
Raw credential spec in docker compose / docker stack #39730

Open
@Drewster727


Description of the issue

It appears that docker supports passing credential specs directly in a raw json format: #38777
I tested this out when running from the CLI and I can indeed create a swarm service and have it utilize the credspec json:

docker run --rm --security-opt "credentialspec=raw://<somejson>" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain

My issue here is that it seems either a bug or a missing feature that I cannot do this same thing in my compose/stack files. I mean... I may have a cluster of dozens of hosts, are we expected to deploy these cred specs to every host?? I'd rather pass them in my yml to tell the service what to do, rather than relying on a hard-set file system reference.

I know that this works:

version: "3.7"

services:
  cdm:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    credential_spec:
      file: cred-spec.json

but, I should be able to do something along the lines of this:

version: "3.7"

services:
  app:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    credential_spec:
      raw: "{ somejson: blah }"

Which allows me to use credential specs from my secure key vault and embed them in the yml at deployment time.

Reference links:
#38777
#38632

Context information (for bug reports)

Output of docker-compose version

docker-compose version 1.24.0, build 0aa59064
docker-py version: 3.7.2
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018

Output of docker version

Client: Docker Engine - Enterprise
 Version:           19.03.0
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        87b1f470ad
 Built:             07/16/2019 23:41:30
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          19.03.0
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.12.5
  Git commit:       87b1f470ad
  Built:            07/16/2019 23:39:21
  OS/Arch:          windows/amd64
  Experimental:     false

Steps to reproduce the issue

  1. Create a docker-compose.yml file
  2. Add in a raw credential-spec json in the config area
  3. It works in the CLI, but doesn't work on a stack deploy or compose up

Observed result

raw isn't supported

@thaJeztah thoughts on this? Those PRs made me think this was possible, but apparently only for the CLI?
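
An added example (not from the issue or from the Docker project) of the CLI path the post describes: it checks a credential spec fetched at deployment time and builds the `credentialspec=raw://` option as an argv list, so the JSON never needs shell quoting. The function names are hypothetical, the required keys assume the usual gMSA credential spec layout, and the sample spec is constructed.

```python
import json

# Top-level keys assumed from the usual gMSA credential spec layout.
REQUIRED_TOP = ("CmsPlugins", "DomainJoinConfig", "ActiveDirectoryConfig")

def raw_credspec_opt(spec_text):
    """Validate a credential spec and return the --security-opt value."""
    spec = json.loads(spec_text)  # malformed JSON raises ValueError
    if not isinstance(spec, dict):
        raise ValueError("credential spec must be a JSON object")
    missing = [k for k in REQUIRED_TOP if k not in spec]
    if missing:
        raise ValueError("credential spec missing keys: " + ", ".join(missing))
    ad_config = spec["ActiveDirectoryConfig"]
    if not isinstance(ad_config, dict) or not ad_config.get("GroupManagedServiceAccounts"):
        raise ValueError("no GroupManagedServiceAccounts listed")
    # Compact encoding: no newlines or padding inside the single argument.
    return "credentialspec=raw://" + json.dumps(spec, separators=(",", ":"))

def docker_run_argv(spec_text, image, command):
    """Build an argv list (for subprocess.run) around the validated spec."""
    return ["docker", "run", "--rm", "--security-opt",
            raw_credspec_opt(spec_text), image, *command]

# Constructed sample spec: hypothetical domain, account name, SID and GUID.
SAMPLE_SPEC = """
{
  "CmsPlugins": ["ActiveDirectory"],
  "DomainJoinConfig": {
    "Sid": "S-1-5-21-0-0-0",
    "MachineAccountName": "webapp01",
    "Guid": "00000000-0000-0000-0000-000000000000",
    "DnsTreeName": "example.test",
    "DnsName": "example.test",
    "NetBiosName": "EXAMPLE"
  },
  "ActiveDirectoryConfig": {
    "GroupManagedServiceAccounts": [
      {"Name": "webapp01", "Scope": "example.test"},
      {"Name": "webapp01", "Scope": "EXAMPLE"}
    ]
  }
}
"""

if __name__ == "__main__":
    print(docker_run_argv(SAMPLE_SPEC,
                          "mcr.microsoft.com/windows/servercore:ltsc2019",
                          ["nltest", "/parentdomain"]))
```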
