
Support for secrets #296

Closed
surajssd opened this issue Nov 20, 2016 · 26 comments
Labels
kind/discuss kind/feature Categorizes issue or PR as related to a new feature.

Comments

@surajssd
Member

Right now there is no way I can specify secrets from docker-compose which then maps to Kubernetes. This would be a great thing to have.

For using this feature I had to manually create a secret object and then add it to the container spec in the deployment.

@sebgoa
Contributor

sebgoa commented Nov 21, 2016

Docker does not yet have a concept of secrets, does it? I think they are working on it, but it is not there yet and not in compose AFAIK.

@jamstar

jamstar commented Feb 27, 2017

So one instance that would be supported now would be in the use of environment variables. The docker compose for my project I just converted sets stuff like the username and pass for a database as env variables. I'll convert them over to using secrets.

@surajssd
Member Author

surajssd commented Mar 1, 2017

@jamstar yeah that needs to be done manually!

@cdrage cdrage added this to the 1.1.0 release milestone Jul 25, 2017
@cdrage
Member

cdrage commented Jul 25, 2017

Secrets are able to be defined in Docker Compose Version 3: https://docs.docker.com/compose/compose-file/#secrets-configuration-reference and thus we can map this to Kubernetes much easier than expected.

@cdrage
Member

cdrage commented Aug 18, 2017

Since Docker Compose now has secrets, the best way (from my research) would be to use secrets as well as the file option of import. Unfortunately using external will not work as secrets stored within swarm are encrypted Raft variables (no idea what they mean by that in the documentation).

See: https://stackoverflow.com/questions/42139605/how-do-you-manage-secret-values-with-docker-compose-v3-1 for some context.

@cdrage cdrage modified the milestones: 1.1.0 release, 1.2.0 release Aug 30, 2017
@surajnarwade
Contributor

FYI, secrets are supported in docker-compose version 3.1.

@cdrage cdrage modified the milestone: 1.2.0 release Aug 31, 2017
@Code0x58
Contributor

Code0x58 commented Dec 19, 2017

I just had a look at things and it appears as though the mapping is doable, with the exception of uid and gid when projecting the secret into /run/secrets/ - this may be something to raise as an issue in Kubernetes if it hasn't been already.

The rest of this post is really just a summary of the documentation and links to things that I think are relevant for whoever takes this on, which I found from a quick poke around (I'm not familiar with the codebases).

Creating secrets

compose documentation
The documentation shows the 3 ways secrets can be specified:

secrets:
  my_first_secret:
    file: "./secret_data"
  my_second_secret:
    external: true
  my_third_secret:
    external:
      name: "name_externally"

I'm not sure we can use the values of external secrets (I think that is what @cdrage was saying); even if we could, I think maintaining the separation between environments that comes with externals is beneficial.

In Kubernetes I think this would revolve around Secret objects.

Using secrets

compose documentation
When a secret is shared with a container it is mapped into it, by default to /run/secrets/$name. The following are configurable:

  • source - the name of the secret in Docker
  • target - the name to use within /run/secrets/
  • uid - the UID to use for the secret in the container
  • gid - the GID to use for the secret in the container
  • mode - the file mode to use for the secret in the container

In Kubernetes I think this would revolve around SecretProjections to project the secrets into /run/secrets/. example
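Added example of the mapping sketched in this comment (my own code, not kompose's and not from the thread): file-backed compose secrets become Secret manifests, external ones are left as references to a Secret that must already exist, and a service's secrets list becomes one projected volume at /run/secrets/ with target and mode carried over and uid/gid reported as having no projection equivalent. SAMPLE_COMPOSE, SAMPLE_FILES, k8s_name and the convert_* functions are my own names; the input is the parsed form of the compose file (a dict) so nothing outside the standard library is needed.

```python
import base64
import re

# Constructed sample: parsed form of the `secrets:` block above plus a service using two of them.
SAMPLE_COMPOSE = {
    "services": {"db": {"image": "postgres:11", "secrets": [
        "my_second_secret",  # short form: mounted as /run/secrets/my_second_secret
        {"source": "my_first_secret", "target": "db_password",
         "uid": "103", "gid": "103", "mode": 0o400}]}},  # long form
    "secrets": {"my_first_secret": {"file": "./secret_data"},
                "my_second_secret": {"external": True},
                "my_third_secret": {"external": {"name": "name_externally"}}},
}
SAMPLE_FILES = {"./secret_data": b"s3cr3t\n"}  # constructed in-memory stand-in for the file

def k8s_name(name):
    """Compose allows '_' in secret names; Kubernetes object names (DNS-1123) do not."""
    n = re.sub(r"[^a-z0-9.-]", "-", name.lower()).strip("-.")
    if not n or len(n) > 253: raise ValueError("no valid Kubernetes name for %r" % name)
    return n

def convert_secret_defs(defs, read_file):
    """File-backed secrets become Secret manifests; external ones only yield the name of a
    Secret that must pre-exist, since values kept in Swarm cannot be read at convert time."""
    manifests, names, warnings = [], {}, []
    for cname, spec in defs.items():
        ext = spec.get("external")
        if ext:
            names[cname] = k8s_name(ext.get("name", cname) if isinstance(ext, dict) else cname)
            warnings.append("%s: external; Secret/%s must pre-exist" % (cname, names[cname]))
            continue
        names[cname] = k8s_name(cname)
        manifests.append({"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                          "metadata": {"name": names[cname]},
                          "data": {cname: base64.b64encode(read_file(spec["file"])).decode()}})
    return manifests, names, warnings

def convert_service_secrets(refs, names):
    """Map a service's `secrets:` list to one projected volume at /run/secrets/: target ->
    items[].path, mode -> items[].mode; uid/gid have no per-file equivalent in a projection."""
    sources, warnings = [], []
    for ref in refs:
        ref = {"source": ref} if isinstance(ref, str) else ref
        item = {"key": ref["source"], "path": ref.get("target", ref["source"])}
        if "mode" in ref:  # YAML 1.1 already parses 0400 as 256; a string is octal text
            item["mode"] = int(ref["mode"], 8) if isinstance(ref["mode"], str) else int(ref["mode"])
        warnings += ["%s: %s ignored" % (ref["source"], k) for k in ("uid", "gid") if k in ref]
        sources.append({"secret": {"name": names[ref["source"]], "items": [item]}})
    vol = {"name": "compose-secrets", "projected": {"sources": sources}}
    mount = {"name": "compose-secrets", "mountPath": "/run/secrets", "readOnly": True}
    return vol, mount, warnings
```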

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 19, 2018
@cocowalla

cocowalla commented Mar 24, 2018

I see this has been marked as stale now. It would be really nice to get this into kompose (along with support for docker 'configs'!), as these are perhaps the trickiest bits to understand and get right for a k8s noob.

Not sure what the etiquette is with the bot and /remove-lifecycle stale - is this meant just for repo owners, or anyone who is interested in the feature?

@hangyan
Contributor

hangyan commented Mar 25, 2018

This is a big feature, I can start working on it!

@hangyan
Contributor

hangyan commented Mar 25, 2018

The file secret seems pretty straightforward. The external secret data seems like it can be retrieved from the docker api (docker inspect). But it seems we don't connect to docker when doing kompose convert; this is tricky. I think I can start trying to add the file part first.

@hangyan hangyan assigned hangyan and unassigned hangyan Mar 25, 2018
@galvinograd

+1

@fentas

fentas commented Apr 30, 2018

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 30, 2018
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/enhancement labels Jun 5, 2018
@fejta-bot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 3, 2018
@cdrage
Member

cdrage commented Oct 1, 2018

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 1, 2018
@fejta-bot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 30, 2018
@cocowalla

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 30, 2018
@fejta-bot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 30, 2019
@cocowalla

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 30, 2019
@ffMathy

ffMathy commented May 22, 2019

How is this going? What's the status? Is there an ETA?

@fejta-bot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 20, 2019
@cocowalla

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 20, 2019
@fejta-bot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 18, 2019
@fentas

fentas commented Nov 18, 2019

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 18, 2019
@pgordon9

Really need secret support to make Kompose usage seamless 🚀

@hangyan
Contributor

hangyan commented Dec 1, 2019

@pgordon9 Good news: the PR has been merged; you can try this feature in the master branch.

@hangyan hangyan closed this as completed Dec 1, 2019