Docker Community Forums


Is there any way to use extension fields in docker-compose with docker secrets?

docker
swarm

(Ilia Petrov) #1

Let’s imagine that we have a docker stack configured by a .yml file with 3 services: a, b and c. Also, there are a bunch of secrets that these services use: two for the database, some for an Azure service and some that are unique to each service. So, our .yml file looks like:

version: '3.4'

services:
 a:
  image: a-image
  [...]
  secrets:
   - db.pwd
   - db.user
   - azure.secret_key
   - azure.public_key
   - a.secret_key1
   - a.secret_key2
 b:
  image: b-image
  [...]
  secrets:
   - db.pwd
   - db.user
   - b.secret_key1
   - b.secret_key2
 c:
  image: c-image
  [...]
  secrets:
   - db.pwd
   - db.user
   - azure.secret_key
   - azure.public_key
   - c.secret_key1
   - c.secret_key2

secrets:
 db.pwd:
  external: true
 db.user:
  external: true
 azure.secret_key:
  external: true
 azure.public_key:
  external: true
 a.secret_key1:
  external: true
 a.secret_key2:
  external: true
 b.secret_key1:
  external: true
 b.secret_key2:
  external: true
 c.secret_key1:
  external: true
 c.secret_key2:
  external: true

As you can see, some secrets are repeated in each service. The docker-compose file has a feature called “Extension fields” - https://docs.docker.com/compose/compose-file/#extension-fields Is there any way I can use these extension fields to avoid repeating the secrets? Something like this:

version: '3.4'
x-common-db-secrets: &db-secrets
 - db.user
 - db.pwd

x-common-azure-secrets: &azure-secrets
 - azure.public_key
 - azure.secret_key

services:
 a:
  image: a-image
  [...]
  secrets:
   <<: *db-secrets
   <<: *azure-secrets
   - a.secret_key1
   - a.secret_key2
 b:
  image: b-image
  [...]
  secrets:
   <<: *db-secrets
   - b.secret_key1
   - b.secret_key2
 c:
  image: c-image
  [...]
  secrets:
   <<: *db-secrets
   <<: *azure-secrets
   - c.secret_key1
   - c.secret_key2

secrets:
 [...]

I am already using extension fields this way to share environment variables. But the structure required for parsing extension fields is a map, and the “secrets” section requires a list. Does anyone have ideas how to deal with this properly? Please note that in the future new secrets may be added that are used by both old and new services, for example, so the solution has to be flexible. I would really appreciate an answer. I am looking for an answer for any compose version 3.4+.


(Metin Y.) #2

I am afraid that YAML anchors do not work for sequences (array lists).
This is a YAML limitation rather than a Docker limitation (see: https://yaml.org/spec/1.2/spec.html#id2765878 and https://yaml.org/type/merge.html).

If Docker switched from sequences (actually a sequenced map) to a map, the YAML anchors could be used for secrets as well.

You can verify your example on http://ben-kiki.org/ypaste

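As an added example (not code from this thread, from Docker, or from either poster), here is one way to work around the limitation described above: since a YAML merge key (`<<`) only applies to mappings and cannot splice one sequence into another, keep the shared secret groups in a short Python description and generate the expanded compose file from it, so adding a new shared secret means editing one list instead of every service. The group names, image names and secret names are taken from the question; the script itself and its `SECRET_GROUPS`/`SERVICES` layout are hypothetical.

```python
"""Generate a compose/stack file from shared secret groups.

YAML merge keys (<<) only work on mappings, so shared secret *lists*
cannot be merged into a service's `secrets:` sequence with anchors.
This script keeps the sharing in a small Python description instead
and expands it into the verbose compose document. Group names, image
names and secret names below are constructed for this example.
"""
import re
from typing import Dict, List, Mapping, Sequence

# Constructed input: named groups of secrets that several services share.
SECRET_GROUPS: Dict[str, List[str]] = {
    "db": ["db.user", "db.pwd"],
    "azure": ["azure.public_key", "azure.secret_key"],
}

# Constructed input: per-service image, shared groups used, and own secrets.
SERVICES: Dict[str, dict] = {
    "a": {"image": "a-image", "groups": ["db", "azure"],
          "secrets": ["a.secret_key1", "a.secret_key2"]},
    "b": {"image": "b-image", "groups": ["db"],
          "secrets": ["b.secret_key1", "b.secret_key2"]},
    "c": {"image": "c-image", "groups": ["db", "azure"],
          "secrets": ["c.secret_key1", "c.secret_key2"]},
}


def _dedup(names: Sequence[str]) -> List[str]:
    """Drop repeated names while keeping first-seen order."""
    seen = set()
    out: List[str] = []
    for name in names:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def service_secrets(spec: Mapping,
                    groups: Mapping[str, Sequence[str]] = SECRET_GROUPS) -> List[str]:
    """Resolve one service's full secret list: group members first, then its own."""
    names: List[str] = []
    for group in spec.get("groups", []):
        if group not in groups:
            raise KeyError(f"service references unknown secret group {group!r}")
        names.extend(groups[group])
    names.extend(spec.get("secrets", []))
    return _dedup(names)


def build_compose(services: Mapping[str, Mapping] = SERVICES,
                  groups: Mapping[str, Sequence[str]] = SECRET_GROUPS,
                  version: str = "3.4") -> dict:
    """Expand the description into a compose document (as a plain dict).

    Every secret a service references is declared exactly once at top level
    as external, so the generated stack never points at an undeclared secret.
    """
    doc: dict = {"version": version, "services": {}, "secrets": {}}
    for name, spec in services.items():
        secrets = service_secrets(spec, groups)
        doc["services"][name] = {"image": spec["image"], "secrets": secrets}
        for secret in secrets:
            doc["secrets"].setdefault(secret, {"external": True})
    return doc


def _scalar(value) -> str:
    """Render a scalar; quote strings YAML would otherwise read as a number or bool."""
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    if re.fullmatch(r"[0-9.]+", text) or text.lower() in {"true", "false", "yes", "no", "null", "~"}:
        return f"'{text}'"
    return text


def to_yaml(doc: dict) -> str:
    """Serialise the nested dict/list/scalar document as YAML (no third-party library)."""
    lines: List[str] = []

    def emit(node, indent: int) -> None:
        pad = "  " * indent
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, (dict, list)):
                    lines.append(f"{pad}{key}:")
                    emit(value, indent + 1)
                else:
                    lines.append(f"{pad}{key}: {_scalar(value)}")
        else:  # a list of scalars, e.g. a service's secret references
            for value in node:
                lines.append(f"{pad}- {_scalar(value)}")

    emit(doc, 0)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_yaml(build_compose()), end="")
```

Running the script prints the fully expanded stack file, with `version` quoted as a string and each referenced secret declared once under the top-level `secrets:` block; redirect the output to a file and deploy it as usual. Because the expansion happens before Docker ever sees the YAML, it works with any compose file version, and a typo in a group name fails at generation time rather than at deploy time.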

(Ilia Petrov) #3

Okay, got it.
So, duplicating the secrets is currently one solution. I hope that in the future a YAML map structure will be supported for secrets.
Thank you for your answer!