[datacenter/ucp] Update secrets per suggestions

closes #1743 Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2017-02-16 13:47:22 -08:00 · 2017-02-16 13:47:22 -08:00 · 560640af83
parent 3ad5c38a77
commit 560640af83
2 changed files with 18 additions and 12 deletions
--- a/datacenter/ucp/2.1/guides/user/secrets/grant-revoke-access.md
+++ b/datacenter/ucp/2.1/guides/user/secrets/grant-revoke-access.md
@ -18,10 +18,9 @@ the secret.
 Users that are part of a team with access to that label will be able to see
 and use the secret.

-In this example, if Jenny is part of
-a team that has 'Restricted Control' over the `com.docker.ucp.access.label=blog`
-label, she will be able to use the secret in her services, as long as the
-service also has the same label.
+In this example, if Jenny is part of a team that has 'Restricted Control' over
+the `com.docker.ucp.access.label=blog` label, she will be able to use the
+secret in her services, as long as the service also has the same label.

 This ensures that users can use a secret in their services without having
 permissions to attach to the container running the service and inspect the
--- a/datacenter/ucp/2.1/guides/user/secrets/index.md
+++ b/datacenter/ucp/2.1/guides/user/secrets/index.md
@ -48,7 +48,9 @@ you won't be able to edit it or see the secret data again.
 ![](../../images/manage-secrets-2.png){: .with-border}

 Assign a unique name to the service and set its value. You can optionally define
-a permission label so that other users have permission to use this secret.
+a permission label so that other users have permission to use this secret. Also
+note that a service and secret must have the same permission label (or both
+must have no permission label at all) in order to be used together.

 In this example our secret is named `wordpress-password-v1`, to make it easier
 to track which version of the password our services are using.
@ -67,13 +69,18 @@ default configurations.
 Start by creating the MySQL service. Navigate to the **Services** page, click
 **Create Service**, and choose **Use Wizard**. Use the following configurations:

-| Field                | Value                                                       |
-|:---------------------|:------------------------------------------------------------|
-| Service name         | wordpress-db                                                |
-| Image name           | mysql:5.7                                                   |
-| Attached network     | wordpress-network                                           |
-| Secret               | wordpress-password-v1                                       |
-| Environment variable | MYSQL_ROOT_PASSWORD_FILE=/run/secrets/wordpress-password-v1 |
+| Field                      | Value                              |
+|:---------------------------|:-----------------------------------|
+| Service name               | wordpress-db                       |
+| Image name                 | mysql:5.7                          |
+| Attached network           | wordpress-network                  |
+| Secret                     | wordpress-password-v1              |
+| Environment variable name  | MYSQL_ROOT_PASSWORD_FILE           |
+| Environment variable value | /run/secrets/wordpress-password-v1 |
+
+Remember, if you specified a permission label on the secret, you must also set
+the same permission label on this service. If the secret does not have a
+permission label, then this service must also not have a permission label.

 This creates a MySQL service that's attached to the `wordpress-network` network,
 and that uses the `wordpress-password-v1`, which by default will create a file