From 6f9d9636a23cf19a619c04d38e5efd524b846534 Mon Sep 17 00:00:00 2001
From: Ashley Cui <acui@redhat.com>
Date: Fri, 14 May 2021 16:29:44 -0400
Subject: Support uid,gid,mode options for secrets

Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.

Signed-off-by: Ashley Cui <acui@redhat.com>
---
 pkg/specgen/generate/container_create.go | 19 ++++++++++++++++++-
 pkg/specgen/specgen.go                   |  9 ++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

(limited to 'pkg/specgen')

diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index e53032ebe..087ff59df 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -401,7 +401,24 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 	}
 
 	if len(s.Secrets) != 0 {
-		options = append(options, libpod.WithSecrets(s.Secrets))
+		manager, err := rt.SecretsManager()
+		if err != nil {
+			return nil, err
+		}
+		var secrs []*libpod.ContainerSecret
+		for _, s := range s.Secrets {
+			secr, err := manager.Lookup(s.Source)
+			if err != nil {
+				return nil, err
+			}
+			secrs = append(secrs, &libpod.ContainerSecret{
+				Secret: secr,
+				UID:    s.UID,
+				GID:    s.GID,
+				Mode:   s.Mode,
+			})
+		}
+		options = append(options, libpod.WithSecrets(secrs))
 	}
 
 	if len(s.EnvSecrets) != 0 {
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 2e01d1535..2815bdebb 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -258,7 +258,7 @@ type ContainerStorageConfig struct {
 	RootfsPropagation string `json:"rootfs_propagation,omitempty"`
 	// Secrets are the secrets that will be added to the container
 	// Optional.
-	Secrets []string `json:"secrets,omitempty"`
+	Secrets []Secret `json:"secrets,omitempty"`
 	// Volatile specifies whether the container storage can be optimized
 	// at the cost of not syncing all the dirty files in memory.
 	Volatile bool `json:"volatile,omitempty"`
@@ -521,6 +521,13 @@ type PortMapping struct {
 	Protocol string `json:"protocol,omitempty"`
 }
 
+type Secret struct {
+	Source string
+	UID    uint32
+	GID    uint32
+	Mode   uint32
+}
+
 var (
 	// ErrNoStaticIPRootless is used when a rootless user requests to assign a static IP address
 	// to a pod or container
-- 
cgit v1.2.3-54-g00ecf