Using secrets is OK, but sometimes cumbersome. What if there were an option in Rancher to encrypt all environment variables at runtime? The Rancher Server administrator would still be able to see and change the unencrypted environment variables in the GUI. Inside the container, the variables could be decompressed by a mounted decryption volume and individually piped to selected commands. Variables would not be distinguishable by running ps on the host, and it would be quite easy to keep them safe in the container as well.
What do you think? Would it work and would it really be secure, or are there things I haven’t thought of?