Adding secrets details

Signed-off-by: Guillaume Tardif <guillaume.tardif@docker.com>
This commit is contained in:
Guillaume Tardif 2020-10-07 15:50:04 +02:00
parent c3983eea78
commit 808715d740
1 changed files with 29 additions and 2 deletions


@ -2,7 +2,7 @@
This document outlines the conversion of an application defined in a Compose file to ACI objects. This document outlines the conversion of an application defined in a Compose file to ACI objects.
At a high-level, each Compose deployment is mapped to a single ACI container group. At a high-level, each Compose deployment is mapped to a single ACI container group.
Each service is mapped to a container in the container group. The Docker ACI integration provides does not allow scaling of services. Each service is mapped to a container in the container group. The Docker ACI integration does not allow scaling of services.
## Compose fields mapping ## Compose fields mapping
@ -58,7 +58,7 @@ __Legend:__
| service.networks | x | Communication between services is implemented by defining mapping for each service in the shared `/etc/hosts` file of the container group. Each service can resolve names for other services and the resulting network calls will be redirected to `localhost`. | service.networks | x | Communication between services is implemented by defining mapping for each service in the shared `/etc/hosts` file of the container group. Each service can resolve names for other services and the resulting network calls will be redirected to `localhost`.
| service.pid | x | | service.pid | x |
| service.ports | ✓ | Only symetrical por mapping is supported in ACI. See #exposing-ports. | service.ports | ✓ | Only symetrical por mapping is supported in ACI. See #exposing-ports.
| service.secrets | ✓ | | service.secrets | ✓ | See #secrets.
| service.security_opt | x | | service.security_opt | x |
| service.stop_grace_period | x | | service.stop_grace_period | x |
| service.stop_signal | x | | service.stop_signal | x |
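Review bot: the `service.ports` row on the new side of this hunk still reads "Only symetrical por mapping is supported", which should be "Only symmetrical port mapping is supported"; since the table is being edited here, it is worth fixing in the same change. The new `See #secrets.` reference on the `service.secrets` row matches the existing `See #exposing-ports.` convention, which is good, but the `#secrets` anchor only resolves if the added section heading is exactly `## Secrets`, so keep the two in sync if the heading is renamed later.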
@ -118,6 +118,33 @@ A Compose file can define several volumes, with different Azure file shares or s
Credentials for storage accounts will be automatically fetched at deployment time using the Azure login to retrieve the storage account key for each storage account used. Credentials for storage accounts will be automatically fetched at deployment time using the Azure login to retrieve the storage account key for each storage account used.
## Secrets
Secrets can be defined in compose files, and will need secret files available at deploy time next to the compose file.
The content of the secret file will be made available inside selected containers, under `/run/secrets/<SECRET_NAME>/<SECRET_NAME>
External secrets are not supported with the ACI integration.
Due to ACI secret volume mounting, each secret file is mounted in its own folder named after the secret.
```yaml
services:
nginx:
image: nginx
secrets:
- mysecret1
db:
image: mysql
secrets:
- mysecret2
secrets:
mysecret1:
file: ./my_secret1.txt
mysecret2:
file: ./my_secret2.txt
```
The nginx container will have secret1 mounted as `/run/secrets/mysecret1/mysecret1`, the db container will have secret2 mounted as `/run/secrets/mysecret1/mysecret2`
## Container Resources ## Container Resources
CPU and memory reservations and limits can be set in compose. CPU and memory reservations and limits can be set in compose.
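Review bot: the closing sentence of the new Secrets section contradicts the rule stated a few lines above it. The text says each secret file is mounted in its own folder named after the secret, so the `db` container's secret should appear at `/run/secrets/mysecret2/mysecret2`, not `/run/secrets/mysecret1/mysecret2` as written; the path as given would also suggest both containers see the other's secret directory, which is not what the ACI per-secret volume mount described here does. In the same sentence, "secret1" and "secret2" should be the names actually used in the example, `mysecret1` and `mysecret2`. Two smaller points: the line `The content of the secret file will be made available inside selected containers, under \`/run/secrets/<SECRET_NAME>/<SECRET_NAME>` is missing the closing backtick on its inline code span, and a trailing period, and the phrase "will need secret files available at deploy time next to the compose file" would be clearer as "requires the referenced secret files to be present next to the Compose file at deploy time", so readers understand the file contents are read and uploaded at deployment rather than resolved on the ACI side.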