Templated secrets and configs #33702
Conversation
aaronlehmann
force-pushed
the
templated-secrets-and-configs
branch
2 times, most recently
from
0ee21b0 to
5259d1a
Compare
|
Just so I understand, this is making it so you can template the actual secret/config data and effectively creates a dependencies between secrets/configs (assuming that the template is referencing a secret/config). |
I suppose you can say that, but you only secrets and configs already attached to the service may be referenced. So it effectively creates dependencies between services/configs, but cannot add new secret/config dependencies to a service. |
| Name: "golang", | ||
| }, | ||
| Data: []byte("SERVICE_NAME={{.Service.Name}}\n" + | ||
| "{{secret \"referencedsecrettarget\"}}\n" + |
There was a problem hiding this comment.
If configs can pull in secrets, doesn't this have security consequences since configs are not on tmpfs?
There was a problem hiding this comment.
I brought that up here, but there didn't seem to be concerns about it: moby/swarmkit#2133 (comment)
I'd be fine with restricting the ability to insert secrets into configs if people think that's the right thing to do.
There was a problem hiding this comment.
Yeah, I think it's a mistake to allow importing secrets into a config.
/cc @diogomonica
There was a problem hiding this comment.
Aren't configs also tmpFS?
There was a problem hiding this comment.
Nope. See moby/swarmkit#2133 (comment)
There was a problem hiding this comment.
I vaguely remember the outcome of that discussion being that if configs are flagged having a dependency on a secret, it was going to be treated as a secret? It was left as an implementation detail for the future, though.
There was a problem hiding this comment.
I started working on flagging configs that depend on a secret so they can be stored in tmpfs. moby/swarmkit#2286 is the swarmkit part of this. I will update this PR to make use of this.
There was a problem hiding this comment.
Updated the PR with new commits to store configs in the tmpfs secrets directory when they have secrets inserted inside them. Marking WIP because this depends on moby/swarmkit#2286.
There was a problem hiding this comment.
that seems really complicated, why don't we move all configs to tmpfs? They should be accounted for under the container's memory usage so I don't think thats an issue.
There was a problem hiding this comment.
That would be fine with me. I don't have time to update the PR right now, but it's okay with me if someone wants to carry this.
aaronlehmann
force-pushed
the
templated-secrets-and-configs
branch
from
5259d1a to
6715c7e
Compare
|
Rebased |
aaronlehmann
force-pushed
the
templated-secrets-and-configs
branch
from
6715c7e to
82340f8
Compare
aaronlehmann
changed the title
aaronlehmann
force-pushed
the
templated-secrets-and-configs
branch
from
82340f8 to
c0f58cf
Compare
|
docker-py test failures are unrelated (#33863) |
aaronlehmann
force-pushed
the
templated-secrets-and-configs
branch
from
c0f58cf to
6c946d4
Compare
thaJeztah
added
the
status/needs-attention
aaronlehmann
changed the title
aaronlehmann
force-pushed
the
templated-secrets-and-configs
branch
from
6c946d4 to
3c61b4c
Compare
|
Swarmkit PR was merged. Rebased this one. ping @diogomonica @cyli @cpuguy83 |
|
Not sure if the lack of network-create event failures are related to the vendoring... but the config changes LGTM. |
|
I broke something in moby/swarmkit#2310. I messed up the lifecycle on the watch server - it's supposed to be available on non-leader nodes as well. I'll fix it. |
| // TODO: Right now Windows doesn't really have a "secure" storage for secrets, | ||
| // however some configs may contain secrets. Once secure storage is worked out, | ||
| // configs and secret handling should be merged. | ||
| func (container *Container) ConfigMounts() []Mount { |
There was a problem hiding this comment.
Won't this fail to validate (golint 😛)
cpuguy83
force-pushed
the
templated-secrets-and-configs
branch
from
48615bf to
4d3d211
Compare
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This makes configs and secrets behavior identical. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
On unix, merge secrets/configs handling. This is important because configs can contain secrets (via templating) and potentially a config could just simply have secret information "by accident" from the user. This just make sure that configs are as secure as secrets and de-dups a lot of code. Generally this makes everything simpler and configs more secure. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Makes sure if the user specifies an older API version that we don't pass through templating options for versions that templating was not supported. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
cpuguy83
force-pushed
the
templated-secrets-and-configs
branch
from
4d3d211 to
a407761
Compare
| @@ -372,6 +372,10 @@ func (sr *swarmRouter) createSecret(ctx context.Context, w http.ResponseWriter, | |||
| if err := json.NewDecoder(r.Body).Decode(&secret); err != nil { | |||
| return err | |||
| } | |||
| version := httputils.VersionFromContext(ctx) | |||
| if secret.Templating != nil && versions.LessThan(version, "1.36") { | |||
| return errdefs.InvalidParameter(errors.Errorf("secret templating is not supported on the specified API version: %s", version)) | |||
There was a problem hiding this comment.
Hm initially thought we'd ignore the property (as in: "old API doesn't know about this option, so just ignores it"), but I guess it's ok
| @@ -372,6 +372,10 @@ func (sr *swarmRouter) createSecret(ctx context.Context, w http.ResponseWriter, | |||
| if err := json.NewDecoder(r.Body).Decode(&secret); err != nil { | |||
| return err | |||
| } | |||
| version := httputils.VersionFromContext(ctx) | |||
| if secret.Templating != nil && versions.LessThan(version, "1.36") { | |||
There was a problem hiding this comment.
oh, dang! this needs to be 1.37 now (#33922 was merged) - also needs a mention in the API version history, can do that in the same follow-up
There was a problem hiding this comment.
I'm ok with fixing that in a follow-up
thaJeztah
added
status/4-merge
and removed
status/2-code-review
status/needs-attention
Codecov Report
@@ Coverage Diff @@
## master #33702 +/- ##
==========================================
- Coverage 34.22% 34.05% -0.18%
==========================================
Files 609 609
Lines 45267 46075 +808
==========================================
+ Hits 15493 15690 +197
- Misses 27821 28371 +550
- Partials 1953 2014 +61 |
|
Ignoring codecode/patch;
|
This adds support for template expansion in secrets and configs, as added up stream in moby/swarmkit#2133.
SecretSpecandConfigSpechave a new optionalTemplatingfield. Currently, the only supported value isgolangfor go-style templates, but I imagine supporting other templating engines in the future, as Go-style templating is not especially familiar to Docker's target audience.When templating is enabled, it's possible to expand information about the task and service (examples:
{{.Task.ID}},{{env "VAR"}}), and other secrets and configs available to the service (example:{{secret "sometarget"}}).A few areas where this can be useful:
cc @diogomonica