summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorAshley Cui <acui@redhat.com>2021-05-14 16:29:44 -0400
committerAshley Cui <acui@redhat.com>2021-05-17 14:35:55 -0400
commitcf30f160ad599cac0f3dc300f673d88f60128275 (patch)
tree140d265481fc1b2e02a0f903729253e6c631dada /pkg
parent2b0b97150a01c5a3c1706dd369a0caeb5cf6ec09 (diff)
downloadpodman-cf30f160ad599cac0f3dc300f673d88f60128275.tar.gz
podman-cf30f160ad599cac0f3dc300f673d88f60128275.tar.bz2
podman-cf30f160ad599cac0f3dc300f673d88f60128275.zip
Support uid,gid,mode options for secrets
Support UID, GID, Mode options for mount type secrets. Also, change default secret permissions to 444 so all users can read secret. Signed-off-by: Ashley Cui <acui@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/domain/infra/abi/play.go3
-rw-r--r--pkg/domain/infra/abi/secrets.go12
-rw-r--r--pkg/specgen/generate/container_create.go19
-rw-r--r--pkg/specgen/specgen.go9
4 files changed, 31 insertions, 12 deletions
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index a94c5f5c5..0ac9b5d8d 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -12,7 +12,6 @@ import (
"github.com/containers/common/libimage"
"github.com/containers/common/pkg/config"
- "github.com/containers/common/pkg/secrets"
"github.com/containers/image/v5/types"
"github.com/containers/podman/v3/libpod"
"github.com/containers/podman/v3/libpod/define"
@@ -161,7 +160,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
)
// Create the secret manager before hand
- secretsManager, err := secrets.NewManager(ic.Libpod.GetSecretsStorageDir())
+ secretsManager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
diff --git a/pkg/domain/infra/abi/secrets.go b/pkg/domain/infra/abi/secrets.go
index 764f4a9dc..1e1cbc70f 100644
--- a/pkg/domain/infra/abi/secrets.go
+++ b/pkg/domain/infra/abi/secrets.go
@@ -6,7 +6,6 @@ import (
"io/ioutil"
"path/filepath"
- "github.com/containers/common/pkg/secrets"
"github.com/containers/podman/v3/pkg/domain/entities"
"github.com/pkg/errors"
)
@@ -14,7 +13,7 @@ import (
func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
data, _ := ioutil.ReadAll(reader)
secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
@@ -36,8 +35,7 @@ func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader
}
func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
- secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, nil, err
}
@@ -71,8 +69,7 @@ func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string
}
func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
- secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
@@ -105,8 +102,7 @@ func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, opt
toRemove []string
reports = []*entities.SecretRmReport{}
)
- secretsPath := ic.Libpod.GetSecretsStorageDir()
- manager, err := secrets.NewManager(secretsPath)
+ manager, err := ic.Libpod.SecretsManager()
if err != nil {
return nil, err
}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 7682367b7..a0f5cc7e6 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -400,7 +400,24 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
}
if len(s.Secrets) != 0 {
- options = append(options, libpod.WithSecrets(s.Secrets))
+ manager, err := rt.SecretsManager()
+ if err != nil {
+ return nil, err
+ }
+ var secrs []*libpod.ContainerSecret
+ for _, s := range s.Secrets {
+ secr, err := manager.Lookup(s.Source)
+ if err != nil {
+ return nil, err
+ }
+ secrs = append(secrs, &libpod.ContainerSecret{
+ Secret: secr,
+ UID: s.UID,
+ GID: s.GID,
+ Mode: s.Mode,
+ })
+ }
+ options = append(options, libpod.WithSecrets(secrs))
}
if len(s.EnvSecrets) != 0 {
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 2e01d1535..2815bdebb 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -258,7 +258,7 @@ type ContainerStorageConfig struct {
RootfsPropagation string `json:"rootfs_propagation,omitempty"`
// Secrets are the secrets that will be added to the container
// Optional.
- Secrets []string `json:"secrets,omitempty"`
+ Secrets []Secret `json:"secrets,omitempty"`
// Volatile specifies whether the container storage can be optimized
// at the cost of not syncing all the dirty files in memory.
Volatile bool `json:"volatile,omitempty"`
@@ -521,6 +521,13 @@ type PortMapping struct {
Protocol string `json:"protocol,omitempty"`
}
+type Secret struct {
+ Source string
+ UID uint32
+ GID uint32
+ Mode uint32
+}
+
var (
// ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
// to a pod or container