Add advanced secret management

**What** - Add the ability to specify secrets as a csv - Vendor the docker/cli/opts - Update the guide for secrets to use the `faas-cli` **Why** - Allowing the csv specification of secrets gives users more control about how those secrets are mounted into the container. This is good for things like key rotation and for developers that are building on top of OpenFaaS. Signed-off-by: Lucas Roesler <lucas.roesler@gmail.com>
2025-06-19 12:36:40 +00:00 · 2017-10-16 11:41:59 +02:00
parent 0fef825fb4
commit 5dce1deb21
23 changed files with 2092 additions and 33 deletions
--- a/gateway/handlers/create_handler.go
+++ b/gateway/handlers/create_handler.go
@ -13,6 +13,7 @@ import (
 	"strings"
 	"time"

+	"github.com/docker/cli/opts"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
@ -255,14 +256,21 @@ func makeSecretsArray(c *client.Client, secretNames []string) ([]*swarm.SecretRe
 		return values, nil
 	}

+	secretOpts := new(opts.SecretOpt)
+	for _, secret := range secretNames {
+		if err := secretOpts.Set(secret); err != nil {
+			return nil, err
+		}
+	}
+
 	requestedSecrets := make(map[string]bool)
 	ctx := context.Background()

 	// query the Swarm for the requested secret ids, these are required to complete
 	// the spec
 	args := filters.NewArgs()
-	for _, name := range secretNames {
-		args.Add("name", name)
+	for _, opt := range secretOpts.Value() {
+		args.Add("name", opt.SecretName)
 	}

 	secrets, err := c.SecretList(ctx, types.SecretListOptions{
@ -280,26 +288,21 @@ func makeSecretsArray(c *client.Client, secretNames []string) ([]*swarm.SecretRe

 	// mimics the simple syntax for `docker service create --secret foo`
 	// and the code is based on the docker cli
-	for _, secretName := range secretNames {
+	for _, opts := range secretOpts.Value() {
+
+		secretName := opts.SecretName
 		if _, exists := requestedSecrets[secretName]; exists {
 			return nil, fmt.Errorf("duplicate secret target for %s not allowed", secretName)
 		}

 		id, ok := foundSecrets[secretName]
 		if !ok {
-			return nil, fmt.Errorf("secret not found: %s", secretName)
+			return nil, fmt.Errorf("secret not found: %s; possible choices:\n%s", secretName, secrets)
 		}

-		options := &swarm.SecretReference{
-			File: &swarm.SecretReferenceFileTarget{
-				UID:  "0",
-				GID:  "0",
-				Mode: 0444,
-				Name: secretName,
-			},
-			SecretID:   id,
-			SecretName: secretName,
-		}
+		options := new(swarm.SecretReference)
+		*options = *opts
+		options.SecretID = id

 		requestedSecrets[secretName] = true
 		values = append(values, options)