A simple command to finally update the docker secret !
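#!/usr/bin/env bash
# HOW TO USE
#   ./updateSecret.sh secretName newValue
# It's that simple !
#
# Rotates a Docker swarm secret: a new versioned secret holding newValue is
# created, every service mounting the current one is re-pointed at it under
# the same target name, and the previous versions are removed afterwards.
#
# NOTE: newValue is taken from the command line, so it is visible in the
# process list and in shell history for as long as the script runs.
if [ "$#" -ne 2 ]; then
  printf '%s\n' "#####" >&2
  printf '%s\n' "You must supplied secretName newValue" >&2
  printf '%s\n' "ex : ./updateSecret.sh mongo_url \"mongodb://mongo:27017,mongo_2:27017,mongo_3:27017/myDB?replicaSet=rs0\"" >&2
  printf '%s\n' "#####" >&2
  # Usage error: exit non-zero so a caller can tell it apart from success.
  exit 2
fi
secretName=$1
newValue=$2
# Refuse an empty name: it is handed to docker's partial-match name filter,
# where an empty pattern would select every secret for removal.
: "${secretName:?secretName must not be empty}"
# Nanosecond timestamp used as the version suffix of the new secret's name.
dateNow=$(date +%s%N)
sourceSecretName="${secretName}_${dateNow}"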
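# Check which service is using the secret name
#######################################
# Print the swarm services that reference the secret, either as the source
# secret name or as the mounted target file name, joined by ':'.
# Globals:   secretName (read)
# Outputs:   ':'-joined service names on stdout (empty line if none)
#######################################
whoUseMySecret() {
  local names="" name
  # Walk each service's declared secrets instead of grepping the whole
  # inspect JSON, so a label or env value that merely mentions the name
  # does not make the service look like a consumer.
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if docker service inspect \
        --format '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.SecretName}}{{"\n"}}{{.File.Name}}{{"\n"}}{{end}}' \
        "$name" | grep -Fqx -- "$secretName"; then
      names="$names:$name"
    fi
  done < <(docker service ls --format '{{.Name}}')
  printf '%s\n' "${names#:}"
}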
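#######################################
# Print the existing versions of the secret, joined by ':'.
# A version is the bare name or name_<digits>, the form this script creates.
# Docker's name filter matches on part of a name, so the list is re-checked
# here; otherwise rotating "db" would also schedule "db_admin" for removal.
# Globals:   secretName (read)
# Outputs:   ':'-joined secret names on stdout (empty line if none)
#######################################
getAllSecretsBeginWith() {
  local names="" name
  while IFS= read -r name; do
    case "$name" in
      "$secretName" | "$secretName"_[0-9]*) names="$names:$name" ;;
    esac
  done < <(docker secret ls -f name="$secretName" --format '{{.Name}}')
  printf '%s\n' "${names#:}"
}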
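#######################################
# Re-point every service at the new secret version, then delete the old
# versions.
# Globals:   sourceSecretName, secretName (read)
# Arguments: $1 - ':'-joined service names (may be empty)
#            $2 - ':'-joined names of the old secret versions (may be empty)
# Returns:   the status of the first failing 'docker service update', in
#            which case no secret is removed
#######################################
updateSecret() {
  local -a svNames=() scNames=() rmArgs=()
  local name
  # Split the ':'-joined lists into arrays; IFS is scoped to the read.
  IFS=':' read -r -a svNames <<< "$1"
  IFS=':' read -r -a scNames <<< "$2"
  # One --secret-rm per old version, kept as array elements so the names
  # are never word-split or glob-expanded.
  for name in "${scNames[@]}"; do
    [ -n "$name" ] && rmArgs+=(--secret-rm "$name")
  done
  # Drop the old versions and attach the new one under the unchanged target
  # path; --detach=false waits for the rollout. Stop at the first failure
  # so the old versions are not removed under a service still using them.
  for name in "${svNames[@]}"; do
    [ -n "$name" ] || continue
    docker service update \
      "${rmArgs[@]}" \
      --secret-add "src=${sourceSecretName},target=${secretName}" \
      --detach=false "$name" || return
  done
  # Only once every service is off them, remove the old versions.
  for name in "${scNames[@]}"; do
    [ -n "$name" ] || continue
    docker secret rm "$name"
  done
}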
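#######################################
# Entry point: collect the consuming services and the old versions first,
# create the new version, then hand both lists to updateSecret.
# Globals:   newValue, sourceSecretName (read)
# Returns:   non-zero if the new secret cannot be created
#######################################
main() {
  local serviceNames secretsName
  serviceNames=$(whoUseMySecret)
  printf 'serviceNames = %s\n' "$serviceNames"
  # Listed before the new version exists, or it would be removed as well.
  secretsName=$(getAllSecretsBeginWith)
  # printf keeps the value intact where an unquoted echo would word-split,
  # glob-expand and interpret a leading -n/-e. A trailing newline is still
  # written after the value (the bytes echo produced), so existing
  # consumers see the same content.
  printf '%s\n' "$newValue" | docker secret create "$sourceSecretName" - || return
  # Both arguments are quoted: when no service uses the secret, the empty
  # service list must not shift the secret list into $1.
  updateSecret "$serviceNames" "$secretsName"
}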
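# Script arguments are forwarded so main can grow its own parsing later.
main "$@"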
Thanks for this. I noticed it only after I had written my own: https://gist.github.com/jamiejackson/a1818acedaeb9c3cd70bafac86a0100b
I haven't tried yours yet, but a couple of things I noticed:
_1529863818683524595
). Mine truncates the secret name, if necessary, and uses a UUID, so that if a truncation does occur and only a couple of leading characters of the "unique" version token survive, it is more likely (than a date) to still be unique. Consider these:
Date-based, with truncation
Uniqueness is not ensured.
stack_name_secret_fusionreactor_administrator_password_152986381
3690565192
stack_name_secret_fusionreactor_administrator_password_152986381
8683524595
UUID-based, with truncation
Uniqueness is still very likely (and as likely as possible).
stack_name_secret_fusionreactor_administrator_password_v-10c4b9c
0-25d5-4104-9782-4fecf620366c
stack_name_secret_fusionreactor_administrator_password_v-d5c23c7
4-adcd-4a1d-a91f-901dff50b11d