Podman Secret - JSON #121

Closed
sveno1990 opened this issue Jan 18, 2024 · 4 comments

sveno1990 commented Jan 18, 2024

If I pass a json value to my podman secret:

    podman_secrets:
      - name: password
        state: present
        force: true
        data: '{"test": "json"}'

And I mount this secret in my .container file:

    Secret=password,type=mount,target=/test/test.json

When I exec in my container I see that ansible turned my double quotes to single quotes, so it is no longer valid JSON.

    sh-4.2# cat /test/test.json
    {'test': 'json'}

Is there a way to solve this?

richm commented Jan 19, 2024

It appears to be an issue with the way that the containers.podman.podman_secret handles the data argument.

    - name: Debug1
      containers.podman.podman_secret:
        name: mysecret2
        state: present
        force: true
        data: "{{ __data }}"
      vars:
        __data: '{"test": "json"}'

then following the instructions at https://docs.ansible.com/ansible/latest/dev_guide/debugging.html#debugging-modules
this is what the module arguments look like:

{"ANSIBLE_MODULE_ARGS": {"name": "mysecret2", "state": "present", "force": true, "data": {"test": "json"}, "_ansible_check_mode": false, "_ansible_no_log": false, "_ansible_debug": false, "_ansible_diff": false, "_ansible_verbosity": 7, "_ansible_version": "2.16.2", "_ansible_module_name": "containers.podman.podman_secret", "_ansible_syslog_facility": "LOG_USER", "_ansible_selinux_special_fs": ["fuse", "nfs", "vboxsf", "ramfs", "9p", "vfat"], "_ansible_string_conversion_action": "warn", "_ansible_socket": null, "_ansible_shell_executable": "/bin/sh", "_ansible_keep_remote_files": true, "_ansible_tmpdir": "/root/.ansible/tmp/ansible-tmp-1705626845.0551057-1083060-265276551058460/", "_ansible_remote_tmp": "~/.ansible/tmp"}}

as you can see, the data: '{"test": "json"}' gets turned into "data": {"test": "json"}

I looked at the built-in ansible copy module to see how the content parameter is implemented - I could not figure it out - I think it copies the data to the remote machine as-is, rather than trying to pass it as a module argument as above. Whatever is happening, it is happening inside Ansible between the invocation of the module, and when the module arguments are formatted.

Note that this works:

    - name: Debug2
      containers.podman.podman_secret:
        name: mysecret3
        state: present
        force: true
        data: "{{ __data | to_json }}"
      vars:
        __data: {test: json}

this is converted to "data": "{\"test\": \"json\"}"
not sure if that helps you - still not sure how to pass a raw, JSON formatted string

@sveno1990
Author

Thanks for your quick reply and elaborate analysis.
The to_json results in the secret file being filled with "{\"test\":\"test\"}".
Unfortunately our application at this moment cannot deal with the escapes.

richm added a commit to richm/linux-system-roles-podman that referenced this issue Jan 20, 2024
Cause: Ansible is somehow converting JSON strings to the corresponding
JSON object if the value is used in a loop and the value is used
like `data: "{{ value }}"`

Consequence: You cannot pass JSON strings as secrets and have the
value preserved.

Fix: Cast the data value to a string when passing to the podman_secret
module.

Result: JSON strings are preserved as-is for use in secrets.

Github issue: linux-system-roles#121

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

richm commented Jan 20, 2024

@sveno1990 are you able to try out #122 ?

@sveno1990
Author

@richm just tested it, works great!

richm added a commit that referenced this issue Jan 22, 2024
Cause: Ansible is somehow converting JSON strings to the corresponding
JSON object if the value is used in a loop and the value is used
like `data: "{{ value }}"`

Consequence: You cannot pass JSON strings as secrets and have the
value preserved.

Fix: Cast the data value to a string when passing to the podman_secret
module.

Result: JSON strings are preserved as-is for use in secrets.

Github issue: #121

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
richm closed this as completed Jan 22, 2024
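The two damaged results reported in this thread, single-quoted Python-style output and backslash-escaped output, can be told apart mechanically from an intact secret. The check below is an added example, not part of the original thread or of the role's code; the function name `classify_secret` and the sample values are constructed for illustration.

```python
import ast
import json

# Constructed sample with the same shape as the value in the issue.
INTENDED = '{"test": "json"}'


def classify_secret(intended: str, stored: str) -> str:
    """Compare the JSON text meant for the secret with what the container reads.

    Returns "ok", "python_repr", "double_encoded" or "mismatch".
    """
    want = json.loads(intended)  # raises if the intended value is not JSON

    try:
        got = json.loads(stored)
        parsed = True
    except json.JSONDecodeError:
        got, parsed = None, False

    if parsed and got == want:
        return "ok"

    # Valid JSON, but a JSON *string* wrapping the document: the value was
    # JSON-encoded one time too many, so the file carries backslash escapes.
    if parsed and isinstance(got, str):
        try:
            if json.loads(got) == want:
                return "double_encoded"
        except json.JSONDecodeError:
            pass
        return "mismatch"

    # Not JSON, but a Python literal equal to the intended object: the string
    # became a dict and was written back with str(), hence single quotes.
    if not parsed:
        try:
            if ast.literal_eval(stored.strip()) == want:
                return "python_repr"
        except (ValueError, SyntaxError, TypeError):
            pass
    return "mismatch"


if __name__ == "__main__":
    for stored in (INTENDED, "{'test': 'json'}\n", json.dumps(INTENDED)):
        print(repr(stored), "->", classify_secret(INTENDED, stored))
```

Run against the content of the mounted file (for instance the output of `cat /test/test.json`), anything other than `ok` means the consuming application will not see the JSON that was intended.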