Using Secretless in Kubernetes

Estimated time to complete: 5 min

Products used: Kubernetes Secrets, PostgreSQL Handler

Steps for Application Developer

Application Developer
You are now the application developer.
You can no longer access the secrets we stored previously in environment variables. Open a new terminal so that all those variables are gone.

You know only one thing – the name of the database:

export APPLICATION_DB_NAME=quick_start_db

Sample Application Overview

The application we’ll be deploying is a pet store demo application with a simple API:

  • GET /pets lists all the pets
  • POST /pet adds a pet

Its PostgreSQL backend is configured using a DB_URL environment variable:


Again, the application has no knowledge of the database credentials it’s using.

For usage examples, please see Test the Application.

Create Application Deployment Manifest

We’re ready to deploy our application.

A detailed explanation of the manifest below is featured in the next step, Appendix - Secretless Deployment Manifest Explained and isn’t needed to complete the tutorial.

To create the quick-start-application.yml manifest using the APPLICATION_DB_NAME above, run:

cat << EOF > quick-start-application.yml
apiVersion: apps/v1
kind: Deployment
  name: quick-start-application
    app: quick-start-application
  replicas: 3
      app: quick-start-application
        app: quick-start-application
      serviceAccountName: quick-start-application
      automountServiceAccountToken: true
        - name: quick-start-application
          image: cyberark/demo-app:latest
            - name: DB_URL
              value: postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
        - name: secretless-broker
          image: cyberark/secretless-broker:latest
          imagePullPolicy: IfNotPresent
          args: ["-f", "/etc/secretless/secretless.yml"]
            - name: config
              mountPath: /etc/secretless
              readOnly: true
        - name: config
            name: quick-start-application-secretless-config

Deploy Application With Secretless Broker

To deploy the application, run:

kubectl --namespace quick-start-application-ns apply -f quick-start-application.yml
deployment "quick-start-application" created

Before moving on, verify that the pods are healthy:

kubectl --namespace quick-start-application-ns get pods
NAME                                       READY     STATUS        RESTARTS   AGE
quick-start-application-6bd8dbd57f-bshmf   2/2       Running       0          22s
quick-start-application-6bd8dbd57f-dr962   2/2       Running       0          26s
quick-start-application-6bd8dbd57f-fgfnh   2/2       Running       0          30s

Expose Application Publicly

The application is running, but not yet publicly available.

To expose it publicly as a Kubernetes Service, run:

cat << EOF > quick-start-application-service.yml
kind: Service
apiVersion: v1
  name: quick-start-application
    app: quick-start-application
  - port: 8080
    targetPort: 8080
    nodePort: 30002
  type: NodePort
kubectl --namespace quick-start-application-ns \
 apply -f quick-start-application-service.yml
service "quick-start-application" created


The application is now available at $(minikube ip):30002. We’ll call this the APPLICATION_URL going forward.

Test the Application

Let’s verify everything works as expected.

First, make sure the APPLICATION_URL is correctly set:

export APPLICATION_URL=$(minikube ip):30002

Now let’s create a pet (POST /pet):

curl -i -d @- \
 -H "Content-Type: application/json" \
 << EOF
   "name": "Secretlessly Fluffy"
HTTP/1.1 201
Content-Length: 0
Date: Thu, 23 Aug 2018 11:56:27 GMT

We should get a 201 response status.

Now let’s retrieve all the pets (GET /pets):

curl -i ${APPLICATION_URL}/pets
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 23 Aug 2018 11:57:17 GMT

[{"id":1,"name":"Secretlessly Fluffy"}]

We should get a 200 response with a JSON array of the pets.

That’s it!

The application is connecting to a password-protected Postgres database without any knowledge of the credentials.

It's Magic

For more info on configuring Secretless for your own use case, see the Secretless Documentation

Up next...

Get a closer look at Secretless...

Want to learn more? Check out our documentation for more information, like how to use Secretless Broker in your Kubernetes environment!