Plugable secrets backend #366
Conversation
Codecov Report
@@ Coverage Diff @@
## master #366 +/- ##
==========================================
+ Coverage 49.01% 49.06% +0.04%
==========================================
Files 199 199
Lines 16392 16422 +30
==========================================
+ Hits 8035 8057 +22
- Misses 7939 7946 +7
- Partials 418 419 +1 |
|
@dnephin @thaJeztah I closed and re-opend #348 since the tests did not get triggered on push. |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
343de92
to
64bfcb7
Compare
|
@dnephin thanks! I think that the commit approval is what's causing the builds to stop. |
|
Hmm, I don't know about that. We approve plenty of PRs that are still able to build afterward. I think it's something about the files/changes. On my PR which had this issue (#107) I also retried recreating it, and after the first build it also stopped building again, and the new PR doesn't have any approvals. |
|
Makes sense @dnephin. Let me know what further steps are required to complete this PR. |
|
Once someone else gives their approval we can run the tests manually and merge. Let's not worry about the github bug for now |
|
Great @dnephin thanks! |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
64bfcb7
to
27fcb6d
Compare
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
27fcb6d
to
d8176e9
Compare
|
@thaJeztah PTAL, I separated |
liron-l
force-pushed
the
plugable_secrets_backend
branch
2 times, most recently
from
8c158ce
to
4064118
Compare
|
@thaJeztah @cpuguy83 please take a look, I've updated the docker vendor dependencies again. Thanks! |
|
@thaJeztah PTAL |
|
@vdemeester, @cpuguy83, @diogomonica, @thaJeztah, should I add additional changes to this commit? |
cli/command/secret/create.go
Outdated
| return runSecretCreate(dockerCli, options) | ||
| }, | ||
| } | ||
| flags := cmd.Flags() | ||
| flags.VarP(&options.labels, "label", "l", "Secret labels") | ||
| flags.StringVar(&options.driver, "driver", "", "Secret driver") |
There was a problem hiding this comment.
This flag needs to have a version annotation, so that it is hidden / produces an error on older API versions
There was a problem hiding this comment.
Also, to be consistent with docker network create, docker volume create, in this case I would be +1 to add a -d shorthand as well
There was a problem hiding this comment.
Thanks @thaJeztah I set the version annotation to 1.31, hope this makes sense.
| in = file | ||
| defer file.Close() | ||
| if options.driver != "" && options.file != "" { | ||
| return errors.Errorf("When using secret driver secret data must be empty") |
There was a problem hiding this comment.
Could this be handled by the (external) driver? IIUC, with this change the secret's value is taken from the external store, so
$ docker secret create --driver external mysecretDoesn't really "create" a secret, but "associates" the external secret with a secret in Docker.
Do we need to keep the option open to have external secret stores create new secrets from the Docker CLI? i.e.
$ echo "new secret" | docker secret create --driver external mysecret -If so, this validation should be done by the driver (just like currently checking for empty values is done in the backend)
$ docker secret create foo
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytesThere was a problem hiding this comment.
@thaJeztah according to the secrets plugin subsystem design, the secrets plugin will be readonly (that is, swarm will not populate the secret values).
I think it might be better to prevent incorrect usage as soon as possible (since file is a cli only option).
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
4064118
to
66ac875
Compare
|
Thanks @thaJeztah, I've updated the review according to your comments.
|
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
66ac875
to
7133af1
Compare
liron-l
force-pushed
the
plugable_secrets_backend
branch
4 times, most recently
from
3bf9d64
to
74c55de
Compare
|
@thaJeztah @diogomonica I've updated the code, please take a look if the new secrets driver API makes sense. |
|
@diogomonica @thaJeztah PTAL. |
liron-l
force-pushed
the
plugable_secrets_backend
branch
3 times, most recently
from
1920e7e
to
93292ff
Compare
|
@thaJeztah PTAL, let me know if additional changes are required. |
liron-l
force-pushed
the
plugable_secrets_backend
branch
2 times, most recently
from
bc8f58d
to
736f0a4
Compare
|
@diogomonica @thaJeztah PTAL, all other dependencies related to this feature are completed. Thanks. |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
736f0a4
to
ef47835
Compare
This commit extends SwarmKit secret management with pluggable secret backends support. Following previous commits: 1. moby/swarmkit@eebac27 2. moby/moby@08f7cf0 Added driver parameter to `docker secret` command. Specifically: 1. `docker secret create [secret_name] --driver [driver_name]` 2. Displaying the driver in ``` $ docker secret ls $ docker secret inspect [secret_name] $ docker secret inspect [secret_name] -pretty ``` Signed-off-by: Liron Levin <liron@twistlock.com>
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
ef47835
to
0ee9e05
Compare
|
This LGTM, but I don't have merging rights. |
|
@vdemeester @dnephin @thaJeztah can somebody please merge? |
This commit extends SwarmKit secret management with pluggable secret
backends support.
Following previous commits:
Added driver parameter to
docker secretcommand.Specifically:
docker secret create [secret_name] --driver [driver_name]Signed-off-by: Liron Levin liron@twistlock.com