André Lersveen ac5da409fe
Fix idempotency for any podman secret driver (#929)
* Fix idempotency for any podman secret driver

All secret drivers are provided with the same interface in podman, so there is no need to hardcode the state as changed for all drivers other than 'file'.

Signed-off-by: lersveen <7195448+lersveen@users.noreply.github.com>

* ci: add tests for shell secret driver

Signed-off-by: lersveen <7195448+lersveen@users.noreply.github.com>

---------

Signed-off-by: lersveen <7195448+lersveen@users.noreply.github.com>
2025-05-13 15:06:45 +03:00


- name: Test podman_secret
block:
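# Probe the installed podman version once; the version-gated assertions below
# (podman_version_gt470) depend on it.
# NOTE(review): this runs the bare `podman` binary, not test_executable as the
# module tasks do — confirm that is intentional.
- name: Discover podman version
  ansible.builtin.shell: podman version | grep "^Version:" | awk {'print $2'}
  register: podman_v
  # Read-only probe: never report it as a change (ansible-lint no-changed-when).
  changed_when: false

- name: Set podman version fact
  ansible.builtin.set_fact:
    podman_version: "{{ podman_v.stdout | string }}"

# Despite the task name, the comparison is ">=" (4.7.0 itself counts as new).
- name: Set podman version fact to gt than 4.7.0 if so
  ansible.builtin.set_fact:
    podman_version_gt470: "{{ podman_version is version('4.7.0', '>=') }}"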
# Baseline lifecycle: start from a clean slate, then create / recreate (force) /
# skip (skip_existing) / force-to-same, and check the reported change status.
- name: Make sure secret doesn't exist
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: "{{ item }}"
    state: absent
  loop: [mysecret, mysecret2]

- name: Create secret
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    data: 'secret content'
    debug: true

# force: replace the existing secret even though it already exists.
- name: Recreate secret
  register: forced
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    data: 'super secret content'
    force: true

# skip_existing: leave the existing secret untouched.
- name: Skip secret
  register: skipped
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    data: 'super secret content'
    skip_existing: true
    debug: true

- name: Force secret to same
  register: forced2
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    data: 'super secret content'
    force: true
    debug: true

# Forcing a secret whose content did not change is reported as "changed" on
# podman < 4.7.0, but is expected to be a no-op on 4.7.0 and newer.
- name: Check assertions
  when: not podman_version_gt470
  ansible.builtin.assert:
    that:
      - forced is changed
      - skipped is not changed
      - forced2 is changed

- name: Check assertions for podman >= 4.7.0
  when: podman_version_gt470
  ansible.builtin.assert:
    that:
      - forced is changed
      - skipped is not changed
      - forced2 is not changed
# Consume the secret from a container: first as a mounted file under
# /run/secrets, then injected as an environment variable via type=env.
- name: Create container that uses secret
  register: container
  containers.podman.podman_container:
    executable: "{{ test_executable | default('podman') }}"
    name: showmysecret
    image: 'alpine:3.7'
    secrets:
      - mysecret
    command: cat /run/secrets/mysecret
    detach: false
    rm: true

# `cat` prints the stored bytes verbatim, so no trailing newline is expected.
- name: Check secret data
  ansible.builtin.assert:
    that:
      - container.stdout == "super secret content"

- name: Create container that uses secret with options
  register: container
  containers.podman.podman_container:
    executable: "{{ test_executable | default('podman') }}"
    name: showmysecret
    image: 'alpine:3.7'
    secrets:
      - 'mysecret,type=env,target=SECRET'
    command:
      - /bin/sh
      - '-c'
      - 'echo $SECRET'
    detach: false
    rm: true

# `echo` appends a newline, hence the trailing "\n" in the expected value.
- name: Check secret data
  ansible.builtin.assert:
    that:
      - container.stdout == "super secret content\n"
# Removal is idempotent: the first delete reports a change, the second does not.
- name: Remove secret
  register: removed
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    state: absent

- name: Check removed is changed
  ansible.builtin.assert:
    that:
      - removed is changed

- name: Remove secret
  register: removed
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    state: absent

- name: Check removed is not changed
  ansible.builtin.assert:
    that:
      - removed is not changed

# Labels and driver options are accepted on creation; no assertion here, the
# change detection for both is exercised in the version-gated tasks that follow.
- name: Create secret with file driver labels
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    data: 'secret content'
    driver: file
    labels:
      lab1: somestringhere
      label2: 'some value is there'
      'long label': onestring
      'boring label': 'multi string value'

- name: Remove secret
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    state: absent

# Intentionally left in place (opts a=b, c=d) as the starting point for the
# driver_opts change-detection tasks that follow.
- name: Create secret with file driver and custom options
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret
    data: 'secret content'
    driver: file
    driver_opts:
      a: b
      c: d
# Gated to podman >= 4.7.0: an existing secret's driver options, content and
# labels are compared, so a repeated task must be a no-op and a differing one
# must report a change.
- when: podman_version_gt470
  block:
    - name: Create secret with file driver and different options
      register: opts_changed
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'secret content'
        driver: file
        driver_opts: {a: b, c: e}

    - name: Create secret with file driver and different options again
      register: opts_changed2
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'secret content'
        driver: file
        driver_opts: {a: b, c: e}

    # NOTE(review): the next four tasks set no explicit driver and rely on the
    # module default matching the "file" driver used above — verify.
    - name: Create secret with different content
      register: secret_changed
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'other secret content'
        driver_opts: {a: b, c: e}

    - name: Create secret with different content again
      register: secret_changed2
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'other secret content'
        driver_opts: {a: b, c: e}

    - name: Create secret with different content but skipped
      register: skip_secret_changed
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'other secret content and skipped'
        skip_existing: true
        debug: true
        driver_opts: {a: b, c: e}

    - name: Create secret with different content but forced
      register: force_secret_changed
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'other secret content and skipped'
        force: true
        debug: true
        driver_opts: {a: b, c: e}

    - name: Check opts changes
      ansible.builtin.assert:
        that:
          - opts_changed is changed
          - opts_changed2 is not changed
          - secret_changed is changed
          - secret_changed2 is not changed
          - skip_secret_changed is not changed
          - force_secret_changed is changed

    - name: Create secret with file driver and labels
      register: secretlabels
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'secret content'
        driver: file
        labels:
          lab1: somestringhere
          label2: 'some value is there'
          'long label': onestring
          'boring label': 'multi string value'

    - name: Create secret with file driver and labels again
      register: secretlabels2
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'secret content'
        driver: file
        labels:
          lab1: somestringhere
          label2: 'some value is there'
          'long label': onestring
          'boring label': 'multi string value'

    # Only label2 differs from the previous task.
    - name: Create secret with file driver and different labels
      register: secretlabels3
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret
        data: 'secret content'
        driver: file
        labels:
          lab1: somestringhere
          label2: 'some value is not there'
          'long label': onestring
          'boring label': 'multi string value'

    - name: Check labels changes
      ansible.builtin.assert:
        that:
          - secretlabels is changed
          - secretlabels2 is not changed
          - secretlabels3 is changed
# Shell driver coverage: podman invokes these commands for list/lookup/store/
# delete and exposes the secret id to them as SECRET_ID. The store command
# keeps the secret as plain text under $HOME, acceptable only because this is a
# disposable test host; the delete command removes that file again.
- name: Set dummy shell secret driver opts
  ansible.builtin.set_fact:
    shell_driver_opts:
      list: 'cat ~/shellsecret_*'
      lookup: 'cat ~/shellsecret_${SECRET_ID}'
      store: 'cat > ~/shellsecret_${SECRET_ID}'
      delete: 'rm ~/shellsecret_${SECRET_ID}'

- name: Create secret with shell driver
  register: shellsecret_changed
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: shellsecret
    data: 'secret content'
    driver: shell
    driver_opts: "{{ shell_driver_opts }}"

# Same content: must be idempotent for the shell driver as well.
- name: Create secret with shell driver and same content
  register: shellsecret_changed2
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: shellsecret
    data: 'secret content'
    driver: shell
    driver_opts: "{{ shell_driver_opts }}"

- name: Create secret with shell driver and different content
  register: shellsecret_changed3
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: shellsecret
    data: 'some other secret content'
    driver: shell
    driver_opts: "{{ shell_driver_opts }}"

# showsecret puts the clear-text value into the registered result.
- name: Show shell secret
  register: shellsecret_info
  containers.podman.podman_secret_info:
    executable: "{{ test_executable | default('podman') }}"
    name: shellsecret
    showsecret: true

- name: Remove shell secret
  register: shellsecret_removed
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: shellsecret
    state: absent

- name: Remove shell secret again
  register: shellsecret_removed2
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: shellsecret
    state: absent

- name: Check shell secret outputs
  ansible.builtin.assert:
    that:
      - shellsecret_changed is changed
      - shellsecret_changed2 is not changed
      - shellsecret_changed3 is changed
      - shellsecret_info is success
      - shellsecret_info.secrets.0.SecretData == "some other secret content"
      - shellsecret_removed is changed
      - shellsecret_removed2 is not changed
# skip_existing with state=present: create only when absent; a second run must
# be a no-op while the secret still exists.
- name: Remove secret
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: "{{ item }}"
    state: absent
  loop: [mysecret, mysecret2]

- name: Create secret if not exists and skip existing
  register: secretskip1
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret2
    data: 'secret content'
    state: present
    skip_existing: true

- name: Create secret if not exists and skip existing - again
  register: secretskip2
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret2
    data: 'secret content'
    state: present
    skip_existing: true

- name: Check secret
  register: secret_info
  containers.podman.podman_secret_info:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret2

- name: Check outputs
  ansible.builtin.assert:
    that:
      - secretskip1 is changed
      - secretskip2 is not changed
      - secret_info is success
      - secret_info.secrets | length > 0

- name: Remove secret
  containers.podman.podman_secret:
    executable: "{{ test_executable | default('podman') }}"
    name: mysecret2
    state: absent
# Gated to podman >= 4.7.0: secrets sourced from a file (path) or from an
# environment variable (env), plus the expected failures when the source is
# missing.
# NOTE(review): mysecret2, mysecret3 and the ~/mysecret-* files created here
# are not removed within this block — confirm the always: section cleans them
# up, otherwise plain-text test data stays behind on the host.
- when: podman_version_gt470
  block:
    - name: Create a file with secret data
      ansible.builtin.copy:
        dest: ~/mysecret-1
        content: 'secret content 1'

    - name: Create secret from file
      register: secret1
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret2
        path: ~/mysecret-1
        state: present

    - name: Create secret again
      register: secret2
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret2
        path: ~/mysecret-1
        state: present

    - name: Check outputs
      ansible.builtin.assert:
        that:
          - secret1 is changed
          - secret2 is not changed

    - name: Create another secret in other file
      ansible.builtin.copy:
        dest: ~/mysecret-2
        content: 'secret content 2'

    - name: Create secret from other file
      register: secret3
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret3
        path: ~/mysecret-2
        state: present
        debug: true

    - name: Check outputs
      ansible.builtin.assert:
        that:
          - secret3 is changed

    # ~/mysecret-3 is never created above, so this task must fail.
    - name: Create a secret from non existing file
      register: secret4
      ignore_errors: true
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret4
        path: ~/mysecret-3
        state: present
        debug: true

    - name: Check outputs
      ansible.builtin.assert:
        that:
          - secret4 is failed

    - name: Create a secret from non-existing environment variable
      register: secret5
      ignore_errors: true
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret5
        env: NON_EXISTING_ENV
        state: present

    # Pins the module's error text; update it together with any message change.
    - name: Check outputs
      ansible.builtin.assert:
        that:
          - secret5 is failed
          - "'Environment variable NON_EXISTING_ENV is not set' in secret5.msg"

    # The task-level environment: makes EXISTING_ENV visible to the module only
    # for this task.
    - name: Create a secret from existing environment variable
      register: secret6
      environment:
        EXISTING_ENV: 'secret env content'
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret5
        env: EXISTING_ENV
        state: present

    # showsecret puts the clear-text value into the registered result.
    - name: Show secret6
      register: secret6_info
      containers.podman.podman_secret_info:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret5
        showsecret: true

    - name: Check outputs
      ansible.builtin.assert:
        that:
          - secret6 is changed
          - secret6_info is success
          - secret6_info.secrets.0.SecretData == "secret env content"

    - name: Remove secret
      containers.podman.podman_secret:
        executable: "{{ test_executable | default('podman') }}"
        name: mysecret5
        state: absent
always:
- name: Remove container that uses secret
containers.podman.podman_container:
executable: "{{ test_executable | default('podman') }}"
name: showmysecret
state: absent