Plugable secret backend #348
Conversation
liron-l
force-pushed
the
plugable_secrets_backend
branch
3 times, most recently
from
40e2d6b
to
0f89fe6
Compare
|
Validations and tests appear to have failed but I can't see them in CircleCI. |
|
Thanks @cpuguy83, waiting for the fix in moby/moby#34157 (tests should work after updating the vendor folder). |
liron-l
force-pushed
the
plugable_secrets_backend
branch
2 times, most recently
from
a248bac
to
17c3a85
Compare
Codecov Report
@@ Coverage Diff @@
## master #348 +/- ##
==========================================
+ Coverage 45.49% 47.35% +1.86%
==========================================
Files 193 186 -7
Lines 16065 15355 -710
==========================================
- Hits 7308 7271 -37
+ Misses 8379 7707 -672
+ Partials 378 377 -1 |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
17c3a85
to
08d9020
Compare
cli/command/formatter/secret.go
Outdated
| @@ -23,6 +23,7 @@ Labels: | |||
| {{- range $k, $v := .Labels }} | |||
| - {{ $k }}{{if $v }}={{ $v }}{{ end }} | |||
| {{- end }}{{ end }} | |||
| Driver: {{.Driver}} | |||
| Created at: {{.CreatedAt}} | |||
| Updated at: {{.UpdatedAt}}` | |||
There was a problem hiding this comment.
It looks like the existing lines have a weird mix of tabs and spaces...
I think we'll need to fix this to be all spaces so that the new line aligns properly.
cli/command/secret/create.go
Outdated
| @@ -29,15 +30,18 @@ func newSecretCreateCommand(dockerCli command.Cli) *cobra.Command { | |||
| cmd := &cobra.Command{ | |||
| Use: "create [OPTIONS] SECRET file|-", | |||
| Short: "Create a secret from a file or STDIN as content", | |||
| Args: cli.ExactArgs(2), | |||
| Args: cli.RequiresRangeArgs(1, 2), | |||
There was a problem hiding this comment.
The Use: line needs to be updated to make the second arg optional:
create [OPTIONS] SECRET [file | -]
There was a problem hiding this comment.
Good catch, thanks 👍
cli/command/secret/create.go
Outdated
| if err != nil { | ||
| return errors.Errorf("Error reading content from %q: %v", options.file, err) | ||
| var secretData []byte | ||
| if options.driver == "" { |
There was a problem hiding this comment.
The intent here will be more obvious is this check is changed to
if options.file != "" {
...
}There was a problem hiding this comment.
Fixed as part of function refactoring 👍
cli/command/secret/create.go
Outdated
| secretData, err = ioutil.ReadAll(in) | ||
| if err != nil { | ||
| return errors.Errorf("Error reading content from %q: %v", options.file, err) | ||
| } |
There was a problem hiding this comment.
I know you've just adding another condition here, but now that this function is growing I think it would be appropriate to extract this as a new function.
secretData, err := readSecretData(options.file, dockerCli.In())
...Even the initial options.file != "" check could be inside the function.
There was a problem hiding this comment.
thanks @dnephin, makes sense.
liron-l
force-pushed
the
plugable_secrets_backend
branch
2 times, most recently
from
da74b0e
to
780465b
Compare
cli/command/formatter/secret.go
Outdated
| @@ -23,6 +23,7 @@ Labels: | |||
| {{- range $k, $v := .Labels }} | |||
| - {{ $k }}{{if $v }}={{ $v }}{{ end }} | |||
| {{- end }}{{ end }} | |||
| Driver: {{.Driver}} | |||
| Created at: {{.CreatedAt}} | |||
| Updated at: {{.UpdatedAt}}` | |||
There was a problem hiding this comment.
Got it, you mean I should remove all tabs from the formatter 👍
cli/command/secret/create.go
Outdated
| } | ||
| defer in.Close() | ||
| } | ||
| var err error |
There was a problem hiding this comment.
this line is unused I think
cli/command/secret/create.go
Outdated
| var err error | ||
| data, err := ioutil.ReadAll(in) | ||
| if err != nil { | ||
| return nil, errors.Errorf("Error reading content from %q: %v", file, err) |
There was a problem hiding this comment.
errors.Wrapf(err, "error reading content from %q", file)Errors should start with lowercase so they look more appropriate when wrapped.
There was a problem hiding this comment.
Thanks, but those lines are not wrapped with anything (they are printed directly in the cli). I returned the error and wrapped with upper case in the main method. Please let me know if this makes sense.
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
780465b
to
2ad48c9
Compare
|
Thanks for the comments @dnephin! do you know what |
|
If I run |
liron-l
force-pushed
the
plugable_secrets_backend
branch
2 times, most recently
from
96fa77c
to
d5f1104
Compare
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
d5f1104
to
67cbc67
Compare
|
Thanks @dnephin, it worked! |
|
Can we do the vendoring in a separate commit? |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
67cbc67
to
e34fae3
Compare
|
Sure @cpuguy83 makes sense. I've updated the commit. |
|
Does this also update the |
|
I wonder if it would make sense to do the version bump in two stages; one to moby/moby@d0a8e73 (last commit before the upstream related change was merged), and one to moby/moby@0304c98 (the diff is quite large moby/moby@87df0e5...0304c98) I see there's also some dependencies bumped in moby's vendor.conf; do we have to bump those as well accordingly (if used here?) |
|
Thanks @thaJeztah. Re version bump, let me know which commit history makes sense or which additional packages should be updated. |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
e34fae3
to
b8f39b7
Compare
|
@thaJeztah and @dnephin I've added a new parameter to secrets definitions: So now it's possible to run: Can you please review? |
|
Sorry, the change should not be made to v3.3. It should go into v3.4. You can cherry-pick #358 to get v3.4, or we can add the compose changes in a separate PR. I think I would prefer a separate PR |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
b8f39b7
to
bb96a8f
Compare
|
Thanks @dnephin makes sense. I will push those changes in the next commit. |
|
hmm, we've been having problems with github not triggering builds. I'm going to email github support. |
liron-l
force-pushed
the
plugable_secrets_backend
branch
2 times, most recently
from
3e153c4
to
389f146
Compare
|
Thanks @dnephin! was the issue resolved? can I trigger A build without closing the issue? |
|
github said they are looking into it, and that it's likely a bug on their end. I've been able to trigger the build by closing and re-opening the PR in some cases, so I'm going to try that now. |
|
and in some cases CI fails with "fatal: Could not parse object" which is what's happening this time... |
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
389f146
to
87bd71e
Compare
Update vendor to support plugable secret backend Signed-off-by: Liron Levin <liron@twistlock.com>
This commit extends SwarmKit secret management with pluggable secret backends support. Following previous commits: 1. moby/swarmkit@eebac27 2. moby/moby@08f7cf0 Added driver parameter to `docker secret` command. Specifically: 1. `docker secret create [secret_name] --driver [driver_name]` 2. Displaying the driver in ``` $ docker secret ls $ docker secret inspect [secret_name] $ docker secret inspect [secret_name] -pretty ``` Signed-off-by: Liron Levin <liron@twistlock.com>
liron-l
force-pushed
the
plugable_secrets_backend
branch
from
87bd71e
to
343de92
Compare
This commit extends SwarmKit secret management with pluggable secret
backends support.
Following previous commits:
Added driver parameter to
docker secretcommand.Specifically:
docker secret create [secret_name] --driver [driver_name]There is a bug in serialization of the secret data. Handled in moby/moby#34157.
- What I did
- How I did it
- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)