New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move secret name or ID prefix resolving from client to daemon #29218
Conversation
nice -- i had started something to work on 29125 but this is better. LGTM (nam) |
) | ||
|
||
func getSecretByNameOrIDPrefix(ctx context.Context, state *nodeState, nameOrIDPrefix string) (*swarmapi.Secret, error) { | ||
r, err := state.controlClient.ListSecrets(ctx, &swarmapi.ListSecretsRequest{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is an optimization, correct? Now that we run this on the daemon, is this still needed?
I don't fully know how the ListSecrets filters work; is it possible that that filter hides a secret, that would otherwise be successfully matched here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @thaJeztah. The filters in the ListSecrets will operates as OR
so only one call is needed. This is different from some other SwarmKit API such as listing tasks ListTasks
, which does not operate on OR
.
I think it might make sense to optimize some other SwarmKit APIs such as ListTasks
, if ListSecrets
already operates on OR
. Will open a PR in SwarmKit to seek additional discussions.
} | ||
|
||
// attempt to lookup secret by full ID | ||
for _, s := range r.Secrets { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of looping; does the secret-store already have aGetSecret()
that always matches on ID? If it exists; would it be better to use that as the primary way to get the secret?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yes swarm api could get the Secret from ID directly 👍 . Let me update the PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thaJeztah Now full ID match is done through swarm kit's GetSecret
directly. ListSecrets
will do the Full Name and Partial ID match, only be called if GetSecret
returns nothing.
441c8e8
to
a097d6c
Compare
// attempt to lookup secret by full name | ||
for _, s := range r.Secrets { | ||
if s.Spec.Annotations.Name == nameOrIDPrefix { | ||
return s, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we error out if len(r.Secrets) > 0
before this for loop?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reason being if we get more than one, then it's an ambiguous result.
Also cleans up some of the stuff below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @cpuguy83 for the review. In swarmkit, the filter of secrets is slightly different from other filters (like services) in that it is operated as OR
:
https://github.com/docker/docker/blob/v1.13.0-rc4/vendor/github.com/docker/swarmkit/manager/controlapi/secret.go#L121-L132
In the above case, we passes both Names
and IDPrefixes
so the result could be multiple like one for name and one for IDPrefix. This is considered as non-ambiguous as we have a full name match.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/cc @thaJeztah |
Code LGTM @yongtang: This has API impact, so @thaJeztah: Are we comfortable making an API change like this to endpoints that have been added in 1.13? |
Ideally, this would've been part of 1.13, but I don't think that's still realistic, so;
For the documentation; I'm not sure how to define a change for a specific version in the swagger.yml. @dnephin @bfirsh perhaps you can assist with that? Otherwise; good to go 😄 - I'm changing the milestone to 1.14, unless we see reasons/options to include this in 1.13 (@vieux?) |
Actually; if this goes to 1.14, the CLI should still do "client side" lookup when talking to a 1.13 daemon. 😞 |
@thaJeztah Each API version has its own swagger.yml. For this change, there is no issue because there is no swagger.yml representation of 1.24 or lower. At some point we'll have to make a copy of swagger.yml for 1.25 docs when 1.26 becomes the current docs (if that hasn't happened already?). The original intention was to keep these old versions in the docs repository, because in theory they should not be updated again and any changes would just be bug fixes. For simplicity of contribution, however, perhaps it makes sense for them to live in this repo somewhere. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I don't think that's necessary. We can just make that an error or warning, and inform the user that it won't work as expected (only works with exact IDs in that case). |
@dnephin the point is that basic functionality of Client:
Version: 1.14.0-dev
API version: 1.25 (downgraded from 1.26)
Go version: go1.7.3
Git commit: a097d6c
Built: Mon Jan 16 21:30:03 2017
OS/Arch: linux/amd64
Server:
Version: 1.13.0-rc6
API version: 1.25 (minimum version 1.12)
Go version: go1.7.3
Git commit: 2f2d055
Built: Wed Jan 11 21:47:55 2017
OS/Arch: linux/amd64
Experimental: false Create a secret $ echo "foo" | docker secret create foo
veltdcwwvv5qdewcxs85n8tj2
$ docker secret ls
ID NAME CREATED UPDATED
veltdcwwvv5qdewcxs85n8tj2 foo 4 minutes ago 4 minutes ago then try to either $ docker secret inspect foo
[]
Error: no such secret: foo
$ docker secret rm foo
Error response from daemon: rpc error: code = 5 desc = could not find secret foo |
@thaJeztah I understand that. So we can add a warning about it in the 1.14 client. When the 1.14 downgrades it can warn about having to use ids. |
I'd like to get input from @vieux on that; I don't think it's good to have support for talking to older daemons, but at the same time break that functionality. I think we'll only be supporting going one or two versions back, in which case, keeping the fallback mechanism should still be an option. (but that's just my 0.02c) |
@yongtang needs rebase, sorry :) |
This fix is a follow up for comment: moby#28896 (comment) Currently secret name or ID prefix resolving is done at the client side, which means different behavior of API and CMD. This fix moves the resolving from client to daemon, with exactly the same rule: - Full ID - Full Name - Partial ID (prefix) All existing tests should pass. This fix is related to #288896, moby#28884 and may be related to moby#29125. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
a097d6c
to
fa358a8
Compare
Thanks @LK4D4 the PR has been rebased. |
This already has 2 LGTMs |
- What I did
This fix is a follow up for comment:
#28896 (comment)
Currently secret name or ID prefix resolving is done at the client side, which means different behavior of API and CMD.
/cc @thaJeztah @ehazlett @allencloud
- How I did it
This fix is a follow up for comment:
#28896 (comment)
Currently secret name or ID prefix resolving is done at the client side, which means different behavior of API and CMD.
- How to verify it
All existing tests should pass.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
This fix is related to #28896, #28884 and may be related to #29125.
Signed-off-by: Yong Tang yong.tang.github@outlook.com