Estimated time to complete: 5 min
Products used: Kubernetes Secrets, PostgreSQL Service Connector
Here we’ll walk through the application deployment manifest, to better understand how Secretless works.
We’ll focus on the Pod’s template, which is where the magic happens:
# top part elided...
template:
  metadata:
    labels:
      app: quick-start-application
  spec:
    serviceAccountName: quick-start-application
    automountServiceAccountToken: true
    containers:
    - name: quick-start-application
      image: cyberark/demo-app:latest
      env:
      - name: DB_URL
        value: postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
    - name: secretless-broker
      image: cyberark/secretless-broker:latest
      imagePullPolicy: Always
      args: ["-f", "/etc/secretless/secretless.yml"]
      volumeMounts:
      - name: config
        mountPath: /etc/secretless
        readOnly: true
    volumes:
    - name: config
      configMap:
        name: quick-start-application-secretless-config
Since it resides in the same pod, the application can access the Secretless sidecar container over localhost.
As specified in the ConfigMap we created, Secretless listens on port 5432, and hence this:
env:
- name: DB_URL
  value: postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable
is all our application needs to locate Secretless.
Notice the ?sslmode=disable at the end of our DB_URL.
This means that the application connects to Secretless without SSL, which is safe because it is intra-Pod communication over localhost.
However, the connection between Secretless and Postgres is secure, and does use SSL.
The situation looks like this:
               No SSL                    SSL
Application <----------> Secretless <----------> Postgres
For more information on PostgreSQL SSL modes see:
Notice we add the quick-start-application ServiceAccount to the pod:
spec:
  serviceAccountName: quick-start-application
That’s the ServiceAccount we created earlier, the one with access to the credentials in Kubernetes Secrets. This is what gives Secretless access to those credentials.
Finally, notice the sections defining the volumes and the volume mount in the Secretless container:
# ... elided
      volumeMounts:
      - name: config
        mountPath: /etc/secretless
        readOnly: true
    volumes:
    - name: config
      configMap:
        name: quick-start-application-secretless-config
Here we create a volume based on the ConfigMap we created earlier, which stores our secretless.yml configuration file.
Thus Secretless gets its configuration file via a volume mount, and the application container never sees the database credentials at all.
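As an added example (not code from this tutorial or the Secretless project), here is a small Python lint for the invariants this page describes, covering both the SSL discussion and the ServiceAccount/volume sections: sslmode=disable in DB_URL is tolerated only toward a loopback host, the application container carries no literal credential in its env, the Pod names a serviceAccountName, and the sidecar's config mount is read-only and backed by a ConfigMap. The Pod template is hand-copied into a dict constructed to mirror the manifest above; on a real manifest you would pass `yaml.safe_load(f)["spec"]["template"]` instead. The function names, the secret-looking env-name heuristic and the "bad" counter-example are this example's own assumptions.

```python
import copy
from urllib.parse import urlparse, parse_qs

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# libpq modes that do not guarantee an encrypted, server-verified link
WEAK_SSLMODES = {"disable", "allow", "prefer"}
# heuristic (assumption of this example): env names that usually carry credentials
SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY")


def check_db_url(url):
    """Findings for a libpq-style URL: a weak sslmode is acceptable only to loopback."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    mode = parse_qs(parsed.query).get("sslmode", ["prefer"])[0]  # libpq default is prefer
    if mode in WEAK_SSLMODES and host not in LOOPBACK_HOSTS:
        findings.append(f"DB_URL uses sslmode={mode} to non-loopback host {host!r}")
    if parsed.password:
        findings.append("DB_URL embeds a password; Secretless should inject it instead")
    return findings


def check_pod_template(template):
    """Findings for a Pod template dict (shape as produced by yaml.safe_load)."""
    findings = []
    spec = template["spec"]
    if not spec.get("serviceAccountName"):
        findings.append("no serviceAccountName: Secretless cannot read the Secrets")
    containers = {c["name"]: c for c in spec.get("containers", [])}
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for name, container in containers.items():
        for env in container.get("env", []):
            if env["name"] == "DB_URL":
                findings += check_db_url(env.get("value", ""))
            elif "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"container {name!r} has a literal secret in env {env['name']}")
    sidecar = containers.get("secretless-broker")
    if sidecar is None:
        return findings + ["no secretless-broker sidecar in the Pod"]
    for mount in sidecar.get("volumeMounts", []):
        volume = volumes.get(mount["name"])
        if volume is None:
            findings.append(f"mount {mount['name']!r} has no matching volume")
        elif "configMap" not in volume:
            findings.append(f"volume {mount['name']!r} is not backed by a ConfigMap")
        if not mount.get("readOnly", False):
            findings.append(f"config mount {mount['name']!r} is not readOnly")
    return findings


# Constructed to mirror the Pod template shown above (hand-copied, not loaded from a file).
GOOD_TEMPLATE = {
    "metadata": {"labels": {"app": "quick-start-application"}},
    "spec": {
        "serviceAccountName": "quick-start-application",
        "automountServiceAccountToken": True,
        "containers": [
            {"name": "quick-start-application",
             "image": "cyberark/demo-app:latest",
             "env": [{"name": "DB_URL",
                      "value": "postgresql://localhost:5432/${APPLICATION_DB_NAME}?sslmode=disable"}]},
            {"name": "secretless-broker",
             "image": "cyberark/secretless-broker:latest",
             "args": ["-f", "/etc/secretless/secretless.yml"],
             "volumeMounts": [{"name": "config", "mountPath": "/etc/secretless", "readOnly": True}]},
        ],
        "volumes": [{"name": "config",
                     "configMap": {"name": "quick-start-application-secretless-config"}}],
    },
}

# Constructed counter-example: the app bypasses the sidecar, carries its own credentials,
# and the sidecar's config mount is writable.
BAD_TEMPLATE = copy.deepcopy(GOOD_TEMPLATE)
BAD_TEMPLATE["spec"]["containers"][0]["env"] = [
    {"name": "DB_URL", "value": "postgresql://db.example.internal:5432/app?sslmode=disable"},
    {"name": "DB_PASSWORD", "value": "hunter2"},  # literal secret in the manifest
]
BAD_TEMPLATE["spec"]["containers"][1]["volumeMounts"][0].pop("readOnly")

if __name__ == "__main__":
    for label, tmpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_pod_template(tmpl) or "OK")
```

Run as a script it prints "OK" for the template from this page and three findings for the counter-example. The loopback rule is the important one: sslmode=disable is only defensible because the TCP connection never leaves the Pod, so any manifest that points a weak sslmode at a remote host should fail review.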