gesellix/docker-client

Support for secrets in DeployConfigReader

berndos opened this issue · 2 comments

As per https://docs.docker.com/compose/compose-file/#secrets a compose v3 file may specify secrets to be mapped into the services/containers running on the swarm-workers.
When using this feature with a compose-file parsed by DeployConfigReader.loadCompose, this does not quite work. Although the secrets in the compose-file are created in swarm by ManageStackClient.stackDeploy, the actual services don't seem to reference them, and therefore don't have the secret-file/data available in their containers.

It seems that the entries of config.services that are passed to createOrUpdateServices (ManageStackClient.groovy:104) do not have the taskTemplate fully populated for services that had secrets specified in the compose-file. I think, based on https://docs.docker.com/engine/api/v1.37/#operation/ServiceCreate, there should be a Secrets entry present in the ContainerSpec, which isn't the case. Looking at DeployConfigReader.groovy:136, where the service-specs are created, there is a commented-out line // secrets : secrets, so I guess this was never fully implemented.

It would be great to have this feature :)

You've found the exact place where the feature needs to be implemented. I haven't had enough time yet to continue there. If you're willing to provide a pull request, I'd be very happy :)

@berndos looks like I found some time to add secrets and configs support to the docker-client. See #82 for the corresponding PR.
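The mapping the issue asks for, as an added example that is not code from docker-client or from PR #82: it turns a compose service's `secrets` entries into the `Secrets` list of the `ContainerSpec` and fails instead of silently deploying a service without its secret. The function name `buildSecretReferences`, its parameters, the `<stack>_<name>` naming and the defaults (uid/gid "0", mode 0444) are assumptions modelled on `docker stack deploy`.

```groovy
// Added example: compose v3 service `secrets` -> ContainerSpec.Secrets (Engine API ServiceCreate).
// buildSecretReferences and its parameters are hypothetical names, not docker-client API.
List<Map> buildSecretReferences(String namespace, List serviceSecrets,
                                Map<String, Map> secretDefs, Map<String, String> secretIdsByName) {
    (serviceSecrets ?: []).collect { entry ->
        // Short syntax is a bare name; long syntax is a map with source/target/uid/gid/mode.
        Map cfg = entry instanceof Map ? entry : [source: entry]
        String source = cfg.source
        if (!secretDefs.containsKey(source)) {
            throw new IllegalArgumentException("service references undefined secret '${source}'")
        }
        Map definition = secretDefs[source] ?: [:]
        // Assumption: external secrets keep their name, stack-managed ones are namespaced.
        String swarmName
        if (definition.external instanceof Map && definition.external.name) {
            swarmName = definition.external.name
        } else if (definition.external) {
            swarmName = source
        } else {
            swarmName = "${namespace}_${source}"
        }
        String secretId = secretIdsByName[swarmName]
        if (!secretId) {
            // Fail closed: a service created without the reference would start
            // without the secret file mounted, which is the symptom in this issue.
            throw new IllegalStateException("secret '${swarmName}' not found in swarm")
        }
        return [
            SecretID  : secretId,
            SecretName: swarmName,
            File      : [
                Name: cfg.target ?: source,
                UID : (cfg.uid ?: "0") as String,
                GID : (cfg.gid ?: "0") as String,
                Mode: cfg.mode != null ? cfg.mode as Integer : 0444  // octal, read-only by default
            ]
        ]
    }
}

// Constructed sample input (stack name, secret names and IDs are made up for illustration).
def secretDefs = [db_password: [file: './db_password.txt'], tls_key: [external: true]]
def ids = ['mystack_db_password': 'constructed-id-1', 'tls_key': 'constructed-id-2']
def refs = buildSecretReferences('mystack',
        ['db_password', [source: 'tls_key', target: 'server.key', mode: 0400]], secretDefs, ids)
assert refs*.SecretName == ['mystack_db_password', 'tls_key']
assert refs[1].File == [Name: 'server.key', UID: '0', GID: '0', Mode: 0400]
```

The resulting list belongs under `TaskTemplate.ContainerSpec.Secrets` in the service spec, the field the issue reports as missing.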