From 832a69b0bee6ec289521fbd59ddd480372493ee3 Mon Sep 17 00:00:00 2001
From: Ashley Cui <acui@redhat.com>
Date: Fri, 15 Jan 2021 01:27:23 -0500
Subject: Implement Secrets

Implement podman secret create, inspect, ls, rm
Implement podman run/create --secret
Secrets are blobs of data that are sensitive.
Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file.
After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname]
This secret will not be commited to an image on a podman commit

Signed-off-by: Ashley Cui <acui@redhat.com>
---
 pkg/domain/infra/tunnel/secrets.go | 82 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 pkg/domain/infra/tunnel/secrets.go

(limited to 'pkg/domain/infra/tunnel')

diff --git a/pkg/domain/infra/tunnel/secrets.go b/pkg/domain/infra/tunnel/secrets.go
new file mode 100644
index 000000000..f7c0f7d13
--- /dev/null
+++ b/pkg/domain/infra/tunnel/secrets.go
@@ -0,0 +1,82 @@
+package tunnel
+
+import (
+	"context"
+	"io"
+
+	"github.com/containers/podman/v2/pkg/bindings/secrets"
+	"github.com/containers/podman/v2/pkg/domain/entities"
+	"github.com/containers/podman/v2/pkg/errorhandling"
+	"github.com/pkg/errors"
+)
+
+func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader io.Reader, options entities.SecretCreateOptions) (*entities.SecretCreateReport, error) {
+	opts := new(secrets.CreateOptions).WithDriver(options.Driver).WithName(name)
+	created, _ := secrets.Create(ic.ClientCtx, reader, opts)
+	return created, nil
+}
+
+func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string) ([]*entities.SecretInfoReport, []error, error) {
+	allInspect := make([]*entities.SecretInfoReport, 0, len(nameOrIDs))
+	errs := make([]error, 0, len(nameOrIDs))
+	for _, name := range nameOrIDs {
+		inspected, err := secrets.Inspect(ic.ClientCtx, name, nil)
+		if err != nil {
+			errModel, ok := err.(errorhandling.ErrorModel)
+			if !ok {
+				return nil, nil, err
+			}
+			if errModel.ResponseCode == 404 {
+				errs = append(errs, errors.Errorf("no such secret %q", name))
+				continue
+			}
+			return nil, nil, err
+		}
+		allInspect = append(allInspect, inspected)
+	}
+	return allInspect, errs, nil
+}
+
+func (ic *ContainerEngine) SecretList(ctx context.Context) ([]*entities.SecretInfoReport, error) {
+	secrs, _ := secrets.List(ic.ClientCtx, nil)
+	return secrs, nil
+}
+
+func (ic *ContainerEngine) SecretRm(ctx context.Context, nameOrIDs []string, options entities.SecretRmOptions) ([]*entities.SecretRmReport, error) {
+	allRm := make([]*entities.SecretRmReport, 0, len(nameOrIDs))
+	if options.All {
+		allSecrets, err := secrets.List(ic.ClientCtx, nil)
+		if err != nil {
+			return nil, err
+		}
+		for _, secret := range allSecrets {
+			allRm = append(allRm, &entities.SecretRmReport{
+				Err: secrets.Remove(ic.ClientCtx, secret.ID),
+				ID:  secret.ID,
+			})
+		}
+		return allRm, nil
+	}
+	for _, name := range nameOrIDs {
+		secret, err := secrets.Inspect(ic.ClientCtx, name, nil)
+		if err != nil {
+			errModel, ok := err.(errorhandling.ErrorModel)
+			if !ok {
+				return nil, err
+			}
+			if errModel.ResponseCode == 404 {
+				allRm = append(allRm, &entities.SecretRmReport{
+					Err: errors.Errorf("no secret with name or id %q: no such secret ", name),
+					ID:  "",
+				})
+				continue
+			}
+		}
+		allRm = append(allRm, &entities.SecretRmReport{
+			Err: secrets.Remove(ic.ClientCtx, name),
+			ID:  secret.ID,
+		})
+
+	}
+	return allRm, nil
+}
-- 
cgit v1.2.3-54-g00ecf