diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index aa561a5cdc..33bd465da0 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -372,6 +372,20 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
 if spec.Process != nil {
 ctrConfig.Tty = spec.Process.Terminal
 ctrConfig.Env = append([]string{}, spec.Process.Env...)
+
+ // finds all secrets mounted as env variables and hides the value
+ // the inspect command should not display it
+ envSecrets := c.config.EnvSecrets
+ for envIndex, envValue := range ctrConfig.Env {
+ // env variables come in the style `name=value`
+ envName := strings.Split(envValue, "=")[0]
+
+ envSecret, ok := envSecrets[envName]
+ if ok {
+ ctrConfig.Env[envIndex] = envSecret.Name + "=*******"
+ }
+ }
+
 ctrConfig.WorkingDir = spec.Process.Cwd
 }
diff --git a/test/e2e/container_inspect_test.go b/test/e2e/container_inspect_test.go
index 8e26eb0f25..120f8ae4a5 100644
--- a/test/e2e/container_inspect_test.go
+++ b/test/e2e/container_inspect_test.go
@@ -3,6 +3,7 @@
 package integration
 import (
+ "fmt"
 "os"
 "path/filepath"
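Review bot: In the libpod/container_inspect.go hunk, the masked entry is rebuilt from `envSecret.Name`, while the lookup one line earlier is keyed by the variable name `envName`; if the two can differ (a secret exposed under another variable name), inspect would print a variable that does not exist in the container's environment and drop the one that does. Writing `ctrConfig.Env[envIndex] = envName + "=*******"` keeps the name exactly as it was and still hides the value. The masking applies only to this inspect view built from `spec.Process.Env`; the value is presumably still held in the stored spec, so the comment above the loop could say `// display-only redaction: the value remains in the container's runtime spec`. generateInspectContainerConfig starts and ends outside the hunk.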
@@ -82,4 +83,25 @@ var _ = Describe("Podman container inspect", func() {
 Expect(data[0].HostConfig.VolumesFrom).To(Equal([]string{volsctr}))
 Expect(data[0].Config.Annotations[define.VolumesFromAnnotation]).To(Equal(volsctr))
 })
+
+ It("podman inspect hides secrets mounted to env", func() {
+ secretName := "mysecret"
+
+ secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
+ err := os.WriteFile(secretFilePath, []byte("mySecretValue"), 0755)
+ Expect(err).ToNot(HaveOccurred())
+
+ session := podmanTest.Podman([]string{"secret", "create", secretName, secretFilePath})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(ExitCleanly())
+
+ name := "testcon"
+ session = podmanTest.Podman([]string{"run", "--secret", fmt.Sprintf("%s,type=env", secretName), "--name", name, CITEST_IMAGE})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(ExitCleanly())
+
+ data := podmanTest.InspectContainer(name)
+ Expect(data).To(HaveLen(1))
+ Expect(data[0].Config.Env).To(ContainElement(Equal(secretName + "=*******")))
+ })
 })
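Review bot: The new spec asserts only that `mysecret=*******` is present in `data[0].Config.Env`, so it would still pass if the real value also appeared in another entry; adding `Expect(data[0].Config.Env).ToNot(ContainElement(ContainSubstring("mySecretValue")))` pins the property the change exists for. The fixture file is written with mode `0755`; `0600` is the fitting mode for a file that holds a secret, even in a test. A second case in which the secret is exposed under a variable name different from the secret name (if the CLI supports that) would cover the name handling in the inspect code.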