Add --replace flag to podman secret create

Users may want to replace the secret used within containers, without
destroying the secret and recreating it.

Partial fix for containers#18667

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

cmd/podman/secrets/create.go

@@ -55,6 +55,8 @@ func init() {
 	envFlagName := "env"
 	flags.BoolVar(&env, envFlagName, false, "Read secret data from environment variable")
 
+	flags.BoolVar(&createOpts.Replace, "replace", false, "If a secret with the same name exists, replace it")
+
 	labelFlagName := "label"
 	flags.StringArrayVarP(&labels, labelFlagName, "l", nil, "Specify labels on the secret")
 	_ = createCmd.RegisterFlagCompletionFunc(labelFlagName, completion.AutocompleteNone)

docs/source/markdown/podman-secret-create.1.md

@@ -40,6 +40,12 @@ Print usage statement.
 
 Add label to secret. These labels can be viewed in podman secrete inspect or ls.
 
+#### **--replace**=*false*
+
+If existing secret with the same name already exists, update the secret.
+The `--replace` option does not change secrets within existing containers, only newly created containers.
+ The default is **false**.
+
 ## EXAMPLES
 
 ```

go.mod

@@ -13,13 +13,13 @@ require (
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.3.0
 	github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b
-	github.com/containers/common v0.54.0
+	github.com/containers/common v0.55.0
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.26.0
 	github.com/containers/libhvee v0.0.5
 	github.com/containers/ocicrypt v1.1.7
 	github.com/containers/psgo v1.8.0
-	github.com/containers/storage v1.47.0
+	github.com/containers/storage v1.48.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/coreos/stream-metadata-go v0.4.3
 	github.com/crc-org/vfkit v0.0.5-0.20230602131541-3d57f09010c9
@@ -180,3 +180,5 @@ require (
 )
 
 replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1-0.20220617142545-8b9452f75cbc
+
+replace github.com/containers/common => github.com/rhatdan/common v0.47.1-0.20230630093538-09cc213d4358

go.sum

@@ -241,8 +241,6 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
 github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b h1:cTb0Sxu/tIQ9uPIchFmkYs+uOtylhyO+0h2+i3XzisQ=
 github.com/containers/buildah v1.30.1-0.20230627110136-33b7088fec7b/go.mod h1:O2jiDd5+569W8cwqyLnRKiqAHOPTi/Kj+oDlFNsFg24=
-github.com/containers/common v0.54.0 h1:jJ2QVuliTa/40QxyDe1ZS1U/7BsDea7qdBeZE0VPu3E=
-github.com/containers/common v0.54.0/go.mod h1:xbA3bUfth8p2xmqSg01oxHNDRJA71SAVUCqhyEISKic=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.26.0 h1:P9H4+N/7fTTClnFthIWgJU+0LBkhGlW2tCWR+UNG0Vs=
@@ -259,8 +257,8 @@ github.com/containers/ocicrypt v1.1.7/go.mod h1:7CAhjcj2H8AYp5YvEie7oVSK2AhBY8Ns
 github.com/containers/psgo v1.8.0 h1:2loGekmGAxM9ir5OsXWEfGwFxorMPYnc6gEDsGFQvhY=
 github.com/containers/psgo v1.8.0/go.mod h1:T8ZxnX3Ur4RvnhxFJ7t8xJ1F48RhiZB4rSrOaR/qGHc=
 github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
-github.com/containers/storage v1.47.0 h1:Tl/onL8yE/4QABc2kfPDaTSYijk3QrmXGrO21KXkj58=
-github.com/containers/storage v1.47.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
+github.com/containers/storage v1.48.0 h1:wiPs8J2xiFoOEAhxHDRtP6A90Jzj57VqzLRXOqeizns=
+github.com/containers/storage v1.48.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
@@ -855,6 +853,8 @@ github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rhatdan/common v0.47.1-0.20230630093538-09cc213d4358 h1:YWWfQ0Gs/Q6MH4C72e7AxzPYk3UQBJRCVDQhlZn+ewU=
+github.com/rhatdan/common v0.47.1-0.20230630093538-09cc213d4358/go.mod h1:JNNJY++mDJW7xTNeU08b6h11omV0FYl9diWLofkgaY0=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=

pkg/api/handlers/libpod/secrets.go

@@ -24,6 +24,7 @@ func CreateSecret(w http.ResponseWriter, r *http.Request) {
 		Driver     string            `schema:"driver"`
 		DriverOpts map[string]string `schema:"driveropts"`
 		Labels     map[string]string `schema:"labels"`
+		Replace    bool              `schema:"replace"`
 	}{
 		// override any golang type defaults
 	}
@@ -36,6 +37,7 @@ func CreateSecret(w http.ResponseWriter, r *http.Request) {
 	opts.Driver = query.Driver
 	opts.DriverOpts = query.DriverOpts
 	opts.Labels = query.Labels
+	opts.Replace = query.Replace
 
 	ic := abi.ContainerEngine{Libpod: runtime}
 	report, err := ic.SecretCreate(r.Context(), query.Name, r.Body, opts)

pkg/bindings/secrets/types.go

@@ -28,4 +28,5 @@ type CreateOptions struct {
 	Driver     *string
 	DriverOpts map[string]string
 	Labels     map[string]string
+	Replace    *bool
 }

pkg/domain/entities/secrets.go

@@ -14,6 +14,7 @@ type SecretCreateOptions struct {
 	Driver     string
 	DriverOpts map[string]string
 	Labels     map[string]string
+	Replace    bool
 }
 
 type SecretInspectOptions struct {

pkg/domain/infra/abi/secrets.go

@@ -46,6 +46,7 @@ func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader
 	storeOpts := secrets.StoreOptions{
 		DriverOpts: options.DriverOpts,
 		Labels:     options.Labels,
+		Replace:    options.Replace,
 	}
 
 	secretID, err := manager.Store(name, data, options.Driver, storeOpts)
@@ -86,10 +87,13 @@ func (ic *ContainerEngine) SecretInspect(ctx context.Context, nameOrIDs []string
 		if secret.Labels == nil {
 			secret.Labels = make(map[string]string)
 		}
+		if secret.UpdatedAt.IsZero() {
+			secret.UpdatedAt = secret.CreatedAt
+		}
 		report := &entities.SecretInfoReport{
 			ID:        secret.ID,
 			CreatedAt: secret.CreatedAt,
-			UpdatedAt: secret.CreatedAt,
+			UpdatedAt: secret.UpdatedAt,
 			Spec: entities.SecretSpec{
 				Name: secret.Name,
 				Driver: entities.SecretDriverSpec{

pkg/domain/infra/tunnel/secrets.go

@@ -15,7 +15,8 @@ func (ic *ContainerEngine) SecretCreate(ctx context.Context, name string, reader
 		WithDriver(options.Driver).
 		WithDriverOpts(options.DriverOpts).
 		WithName(name).
-		WithLabels(options.Labels)
+		WithLabels(options.Labels).
+		WithReplace(options.Replace)
 	created, err := secrets.Create(ic.ClientCtx, reader, opts)
 	if err != nil {
 		return nil, err

test/e2e/secret_test.go

@@ -36,6 +36,26 @@ var _ = Describe("Podman secret", func() {
 		inspect.WaitWithDefaultTimeout()
 		Expect(inspect).Should(Exit(0))
 		Expect(inspect.OutputToString()).To(ContainSubstring("opt1:val"))
+
+		session = podmanTest.Podman([]string{"secret", "create", "-d", "file", "--driver-opts", "opt1=val1", "a", secretFilePath})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(125))
+		Expect(session.ErrorToString()).To(Equal("Error: a: secret name in use"))
+
+		session = podmanTest.Podman([]string{"secret", "create", "-d", "file", "--driver-opts", "opt1=val1", "--replace", "a", secretFilePath})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(Not(Equal(secrID)))
+
+		inspect = podmanTest.Podman([]string{"secret", "inspect", "-f", "{{.Spec.Driver.Options}}", secrID})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).To(ExitWithError())
+		Expect(inspect.ErrorToString()).To(ContainSubstring(fmt.Sprintf("Error: inspecting secret: no such secret %q", secrID)))
+
+		inspect = podmanTest.Podman([]string{"secret", "inspect", "-f", "{{.Spec.Driver.Options}}", "a"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(Exit(0))
+		Expect(inspect.OutputToString()).To(ContainSubstring("opt1:val1"))
 	})
 
 	It("podman secret create bad name should fail", func() {