container: Allow setting secret target

2025-06-23 11:58:37 +03:00
parent 60529c18cd
commit 8f29c2815e
3 changed files with 35 additions and 7 deletions
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -114,10 +114,12 @@ argument_specs:
            default: ""
      service_container_secrets:
        description:
-          - A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
          - >
-            A dict of secrets and their values (including autogenerated values) is available as `service_podman_secrets` for use
-            in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
+            A list of secrets available to the service container as file or environment variable
+          - >
+            A dict of secrets and their values (including autogenerated values) is available as
+            `service_podman_secrets` for use in templates. This should only be used if the
+            container doesn't support reading the secret from file or environment variable.
        type: list
        required: false
        default: []
@@ -129,8 +131,12 @@ argument_specs:
            required: true
          value:
            description:
-              - Value of the secret. Defaults to a 128-character random string containing alphanumeric characters.
-              - If the value is not explicitly set, it will not be changed if the secret already exists.
+              - >
+                Value of the secret. Defaults to a 128-character random string containing
+                alphanumeric characters.
+              - >
+                If the value is not explicitly set, it will not be changed if the secret
+                already exists.
            type: str
            required: false
          length:
@@ -145,6 +151,14 @@ argument_specs:
              - mount
              - env
            default: mount
+          target:
+            description: >
+              Where the secret will be available inside the container. If type is mount, this is
+              either a full file path or a filename under /run/secrets. If type is env, this is
+              the name of the environment variable. Defaults to secret name.
+            type: str
+            required: false
+
      service_container_env:
        description: A dict of environment variables for the service container(s)
        type: dict