The latest articles on DEV Community by Kevin Davin (@davinkevin). https://dev.to/davinkevin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F275726%2Ffa0ac2a2-0823-4ff0-8953-cca5be891222.png https://dev.to/davinkevin en Kevin Davin Tue, 04 Jun 2024 16:00:00 +0000 https://dev.to/davinkevin/taming-fluxcd-helmreleases-the-kustomize-way-approach-48l8 https://dev.to/davinkevin/taming-fluxcd-helmreleases-the-kustomize-way-approach-48l8 <p><a href="https://fluxcd.io/" rel="noopener noreferrer">FluxCD</a> is a powerful tool for managing deployments in Kubernetes using GitOps principles. While it offers a wide range of features, this post will explore scenarios where a simpler approach might be preferable, aligning with the #SimplerIsBetter philosophy.</p> <p><strong>NOTE</strong>: This article shares insights and perspectives gained through experience in various contexts and companies. Feel free to disagree, but with respect! 😉</p> <h2> <code>HelmRelease</code>, what is this? </h2> <p><a href="https://fluxcd.io/flux/use-cases/helm/" rel="noopener noreferrer"><code>HelmRelease</code> is a custom resource provided by FluxCD</a>, which provides users<br> a way to automatically install <code>helm</code> charts using FluxCD and its declarative system. </p> <p>For example, if you want to install the <a href="https://github.com/stefanprodan/podinfo" rel="noopener noreferrer">PodInfo</a> app, you have to declare<br> the following manifest:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">helm.toolkit.fluxcd.io/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmRelease</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">chart</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">6.5.*'</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">releaseName</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">values</span><span class="pi">:</span> <span class="c1"># part dedicated to the all `values` the chart accept</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p><strong>NOTE</strong>: For the sake of simplicity, I kept only relevant attributes, but I can say FluxCD offers a rich API to cover most of use cases.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flwizd0gvqtzctacvfjs5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flwizd0gvqtzctacvfjs5.png" alt="Workflow"></a></p> <p>The simplified workflow can be described like this:</p> <ul> <li>The <code>HelmOperator</code> verifies and retrieves the Helm chart from a remote source like GitHub, GitLab, Artifactory or an OCI registry (recommended)</li> <li>It then renders the chart using configuration from the <code>HelmRelease</code> object, which can include values provided in different ways (inlined, using ConfigMap or Secret)</li> <li>Finally, the <code>HelmOperator</code> applies the generated <code>YAML</code> manifests to the Kubernetes API to install or upgrade the application.</li> </ul> <p>This approach can work for simple deployments, but as an operator, I've encountered several design drawbacks that I'd like to discuss. Let's see these issues!</p> <p><strong>NOTE</strong> Like every GitOps solution, FluxCD requires a connection to a <code>GitRepository</code> too. To keep the diagram simple, I've not materialized this item. </p> <h2> GitOps, aka "only source of truth" </h2> <p>The GitOps philosophy is built on top of 3 key principles: </p> <ul> <li> <strong>Declarative System</strong>: You define the desired state of your system (what you want) using declarative language (<a href="https://en.wikipedia.org/wiki/Fourth-generation_programming_language" rel="noopener noreferrer">4GL</a>). This approach focuses on the "what" instead of the "how," making your configuration easier to understand and maintain.</li> <li> <strong>System State Captured in a Git Repository</strong>: The desired state of your system is stored in a Git repository. This provides a central location for managing your infrastructure configurations, enabling version control, collaboration, and easy rollbacks if needed.</li> <li> <strong>Automatic Deployment system</strong>: Any changes pushed to the Git repository trigger an automated deployment process. This automates the process of translating your desired state into actual changes within your system, reducing manual intervention and the risk of errors.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ilcr9vf1y9jwia24au1.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ilcr9vf1y9jwia24au1.jpg" alt="3 pillars"></a></p> <p>The <code>HelmRelease</code> is a <strong>Declarative</strong> approach, where <strong>automation</strong> is managed by the controller. However, "<strong>desired state of your system is stored in a Git repository</strong>" and all it implies are not respected.</p> <h3> External Chart Dependencies: A Potential Weak Point </h3> <p>A core principle of building resilient systems is ensuring the availability of all their components. When using <code>HelmRelease</code>, we introduce an external dependency, the location where the Helm chart resides.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frr35t0rbcs9ilcb0mdr4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frr35t0rbcs9ilcb0mdr4.png" alt="HelmRelease not able to fetch chart"></a></p> <p>If communication with this external location fails (due to server downtime, network issues, etc.), you might not be able to install or update your application. This introduces a potential single point of failure (SPOF) in your deployment process. Additionally, the desired state of your cluster is not solely defined by your <code>git</code> repository; it also depends on all the charts your system downloads. </p> <h3> Limited Visibility into Helm Chart Content </h3> <p>Another purpose of this <strong>System State Captured in a Git Repository</strong> is its auditability. If you capture the complete state of a system in <code>git</code>, you can review it before an installation or upgrade. However, using <code>HelmRelease</code> introduces a layer of opacity.</p> <p>While you declare the specific chart you want to use, you might not have a complete picture of what resources the chart will actually install in your cluster. It could potentially create various resources like <code>ClusterRoles</code>, <code>NetworkPolicies</code>, or <code>DaemonSets</code>. You can't say without… deploying it, running it locally or worth, reading the chart's source. 😞</p> <p><iframe class="tweet-embed" id="tweet-1648619974934642689-925" src="https://platform.twitter.com/embed/Tweet.html?id=1648619974934642689"> </iframe> // Detect dark theme var iframe = document.getElementById('tweet-1648619974934642689-925'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1648619974934642689&amp;theme=dark" } </p> <h3> Lack of Immutability in Helm Charts! </h3> <p>The problem we already have with container images applied the same way to <code>helm</code> charts. A chart produced and published at a specific date might be un-published or re-published with a different content. In those case, you expose your system to the two previous points again… </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwnafjo7x5jahkfhlycwb.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwnafjo7x5jahkfhlycwb.jpg" alt="representation of immutability with zebras…"></a></p> <p><strong>NOTE</strong> We can now store charts in OCI registries, with immutability feature. To leverage it, you have to complexify your system with <code>digest</code> pinning, because in security, we can't blindly trust a 3rd party 😇. </p> <h3> Chart customisation, another nightmare 👻 </h3> <p>While Helm charts offer a convenient way to package deployments, maintaining them can be challenging due to their complexity. Kubernetes itself provides a wide range of configuration options, which can further complicate matters.</p> <p>This complexity can lead to situations where the desired configuration isn't readily available within a chart. For example, you might want to add an annotation to a workload or modify taints and tolerations, but the chart may not offer built-in ways to do so.</p> <p><iframe class="tweet-embed" id="tweet-1622925402845970433-191" src="https://platform.twitter.com/embed/Tweet.html?id=1622925402845970433"> </iframe> // Detect dark theme var iframe = document.getElementById('tweet-1622925402845970433-191'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1622925402845970433&amp;theme=dark" } </p> <p>To address this challenge, FluxCD introduced the concept of <code>postRenderers</code> (see <a href="https://fluxcd.io/flux/components/helm/helmreleases/#post-renderers" rel="noopener noreferrer">documentation</a> within <code>HelmRelease</code> resources. This feature leverages the Kustomize API to customize deployments after the initial Helm chart rendering.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">helm.toolkit.fluxcd.io/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmRelease</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">releaseName</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">chart</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">…</span> <span class="pi">}</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">…</span> <span class="pi">}</span> <span class="na">postRenderers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kustomize</span><span class="pi">:</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">patch</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- op: add</span> <span class="s">path: /metadata/labels/environment</span> <span class="s">value: production </span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">docker.io/bitnami/metrics-server</span> <span class="na">newName</span><span class="pi">:</span> <span class="s">docker.io/bitnami/metrics-server</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s">0.4.1-debian-10-r54</span> </code></pre> </div> <p>The configuration for <code>postRenderers</code> is separate from the Helm chart result. This can make it difficult to understand the complete picture of how the final deployment will be configured, potentially leading to hidden errors. 🤯</p> <p>FluxCD doesn't provide robust mechanisms to analyze the resources created after the combined rendering and post-rendering steps. This can make troubleshooting issues arising from these modifications cumbersome. 😞</p> <h2> Solution is simplicity 🚀! </h2> <p>We've discussed the challenges associated with relying solely on Helm charts within FluxCD deployments. These challenges can compromise the visibility, maintainability, and overall health of your GitOps workflow.</p> <p>So, how can we achieve the ideal balance: a declarative system, automatic deployments, and a clear picture of your system state captured entirely within your Git repository?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zogjy9jj9snirmvk8nb.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zogjy9jj9snirmvk8nb.jpg" alt="human printing document with an old machine made of wood"></a></p> <h3> Render the chart and store it into <code>git</code> for better auditability </h3> <p>The answer lies in a simple yet powerful sub-command – <code>helm template</code> (or <code>helmfile template</code> if you use <a href="https://helmfile.readthedocs.io/" rel="noopener noreferrer">Helmfile</a>). This command allows you to locally render helm charts along with your desired values, generating the final deployment manifest files.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>helm repo add podinfo https://stefanprodan.github.io/podinfo <span class="s2">"podinfo"</span> has been added to your repositories <span class="nv">$ </span>helm repo update podinfo Hang tight <span class="k">while </span>we grab the latest from your chart repositories... ...Successfully got an update from the <span class="s2">"podinfo"</span> chart repository Update Complete. ⎈Happy Helming!⎈ <span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"replicaCount: 2"</span> <span class="o">&gt;</span> values.yaml <span class="nv">$ </span>helm template podinfo/podinfo <span class="nt">-f</span> values.yaml <span class="nt">--version</span> 6.6.3 <span class="o">&gt;</span> podinfo.yaml </code></pre> </div> <p>And that's it! It was not so complicated 😇. We have a file called <code>podinfo.yaml</code>, located in <code>/k8s/podinfo</code> of our <code>git</code> repository. </p> <p>This file is now yours, it can be read, analyzed and pushed to <code>kubernetes</code>. After this generation, your system is free from the external chart registry where the chart is located.</p> <p><strong>NOTE</strong> I recommend to <strong>never</strong> modify a file "generated" by another tool, because you will loose this modification during the next rendering. tldr; treat them as "read-only".</p> <h3> How to deploy generated files with FluxCD? </h3> <p>Instead of using <code>HelmRelease</code>, we're going to use <code>Kustomization</code> resources provided by FluxCD. It is way simpler than <code>HelmRelease</code>, because it just deploys manifests located in a specific location.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">name</span><span class="pi">:</span> <span class="s">our-gitops-repository</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/k8s/podinfo"</span> <span class="c1"># our location in our GitOps repo</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">1m</span> </code></pre> </div> <p>Because we use the <code>GitRepository</code>, called <code>our-gitops-repository</code> and eventually used by <code>FluxCD</code> itself, there is no extra dependency in our system.</p> <h3> Direct Customization with Kustomize </h3> <p>While <code>HelmRelease</code> offers <code>postRenderers</code> for some customizations, the <code>Kustomization</code> resource provides full access to the powerful Kustomize capabilities. <br> This allows for more granular and flexible control over your manifests. Here's how to achieve a similar customization as the previous <code>postRenderer</code> example using a <code>kustomization.yaml</code> file:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># kustomization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">podinfo.yaml</span> <span class="c1"># your generated file from the previous step</span> <span class="na">patches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">patch</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- op: add</span> <span class="s">path: /metadata/labels/environment</span> <span class="s">value: production </span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">docker.io/bitnami/metrics-server</span> <span class="na">newName</span><span class="pi">:</span> <span class="s">docker.io/bitnami/metrics-server</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s">0.4.1-debian-10-r54</span> </code></pre> </div> <p><a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/" rel="noopener noreferrer">kustomize</a> offers a wider range of functionalities compared to <code>postRenderers</code>. You can manipulate resources using features like <code>namePrefix</code>, <code>labels</code>, <code>replacements</code>, <code>components</code>… The list is too long to be detailed here 😇.</p> <p>As a bonus point, you can run <code>kustomize build /k8s/podinfo/</code> and see the complete result of the generation before any interaction with FluxCD. </p> <h3> Enjoy reviews and audit with rich diff! </h3> <p>One of the significant advantages of managing your full Kubernetes state with GitOps is the ability to leverage Git's powerful version control capabilities for reviewing and auditing deployments.</p> <p>From an operator perspective, there is nothing better than a clear and detailed diff views during tool upgrade:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftl6j9n7c5uusbhp8k7r9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftl6j9n7c5uusbhp8k7r9.png" alt="rancher/local-path-provisioner to v0.0.27 diff view"></a></p> <p>Obviously, your IDE will be your best friend to understand what happened, with clear context and details of changes:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlxqzs8koih0coeacccs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlxqzs8koih0coeacccs.png" alt="cert-manager modification history"></a></p> <p><strong>NOTE</strong> Upgrade can be automated using tools like <code>renovate</code> or <code>dependabot</code></p> <h2> Conclusion </h2> <p>While Helm charts offer a convenient way to package deployments, maintaining them in a FluxCD workflow can introduce challenges related to <strong>transparency</strong>, <strong>maintainability</strong>, and <strong>control</strong>.</p> <p>This article explored the limitations of <code>HelmReleases</code> and presented <code>helm template …</code> as a more powerful and flexible alternative, leveraging FluxCD <code>Kustomize</code> resource. Using Kustomize directly within your <code>git</code> repository, you gain greater control, visibility, and the benefits of Git version control for reviewing and auditing changes.</p> <p>Ultimately, by adopting a Kustomize-based approach within your FluxCD workflows, you can achieve a more <strong>declarative</strong>, <strong>transparent</strong>, and <strong>auditable</strong> approach to managing your Kubernetes deployments.</p> kubernetes fluxcd yaml helm Kevin Davin Fri, 12 Aug 2022 14:41:32 +0000 https://dev.to/davinkevin/deploy-with-kustomize-fluxcd-and-remote-resources-2id7 https://dev.to/davinkevin/deploy-with-kustomize-fluxcd-and-remote-resources-2id7 <h2> Introduction </h2> <p>As a Kubernetes user, I chose to use the default tooling available, named <code>Kustomize</code>, to manage my manifests and all modifications I need to do over them for each environment I want to deploy. For that, <a href="https://kustomize.io/" rel="noopener noreferrer"><code>Kustomize</code></a> is a powerful solution based on concepts of <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/resource/" rel="noopener noreferrer">inheritance</a> (<code>resources</code>) and <a href="https://kubectl.docs.kubernetes.io/guides/config_management/components/" rel="noopener noreferrer">composition</a> (<code>components</code>).</p> <p>But one thing I miss the most is the ability to distribute manifests to other people, letting them inherit or compose them as they want. This is one subject where <code>helm</code> is ahead of <code>Kustomize</code> now.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgh3ffmhnziqp6509y2rp.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgh3ffmhnziqp6509y2rp.jpg" alt="beautiful landscape"></a></p> <p>However, <code>Kustomize</code> provides a mechanism to use <code>remote</code> elements, for both <code>resources</code> and <code>components</code> using <code>git</code> under the hood. This solution is perfect, because we can use any <code>git</code> repository as a <code>yaml</code> registry for our <code>reousrces</code> and <code>components</code> 🔥.</p> <p>But, the downside is <code>FluxCD</code> does not supports so well, for <a href="https://github.com/fluxcd/flux2/issues/1749#issuecomment-905410469" rel="noopener noreferrer">a lot of good reasons</a> (especially when your repositories are private)… In this article, we will see how to bypass this limitation and use remote <code>resources</code> and <code>components</code>, the <code>FluxCD</code> way!</p> <h2> Cluster &amp; FluxCD configuration </h2> <p>In this article, I won't detail so much the cluster &amp; flux configuration… because there is already plenty of documentation and blogposts about that!</p> <p>For this article, I have set up a cluster using <a href="https://cloud.google.com/kubernetes-engine" rel="noopener noreferrer">Google Kubernetes Engine</a> (aka GKE) using this <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-zonal-cluster" rel="noopener noreferrer">documentation</a> and installed <code>FluxCD</code> connected to a GitLab repository with the following command (extracted from the <a href="https://fluxcd.io/legacy/flux/tutorials/get-started/" rel="noopener noreferrer">official documentation</a>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>flux bootstrap gitlab <span class="se">\</span> <span class="nt">--owner</span><span class="o">=</span>davinkevin.fr/articles/flux-and-kustomize-remote-base <span class="se">\</span> <span class="nt">--repository</span><span class="o">=</span>clusters <span class="se">\</span> <span class="nt">--branch</span><span class="o">=</span>gke <span class="se">\</span> <span class="nt">--path</span><span class="o">=</span>fluxcd </code></pre> </div> <p><strong>NOTE</strong>: I don't like to use <code>default</code> branch, so I chose to create a branch for this cluster, so if I have another cluster, I just need another branch 😉. This is some kind of <a href="https://docs.gitlab.com/ee/topics/gitlab_flow.html" rel="noopener noreferrer">GitLab Flow</a> for environment.</p> <p>With this, I have a complete Kubernetes Cluster ready for GitOps, using <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters" rel="noopener noreferrer"><code>clusters</code> repository</a> as source-of-truth. Every modification made in this repository will be automatically deployed by <code>FluxCD</code> 🤩.</p> <h2> <code>bases</code> repository </h2> <p>I have set up another <code>git</code> repository dedicated to <code>resources</code> and <code>components</code>. It hosts what we usually call <code>base</code>, because it contains the common core of an application and also many <code>components</code> to enable some extra features (at infrastructure or application level).</p> <p>This repository <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases" rel="noopener noreferrer">is available in GitLab</a> and is agnostic of my deployment environment. Again, I only host here the bare definition of my applications, we can compare this to an <code>helm</code> registry. Because it is managed in <code>git</code>, I can use branch &amp; tags for management 🚀.</p> <p><strong>NOTE</strong>: Usually, this kind of <code>yaml</code> repository is only populated by CI from other projects automatically.</p> <h2> PodInfo base publication </h2> <p>I have chosen the well known <a href="https://github.com/stefanprodan/podinfo" rel="noopener noreferrer"><code>podinfo</code> application</a> as an example, and I have developed the <code>base</code> and some <code>components</code> associated to it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── README.md └── podinfo └── base ├── components │   ├── hpa │   │   ├── hpa.yaml │   │   └── kustomization.yaml │   ├── ingress │   │   ├── ingress.yaml │   │   └── kustomization.yaml │   └── redis │   ├── kustomization.yaml │   ├── redis.conf │   └── redis.yaml ├── kustomization.yaml └── podinfo.yaml </code></pre> </div> <h3> Core PodInfo </h3> <p>This part is the <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases/-/blob/podinfo/podinfo/base/podinfo.yaml" rel="noopener noreferrer">common part of all potential deployment</a>. It contains:</p> <ul> <li>The <code>podinfo</code> Kubernetes Service</li> <li>The <code>podinfo</code> Kubernetes Deployment</li> </ul> <p>And nothing else… if you need to deploy any other part of the app, you have to use <code>components</code> 👇.</p> <h3> Components </h3> <p>In this <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases/-/tree/podinfo/podinfo/base/components" rel="noopener noreferrer"><code>components</code></a>, we can find all <strong>optional</strong> part of our application. As an end-user, I need to declare those I want to use, because by default, they are not applied at all in the common core.</p> <p>Here, we have:</p> <ul> <li> <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases/-/tree/podinfo/podinfo/base/components/hpa" rel="noopener noreferrer"><code>hpa</code></a> with a default preconfigured <a href="https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/" rel="noopener noreferrer"><code>Horizontal-Pod-Autoscaler</code></a> if you want the application to scale up and down automatically</li> <li> <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases/-/tree/podinfo/podinfo/base/components/ingress" rel="noopener noreferrer"><code>ingress</code></a> definition to expose the application to the outside world (<a href="https://kubernetes.io/docs/concepts/services-networking/ingress/" rel="noopener noreferrer">see official documentation</a>)</li> <li> <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases/-/tree/podinfo/podinfo/base/components/redis" rel="noopener noreferrer"><code>redis</code></a> component to enable cache on the PodInfo application with default configuration.</li> </ul> <p>It's interesting to note components can be of any sort, <code>hpa</code> and <code>ingress</code> are focused on infrastructure when <code>redis</code> is a feature of the application. Without this <code>redis</code> component, the application is able to work, just without any caching system. This <code>redis</code> component is here to deploy a <code>redis</code> server (of course 😅) but also to enable caching at <code>podinfo</code> level too.</p> <p><strong>NOTE</strong>: If you want a better description of this <code>component</code> feature, I advise you to discover <a href="https://kubectl.docs.kubernetes.io/guides/config_management/components/" rel="noopener noreferrer">this article from the official documentation</a></p> <p>So, we have a complete, environment agnostic <code>resource</code> and <code>components</code> committed to our <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases/-/tree/podinfo/" rel="noopener noreferrer"><code>base</code> repository</a>. Now, It is time to use it!</p> <h2> Publish PodInfo to <code>dev</code> </h2> <p>Back to our cluster, I want to deploy this <code>podinfo</code> application, but of course I want to apply some extra customizations on it, like:</p> <ul> <li>Define <code>components</code> I want to enable</li> <li>Define a domain name for the <code>ingress</code> definition</li> <li>Define the required <code>tls</code> configuration to the <code>ingress</code> </li> <li>Define an alternative registry for the image</li> </ul> <p>So, to do that, I need to have <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters/-/blob/gke/podinfo-dev/kustomization.yaml" rel="noopener noreferrer">one (or multiple) <code>kustomization.yaml</code></a> to define this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># &lt;clusters-repo&gt;/podinfo-dev/kustomization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">podinfo-dev</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">newName</span><span class="pi">:</span> <span class="s">ghcr.io/stefanprodan/podinfo</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../base</span> <span class="pi">-</span> <span class="s">ingress</span> <span class="na">components</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../base/components/redis</span> </code></pre> </div> <p><strong>NOTE</strong>: The <code>ingress</code> modification is in <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters/-/blob/gke/podinfo-dev/ingress/kustomization.yaml" rel="noopener noreferrer">its own file</a> to keep this one simple enough.</p> <p>But, what is this <code>../base</code> folder? There is no <code>base</code> at all <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters" rel="noopener noreferrer">in <code>cluster</code> repository</a>. And you are right… we will use <code>FluxCD</code> feature available in flux to <code>include</code> the <code>base</code> repository at the right location during <code>reconciliation</code>. To do that, we need to define multiple flux resources.</p> <h3> <code>podinfo-base</code> flux repository </h3> <p>First, we need a representation of our <code>flux.GitRepository</code> for <code>bases</code>, which is materialized in flux with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">source.toolkit.fluxcd.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-base-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">ref</span><span class="pi">:</span> <span class="na">branch</span><span class="pi">:</span> <span class="s">podinfo</span> <span class="na">url</span><span class="pi">:</span> <span class="s">ssh://git@gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> </code></pre> </div> <p><strong>NOTE</strong>: Here, I have chosen to define <code>spec.ref.branch: podinfo</code> to follow every commit made to this branch. It is, for development, a continuous deployment system 🚀.</p> <h3> <code>podinfo</code> flux repository </h3> <p>Now, we need to create a <code>flux.GitRepository</code> for manifests in <code>clusters</code> repository <strong>and</strong> manifests from the <code>bases</code> repository created in the step before. To do that, we are going to use the <a href="https://fluxcd.io/docs/components/source/gitrepositories/#include" rel="noopener noreferrer"><code>include</code> feature</a> from FluxCD:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">source.toolkit.fluxcd.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repository</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-base-dev</span> <span class="na">fromPath</span><span class="pi">:</span> <span class="s">podinfo/base</span> <span class="na">toPath</span><span class="pi">:</span> <span class="s">base</span> <span class="na">ref</span><span class="pi">:</span> <span class="na">branch</span><span class="pi">:</span> <span class="s">gke</span> <span class="na">url</span><span class="pi">:</span> <span class="s">ssh://git@gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> </code></pre> </div> <p>The important part is the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spec</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repository</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-base-dev</span> <span class="c1"># &lt;1&gt;</span> <span class="na">fromPath</span><span class="pi">:</span> <span class="s">podinfo/base</span> <span class="c1"># &lt;2&gt;</span> <span class="na">toPath</span><span class="pi">:</span> <span class="s">base</span> <span class="c1"># &lt;3&gt;</span> </code></pre> </div> <p>This means the folder <code>podinfo/base</code> (<strong>2</strong>) previously defined in the <code>podinfo-base-dev</code> <code>flux.GitRepository</code> (<strong>1</strong>) will be injected in the path <code>base</code> (<strong>3</strong>) of the current <code>podinfo-dev</code> <code>flux.GitRepository</code> during FluxCD reconciliation… making all <code>resources</code> and <code>components</code> available.</p> <h3> <code>podinfo-dev</code> flux Kustomization </h3> <p>This one is the standard <code>flux.Kustomization</code> you would use in any case. This one is just using the composite <code>flux.GitRepository</code> from the previous step as source (<code>spec.sourceRef</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.toolkit.fluxcd.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-dev</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">suspend</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10m0s</span> <span class="na">path</span><span class="pi">:</span> <span class="s">podinfo-dev</span> <span class="c1"># file path in the &lt;clusters&gt; repository </span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">sourceRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-dev</span> <span class="na">validation</span><span class="pi">:</span> <span class="s">client</span> </code></pre> </div> <p>If we deploy all those files (you can put them in <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters/-/blob/gke/fluxcd/podinfo-dev.yaml" rel="noopener noreferrer">the same one</a>), you will see your application deployed by FluxCD with your <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters/-/tree/gke/podinfo-dev" rel="noopener noreferrer">provided custom configuration</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ kubectl get all <span class="nt">-n</span> podinfo-dev NAME READY STATUS RESTARTS AGE pod/redis-869ff7c78b-jjbbk 1/1 Running 0 103m pod/podinfo-6dbf56d6d7-ctxxr 1/1 Running 0 103m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/podinfo ClusterIP 10.43.115.207 &lt;none&gt; 9898/TCP,9999/TCP 103m service/redis ClusterIP 10.43.192.84 &lt;none&gt; 6379/TCP 103m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/redis 1/1 1 1 103m deployment.apps/podinfo 1/1 1 1 103m NAME DESIRED CURRENT READY AGE replicaset.apps/redis-869ff7c78b 1 1 1 103m replicaset.apps/podinfo-6dbf56d6d7 1 1 1 103m </code></pre> </div> <h2> Publish PodInfo to <code>prod</code> </h2> <p>Now, we want to use again the same <code>base</code> this time for a production environment.</p> <p>Because we want something relatively stable, we chose to define <code>spec.ref.tag</code> to a specific tag in the <code>bases</code> repository (instead of the <code>podinfo</code> branch).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">source.toolkit.fluxcd.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GitRepository</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">podinfo-base-prod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">flux-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">ref</span><span class="pi">:</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">podinfo-1.0</span> <span class="na">url</span><span class="pi">:</span> <span class="s">ssh://git@gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/bases</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">flux-system</span> </code></pre> </div> <p>All others <code>flux.Kustomization</code> and <code>flux.GitRepository</code> are <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters/-/blob/gke/fluxcd/podinfo-prod.yaml" rel="noopener noreferrer">the same</a>.</p> <p>Because we are in production, we also want to enable different modules, here the <code>HorizontalPodAutoscaler</code>. So we have a different <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base/clusters/-/blob/gke/podinfo-prod/kustomization.yaml" rel="noopener noreferrer"><code>kustomization.yaml</code></a>. Thanks to the full control we have over the <code>kustomization.yaml</code> per environment, we can modify this only in production 😍.</p> <p>Once everything is published and FluxCD reconciliation is OK, we have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ kubectl get all <span class="nt">-n</span> podinfo-prod NAME READY STATUS RESTARTS AGE pod/redis-869ff7c78b-lnll5 1/1 Running 0 113m pod/podinfo-6dbf56d6d7-k8rjl 1/1 Running 0 113m pod/podinfo-6dbf56d6d7-qldr8 1/1 Running 0 113m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/podinfo ClusterIP 10.43.109.213 &lt;none&gt; 9898/TCP,9999/TCP 113m service/redis ClusterIP 10.43.252.54 &lt;none&gt; 6379/TCP 113m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/redis 1/1 1 1 113m deployment.apps/podinfo 2/2 2 2 113m NAME DESIRED CURRENT READY AGE replicaset.apps/redis-869ff7c78b 1 1 1 113m replicaset.apps/podinfo-6dbf56d6d7 2 2 2 113m NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE horizontalpodautoscaler.autoscaling/podinfo Deployment/podinfo 4%/99% 2 4 2 113m </code></pre> </div> <h2> Conclusion </h2> <p>It was tough, with many <code>yaml</code> but we have achieved our original goal. Being able to publish bare manifests in a central place and allow other team / people to consume them instantaneously with all features available in Kustomize.<br> We are then able to enjoy all the feature of a GitOps model with a dedicated (<code>yaml</code>) registry, like <code>helm</code> already have 😇.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8jpxcjoo57lqh0odlfbj.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8jpxcjoo57lqh0odlfbj.jpg" alt="light after the article…"></a></p> <p>There is some follow-up improvements to come, like OCI registries (announced in <a href="https://fluxcd.io/blog/2022/08/july-2022-update/" rel="noopener noreferrer">FluxCD 0.32</a>), to replace <code>flux.GitRepository</code>. We still need <a href="https://github.com/fluxcd/source-controller/issues/854" rel="noopener noreferrer">this issue</a> to be solved to be able to use it with all features provided by Kustomize.</p> <p>In a more distant future, some other solution like <a href="https://kpt.dev/guides/porch-user-guide" rel="noopener noreferrer">porch</a> could be a good candidate to simplify again our deployment strategy… but it is currently in <code>alpha</code> stage.</p> <p>I hope you liked this article, you can find <a href="https://gitlab.com/davinkevin.fr/articles/flux-and-kustomize-remote-base" rel="noopener noreferrer">all resources used in GitLab</a>, and you can reproduce it in your own cluster! If you have any questions, don't hesitate to comment or ping me on twitter <a href="https://twitter.com/davinkevin" rel="noopener noreferrer">@davinkevin</a></p> kubernetes devops kustomize fluxcd Kevin Davin Fri, 04 Jun 2021 11:40:28 +0000 https://dev.to/stack-labs/scaling-keycloak-on-distroless-into-kubernetes-fj3 https://dev.to/stack-labs/scaling-keycloak-on-distroless-into-kubernetes-fj3 <p>In the two previous articles, we discovered how to <strong>build</strong> and <strong>run</strong> <strong>Keycloak</strong> with a <strong>Distroless</strong> base image in a <strong>Kubernetes</strong> cluster. The previously seen configuration was Ok for one instance, but the <strong>clustering</strong> capabilities of <strong>Keycloak</strong> was not used, which can cause some <strong>problems</strong>. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkv5ulw03zn6qnihvfive.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkv5ulw03zn6qnihvfive.jpeg" alt="clustering" width="800" height="533"></a></p> <p><strong>Keycloak</strong> has a built-in clustering mode, based on <strong>Wildfly</strong> &amp; <strong>Infinispan</strong>. To activate it, some <strong>start-up</strong> scripts are using <strong>environment values</strong> to set up everything for you… and of course, those scripts are <code>bash</code> based, not compatible with our <em>version</em> of <strong>Keycloak</strong>. Here, we will see how to configure this and deploy it to <strong>Kubernetes</strong></p> <h1> <code>standalone-ha.xml</code> extraction </h1> <p>We will use the same strategy seen before to generate the <code>standalone-ha.xml</code>, by running the official image with parameters we want to use and extract the file with <code>docker cp</code> command line. Let's see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In the first shell</span> <span class="c"># Creation of a docker network</span> first-shell<span class="nv">$ </span>docker network create keycloak-network 4da77163731b584bef2c6d0b00386b9d62e31fa216204c6c6795f66e109ba1a6 <span class="c"># Launching PostgreSQL linked to the network previously created</span> first-shell<span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-d</span> <span class="nt">--name</span> postgres <span class="nt">--net</span> keycloak-network <span class="se">\</span> <span class="nt">-e</span> <span class="nv">POSTGRES_DB</span><span class="o">=</span>keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">POSTGRES_USER</span><span class="o">=</span>keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">POSTGRES_PASSWORD</span><span class="o">=</span>password postgres 229816da42707e772542f1b089c616a2333a6fbe1aea2be7efe658d6f2c934a1 first-shell<span class="nv">$ </span>docker run <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">--name</span> keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_ADDR</span><span class="o">=</span>postgres <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_USER</span><span class="o">=</span>keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PASSWORD</span><span class="o">=</span>password <span class="se">\</span> <span class="nt">-e</span> <span class="nv">KEYCLOAK_USER</span><span class="o">=</span>foo <span class="se">\</span> <span class="nt">-e</span> <span class="nv">KEYCLOAK_PASSWORD</span><span class="o">=</span>bar <span class="se">\</span> <span class="nt">-e</span> <span class="nv">JGROUPS_DISCOVERY_PROTOCOL</span><span class="o">=</span><span class="s2">"dns.DNS_PING"</span> <span class="se">\</span> <span class="nt">-e</span> <span class="nv">JGROUPS_TRANSPORT_STACK</span><span class="o">=</span>tcp <span class="se">\</span> <span class="nt">-e</span> <span class="nv">JGROUPS_DISCOVERY_PROPERTIES</span><span class="o">=</span><span class="s2">"dns_query=keycloak-headless"</span> <span class="se">\</span> <span class="nt">--net</span> keycloak-network jboss/keycloak:13.0.1 <span class="o">=========================================================================</span> Using PostgreSQL database <span class="o">=========================================================================</span> 19:15:45,322 INFO <span class="o">[</span>org.jboss.modules] <span class="o">(</span>CLI <span class="nb">command </span>executor<span class="o">)</span> JBoss Modules version 1.11.0.Final 19:15:45,389 INFO <span class="o">[</span>org.jboss.msc] <span class="o">(</span>CLI <span class="nb">command </span>executor<span class="o">)</span> JBoss MSC version 1.4.12.Final 19:15:45,399 INFO <span class="o">[</span>org.jboss.threads] <span class="o">(</span>CLI <span class="nb">command </span>executor<span class="o">)</span> JBoss Threads version 2.4.0.Final 19:15:45,542 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>MSC service thread 1-2<span class="o">)</span> WFLYSRV0049: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> starting ... 19:16:23,596 INFO <span class="o">[</span>org.jboss.as.server] <span class="o">(</span>ServerService Thread Pool <span class="nt">--</span> 46<span class="o">)</span> WFLYSRV0010: Deployed <span class="s2">"keycloak-server.war"</span> <span class="o">(</span>runtime-name : <span class="s2">"keycloak-server.war"</span><span class="o">)</span> 19:16:23,671 INFO <span class="o">[</span>org.jboss.as.server] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0212: Resuming server 19:16:23,679 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0025: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> started <span class="k">in </span>25820ms - Started 692 of 978 services <span class="o">(</span>686 services are lazy, passive or on-demand<span class="o">)</span> 19:16:23,685 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 19:16:23,686 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 </code></pre> </div> <p>You can see we add some extra parameters for the <strong>clustering mode</strong>, based on <code>JGROUPS</code>. Some details are in the <a href="https://hub.docker.com/r/jboss/keycloak/" rel="noopener noreferrer">docker official documentation</a> but you will find more in the <a href="https://www.keycloak.org/docs/latest/server_installation/#_clustering" rel="noopener noreferrer">keycloak server installation documentation</a>. </p> <p>The simplest solution to set up cluster mode in a <strong>Kubernetes</strong> environment is to use <code>DNS_PING</code> over <code>TCP</code>. This is why we defined the following environment values in the previous <code>shell</code> example:</p> <ul> <li> <code>JGROUPS_DISCOVERY_PROTOCOL="dns.DNS_PING"</code> to activate <code>DNS_PING</code>.</li> <li> <code>JGROUPS_TRANSPORT_STACK=tcp</code> to activate clustering over <code>TCP</code>.</li> <li> <code>JGROUPS_DISCOVERY_PROPERTIES="dns_query=keycloak-headless"</code> to provide a way to find other instance (we will describe it in the next paragraph).</li> </ul> <p>Then, in another shell, we will <strong>steal</strong> again the <code>standalone-ha.xml</code>.</p> <p><strong>NOTE</strong>: In the previous article, we were targeting the <code>standalone.xml</code>, the <code>HA</code> version contains a more robust configuration for our use case in a cluster mode.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>second-shell<span class="nv">$ </span>docker <span class="nb">cp </span>keycloak:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml <span class="nb">.</span> second-shell<span class="nv">$ </span><span class="nb">ls </span>standalone-ha.xml <span class="c"># We can now stop the keycloak container</span> second-shell<span class="nv">$ </span>docker stop keycloak keycloak second-shell<span class="err">$</span> </code></pre> </div> <p><strong>NOTE</strong>: If you want to set up other parameters, you can use this method for almost everything 🤩.</p> <p>If we look into the <code>standalone-ha.xml</code> file, we can see an important configuration for our clustering mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="c">&lt;!-- standalone-ha.xml --&gt;</span> <span class="nt">&lt;subsystem</span> <span class="na">xmlns=</span><span class="s">"urn:jboss:domain:jgroups:8.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;channels</span> <span class="na">default=</span><span class="s">"ee"</span><span class="nt">&gt;</span> <span class="nt">&lt;channel</span> <span class="na">name=</span><span class="s">"ee"</span> <span class="na">stack=</span><span class="s">"tcp"</span> <span class="na">cluster=</span><span class="s">"ejb"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/channels&gt;</span> <span class="nt">&lt;stacks&gt;</span> <span class="nt">&lt;stack</span> <span class="na">name=</span><span class="s">"tcp"</span><span class="nt">&gt;</span> <span class="nt">&lt;transport</span> <span class="na">type=</span><span class="s">"TCP"</span> <span class="na">socket-binding=</span><span class="s">"jgroups-tcp"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"dns.DNS_PING"</span><span class="nt">&gt;</span> <span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"dns_query"</span><span class="nt">&gt;</span>keycloak-headless<span class="nt">&lt;/property&gt;</span> <span class="nt">&lt;/protocol&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"MERGE3"</span><span class="nt">/&gt;</span> <span class="nt">&lt;socket-protocol</span> <span class="na">type=</span><span class="s">"FD_SOCK"</span> <span class="na">socket-binding=</span><span class="s">"jgroups-tcp-fd"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"FD_ALL"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"VERIFY_SUSPECT"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"pbcast.NAKACK2"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"UNICAST3"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"pbcast.STABLE"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"pbcast.GMS"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"MFC"</span><span class="nt">/&gt;</span> <span class="nt">&lt;protocol</span> <span class="na">type=</span><span class="s">"FRAG3"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/stack&gt;</span> <span class="nt">&lt;/stacks&gt;</span> <span class="nt">&lt;/subsystem&gt;</span> </code></pre> </div> <p>This file will configure <strong>Keycloak</strong> to find other instances through the <code>DNS_PING</code> protocol. In fact, <strong>Keycloak</strong> will forge a DNS request to find IPs behind the domain name <code>keycloak-headless</code>… easy as pie!</p> <h1> Kubernetes deployment </h1> <p>Keycloak is ready for clustering mode, but we have to adapt our <strong>deployment</strong> to allow this specific configuration where each instance can communicate to each other. </p> <p>The first modification is at <strong>deployment</strong> level, to expose some extra ports dedicated to instance-to-instance communication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">ports</span><span class="pi">:</span> <span class="c1"># Standard HTTP port used by keycloak</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="c1"># Port used by Jgroups to communicate</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">7600</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>To work well, <strong>Jgroups</strong> has to be bound to the Pod IP. In <strong>Kubernetes</strong> world, we usually don't know the Pod IP in advance, so we will have to inject the Pod IP in the <strong>deployment</strong> and use it in the <code>args</code> part, like below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-D[Standalone]"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-server"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Xms64m"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Xmx512m"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-XX:MetaspaceSize=96M"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-XX:MaxMetaspaceSize=256m"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djava.net.preferIPv4Stack=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djboss.modules.system.pkgs=org.jboss.byteman"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djava.awt.headless=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--add-exports=java.base/sun.nio.ch=ALL-UNNAMED"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-jar"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/opt/jboss/keycloak/jboss-modules.jar"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-mp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/opt/jboss/keycloak/modules"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">org.jboss.as.standalone"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djboss.home.dir=/opt/jboss/keycloak"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djboss.server.base.dir=/opt/jboss/keycloak/standalone"</span> <span class="c1"># Note we have changed the command here to use the standalone-ha.xml file</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-c=standalone-ha.xml"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-b=0.0.0.0"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-bprivate=0.0.0.0"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-bmanagement=0.0.0.0"</span> <span class="c1"># Thanks to the Kubernetes interpolation, we are able to launch the app</span> <span class="c1"># with a custom parameter for each pods. </span> <span class="pi">-</span> <span class="s1">'</span><span class="s">-Djgroups.bind_addr=$(HOST_IP)'</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># the HOST_IP environment value is populated by Kubernetes with </span> <span class="c1"># the current Pod IP coming from `status.podIP`.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">HOST_IP</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">status.podIP</span> </code></pre> </div> <p>With those modifications, <strong>Keycloak</strong> will be able to work in cluster mode… but it won't be able to find any other instances 😔. We have to add a way to discover other instances 💇‍♀️! </p> <h1> Headless Service to the rescue! </h1> <p>In <strong>Kubernetes</strong>, usually we are using <strong>Service</strong> to expose one domain name with multiple instances of an application behind it. In our case, we want to be able to fetch every IPs behind a domain name, and this is what <a href="https://kubernetes.io/docs/concepts/services-networking/service/#headless-services" rel="noopener noreferrer"><strong>Headless Service</strong></a> is for!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak-headless</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># Important parameter to discover every instance even before its complete startup</span> <span class="na">publishNotReadyAddresses</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ping</span> <span class="na">port</span><span class="pi">:</span> <span class="m">7600</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">7600</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">keycloak</span> </code></pre> </div> <p>Thanks to this, every <strong>DNS</strong> query made by <strong>Jgroups</strong> on the domaine <code>keycloak-headless</code> will result to the complete list of <strong>Keycloak</strong> pod IPs in namespace!</p> <h1> Demo time! </h1> <p>We will deploy and scale our keycloak application and see clustering mode in action. The <code>kustomization.yaml</code> is similar to version in the second part of this series:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">keycloak.yaml</span> <span class="pi">-</span> <span class="s">database.yaml</span> <span class="na">configMapGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">standalone-ha.xml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">user=keycloak</span> <span class="pi">-</span> <span class="s">name=keycloak</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">password=sPCwZjuq8CMvrBn7</span> </code></pre> </div> <p>When we deploy it, we will have the following result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-k</span> <span class="nb">.</span> configmap/database-56h9f7gfdh created configmap/keycloak-k97c6gkct6 created secret/database-8g8gk22d26 created service/database created service/keycloak-headless created service/keycloak created deployment.apps/database created deployment.apps/keycloak created <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE database-5dcc69b7b6-m48h9 1/1 Running 0 7s keycloak-7f5f7bd8c6-7s2br 0/1 Running 0 7s <span class="c"># After few seconds…</span> <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE database-5dcc69b7b6-m48h9 1/1 Running 0 67s keycloak-7f5f7bd8c6-7s2br 1/1 Running 0 67s </code></pre> </div> <p>If we look at the <strong>Keycloak</strong> logs, everything looks good. We can scale it up and see if <strong>clustering</strong> mode do its job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl scale deploy/keycloak <span class="nt">--replicas</span><span class="o">=</span>2 deployment.apps/keycloak scaled </code></pre> </div> <p>Now, in the log of the previously running instance, we can see the following messages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl logs keycloak-7f5f7bd8c6-7s2br 20:05:51,480 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-19,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>actionTokens] ISPN100009: Advancing to rebalance phase READ_NEW_WRITE_ALL, topology <span class="nb">id </span>10 20:05:51,480 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-27,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>offlineSessions] ISPN100009: Advancing to rebalance phase READ_NEW_WRITE_ALL, topology <span class="nb">id </span>10 20:05:51,480 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-28,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>authenticationSessions] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 20:05:51,482 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-12,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>offlineClientSessions] ISPN100009: Advancing to rebalance phase READ_NEW_WRITE_ALL, topology <span class="nb">id </span>10 20:05:51,471 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-25,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>clientSessions] ISPN100009: Advancing to rebalance phase READ_ALL_WRITE_ALL, topology <span class="nb">id </span>9 20:05:51,486 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>non-blocking-thread--p6-t2<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>sessions] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 20:05:51,493 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>non-blocking-thread--p6-t2<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>offlineSessions] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 20:05:51,493 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>non-blocking-thread--p6-t1<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>loginFailures] ISPN100009: Advancing to rebalance phase READ_NEW_WRITE_ALL, topology <span class="nb">id </span>10 20:05:51,499 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>non-blocking-thread--p6-t1<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>actionTokens] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 20:05:51,503 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-28,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>offlineClientSessions] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 20:05:51,506 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>non-blocking-thread--p6-t2<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>clientSessions] ISPN100009: Advancing to rebalance phase READ_NEW_WRITE_ALL, topology <span class="nb">id </span>10 20:05:51,512 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>non-blocking-thread--p6-t2<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>loginFailures] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 20:05:51,522 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-28,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> <span class="o">[</span><span class="nv">Context</span><span class="o">=</span>clientSessions] ISPN100010: Finished rebalance with members <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br, keycloak-7f5f7bd8c6-dbfxh], topology <span class="nb">id </span>11 </code></pre> </div> <p>We can see the successful operation made by <strong>Infinispan</strong> to communicate between instances. In the log we found the name of our current pod <code>keycloak-7f5f7bd8c6-7s2br</code> and the name of the new one created through the <code>scale</code> command <code>keycloak-7f5f7bd8c6-dbfxh</code>. If we scale it back to <code>1</code> instance, new logs will be available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl logs keycloak-7f5f7bd8c6-7s2br 20:10:28,787 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-34,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> ISPN100001: Node keycloak-7f5f7bd8c6-dbfxh left the cluster 20:10:28,790 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-34,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> ISPN000094: Received new cluster view <span class="k">for </span>channel ejb: <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br|4] <span class="o">(</span>1<span class="o">)</span> <span class="o">[</span>keycloak-7f5f7bd8c6-7s2br] 20:10:28,791 INFO <span class="o">[</span>org.infinispan.CLUSTER] <span class="o">(</span>thread-34,ejb,keycloak-7f5f7bd8c6-7s2br<span class="o">)</span> ISPN100001: Node keycloak-7f5f7bd8c6-dbfxh left the cluster </code></pre> </div> <p>And <strong>Voila</strong>!</p> <h1> Conclusion </h1> <p>This ends this 3-part article on <strong>Keycloak</strong>, <strong>Distroless</strong> and <strong>Kubernetes</strong>. You are now able to deploy a rock-solid, less vulnerable and scalable instance of <strong>Keycloak</strong> in your own cluster 🚀. </p> <p>I hope you enjoyed it as mush as I enjoyed writing this article and share this experience about <strong>Keycloak</strong> configuration. You can find all the sample files from this article in this <strong>GitLab</strong> repository: <a href="https://gitlab.com/davinkevin/keycloak-distroless" rel="noopener noreferrer">davinkevin/keycloak-distroless</a>.</p> keycloak kubernetes security docker Kevin Davin Tue, 01 Jun 2021 09:14:27 +0000 https://dev.to/stack-labs/keycloak-on-distroless-into-kubernetes-f5g https://dev.to/stack-labs/keycloak-on-distroless-into-kubernetes-f5g <p>In the previous article, we've seen how to <strong>build</strong> and <strong>run</strong> a <strong>Keycloak</strong> application based on <strong>Distroless</strong> base image. However, this article only used <strong>Docker</strong> to launch containers, and you mostly use an orchestrator to do that. In this article, we will see how to run our previously created image in a <strong>Kubernetes</strong> cluster. </p> <h1> Challenges </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folt1rwsnvjbs440k3b80.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folt1rwsnvjbs440k3b80.jpeg" alt="lots of challenges" width="800" height="535"></a></p> <p>Using a <strong>Keycloak</strong> image based on <strong>Distroless</strong> requires some adaptation:</p> <ul> <li>Launching the application require a specific command</li> <li>Stopping the application require a specific command</li> <li>Probes should be defined </li> <li>Database connection should be provided via env variables</li> <li>Configuration file should be mounted by the orchestrator</li> </ul> <h2> Database </h2> <p>Before doing some configuration, we will "install" a PostgreSQL instance inside our cluster. This will be done with this <em>manifest</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># database.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">database</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pg-port</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">database</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">database</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">database</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:13.3-alpine</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_USER</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">key</span><span class="pi">:</span> <span class="s">user</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">key</span><span class="pi">:</span> <span class="s">password</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_DB</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">key</span><span class="pi">:</span> <span class="s">name</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">preStop</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">su - postgres -c "pg_ctl stop -m fast"</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">exec pg_isready -U $POSTGRES_USER -d $POSTGRES_DB -h 127.1 -p </span><span class="m">5432</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="s">-e</span> <span class="pi">-</span> <span class="s">exec pg_isready -U $POSTGRES_USER -d $POSTGRES_DB -h 127.1 -p </span><span class="m">5432</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pg-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p><strong>NOTE</strong>: This manifest is some kind of <code>hello-world</code> at PostgreSQL level and <strong>SHOULD NOT</strong> be used for production… because it doesn't manage any state. Every data will be lost if the pod restart. This is just for this example.</p> <h2> Launching Keycloak </h2> <p>In the previous step, we fetched the <code>java</code> command used to launched <strong>Keycloak</strong>. We will reuse it, in the <strong>Kubernetes</strong> manifest. For information, the command was:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>java '-D[Standalone]' -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED -Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log -Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties -jar /opt/jboss/keycloak/jboss-modules.jar -mp /opt/jboss/keycloak/modules org.jboss.as.standalone -Djboss.home.dir=/opt/jboss/keycloak -Djboss.server.base.dir=/opt/jboss/keycloak/standalone -Djboss.bind.address=172.17.0.2 -Djboss.bind.address.private=172.17.0.2 -c=standalone-ha.xml </code></pre> </div> <p>We will set <code>$.spec.template.spec.containers[0].command</code> and <code>$.spec.template.spec.containers[0].args</code> to the previously used <code>ENTRYPOINT</code> in the <code>Dockerfile</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># keycloak.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="c1"># We define Java as the main command of the image.</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">java"</span> <span class="pi">]</span> <span class="c1"># We put back all the parameters from the previous step.</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-D[Standalone]"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-server"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Xms64m"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Xmx512m"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-XX:MetaspaceSize=96M"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-XX:MaxMetaspaceSize=256m"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djava.net.preferIPv4Stack=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djboss.modules.system.pkgs=org.jboss.byteman"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djava.awt.headless=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--add-exports=java.base/sun.nio.ch=ALL-UNNAMED"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-jar"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/opt/jboss/keycloak/jboss-modules.jar"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-mp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/opt/jboss/keycloak/modules"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">org.jboss.as.standalone"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djboss.home.dir=/opt/jboss/keycloak"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-Djboss.server.base.dir=/opt/jboss/keycloak/standalone"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-c=standalone.xml"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-b=0.0.0.0"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-bprivate=0.0.0.0"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-bmanagement=0.0.0.0"</span> </code></pre> </div> <p><strong>NOTE</strong>: Like previously, the parameter <strong>can</strong> and <strong>should</strong> be adapted to your needs, for performance and security reasons. </p> <h2> Providing configuration to Keycloak </h2> <p>Another part of the Keycloak configuration is the <code>standalone.xml</code>. Our goal here will be to mount the file inside the running container, at the right place, to be used as source of configuration at boot time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># keycloak.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># We declare a volume containing the configuration of keycloak</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak-config</span> <span class="c1"># The configMap targeted here will be declared in the next step of the article</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="c1"># And then, we mount the file from the previously seen volume at the </span> <span class="c1"># location where keycloak want to find it… </span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/jboss/keycloak/standalone/configuration/standalone.xml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">standalone.xml</span> </code></pre> </div> <h2> Probes </h2> <p>In <strong>Kubernetes</strong> world, the orchestrator needs to know when the system is <strong>live</strong> and <strong>ready</strong>. For this, we have to define some <strong>liveness</strong> and <strong>readyness</strong> probes allowing <strong>Kubernetes</strong> to act and react to problem with <strong>Keycloak</strong> if required. Again, this is just some values in our manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># keycloak.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="c1"># Liveness, if in error, keycloak will be restarted</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/auth/</span> <span class="na">port</span><span class="pi">:</span> <span class="s">http</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Readiness, if in success, traffic will be routed to this pod</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/auth/realms/master</span> <span class="na">port</span><span class="pi">:</span> <span class="s">http</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <p><strong>NOTE</strong>: RedHat team will introduce more advanced and precise <code>liveness</code> and <code>readyness</code> probes in future version of Keycloak 😇.</p> <h2> Lifecycle Pre-Stop Command </h2> <p>To gracefully shutdown <strong>Keycloak</strong>, we usually have to execute a specific shell script. In our case, without any shell, this will be problematic… like for <code>ENTRYPOINT</code>, we will extract the <code>java</code> command from the shell script and use it in our manifest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># We launch the keycloak original image and launch a bash inside it</span> <span class="nv">$ </span>docker run <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">--entrypoint</span><span class="o">=</span>bash jboss/keycloak:13.0.1 <span class="c"># We use our magic trick to see commands executed by the jboss-cli.sh we will use</span> bash-4.4<span class="nv">$ </span><span class="nb">awk</span> <span class="nt">-i</span> inplace <span class="s1">'NR==2 {print "set -x"} 1'</span> /opt/jboss/keycloak/bin/jboss-cli.sh <span class="c"># Finally, we launch the script with parameters we want to execute in our pre-hook</span> bash-4.4<span class="nv">$ </span>/opt/jboss/keycloak/bin/jboss-cli.sh <span class="nt">--connect</span> <span class="nb">command</span><span class="o">=</span>:shutdown <span class="nt">--timeout</span><span class="o">=</span>20 ++ <span class="nb">dirname</span> /opt/jboss/keycloak/bin/jboss-cli.sh + <span class="nv">DIRNAME</span><span class="o">=</span>/opt/jboss/keycloak/bin + <span class="nv">GREP</span><span class="o">=</span><span class="nb">grep</span> + <span class="nb">.</span> /opt/jboss/keycloak/bin/common.sh ++ <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> ++ <span class="nv">COMMON_CONF</span><span class="o">=</span>/opt/jboss/keycloak/bin/common.conf ++ <span class="s1">'['</span> <span class="nt">-r</span> /opt/jboss/keycloak/bin/common.conf <span class="s1">']'</span> + <span class="nv">cygwin</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">darwin</span><span class="o">=</span><span class="nb">false</span> + <span class="k">case</span> <span class="s2">"</span><span class="sb">`</span><span class="nb">uname</span><span class="sb">`</span><span class="s2">"</span> <span class="k">in</span> ++ <span class="nb">uname</span> + <span class="nb">false</span> ++ <span class="nb">cd</span> /opt/jboss/keycloak/bin/.. ++ <span class="nb">pwd</span> + <span class="nv">RESOLVED_JBOSS_HOME</span><span class="o">=</span>/opt/jboss/keycloak + <span class="s1">'['</span> x/opt/jboss/keycloak <span class="o">=</span> x <span class="s1">']'</span> ++ <span class="nb">cd</span> /opt/jboss/keycloak ++ <span class="nb">pwd</span> + <span class="nv">SANITIZED_JBOSS_HOME</span><span class="o">=</span>/opt/jboss/keycloak + <span class="s1">'['</span> /opt/jboss/keycloak <span class="s1">'!='</span> /opt/jboss/keycloak <span class="s1">']'</span> + <span class="nb">export </span>JBOSS_HOME + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">JBOSS_MODULEPATH</span><span class="o">=</span>/opt/jboss/keycloak/modules + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="nv">JAVA</span><span class="o">=</span>java + setDefaultModularJvmOptions + setModularJdk + java <span class="nt">--add-modules</span><span class="o">=</span>java.se <span class="nt">-version</span> + <span class="nv">MODULAR_JDK</span><span class="o">=</span><span class="nb">true</span> + <span class="s1">'['</span> <span class="nb">true</span> <span class="o">=</span> <span class="nb">true</span> <span class="s1">']'</span> ++ <span class="nb">echo</span> ++ <span class="nb">grep</span> <span class="s1">'\-\-add\-modules'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span> + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> + <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> + <span class="nb">false</span> + <span class="nb">false</span> + <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED -Djboss.modules.system.pkgs=com.sun.java.swing'</span> + <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED -Djboss.modules.system.pkgs=com.sun.java.swing -Dcom.ibm.jsse2.overrideDefaultTLS=true'</span> ++ <span class="nb">eval echo</span> <span class="s1">'"/opt/jboss/keycloak/modules"'</span> +++ <span class="nb">echo</span> /opt/jboss/keycloak/modules + <span class="nv">JBOSS_MODULEPATH</span><span class="o">=</span>/opt/jboss/keycloak/modules ++ <span class="nb">echo</span> <span class="nt">--add-exports</span><span class="o">=</span>java.base/sun.nio.ch<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.misc<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.reflect<span class="o">=</span>ALL-UNNAMED <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>com.sun.java.swing <span class="nt">-Dcom</span>.ibm.jsse2.overrideDefaultTLS<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">grep </span>logging.configuration + <span class="nv">LOG_CONF</span><span class="o">=</span> + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nb">exec </span>java <span class="nt">--add-exports</span><span class="o">=</span>java.base/sun.nio.ch<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.misc<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.reflect<span class="o">=</span>ALL-UNNAMED <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>com.sun.java.swing <span class="nt">-Dcom</span>.ibm.jsse2.overrideDefaultTLS<span class="o">=</span><span class="nb">true</span> <span class="nt">-Dlogging</span>.configuration<span class="o">=</span>file:/opt/jboss/keycloak/bin/jboss-cli-logging.properties <span class="nt">-jar</span> /opt/jboss/keycloak/jboss-modules.jar <span class="nt">-mp</span> /opt/jboss/keycloak/modules org.jboss.as.cli <span class="nt">--connect</span> <span class="nb">command</span><span class="o">=</span>:shutdown <span class="nt">--timeout</span><span class="o">=</span>20 Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: Connection refused </code></pre> </div> <p>The execution ends in error, which is normal because, in this case, no Keycloak instance are running. The <code>java</code> command is displayed, starting with <code>+ exec java</code>. All of this can be moved into our <strong>yaml</strong> manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">preStop</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">java"</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--add-exports=java.base/sun.nio.ch=ALL-UNNAMED'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">-Djboss.modules.system.pkgs=com.sun.java.swing'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">-Dcom.ibm.jsse2.overrideDefaultTLS=true'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">-Dlogging.configuration=file:/opt/jboss/keycloak/bin/jboss-cli-logging.properties'</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-jar"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/opt/jboss/keycloak/jboss-modules.jar"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-mp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/opt/jboss/keycloak/modules"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">org.jboss.as.cli"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--connect"</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--commands=shutdown</span><span class="nv"> </span><span class="s">--timeout=20'</span> </code></pre> </div> <h2> Environment Configuration </h2> <p>Finally, we have to provide all the configuration to <strong>Keycloak</strong>. Until now, we only define <strong>how</strong> the value will be linked but not <strong>which</strong> value at all. To do that, we will first include some environment values into the Keycloak manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_ADDR</span> <span class="na">value</span><span class="pi">:</span> <span class="s">database</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_DATABASE</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">key</span><span class="pi">:</span> <span class="s">name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_USER</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">key</span><span class="pi">:</span> <span class="s">user</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">key</span><span class="pi">:</span> <span class="s">password</span> </code></pre> </div> <p>Here, we are mainly targeting values required for database connection. To provide it to the deployment, we will use a <code>kustomization.yaml</code> file. It will gather every manifests presented until now and add concret values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kustomization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="c1"># Install everything in the kubernetes namespace named Keycloak</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="c1"># Load both keycloak.yaml and database.yaml</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">keycloak.yaml</span> <span class="pi">-</span> <span class="s">database.yaml</span> <span class="c1"># Generate two ConfigMap</span> <span class="na">configMapGenerator</span><span class="pi">:</span> <span class="c1"># One for Keycloak, containing the standalone.xml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">standalone.xml</span> <span class="c1"># One for database, containing user and name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">user=keycloak</span> <span class="pi">-</span> <span class="s">name=keycloak</span> <span class="c1"># Generate a Secret</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="c1"># For the database, containing just the password of the database</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">password=sPCwZjuq8CMvrBn7</span> </code></pre> </div> <p><strong>NOTE</strong>: The password is here stored in clear, you can choose to use some tooling to encrypt the secret at git level (with <a href="https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-g0a"><code>SOPS</code></a>) or cluster level (with <a href="https://dev.to/stack-labs/store-your-kubernetes-secrets-in-git-thanks-to-kubeseal-hello-sealedsecret-2i6h"><code>SealedSecret</code></a>).</p> <h2> Deploying Keycloak </h2> <p>In this step, we will deploy our version of <strong>Keycloak</strong> in a <strong>Kubernetes</strong> Cluster. For this example, I choose to use <code>docker-for-mac</code> and its <strong>Kubernetes</strong> integration. You can, of course, use any <strong>Kubernetes</strong> distribution (Google Kubernetes Engine, Azure Kubernetes Service, Amazon Elastic Kubernetes Service…).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">ls </span>database.yaml keycloak.yaml kustomization.yaml standalone.xml <span class="c"># We deploy all the manifests</span> <span class="nv">$ </span>kubectl apply <span class="nt">-k</span> <span class="nb">.</span> configmap/database-56h9f7gfdh created configmap/keycloak-96k2tfg747 created secret/database-8g8gk22d26 created service/database created service/keycloak created deployment.apps/database created deployment.apps/keycloak created <span class="c"># We create a port-forward to the keycloak pod</span> <span class="nv">$ </span>kubectl <span class="nt">-n</span> keycloak port-forward pod/keycloak-567797b6bb-6vqvz 8080:8080 Forwarding from 127.0.0.1:8080 -&gt; 8080 Forwarding from <span class="o">[</span>::1]:8080 -&gt; 8080 </code></pre> </div> <p>To access it, we create a <code>port-forward</code> between my computer and the cluster. Thanks to that, I'm able to access the UI:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2y5wuyg2708ea054zczy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2y5wuyg2708ea054zczy.png" alt="creation-user" width="800" height="550"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ildfow8j87bsmrqplpz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ildfow8j87bsmrqplpz.png" alt="creation-user-in-progress" width="800" height="550"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F92fj38bjluyd2ghirtrj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F92fj38bjluyd2ghirtrj.png" alt="login" width="800" height="550"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2vomubefzab1darab7ny.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2vomubefzab1darab7ny.png" alt="keycloak ui" width="800" height="550"></a></p> <p>And <strong>Voila</strong>!</p> <h1> Conclusion </h1> <p>In this article, we've seen how to deploy our custom <strong>Keycloak</strong> based on <strong>Distroless Java</strong>. This is a challenging setup, but at the end we can use a more secure version of <strong>Keycloak</strong> without any <code>shell</code>, which prevent any attack using <code>shell</code> as a vector of code execution for example!</p> <p>I hope you liked it, you can find all the sample files from this article in this <strong>GitLab</strong> repository: <a href="https://gitlab.com/davinkevin/keycloak-distroless" rel="noopener noreferrer">davinkevin/keycloak-distroless</a>.</p> keycloak kubernetes security docker Kevin Davin Fri, 28 May 2021 06:04:52 +0000 https://dev.to/stack-labs/keycloak-on-distroless-12ng https://dev.to/stack-labs/keycloak-on-distroless-12ng <p><strong>⚠️</strong> This article has been written and tested on Keycloak v13 and is working with version until 16. For later version, using Quarkus based distribution (v17+), another article will be redacted.</p> <p><strong>Keycloak</strong> is a wonderful piece of software, managed with success by RedHat, to be used as an Identity and Access Management software. RedHat distribute it as a zip package to be run on a machine with a JVM installed or as a container. Nowadays, container is a simpler solution, especially if you are using an orchestrator like <a href="https://kubernetes.io/" rel="noopener noreferrer">Kubernetes</a>.</p> <p>The <strong>Keycloak</strong> image is available on the <a href="https://hub.docker.com/r/jboss/keycloak/" rel="noopener noreferrer">DockerHub</a> or <a href="https://quay.io/repository/keycloak/keycloak" rel="noopener noreferrer">Quay</a>. It provides an important level of configuration through environment variables, which is useful if you are not familiar with <strong>WildFly</strong> configuration. But, this solution has an important downside, especially for a tool dedicated to security… tags are not maintained at OS level over time and has many vulnerabilities.</p> <p>You can see below, a lot of vulnerabilities in the latest <strong>Keycloak</strong> image, especially at the OS level. In some case, you can't choose to rely on so many vulnerabilities and need to fix that, or at least reduce them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>trivy image jboss/keycloak:13.0.1 2021-05-26T19:23:14.416+0200 INFO Detected OS: redhat 2021-05-26T19:23:14.416+0200 INFO Detecting RHEL/CentOS vulnerabilities... 2021-05-26T19:23:14.432+0200 INFO Number of PL dependency files: 621 jboss/keycloak:13.0.1 <span class="o">(</span>redhat 8.4<span class="o">)</span> <span class="o">==================================</span> Total: 118 <span class="o">(</span>UNKNOWN: 0, LOW: 49, MEDIUM: 67, HIGH: 2, CRITICAL: 0<span class="o">)</span> ... </code></pre> </div> <p><strong>NOTE</strong>: Number of CVEs in an image evolves over time, so reports in this article can be way different if you run it by yourself.</p> <p>On one side, you can choose to upgrade every packages in the image manually, hoping a fix is available in the official CentOS registry. Another solution is to change the <em>base image</em> to something with less vulnerability like <a href="https://github.com/GoogleContainerTools/distroless" rel="noopener noreferrer">Google Distroless</a>. Those images only contain the runtime for your application and nothing less… no shell, no package manager, nothing… just your runtime. For <strong>Keycloak</strong>, we will use the <a href="https://github.com/GoogleContainerTools/distroless/tree/main/java" rel="noopener noreferrer">Distroless Java</a> image to sanitize our workload.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1qjax5xrl53le9h72piu.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1qjax5xrl53le9h72piu.jpeg" alt="Nothing in distroless" width="800" height="533"></a></p> <h1> Crafting the best Dockerfile possible </h1> <p>The original <strong>Keycloak</strong> image use a lot of <code>bash</code> scripts to configure the whole system. This is a good idea, but here, we don't have any shell in our <strong>Distroless</strong> base image, so we will have to extract the application, and the way to launch it from <strong>scratch</strong>.</p> <h2> Moving Keycloak into Distroless </h2> <p>If we analyse the <code>jboss/keycloak:13.0.1</code> image with <a href="https://github.com/wagoodman/dive" rel="noopener noreferrer">Dive</a>, we can see all <strong>Keycloak</strong> related files are stored into <code>/opt/jboss/</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9kyd201hv91x9uww7sku.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9kyd201hv91x9uww7sku.png" alt="dive" width="800" height="533"></a></p> <p>We will copy them into our distroless then, with the following <code>Dockerfile</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">jboss/keycloak:13.0.1</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">base</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/java:11-nonroot</span> <span class="k">COPY</span><span class="s"> --chown=nonroot:nonroot --from=base /opt/jboss /opt/jboss</span> </code></pre> </div> <p>The execution is pretty simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker build <span class="nt">-t</span> keycloak-distroless <span class="nb">.</span> <span class="o">[</span>+] Building 0.6s <span class="o">(</span>8/8<span class="o">)</span> FINISHED <span class="o">=&gt;</span> <span class="o">[</span>internal] load build definition from Dockerfile 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> transferring dockerfile: 37B 0.0s <span class="o">=&gt;</span> <span class="o">[</span>internal] load .dockerignore 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> transferring context: 2B 0.0s <span class="o">=&gt;</span> <span class="o">[</span>internal] load metadata <span class="k">for </span>gcr.io/distroless/java:11-nonroot 0.5s <span class="o">=&gt;</span> <span class="o">[</span>internal] load metadata <span class="k">for </span>docker.io/jboss/keycloak:13.0.1 0.0s <span class="o">=&gt;</span> <span class="o">[</span>base 1/1] FROM docker.io/jboss/keycloak:13.0.1 0.0s <span class="o">=&gt;</span> <span class="o">[</span>stage-1 1/2] FROM gcr.io/distroless/java:11-nonroot@sha256:07d017944 0.0s <span class="o">=&gt;</span> CACHED <span class="o">[</span>stage-1 2/2] COPY <span class="nt">--chown</span><span class="o">=</span>nonroot:nonroot <span class="nt">--from</span><span class="o">=</span>base /opt/jb 0.0s <span class="o">=&gt;</span> exporting to image 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> exporting layers 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> writing image sha256:06e849f0ab369043be9c071a446484e2a699a114dd988 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> naming to docker.io/library/keycloak-distroless 0.0s </code></pre> </div> <p>Sadly, if we are launching it like this, we will see the following error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-p</span> 8080:8080 keycloak-distroless Error: <span class="nt">-jar</span> requires jar file specification Usage: java <span class="o">[</span>options] &lt;mainclass&gt; <span class="o">[</span>args...] <span class="o">(</span>to execute a class<span class="o">)</span> or java <span class="o">[</span>options] <span class="nt">-jar</span> &lt;jarfile&gt; <span class="o">[</span>args...] <span class="o">(</span>to execute a jar file<span class="o">)</span> or java <span class="o">[</span>options] <span class="nt">-m</span> &lt;module&gt;[/&lt;mainclass&gt;] <span class="o">[</span>args...] java <span class="o">[</span>options] <span class="nt">--module</span> &lt;module&gt;[/&lt;mainclass&gt;] <span class="o">[</span>args...] <span class="o">(</span>to execute the main class <span class="k">in </span>a module<span class="o">)</span> or java <span class="o">[</span>options] &lt;sourcefile&gt; <span class="o">[</span>args] <span class="o">(</span>to execute a single source-file program<span class="o">)</span> Arguments following the main class, <span class="nb">source </span>file, <span class="nt">-jar</span> &lt;jarfile&gt;, <span class="nt">-m</span> or <span class="nt">--module</span> &lt;module&gt;/&lt;mainclass&gt; are passed as the arguments to main class. ... </code></pre> </div> <p>This is because the default <code>ENTRYPOINT</code> of this <strong>distroless</strong> image want to launch a (fat) <strong>JAR</strong>, but keycloak is more complex than this, so we will have to find the right <code>ENTRYPOINT</code> for our use case.</p> <h2> Generating the ENTRYPOINT </h2> <p>For this one, we will use the original image to <em>see</em> how Keycloak is launched in its natural state. To do that, we will edit the <code>standalone.sh</code> file to make it more verbose and copy the <code>java</code> command generated from it. We will follow <a href="https://hub.docker.com/r/jboss/keycloak/" rel="noopener noreferrer">the official documentation</a> to launch keycloak, but we will log into the container to do our magic trick:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Starting the container with the minimal configuration and log into it thanks to the custom entrypoint</span> <span class="nv">$ </span>docker run <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">-e</span> <span class="nv">DB_VENDOR</span><span class="o">=</span>h2 <span class="nt">--entrypoint</span><span class="o">=</span>bash jboss/keycloak:13.0.1 <span class="c"># From here, we are IN the Keycloak image!</span> <span class="c"># The following command update the standalone.sh file to be a lot verbose</span> bash-4.4<span class="nv">$ </span><span class="nb">awk</span> <span class="nt">-i</span> inplace <span class="s1">'NR==2 {print "set -x"} 1'</span> /opt/jboss/keycloak/bin/standalone.sh <span class="c"># Finally, we will launch keycloak from here and stop it when we found the line starting with "++ java"</span> bash-4.4<span class="nv">$ </span>/opt/jboss/tools/docker-entrypoint.sh <span class="o">=========================================================================</span> Using Embedded H2 database <span class="o">=========================================================================</span> + <span class="nv">DEBUG_MODE</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">DEBUG_PORT</span><span class="o">=</span>8787 + <span class="nv">GC_LOG</span><span class="o">=</span> + <span class="nv">SERVER_OPTS</span><span class="o">=</span> + <span class="s1">'['</span> 3 <span class="nt">-gt</span> 0 <span class="s1">']'</span> + <span class="k">case</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="k">in</span> + <span class="nv">SERVER_OPTS</span><span class="o">=</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address=172.17.0.2'</span><span class="se">\'</span><span class="s1">''</span> + <span class="nb">shift</span> + <span class="s1">'['</span> 2 <span class="nt">-gt</span> 0 <span class="s1">']'</span> + <span class="k">case</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="k">in</span> + <span class="nv">SERVER_OPTS</span><span class="o">=</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address.private=172.17.0.2'</span><span class="se">\'</span><span class="s1">''</span> + <span class="nb">shift</span> + <span class="s1">'['</span> 1 <span class="nt">-gt</span> 0 <span class="s1">']'</span> + <span class="k">case</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="k">in</span> + <span class="nv">SERVER_OPTS</span><span class="o">=</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address.private=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-c=standalone-ha.xml'</span><span class="se">\'</span><span class="s1">''</span> + <span class="nb">shift</span> + <span class="s1">'['</span> 0 <span class="nt">-gt</span> 0 <span class="s1">']'</span> ++ <span class="nb">dirname</span> /opt/jboss/keycloak/bin/standalone.sh + <span class="nv">DIRNAME</span><span class="o">=</span>/opt/jboss/keycloak/bin ++ <span class="nb">basename</span> /opt/jboss/keycloak/bin/standalone.sh + <span class="nv">PROGNAME</span><span class="o">=</span>standalone.sh + <span class="nv">GREP</span><span class="o">=</span><span class="nb">grep</span> + <span class="nb">.</span> /opt/jboss/keycloak/bin/common.sh ++ <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> ++ <span class="nv">COMMON_CONF</span><span class="o">=</span>/opt/jboss/keycloak/bin/common.conf ++ <span class="s1">'['</span> <span class="nt">-r</span> /opt/jboss/keycloak/bin/common.conf <span class="s1">']'</span> + <span class="nv">MAX_FD</span><span class="o">=</span>maximum + <span class="nv">MALLOC_ARENA_MAX</span><span class="o">=</span>1 + <span class="nb">export </span>MALLOC_ARENA_MAX + <span class="nv">cygwin</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">darwin</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">linux</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">solaris</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">freebsd</span><span class="o">=</span><span class="nb">false</span> + <span class="nv">other</span><span class="o">=</span><span class="nb">false</span> + <span class="k">case</span> <span class="s2">"</span><span class="sb">`</span><span class="nb">uname</span><span class="sb">`</span><span class="s2">"</span> <span class="k">in</span> ++ <span class="nb">uname</span> + <span class="nv">linux</span><span class="o">=</span><span class="nb">true</span> + <span class="nb">false</span> ++ <span class="nb">cd</span> /opt/jboss/keycloak/bin/.. ++ <span class="nb">pwd</span> + <span class="nv">RESOLVED_JBOSS_HOME</span><span class="o">=</span>/opt/jboss/keycloak + <span class="s1">'['</span> x/opt/jboss/keycloak <span class="o">=</span> x <span class="s1">']'</span> ++ <span class="nb">cd</span> /opt/jboss/keycloak ++ <span class="nb">pwd</span> + <span class="nv">SANITIZED_JBOSS_HOME</span><span class="o">=</span>/opt/jboss/keycloak + <span class="s1">'['</span> /opt/jboss/keycloak <span class="s1">'!='</span> /opt/jboss/keycloak <span class="s1">']'</span> + <span class="nb">export </span>JBOSS_HOME + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">RUN_CONF</span><span class="o">=</span>/opt/jboss/keycloak/bin/standalone.conf + <span class="s1">'['</span> <span class="nt">-r</span> /opt/jboss/keycloak/bin/standalone.conf <span class="s1">']'</span> + <span class="nb">.</span> /opt/jboss/keycloak/bin/standalone.conf ++ <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> ++ <span class="nv">JBOSS_MODULES_SYSTEM_PKGS</span><span class="o">=</span>org.jboss.byteman ++ <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> ++ <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">'-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true'</span> ++ <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">'-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true'</span> ++ <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">'-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true '</span> + <span class="s1">'['</span> <span class="nb">false</span> <span class="o">=</span> <span class="nb">true</span> <span class="s1">']'</span> + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="nv">JAVA</span><span class="o">=</span>java + <span class="nb">true</span> + <span class="nv">CONSOLIDATED_OPTS</span><span class="o">=</span><span class="s1">'-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address.private=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-c=standalone-ha.xml'</span><span class="se">\'</span><span class="s1">''</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-Xms64m</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Xms64m</span> + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-Xmx512m</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Xmx512m</span> + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="s1">''</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address=172.17.0.2'</span><span class="se">\'</span><span class="s1">''</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Djboss</span>.bind.address<span class="o">=</span>172.17.0.2 + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="s1">''</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address.private=172.17.0.2'</span><span class="se">\'</span><span class="s1">''</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-Djboss</span>.bind.address.private<span class="o">=</span>172.17.0.2 + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="k">for </span>var <span class="k">in</span> <span class="nv">$CONSOLIDATED_OPTS</span> ++ <span class="nb">echo</span> <span class="s1">''</span><span class="se">\'</span><span class="s1">'-c=standalone-ha.xml'</span><span class="se">\'</span><span class="s1">''</span> ++ <span class="nb">tr</span> <span class="nt">-d</span> <span class="se">\'</span> + <span class="nv">p</span><span class="o">=</span><span class="nt">-c</span><span class="o">=</span>standalone-ha.xml + <span class="k">case</span> <span class="nv">$p</span> <span class="k">in</span> + <span class="nb">false</span> + <span class="nb">false</span> + <span class="nb">false</span> + <span class="nb">false</span> + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">JBOSS_BASE_DIR</span><span class="o">=</span>/opt/jboss/keycloak/standalone + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">JBOSS_LOG_DIR</span><span class="o">=</span>/opt/jboss/keycloak/standalone/log + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">JBOSS_CONFIG_DIR</span><span class="o">=</span>/opt/jboss/keycloak/standalone/configuration + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">JBOSS_MODULEPATH</span><span class="o">=</span>/opt/jboss/keycloak/modules + <span class="nb">false</span> + <span class="s1">'['</span> <span class="s1">''</span> <span class="s1">'!='</span> <span class="nb">true</span> <span class="s1">']'</span> ++ <span class="nb">echo</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">grep</span> <span class="s1">'\-d64'</span> + <span class="nv">JVM_D64_OPTION</span><span class="o">=</span> ++ <span class="nb">echo</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">grep</span> <span class="s1">'\-d32'</span> + <span class="nv">JVM_D32_OPTION</span><span class="o">=</span> ++ <span class="nb">echo</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">grep</span> <span class="s1">'\-server'</span> + <span class="nv">SERVER_SET</span><span class="o">=</span> ++ <span class="nb">echo</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">grep</span> <span class="s1">'\-client'</span> + <span class="nv">CLIENT_SET</span><span class="o">=</span> + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="nb">false</span> + <span class="s1">'['</span> x <span class="o">=</span> x <span class="nt">-a</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nb">false</span> + <span class="nv">PREPEND_JAVA_OPTS</span><span class="o">=</span><span class="s1">' -server'</span> + setModularJdk + java <span class="nt">--add-modules</span><span class="o">=</span>java.se <span class="nt">-version</span> + <span class="nv">MODULAR_JDK</span><span class="o">=</span><span class="nb">true</span> + <span class="s1">'['</span> <span class="s1">''</span> <span class="o">=</span> <span class="nb">true</span> <span class="s1">']'</span> + setDefaultModularJvmOptions <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> + setModularJdk + java <span class="nt">--add-modules</span><span class="o">=</span>java.se <span class="nt">-version</span> + <span class="nv">MODULAR_JDK</span><span class="o">=</span><span class="nb">true</span> + <span class="s1">'['</span> <span class="nb">true</span> <span class="o">=</span> <span class="nb">true</span> <span class="s1">']'</span> ++ <span class="nb">echo</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> ++ <span class="nb">grep</span> <span class="s1">'\-\-add\-modules'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span> + <span class="s1">'['</span> x <span class="o">=</span> x <span class="s1">']'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED'</span> + <span class="nv">DEFAULT_MODULAR_JVM_OPTIONS</span><span class="o">=</span><span class="s1">' --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> + <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">'-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> + <span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s1">' -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> ++ <span class="nb">echo</span> <span class="nt">-server</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="nt">--add-exports</span><span class="o">=</span>java.base/sun.nio.ch<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.misc<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.reflect<span class="o">=</span>ALL-UNNAMED ++ <span class="nb">grep</span> <span class="s1">'java\.security\.manager'</span> + <span class="nv">SECURITY_MANAGER_SET</span><span class="o">=</span> + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="nv">MODULE_OPTS</span><span class="o">=</span> + <span class="s1">'['</span> <span class="s1">''</span> <span class="o">=</span> <span class="nb">true</span> <span class="s1">']'</span> ++ <span class="nb">echo</span> <span class="s1">''</span> ++ <span class="nb">grep</span> <span class="s1">'\-javaagent:'</span> + <span class="nv">AGENT_SET</span><span class="o">=</span> + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="nb">echo</span> <span class="o">=========================================================================</span> <span class="o">=========================================================================</span> + <span class="nb">echo</span> <span class="s1">''</span> + <span class="nb">echo</span> <span class="s1">' JBoss Bootstrap Environment'</span> JBoss Bootstrap Environment + <span class="nb">echo</span> <span class="s1">''</span> + <span class="nb">echo</span> <span class="s1">' JBOSS_HOME: /opt/jboss/keycloak'</span> JBOSS_HOME: /opt/jboss/keycloak + <span class="nb">echo</span> <span class="s1">''</span> + <span class="nb">echo</span> <span class="s1">' JAVA: java'</span> JAVA: java + <span class="nb">echo</span> <span class="s1">''</span> + <span class="nb">echo</span> <span class="s1">' JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'</span> JAVA_OPTS: <span class="nt">-server</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="nt">--add-exports</span><span class="o">=</span>java.base/sun.nio.ch<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.misc<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.reflect<span class="o">=</span>ALL-UNNAMED + <span class="nb">echo</span> <span class="s1">''</span> + <span class="nb">echo</span> <span class="o">=========================================================================</span> <span class="o">=========================================================================</span> + <span class="nb">echo</span> <span class="s1">''</span> + <span class="nb">true</span> + <span class="s1">'['</span> x1 <span class="o">=</span> x <span class="s1">']'</span> + <span class="nb">eval</span> <span class="s1">'"java"'</span> <span class="s1">'-D"[Standalone]"'</span> <span class="nt">-server</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="nt">--add-exports</span><span class="o">=</span>java.base/sun.nio.ch<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.misc<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.reflect<span class="o">=</span>ALL-UNNAMED <span class="s1">'"-Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log"'</span> <span class="s1">'"-Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties"'</span> <span class="nt">-jar</span> <span class="s1">'"/opt/jboss/keycloak/jboss-modules.jar"'</span> <span class="nt">-mp</span> <span class="s1">'"/opt/jboss/keycloak/modules"'</span> org.jboss.as.standalone <span class="s1">'-Djboss.home.dir="/opt/jboss/keycloak"'</span> <span class="s1">'-Djboss.server.base.dir="/opt/jboss/keycloak/standalone"'</span> <span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-Djboss.bind.address.private=172.17.0.2'</span><span class="se">\'</span><span class="s1">' '</span><span class="se">\'</span><span class="s1">'-c=standalone-ha.xml'</span><span class="se">\'</span><span class="s1">''</span> <span class="s1">'&amp;'</span> + <span class="nv">JBOSS_PID</span><span class="o">=</span>122 + <span class="nb">trap</span> <span class="s1">'kill -HUP 122'</span> HUP ++ java <span class="s1">'-D[Standalone]'</span> <span class="nt">-server</span> <span class="nt">-Xms64m</span> <span class="nt">-Xmx512m</span> <span class="nt">-XX</span>:MetaspaceSize<span class="o">=</span>96M <span class="nt">-XX</span>:MaxMetaspaceSize<span class="o">=</span>256m <span class="nt">-Djava</span>.net.preferIPv4Stack<span class="o">=</span><span class="nb">true</span> <span class="nt">-Djboss</span>.modules.system.pkgs<span class="o">=</span>org.jboss.byteman <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="nt">--add-exports</span><span class="o">=</span>java.base/sun.nio.ch<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.misc<span class="o">=</span>ALL-UNNAMED <span class="nt">--add-exports</span><span class="o">=</span>jdk.unsupported/sun.reflect<span class="o">=</span>ALL-UNNAMED <span class="nt">-Dorg</span>.jboss.boot.log.file<span class="o">=</span>/opt/jboss/keycloak/standalone/log/server.log <span class="nt">-Dlogging</span>.configuration<span class="o">=</span>file:/opt/jboss/keycloak/standalone/configuration/logging.properties <span class="nt">-jar</span> /opt/jboss/keycloak/jboss-modules.jar <span class="nt">-mp</span> /opt/jboss/keycloak/modules org.jboss.as.standalone <span class="nt">-Djboss</span>.home.dir<span class="o">=</span>/opt/jboss/keycloak <span class="nt">-Djboss</span>.server.base.dir<span class="o">=</span>/opt/jboss/keycloak/standalone <span class="nt">-Djboss</span>.bind.address<span class="o">=</span>172.17.0.2 <span class="nt">-Djboss</span>.bind.address.private<span class="o">=</span>172.17.0.2 <span class="nt">-c</span><span class="o">=</span>standalone-ha.xml + <span class="nb">trap</span> <span class="s1">'kill -TERM 122'</span> INT + <span class="nb">trap</span> <span class="s1">'kill -QUIT 122'</span> QUIT + <span class="nb">trap</span> <span class="s1">'kill -PIPE 122'</span> PIPE + <span class="nb">trap</span> <span class="s1">'kill -TERM 122'</span> TERM + <span class="s1">'['</span> x <span class="s1">'!='</span> x <span class="s1">']'</span> + <span class="nv">WAIT_STATUS</span><span class="o">=</span>128 + <span class="s1">'['</span> 128 <span class="nt">-ge</span> 128 <span class="s1">']'</span> + <span class="nb">wait </span>122 18:08:24,393 INFO <span class="o">[</span>org.jboss.modules] <span class="o">(</span>main<span class="p">)</span> JBoss Modules version 1.11.0.Final 18:08:25,034 INFO <span class="o">[</span>org.jboss.msc] <span class="o">(</span>main<span class="o">)</span> JBoss MSC version 1.4.12.Final 18:08:25,050 INFO <span class="o">[</span>org.jboss.threads] <span class="o">(</span>main<span class="o">)</span> JBoss Threads version 2.4.0.Final 18:08:25,219 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>MSC service thread 1-2<span class="o">)</span> WFLYSRV0049: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> starting 18:08:25,412 INFO <span class="o">[</span>org.jboss.vfs] <span class="o">(</span>MSC service thread 1-4<span class="o">)</span> VFS000002: Failed to clean existing content <span class="k">for </span>temp file provider of <span class="nb">type </span>temp. Enable DEBUG level log to find what caused this 18:08:26,228 INFO <span class="o">[</span>org.wildfly.security] <span class="o">(</span>ServerService Thread Pool <span class="nt">--</span> 22<span class="o">)</span> ELY00001: WildFly Elytron version 1.15.3.Final ^C bash-4.4<span class="nv">$ </span><span class="nb">exit</span> <span class="nv">$ </span> </code></pre> </div> <p>In the huge starting log, we can see the following command, starting with <code>++ java</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>java '-D[Standalone]' -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED -Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log -Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties -jar /opt/jboss/keycloak/jboss-modules.jar -mp /opt/jboss/keycloak/modules org.jboss.as.standalone -Djboss.home.dir=/opt/jboss/keycloak -Djboss.server.base.dir=/opt/jboss/keycloak/standalone -Djboss.bind.address=172.17.0.2 -Djboss.bind.address.private=172.17.0.2 -c=standalone-ha.xml </code></pre> </div> <p>This is the <code>java</code> command we will put inside our <code>Dockerfile</code>, as an <code>ENTRYPOINT</code> to make <strong>Keycloak</strong> start.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">jboss/keycloak:13.0.1</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">base</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/java:11-nonroot</span> <span class="k">COPY</span><span class="s"> --chown=nonroot:nonroot --from=base /opt/jboss /opt/jboss</span> <span class="k">ENTRYPOINT</span><span class="s"> [ "java", "-D[Standalone]", "-server", "-Xms64m", "-Xmx512m", "-XX:MetaspaceSize=96M", "-XX:MaxMetaspaceSize=256m", "-Djava.net.preferIPv4Stack=true", "-Djboss.modules.system.pkgs=org.jboss.byteman", "-Djava.awt.headless=true", "--add-exports=java.base/sun.nio.ch=ALL-UNNAMED", "--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED", "--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED", "-Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log", "-Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties", "-jar", "/opt/jboss/keycloak/jboss-modules.jar", "-mp", "/opt/jboss/keycloak/modules", "org.jboss.as.standalone", "-Djboss.home.dir=/opt/jboss/keycloak", "-Djboss.server.base.dir=/opt/jboss/keycloak/standalone", "-Djboss.bind.address=0.0.0.0", "-Djboss.bind.address.private=1720.0.0.0", "-c=standalone.xml" ]</span> </code></pre> </div> <p><strong>NOTE</strong>: You can tune this command to increase or decrease the memory setup, the private/public bind address of your keycloak instance and many other parameters. Here, we changed the configuration file used (<code>-c=standalone.xml</code> instead of <code>-c=standalone-ha.xml</code> for simplicity reasons) and the bound ip adresses (to <code>0.0.0.0</code>)</p> <p>If we build and run this, we will be able to access the Keycloak UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker build <span class="nt">-t</span> keycloak-distroless <span class="nb">.</span> <span class="o">[</span>+] Building 0.6s <span class="o">(</span>8/8<span class="o">)</span> FINISHED <span class="o">=&gt;</span> <span class="o">[</span>internal] load build definition from Dockerfile 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> transferring dockerfile: 37B 0.0s <span class="o">=&gt;</span> <span class="o">[</span>internal] load .dockerignore 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> transferring context: 2B 0.0s <span class="o">=&gt;</span> <span class="o">[</span>internal] load metadata <span class="k">for </span>gcr.io/distroless/java:11-nonroot 0.5s <span class="o">=&gt;</span> <span class="o">[</span>internal] load metadata <span class="k">for </span>docker.io/jboss/keycloak:13.0.1 0.0s <span class="o">=&gt;</span> <span class="o">[</span>base 1/1] FROM docker.io/jboss/keycloak:13.0.1 0.0s <span class="o">=&gt;</span> <span class="o">[</span>stage-1 1/2] FROM gcr.io/distroless/java:11-nonroot@sha256:07d017944 0.0s <span class="o">=&gt;</span> CACHED <span class="o">[</span>stage-1 2/2] COPY <span class="nt">--chown</span><span class="o">=</span>nonroot:nonroot <span class="nt">--from</span><span class="o">=</span>base /opt/jb 0.0s <span class="o">=&gt;</span> exporting to image 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> exporting layers 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> writing image sha256:100908720c19018f2408bb53a5d78ef3d9eb51391b165 0.0s <span class="o">=&gt;</span> <span class="o">=&gt;</span> naming to docker.io/library/keycloak-distroless 0.0s <span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-p</span> 8080:8080 keycloak-distroless 18:15:22,645 INFO <span class="o">[</span>org.jboss.modules] <span class="o">(</span>main<span class="o">)</span> JBoss Modules version 1.11.0.Final 18:15:23,283 INFO <span class="o">[</span>org.jboss.msc] <span class="o">(</span>main<span class="o">)</span> JBoss MSC version 1.4.12.Final 18:15:23,292 INFO <span class="o">[</span>org.jboss.threads] <span class="o">(</span>main<span class="o">)</span> JBoss Threads version 2.4.0.Final 18:15:23,452 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>MSC service thread 1-2<span class="o">)</span> WFLYSRV0049: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> starting 18:15:23,694 INFO <span class="o">[</span>org.jboss.vfs] <span class="o">(</span>MSC service thread 1-5<span class="o">)</span> VFS000002: Failed to clean existing content <span class="k">for </span>temp file provider of <span class="nb">type </span>temp. Enable DEBUG level log to find what caused this 18:15:24,457 INFO <span class="o">[</span>org.wildfly.security] <span class="o">(</span>ServerService Thread Pool <span class="nt">--</span> 22<span class="o">)</span> ELY00001: WildFly Elytron version 1.15.3.Final ... ... 18:15:44,642 INFO <span class="o">[</span>org.wildfly.extension.undertow] <span class="o">(</span>ServerService Thread Pool <span class="nt">--</span> 66<span class="o">)</span> WFLYUT0021: Registered web context: <span class="s1">'/auth'</span> <span class="k">for </span>server <span class="s1">'default-server'</span> 18:15:44,778 INFO <span class="o">[</span>org.jboss.as.server] <span class="o">(</span>ServerService Thread Pool <span class="nt">--</span> 46<span class="o">)</span> WFLYSRV0010: Deployed <span class="s2">"keycloak-server.war"</span> <span class="o">(</span>runtime-name : <span class="s2">"keycloak-server.war"</span><span class="o">)</span> 18:15:44,886 INFO <span class="o">[</span>org.jboss.as.server] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0212: Resuming server 18:15:44,892 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0025: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> started <span class="k">in </span>22800ms - Started 692 of 977 services <span class="o">(</span>686 services are lazy, passive or on-demand<span class="o">)</span> 18:15:44,896 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 18:15:44,896 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 </code></pre> </div> <p>If we try to access <code>http://localhost:8080/</code>, we can see the following page 🎉.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lk0ikvc8fpzw4yl1uby.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lk0ikvc8fpzw4yl1uby.png" alt="keycloak-ui-from-distroless" width="800" height="564"></a></p> <p>This is a good start, but this is just the minimal setup with <code>H2</code> database, we often want something more robust for production!</p> <h2> Generating the perfect configuration </h2> <p>The <code>jboss/keycloak</code> image use a lot of environment variables to configure keycloak (and the underlying <code>standalone.xml</code>) for you… but in our case, we can't use that because:</p> <ul> <li>We don't have a <code>shell</code> to run those scripts.</li> <li>We don't want to run those scripts at every startup / scale-up.</li> </ul> <p>So, we will have to <em>steal</em> the generated <code>standalone.xml</code> file from the original container, post start-up, and include it in our container. For this example, I will use <code>PostgreSQL</code> as our main database.</p> <p>To do this, I will use two shells side-by-side, one to launch Keycloak, and the other one to fetch the configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In the first shell</span> <span class="c"># Creation of a docker network</span> first-shell<span class="nv">$ </span>docker network create keycloak-network 4da77163731b584bef2c6d0b00386b9d62e31fa216204c6c6795f66e109ba1a6 <span class="c"># Launching PostgreSQL linked to the network previously created</span> first-shell<span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-d</span> <span class="nt">--name</span> postgres <span class="nt">--net</span> keycloak-network <span class="se">\</span> <span class="nt">-e</span> <span class="nv">POSTGRES_DB</span><span class="o">=</span>keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">POSTGRES_USER</span><span class="o">=</span>keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">POSTGRES_PASSWORD</span><span class="o">=</span>password postgres 229816da42707e772542f1b089c616a2333a6fbe1aea2be7efe658d6f2c934a1 first-shell<span class="nv">$ </span>docker run <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">--name</span> keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_ADDR</span><span class="o">=</span>postgres <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_USER</span><span class="o">=</span>keycloak <span class="se">\</span> <span class="nt">-e</span> <span class="nv">DB_PASSWORD</span><span class="o">=</span>password <span class="se">\</span> <span class="nt">-e</span> <span class="nv">KEYCLOAK_USER</span><span class="o">=</span>foo <span class="se">\</span> <span class="nt">-e</span> <span class="nv">KEYCLOAK_PASSWORD</span><span class="o">=</span>bar <span class="se">\</span> <span class="nt">--net</span> keycloak-network jboss/keycloak:13.0.1 <span class="o">=========================================================================</span> Using PostgreSQL database <span class="o">=========================================================================</span> 18:32:25,172 INFO <span class="o">[</span>org.jboss.modules] <span class="o">(</span>CLI <span class="nb">command </span>executor<span class="o">)</span> JBoss Modules version 1.11.0.Final 18:32:25,279 INFO <span class="o">[</span>org.jboss.msc] <span class="o">(</span>CLI <span class="nb">command </span>executor<span class="o">)</span> JBoss MSC version 1.4.12.Final 18:32:25,302 INFO <span class="o">[</span>org.jboss.threads] <span class="o">(</span>CLI <span class="nb">command </span>executor<span class="o">)</span> JBoss Threads version 2.4.0.Final 18:32:25,453 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>MSC service thread 1-2<span class="o">)</span> WFLYSRV0049: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> starting ... 18:32:59,128 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 18:32:59,129 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 </code></pre> </div> <p>In another shell, while the previous is still running, we will execute the following command to get the <code>standalone.xml</code> file used to configure <strong>Keycloak</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>second-shell<span class="nv">$ </span>docker <span class="nb">cp </span>keycloak:/opt/jboss/keycloak/standalone/configuration/standalone.xml <span class="nb">.</span> second-shell<span class="nv">$ </span><span class="nb">ls </span>standalone.xml <span class="c"># We can now stop the keycloak container</span> second-shell<span class="nv">$ </span>docker stop keycloak keycloak second-shell<span class="err">$</span> </code></pre> </div> <p>Now, we will start the <strong>Distroless Keycloak</strong> and mount the <code>standalone.xml</code> inside the container.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-e</span> <span class="nv">DB_USER</span><span class="o">=</span>keycloak <span class="nt">-e</span> <span class="nv">DB_PASSWORD</span><span class="o">=</span>password <span class="nt">--net</span> keycloak-network <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml <span class="nt">-p</span> 8080:8080 keycloak-distroless 19:42:20,707 INFO <span class="o">[</span>org.jboss.modules] <span class="o">(</span>main<span class="o">)</span> JBoss Modules version 1.11.0.Final 19:42:21,317 INFO <span class="o">[</span>org.jboss.msc] <span class="o">(</span>main<span class="o">)</span> JBoss MSC version 1.4.12.Final 19:42:21,329 INFO <span class="o">[</span>org.jboss.threads] <span class="o">(</span>main<span class="o">)</span> JBoss Threads version 2.4.0.Final 19:42:21,470 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>MSC service thread 1-2<span class="o">)</span> WFLYSRV0049: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> starting 19:42:21,651 INFO <span class="o">[</span>org.jboss.vfs] <span class="o">(</span>MSC service thread 1-1<span class="o">)</span> VFS000002: Failed to clean existing content <span class="k">for </span>temp file provider of <span class="nb">type </span>temp. Enable DEBUG level log to find what caused this 19:42:22,577 INFO <span class="o">[</span>org.wildfly.security] <span class="o">(</span>ServerService Thread Pool <span class="nt">--</span> 20<span class="o">)</span> ELY00001: WildFly Elytron version 1.15.3.Final ... 19:43:58,356 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0025: Keycloak 13.0.1 <span class="o">(</span>WildFly Core 15.0.1.Final<span class="o">)</span> started <span class="k">in </span>17828ms - Started 595 of 873 services <span class="o">(</span>584 services are lazy, passive or on-demand<span class="o">)</span> 19:43:58,362 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 19:43:58,363 INFO <span class="o">[</span>org.jboss.as] <span class="o">(</span>Controller Boot Thread<span class="o">)</span> WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 </code></pre> </div> <p>And <strong>Voila</strong>!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8o9no0uv4590wnqpnra.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8o9no0uv4590wnqpnra.png" alt="keycloak-auth" width="800" height="564"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjky6d1pt4milf243xcup.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjky6d1pt4milf243xcup.png" alt="keycloak-login" width="800" height="564"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6stjtu120ximoqrklovd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6stjtu120ximoqrklovd.png" alt="keycloak-ui" width="800" height="564"></a></p> <h1> What about security? </h1> <p>The original and main purpose of this manipulation is to reduce the number of CVEs present in our image. We will be able to compare it using <a href="https://github.com/aquasecurity/trivy" rel="noopener noreferrer">trivy</a> again on our newly image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>trivy image keycloak-distroless 2021-05-26T21:11:15.959+0200 INFO Detected OS: debian 2021-05-26T21:11:15.959+0200 INFO Detecting Debian vulnerabilities... 2021-05-26T21:11:15.963+0200 INFO Number of PL dependency files: 621 2021-05-26T21:11:15.963+0200 INFO Detecting jar vulnerabilities... keycloak-distroless <span class="o">(</span>debian 10.9<span class="o">)</span> <span class="o">=================================</span> Total: 27 <span class="o">(</span>UNKNOWN: 0, LOW: 23, MEDIUM: 3, HIGH: 1, CRITICAL: 0<span class="o">)</span> </code></pre> </div> <p>We can see, our image contain fewer vulnerabilities, at <code>LOW</code>, <code>MEDIUM</code> or <code>HIGH</code> level. Again, this depends on <em>when</em> you are doing this analysis. With the solution provided in this article, you'll be able to rebuild your keycloak on a new, up-to-date, <strong>Distroless base</strong> image without <em>updating</em> keycloak. With the original keycloak image, the keycloak version is tied to the OS version (and security flaws).</p> <p><strong>NOTE</strong>: The <code>jboss/keycloak:13.0.1</code> was released few hours before the creation of this article while the <code>distroless/java-debian10:non-root</code> was released 1 month ago. This is the worst comparison scenario possible for the <strong>Distroless</strong> base image.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxg69znq0rbkaxirtjxky.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxg69znq0rbkaxirtjxky.png" alt="dive-distroless" width="800" height="540"></a></p> <p>Another benefit of this alternative is to create a smaller image for keycloak. The previous <code>dive</code> reports stated <code>698 MB</code> for the official image when our custom image weight only <code>519 MB</code>, so around <code>179 MB</code> reduction 🏋️‍♂️, and I'm sure we can remove almost <code>100MB</code> by removing all useless binaries in the image (useless drivers, command line tools, documentation…).</p> <h1> Conclusion </h1> <p>With this article, you should be able to build, from the official <code>jboss/keycloak</code> image a custom one based on the <strong>Distroless/java</strong> and even fix CVEs by doing it again when a new version of <strong>Distroless/java</strong> image is released.</p> <p>I hope you liked it, you can find all the sample files from this article in this <strong>GitLab</strong> repository: <a href="https://gitlab.com/davinkevin/keycloak-distroless" rel="noopener noreferrer">davinkevin/keycloak-distroless</a>.</p> keycloak docker security java Kevin Davin Tue, 18 May 2021 05:55:46 +0000 https://dev.to/stack-labs/anthos-service-mesh-istio-on-google-cloud-51eo https://dev.to/stack-labs/anthos-service-mesh-istio-on-google-cloud-51eo <h1> Anthos Service Mesh, a managed Istio ⛵️ </h1> <p>Istio is one of the most advanced pieces of software in the Kubernetes ecosystem. It allows to redefine the way our services are communicating with each other, without being invasive. Istio works by taking control over the network of your Kubernetes cluster and allows applying configurations (through YAML). If you want to discover Istio, I invite you to read the excellent documentation provided in <a href="https://istio.io/" rel="noopener noreferrer">istio.io</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzelgop9oyvoaxqs0iy3s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzelgop9oyvoaxqs0iy3s.png" alt="istio-logo" width="800" height="311"></a></p> <p>The main problem with Istio, is the complexity to manage and configure it. Like kubernetes, this system is complex, and errors could lead to downtime in your cluster… 😓. Lots of software-company starts to provide a <strong>pre-configured</strong> version of Istio, and here we will talk about <strong>Anthos Service Mesh</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbsq6z72sfsix480wuj1n.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbsq6z72sfsix480wuj1n.jpeg" alt="anthos-logo" width="200" height="175"></a></p> <p><strong>Anthos Service Mesh</strong> is available on <em>Anthos clusters</em> running in <strong>Google Cloud</strong>, <strong>AWS</strong> or <strong>on-premise</strong> (different features are available depending on the cluster locality). Here, we will describe the <strong>Google Cloud</strong> version based on <strong>Anthos Service Mesh</strong> version 1.9.3.asm-2 (the last version may be different when you read this article).</p> <p><strong>NOTE:</strong> A fully managed version of <strong>Anthos Service Mesh</strong> exists but is actually in preview/beta. I prefer, for now, using the standard version of <strong>Anthos Service Mesh</strong> (aka <em>Customer-managed control plane</em>).</p> <h2> Installation </h2> <p>The installation is pretty straight-forward, <strong>Google</strong> provides a script <code>install_asm</code> to automate the installation on an already existing GKE cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./install_asm <span class="se">\</span> <span class="nt">--project_id</span> kevin-anthos-asm <span class="se">\</span> <span class="nt">--cluster_name</span> anthos-asm-demo <span class="se">\</span> <span class="nt">--cluster_location</span> europe-north1-a <span class="se">\</span> <span class="nt">--mode</span> <span class="nb">install</span> <span class="se">\</span> <span class="nt">--output_dir</span> ./asm-downloads <span class="se">\</span> <span class="nt">--enable_all</span> </code></pre> </div> <p><strong>NOTE:</strong> I am installing the latest version of <strong>ASM</strong> here, but you can choose a different one with the <code>--revision_name</code> parameter if required.</p> <p>To be executed, the script has some requirements. I invite you to check that <a href="https://cloud.google.com/service-mesh/docs/quickstart-asm#cloud-shell" rel="noopener noreferrer">here</a>. The best solution is to use the <strong>Google Cloud Shell</strong> to do the installation, it fulfills requirements by default.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>install_asm: Setting up necessary files... install_asm: Fetching/writing GCP credentials to kubeconfig file... install_asm: [WARNING]: nc not found, skipping k8s connection verification install_asm: [WARNING]: (Installation will continue normally.) install_asm: Checking installation tool dependencies... install_asm: Getting account information... install_asm: Confirming cluster information for kevin-anthos-asm/europe-north1-a/anthos-asm-demo... install_asm: Downloading ASM.. % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 41.7M 100 41.7M 0 0 31.5M 0 0:00:01 0:00:01 --:--:-- 31.5M install_asm: Downloading ASM kpt package... fetching package "/asm" from "https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" to "asm" install_asm: Confirming node pool requirements for kevin-anthos-asm/europe-north1-a/anthos-asm-demo... install_asm: Checking Istio installations... install_asm: Enabling required APIs... install_asm: Binding user:kevin.davin@stack-labs.com to required IAM roles... install_asm: Checking for project kevin-anthos-asm... install_asm: Reading labels for europe-north1-a/anthos-asm-demo... install_asm: Adding labels to europe-north1-a/anthos-asm-demo... install_asm: Enabling Workload Identity on europe-north1-a/anthos-asm-demo... install_asm: (This could take awhile, up to 10 minutes) install_asm: Initializing meshconfig API... install_asm: Enabling Stackdriver on europe-north1-a/anthos-asm-demo... install_asm: Querying for core/account... install_asm: Binding kevin.davin@stack-labs.com to cluster admin role... clusterrolebinding.rbac.authorization.k8s.io/kevin.davin-cluster-admin-binding created install_asm: Creating istio-system namespace... namespace/istio-system created install_asm: Configuring kpt package... asm/ set 22 field(s) of setter "gcloud.container.cluster" to value "anthos-asm-demo" asm/ set 40 field(s) of setter "gcloud.core.project" to value "kevin-anthos-asm" asm/ set 2 field(s) of setter "gcloud.project.projectNumber" to value "62405001080" asm/ set 6 field(s) of setter "gcloud.project.environProjectNumber" to value "62405001080" asm/ set 21 field(s) of setter "gcloud.compute.location" to value "europe-north1-a" asm/ set 2 field(s) of setter "gcloud.compute.network" to value "kevin-anthos-asm-default" asm/ set 6 field(s) of setter "anthos.servicemesh.rev" to value "asm-193-2" asm/ set 2 field(s) of setter "anthos.servicemesh.tag" to value "1.9.3-asm.2" install_asm: Installing validation webhook fix... service/istiod created install_asm: Installing ASM control plane... install_asm: ...done! install_asm: Installing ASM CanonicalService controller in asm-system namespace... namespace/asm-system created customresourcedefinition.apiextensions.k8s.io/canonicalservices.anthos.cloud.google.com created role.rbac.authorization.k8s.io/canonical-service-leader-election-role created clusterrole.rbac.authorization.k8s.io/canonical-service-manager-role created clusterrole.rbac.authorization.k8s.io/canonical-service-metrics-reader created serviceaccount/canonical-service-account created rolebinding.rbac.authorization.k8s.io/canonical-service-leader-election-rolebinding created clusterrolebinding.rbac.authorization.k8s.io/canonical-service-manager-rolebinding created clusterrolebinding.rbac.authorization.k8s.io/canonical-service-proxy-rolebinding created service/canonical-service-controller-manager-metrics-service created deployment.apps/canonical-service-controller-manager created install_asm: Waiting for deployment... deployment.apps/canonical-service-controller-manager condition met install_asm: ...done! install_asm: install_asm: ***************************** client version: 1.9.3-asm.2 control plane version: 1.9.3-asm.2 data plane version: 1.9.3-asm.2 (2 proxies) install_asm: ***************************** install_asm: The ASM control plane installation is now complete. install_asm: To enable automatic sidecar injection on a namespace, you can use the following command: install_asm: kubectl label namespace &lt;NAMESPACE&gt; istio-injection- istio.io/rev=asm-193-2 --overwrite install_asm: If you use 'istioctl install' afterwards to modify this installation, you will need install_asm: to specify the option '--set revision=asm-193-2' to target this control plane install_asm: instead of installing a new one. install_asm: To finish the installation, enable Istio sidecar injection and restart your workloads. install_asm: For more information, see: install_asm: https://cloud.google.com/service-mesh/docs/proxy-injection install_asm: The ASM package used for installation can be found at: install_asm: /home/kevin_davin/anthos/asm/2021-05-11-apres-midi/asm-downloads/asm install_asm: The version of istioctl that matches the installation can be found at: install_asm: /home/kevin_davin/anthos/asm/2021-05-11-apres-midi/asm-downloads/istio-1.9.3-asm.2/bin/istioctl install_asm: A symlink to the istioctl binary can be found at: install_asm: /home/kevin_davin/anthos/asm/2021-05-11-apres-midi/asm-downloads/istioctl install_asm: The combined configuration generated for installation can be found at: install_asm: /home/kevin_davin/anthos/asm/2021-05-11-apres-midi/asm-downloads/asm-193-2-manifest-raw.yaml install_asm: The full, expanded set of kubernetes resources can be found at: install_asm: /home/kevin_davin/anthos/asm/2021-05-11-apres-midi/asm-downloads/asm-193-2-manifest-expanded.yaml install_asm: ***************************** install_asm: Successfully installed ASM. </code></pre> </div> <p>This script will install a custom version of Istio, named <strong>A</strong>ntos <strong>S</strong>ervice <strong>M</strong>esh. At the end, your cluster will have two new namespaces, <code>asm-system</code> and <code>istio-system</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get ns NAME STATUS AGE asm-system Active 127m default Active 141m istio-system Active 128m kube-node-lease Active 141m kube-public Active 141m kube-system Active 141m </code></pre> </div> <p>You have successfully installed <strong>Anthos Service Mesh</strong> on your GKE Cluster… we have to use it now!</p> <h2> Namespace Activation </h2> <p>Istio is a cluster-wide tool, which can be activated at a namespace level or at a component level (but less common). We have to add a label to our <code>namespace</code> to trigger Istio functionalities on it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create namespace workshop <span class="nv">$ </span>kubectl label namespace workshop istio.io/rev<span class="o">=</span>asm-193-2 <span class="nt">--overwrite</span> </code></pre> </div> <p>Here, <code>asm-193-2</code> is the version provided by the <code>install_asm</code> command logs. With this information, <strong>ASM</strong> knows it will have to inject side-car container for every component of this namespace.</p> <p><strong>NOTE:</strong> If you want more details on the installation process, the official documentation is available <a href="https://cloud.google.com/service-mesh/docs/quickstart-asm" rel="noopener noreferrer">here</a> and provide a lot of information for various use cases.</p> <h2> Functionalities </h2> <p><strong>Anthos Service Mesh</strong> is a branded version of Istio. Modifications provided by Google are pretty soft and here mainly to make the system compatible with the cloud console. In <em>Customer-managed control plane</em>, you have access to every functionality the vast majority of feature provided by Istio 1.9.</p> <p>You can consult the complete list of features available <a href="https://cloud.google.com/service-mesh/docs/supported-features" rel="noopener noreferrer">here</a></p> <h2> Dashboards </h2> <p>The main advantage of <strong>ASM</strong> over the OpenSource version of Istio is its integration in the Google Cloud console.</p> <p>For this example, I've deployed 3 applications in the <code>workshop</code> namespace. Those applications came from our Stack Labs Workshop on Istio (accessible <a href="https://istio-in-action.training.stack-labs.com/istio-on-gke/1.3/02_workshop/03_application-bootstrap.html#workshop-resources" rel="noopener noreferrer">here</a>, and fully open source). With this, we can use theirs dashboards provided.</p> <h3> Global overview </h3> <p>We can have a global point-of-view on our micro-services deployed in our cluster. We have a tabular view, which can be filtered on namespace, providing a clear view of our services status and performance.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ubxinjnm7kuc401i5dg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ubxinjnm7kuc401i5dg.png" alt="tabular-view" width="800" height="348"></a></p> <p>A global topology view (still in beta 🧪) allowing us to drill down on our services, components, deployments, pods… very useful if we want to understand the communication schema in our cluster.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0qwez5eto4ravitcswj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0qwez5eto4ravitcswj.png" alt="topology-raw" width="800" height="521"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqsq44tfkcc2n4uvrxtrw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqsq44tfkcc2n4uvrxtrw.png" alt="topology-inside-service" width="800" height="467"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7mmcyl9z6ybea8wqig98.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7mmcyl9z6ybea8wqig98.png" alt="topology-inside-deployment" width="800" height="524"></a></p> <p>If we want to have deeper understanding on each component, we have access to a service specific view, accessible by clicking on a service on the tabular view.</p> <h3> Service Dashboard </h3> <p>This dashboard will provide a specific point of view on the behaviour of your service. Here, we will focus on the middleware service. For this example, we configure this application to send back 500 errors 50% of the time.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fya6huuponfig8u8h1jt6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fya6huuponfig8u8h1jt6.png" alt="middleware-details" width="800" height="458"></a></p> <p>This main view is here to summarize every following dashboards into one. It is an entry point for our service<br> analysis.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8s3lv9c8t9nkyn1kudn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8s3lv9c8t9nkyn1kudn.png" alt="slo-overview" width="800" height="412"></a></p> <p>The Health view is here to present us the <strong>Service Level Objectives</strong> (SLO) based on <strong>Service Level Indicators</strong> (SLI) we defined on our service.</p> <p><strong>NOTE:</strong> If you want to learn more about SLOs and SLIs, this <a href="https://cloud.google.com/blog/products/devops-sre/sre-fundamentals-slis-slas-and-slos" rel="noopener noreferrer">blog post</a> summarizes it (a lot) the idea behind it. You can also read the documentation and books provide freely by Google SRE team <a href="https://sre.google/" rel="noopener noreferrer">here</a>.</p> <p>We can define SLOs and SLIs on our service with multiple information gathered by the cloud console and <em>Anthos Service Mesh</em> for us.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa65urdn3a5n0zo46gnj6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa65urdn3a5n0zo46gnj6.png" alt="define-sli" width="800" height="661"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fozrx932vl4nnxbkvdd70.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fozrx932vl4nnxbkvdd70.png" alt="define-slo" width="800" height="603"></a></p> <p>You can define an alerting strategy for each SLO. Multiple systems are available from Slack, Pager-Duty, Email for the most standard to web-hook, cloud function or any other programmating system. I choose email for this example and I receive this after few minutes, because the SLO defined was not reached anymore.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdunbo9a3g2s92c5acmqi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdunbo9a3g2s92c5acmqi.png" alt="alert by email" width="800" height="1209"></a></p> <p>We have access to a global metrics view of the service. CPU, RAM, requests by seconds… all the required information to be able to follow the health of the application.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqevzfoxmto1p605ywd7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqevzfoxmto1p605ywd7.png" alt="metrics" width="800" height="606"></a></p> <p>We can analyse all the connectivity of our service. Here, we have a complete list of every services connecting to our service (<strong>inbound</strong>) or services reached by our service (<strong>outbound</strong>).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxqkf2hl2qqfsddqyc0fs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxqkf2hl2qqfsddqyc0fs.png" alt="inbound" width="800" height="375"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fary9gt9w1ijgdt1trzl4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fary9gt9w1ijgdt1trzl4.png" alt="outbound" width="800" height="379"></a></p> <p>The infrastructure pan allows us to see every instance of our service over time. Each of them has its own metrics (CPU, RAM, error rate…) and so, we can analyse at a fine grain level the performance and behaviour of our system.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5tlkrdwfy5u3x417tthc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5tlkrdwfy5u3x417tthc.png" alt="infrastructure" width="800" height="511"></a></p> <p>Security pane allows analysing communication security level between services. Istio and <strong>ASM</strong> provides a built-in way to communicate with <strong>mTLS</strong> between components. Here, you will see if exchanges are made "in clear" or with a secure protocol. I didn't configure anything and communications between <em>frontend</em>, <em>middleware</em> and <em>database</em> are secured by default.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyqx027rgdpi4dg83lyz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvyqx027rgdpi4dg83lyz.png" alt="security inbound" width="800" height="349"></a></p> <p>Finally, a useful view is available to consult YAML resources deployed in the cluster corresponding to this service. Deployment, VirtualService, DestinationRoute… All resources are available from the web-ui, simplifying analysis again.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzeyh48bzj3v4nfgttel9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzeyh48bzj3v4nfgttel9.png" alt="resources" width="800" height="587"></a></p> <h3> Timeline everywhere! </h3> <p>When you analyze production, especially when a problem occurs, you can't only use <strong>current</strong> data, you have to compare data with past data of the same system to elaborate a conclusion. Here, in every dashboard I introduce to you, you have the capacity to activate <strong>a timeline</strong> and narrow down your observations to a specific period of time.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzat0rwz6o254btzfh4tg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzat0rwz6o254btzfh4tg.png" alt="timeline in metrics" width="800" height="440"></a></p> <p>Every table, graph, metrics will be adapted to the given time span to present you the information at a specific moment. This will be convenient when you will want to compare the behavior of a service before and after an upgrade, for example.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk37g5sbbdc20hte2i2o0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk37g5sbbdc20hte2i2o0.png" alt="timeline in metrics" width="800" height="521"></a></p> <p>This feature is really awesome because you won't have to configure a dashboard for each needs. The system provided to you is made for operator, no need to customize a <em>PromQL</em> or <em>Grafana</em> query to analyse what's currently happening in production…</p> <h2> Conclusion </h2> <p>I focused this article mainly on <strong>Observability</strong>, because <strong>Anthos Service Mesh</strong> provides it out of the box. Even if <strong>Istio</strong> has wonderful features for traffic splitting, mirroring, authorization… the first reason you will want to use it for is <strong>Observability</strong> 🕵️‍♂️.</p> <p>Google is now doing with <strong>Istio</strong> what it did with <strong>Kubernetes</strong> many years ago. It integrated it and simplify its usage to make it available for everyone with ease. The future version, with a <strong>Google Managed Control Plane</strong> should simplify it even more.</p> <p>If you want to increase your observability with a managed and preconfigured system, I advise you to test <strong>Anthos Service Mesh</strong>!</p> istio anthos googlecloud devops Kevin Davin Sat, 20 Jun 2020 10:55:53 +0000 https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-for-kubectl-kustomize-45b5 https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-for-kubectl-kustomize-45b5 <p>In previous parts, we see how to manage our secrets in Kubernetes format directly from Git with SOPS. For that we use the standard Kubernetes format, and some SOPS parameters to encrypt only some keys. We will go further here and see how to do that with if we want to use <code>kubectl -k</code> or <code>kustomize</code>.</p> <p><em>DISCLAIMER</em> If you want to discover <code>kustomize</code>, I've written an article about it available <a href="https://dev.to/stack-labs/kustomize-the-right-way-to-do-templating-in-kubernetes-3ohp">here</a>.</p> <h1> Simpler solutions </h1> <p>We will use here the solution provided by <code>kubectl</code> / <code>kustomize</code> to generate a secret from a secret generator (see the <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-from-a-generator" rel="noopener noreferrer">official documentation about it</a>).<br> This solution induces two steps, one to decrypt the secret and another to produce the <code>YAML</code>. </p> <h2> 📄 With files </h2> <p><code>SecretGenerator</code> allows us to include secret from files. So, we can use <code>SOPS</code> to decrypt the file, and then we can use the <code>files</code> directive to include them into manifests.</p> <p><code>Devon</code> has the following files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kustomization.yaml</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secret</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secret</span> <span class="c1"># sops encrypted file</span> <span class="pi">-</span> <span class="s">another-secret</span> <span class="c1"># sops encrypted file</span> </code></pre> </div> <p><code>secret</code> file before encryption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TlZSNk1sRk9lR3RwTnpnNVdVWkVZUT09 </code></pre> </div> <p>And <code>another-secret</code> file before encryption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CWNRUt3MPSTX3TizkhX2GVh5pN </code></pre> </div> <p>After encryption with command <code>sops -i -e secret</code>, the file look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">secret</span><span class="w"> </span><span class="err">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENC[AES256_GCM,data:FUiwHLcn9X1Js+4w5CxQ4Qh+SF3VC4AHGcxT9W3Taqmy,iv:Jh/QcOpcWelFr8cwpv2VtzJQ8/67aam9peVGImHZQdg=,tag:rzGayLJ1Blcymkk7R/Iq9A==,type:str]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sops"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kms"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"gcp_kms"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"azure_kv"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"lastmodified"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:05Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mac"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENC[AES256_GCM,data:3aHK0NLSTT+XdFi44y4xCAfoXy+1PSc+FVTkBe8EpGCl3HlROoUbdjj/nDJTaAHQBctGg1E2U0pSgY2cIx/tWHR61XCtAZf59CL2pzMNeSRSuwJr1Atqq0ltonk08VWDVQ4DpVWBRvUPl5oxAvZpPmSk0LeuHVGeqXO2cTNa5gs=,iv:zUpUHeXghIs+/9hsHQuZtZ5UcgBzC/sF1ccJ6JHzN/U=,tag:rcwzfioUgN6H4wLcZtcrQw==,type:str]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pgp"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:04Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA4Hzarga0atVAQv9EQ4B8KqC41L1h4N+1jpApv/wHeDUMzsp1q5VisRndjHU</span><span class="se">\n</span><span class="s2">cqmE0YtaJsPbIAMt1cdGZr+koZG5PH25Q6bby4lph3zMFQHZhyrKnGzMftsbCE92</span><span class="se">\n</span><span class="s2">DPK64vmGQ1QLpJ/3897acu1NtKJicigi14Dr18ujv9kDG4HV1EeqI8o0ylycpUDr</span><span class="se">\n</span><span class="s2">VVctbUP7WNKd23ShXTymVOJjjNgH4fZxoCHXnf5ndEaVKGcM6wLkPO5VtZBI0D1N</span><span class="se">\n</span><span class="s2">cyy+UxWV3fZRXqjWx/qFwVGfs9wayRSy16WfSlFCNFzM4bztAxb+bLzNPWVQR4Q3</span><span class="se">\n</span><span class="s2">Sf7eDPVbPHF2VWvmNsODVkg8kr+flf0yKD2T1BOZ9uc+fQiZW6FQYY7qP9fSgPjk</span><span class="se">\n</span><span class="s2">8Bto7rtqbcCqyQE7i7E7Xuw6hVjw8dB3nIUnr5WcLD7uuHOFTfk1YNPFV+DLdT4L</span><span class="se">\n</span><span class="s2">ch4bFkYLtlAz1EGavZuuGwe6vod/anS3BQyp1dNc34Z4Xoc2fZ7G3oeBCXzVlFK4</span><span class="se">\n</span><span class="s2">bYLba8pAfYfVQOoMKepp0l4BtV7JTcdNWB+hCCRfPy1nAmWS8SJYvZqFhPzL9VrY</span><span class="se">\n</span><span class="s2">L1kPWZ74Ooz6H1srlnNHR4YmxUHqtkHnkDv2GADZxvq0JPpKSv0fpHUi2cCnPO6d</span><span class="se">\n</span><span class="s2">7VQQaUr53Gl2blMJJPBg</span><span class="se">\n</span><span class="s2">=MdW8</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5844C613B763F4374BAB2D2FC735658AB38BF93A"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:04Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA+itJvd1gkukAQv7BzY7dpzpafy1CPpyEaUyZLHkr32KPWypU+x5Mgs1BXFo</span><span class="se">\n</span><span class="s2">7+Zo92bmnidK6SAgMTJFJZlZP/81AM9s9VYXkbTmpS6OaKgloPsCe4/TQYA7ktAa</span><span class="se">\n</span><span class="s2">c9mRAESQSt1gDX0xupfWqdmS8yUqnAM6bULNvRkwFgV8Fjz9014sE9yM5DZckLfY</span><span class="se">\n</span><span class="s2">9FxinBvEfnB2kg/8f82hu7/JIqbvc5uweUCfRglqORHx9L6wrx0suGnBeyWacNB8</span><span class="se">\n</span><span class="s2">F3Dw4ICMxOBLrvohomqjGQqX7uzmYF8akZVl1vqtHz6vLRu818NIpap9xuyPMzpJ</span><span class="se">\n</span><span class="s2">iXiC+NthfVCAAlKOtUxWMSC+ptZu2JtPaU+WALEwLhAGj26UVsghn1w3u2cEtNwi</span><span class="se">\n</span><span class="s2">09odd63jt6vXyT7KXPPyJN5stSuHZnRveN5pmXXY/+ZE4VNQXxBW8XzEW1jXJNWH</span><span class="se">\n</span><span class="s2">8153wy1ObJUG5vOftt8L/NjpYEOBh9TRK+W+DIjGXCcunAHJ2MYH4JRQCvZvinZK</span><span class="se">\n</span><span class="s2">sw27mdhGe1MTyfPUsLvp0l4BxIvJoO/ac/JcsWwUZBhNDynNzOObL++E0TMoJUmE</span><span class="se">\n</span><span class="s2">69Gn3UmPwNcFBVHjZRBZh2IpYL5J0Hp+SBxQtKf/XI5AuLQ3jL504teiXt1YuWf4</span><span class="se">\n</span><span class="s2">9JiEUVhwnGheaWIIWHCc</span><span class="se">\n</span><span class="s2">=cDXu</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AE0D6FD0242FF896BE1E376B62E1E77388753B8E"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:04Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA1ZWtaFCHvLMAQv+NkbxKcDPgNdtTs/n6OaXiFpCgCPRsjuXOmCFaZou33Od</span><span class="se">\n</span><span class="s2">tNCPTHeAiMseq+Hxl3c0cdLh8wj1C5Sgqc6OBGaTOki3ZKfWA7H6DyPlbFR2d+af</span><span class="se">\n</span><span class="s2">TZRQc6j7uGISJkPRVGQ5X5rJ1BcoT19rhUQm4vr3x3LHHbLvRXccKugiI7fxpDo4</span><span class="se">\n</span><span class="s2">rVl7Dc9jhwz8XlV1WdalBeXvupvgxV+6aMqsnt6TFKc0vS/ECSRNoGD/cp2ZnEb8</span><span class="se">\n</span><span class="s2">NRgIQXH7jv6cYSl1is7VIHvRIxyCukRznlQc6Bhcu/nDI2+vPJEIdiIX8qgG/AF7</span><span class="se">\n</span><span class="s2">lfFPg8S6FALWcjNmCZksInIGltAIaQir0D2RxPfH7JdYu34c0TwgZCjMow1fBMiS</span><span class="se">\n</span><span class="s2">82sa9cTWQStGh6lJALTlGWTmZeDtbL22+NX0tG0gtVGlnAmJqZbDCWunL61qrt1n</span><span class="se">\n</span><span class="s2">1vvAPiYM/KZJOUibn5/gVyyb8PuVyY5Y0GahiTPPXL5h2gFo11xYpHsA9Ir0r9iB</span><span class="se">\n</span><span class="s2">B2/9gyR8dqaI6xoLWJnc0l4BDdKoO+4+hhkkSneEC5FG6p0u0a2E+bjkfNKGuPas</span><span class="se">\n</span><span class="s2">EnlIaWEYPh4Ndz2Km/GbII0kOuXvxdt9fxBTmB2k7/weDusUhNYY00sNxLd6rGW4</span><span class="se">\n</span><span class="s2">iQeX7+n5ajUO1efzqmXM</span><span class="se">\n</span><span class="s2">=B2bM</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3FF9E6938905023D25AB56EEFFEFFE9451381735"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:04Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA5/a4uV8wP1EAQv/YmHFgZNe/FgrL9etsny96gztis5qnIDCus+GdZam6j+K</span><span class="se">\n</span><span class="s2">mVJ21tt5lqqPi3eXm/1OyEQKBgYjQzjDvLNFJRpQMyxogAgD062jKOOHooZWsGaA</span><span class="se">\n</span><span class="s2">uhQ8Pz05pzMAdmCS2YBQmKKBHbzcue8g0iiJCKd/LAr5Ude8VTAa+Z/Re5fbZAK7</span><span class="se">\n</span><span class="s2">Y7UX/uz7dg0msAF8PyYxovZG907Dsin0FC/ObAcyL5GW24YOWeEHp5VCwpnyWa6v</span><span class="se">\n</span><span class="s2">Vr3uopiWn0n9J1sqhlb9ESq/M5qz8tqBLh1Z0yw8en6Bite+kEiDNW1o16XH4zKA</span><span class="se">\n</span><span class="s2">B+SN0R/jS5uutijrneAUOQulYN148W9md1rvbL5U9VT5pJXEKPj55rSogvQkv6tK</span><span class="se">\n</span><span class="s2">PH1m4WiEu7GeujO4oTD2gL5k17c5VzSLYDg3QmkYsJqLh0Z6/DvYELTKo9icMhrb</span><span class="se">\n</span><span class="s2">ZUj2DhTB9RtctJAbfGhZHeRp+V2Lt6at3c/bt7lINAqkEAEUqymrRu9CZwhdDcM9</span><span class="se">\n</span><span class="s2">zDoanJrDqAInhUyYo7sq0l4Bbd0eyO2FNqsHTlwASkSNgP3bFdSGL5u2t4WlK+gx</span><span class="se">\n</span><span class="s2">yQd/AZO8C1dcd5VWLi90j6gYe/8zrxrfnnzY1E0CvYRL21YxI2lUeS7+7EAnGmXz</span><span class="se">\n</span><span class="s2">vw3ZXpnrNX44jC4RZ8FX</span><span class="se">\n</span><span class="s2">=NTXR</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"57E6DA39E907744429FB07871141FE9F63986243"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"unencrypted_suffix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"_unencrypted"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3.5.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">another-secret</span><span class="w"> </span><span class="err">file</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENC[AES256_GCM,data:5MqAdBMFuvXolRkAiiRZzEEaOt6Tm7HU1aOd,iv:7Z7DGCzH9pQJfuMKs9/BJWsHNfK2RX+xg4/GZgQXWxg=,tag:uXwTc+2fzXmixc27RuhhCQ==,type:str]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sops"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kms"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"gcp_kms"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"azure_kv"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"lastmodified"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:08Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mac"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENC[AES256_GCM,data:HMjZeBiuiN5oW6Z56Sd4O1+1stR7EyO1cNfAmlEUL8XSR97vSJ8mD+It0yZf7Y2/qcTBi1TQS+0Ic6YRL5RycBbRXzCwdVdAUsrQ0netosv1Zcz+jF+sRwzbtJY72hVA16XnAB/vGOBqdAOzzYt60yMI2Hw56AYvK2tnYihGJdk=,iv:bPdVIcUaNifmavFmcHroVU24dj6gqz3jLZHUIKupt5o=,tag:XucX0NIdbXxN3mNXE08Q8Q==,type:str]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pgp"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:07Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA4Hzarga0atVAQwAmfkQySL6NV4gJL57RKTgxsJA9VYCZeww4vhZcCCNy1pN</span><span class="se">\n</span><span class="s2">zJF97UZSjrO9Pn5LZKgAHi4Ao0RANCH5S2+Se8t3t43SktJdN+TEBIG9gWa3WJ4W</span><span class="se">\n</span><span class="s2">A0yyR1Xx/bD81ogYmU1CNBxbxF4QO7wZcPtBwhN7whDDLsSvd1ETOR0ZifhhGXDw</span><span class="se">\n</span><span class="s2">WMieRpf3VannmCu8BugQBqYILyHCwkL/PFzZhVjBT08Vvy9EJwd0oSOKQ4LajDli</span><span class="se">\n</span><span class="s2">hJkiWwyzoyLmwqZDxSOhOhjF3FHc3cowAwrNDnXs0W1k+NZE+97M96Bkd4JcRvdX</span><span class="se">\n</span><span class="s2">6K7zD9oKQMT8jUToD6qyzyFGdGOnqh9odTInRDhcWGahbp8vkBsGPWrLFVxboRUy</span><span class="se">\n</span><span class="s2">1yT92AbWjfLsmhkPQOfpHZcy5zqg8/lrnuYtuw7i5v3OEGjEOoJA5ddjB16roX3I</span><span class="se">\n</span><span class="s2">JbyHCgrO+60dbDLFKDyYyt9kNBwo7tsFwVdoCtLdvs1/y4jwvRGR9udLaapZV/3H</span><span class="se">\n</span><span class="s2">zOwFzDpLDblM/eMjIB4G0l4B0dFU0EpjTwX6XDOjf2NVDJYhIu9hwBbqQiTQ2Fhe</span><span class="se">\n</span><span class="s2">lfVdSLMBwsgTmYmZsTz6Vm4QdwOY9gfNhZm6wrutJ7ZqKb0mZCYi5qtZIa96C2cG</span><span class="se">\n</span><span class="s2">/pRUsrtTnp8gZao/XjAR</span><span class="se">\n</span><span class="s2">=Lj0c</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5844C613B763F4374BAB2D2FC735658AB38BF93A"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:07Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA+itJvd1gkukAQwAhdEWK1TK+FsnqQAsD5KVCYNxySWfDUqoRgD5QWI6Axnm</span><span class="se">\n</span><span class="s2">TXo9d5g5qUsz6NrSjMIMQEZ4injIGj0aezxrrAQ+A5h2KnNNc76/Mhy1HdvrlnRz</span><span class="se">\n</span><span class="s2">qhP0pfwyB0MFyNEoD2nJoGONzg69Ob2mMBULsVxja4p+nl7V9xcNe8o7bgfbdobJ</span><span class="se">\n</span><span class="s2">YtkgNEJxfahMamQecED8/r7rUhbxxuc3yYx4ijU96dcjpnPl2HpXiD9kUVImMRuQ</span><span class="se">\n</span><span class="s2">wGdV1GrUYBYFb5U/PgD24Vz2V1D5hIGifbG5MLa0ddOkiKAlz6IXj8HKbR6nNklK</span><span class="se">\n</span><span class="s2">TGhs9FunpGuwgowef3BMwrKmQocvsHRgrv6Tu/sndwh7ThnV2tH0yoYOz3vaM57+</span><span class="se">\n</span><span class="s2">1VDGMZSe9QHJjsgaU36lgJBgq4SfzYeWs8zE08QzjZe07iAg6YKms2M+giZ0FDNx</span><span class="se">\n</span><span class="s2">sHwtCf6p432NTYokYd1NHS09c8s+fyxr271muNC5Q10+NltVJNRYuqfNPdZ9A9Aw</span><span class="se">\n</span><span class="s2">UBvdyLs9X6fSs+0yPCyq0l4BbF3pL5KfR+lRXkwZmqFr5yUfkaykCpF1sIGwHbfj</span><span class="se">\n</span><span class="s2">5VAnzcwTgcpSFdc9rqVq4E+HH4V5DZYbXTvqQ9vJGOZeqwUdhYF5NpRTDntzbqoe</span><span class="se">\n</span><span class="s2">2PolvaOWzvbCGu+DP4Ga</span><span class="se">\n</span><span class="s2">=6Tfo</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AE0D6FD0242FF896BE1E376B62E1E77388753B8E"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:07Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA1ZWtaFCHvLMAQv+Ndwgiv2ch5F/3FcIEtzqlxoq4yuy4L/xzD9Brhoqfgqx</span><span class="se">\n</span><span class="s2">ZPQsrSIez93SlR7JBBGmSaPZiCeUtNuQapi70f25LugGb3HHNVs6Brss05AabTUJ</span><span class="se">\n</span><span class="s2">WMNjlMBl7uk03bGtx83xNoJAnI8BGzkmrE5JlY3bYE+fTfzxY3CP8L0Tf/7lzbKy</span><span class="se">\n</span><span class="s2">9uTF3Jf3sWWX0bvSJY7KKuELImTJynfBj8z29DKl6Tmt15LbwVGpqSknhsuZBMBx</span><span class="se">\n</span><span class="s2">EI9JmwfPnA233jAz+f6QCDodx4GDv9+Ak5CJL9NleMBGJdG6VONrKRe8a8yNCI1k</span><span class="se">\n</span><span class="s2">Vyqgx9oWzpEZK9Go4eBIrbv9GpnyRDo7ULX6luqAeys0co0Cp8N/f8T20K24vEm+</span><span class="se">\n</span><span class="s2">Ghi1dIwcIj3gyFZZ+o7OkI/355CAdmYAldyEkBycZMV+oC7r3zyLniLRrTEzrtwt</span><span class="se">\n</span><span class="s2">QZCdu/lejBoUK/fWY++L8slZjTL8jVX9lVMHKQZqmC4LMsXtoPv9uS6xlA9I8usp</span><span class="se">\n</span><span class="s2">OzhrdGCiapQVfPAvZ3Fa0l4BHpAWInZcfWjYXCWfOfis+ygb/YV4I9BLRFTzRiRR</span><span class="se">\n</span><span class="s2">Epug1dNDEDX3uYO5BsQBt8qMPMsH7T+XI21081oLIH95UD5iOSiYsu600whQV7XO</span><span class="se">\n</span><span class="s2">g6p/T5LaVdoreMBDcyy/</span><span class="se">\n</span><span class="s2">=DSoD</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3FF9E6938905023D25AB56EEFFEFFE9451381735"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-06-20T10:12:07Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PGP MESSAGE-----</span><span class="se">\n\n</span><span class="s2">hQGMA5/a4uV8wP1EAQv/Z3Z2n4inarsPkhSQllWWG7+O7nDwdOK7c6S01f/eGBQ9</span><span class="se">\n</span><span class="s2">bzwhsZmyuYQ9ReKHRpxhbLjYnQBgc8JqDHCDgznZ8aIFp4XQ3zZeZwBzWYX2D+Ok</span><span class="se">\n</span><span class="s2">dXt2Ht1yd1zkhMGgrj55yjojnFZRRuNclXFZtypkVFzlU7trrBknlCjQDGIDqOS4</span><span class="se">\n</span><span class="s2">ZXUQ3IHeDOW7F0+wPxz96i4ZfxcZcOtRhsGGqxrMPAXRZGwgRwdOSJNC1a5iwEsc</span><span class="se">\n</span><span class="s2">k9DPcluf9+1Px/eOW2lmExntqkscNCgkjgT4ACsUCmI4p1V/LUrwvkPDPCH0EE4h</span><span class="se">\n</span><span class="s2">9MuBKQNuqp+gjjPwR9NOLOtoa/Njsp2V0vZsQ39Y+nfkqtE9w1bAX/R1VDABU+Bm</span><span class="se">\n</span><span class="s2">ml0WjT0eqGQwnZsBY4pfEvRwIS4JVQCa8sGhZXS4iax0uXgEFh4jma2uWBWKBnGd</span><span class="se">\n</span><span class="s2">D9mJ53RC6Xb4eTSkvNtF2VBFtqdu0N587xhykrprxVf7q/s2RXu3haP+JmdJHfMW</span><span class="se">\n</span><span class="s2">x2utciyuNIWAGm13u3Cn0l4BK5z9hlBxZfOeGAIyQIWQjYn/ZDG8smHmo8jGUPIR</span><span class="se">\n</span><span class="s2">ki/bs+uzo5Fnyk7OJhr0+bkQjG6weVoZJIUxZr61Tb0JhV4+xXaPVMZoZpg96Bii</span><span class="se">\n</span><span class="s2">+VWaRWaE+nTfH4wrXwDT</span><span class="se">\n</span><span class="s2">=svPU</span><span class="se">\n</span><span class="s2">-----END PGP MESSAGE-----</span><span class="se">\n</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"57E6DA39E907744429FB07871141FE9F63986243"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"unencrypted_suffix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"_unencrypted"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3.5.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="ltag_asciinema"> </div> <p>After decryption of the secret and execution of the command <code>kubectl apply -k . --dry-run -o yaml</code> or <code>kustomize build .</code>, we have the following YAML<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Generated manifest</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">another-secret</span><span class="pi">:</span> <span class="s">Q1dOUlV0M01QU1RYM1RpemtoWDJHVmg1cE4K</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">VGxaU05rMXNSazlsUjNSd1RucG5OVmRWV2tWWlVUMDkK</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secret-8m97554t4c</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> </code></pre> </div> <p>You see here, the <code>secret</code> and <code>another-secret</code> keys used in the file <code>kustomization.yaml</code> (<code>$.secretGenerator[*].files[*]</code>) are both filenames on the file-system, and keys in the generated manifests (<code>$.data[*]</code>). This could lead to problems if key name can't be a file (unauthorized characters for example). </p> <h2> 🗂 With <code>.env</code> files </h2> <p>A feature available into <code>kustomize</code> but not yet in <code>kubectl</code> (see <a href="https://github.com/kubernetes/kubernetes/issues/82905" rel="noopener noreferrer">issue</a>) is the possibility to use <code>.env</code> file as secret source.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secret</span> <span class="na">envs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets.env</span> </code></pre> </div> <p>The <code>secrets.env</code> before encryption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>secret=TlZSNk1sRk9lR3RwTnpnNVdVWkVZUT09 another-secret=CWNRUt3MPSTX3TizkhX2GVh5pN </code></pre> </div> <p>After encryption with command <code>sops -i -e secrets.env</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>secret=ENC[AES256_GCM,data:LZxAINIj7/HOIqSJ/M1YTjGmjGIFk24KKEKyXxcFHvQ=,iv:OJNKetoqlJdmYKFpFsfr1ihQjpZ6nJfm8INW474EfE8=,tag:Ea8G+IGH+aORM0sePL9Njw==,type:str] another-secret=ENC[AES256_GCM,data:OFgAiBkTzEjPwxpo0qn17wvSXm3T164f1Wg=,iv:+kvczR+vGDl6W/UG8KOl++cCKDmx3zA4cGC2vIsge7w=,tag:n7Qbs/I/qo4uy4FfCOMQkg==,type:str] sops_pgp__list_3__map_fp=57E6DA39E907744429FB07871141FE9F63986243 sops_pgp__list_2__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQGMA1ZWtaFCHvLMAQv/S/gV3liTwmA8Rm3v08kjV39mfBF66mSbjgljoVMvlgoQ\nZ6l2djvzUfzTpgdfACwVVbzQ+KWYfYWnHtOlEHKGQ1abi4Ik/WRS9J6xfzf0aPj0\n9GAy43wCqblvKLKBPHzfYXsQQLP/IA3gHgj1T0hRMx0Nbv+bHi16DEilzxyhCQQf\nzV+w0IMfF1CJrTvTgn4ohaN1KvuQcqOJNlWyr0/fIL420QYL09rQvjA20ds8Jwaq\nZ61O6XOtjyCVAB1nAYfCIOtd0t/+ApnI6Qwe5FKKcN1GrCiqJ4rt4mCK9/nLRcqg\nF1h825h5yuAWYjIyIb8zbulfLxUUN8ztbn4myIUKTcXu+Onq6dq2jaCKOceVc90m\njpXwvcDKYRdeG1HUcmOeQu9ioyt+4xGxOkWY8/hg1YJp9lA+/n4uU5OE9Su0o8LP\n71EzXfISx2PeROkY2W83e8qhzgQQNsCOI9Y5k8Tmd8ctgI4i9Pw0j1S2+sdiD5Y9\njOW7hPVLNiQ/avAkfKVr0lwBZSwkvC3d0Rbw4Wskj8/meRNMYf8DsbFOYi05ysjO\nwTvWQFYPy4cvMtaIvMKn05f+dQIm/6jwOwu6tyytKxqYuq/vEPOrUMQU72wA25eS\nTyXEd7AjE4boT/hQ9g==\n=gUpS\n-----END PGP MESSAGE-----\n sops_pgp__list_3__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQGMA5/a4uV8wP1EAQv8DQgTw5K4u3E+J9rRxiNK3AvdM+ajifrhZ/NEXu1hgj6g\nMhp8eqQoG1P7/1OJAYL1B20fTatol6oHXgpE7/+f8W6pY+wLfo4d6JSL+KSAAxJk\nWizkR87JxWZFyQB109vgZRDagPylA02yq/2XSgI47JFGVPB14/MAxJkr3O47Si3D\nc3NkqUew8jwPNAToLxM/oCnnDuEoSKmB6smSiL5UHk2/04h3PqbcwUnEPheGR9LK\neA6LVhQ/AiEtbZqAeSU46KGLVHFvQdQVKO+sAHkia21Y041tfS1HDiijTk3UxYTV\nSIB5OKln0qVdDZPYDg4y6Pc/qvj+DHUE+gDoSFOOaGPl1BMw5m9AoY/UQ+Tip66k\nBpG54b20GNmlCuI+7N2QG/lpoML4CGDP2AJ40o6KbZrlo4iwGieg9gdSAstJKlvg\nPpi/p/Fo2zyWin1Gjf/T3QYk5PjbeDkqDqyehToI90qDv8KF7ZDf/t3bz9Geitef\nt9Vg74WCXK/yNcyGAGbC0lwBaqxUf2erAGoTDBkmjjlyEGiEsIgpZzhNj85/G1Mp\n1NxM7zM+5nJGEquzXe/FEoOVX4+LRm1W8+y0T2FRxiOUhlE3anWs+576BYZ+1zZl\nourCUh/MJPpDz3R6Cg==\n=D5A/\n-----END PGP MESSAGE-----\n sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQGMA+itJvd1gkukAQv+NZtoRyHQfmOEA2zLM3HaK2HDofMNqcA8Gy66sOfMRwM0\nDvnyu7gcurDE75hYiY4Dd/k5wy+HE7c6fITIWZ62nGAU33RQKgWzZ/vuZX2JnzcA\n8d2XsyoBLe3KGOB75tfepYVkPuRdzDqCY+IH6bHvr9MtNW/CGL58OBXfGTKs1NnI\nSpBWPhF/8Zj0l9S5QkA5ENYGM2u/yutav1z281PNLmZmTrmZ9VYnytwwPX2dY9LS\nupyJnywKqwuw1iaFh7f8BhbuqTjNzAkmjycL8ZFLQB1uGI5CwxCGZ9a3KByNJ6Eh\nH/KVrK5rBBP09ByoIAYoiSBraejoovNFns9O2oUin8HEjv4tziuZ3KeqR51uJCS0\n31nZ/JBlx7GyJ7WGKoVsthlrOebpUuDRbmcKhzhNZT7umTCOYCHdTvGH5p6nMvsE\ngcuuqiTJjrp1WECkr1mMhQqD1Ef708Cw9TAK1LbzdHz5ePBWZ9b+FP0PpBUBHZOc\npWlzd8nYATEK7kQsRbUw0lwB5XQZZKltYrzy1n0dmI98HpqWUpx/f0BX9WRQMkgz\nmbZ8iEQIOBSexNvcM3yA9RMVaTW6M1WoHPGoQdiz4kw4gWtaKqxkK/RlBa6YPnwG\ncrToyqNOO5+HxrSIJg==\n=3esV\n-----END PGP MESSAGE-----\n sops_pgp__list_1__map_fp=AE0D6FD0242FF896BE1E376B62E1E77388753B8E sops_pgp__list_2__map_created_at=2020-06-20T10:30:18Z sops_pgp__list_0__map_created_at=2020-06-20T10:30:18Z sops_pgp__list_0__map_fp=5844C613B763F4374BAB2D2FC735658AB38BF93A sops_unencrypted_suffix=_unencrypted sops_lastmodified=2020-06-20T10:30:19Z sops_pgp__list_3__map_created_at=2020-06-20T10:30:18Z sops_pgp__list_2__map_fp=3FF9E6938905023D25AB56EEFFEFFE9451381735 sops_version=3.5.0 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQGMA4Hzarga0atVAQv/cIT+IM2097+hQ5NWuod9D7WamqfLTkYeCA+eQqMWRy7l\nBeUGX+JNrh8Wzmq3jAT4NP61/WZiPdX/sqmw/VKd7f+RoLoT5vvT/omHqXgt07Qv\nG0Sp/lz5KZF9d5ujiEmvOTbHZgFhA/8CzLl6rfWLzyHocdV5585vcnRK6RUa8Ezh\nUG9+nLCecq5xIAiqUfWpwdt+bznHAgb9VMW8m8T3UFDnUDa0Y/ankLJ9wIaReoVB\nTCRpJnr5fKxUw4r+kJDFxhnSg21Iw5Rx4rGJHAlDmazXGHazXD5z7f9g3ZiHxrOQ\n6WpoxZw/X/d3697viqe/yemp+CDQJUWQBolhAqfrMN95KllNo7vb7dOpNYG4PFIK\nRLNSTgg+2Ph4mE7AQHTqCdV1jPhtONApcf7CQmkQG/KqyJ5YCfwDLzfo+7+pv1Xx\nhSYEGwMVX+jBIW7ZlLsqcYUaJNQeF3DYNrfgdsTiMB7aGdhohOJvpL/771t37P2s\nyJ/rgu/K8J1InTcEfRPs0lwBeXjohJIpTOL09QgXNSQ0Dsio19VhPjWTr0QI6cAP\nYedVlwrAebeQAOkBlC8RPSUG35CYUqnSRpGHKrl03xCP0Z4TXZ+v60XphehDpdOn\nROm168cPbVF+K2BTTQ==\n=Pdik\n-----END PGP MESSAGE-----\n sops_mac=ENC[AES256_GCM,data:kXxkiJmgK5nyDiEwStytEHwKLw5JIN1Y1xiNUAXKJLNGEk4VyZ+VkqMNBcUED8HQycHIRle550/Mtov4aVtviM9jM7MnTMIdtg/bp6f0AKiXcl5nCWt26b3JP2nvLN/COMUnvxHxW3uwhdnrsJupBMNDSVdDOv2wXbyazfuor+U=,iv:LR2dRc054UDQoWCVJ+bynri5j5zFKvE69ggLh19sXLY=,tag:nvYpc7ez5Hb4jYLNUnd9Fw==,type:str] sops_pgp__list_1__map_created_at=2020-06-20T10:30:18Z </code></pre> </div> <p>After decryption of the <code>secrets.env</code> and execution of the command <code>kustomize build .</code>, we have the following YAML<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">another-secret</span><span class="pi">:</span> <span class="s">Q1dOUlV0M01QU1RYM1RpemtoWDJHVmg1cE4=</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">VGxaU05rMXNSazlsUjNSd1RucG5OVmRWV2tWWlVUMDk=</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secret-4g57fkmb8b</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> </code></pre> </div> <div class="ltag_asciinema"> </div> <p>Both way can be used without any problem (<code>files</code> or <code>envs</code>). This depends of the restriction on tooling you have to generate/deploy your manifests. </p> <h1> 🔧 Alternative with Kustomize Plugins </h1> <p>The main goal about using the <code>kustomize</code> plugin system is to be able to remove the step of files decryption before manifests creation. Thanks to that, you will be able to use <code>SOPS</code> secrets with some tools like skaffold and or others using<code>kustomize</code> under the hood. </p> <p><code>kustomize</code> has two plugins system (<a href="https://kubernetes-sigs.github.io/kustomize/guides/plugins/" rel="noopener noreferrer">official plugin documentation</a>)</p> <ul> <li>native <code>Go</code> extension</li> <li>exec <code>shell</code> extension</li> </ul> <p>This <code>native</code> solution is very useful because all can be done directly from <code>kustomize</code> code, and we don't need to have <code>SOPS</code> installed (for local or CI execution). </p> <p>But this solution is complex and requires compiling <code>kustomize</code> &amp; plugins from sources 😓... with all the Go build system. There is some <code>SOPS</code> plugins available: </p> <ul> <li><a href="https://github.com/viaduct-ai/kustomize-sops" rel="noopener noreferrer">KSOPS</a></li> <li><a href="https://github.com/Agilicus/kustomize-sops" rel="noopener noreferrer">Agilicus/kustomize-sops</a></li> <li><a href="https://github.com/barlik/kustomize-sops" rel="noopener noreferrer">barlik/kustomize-sops</a></li> <li> <a href="https://github.com/monopole/sopsencodedsecrets" rel="noopener noreferrer">sopsencodedsecrets</a> </li> </ul> <p>The <code>shell</code> solution is simpler to manage, but it will require installing <code>SOPS</code> or other binary to perform decrypt operation. I found only one implementation of shell plugin for <code>kustomize</code> available: <a href="https://github.com/goabout/kustomize-sopssecretgenerator" rel="noopener noreferrer">kustomize-sopssecretgenerator</a></p> <p>Both solutions have another downside, it requires extracting secrets configuration outside the <code>kustomization.yaml</code> (in a <code>generator.yaml</code> file), so it multiplies files and make it harder to read / manage 😓. Depending on your needs, I advise you to use <code>KSOPS</code> or <code>kustomize-sopssecretgenerator</code>.</p> <h1> 🔐 Conclusion </h1> <p>We have seen here a “simpler” solution to manage our secret and to use them with Kubernetes relying on the builtin Kustomize system. The plugin ecosystem is still young, so I hope integrations will be simpler in futur. </p> <p>You can find the source code of this article, files and scripts in this <a href="https://gitlab.com/davinkevin/sops-blog-post" rel="noopener noreferrer">GitLab repository</a>. </p> git devops security sops Kevin Davin Sat, 13 Jun 2020 13:25:56 +0000 https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-for-kubernetes-57me https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-for-kubernetes-57me <p>In previous parts, we see how to manage our secrets in Git and usable by humans and CI. Right now, we will discover how<br> to integrate it with Kubernetes, and especially with <a href="https://kubernetes.io/docs/concepts/configuration/secret/" rel="noopener noreferrer">Kubernetes Secrets</a>.</p> <h1> 😊 Naive usage </h1> <p>Since the beginning, <code>Alice</code>, <code>Bobby</code> and <code>Devon</code> are using only <code>*.env</code> file to store secrets. They have to use them<br> in a Kubernetes context, to create a secret named <code>app-secret</code>. The simple (and naive way) to do this is to use<br> the <code>kubectl</code> application to create the secret from an env files: </p> <div class="ltag_asciinema"> </div> <p>This solution is pretty basic and rely on the capacity of the <code>kubectl</code> cli to create secret from an <code>*.env</code> file. The main problem here is the fact we have to generate our secret from the env file. In Kubernetes context, when we have multiple manifests, we like to have the same semantic and organisation, which is simpler to read and debug. </p> <h1> 🔒 Sops &amp; YAML </h1> <p>To match the team expectation, <code>Devon</code> will move to a Kubernetes <code>YAML</code> format for secrets instead of relying on <code>*.env</code> files. To do so, he will use the output generated from the previous example and use sops to encrypt it.</p> <div class="ltag_asciinema"> </div> <p>The SOPS output is like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:gEA=,iv:2jeZ0y0SEPXZTgrsmYXc7LgPydoPwnKzF4GVqykSw5M=,tag:YzEMrctU19sUIqat+LUFIw==,type:str]</span> <span class="na">data</span><span class="pi">:</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:uJIDP3yMdFyW/7bnBAU0MJp07xmF0nlh,iv:ardoVW+p9HLNpaWfXOWrevZFdNJqGJvt00jPbkrr7p4=,tag:mB3wqa7kNE7gZ9J87IboNg==,type:str]</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:tu+OHbXI,iv:QfqZeYOkTPTzJ618gh+/zGWPMDBJfjp+GwM8yBZCD+Y=,tag:XrJfNhmyDhOQNncd/uNvxA==,type:str]</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:X8WMTByIcUrjag==,iv:pQ6xt5DPchrxwXtt98l4mgCixpcpaA2ewST0lAqYY4E=,tag:fqj/1PbzbhjIhRx9Ogitxg==,type:str]</span> <span class="na">sops</span><span class="pi">:</span> <span class="na">kms</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">gcp_kms</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">azure_kv</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">lastmodified</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2020-06-13T12:21:16Z'</span> <span class="na">mac</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:dU1bm2GBwdkqMQqEa+b0EfuMG5BRiiHDxNjB3tvB4JTVxqamQ17A47tzMld93/lZnJWRb4BtDFUI2xHh/5BCpxdI4J67AvWdv91usRgpgh7z7SF4pK4UUVah3WDYd3tvo+VzugvN6b4V+oGZlfJM789dJrTDOjSCAyyaaa/Qfb0=,iv:Cdaet+2Sowq50TDIkDO1RXi4vgaVqe7rYz08PHybAv0=,tag:1aeR/f4NnydiP2Vuuvljvw==,type:str]</span> <span class="na">pgp</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">created_at</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2020-06-13T12:21:16Z'</span> <span class="na">enc</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">-----BEGIN PGP MESSAGE-----</span> <span class="s">hQGMA5/a4uV8wP1EAQwAshoGsWCKiYnsi1Rr/HoMtvp8Tx5cmUWLPz0OsGsQUFc/</span> <span class="s">HQ48h7KUAjemTBnyQ6SpZUK2uI5YOLnOIqNcQJvNb4o30o0M3kuD2KNzSbsRGt3j</span> <span class="s">vODVKcs699sT1mX/rc6/EzpLy0NUgrAlXn7IUG+rhnk97OvfMdjP6+i77OpSU9Uc</span> <span class="s">5l6FWokBzFBvL6EENay6EO54C17MBXijoM4h6x7YajOjk5VNFtUl7wh039VGWZpQ</span> <span class="s">7vMuTbla06DWAHIFKIOs54yEh+vMTMgnsg8NrPzz4xqKDMcmZoQIm1jwc8EvxYK4</span> <span class="s">nGI4LpXO8VMgCyHBEcMjCGhZ5xXAiMRzF9M8XAWRfDFgYjDosL8QOQkl4vVnsf4e</span> <span class="s">5bhITFz1ZGaJwEeVzlt82cxWy4+BNq+lfAghqEnHGAjLGFIgTiRtVB47NLk9WPIT</span> <span class="s">T7Qv5gvATdW0rNHecfoGCKWx15ZJezXSo8Vtt5eVPgdYd3wO76Uw6XWhkxwSgQNT</span> <span class="s">vE7W5qvLoqxZrJs4Kyd20l4BQzSEiHJRg7wmWx9Y0BhyzF1Zh6F0oQBxTzGjP0f1</span> <span class="s">J9THfwIOhyOBwm8bWkEz7ac84o2NEItdrvlhrB0Y61ZfRl6xZKWqFxJ3N1yVHxxM</span> <span class="s">MWRYzaQcuoh5670lRhY5</span> <span class="s">=KjAd</span> <span class="s">-----END PGP MESSAGE-----</span> <span class="na">fp</span><span class="pi">:</span> <span class="s">57E6DA39E907744429FB07871141FE9F63986243</span> <span class="na">unencrypted_suffix</span><span class="pi">:</span> <span class="s">_unencrypted</span> <span class="na">version</span><span class="pi">:</span> <span class="s">3.5.0</span> </code></pre> </div> <p>SOPS is encrypting every value of the previously generated <code>YAML</code>, including <code>kind</code> or <code>apiVersion</code> and <code>metadata.name</code>. This is problematic because the whole team need to be able to read keys, which are not sensible in this Kubernetes secret. </p> <h1> 🔏 Encrypt specific keys only </h1> <p>SOPS provides an handy parameter to choose which keys should be encrypted. This could be used directly from the command line <code>sops --encrypt --encrypted-regex '^(data|stringData)$' app-secret.yaml</code>.</p> <div class="ltag_asciinema"> </div> <p><strong>DISCLAIMER</strong>: For concision, I've removed a part of the generated files. SOPS parameters are included into the YAML and are verbose.</p> <p>The file looks like this now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:RLfYML8bJ0d5kN0nudgGgJJQIJMHK9MB,iv:6rurG5rErwn2O7PrHVoPjRnkMT5MjenhRmF3Vxh/cVw=,tag:4B5NeHbTmm0yl5VFlA9fww==,type:str]</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secret</span> <span class="na">sops</span><span class="pi">:</span> <span class="na">kms</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">gcp_kms</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">azure_kv</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">lastmodified</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2020-06-13T12:32:40Z'</span> <span class="na">mac</span><span class="pi">:</span> <span class="s">ENC[AES256_GCM,data:jl00u8YtegEi3lvuHv70PtI6Zywo8tSDH2DKk2jw+b4yiUGU2y9T82t3bE6ahY1MWy1U6CRK9NYKBS8p5HJqDjH/N21rhQy7k3g4BuzG/CJt2S/xio0KaAwwGXURUtXbHpXLrko22q0cgqCrsr/IFvz65r6WNhji0utSC1FKCPQ=,iv:XoilcDIZR8ir/ySbu+xVGNO0NkEkQr/IlyKXvAyyeyM=,tag:Hraabep8cq85M3OjvjoQBA==,type:str]</span> <span class="na">pgp</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># Removed for concision</span> <span class="na">encrypted_regex</span><span class="pi">:</span> <span class="s">^(data|stringData)$</span> <span class="na">version</span><span class="pi">:</span> <span class="s">3.5.0</span> </code></pre> </div> <p>We can do better, because SOPS provides us a solution to store configuration required for every secret directly into the <code>.sops.yaml</code>. We can add the key <code>encrypted-regex</code> to simplify the command line. This is helpful when you need to add another secret key in an existing secret.</p> <div class="ltag_asciinema"> </div> <p>Every team member can now read and edit Kubernetes secret simply 🎉.</p> <h1> 🦊 CI Integration </h1> <p>The CI needs to be adjusted to be able to deploy those manifests. We are using the base described in <a href="https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-gitlab-ci-2jnd">the previous article</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy int</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="nv">*auth</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sops -d app-secret.yaml | kubectl apply -f -</span> </code></pre> </div> <h1> Conclusion </h1> <p>If you are using Kubernetes, and you want to manage your secrets in Git, SOPS will be a good match ❤️. You will be able to encrypt only desired value in a <code>YAML</code> file to keep it readable, by a human and other tools working on Kubernetes manifests. </p> <p>You can find the source code of this article, files and scripts in this <a href="https://gitlab.com/davinkevin/sops-blog-post" rel="noopener noreferrer">GitLab repository</a>.</p> sops kubernetes git devops Kevin Davin Sat, 06 Jun 2020 12:50:18 +0000 https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-gitlab-ci-2jnd https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-gitlab-ci-2jnd <p>In this series, we saw how to create and manage our secrets in git and restrict their access to team members. </p> <p>What if I want do use my secret from my CI for Continuous Deployment? This is exactly what we will see in this article, based on <a href="https://docs.gitlab.com/ee/ci/" rel="noopener noreferrer">GitLab CI 🦊</a>.</p> <p><strong>DISCLAIMER</strong>: Every CI system should be compatible, you just need to have access to CI secrets and be able to fetch them during execution. </p> <h2> 🤖 Creation of the CI identity </h2> <p>To be able to decrypt secrets within Continuous Integration, we should create an identity for our CI. <code>Alice</code>, <code>Bobby</code> and <code>Devon</code> will have a new friend named <code>CI</code> 🤖 ! </p> <p><code>Devon</code>, in charge of the CI, will create a new key-pair for this new special user. He will use the <code>gpg --full-gen-key</code> command and answer questions like if it was for a real human.</p> <div class="ltag_asciinema"> </div> <p>Then, he will extract a backup of the private/public key with the command <code>gpg -o ci.key --armor --export-secret-keys ci@domain.fr</code>. This key is in a textual format, which is easy to use as an environment variable.</p> <p><strong>NOTE</strong>: This key and the passphrase should be stored securely, in a keypass, vault or something else, because they represent the identity of your CI. By design, it will be able to decrypt all secrets from the repository.</p> <p>We also need to extract the public key separately to distribute it to every team members. Without it, they won't be able to encrypt a secret and include the <code>CI</code> key in the process. </p> <p>To do so, <code>Devon</code> will use the command <code>gpg -o ci.public.key --armor --export</code>. </p> <h2> 🔑 Import public key of CI </h2> <p>Each team member should import the public key extracted by <code>Devon</code> in the previous step. Here, <code>Booby</code> will use the <code>gpg --import ci.public.key</code> command to perform this. </p> <div class="ltag_asciinema"> </div> <p>At the end, he, and every other team members should have in their key list (<code>gpg --list-keys</code>) the public key of <code>CI</code>.</p> <h2> 🔏 Update keys of every secret </h2> <p><code>CI</code> is a new team member, as any other human. The team has to let this new "person" access and decrypt every secret. So we will use the <code>sops updatekeys &lt;secret&gt;</code> on every secret.</p> <div class="ltag_asciinema"> </div> <p>This requires a correctly configured <code>.sops.yaml</code> file. For more information about this, you can read the <a href="https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g">second part</a> of this series. </p> <h2> 🦊 GitLab CI Configuration </h2> <p>Now, the CI is ready to be configured. <code>Devon</code>, in charge of this, will import into GitLab secret pane (in <em>Settings</em> &gt; <em>CI/CD</em> &gt; <em>Variables</em>) the content of the <code>ci.key</code> created previously and the passphrase defined for it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ff51lanyy7mfvm24hoe1y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ff51lanyy7mfvm24hoe1y.png" alt="passphrase &amp; key in gitlab parameters" width="800" height="361"></a></p> <p><strong>NOTE</strong>: The variable <code>Type</code> is defined to <code>File</code> for the <code>KEY</code>. For more information about this, look at <a href="https://docs.gitlab.com/ee/ci/variables/#custom-environment-variables-of-type-file" rel="noopener noreferrer">the official GitLab documentation about file variable</a></p> <p>Then, <code>Devon</code> will define a GitLab CI job able to read the value from the encrypted secret. For our example, this will just do a <code>cat</code> on the standard output. Of course, you can do what you want with those values in your CI pipeline.</p> <p>We need to take care of the <code>image</code> used in our Continuous Integration. We should be able to access the <code>gpg</code> command. In this example, we will install it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy int</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk</span> <span class="c1"># &lt;1&gt;</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y curl gnupg</span> <span class="c1"># &lt;2&gt;</span> <span class="pi">-</span> <span class="s">curl -qsL https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux -o /usr/local/bin/sops</span> <span class="c1"># &lt;3&gt;</span> <span class="pi">-</span> <span class="s">chmod +x /usr/local/bin/sops</span> <span class="pi">-</span> <span class="s">cat $KEY | gpg --batch --import</span> <span class="c1"># &lt;4&gt; </span> <span class="pi">-</span> <span class="s">echo $PASSPHRASE | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp)</span> <span class="c1"># &lt;5&gt;</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sops -d int.encrypted.env &gt; int.env</span> <span class="c1"># &lt;6&gt;</span> <span class="pi">-</span> <span class="s">cat int.env</span> </code></pre> </div> <ol> <li>Define a job image based required for our deploy phase... it should fit team needs, this is just for example here.</li> <li>We install <code>gpg</code> and <code>curl</code> thanks to <code>apt</code> on debian distribution. Should be adapted if you are using another distribution.</li> <li>We use <code>curl</code> to download <code>sops</code> binary from GitHub. Take care to get the latest version 😉.</li> <li>Import the <code>ci.key</code> into our <code>gpg</code> toolchain.</li> <li>Provide the <code>PASSPHRASE</code> to the <code>gpg</code> toolchain to be totally "not interactive".</li> <li>Then, the CI can decrypt the <code>int.encrypted.env</code> file and use it where we want in our deploy phase. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Running with gitlab-runner 13.0.0 (c127439c) on docker-auto-scale 0277ea0f Preparing the "docker+machine" executor Using Docker executor with image google/cloud-sdk ... Pulling docker image google/cloud-sdk ... Using docker image sha256:5d096c48b3b4bab72df240dcf94940be3e0397606bb4cc94143f2a12189dba1f for google/cloud-sdk ... Preparing environment Running on runner-0277ea0f-project-19225532-concurrent-0 via runner-0277ea0f-srm-1591443365-4e9ad7c3... Getting source from Git repository $ eval "$CI_PRE_CLONE_SCRIPT" Fetching changes with git depth set to 50... Initialized empty Git repository in /builds/davinkevin/sops-blog-post-repository/.git/ Created fresh repository. From https://gitlab.com/davinkevin/sops-blog-post-repository * [new ref] refs/pipelines/153546622 -&gt; refs/pipelines/153546622 * [new branch] master -&gt; origin/master Checking out 84edc518 as master... Skipping Git submodules setup Restoring cache 00:02 Downloading artifacts 00:01 Running before_script and script $ apt-get update &amp;&amp; apt-get install -y curl gnupg Hit:1 http://deb.debian.org/debian buster InRelease Get:2 http://deb.debian.org/debian buster-updates InRelease [49.3 kB] Get:3 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB] Hit:4 https://packages.cloud.google.com/apt cloud-sdk-buster InRelease Get:5 http://deb.debian.org/debian sid InRelease [146 kB] Get:6 http://security.debian.org/debian-security buster/updates/main amd64 Packages [201 kB] Get:7 http://deb.debian.org/debian sid/main amd64 Packages.diff/Index [27.9 kB] Get:8 http://deb.debian.org/debian sid/main amd64 Packages 2020-06-05-2003.49.pdiff [23.8 kB] Get:9 http://deb.debian.org/debian sid/main amd64 Packages 2020-06-06-0208.52.pdiff [16.2 kB] Get:10 http://deb.debian.org/debian sid/main amd64 Packages 2020-06-06-0803.34.pdiff [12.5 kB] Get:10 http://deb.debian.org/debian sid/main amd64 Packages 2020-06-06-0803.34.pdiff [12.5 kB] Fetched 543 kB in 2s (243 kB/s) Reading package lists... Reading package lists... Building dependency tree... Reading state information... The following packages were automatically installed and are no longer required: dh-python libperl5.28 libpython3.7 libpython3.7-minimal libpython3.7-stdlib perl-modules-5.28 python3.7-minimal Use 'apt autoremove' to remove them. The following additional packages will be installed: dirmngr gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv libbrotli1 libcurl4 Suggested packages: dbus-user-session libpam-systemd pinentry-gnome3 tor parcimonie xloadimage scdaemon The following NEW packages will be installed: libbrotli1 The following packages will be upgraded: curl dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv libcurl4 13 upgraded, 1 newly installed, 0 to remove and 132 not upgraded. Need to get 8559 kB of archives. After this operation, 1241 kB of additional disk space will be used. Get:1 http://deb.debian.org/debian sid/main amd64 gpg-wks-client amd64 2.2.20-1 [507 kB] Get:2 http://deb.debian.org/debian sid/main amd64 dirmngr amd64 2.2.20-1 [740 kB] Get:3 http://deb.debian.org/debian sid/main amd64 gnupg-utils amd64 2.2.20-1 [889 kB] Get:4 http://deb.debian.org/debian sid/main amd64 gpg-wks-server amd64 2.2.20-1 [500 kB] Get:5 http://deb.debian.org/debian sid/main amd64 gpg-agent amd64 2.2.20-1 [641 kB] Get:6 http://deb.debian.org/debian sid/main amd64 gpg amd64 2.2.20-1 [894 kB] Get:7 http://deb.debian.org/debian sid/main amd64 gpgconf amd64 2.2.20-1 [532 kB] Get:8 http://deb.debian.org/debian sid/main amd64 gnupg-l10n all 2.2.20-1 [1035 kB] Get:9 http://deb.debian.org/debian sid/main amd64 gnupg all 2.2.20-1 [749 kB] Get:10 http://deb.debian.org/debian sid/main amd64 gpgsm amd64 2.2.20-1 [627 kB] Get:11 http://deb.debian.org/debian sid/main amd64 gpgv amd64 2.2.20-1 [608 kB] Get:12 http://deb.debian.org/debian sid/main amd64 libbrotli1 amd64 1.0.7-6.1 [267 kB] Get:13 http://deb.debian.org/debian sid/main amd64 curl amd64 7.68.0-1 [249 kB] Get:14 http://deb.debian.org/debian sid/main amd64 libcurl4 amd64 7.68.0-1 [321 kB] debconf: delaying package configuration, since apt-utils is not installed Fetched 8559 kB in 0s (22.3 MB/s) (Reading database ... 85863 files and directories currently installed.) Preparing to unpack .../00-gpg-wks-client_2.2.20-1_amd64.deb ... Unpacking gpg-wks-client (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../01-dirmngr_2.2.20-1_amd64.deb ... Unpacking dirmngr (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../02-gnupg-utils_2.2.20-1_amd64.deb ... Unpacking gnupg-utils (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../03-gpg-wks-server_2.2.20-1_amd64.deb ... Unpacking gpg-wks-server (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../04-gpg-agent_2.2.20-1_amd64.deb ... Unpacking gpg-agent (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../05-gpg_2.2.20-1_amd64.deb ... Unpacking gpg (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../06-gpgconf_2.2.20-1_amd64.deb ... Unpacking gpgconf (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../07-gnupg-l10n_2.2.20-1_all.deb ... Unpacking gnupg-l10n (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../08-gnupg_2.2.20-1_all.deb ... Unpacking gnupg (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../09-gpgsm_2.2.20-1_amd64.deb ... Unpacking gpgsm (2.2.20-1) over (2.2.12-1+deb10u1) ... Preparing to unpack .../10-gpgv_2.2.20-1_amd64.deb ... Unpacking gpgv (2.2.20-1) over (2.2.12-1+deb10u1) ... Setting up gpgv (2.2.20-1) ... Selecting previously unselected package libbrotli1:amd64. (Reading database ... 85881 files and directories currently installed.) Preparing to unpack .../libbrotli1_1.0.7-6.1_amd64.deb ... Unpacking libbrotli1:amd64 (1.0.7-6.1) ... Preparing to unpack .../curl_7.68.0-1_amd64.deb ... Unpacking curl (7.68.0-1) over (7.64.0-4+deb10u1) ... Preparing to unpack .../libcurl4_7.68.0-1_amd64.deb ... Unpacking libcurl4:amd64 (7.68.0-1) over (7.64.0-4+deb10u1) ... Setting up libbrotli1:amd64 (1.0.7-6.1) ... Setting up gnupg-l10n (2.2.20-1) ... Setting up gpgconf (2.2.20-1) ... Setting up libcurl4:amd64 (7.68.0-1) ... Setting up curl (7.68.0-1) ... Setting up gpg (2.2.20-1) ... Setting up gnupg-utils (2.2.20-1) ... Setting up gpg-agent (2.2.20-1) ... Installing new version of config file /etc/logcheck/ignore.d.server/gpg-agent ... Setting up gpgsm (2.2.20-1) ... Setting up dirmngr (2.2.20-1) ... Setting up gpg-wks-server (2.2.20-1) ... Setting up gpg-wks-client (2.2.20-1) ... Setting up gnupg (2.2.20-1) ... Processing triggers for libc-bin (2.30-8) ... $ curl -qsL https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux -o /usr/local/bin/sops $ chmod +x /usr/local/bin/sops $ cat $KEY | gpg --batch --import gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key FFEFFE9451381735: public key "continuous-integration &lt;ci@domain.fr&gt;" imported gpg: key FFEFFE9451381735: secret key imported gpg: Total number processed: 1 gpg: imported: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1 $ echo $PASSPHRASE | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp) $ sops -d int.encrypted.env &gt; int.env $ cat int.env secret=5Tz2QNxki789YFDa Running after_script 00:01 Saving cache 00:02 Uploading artifacts for successful job 00:01 Job succeeded </code></pre> </div> <p>Like we see here (and in the <a href="https://gitlab.com/davinkevin/sops-blog-post-repository/-/jobs/584226660" rel="noopener noreferrer">GitLab job view</a>), every time the pipeline is triggered, it will re-install every software, from <code>gpg</code> to <code>sops</code>, which can be time-consuming and source of error. </p> <h2> 🦊 GitLab CI Optimization </h2> <p><code>Devon</code> will create another project just for <code>CI</code> tooling image, and he will prepare the image of the CI to be able to have <code>gpg</code> and <code>sops</code> installed. Here is for example, the <code>Dockerfile</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">tutum/curl</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">downloader</span> <span class="k">RUN </span>curl <span class="nt">-qsL</span> https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux <span class="nt">-o</span> /opt/sops <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chmod</span> +x /opt/sops <span class="k">FROM</span><span class="w"> </span><span class="s">google/cloud-sdk</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">final</span> <span class="k">COPY</span><span class="s"> --from=downloader /opt/sops /usr/local/bin/sops</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> gnupg <span class="nt">--no-install-recommends</span> </code></pre> </div> <p>Then, he will activate a schedule to build this image every day and publish it in their own docker registry. Thanks to this, he can improve the previous <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy int</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops</span> <span class="c1"># Image created by the previous Dockerfile 🐳</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cat $KEY | gpg --batch --import</span> <span class="pi">-</span> <span class="s">echo $PASSPHRASE | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp)</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sops -d int.encrypted.env &gt; int.env</span> <span class="pi">-</span> <span class="s">cat int.env</span> </code></pre> </div> <p>You can see, the job execution is much straightforward now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Running with gitlab-runner 13.0.0 (c127439c) on docker-auto-scale ed2dce3a Preparing the "docker+machine" executor Using Docker executor with image registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops ... Authenticating with credentials from job payload (GitLab Registry) Pulling docker image registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops ... Using docker image sha256:ec7e941ae9f66656c9c0b7b4ce61b229eeb215492c65ebfe21c69026aa166013 for registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops ... Preparing environment 00:05 Running on runner-ed2dce3a-project-19225532-concurrent-0 via runner-ed2dce3a-srm-1591446538-6f33846d... Getting source from Git repository 00:03 $ eval "$CI_PRE_CLONE_SCRIPT" Fetching changes with git depth set to 50... Initialized empty Git repository in /builds/davinkevin/sops-blog-post-repository/.git/ Created fresh repository. From https://gitlab.com/davinkevin/sops-blog-post-repository * [new ref] refs/pipelines/153552640 -&gt; refs/pipelines/153552640 * [new branch] master -&gt; origin/master Checking out 625b7479 as master... Skipping Git submodules setup Restoring cache 00:01 Downloading artifacts 00:02 Running before_script and script 00:04 Authenticating with credentials from job payload (GitLab Registry) $ cat $KEY | gpg --batch --import gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key FFEFFE9451381735: public key "continuous-integration &lt;ci@domain.fr&gt;" imported gpg: key FFEFFE9451381735: secret key imported gpg: Total number processed: 1 gpg: imported: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1 $ echo $PASSPHRASE | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp) $ sops -d int.encrypted.env &gt; int.env $ cat int.env secret=5Tz2QNxki789YFDa Running after_script 00:02 Saving cache 00:01 Uploading artifacts for successful job 00:02 Job succeeded </code></pre> </div> <p><strong>NOTE</strong>: You can use this method with any docker registry, not only the one from GitLab 🦊.</p> <p>Of course, the <code>before_script</code> should be copy/paste for every job requiring access to secrets. <code>Devon</code> will refactor this to optimize the <code>Don't Repeat Yourself</code> aspect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">.auth</span><span class="pi">:</span> <span class="nl">&amp;auth</span> <span class="pi">|</span> <span class="c1"># &lt;1&gt;</span> <span class="s">function gpg_auth() {</span> <span class="s">cat $KEY | gpg --batch --import &gt; /dev/null</span> <span class="s">echo $PASSPHRASE | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s $(mktemp) &gt; /dev/null</span> <span class="s">}</span> <span class="s">gpg_auth</span> <span class="na">deploy alice</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="nv">*auth</span> <span class="c1"># &lt;2&gt;</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sops -d dev_a.encrypted.env &gt; dev_a.env</span> <span class="pi">-</span> <span class="s">cat dev_a.env</span> <span class="na">deploy int</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.gitlab.com/davinkevin/sops-blog-post-repository/gcloud-sops</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="nv">*auth</span> <span class="c1"># &lt;3&gt;</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sops -d int.encrypted.env &gt; int.env</span> <span class="pi">-</span> <span class="s">cat int.env</span> </code></pre> </div> <ol> <li>A <code>YAML</code> anchor used to set a custom shell function and calling it right away.</li> <li>Usage of the anchor as a <code>before_script</code> step in the job.</li> <li>Re-use of the <code>auth</code> anchor in another job.</li> </ol> <p>You can see <a href="https://gitlab.com/davinkevin/sops-blog-post-repository/-/jobs/584245508" rel="noopener noreferrer"><code>deploy alice</code></a> and <a href="https://gitlab.com/davinkevin/sops-blog-post-repository/-/jobs/584245509" rel="noopener noreferrer"><code>deploy int</code></a> logs in the GitLab UI.</p> <p>Of course, this is just an extract of the real <code>.gitlab-ci.yaml</code>, which includes linting, test, build &amp; cie 👍. </p> <h2> Conclusion </h2> <p>Here, we learn how to configure our CI identity and configure the GitLab CI 🦊 to be able to decrypt secrets. We also see how to optimize it in a GitLab environment leveraging usage of home made docker image. </p> <p>You can find the source code of this article, files and scripts in this <a href="https://gitlab.com/davinkevin/sops-blog-post" rel="noopener noreferrer">GitLab repository</a>. The CI is triggered in <a href="https://gitlab.com/davinkevin/sops-blog-post-repository" rel="noopener noreferrer">this GitLab repository</a> </p> git sops devops ci Kevin Davin Thu, 04 Jun 2020 05:56:02 +0000 https://dev.to/stack-labs/kustomize-the-right-way-to-do-templating-in-kubernetes-3ohp https://dev.to/stack-labs/kustomize-the-right-way-to-do-templating-in-kubernetes-3ohp <p><strong>Note</strong>: this article was originally published on <a href="https://blog.stack-labs.com/code/kustomize-101/" rel="noopener noreferrer">Stack Labs blog</a>.</p> <p>We always need to customize our deployment with Kubernetes and, I don't know why but the main tool around for now is HELM which throws away all the logic we learn on docker and Kubernetes. <br> Here I will introduce to you an alternative called <strong>Kustomize</strong> ❤️</p> <p><a href="https://github.com/kubernetes-sigs/kustomize" rel="noopener noreferrer">Kustomize</a> isn't a new tool, it is under construction since 2017 and has been introduced as a native <code>kubectl</code> sub-command in the version <code>1.14</code>. Yeah, you've heard correctly, this is now embedded directly inside the tool you use everyday... so you will be able to throw that <code>helm</code> command away 😉. </p> <h2> Philosophy </h2> <p>Kustomize tries to follow the philosophy you are using in your everyday job when using Git as VCS, creating Docker images or declaring your resources inside Kubernetes.</p> <p>So, first of all, Kustomize is like Kubernetes, it is totally <strong>declarative</strong> ! <br> You say what you want and the system provides it to you. You don't have to follow the <strong>imperative</strong> way and describe how you want it to build the thing.</p> <p>Secondly, it works like Docker. You have many layers and each of those is modifying the previous ones. <br> Thanks to that, you can constantly write things above others without adding complexity inside your configuration. <br> The result of the build will be the addition of the base and the different layers you applied over it.</p> <p>Lastly, like Git, you can use a remote base as the start of your work and add some customization on it. </p> <h2> Installation </h2> <p>Of course, for 🍎 Mac users, you can use <code>brew</code> to install it :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>brew <span class="nb">install </span>kustomize </code></pre> </div> <p>If you are on another operating system, you can directly download the binary from the <a href="https://github.com/Kubernetes-sigs/kustomize/blob/master/docs/INSTALL.md" rel="noopener noreferrer">release page</a> and add it to your path.</p> <p>For the others, you also can build it from source, why not 😅.</p> <h2> Your base </h2> <p>To start with Kustomize, you need to have your original yaml files describing any resources you want to deploy into your cluster. <br> Those files will be stored for this example in the folder <code>./k8s/base/</code>.</p> <p>Those files will NEVER (EVER) be touched, we will just apply customization above them to create new resources definitions </p> <blockquote> <p><strong>Note</strong>: You can build base templates (e.g. for dev environment) at any point in time using the command kubectl apply -f ./k8s/base/.</p> </blockquote> <p>In this example, we will work with a <code>service</code> and a <code>deployment</code> resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>We wil add a new file inside this folder, named <code>kustomization.yaml</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - service.yaml - deployment.yaml </code></pre> </div> <p>This file will be the central point of your base and it describes the resources you use. <br> Those resources are the path to the files relatively to the current file. </p> <blockquote> <p><strong>Note</strong>: This <code>kustomization.yaml</code> file could lead to errors when running <code>kubectl apply -f ./k8s/base/</code>, you can either run it with the parameter <code>--validate=false</code> or simply not running the command against the whole folder</p> </blockquote> <p>To apply your base template to your cluster, you just have to execute the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl apply -k k8s/base </code></pre> </div> <p>To see what will be applied in your cluster, we will mainly use in this article the command <code>kustomize build</code> instead of <code>kubectl apply -k</code>.</p> <p>The result of <code>kustomize build k8s/base</code> command will be the following, which is for now only the two files previously seen, concatenated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <h2> <strong>K</strong>ustomization </h2> <p>Now, we want to kustomize our app for a specific case, for example, for our <code>prod</code> environement. <br> In each step, we will see how to enhance our base with some modification. </p> <p>The main goal of this article is not to cover the whole set of functionnalities of Kustomize but to be a standard example to show you the phiplosophy behind this tool.</p> <p>First of all, we will create the folder <code>k8s/overlays/prod</code> with a <code>kustomization.yaml</code> inside it. </p> <p>The <code>k8s/overlays/prod/kustomization.yaml</code> has the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">bases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> </code></pre> </div> <p>If we build it, we will see the same result as before when building the base.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kustomize build k8s/overlays/prod </code></pre> </div> <p>This will output the following <code>yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>We are now ready to apply kustomization for our <code>prod</code> env</p> <h3> Define Env variables for our deployment </h3> <p>In our <code>base</code>, we didn't define any env variable. We will now add those <code>env</code> variables above our base.<br> To do so, it's very simple, we just have to create the chunk of yaml we would like to apply above our base and referece it inside the <code>kustomization.yaml</code>.</p> <p>This file <code>custom-env.yaml</code> containing env variables will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="c1"># (1)</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CUSTOM_ENV_VARIABLE</span> <span class="na">value</span><span class="pi">:</span> <span class="s">Value defined by Kustomize ❤️</span> </code></pre> </div> <blockquote> <p><strong>Note</strong>: The <code>name</code> <strong>(1)</strong> key here is very important and allow Kustomize to find the right container which need to be modified.</p> </blockquote> <p>You can see this <code>yaml</code> file isn't valid by itself but it describes only the addition we would like to do on our previous base.</p> <p>We just have to add this file to a specific entry in the <code>k8s/overlays/prod/kustomization.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">bases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">custom-env.yaml</span> </code></pre> </div> <p>If we build this one, we will have the following result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kustomize build k8s/overlays/prod </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CUSTOM_ENV_VARIABLE</span> <span class="c1"># (1)</span> <span class="na">value</span><span class="pi">:</span> <span class="s">Value defined by Kustomize ❤️</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>You can see our <code>env</code> block has been applied above our base and now the <code>CUSTOM_ENV_VARIABLE</code> (1) will be defined inside our deployment.yaml.</p> <h3> Change the number of replica </h3> <p>Like in our previous example, we will extend our base to define variables not already defined</p> <blockquote> <p><strong>Note</strong>: You can also override some variables already present in your base files.</p> </blockquote> <p>Here, we would like to add information about the number of replica. Like before, a chunk or <code>yaml</code> with just the extra info needed for defining replica will be enought:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> </code></pre> </div> <p>And like before, we add it to the list of <code>patchesStrategicMerge</code> in the <code>kustomization.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">bases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">custom-env.yaml</span> <span class="pi">-</span> <span class="s">replica-and-rollout-strategy.yaml</span> </code></pre> </div> <p>The result of the command <code>kustomize build k8s/overlays/prod</code> give us the following result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CUSTOM_ENV_VARIABLE</span> <span class="na">value</span><span class="pi">:</span> <span class="s">Value defined by Kustomize ❤️</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>And you can see the replica number and rollingUpdate strategy have been applied above our base.</p> <h3> Use a secret define through command line </h3> <p>One of the things we often do is to set some variables as secret from command-line. <br> In our case, we are doing this directly from our Gitlab-CI on <a href="https://gitlab.com" rel="noopener noreferrer">Gitlab.com</a>.</p> <p>But you can do this from anywhere else, the main purpose here is to define Kubernetes Secret without putting them inside Git 😱.</p> <p>To do so, <code>kustomize</code> has a sub-command to edit a <code>kustomization.yaml</code> and create a secret for you. You just have to use it in your deployment like if it already exists.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cd </span>k8s/overlays/prod <span class="nv">$ </span>kustomize edit add secret sl-demo-app <span class="nt">--from-literal</span><span class="o">=</span>db-password<span class="o">=</span>12345 </code></pre> </div> <p>These commands will modify your <code>kustomization.yaml</code> and add a <code>SecretGenerator</code> inside it.</p> <blockquote> <p><strong>Note</strong>: You can also use secret comming from properties file (with <code>--from-file=file/path</code>) or from env file (with <code>--from-env-file=env/path.env</code>)<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">bases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">custom-env.yaml</span> <span class="pi">-</span> <span class="s">replica-and-rollout-strategy.yaml</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db-password=12345</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> </code></pre> </div> <p>If you run the <code>kustomize build k8s/overlays/prod</code> from the root folder of the example project, you will have the following output<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">db-password</span><span class="pi">:</span> <span class="s">MTIzNDU=</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app-6ft88t2625</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CUSTOM_ENV_VARIABLE</span> <span class="na">value</span><span class="pi">:</span> <span class="s">Value defined by Kustomize ❤️</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <blockquote> <p><strong>Note</strong>: The secret name is <code>sl-demo-app-6ft88t2625</code> instead of <code>sl-demo-app</code>, it's normal and this is made to trigger a rolling update of the deployment if secrets content is changed.</p> </blockquote> <p>If we want to use this secret from our deployment, we just have, like before, to add a new layer definition which uses the secret.</p> <p>For example, this file will mount the <code>db-password</code> value as environement variables<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">DB_PASSWORD"</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">key</span><span class="pi">:</span> <span class="s">db.password</span> </code></pre> </div> <p>And, like before, we add this to the <code>k8s/overlays/prod/kustomization.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">bases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">custom-env.yaml</span> <span class="pi">-</span> <span class="s">replica-and-rollout-strategy.yaml</span> <span class="pi">-</span> <span class="s">database-secret.yaml</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db-password=12345</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> </code></pre> </div> <p>If we build the whole <code>prod</code> files, we now have<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">db-password</span><span class="pi">:</span> <span class="s">MTIzNDU=</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app-6ft88t2625</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">db.password</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app-6ft88t2625</span> <span class="c1"># (1)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CUSTOM_ENV_VARIABLE</span> <span class="na">value</span><span class="pi">:</span> <span class="s">Value defined by Kustomize ❤️</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>You can see the <code>secretKeyRef.name</code> used is automatically modified to follow the name defined by Kustomize (1)</p> <blockquote> <p><strong>Note</strong>: Don't forget, the command to put the secret inside the <code>kustomization.yaml</code> file should be made only from safe env and should not be commited.</p> </blockquote> <p>The same logic exists with ConfigMap with hash at the end to allow redeployement of your app if ConfigMap changes. </p> <h3> Change the image of a deployment </h3> <p>Like for secret, there is a custom directive to allow changing of image or tag directly from the command line. <br> This is very useful if you need to deploy the image previously tagged by your continuous build system.</p> <p>To do that, you can use the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cd </span>k8s/overlays/prod <span class="nv">$ TAG_VERSION</span><span class="o">=</span>3.4.5 <span class="c"># (1)</span> <span class="nv">$ </span>kustomize edit add secret sl-demo-app <span class="nt">--from-literal</span><span class="o">=</span>db-password<span class="o">=</span>12345 <span class="c"># To create my required secret</span> <span class="nv">$ </span>kustomize edit <span class="nb">set </span>image foo/bar<span class="o">=</span>foo/bar:<span class="nv">$TAG_VERSION</span> </code></pre> </div> <blockquote> <p><strong>Note</strong>: the <code>TAG_VERSION</code> here is usualy defined by your CI/CD system</p> </blockquote> <p>The <code>k8s/overlays/prod/kustomization.yaml</code> will be modified with those values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kustomize.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Kustomization</span> <span class="na">bases</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">custom-env.yaml</span> <span class="pi">-</span> <span class="s">replica-and-rollout-strategy.yaml</span> <span class="pi">-</span> <span class="s">database-secret.yaml</span> <span class="na">secretGenerator</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">literals</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db-password=12345</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">foo/bar</span> <span class="na">newName</span><span class="pi">:</span> <span class="s">foo/bar</span> <span class="na">newTag</span><span class="pi">:</span> <span class="s">3.4.5</span> </code></pre> </div> <p>And if we build it, with the <code>kustomize build k8s/overlays/prod/</code> we have the following result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">db-password</span><span class="pi">:</span> <span class="s">MTIzNDU=</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app-6ft88t2625</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">sl-demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">db.password</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sl-demo-app-6ft88t2625</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CUSTOM_ENV_VARIABLE</span> <span class="na">value</span><span class="pi">:</span> <span class="s">Value defined by Kustomize ❤️</span> <span class="na">image</span><span class="pi">:</span> <span class="s">foo/bar:3.4.5</span> <span class="c1"># (1)</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> </code></pre> </div> <p>You see the first <code>container.image</code> of the deployment have been modified to be run with the version <code>3.4.5</code> (1).</p> <h3> Conclusion </h3> <p>We see in these examples how we can leverage the power of Kustomize to define your Kubernetes files without even using a templating system. <br> All the modification files you made will be applied above the original files without altering it with curly braces and imperative modification.</p> <p>There is a lot of advanced topic in Kustomize, like the mixins and inheritance logic or other directive allowing to define a name, label or namespace to every created object... <br> You can follow the <a href="https://github.com/kubernetes-sigs/kustomize" rel="noopener noreferrer">official Kustomize github repository</a> to see advanced examples and documentation. </p> <p>Note: You can find all code from this article in this <a href="https://gitlab.com/davinkevin/kustomize-blog-demo" rel="noopener noreferrer">Gitlab project</a>.</p> kubernetes devops cloud yaml Kevin Davin Sat, 30 May 2020 14:27:23 +0000 https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g <p>We saw in the previous article <a href="https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-g0a">how to use SOPS</a> to store our secrets in Git. Here, we will see some common operations required when you are using SOPS.</p> <h2> Edit a secret </h2> <p><code>Alice</code> would like to change the value in <code>dev_a</code> secret. To do so, she can use the <code>sops dev_a.encrypted.env</code> command to open the <code>$EDITOR</code> and allow in-place changes. </p> <div class="ltag_asciinema"> </div> <p>After the edition, the secret is encrypted back, and she can commit the file in Git. </p> <h2> Add secret access to someone else </h2> <p><code>Alice</code> would like to let <code>Bobby</code> read the <code>dev_a</code> secret. To do that, she will use <code>sops --rotate --in-place --add-pgp &lt;bobby-key-id&gt; dev_a.encrypted.env</code> command.</p> <div class="ltag_asciinema"> </div> <p>After this modification, <code>Bobby</code> can fetch modifications. He is now able to read (and modify) the secret.</p> <h2> Remove secret access to someone else </h2> <p><code>Alice</code> now wants to remove <code>Bobby</code> access to <code>dev_a</code> secret. She is able to do this by using the <code>sops --rotate --in-place --rm-pgp &lt;bobby-key-id&gt; dev_a.encrypted.env</code>. </p> <div class="ltag_asciinema"> </div> <p>After this, <code>Bobby</code> is unable to decrypt the secret anymore.</p> <h2> Configure automatic key selection </h2> <p>Like we saw before, <code>sops</code> commands often requires references to <code>key-id</code> of people concerned by the modification... and this is error prone and hard to manage if you share access with a lot of people. </p> <p>To simplify this, the team can create a file, named <code>.sops.yaml</code> and placed it in the root of our Git repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">creation_rules</span><span class="pi">:</span> <span class="c1"># Specific to `dev_a` env</span> <span class="pi">-</span> <span class="na">path_regex</span><span class="pi">:</span> <span class="s">dev_a\.encrypted\.env$</span> <span class="c1"># Here, only the `Alice` key-id</span> <span class="na">pgp</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">5844C613B763F4374BAB2D2FC735658AB38BF93A</span> <span class="c1"># Specific to `int` env</span> <span class="pi">-</span> <span class="na">path_regex</span><span class="pi">:</span> <span class="s">int\.encrypted\.env$</span> <span class="c1"># Here, we have :</span> <span class="c1"># * `Alice` key-id: 5844C613B763F4374BAB2D2FC735658AB38BF93A</span> <span class="c1"># * `Bobby` key-id: AE0D6FD0242FF896BE1E376B62E1E77388753B8E</span> <span class="c1"># * `Devon` key-id: 57E6DA39E907744429FB07871141FE9F63986243</span> <span class="na">pgp</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">5844C613B763F4374BAB2D2FC735658AB38BF93A,</span> <span class="s">AE0D6FD0242FF896BE1E376B62E1E77388753B8E,</span> <span class="s">57E6DA39E907744429FB07871141FE9F63986243</span> <span class="c1"># Specific for new env `dev_a_and_b`</span> <span class="pi">-</span> <span class="na">path_regex</span><span class="pi">:</span> <span class="s">dev_a_and_b\.encrypted.env$</span> <span class="c1"># Here, we have only `Alice` and `Bobby` :</span> <span class="c1"># * `Alice` key-id: 5844C613B763F4374BAB2D2FC735658AB38BF93A</span> <span class="c1"># * `Bobby` key-id: AE0D6FD0242FF896BE1E376B62E1E77388753B8E</span> <span class="na">pgp</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">5844C613B763F4374BAB2D2FC735658AB38BF93A,</span> <span class="s">AE0D6FD0242FF896BE1E376B62E1E77388753B8E</span> </code></pre> </div> <p>Here, <code>Bobby</code> will create a new secret for <code>dev_a_and_b</code> env just with the command <code>sops dev_a_and_b.encrypted.env</code>. No more <code>--pgp &lt;key-id&gt;</code>, <code>sops</code> automatically selects the closest <code>.sops.yaml</code> file from the <code>CWD</code> (see <a href="https://github.com/mozilla/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files" rel="noopener noreferrer">this</a>).</p> <div class="ltag_asciinema"> </div> <p>Keys are selected by matching a <code>regex</code> againt the path of the file, so possibilities are wide and this is simpler than using parameters in command line ! </p> <h2> Add or Remove access with <code>.sops.yaml</code> </h2> <p>If a <code>.sops.yaml</code> file is used, <code>Alice</code> can simplify the <code>add-pgp</code> or <code>rm-pgp</code> command previously seen. She just need to change the <code>.sops.yaml</code> and use the command <code>sops updatekeys dev_a.encrypted.env</code> to update who can decrypt the file.</p> <div class="ltag_asciinema"> </div> <h2> Conclusion </h2> <p>Those are the most common operations required to use <code>sops</code> in your project. This is simple and still helps you to keep your secrets in sync with your code !</p> <p>You can find the source code of this article, files, and scripts in this <a href="https://gitlab.com/davinkevin/sops-blog-post" rel="noopener noreferrer">GitLab repository</a>.</p> git sops security devops Kevin Davin Sat, 23 May 2020 10:35:16 +0000 https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-g0a https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-g0a <p>We use Git for everything now, from code source to organization, history, and even for Kubernetes Cluster Management (aka GitOps). </p> <p>But, there is still something not widely adopted... managing our secrets in Git. Some tools like <a href="https://www.vaultproject.io/" rel="noopener noreferrer">HashiCorp Vault</a>, <a href="https://cloud.google.com/solutions/secrets-management" rel="noopener noreferrer">Google Secret Management</a>, or <a href="https://aws.amazon.com/fr/secrets-manager/" rel="noopener noreferrer">AWS Secret Manager</a> provide us a solution to manage our secrets in a dedicated system, but they are still not in sync with our source code.</p> <p>We will see here, thanks to <a href="https://github.com/mozilla/sops" rel="noopener noreferrer">Mozilla SOPS</a> how to integrate our secrets management directly in Git. </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/getsops" rel="noopener noreferrer"> getsops </a> / <a href="https://github.com/getsops/sops" rel="noopener noreferrer"> sops </a> </h2> <h3> Simple and flexible tool for managing secrets </h3> </div> <div class="ltag-github-body"> <div id="readme" class="rst"> <div class="markdown-heading"> <h1 class="heading-element">SOPS: Secrets OPerationS</h1> </div> <p><strong>SOPS</strong> is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP (<a href="https://www.youtube.com/watch?v=YTEVyLXFiq0" rel="nofollow noopener noreferrer">demo</a>)</p> <p><a rel="noopener noreferrer nofollow" href="https://camo.githubusercontent.com/1ea5f0bb71c611d225ac52c8a003530292add9989abaf48894abbade6348c139/68747470733a2f2f692e696d6775722e636f6d2f5830544d354e492e676966"><img alt="https://i.imgur.com/X0TM5NI.gif" src="https://camo.githubusercontent.com/1ea5f0bb71c611d225ac52c8a003530292add9989abaf48894abbade6348c139/68747470733a2f2f692e696d6775722e636f6d2f5830544d354e492e676966"></a></p> <a href="https://pkg.go.dev/github.com/getsops/sops/v3" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/2e45ef5eb16abb1b72b56b9b3731554aca5d70368eccd57e8fc24fb5c0b9d054/68747470733a2f2f706b672e676f2e6465762f62616467652f6769746875622e636f6d2f676574736f70732f736f70732f76332e737667"> </a> <div class="markdown-heading"> <h2 class="heading-element"><a href="https://github.com/getsops/sops#id2" rel="noopener noreferrer">1   Download</a></h2> </div> <div class="markdown-heading"> <h3 class="heading-element"><a href="https://github.com/getsops/sops#id3" rel="noopener noreferrer">1.1   Stable release</a></h3> </div> <p>Binaries and packages of the latest stable release are available at <a href="https://github.com/getsops/sops/releases" rel="noopener noreferrer">https://github.com/getsops/sops/releases</a>.</p> <div class="markdown-heading"> <h3 class="heading-element"><a href="https://github.com/getsops/sops#id4" rel="noopener noreferrer">1.2   Development branch</a></h3> </div> <p>For the adventurous, unstable features are available in the main branch, which you can install from source:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>$ mkdir -p <span class="pl-smi">$GOPATH</span>/src/github.com/getsops/sops/ $ git clone https://github.com/getsops/sops.git <span class="pl-smi">$GOPATH</span>/src/github.com/getsops/sops/ $ <span class="pl-c1">cd</span> <span class="pl-smi">$GOPATH</span>/src/github.com/getsops/sops/ $ make install</pre> </div> <p>(requires Go &gt;= 1.19)</p> <p>If you don't have Go installed, set it up with:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>$ {apt,yum,brew} install golang $ <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">'</span>export GOPATH=~/go<span class="pl-pds">'</span></span> <span class="pl-k">&gt;&gt;</span> <span class="pl-k">~</span>/.bashrc $ <span class="pl-c1">source</span> <span class="pl-k">~</span>/.bashrc $ mkdir <span class="pl-smi">$GOPATH</span></pre> </div> <p>Or whatever variation of the above fits your system and shell.</p> <p>To use <strong>SOPS</strong> as a library, take a look at the <a href="https://pkg.go.dev/github.com/getsops/sops/v3/decrypt" rel="nofollow noopener noreferrer">decrypt package</a>.</p> <div id="user-content-table-of-contents"><p>…</p></div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/getsops/sops" rel="noopener noreferrer">View on GitHub</a></div> </div> <p><strong>DISCLAIMER</strong>: I've previously written <a href="https://blog.stack-labs.com/code/keep-your-kubernetes-secrets-in-git-with-kubesec/" rel="noopener noreferrer">an article</a> on the same subject about a project named <code>kubesec</code> specialized in Kubernetes Secret. The project seems to be stopped and <a href="https://github.com/mozilla/sops" rel="noopener noreferrer">Mozilla SOPS</a> is a better alternative right now, because it can manage every kind of secrets, not only Kubernetes ones. </p> <h2> Sops Installation </h2> <p>Sops is very simple to install, like every <code>golang</code> application, you just have to download the binary for your specific Operating System (Linux, Mac, Windows) directly from the <a href="https://github.com/mozilla/sops/releases" rel="noopener noreferrer">release page</a> on GitHub.</p> <p>By the way, you can install it thanks to <code>brew</code> on Mac &amp; Linux (<a href="https://formulae.brew.sh/formula/sops" rel="noopener noreferrer">sops formuale</a>).</p> <h2> Use case </h2> <p>What we will try to achieve is to store secrets in Git but with restrictions on "who can access what". </p> <p>For example, we have 4 environments, <code>dev_a</code>, <code>dev_b</code>, <code>int</code>, and <code>prod</code> and 3 team members, <code>Alice</code>, <code>Bobby</code>, and <code>Devon</code>. </p> <p>We want to restrict secrets access with the following requirements: </p> <ul> <li> <code>dev_a</code> secrets should be only accessible by <code>Alice</code>.</li> <li> <code>dev_b</code> secrets should be only accessible by <code>Bobby</code>.</li> <li> <code>int</code> secrets should be accessible by <code>Alice</code>, <code>Bobby</code>, and <code>Devon</code>.</li> <li> <code>prod</code> secrets should be accessible only by <code>Devon</code>.</li> </ul> <p>Each of them already has configured their GPG key pairs. If you need to set them up, you can follow the <a href="https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/#generating-a-gpg-key" rel="noopener noreferrer">official GitLab documentation 🦊</a> about this.</p> <p>In this example, secrets are just plain old <code>env</code> files.</p> <h2> <code>dev_a</code> configuration </h2> <p>Alice will generate a file containing a secret: </p> <div class="ltag_asciinema"> </div> <p>Thanks to the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sops -pgp 5844C613B763F4374BAB2D2FC735658AB38BF93A -e dev_a.env &gt; dev_a.encrypted.env </code></pre> </div> <p><code>Alice</code> has encrypted the file <code>dev_a.env</code> and stored the result in <code>dev_a.encrypted.env</code>. She is the only one able to decrypt it. </p> <p>Let's see, if we run this as <code>Bobby</code>: </p> <div class="ltag_asciinema"> </div> <p><code>dev_b</code> and <code>prod</code> configurations are similar to the one created by <code>Alice</code>. Then, <code>Bobby</code> and <code>Devon</code> will respectively create <code>dev_b</code> and <code>prod</code>. </p> <h2> <code>int</code> configuration </h2> <p>In this configuration, we would like every developers to be able to read this file. But, only developers from the project and not everyone with access to the git repository... so we still have to encrypt this file. </p> <p>To do so, <code>Devon</code> will execute the following commands: </p> <div class="ltag_asciinema"> </div> <p><code>Devon</code> has to create the secret with the command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sops <span class="nt">--pgp</span> 57E6DA39E907744429FB07871141FE9F63986243,<span class="se">\</span> 5844C613B763F4374BAB2D2FC735658AB38BF93A,<span class="se">\</span> AE0D6FD0242FF896BE1E376B62E1E77388753B8E <span class="se">\</span> <span class="nt">-e</span> int.env <span class="o">&gt;</span> int.encrypted.env<span class="sb">`</span> </code></pre> </div> <p>This command contains every public key ids, comma sparated. </p> <p>We can check that both <code>Alice</code> and <code>Bobby</code> can decrypt the <code>int.encrypted.env</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>alice <span class="nv">$ </span>sops <span class="nt">-d</span> int.encrypted.env <span class="nv">secret</span><span class="o">=</span>5Tz2QNxki789YFDa </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bobby <span class="nv">$ </span>sops <span class="nt">-d</span> int.encrypted.env <span class="nv">secret</span><span class="o">=</span>5Tz2QNxki789YFDa </code></pre> </div> <p>All the <code>*.encrypted.env</code> files are now stored in <code>Git</code> and can be managed like any other resources, with history and diff in commits. Only those defined during encryption can read them edit them.</p> <p>You can find the source code of this article, files, and scripts in this <a href="https://gitlab.com/davinkevin/sops-blog-post" rel="noopener noreferrer">GitLab repository</a>.</p> <p>I hope this will help you to use <code>Git</code> &amp; <code>SOPS</code> to manage your secrets.</p> git sops security devops