Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add view/update to secrets #18667

Closed
kriansa opened this issue May 23, 2023 · 5 comments · Fixed by #19200
Closed

Add view/update to secrets #18667

kriansa opened this issue May 23, 2023 · 5 comments · Fixed by #19200
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@kriansa
Copy link

kriansa commented May 23, 2023
edited by vrothberg
Loading

Feature request description

Currently, podman-secrets have pretty limited usage, being only useful for not exposing credentials directly at the command line of containers. Although it has gained a few niceties feature-wise, such as new built-in drivers, it hasn't changed significantly since it was introduced.

A few things I find lacking in the current design are:

  1. Updating existing secrets. Currently, we have a UpdatedAt metadata, but it's effectively not used, since we can't update them, so I imagine this was planned (?)
  2. Viewing existing secrets. I know that this should probably come with a more sophisticated RBAC, but I think it would make it so much easier and avoid needing to resort to ugly workarounds (e.g. finding it on the secrets storage or creating a container to show a secret)
  3. Usage in podman-login

Suggest potential solution

  • podman-secret-show
  • podman-secret-update
  • podman-login --password-secret

Have you considered any alternatives?

Yes, I can work around it, but it isn't nearly as convenient as having a built-in CLI for it.

Additional context

I apologize if this is already planned for the short or long term. I currently have no visibility of that. I have searched on the past issues but I couldn't find anything relevant on the topic.
@kriansa kriansa added the kind/feature Categorizes issue or PR as related to a new feature. label May 23, 2023
@vrothberg
Copy link
Member

Thanks for reaching out, @kriansa!

I enumerated your ideas to refer to them more easily.

  1. I like the idea. I think we planned to have some secret create --replace similar to other commands.
  2. We could make inspecting the contents optional in secrets inspect?
  3. This would have a very low priority for me since there is already an elaborate credential mechanism (see https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md).

@ashley-cui @containers/podman-maintainers WDYT?

@kriansa
Copy link
Author

kriansa commented May 24, 2023

Thanks for the prompt response @vrothberg!

  1. Ok, the most consistent with the rest of the CLI, the better.
  2. Yes I'm fine with that too
  3. This is fine, I don't mind login being the way it is today, the rationale for the suggestion is to get a more consistent pattern for the usage of secrets across the ecosystem, so whenever we might want to use a secret, then we should be encouraged to use the built-in mechanism rather than rolling our own. With that in place, for example, in the future when remote drivers gets implemented, a key rotation in the container registry could be done centrally (i.e. on hashicorp Vault) and the container engines would pick it up automatically. But as I said, it doesn't bother me today, I believe that viewing and updating secrets are far more important.

@grepusername
Copy link

seconding the request for secret create --replace - at present the updated field seems redundant?

@rhatdan
Copy link
Member

rhatdan commented May 26, 2023

Interested in opening PRs to make this happen?

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan rhatdan mentioned this issue Jun 26, 2023
Merged
@rhatdan rhatdan mentioned this issue Jun 27, 2023
Merged
rhatdan added a commit to rhatdan/podman that referenced this issue Jun 28, 2023
@rhatdan
Display secret to user in inpspect
bf60bb0 
It is pretty complicated to display the secret on the host, but is
not really secured. This patch makes it easier to examine the secret.

Partial fix for containers#18667

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan added a commit to rhatdan/podman that referenced this issue Jul 9, 2023
@rhatdan
Add --replace flag to podman secret create
efefd8c 
Users may want to replace the secret used within containers, without
destroying the secret and recreating it.

Partial fix for containers#18667

Make sure podman --remote secret inspect and podman secret inspect
return the same error message.

Signed-off-by: Daniel J Walsh <[email protected]>
@rhatdan rhatdan mentioned this issue Jul 11, 2023
Merged
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Oct 12, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add secret support to podman login rhatdan/podman
4 participants
@kriansa @rhatdan @vrothberg @grepusername