Merge pull request #17423 from ygalblum/quadlet_container_secret

Quadlet: Add support for the Secret key in Container group
2025-06-27 13:38:49 +08:00 · 2023-02-08 15:45:41 -05:00
parent 83f2f840e4 d6dd17fdfe
commit 34e76a46ab
5 changed files with 92 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -301,6 +301,11 @@ Set the label process level for the container processes.

 Set the label process type for the container processes.

+#### `Secret=`
+
+Use a Podman secret in the container either as a file or an environment variable.
+This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`
+
 #### `Timezone=` (if unset uses system-configured default)

 The timezone to run the container in.
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -74,6 +74,7 @@ const (
 	KeySecurityLabelFileType = "SecurityLabelFileType"
 	KeySecurityLabelLevel    = "SecurityLabelLevel"
 	KeySecurityLabelType     = "SecurityLabelType"
+	KeySecret                = "Secret"
 	KeyTimezone              = "Timezone"
 	KeyType                  = "Type"
 	KeyUser                  = "User"
@ -117,6 +118,7 @@ var (
 		KeySecurityLabelFileType: true,
 		KeySecurityLabelLevel:    true,
 		KeySecurityLabelType:     true,
+		KeySecret:                true,
 		KeyTimezone:              true,
 		KeyUser:                  true,
 		KeyVolatileTmp:           true,
@ -518,6 +520,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
 		podman.addBool("--env-host", envHost)
 	}

+	secrets := container.LookupAllArgs(ContainerGroup, KeySecret)
+	for _, secret := range secrets {
+		podman.add("--secret", secret)
+	}
+
 	podmanArgs := container.LookupAllArgs(ContainerGroup, KeyPodmanArgs)
 	podman.add(podmanArgs...)

--- a/test/e2e/quadlet/secrets.container
+++ b/test/e2e/quadlet/secrets.container
@ -0,0 +1,9 @@
+## assert-podman-args "--secret" "mysecret"
+## assert-podman-args "--secret" "source=mysecret,type=env,target=MYSECRET"
+## assert-podman-args "--secret" "source=mysecret,type=mount,uid=1000,gid=1001,mode=777"
+
+[Container]
+Image=localhost/imagename
+Secret=mysecret
+Secret=source=mysecret,type=env,target=MYSECRET
+Secret=source=mysecret,type=mount,uid=1000,gid=1001,mode=777
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@ -481,6 +481,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("env-file.container", "env-file.container"),
 		Entry("env-host.container", "env-host.container"),
 		Entry("env-host-false.container", "env-host-false.container"),
+		Entry("secrets.container", "secrets.container"),

 		Entry("basic.volume", "basic.volume"),
 		Entry("label.volume", "label.volume"),
--- a/test/system/252-quadlet.bats
+++ b/test/system/252-quadlet.bats
@ -114,6 +114,24 @@ function service_cleanup() {
    systemctl daemon-reload
 }

+function create_secret() {
+    local secret_name=$(random_string)
+    local secret_file=$PODMAN_TMPDIR/secret_$(random_string)
+    local secret=$(random_string)
+
+    echo $secret > $secret_file
+    run_podman secret create $secret_name $secret_file
+
+    SECRET_NAME=$secret_name
+    SECRET=$secret
+}
+
+function remove_secret() {
+    local secret_name="$1"
+
+    run_podman secret rm $secret_name
+}
+
@test "quadlet - basic" {
    local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
    cat > $quadlet_file <<EOF
@ -477,4 +495,56 @@ EOF
    service_cleanup $QUADLET_SERVICE_NAME failed
 }

+@test "quadlet - secret as environment variable" {
+    create_secret
+
+    local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
+    cat > $quadlet_file <<EOF
+[Container]
+ContainerName=$NAME
+Image=$IMAGE
+Secret=$SECRET_NAME,type=env,target=MYSECRET
+Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
+EOF
+
+    run_quadlet "$quadlet_file"
+    service_setup $QUADLET_SERVICE_NAME
+
+    # Ensure we have output. Output is synced via sd-notify (socat in Exec)
+    run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
+    is "$output" '.*STARTED CONTAINER.*'
+
+    run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "printenv MYSECRET"
+    is "$output" $SECRET
+
+    service_cleanup $QUADLET_SERVICE_NAME failed
+    remove_secret $SECRET_NAME
+}
+
+@test "quadlet - secret as a file" {
+    create_secret
+
+    local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
+    cat > $quadlet_file <<EOF
+[Container]
+ContainerName=$NAME
+Image=$IMAGE
+Secret=$SECRET_NAME,type=mount,target=/root/secret
+Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
+EOF
+
+    run_quadlet "$quadlet_file"
+    service_setup $QUADLET_SERVICE_NAME
+
+    # Ensure we have output. Output is synced via sd-notify (socat in Exec)
+    run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
+    is "$output" '.*STARTED CONTAINER.*'
+
+    run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "cat /root/secret"
+    is "$output" $SECRET
+
+    service_cleanup $QUADLET_SERVICE_NAME failed
+    remove_secret $SECRET_NAME
+}
+
 # vim: filetype=sh