From d1038c422b2a069494476dd743cc06e11e8939e7 Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Fri, 10 Feb 2017 14:51:15 -0800 Subject: [PATCH] Add support for secrets in ContainerSpec Signed-off-by: Joffrey F --- docker/models/services.py | 3 +++ docker/types/__init__.py | 2 +- docker/types/services.py | 40 ++++++++++++++++++++++++++++++++++++-- docker/utils/decorators.py | 2 +- 4 files changed, 43 insertions(+), 4 deletions(-) diff --git a/docker/models/services.py b/docker/models/services.py index ef6c3e3a..bd95b5f9 100644 --- a/docker/models/services.py +++ b/docker/models/services.py @@ -109,6 +109,8 @@ class ServiceCollection(Collection): the service to. Default: ``None``. resources (Resources): Resource limits and reservations. restart_policy (RestartPolicy): Restart policy for containers. + secrets (list of :py:class:`docker.types.SecretReference`): List + of secrets accessible to containers for this service. stop_grace_period (int): Amount of time to wait for containers to terminate before forcefully killing them. update_config (UpdateConfig): Specification for the update strategy @@ -179,6 +181,7 @@ CONTAINER_SPEC_KWARGS = [ 'labels', 'mounts', 'stop_grace_period', + 'secrets', ] # kwargs to copy straight over to TaskTemplate diff --git a/docker/types/__init__.py b/docker/types/__init__.py index 8e2fc174..0e887760 100644 --- a/docker/types/__init__.py +++ b/docker/types/__init__.py @@ -4,6 +4,6 @@ from .healthcheck import Healthcheck from .networks import EndpointConfig, IPAMConfig, IPAMPool, NetworkingConfig from .services import ( ContainerSpec, DriverConfig, EndpointSpec, Mount, Resources, RestartPolicy, - ServiceMode, TaskTemplate, UpdateConfig + SecretReference, ServiceMode, TaskTemplate, UpdateConfig ) from .swarm import SwarmSpec, SwarmExternalCA diff --git a/docker/types/services.py b/docker/types/services.py index 5f7b2fb0..b903fa43 100644 --- a/docker/types/services.py +++ b/docker/types/services.py 
@@ -2,7 +2,7 @@ import six from .. import errors from ..constants import IS_WINDOWS_PLATFORM -from ..utils import format_environment, split_command +from ..utils import check_resource, format_environment, split_command class TaskTemplate(dict): @@ -79,9 +79,12 @@ class ContainerSpec(dict): :py:class:`~docker.types.Mount` class for details. stop_grace_period (int): Amount of time to wait for the container to terminate before forcefully killing it. + secrets (list of py:class:`SecretReference`): List of secrets to be + made available inside the containers. """ def __init__(self, image, command=None, args=None, env=None, workdir=None, - user=None, labels=None, mounts=None, stop_grace_period=None): + user=None, labels=None, mounts=None, stop_grace_period=None, + secrets=None): self['Image'] = image if isinstance(command, six.string_types): @@ -109,6 +112,11 @@ class ContainerSpec(dict): if stop_grace_period is not None: self['StopGracePeriod'] = stop_grace_period + if secrets is not None: + if not isinstance(secrets, list): + raise TypeError('secrets must be a list') + self['Secrets'] = secrets + class Mount(dict): """ 
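Review bot: The `secrets` entry added to the ContainerSpec docstring writes the role as `py:class:` without its leading colon, so Sphinx will most likely print it as literal text instead of linking to SecretReference. The parallel entry added in docker/models/services.py uses `:py:class:`, and this line should match it. The ContainerSpec class and its docstring begin outside this hunk.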
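Review bot: The new `secrets` check in ContainerSpec.__init__ tests only the container type, so a list of bare strings or other objects is stored in `self['Secrets']` unchanged. The mistake would presumably surface only when the engine rejects the service definition. An element check beside it fails earlier, for example `if not all(isinstance(s, dict) for s in secrets): raise TypeError('secrets must be a list of SecretReference')`. __init__ starts before this hunk, and whatever follows the added lines is outside it.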
@@ -410,3 +418,31 @@ class ServiceMode(dict): if self.mode != 'replicated': return None return self['replicated'].get('Replicas') + + +class SecretReference(dict): + """ + Secret reference to be used as part of a :py:class:`ContainerSpec`. + Describes how a secret is made accessible inside the service's + containers. + + Args: + secret_id (string): Secret's ID + secret_name (string): Secret's name as defined at its creation. + filename (string): Name of the file containing the secret. Defaults + to the secret's name if not specified. + uid (string): UID of the secret file's owner. Default: 0 + gid (string): GID of the secret file's group. Default: 0 + mode (int): File access mode inside the container. Default: 0o444 + """ + @check_resource + def __init__(self, secret_id, secret_name, filename=None, uid=None, + gid=None, mode=0o444): + self['SecretName'] = secret_name + self['SecretID'] = secret_id + self['File'] = { + 'Name': filename or secret_name, + 'UID': uid or '0', + 'GID': gid or '0', + 'Mode': mode + } diff --git a/docker/utils/decorators.py b/docker/utils/decorators.py index 2fe880c4..18cde412 100644 --- a/docker/utils/decorators.py +++ b/docker/utils/decorators.py @@ -16,7 +16,7 @@ def check_resource(f): resource_id = resource_id.get('Id', resource_id.get('ID')) if not resource_id: raise errors.NullResource( - 'image or container param is undefined' + 'Resource ID was not provided' ) return f(self, resource_id, *args, **kwargs) return wrapped
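Review bot: `@check_resource` on SecretReference.__init__ validates only the first positional argument (the docker/utils/decorators.py hunk shows `return f(self, resource_id, *args, **kwargs)`), so `secret_name` is never checked and an empty or missing name with no `filename` leaves `File['Name']` empty. The wrapper's signature is outside the visible hunk, but a keyword call such as `SecretReference(secret_id=..., secret_name=...)` may not reach `resource_id` at all and raise NullResource, which is worth a test. Consider adding `if not secret_name: raise errors.NullResource('Secret name was not provided')` at the top of __init__. The `mode` docstring entry could also state that the default `0o444` leaves the secret file readable by every user in the container, and that a stricter mode should be paired with a matching `uid`/`gid`.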