From 28891144ee227576dced395ae59875584a1fd1f5 Mon Sep 17 00:00:00 2001
From: Adam Grare
Date: Wed, 3 Apr 2024 14:47:25 -0400
Subject: [PATCH] Create podman secret as manageiq user

---
 app/models/opentofu_worker.rb   | 4 ++--
 systemd/opentofu-runner.service | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/opentofu_worker.rb b/app/models/opentofu_worker.rb
index 069f2be7..7a59418c 100644
--- a/app/models/opentofu_worker.rb
+++ b/app/models/opentofu_worker.rb
@@ -62,11 +62,11 @@ def unit_environment_variables
   end
   def create_podman_secret
-    return if AwesomeSpawn.run("podman", :params => %w[secret exists opentofu-runner-secret]).success?
+    return if AwesomeSpawn.run("runuser", :params => %w[secret exists opentofu-runner-secret]).success?
     database_password = ActiveRecord::Base.connection_db_config.configuration_hash[:password]
     secret = {"DATABASE_PASSWORD" => database_password}
-    AwesomeSpawn.run!("podman", :params => %w[secret create opentofu-runner-secret -], :in_data => secret.to_json)
+    AwesomeSpawn.run!("runuser", :params => [[:login, "manageiq"], [:command, "podman secret create opentofu-runner-secret -"]], :in_data => secret.to_json)
   end
 end
diff --git a/systemd/opentofu-runner.service b/systemd/opentofu-runner.service
index 6da0f1c3..61437ac9 100644
--- a/systemd/opentofu-runner.service
+++ b/systemd/opentofu-runner.service
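Review bot: The existence check on the first changed line swaps the executable to `runuser` but still hands it podman's own arguments, so it runs `runuser secret exists opentofu-runner-secret` — which runuser reads as a login name plus a command — and can never report success; every call therefore falls through to `podman secret create`, which `run!` turns into a raised error once the secret already exists in the manageiq store. Mirror the create call so both commands run in the same user's podman store: `return if AwesomeSpawn.run("runuser", :params => [[:login, "manageiq"], [:command, "podman secret exists opentofu-runner-secret"]]).success?`. Feeding the password through `:in_data` rather than argv keeps it out of process listings and is worth keeping as is; since the `:command` string is a fixed literal, the shell that `runuser -c` invokes sees no caller-controlled text. Switching user with `runuser -l` presumably requires the worker process itself to run as root, so a short comment above the method stating that assumption and why the secret must live in the manageiq user's store (the unit runs as `User=manageiq`) would save the next reader a trip through systemd.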
@@ -6,7 +6,7 @@ WantedBy=opentofu-runner.target
 User=manageiq
 Group=manageiq
 ExecStartPre=/bin/rm -f /tmp/%n.cid
-ExecStart=/usr/bin/podman run --conmon-pidfile %T/%N.pid --cidfile %T/%N.cid --cgroup-manager=cgroupfs --cgroups=no-conmon --log-driver=journald --name=opentofu-runner docker.io/agrare/sleep:latest
+ExecStart=/usr/bin/podman run --conmon-pidfile %T/%N.pid --cidfile %T/%N.cid --cgroup-manager=cgroupfs --cgroups=no-conmon --log-driver=journald --name=opentofu-runner --secret=opentofu-runner-secret docker.io/agrare/sleep:latest
 ExecStop=/usr/bin/podman stop --ignore -t 30 --cidfile %T/%N.cid --cgroup-manager=cgroupfs
 ExecStopPost=/usr/bin/podman rm --ignore --cidfile %T/%N.cid --cgroup-manager=cgroupfs
 ExecStopPost=/usr/bin/rm -f %T/%N.pid %T/%N.cid
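Review bot: The bare `--secret=opentofu-runner-secret` form on the new ExecStart line mounts the secret as a file inside the container (podman's default secret type), not as an environment variable, and the payload written by `create_podman_secret` is the JSON document `{"DATABASE_PASSWORD": ...}` rather than a bare password; whatever runs in the image must therefore open the mounted file and parse JSON. If the runner instead expects `DATABASE_PASSWORD` in its environment, the `--secret=source=opentofu-runner-secret,type=env` form would be needed and the Ruby side would have to store the raw value — I cannot tell from this diff which the image expects, so a comment on the line naming the intended consumer would help: `# secret is mounted as a file; contents are JSON from OpentofuWorker#create_podman_secret`. Nothing in the unit orders the start after the secret exists in the manageiq user's store, so a start before `create_podman_secret` has run presumably fails at `podman run`; that appears to be acceptable here, but it is worth stating in the unit's comments.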