This topic describes how to deploy Secretless in Kubernetes/OpenShift with Kubernetes secrets as the credential provider. Rather than supply your application with the database credentials directly, you deploy your application with the Secretless Broker sidecar to keep secrets out of your app and keep them secure.
OpenShift vs Kubernetes
The code snippets in this topic use
kubectl. If you are deploying OpenShift, replace each
You have a test application that requires a PostgreSQL or MySQL database
You are using a supported version of OpenShift or Kubernetes
You have already set up the database, it is accessible to apps running in your OpenShift / Kubernetes environment, it supports SSL, and you have credentials for the database
You are in a test or development environment and want to store the credentials in Kubernetes secrets
Kubernetes secrets should not be used in production environments without first carefully configuring your Kubernetes or OpenShift cluster. For more information on the possible risks, see the Kubernetes documentation.
The first step in preparing to deploy your application with Secretless is to load the database credentials into a Kubernetes secret. In the example that follows we are setting up a PostgreSQL connection; the setup for MySQL is similar.
Ensure you are logged in to your Kubernetes or OpenShift cluster via the command line.
Store the database connection details in your environment in
POSTGRES_PASSWORD environment variables and run the following command to create a Kubernetes secret with the
Create the Secretless Broker Configuration
Next, define the Secretless Broker configuration. Secretless uses this configuration to determine where to listen for incoming connections, where to route those connections, and where to get the credentials for each connection.
Write the following YAML to a file named
The configuration above instructs Secretless to listen on port 5432 for an incoming PostgreSQL connection.
The credentials for the connection are going to come from the
my-app-postgres Kubernetes secret.
By default Secretless Broker will connect to PostgreSQL using
For information on additional
To store the configuration in Kubernetes / OpenShift and make it accessible to the Secretless sidecar container,
create a new ConfigMap in Kubernetes using the newly created
Update Your Application
If you are already running your application elsewhere, it likely already has some method of retrieving or storing database credentials and opening the database connection.
To prepare your application to connect to the database via Secretless instead, you can remove any existing database
credentials from the application and configure it to connect to
localhost:5432 - the port that Secretless
is listening on.
That's it! It really is that simple to set up your app to use Secretless.
Add the Secretless Broker Sidecar to Your App Deployment
Secretless Broker is deployed as a sidecar container in the same pod as your application. You can deploy Secretless with your app by modifying your application manifest to include the Secretless Broker container definition with its configuration ConfigMap provided via a volume mount.
You will want to ensure the pod has access to the
Once you have updated your application manifest to include the configured Secretless Broker sidecar, save it as
my-app-manifest.yml and apply it
to deploy the pod. Your application will begin to access PostgreSQL via Secretless Broker without ever knowing the
Learn about the supported Secret Providers
Learn about the supported Service Connectors