Kubernetes Secrets

This topic describes how to deploy Secretless in Kubernetes/OpenShift with Kubernetes secrets as the credential provider. Rather than supply your application with the database credentials directly, you deploy your application with the Secretless Broker sidecar to keep secrets out of your app and keep them secure.

Prerequisites

OpenShift vs Kubernetes

The code snippets in this topic use kubectl. If you are deploying OpenShift, replace each kubectl with oc

Assumptions

  • You have a test application that requires a PostgreSQL or MySQL database

  • You are using a supported version of OpenShift or Kubernetes

  • You have already set up the database, it is accessible to apps running in your OpenShift / Kubernetes environment, it supports SSL, and you have credentials for the database

  • You are in a test or development environment and want to store the credentials in Kubernetes secrets

 

Kubernetes secrets should not be used in production environments without first carefully configuring your Kubernetes or OpenShift cluster. For more information on the possible risks, see the Kubernetes documentation.

Before getting started, you may want to read up on How it works or Configuration.

Load Secrets

The first step in preparing to deploy your application with Secretless is to load the database credentials into a Kubernetes secret. In the example that follows we are setting up a PostgreSQL connection; the setup for MySQL is similar.

Ensure you are logged in to your Kubernetes or OpenShift cluster via the command line. Store the database connection details in your environment in POSTGRES_ADDRESS, POSTGRES_USERNAME, and POSTGRES_PASSWORD environment variables and run the following command to create a Kubernetes secret with the connection details:

 
kubectl create secret generic my-app-postgres \
  --from-literal=address=$POSTGRES_ADDRESS \
  --from-literal=username=$POSTGRES_USERNAME \
  --from-literal=password=$POSTGRES_PASSWORD

Create the Secretless Broker Configuration

Next, define the Secretless Broker configuration. Secretless uses this configuration to determine where to listen for incoming connections, where to route those connections, and where to get the credentials for each connection.

Write the following YAML to a file named secretless.yml.

 
listeners:
  - name: pg
    protocol: pg
    address: 0.0.0.0:5432
handlers:
  - name: pg
    listener: pg
    credentials:
      - name: address
        provider: kubernetes
        id: my-app-postgres#address
      - name: username
        provider: kubernetes
        id: my-app-postgres#username
      - name: password
        provider: kubernetes
        id: my-app-postgres#password

The configuration above instructs Secretless to listen on port 5432 for an incoming PostgreSQL connection. The credentials for the connection are going to come from the my-app-postgres Kubernetes secret.

 

By default Secretless Broker will connect to PostgreSQL usingsslmode=require.

For information on additional sslmode values available, see the Handlers.

To store the configuration in Kubernetes / OpenShift and make it accessible to the Secretless sidecar container, create a new ConfigMap in Kubernetes using the newly created secretless.yml.

 
kubectl create configmap my-app-secretless-config --from-file=secretless.yml

Update Your Application

If you are already running your application elsewhere, it likely already has some method of retrieving or storing database credentials and opening the database connection.

To prepare your application to connect to the database via Secretless instead, you can remove any existing database credentials from the application and configure it to connect to localhost:5432 - the port that Secretless is listening on.

That's it! It really is that simple to set up your app to use Secretless.

Add the Secretless Broker Sidecar to Your App Deployment

Secretless Broker is deployed as a sidecar container in the same pod as your application. You can deploy Secretless with your app by modifying your application manifest to include the Secretless Broker container definition with its configuration ConfigMap provided via a volume mount.

  You will want to ensure the pod has access to the my-app-postgres secret, otherwise the broker will be unable to retrieve it. By default secrets are namespace-scoped.
 
---
apiVersion: apps/v1
kind: Pod
metadata:
  name: my-app
  namespace: demo
  labels:
    app: my-app
  spec:
    containers:
    # <-- Your container definition here -->
    # - name: my-app
    #   image: my-app:latest
    - name: secretless-broker
      image: cyberark/secretless-broker:latest
      args: ["-f", "/etc/secretless/secretless.yml"]
      ports:
      - containerPort: 5432
      volumeMounts:
      - name: config
        mountPath: "/etc/secretless"
        readOnly: true
    volumes:
    - name: config
      configMap:
        name: my-app-secretless-config

Run

Once you have updated your application manifest to include the configured Secretless Broker sidecar, save it as my-app-manifest.yml and apply it to deploy the pod. Your application will begin to access PostgreSQL via Secretless Broker without ever knowing the database credentials.

 
kubectl create -f my-app-manifest.yml

Next steps

 
9.7