docker-flow / docker-flow-proxy

Docker Flow Proxy
https://docker-flow.github.io/docker-flow-proxy/
MIT License

Docker stack prefix for credentials secret #71

Closed simon-jouet closed 5 years ago

simon-jouet commented 5 years ago

Hi,

First of all, thanks for dfp. It's very nice and the documentation is well done, so it's actually very usable :)

I've been setting things up in a dev environment using a couple of VMs and so far it's looking great. However, I just ran into an issue and I'm wondering if I'm missing something or if it's a limitation.

So I've set up a stack deployment of the proxy + swarm listener as shown in the documentation and that's working perfectly fine.

Now I'm trying to set up a service with credentials, but I'm running into issues with docker stack prefixing the secrets with the stack's name while dfp expects dfp_users_<secret_name>.

So as a reference I'm setting up a basic docker registry with authentication like this:

```yaml
version: '3.7'

services:
  registry:
    image: registry:2
    networks:
      - proxy
    volumes:
      - type: volume
        source: registrydata
        target: /var/lib/registry
        volume:
          nocopy: true
    deploy:
      placement:
        constraints: [node.labels.registry == true]
      labels:
        - com.df.notify=true
        - com.df.serviceDomain=mydomain
        - com.df.port=5000
        - com.df.usersPassEncrypted=true
        - com.df.usersSecret=credentials

volumes:
  registrydata:

secrets:
  dfp_users_credentials:
    file: ./credentials.txt

networks:
  proxy:
    external: true
```

This spawns everything as it should, but the secret created is registry_dfp_users_credentials:

```
$ docker secret ls
ID                          NAME                             DRIVER              CREATED             UPDATED
kmqx8y2cd8r9xsq1vo71tf16i   registry_dfp_users_credentials                       17 seconds ago      17 seconds ago
```

As a workaround, I could always make the secret external and simply define it manually, but I was wondering if there was a better way of doing it.

Thanks

thomasjpfan commented 5 years ago

When you create any service, you can change the name/target of the secret:

```yaml
version: "3.7"
services:
  myservice:
    ...
    secrets:
      - source: registry_dfp_users_credentials
        target: dfp_users_credentials
secrets:
  registry_dfp_users_credentials:
    external: true
```

simon-jouet commented 5 years ago

Thanks @thomasjpfan, I had actually also misunderstood something else. All good now :+1: I'm closing to keep the issues clean.
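
A small model of the naming rules discussed in this thread, added here as an example and not code from the thread or from Docker Flow Proxy: `docker stack deploy` prefixes the secrets it creates with the stack name, while the file name inside the container comes from `target` (or, without one, from the compose key). It goes slightly beyond the thread by also handling the top-level `name:` key of compose file format 3.5+. Assumptions: the proxy runs as a service in a stack, both named `proxy` (hypothetical), and reads the secret from Docker's default `/run/secrets` directory.

```python
# Added example (not from the thread): models how `docker stack deploy` names
# secrets, to check whether a service gets the file DFP looks for.
SECRETS_DIR = "/run/secrets"  # Docker's default secret mount point (Linux)


def swarm_secret_name(stack, key, spec):
    """Name of the swarm secret object, as `docker secret ls` shows it."""
    if spec.get("external"):
        return spec.get("name", key)  # pre-existing secret: never prefixed
    return spec.get("name") or f"{stack}_{key}"  # created by the stack


def mounted_secrets(stack, compose, service):
    """Map each file mounted in `service` to the swarm secret behind it."""
    mounts = {}
    for ref in compose["services"][service].get("secrets", []):
        if isinstance(ref, str):  # short syntax: file is named after the key
            ref = {"source": ref}
        source = ref["source"]
        name = swarm_secret_name(stack, source, compose["secrets"][source])
        mounts[f"{SECRETS_DIR}/{ref.get('target', source)}"] = name
    return mounts


def dfp_finds_users_secret(stack, compose, service, users_secret):
    """True if `service` holds the file for com.df.usersSecret=<users_secret>."""
    wanted = f"{SECRETS_DIR}/dfp_users_{users_secret}"
    return wanted in mounted_secrets(stack, compose, service)


# Constructed inputs. "proxy" (stack and service name) is hypothetical.
EXTERNAL = {"registry_dfp_users_credentials": {"external": True}}
UNRENAMED = {  # secret attached under its prefixed name
    "services": {"proxy": {"secrets": ["registry_dfp_users_credentials"]}},
    "secrets": EXTERNAL,
}
RENAMED = {  # source/target form from the reply above
    "services": {"proxy": {"secrets": [{
        "source": "registry_dfp_users_credentials",
        "target": "dfp_users_credentials"}]}},
    "secrets": EXTERNAL,
}

if __name__ == "__main__":
    for label, compose in (("unrenamed", UNRENAMED), ("renamed", RENAMED)):
        found = dfp_finds_users_secret("proxy", compose, "proxy", "credentials")
        print(label, mounted_secrets("proxy", compose, "proxy"), found)
```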