faas: Docker Swarm secret not available to function on remote system
I have created a secret and granted my function access to it when deploying with faas-cli, and this works in my local environment (Docker 17.12-ce on Windows). When I deploy to my remote system (Docker 17.12-ce on Debian Linux 9), the secret is not available to the function.
Expected Behaviour
The secret should be available to the function in my remote instance.
Current Behaviour
I deploy using this command: .\faas-cli.exe deploy -f .\python3-rabbit-crm-client.yml --secret rabbitsecrets
When I inspect the python3-rabbit-crm-client service on my local instance, I see the secret in the task template:
"TaskTemplate": {
    "ContainerSpec": {
        "Image": "lucasalexander/python3-rabbit-crm-client:latest",
        "Labels": {
            "com.openfaas.function": "python3-rabbit-crm-client",
            "com.openfaas.uid": "173409400",
            "function": "true"
        },
        "Env": [
            "fprocess=python3 index.py"
        ],
        "StopGracePeriod": 10000000000,
        "DNSConfig": {},
        "Secrets": [
            {
                "File": {
                    "Name": "rabbitsecrets",
                    "UID": "0",
                    "GID": "0",
                    "Mode": 292
                },
                "SecretID": "gbry69xf5eu90h8asbcrp3gsz",
                "SecretName": "rabbitsecrets"
            }
        ],
        "Isolation": "default"
    },
    "Resources": {},
    "RestartPolicy": {
        "Condition": "any",
        "Delay": 5000000000,
        "MaxAttempts": 5
    },
    "Placement": {
        "Constraints": [
            "node.platform.os == linux"
        ]
    },
    "Networks": [
        {
            "Target": "vor6lx717vhtr1st3s6zr3pst"
        }
    ],
    "ForceUpdate": 0,
    "Runtime": "container"
},
When I inspect the service on my remote instance, the secret is not listed in the task template:
"TaskTemplate": {
    "ContainerSpec": {
        "Image": "lucasalexander/python3-rabbit-crm-client",
        "Labels": {
            "com.openfaas.function": "python3-rabbit-crm-client",
            "function": "true"
        },
        "Env": [
            "fprocess=python3 index.py"
        ],
        "StopGracePeriod": 10000000000,
        "DNSConfig": {},
        "Isolation": "default"
    },
    "Resources": {},
    "RestartPolicy": {
        "Condition": "any",
        "Delay": 5000000000,
        "MaxAttempts": 5
    },
    "Placement": {
        "Constraints": [
            "node.platform.os == linux"
        ]
    },
    "Networks": [
        {
            "Target": "15k7arichvdo2s1zc8u59p6ee"
        }
    ],
    "ForceUpdate": 0,
    "Runtime": "container"
},
I have verified the secret exists on the remote system using “secret inspect rabbitsecrets.”
Possible Solution
Steps to Reproduce (for bugs)
- Create secret
- Create function that reads secret
- Build function
- Push function
- Deploy function with access to secret
- Run function (works on localhost, throws error on remote)
Context
I need to allow the function to access secured resources with a username and password.
Your Environment
- Docker version, `docker version` (e.g. Docker 17.0.05): 17.12.0-ce
- Are you using Docker Swarm or Kubernetes (FaaS-netes)? Swarm
- Operating System and version (e.g. Linux, Windows, MacOS): Debian Linux 9
- Link to your project or a code example to reproduce issue: https://hub.docker.com/r/lucasalexander/python3-rabbit-crm-client/
import sys
import pika
import uuid
import datetime
import json


def get_secret(secret_name):
    # Swarm mounts each granted secret as a file under /run/secrets/
    try:
        with open('/run/secrets/{0}'.format(secret_name), 'r') as secret_file:
            return secret_file.read()
    except IOError:
        # File is absent when the secret was not attached to the service
        return None


class CrmRpcClient(object):
    def __init__(self):
        print(get_secret('rabbitsecrets'))
        # I've removed logic beyond this point where it fails to retrieve the secret


def handle(req):
    # instantiate an rpc client
    crm_rpc = CrmRpcClient()
- Please also follow the troubleshooting guide and paste in any other diagnostic information you have:
About this issue
- State: closed
- Created 6 years ago
- Comments: 21 (21 by maintainers)
I am closing this issue as it is now reliably working on 0.7.1.
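A post-deploy check for the symptom reported in this issue, as an added example that is not part of the original report or of OpenFaaS: it reads `docker service inspect` JSON and reports services whose task template lacks a required secret. The two sample documents are constructed from the task templates quoted in the issue, and the function names are hypothetical.

```python
import json

# Constructed sample input: trimmed `docker service inspect` output shaped like
# the two task templates quoted in the issue (local has the secret, remote does not).
LOCAL = json.loads("""
[{"Spec": {"Name": "python3-rabbit-crm-client", "TaskTemplate": {"ContainerSpec": {
  "Image": "lucasalexander/python3-rabbit-crm-client:latest",
  "Secrets": [{"File": {"Name": "rabbitsecrets", "UID": "0", "GID": "0", "Mode": 292},
               "SecretID": "gbry69xf5eu90h8asbcrp3gsz", "SecretName": "rabbitsecrets"}]
}}}}]
""")
REMOTE = json.loads("""
[{"Spec": {"Name": "python3-rabbit-crm-client", "TaskTemplate": {"ContainerSpec": {
  "Image": "lucasalexander/python3-rabbit-crm-client"
}}}}]
""")


def attached_secrets(service):
    """Map SecretName -> (path inside the container, octal file mode)."""
    spec = service.get("Spec", service)  # accept a full service object or a bare fragment
    container = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
    found = {}
    for ref in container.get("Secrets") or []:  # key is absent when nothing is attached
        target = ref.get("File") or {}
        name = target.get("Name", ref["SecretName"])
        # Relative targets land under /run/secrets in Linux containers.
        path = name if name.startswith("/") else "/run/secrets/" + name
        found[ref["SecretName"]] = (path, oct(target.get("Mode", 0o444)))
    return found


def missing_secrets(inspect_output, required):
    """Return {service name: [required secrets not attached]} for failing services."""
    report = {}
    for service in inspect_output:
        have = attached_secrets(service)
        absent = [s for s in required if s not in have]
        if absent:
            name = service.get("Spec", service).get("Name", "<unnamed>")
            report[name] = absent
    return report


if __name__ == "__main__":
    for label, data in (("local", LOCAL), ("remote", REMOTE)):
        print(label, attached_secrets(data[0]), missing_secrets(data, ["rabbitsecrets"]))
```

Run against the output of `docker service inspect python3-rabbit-crm-client` on each host, a non-empty report means the function will read `None` from `/run/secrets/` even though the secret exists in the swarm.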