Diffstat (limited to 'pkg/specgen')
-rw-r--r-- | pkg/specgen/generate/container_create.go | 19 | ||||
-rw-r--r-- | pkg/specgen/generate/kube/kube.go | 42 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 9 |
3 files changed, 56 insertions, 14 deletions
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 7682367b7..a0f5cc7e6 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -400,7 +400,24 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 }
 if len(s.Secrets) != 0 {
- options = append(options, libpod.WithSecrets(s.Secrets))
+ manager, err := rt.SecretsManager()
+ if err != nil {
+ return nil, err
+ }
+ var secrs []*libpod.ContainerSecret
+ for _, s := range s.Secrets {
+ secr, err := manager.Lookup(s.Source)
+ if err != nil {
+ return nil, err
+ }
+ secrs = append(secrs, &libpod.ContainerSecret{
+ Secret: secr,
+ UID: s.UID,
+ GID: s.GID,
+ Mode: s.Mode,
+ })
+ }
+ options = append(options, libpod.WithSecrets(secrs))
 }
 if len(s.EnvSecrets) != 0 {
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 4e41061a5..054388384 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
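Review bot: The error from `manager.Lookup(s.Source)` is returned bare, so a missing or misnamed secret surfaces without saying which source failed; wrap it with the name, e.g. `return nil, fmt.Errorf("looking up secret %q: %w", s.Source, err)` (or the `errors.Wrapf` form kube.go uses, whichever this file already imports). The loop variable `s` in `for _, s := range s.Secrets` also shadows the `s *specgen.SpecGenerator` parameter; it works because the range expression is evaluated once before the loop, but `for _, sec := range s.Secrets` reads far more safely and keeps vet's shadow check quiet. UID, GID and Mode are copied from the spec into `ContainerSecret` without any check, and a zero Mode reaches it as-is; whether a default or a permission sanity check is applied further down is not visible here, so a short comment stating the expected defaults (or an explicit default at this point) would help. createContainerOptions starts and ends outside the hunk.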
@@ -250,27 +250,26 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 if !exists {
 return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
 }
+
+ dest, options, err := parseMountPath(volume.MountPath, volume.ReadOnly)
+ if err != nil {
+ return nil, err
+ }
+
 switch volumeSource.Type {
 case KubeVolumeTypeBindMount:
- if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
- return nil, errors.Wrapf(err, "error in parsing MountPath")
- }
 mount := spec.Mount{
- Destination: volume.MountPath,
+ Destination: dest,
 Source: volumeSource.Source,
 Type: "bind",
- }
- if volume.ReadOnly {
- mount.Options = []string{"ro"}
+ Options: options,
 }
 s.Mounts = append(s.Mounts, mount)
 case KubeVolumeTypeNamed:
 namedVolume := specgen.NamedVolume{
- Dest: volume.MountPath,
- Name: volumeSource.Source,
- }
- if volume.ReadOnly {
- namedVolume.Options = []string{"ro"}
+ Dest: dest,
+ Name: volumeSource.Source,
+ Options: options,
 }
 s.Volumes = append(s.Volumes, &namedVolume)
 default:
@@ -300,6 +299,25 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 return s, nil
 }
+func parseMountPath(mountPath string, readOnly bool) (string, []string, error) {
+ options := []string{}
+ splitVol := strings.Split(mountPath, ":")
+ if len(splitVol) > 2 {
+ return "", options, errors.Errorf("%q incorrect volume format, should be ctr-dir[:option]", mountPath)
+ }
+ dest := splitVol[0]
+ if len(splitVol) > 1 {
+ options = strings.Split(splitVol[1], ",")
+ }
+ if err := parse.ValidateVolumeCtrDir(dest); err != nil {
+ return "", options, errors.Wrapf(err, "error in parsing MountPath")
+ }
+ if readOnly {
+ options = append(options, "ro")
+ }
+ return dest, options, nil
+}
+
 func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
 if containerYAML.SecurityContext == nil {
 return
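Review bot: parseMountPath passes whatever follows the colon straight through as mount options, where the code it replaces only ever emitted `ro`: `/data:` yields `[""]` (an empty option entry), `/data:ro` with readOnly set yields `ro` twice, and nothing checks the entries before they reach `spec.Mount.Options` and `NamedVolume.Options` in the first hunk. At minimum guard the split with `if len(splitVol) > 1 && splitVol[1] != "" {`, and consider validating the entries against the options the two mount kinds accept, as the removed code implicitly did. The error returns should hand back `nil` rather than the partially filled `options`, and a doc comment such as `// parseMountPath splits a "ctr-dir[:opt,opt]" mount path into destination and option list, appending "ro" when readOnly is set.` is missing on the new function. ToSpecGen starts and ends outside the first hunk, and setupSecurityContext's body continues past the second.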
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 2e01d1535..2815bdebb 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -258,7 +258,7 @@ type ContainerStorageConfig struct {
 RootfsPropagation string `json:"rootfs_propagation,omitempty"`
 // Secrets are the secrets that will be added to the container
 // Optional.
- Secrets []string `json:"secrets,omitempty"`
+ Secrets []Secret `json:"secrets,omitempty"`
 // Volatile specifies whether the container storage can be optimized
 // at the cost of not syncing all the dirty files in memory.
 Volatile bool `json:"volatile,omitempty"`
@@ -521,6 +521,13 @@ type PortMapping struct {
 Protocol string `json:"protocol,omitempty"`
 }
+type Secret struct {
+ Source string
+ UID uint32
+ GID uint32
+ Mode uint32
+}
+
 var (
 // ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
 // to a pod or container |
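Review bot: The new exported `Secret` type has no doc comment and no `json` tags, yet it is serialized through the `Secrets []Secret` field changed in the first hunk, whose neighbours all carry snake_case tags such as `rootfs_propagation`; its fields will therefore encode as `Source`, `UID`, `GID` and `Mode`, unlike the rest of the struct. Tag them (`source`, `uid`, `gid`, `mode`, with `omitempty` where a zero value means "unset") and add a comment starting `// Secret describes a secret to mount into the container: its source name plus the ownership and file mode of the mounted file.` The switch from `[]string` to `[]Secret` also changes what API clients must send for `secrets`, but the field's existing comment was not updated to describe the new shape or what a zero UID, GID or Mode means; whether defaults are applied downstream is not visible in this diff, so the comment should say so explicitly.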