Questions about secrets

Hello,
I’m a bit new to Rancher. I’ll try to explain my goal first. My app (written in js) contains a password that we pass in order to connect to the server. Currently, every time we want to run the app, we set an environment variable to contain this password and we read this information at runtime (by process.env.pass). Now that we moved to docker, I want to make it more sophisticated. After reading about docker’s secrets I found out that I need to read it from /run/secrets/, after creating one. The way we use rancher is by building the docker image, uploading to Harbor and creating a new workload in the Rancher UI.

At first, I tried to set the secret in an environment variable like so:

But for some reason I can’t find it in the list of the environment variables (What could be the reason for that?)

After that, I tried to set a volume with that secret (It does not let me add another image as I’m a new user).

Now I can see the directory /run/secrets/pass but it’s different from Docker secrets. In Docker, the /run/secrets/pass is a file that I should read and get the secret but in Rancher, it’s a directory that contains pass. Also for some reason I can’t read that file:

cat /run/secrets/pass/pass
cat: /run/secrets/pass/pass: Permission denied

To sum up:

  1. Why didn’t it show the secret in the envs?
  2. What would be the best way to set up a secret so it will be easy to read it with Rancher and without Rancher (with docker only)? By that I mean - minimal code support. I already added support so it will read a secret from /run/secrets/ (it tries to read the file called pass).
  3. Why didn’t it let me read the /run/secrets/pass/pass?

Thank you.

Any help with it will be appreciated.

For the environment vars you picked “All” keys so the variables defined will be the prefix set to the right (pass) plus whatever keys are defined in the secret (whose name is also called “pass”). I.e. if the secret has keys foo and bar defined in it, you’re ending up with two variables, passfoo and passbar.

If you want exactly one variable named pass then you need to pick a single key from the secret to populate it with. Print out all of process.env and you’ll see what you’ve defined.

/run/secrets is from Rancher 1.x so you’re reading something outdated. It is essentially totally unrelated to 2.x. For Kubernetes/2.x you define a volume backed by a secret and then mount that volume wherever you want in the container.
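
As an added example (not code from either poster), here is one way a Node.js app could read the same secret from all three places discussed in this thread: a Docker secret file, a secret-backed volume that appears as a directory with one file per key, and the original environment variable. The function name `readSecret` and its `baseDir`, `key` and `env` options are assumptions made for illustration.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Hypothetical helper. `name` is the secret name ("pass" in the thread).
// `baseDir` is wherever the secret is mounted; `key` is the key inside the
// secret to read when the mount is a directory (defaults to the secret name).
function readSecret(name, { baseDir = "/run/secrets", key = name, env = process.env } = {}) {
  const target = path.join(baseDir, name);
  let file = target;
  try {
    // Docker secrets: <baseDir>/<name> is a regular file.
    // Secret-backed volume: <baseDir>/<name> is a directory holding one file
    // per key. statSync follows symlinks, so symlinked mounts resolve too.
    if (fs.statSync(target).isDirectory()) {
      file = path.join(target, key);
    }
    // Drop a single trailing newline, which is common when the secret was
    // created from a shell pipeline or a text file.
    return fs.readFileSync(file, "utf8").replace(/\r?\n$/, "");
  } catch (err) {
    if (err.code === "EACCES") {
      // The mount is present but the file mode or owner excludes the user
      // the container runs as. Report the path only, never the value.
      throw new Error(`secret file ${file} is not readable by this process`);
    }
    if (err.code !== "ENOENT") throw err;
  }
  // Nothing mounted: fall back to the environment variable, which is how
  // the app was configured before it moved into containers.
  if (env[name] !== undefined) return env[name];
  throw new Error(`secret "${name}" not found under ${baseDir} or in the environment`);
}

module.exports = { readSecret };
```

With this in place the call site stays `readSecret("pass")` in every environment, and a permission problem on the mounted file surfaces as an explicit startup error instead of a silent fallback.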