Skip to content

Remove JFS references + secrets engine injection #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Remove JFS references + secrets engine injection #247

wants to merge 11 commits into from
+409 −927

Conversation

@saucow
Copy link
Contributor

@saucow saucow commented Nov 18, 2025
edited
Loading

What I did

Changes

Secret Injection

Container MCPs

Secrets injected as se:// URIs, resolved by Docker Desktop at container runtime. Gateway never holds secret values in memory.

Remote MCPs

Secrets queried from Secrets Engine and expanded into HTTP headers. Actual values required for Bearer tokens and header interpolation.

OAuth Tokens

OAuth tokens retrieved from Secrets Engine in Desktop mode. Falls back to credential helpers in CE mode. Token refresh monitoring also uses Secrets Engine.

Commands Removed

  • docker mcp policy set/dump - Policy management incompatible with Secrets Engine access control
  • docker mcp secret export - Replaced by Secrets Engine queries

Commands Changed

docker mcp secret set

Stores secrets via docker pass to OS Keychain under docker/mcp/generic/ namespace.

docker mcp secret ls

Queries Secrets Engine HTTP API instead of JFS socket. JSON output format compatible with Docker Desktop UI.

docker mcp secret rm

Deletes secrets via docker pass rm. Only removes docker-pass provider secrets. Legacy secrets must be removed via OS credential tools.

Benehiko and others added 4 commits November 17, 2025 13:29
@Benehiko @saucow
cmd/secret: use new store (#217)
bc38cfe 
* cmd/secret: use new store

Signed-off-by: Alano Terblanche <[email protected]>

* Add temporary secrets engine client

Signed-off-by: Alano Terblanche <[email protected]>

* Lint fixes + remove tests + don't return cred value

* update docs

---------

Signed-off-by: Alano Terblanche <[email protected]>
Co-authored-by: Saurabh Davala <[email protected]>
@saucow
inject secrets by ID + return empty secrets map
9154242
@saucow
Remove jfs references and commnds which utilize jfs like: dump, restore
49d560d
@saucow
Use secrets client for remote case
51295fb
@saucow saucow requested a review from Benehiko November 18, 2025 04:35
@saucow saucow changed the title Secrets engine injection Remove JFS references + secrets engine injection Nov 18, 2025
saucow
saucow commented Nov 21, 2025
View reviewed changes
cmd/docker-mcp/secret-management/secret/secretsengine.go Outdated
Comment on lines 41 to 42
`{"pattern": "docker/mcp/generic/*"}`, // Generic secrets (docker pass)
`{"pattern": "docker/mcp/oauth/*"}`, // OAuth tokens
Copy link
Contributor Author

@saucow saucow Nov 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: workaround as I wasn't able to query all with: docker/mcp/**

@saucow saucow changed the base branch from secrets-engine to main November 24, 2025 22:54
@saucow saucow marked this pull request as ready for review November 25, 2025 01:46
@saucow saucow requested a review from a team as a code owner November 25, 2025 01:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Benehiko Benehiko Awaiting requested review from Benehiko

@cmrigney cmrigney Awaiting requested review from cmrigney

@slimslenderslacks slimslenderslacks Awaiting requested review from slimslenderslacks

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@saucow @Benehiko