValueOf(o)
+	if reflect.Ptr == s.Kind() {
+		s = s.Elem()
+	}
+	sType := s.Type()
+	for i := 0; i < s.NumField(); i++ {
+		fieldName := sType.Field(i).Name
+		if !o.Changed(fieldName) {
+			continue
+		}
+		fieldName = strings.ToLower(fieldName)
+		f := s.Field(i)
+		if reflect.Ptr == f.Kind() {
+			f = f.Elem()
+		}
+		switch {
+		case util.IsSimpleType(f):
+			params.Set(fieldName, util.SimpleTypeToParam(f))
+		case f.Kind() == reflect.Slice:
+			for i := 0; i < f.Len(); i++ {
+				elem := f.Index(i)
+				if util.IsSimpleType(elem) {
+					params.Add(fieldName, util.SimpleTypeToParam(elem))
+				} else {
+					return nil, errors.New("slices must contain only simple types")
+				}
+			}
+		case f.Kind() == reflect.Map:
+			lowerCaseKeys := make(map[string][]string)
+			iter := f.MapRange()
+			for iter.Next() {
+				lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+			}
+			s, err := json.MarshalToString(lowerCaseKeys)
+			if err != nil {
+				return nil, err
+			}
+
+			params.Set(fieldName, s)
+		}
+
+	}
+	return params, nil
+}
+
+// WithDriver
+func (o *CreateOptions) WithDriver(value string) *CreateOptions {
+	v := &value
+	o.Driver = v
+	return o
+}
+
+// GetDriver
+func (o *CreateOptions) GetDriver() string {
+	var driver string
+	if o.Driver == nil {
+		return driver
+	}
+	return *o.Driver
+}
+
+// WithName
+func (o *CreateOptions) WithName(value string) *CreateOptions {
+	v := &value
+	o.Name = v
+	return o
+}
+
+// GetName
+func (o *CreateOptions) GetName() string {
+	var name string
+	if o.Name == nil {
+		return name
+	}
+	return *o.Name
+}
diff --git a/pkg/bindings/secrets/types_inspect_options.go b/pkg/bindings/secrets/types_inspect_options.go
new file mode 100644
index 000000000..cd36b0531
--- /dev/null
+++ b/pkg/bindings/secrets/types_inspect_options.go
@@ -0,0 +1,75 @@
+package secrets
+
+import (
+	"net/url"
+	"reflect"
+	"strings"
+
+	"github.com/containers/podman/v2/pkg/bindings/util"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate.  Do not edit.
+*/
+
+// Changed
+func (o *InspectOptions) Changed(fieldName string) bool {
+	r := reflect.ValueOf(o)
+	value := reflect.Indirect(r).FieldByName(fieldName)
+	return !value.IsNil()
+}
+
+// ToParams
+func (o *InspectOptions) ToParams() (url.Values, error) {
+	params := url.Values{}
+	if o == nil {
+		return params, nil
+	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
+	s := reflect.ValueOf(o)
+	if reflect.Ptr == s.Kind() {
+		s = s.Elem()
+	}
+	sType := s.Type()
+	for i := 0; i < s.NumField(); i++ {
+		fieldName := sType.Field(i).Name
+		if !o.Changed(fieldName) {
+			continue
+		}
+		fieldName = strings.ToLower(fieldName)
+		f := s.Field(i)
+		if reflect.Ptr == f.Kind() {
+			f = f.Elem()
+		}
+		switch {
+		case util.IsSimpleType(f):
+			params.Set(fieldName, util.SimpleTypeToParam(f))
+		case f.Kind() == reflect.Slice:
+			for i := 0; i < f.Len(); i++ {
+				elem := f.Index(i)
+				if util.IsSimpleType(elem) {
+					params.Add(fieldName, util.SimpleTypeToParam(elem))
+				} else {
+					return nil, errors.New("slices must contain only simple types")
+				}
+			}
+		case f.Kind() == reflect.Map:
+			lowerCaseKeys := make(map[string][]string)
+			iter := f.MapRange()
+			for iter.Next() {
+				lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+			}
+			s, err := json.MarshalToString(lowerCaseKeys)
+			if err != nil {
+				return nil, err
+			}
+
+			params.Set(fieldName, s)
+		}
+
+	}
+	return params, nil
+}
diff --git a/pkg/bindings/secrets/types_list_options.go b/pkg/bindings/secrets/types_list_options.go
new file mode 100644
index 000000000..d313d8f73
--- /dev/null
+++ b/pkg/bindings/secrets/types_list_options.go
@@ -0,0 +1,75 @@
+package secrets
+
+import (
+	"net/url"
+	"reflect"
+	"strings"
+
+	"github.com/containers/podman/v2/pkg/bindings/util"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate.  Do not edit.
+*/
+
+// Changed
+func (o *ListOptions) Changed(fieldName string) bool {
+	r := reflect.ValueOf(o)
+	value := reflect.Indirect(r).FieldByName(fieldName)
+	return !value.IsNil()
+}
+
+// ToParams
+func (o *ListOptions) ToParams() (url.Values, error) {
+	params := url.Values{}
+	if o == nil {
+		return params, nil
+	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
+	s := reflect.ValueOf(o)
+	if reflect.Ptr == s.Kind() {
+		s = s.Elem()
+	}
+	sType := s.Type()
+	for i := 0; i < s.NumField(); i++ {
+		fieldName := sType.Field(i).Name
+		if !o.Changed(fieldName) {
+			continue
+		}
+		fieldName = strings.ToLower(fieldName)
+		f := s.Field(i)
+		if reflect.Ptr == f.Kind() {
+			f = f.Elem()
+		}
+		switch {
+		case util.IsSimpleType(f):
+			params.Set(fieldName, util.SimpleTypeToParam(f))
+		case f.Kind() == reflect.Slice:
+			for i := 0; i < f.Len(); i++ {
+				elem := f.Index(i)
+				if util.IsSimpleType(elem) {
+					params.Add(fieldName, util.SimpleTypeToParam(elem))
+				} else {
+					return nil, errors.New("slices must contain only simple types")
+				}
+			}
+		case f.Kind() == reflect.Map:
+			lowerCaseKeys := make(map[string][]string)
+			iter := f.MapRange()
+			for iter.Next() {
+				lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+			}
+			s, err := json.MarshalToString(lowerCaseKeys)
+			if err != nil {
+				return nil, err
+			}
+
+			params.Set(fieldName, s)
+		}
+
+	}
+	return params, nil
+}
diff --git a/pkg/bindings/secrets/types_remove_options.go b/pkg/bindings/secrets/types_remove_options.go
new file mode 100644
index 000000000..ca970e30e
--- /dev/null
+++ b/pkg/bindings/secrets/types_remove_options.go
@@ -0,0 +1,75 @@
+package secrets
+
+import (
+	"net/url"
+	"reflect"
+	"strings"
+
+	"github.com/containers/podman/v2/pkg/bindings/util"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/pkg/errors"
+)
+
+/*
+This file is generated automatically by go generate.  Do not edit.
+*/
+
+// Changed
+func (o *RemoveOptions) Changed(fieldName string) bool {
+	r := reflect.ValueOf(o)
+	value := reflect.Indirect(r).FieldByName(fieldName)
+	return !value.IsNil()
+}
+
+// ToParams
+func (o *RemoveOptions) ToParams() (url.Values, error) {
+	params := url.Values{}
+	if o == nil {
+		return params, nil
+	}
+	json := jsoniter.ConfigCompatibleWithStandardLibrary
+	s := reflect.ValueOf(o)
+	if reflect.Ptr == s.Kind() {
+		s = s.Elem()
+	}
+	sType := s.Type()
+	for i := 0; i < s.NumField(); i++ {
+		fieldName := sType.Field(i).Name
+		if !o.Changed(fieldName) {
+			continue
+		}
+		fieldName = strings.ToLower(fieldName)
+		f := s.Field(i)
+		if reflect.Ptr == f.Kind() {
+			f = f.Elem()
+		}
+		switch {
+		case util.IsSimpleType(f):
+			params.Set(fieldName, util.SimpleTypeToParam(f))
+		case f.Kind() == reflect.Slice:
+			for i := 0; i < f.Len(); i++ {
+				elem := f.Index(i)
+				if util.IsSimpleType(elem) {
+					params.Add(fieldName, util.SimpleTypeToParam(elem))
+				} else {
+					return nil, errors.New("slices must contain only simple types")
+				}
+			}
+		case f.Kind() == reflect.Map:
+			lowerCaseKeys := make(map[string][]string)
+			iter := f.MapRange()
+			for iter.Next() {
+				lowerCaseKeys[iter.Key().Interface().(string)] = iter.Value().Interface().([]string)
+
+			}
+			s, err := json.MarshalToString(lowerCaseKeys)
+			if err != nil {
+				return nil, err
+			}
+
+			params.Set(fieldName, s)
+		}
+
+	}
+	return params, nil
+}
diff --git a/pkg/bindings/test/secrets_test.go b/pkg/bindings/test/secrets_test.go
new file mode 100644
index 000000000..17c043e4b
--- /dev/null
+++ b/pkg/bindings/test/secrets_test.go
@@ -0,0 +1,133 @@
+package test_bindings
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/containers/podman/v2/pkg/bindings"
+	"github.com/containers/podman/v2/pkg/bindings/secrets"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gexec"
+)
+
+var _ = Describe("Podman secrets", func() {
+	var (
+		bt       *bindingTest
+		s        *gexec.Session
+		connText context.Context
+		err      error
+	)
+
+	BeforeEach(func() {
+		bt = newBindingTest()
+		bt.RestoreImagesFromCache()
+		s = bt.startAPIService()
+		time.Sleep(1 * time.Second)
+		connText, err = bindings.NewConnection(context.Background(), bt.sock)
+		Expect(err).To(BeNil())
+	})
+
+	AfterEach(func() {
+
+		s.Kill()
+		bt.cleanup()
+	})
+
+	It("create secret", func() {
+		r := strings.NewReader("mysecret")
+		name := "mysecret"
+		opts := &secrets.CreateOptions{
+			Name: &name,
+		}
+		_, err := secrets.Create(connText, r, opts)
+		Expect(err).To(BeNil())
+
+		// should not be allowed to create duplicate secret name
+		_, err = secrets.Create(connText, r, opts)
+		Expect(err).To(Not(BeNil()))
+	})
+
+	It("inspect secret", func() {
+		r := strings.NewReader("mysecret")
+		name := "mysecret"
+		opts := &secrets.CreateOptions{
+			Name: &name,
+		}
+		_, err := secrets.Create(connText, r, opts)
+		Expect(err).To(BeNil())
+
+		data, err := secrets.Inspect(connText, name, nil)
+		Expect(err).To(BeNil())
+		Expect(data.Spec.Name).To(Equal(name))
+
+		// inspecting non-existent secret should fail
+		data, err = secrets.Inspect(connText, "notasecret", nil)
+		code, _ := bindings.CheckResponseCode(err)
+		Expect(code).To(BeNumerically("==", http.StatusNotFound))
+	})
+
+	It("list secret", func() {
+		r := strings.NewReader("mysecret")
+		name := "mysecret"
+		opts := &secrets.CreateOptions{
+			Name: &name,
+		}
+		_, err := secrets.Create(connText, r, opts)
+		Expect(err).To(BeNil())
+
+		data, err := secrets.List(connText, nil)
+		Expect(err).To(BeNil())
+		Expect(data[0].Spec.Name).To(Equal(name))
+	})
+
+	It("list multiple secret", func() {
+		r := strings.NewReader("mysecret")
+		name := "mysecret"
+		opts := &secrets.CreateOptions{
+			Name: &name,
+		}
+		_, err := secrets.Create(connText, r, opts)
+		Expect(err).To(BeNil())
+
+		r2 := strings.NewReader("mysecret2")
+		name2 := "mysecret2"
+		opts2 := &secrets.CreateOptions{
+			Name: &name2,
+		}
+		_, err = secrets.Create(connText, r2, opts2)
+		Expect(err).To(BeNil())
+
+		data, err := secrets.List(connText, nil)
+		Expect(err).To(BeNil())
+		Expect(len(data)).To(Equal(2))
+	})
+
+	It("list no secrets", func() {
+		data, err := secrets.List(connText, nil)
+		Expect(err).To(BeNil())
+		Expect(len(data)).To(Equal(0))
+	})
+
+	It("remove secret", func() {
+		r := strings.NewReader("mysecret")
+		name := "mysecret"
+		opts := &secrets.CreateOptions{
+			Name: &name,
+		}
+		_, err := secrets.Create(connText, r, opts)
+		Expect(err).To(BeNil())
+
+		err = secrets.Remove(connText, name)
+		Expect(err).To(BeNil())
+
+		// removing non-existent secret should fail
+		err = secrets.Remove(connText, "nosecret")
+		Expect(err).To(Not(BeNil()))
+		code, _ := bindings.CheckResponseCode(err)
+		Expect(code).To(BeNumerically("==", http.StatusNotFound))
+	})
+
+})
diff --git a/pkg/domain/entities/engine_container.go b/pkg/domain/entities/engine_container.go
index 2c97d7baf..d43b422a3 100644
--- a/pkg/domain/entities/engine_container.go
+++ b/pkg/domain/entities/engine_container.go
@@ -82,6 +82,10 @@ type ContainerEngine interface {
 	PodTop(ctx context.Context, options PodTopOptions) (*StringSliceReport, error)
 	PodUnpause(ctx context.Context, namesOrIds []string, options PodunpauseOptions) ([]*PodUnpauseReport, error)
 	SetupRootless(ctx context.Context, cmd *cobra.Command) error
+	SecretCreate(ctx context.Context, name string, reader io.Reader, options SecretCreateOptions) (*SecretCreateReport, error)
+	SecretInspect(ctx context.Context, nameOrIDs []string) ([]*SecretInfoReport, []error, error)
+	SecretList(ctx context.Context) ([]*SecretInfoReport, error)
+	SecretRm(ctx context.Context, nameOrID []string, opts SecretRmOptions) ([]*SecretRmReport, error)
 	Shutdown(ctx context.Context)
 	SystemDf(ctx context.Context, options SystemDfOptions) (*SystemDfReport, error)
 	Unshare(ctx context.Context, args []string) error
diff --git a/pkg/domain/entities/secrets.go b/pkg/domain/entities/secrets.go
new file mode 100644
index 000000000..3cad4c099
--- /dev/null
+++ b/pkg/domain/entities/secrets.go
@@ -0,0 +1,104 @@
+package entities
+
+import (
+	"time"
+
+	"github.com/containers/podman/v2/pkg/errorhandling"
+)
+
+type SecretCreateReport struct {
+	ID string
+}
+
+type SecretCreateOptions struct {
+	Driver string
+}
+
+type SecretListRequest struct {
+	Filters map[string]string
+}
+
+type SecretListReport struct {
+	ID        string
+	Name      string
+	Driver    string
+	CreatedAt string
+	UpdatedAt string
+}
+
+type SecretRmOptions struct {
+	All bool
+}
+
+type SecretRmReport struct {
+	ID  string
+	Err error
+}
+
+type SecretInfoReport struct {
+	ID        string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+	Spec      SecretSpec
+}
+
+type SecretSpec struct {
+	Name   string
+	Driver SecretDriverSpec
+}
+
+type SecretDriverSpec struct {
+	Name    string
+	Options map[string]string
+}
+
+// swagger:model SecretCreate
+type SecretCreateRequest struct {
+	// User-defined name of the secret.
+	Name string
+	// Base64-url-safe-encoded (RFC 4648) data to store as secret.
+	Data string
+	// Driver represents a driver (default "file")
+	Driver SecretDriverSpec
+}
+
+// Secret create response
+// swagger:response SecretCreateResponse
+type SwagSecretCreateResponse struct {
+	// in:body
+	Body struct {
+		SecretCreateReport
+	}
+}
+
+// Secret list response
+// swagger:response SecretListResponse
+type SwagSecretListResponse struct {
+	// in:body
+	Body []*SecretInfoReport
+}
+
+// Secret inspect response
+// swagger:response SecretInspectResponse
+type SwagSecretInspectResponse struct {
+	// in:body
+	Body SecretInfoReport
+}
+
+// No such secret
+// swagger:response NoSuchSecret
+type SwagErrNoSuchSecret struct {
+	// in:body
+	Body struct {
+		errorhandling.ErrorModel
+	}
+}
+
+// Secret in use
+// swagger:response SecretInUse
+type SwagErrSecretInUse struct {
+	// in:body
+	Body struct {
+		errorhandling.ErrorModel
+	}
+}
diff --git a/pkg/domain/infra/abi/secrets.go b/pkg/domain/infra/abi/secrets.go
new file mode 100644
index 000000000..b1fe60e01
--- /dev/null
+++ b/pkg/domain/infra/abi/secrets.go
@@ -0,0 +1,138 @@
+package abi
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"path/filepath"
+
+	"github.com/containers/common/pkg/secrets"
+	"github.com/containers/podman/v2/pkg/domain/entities"
+	"github.com/pkg/errors"
+)
+
+func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
+	data, _ := ioutil.ReadAll(reader)
+	secretsPath := ic.Libpod.GetSecretsStorageDir()
+	manager, err := secrets.NewManager(secretsPath)
+	if err != nil {
+		return nil, err
+	}
+	driverOptions := make(map[string]string)
+
+	if options.Driver == "" {
+		options.Driver = "file"
+	}
+	if options.Driver == "file" {
+		driverOptions["path"] = filepath.Join(secretsPath, "filedriver")
+	}
+	secretID, err := manager.Store(name, data, options.Driver, driverOptions)
+	if err != nil {
+		return nil, err
+	}
+	return &entities.SecretCreateReport{
+		ID: secretID,
+	}, nil
+}
+
+func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
+	secretsPath := ic.Libpod.GetSecretsStorageDir()
+	manager, err := secrets.NewManager(secretsPath)
+	if err != nil {
+		return nil, nil, err
+	}
+	errs := make([]error, 0, len(nameOrIDs))
+	reports := make([]*entities.SecretInfoReport, 0, len(nameOrIDs))
+	for _, nameOrID := range nameOrIDs {
+		secret, err := manager.Lookup(nameOrID)
+		if err != nil {
+			if errors.Cause(err).Error() == "no such secret" {
+				errs = append(errs, err)
+				continue
+			} else {
+				return nil, nil, errors.Wrapf(err, "error inspecting secret %s", nameOrID)
+			}
+		}
+		report := &entities.SecretInfoReport{
+			ID:        secret.ID,
+			CreatedAt: secret.CreatedAt,
+			UpdatedAt: secret.CreatedAt,
+			Spec: entities.SecretSpec{
+				Name: secret.Name,
+				Driver: entities.SecretDriverSpec{
+					Name: secret.Driver,
+				},
+			},
+		}
+		reports = append(reports, report)
+
+	}
+
+	return reports, errs, nil
+}
+
+func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
+	secretsPath := ic.Libpod.GetSecretsStorageDir()
+	manager, err := secrets.NewManager(secretsPath)
+	if err != nil {
+		return nil, err
+	}
+	secretList, err := manager.List()
+	if err != nil {
+		return nil, err
+	}
+	report := make([]*entities.SecretInfoReport, 0, len(secretList))
+	for _, secret := range secretList {
+		reportItem := entities.SecretInfoReport{
+			ID:        secret.ID,
+			CreatedAt: secret.CreatedAt,
+			UpdatedAt: secret.CreatedAt,
+			Spec: entities.SecretSpec{
+				Name: secret.Name,
+				Driver: entities.SecretDriverSpec{
+					Name:    secret.Driver,
+					Options: secret.DriverOptions,
+				},
+			},
+		}
+		report = append(report, &reportItem)
+	}
+	return report, nil
+}
+
+func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, options entities.SecretRmOptions) ([]*entities.SecretRmReport, error) {
+	var (
+		err      error
+		toRemove []string
+		reports  = []*entities.SecretRmReport{}
+	)
+	secretsPath := ic.Libpod.GetSecretsStorageDir()
+	manager, err := secrets.NewManager(secretsPath)
+	if err != nil {
+		return nil, err
+	}
+	toRemove = nameOrIDs
+	if options.All {
+		allSecrs, err := manager.List()
+		if err != nil {
+			return nil, err
+		}
+		for _, secr := range allSecrs {
+			toRemove = append(toRemove, secr.ID)
+		}
+	}
+	for _, nameOrID := range toRemove {
+		deletedID, err := manager.Delete(nameOrID)
+		if err == nil || errors.Cause(err).Error() == "no such secret" {
+			reports = append(reports, &entities.SecretRmReport{
+				Err: err,
+				ID:  deletedID,
+			})
+			continue
+		} else {
+			return nil, err
+		}
+	}
+
+	return reports, nil
+}
diff --git a/pkg/domain/infra/tunnel/secrets.go b/pkg/domain/infra/tunnel/secrets.go
new file mode 100644
index 000000000..f7c0f7d13
--- /dev/null
+++ b/pkg/domain/infra/tunnel/secrets.go
@@ -0,0 +1,82 @@
+package tunnel
+
+import (
+	"context"
+	"io"
+
+	"github.com/containers/podman/v2/pkg/bindings/secrets"
+	"github.com/containers/podman/v2/pkg/domain/entities"
+	"github.com/containers/podman/v2/pkg/errorhandling"
+	"github.com/pkg/errors"
+)
+
+func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
+	opts := new(secrets.CreateOptions).WithDriver(options.Driver).WithName(name)
+	created, _ := secrets.Create(ic.ClientCtx, reader, opts)
+	return created, nil
+}
+
+func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
+	allInspect := make([]*entities.SecretInfoReport, 0, len(nameOrIDs))
+	errs := make([]error, 0, len(nameOrIDs))
+	for _, name := range nameOrIDs {
+		inspected, err := secrets.Inspect(ic.ClientCtx, name, nil)
+		if err != nil {
+			errModel, ok := err.(errorhandling.ErrorModel)
+			if !ok {
+				return nil, nil, err
+			}
+			if errModel.ResponseCode == 404 {
+				errs = append(errs, errors.Errorf("no such secret %q", name))
+				continue
+			}
+			return nil, nil, err
+		}
+		allInspect = append(allInspect, inspected)
+	}
+	return allInspect, errs, nil
+}
+
+func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
+	secrs, _ := secrets.List(ic.ClientCtx, nil)
+	return secrs, nil
+}
+
+func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, options entities.SecretRmOptions) ([]*entities.SecretRmReport, error) {
+	allRm := make([]*entities.SecretRmReport, 0, len(nameOrIDs))
+	if options.All {
+		allSecrets, err := secrets.List(ic.ClientCtx, nil)
+		if err != nil {
+			return nil, err
+		}
+		for _, secret := range allSecrets {
+			allRm = append(allRm, &entities.SecretRmReport{
+				Err: secrets.Remove(ic.ClientCtx, secret.ID),
+				ID:  secret.ID,
+			})
+		}
+		return allRm, nil
+	}
+	for _, name := range nameOrIDs {
+		secret, err := secrets.Inspect(ic.ClientCtx, name, nil)
+		if err != nil {
+			errModel, ok := err.(errorhandling.ErrorModel)
+			if !ok {
+				return nil, err
+			}
+			if errModel.ResponseCode == 404 {
+				allRm = append(allRm, &entities.SecretRmReport{
+					Err: errors.Errorf("no secret with name or id %q: no such secret ", name),
+					ID:  "",
+				})
+				continue
+			}
+		}
+		allRm = append(allRm, &entities.SecretRmReport{
+			Err: secrets.Remove(ic.ClientCtx, name),
+			ID:  secret.ID,
+		})
+
+	}
+	return allRm, nil
+}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 1bc050b00..74291325c 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -359,6 +359,10 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 		options = append(options, libpod.WithHealthCheck(s.ContainerHealthCheckConfig.HealthConfig))
 		logrus.Debugf("New container has a health check")
 	}
+
+	if len(s.Secrets) != 0 {
+		options = append(options, libpod.WithSecrets(s.Secrets))
+	}
 	return options, nil
 }
 
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index a6cc0a730..732579bf0 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -237,6 +237,9 @@ type ContainerStorageConfig struct {
 	// If not set, the default of rslave will be used.
 	// Optional.
 	RootfsPropagation string `json:"rootfs_propagation,omitempty"`
+	// Secrets are the secrets that will be added to the container
+	// Optional.
+	Secrets []string `json:"secrets,omitempty"`
 }
 
 // ContainerSecurityConfig is a container's security features, including
author	OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>	2021-02-09 17:51:08 +0100
committer	GitHub <noreply@github.com>	2021-02-09 17:51:08 +0100
commit	f98605e0e4f25c148b27cc617976357ff5b9d96e (patch)
tree	6ffd63474853fcc7c2056964984e1fb88c3c0314 /pkg
parent	9da4169e312bb822a0fbae8e18a0eb7c7eff6e64 (diff)
parent	832a69b0bee6ec289521fbd59ddd480372493ee3 (diff)
download	podman-f98605e0e4f25c148b27cc617976357ff5b9d96e.tar.gz podman-f98605e0e4f25c148b27cc617976357ff5b9d96e.tar.bz2 podman-f98605e0e4f25c148b27cc617976357ff5b9d96e.zip