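#!/usr/bin/env bash
# docker_secret_update.sh - rotate one Docker Swarm service secret in place.
#
# Creates a new, uniquely versioned Docker secret holding the supplied value,
# swaps it into the service under the same in-container file name, and then
# removes the older versions of that secret.
#
# Usage:
#   ./docker_secret_update.sh --stack=<stack> --service=<service> --secret=<name> --value-file=<path|->
#   ./docker_secret_update.sh --stack=<stack> --service=<service> --secret=<name> --value=<value>
#
# Prefer --value-file: a secret given as --value=... on the command line is
# visible to every local user through `ps`, and ends up in shell history and
# audit logs. --value-file=PATH reads the value from PATH ('-' means stdin);
# trailing newlines are stripped, and values containing NUL bytes cannot be
# carried by a shell variable. --value= is kept for backwards compatibility.
#
# Requires the docker CLI (pointed at a swarm manager) and uuidgen.
set -euo pipefail

stack=
service=
secret=
value=
value_file=

# Hand-rolled long-option parser: getopts knows no long options and enhanced
# getopt is not portable. Every option takes the form --name=value.
while (( $# > 0 )); do
  case "$1" in
    --stack=*)      stack=${1#*=} ;;
    --service=*)    service=${1#*=} ;;
    --secret=*)     secret=${1#*=} ;;
    --value=*)      value=${1#*=} ;;
    --value-file=*) value_file=${1#*=} ;;
    --)             shift; break ;;   # explicit end of options
    -*)             echo "WARN: Unknown option (ignored): $1" >&2 ;;
    *)              break ;;          # first non-option argument: stop parsing
  esac
  shift
done

if [[ -n "$value_file" && -n "$value" ]]; then
  echo "ERROR: give either --value-file or --value, not both" >&2
  exit 1
fi

if [[ -n "$value_file" ]]; then
  if [[ "$value_file" == "-" ]]; then
    value=$(cat) || { echo "ERROR: could not read secret value from stdin" >&2; exit 1; }
  else
    value=$(cat -- "$value_file") || { echo "ERROR: could not read secret value from '$value_file'" >&2; exit 1; }
  fi
fi

# The original message advertised "--value <value>" (space-separated), which the
# parser above never accepted; show the form that actually works.
if [[ -z "$stack" || -z "$service" || -z "$secret" || -z "$value" ]]; then
  echo "Usage: ${0##*/} --stack=<stack_name> --service=<service_name> --secret=<secret_name> (--value-file=<path|-> | --value=<secret_value>)" >&2
  exit 1
fi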
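#######################################
# myecho - print a status line to stdout, green when stdout is a terminal.
#
# Arguments: $1 - the message; printed verbatim (backslashes are not
#                 interpreted, unlike the former `echo -e`)
# Outputs:   the message plus newline on stdout
#
# Colour codes are only emitted when stdout is a tty, so piped or logged
# output stays free of escape sequences. Each tput call is also guarded: with
# no usable TERM (cron, CI) a failing `tput` inside an assignment would
# otherwise abort the whole script under `set -e`.
#######################################
myecho() {
  local msg=${1-}
  local green='' reset=''
  if [[ -t 1 ]]; then
    green=$(tput setaf 2 2>/dev/null || true)
    reset=$(tput sgr0 2>/dev/null || true)
  fi
  printf '%s%s%s\n' "$green" "$msg" "$reset"
}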
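# ---------------------------------------------------------------------------
# Rotation. Everything below talks to the docker CLI. Never run this script
# with `set -x` / `bash -x`: the trace would print the secret value.
# ---------------------------------------------------------------------------
secret_name=$secret
secret_value=$value   # plain shell variable, never exported
stack_service="${stack}_${service}"
stack_secret_name="${stack}_${secret_name}"

command -v uuidgen >/dev/null 2>&1 || { echo "ERROR: uuidgen is required but not installed" >&2; exit 1; }
new_secret_version="_v-$(uuidgen)"
version_prefix="${stack_secret_name}_v-"

# Docker limits secret names to 64 characters. Blindly truncating the versioned
# name could make it identical to the current one (create fails) or drop the
# "_v-" marker so that cleanup never finds it, so insist that at least 8
# characters of the uuid survive.
readonly max_secret_name_len=64
if (( ${#version_prefix} + 8 > max_secret_name_len )); then
  echo "ERROR: '${stack_secret_name}' is too long to version; keep <stack>_<secret> within $(( max_secret_name_len - 3 - 8 )) characters" >&2
  exit 1
fi
stack_secret_name_new_version="${stack_secret_name}${new_secret_version}"
stack_secret_name_new_version=${stack_secret_name_new_version:0:max_secret_name_len}

# Find the secret object currently mounted at the in-container file
# "$secret_name". The template prints "<file name>TAB<secret name>" per mounted
# secret and the comparison happens in bash, so the operator-supplied name is
# never spliced into the Go template (a double quote in it would have broken
# the previous inline template).
attached_secrets=$(docker service inspect \
  --format '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.File.Name}}{{"\t"}}{{.SecretName}}{{"\n"}}{{end}}' \
  "$stack_service") || { echo "ERROR: cannot inspect service '$stack_service'" >&2; exit 1; }
stack_secret_name_old_version=
while IFS=$'\t' read -r mounted_file mounted_secret; do
  if [[ "$mounted_file" == "$secret_name" ]]; then
    stack_secret_name_old_version=$mounted_secret
    break
  fi
done <<<"$attached_secrets"

if [[ -n "$stack_secret_name_old_version" ]]; then
  myecho "the existing service secret is named: $stack_secret_name_old_version"
else
  myecho "no secret is currently mounted as '$secret_name'; it will be added"
fi

myecho "creating new secret: $stack_secret_name_new_version"
# The value travels over stdin, never as a command-line argument.
printf '%s' "$secret_value" | docker secret create "$stack_secret_name_new_version" - >/dev/null

myecho "remove old secret, add new, & bring up updated service"
# --secret-rm of an empty name is an error, so only pass it when something is
# actually mounted (first rotation of a service adds only).
update_args=()
if [[ -n "$stack_secret_name_old_version" ]]; then
  update_args+=(--secret-rm "$stack_secret_name_old_version")
fi
update_args+=(--secret-add "src=${stack_secret_name_new_version},target=${secret_name}")
if ! docker service update "${update_args[@]}" "$stack_service"; then
  # Do not leave an orphaned secret object holding the new value behind.
  echo "ERROR: service update failed; removing unused secret '$stack_secret_name_new_version'" >&2
  docker secret rm "$stack_secret_name_new_version" >/dev/null || true
  exit 1
fi

myecho "find old secret versions"
# todo: if we ever get into rolling back, will this cause problems?
# (deleting old versions removes the target a `docker service rollback` would need)
# `--filter name=` is a substring match, so re-check the prefix here and exclude
# the new version by exact name instead of by `grep -v` substring. Previously a
# `grep -v` with no remaining lines exited 1 and, under `set -e`, killed the
# script on the very first rotation.
old_versions=()
if listing=$(docker secret ls --filter "name=${version_prefix}" --format '{{.Name}}'); then
  while IFS= read -r candidate; do
    [[ -n "$candidate" ]] || continue
    [[ "$candidate" == "${version_prefix}"* ]] || continue
    [[ "$candidate" != "$stack_secret_name_new_version" ]] || continue
    old_versions+=("$candidate")
  done <<<"$listing"
else
  echo "WARN: could not list secrets; skipping cleanup of old versions" >&2
fi

if (( ${#old_versions[@]} == 0 )); then
  myecho "no old secret versions to clean up"
else
  myecho "clean up old secret versions: ${old_versions[*]}"
  # Best effort: a version still referenced by a task that has not been
  # replaced yet cannot be removed; the rotation itself has already succeeded.
  docker secret rm "${old_versions[@]}" \
    || echo "WARN: some old secret versions could not be removed (still in use?); re-run later to clean up" >&2
fi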