From 632ecb8eaadbb004790b605024decb00657383ea Mon Sep 17 00:00:00 2001
From: Sune Keller
Date: Tue, 4 Sep 2018 15:19:59 +0200
Subject: [PATCH 1/3] Add additional info for secret drivers

This provides more context for the secret driver when it is requested the value for the secret. It is useful both for audit purposes, e.g. an external system logging which task requested what secret, as well as in a scenario where the plugin would return a different value (or error) based on e.g. labels on the secret.

Signed-off-by: Sune Keller
---
 secrets/api.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/secrets/api.go b/secrets/api.go
index dfe5122..28da1f4 100644
--- a/secrets/api.go
+++ b/secrets/api.go
@@ -14,9 +14,13 @@ const (
 // Request is the plugin secret request
 type Request struct {
 SecretName string `json:",omitempty"` // SecretName is the name of the secret to request from the plugin
+ SecretLabels map[string]string `json:",omitempty"` // SecretLabels capture environment names and other metadata pertaining to the secret
 ServiceHostname string `json:",omitempty"` // ServiceHostname is the hostname of the service, can be used for x509 certificate
 ServiceName string `json:",omitempty"` // ServiceName is the name of the service that requested the secret
- ServiceLabels map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata
+ ServiceID string `json:",omitempty"` // ServiceID is the name of the service that requested the secret
+ ServiceLabels map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata pertaining to the service
+ TaskID string `json:",omitempty"` // TaskID is the ID of the task that the secret is assigned to
+ TaskName string `json:",omitempty"` // TaskName is the name of the task that the secret is assigned to
 ServiceEndpointSpec *EndpointSpec `json:",omitempty"` // ServiceEndpointSpec holds the specification for endpoints
 }
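Review bot: The doc comment on the new `ServiceID` field is a copy of the `ServiceName` comment and calls the field "the name of the service"; it should read `// ServiceID is the ID of the service that requested the secret`. All of the added fields are tagged `json:",omitempty"`, so a driver only sees them when the daemon populates them; the `Request` doc comment would be more useful if it said the task/service fields are optional context that a driver must not assume is present. The commit message anticipates drivers returning a different value or error based on `SecretLabels`; if those labels come from the user-supplied secret spec (not visible here), a driver making such decisions should treat them as caller-controlled input rather than as an authorization claim, which is worth one sentence on the `SecretLabels` comment.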
From d6622466bf637bbef5dd4f1ef3c1c3dd9f4a5a4e Mon Sep 17 00:00:00 2001
From: Sune Keller
Date: Wed, 5 Sep 2018 13:24:50 +0200
Subject: [PATCH 2/3] Add test

Signed-off-by: Sune Keller
---
 secrets/api_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/secrets/api_test.go b/secrets/api_test.go
index 4b510f4..9763a4e 100644
--- a/secrets/api_test.go
+++ b/secrets/api_test.go
@@ -43,6 +43,16 @@ func TestHandler(t *testing.T) {
 if resp.Err == "" {
 t.Fatalf("expected missing secret")
 }
+ resp, err = pluginRequest(client, getPath, Request{SecretName: "another-secret", SecretLabels: map[string]string{"prefix": "p-"}})
+ if err != nil {
+ t.Fatal(err)
+ }
+ if resp.Err != "" {
+ t.Fatalf("error while getting secret: %v", resp.Err)
+ }
+ if !bytes.EqualFold(append([]byte("p-"), secret...), resp.Value) {
+ t.Fatalf("expecting secret value %s, got %s", secret, resp.Value)
+ }
 }

 func pluginRequest(client *http.Client, method string, req Request) (*Response, error) {
@@ -74,5 +84,8 @@ func (p *testPlugin) Get(req Request) Response {
 if req.SecretName == "" {
 return Response{Err: "missing secret name"}
 }
+ if prefix, exists := req.SecretLabels["prefix"]; exists {
+ return Response{Value: append([]byte(prefix), secret...)}
+ }
 return Response{Value: secret}
 }

From f89a2cfa5cd93e36607e04ecdbb435fbe8bd8b58 Mon Sep 17 00:00:00 2001
From: Sune Keller
Date: Thu, 6 Sep 2018 11:49:41 +0200
Subject: [PATCH 3/3] Add TaskImage while we're at it

---
 secrets/api.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/secrets/api.go b/secrets/api.go
index 28da1f4..6b92656 100644
--- a/secrets/api.go
+++ b/secrets/api.go
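Review bot: The new assertion in TestHandler uses `bytes.EqualFold`, which compares under Unicode case folding, so a driver that returned `P-` plus the secret, or a case-variant of the secret bytes, would still pass; a secret value must match exactly, which is `if !bytes.Equal(append([]byte("p-"), secret...), resp.Value) {`. The failure message then prints the bare `secret` with `%s` although the value compared against is the prefixed one, so a failing run would show a different expectation than the one checked; format the prefixed expectation (and `%q` makes an empty or non-printable value visible). TestHandler begins before the hunk, and `secret` and `getPath` are defined outside it.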
@@ -21,6 +21,7 @@ type Request struct {
 ServiceLabels map[string]string `json:",omitempty"` // ServiceLabels capture environment names and other metadata pertaining to the service
 TaskID string `json:",omitempty"` // TaskID is the ID of the task that the secret is assigned to
 TaskName string `json:",omitempty"` // TaskName is the name of the task that the secret is assigned to
+ TaskImage string `json:",omitempty"` // TaskName is the image of the task that the secret is assigned to
 ServiceEndpointSpec *EndpointSpec `json:",omitempty"` // ServiceEndpointSpec holds the specification for endpoints
 }
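Review bot: The doc comment on the new `TaskImage` field says "TaskName is the image of the task", copied from the line above; it should read `// TaskImage is the image of the task that the secret is assigned to`. As with the other task fields it is `omitempty`, so the comment could also say it may be absent. Unlike the first two patches in the series, this commit carries no Signed-off-by trailer; if the project requires DCO sign-off it needs to be added before merge.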