From ebeef45e85b9ab444e4f4199d21c0c926be59fcd Mon Sep 17 00:00:00 2001
From: aiordache <anca.iordache@docker.com>
Date: Thu, 7 Jan 2021 14:59:15 +0100
Subject: [PATCH 1/2] Implement secrets via bind-mounts for local compose

Signed-off-by: aiordache <anca.iordache@docker.com>
---
 local/compose/create.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/local/compose/create.go b/local/compose/create.go
index 8855b2efc..1dd717c19 100644
--- a/local/compose/create.go
+++ b/local/compose/create.go
@@ -296,6 +296,31 @@ func buildContainerMountOptions(p types.Project, s types.ServiceConfig, inherit
 		}
 		mounts = append(mounts, mount)
 	}
+
+	secretsDir := "/run/secrets"
+	for _, secret := range s.Secrets {
+		target := secret.Target
+		if secret.Target == "" {
+			target = filepath.Join(secretsDir, secret.Source)
+		} else if !filepath.IsAbs(secret.Target) {
+			target = filepath.Join(secretsDir, secret.Target)
+		}
+
+		definedSecret := p.Secrets[secret.Source]
+		if definedSecret.External.External {
+			return nil, fmt.Errorf("unsupported external secret %s", definedSecret.Name)
+		}
+		mount, err := buildMount(p, types.ServiceVolumeConfig{
+			Type:   types.VolumeTypeBind,
+			Source: definedSecret.File,
+			Target: target,
+		})
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, mount)
+	}
+
 	return mounts, nil
 }
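Review bot: The bind mount built for each secret in the added loop leaves `ReadOnly` unset, so the container gets a writable bind to the host-side secret file and can modify it; adding `ReadOnly: true,` to the `types.ServiceVolumeConfig` literal would close that. The lookup `definedSecret := p.Secrets[secret.Source]` also ignores the map's `ok` result, so a service referencing a secret the project does not define would reach `buildMount` with an empty `Source` unless validation elsewhere rejects it first; `definedSecret, ok := p.Secrets[secret.Source]` with an error return on `!ok` makes that explicit. The `UID`, `GID` and `Mode` fields of the service secret reference are not applied here, which is worth a comment or a warning so users do not assume restrictive file permissions are in effect. buildContainerMountOptions begins above this hunk.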
 

From 30d6e1b9e21410067f58d3752c731ccda2dd309e Mon Sep 17 00:00:00 2001
From: aiordache <anca.iordache@docker.com>
Date: Fri, 8 Jan 2021 16:11:37 +0100
Subject: [PATCH 2/2] override inherited secret mounts

Signed-off-by: aiordache <anca.iordache@docker.com>
---
 local/compose/create.go | 10 ++++++++++
 local/compose/util.go   |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/local/compose/create.go b/local/compose/create.go
index 1dd717c19..62f834cd4 100644
--- a/local/compose/create.go
+++ b/local/compose/create.go
@@ -310,6 +310,16 @@ func buildContainerMountOptions(p types.Project, s types.ServiceConfig, inherit
 		if definedSecret.External.External {
 			return nil, fmt.Errorf("unsupported external secret %s", definedSecret.Name)
 		}
+
+		if contains(inherited, target) {
+			// remove inherited mount
+			pos := indexOf(inherited, target)
+			if pos >= 0 {
+				mounts = append(mounts[:pos], mounts[pos+1])
+				inherited = append(inherited[:pos], inherited[pos+1])
+			}
+		}
+
 		mount, err := buildMount(p, types.ServiceVolumeConfig{
 			Type:   types.VolumeTypeBind,
 			Source: definedSecret.File,
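Review bot: The two `append` calls in the added removal block pass a single element, `mounts[pos+1]`, instead of the tail slice, so every entry after `pos+1` is dropped and the index is out of range (a runtime panic) when the match is the last element. They should read `mounts = append(mounts[:pos], mounts[pos+1:]...)` and `inherited = append(inherited[:pos], inherited[pos+1:]...)`. `pos` is an index into `inherited` but is also applied to `mounts`, which is only correct if the two slices have the same order and length; the hunk does not show that, so it should be confirmed or the mount located by its own target. The `contains` guard is redundant with the `pos >= 0` check, and the enclosing loop and function start and end outside this hunk.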
diff --git a/local/compose/util.go b/local/compose/util.go
index dd9cbbcfe..b0af71cac 100644
--- a/local/compose/util.go
+++ b/local/compose/util.go
@@ -38,3 +38,12 @@ func contains(slice []string, item string) bool {
 	}
 	return false
 }
+
+func indexOf(slice []string, item string) int {
+	for i, v := range slice {
+		if v == item {
+			return i
+		}
+	}
+	return -1
+}