Add support for secrets in ContainerSpec

shin- · shin- · commit 18e61e8b4526 · 2017-02-16T16:19:31.000-08:00
Signed-off-by: Joffrey F &lt;joffrey@docker.com&gt;
diff --git a/docker/models/services.py b/docker/models/services.py
@@ -109,6 +109,8 @@ def create(self, image, command=None, **kwargs):
                 the service to. Default: ``None``.
             resources (Resources): Resource limits and reservations.
             restart_policy (RestartPolicy): Restart policy for containers.
+            secrets (list of :py:class:`docker.types.SecretReference`): List
+                of secrets accessible to containers for this service.
             stop_grace_period (int): Amount of time to wait for
                 containers to terminate before forcefully killing them.
             update_config (UpdateConfig): Specification for the update strategy
@@ -179,6 +181,7 @@ def list(self, **kwargs):
     'labels',
     'mounts',
     'stop_grace_period',
+    'secrets',
 ]
 
 # kwargs to copy straight over to TaskTemplate
diff --git a/docker/types/__init__.py b/docker/types/__init__.py
@@ -4,6 +4,6 @@
 from .networks import EndpointConfig, IPAMConfig, IPAMPool, NetworkingConfig
 from .services import (
     ContainerSpec, DriverConfig, EndpointSpec, Mount, Resources, RestartPolicy,
-    ServiceMode, TaskTemplate, UpdateConfig
+    SecretReference, ServiceMode, TaskTemplate, UpdateConfig
 )
 from .swarm import SwarmSpec, SwarmExternalCA
diff --git a/docker/types/services.py b/docker/types/services.py
@@ -2,7 +2,7 @@
 
 from .. import errors
 from ..constants import IS_WINDOWS_PLATFORM
-from ..utils import format_environment, split_command
+from ..utils import check_resource, format_environment, split_command
 
 
 class TaskTemplate(dict):
@@ -79,9 +79,12 @@ class ContainerSpec(dict):
             :py:class:`~docker.types.Mount` class for details.
         stop_grace_period (int): Amount of time to wait for the container to
             terminate before forcefully killing it.
+        secrets (list of py:class:`SecretReference`): List of secrets to be
+            made available inside the containers.
     """
     def __init__(self, image, command=None, args=None, env=None, workdir=None,
-                 user=None, labels=None, mounts=None, stop_grace_period=None):
+                 user=None, labels=None, mounts=None, stop_grace_period=None,
+                 secrets=None):
         self['Image'] = image
 
         if isinstance(command, six.string_types):
@@ -109,6 +112,11 @@ def __init__(self, image, command=None, args=None, env=None, workdir=None,
         if stop_grace_period is not None:
             self['StopGracePeriod'] = stop_grace_period
 
+        if secrets is not None:
+            if not isinstance(secrets, list):
+                raise TypeError('secrets must be a list')
+            self['Secrets'] = secrets
+
 
 class Mount(dict):
     """
@@ -410,3 +418,31 @@ def replicas(self):
         if self.mode != 'replicated':
             return None
         return self['replicated'].get('Replicas')
+
+
+class SecretReference(dict):
+    """
+        Secret reference to be used as part of a :py:class:`ContainerSpec`.
+        Describes how a secret is made accessible inside the service's
+        containers.
+
+        Args:
+            secret_id (string): Secret's ID
+            secret_name (string): Secret's name as defined at its creation.
+            filename (string): Name of the file containing the secret. Defaults
+                to the secret's name if not specified.
+            uid (string): UID of the secret file's owner. Default: 0
+            gid (string): GID of the secret file's group. Default: 0
+            mode (int): File access mode inside the container. Default: 0o444
+    """
+    @check_resource
+    def __init__(self, secret_id, secret_name, filename=None, uid=None,
+                 gid=None, mode=0o444):
+        self['SecretName'] = secret_name
+        self['SecretID'] = secret_id
+        self['File'] = {
+            'Name': filename or secret_name,
+            'UID': uid or '0',
+            'GID': gid or '0',
+            'Mode': mode
+        }
diff --git a/docker/utils/decorators.py b/docker/utils/decorators.py
@@ -16,7 +16,7 @@ def wrapped(self, resource_id=None, *args, **kwargs):
             resource_id = resource_id.get('Id', resource_id.get('ID'))
         if not resource_id:
             raise errors.NullResource(
-                'image or container param is undefined'
+                'Resource ID was not provided'
             )
         return f(self, resource_id, *args, **kwargs)
     return wrapped

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@`
`4`	`4`	`from .networks import EndpointConfig, IPAMConfig, IPAMPool, NetworkingConfig`
`5`	`5`	`from .services import (`
`6`	`6`	`ContainerSpec, DriverConfig, EndpointSpec, Mount, Resources, RestartPolicy,`
`7`		`- ServiceMode, TaskTemplate, UpdateConfig`
	`7`	`+ SecretReference, ServiceMode, TaskTemplate, UpdateConfig`
`8`	`8`	`)`
`9`	`9`	`from .swarm import SwarmSpec, SwarmExternalCA`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ def wrapped(self, resource_id=None, args, *kwargs):`
`16`	`16`	`resource_id = resource_id.get('Id', resource_id.get('ID'))`
`17`	`17`	`if not resource_id:`
`18`	`18`	`raise errors.NullResource(`
`19`		`- 'image or container param is undefined'`
	`19`	`+ 'Resource ID was not provided'`
`20`	`20`	`)`
`21`	`21`	`return f(self, resource_id, args, *kwargs)`
`22`	`22`	`return wrapped`