You are now the application developer.
Using Secretless in Kubernetes
Estimated time to complete: 5 min
Products used: Kubernetes Secrets, PostgreSQL Service Authenticator
Steps for Application Developer
You know only one thing – the name of the database:
export APPLICATION_DB_NAME=quick_start_db
Sample Application Overview
The application we’ll be deploying is a pet store demo application with a simple API:
GET /petslists all the petsPOST /petadds a pet
Its PostgreSQL backend is configured using a DB_URL environment variable:
postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
Again, the application has no knowledge of the database credentials it’s using.
For usage examples, please see Test the Application.
Create Application Deployment Manifest
We’re ready to deploy our application.
A detailed explanation of the manifest below is featured in the next step, Appendix - Secretless Deployment Manifest Explained and isn’t needed to complete the tutorial.
To create the quick-start-application.yml manifest using the
APPLICATION_DB_NAME above, run:
cat << EOF > quick-start-application.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: quick-start-application
labels:
app: quick-start-application
spec:
replicas: 3
selector:
matchLabels:
app: quick-start-application
template:
metadata:
labels:
app: quick-start-application
spec:
serviceAccountName: quick-start-application
automountServiceAccountToken: true
containers:
- name: quick-start-application
image: cyberark/demo-app:latest
env:
- name: DB_URL
value: postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
- name: secretless-broker
image: cyberark/secretless-broker:latest
imagePullPolicy: IfNotPresent
args: ["-f", "/etc/secretless/secretless.yml"]
volumeMounts:
- name: config
mountPath: /etc/secretless
readOnly: true
volumes:
- name: config
configMap:
name: quick-start-application-secretless-config
EOF
Deploy Application With Secretless Broker
To deploy the application, run:
kubectl --namespace quick-start-application-ns apply -f quick-start-application.yml
deployment "quick-start-application" created
Before moving on, verify that the pods are healthy:
kubectl --namespace quick-start-application-ns get pods
NAME READY STATUS RESTARTS AGE quick-start-application-6bd8dbd57f-bshmf 2/2 Running 0 22s quick-start-application-6bd8dbd57f-dr962 2/2 Running 0 26s quick-start-application-6bd8dbd57f-fgfnh 2/2 Running 0 30s
Expose Application Publicly
The application is running, but not yet publicly available.
To expose it publicly as a Kubernetes Service, run:
cat << EOF > quick-start-application-service.yml
kind: Service
apiVersion: v1
metadata:
name: quick-start-application
spec:
selector:
app: quick-start-application
ports:
- port: 8080
targetPort: 8080
nodePort: 30002
type: NodePort
EOF
kubectl --namespace quick-start-application-ns \
apply -f quick-start-application-service.yml
service "quick-start-application" created
Congratulations!
The application is now available at $(minikube ip):30002. We’ll call
this the APPLICATION_URL going forward.
Test the Application
Let’s verify everything works as expected.
First, make sure the APPLICATION_URL is correctly set:
export APPLICATION_URL=$(minikube ip):30002
Now let’s create a pet (POST /pet):
curl -i -d @- \
-H "Content-Type: application/json" \
${APPLICATION_URL}/pet \
<< EOF
{
"name": "Secretlessly Fluffy"
}
EOF
HTTP/1.1 201 Location: http://192.168.99.100:30002/pet/2 Content-Length: 0 Date: Thu, 23 Aug 2018 11:56:27 GMT
We should get a 201 response status.
Now let’s retrieve all the pets (GET /pets):
curl -i ${APPLICATION_URL}/pets
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 23 Aug 2018 11:57:17 GMT
[{"id":1,"name":"Secretlessly Fluffy"}]
We should get a 200 response with a JSON array of the pets.
That’s it!
The application is connecting to a password-protected Postgres database without any knowledge of the credentials.
For more info on configuring Secretless for your own use case, see the Secretless Documentation
Up next...
Get a closer look at Secretless...