Comments (3)
I'm not sure I understand what the problem is; the docs say:
data:
description:
- The value of the secret. Required when C(state) is C(present).
type: str
It should be value, not the file path. If you want to use file path it will be a feature request, but currently everything works as designed and documented.
from ansible-podman-collections.
@sshnaidm Yes, the documentation inside this repo does mention what you cited above, but I am referring to Podman's documentation of the secret subcommand and how it is intended to be used.
As I understand it, Ansible modules are wrappers for the actual underlying program (in this case Podman with the secret subcommand) and are supposed to mimic the original functionality as closely as possible with some extra checks (exit status, etc.). But this module says that it uses the driver file by default (like Podman) which Podman originally refers to as an actual file containing the secret. This module, however, does not honor the option driver with the file value in the same sense as Podman originally.
The documentation on both containers.github.io and docs.ansible.com mentions:
driver Override default secrets driver, currently podman uses file which is unencrypted.
But using this option explicitly (driver: file) still uses the literal string provided in the actual YAML/playbook, which partially defeats the Podman secret functionality that tries to separate sensitive data from configuration files (be it podman-compose files, Containerfiles, or Ansible playbooks, which can easily wind up committed into repos). In other words, the option driver with the value file should read from the passed file. Otherwise, I do not see any meaning in having the option if everything is going to be passed as stdin.
I would even consider this somewhat of a security risk due to how someone transitioning from writing podman secret create <NAME> <PATH> to a task in an Ansible play could unintentionally set a certain service access token/password to the secret's file path and not its content, so that one's reverse-proxy web interface, for example, is accessible by typing in the path to the secret file (a lot easier to brute force or attack with a dictionary attack). Here one has to hope that the respective service would throw an error mentioning some formatting problem with the secret data, which in the worst case would just be used as a seed or token as mentioned above without throwing any errors.
I see two ways this could be tackled:
1. (Breaking changes) The usage of the option driver with the value file (which is the current default affecting everyone) results in using the value in the option data as input for the <PATH> in podman secret create <NAME> <PATH>. Using a new value, for example, stdin in the option driver results in using the literal string provided in the value of the option data.
2. Add an option, for example, file with the value being a file path, which ignores the data option and is used as input for the <PATH> in podman secret create <NAME> <PATH>. Also, add a warning in the documentation that using the data option without the file option will use the literal string and not a file's contents (as might be expected by still having driver be the value file by default).
Alternative 1 does add an extra driver value (stdin) and encompasses breaking changes but makes it clear that either the file contents are being used as a secret or the literal string value in the data option.
Alternative 2 adds an extra option for file content usage and warns users in the documentation of the deviation from the original subcommand.
I would, even though it encompasses breaking changes, recommend the first alternative just because it makes this sensitive topic more "idiot-proof" from misconfigurations.
from ansible-podman-collections.
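The misconfiguration described in the comment above (a data value that is a path rather than the secret's contents) can be caught before a play runs. The following is an added example, not code from ansible-podman-collections or from the commenter: a small pre-flight check over podman_secret tasks, given here as plain Python dicts (what a YAML playbook loads into; a real check would parse the playbook file). The suggested fix in the warning assumes the usual workaround of reading the file on the controller with Ansible's built-in file lookup.

```python
"""Pre-flight check: flag podman_secret tasks whose `data` is a file path.

Added example, not part of ansible-podman-collections. Tasks are plain dicts
standing in for parsed playbook YAML; the `exists` callback is injectable so
the check is deterministic when run offline (on a controller, os.path.exists
consults the real disk).
"""
import os
import re

# Both the short and the fully qualified module name are accepted in plays.
MODULE_NAMES = {"podman_secret", "containers.podman.podman_secret"}

# Heuristic: absolute, dot-relative or home-relative paths with no whitespace.
PATH_RE = re.compile(r"^(?:/|\./|\.\./|~/)[^\s]*$")


def looks_like_path(value, exists=os.path.exists):
    """True if `value` reads like a filesystem path instead of secret material."""
    if not isinstance(value, str) or not value:
        return False
    if PATH_RE.match(value):
        return True
    # A bare relative name such as "secrets/token" that actually exists on disk.
    return "/" in value and exists(value)


def find_task_module(task):
    """Return the key under which this task calls podman_secret, or None."""
    for key in task:
        if key in MODULE_NAMES:
            return key
    return None


def check_task(task, exists=os.path.exists):
    """Return a list of finding strings for one task dict; empty if it is fine."""
    module = find_task_module(task)
    if module is None:
        return []
    args = task[module] or {}
    # The module's default state is present; absent tasks carry no secret data.
    if args.get("state", "present") != "present":
        return []
    name = args.get("name", "<unnamed>")
    data = args.get("data")
    findings = []
    if data is None:
        findings.append(f"{name}: state=present but no data given")
    elif looks_like_path(data, exists):
        findings.append(
            f"{name}: data looks like a file path ({data!r}); the secret would be "
            f"the literal string, not the file contents. Use "
            f"data: \"{{{{ lookup('file', '{data}') }}}}\" instead."
        )
    return findings


def check_playbook(tasks, exists=os.path.exists):
    """Run check_task over every task and collect the findings."""
    findings = []
    for task in tasks:
        findings.extend(check_task(task, exists))
    return findings


# Constructed sample tasks (hypothetical names and paths, for illustration only).
SAMPLE_TASKS = [
    {"name": "wrong: path passed as the secret value",
     "containers.podman.podman_secret": {"name": "proxy_token",
                                         "data": "/etc/secrets/proxy_token"}},
    {"name": "ok: file contents read on the controller",
     "containers.podman.podman_secret": {"name": "proxy_token",
                                         "data": "{{ lookup('file', '/etc/secrets/proxy_token') }}"}},
    {"name": "ok: value from vault",
     "containers.podman.podman_secret": {"name": "db_pass",
                                         "data": "{{ vault_db_pass }}"}},
    {"name": "absent: nothing to check",
     "containers.podman.podman_secret": {"name": "old", "state": "absent"}},
]

if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_TASKS, exists=lambda p: False):
        print("WARNING:", finding)
```

Two caveats when using a check like this: it is a heuristic, so a genuine secret that happens to start with a slash is a false positive, and the existence test runs on the controller while podman secret create <NAME> <PATH> would read the file on the target host. Note also that Ansible's file lookup strips trailing newlines by default, whereas podman reading the file directly keeps the bytes as-is, so the two routes can produce secrets that differ by a newline.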
I strongly object to the first option; it's a totally clear parameter name, data, which means secret data. If we want to add a path option to pass a file, I'm all for it.
Would you like to submit a patch?
cc @amenzhinsky
from ansible-podman-collections.