Browse code
Test and fix external secrets in stack deploy.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit b3427e43edc56824f762e964c955b906fa363a3a)
Signed-off-by: Victor Vieux <vieux@docker.com>
Daniel Nephin authored on 2017/01/19 03:06:36Showing 4 changed files
- cli/compose/convert/service.go
- cli/compose/loader/loader.go
- integration-cli/docker_cli_stack_test.go
- integration-cli/fixtures/deploy/secrets.yaml
| ... | ... |
@@ -32,7 +32,7 @@ func Services( |
| 32 | 32 |
|
| 33 | 33 |
for _, service := range services {
|
| 34 | 34 |
|
| 35 |
- secrets, err := convertServiceSecrets(client, namespace, service.Secrets) |
|
| 35 |
+ secrets, err := convertServiceSecrets(client, namespace, service.Secrets, config.Secrets) |
|
| 36 | 36 |
if err != nil {
|
| 37 | 37 |
return nil, err |
| 38 | 38 |
} |
| ... | ... |
@@ -196,6 +196,7 @@ func convertServiceSecrets( |
| 196 | 196 |
client client.SecretAPIClient, |
| 197 | 197 |
namespace Namespace, |
| 198 | 198 |
secrets []composetypes.ServiceSecretConfig, |
| 199 |
+ secretSpecs map[string]composetypes.SecretConfig, |
|
| 199 | 200 |
) ([]*swarm.SecretReference, error) {
|
| 200 | 201 |
opts := []*types.SecretRequestOption{}
|
| 201 | 202 |
for _, secret := range secrets {
|
| ... | ... |
@@ -203,8 +204,15 @@ func convertServiceSecrets( |
| 203 | 203 |
if target == "" {
|
| 204 | 204 |
target = secret.Source |
| 205 | 205 |
} |
| 206 |
+ |
|
| 207 |
+ source := namespace.Scope(secret.Source) |
|
| 208 |
+ secretSpec := secretSpecs[secret.Source] |
|
| 209 |
+ if secretSpec.External.External {
|
|
| 210 |
+ source = secretSpec.External.Name |
|
| 211 |
+ } |
|
| 212 |
+ |
|
| 206 | 213 |
opts = append(opts, &types.SecretRequestOption{
|
| 207 |
- Source: namespace.Scope(secret.Source), |
|
| 214 |
+ Source: source, |
|
| 208 | 215 |
Target: target, |
| 209 | 216 |
UID: secret.UID, |
| 210 | 217 |
GID: secret.GID, |
| ... | ... |
@@ -422,8 +422,7 @@ func loadVolumes(source types.Dict) (map[string]types.VolumeConfig, error) {
|
| 422 | 422 |
// TODO: remove duplicate with networks/volumes |
| 423 | 423 |
func loadSecrets(source types.Dict, workingDir string) (map[string]types.SecretConfig, error) {
|
| 424 | 424 |
secrets := make(map[string]types.SecretConfig) |
| 425 |
- err := transform(source, &secrets) |
|
| 426 |
- if err != nil {
|
|
| 425 |
+ if err := transform(source, &secrets); err != nil {
|
|
| 427 | 426 |
return secrets, err |
| 428 | 427 |
} |
| 429 | 428 |
for name, secret := range secrets {
|
| ... | ... |
@@ -54,13 +54,13 @@ func (s *DockerSwarmSuite) TestStackDeployComposeFile(c *check.C) {
|
| 54 | 54 |
out, err := d.Cmd(stackArgs...) |
| 55 | 55 |
c.Assert(err, checker.IsNil, check.Commentf(out)) |
| 56 | 56 |
|
| 57 |
- out, err = d.Cmd([]string{"stack", "ls"}...)
|
|
| 57 |
+ out, err = d.Cmd("stack", "ls")
|
|
| 58 | 58 |
c.Assert(err, checker.IsNil) |
| 59 | 59 |
c.Assert(out, check.Equals, "NAME SERVICES\n"+"testdeploy 2\n") |
| 60 | 60 |
|
| 61 |
- out, err = d.Cmd([]string{"stack", "rm", testStackName}...)
|
|
| 61 |
+ out, err = d.Cmd("stack", "rm", testStackName)
|
|
| 62 | 62 |
c.Assert(err, checker.IsNil) |
| 63 |
- out, err = d.Cmd([]string{"stack", "ls"}...)
|
|
| 63 |
+ out, err = d.Cmd("stack", "ls")
|
|
| 64 | 64 |
c.Assert(err, checker.IsNil) |
| 65 | 65 |
c.Assert(out, check.Equals, "NAME SERVICES\n") |
| 66 | 66 |
} |
| ... | ... |
@@ -68,13 +68,16 @@ func (s *DockerSwarmSuite) TestStackDeployComposeFile(c *check.C) {
|
| 68 | 68 |
func (s *DockerSwarmSuite) TestStackDeployWithSecretsTwice(c *check.C) {
|
| 69 | 69 |
d := s.AddDaemon(c, true, true) |
| 70 | 70 |
|
| 71 |
+ out, err := d.Cmd("secret", "create", "outside", "fixtures/secrets/default")
|
|
| 72 |
+ c.Assert(err, checker.IsNil, check.Commentf(out)) |
|
| 73 |
+ |
|
| 71 | 74 |
testStackName := "testdeploy" |
| 72 | 75 |
stackArgs := []string{
|
| 73 | 76 |
"stack", "deploy", |
| 74 | 77 |
"--compose-file", "fixtures/deploy/secrets.yaml", |
| 75 | 78 |
testStackName, |
| 76 | 79 |
} |
| 77 |
- out, err := d.Cmd(stackArgs...) |
|
| 80 |
+ out, err = d.Cmd(stackArgs...) |
|
| 78 | 81 |
c.Assert(err, checker.IsNil, check.Commentf(out)) |
| 79 | 82 |
|
| 80 | 83 |
out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", "testdeploy_web")
|
| ... | ... |
@@ -82,14 +85,15 @@ func (s *DockerSwarmSuite) TestStackDeployWithSecretsTwice(c *check.C) {
|
| 82 | 82 |
|
| 83 | 83 |
var refs []swarm.SecretReference |
| 84 | 84 |
c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil) |
| 85 |
- c.Assert(refs, checker.HasLen, 2) |
|
| 85 |
+ c.Assert(refs, checker.HasLen, 3) |
|
| 86 | 86 |
|
| 87 | 87 |
sort.Sort(sortSecrets(refs)) |
| 88 |
- c.Assert(refs[0].SecretName, checker.Equals, "testdeploy_special") |
|
| 89 |
- c.Assert(refs[0].File.Name, checker.Equals, "special") |
|
| 90 |
- c.Assert(refs[1].SecretName, checker.Equals, "testdeploy_super") |
|
| 91 |
- c.Assert(refs[1].File.Name, checker.Equals, "foo.txt") |
|
| 92 |
- c.Assert(refs[1].File.Mode, checker.Equals, os.FileMode(0400)) |
|
| 88 |
+ c.Assert(refs[0].SecretName, checker.Equals, "outside") |
|
| 89 |
+ c.Assert(refs[1].SecretName, checker.Equals, "testdeploy_special") |
|
| 90 |
+ c.Assert(refs[1].File.Name, checker.Equals, "special") |
|
| 91 |
+ c.Assert(refs[2].SecretName, checker.Equals, "testdeploy_super") |
|
| 92 |
+ c.Assert(refs[2].File.Name, checker.Equals, "foo.txt") |
|
| 93 |
+ c.Assert(refs[2].File.Mode, checker.Equals, os.FileMode(0400)) |
|
| 93 | 94 |
|
| 94 | 95 |
// Deploy again to ensure there are no errors when secret hasn't changed |
| 95 | 96 |
out, err = d.Cmd(stackArgs...) |