Proposal: hierarchical secrets

[ndeloof]

What is the problem you're trying to solve
Docker secret use a simple model to map the content of a secret as plain text to a file under /run/secrets.
Both Kubernetes and AWS Secret Manager use a more complex model where secrets are stored as key-indexed documents (map[string]string).

The intent of this proposal is to extend Compose spec secret definition to cover both use cases in a consistent way.

Describe the solution you'd like
I propose we introduce support for keys in secret definition:

secrets:
  my_secret:
    external: true
    keys: ["foo", "bar"]

Doing so will result into retrieving external secret my_secret from infrastructure as a hierarchical document, and create files foo and bar in secret volume mounted inside container:

➜  ls -l /run/secrets/my_secret
total 0
-r--r--r--    1 root  root     bar
-r--r--r--    1 root  root     foo

Not being able to parse secret content as a hierarchical document will result into an error.

keys will support special value * to inject all entries in the secret as files.

if keys is not defined, and Compose implementation support this, the raw secret content is written into a file and attached to the container as secret volume:

secrets:
  my_secret:
    external: true

➜  cat /run/secrets/my_secret
{
  "foo": "***",
  "bar": "***"
}

So,

• Kubernetes Secrets can be covered with optionally limiting bound keys. As raw secret is not supported on this platform, keys could default to *.
• Swarm do not supported hierarchical secrets, and would reject (or ignore) a Compose file using `keys``
• AWS ECS can both support hierarchical secrets being injected, as well as plain text secrets.

Additional context
see https://github.com/docker/ecs-plugin/issues/207

[EricHripko]

I've previously had to work with projects that use secrets (either as env. vars or mounts) and I've struggled with running them locally. How does one reason with secret-dependent code when doing local development? With env. vars I can specify an env_file to provide an approximation - but it requires much more effort to model /run/secrets mounts. Would it make sense to have some sort local tooling for this? For example, this is how .NET Secret Manager works.

[ndeloof]

I use to override my secrets definition for development and use a file to set secret to a known value that would let me run application localy for development purpose. Proposal for Profiles could help make this pattern a common one.
Otherwise, as Moby has no support for Secrets (but within Swarm mode) local development will always require some hack. Maybe Compose in Go could help make things better, by offering a more flexible "local secret store" that could be provisionned by secrets before a Compose file is ran.

[EricHripko]

I am keen to see if profiles could help with this 🙌 Currently, I feel like developers have to address this via tribal knowledge or Contributing guides - which makes secret-reliant projects less portable and increases the entry barrier (especially for external contributors). It'd be awesome if we came up with an easier way to handle secrets locally (even if it's just via a set of recommendations).

[hangyan]

Can we provide some customize for the path to be mouted ('/run/secrets) ?

[ndeloof]

@hangyan afaik docker engine (swarm) does indeed not allow to use an alternate path in service secrets configuration.
Maybe we could clarify that target can be either a relative path (then mounted as /run/secrets/<target>) or an absolute path in container, wdyt?

[justincormack]

I agree that having a fixed path is not good, especially as Kubernetes allows path specification, but we should open a new issue for this. We can fix Swarm behaviour.

[hangyan]

@hangyan afaik docker engine (swarm) does indeed not allow to use an alternate path in service secrets configuration.
Maybe we could clarify that target can be either a relative path (then mounted as /run/secrets/<target>) or an absolute path in container, wdyt?

sounds ok