diff --git a/REFERENCE.md b/REFERENCE.md
index 337940d..593c562 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -683,7 +683,7 @@ Struct[Optional['AddCapability'] => Variant[Array[String[1],1], String[1]],
 Optional['DNSSearch'] => Variant[Array[Stdlib::Fqdn,0], Stdlib::Fqdn],
 Optional['DropCapability'] => Variant[Array[String[1],0], String[1]],
 Optional['Entrypoint'] => String,
- Optional['Environment'] => Variant[Array[String[1],0], String[1]],
+ Optional['Environment'] => Variant[Array[Variant[String[1], Sensitive[String[1]]],0], String[1], Sensitive[String[1]]],
 Optional['EnvironmentFile'] => Variant[Array[String[1],0], String[1]],
 Optional['EnvironmentHost'] => Variant[Array[String[1],0], String[1]],
 Optional['Exec'] => String[1],
diff --git a/spec/acceptance/container_with_sensitive_env_spec.rb b/spec/acceptance/container_with_sensitive_env_spec.rb
new file mode 100644
index 0000000..23d693b
--- /dev/null
+++ b/spec/acceptance/container_with_sensitive_env_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'quadlets::quadlet' do
+ context 'with a simple CentOS container running with Sensitive Environment' do
+ it_behaves_like 'an idempotent resource' do
+ let(:manifest) do
+ <<-PUPPET
+
+ # We might want to fall back on fuse-overlayfs
+ # rather than rely on overlay working.
+ #
+ package{'fuse-overlayfs':
+ ensure => present,
+ before => Quadlets::Quadlet['centos.container'],
+ }
+ quadlets::quadlet{'centos.container':
+ ensure => present,
+ unit_entry => {
+ 'Description' => 'Trivial Container that will be very lazy',
+ },
+ service_entry => {
+ 'TimeoutStartSec' => '900',
+ },
+ container_entry => {
+ 'Image' => 'quay.io/centos/centos:latest',
+ 'Exec' => 'sh -c "sleep inf"',
+ 'Environment' => [Sensitive("MYENV=password")],
+ },
+ install_entry => {
+ 'WantedBy' => 'default.target',
+ },
+ active => true,
+ }
+ PUPPET
+ end
+ end
+
+ describe service('centos.service') do
+ it { is_expected.to be_running }
+ it { is_expected.to be_enabled }
+ end
+
+ describe file('/etc/containers/systemd/centos.container') do
+ it { is_expected.to be_file }
+ it { is_expected.to be_owned_by 'root' }
+ it { is_expected.to be_grouped_into 'root' }
+ its(:content) { is_expected.to match %r{^Environment=MYENV=password$} }
+ end
+ end
+end
diff --git a/spec/type_aliases/unit_container_spec.rb b/spec/type_aliases/unit_container_spec.rb
index 3249aa3..74b42ee 100644
--- a/spec/type_aliases/unit_container_spec.rb
+++ b/spec/type_aliases/unit_container_spec.rb
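Review bot: The file assertions at the end of the new spec pin owner and group but not the mode, while the content matcher on the same block confirms the Sensitive value is written in clear text to `/etc/containers/systemd/centos.container`. If the module tightens permissions when a Sensitive entry is present (not visible in this diff), add `it { is_expected.to be_mode 600 }` next to the owner checks so that protection is actually exercised; if it does not, the unwrapped secret is protected only by whatever default mode the file gets, which is worth raising alongside this change. A one-line comment above the content matcher, such as `# Sensitive entries are unwrapped into the unit file; this confirms the plain-text rendering`, would also make it explicit that matching the literal password is intended rather than an oversight.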
@@ -20,7 +20,8 @@
 it { is_expected.to allow_value({ 'Entrypoint' => 'python3' }) }
 it { is_expected.to allow_value({ 'Entrypoint' => '["/usr/bin/sleep", "inf"]' }) }
 it { is_expected.to allow_value({ 'Environment' => 'FOO=bar' }) }
- it { is_expected.to allow_value({ 'Environment' => ['FOO=bar', 'BAZ=qux'] }) }
+ it { is_expected.to allow_value({ 'Environment' => RSpec::Puppet::Sensitive.new('SECRET=pass') }) }
+ it { is_expected.to allow_value({ 'Environment' => ['FOO=bar', 'BAZ=qux', RSpec::Puppet::Sensitive.new('SECRET=pass')] }) }
 it { is_expected.to allow_value({ 'EnvironmentFile' => '/etc/myenv.conf' }) }
 it { is_expected.to allow_value({ 'EnvironmentFile' => ['/etc/myenv.conf', '/opt/app/env.list'] }) }
 it { is_expected.to allow_value({ 'EnvironmentHost' => 'HOME' }) }
diff --git a/types/unit/container.pp b/types/unit/container.pp
index 110bfdf..d34f75f 100644
--- a/types/unit/container.pp
+++ b/types/unit/container.pp
@@ -14,7 +14,7 @@
 Optional['DNSSearch'] => Variant[Array[Stdlib::Fqdn,0], Stdlib::Fqdn],
 Optional['DropCapability'] => Variant[Array[String[1],0], String[1]],
 Optional['Entrypoint'] => String,
- Optional['Environment'] => Variant[Array[String[1],0], String[1]],
+ Optional['Environment'] => Variant[Array[Variant[String[1], Sensitive[String[1]]],0], String[1], Sensitive[String[1]]],
 Optional['EnvironmentFile'] => Variant[Array[String[1],0], String[1]],
 Optional['EnvironmentHost'] => Variant[Array[String[1],0], String[1]],
 Optional['Exec'] => String[1],
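Review bot: The two added examples only exercise the accepting side of the widened `Environment` entry; nothing asserts that the `Sensitive[String[1]]` constraint still rejects an empty wrapped value, so a later loosening to `Sensitive[String]` would pass these tests unnoticed. Add a negative case beside them, e.g. `it { is_expected.not_to allow_value({ 'Environment' => RSpec::Puppet::Sensitive.new('') }) }`. The enclosing `describe` block starts and ends outside the hunk.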
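Review bot: The widened `Optional['Environment']` line admits `Sensitive[String[1]]` but the alias documents nothing about what happens to the wrapped value; the acceptance spec in this change shows it is unwrapped into the unit file as plain text, and nothing in this diff shows whether the resulting file content is itself wrapped in Sensitive so the value stays out of catalog and report diffs. I would add to the alias's doc comment (the `type` declaration starts outside the hunk) a line such as `# Sensitive values in 'Environment' are unwrapped when the unit file is rendered; they are protected by the file's permissions, not by Puppet's redaction`, and confirm the rendering path marks the file content Sensitive where it can. The same widening appears in the REFERENCE.md hunk above, which is generated documentation.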