1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Add CredentialSpec from configs support

Signed-off-by: Drew Erny <drew.erny@docker.com>
This commit is contained in:
Drew Erny 2018-11-27 15:57:20 -06:00
parent e7a9a7cdbc
commit 04995fa7c7
2 changed files with 19 additions and 0 deletions

View file

@ -651,6 +651,8 @@ func (c *containerConfig) applyPrivileges(hc *enginecontainer.HostConfig) {
hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=file://"+credentials.GetFile())
case *api.Privileges_CredentialSpec_Registry:
hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=registry://"+credentials.GetRegistry())
case *api.Privileges_CredentialSpec_Config:
hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=config://"+credentials.GetConfig())
}
}

View file

@ -288,6 +288,23 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
if cs, err = readCredentialSpecRegistry(c.ID, csValue); err != nil {
return err
}
} else if match, csValue = getCredentialSpec("config://", splitsOpt[1]); match {
if csValue == "" {
return fmt.Errorf("no value supplied for config:// credential spec security option")
}
// if the container does not have a DependencyStore, then we
// return an error
if c.DependencyStore == nil {
return fmt.Errorf("cannot use config:// credential spec security option if not swarmkit managed")
}
csConfig, err := c.DependencyStore.Configs().Get(csValue)
if err != nil {
return fmt.Errorf("error getting value from config store: %v", err)
}
// stuff the resulting secret data into a string to use as the
// CredentialSpec
cs = string(csConfig.Spec.Data)
} else {
return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
}