@[email protected] to Fedora [email protected]English • 1 year ago

Using Fedora CoreOS, how can I add secrets to podman systemd services?

2

Using Fedora CoreOS, how can I add secrets to podman systemd services?

@[email protected] to Fedora [email protected]English • 1 year ago

Like the title says, does anyone know how to give systemd services a secret?

For example: postgresql.bu

variant: fcos
version: 1.4.0
storage:
  directories:
    - path: /opt/services/postgres/data
      overwrite: true
      mode: 0755
systemd:
  units:
    - name: postgres.service
      enabled: true
      contents: |
        [Unit]
        Description=The PostgreSQL object-relational database system
        Wants=network-online.target
        After=network-online.target

        [Service]
        Type=notify
        NotifyAccess=all
        Restart=on-failure
        RestartSec=60
        ExecStartPre=-/bin/podman kill postgres
        ExecStartPre=-/bin/podman rm postgres
        ExecStartPre=/bin/podman pull docker.io/library/postgres:15
        ExecStart=/bin/podman run --name postgres \
            --volume /opt/services/postgres/data:/var/lib/postgresql/data:z \
            --env POSTGRES_USER=admin \
            --env POSTGRES_PASSWORD=admin \
            --env POSTGRES_DB=admin \
            --replace --sdnotify=conmon \
            --publish 0.0.0.0:5432:5432/tcp \
            --restart=unless-stopped \
            --log-level info \
            docker.io/library/postgres:15

        [Install]
        WantedBy=multi-user.target

If that is my SystemD unit file, can I replace:

env POSTGRES_PASSWORD=admin with a value that is discovered at runtime?

Chat

dogA
link
fedilink
English
1•1 year ago
that’s fair! i think it’s more because deploying vault is not really a quick task, iirc xD but yeah, i 'd love to hear how other coreos users handle their secrets. more than one way to… inject your secrets i guess xD