@@ -23,4 +23,9 @@ type Backend interface {

 	RemoveNode(string, bool) error

 	GetTasks(basictypes.TaskListOptions) ([]types.Task, error)

 	GetTask(string) (types.Task, error)

+	GetSecrets(opts basictypes.SecretListOptions) ([]types.Secret, error)

+	CreateSecret(s types.SecretSpec) (string, error)

+	RemoveSecret(id string) error

+	GetSecret(id string) (types.Secret, error)

+	UpdateSecret(id string, version uint64, spec types.SecretSpec) error

 }

@@ -40,5 +40,10 @@ func (sr *swarmRouter) initRoutes() {

 		router.NewPostRoute("/nodes/{id:.*}/update", sr.updateNode),

 		router.NewGetRoute("/tasks", sr.getTasks),

 		router.NewGetRoute("/tasks/{id:.*}", sr.getTask),

+		router.NewGetRoute("/secrets", sr.getSecrets),

+		router.NewPostRoute("/secrets/create", sr.createSecret),

+		router.NewDeleteRoute("/secrets/{id:.*}", sr.removeSecret),

+		router.NewGetRoute("/secrets/{id:.*}", sr.getSecret),

+		router.NewPostRoute("/secrets/{id:.*}/update", sr.updateSecret),

 	}

 }

@@ -261,3 +261,77 @@ func (sr *swarmRouter) getTask(ctx context.Context, w http.ResponseWriter, r *ht

 	return httputils.WriteJSON(w, http.StatusOK, task)

 }

+

+func (sr *swarmRouter) getSecrets(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {

+	if err := httputils.ParseForm(r); err != nil {

+		return err

+	}

+	filter, err := filters.FromParam(r.Form.Get("filters"))

+	if err != nil {

+		return err

+	}

+

+	secrets, err := sr.backend.GetSecrets(basictypes.SecretListOptions{Filter: filter})

+	if err != nil {

+		logrus.Errorf("Error getting secrets: %v", err)

+		return err

+	}

+

+	return httputils.WriteJSON(w, http.StatusOK, secrets)

+}

+

+func (sr *swarmRouter) createSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {

+	var secret types.SecretSpec

+	if err := json.NewDecoder(r.Body).Decode(&secret); err != nil {

+		return err

+	}

+

+	id, err := sr.backend.CreateSecret(secret)

+	if err != nil {

+		logrus.Errorf("Error creating secret %s: %v", id, err)

+		return err

+	}

+

+	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.SecretCreateResponse{

+		ID: id,

+	})

+}

+

+func (sr *swarmRouter) removeSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {

+	if err := sr.backend.RemoveSecret(vars["id"]); err != nil {

+		logrus.Errorf("Error removing secret %s: %v", vars["id"], err)

+		return err

+	}

+

+	return nil

+}

+

+func (sr *swarmRouter) getSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {

+	secret, err := sr.backend.GetSecret(vars["id"])

+	if err != nil {

+		logrus.Errorf("Error getting secret %s: %v", vars["id"], err)

+		return err

+	}

+

+	return httputils.WriteJSON(w, http.StatusOK, secret)

+}

+

+func (sr *swarmRouter) updateSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {

+	var secret types.SecretSpec

+	if err := json.NewDecoder(r.Body).Decode(&secret); err != nil {

+		return err

+	}

+

+	rawVersion := r.URL.Query().Get("version")

+	version, err := strconv.ParseUint(rawVersion, 10, 64)

+	if err != nil {

+		return fmt.Errorf("Invalid secret version '%s': %s", rawVersion, err.Error())

+	}

+

+	id := vars["id"]

+	if err := sr.backend.UpdateSecret(id, version, secret); err != nil {

+		return fmt.Errorf("Error updating secret: %s", err)

+	}

+

+	return nil

+}

new file mode 100644

@@ -0,0 +1,12 @@

+package container

+

+import "os"

+

+type ContainerSecret struct {

+	Name   string

+	Target string

+	Data   []byte

+	Uid    int

+	Gid    int

+	Mode   os.FileMode

+}

@@ -37,4 +37,5 @@ type ContainerSpec struct {

 	StopGracePeriod *time.Duration          `json:",omitempty"`

 	Healthcheck     *container.HealthConfig `json:",omitempty"`

 	DNSConfig       *DNSConfig              `json:",omitempty"`

+	Secrets         []*SecretReference      `json:",omitempty"`

 }

new file mode 100644

@@ -0,0 +1,30 @@

+package swarm

+

+// Secret represents a secret.

+type Secret struct {

+	ID string

+	Meta

+	Spec       *SecretSpec `json:",omitempty"`

+	Digest     string      `json:",omitempty"`

+	SecretSize int64       `json:",omitempty"`

+}

+

+type SecretSpec struct {

+	Annotations

+	Data []byte `json",omitempty"`

+}

+

+type SecretReferenceMode int

+

+const (

+	SecretReferenceSystem SecretReferenceMode = 0

+	SecretReferenceFile   SecretReferenceMode = 1

+	SecretReferenceEnv    SecretReferenceMode = 2

+)

+

+type SecretReference struct {

+	SecretID   string              `json:",omitempty"`

+	Mode       SecretReferenceMode `json:",omitempty"`

+	Target     string              `json:",omitempty"`

+	SecretName string              `json:",omitempty"`

+}

@@ -6,6 +6,7 @@ import (

 	"time"

 	"github.com/docker/docker/api/types/container"

+	"github.com/docker/docker/api/types/filters"

 	"github.com/docker/docker/api/types/mount"

 	"github.com/docker/docker/api/types/network"

 	"github.com/docker/docker/api/types/registry"

@@ -509,3 +510,15 @@ type ImagesPruneReport struct {

 type NetworksPruneReport struct {

 	NetworksDeleted []string

 }

+

+// SecretCreateResponse contains the information returned to a client

+// on the creation of a new secret.

+type SecretCreateResponse struct {

+	// ID is the id of the created secret.

+	ID string

+}

+

+// SecretListOptions holds parameters to list secrets

+type SecretListOptions struct {

+	Filter filters.Args

+}

@@ -11,6 +11,7 @@ import (

 	"github.com/docker/docker/cli/command/node"

 	"github.com/docker/docker/cli/command/plugin"

 	"github.com/docker/docker/cli/command/registry"

+	"github.com/docker/docker/cli/command/secret"

 	"github.com/docker/docker/cli/command/service"

 	"github.com/docker/docker/cli/command/stack"

 	"github.com/docker/docker/cli/command/swarm"

@@ -25,6 +26,7 @@ func AddCommands(cmd *cobra.Command, dockerCli *command.DockerCli) {

 		node.NewNodeCommand(dockerCli),

 		service.NewServiceCommand(dockerCli),

 		swarm.NewSwarmCommand(dockerCli),

+		secret.NewSecretCommand(dockerCli),

 		container.NewContainerCommand(dockerCli),

 		image.NewImageCommand(dockerCli),

 		system.NewSystemCommand(dockerCli),

new file mode 100644

@@ -0,0 +1,29 @@

+package secret

+

+import (

+	"fmt"

+

+	"github.com/spf13/cobra"

+

+	"github.com/docker/docker/cli"

+	"github.com/docker/docker/cli/command"

+)

+

+// NewSecretCommand returns a cobra command for `secret` subcommands

+func NewSecretCommand(dockerCli *command.DockerCli) *cobra.Command {

+	cmd := &cobra.Command{

+		Use:   "secret",

+		Short: "Manage Docker secrets",

+		Args:  cli.NoArgs,

+		Run: func(cmd *cobra.Command, args []string) {

+			fmt.Fprintf(dockerCli.Err(), "\n"+cmd.UsageString())

+		},

+	}

+	cmd.AddCommand(

+		newSecretListCommand(dockerCli),

+		newSecretCreateCommand(dockerCli),

+		newSecretInspectCommand(dockerCli),

+		newSecretRemoveCommand(dockerCli),

+	)

+	return cmd

+}

new file mode 100644

@@ -0,0 +1,57 @@

+package secret

+

+import (

+	"context"

+	"fmt"

+	"io/ioutil"

+	"os"

+

+	"github.com/docker/docker/api/types/swarm"

+	"github.com/docker/docker/cli"

+	"github.com/docker/docker/cli/command"

+	"github.com/spf13/cobra"

+)

+

+type createOptions struct {

+	name string

+}

+

+func newSecretCreateCommand(dockerCli *command.DockerCli) *cobra.Command {

+	return &cobra.Command{

+		Use:   "create [name]",

+		Short: "Create a secret using stdin as content",

+		Args:  cli.ExactArgs(1),

+		RunE: func(cmd *cobra.Command, args []string) error {

+			opts := createOptions{

+				name: args[0],

+			}

+

+			return runSecretCreate(dockerCli, opts)

+		},

+	}

+}

+

+func runSecretCreate(dockerCli *command.DockerCli, opts createOptions) error {

+	client := dockerCli.Client()

+	ctx := context.Background()

+

+	secretData, err := ioutil.ReadAll(os.Stdin)

+	if err != nil {

+		return fmt.Errorf("Error reading content from STDIN: %v", err)

+	}

+

+	spec := swarm.SecretSpec{

+		Annotations: swarm.Annotations{

+			Name: opts.name,

+		},

+		Data: secretData,

+	}

+

+	r, err := client.SecretCreate(ctx, spec)

+	if err != nil {

+		return err

+	}

+

+	fmt.Fprintln(dockerCli.Out(), r.ID)

+	return nil

+}

new file mode 100644

@@ -0,0 +1,42 @@

+package secret

+

+import (

+	"context"

+

+	"github.com/docker/docker/cli"

+	"github.com/docker/docker/cli/command"

+	"github.com/docker/docker/cli/command/inspect"

+	"github.com/spf13/cobra"

+)

+

+type inspectOptions struct {

+	name   string

+	format string

+}

+

+func newSecretInspectCommand(dockerCli *command.DockerCli) *cobra.Command {

+	opts := inspectOptions{}

+	cmd := &cobra.Command{

+		Use:   "inspect [name]",

+		Short: "Inspect a secret",

+		Args:  cli.ExactArgs(1),

+		RunE: func(cmd *cobra.Command, args []string) error {

+			opts.name = args[0]

+			return runSecretInspect(dockerCli, opts)

+		},

+	}

+

+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given go template")

+	return cmd

+}

+

+func runSecretInspect(dockerCli *command.DockerCli, opts inspectOptions) error {

+	client := dockerCli.Client()

+	ctx := context.Background()

+

+	getRef := func(name string) (interface{}, []byte, error) {

+		return client.SecretInspectWithRaw(ctx, name)

+	}

+

+	return inspect.Inspect(dockerCli.Out(), []string{opts.name}, opts.format, getRef)

+}

new file mode 100644

@@ -0,0 +1,62 @@

+package secret

+

+import (

+	"context"

+	"fmt"

+	"text/tabwriter"

+

+	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/cli"

+	"github.com/docker/docker/cli/command"

+	"github.com/spf13/cobra"

+)

+

+type listOptions struct {

+	quiet bool

+}

+

+func newSecretListCommand(dockerCli *command.DockerCli) *cobra.Command {

+	opts := listOptions{}

+

+	cmd := &cobra.Command{

+		Use:   "ls",

+		Short: "List secrets",

+		Args:  cli.NoArgs,

+		RunE: func(cmd *cobra.Command, args []string) error {

+			return runSecretList(dockerCli, opts)

+		},

+	}

+

+	flags := cmd.Flags()

+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Only display IDs")

+

+	return cmd

+}

+

+func runSecretList(dockerCli *command.DockerCli, opts listOptions) error {

+	client := dockerCli.Client()

+	ctx := context.Background()

+

+	secrets, err := client.SecretList(ctx, types.SecretListOptions{})

+	if err != nil {

+		return err

+	}

+

+	w := tabwriter.NewWriter(dockerCli.Out(), 20, 1, 3, ' ', 0)

+	if opts.quiet {

+		for _, s := range secrets {

+			fmt.Fprintf(w, "%s\n", s.ID)

+		}

+	} else {

+		fmt.Fprintf(w, "ID\tNAME\tCREATED\tUPDATED\tSIZE")

+		fmt.Fprintf(w, "\n")

+

+		for _, s := range secrets {

+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%d\n", s.ID, s.Spec.Annotations.Name, s.Meta.CreatedAt, s.Meta.UpdatedAt, s.SecretSize)

+		}

+	}

+

+	w.Flush()

+

+	return nil

+}

new file mode 100644

@@ -0,0 +1,43 @@

+package secret

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/docker/docker/cli"

+	"github.com/docker/docker/cli/command"

+	"github.com/spf13/cobra"

+)

+

+type removeOptions struct {

+	ids []string

+}

+

+func newSecretRemoveCommand(dockerCli *command.DockerCli) *cobra.Command {

+	return &cobra.Command{

+		Use:   "rm [id]",

+		Short: "Remove a secret",

+		Args:  cli.RequiresMinArgs(1),

+		RunE: func(cmd *cobra.Command, args []string) error {

+			opts := removeOptions{

+				ids: args,

+			}

+			return runSecretRemove(dockerCli, opts)

+		},

+	}

+}

+

+func runSecretRemove(dockerCli *command.DockerCli, opts removeOptions) error {

+	client := dockerCli.Client()

+	ctx := context.Background()

+

+	for _, id := range opts.ids {

+		if err := client.SecretRemove(ctx, id); err != nil {

+			return err

+		}

+

+		fmt.Fprintln(dockerCli.Out(), id)

+	}

+

+	return nil

+}

@@ -58,6 +58,13 @@ func runCreate(dockerCli *command.DockerCli, opts *serviceOptions) error {

 		return err

 	}

+	// parse and validate secrets

+	secrets, err := parseSecrets(apiClient, opts.secrets)

+	if err != nil {

+		return err

+	}

+	service.TaskTemplate.ContainerSpec.Secrets = secrets

+

 	ctx := context.Background()

 	// only send auth if flag was set

@@ -191,6 +191,19 @@ func convertNetworks(networks []string) []swarm.NetworkAttachmentConfig {

 	return nets

 }

+func convertSecrets(secrets []string) []*swarm.SecretReference {

+	sec := []*swarm.SecretReference{}

+	for _, s := range secrets {

+		sec = append(sec, &swarm.SecretReference{

+			SecretID: s,

+			Mode:     swarm.SecretReferenceFile,

+			Target:   "",

+		})

+	}

+

+	return sec

+}

+

 type endpointOptions struct {

 	mode  string

 	ports opts.ListOpts

@@ -337,6 +350,7 @@ type serviceOptions struct {

 	logDriver logDriverOptions

 	healthcheck healthCheckOptions

+	secrets     []string

 }

 func newServiceOptions() *serviceOptions {

@@ -403,6 +417,7 @@ func (opts *serviceOptions) ToService() (swarm.ServiceSpec, error) {

 					Options:     opts.dnsOptions.GetAll(),

 				},

 				StopGracePeriod: opts.stopGrace.Value(),

+				Secrets:         convertSecrets(opts.secrets),

 			},

 			Networks:      convertNetworks(opts.networks.GetAll()),

 			Resources:     opts.resources.ToResourceRequirements(),

@@ -488,6 +503,7 @@ func addServiceFlags(cmd *cobra.Command, opts *serviceOptions) {

 	flags.BoolVar(&opts.healthcheck.noHealthcheck, flagNoHealthcheck, false, "Disable any container-specified HEALTHCHECK")

 	flags.BoolVarP(&opts.tty, flagTTY, "t", false, "Allocate a pseudo-TTY")

+	flags.StringSliceVar(&opts.secrets, flagSecret, []string{}, "Specify secrets to expose to the service")

 }

 const (

@@ -553,4 +569,5 @@ const (

 	flagHealthRetries         = "health-retries"

 	flagHealthTimeout         = "health-timeout"

 	flagNoHealthcheck         = "no-healthcheck"

+	flagSecret                = "secret"

 )

new file mode 100644

@@ -0,0 +1,92 @@

+package service

+

+import (

+	"context"

+	"fmt"

+	"strings"

+

+	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/filters"

+	swarmtypes "github.com/docker/docker/api/types/swarm"

+	"github.com/docker/docker/client"

+)

+

+// parseSecretString parses the requested secret and returns the secret name

+// and target.  Expects format SECRET_NAME:TARGET

+func parseSecretString(secretString string) (string, string, error) {

+	tokens := strings.Split(secretString, ":")

+

+	secretName := strings.TrimSpace(tokens[0])

+	targetName := ""

+

+	if secretName == "" {

+		return "", "", fmt.Errorf("invalid secret name provided")

+	}

+

+	if len(tokens) > 1 {

+		targetName = strings.TrimSpace(tokens[1])

+		if targetName == "" {

+			return "", "", fmt.Errorf("invalid presentation name provided")

+		}

+	} else {

+		targetName = secretName

+	}

+	return secretName, targetName, nil

+}

+

+// parseSecrets retrieves the secrets from the requested names and converts

+// them to secret references to use with the spec

+func parseSecrets(client client.APIClient, requestedSecrets []string) ([]*swarmtypes.SecretReference, error) {

+	lookupSecretNames := []string{}

+	needSecrets := make(map[string]*swarmtypes.SecretReference)

+	ctx := context.Background()

+

+	for _, secret := range requestedSecrets {

+		n, t, err := parseSecretString(secret)

+		if err != nil {

+			return nil, err

+		}

+

+		secretRef := &swarmtypes.SecretReference{

+			SecretName: n,

+			Mode:       swarmtypes.SecretReferenceFile,

+			Target:     t,

+		}

+

+		lookupSecretNames = append(lookupSecretNames, n)

+		needSecrets[n] = secretRef

+	}

+

+	args := filters.NewArgs()

+	for _, s := range lookupSecretNames {

+		args.Add("names", s)

+	}

+

+	secrets, err := client.SecretList(ctx, types.SecretListOptions{

+		Filter: args,

+	})

+	if err != nil {

+		return nil, err

+	}

+

+	foundSecrets := make(map[string]*swarmtypes.Secret)

+	for _, secret := range secrets {

+		foundSecrets[secret.Spec.Annotations.Name] = &secret

+	}

+

+	addedSecrets := []*swarmtypes.SecretReference{}

+

+	for secretName, secretRef := range needSecrets {

+		s, ok := foundSecrets[secretName]

+		if !ok {

+			return nil, fmt.Errorf("secret not found: %s", secretName)

+		}

+

+		// set the id for the ref to properly assign in swarm

+		// since swarm needs the ID instead of the name

+		secretRef.SecretID = s.ID

+		addedSecrets = append(addedSecrets, secretRef)

+	}

+

+	return addedSecrets, nil

+}

@@ -217,3 +217,25 @@ func (cli *Client) NewVersionError(APIrequired, feature string) error {

 	}

 	return nil

 }

+

+// secretNotFoundError implements an error returned when a secret is not found.

+type secretNotFoundError struct {

+	name string

+}

+

+// Error returns a string representation of a secretNotFoundError

+func (e secretNotFoundError) Error() string {

+	return fmt.Sprintf("Error: No such secret: %s", e.name)

+}

+

+// NoFound indicates that this error type is of NotFound

+func (e secretNotFoundError) NotFound() bool {

+	return true

+}

+

+// IsErrSecretNotFound returns true if the error is caused

+// when a secret is not found.

+func IsErrSecretNotFound(err error) bool {

+	_, ok := err.(secretNotFoundError)

+	return ok

+}

@@ -23,6 +23,7 @@ type CommonAPIClient interface {

 	NetworkAPIClient

 	ServiceAPIClient

 	SwarmAPIClient

+	SecretAPIClient

 	SystemAPIClient

 	VolumeAPIClient

 	ClientVersion() string

@@ -141,3 +142,11 @@ type VolumeAPIClient interface {

 	VolumeRemove(ctx context.Context, volumeID string, force bool) error

 	VolumesPrune(ctx context.Context, cfg types.VolumesPruneConfig) (types.VolumesPruneReport, error)

 }

+

+// SecretAPIClient defines API client methods for secrets

+type SecretAPIClient interface {

+	SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error)

+	SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error)

+	SecretRemove(ctx context.Context, id string) error

+	SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error)

+}

new file mode 100644

@@ -0,0 +1,24 @@

+package client

+

+import (

+	"encoding/json"

+

+	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/swarm"

+	"golang.org/x/net/context"

+)

+

+// SecretCreate creates a new Secret.

+func (cli *Client) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {

+	var headers map[string][]string

+

+	var response types.SecretCreateResponse

+	resp, err := cli.post(ctx, "/secrets/create", nil, secret, headers)

+	if err != nil {

+		return response, err

+	}

+

+	err = json.NewDecoder(resp.body).Decode(&response)

+	ensureReaderClosed(resp)

+	return response, err

+}

new file mode 100644

@@ -0,0 +1,57 @@

+package client

+

+import (

+	"bytes"

+	"encoding/json"

+	"fmt"

+	"io/ioutil"

+	"net/http"

+	"strings"

+	"testing"

+

+	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/swarm"

+	"golang.org/x/net/context"

+)

+

+func TestSecretCreateError(t *testing.T) {

+	client := &Client{

+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),

+	}

+	_, err := client.SecretCreate(context.Background(), swarm.SecretSpec{})

+	if err == nil || err.Error() != "Error response from daemon: Server error" {

+		t.Fatalf("expected a Server Error, got %v", err)

+	}

+}

+

+func TestSecretCreate(t *testing.T) {

+	expectedURL := "/secrets/create"

+	client := &Client{

+		client: newMockClient(func(req *http.Request) (*http.Response, error) {

+			if !strings.HasPrefix(req.URL.Path, expectedURL) {

+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)

+			}

+			if req.Method != "POST" {

+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)

+			}

+			b, err := json.Marshal(types.SecretCreateResponse{

+				ID: "test_secret",

+			})

+			if err != nil {

+				return nil, err

+			}

+			return &http.Response{

+				StatusCode: http.StatusOK,

+				Body:       ioutil.NopCloser(bytes.NewReader(b)),

+			}, nil

+		}),

+	}

+

+	r, err := client.SecretCreate(context.Background(), swarm.SecretSpec{})

+	if err != nil {

+		t.Fatal(err)

+	}

+	if r.ID != "test_secret" {

+		t.Fatalf("expected `test_secret`, got %s", r.ID)

+	}

+}

new file mode 100644

@@ -0,0 +1,34 @@

+package client

+

+import (

+	"bytes"

+	"encoding/json"

+	"io/ioutil"

+	"net/http"

+

+	"github.com/docker/docker/api/types/swarm"

+	"golang.org/x/net/context"

+)

+

+// SecretInspectWithRaw returns the secret information with raw data

+func (cli *Client) SecretInspectWithRaw(ctx context.Context, id string) (swarm.Secret, []byte, error) {

+	resp, err := cli.get(ctx, "/secrets/"+id, nil, nil)

+	if err != nil {

+		if resp.statusCode == http.StatusNotFound {

+			return swarm.Secret{}, nil, secretNotFoundError{id}

+		}

+		return swarm.Secret{}, nil, err

+	}

+	defer ensureReaderClosed(resp)

+

+	body, err := ioutil.ReadAll(resp.body)

+	if err != nil {

+		return swarm.Secret{}, nil, err

+	}

+

+	var secret swarm.Secret

+	rdr := bytes.NewReader(body)

+	err = json.NewDecoder(rdr).Decode(&secret)

+

+	return secret, body, err

+}

new file mode 100644

@@ -0,0 +1,65 @@

+package client

+

+import (

+	"bytes"

+	"encoding/json"

+	"fmt"

+	"io/ioutil"

+	"net/http"

+	"strings"

+	"testing"

+

+	"github.com/docker/docker/api/types/swarm"

+	"golang.org/x/net/context"

+)

+

+func TestSecretInspectError(t *testing.T) {

+	client := &Client{

+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),

+	}

+

+	_, _, err := client.SecretInspectWithRaw(context.Background(), "nothing")

+	if err == nil || err.Error() != "Error response from daemon: Server error" {

+		t.Fatalf("expected a Server Error, got %v", err)

+	}

+}

+

+func TestSecretInspectSecretNotFound(t *testing.T) {

+	client := &Client{

+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),

+	}

+

+	_, _, err := client.SecretInspectWithRaw(context.Background(), "unknown")

+	if err == nil || !IsErrSecretNotFound(err) {

+		t.Fatalf("expected an secretNotFoundError error, got %v", err)

+	}

+}

+

+func TestSecretInspect(t *testing.T) {

+	expectedURL := "/secrets/secret_id"

+	client := &Client{

+		client: newMockClient(func(req *http.Request) (*http.Response, error) {

+			if !strings.HasPrefix(req.URL.Path, expectedURL) {

+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)

+			}

+			content, err := json.Marshal(swarm.Secret{

+				ID: "secret_id",

+			})

+			if err != nil {

+				return nil, err

+			}

+			return &http.Response{

+				StatusCode: http.StatusOK,

+				Body:       ioutil.NopCloser(bytes.NewReader(content)),

+			}, nil

+		}),

+	}

+

+	secretInspect, _, err := client.SecretInspectWithRaw(context.Background(), "secret_id")

+	if err != nil {

+		t.Fatal(err)

+	}

+	if secretInspect.ID != "secret_id" {

+		t.Fatalf("expected `secret_id`, got %s", secretInspect.ID)

+	}

+}

new file mode 100644

@@ -0,0 +1,35 @@

+package client

+

+import (

+	"encoding/json"

+	"net/url"

+

+	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/filters"

+	"github.com/docker/docker/api/types/swarm"

+	"golang.org/x/net/context"

+)