
Merge pull request #17423 from ygalblum/quadlet_container_secret
Quadlet: Add support for the Secret key in Container group
openshift-merge-robot authored Feb 8, 2023
2 parents 83f2f84 + d6dd17f commit 34e76a4
Showing 5 changed files with 92 additions and 0 deletions.
5 changes: 5 additions & 0 deletions docs/source/markdown/podman-systemd.unit.5.md
Expand Up @@ -301,6 +301,11 @@ Set the label process level for the container processes.

Set the label process type for the container processes.

#### `Secret=`

Use a Podman secret in the container either as a file or an environment variable.
This is equivalent to the Podman `--secret` option and generally has the form `secret[,opt=opt ...]`

#### `Timezone=` (if unset uses system-configured default)

The timezone to run the container in.
7 changes: 7 additions & 0 deletions pkg/systemd/quadlet/quadlet.go
Expand Up @@ -74,6 +74,7 @@ const (
KeySecurityLabelFileType = "SecurityLabelFileType"
KeySecurityLabelLevel = "SecurityLabelLevel"
KeySecurityLabelType = "SecurityLabelType"
KeySecret = "Secret"
KeyTimezone = "Timezone"
KeyType = "Type"
KeyUser = "User"
Expand Down Expand Up @@ -117,6 +118,7 @@ var (
KeySecurityLabelFileType: true,
KeySecurityLabelLevel: true,
KeySecurityLabelType: true,
KeySecret: true,
KeyTimezone: true,
KeyUser: true,
KeyVolatileTmp: true,
Expand Down Expand Up @@ -518,6 +520,11 @@ func ConvertContainer(container *parser.UnitFile, isUser bool) (*parser.UnitFile
podman.addBool("--env-host", envHost)
}

secrets := container.LookupAllArgs(ContainerGroup, KeySecret)
for _, secret := range secrets {
podman.add("--secret", secret)
}

podmanArgs := container.LookupAllArgs(ContainerGroup, KeyPodmanArgs)
podman.add(podmanArgs...)

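Review bot: `KeySecret` is placed after `KeySecurityLabelType` in both the constant block and the supported-keys map, but the neighbouring entries appear to be kept in alphabetical order and "Secret" sorts before "SecurityLabelFileType"; moving `KeySecret = "Secret"` (and `KeySecret: true,` in the map) above the `KeySecurityLabel*` lines would keep that order. In the ConvertContainer hunk the new loop carries no comment; I would add `// Each Secret= value is passed through unchanged as a --secret argument; the option syntax is not checked here.` above the `secrets :=` line. ConvertContainer starts and ends outside the hunk.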
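--- a/test/e2e/quadlet/secrets.container
+++ b/test/e2e/quadlet/secrets.container
@@ -0,0 +1,9 @@
+## assert-podman-args "--secret" "mysecret"
+## assert-podman-args "--secret" "source=mysecret,type=env,target=MYSECRET"
+## assert-podman-args "--secret" "source=mysecret,type=mount,uid=1000,gid=1001,mode=777"
+
+[Container]
+Image=localhost/imagename
+Secret=mysecret
+Secret=source=mysecret,type=env,target=MYSECRET
+Secret=source=mysecret,type=mount,uid=1000,gid=1001,mode=777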
1 change: 1 addition & 0 deletions test/e2e/quadlet_test.go
Expand Up @@ -481,6 +481,7 @@ var _ = Describe("quadlet system generator", func() {
Entry("env-file.container", "env-file.container"),
Entry("env-host.container", "env-host.container"),
Entry("env-host-false.container", "env-host-false.container"),
Entry("secrets.container", "secrets.container"),

Entry("basic.volume", "basic.volume"),
Entry("label.volume", "label.volume"),
70 changes: 70 additions & 0 deletions test/system/252-quadlet.bats
Expand Up @@ -114,6 +114,24 @@ function service_cleanup() {
systemctl daemon-reload
}

function create_secret() {
local secret_name=$(random_string)
local secret_file=$PODMAN_TMPDIR/secret_$(random_string)
local secret=$(random_string)

echo $secret > $secret_file
run_podman secret create $secret_name $secret_file

SECRET_NAME=$secret_name
SECRET=$secret
}

function remove_secret() {
local secret_name="$1"

run_podman secret rm $secret_name
}

@test "quadlet - basic" {
local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
cat > $quadlet_file <<EOF
Expand Down Expand Up @@ -477,4 +495,56 @@ EOF
service_cleanup $QUADLET_SERVICE_NAME failed
}

@test "quadlet - secret as environment variable" {
create_secret

local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
cat > $quadlet_file <<EOF
[Container]
ContainerName=$NAME
Image=$IMAGE
Secret=$SECRET_NAME,type=env,target=MYSECRET
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
EOF

run_quadlet "$quadlet_file"
service_setup $QUADLET_SERVICE_NAME

# Ensure we have output. Output is synced via sd-notify (socat in Exec)
run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
is "$output" '.*STARTED CONTAINER.*'

run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "printenv MYSECRET"
is "$output" $SECRET

service_cleanup $QUADLET_SERVICE_NAME failed
remove_secret $SECRET_NAME
}

@test "quadlet - secret as a file" {
create_secret

local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
cat > $quadlet_file <<EOF
[Container]
ContainerName=$NAME
Image=$IMAGE
Secret=$SECRET_NAME,type=mount,target=/root/secret
Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; top"
EOF

run_quadlet "$quadlet_file"
service_setup $QUADLET_SERVICE_NAME

# Ensure we have output. Output is synced via sd-notify (socat in Exec)
run journalctl "--since=$STARTED_TIME" --unit="$QUADLET_SERVICE_NAME"
is "$output" '.*STARTED CONTAINER.*'

run_podman exec $QUADLET_CONTAINER_NAME /bin/sh -c "cat /root/secret"
is "$output" $SECRET

service_cleanup $QUADLET_SERVICE_NAME failed
remove_secret $SECRET_NAME
}

# vim: filetype=sh
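Review bot: `create_secret` writes the secret value to `$secret_file` and never removes it, so the plaintext copy stays in `$PODMAN_TMPDIR` after `run_podman secret create` has consumed it and after `remove_secret` runs; adding `rm -f "$secret_file"` directly after the `secret create` line drops it as soon as it is no longer needed (the harness may clean the directory later, but the file is not needed past that point). The three `local name=$(random_string)` lines combine declaration and command substitution, so a non-zero exit from `random_string` is masked by `local` (shellcheck SC2155); `local secret_name; secret_name=$(random_string)` keeps the status visible. The same applies to `remove_secret`'s `local secret_name="$1"` only in form, not in substance, since there is no command substitution there.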
