Rancher secrets not working from docker-compose.yml

Hi guys, I am having an issue with secrets. I know it's still experimental, but based on the documentation what I am trying to do should work.
What I did:

  • Installed secrets from the catalog, created a secret in the UI.

Now if I try to run the command below from the rancher-cli, it creates the stack, but the container wp-data doesn’t have the secret mounted:
rancher --url xxxxx --access-key xxx --secret-key xxx --env web up -d --upgrade --batch-size 1 --pull --stack blog-test-master apache2 wp-data

With this docker-compose.yml:

version: '2'
services:
  php-fpm:
    image: xxxxxxx/docker/php-fpm:1.0
    tty: true
    volumes_from:
    - wp-data
    ports:
    - 9000/tcp
  apache2:
    image: httpd:2.4
    tty: true
    links:
    - php-fpm
    volumes_from:
    - wp-data
    ports:
    - 80:80/tcp
    labels:
      io.rancher.sidekicks: wp-data, php-fpm
  wp-data:
    image: xxxxx/wp-datavolume/wp-datavolume-master:latest
    network_mode: none
    volumes:
    - /usr/local/apache2/htdocs/
    - /usr/local/apache2/conf/
    secrets:
    - source: wp-config-test-v1
      target: wp-config
      mode: 444
      uid: '0'
      gid: '0'
    tty: true
    command:
    - cat
secrets:
  wp-config-test-v1:
    external: true

Thanks!!

I think the problem is the secrets: section. I added a Rancher secret to one of my containers from the UI, and the yaml looks different than yours.

version: '2'
services:
  ubuntu:
    image: ubuntu:16.04
    stdin_open: true
    entrypoint:
    - sleep
    - infinity
    tty: true
    secrets:
    - uid: '0'
      gid: '0'
      mode: '444'
      name: redis_host
      secretId: 1
    labels:
      io.rancher.container.pull_image: always

I think you need to find the secret ID, and specify that instead of using the external secret.
You might try adding it from the UI to see the yaml format that it creates.

The yaml was exported from the UI, after manually adding the secret to the wp-data container.

Seem to have found the issue: the secret has to be attached to the primary service, not to the sidekick. Once it's attached to the primary, it's automatically available to all sidekick containers.

Weird that attaching the secret only to the sidekick on the UI works.

Thanks!!
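
The fix described in the last post, as an added example that is not part of the original thread: the original docker-compose.yml with the `secrets:` entry moved from the `wp-data` sidekick to the primary service `apache2` (the service that carries the `io.rancher.sidekicks` label). Image names are the thread's own redacted placeholders, and the exact placement and field layout under `apache2` are an assumption based on the poster's description, not exported output.

```yaml
version: '2'
services:
  php-fpm:                      # sidekick: no secrets entry of its own
    image: xxxxxxx/docker/php-fpm:1.0
    tty: true
    volumes_from:
    - wp-data
    ports:
    - 9000/tcp
  apache2:                      # primary service: it declares the sidekicks
    image: httpd:2.4
    tty: true
    links:
    - php-fpm
    volumes_from:
    - wp-data
    ports:
    - 80:80/tcp
    secrets:                    # moved here from wp-data (assumed placement)
    - source: wp-config-test-v1
      target: wp-config
      mode: 444
      uid: '0'
      gid: '0'
    labels:
      io.rancher.sidekicks: wp-data, php-fpm
  wp-data:                      # sidekick: secrets block removed
    image: xxxxx/wp-datavolume/wp-datavolume-master:latest
    network_mode: none
    volumes:
    - /usr/local/apache2/htdocs/
    - /usr/local/apache2/conf/
    tty: true
    command:
    - cat
secrets:                        # top-level reference to the secret created in the UI
  wp-config-test-v1:
    external: true
```

After bringing the stack up, confirm in each container (primary and sidekicks) that the `wp-config` file is actually present and has the expected owner and mode before relying on it.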