container: Allow setting secret target

2025-06-23 11:58:37 +03:00
parent 60529c18cd
commit 8f29c2815e
3 changed files with 35 additions and 7 deletions
--- a/roles/container/meta/argument_specs.yaml
+++ b/roles/container/meta/argument_specs.yaml
@@ -94,7 +94,7 @@ argument_specs:
        default: []
        elements: str
      container_secrets:
-        description: A list of secrets available to the container in /run/secrets/<secret name>
+        description: A list of secrets available to the container as file or environment variable
        type: list
        required: false
        default: []
@@ -122,6 +122,13 @@ argument_specs:
              - mount
              - env
            default: mount
+          target:
+            description: >
+              Where the secret will be available inside the container. If type is mount, this is
+              either a full file path or a filename under /run/secrets. If type is env, this is
+              the name of the environment variable. Defaults to secret name.
+            type: str
+            required: false

      container_env:
        description: A dict of environment variables for the container
--- a/roles/container/vars/main.yaml
+++ b/roles/container/vars/main.yaml
@@ -29,7 +29,14 @@ _container_secrets: >-
    | zip(
      container_secrets
      | map(attribute='type', default='mount')
-      | map('regex_replace', '^', 'type=')
+      | map('regex_replace', '^', 'type='),
+      container_secrets
+      | map(attribute='name')
+      | map('community.general.dict_kv', 'target')
+      | zip(container_secrets)
+      | map('combine')
+      | map(attribute='target')
+      | map('regex_replace', '^', 'target=')
    )
    | map('join', ',')
  }}