From 5cc9da5da0176f14864a55d0796582b90f84dab4 Mon Sep 17 00:00:00 2001
From: Nicolas De Loof <nicolas.deloof@gmail.com>
Date: Thu, 6 Feb 2025 09:22:01 +0100
Subject: [PATCH] report error using non-file secret|config with read-only
 service

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
---
 pkg/compose/secrets.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/pkg/compose/secrets.go b/pkg/compose/secrets.go
index 4ba49eed445..7bc0e904807 100644
--- a/pkg/compose/secrets.go
+++ b/pkg/compose/secrets.go
@@ -35,6 +35,10 @@ func (s *composeService) injectSecrets(ctx context.Context, project *types.Proje
 			continue
 		}
 
+		if service.ReadOnly {
+			return fmt.Errorf("cannot create secret %q in read-only service %s: `file` is the sole supported option", file.Name, service.Name)
+		}
+
 		if config.Target == "" {
 			config.Target = "/run/secrets/" + config.Source
 		} else if !isAbsTarget(config.Target) {
@@ -43,7 +47,7 @@ func (s *composeService) injectSecrets(ctx context.Context, project *types.Proje
 
 		env, ok := project.Environment[file.Environment]
 		if !ok {
-			return fmt.Errorf("environment variable %q required by file %q is not set", file.Environment, file.Name)
+			return fmt.Errorf("environment variable %q required by secret %q is not set", file.Environment, file.Name)
 		}
 		b, err := createTar(env, types.FileReferenceConfig(config))
 		if err != nil {
@@ -67,7 +71,7 @@ func (s *composeService) injectConfigs(ctx context.Context, project *types.Proje
 		if file.Environment != "" {
 			env, ok := project.Environment[file.Environment]
 			if !ok {
-				return fmt.Errorf("environment variable %q required by file %q is not set", file.Environment, file.Name)
+				return fmt.Errorf("environment variable %q required by config %q is not set", file.Environment, file.Name)
 			}
 			content = env
 		}
@@ -75,6 +79,10 @@ func (s *composeService) injectConfigs(ctx context.Context, project *types.Proje
 			continue
 		}
 
+		if service.ReadOnly {
+			return fmt.Errorf("cannot create config %q in read-only service %s: `file` is the sole supported option", file.Name, service.Name)
+		}
+
 		if config.Target == "" {
 			config.Target = "/" + config.Source
 		}