From b3427e43edc56824f762e964c955b906fa363a3a Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 18 Jan 2017 13:06:36 -0500
Subject: [PATCH] Test and fix external secrets in stack deploy.
Signed-off-by: Daniel Nephin
---
 cli/compose/convert/service.go | 12 ++++++++--
 cli/compose/loader/loader.go | 3 +--
 integration-cli/docker_cli_stack_test.go | 24 ++++++++++++--------
 integration-cli/fixtures/deploy/secrets.yaml | 4 ++++
 4 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/cli/compose/convert/service.go b/cli/compose/convert/service.go
index 78ad308d38..573f7723fd 100644
--- a/cli/compose/convert/service.go
+++ b/cli/compose/convert/service.go
@@ -31,7 +31,7 @@ func Services(
 for _, service := range services {
- secrets, err := convertServiceSecrets(client, namespace, service.Secrets)
+ secrets, err := convertServiceSecrets(client, namespace, service.Secrets, config.Secrets)
 if err != nil {
 return nil, err
 }
@@ -181,6 +181,7 @@ func convertServiceSecrets(
 client client.SecretAPIClient,
 namespace Namespace,
 secrets []composetypes.ServiceSecretConfig,
+ secretSpecs map[string]composetypes.SecretConfig,
 ) ([]*swarm.SecretReference, error) {
 opts := []*types.SecretRequestOption{}
 for _, secret := range secrets {
@@ -188,8 +189,15 @@ func convertServiceSecrets(
 if target == "" {
 target = secret.Source
 }
+
+ source := namespace.Scope(secret.Source)
+ secretSpec := secretSpecs[secret.Source]
+ if secretSpec.External.External {
+ source = secretSpec.External.Name
+ }
+
 opts = append(opts, &types.SecretRequestOption{
- Source: namespace.Scope(secret.Source),
+ Source: source,
 Target: target,
 UID: secret.UID,
 GID: secret.GID,
diff --git a/cli/compose/loader/loader.go b/cli/compose/loader/loader.go
index a43347f475..39f69a03ff 100644
--- a/cli/compose/loader/loader.go
+++ b/cli/compose/loader/loader.go
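Review bot: The lookup `secretSpec := secretSpecs[secret.Source]` in the `@@ -188` hunk ignores whether the key exists, so a service that names a secret absent from the top-level `secrets` map gets a zero-value spec and silently falls through to the namespaced name. Using the two-value form, `secretSpec, exists := secretSpecs[secret.Source]`, and returning an error that names the secret when `!exists` would report the misconfiguration before any request option is built, assuming the loader does not already reject it. The external branch also deserves a comment such as `// External secrets are referenced by their own name and are not scoped to the stack namespace.`, and `secretSpec.External.Name` is used without an empty check here; whether the loader defaults it is not visible in this diff. The loop body continues outside the hunk.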
@@ -422,8 +422,7 @@ func loadVolumes(source types.Dict) (map[string]types.VolumeConfig, error) {
 // TODO: remove duplicate with networks/volumes
 func loadSecrets(source types.Dict, workingDir string) (map[string]types.SecretConfig, error) {
 secrets := make(map[string]types.SecretConfig)
- err := transform(source, &secrets)
- if err != nil {
+ if err := transform(source, &secrets); err != nil {
 return secrets, err
 }
 for name, secret := range secrets {
diff --git a/integration-cli/docker_cli_stack_test.go b/integration-cli/docker_cli_stack_test.go
index 03e1e5f08c..af43836831 100644
--- a/integration-cli/docker_cli_stack_test.go
+++ b/integration-cli/docker_cli_stack_test.go
@@ -53,13 +53,13 @@ func (s *DockerSwarmSuite) TestStackDeployComposeFile(c *check.C) {
 out, err := d.Cmd(stackArgs...)
 c.Assert(err, checker.IsNil, check.Commentf(out))
- out, err = d.Cmd([]string{"stack", "ls"}...)
+ out, err = d.Cmd("stack", "ls")
 c.Assert(err, checker.IsNil)
 c.Assert(out, check.Equals, "NAME SERVICES\n"+"testdeploy 2\n")
- out, err = d.Cmd([]string{"stack", "rm", testStackName}...)
+ out, err = d.Cmd("stack", "rm", testStackName)
 c.Assert(err, checker.IsNil)
- out, err = d.Cmd([]string{"stack", "ls"}...)
+ out, err = d.Cmd("stack", "ls")
 c.Assert(err, checker.IsNil)
 c.Assert(out, check.Equals, "NAME SERVICES\n")
 }
@@ -67,13 +67,16 @@ func (s *DockerSwarmSuite) TestStackDeployComposeFile(c *check.C) {
 func (s *DockerSwarmSuite) TestStackDeployWithSecretsTwice(c *check.C) {
 d := s.AddDaemon(c, true, true)
+ out, err := d.Cmd("secret", "create", "outside", "fixtures/secrets/default")
+ c.Assert(err, checker.IsNil, check.Commentf(out))
+
 testStackName := "testdeploy"
 stackArgs := []string{
 "stack", "deploy", "--compose-file", "fixtures/deploy/secrets.yaml", testStackName,
 }
- out, err := d.Cmd(stackArgs...)
+ out, err = d.Cmd(stackArgs...)
 c.Assert(err, checker.IsNil, check.Commentf(out))
 out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", "testdeploy_web")
@@ -81,14 +84,15 @@ func (s *DockerSwarmSuite) TestStackDeployWithSecretsTwice(c *check.C) {
 var refs []swarm.SecretReference
 c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
- c.Assert(refs, checker.HasLen, 2)
+ c.Assert(refs, checker.HasLen, 3)
 sort.Sort(sortSecrets(refs))
- c.Assert(refs[0].SecretName, checker.Equals, "testdeploy_special")
- c.Assert(refs[0].File.Name, checker.Equals, "special")
- c.Assert(refs[1].SecretName, checker.Equals, "testdeploy_super")
- c.Assert(refs[1].File.Name, checker.Equals, "foo.txt")
- c.Assert(refs[1].File.Mode, checker.Equals, os.FileMode(0400))
+ c.Assert(refs[0].SecretName, checker.Equals, "outside")
+ c.Assert(refs[1].SecretName, checker.Equals, "testdeploy_special")
+ c.Assert(refs[1].File.Name, checker.Equals, "special")
+ c.Assert(refs[2].SecretName, checker.Equals, "testdeploy_super")
+ c.Assert(refs[2].File.Name, checker.Equals, "foo.txt")
+ c.Assert(refs[2].File.Mode, checker.Equals, os.FileMode(0400))
 // Deploy again to ensure there are no errors when secret hasn't changed
 out, err = d.Cmd(stackArgs...)
diff --git a/integration-cli/fixtures/deploy/secrets.yaml b/integration-cli/fixtures/deploy/secrets.yaml
index 965260f8cd..6ac92cddee 100644
--- a/integration-cli/fixtures/deploy/secrets.yaml
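Review bot: The new assertions in the `@@ -81` hunk check only `refs[0].SecretName` for the external secret, so nothing verifies that the reference is exposed to the container under the compose key rather than the swarm-wide name. Adding `c.Assert(refs[0].File.Name, checker.Equals, "star")` would pin the target that convertServiceSecrets derives from `secret.Source` when no target is given. The shifted indices also depend on the ordering implemented by `sortSecrets`, which is not visible here, so the expected positions should be confirmed against it. The test function continues outside the hunk, so whether the `outside` secret is checked to still exist after the stack is removed cannot be seen from this diff.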
+++ b/integration-cli/fixtures/deploy/secrets.yaml
@@ -9,8 +9,12 @@ services:
 - source: super
 target: foo.txt
 mode: 0400
+ - star
 secrets:
 special:
 file: fixtures/secrets/default
 super:
 file: fixtures/secrets/default
+ star:
+ external:
+ name: outside