@6be709c0
Created September 20, 2017 04:18
A simple command to finally update the docker secret!
#!/usr/bin/env bash
# HOW TO USE
# ./updateSecret.sh secretName newValue
# It's that simple!
if [ "$#" -ne 2 ]; then
  echo "#####"
  echo "You must supply secretName newValue"
  echo "ex : ./updateSecret.sh mongo_url \"mongodb://mongo:27017,mongo_2:27017,mongo_3:27017/myDB?replicaSet=rs0\""
  echo "#####"
  exit 1
fi
secretName=$1
newValue=$2
dateNow=$(date +%s%N)
# The new secret gets a unique name; services keep the old name as the mount target
sourceSecretName="${secretName}_${dateNow}"

# Check which services are using the secret name
function whoUseMySecret {
  local names=""
  # Loop over each service and keep the ones whose spec references that secret
  for name in $(docker service ls --format "{{.Name}}")
  do
    usingMySecret=$(docker service inspect "$name" | grep -c "\"$secretName\"")
    if [ "$usingMySecret" -gt 0 ]; then
      names="$names:$name"
    fi
  done
  echo "${names#":"}"
}

function getAllSecretsBeginWith {
  local names=""
  # Get all secret names matching the secret name (the name filter is a substring match,
  # so any secret whose name contains $secretName is returned)
  # Useful to remove the oldest ones
  for name in $(docker secret ls -f name="$secretName" --format "{{.Name}}")
  do
    names="$names:$name"
  done
  echo "${names#":"}"
}

function updateSecret {
  local svNames=$1
  local scNames=$2
  # Transform the colon-separated lists into arrays
  svNames=(${svNames//:/ })
  scNames=(${scNames//:/ })
  # Arguments to remove several secrets from a service in a single update
  local deleteSecretsArgs=()
  for name in "${scNames[@]}"
  do
    deleteSecretsArgs+=(--secret-rm "$name")
  done
  # Update all services: remove the old secrets, then add the new one with the same target
  for name in "${svNames[@]}"
  do
    docker service update \
      "${deleteSecretsArgs[@]}" \
      --secret-add src="$sourceSecretName",target="$secretName" \
      --detach=false "$name"
  done
  # Remove the oldest secrets (docker refuses to remove a secret still in use)
  for name in "${scNames[@]}"
  do
    docker secret rm "$name"
  done
}

function main {
  serviceNames=$(whoUseMySecret)
  echo "serviceNames = $serviceNames"
  # Collect the old secrets before the new one is created so it is not removed
  secretsName=$(getAllSecretsBeginWith)
  # printf instead of echo so the stored value carries no trailing newline
  printf '%s' "$newValue" | docker secret create "$sourceSecretName" -
  updateSecret "$serviceNames" "$secretsName"
}
main
@jamiejackson
Thanks for this. I noticed it only after I had written my own: https://gist.github.com/jamiejackson/a1818acedaeb9c3cd70bafac86a0100b

I haven't tried yours yet, but a couple of things I noticed:

  • It doesn't seem to account for long secret names.
    • It will likely fail if the original secret name has > 44 characters. Secret names are capped at 64 characters, and your unique token is 20 characters long (e.g., _1529863818683524595).
    • Using date for the unique token might not be ideal.

Mine truncates the secret name, if necessary, and uses a UUID, so that if a truncation does occur and there are only a couple of beginning characters left in the "unique" version token, it's more likely (than date) to still be unique. Consider these:

Date-based, with truncation

Uniqueness is not ensured.

stack_name_secret_fusionreactor_administrator_password_152986381 3690565192
stack_name_secret_fusionreactor_administrator_password_152986381 8683524595

UUID-based, with truncation

Uniqueness is still very likely (and as likely as possible).

stack_name_secret_fusionreactor_administrator_password_v-10c4b9c 0-25d5-4104-9782-4fecf620366c
stack_name_secret_fusionreactor_administrator_password_v-d5c23c7 4-adcd-4a1d-a91f-901dff50b11d
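The naming problem raised in the comment above, worked through as an added example (this is neither the gist author's nor the commenter's code): a shell function that builds the rotated secret name so it always fits Docker's 64-character cap on secret names, the limit the comment states. It goes one step beyond the comment's approach: instead of truncating the finished name, which can leave only a few characters of the random token, it shortens the base name and keeps the whole token, so uniqueness never depends on how much of the token survives. The function names `new_token`, `rotated_secret_name` and `secret_name_fits` are chosen here and are not part of any Docker tooling.

```shell
#!/usr/bin/env bash
# Added example, not the gist's code: name a rotated Docker secret so the
# result always fits the 64-character limit mentioned in the comment above.

MAX_SECRET_NAME_LEN=64   # Docker's cap on secret names, as stated in the comment

# new_token: print a random version token. Prefers uuidgen, then the
# kernel's UUID generator, then 16 raw random bytes rendered as hex.
new_token() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr 'A-Z' 'a-z'
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
  fi
}

# rotated_secret_name BASE TOKEN
# Prints "<base>_v-<token>". If that would exceed MAX_SECRET_NAME_LEN the
# BASE is shortened; the token is never cut, so the full random part survives.
rotated_secret_name() {
  local base=$1
  local token=$2
  local suffix="_v-$token"
  local room=$(( MAX_SECRET_NAME_LEN - ${#suffix} ))
  if [ "$room" -lt 1 ]; then
    echo "rotated_secret_name: token '$token' leaves no room for a base name" >&2
    return 1
  fi
  # cut keeps the first $room characters (or the whole base when it is shorter)
  local prefix
  prefix=$(printf '%s' "$base" | cut -c "1-$room")
  printf '%s%s\n' "$prefix" "$suffix"
}

# secret_name_fits NAME: succeed only when NAME is within the limit,
# a cheap check to run before calling "docker secret create"
secret_name_fits() {
  [ "${#1}" -le "$MAX_SECRET_NAME_LEN" ]
}

# Usage (the long base name is the one quoted in the comment above):
# rotated_secret_name stack_name_secret_fusionreactor_administrator_password "$(new_token)"
```

With the 36-character UUID token the suffix takes 39 characters, so a base name longer than 25 characters is trimmed to 25; a short base such as `mongo_url` is left untouched. The `_v-` separator makes the rotated names easy to pick out in `docker secret ls` output when deciding which old versions to remove.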
