Merge pull request #17423 from ygalblum/quadlet_container_secret

Quadlet: Add support for the Secret key in Container group
This commit is contained in:
OpenShift Merge Robot
2023-02-08 15:45:41 -05:00
committed by GitHub
5 changed files with 92 additions and 0 deletions


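--- a/<doc file 1: path not shown on page>
+++ b/<doc file 1: path not shown on page>
@@ -301,6 +301,11 @@ Set the label process level for the container processes.
 Set the label process type for the container processes.
+#### `Secret=`
+Use a Podman secret in the container either as a file or an environment variable.
+This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`
 #### `Timezone=` (if unset uses system-configured default)
 The timezone to run the container in.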


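--- a/<go file 2: path not shown on page>
+++ b/<go file 2: path not shown on page>
@@ -74,6 +74,7 @@ const (
 KeySecurityLabelFileType = "SecurityLabelFileType"
 KeySecurityLabelLevel = "SecurityLabelLevel"
 KeySecurityLabelType = "SecurityLabelType"
+KeySecret = "Secret"
 KeyTimezone = "Timezone"
 KeyType = "Type"
 KeyUser = "User"
@@ -117,6 +118,7 @@ var (
 KeySecurityLabelFileType: true,
 KeySecurityLabelLevel: true,
 KeySecurityLabelType: true,
+KeySecret: true,
 KeyTimezone: true,
 KeyUser: true,
 KeyVolatileTmp: true,
@@ -518,6 +520,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 podman.addBool("--env-host", envHost)
 }
+secrets := container.LookupAllArgs(ContainerGroup, KeySecret)
+for _, secret := range secrets {
+podman.add("--secret", secret)
+}
 podmanArgs := container.LookupAllArgs(ContainerGroup, KeyPodmanArgs)
 podman.add(podmanArgs...)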
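Review bot: The values collected by `container.LookupAllArgs(ContainerGroup, KeySecret)` in the third hunk are forwarded to `--secret` without any check, so a mistyped option name or an empty `Secret=` (depending on how `LookupAllArgs` treats an empty value, which is not visible here) is only rejected when the generated unit is started, not when quadlet generates it. That matches the pass-through style used for `KeyPodmanArgs` two lines below, so if it is deliberate a one-line comment above the loop would make the contract clear to the next reader, e.g. `// Secret values are passed to podman verbatim; the secret spec is validated when the container starts.` The `ConvertContainer` body continues outside the hunk on both sides.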


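--- /dev/null
+++ b/<test fixture file 3: path not shown on page>
@@ -0,0 +1,9 @@
+## assert-podman-args "--secret" "mysecret"
+## assert-podman-args "--secret" "source=mysecret,type=env,target=MYSECRET"
+## assert-podman-args "--secret" "source=mysecret,type=mount,uid=1000,gid=1001,mode=777"
+[Container]
+Image=localhost/imagename
+Secret=mysecret
+Secret=source=mysecret,type=env,target=MYSECRET
+Secret=source=mysecret,type=mount,uid=1000,gid=1001,mode=777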
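Review bot: The last `Secret=` line uses `mode=777`, which would make the mounted secret file world-readable and world-writable inside the container. The asserts here only check that the string is forwarded to `--secret`, so any mode works for the test, but fixtures like this tend to be copied as examples; a restrictive sample value such as `mode=0400` (constructed example) would exercise the same code path without documenting a permissive mode.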


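--- a/<go test file 4: path not shown on page>
+++ b/<go test file 4: path not shown on page>
@@ -481,6 +481,7 @@ var _ = Describe("quadlet system generator", func() {
 Entry("env-file.container", "env-file.container"),
 Entry("env-host.container", "env-host.container"),
 Entry("env-host-false.container", "env-host-false.container"),
+Entry("secrets.container", "secrets.container"),
 Entry("basic.volume", "basic.volume"),
 Entry("label.volume", "label.volume"),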


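--- a/<bats system test file 5: path not shown on page>
+++ b/<bats system test file 5: path not shown on page>
@@ -114,6 +114,24 @@ function service_cleanup() {
 systemctl daemon-reload
 }
+function create_secret() {
+local secret_name=$(random_string)
+local secret_file=$PODMAN_TMPDIR/secret_$(random_string)
+local secret=$(random_string)
+echo $secret > $secret_file
+run_podman secret create $secret_name $secret_file
+SECRET_NAME=$secret_name
+SECRET=$secret
+}
+function remove_secret() {
+local secret_name="$1"
+run_podman secret rm $secret_name
+}
 @test "quadlet - basic" {
 local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
 cat > $quadlet_file <<EOF
@@ -477,4 +495,56 @@ EOF
 service_cleanup $QUADLET_SERVICE_NAME failed
 }
+@test "quadlet - secret as environment variable" {
+create_secret
+local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
+cat > $quadlet_file <<EOF
+[Container]
+ContainerName=$NAME
+Image=$IMAGE
+Secret=$SECRET_NAME,type=env,target=MYSECRET
+Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
+EOF
+run_quadlet "$quadlet_file"
+service_setup $QUADLET_SERVICE_NAME
+# Ensure we have output. Output is synced via sd-notify (socat in Exec)
+run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
+is "$output" '.*STARTED CONTAINER.*'
+run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "printenv MYSECRET"
+is "$output" $SECRET
+service_cleanup $QUADLET_SERVICE_NAME failed
+remove_secret $SECRET_NAME
+}
+@test "quadlet - secret as a file" {
+create_secret
+local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
+cat > $quadlet_file <<EOF
+[Container]
+ContainerName=$NAME
+Image=$IMAGE
+Secret=$SECRET_NAME,type=mount,target=/root/secret
+Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
+EOF
+run_quadlet "$quadlet_file"
+service_setup $QUADLET_SERVICE_NAME
+# Ensure we have output. Output is synced via sd-notify (socat in Exec)
+run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
+is "$output" '.*STARTED CONTAINER.*'
+run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "cat /root/secret"
+is "$output" $SECRET
+service_cleanup $QUADLET_SERVICE_NAME failed
+remove_secret $SECRET_NAME
+}
 # vim: filetype=sh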
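Review bot: `create_secret` in the first hunk leaves the plaintext secret in `$secret_file` after `run_podman secret create` has consumed it, and `remove_secret` only removes the podman-side secret, so the file outlives the test until the temp directory is cleaned; deleting it right after creation, `rm -f $secret_file`, keeps the plaintext lifetime to the one command that needs it. In both new @test blocks `is "$output" $SECRET` passes the expansion unquoted; `is "$output" "$SECRET"` avoids word splitting should `random_string` output ever contain whitespace, and matches the quoting used on the `is "$output" '.*STARTED CONTAINER.*'` line. The `local secret_name=$(random_string)` form also masks the command's exit status (shellcheck SC2155); `local secret_name; secret_name=$(random_string)` keeps a failure of `random_string` visible. Note that `remove_secret` is not reached if an earlier assertion in the test fails, so a failed run leaves the podman secret behind for later tests.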