How to Deploy

Using Kubernetes Secrets

1. Adding the Secretless Broker Sidecar Container

We start by adding the Secretless Broker sidecar to an existing service definition. This means adding the Secretless Broker container, a Kubernetes Secrets volume and a ConfigMap holding the Secretless configuration. In this example, the Secretless Broker is configured to authenticate connections to a PostgreSQL database. For documentation on the other handlers available, visit Handlers.

---
apiVersion: v1
kind: Pod
metadata:
  name: my-service
  namespace: demo
  labels:
    app: my-service
spec:
  containers:
  - name: secretless-broker
    image: cyberark/secretless-broker:latest
    args: ["-f", "/etc/secretless/secretless.yml"]
    ports:
    - containerPort: 5432
    volumeMounts:
    - name: secret
      mountPath: "/etc/secret"
      readOnly: true
    - name: config
      mountPath: "/etc/secretless"
      readOnly: true

  # <-- Add your own container definition here -->
  # - name: my-service
  #   image: my-service:latest

  volumes:
  - name: secret
    secret:
      secretName: my-service-postgres
      items:
      - key: address
        path: address
      - key: username
        path: username
      - key: password
        path: password

  - name: config
    configMap:
      name: my-service-secretless-config

2. Configuring the Secretless Broker

Next, we’ll define a Secretless Broker configuration. Write the following YAML to a file named secretless.yml.

listeners:
  - name: pg
    protocol: pg
    address: 0.0.0.0:5432

handlers:
  - name: pg
    listener: pg
    credentials:
      - name: address
        provider: file
        id: /etc/secret/address
      - name: username
        provider: file
        id: /etc/secret/username
      - name: password
        provider: file
        id: /etc/secret/password

Create a new ConfigMap in Kubernetes using the newly created secretless.yml.

kubectl create configmap my-service-secretless-config --from-file=secretless.yml

Our secretless.yml uses the file provider to resolve credentials required to connect to PostgreSQL. Here we create a Kubernetes Secret to store our credentials.

kubectl create secret generic my-service-postgres \
  --from-literal=address=$POSTGRES_ADDRESS \
  --from-literal=username=$POSTGRES_USERNAME \
  --from-literal=password=$POSTGRES_PASSWORD

3. Running

Apply the manifest. Once running, PostgreSQL will be available within the Pod at localhost:5432. You may need to update your application's configuration so that it points at this address for the database. References to the username or password can be safely removed, since the broker injects them.

kubectl apply -f my-service.yml
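The three files above have to agree with each other: every `file` provider id in secretless.yml must be projected by the Secret volume, or the broker only fails when it tries to read /etc/secret/<name> at connection time. The following pre-flight check is an added example, not part of the Secretless Broker project; the sample files it writes are constructed from the page, with `password` deliberately left out of the volume items so there is something to report.

```shell
# Added example (not from the Secretless Broker project): cross-check that
# every `file` provider id in secretless.yml has a matching `path:` item
# under the Kubernetes Secret volume of the Pod manifest.
set -eu
# Constructed sample files mirroring the page; `password` is deliberately
# missing from the volume items so the check has something to report.
write_samples() {
  cat > "$1" <<'EOF'
handlers:
  - name: pg
    listener: pg
    credentials:
      - name: address
        provider: file
        id: /etc/secret/address
      - name: username
        provider: file
        id: /etc/secret/username
      - name: password
        provider: file
        id: /etc/secret/password
EOF
  cat > "$2" <<'EOF'
    volumes:
    - name: secret
      secret:
        secretName: my-service-postgres
        items:
        - key: address
          path: address
        - key: username
          path: username
EOF
}
# Usage: missing_secret_paths secretless.yml pod.yml
# Prints each credential id (relative to /etc/secret) that the Secret volume
# does not project; returns 0 if the files are consistent, 1 otherwise.
missing_secret_paths() {
  ids=$(awk '$1=="id:" && $2 ~ /^\/etc\/secret\// {
               sub(/^\/etc\/secret\//, "", $2); print $2 }' "$1")
  paths=$(awk '$1=="path:" { print $2 }' "$2")
  rc=0
  for id in $ids; do
    if ! printf '%s\n' $paths | grep -qx -- "$id"; then
      echo "$id"; rc=1
    fi
  done
  return $rc
}
```

Run it against your real secretless.yml and Pod manifest before `kubectl apply`; any name it prints is a credential the broker will not be able to read.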

4. Next

We’ve just completed a quick deployment of the Secretless Broker to an existing application using Kubernetes Secrets.

Ready to use Secretless Broker in your Kubernetes environment? Check out our Kubernetes tutorial or our deployment guides!