- name: Test podman_secret block: - name: Discover podman version shell: podman version | grep "^Version:" | awk {'print $2'} register: podman_v - name: Set podman version fact set_fact: podman_version: "{{ podman_v.stdout | string }}" - name: Set podman version fact to gt than 4.7.0 if so set_fact: podman_version_gt470: "{{ podman_version is version('4.7.0', '>=') }}" - name: Make sure secret doesn't exist containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: "{{ item }}" loop: - mysecret - mysecret2 - name: Create secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret debug: true data: secret content - name: Recreate secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: super secret content force: true register: forced - name: Skip secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: super secret content skip_existing: true debug: true register: skipped - name: Force secret to same containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: super secret content force: true debug: true register: forced2 - name: Check assertions assert: that: - forced is changed - skipped is not changed - forced2 is changed when: not podman_version_gt470 - name: Check assertions for podman >= 4.7.0 assert: that: - forced is changed - skipped is not changed - forced2 is not changed when: podman_version_gt470 - name: Create container that uses secret containers.podman.podman_container: executable: "{{ test_executable | default('podman') }}" name: showmysecret image: alpine:3.7 secrets: - mysecret command: cat /run/secrets/mysecret detach: false rm: true register: container - name: Check secret data assert: that: - container.stdout == "super secret content" - name: Create container that uses secret with options containers.podman.podman_container: executable: "{{ test_executable | default('podman') }}" name: showmysecret image: alpine:3.7 secrets: - mysecret,type=env,target=SECRET command: ['/bin/sh', '-c', 'echo $SECRET'] detach: false rm: true register: container - name: Check secret data assert: that: - container.stdout == "super secret content\n" - name: Remove secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: mysecret register: removed - name: Check removed is changed assert: that: - removed is changed - name: Remove secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: mysecret register: removed - name: Check removed is not changed assert: that: - removed is not changed - name: Create secret with file driver labels containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file labels: lab1: somestringhere label2: "some value is there" "long label": onestring "boring label": "multi string value" - name: Remove secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: mysecret - name: Create secret with file driver and custom options containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file driver_opts: a: b c: d - when: podman_version_gt470 block: - name: Create secret with file driver and different options containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file driver_opts: a: b c: e register: opts_changed - name: Create secret with file driver and different options again containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file driver_opts: a: b c: e register: opts_changed2 - name: Create secret with different content containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: other secret content driver_opts: a: b c: e register: secret_changed - name: Create secret with different content again containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: other secret content driver_opts: a: b c: e register: secret_changed2 - name: Create secret with different content but skipped containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: other secret content and skipped skip_existing: true debug: true driver_opts: a: b c: e register: skip_secret_changed - name: Create secret with different content but forced containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: other secret content and skipped force: true debug: true driver_opts: a: b c: e register: force_secret_changed - name: Check opts changes assert: that: - opts_changed is changed - opts_changed2 is not changed - secret_changed is changed - secret_changed2 is not changed - skip_secret_changed is not changed - force_secret_changed is changed - name: Create secret with file driver and labels containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file labels: lab1: somestringhere label2: "some value is there" "long label": onestring "boring label": "multi string value" register: secretlabels - name: Create secret with file driver and labels again containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file labels: lab1: somestringhere label2: "some value is there" "long label": onestring "boring label": "multi string value" register: secretlabels2 - name: Create secret with file driver and different labels containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret data: secret content driver: file labels: lab1: somestringhere label2: "some value is not there" "long label": onestring "boring label": "multi string value" register: secretlabels3 - name: Check labels changes assert: that: - secretlabels is changed - secretlabels2 is not changed - secretlabels3 is changed - name: Set dummy shell secret driver opts set_fact: shell_driver_opts: list: "cat ~/shellsecret_*" lookup: "cat ~/shellsecret_${SECRET_ID}" store: "cat > ~/shellsecret_${SECRET_ID}" delete: "rm ~/shellsecret_${SECRET_ID}" - name: Create secret with shell driver containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: shellsecret data: secret content driver: shell driver_opts: "{{ shell_driver_opts }}" register: shellsecret_changed - name: Create secret with shell driver and same content containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: shellsecret data: secret content driver: shell driver_opts: "{{ shell_driver_opts }}" register: shellsecret_changed2 - name: Create secret with shell driver and different content containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: shellsecret data: some other secret content driver: shell driver_opts: "{{ shell_driver_opts }}" register: shellsecret_changed3 - name: Show shell secret containers.podman.podman_secret_info: executable: "{{ test_executable | default('podman') }}" name: shellsecret showsecret: true register: shellsecret_info - name: Remove shell secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: shellsecret register: shellsecret_removed - name: Remove shell secret again containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: shellsecret register: shellsecret_removed2 - name: Check shell secret outputs assert: that: - shellsecret_changed is changed - shellsecret_changed2 is not changed - shellsecret_changed3 is changed - shellsecret_info is success - shellsecret_info.secrets.0.SecretData == "some other secret content" - shellsecret_removed is changed - shellsecret_removed2 is not changed - name: Remove secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: "{{ item }}" loop: - mysecret - mysecret2 - name: Create secret if not exists and skip existing containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret2 data: secret content state: present skip_existing: true register: secretskip1 - name: Create secret if not exists and skip existing - again containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret2 data: secret content state: present skip_existing: true register: secretskip2 - name: Check secret containers.podman.podman_secret_info: executable: "{{ test_executable | default('podman') }}" name: mysecret2 register: secret_info - name: Check outputs assert: that: - secretskip1 is changed - secretskip2 is not changed - secret_info is success - secret_info.secrets | length > 0 - name: Remove secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: mysecret2 - when: podman_version_gt470 block: - name: Create a file with secret data copy: content: "secret content 1" dest: ~/mysecret-1 - name: Create secret from file containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret2 path: ~/mysecret-1 state: present register: secret1 - name: Create secret again containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret2 path: ~/mysecret-1 state: present register: secret2 - name: Check outputs assert: that: - secret1 is changed - secret2 is not changed - name: Create another secret in other file copy: content: "secret content 2" dest: ~/mysecret-2 - name: Create secret from other file containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret3 path: ~/mysecret-2 state: present debug: true register: secret3 - name: Check outputs assert: that: - secret3 is changed - name: Create a secret from non existing file containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret4 path: ~/mysecret-3 state: present debug: true register: secret4 ignore_errors: true - name: Check outputs assert: that: - secret4 is failed - name: Create a secret from non-existing environment variable containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret5 env: NON_EXISTING_ENV state: present register: secret5 ignore_errors: true - name: Check outputs assert: that: - secret5 is failed - "'Environment variable NON_EXISTING_ENV is not set' in secret5.msg" - name: Create a secret from existing environment variable containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" name: mysecret5 env: EXISTING_ENV state: present environment: EXISTING_ENV: "secret env content" register: secret6 - name: Show secret6 containers.podman.podman_secret_info: executable: "{{ test_executable | default('podman') }}" name: mysecret5 showsecret: true register: secret6_info - name: Check outputs assert: that: - secret6 is changed - secret6_info is success - secret6_info.secrets.0.SecretData == "secret env content" - name: Remove secret containers.podman.podman_secret: executable: "{{ test_executable | default('podman') }}" state: absent name: mysecret5 always: - name: Remove container that uses secret containers.podman.podman_container: executable: "{{ test_executable | default('podman') }}" name: showmysecret state: absent