Merge pull request docker#10084 from ndeloof/secret_uid

apply uid/gid when creating secret from environment

Author: glours

pkg/compose/secrets.go

@@ -21,6 +21,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"strconv"
 	"time"
 
 	"github.com/compose-spec/compose-go/types"
@@ -69,11 +70,29 @@ func createTar(env string, config types.ServiceSecretConfig) (bytes.Buffer, erro
 		target = "/run/secrets/" + config.Target
 	}
 
+	var uid, gid int
+	if config.UID != "" {
+		v, err := strconv.Atoi(config.UID)
+		if err != nil {
+			return b, err
+		}
+		uid = v
+	}
+	if config.GID != "" {
+		v, err := strconv.Atoi(config.GID)
+		if err != nil {
+			return b, err
+		}
+		gid = v
+	}
+
 	header := &tar.Header{
 		Name:    target,
 		Size:    int64(len(value)),
 		Mode:    int64(mode),
 		ModTime: time.Now(),
+		Uid:     uid,
+		Gid:     gid,
 	}
 	err := tarWriter.WriteHeader(header)
 	if err != nil {

pkg/e2e/fixtures/env-secret/compose.yaml

@@ -2,10 +2,14 @@ services:
   foo:
     image: alpine
     secrets:
-      - bar
+      - source: secret
+        target: bar
+        uid: "1005"
+        gid: "1005"
+        mode: 0440
     command: cat /run/secrets/bar
 
 secrets:
-  bar:
+  secret:
     environment: SECRET
 

pkg/e2e/secrets_test.go

@@ -32,4 +32,11 @@ func TestSecretFromEnv(t *testing.T) {
 			})
 		res.Assert(t, icmd.Expected{Out: "BAR"})
 	})
+	t.Run("secret uid", func(t *testing.T) {
+		res := icmd.RunCmd(c.NewDockerComposeCmd(t, "-f", "./fixtures/env-secret/compose.yaml", "run", "foo", "ls", "-al", "/var/run/secrets/bar"),
+			func(cmd *icmd.Cmd) {
+				cmd.Env = append(cmd.Env, "SECRET=BAR")
+			})
+		res.Assert(t, icmd.Expected{Out: "-r--r-----    1 1005     1005"})
+	})
 }