Fix idempotency for any podman secret driver (#929)

* Fix idempotency for any podman secret driver All secret drivers are provided with the same interface in podman, so there is no need to hardcode the state as changed for all drivers other than 'file'. Signed-off-by: lersveen <7195448+lersveen@users.noreply.github.com> * ci: add tests for shell secret driver Signed-off-by: lersveen <7195448+lersveen@users.noreply.github.com> --------- Signed-off-by: lersveen <7195448+lersveen@users.noreply.github.com>
2026-02-04 07:11:49 +00:00 · 2025-05-13 14:06:45 +02:00 · 2025-05-13 14:06:45 +02:00 · ac5da409fe
commit ac5da409fe
parent 8a57012970
2 changed files with 73 additions and 9 deletions
--- a/plugins/modules/podman_secret.py
+++ b/plugins/modules/podman_secret.py
@ -140,11 +140,6 @@ def need_update(module, executable, name, data, path, env, skip, driver, driver_
        return False
    try:
        secret = module.from_json(out)[0]
-        # We support only file driver for now
-        if (driver and driver != 'file') or secret['Spec']['Driver']['Name'] != 'file':
-            if debug:
-                module.log("PODMAN-SECRET-DEBUG: Idempotency of driver %s is not supported" % driver)
-            return True
        if data:
            if secret['SecretData'] != data:
                if debug:
@ -175,7 +170,11 @@ def need_update(module, executable, name, data, path, env, skip, driver, driver_
                    diff['after'] = "<different-secret>"
                    diff['before'] = "<secret>"
                return True
-
+        if driver:
+            if secret['Spec']['Driver']['Name'] != driver:
+                diff['after'] = driver
+                diff['before'] = secret['Spec']['Driver']['Name']
+                return True
        if driver_opts:
            for k, v in driver_opts.items():
                if secret['Spec']['Driver']['Options'].get(k) != v:
@ -198,9 +197,7 @@ def need_update(module, executable, name, data, path, env, skip, driver, driver_
 def podman_secret_create(module, executable, name, data, path, env, force, skip,
                         driver, driver_opts, debug, labels):
    podman_version = get_podman_version(module, fail=False)
-    if (podman_version is not None and
-        LooseVersion(podman_version) >= LooseVersion('4.7.0')
-            and (driver is None or driver == 'file')):
+    if podman_version is not None and LooseVersion(podman_version) >= LooseVersion('4.7.0'):
        if need_update(module, executable, name, data, path, env, skip, driver, driver_opts, debug, labels):
            podman_secret_remove(module, executable, name)
        else:
--- a/tests/integration/targets/podman_secret/tasks/main.yml
+++ b/tests/integration/targets/podman_secret/tasks/main.yml
@ -281,6 +281,73 @@
              - secretlabels is changed
              - secretlabels2 is not changed
              - secretlabels3 is changed
+        
+        - name: Set dummy shell secret driver opts
+          set_fact:
+            shell_driver_opts:
+              list: "cat ~/shellsecret_*"
+              lookup: "cat ~/shellsecret_${SECRET_ID}"
+              store: "cat > ~/shellsecret_${SECRET_ID}"
+              delete: "rm ~/shellsecret_${SECRET_ID}"
+
+        - name: Create secret with shell driver
+          containers.podman.podman_secret:
+            executable: "{{ test_executable | default('podman') }}"
+            name: shellsecret
+            data: secret content
+            driver: shell
+            driver_opts: "{{ shell_driver_opts }}"
+          register: shellsecret_changed
+
+        - name: Create secret with shell driver and same content
+          containers.podman.podman_secret:
+            executable: "{{ test_executable | default('podman') }}"
+            name: shellsecret
+            data: secret content
+            driver: shell
+            driver_opts: "{{ shell_driver_opts }}"
+          register: shellsecret_changed2
+        
+        - name: Create secret with shell driver and different content
+          containers.podman.podman_secret:
+            executable: "{{ test_executable | default('podman') }}"
+            name: shellsecret
+            data: some other secret content
+            driver: shell
+            driver_opts: "{{ shell_driver_opts }}"
+          register: shellsecret_changed3
+        
+        - name: Show shell secret
+          containers.podman.podman_secret_info:
+            executable: "{{ test_executable | default('podman') }}"
+            name: shellsecret
+            showsecret: true
+          register: shellsecret_info
+
+        - name: Remove shell secret
+          containers.podman.podman_secret:
+            executable: "{{ test_executable | default('podman') }}"
+            state: absent
+            name: shellsecret
+          register: shellsecret_removed
+        
+        - name: Remove shell secret again
+          containers.podman.podman_secret:
+            executable: "{{ test_executable | default('podman') }}"
+            state: absent
+            name: shellsecret
+          register: shellsecret_removed2
+
+        - name: Check shell secret outputs
+          assert:
+            that:
+              - shellsecret_changed is changed
+              - shellsecret_changed2 is not changed
+              - shellsecret_changed3 is changed
+              - shellsecret_info is success
+              - shellsecret_info.secrets.0.SecretData == "some other secret content"
+              - shellsecret_removed is changed
+              - shellsecret_removed2 is not changed

    - name: Remove secret
      containers.podman.podman_secret: