Merge pull request #23959 from auyer/hide-secrets-from-container-inspect

Hide secrets from container inspect command
2025-12-01 10:38:05 +08:00 · 2024-09-17 13:00:18 +00:00
parent 9781a268a2 a5e9b4d126
commit f4a08f46b7
2 changed files with 36 additions and 0 deletions
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -372,6 +372,20 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
 	if spec.Process != nil {
 		ctrConfig.Tty = spec.Process.Terminal
 		ctrConfig.Env = append([]string{}, spec.Process.Env...)
+
+		// finds all secrets mounted as env variables and hides the value
+		// the inspect command should not display it
+		envSecrets := c.config.EnvSecrets
+		for envIndex, envValue := range ctrConfig.Env {
+			// env variables come in the style `name=value`
+			envName := strings.Split(envValue, "=")[0]
+
+			envSecret, ok := envSecrets[envName]
+			if ok {
+				ctrConfig.Env[envIndex] = envSecret.Name + "=*******"
+			}
+		}
+
 		ctrConfig.WorkingDir = spec.Process.Cwd
 	}