kubernetes · hangyan · May 16, 2018 · Jul 25, 2018 · Aug 2, 2018 · Aug 2, 2018
diff --git a/docs/conversion.md b/docs/conversion.md
@@ -33,7 +33,7 @@ __Glossary:__
 | deploy: replicas       | -  | -  | ✓  | Deployment.Spec.Replicas / DeploymentConfig.Spec.Replicas   |                                                                                                                |
 | deploy: placement      | -  | -  | ✓  | Pod.Spec.NodeSelector                                       |                                                                                                                |
 | deploy: update_config  | -  | -  | n  |                                                             |                                                                                                                |
-| deploy: resources      | -  | -  | ✓  | Containers.Resources.Limits.Memory / Containers.Resources.Limits.CPU | Support for memory as well as cpu                                                                    |
+| deploy: resources      | -  | -  | ✓  | Containers.Resources.Limits.Memory / Containers.Resources.Limits.CPU | Support for memory as well as cpu                                                                     |
 | deploy: restart_policy | -  | -  | ✓  | Pod generation                                              | This generated a Pod, see the [user guide on restart](http://kompose.io/user-guide/#restart)                   |
 | deploy: labels         | -  | -  | n  |                                                             |                                                                                                                |
 | devices                | x  | x  | x  |                                                             | Not supported within Kubernetes, See issue https://github.com/kubernetes/kubernetes/issues/5607                |
@@ -58,18 +58,18 @@ __Glossary:__
 | labels                 | ✓  | ✓  | ✓  | Metadata.Annotations                                        |                                                                                                                |
 | links                  | x  | x  | x  |                                                             | All containers in the same pod are accessible in Kubernetes                                                    |
 | logging                | x  | x  | x  |                                                             | Kubernetes has built-in logging support at the node-level                                                      |
-| network_mode           | x  | x  | x  |                                                             | Kubernetes uses its own cluster networking                                                                    |
+| network_mode           | x  | x  | x  |                                                             | Kubernetes uses its own cluster networking                                                                     |
 | networks               | x  | x  | x  |                                                             | See `networks` key                                                                                             |
 | networks: aliases      | x  | x  | x  |                                                             | See `networks` key                                                                                             |
 | networks: addresses    | x  | x  | x  |                                                             | See `networks` key                                                                                             |
 | pid                    | ✓  | ✓  | ✓  | Pod.Spec.HostPID                                            |                                                                                                                |
 | ports                  | ✓  | ✓  | ✓  | Service.Spec.Ports                                          |                                                                                                                |
 | ports: short-syntax    | ✓  | ✓  | ✓  | Service.Spec.Ports                                          |                                                                                                                |
 | ports: long-syntax     | -  | -  | ✓  | Service.Spec.Ports                                          |                                                                                                                |
-| secrets                | -  | -  | n  |                                                             |                                                                                                                |
-| secrets: short-syntax  | -  | -  | n  |                                                             |                                                                                                                |
-| secrets: long-syntax   | -  | -  | n  |                                                             |                                                                                                                |
-| security_opt           | x  | x  | x  |                                                             | Kubernetes uses its own container naming scheme                                                               |
+| secrets                | -  | -  | ✓  | Secret                                                      | External Secret is not Supported                                                                               |
+| secrets: short-syntax  | -  | -  | ✓  | Secret                                                      | External Secret is not Supported                                                                               |
+| secrets: long-syntax   | -  | -  | ✓  | Secret                                                      | External Secret is not Supported                                                                               |
+| security_opt           | x  | x  | x  |                                                             | Kubernetes uses its own container naming scheme                                                                |
 | stop_grace_period      | ✓  | ✓  | ✓  | Pod.Spec.TerminationGracePeriodSeconds                      |                                                                                                                |
 | stop_signal            | x  | x  | x  |                                                             | Not supported within Kubernetes. See issue https://github.com/kubernetes/kubernetes/issues/30051               |
 | sysctls                | n  | n  | n  |                                                             |                                                                                                                |

diff --git a/glide.lock b/glide.lock
diff --git a/glide.yaml b/glide.yaml
@@ -7,6 +7,9 @@ import:
 - package: github.com/sirupsen/logrus
   version: 1.0.3
 
+- package: github.com/spf13/cast
+  version: v1.2.0
+
 - package: golang.org/x/sys
   version: ebfc5b4631820b793c9010c87fd8fef0f39eb082
 

diff --git a/pkg/kobject/kobject.go b/pkg/kobject/kobject.go
@@ -29,6 +29,8 @@ type KomposeObject struct {
 	// Transformer need to know origin format in order to tell user what tag is not supported in origin format
 	// as they can have different names. For example environment variables  are called environment in compose but Env in bundle.
 	LoadedFrom string
+
+	Secrets map[string]dockerCliTypes.SecretConfig
 }
 
 // ConvertOptions holds all options that controls transformation process
@@ -107,8 +109,9 @@ type ServiceConfig struct {
 	Replicas         int                 `compose:"replicas"`
 	GroupAdd         []int64             `compose:"group_add"`
 	Volumes          []Volumes           `compose:""`
-	HealthChecks     HealthCheck         `compose:""`
-	Placement        map[string]string   `compose:""`
+	Secrets          []dockerCliTypes.ServiceSecretConfig
+	HealthChecks     HealthCheck       `compose:""`
+	Placement        map[string]string `compose:""`
 	//This is for long LONG SYNTAX link(https://docs.docker.com/compose/compose-file/#long-syntax)
 	Configs []dockerCliTypes.ServiceConfigObjConfig `compose:""`
 	//This is for SHORT SYNTAX link(https://docs.docker.com/compose/compose-file/#configs)

diff --git a/pkg/loader/compose/v3.go b/pkg/loader/compose/v3.go
@@ -248,6 +248,7 @@ func dockerComposeToKomposeMapping(composeObject *types.Config) (kobject.Kompose
 	komposeObject := kobject.KomposeObject{
 		ServiceConfigs: make(map[string]kobject.ServiceConfig),
 		LoadedFrom:     "compose",
+		Secrets:        composeObject.Secrets,
 	}
 
 	// Step 2. Parse through the object and convert it to kobject.KomposeObject!
@@ -276,6 +277,7 @@ func dockerComposeToKomposeMapping(composeObject *types.Config) (kobject.Kompose
 		serviceConfig.Labels = composeServiceConfig.Labels
 		serviceConfig.HostName = composeServiceConfig.Hostname
 		serviceConfig.DomainName = composeServiceConfig.DomainName
+		serviceConfig.Secrets = composeServiceConfig.Secrets
 
 		//
 		// Deploy keys

diff --git a/pkg/transformer/kubernetes/k8sutils.go b/pkg/transformer/kubernetes/k8sutils.go
@@ -608,7 +608,18 @@ func GetEnvsFromFile(file string, opt kobject.ConvertOptions) (map[string]string
 	return envLoad, nil
 }
 
+// GetSecretDataFromFile load secret content data
+func GetSecretDataFromFile(file string, opt kobject.ConvertOptions) ([]byte, error) {
+	composeDir, err := transformer.GetComposeFileDir(opt.InputFiles)
+	if err != nil {
+		return nil, errors.Wrap(err, "Unable to load file context")
+	}
+	fileLocation := path.Join(composeDir, file)
+	return ioutil.ReadFile(fileLocation)
+}
+
 // GetContentFromFile get content from file
+// TODO(hang): merge these two functions
 func GetContentFromFile(file string, opt kobject.ConvertOptions) (string, error) {
 	// Get the correct file context / directory
 	composeDir, err := transformer.GetComposeFileDir(opt.InputFiles)

diff --git a/pkg/transformer/kubernetes/kubernetes.go b/pkg/transformer/kubernetes/kubernetes.go
@@ -50,6 +50,7 @@ import (
 
 	"github.com/kubernetes/kompose/pkg/loader/compose"
 	"github.com/pkg/errors"
+	"github.com/spf13/cast"
 	"k8s.io/kubernetes/pkg/api/meta"
 	"k8s.io/kubernetes/pkg/labels"
 	"path/filepath"
@@ -372,6 +373,37 @@ func (k *Kubernetes) initIngress(name string, service kobject.ServiceConfig, por
 	return ingress
 }
 
+// CreateSecrets create secrets
+func (k *Kubernetes) CreateSecrets(komposeObject kobject.KomposeObject) ([]*api.Secret, error) {
+	var objects []*api.Secret
+	for name, config := range komposeObject.Secrets {
+		if config.File != "" {
+			data, err := GetSecretDataFromFile(config.File, k.Opt)
+			if err != nil {
+				log.Fatal("unable to read secret from file: ", config.File)
+				return nil, err
+			}
+			secret := &api.Secret{
+				TypeMeta: unversioned.TypeMeta{
+					Kind:       "Secret",
+					APIVersion: "v1",
+				},
+				ObjectMeta: api.ObjectMeta{
+					Name:   name,
+					Labels: transformer.ConfigLabels(name),
+				},
+				Type: api.SecretTypeOpaque,
+				Data: map[string][]byte{name: data},
+			}
+			objects = append(objects, secret)
+		} else {
+			log.Warnf("External secrets %s is not currently supported - ignoring", name)
+		}
+	}
+	return objects, nil
+
+}
+
 // CreatePVC initializes PersistentVolumeClaim
 func (k *Kubernetes) CreatePVC(name string, mode string, size string) (*api.PersistentVolumeClaim, error) {
 	volSize, err := resource.ParseQuantity(size)
@@ -516,6 +548,60 @@ func (k *Kubernetes) ConfigTmpfs(name string, service kobject.ServiceConfig) ([]
 	return volumeMounts, volumes
 }
 
+// ConfigSecretVolumes config volumes from secret.
+// Link: https://docs.docker.com/compose/compose-file/#secrets
+// In kubernetes' Secret resource, it has a data structure like a map[string]bytes, every key will act like the file name
+// when mount to a container. This is the part that missing in compose. So we will create a single key secret from compose
+// config and the key's name will be the secret's name, it's value is the file content.
+// compose'secret can only be mounted at `/run/secrets`, so we will hardcoded this.
+func (k *Kubernetes) ConfigSecretVolumes(name string, service kobject.ServiceConfig) ([]api.VolumeMount, []api.Volume) {
+	var volumeMounts []api.VolumeMount
+	var volumes []api.Volume
+	if len(service.Secrets) > 0 {
+		for _, secretConfig := range service.Secrets {
+			if secretConfig.UID != "" {
+				log.Warnf("Ignore pid in secrets for service: %s", name)
+			}
+			if secretConfig.GID != "" {
+				log.Warnf("Ignore gid in secrets for service: %s", name)
+			}
+
+			target := secretConfig.Target
+			if target == "" {
+				target = secretConfig.Source
+			}
+
+			volSource := api.VolumeSource{
+				Secret: &api.SecretVolumeSource{
+					SecretName: secretConfig.Source,
+					Items: []api.KeyToPath{{
+						Key:  secretConfig.Source,
+						Path: target,
+					}},
+				},
+			}
+
+			if secretConfig.Mode != nil {
+				mode := cast.ToInt32(*secretConfig.Mode)
+				volSource.Secret.DefaultMode = &mode
+			}
+
+			vol := api.Volume{
+				Name:         secretConfig.Source,
+				VolumeSource: volSource,
+			}
+			volumes = append(volumes, vol)
+
+			volMount := api.VolumeMount{
+				Name:      vol.Name,
+				MountPath: "/run/secrets",
+			}
+			volumeMounts = append(volumeMounts, volMount)
+		}
+	}
+	return volumeMounts, volumes
+}
+
 // ConfigVolumes configure the container volumes.
 func (k *Kubernetes) ConfigVolumes(name string, service kobject.ServiceConfig) ([]api.VolumeMount, []api.Volume, []*api.PersistentVolumeClaim, error) {
 	volumeMounts := []api.VolumeMount{}
@@ -536,6 +622,11 @@ func (k *Kubernetes) ConfigVolumes(name string, service kobject.ServiceConfig) (
 		useHostPath = true
 	}
 
+	// config volumes from secret if present
+	secretsVolumeMounts, secretsVolumes := k.ConfigSecretVolumes(name, service)
+	volumeMounts = append(volumeMounts, secretsVolumeMounts...)
+	volumes = append(volumes, secretsVolumes...)
+
 	var count int
 	//iterating over array of `Vols` struct as it contains all necessary information about volumes
 	for _, volume := range service.Volumes {
@@ -806,6 +897,16 @@ func (k *Kubernetes) Transform(komposeObject kobject.KomposeObject, opt kobject.
 	// this will hold all the converted data
 	var allobjects []runtime.Object
 
+	if komposeObject.Secrets != nil {
+		secrets, err := k.CreateSecrets(komposeObject)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Unable to create Secret resource")
+		}
+		for _, item := range secrets {
+			allobjects = append(allobjects, item)
+		}
+	}
+
 	sortedKeys := SortedKeys(komposeObject)
 	for _, name := range sortedKeys {
 		service := komposeObject.ServiceConfigs[name]

diff --git a/pkg/transformer/openshift/openshift.go b/pkg/transformer/openshift/openshift.go
@@ -275,6 +275,16 @@ func (o *OpenShift) Transform(komposeObject kobject.KomposeObject, opt kobject.C
 	buildRepo := opt.BuildRepo
 	buildBranch := opt.BuildBranch
 
+	if komposeObject.Secrets != nil {
+		secrets, err := o.CreateSecrets(komposeObject)
+		if err != nil {
+			return nil, errors.Wrapf(err, "create secrets error")
+		}
+		for _, item := range secrets {
+			allobjects = append(allobjects, item)
+		}
+	}
+
 	sortedKeys := kubernetes.SortedKeys(komposeObject)
 	for _, name := range sortedKeys {
 		service := komposeObject.ServiceConfigs[name]