Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Secrets #9125

Merged
merged 1 commit into from
Feb 9, 2021
Merged

Implement Secrets #9125

merged 1 commit into from
Feb 9, 2021

Conversation

ashley-cui
Copy link
Member

Implement podman secret create, inspect, ls, rm
Implement podman run/create --secret
Secrets are blobs of data that are sensitive.
Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file.
After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname]
This secret will not be commited to an image on a podman commit

Signed-off-by: Ashley Cui [email protected]

@ashley-cui ashley-cui added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 27, 2021
@ashley-cui
Copy link
Member Author

ashley-cui commented Jan 27, 2021
edited
Loading

This needs a new common, or it'll fail all tests.
And also shouldn't be merged until after 3.0.

Also, needs some lint-y fixes.

@TomSweeneyRedHat
Copy link
Member

Need to update commands-demo.md and https://github.com/containers/podman/blob/master/docs/source/Commands.rst, maybe another spot or two to get the man pages to show on docs.podman.io.

@mheon
Copy link
Member

mheon commented Jan 27, 2021

We've already branched 3.0, so we're already safe to merge this, FYI

Luap99
Luap99 reviewed Jan 27, 2021
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments regarding the shell completion logic.

cmd/podman/secrets/create.go Outdated Show resolved Hide resolved
cmd/podman/secrets/list.go Outdated Show resolved Hide resolved
cmd/podman/secrets/create.go Show resolved Hide resolved
cmd/podman/common/create.go Outdated Show resolved Hide resolved
vrothberg
vrothberg reviewed Jan 29, 2021
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really good work, @ashley-cui!

This is a huge PR and in really good shape. Once we have this merged, we can create a follow up card and work together with @edsantiago to create system tests in test/system. Those are executed in the RHEL gating tests and important on the enterprise side.

cmd/podman/secrets/create.go Outdated Show resolved Hide resolved
cmd/podman/secrets/create.go Show resolved Hide resolved
cmd/podman/secrets/create.go Outdated Show resolved Hide resolved
docs/source/markdown/podman-create.1.md Outdated Show resolved Hide resolved
docs/source/markdown/podman-run.1.md Outdated Show resolved Hide resolved
libpod/container_internal_linux.go Outdated Show resolved Hide resolved
pkg/bindings/test/secrets_test.go Show resolved Hide resolved
pkg/domain/infra/abi/secrets.go Show resolved Hide resolved
pkg/domain/infra/abi/secrets.go Show resolved Hide resolved
test/e2e/secret_test.go Show resolved Hide resolved
mheon
mheon reviewed Jan 29, 2021
View reviewed changes
libpod/container_config.go Outdated Show resolved Hide resolved
mheon
mheon reviewed Jan 29, 2021
View reviewed changes
libpod/options.go Outdated Show resolved Hide resolved
@ashley-cui ashley-cui force-pushed the secretswiring branch 3 times, most recently from 70117ef to 4a086f8 Compare February 5, 2021 19:21
@rhatdan
Copy link
Member

rhatdan commented Feb 5, 2021

I pushed a common with the journald change reverted.

@ashley-cui
Copy link
Member Author

Vendoring in the new common vendored in a lot of weird other stuff.. Let me know if that's okay

@rhatdan
Copy link
Member

rhatdan commented Feb 5, 2021

Well I opened a vendoring for common, and it pulls in some vendors that common got on runc and friends, so this is not surprising.

Once my PR gets merged, you should easily just update to it.

@ashley-cui ashley-cui removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 8, 2021
@ashley-cui ashley-cui force-pushed the secretswiring branch 3 times, most recently from 48134f2 to 7534f2b Compare February 9, 2021 06:03
@vrothberg
Copy link
Member 

#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv                                        
#| FAIL: podman secret create: --help has 'Options:' section but no '[options]' in synopsis

The cobra.Command.Use string of secret create needs an [options] sub-string to pass test/system/015-helps.bats.

You can test it locally with PODMAN=./bin/podman bats test/system/015-help.bats

vrothberg
vrothberg reviewed Feb 9, 2021
View reviewed changes
libpod/container_internal_linux.go Outdated Show resolved Hide resolved
libpod/container_internal_linux.go Show resolved Hide resolved
@ashley-cui
Implement Secrets
832a69b 
Implement podman secret create, inspect, ls, rm
Implement podman run/create --secret
Secrets are blobs of data that are sensitive.
Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file.
After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname]
This secret will not be commited to an image on a podman commit

Signed-off-by: Ashley Cui <[email protected]>
@ashley-cui
Copy link
Member Author

ashley-cui commented Feb 9, 2021
edited
Loading

SHE'S GREEN!!!!!

@containers/podman-maintainers PTAL

@mheon
Copy link
Member

mheon commented Feb 9, 2021

LGTM

vrothberg
vrothberg reviewed Feb 9, 2021
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 9, 2021
@rhatdan rhatdan added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 9, 2021
@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: ashley-cui

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit f98605e into containers:master Feb 9, 2021
@TomSweeneyRedHat
Copy link
Member

Great job completing this one @ashley-cui! 🎆 🥇

@ashley-cui
Copy link
Member Author

Thanks @TomSweeneyRedHat !!

@ashley-cui ashley-cui mentioned this pull request Feb 10, 2021
Closed
@ashley-cui ashley-cui deleted the secretswiring branch June 29, 2021 21:13
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Luap99 Luap99 Luap99 left review comments

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@vrothberg vrothberg vrothberg left review comments

@mheon mheon mheon left review comments

Assignees

@vrothberg vrothberg

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@ashley-cui @TomSweeneyRedHat @mheon @Luap99 @rhatdan @vrothberg @openshift-ci-robot @openshift-merge-robot