secrets

package
v1.3.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 18, 2021 License: Apache-2.0 Imports: 2 Imported by: 0

README

Docker secrets extension API

Go handler to get secrets from external secret stores in Docker.

Usage

This library is designed to be integrated in your program.

  1. Implement the secrets.Driver interface.
  2. Initialize a secrets.Handler with your implementation.
  3. Call either ServeTCP or ServeUnix from the secrets.Handler.

Example using TCP sockets:

  import "github.com/docker/go-plugins-helpers/secrets"

  // MySecretsDriver is your type that implements secrets.Driver.
  d := MySecretsDriver{}
  h := secrets.NewHandler(d)
  h.ServeTCP("test_secrets", ":8080")

Example using Unix sockets:

  import "github.com/docker/go-plugins-helpers/secrets"

  // MySecretsDriver is your type that implements secrets.Driver.
  d := MySecretsDriver{}
  h := secrets.NewHandler(d)
  h.ServeUnix("test_secrets", 0)
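
Added example (not code from this package or its README) for step 1: a Driver whose Get releases a secret only to allow-listed services and reports failures through Response.Err. Request and Response here are local copies of a subset of the fields documented on this page so the block builds without the module; the in-memory store, the entry type and the allow-list are assumptions.

```go
package main

import "fmt"

// Request and Response copy a subset of the fields of secrets.Request and
// secrets.Response; in a plugin, use the package's own types instead.
type Request struct {
	SecretName  string
	ServiceName string
}

type Response struct {
	Value      []byte
	Err        string
	DoNotReuse bool
}

// entry is a hypothetical store record, not part of the package.
type entry struct {
	value   []byte
	allowed map[string]bool // service names permitted to read the secret
	perTask bool            // true: Docker must call the driver again for every task
}

// MySecretsDriver is a constructed in-memory stand-in for an external secret store.
type MySecretsDriver struct{ store map[string]entry }

// Get answers unknown secrets and denied services with the same error text,
// so a caller cannot use the response to learn which secret names exist.
func (d MySecretsDriver) Get(req Request) Response {
	e, ok := d.store[req.SecretName]
	if !ok || !e.allowed[req.ServiceName] {
		return Response{Err: "secret not available"}
	}
	// Return a copy so the caller cannot modify the stored bytes.
	return Response{Value: append([]byte(nil), e.value...), DoNotReuse: e.perTask}
}

func main() {
	d := MySecretsDriver{store: map[string]entry{
		"db_password": {[]byte("constructed-value"), map[string]bool{"api": true}, true},
	}}
	fmt.Printf("%+v\n", d.Get(Request{SecretName: "db_password", ServiceName: "web"}))
}
```

With the real package, Get takes secrets.Request and returns secrets.Response, and the driver is passed to secrets.NewHandler as in the usage steps above.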

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Driver

type Driver interface {
	// Get gets a secret from a remote secret store
	Get(Request) Response
}

Driver represents the interface a driver must fulfill.

type EndpointSpec

type EndpointSpec struct {
	Mode  int32        `json:",omitempty"`
	Ports []PortConfig `json:",omitempty"`
}

EndpointSpec represents the spec of an endpoint.

type Handler

type Handler struct {
	sdk.Handler
	// contains filtered or unexported fields
}

Handler forwards requests and responses between the docker daemon and the plugin.

func NewHandler

func NewHandler(driver Driver) *Handler

NewHandler initializes the request handler with a driver implementation.

type PortConfig

type PortConfig struct {
	Name     string `json:",omitempty"`
	Protocol int32  `json:",omitempty"`
	// TargetPort is the port inside the container
	TargetPort uint32 `json:",omitempty"`
	// PublishedPort is the port on the swarm hosts
	PublishedPort uint32 `json:",omitempty"`
	// PublishMode is the mode in which port is published
	PublishMode int32 `json:",omitempty"`
}

PortConfig represents the config of a port.

type Request

type Request struct {
	SecretName          string            `json:",omitempty"` // SecretName is the name of the secret to request from the plugin
	SecretLabels        map[string]string `json:",omitempty"` // SecretLabels capture environment names and other metadata pertaining to the secret
	ServiceHostname     string            `json:",omitempty"` // ServiceHostname is the hostname of the service, can be used for x509 certificate
	ServiceName         string            `json:",omitempty"` // ServiceName is the name of the service that requested the secret
	ServiceID           string            `json:",omitempty"` // ServiceID is the ID of the service that requested the secret
	ServiceLabels       map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata pertaining to the service
	TaskID              string            `json:",omitempty"` // TaskID is the ID of the task that the secret is assigned to
	TaskName            string            `json:",omitempty"` // TaskName is the name of the task that the secret is assigned to
	TaskImage           string            `json:",omitempty"` // TaskImage is the image of the task that the secret is assigned to
	ServiceEndpointSpec *EndpointSpec     `json:",omitempty"` // ServiceEndpointSpec holds the specification for endpoints
}

Request is the plugin secret request.

type Response

type Response struct {
	Value []byte `json:",omitempty"` // Value is the value of the secret
	Err   string `json:",omitempty"` // Err is the error response of the plugin

	// DoNotReuse indicates that the secret returned from this request should
	// only be used for one task, and any further tasks should call the secret
	// driver again.
	DoNotReuse bool `json:",omitempty"`
}

Response contains the plugin secret value.
