docker_secret.py: use secret versioning to avoid secret deletion on update

[decentral1se]

SUMMARY

The current functionality of docker_secret.py is that when an update to a secret is discovered the existing secret is deleted and the new one is created. This is not ideal since current best practice is to preserve all secret values and increment a version or some other similar metadata to update to a following value. Docker secrets are immutable so deleting them and replacing them breaks their guarantee for rollback scenarios.

I'd like to propose that we retain the existing functionality of delete/replace of updated secrets to not break existing playbooks. Then, add a new module level option, say, version: true/false which expects to find a version: "1" key/val pair in the labels dictionary. Then if you have a secret with name: foo and labels: version: "1" the module will create an underlying secret with the name of foo-v1. Once you change version: "2" then you will get a foo-v2 and foo-v1 will still be there that can be used to ensure previous configurations work.

It may be that we need to expose a FOO_VERSION variable of some sort to tie this into the docker-compose.yml file where we have a name: foo-${FOO_VERSION} key/val on the secrets definition?

I haven't look deeply at the code but I hope this can be done without breaking changes.

ISSUE TYPE

• Feature Idea

COMPONENT NAME

docker_secret

ADDITIONAL INFORMATION

Here is an example task.

- name: Change the secret data
  docker_secret:
    name: foo
    data: bar
    version: true
    labels:
      version: "1"
    state: present

[decentral1se]

/cc @chouseknecht (who I see is the flagged author for this module)

[ansibullbot]

cc @DBendit @WojciechowskiPiotr @akshay196 @danihodovic @dariko @felixfontein @jwitko @kassiansun @tbouvet
click here for bot help

[felixfontein]

Is this an official recommendation how to do versioning with docker swarm secrets, or your own scheme? If the second, I'm not sure whether it should be part of the docker_secret module. Maybe a separate module?

(And I guess the same is true for docker_config?)

[decentral1se]

It's the recommended practical approach, see moby/moby#29882 (comment) and the rest of the ticket. Also see https://blog.viktoradam.net/2018/02/28/swarm-secrets-made-easy/.

[felixfontein]

If you have to specify the version as a label, why not simply template the secret's name in the docker_secret task? Then you can have this without modifying the docker_secret module.

[decentral1se]

If you ever change the data the module will delete and re-create the secret in place regardless of what the name is versioned as. If we could just had a way to flick that functionality off then the name versioning could work, I guess.

[felixfontein]

So if your change is implemented, you expect the module to fail if you changed the secret without bumping the version manually?

[felixfontein]

Please describe the exact difference between what you envision

- name: Change the secret data
  docker_secret:
    name: foo
    data: bar
    version: true
    labels:
      version: "1"
    state: present

would do, and what

- name: Change the secret data
  docker_secret:
    name: foo-v1
    data: bar
    labels:
      version: "1"
    state: present

does.