Implement secrets via bind-mounts for local compose

Signed-off-by: aiordache <anca.iordache@docker.com>
2021-01-07 14:59:15 +01:00 · 2021-01-07 14:59:15 +01:00 · ebeef45e85
parent c6cdfec530
commit ebeef45e85
1 changed files with 25 additions and 0 deletions
--- a/local/compose/create.go
+++ b/local/compose/create.go
@ -296,6 +296,31 @@ func buildContainerMountOptions(p types.Project, s types.ServiceConfig, inherit
 		}
 		mounts = append(mounts, mount)
 	}
+
+	secretsDir := "/run/secrets"
+	for _, secret := range s.Secrets {
+		target := secret.Target
+		if secret.Target == "" {
+			target = filepath.Join(secretsDir, secret.Source)
+		} else if !filepath.IsAbs(secret.Target) {
+			target = filepath.Join(secretsDir, secret.Target)
+		}
+
+		definedSecret := p.Secrets[secret.Source]
+		if definedSecret.External.External {
+			return nil, fmt.Errorf("unsupported external secret %s", definedSecret.Name)
+		}
+		mount, err := buildMount(p, types.ServiceVolumeConfig{
+			Type:   types.VolumeTypeBind,
+			Source: definedSecret.File,
+			Target: target,
+		})
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, mount)
+	}
+
 	return mounts, nil
 }