opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-23 18:17:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

Make secret env var available to exec session

Browse Source 
Secret environment variables were only available to a podman run/start.
This commit makes sure that exec sessions can see them as well.

Signed-off-by: Ashley Cui <acui@redhat.com>
This commit is contained in:
Ashley Cui
2021-08-31 09:57:03 -04:00
parent 8ab84b4373
commit 1fb07c4225
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
libpod/oci_conmon_exec_linux.go
View File

@ -685,6 +685,19 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
pspec.Env = append(pspec.Env, env...) pspec.Env = append(pspec.Env, env...)
} }
// Add secret envs if they exist
manager, err := c.runtime.SecretsManager()
if err != nil {
return nil, err
}
for name, secr := range c.config.EnvSecrets {
_, data, err := manager.LookupSecretData(secr.Name)
if err != nil {
return nil, err
}
pspec.Env = append(pspec.Env, fmt.Sprintf("%s=%s", name, string(data)))
}
if options.Cwd != "" { if options.Cwd != "" {
pspec.Cwd = options.Cwd pspec.Cwd = options.Cwd
} }

30
test/e2e/exec_test.go
View File

@ -2,7 +2,9 @@ package integration
import ( import (
"fmt" "fmt"
"io/ioutil"
"os" "os"
"path/filepath"
"strings" "strings"
. "github.com/containers/podman/v3/test/utils" . "github.com/containers/podman/v3/test/utils"
@ -540,4 +542,32 @@ RUN useradd -u 1000 auser`, fedoraMinimal)
stop.WaitWithDefaultTimeout() stop.WaitWithDefaultTimeout()
Expect(stop).Should(Exit(0)) Expect(stop).Should(Exit(0))
}) })
It("podman exec with env var secret", func() {
secretsString := "somesecretdata"
secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755)
Expect(err).To(BeNil())
session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
session = podmanTest.Podman([]string{"run", "-t", "-i", "-d", "--secret", "source=mysecret,type=env", "--name", "secr", ALPINE, "top"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
session = podmanTest.Podman([]string{"exec", "secr", "printenv", "mysecret"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring(secretsString))
session = podmanTest.Podman([]string{"commit", "secr", "foobar.com/test1-image:latest"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
session = podmanTest.Podman([]string{"run", "foobar.com/test1-image:latest", "printenv", "mysecret"})
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(Not(ContainSubstring(secretsString)))
})
}) })