Test and fix external secrets in stack deploy.

Signed-off-by: Daniel Nephin <dnephin@docker.com>

compose/convert/service.go

@@ -31,7 +31,7 @@ func Services(
 
 	for _, service := range services {
 
-		secrets, err := convertServiceSecrets(client, namespace, service.Secrets)
+		secrets, err := convertServiceSecrets(client, namespace, service.Secrets, config.Secrets)
 		if err != nil {
 			return nil, err
 		}
@@ -181,6 +181,7 @@ func convertServiceSecrets(
 	client client.SecretAPIClient,
 	namespace Namespace,
 	secrets []composetypes.ServiceSecretConfig,
+	secretSpecs map[string]composetypes.SecretConfig,
 ) ([]*swarm.SecretReference, error) {
 	opts := []*types.SecretRequestOption{}
 	for _, secret := range secrets {
@@ -188,8 +189,15 @@ func convertServiceSecrets(
 		if target == "" {
 			target = secret.Source
 		}
+
+		source := namespace.Scope(secret.Source)
+		secretSpec := secretSpecs[secret.Source]
+		if secretSpec.External.External {
+			source = secretSpec.External.Name
+		}
+
 		opts = append(opts, &types.SecretRequestOption{
-			Source: namespace.Scope(secret.Source),
+			Source: source,
 			Target: target,
 			UID:    secret.UID,
 			GID:    secret.GID,

compose/loader/loader.go

@@ -422,8 +422,7 @@ func loadVolumes(source types.Dict) (map[string]types.VolumeConfig, error) {
 // TODO: remove duplicate with networks/volumes
 func loadSecrets(source types.Dict, workingDir string) (map[string]types.SecretConfig, error) {
 	secrets := make(map[string]types.SecretConfig)
-	err := transform(source, &secrets)
-	if err != nil {
+	if err := transform(source, &secrets); err != nil {
 		return secrets, err
 	}
 	for name, secret := range secrets {