Adding secrets details

Signed-off-by: Guillaume Tardif <guillaume.tardif@docker.com>
2020-10-07 15:50:04 +02:00 · 2020-10-07 15:50:04 +02:00 · 808715d740
parent c3983eea78
commit 808715d740
1 changed files with 29 additions and 2 deletions
--- a/docs/aci-compose-features.md
+++ b/docs/aci-compose-features.md
@ -2,7 +2,7 @@

 This document outlines the conversion of an application defined in a Compose file to ACI objects.
 At a high-level, each Compose deployment is mapped to a single ACI container group. 
-Each service is mapped to a container in the container group. The Docker ACI integration provides does not allow scaling of services.
+Each service is mapped to a container in the container group. The Docker ACI integration does not allow scaling of services.

 ## Compose fields mapping

@ -58,7 +58,7 @@ __Legend:__
 | service.networks               | x |  Communication between services is implemented by defining mapping for each service in the shared `/etc/hosts` file of the container group. Each service can resolve names for other services and the resulting network calls will be redirected to `localhost`.
 | service.pid                    | x |  
 | service.ports                  | ✓ |  Only symetrical por mapping is supported in ACI. See #exposing-ports.
-| service.secrets                | ✓ |  
+| service.secrets                | ✓ |  See #secrets.
 | service.security_opt           | x |  
 | service.stop_grace_period      | x |  
 | service.stop_signal            | x |  
@ -118,6 +118,33 @@ A Compose file can define several volumes, with different Azure file shares or s

 Credentials for storage accounts will be automatically fetched at deployment time using the Azure login to retrieve the storage account key for each storage account used. 

+## Secrets
+
+Secrets can be defined in compose files, and will need secret files available at deploy time next to the compose file. 
+The content of the secret file will be made available inside selected containers, under `/run/secrets/<SECRET_NAME>/<SECRET_NAME>
+External secrets are not supported with the ACI integration.
+Due to ACI secret volume mounting, each secret file is mounted in its own folder named after the secret.
+
+```yaml
+services:
+    nginx:
+        image: nginx
+        secrets:
+          - mysecret1
+    db:
+        image: mysql
+        secrets:
+          - mysecret2
+          
+secrets:
+  mysecret1:
+    file: ./my_secret1.txt
+  mysecret2:
+    file: ./my_secret2.txt
+```
+
+The nginx container will have secret1 mounted as `/run/secrets/mysecret1/mysecret1`, the db container will have secret2 mounted as `/run/secrets/mysecret1/mysecret2`
+
 ## Container Resources

 CPU and memory reservations and limits can be set in compose.