I’m curious what others are doing to handle sensitive information in Rancher deployments. I am trying to keep application properties such as database password and API keys out of the Docker images. I’d prefer to pull the data at deploy time (such that a release version is paired with a configuration / properties file).
Wondering if anyone is currently handling this in some fashion with Rancher and how you go about it?
I’m also interested on how people are doing it. I think it’s not only specific to rancher since it’s an infrastructure management system not a platform for deployment, although anyway here I’m giving you all the ways I found to deal with this :
all of those methods have drawbacks
here are a couple of related github work items that seem to be progressing. Maybe they cover your scenarios.
If not, you may want to get in there and request enhancements.
Those linked issues help for keeping the sensitive information hidden once it gets into the system, so those are definitely worth following.
These are probably overkill. But for the cases where you cannot modify the application to deal with environment variables, some more ideas:
rancher-compose up that get deployed next to the container on the filesystem.Mostly just thinking out loud here 
We use spring here so have a config server. For the non-spring components we still use the config server with a simple curl command to pull config in and then use either sed or better still augeas to insert config into config files. I know others have used an external ansible service to poke config in from outside.
My containers have customize start up scripts which pulls the secrets from HasiCorp Vault at start up and sets them whichever way the app needs it (config file, environment variable, etc).