Estimated time to complete: 5 min
Products used: Kubernetes Secrets, PostgreSQL Service Connector
You know only one thing – the name of the database:
export APPLICATION_DB_NAME=quick_start_db
The application we’ll be deploying is a pet store demo application with a simple API:
GET /pets
lists all the petsPOST /pet
adds a petIts PostgreSQL backend is configured using a DB_URL
environment variable:
postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
Again, the application has no knowledge of the database credentials it’s using.
For usage examples, please see Test the Application.
We’re ready to deploy our application.
A detailed explanation of the manifest below is featured in the next step, Appendix - Secretless Deployment Manifest Explained and isn’t needed to complete the tutorial.
To create the quick-start-application.yml manifest using the
APPLICATION_DB_NAME
above, run:
cat << EOF > quick-start-application.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: quick-start-application
labels:
app: quick-start-application
spec:
replicas: 3
selector:
matchLabels:
app: quick-start-application
template:
metadata:
labels:
app: quick-start-application
spec:
serviceAccountName: quick-start-application
automountServiceAccountToken: true
containers:
- name: quick-start-application
image: cyberark/demo-app:latest
env:
- name: DB_URL
value: postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
- name: secretless-broker
image: cyberark/secretless-broker:latest
imagePullPolicy: Always
args: ["-f", "/etc/secretless/secretless.yml"]
volumeMounts:
- name: config
mountPath: /etc/secretless
readOnly: true
volumes:
- name: config
configMap:
name: quick-start-application-secretless-config
EOF
To deploy the application, run:
kubectl --namespace quick-start-application-ns apply -f quick-start-application.yml
deployment "quick-start-application" created
Before moving on, verify that the pods are healthy:
kubectl --namespace quick-start-application-ns get pods
NAME READY STATUS RESTARTS AGE quick-start-application-6bd8dbd57f-bshmf 2/2 Running 0 22s quick-start-application-6bd8dbd57f-dr962 2/2 Running 0 26s quick-start-application-6bd8dbd57f-fgfnh 2/2 Running 0 30s
The application is running, but not yet publicly available.
To expose it publicly as a Kubernetes Service, run:
cat << EOF > quick-start-application-service.yml
kind: Service
apiVersion: v1
metadata:
name: quick-start-application
spec:
selector:
app: quick-start-application
ports:
- port: 8080
targetPort: 8080
nodePort: 30002
type: NodePort
EOF
kubectl --namespace quick-start-application-ns \
apply -f quick-start-application-service.yml
service "quick-start-application" created
Congratulations!
The application is now available at $(minikube ip):30002
. We’ll call
this the APPLICATION_URL
going forward.
Let’s verify everything works as expected.
First, make sure the APPLICATION_URL
is correctly set:
export APPLICATION_URL=$(minikube ip):30002
Now let’s create a pet (POST /pet
):
curl -i -d @- \
-H "Content-Type: application/json" \
${APPLICATION_URL}/pet \
<< EOF
{
"name": "Secretlessly Fluffy"
}
EOF
HTTP/1.1 201 Location: http://192.168.99.100:30002/pet/2 Content-Length: 0 Date: Thu, 23 Aug 2018 11:56:27 GMT
We should get a 201 response status.
Now let’s retrieve all the pets (GET /pets
):
curl -i ${APPLICATION_URL}/pets
HTTP/1.1 200 Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Thu, 23 Aug 2018 11:57:17 GMT [{"id":1,"name":"Secretlessly Fluffy"}]
We should get a 200 response with a JSON array of the pets.
That’s it!
The application is connecting to a password-protected Postgres database without any knowledge of the credentials.
For more info on configuring Secretless for your own use case, see the Secretless Documentation
Get a closer look at Secretless...