I'm using rancher and I set a secret using the rancher's GUI. I'm trying to make my application read this secret. Let's say the secret is called pass
and I want to read it. Being known with docker, I wrote the following code:
readDockerSecret: function(secretName) {
return fs.readFileSync(`/run/secrets/${secretName}`, 'utf8');
}
// code
// read secret
try {
var secretName = "pass";
var pass = utils.readDockerSecret(pass);
} catch (err) {
if (err.code !== 'ENOENT') {
logger.error(`An error occurred while trying to read the secret: ${secretName}. Err: ${err}`);
} else {
logger.debug(`Could not find the secret: ${secretName}. Err: ${err}`);
}
}
But when I use it in rancher, it never finds the secret. In the rancher shell in the GUI I can see that I have the following herechy:
ls -la /run/secrets
total 0
drwxr-xr-x 1 root root 27 Aug 10 11:02 .
drwxr-xr-x 1 root root 21 Aug 10 10:53 ..
drwxr-xr-x 2 root root 40 Aug 10 11:02 credentials.d
drwxr-xr-x 3 root root 28 Aug 10 11:02 kubernetes.io
credentials.d
is empty. But kubernetes.io
contains:
/run/secrets/kubernetes.io
total 0
drwxr-xr-x 3 root root 28 Aug 10 11:02 .
drwxr-xr-x 1 root root 27 Aug 10 11:02 ..
drwxrwxrwt 3 root root 140 Aug 10 11:02 serviceaccount
ls -la /run/secrets/kubernetes.io/serviceaccount/
total 0
drwxrwxrwt 3 root root 140 Aug 10 11:02 .
drwxr-xr-x 3 root root 28 Aug 10 11:02 ..
drwxr-xr-x 2 root root 100 Aug 10 11:02 ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root 31 Aug 10 11:02 ..data -> ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root 13 Aug 10 11:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Aug 10 11:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Aug 10 11:02 token -> ..data/token
No sign for pass
anywhere. Tried also to grep but without any luck. How should I read the secret in rancher?
EDIT: The screenshot:
In the yaml we have:
spec:
containers:
- envFrom:
- prefix: pass
secretRef:
name: pass
optional: false
image: <image-url>
imagePullPolicy: Always
name: <app-name>
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: false
stdin: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
tty: true
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: pass
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
To be able to use a secret from inside a pod, you first need to "mount" that secret into the pod, either as an environment variable or a file. The secrets docs describe in detail how to do that.