Docker Update Secrets via API

Question

Is there an equivalent to docker service update --secret-add [SOME SECRET] [SERVICE]?

The docs don't mention anywhere I can do this: https://docs.docker.com/engine/api/v1.25/#tag/Service

but I've been told before that the docker command uses the API, so I'm assuming there it's in the API somewhere?

On a related note, I noticed that inspecting a secret via the API gives back an "UpdatedAt" field. Does this suggest that there'll be a way to update the same secret in the future, rather than having to create a new secret?

score 0 · Answer 1 · answered Aug 24 '17 at 11:20

You can use the 'Services' endpoint to update a service. The request body contains a section for defining new secrets: TaskTemplate.ContainerSpec.Secrets.

Something like this should work:

{
  "Name": "top",
  "TaskTemplate": {
    "ContainerSpec": {
      "Image": "busybox",
      "Args": [],
      "Secrets: [
        "SecretID": <id_of_your_secret>
      ]
    },
    "Resources": {},
    "RestartPolicy": {},
    "Placement": { },
    "ForceUpdate": 0
  },
  "Mode": {
    "Replicated": {}
  },
  "UpdateConfig": {
    "Parallelism": 2,
    "Delay": 1000000000,
    "FailureAction": "pause",
    "Monitor": 15000000000,
    "MaxFailureRatio": 0.15
  },
  "RollbackConfig": {
    "Parallelism": 1,
    "Delay": 1000000000,
    "FailureAction": "pause",
    "Monitor": 15000000000,
    "MaxFailureRatio": 0.15
  },
  "EndpointSpec": {
    "Mode": "vip"
  }
}

score 0 · Answer 2 · answered Aug 08 '21 at 12:14

I know this question is old, but i may help others. The answer is on the documentation here.

Endpoint

/services/create

Example request:

{
  "Name": "web",
  "TaskTemplate": {
    "ContainerSpec": {
      "Image": "nginx:alpine",
      "Mounts": [
        {
          "ReadOnly": true,
          "Source": "web-data",
          "Target": "/usr/share/nginx/html",
          "Type": "volume",
          "VolumeOptions": {
            "DriverConfig": {},
            "Labels": {
              "com.example.something": "something-value"
            }
          }
        }
      ],
      "User": "33",
      "DNSConfig": {
        "Nameservers": [
          "8.8.8.8"
        ],
        "Search": [
          "example.org"
        ],
        "Options": [
          "timeout:3"
        ]
      }
    },
    "LogDriver": {
      "Name": "json-file",
      "Options": {
        "max-file": "3",
        "max-size": "10M"
      }
    },
    "Placement": {},
    "Resources": {
      "Limits": {
        "MemoryBytes": 104857600
      },
      "Reservations": {}
    },
    "RestartPolicy": {
      "Condition": "on-failure",
      "Delay": 10000000000,
      "MaxAttempts": 10
    }
  },
  "Mode": {
    "Replicated": {
      "Replicas": 4
    }
  },
  "UpdateConfig": {
    "Delay": 30000000000,
    "Parallelism": 2,
    "FailureAction": "pause"
  },
  "EndpointSpec": {
    "Ports": [
      {
        "Protocol": "tcp",
        "PublishedPort": 8080,
        "TargetPort": 80
      }
    ]
  },
  "Labels": {
    "foo": "bar"
  }
}

Example response

{
  "ID": "ak7w3gjqoa3kuz8xcpnyy0pvl",
  "Warning": "unable to pin image doesnotexist:latest to digest: image library/doesnotexist:latest not found"
}

Docker Update Secrets via API

2 Answers2