archy/core/container/Cargo.toml

28 lines
712 B
TOML
Raw Normal View History

2026-01-24 22:01:51 +00:00
[package]
name = "archipelago-container"
version = "0.1.0"
edition = "2021"
[dependencies]
serde = { version = "1.0", features = ["derive"] }
serde_yaml = "0.9"
serde_json = "1.0"
tokio = { version = "1", features = ["full"] }
reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls"] }
hyper = { version = "0.14", features = ["client", "http1"] }
2026-01-24 22:01:51 +00:00
thiserror = "1.0"
anyhow = "1.0"
async-trait = "0.1"
futures = "0.3"
indexmap = { version = "2.0", features = ["serde"] }
chrono = { version = "0.4", features = ["serde"] }
uuid = { version = "1.0", features = ["v4"] }
log = "0.4"
tracing = "0.1"
feat(security): move secret env out of podman inspect and Quadlet unit files Secret env used to merge into manifest.app.environment, landing in 'podman inspect' Config.Env on the API backend and — worse — as plaintext Environment= lines in Quadlet unit files on disk. Now: - expand_and_partition_env (container crate, pure + tested) expands ${KEY} placeholders and splits env into plain entries and secret-bearing pairs. Plain entries that interpolate a secret (btcpay's Password=${BTCPAY_DB_PASS} connection strings) are tainted and travel as secrets too. Secret values themselves are never expanded (a generated value containing '${' passes verbatim). - values register as podman secrets: stdin (never argv/tempfile), --replace, content-hash label to skip no-op rewrites; a per-app hash cache in the orchestrator makes steady-state reconciles free of podman secret calls. Registration goes through the runtime trait (default no-op keeps mocks/docker inert). - containers reference secrets by name: secret_env map in the libpod create spec, Secret=<name>,type=env,target=<KEY> in Quadlet units. Verified empirically on fleet podman 5.4.2: value absent from inspect Config.Env, runtime injection works rootless. - rotation detection: io.archipelago.secret-env-hash container label (API) / the changed unit bytes (Quadlet). Pre-upgrade containers lack the label, so every secret-bearing app recreates ONCE on the first reconcile after deploy — deliberate, it scrubs the plaintext secrets out of existing container configs. Data dirs untouched. - docker dev fallback keeps plain -e injection (no secret store); podman secrets persist across uninstall, matching the preserve-credentials invariant (reinstall re-registers by hash). In-container /proc/<pid>/environ is unchanged — env remains the app-compat contract; the closed leaks are inspect output and unit files on disk. Tests: archipelago-container 61/61 (3 new: taint partition, verbatim secrets, hash order-independence), archipelago container:: 160/160 (fedimint install test now asserts the secret arrives as a ref, not env; quadlet render test asserts Secret=/Label= lines). NEEDS the on-node gate re-run before the item counts as verified. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-05 13:55:15 -04:00
sha2 = "0.10"
hex = "0.4"
2026-01-24 22:01:51 +00:00
[lib]
name = "archipelago_container"
path = "src/lib.rs"