From a1b2f462168b0d4d41b99fc89fd7818ced231267 Mon Sep 17 00:00:00 2001
From: Sune Keller
Date: Tue, 4 Sep 2018 15:10:13 +0200
Subject: [PATCH] Add additional info for secret drivers

This provides more context for the secret driver when it is requested the value for the secret. It is useful both for audit purposes, e.g. an external system logging which task requested what secret, as well as in a scenario where the plugin would return a different value (or error) based on e.g. labels on the secret.

Signed-off-by: Sune Keller
---
 manager/drivers/secrets.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/manager/drivers/secrets.go b/manager/drivers/secrets.go
index a9bdaa46a6..fbe29674d3 100644
--- a/manager/drivers/secrets.go
+++ b/manager/drivers/secrets.go
@@ -5,6 +5,7 @@ import (
 "github.com/docker/docker/pkg/plugingetter"
 "github.com/docker/swarmkit/api"
+ "github.com/docker/swarmkit/api/naming"
 )
 const (
@@ -40,8 +41,14 @@ func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, bool,
 var secretResp SecretsProviderResponse
 secretReq := &SecretsProviderRequest{
 SecretName: spec.Annotations.Name,
+ SecretLabels: spec.Annotations.Labels,
+ ServiceID: task.ServiceID,
 ServiceName: task.ServiceAnnotations.Name,
 ServiceLabels: task.ServiceAnnotations.Labels,
+ TaskID: task.ID,
+ TaskName: naming.Task(task),
+ TaskImage: task.Spec.GetContainer().Image,
+ NodeID: task.NodeID,
 }
 container := task.Spec.GetContainer()
 if container != nil {
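Review bot: `TaskImage: task.Spec.GetContainer().Image` dereferences the container spec unconditionally, while the line right after the literal, `if container != nil {`, shows this function already expects GetContainer() to return nil for tasks without a container runtime; for such a task the new line would panic in the manager before the plugin is ever called. Look the container up once before building the request, fill TaskImage only when it is present, and let the existing nil-guarded block reuse that variable (the current `container :=` below the literal must then go, or it becomes a redeclaration in the same scope). Get's body starts before this hunk and continues after it, so the guarded block that consumes `container` is outside the shown lines.
```go
	container := task.Spec.GetContainer()
	var image string
	if container != nil { // non-container tasks carry no image; never dereference a nil spec
		image = container.Image
	}
	secretReq := &SecretsProviderRequest{
		// … unchanged: SecretName, SecretLabels, ServiceID, ServiceName, ServiceLabels, TaskID, TaskName, NodeID …
		TaskImage: image,
	}
	// … unchanged: existing `if container != nil {` block, now using the hoisted container …
```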
@@ -82,9 +89,15 @@ func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, bool,
 // SecretsProviderRequest is the secrets provider request.
 type SecretsProviderRequest struct {
 SecretName string `json:",omitempty"` // SecretName is the name of the secret to request from the plugin
+ SecretLabels map[string]string `json:",omitempty"` // SecretLabels capture environment names and other metadata pertaining to the secret
 ServiceHostname string `json:",omitempty"` // ServiceHostname is the hostname of the service, can be used for x509 certificate
+ ServiceID string `json:",omitempty"` // ServiceID is the name of the service that requested the secret
 ServiceName string `json:",omitempty"` // ServiceName is the name of the service that requested the secret
- ServiceLabels map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata
+ ServiceLabels map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata pertaining to the service
+ TaskID string `json:",omitempty"` // TaskID is the ID of the task that the secret is assigned to
+ TaskName string `json:",omitempty"` // TaskName is the name of the task that the secret is assigned to
+ TaskImage string `json:",omitempty"` // TaskName is the image of the task that the secret is assigned to
+ NodeID string `json:",omitempty"` // NodeID is the ID of the node that the task will be executed on
 ServiceEndpointSpec *EndpointSpec `json:",omitempty"` // ServiceEndpointSpec holds the specification for endpoints
 }
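Review bot: Two of the new field comments are copy-paste errors in what is effectively the JSON contract handed to third-party secret plugins: `ServiceID` is described as "the name of the service" and `TaskImage` as "TaskName is the image". Plugin authors who key access decisions on these fields will read the comments as the spec, so they should say `// ServiceID is the ID of the service that requested the secret` and `// TaskImage is the image of the task that the secret is assigned to`. Since the commit motivates SecretLabels as a policy input for the plugin, it would also help to state in that comment that the labels come from the stored secret spec's annotations, which is what the Get() hunk populates them from.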