Remove Swarm API Key from Docs #24404

Closed
vallieres wants to merge 1 commit into main from update-swarm-docs-2

@vallieres

Description

Removing secrets from documentation.

Related issues or tickets

Reviews

  • Technical review
  • Editorial review
  • Product review

@netlify

netlify bot commented Mar 18, 2026

Deploy Preview for docsdocker ready!

Name Link
🔨 Latest commit 90a21cd
🔍 Latest deploy log https://app.netlify.com/projects/docsdocker/deploys/69baec78dc745c0008e5bb0f
😎 Deploy Preview https://deploy-preview-24404--docsdocker.netlify.app

@github-actions github-actions bot added area/engine Issue affects Docker engine/daemon area/networking Relates to anything around networking area/swarm Issue affects swarm and clustering functionality of docker area/guides labels Mar 18, 2026
@vallieres vallieres marked this pull request as ready for review March 18, 2026 18:37
@vallieres vallieres requested a review from dvdksn as a code owner March 18, 2026 18:38
Contributor

@docker-agent docker-agent bot left a comment

Assessment: 🔴 CRITICAL

This PR modifies CLI reference YAML files in data/cli/engine/ that are vendored from the upstream docker/cli repository. According to project policy (see AGENTS.md), these files should not be edited directly in the docs repository.

Required action: These changes must be made in the upstream docker/cli repository first, then vendored back to the docs repository. Direct edits here will be overwritten on the next vendor sync.

The content changes themselves (removing real Swarm secrets and replacing with placeholders) are appropriate for security reasons, but they need to go through the correct upstream workflow.

To add a worker to this swarm, run the following command:

docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx 172.17.0.2:2377
docker swarm join --token SWMTKN-1-aaa 172.17.0.2:2377
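
Review bot: In the `docker swarm join --token SWMTKN-1-aaa 172.17.0.2:2377` line, nothing tells the reader that `SWMTKN-1-aaa` is a shortened stand-in, and because the block sits under "To add a worker to this swarm, run the following command:" it reads as literal command output. An explicit placeholder such as `SWMTKN-1-<token>`, or a sentence beside the block saying the value is abbreviated, would avoid that. Editing the line also leaves the earlier value in the repository history, so if it was ever issued by a live swarm it still needs rotating.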

🔴 CRITICAL: Editing vendored CLI reference file

This file is vendored from the upstream docker/cli repository and should not be edited directly in the docs repository.

According to AGENTS.md:

Content in _vendor/ and CLI reference pages generated from data/cli/ are vendored from upstream repos. Don't edit these files — changes must go to the source repository

Required action: Make this change in docker/cli first, then vendor it back to the docs repository. Direct edits here will be overwritten on the next vendor sync.


docker swarm join \
--token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx \
--token SWMTKN-1-aaa \

🔴 CRITICAL: Editing vendored CLI reference file

This file is vendored from the upstream docker/cli repository and should not be edited directly in the docs repository.

According to AGENTS.md:

Content in _vendor/ and CLI reference pages generated from data/cli/ are vendored from upstream repos. Don't edit these files — changes must go to the source repository

Required action: Make this change in docker/cli first, then vendor it back to the docs repository. Direct edits here will be overwritten on the next vendor sync.


```console
$ docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377
$ docker swarm join --token SWMTKN-1-aaa 192.168.99.121:2377

🔴 CRITICAL: Editing vendored CLI reference file

This file is vendored from the upstream docker/cli repository and should not be edited directly in the docs repository.

According to AGENTS.md:

Content in _vendor/ and CLI reference pages generated from data/cli/ are vendored from upstream repos. Don't edit these files — changes must go to the source repository

Required action: Make this change in docker/cli first, then vendor it back to the docs repository. Direct edits here will be overwritten on the next vendor sync.

command and provide the following key:

SWMKEY-1-fySn8TY4w5lKcWcJPIpKufejh9hxx5KYwx6XZigx3Q4
SWMKEY-1-aaa
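
Review bot: `SWMKEY-1-aaa` directly follows "command and provide the following key:", so the text presents a three-character filler as the key to supply, and it reuses the same `aaa` filler as the `SWMTKN-1-aaa` join tokens in the other hunks. A named placeholder per value type (for example `SWMKEY-1-<unlock-key>`) would keep the two kinds of secret distinguishable and make it obvious that the value is not real output.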

🔴 CRITICAL: Editing vendored CLI reference file

This file is vendored from the upstream docker/cli repository and should not be edited directly in the docs repository.

According to AGENTS.md:

Content in _vendor/ and CLI reference pages generated from data/cli/ are vendored from upstream repos. Don't edit these files — changes must go to the source repository

Required action: Make this change in docker/cli first, then vendor it back to the docs repository. Direct edits here will be overwritten on the next vendor sync.

@dvdksn
Contributor

dvdksn commented Mar 18, 2026

@vallieres - see bot comment. This needs to be updated in the docker/cli repo upstream. But not sure why we need to change these?

@thaJeztah
Member

Do you know if the secrets detection on GitHub allows for patterns for example values? Ideally we'd still show a key with the same format and length; I recall there was a thread about that, but not sure what the outcome was (if github supported it)

@vallieres
Author

> Do you know if the secrets detection on GitHub allows for patterns for example values? Ideally we'd still show a key with the same format and length; I recall there was a thread about that, but not sure what the outcome was (if github supported it)

Sadly it's not possible. The most we can do is provide negative lookahead regexp but it's easily getting out of hand if we start adding a rule for each token...

@vallieres
Author

> @vallieres - see bot comment. This needs to be updated in the docker/cli repo upstream. But not sure why we need to change these?

These keep on triggering secret scanning tools as they look like valid Swarm tokens. And since this is being replicated in a few other places, we easily get 50+ notifications regularly. Trying to fix this at the source so we stop tripping the wire for these tools. I'll get the cli repo updated.

docker/cli#6867

@thaJeztah
Member

> > Do you know if the secrets detection on GitHub allows for patterns for example values? Ideally we'd still show a key with the same format and length; I recall there was a thread about that, but not sure what the outcome was (if github supported it)
>
> Sadly it's not possible. The most we can do is provide negative lookahead regexp but it's easily getting out of hand if we start adding a rule for each token...

Yeah; I recall we discussed a separate prefix for demo purposes as alternative. I somewhat expected them to have some approach for that as it's not uncommon to have tokens for documentation or tests that should be ignored (not just these tokens)

Perhaps we can do something like SWMTKN-1-aabbccddeeff112233..... to closer match the expected format

@vallieres
Author

> > > Do you know if the secrets detection on GitHub allows for patterns for example values? Ideally we'd still show a key with the same format and length; I recall there was a thread about that, but not sure what the outcome was (if github supported it)
> >
> > Sadly it's not possible. The most we can do is provide negative lookahead regexp but it's easily getting out of hand if we start adding a rule for each token...
>
> Yeah; I recall we discussed a separate prefix for demo purposes as alternative. I somewhat expected them to have some approach for that as it's not uncommon to have tokens for documentation or tests that should be ignored (not just these tokens)
>
> Perhaps we can do something like SWMTKN-1-aabbccddeeff112233..... to closer match the expected format

If I use the same format, they will once again trigger the secret detection. The only way to skip over that is to "break" the pattern with something that does not fit the length and regexp.

@vallieres vallieres closed this Mar 18, 2026
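
The trade-off discussed in this thread, as an added example that is not part of the original conversation or of any scanner's rule set: a full-length dummy token is still flagged, a value that breaks the length is not, and a negative lookahead can exempt one dummy at the cost of a rule per value. The regex is an assumed pattern inferred from the token shapes quoted above; `DOC_TOKEN`, `findings` and the sample lines are constructed for illustration.

```python
import re

# Assumed token shape, inferred from the tokens quoted in this thread:
# "SWMTKN-1-" + 50 chars + "-" + 25 chars, all drawn from [0-9a-z].
# Real scanners ship their own patterns; this regex is an illustration only.
TOKEN = r"SWMTKN-1-[0-9a-z]{50}-[0-9a-z]{25}"
STRICT = re.compile(rf"\b{TOKEN}\b")

# Hypothetical documentation dummy: correct length and alphabet, fixed content.
DOC_TOKEN = "SWMTKN-1-" + "0" * 50 + "-" + "0" * 25

# Negative lookahead: same pattern, but skip the one documented dummy value.
# Every additional dummy value needs another alternative inside the lookahead.
ALLOWLISTED = re.compile(rf"\b(?!{re.escape(DOC_TOKEN)}\b){TOKEN}\b")


def findings(pattern, lines):
    """Return the 1-based numbers of the lines on which `pattern` matches."""
    return [n for n, line in enumerate(lines, 1) if pattern.search(line)]


# Constructed sample input (no real credentials).
REALISTIC = "SWMTKN-1-" + "3k9" * 16 + "zz" + "-" + "7q2" * 8 + "x"
SAMPLE = [
    f"docker swarm join --token {REALISTIC} 172.17.0.2:2377",  # token-shaped
    "docker swarm join --token SWMTKN-1-aaa 172.17.0.2:2377",  # length broken
    f"docker swarm join --token {DOC_TOKEN} 172.17.0.2:2377",  # full-length dummy
]

if __name__ == "__main__":
    print("strict pattern flags lines:     ", findings(STRICT, SAMPLE))
    print("allowlisted pattern flags lines:", findings(ALLOWLISTED, SAMPLE))
```
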