From eff2e908fbc3cac6c020901519646fd2ecfa783f Mon Sep 17 00:00:00 2001
From: uumas
Date: Mon, 11 Nov 2024 11:51:22 +0200
Subject: [PATCH] container: Add podman secret support

---
 roles/container/defaults/main.yaml | 1 +
 roles/container/meta/argument_specs.yaml | 18 ++++++++++++++++++
 roles/container/tasks/main.yaml | 7 +++++++
 roles/container/templates/container.j2 | 3 +++
 4 files changed, 29 insertions(+)

diff --git a/roles/container/defaults/main.yaml b/roles/container/defaults/main.yaml
index 3b23bce..552b0f7 100644
--- a/roles/container/defaults/main.yaml
+++ b/roles/container/defaults/main.yaml
@@ -4,6 +4,7 @@ container_user: ""
 container_mounts: []
 container_publish_ports: []
 container_networks: []
+container_secrets: []
 container_env: {}
 container_auto_start: true
 container_auto_update: true
diff --git a/roles/container/meta/argument_specs.yaml b/roles/container/meta/argument_specs.yaml
index 7be4e42..2645d95 100644
--- a/roles/container/meta/argument_specs.yaml
+++ b/roles/container/meta/argument_specs.yaml
@@ -66,6 +66,24 @@ argument_specs:
         required: false
         default: []
         elements: str
+      container_secrets:
+        description: A list of secrets available to the container in /run/secrets/
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          name:
+            description: Name of the secret
+            type: str
+            required: true
+          value:
+            description:
+              - Value of the secret. Defaults to a 128-character random string containing alphanumeric characters.
+              - If the value is not explicitly set, it will not be changed if the secret already exists.
+            type: str
+            required: false
+
       container_env:
         description: A dict of environment variables for the container
         type: dict
diff --git a/roles/container/tasks/main.yaml b/roles/container/tasks/main.yaml
index 244b582..0d30173 100644
--- a/roles/container/tasks/main.yaml
+++ b/roles/container/tasks/main.yaml
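Review bot: The `name` option's description in the new `container_secrets` spec does not say that podman secrets live in a per-user store shared by every container of that user, so two invocations of this role that declare the same secret `name` with different values would compete for one store entry (inferred from podman's secret model, not from this diff). Suggest `description: Name of the secret. Podman secrets are shared by all containers of the same user, so the name must be unique across roles that create secrets.` The enclosing `options:` mapping of this spec starts outside the hunk.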
@@ -8,6 +8,13 @@
   loop_control:
     loop_var: network
 
+- name: Create secrets for container {{ container_name }}
+  containers.podman.podman_secret:
+    name: "{{ item.name }}"
+    data: "{{ item.value | default(lookup('community.general.random_string', special=false, length=128)) }}"
+    skip_existing: "{{ item.value is not defined }}"
+  loop: "{{ container_secrets }}"
+
 - name: Create container service {{ container_name }}
   ansible.builtin.template:
     src: container.j2
diff --git a/roles/container/templates/container.j2 b/roles/container/templates/container.j2
index 915d038..6e60c5a 100644
--- a/roles/container/templates/container.j2
+++ b/roles/container/templates/container.j2
@@ -30,6 +30,9 @@ Network={{ network }}.network
 {% for port in container_publish_ports %}
 PublishPort={{ port }}
 {% endfor %}
+{% for secret in container_secrets %}
+Secret={{ secret.name }}
+{% endfor %}
 {% for key, value in container_env.items() %}
 Environment={{ key }}={{ value }}
 {% endfor %}
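Review bot: The new "Create secrets" task passes the secret value through the `data` argument without `no_log: true`, so the value — whether given explicitly or generated by the random_string lookup — is printed in verbose and diff output and by any callback that records task arguments; add `no_log: true` next to `loop:`. A smaller point is that Jinja evaluates the argument of `default()` eagerly, so the lookup generates a fresh random string on every iteration even when `item.value` is set; `data: "{{ item.value if item.value is defined else lookup('community.general.random_string', special=false, length=128) }}"` avoids the wasted work. Whether an explicit value that differs from an already existing secret is applied without `force` depends on the containers.podman release in use — older versions fail with a name-in-use error — so this is worth confirming against the pinned collection. The surrounding task list continues outside the hunk.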