Fix #17096: support secrets in Docker swarm

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java

@@ -21,11 +21,15 @@
 package eu.openanalytics.containerproxy.backend.docker;
 
 import com.spotify.docker.client.DockerClient;
+import com.spotify.docker.client.exceptions.DockerException;
 import com.spotify.docker.client.messages.mount.Mount;
 import com.spotify.docker.client.messages.swarm.DnsConfig;
 import com.spotify.docker.client.messages.swarm.EndpointSpec;
 import com.spotify.docker.client.messages.swarm.NetworkAttachmentConfig;
 import com.spotify.docker.client.messages.swarm.PortConfig;
+import com.spotify.docker.client.messages.swarm.Secret;
+import com.spotify.docker.client.messages.swarm.SecretBind;
+import com.spotify.docker.client.messages.swarm.SecretFile;
 import com.spotify.docker.client.messages.swarm.Service;
 import com.spotify.docker.client.messages.swarm.ServiceSpec;
 import com.spotify.docker.client.messages.swarm.Task;
@@ -39,6 +43,7 @@
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.RuntimeValueKey;
 import eu.openanalytics.containerproxy.model.runtime.runtimevalues.UserIdKey;
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
+import eu.openanalytics.containerproxy.model.spec.DockerSwarmSecret;
 import eu.openanalytics.containerproxy.util.Retrying;
 
 import java.net.URI;
@@ -84,6 +89,11 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 			}
 		}
 
+        List<SecretBind> secretBinds = new ArrayList<>();
+        for (DockerSwarmSecret secret : spec.getDockerSwarmSecrets()) {
+            secretBinds.add(convertSecret(secret));
+        }
+
 		com.spotify.docker.client.messages.swarm.ContainerSpec containerSpec =
 				com.spotify.docker.client.messages.swarm.ContainerSpec.builder()
 				.image(spec.getImage())
@@ -92,6 +102,7 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 				.env(convertEnv(buildEnv(spec, proxy)))
 				.dnsConfig(DnsConfig.builder().nameServers(spec.getDns()).build())
 				.mounts(mounts)
+                .secrets(secretBinds)
 				.build();
 
 		NetworkAttachmentConfig[] networks = Arrays
@@ -181,7 +192,33 @@ protected URI calculateTarget(Container container, int containerPort, int servic
 		return new URI(String.format("%s://%s:%s%s", targetProtocol, targetHostName, targetPort, targetPath));
 	}
 
-	@Override
+    private SecretBind convertSecret(DockerSwarmSecret secret) throws DockerException, InterruptedException {
+        if (secret.getName() == null) {
+            throw new IllegalArgumentException("No name for a Docker swarm secret provided");
+        }
+        return SecretBind.builder()
+                .secretName(secret.getName())
+                .secretId(getSecretId(secret.getName()))
+                .file(
+                        SecretFile.builder()
+                                .name(Optional.ofNullable(secret.getTarget()).orElse(secret.getName()))
+                                .gid(Optional.ofNullable(secret.getGid()).orElse("0"))
+                                .uid(Optional.ofNullable(secret.getUid()).orElse("0"))
+                                .mode(Long.parseLong(Optional.ofNullable(secret.getMode()).orElse("444"), 8))
+                                .build()
+                )
+                .build();
+
+    }
+
+    private String getSecretId(String secretName) throws DockerException, InterruptedException {
+        return dockerClient.listSecrets().stream()
+                .filter(it -> it.secretSpec().name().equals(secretName))
+                .findFirst()
+                .map(Secret::id).orElseThrow(() -> new IllegalArgumentException("Secret not found!"));
+    }
+
+    @Override
 	protected void doStopProxy(Proxy proxy) throws Exception {
 		for (Container container: proxy.getContainers()) {
 			String serviceId = (String) container.getParameters().get(PARAM_SERVICE_ID);

src/main/java/eu/openanalytics/containerproxy/model/spec/ContainerSpec.java

@@ -20,8 +20,10 @@
  */
 package eu.openanalytics.containerproxy.model.spec;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 public class ContainerSpec {
@@ -43,6 +45,7 @@ public class ContainerSpec {
 	private String targetPath;
 	private Map<String, String> labels = new HashMap<>();
 	private Map<String, String> settings = new HashMap<>();
+	private List<DockerSwarmSecret> dockerSwarmSecrets = new ArrayList();
 
 	public String getImage() {
 		return image;
@@ -153,6 +156,14 @@ public void setTargetPath(String targetPath) {
 		this.targetPath = targetPath;
 	}
 
+	public List<DockerSwarmSecret> getDockerSwarmSecrets() {
+		return dockerSwarmSecrets;
+	}
+
+	public void setDockerSwarmSecrets(List<DockerSwarmSecret> dockerSwarmSecrets) {
+		this.dockerSwarmSecrets = dockerSwarmSecrets;
+	}
+
 	public void copy(ContainerSpec target) {
 		target.setImage(image);
 		if (cmd != null) target.setCmd(Arrays.copyOf(cmd, cmd.length));
@@ -182,6 +193,10 @@ public void copy(ContainerSpec target) {
 			if (target.getSettings() == null) target.setSettings(new HashMap<>());
 			target.getSettings().putAll(settings);
 		}
+		if (dockerSwarmSecrets != null) {
+			if (target.getDockerSwarmSecrets() == null) target.setDockerSwarmSecrets(new ArrayList<>());
+			target.getDockerSwarmSecrets().addAll(dockerSwarmSecrets);
+		}
 		target.setTargetPath(targetPath);
 	}
 

src/main/java/eu/openanalytics/containerproxy/model/spec/DockerSwarmSecret.java

@@ -0,0 +1,81 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.model.spec;
+
+public class DockerSwarmSecret {
+
+    private String name;
+    private String target;
+    private String gid;
+    private String uid;
+    private String mode;
+
+    public DockerSwarmSecret() {
+    }
+
+    public DockerSwarmSecret(String name, String target, String gid, String uid, String mode) {
+        this.name = name;
+        this.target = target;
+        this.gid = gid;
+        this.uid = uid;
+        this.mode = mode;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getTarget() {
+        return target;
+    }
+
+    public void setTarget(String target) {
+        this.target = target;
+    }
+
+    public String getGid() {
+        return gid;
+    }
+
+    public void setGid(String gid) {
+        this.gid = gid;
+    }
+
+    public String getUid() {
+        return uid;
+    }
+
+    public void setUid(String uid) {
+        this.uid = uid;
+    }
+
+    public String getMode() {
+        return mode;
+    }
+
+    public void setMode(String mode) {
+        this.mode = mode;
+    }
+}

src/main/java/eu/openanalytics/containerproxy/spec/expression/ExpressionAwareContainerSpec.java

@@ -20,14 +20,16 @@
  */
 package eu.openanalytics.containerproxy.spec.expression;
 
-import java.util.HashMap;
-import java.util.Map;
-
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
-import org.springframework.data.util.Pair;
+import eu.openanalytics.containerproxy.model.spec.DockerSwarmSecret;
 import org.springframework.security.core.Authentication;
 
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
 /**
  * Adds expression support to ContainerSpecs.
  * <p>
@@ -113,6 +115,19 @@ public boolean isPrivileged() {
 		return source.isPrivileged();
 	}
 
+	public List<DockerSwarmSecret> getDockerSwarmSecrets() {
+		if (source.getDockerSwarmSecrets() == null) return null;
+		return source.getDockerSwarmSecrets().stream().map(
+				it -> new DockerSwarmSecret(
+						resolve(it.getName()),
+						resolve(it.getTarget()),
+						resolve(it.getGid()),
+						resolve(it.getUid()),
+						resolve(it.getMode())
+				)
+		).collect(Collectors.toList());
+	}
+
 	@Override
 	public Map<String, String> getLabels() {
 		if (source.getLabels() == null) return null;