docker_secret – Manage docker secrets.
docker_secret – Manage docker secrets.
New in version 2.4.
Synopsis
- Create and remove Docker secrets in a Swarm environment. Similar to
docker secret create
anddocker secret rm
. - Adds to the metadata of new secrets ‘ansible_key’, an encrypted hash representation of the data, which is then used
- in future runs to test if a secret has changed.
- If ‘ansible_key is not present, then a secret will not be updated unless the
force
option is set. - Updates to secrets are performed by removing the secret and creating it again.
Requirements
The below requirements are needed on the host that executes this module.
- docker-py >= 2.1.0
- Please note that the docker-py Python module has been superseded by docker (see here for details). Version 2.1.0 or newer is only available with the
docker
module. - Docker API >= 1.25
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
api_version - |
Default: "auto" |
The version of the Docker API running on the Docker Host. Defaults to the latest version of the API supported by docker-py. If the value is not specified in the task, the value of environment variable
|
cacert_path - |
Use a CA certificate when performing server verification by providing the path to a CA certificate file. If the value is not specified in the task and the environment variable
| |
cert_path - |
Path to the client's TLS certificate file. If the value is not specified in the task and the environment variable
| |
data - |
String. The value of the secret. Required when state is | |
debug boolean |
|
Debug mode |
docker_host - |
Default: "unix://var/run/docker.sock" |
The URL or Unix socket path used to connect to the Docker API. To connect to a remote host, provide the TCP connection string. For example, 'tcp://192.0.2.23:2376'. If TLS is used to encrypt the connection, the module will automatically replace 'tcp' in the connection URL with 'https'. If the value is not specified in the task, the value of environment variable
|
force boolean |
|
Use with state If true, an existing secret will be replaced, even if it has not changed. |
key_path - |
Path to the client's TLS key file. If the value is not specified in the task and the environment variable
| |
labels - |
A map of key:value meta data, where both the key and value are expected to be a string. If new meta data is provided, or existing meta data is modified, the secret will be updated by removing it and creating it again. | |
name - / required |
The name of the secret. | |
ssl_version - |
Provide a valid SSL version number. Default value determined by ssl.py module. If the value is not specified in the task, the value of environment variable | |
state - |
|
Set to |
timeout - |
Default: 60 |
The maximum amount of time in seconds to wait on a response from the API. If the value is not specified in the task, the value of environment variable |
tls boolean |
|
Secure the connection to the API by using TLS without verifying the authenticity of the Docker host server. If the value is not specified in the task, the value of environment variable |
tls_hostname - |
Default: "localhost" |
When verifying the authenticity of the Docker Host server, provide the expected name of the server. If the value is not specified in the task, the value of environment variable |
tls_verify boolean |
|
Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server. If the value is not specified in the task, the value of environment variable |
Notes
Note
- Connect to the Docker daemon by providing parameters with each task or by defining environment variables. You can define DOCKER_HOST, DOCKER_TLS_HOSTNAME, DOCKER_API_VERSION, DOCKER_CERT_PATH, DOCKER_SSL_VERSION, DOCKER_TLS, DOCKER_TLS_VERIFY and DOCKER_TIMEOUT. If you are using docker machine, run the script shipped with the product that sets up the environment. It will set these variables for you. See https://docker-py.readthedocs.io/en/stable/machine/ for more details.
- When connecting to Docker daemon with TLS, you might need to install additional Python packages. For the Docker SDK for Python, version 2.4 or newer, this can be done by installing
docker[tls]
with pip. - Note that the Docker SDK for Python only allows to specify the path to the Docker configuration for very few functions. In general, it will use
$HOME/docker/config.json
if theDOCKER_CONFIG
environment variable is not specified, and use$DOCKER_CONFIG/config.json
otherwise.
Examples
- name: Create secret foo
docker_secret:
name: foo
data: Hello World!
state: present
- name: Change the secret data
docker_secret:
name: foo
data: Goodnight everyone!
labels:
bar: baz
one: '1'
state: present
- name: Add a new label
docker_secret:
name: foo
data: Goodnight everyone!
labels:
bar: baz
one: '1'
# Adding a new label will cause a remove/create of the secret
two: '2'
state: present
- name: No change
docker_secret:
name: foo
data: Goodnight everyone!
labels:
bar: baz
one: '1'
# Even though 'two' is missing, there is no change to the existing secret
state: present
- name: Update an existing label
docker_secret:
name: foo
data: Goodnight everyone!
labels:
bar: monkey # Changing a label will cause a remove/create of the secret
one: '1'
state: present
- name: Force the removal/creation of the secret
docker_secret:
name: foo
data: Goodnight everyone!
force: yes
state: present
- name: Remove secret foo
docker_secret:
name: foo
state: absent
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
secret_id string |
success |
The ID assigned by Docker to the secret object.
Sample: hzehrmyjigmcp2gb6nlhmjqcv |
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Chris Houseknecht (@chouseknecht)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.7/modules/docker_secret_module.html