From 8f29c2815e0ec998e05a3c1ed0ce736921527e7a Mon Sep 17 00:00:00 2001
From: uumas
Date: Mon, 23 Jun 2025 11:58:37 +0300
Subject: [PATCH] container: Allow setting secret target
---
 roles/container/meta/argument_specs.yaml | 9 ++++++++-
 roles/container/vars/main.yaml | 9 ++++++++-
 roles/service/meta/argument_specs.yaml | 24 +++++++++++++++++++-----
 3 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/roles/container/meta/argument_specs.yaml b/roles/container/meta/argument_specs.yaml
index a902c58..f72d61a 100644
--- a/roles/container/meta/argument_specs.yaml
+++ b/roles/container/meta/argument_specs.yaml
@@ -94,7 +94,7 @@ argument_specs:
 default: []
 elements: str
 container_secrets:
- description: A list of secrets available to the container in /run/secrets/
+ description: A list of secrets available to the container as file or environment variable
 type: list
 required: false
 default: []
@@ -122,6 +122,13 @@ argument_specs:
 - mount
 - env
 default: mount
+ target:
+ description: >
+ Where the secret will be available inside the container. If type is mount, this is
+ either a full file path or a filename under /run/secrets. If type is env, this is
+ the name of the environment variable. Defaults to secret name.
+ type: str
+ required: false
 container_env:
 description: A dict of environment variables for the container
diff --git a/roles/container/vars/main.yaml b/roles/container/vars/main.yaml
index e8c9754..063f645 100644
--- a/roles/container/vars/main.yaml
+++ b/roles/container/vars/main.yaml
@@ -29,7 +29,14 @@ _container_secrets: >-
 | zip(
 container_secrets
 | map(attribute='type', default='mount')
- | map('regex_replace', '^', 'type=')
+ | map('regex_replace', '^', 'type='),
+ container_secrets
+ | map(attribute='name')
+ | map('community.general.dict_kv', 'target')
+ | zip(container_secrets)
+ | map('combine')
+ | map(attribute='target')
+ | map('regex_replace', '^', 'target=')
 )
 | map('join', ',')
 }}
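Review bot: In roles/container/vars/main.yaml the new `target=` element takes each secret's `target` verbatim and the surrounding `map('join', ',')` then folds it into the comma-separated option string, so a target containing `,` or `=` would be read as additional options of that entry rather than as a path or variable name; nothing in the role validates it, and the `target` specs added in both argument_specs.yaml files are an unconstrained `type: str`. If that string ends up as a podman `--secret` option, which the variable name suggests but the consumer is outside this hunk, an `ansible.builtin.assert` over `container_secrets | map(attribute='target', default='')` rejecting values that contain `,` would close this, and both descriptions could state `The value is used unchanged in the secret option string and must not contain a comma.` The `dict_kv`/`zip`/`combine` step deserves a Jinja comment such as `{# merge {target: name} under the user's entry: an explicit target wins, otherwise the name is the default #}`, since a YAML `#` comment inside the `>-` block would become part of the value. The `_container_secrets` expression starts before the hunk.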
diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml
index 733632a..daa81e2 100644
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -114,10 +114,12 @@ argument_specs:
 default: ""
 service_container_secrets:
 description:
- - A list of secrets available to the service container in /run/secrets/- - >
- A dict of secrets and their values (including autogenerated values) is available as `service_podman_secrets` for use
- in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
+ A list of secrets available to the service container as file or environment variable
+ - >
+ A dict of secrets and their values (including autogenerated values) is available as
+ `service_podman_secrets` for use in templates. This should only be used if the
+ container doesn't support reading the secret from file or environment variable.
 type: list
 required: false
 default: []
@@ -129,8 +131,12 @@ argument_specs:
 required: true
 value:
 description:
- - Value of the secret. Defaults to a 128-character random string containing alphanumeric characters.
- - If the value is not explicitly set, it will not be changed if the secret already exists.
+ - >
+ Value of the secret. Defaults to a 128-character random string containing
+ alphanumeric characters.
+ - >
+ If the value is not explicitly set, it will not be changed if the secret
+ already exists.
 type: str
 required: false
 length:
@@ -145,6 +151,14 @@ argument_specs:
 - mount
 - env
 default: mount
+ target:
+ description: >
+ Where the secret will be available inside the container. If type is mount, this is
+ either a full file path or a filename under /run/secrets. If type is env, this is
+ the name of the environment variable. Defaults to secret name.
+ type: str
+ required: false
+
 service_container_env:
 description: A dict of environment variables for the service container(s)
 type: dict
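Review bot: The `target` entry added under service_container_secrets in the last hunk repeats the container role's `target` description word for word, including the `/run/secrets` and environment-variable rules, so the two texts will drift the next time either is edited. If the service role forwards `service_container_secrets` to the container role, which the parallel specs suggest but this file does not show, the service description could be reduced to the one-line `Passed through unchanged as the container role's container_secrets target; see roles/container/meta/argument_specs.yaml.` Either way this `type: str` is unconstrained, and since the value appears to be built into a comma-separated secret option string elsewhere in the collection, the description should say the value must not contain a comma.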