Add support for rotating docker secrets #293
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
With this change `docker_secret` now supports the case where we store multiple versions of a secret with the `_v123` postfix. `absent` state implicitly handles removing these this way.
To make rolling updates actually work instead of failing on trying to remove a secret that is attached to a service, use the `versions_to_keep` parameter to remove old versions of the secret after creating the new one. This way the secret with the new data is created with a different name and can be attached to the service by its ID without having to delete the previous one first which would fail if it is already attached to a service.
Attach the incremental version number to the secret name as a `_v123` postfix where `123` is replaced with an incremental counter starting from 1. A label with the numeric version is also attached to the secret to ease calculating the new version number upon change with the name `ansible_version`.
Docs Build 📝Thank you for contribution!✨ This PR has been merged and your docs changes will be incorporated when they are next published. |
|
Build succeeded (third-party-check pipeline).
|
felixfontein
reviewed
Feb 5, 2022
There was a problem hiding this comment.
Thanks for your contribution! Please also add a changelog fragment.
|
Build succeeded (third-party-check pipeline).
|
felixfontein
reviewed
Feb 5, 2022
|
Build succeeded (third-party-check pipeline).
|
…ditional deletions
|
Build succeeded (third-party-check pipeline).
|
|
I think it looks good now. The only part missing is a changelog fragment. |
|
Build succeeded (third-party-check pipeline).
|
felixfontein
reviewed
Feb 5, 2022
Co-authored-by: Felix Fontein <[email protected]>
felixfontein
approved these changes
Feb 6, 2022
|
shipit :) I'm not merging it to let others review it as well :) |
|
@andrasmaroy thanks for implementing this! |
1 task
1 task
This was referenced Feb 21, 2022
Merged
This was referenced Mar 7, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Add support for rolling updates for docker secrets. This change does roughly what was described in #21.
Adding two additional parameters for the
docker_secretmodule:rolling_versions(default: false): whether to use versioning secrets for rolling updates.versions_to_keep(default: 5): when using rolling updates, how many of the old versions to keep.When
rolling_versionsis set totruesecrets are created with a_vXpostfix in their names whereXis replaced with an incremental counter. That counter is also added to the secrets as a label with the name ofansible_version. This way when a secret is changed a new version is created with an incremented version number instead of deleting it first then creating again. This aims to solve the problem where the secret is attached to a service, thus deleting it fails.This is the recommended approach of updating secrets based on the official Docker documentation.
The change is not breaking, users of this module shouldn't expect any changes.
ISSUE TYPE
COMPONENT NAME
docker_secret
ADDITIONAL INFORMATION
The problem this PR aims to solve is the following:
When a secret is attached to a service docker won't let it get deleted, thus the current version of the module fails execution if one tries to update a secret that is attached to a service already. The recommendation from docker for this is to create a new secret with the updated data then update the service definition adding the new secret in place of the old one. Afterwards the old secret can be safely deleted. Having different names for the secrets is a non-issue since one can define the mountpoint for the secret in the container regardless of its name.
If this change gets accepted I'd implement the same functionality for docker_config as well, as the same issue stands there to fix issue #109.
The PR addresses #21, #246
Fixes #21.