Using Secretless in Kubernetes

Estimated time to complete: 5 min

Products used: Kubernetes Secrets, PostgreSQL Service Authenticator

Steps for Application Developer

Application Developer
You are now the application developer.
You can no longer access the secrets we stored previously in environment variables. Open a new terminal so that all those variables are gone.

You know only one thing – the name of the database:

export APPLICATION_DB_NAME=quick_start_db

Sample Application Overview

The application we’ll be deploying is a pet store demo application with a simple API:

  • GET /pets lists all the pets
  • POST /pet adds a pet

Its PostgreSQL backend is configured using a DB_URL environment variable:


Again, the application has no knowledge of the database credentials it’s using.

For usage examples, please see Test the Application.

Create Application Deployment Manifest

We’re ready to deploy our application.

A detailed explanation of the manifest below is featured in the next step, Appendix - Secretless Deployment Manifest Explained and isn’t needed to complete the tutorial.

To create the quick-start-application.yml manifest using the APPLICATION_DB_NAME above, run:

cat << EOF > quick-start-application.yml
apiVersion: apps/v1
kind: Deployment
  name: quick-start-application
    app: quick-start-application
  replicas: 3
      app: quick-start-application
        app: quick-start-application
      serviceAccountName: quick-start-application
      automountServiceAccountToken: true
        - name: quick-start-application
          image: cyberark/demo-app:latest
            - name: DB_URL
              value: postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
        - name: secretless-broker
          image: cyberark/secretless-broker:latest
          imagePullPolicy: IfNotPresent
          args: ["-f", "/etc/secretless/secretless.yml"]
            - name: config
              mountPath: /etc/secretless
              readOnly: true
        - name: config
            name: quick-start-application-secretless-config

Deploy Application With Secretless Broker

To deploy the application, run:

kubectl --namespace quick-start-application-ns apply -f quick-start-application.yml
deployment "quick-start-application" created

Before moving on, verify that the pods are healthy:

kubectl --namespace quick-start-application-ns get pods
NAME                                       READY     STATUS        RESTARTS   AGE
quick-start-application-6bd8dbd57f-bshmf   2/2       Running       0          22s
quick-start-application-6bd8dbd57f-dr962   2/2       Running       0          26s
quick-start-application-6bd8dbd57f-fgfnh   2/2       Running       0          30s

Expose Application Publicly

The application is running, but not yet publicly available.

To expose it publicly as a Kubernetes Service, run:

cat << EOF > quick-start-application-service.yml
kind: Service
apiVersion: v1
  name: quick-start-application
    app: quick-start-application
  - port: 8080
    targetPort: 8080
    nodePort: 30002
  type: NodePort
kubectl --namespace quick-start-application-ns \
 apply -f quick-start-application-service.yml
service "quick-start-application" created


The application is now available at $(minikube ip):30002. We’ll call this the APPLICATION_URL going forward.

Test the Application

Let’s verify everything works as expected.

First, make sure the APPLICATION_URL is correctly set:

export APPLICATION_URL=$(minikube ip):30002

Now let’s create a pet (POST /pet):

curl -i -d @- \
 -H "Content-Type: application/json" \
 << EOF
   "name": "Secretlessly Fluffy"
HTTP/1.1 201
Content-Length: 0
Date: Thu, 23 Aug 2018 11:56:27 GMT

We should get a 201 response status.

Now let’s retrieve all the pets (GET /pets):

curl -i ${APPLICATION_URL}/pets
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 23 Aug 2018 11:57:17 GMT

[{"id":1,"name":"Secretlessly Fluffy"}]

We should get a 200 response with a JSON array of the pets.

That’s it!

The application is connecting to a password-protected Postgres database without any knowledge of the credentials.

It's Magic

For more info on configuring Secretless for your own use case, see the Secretless Documentation

Up next...

Get a closer look at Secretless...

Want to learn more? Check out our documentation for more information, like how to use Secretless Broker in your Kubernetes environment!