Use Kubernetes Secrets to Deploy Secretless

This topic describes how to deploy Secretless in Kubernetes/OpenShift with Kubernetes secrets as the credential provider. Rather than supply your application with the database credentials directly, you deploy your application with the Secretless Broker sidecar to keep secrets out of your app and keep them secure.

Prerequisites

OpenShift vs Kubernetes

The code snippets in this topic use kubectl. If you are deploying OpenShift, replace each kubectl with oc.

Assumptions

You have a test application that requires a PostgreSQL or MySQL database.
You are using a supported version of OpenShift or Kubernetes.
You have already set up the database, it is accessible to apps running in your OpenShift / Kubernetes environment, it supports SSL, and you have credentials for the database.
You are in a test or development environment and want to store the credentials in Kubernetes secrets.

Kubernetes secrets should not be used in production environments without first carefully configuring your Kubernetes or OpenShift cluster. For more information on the possible risks, see the Kubernetes documentation.

Before getting started, you may want to read up on How Secretless Works or Secretless Configuration.

Load Secrets

The first step in preparing to deploy your application with Secretless is to load the database credentials into a Kubernetes secret. In the example that follows we are setting up a PostgreSQL connection; the setup for MySQL is similar.

Ensure you are logged in to your Kubernetes or OpenShift cluster via the command line. Store the database connection details in your environment in POSTGRES_ADDRESS, POSTGRES_USERNAME, and POSTGRES_PASSWORD environment variables and run the following command to create a Kubernetes secret with the connection details:

kubectl create secret generic my-app-postgres \
  --from-literal=address=$POSTGRES_ADDRESS \
  --from-literal=username=$POSTGRES_USERNAME \
  --from-literal=password=$POSTGRES_PASSWORD

Create the Secretless Broker Configuration

Next, define the Secretless Broker configuration. Secretless uses this configuration to determine where to listen for incoming connections, where to route those connections, and where to get the credentials for each connection.

Write the following YAML to a file named secretless.yml.

          
version: "2"
services:
   pg-db:
     connector: pg
     listenOn: tcp://0.0.0.0:5432
     credentials:
       host:
         from: kubernetes
         get: my-app-postgres#host
       port:
         from: kubernetes
         get: my-app-postgres#port
       username:
         from: kubernetes
         get: my-app-postgres#username
       password:
         from: kubernetes
         get: my-app-postgres#password

The configuration above instructs Secretless to listen on port 5432 for an incoming PostgreSQL connection. The credentials for the connection are going to come from the my-app-postgres Kubernetes secret.

By default Secretless Broker connects to PostgreSQL usingsslmode=require.

For information on additional sslmode values, see the Secretless Service Connectors.

To store the configuration in Kubernetes / OpenShift and make it accessible to the Secretless sidecar container, create a new ConfigMap in Kubernetes using the newly created secretless.yml.

kubectl create configmap my-app-secretless-config --from-file=secretless.yml

Update Your Application

If you are already running your application elsewhere, it likely already has some method of retrieving or storing database credentials and opening the database connection.

To prepare your application to connect to the database via Secretless instead, you can remove any existing database credentials from the application and configure it to connect to localhost:5432 - the port on which Secretless is listening.

That's it! It really is that simple to set up your app to use Secretless.

Add the Secretless Broker Sidecar to Your App Deployment

Secretless Broker is deployed as a sidecar container in the same pod as your application. You can deploy Secretless with your app by modifying your application manifest to include the Secretless Broker container definition with its configuration ConfigMap provided via a volume mount.

You will want to ensure the pod has access to the my-app-postgres secret, otherwise the broker will be unable to retrieve it. By default secrets are namespace-scoped.

          
            ---
apiVersion: apps/v1
kind: Pod
metadata:
  name: my-app
  namespace: demo
  labels:
    app: my-app
  spec:
    containers:
    # <-- Your container definition here -->
    # - name: my-app
    #   image: my-app:latest
    - name: secretless-broker
      image: cyberark/secretless-broker:latest
      args: ["-f", "/etc/secretless/secretless.yml"]
      ports:
      - containerPort: 5432
      volumeMounts:
      - name: config
        mountPath: "/etc/secretless"
        readOnly: true
    volumes:
    - name: config
      configMap:
        name: my-app-secretless-config

Run

Once you have updated your application manifest to include the configured Secretless Broker sidecar, save it as my-app-manifest.yml and apply it to deploy the pod. Your application will begin to access PostgreSQL via Secretless Broker without ever knowing the database credentials.

kubectl create -f my-app-manifest.yml

Next steps

Learn how to deploy Secretless Broker with CyberArk Dynamic Access Provider.
Learn about the supported secret providers.
Learn about the supported Secretless Service Connectors.