From ebeef45e85b9ab444e4f4199d21c0c926be59fcd Mon Sep 17 00:00:00 2001
From: aiordache <anca.iordache@docker.com>
Date: Thu, 7 Jan 2021 14:59:15 +0100
Subject: [PATCH] Implement secrets via bind-mounts for local compose

Signed-off-by: aiordache <anca.iordache@docker.com>
---
 local/compose/create.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/local/compose/create.go b/local/compose/create.go
index 8855b2ef..1dd717c1 100644
--- a/local/compose/create.go
+++ b/local/compose/create.go
@@ -296,6 +296,31 @@ func buildContainerMountOptions(p types.Project, s types.ServiceConfig, inherit
 		}
 		mounts = append(mounts, mount)
 	}
+
+	secretsDir := "/run/secrets"
+	for _, secret := range s.Secrets {
+		target := secret.Target
+		if secret.Target == "" {
+			target = filepath.Join(secretsDir, secret.Source)
+		} else if !filepath.IsAbs(secret.Target) {
+			target = filepath.Join(secretsDir, secret.Target)
+		}
+
+		definedSecret := p.Secrets[secret.Source]
+		if definedSecret.External.External {
+			return nil, fmt.Errorf("unsupported external secret %s", definedSecret.Name)
+		}
+		mount, err := buildMount(p, types.ServiceVolumeConfig{
+			Type:   types.VolumeTypeBind,
+			Source: definedSecret.File,
+			Target: target,
+		})
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, mount)
+	}
+
 	return mounts, nil
 }