Add comprehensive Podman secrets support to prevent credential exposure:

New types and methods (internal/container/podman.go):
- PodmanSecret struct for secret definitions
- CreateSecret() - Create Podman secrets from sensitive data
- DeleteSecret() - Clean up secrets after use
- BuildSecretArgs() - Generate podman run arguments for secrets
- SanitizeContainerEnv() - Extract sensitive env vars as secrets
- ContainerConfig.Secrets field for secret list

Enhanced container lifecycle:
- StartContainer() now creates secrets before starting container
- Secrets automatically mounted via --secret flag
- Cleanup on failure to prevent secret leakage
- Secrets logged as count only (not content)

Jupyter service integration (internal/jupyter/service_manager.go):
- prepareContainerConfig() uses SanitizeContainerEnv()
- JUPYTER_TOKEN and JUPYTER_PASSWORD now use secrets
- Maintains backward compatibility with env var mounting

Security benefits:
- Credentials no longer visible in 'podman inspect' output
- Secrets not exposed via /proc/*/environ inside container
- Automatic cleanup prevents secret accumulation
- Compatible with existing Jupyter authentication
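As an added illustration of the env-sanitizing and `--secret` argument building the commit describes (example code, not the project's own implementation): the PodmanSecret fields, the set of sensitive keys, and the `<container>-<key>` secret naming scheme are assumptions; `--secret source=...,type=env,target=...` is the real podman run syntax for exposing a secret as an environment variable.

```go
package main

import (
	"fmt"
	"strings"
)

// PodmanSecret is an assumed shape for a secret definition.
type PodmanSecret struct {
	Name   string // podman secret name, e.g. "nb42-jupyter-token"
	Target string // env var the secret is exposed as inside the container
	Value  string // sensitive value; must never reach the run argv
}

// sensitiveKeys lists the env vars treated as credentials (assumed set).
var sensitiveKeys = map[string]bool{"JUPYTER_TOKEN": true, "JUPYTER_PASSWORD": true}

// SanitizeContainerEnv splits "KEY=value" entries into plain env vars that may stay on
// the command line and credentials that become secrets named "<container>-<lowercased-key>".
func SanitizeContainerEnv(container string, env []string) (plain []string, secrets []PodmanSecret) {
	for _, kv := range env {
		key, val, ok := strings.Cut(kv, "=")
		if ok && sensitiveKeys[key] {
			name := container + "-" + strings.ToLower(strings.ReplaceAll(key, "_", "-"))
			secrets = append(secrets, PodmanSecret{Name: name, Target: key, Value: val})
			continue
		}
		plain = append(plain, kv)
	}
	return plain, secrets
}

// BuildSecretArgs renders --secret flags for podman run; type=env has the
// runtime set the variable from the secret store, so the value is not in argv.
func BuildSecretArgs(secrets []PodmanSecret) []string {
	args := make([]string, 0, 2*len(secrets))
	for _, s := range secrets {
		args = append(args, "--secret", fmt.Sprintf("source=%s,type=env,target=%s", s.Name, s.Target))
	}
	return args
}

// main shows the split for a constructed env; secret values are never printed.
func main() {
	env := []string{"JUPYTER_PORT=8888", "JUPYTER_TOKEN=s3cr3t-token"} // constructed sample
	plain, secrets := SanitizeContainerEnv("nb42", env)
	fmt.Println("plain env:", plain)
	fmt.Println("secrets created:", len(secrets)) // count only, as the commit describes
	fmt.Println("run args:", BuildSecretArgs(secrets))
}
```

The value itself still has to reach `podman secret create` by some non-argv path (stdin or a file), which this example leaves to the caller.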