fetch_ml/internal
Jeremie Fraeys 5644338ebd
security: implement Podman secrets for container credential management
Add comprehensive Podman secrets support to prevent credential exposure:

New types and methods (internal/container/podman.go):
- PodmanSecret struct for secret definitions
- CreateSecret() - Create Podman secrets from sensitive data
- DeleteSecret() - Clean up secrets after use
- BuildSecretArgs() - Generate podman run arguments for secrets
- SanitizeContainerEnv() - Extract sensitive env vars as secrets
- ContainerConfig.Secrets field for secret list

Enhanced container lifecycle:
- StartContainer() now creates secrets before starting container
- Secrets automatically mounted via --secret flag
- Cleanup on failure to prevent secret leakage
- Secrets logged as count only (not content)

Jupyter service integration (internal/jupyter/service_manager.go):
- prepareContainerConfig() uses SanitizeContainerEnv()
- JUPYTER_TOKEN and JUPYTER_PASSWORD now use secrets
- Maintains backward compatibility with env var mounting

Security benefits:
- Credentials no longer visible in 'podman inspect' output
- Secrets not exposed via /proc/*/environ inside container
- Automatic cleanup prevents secret accumulation
- Compatible with existing Jupyter authentication
2026-02-18 16:35:58 -05:00
| Directory | Latest commit | Date |
|---|---|---|
| api | security: implement comprehensive secrets protection | 2026-02-18 16:18:09 -05:00 |
| audit | feat(tracking): add pluggable tracking backends and audit support | 2026-01-05 12:33:57 -05:00 |
| auth | security: implement comprehensive secrets protection | 2026-02-18 16:18:09 -05:00 |
| config | refactor: replace panic with error returns and update maintenance | 2026-02-18 14:44:21 -05:00 |
| container | security: implement Podman secrets for container credential management | 2026-02-18 16:35:58 -05:00 |
| controller | Fix multi-user authentication and clean up debug code | 2025-12-06 12:35:32 -05:00 |
| domain | feat: implement research-grade maintainability phases 1,3,4,7 | 2026-02-18 15:27:50 -05:00 |
| envpool | feat(worker): add integrity checks, snapshot staging, and prewarm support | 2026-01-05 12:31:13 -05:00 |
| errtypes | feat: implement research-grade maintainability phases 1,3,4,7 | 2026-02-18 15:27:50 -05:00 |
| experiment | refactor: Export SelectDependencyManifest for API helpers | 2026-02-17 16:45:59 -05:00 |
| fileutil | Fix multi-user authentication and clean up debug code | 2025-12-06 12:35:32 -05:00 |
| jupyter | security: implement Podman secrets for container credential management | 2026-02-18 16:35:58 -05:00 |
| logging | security: implement comprehensive secrets protection | 2026-02-18 16:18:09 -05:00 |
| manifest | feat: implement research-grade maintainability phases 2, 5, 8, 10 | 2026-02-18 15:34:28 -05:00 |
| metrics | refactor: Phase 6 - Complete migration, remove legacy files | 2026-02-17 14:39:48 -05:00 |
| middleware | feat(api): refactor websocket handlers; add health and prometheus middleware | 2026-01-05 12:31:07 -05:00 |
| network | refactor(dependency-hygiene): Move path functions from config to storage | 2026-02-17 21:15:23 -05:00 |
| prommetrics | feat(api): refactor websocket handlers; add health and prometheus middleware | 2026-01-05 12:31:07 -05:00 |
| queue | refactor: move queue spec tests to tests/unit/ and fix test failures | 2026-02-18 15:45:30 -05:00 |
| resources | feat(worker): add integrity checks, snapshot staging, and prewarm support | 2026-01-05 12:31:13 -05:00 |
| storage | security: implement comprehensive secrets protection | 2026-02-18 16:18:09 -05:00 |
| telemetry | Fix multi-user authentication and clean up debug code | 2025-12-06 12:35:32 -05:00 |
| tracking | feat(tracking): add pluggable tracking backends and audit support | 2026-01-05 12:33:57 -05:00 |
| worker | feat: implement research-grade maintainability phases 2, 5, 8, 10 | 2026-02-18 15:34:28 -05:00 |