From 832a69b0bee6ec289521fbd59ddd480372493ee3 Mon Sep 17 00:00:00 2001 From: Ashley Cui Date: Fri, 15 Jan 2021 01:27:23 -0500 Subject: Implement Secrets Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui --- pkg/api/server/register_secrets.go | 194 +++++++++++++++++++++++++++++++++++++ pkg/api/server/server.go | 1 + 2 files changed, 195 insertions(+) create mode 100644 pkg/api/server/register_secrets.go (limited to 'pkg/api/server') diff --git a/pkg/api/server/register_secrets.go b/pkg/api/server/register_secrets.go new file mode 100644 index 000000000..95abf83e8 --- /dev/null +++ b/pkg/api/server/register_secrets.go @@ -0,0 +1,194 @@ +package server + +import ( + "net/http" + + "github.com/containers/podman/v2/pkg/api/handlers/compat" + "github.com/containers/podman/v2/pkg/api/handlers/libpod" + "github.com/gorilla/mux" +) + +func (s *APIServer) registerSecretHandlers(r *mux.Router) error { + // swagger:operation POST /libpod/secrets/create libpod libpodCreateSecret + // --- + // tags: + // - secrets + // summary: Create a secret + // parameters: + // - in: query + // name: name + // type: string + // description: User-defined name of the secret. + // required: true + // - in: query + // name: driver + // type: string + // description: Secret driver + // default: "file" + // - in: body + // name: request + // description: Secret + // schema: + // type: string + // produces: + // - application/json + // responses: + // '201': + // $ref: "#/responses/SecretCreateResponse" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/libpod/secrets/create"), s.APIHandler(libpod.CreateSecret)).Methods(http.MethodPost) + // swagger:operation GET /libpod/secrets/json libpod libpodListSecret + // --- + // tags: + // - secrets + // summary: List secrets + // description: Returns a list of secrets + // produces: + // - application/json + // parameters: + // responses: + // '200': + // "$ref": "#/responses/SecretListResponse" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/libpod/secrets/json"), s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet) + // swagger:operation GET /libpod/secrets/{name}/json libpod libpodInspectSecret + // --- + // tags: + // - secrets + // summary: Inspect secret + // parameters: + // - in: path + // name: name + // type: string + // required: true + // description: the name or ID of the secret + // produces: + // - application/json + // responses: + // '200': + // "$ref": "#/responses/SecretInspectResponse" + // '404': + // "$ref": "#/responses/NoSuchSecret" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/libpod/secrets/{name}/json"), s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet) + // swagger:operation DELETE /libpod/secrets/{name} libpod libpodRemoveSecret + // --- + // tags: + // - secrets + // summary: Remove secret + // parameters: + // - in: path + // name: name + // type: string + // required: true + // description: the name or ID of the secret + // - in: query + // name: all + // type: boolean + // description: Remove all secrets + // default: false + // produces: + // - application/json + // responses: + // '204': + // description: no error + // '404': + // "$ref": "#/responses/NoSuchSecret" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/libpod/secrets/{name}"), s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete) + + /* + * Docker compatibility endpoints + */ + // swagger:operation GET /secrets compat ListSecret + // --- + // tags: + // - secrets (compat) + // summary: List secrets + // description: Returns a list of secrets + // produces: + // - application/json + // parameters: + // responses: + // '200': + // "$ref": "#/responses/SecretListResponse" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/secrets"), s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet) + r.Handle("/secrets", s.APIHandler(compat.ListSecrets)).Methods(http.MethodGet) + // swagger:operation POST /secrets/create compat CreateSecret + // --- + // tags: + // - secrets (compat) + // summary: Create a secret + // parameters: + // - in: body + // name: create + // description: | + // attributes for creating a secret + // schema: + // $ref: "#/definitions/SecretCreate" + // produces: + // - application/json + // responses: + // '201': + // $ref: "#/responses/SecretCreateResponse" + // '409': + // "$ref": "#/responses/SecretInUse" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/secrets/create"), s.APIHandler(compat.CreateSecret)).Methods(http.MethodPost) + r.Handle("/secrets/create", s.APIHandler(compat.CreateSecret)).Methods(http.MethodPost) + // swagger:operation GET /secrets/{name} compat InspectSecret + // --- + // tags: + // - secrets (compat) + // summary: Inspect secret + // parameters: + // - in: path + // name: name + // type: string + // required: true + // description: the name or ID of the secret + // produces: + // - application/json + // responses: + // '200': + // "$ref": "#/responses/SecretInspectResponse" + // '404': + // "$ref": "#/responses/NoSuchSecret" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/secrets/{name}"), s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet) + r.Handle("/secrets/{name}", s.APIHandler(compat.InspectSecret)).Methods(http.MethodGet) + // swagger:operation DELETE /secrets/{name} compat RemoveSecret + // --- + // tags: + // - secrets (compat) + // summary: Remove secret + // parameters: + // - in: path + // name: name + // type: string + // required: true + // description: the name or ID of the secret + // produces: + // - application/json + // responses: + // '204': + // description: no error + // '404': + // "$ref": "#/responses/NoSuchSecret" + // '500': + // "$ref": "#/responses/InternalError" + r.Handle(VersionedPath("/secrets/{name}"), s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete) + r.Handle("/secret/{name}", s.APIHandler(compat.RemoveSecret)).Methods(http.MethodDelete) + + r.Handle(VersionedPath("/secrets/{name}/update"), s.APIHandler(compat.UpdateSecret)).Methods(http.MethodPost) + r.Handle("/secrets/{name}/update", s.APIHandler(compat.UpdateSecret)).Methods(http.MethodPost) + return nil +} diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go index d612041f6..6926eda62 100644 --- a/pkg/api/server/server.go +++ b/pkg/api/server/server.go @@ -124,6 +124,7 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li server.registerPlayHandlers, server.registerPluginsHandlers, server.registerPodsHandlers, + server.registerSecretHandlers, server.RegisterSwaggerHandlers, server.registerSwarmHandlers, server.registerSystemHandlers, -- cgit v1.2.3-54-g00ecf