
[rancher-compose] env_file on hosts #1971

Closed
ghost opened this issue Sep 4, 2015 · 6 comments
Labels
area/cli area/rancher-compose kind/feature Issues that represent larger new pieces of functionality, not enhancements to existing functionality

Comments

ghost commented Sep 4, 2015

Secrets.

I know there is rancher/rancher#186, and a feature request at rancher/rancher#1269 and a discussion at docker/docker#13490. And rancher/rancher#1759 is kind of the same feature except it doesn't use the env_file but just the environment variables from the host. However, I'm trying to find a way to use secrets with the features that docker and rancher have at the moment.

Right now I'm trying to do secrets via environment variables, although they are considered not safe, and you shouldn't do it. I do not want to add the secrets in environment variables in the docker-compose.yml file because then they will be added to the git repo. Instead, docker-compose supports --env-file or just setting env_file: ./some_file. This means I could add a file to a host where Rancher is deploying containers; this file would contain the secrets.

Now I'm trying to use this with rancher-compose. However, rancher-compose evaluates the docker-compose.yml at the location you run rancher-compose, meaning that I need to have the file with secrets locally. I hoped to be able to set the file at the machine where Rancher deploys the containers, or maybe at the machine where rancher-server is running.

ghost (Author) commented Sep 4, 2015

I mean, volumes mounts the volumes from the machine it's deployed to, not the machine you use rancher-compose on. I expect the same from the env_file directive.

aburnett commented Sep 4, 2015

Our applications load secrets from a file at runtime, so we use a data volume container which contains our secrets and deploy that as a sidecar with our application and use volumes_from. You could fake env_file functionality by changing the entrypoint of your application container to source in variables from a file mounted via a data container before it starts your application.

I just discovered https://www.vaultproject.io/ the other day also. Looks promising, but would require adding something new to your stack.
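The entrypoint trick described in the comment above, as an added example that is not code from Rancher, rancher-compose, or the commenter: a POSIX sh entrypoint that reads KEY=VALUE lines from a secrets file mounted from a data container and then execs the real application. The mount path /run/secrets/app.env and the SECRETS_FILE override variable are assumptions for this example. It deliberately parses the file as data instead of sourcing it with `.`, because sourcing would execute any shell code present in the mounted file.

```shell
#!/bin/sh
# Added example (not rancher-compose or Rancher code): a container entrypoint
# that loads KEY=VALUE secrets from a file mounted via a data container, then
# execs the real application. The mount path /run/secrets/app.env and the
# SECRETS_FILE override are assumptions for this example.
set -eu

# Import KEY=VALUE lines from a file into the environment without executing it.
# `. file` (sourcing) would run any shell code the mounted file contains; this
# reads the file as data and accepts only lines with a shell-identifier key.
# Skipped lines are reported without their content so nothing leaks to logs.
load_env_file() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "env file not readable: $file" >&2
        return 1
    fi
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        case "$line" in
            *=*) ;;
            *) echo "skipping line without '='" >&2; continue ;;
        esac
        key="${line%%=*}"                   # text before the first '='
        value="${line#*=}"                  # everything after it; '=' allowed in values
        case "$key" in
            [A-Za-z_]*) ;;
            *) echo "skipping line with invalid key" >&2; continue ;;
        esac
        case "$key" in
            *[!A-Za-z0-9_]*) echo "skipping line with invalid key" >&2; continue ;;
        esac
        export "$key=$value"
    done < "$file"
}

# Load the secrets, then replace this shell with the application so it becomes
# PID 1 and receives signals directly. Nothing is written back to disk.
run_entrypoint() {
    load_env_file "${SECRETS_FILE:-/run/secrets/app.env}"
    exec "$@"
}

# Only start the application when a command was given, e.g. from a Dockerfile:
#   ENTRYPOINT ["/entrypoint.sh"]
#   CMD ["python", "app.py"]
if [ "$#" -gt 0 ]; then
    run_entrypoint "$@"
fi
```

The secrets still end up in the application's environment, which is exactly the exposure the rest of this thread warns about (visible to anything that can read the process environment, and inherited by child processes), so this only moves the file off the machine running rancher-compose; it does not make environment-variable secrets safe.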

ghost (Author) commented Sep 4, 2015

I looked at doing that as well, but then I figured there was a feature for doing exactly this already. However, rancher-compose worked a bit differently than expected.

Projects like vaultproject and keywhiz can do these things as well but would add some complexity and another thing to manage. I decided this was too much overhead for our small team. However, they might be very useful later on.

@deniseschannon deniseschannon added area/rancher-compose kind/feature Issues that represent larger new pieces of functionality, not enhancements to existing functionality labels Sep 4, 2015
ibuildthecloud (Contributor) commented

We are currently investigating integrating Vault into Rancher. Managing secrets through environment variables has too many security issues for us to feel comfortable recommending it to users.

ghost (Author) commented Sep 10, 2015

+1 Secrets in environment variables should be forbidden.

@deniseschannon deniseschannon changed the title [rancher-compose] env_file [rancher-compose] env_file on hosts Dec 21, 2015
@deniseschannon deniseschannon modified the milestone: Unscheduled Jun 28, 2016
will-chan (Contributor) commented

We have added a new secrets management feature in Rancher. It won't prevent anyone from adding secrets in ENV variable though. Closing this issue due to inactivity.
