fetch_ml/internal/jupyter
Jeremie Fraeys 5644338ebd
security: implement Podman secrets for container credential management
Add comprehensive Podman secrets support to prevent credential exposure:

New types and methods (internal/container/podman.go):
- PodmanSecret struct for secret definitions
- CreateSecret() - Create Podman secrets from sensitive data
- DeleteSecret() - Clean up secrets after use
- BuildSecretArgs() - Generate podman run arguments for secrets
- SanitizeContainerEnv() - Extract sensitive env vars as secrets
- ContainerConfig.Secrets field for secret list

Enhanced container lifecycle:
- StartContainer() now creates secrets before starting container
- Secrets automatically mounted via --secret flag
- Cleanup on failure to prevent secret leakage
- Secrets logged as count only (not content)

Jupyter service integration (internal/jupyter/service_manager.go):
- prepareContainerConfig() uses SanitizeContainerEnv()
- JUPYTER_TOKEN and JUPYTER_PASSWORD now use secrets
- Maintains backward compatibility with env var mounting

Security benefits:
- Credentials no longer visible in 'podman inspect' output
- Secrets not exposed via /proc/*/environ inside container
- Automatic cleanup prevents secret accumulation
- Compatible with existing Jupyter authentication
2026-02-18 16:35:58 -05:00
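The pattern the commit describes (split sensitive environment variables out, create Podman secrets for them, pass them with `--secret`, log only a count, remove them afterwards) is sketched below as an added example. It is not the project's podman.go or service_manager.go code: the `PodmanSecret` shape, the `prefix-lowercase_key` naming scheme, the suffix list used to decide what counts as sensitive, and the `BuildRunArgs` helper are all assumptions made for this example, and the sample environment is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PodmanSecret describes one secret to hand to Podman. Hypothetical type
// written for this example; it is not the project's PodmanSecret.
type PodmanSecret struct {
	Name   string // podman secret name, safe to log
	Value  string // secret content: never logged, never placed in argv
	Target string // env var name (type=env) or file name under /run/secrets (type=mount)
	Mount  bool   // true: expose as a file; false: expose as an environment variable
}

// sensitiveSuffixes marks env var names whose values must become secrets.
// JUPYTER_TOKEN and JUPYTER_PASSWORD match via _TOKEN/_PASSWORD; the other
// suffixes are an assumption for this example.
var sensitiveSuffixes = []string{"_TOKEN", "_PASSWORD", "_SECRET", "_KEY"}

func isSensitive(key string) bool {
	k := strings.ToUpper(key)
	for _, s := range sensitiveSuffixes {
		if strings.HasSuffix(k, s) {
			return true
		}
	}
	return false
}

// SanitizeEnv splits env into KEY=VALUE pairs that may be passed with -e and
// secrets that must not. Keys are sorted so the generated argv is deterministic.
// With asEnv=true the secrets are exposed as env vars (type=env), so Jupyter
// keeps reading JUPYTER_TOKEN unchanged; with asEnv=false they become files.
func SanitizeEnv(prefix string, env map[string]string, asEnv bool) ([]string, []PodmanSecret) {
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var safe []string
	var secrets []PodmanSecret
	for _, k := range keys {
		if !isSensitive(k) {
			safe = append(safe, k+"="+env[k])
			continue
		}
		secrets = append(secrets, PodmanSecret{
			Name:   prefix + "-" + strings.ToLower(k),
			Value:  env[k],
			Target: k,
			Mount:  !asEnv,
		})
	}
	return safe, secrets
}

// CreateSecretCmd returns the argv for `podman secret create NAME -` and the
// bytes to write to its stdin. The "-" makes Podman read the value from stdin,
// so it never appears in argv, shell history or `ps` output.
func CreateSecretCmd(s PodmanSecret) (argv []string, stdin string) {
	return []string{"podman", "secret", "create", s.Name, "-"}, s.Value
}

// DeleteSecretCmd returns the argv that removes a secret once the container is gone
// (run it on start-up failure too, so secrets do not accumulate).
func DeleteSecretCmd(s PodmanSecret) []string {
	return []string{"podman", "secret", "rm", s.Name}
}

// BuildSecretArgs renders one --secret flag per secret.
func BuildSecretArgs(secrets []PodmanSecret) []string {
	var args []string
	for _, s := range secrets {
		typ := "env"
		if s.Mount {
			typ = "mount"
		}
		args = append(args, "--secret",
			fmt.Sprintf("source=%s,type=%s,target=%s", s.Name, typ, s.Target))
	}
	return args
}

// BuildRunArgs assembles `podman run` argv: secrets via --secret, the rest via -e.
func BuildRunArgs(name, image string, safe []string, secrets []PodmanSecret) []string {
	args := []string{"podman", "run", "-d", "--name", name}
	args = append(args, BuildSecretArgs(secrets)...)
	for _, kv := range safe {
		args = append(args, "-e", kv)
	}
	return append(args, image)
}

// SecretSummary is the only thing that should reach a log: count and names, no values.
func SecretSummary(secrets []PodmanSecret) string {
	names := make([]string, len(secrets))
	for i, s := range secrets {
		names[i] = s.Name
	}
	return fmt.Sprintf("%d secret(s) created: %s", len(secrets), strings.Join(names, ", "))
}

func main() {
	// Constructed sample environment for the example, not taken from the project.
	env := map[string]string{
		"JUPYTER_TOKEN":    "t0k3n-example",
		"JUPYTER_PASSWORD": "hunter2",
		"JUPYTER_PORT":     "8888",
	}
	safe, secrets := SanitizeEnv("ws1", env, true)
	for _, s := range secrets {
		argv, _ := CreateSecretCmd(s) // exec argv and write the value to stdin before podman run
		fmt.Println(strings.Join(argv, " "))
	}
	fmt.Println(strings.Join(BuildRunArgs("jupyter-ws1", "jupyter/base-notebook", safe, secrets), " "))
	fmt.Println(SecretSummary(secrets))
	for _, s := range secrets {
		fmt.Println(strings.Join(DeleteSecretCmd(s), " ")) // cleanup on stop or failure
	}
}
```

Two caveats worth keeping in mind when using this pattern. `type=env` keeps the value out of `podman inspect` and out of the `run` argv, but inside the container it is still an ordinary environment variable, so anything that can read that process's environment can read it; `type=mount` instead places the value in a file under `/run/secrets/<target>`, which is the stricter option when the consuming service can read a file. And `podman secret create` stores the value in the host's secret store, so removing the secret after the container is gone is part of the security property, not just housekeeping.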
config.go feat(core): API, worker, queue, and manifest improvements 2026-02-12 12:05:17 -05:00
health_monitor.go feat(jupyter): improve runtime management and update security/workflow docs 2026-01-05 12:37:27 -05:00
network_manager.go security: prevent Jupyter token exposure in logs 2026-02-18 16:11:50 -05:00
package_manager.go feat(jupyter): improve runtime management and update security/workflow docs 2026-01-05 12:37:27 -05:00
security_enhanced.go feat(jupyter): improve runtime management and update security/workflow docs 2026-01-05 12:37:27 -05:00
service_manager.go security: implement Podman secrets for container credential management 2026-02-18 16:35:58 -05:00
startup_blacklist_test.go feat(core): API, worker, queue, and manifest improvements 2026-02-12 12:05:17 -05:00
workspace_manager.go Slim and secure: move scripts, clean configs, remove secrets 2025-12-07 13:57:51 -05:00
workspace_metadata.go feat(jupyter): improve runtime management and update security/workflow docs 2026-01-05 12:37:27 -05:00