Plugable secret backend

[liron-l]

This commit extends SwarmKit secret management with pluggable secret
backends support.

Following previous commits:

1. moby/swarmkit@eebac27
2. moby/moby@08f7cf0

Added driver parameter to docker secret command.
Specifically:

1. docker secret create [secret_name] --driver [driver_name]
2. Displaying the driver in

    $ docker secret ls
    $ docker secret inspect [secret_name]
    $ docker secret inspect [secret_name] -pretty

There is a bug in serialization of the secret data. Handled in moby/moby#34157.

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[cpuguy83]

Validations and tests appear to have failed but I can't see them in CircleCI.

[liron-l]

Thanks @cpuguy83, waiting for the fix in moby/moby#34157 (tests should work after updating the vendor folder).

[codecov-io]

Codecov Report

Merging #348 into master will increase coverage by 1.86%.
The diff coverage is 48.97%.

@@            Coverage Diff             @@
##           master     #348      +/-   ##
==========================================
+ Coverage   45.49%   47.35%   +1.86%     
==========================================
  Files         193      186       -7     
  Lines       16065    15355     -710     
==========================================
- Hits         7308     7271      -37     
+ Misses       8379     7707     -672     
+ Partials      378      377       -1

[dnephin]

Thanks!

We'll also need to add this to the Compose file, but we need to get v3.4 in first, which is in #306, so a follow up PR should be fine.

[dnephin]

It looks like the existing lines have a weird mix of tabs and spaces...

I think we'll need to fix this to be all spaces so that the new line aligns properly.

[liron-l]

Thanks, modified 👍

[dnephin]

The Use: line needs to be updated to make the second arg optional:

create [OPTIONS] SECRET [file | -]

[liron-l]

Good catch, thanks 👍

[dnephin]

The intent here will be more obvious is this check is changed to

if options.file != "" {
    ...
}

[liron-l]

Fixed as part of function refactoring 👍

[dnephin]

I know you've just adding another condition here, but now that this function is growing I think it would be appropriate to extract this as a new function.

secretData, err := readSecretData(options.file, dockerCli.In())
...

Even the initial options.file != "" check could be inside the function.

[liron-l]

thanks @dnephin, makes sense.

[dnephin]

I still see tabs here

[liron-l]

Got it, you mean I should remove all tabs from the formatter 👍

[dnephin]

this line is unused I think

[liron-l]

right. Thanks

[dnephin]

errors.Wrapf(err, "error reading content from %q", file)

Errors should start with lowercase so they look more appropriate when wrapped.

[liron-l]

Thanks, but those lines are not wrapped with anything (they are printed directly in the cli). I returned the error and wrapped with upper case in the main method. Please let me know if this makes sense.

[liron-l]

Thanks for the comments @dnephin! do you know what vndr is complaining?
CC @diogomonica @aaronlehmann @cpuguy83

[dnephin]

If I run make -f docker.Makefile vendor locally I see the same problem. I think you vendored using an older version of vndr. If you run that command and check in the changes it should fix it.

[liron-l]

Thanks @dnephin, it worked!

[dnephin]

LGTM

[cpuguy83]

Can we do the vendoring in a separate commit?

[liron-l]

Sure @cpuguy83 makes sense. I've updated the commit.

[thaJeztah]

Does this also update the docker-compose format to support this?

[thaJeztah]

I wonder if it would make sense to do the version bump in two stages; one to moby/moby@d0a8e73 (last commit before the upstream related change was merged), and one to moby/moby@0304c98 (the diff is quite large moby/moby@87df0e5...0304c98)

I see there's also some dependencies bumped in moby's vendor.conf; do we have to bump those as well accordingly (if used here?)

[liron-l]

Thanks @thaJeztah.
Re docker-compose, I checked that setting external: true for the secret reference works with the new plugin subsystem.
Do we need to support driver: name parameter, which will create the secret value?

Re version bump, let me know which commit history makes sense or which additional packages should be updated.

[liron-l]

@thaJeztah and @dnephin I've added a new parameter to secrets definitions:

driver: my-driver

So now it's possible to run:

version: '3.3'
services:
  web:
    image: nginx
    secrets:                    
     - hello-secret
secrets:                       
  hello-secret:
    driver: secrets:next

Can you please review?

[dnephin]

Sorry, the change should not be made to v3.3. It should go into v3.4. You can cherry-pick #358 to get v3.4, or we can add the compose changes in a separate PR. I think I would prefer a separate PR

[liron-l]

Thanks @dnephin makes sense. I will push those changes in the next commit.
I removed the compose changes, how do I re-trigger a build?

[dnephin]

hmm, we've been having problems with github not triggering builds. I'm going to email github support.

[liron-l]

Thanks @dnephin! was the issue resolved? can I trigger A build without closing the issue?

[dnephin]

github said they are looking into it, and that it's likely a bug on their end.

I've been able to trigger the build by closing and re-opening the PR in some cases, so I'm going to try that now.

[dnephin]

and in some cases CI fails with "fatal: Could not parse object" which is what's happening this time...