Merge pull request #23959 from auyer/hide-secrets-from-container-inspect
Hide secrets from container inspect command
commit
f4a08f46b7
@ -372,6 +372,20 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
|
||||||
if spec.Process != nil {
|
if spec.Process != nil {
|
||||||
ctrConfig.Tty = spec.Process.Terminal
|
ctrConfig.Tty = spec.Process.Terminal
|
||||||
ctrConfig.Env = append([]string{}, spec.Process.Env...)
|
ctrConfig.Env = append([]string{}, spec.Process.Env...)
|
||||||
|
|
||||||
|
// finds all secrets mounted as env variables and hides the value
|
||||||
|
// the inspect command should not display it
|
||||||
|
envSecrets := c.config.EnvSecrets
|
||||||
|
for envIndex, envValue := range ctrConfig.Env {
|
||||||
|
// env variables come in the style `name=value`
|
||||||
|
envName := strings.Split(envValue, "=")[0]
|
||||||
|
|
||||||
|
envSecret, ok := envSecrets[envName]
|
||||||
|
if ok {
|
||||||
|
ctrConfig.Env[envIndex] = envSecret.Name + "=*******"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ctrConfig.WorkingDir = spec.Process.Cwd
|
ctrConfig.WorkingDir = spec.Process.Cwd
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
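Review bot: The masked entry is rebuilt from `envSecret.Name` while the lookup is keyed by `envName` (the left-hand side of the `name=value` entry); if `c.config.EnvSecrets` can be keyed by a target name that differs from the secret's name (e.g. a `--secret ...,type=env,target=...` mount), the rewritten line would show the secret name as the variable and the real variable name would vanish from inspect output. Writing back the key that was actually matched avoids that: `ctrConfig.Env[envIndex] = envName + "=*******"`. The split can also drop the unused remainder with `envName, _, _ := strings.Cut(envValue, "=")`. Worth a comment above the loop that the in-place rewrite is only safe because `ctrConfig.Env` is a fresh copy of `spec.Process.Env` (the `append([]string{}, ...)` two lines up), so the OCI spec itself is not modified. The enclosing `generateInspectContainerConfig` starts and ends outside this hunk.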
@ -3,6 +3,7 @@
|
||||||
package integration
|
package integration
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
|
||||||
|
@ -82,4 +83,25 @@ var _ = Describe("Podman container inspect", func() {
|
||||||
Expect(data[0].HostConfig.VolumesFrom).To(Equal([]string{volsctr}))
|
Expect(data[0].HostConfig.VolumesFrom).To(Equal([]string{volsctr}))
|
||||||
Expect(data[0].Config.Annotations[define.VolumesFromAnnotation]).To(Equal(volsctr))
|
Expect(data[0].Config.Annotations[define.VolumesFromAnnotation]).To(Equal(volsctr))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
It("podman inspect hides secrets mounted to env", func() {
|
||||||
|
secretName := "mysecret"
|
||||||
|
|
||||||
|
secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
|
||||||
|
err := os.WriteFile(secretFilePath, []byte("mySecretValue"), 0755)
|
||||||
|
Expect(err).ToNot(HaveOccurred())
|
||||||
|
|
||||||
|
session := podmanTest.Podman([]string{"secret", "create", secretName, secretFilePath})
|
||||||
|
session.WaitWithDefaultTimeout()
|
||||||
|
Expect(session).Should(ExitCleanly())
|
||||||
|
|
||||||
|
name := "testcon"
|
||||||
|
session = podmanTest.Podman([]string{"run", "--secret", fmt.Sprintf("%s,type=env", secretName), "--name", name, CITEST_IMAGE})
|
||||||
|
session.WaitWithDefaultTimeout()
|
||||||
|
Expect(session).Should(ExitCleanly())
|
||||||
|
|
||||||
|
data := podmanTest.InspectContainer(name)
|
||||||
|
Expect(data).To(HaveLen(1))
|
||||||
|
Expect(data[0].Config.Env).To(ContainElement(Equal(secretName + "=*******")))
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
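Review bot: The new test only asserts that the masked element is present; it never asserts that the plaintext is gone, so a regression that appended the mask without removing the original `mysecret=mySecretValue` entry would still pass. Add a negative check alongside the existing one, e.g. `Expect(data[0].Config.Env).ToNot(ContainElement(ContainSubstring("mySecretValue")))`. The secret fixture is also written with `0755`; a secret file should not carry the execute bit, so `0600` fits better. A second case using `type=env,target=SOME_NAME` would exercise the path where the env variable name differs from the secret name, which this test does not cover. The enclosing `Describe` block starts outside the hunk.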