Add support for environmental secrets #856

wants to merge 3 commits into from
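--- a/podman_compose.py
+++ b/podman_compose.py
@@ -544,24 +544,25 @@ def get_secret_args(compose, cnt, secret):
 dest_file = ""
 secret_opts = ""
 
-target = None if is_str(secret) else secret.get("target", None)
-uid = None if is_str(secret) else secret.get("uid", None)
-gid = None if is_str(secret) else secret.get("gid", None)
-mode = None if is_str(secret) else secret.get("mode", None)
+secret_target = None if is_str(secret) else secret.get("target", None)
+secret_uid = None if is_str(secret) else secret.get("uid", None)
+secret_gid = None if is_str(secret) else secret.get("gid", None)
+secret_mode = None if is_str(secret) else secret.get("mode", None)
+secret_type = None if is_str(secret) else secret.get("type", None)
 
 if source_file:
-if not target:
-dest_file = f"/run/secrets/{secret_name}"
-elif not target.startswith("/"):
-sec = target if target else secret_name
+if not secret_target:
+dest_file = "/run/secrets/{}".format(secret_name)
+elif not secret_target.startswith("/"):
+sec = secret_target if secret_target else secret_name
 dest_file = f"/run/secrets/{sec}"
 else:
-dest_file = target
+dest_file = secret_target
 basedir = compose.dirname
 source_file = os.path.realpath(os.path.join(basedir, os.path.expanduser(source_file)))
 volume_ref = ["--volume", f"{source_file}:{dest_file}:ro,rprivate,rbind"]
-if uid or gid or mode:
-sec = target if target else secret_name
+if secret_uid or secret_gid or secret_mode:
+sec = secret_target if secret_target else secret_name
 log(
 f'WARNING: Service {cnt["_service"]} uses secret "{sec}" with uid, gid, or mode.'
 + " These fields are not supported by this implementation of the Compose file"
@@ -575,10 +576,12 @@ def get_secret_args(compose, cnt, secret):
 # podman-create commands, albeit we can only support a 1:1 mapping
 # at the moment
 if declared_secret.get("external", False) or declared_secret.get("name", None):
-secret_opts += f",uid={uid}" if uid else ""
-secret_opts += f",gid={gid}" if gid else ""
-secret_opts += f",mode={mode}" if mode else ""
-# The target option is only valid for type=env,
+secret_opts += f",uid={secret_uid}" if secret_uid else ""
+secret_opts += f",gid={secret_gid}" if secret_gid else ""
+secret_opts += f",mode={secret_mode}" if secret_mode else ""
+secret_opts += f",type={secret_type}" if secret_type else ""
+secret_opts += f",target={secret_target}" if secret_target and secret_type == "env" else ""
+# The secret_target option is only valid for type=env,
 # which in an ideal world would work
 # for type=mount as well.
 # having a custom name for the external secret
@@ -587,12 +590,12 @@ def get_secret_args(compose, cnt, secret):
 err_str = 'ERROR: Custom name/target reference "{}" for mounted external secret "{}" is not supported'
 if ext_name and ext_name != secret_name:
 raise ValueError(err_str.format(secret_name, ext_name))
-if target and target != secret_name:
-raise ValueError(err_str.format(target, secret_name))
-if target:
+if secret_target and secret_target != secret_name and secret_type != 'env':
+raise ValueError(err_str.format(secret_target, secret_name))
+if secret_target and secret_type != 'env':
 log(
 'WARNING: Service "{}" uses target: "{}" for secret: "{}".'.format(
-cnt["_service"], target, secret_name
+cnt["_service"], secret_target, secret_name
 )
 + " That is un-supported and a no-op and is ignored."
 )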
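Review bot: The new `type`/`target` handling is only applied on the external-secret path in the second hunk; a file-backed secret with `type: env` appears to still fall into the `if source_file:` branch of the first hunk, where `secret_type` is read but never used, so it would be silently bind-mounted at `/run/secrets/<target>` instead of being exposed as an environment variable. A guard in that branch would make the limitation visible, e.g. `if secret_type == "env": raise ValueError(f'ERROR: secret "{secret_name}" is file-based; type=env is only supported for external secrets')`. Relatedly, `secret_type` is interpolated into the `--secret` option string unvalidated, so a misspelt type is only rejected by podman at run time; checking it against the values podman accepts (`env`, `mount`) before building `secret_opts` gives a compose-level error that names the secret. Two smaller points: `dest_file = "/run/secrets/{}".format(secret_name)` reverts an f-string while the sibling line below keeps `f"/run/secrets/{sec}"`, and the third hunk compares against `'env'` in single quotes where the surrounding code uses double quotes. get_secret_args starts before the first hunk and continues past the last, so where source_file is derived and the final return are not visible here.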
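--- a/tests/secrets/docker-compose.yaml
+++ b/tests/secrets/docker-compose.yaml
@@ -31,6 +31,9 @@ services:
 uid: '103'
 gid: '103'
 mode: 400
+- source: my_secret
+target: ENV_SECRET
+type: env
 
 secrets:
 my_secret:
@@ -43,4 +46,3 @@ secrets:
 name: my_secret_3
 file_secret:
 file: ./my_secret
-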
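--- a/tests/secrets/print_secrets.sh
+++ b/tests/secrets/print_secrets.sh
@@ -4,3 +4,4 @@ ls -la /run/secrets/*
 ls -la /etc/custom_location
 cat /run/secrets/*
 cat /etc/custom_location
+env | grep SECRET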