support labels for secrets upon creation; review updates

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

api/types/swarm/secret.go

@@ -26,5 +26,5 @@ type SecretReferenceFileTarget struct {
 type SecretReference struct {
 	SecretID   string
 	SecretName string
-	Target     SecretReferenceFileTarget
+	Target     *SecretReferenceFileTarget
 }

cli/command/secret/create.go

@@ -9,29 +9,37 @@ import (
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/cli/command"
+	"github.com/docker/docker/opts"
+	runconfigopts "github.com/docker/docker/runconfig/opts"
 	"github.com/spf13/cobra"
 )
 
 type createOptions struct {
-	name string
+	name   string
+	labels opts.ListOpts
 }
 
 func newSecretCreateCommand(dockerCli *command.DockerCli) *cobra.Command {
-	return &cobra.Command{
+	createOpts := createOptions{
+		labels: opts.NewListOpts(runconfigopts.ValidateEnv),
+	}
+
+	cmd := &cobra.Command{
 		Use:   "create [name]",
 		Short: "Create a secret using stdin as content",
-		Args:  cli.ExactArgs(1),
+		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts := createOptions{
+			createOpts.name = args[0]
-				name: args[0],
+			return runSecretCreate(dockerCli, createOpts)
-			}
-
-			return runSecretCreate(dockerCli, opts)
 		},
 	}
+	flags := cmd.Flags()
+	flags.VarP(&createOpts.labels, "label", "l", "Secret labels")
+
+	return cmd
 }
 
-func runSecretCreate(dockerCli *command.DockerCli, opts createOptions) error {
+func runSecretCreate(dockerCli *command.DockerCli, options createOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()
 
@@ -42,7 +50,8 @@ func runSecretCreate(dockerCli *command.DockerCli, opts createOptions) error {
 
 	spec := swarm.SecretSpec{
 		Annotations: swarm.Annotations{
-			Name: opts.name,
+			Name:   options.name,
+			Labels: runconfigopts.ConvertKVStringsToMap(options.labels.GetAll()),
 		},
 		Data: secretData,
 	}

cli/command/service/parse.go

@@ -19,7 +19,7 @@ func parseSecrets(client client.APIClient, requestedSecrets []*types.SecretReque
 	for _, secret := range requestedSecrets {
 		secretRef := &swarmtypes.SecretReference{
 			SecretName: secret.Source,
-			Target: swarmtypes.SecretReferenceFileTarget{
+			Target: &swarmtypes.SecretReferenceFileTarget{
 				Name: secret.Target,
 				UID:  secret.UID,
 				GID:  secret.GID,

daemon/cluster/convert/container.go

@@ -108,7 +108,7 @@ func secretReferencesFromGRPC(sr []*swarmapi.SecretReference) []*types.SecretRef
 		refs = append(refs, &types.SecretReference{
 			SecretID:   s.SecretID,
 			SecretName: s.SecretName,
-			Target: types.SecretReferenceFileTarget{
+			Target: &types.SecretReferenceFileTarget{
 				Name: target.Name,
 				UID:  target.UID,
 				GID:  target.GID,

daemon/container_operations_unix.go

@@ -172,13 +172,13 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 	}
 
 	for _, s := range c.Secrets {
+		targetPath := filepath.Clean(s.Target)
 		// ensure that the target is a filename only; no paths allowed
-		tDir, tPath := filepath.Split(s.Target)
+		if targetPath != filepath.Base(targetPath) {
-		if tDir != "" {
+			return fmt.Errorf("error creating secret: secret must not be a path")
-			return fmt.Errorf("error creating secret: secret must not have a path")
 		}
 
-		fPath := filepath.Join(localMountPath, tPath)
+		fPath := filepath.Join(localMountPath, targetPath)
 		if err := os.MkdirAll(filepath.Dir(fPath), 0700); err != nil {
 			return errors.Wrap(err, "error creating secret mount path")
 		}

docs/reference/commandline/secret_create.md

@@ -19,6 +19,9 @@ keywords: ["secret, create"]
 Usage:  docker secret create [NAME]
 
 Create a secret using stdin as content
+Options:
+      --help         Print usage
+  -l, --label list   Secret labels (default [])
 ```
 
 Creates a secret using standard input for the secret content. You must run this
@@ -29,14 +32,45 @@ command on a manager node.
 ### Create a secret
 
 ```bash
-$ cat ssh-dev | docker secret create ssh-dev
+$ cat secret.json | docker secret create secret.json
 mhv17xfe3gh6xc4rij5orpfds
 
 $ docker secret ls
-ID                          NAME                CREATED                                   UPDATED                                   SIZE
+ID                          NAME                    CREATED                                   UPDATED                                   SIZE
-mhv17xfe3gh6xc4rij5orpfds   ssh-dev             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679
+mhv17xfe3gh6xc4rij5orpfds   secret.json             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679
 ```
 
+### Create a secret with labels
+
+```bash
+$ cat secret.json | docker secret create secret.json --label env=dev --label rev=20161102
+jtn7g6aukl5ky7nr9gvwafoxh
+
+$ docker secret inspect secret.json
+[
+    {
+        "ID": "jtn7g6aukl5ky7nr9gvwafoxh",
+        "Version": {
+            "Index": 541
+        },
+        "CreatedAt": "2016-11-03T20:54:12.924766548Z",
+        "UpdatedAt": "2016-11-03T20:54:12.924766548Z",
+        "Spec": {
+            "Name": "secret.json",
+            "Labels": {
+                "env": "dev",
+                "rev": "20161102"
+            },
+            "Data": null
+        },
+        "Digest": "sha256:4212a44b14e94154359569333d3fc6a80f6b9959dfdaff26412f4b2796b1f387",
+        "SecretSize": 1679
+    }
+]
+
+```
+
+
 ## Related information
 
 * [secret inspect](secret_inspect.md)

docs/reference/commandline/secret_inspect.md

@@ -37,7 +37,7 @@ describes all the details of the format.
 
 ## Examples
 
-### Inspecting a secret  by name or ID
+### Inspecting a secret by name or ID
 
 You can inspect a secret, either by its *name*, or *ID*
 
@@ -45,12 +45,12 @@ For example, given the following secret:
 
 ```bash
 $ docker secret ls
-ID                          NAME                CREATED                                   UPDATED                                   SIZE
+ID                          NAME                    CREATED                                   UPDATED                                   SIZE
-mhv17xfe3gh6xc4rij5orpfds   ssh-dev             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679
+mhv17xfe3gh6xc4rij5orpfds   secret.json             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679
 ```
 
 ```bash
-$ docker secret inspect mhv17xfe3gh6xc4rij5orpfds
+$ docker secret inspect secret.json
 [
     {
         "ID": "mhv17xfe3gh6xc4rij5orpfds",
@@ -60,7 +60,7 @@ $ docker secret inspect mhv17xfe3gh6xc4rij5orpfds
         "CreatedAt": "2016-10-27T23:25:43.909181089Z",
         "UpdatedAt": "2016-10-27T23:25:43.909181089Z",
         "Spec": {
-            "Name": "ssh-dev",
+            "Name": "secret.json",
             "Data": null
         },
         "Digest": "sha256:8281c6d924520986e3c6af23ed8926710a611c90339db582c2a9ac480ba622b7",

docs/reference/commandline/secret_ls.md

@@ -33,8 +33,8 @@ On a manager node:
 
 ```bash
 $ docker secret ls
-ID                          NAME                CREATED                                   UPDATED                                   SIZE
+ID                          NAME                    CREATED                                   UPDATED                                   SIZE
-mhv17xfe3gh6xc4rij5orpfds   ssh-dev             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679
+mhv17xfe3gh6xc4rij5orpfds   secret.json             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679
 ```
 ## Related information
 

docs/reference/commandline/secret_rm.md

@@ -33,7 +33,7 @@ targeting a manager node.
 This example removes a secret:
 
 ```bash
-$ docker secret rm sapth4csdo5b6wz2p5uimh5xg
+$ docker secret rm secret.json
 sapth4csdo5b6wz2p5uimh5xg
 ```