From 2634cb234f1500b76a2fd89351b9ad8a737a24ea Mon Sep 17 00:00:00 2001
From: Ashley Cui
Date: Wed, 5 May 2021 10:34:13 -0400
Subject: Add support for environment variable secrets

Env var secrets are env vars that are set inside the container but not commited to and image. Also support reading from env var when creating a secret.

Signed-off-by: Ashley Cui
---
 libpod/container_config.go | 2 ++
 libpod/container_internal_linux.go | 14 ++++++++++++++
 libpod/options.go | 22 ++++++++++++++++++++++
 3 files changed, 38 insertions(+)
(limited to 'libpod')
diff --git a/libpod/container_config.go b/libpod/container_config.go
index d0572fbc2..ac17a2c4f 100644
--- a/libpod/container_config.go
+++ b/libpod/container_config.go
@@ -368,4 +368,6 @@ type ContainerMiscConfig struct {
 PidFile string `json:"pid_file,omitempty"`
 // CDIDevices contains devices that use the CDI
 CDIDevices []string `json:"cdiDevices,omitempty"`
+ // EnvSecrets are secrets that are set as environment variables
+ EnvSecrets map[string]*secrets.Secret `json:"secret_env,omitempty"`
 }
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f4762b5ff..c6839ffd0 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -29,6 +29,7 @@ import (
 "github.com/containers/common/pkg/apparmor"
 "github.com/containers/common/pkg/chown"
 "github.com/containers/common/pkg/config"
+ "github.com/containers/common/pkg/secrets"
 "github.com/containers/common/pkg/subscriptions"
 "github.com/containers/common/pkg/umask"
 "github.com/containers/podman/v3/libpod/define"
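Review bot: The comment on the new EnvSecrets field in container_config.go does not say what the map key is or when the secret is turned into a value, which a reader of this persisted config needs because the data itself is not stored here (the companion generateSpec hunk looks it up by name at spec time). Suggest `// EnvSecrets maps an environment variable name to the secret whose data is injected as that variable's value when the OCI spec is generated; only the secret reference is persisted here.` The wording "only the secret reference" assumes secrets.Secret carries no data, which the lookup in generateSpec suggests but this hunk cannot confirm.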
@@ -763,6 +764,19 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
 return nil, errors.Wrapf(err, "error setting up OCI Hooks")
 }
+ if len(c.config.EnvSecrets) > 0 {
+ manager, err := secrets.NewManager(c.runtime.GetSecretsStorageDir())
+ if err != nil {
+ return nil, err
+ }
+ for name, secr := range c.config.EnvSecrets {
+ _, data, err := manager.LookupSecretData(secr.Name)
+ if err != nil {
+ return nil, err
+ }
+ g.AddProcessEnv(name, string(data))
+ }
+ }
 return g.Config, nil
 }
diff --git a/libpod/options.go b/libpod/options.go
index 103a9a80a..7c574df75 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1703,6 +1703,28 @@ func WithSecrets(secretNames []string) CtrCreateOption {
 }
 }
+// WithSecrets adds environment variable secrets to the container
+func WithEnvSecrets(envSecrets map[string]string) CtrCreateOption {
+ return func(ctr *Container) error {
+ ctr.config.EnvSecrets = make(map[string]*secrets.Secret)
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ manager, err := secrets.NewManager(ctr.runtime.GetSecretsStorageDir())
+ if err != nil {
+ return err
+ }
+ for target, src := range envSecrets {
+ secr, err := manager.Lookup(src)
+ if err != nil {
+ return err
+ }
+ ctr.config.EnvSecrets[target] = secr
+ }
+ return nil
+ }
+}
+
 // WithPidFile adds pidFile to the container
 func WithPidFile(pidFile string) CtrCreateOption {
 return func(ctr *Container) error {
-- cgit v1.2.3-54-g00ecf
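Review bot: The new block in generateSpec ranges directly over `c.config.EnvSecrets`, so the order of the `g.AddProcessEnv` calls, and therefore the process env in the generated spec, changes from run to run; collecting the names and sorting them first makes the spec reproducible and diffable. The resolved data is placed in the process env as plain text, which presumably means it is readable wherever the OCI spec and the process environment are readable, and that is worth a one-line comment at the `LookupSecretData` call since nothing in the code says so. generateSpec begins and ends outside this hunk, and `sort` needs importing if the file does not already have it.
```go
	if len(c.config.EnvSecrets) > 0 {
		manager, err := secrets.NewManager(c.runtime.GetSecretsStorageDir())
		if err != nil {
			return nil, err
		}
		// Iterate in sorted order: ranging a map is randomized and the
		// generated process env should be stable across spec generations.
		names := make([]string, 0, len(c.config.EnvSecrets))
		for name := range c.config.EnvSecrets {
			names = append(names, name)
		}
		sort.Strings(names)
		for _, name := range names {
			// Resolved secret data ends up in the process env in plain text.
			_, data, err := manager.LookupSecretData(c.config.EnvSecrets[name].Name)
			// … unchanged: error check and g.AddProcessEnv(name, string(data)) …
		}
	}
```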
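Review bot: WithEnvSecrets assigns `ctr.config.EnvSecrets = make(map[string]*secrets.Secret)` before it checks `ctr.valid`, so a finalized container has its config mutated and then the option returns `define.ErrCtrFinalized`; move the `if ctr.valid` guard above the assignment so the error path leaves the container untouched. The doc comment names the wrong function and should read `// WithEnvSecrets adds environment variable secrets to the container`. The map key `target` becomes the environment variable name in generateSpec without any validation, so an empty key or one containing `=` would only surface as a malformed env entry at spec time; rejecting those here keeps the failure at creation time, where the caller can act on it.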