Hello,
I’m playing with Rancher secrets, adding them to docker-compose in Rancher 1.6.2.
From what I can see, the secrets are linked to services using their name in docker-compose, but internally, Rancher maps to the secret ID. In order to modify a secret, it needs to be deleted and recreated with the same name.
The problem is that this won’t update the secret ID. The service still points to the old ID, which still exists (although deactivated), and there doesn’t seem to be a way to make the service use the new secret, besides recreating the stack.
Or am I missing something?
The way I use secrets (in Kubernetes, although the same will work with Rancher/Docker) is to create a new secret whenever I need to update something. I use the date + 2 digits to allow for multiple versions per day (i.e. my-secret-2017062700). Then you just upgrade the stack (or re-apply in K8s) pointing to the new secret ID and the containers are now using the new secret. This also allows me to know which version of a secret each container is currently using.
Yes, what @shubbard343 said; secrets are not updatable because most uses of them will not know or have a way to find out that they changed and re-read them.
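The date-plus-two-digit naming scheme from the answer above, sketched as an added example that is not part of the original thread. The function names and the sample secret list are assumptions constructed for illustration; nothing here calls the Rancher or Kubernetes API.

```python
import re
from datetime import date

def next_secret_name(base, existing, today):
    """Return the next unused '<base>-YYYYMMDDNN' name for the given day."""
    prefix = f"{base}-{today:%Y%m%d}"
    pattern = re.compile(re.escape(prefix) + r"(\d{2})")
    used = [int(m.group(1)) for n in existing if (m := pattern.fullmatch(n))]
    # Take max + 1 rather than the first gap, so a name that was deleted
    # earlier in the day is never reused for different secret content.
    seq = max(used) + 1 if used else 0
    if seq > 99:
        raise ValueError(f"no two-digit sequence left for {prefix}")
    return f"{prefix}{seq:02d}"

def current_and_stale(base, existing):
    """Split the versions of `base` into (newest, older versions)."""
    pattern = re.compile(re.escape(base) + r"-\d{8}\d{2}")
    # Fixed-width digits mean lexicographic order equals chronological order.
    versions = sorted(n for n in existing if pattern.fullmatch(n))
    if not versions:
        return None, []
    return versions[-1], versions[:-1]

# Constructed sample: secret names as they might be listed in one environment.
EXISTING = [
    "my-secret-2017062600",
    "my-secret-2017062700",
    "my-secret-2017062701",
    "my-secret-extra-2017062700",  # different base name, must be ignored
    "db-password-2017062700",
]

if __name__ == "__main__":
    print("create:", next_secret_name("my-secret", EXISTING, date(2017, 6, 27)))
    newest, stale = current_and_stale("my-secret", EXISTING)
    print("newest existing version:", newest)
    print("remove once no service references them:", stale)
```

The name returned by `next_secret_name` is what the service definition should reference before the stack is upgraded; the stale list is only safe to delete after every service has moved off those versions.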