summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate/kube/kube.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen/generate/kube/kube.go')
-rw-r--r--pkg/specgen/generate/kube/kube.go100
1 files changed, 83 insertions, 17 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index d61c8bd19..31ed3fd7c 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -2,11 +2,13 @@ package kube
import (
"context"
+ "encoding/json"
"fmt"
"net"
"strings"
"github.com/containers/common/pkg/parse"
+ "github.com/containers/common/pkg/secrets"
"github.com/containers/podman/v3/libpod/image"
ann "github.com/containers/podman/v3/pkg/annotations"
"github.com/containers/podman/v3/pkg/specgen"
@@ -94,6 +96,8 @@ type CtrSpecGenOptions struct {
RestartPolicy string
// NetNSIsHost tells the container to use the host netns
NetNSIsHost bool
+ // SecretManager to access the secrets
+ SecretsManager *secrets.SecretsManager
}
func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -210,12 +214,18 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
}
for _, env := range opts.Container.Env {
- value := envVarValue(env, opts.ConfigMaps)
+ value, err := envVarValue(env, opts)
+ if err != nil {
+ return nil, err
+ }
envs[env.Name] = value
}
for _, envFrom := range opts.Container.EnvFrom {
- cmEnvs := envVarsFromConfigMap(envFrom, opts.ConfigMaps)
+ cmEnvs, err := envVarsFrom(envFrom, opts)
+ if err != nil {
+ return nil, err
+ }
for k, v := range cmEnvs {
envs[k] = v
@@ -325,40 +335,96 @@ func quantityToInt64(quantity *resource.Quantity) (int64, error) {
return 0, errors.Errorf("Quantity cannot be represented as int64: %v", quantity)
}
-// envVarsFromConfigMap returns all key-value pairs as env vars from a configMap that matches the envFrom setting of a container
-func envVarsFromConfigMap(envFrom v1.EnvFromSource, configMaps []v1.ConfigMap) map[string]string {
+// read a k8s secret in JSON format from the secret manager
+func k8sSecretFromSecretManager(name string, secretsManager *secrets.SecretsManager) (map[string][]byte, error) {
+ _, jsonSecret, err := secretsManager.LookupSecretData(name)
+ if err != nil {
+ return nil, err
+ }
+
+ var secrets map[string][]byte
+ if err := json.Unmarshal(jsonSecret, &secrets); err != nil {
+ return nil, errors.Errorf("Secret %v is not valid JSON: %v", name, err)
+ }
+ return secrets, nil
+}
+
+// envVarsFrom returns all key-value pairs as env vars from a configMap or secret that matches the envFrom setting of a container
+func envVarsFrom(envFrom v1.EnvFromSource, opts *CtrSpecGenOptions) (map[string]string, error) {
envs := map[string]string{}
if envFrom.ConfigMapRef != nil {
- cmName := envFrom.ConfigMapRef.Name
+ cmRef := envFrom.ConfigMapRef
+ err := errors.Errorf("Configmap %v not found", cmRef.Name)
- for _, c := range configMaps {
- if cmName == c.Name {
+ for _, c := range opts.ConfigMaps {
+ if cmRef.Name == c.Name {
envs = c.Data
+ err = nil
break
}
}
+
+ if err != nil && (cmRef.Optional == nil || !*cmRef.Optional) {
+ return nil, err
+ }
}
- return envs
+ if envFrom.SecretRef != nil {
+ secRef := envFrom.SecretRef
+ secret, err := k8sSecretFromSecretManager(secRef.Name, opts.SecretsManager)
+ if err == nil {
+ for k, v := range secret {
+ envs[k] = string(v)
+ }
+ } else if secRef.Optional == nil || !*secRef.Optional {
+ return nil, err
+ }
+ }
+
+ return envs, nil
}
// envVarValue returns the environment variable value configured within the container's env setting.
-// It gets the value from a configMap if specified, otherwise returns env.Value
-func envVarValue(env v1.EnvVar, configMaps []v1.ConfigMap) string {
- for _, c := range configMaps {
- if env.ValueFrom != nil {
- if env.ValueFrom.ConfigMapKeyRef != nil {
- if env.ValueFrom.ConfigMapKeyRef.Name == c.Name {
- if value, ok := c.Data[env.ValueFrom.ConfigMapKeyRef.Key]; ok {
- return value
+// It gets the value from a configMap or secret if specified, otherwise returns env.Value
+func envVarValue(env v1.EnvVar, opts *CtrSpecGenOptions) (string, error) {
+ if env.ValueFrom != nil {
+ if env.ValueFrom.ConfigMapKeyRef != nil {
+ cmKeyRef := env.ValueFrom.ConfigMapKeyRef
+ err := errors.Errorf("Cannot set env %v: configmap %v not found", env.Name, cmKeyRef.Name)
+
+ for _, c := range opts.ConfigMaps {
+ if cmKeyRef.Name == c.Name {
+ if value, ok := c.Data[cmKeyRef.Key]; ok {
+ return value, nil
}
+ err = errors.Errorf("Cannot set env %v: key %s not found in configmap %v", env.Name, cmKeyRef.Key, cmKeyRef.Name)
+ break
+ }
+ }
+ if cmKeyRef.Optional == nil || !*cmKeyRef.Optional {
+ return "", err
+ }
+ return "", nil
+ }
+
+ if env.ValueFrom.SecretKeyRef != nil {
+ secKeyRef := env.ValueFrom.SecretKeyRef
+ secret, err := k8sSecretFromSecretManager(secKeyRef.Name, opts.SecretsManager)
+ if err == nil {
+ if val, ok := secret[secKeyRef.Key]; ok {
+ return string(val), nil
}
+ err = errors.Errorf("Secret %v has not %v key", secKeyRef.Name, secKeyRef.Key)
+ }
+ if secKeyRef.Optional == nil || !*secKeyRef.Optional {
+ return "", errors.Errorf("Cannot set env %v: %v", env.Name, err)
}
+ return "", nil
}
}
- return env.Value
+ return env.Value, nil
}
// getPodPorts converts a slice of kube container descriptions to an
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-09-25 04:30:19 +0000