Draft
This allows for secrets to be automatically mounted into Docker containers through volume definitions. This is a first pass, with many rough edges and little testing.
conditions on first/last mount/unmount
instead of just the mount path. Also fixed? a bug where a crash / stop of locket after a mount (but without an unmount) causes layered mounts. i.e. Mount -> Mount -> Unmount would cause the OS to stack mounts on top of each other, and then the files cannot be removed because unmount only unmounted one of the mounts, leaving the mount still busy. Now, this instead will iteratively continue to call unmount until no mounts exist anymore.
Move signal handling to the run loop, and add a Drop for the plugin to clean up the socket.
cancellation future
global locks Introduces a `watch::channel` to manage the lifecycle instead of the `Notify` mechanism for a more state-driven approach. The `VolumeEntry` is now wrapped in an `Arc<RwLock<...>>` to allow concurrent access. Adds an `is_mounted` helper function to `VolumeMount` to determine if a path is currently a mountpoint. This is used to avoid unnecessary mount/unmount operations when recovering existing volumes.
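The two mount-handling points in the commits above (the iterative unmount that keeps going until no mount remains on the path, and the `is_mounted` helper used to skip redundant mount/unmount work during recovery) both come down to reading `/proc/self/mountinfo` correctly. The following is an added example written for this page, not locket's code: it parses mountinfo (field 5 is the mount point, with `\ooo` octal escapes), counts stacked mounts, and runs the unmount loop with an iteration cap. The sample mountinfo text is constructed, and the `unmount_all` signature with injected unmount/reader callbacks is this example's own design, chosen so the loop can be exercised without root.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// Constructed sample of /proc/self/mountinfo (not captured from a real
/// host): the secrets volume is mounted twice (stacked), plus one mount
/// whose path contains an escaped space.
pub const SAMPLE_MOUNTINFO: &str = r"20 1 0:5 / / rw,relatime - ext4 /dev/sda1 rw
30 20 0:40 / /run/locket/vol1 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1024k,mode=700
31 20 0:41 / /run/locket/vol1 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1024k,mode=700
32 20 0:42 / /mnt/my\040vol rw,relatime - tmpfs tmpfs rw";

/// mountinfo escapes space, tab, newline and backslash in paths as \ooo.
pub fn unescape_mountinfo(field: &str) -> String {
    let b = field.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'\\' && i + 3 < b.len() && b[i + 1..i + 4].iter().all(|c| (b'0'..=b'7').contains(c)) {
            out.push((b[i + 1] - b'0') * 64 + (b[i + 2] - b'0') * 8 + (b[i + 3] - b'0'));
            i += 4;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Field 5 of each mountinfo line is the mount point; count how many
/// mounts sit on `path` (stacked mounts appear as repeated entries).
pub fn mount_depth(path: &Path, mountinfo: &str) -> usize {
    let want = path.to_string_lossy();
    mountinfo
        .lines()
        .filter(|l| l.split_whitespace().nth(4).map(unescape_mountinfo).as_deref() == Some(&*want))
        .count()
}

pub fn is_mounted_in(path: &Path, mountinfo: &str) -> bool {
    mount_depth(path, mountinfo) > 0
}

/// Live check against the running kernel (Linux only).
pub fn is_mounted(path: &Path) -> io::Result<bool> {
    Ok(is_mounted_in(path, &std::fs::read_to_string("/proc/self/mountinfo")?))
}

/// Unmount until `path` is no longer a mount point, so mounts stacked by a
/// mount -> crash -> mount sequence are all removed. The unmount step and
/// the mountinfo reader are injected so the loop can run on constructed
/// data; `max_iters` stops a no-op unmount from looping forever.
pub fn unmount_all<U, R>(path: &Path, mut unmount_once: U, mut read_mountinfo: R, max_iters: usize) -> io::Result<usize>
where
    U: FnMut(&Path) -> io::Result<()>,
    R: FnMut() -> io::Result<String>,
{
    let mut done = 0;
    while is_mounted_in(path, &read_mountinfo()?) {
        if done >= max_iters {
            return Err(io::Error::new(
                io::ErrorKind::Other,
                format!("{} still mounted after {} unmount calls", path.display(), done),
            ));
        }
        unmount_once(path)?;
        done += 1;
    }
    Ok(done)
}

/// Real unmount step: shell out to umount(8); needs root or CAP_SYS_ADMIN.
pub fn umount_once(path: &Path) -> io::Result<()> {
    let status = Command::new("umount").arg(path).status()?;
    if status.success() {
        Ok(())
    } else {
        Err(io::Error::new(io::ErrorKind::Other, format!("umount {} failed: {}", path.display(), status)))
    }
}

fn main() -> io::Result<()> {
    let vol = Path::new("/run/locket/vol1");
    println!("sample depth of {}: {}", vol.display(), mount_depth(vol, SAMPLE_MOUNTINFO));
    if cfg!(target_os = "linux") {
        println!("live: {} mounted = {}", vol.display(), is_mounted(vol)?);
    }
    Ok(())
}
```

In a daemon the loop would be called as `unmount_all(path, umount_once, || std::fs::read_to_string("/proc/self/mountinfo"), 8)`; the cap matters because a mount held open by another namespace will make `umount` fail or the entry persist, and the loop should surface that rather than spin.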
states. Also simplifies the messaging.
handle credential staleness. Previously, the provider had to be set at install time, and the provider was built on startup. Instead, this now allows the provider config to be stored as a default at start time, but the actual provider is built on-demand, after being merged with volume-specific overrides. The provider args themselves are now hashable, and so a map of all built providers is held by the volume registry. Now, every time a different config is loaded, a new provider is built, and that config will in the future use the built provider, allowing it to maintain state. Additionally, the problem of credential staleness is addressed here. Previously, a long-running daemon where credentials may become stale would result in a dead provider. Now, the provider is accessed through a ManagedProvider interface instead, which holds a copy of its configuration, and when necessary, it can check if it has new credentials on-disk to reload from. This will allow it to seamlessly rebuild itself with the new credentials, and continue operating.
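As an added illustration of the design described in this commit (a hashable provider config keyed into a map of built providers, with a managed wrapper that reloads from disk when credentials go stale), here is a small self-contained Rust sketch. It is written for this page and is not locket's implementation: the `ProviderConfig` fields, the `ManagedProvider` and `ProviderRegistry` API, and the plain token file used as the on-disk credential are all assumptions.

```rust
use std::collections::HashMap;
use std::fs;
use std::io;
use std::path::PathBuf;

/// Provider arguments. Hash + Eq let the registry key a map of built
/// providers by configuration (illustrative shape, not locket's config).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ProviderConfig {
    /// Credential file the provider reads (a token here; assumed format).
    pub credentials_path: PathBuf,
    /// A per-volume override merged onto the daemon's default.
    pub namespace: String,
}

impl ProviderConfig {
    /// Merge volume-specific overrides onto the default stored at daemon start.
    pub fn merge(&self, overrides: &HashMap<String, String>) -> ProviderConfig {
        let mut merged = self.clone();
        if let Some(ns) = overrides.get("namespace") {
            merged.namespace = ns.clone();
        }
        merged
    }
}

/// The backend built from a config. Here it only keeps the credential; a
/// real one would hold an authenticated client for the secret store.
struct Backend {
    token: String,
}

/// Wraps a backend with the config it was built from, so stale on-disk
/// credentials can be detected and the backend rebuilt in place.
pub struct ManagedProvider {
    config: ProviderConfig,
    backend: Backend,
    loaded_credentials: String,
    pub rebuilds: usize,
}

impl ManagedProvider {
    pub fn new(config: ProviderConfig) -> io::Result<Self> {
        let creds = fs::read_to_string(&config.credentials_path)?;
        let backend = Backend { token: creds.trim().to_string() };
        Ok(ManagedProvider { config, backend, loaded_credentials: creds, rebuilds: 0 })
    }

    /// Re-read the credential file; rebuild the backend if it changed.
    /// Production code would compare the file's mtime before reading it;
    /// comparing contents keeps this example deterministic.
    pub fn refresh_if_stale(&mut self) -> io::Result<bool> {
        let on_disk = fs::read_to_string(&self.config.credentials_path)?;
        if on_disk == self.loaded_credentials {
            return Ok(false);
        }
        self.backend = Backend { token: on_disk.trim().to_string() };
        self.loaded_credentials = on_disk;
        self.rebuilds += 1;
        Ok(true)
    }

    /// Resolve a secret, refreshing first so a long-running daemon never
    /// keeps using a dead backend. Output format is this example's own.
    pub fn get_secret(&mut self, name: &str) -> io::Result<String> {
        self.refresh_if_stale()?;
        Ok(format!("{}/{}@{}", self.config.namespace, name, self.backend.token))
    }
}

/// One built provider per distinct (merged) configuration.
#[derive(Default)]
pub struct ProviderRegistry {
    providers: HashMap<ProviderConfig, ManagedProvider>,
    pub builds: usize,
}

impl ProviderRegistry {
    pub fn get_or_build(&mut self, config: ProviderConfig) -> io::Result<&mut ManagedProvider> {
        if !self.providers.contains_key(&config) {
            let provider = ManagedProvider::new(config.clone())?;
            self.providers.insert(config.clone(), provider);
            self.builds += 1;
        }
        Ok(self.providers.get_mut(&config).expect("just inserted"))
    }
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("locket-example-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let cred = dir.join("token");
    fs::write(&cred, "tok-1\n")?;
    let cfg = ProviderConfig { credentials_path: cred.clone(), namespace: "default".into() };
    let mut registry = ProviderRegistry::default();
    println!("{}", registry.get_or_build(cfg.clone())?.get_secret("db-password")?);
    fs::write(&cred, "tok-2\n")?; // simulate credential rotation on disk
    println!("{}", registry.get_or_build(cfg)?.get_secret("db-password")?);
    fs::remove_dir_all(&dir)
}
```

The two properties worth keeping when adapting this are that identical merged configs share one provider (so state such as a cached session survives across volumes), and that a rotated credential file is picked up without restarting the daemon; an mtime check before the full read keeps the per-request cost low.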
ReferenceParser syntax. Now, the reference syntax parsing can be delegated to the SecretReference variant, and then the provider config and base implementation can easily mark their reference type to gain access to the ReferenceParser automatically. Now, the ReferenceParser for ManagedConfig is just delegation, just like Signature.
to extract a specific SecretReference variant for SecretProvider
parsing more generic. Needed to update vec parser to handle single entries.
future, potentially.
notification only happens on drop, data isn't checked.
Now the plugin will require a metadata file from docker bake in order to ensure that the bake file remains the source of truth. Update CI to publish plugin, and add support for dockerhub.
add a test in runfile
dockerignore to stop invalidating cache for script changes.
nonexistent one can be specified for use in volume plugin.
Adds support for use of locket as a Docker Engine Plugin, implementing a volume driver.
This means volumes can use the locket driver instead of the default local driver. It will create a tmpfs mount with secrets injected, and can be used as normal docker volumes from there. There are a few small caveats I need to document, and some tweaks to configuration I want to do. Then need to implement the actual configurations to be installed directly by docker with docker plugin install.