Add support for secrets in ContainerSpec

Signed-off-by: Joffrey F <joffrey@docker.com>

Add support for secrets in ContainerSpec
Signed-off-by: Joffrey F <joffrey@docker.com>
d1038c42 · Joffrey F · 52bae3ca · d1038c42 · d1038c42 · d1038c42
Kaydet (Commit) d1038c42 authored Şub 10, 2017 tarafından Joffrey F
Showing with 43 additions and 4 deletions

services.py docker/models/services.py +3 -0

__init__.py docker/types/__init__.py +1 -1

services.py docker/types/services.py +38 -2

decorators.py docker/utils/decorators.py +1 -1

No files found.
--- a/docker/models/services.py
+++ b/docker/models/services.py
@@ -109,6 +109,8 @@ class ServiceCollection(Collection):
                the service to. Default: ``None``.
            resources (Resources): Resource limits and reservations.
            restart_policy (RestartPolicy): Restart policy for containers.
+            secrets (list of :py:class:`docker.types.SecretReference`): List
+                of secrets accessible to containers for this service.
            stop_grace_period (int): Amount of time to wait for
                containers to terminate before forcefully killing them.
            update_config (UpdateConfig): Specification for the update strategy
@@ -179,6 +181,7 @@ CONTAINER_SPEC_KWARGS = [
    'labels',
    'mounts',
    'stop_grace_period',
+    'secrets',
 ]

 # kwargs to copy straight over to TaskTemplate

--- a/docker/types/__init__.py
+++ b/docker/types/__init__.py
@@ -4,6 +4,6 @@ from .healthcheck import Healthcheck
 from .networks import EndpointConfig, IPAMConfig, IPAMPool, NetworkingConfig
 from .services import (
    ContainerSpec, DriverConfig, EndpointSpec, Mount, Resources, RestartPolicy,
-    ServiceMode, TaskTemplate, UpdateConfig
+    SecretReference, ServiceMode, TaskTemplate, UpdateConfig
 )
 from .swarm import SwarmSpec, SwarmExternalCA
--- a/docker/types/services.py
+++ b/docker/types/services.py
@@ -2,7 +2,7 @@ import six

 from .. import errors
 from ..constants import IS_WINDOWS_PLATFORM
-from ..utils import format_environment, split_command
+from ..utils import check_resource, format_environment, split_command


 class TaskTemplate(dict):
@@ -79,9 +79,12 @@ class ContainerSpec(dict):
            :py:class:`~docker.types.Mount` class for details.
        stop_grace_period (int): Amount of time to wait for the container to
            terminate before forcefully killing it.
+        secrets (list of py:class:`SecretReference`): List of secrets to be
+            made available inside the containers.
    """
    def __init__(self, image, command=None, args=None, env=None, workdir=None,
-                 user=None, labels=None, mounts=None, stop_grace_period=None):
+                 user=None, labels=None, mounts=None, stop_grace_period=None,
+                 secrets=None):
        self['Image'] = image

        if isinstance(command, six.string_types):
@@ -109,6 +112,11 @@ class ContainerSpec(dict):
        if stop_grace_period is not None:
            self['StopGracePeriod'] = stop_grace_period

+        if secrets is not None:
+            if not isinstance(secrets, list):
+                raise TypeError('secrets must be a list')
+            self['Secrets'] = secrets
+

 class Mount(dict):
    """
@@ -410,3 +418,31 @@ class ServiceMode(dict):
        if self.mode != 'replicated':
            return None
        return self['replicated'].get('Replicas')
+
+
+class SecretReference(dict):
+    """
+        Secret reference to be used as part of a :py:class:`ContainerSpec`.
+        Describes how a secret is made accessible inside the service's
+        containers.
+
+        Args:
+            secret_id (string): Secret's ID
+            secret_name (string): Secret's name as defined at its creation.
+            filename (string): Name of the file containing the secret. Defaults
+                to the secret's name if not specified.
+            uid (string): UID of the secret file's owner. Default: 0
+            gid (string): GID of the secret file's group. Default: 0
+            mode (int): File access mode inside the container. Default: 0o444
+    """
+    @check_resource
+    def __init__(self, secret_id, secret_name, filename=None, uid=None,
+                 gid=None, mode=0o444):
+        self['SecretName'] = secret_name
+        self['SecretID'] = secret_id
+        self['File'] = {
+            'Name': filename or secret_name,
+            'UID': uid or '0',
+            'GID': gid or '0',
+            'Mode': mode
+        }
--- a/docker/utils/decorators.py
+++ b/docker/utils/decorators.py
@@ -16,7 +16,7 @@ def check_resource(f):
            resource_id = resource_id.get('Id', resource_id.get('ID'))
        if not resource_id:
            raise errors.NullResource(
-                'image or container param is undefined'
+                'Resource ID was not provided'
            )
        return f(self, resource_id, *args, **kwargs)
    return wrapped