Merge pull request containers#11376 from ashley-cui/envsec

Make secret env var available to exec session
cdoern · Sep 1, 2021 · 5c33699 · 5c33699
2 parents 331b359 + 1fb07c4
commit 5c33699
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
@@ -684,6 +684,19 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 		pspec.Env = append(pspec.Env, env...)
 	}
 
+	// Add secret envs if they exist
+	manager, err := c.runtime.SecretsManager()
+	if err != nil {
+		return nil, err
+	}
+	for name, secr := range c.config.EnvSecrets {
+		_, data, err := manager.LookupSecretData(secr.Name)
+		if err != nil {
+			return nil, err
+		}
+		pspec.Env = append(pspec.Env, fmt.Sprintf("%s=%s", name, string(data)))
+	}
+
 	if options.Cwd != "" {
 		pspec.Cwd = options.Cwd
 	}

diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
@@ -2,7 +2,9 @@ package integration
 
 import (
 	"fmt"
+	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 
 	. "github.com/containers/podman/v3/test/utils"
@@ -540,4 +542,32 @@ RUN useradd -u 1000 auser`, fedoraMinimal)
 		stop.WaitWithDefaultTimeout()
 		Expect(stop).Should(Exit(0))
 	})
+
+	It("podman exec with env var secret", func() {
+		secretsString := "somesecretdata"
+		secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
+		err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755)
+		Expect(err).To(BeNil())
+
+		session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"run", "-t", "-i", "-d", "--secret", "source=mysecret,type=env", "--name", "secr", ALPINE, "top"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"exec", "secr", "printenv", "mysecret"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(ContainSubstring(secretsString))
+
+		session = podmanTest.Podman([]string{"commit", "secr", "foobar.com/test1-image:latest"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"run", "foobar.com/test1-image:latest", "printenv", "mysecret"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.OutputToString()).To(Not(ContainSubstring(secretsString)))
+	})
 })