author | Drew Erny <drew.erny@docker.com> | 2018-11-27 15:57:20 -0600 |
---|---|---|
committer | Drew Erny <drew.erny@docker.com> | 2019-02-04 14:52:01 -0600 |
commit | 04995fa7c71216969e17670cc3fb938de137af35 (patch) | |
tree | 42f5576adae6495126bdc04160833b80eca1e378 | |
parent | e7a9a7cdbc8fc87cb2bf07b770bd8bfe52ab0959 (diff) | |
download | docker-04995fa7c71216969e17670cc3fb938de137af35.tar.gz |
Add CredentialSpec from configs support
Signed-off-by: Drew Erny <drew.erny@docker.com>
-rw-r--r-- | daemon/cluster/executor/container/container.go | 2 | ||||
-rw-r--r-- | daemon/oci_windows.go | 17 |
2 files changed, 19 insertions, 0 deletions
diff --git a/daemon/cluster/executor/container/container.go b/daemon/cluster/executor/container/container.go
index b26076bcd8..abbd6bfb11 100644
--- a/daemon/cluster/executor/container/container.go
+++ b/daemon/cluster/executor/container/container.go
@@ -651,6 +651,8 @@ func (c *containerConfig) applyPrivileges(hc *enginecontainer.HostConfig) {
 hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=file://"+credentials.GetFile())
 case *api.Privileges_CredentialSpec_Registry:
 hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=registry://"+credentials.GetRegistry())
+ case *api.Privileges_CredentialSpec_Config:
+ hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=config://"+credentials.GetConfig())
 }
 }
diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go
index da0c7667d4..11868ba3a0 100644
--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
@@ -288,6 +288,23 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
 if cs, err = readCredentialSpecRegistry(c.ID, csValue); err != nil {
 return err
 }
+ } else if match, csValue = getCredentialSpec("config://", splitsOpt[1]); match {
+ if csValue == "" {
+ return fmt.Errorf("no value supplied for config:// credential spec security option")
+ }
+
+ // if the container does not have a DependencyStore, then we
+ // return an error
+ if c.DependencyStore == nil {
+ return fmt.Errorf("cannot use config:// credential spec security option if not swarmkit managed")
+ }
+ csConfig, err := c.DependencyStore.Configs().Get(csValue)
+ if err != nil {
+ return fmt.Errorf("error getting value from config store: %v", err)
+ }
+ // stuff the resulting secret data into a string to use as the
+ // CredentialSpec
+ cs = string(csConfig.Spec.Data)
 } else {
 return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
 }
 |
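Review bot: The new `config://` case in applyPrivileges (daemon/cluster/executor/container/container.go) has no comment saying how its value is consumed. As the daemon/oci_windows.go hunk of this commit shows, the daemon looks it up with `c.DependencyStore.Configs().Get(csValue)` when it builds the Windows spec. I would add above the case `// config:// carries a swarm config reference; the daemon resolves it through the container's DependencyStore at spec creation`. An empty `credentials.GetConfig()` is forwarded as `credentialspec=config://` and rejected only on the node at container creation, so if nothing validates the service spec earlier (not visible here), a check at this point would surface the mistake sooner. applyPrivileges starts before the hunk.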
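Review bot: The fallback error at the end of the prefix chain in createSpecWindowsFields (daemon/oci_windows.go) still says the value "must be prefixed file:// or registry://", so a user who mistypes the new scheme is told it is not an option. It should read `return fmt.Errorf("invalid credential spec security option - value must be prefixed config://, file:// or registry:// followed by a value")`. The comment above the final assignment calls the payload "secret data" although it is read from `Configs()`; `// use the config payload as the CredentialSpec` avoids implying it is protected like a swarm secret. `csConfig, err := ...` also declares a new `err` inside the branch, shadowing the one the registry branch assigns with `=`; it is returned immediately so nothing is lost today, but it is easy to trip over later. The function starts and ends outside the hunk.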