docker_secret fails to remove secrets if a service is using them

[kaysond]

SUMMARY

If you try to change or remove a secret that is being used by an existing service, the module will fail:

Error removing secret secret_name: 400 Client Error for http+docker://localhost/v1.41/secrets/vurz9eq24g7kyilccxu20m3j3: Bad Request (\"rpc error: code = InvalidArgument desc = secret 'secret_name' is in use by the following service: authelia_authelia\")"}

ISSUE TYPE

• Bug Report

COMPONENT NAME

community.docker.docker_secret

ANSIBLE VERSION

ansible [core 2.11.1]
  config file = None
  configured module search path = ['/home/administrator/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/administrator/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/administrator/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0]
  jinja version = 2.11.2
  libyaml = True

COLLECTION VERSION

# /home/administrator/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.docker 2.0.0

# /home/administrator/.local/lib/python3.8/site-packages/ansible_collections
Collection       Version
---------------- -------
community.docker 1.5.0

# /usr/local/lib/python3.8/dist-packages/ansible_collections
Collection       Version
---------------- -------
community.docker 1.9.1

CONFIGURATION

<empty>

OS / ENVIRONMENT

Ubuntu 20.04, Debian 10

STEPS TO REPRODUCE

• Create a secret (probably using ansible so it has the metadata label)
• Create a service that uses that secret (doesnt need to be ansible)
• Change the value of the secret in the ansible module arg, and re-run ansible

EXPECTED RESULTS

module successfully changes the secret

ACTUAL RESULTS

module fails with the above error

[kaysond]

The module itself isn't "smart" (or swarm-aware). It just calls docker-py's remove_secret method which is the equivalent of running docker secret rm

It would be nice if the module removed (and potentially recreated) services that are using that secret. This should probably be behind a new option like remove_services or recreate_services.

I'd be interested in contributing these features, and also adding an option to this module that causes it to fail if the secret doesn't have metadata (#30)

As a bonus, the same options and code could probably be applied to docker_network to address #14

[felixfontein]

I don't think this is a bug, since that behavior is to be expected. Adding a switch to do this is definitely a feature request.

[kaysond]

Fair enough. Would you take a PR to add this feature?

[felixfontein]

I think such a PR would be accepted.

[imartinezortiz]

@kaysond #293 it is possible to rotate a secret, that I guess it is what you expect. This playbook it is a basic playbook (nginx + php-fpm) that I've used to test the approach. Just change the PHP $secret variable in the app_secret and run the playbook.

[kaysond]

Ah that is very cool!

I think there's still a potential missing feature, which is to automatically update services that were using the old secret. This is the behavior of docker_network, though that module is somewhat primitive in that it doesn't support swarm or custom network options