Merge pull request #28140 from ozgur-as/fix-clone-secret-env

Fix container clone with secret type=env
2026-03-27 11:03:09 -04:00 · 2026-03-04 13:04:11 +01:00
parent 988628c6d4 03d9de1528
commit 8aad8d72e0
3 changed files with 35 additions and 1 deletions
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -379,9 +379,11 @@ func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, containerID

 	tmpSystemd := conf.Systemd
 	tmpMounts := conf.Mounts
+	tmpEnvSecrets := conf.EnvSecrets

 	conf.Systemd = nil
 	conf.Mounts = []string{}
+	conf.EnvSecrets = nil

 	if specg == nil {
 		specg = &specgen.SpecGenerator{}
@@ -401,6 +403,7 @@ func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, containerID

 	conf.Systemd = tmpSystemd
 	conf.Mounts = tmpMounts
+	conf.EnvSecrets = tmpEnvSecrets

 	if conf.Spec != nil {
 		if conf.Spec.Linux != nil && conf.Spec.Linux.Resources != nil {
@@ -514,6 +517,14 @@ func ConfigToSpec(rt *libpod.Runtime, specg *specgen.SpecGenerator, containerID
 	specg.StartupHealthConfig = conf.StartupHealthCheckConfig
 	specg.HealthCheckOnFailureAction = conf.HealthCheckOnFailureAction

+	if len(tmpEnvSecrets) > 0 {
+		envSecrets := make(map[string]string, len(tmpEnvSecrets))
+		for target, secret := range tmpEnvSecrets {
+			envSecrets[target] = secret.Name
+		}
+		specg.EnvSecrets = envSecrets
+	}
+
 	specg.IDMappings = &conf.IDMappings
 	specg.ContainerCreateCommand = conf.CreateCommand
 	if len(specg.Rootfs) == 0 {
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
@@ -900,7 +900,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		s.RestartRetries = &retries
 	}

-	if len(s.Secrets) == 0 || len(c.Secrets) != 0 {
+	if (len(s.Secrets) == 0 && len(s.EnvSecrets) == 0) || len(c.Secrets) != 0 {
 		s.Secrets, s.EnvSecrets, err = parseSecrets(c.Secrets)
 		if err != nil {
 			return err
--- a/test/e2e/container_clone_test.go
+++ b/test/e2e/container_clone_test.go
@@ -3,6 +3,9 @@
 package integration

 import (
+	"os"
+	"path/filepath"
+
 	. "github.com/containers/podman/v6/test/utils"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -299,6 +302,26 @@ var _ = Describe("Podman container clone", func() {
 		Expect(session.OutputToString()).Should(ContainSubstring("12=3"))
 	})

+	It("podman container clone with secret env", func() {
+		secretsString := "somesecretdata"
+		secretFilePath := filepath.Join(podmanTest.TempDir, "secret")
+		err := os.WriteFile(secretFilePath, []byte(secretsString), 0o755)
+		Expect(err).ToNot(HaveOccurred())
+
+		podmanTest.PodmanExitCleanly("secret", "create", "mysecret", secretFilePath)
+
+		session := podmanTest.PodmanExitCleanly("run", "--secret", "source=mysecret,type=env", "--name", "secr", ALPINE, "printenv", "mysecret")
+		Expect(session.OutputToString()).To(Equal(secretsString))
+
+		podmanTest.PodmanExitCleanly("container", "clone", "secr")
+
+		session = podmanTest.PodmanExitCleanly("start", "-a", "secr-clone")
+		Expect(session.OutputToString()).To(Equal(secretsString))
+
+		cloneData := podmanTest.PodmanExitCleanly("inspect", "secr-clone").InspectContainerToJSON()[0]
+		Expect(cloneData.Config.Env).To(ContainElement("mysecret=*******"))
+	})
+
 	It("podman container clone container with healthcheck", func() {
 		podmanTest.PodmanExitCleanly(
 			"run", "-d", "--rm",