This is pretty cool.

There are some golint issues around copying a structure with a lock inside it.

I don't have a strong opinion about the template cache. I would think that templates are relatively cheap to parse (sort of like a printf format string), and if we didn't cache them, we would only need to reparse when handling a new task. This is not exactly something we'd be doing in an inner loop, so the caching probably doesn't buy us much. But maybe template parsing has more overhead than I naively expect.

I don't have a strong opinion about the template cache

Yeah, template compilation is dirt cheap compared to prepping a container

I'll remove the template cache. I was breaking my own rules about premature optimization and felt dirty while doing it. If we prove a bottleneck here, we'll take care of it later. The actual answer might be to "de-feature" the template system, since complex templating isn't really needed.

Looks pretty cool. Will this bear any relation with config management?

@diogomonica This is the engine for configuration management:

• Imagine a new mount type that carries a file that can be evaluated as a template.
• Imagine having a secret template function to access to secrets within a template
• Imagine wiring this context to the evaluated resources to have the template re-expanded on resource change
• Imagine hooking in new sources for populating template variables

That is awesome @stevvooe !

My usecase would be to create a dir mounted as tmpfs and create a file in it containing credentials pulled from Vault that my service can access transparently.

Can't wait for this to land.

@tlvenn for this release all the secrets will be stored on the swarm managers, and will have to be added/removed/managed directly from the docker secret command. Later on we would love to support adding externally managed secrets that are imported from external secret stores and distributed throughout all the nodes.

This looks great.

What do you think about supporting ContainerSpec.Name and ContainerSpec.Hostname ?

@dnephin There is no ContainerSpec.Name field. We'd have to integrate Annotations and work to fix the backwards compatibility issues.

ContainerSpec.Hostname is not yet merged, but I think we can go ahead and merge it and add it without issue. The main problem with it, as I found out the other day, is that Hostname isn't just the hostname. It is parsed into both Hostname and DomainName, so we have to honor that model.

Based on all the "ooooh" and "ahhhh" above, shall I move this to "code review"?

LGTM

Please rebase

Added support for parameterizing hostname.

Current coverage is 55.89% (diff: 54.34%)

Merging #1650 into master will decrease coverage by 0.08%

@@             master      #1650   diff @@
==========================================
  Files            93         96     +3   
  Lines         14796      14886    +90   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
+ Hits           8283       8320    +37   
- Misses         5425       5466    +41   
- Partials       1088       1100    +12   

Powered by Codecov. Last update 328d703...21cdd63

@diogomonica Can you link the Issue/PR/Proposal if any that introduce docker secret command ? I would love to learn more about it. Thanks !

A few more changes:

• removed support for Task.Labels. These aren't really of interest to the user. They can set container labels manually or template with task labels. We may allow templating of container labels in the future and this limitation preserves that choice.
• Added some pedantic units tests ensuring that labels from the task.annotations don't pollute the templates.

ping @aaronlehmann @diogomonica PTAL, let's see if we can get this into 1.13 ❤️

LGTM

Needs rebase