Add additional info for secret drivers

This provides more context for the secret driver when it is requested the value for the secret. It is useful both for audit purposes, e.g. an external system logging which task requested what secret, as well as in a scenario where the plugin would return a different value (or error) based on e.g. labels on the secret. Signed-off-by: Sune Keller <absukl@almbrand.dk>
moby · Sep 13, 2018 · d80c1c1 · d80c1c1
1 parent a5a4101
commit d80c1c1
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/manager/drivers/secrets.go b/manager/drivers/secrets.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/naming"
 )
 
 const (
@@ -37,8 +38,14 @@ func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, error)
 	var secretResp SecretsProviderResponse
 	secretReq := &SecretsProviderRequest{
 		SecretName:    spec.Annotations.Name,
+		SecretLabels:  spec.Annotations.Labels,
 		ServiceName:   task.ServiceAnnotations.Name,
+		ServiceID:     task.ServiceID,
 		ServiceLabels: task.ServiceAnnotations.Labels,
+		TaskID:        task.ID,
+		TaskName:      naming.Task(task),
+		TaskImage:     task.Spec.GetContainer().Image,
+		NodeID:        task.NodeID,
 	}
 	container := task.Spec.GetContainer()
 	if container != nil {
@@ -79,9 +86,15 @@ func (d *SecretDriver) Get(spec *api.SecretSpec, task *api.Task) ([]byte, error)
 // SecretsProviderRequest is the secrets provider request.
 type SecretsProviderRequest struct {
 	SecretName          string            `json:",omitempty"` // SecretName is the name of the secret to request from the plugin
+	SecretLabels        map[string]string `json:",omitempty"` // SecretLabels capture environment names and other metadata pertaining to the secret
 	ServiceHostname     string            `json:",omitempty"` // ServiceHostname is the hostname of the service, can be used for x509 certificate
 	ServiceName         string            `json:",omitempty"` // ServiceName is the name of the service that requested the secret
-	ServiceLabels       map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata
+	ServiceID           string            `json:",omitempty"` // ServiceID is the name of the service that requested the secret
+	ServiceLabels       map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata pertaining to the service
+	TaskID              string            `json:",omitempty"` // TaskID is the ID of the task that the secret is assigned to
+	TaskName            string            `json:",omitempty"` // TaskName is the name of the task that the secret is assigned to
+	TaskImage           string            `json:",omitempty"` // TaskName is the image of the task that the secret is assigned to
+	NodeID              string            `json:",omitempty"` // NodeID is the ID of the node that the task will be executed on
 	ServiceEndpointSpec *EndpointSpec     `json:",omitempty"` // ServiceEndpointSpec holds the specification for endpoints
 }