Just-in-time PostgreSQL access
Overview
This tutorial will deploy an example cluster to highlight Otterize's PostgreSQL capabilities. Within that cluster is a client service that hits an endpoint on a server, which then connects to a database. The server runs two different database operations:
- An
INSERT
operation to append a table within the database - A
SELECT
operation to validate the updates.
The server needs appropriate permissions to access the database. You could use one admin user for all services, which is insecure and is the cause for many security breaches. With Otterize, you can specify required access, and have Otterize create users and perform correctly scoped SQL GRANTs just in time, as the service spins up and down.
In this tutorial, we will:
- Deploy an example cluster
- Make our database accessible to Otterize Cloud
- Connect our cluster and database to Otterize Cloud
- Declare a ClientIntents resource for the server, specifying required access
- See that the required access has been granted
Prerequisites
1. Minikube Cluster
Prepare a Kubernetes cluster with Minikube
For this tutorial you'll need a local Kubernetes cluster. Having a cluster with a CNI that supports NetworkPolicies isn't required for this tutorial, but is recommended so that your cluster works with other tutorials.
If you don't have the Minikube CLI, first install it.
Then start your Minikube cluster with Calico, in order to enforce network policies.
minikube start --cpus=4 --memory 4096 --disk-size 32g --cni=calico
2. ngrok
We will be using it to create a proxy to connect our locally running database to Otterize Cloud, for the tutorial's purposes. Once you have a ngrok account, you’ll want to install it in your terminal using the instructions found here: ngrok install
Tutorial
Deploy tutorial services and request database credentials
This will set up the namespace we will use for our tutorial and deploy the client, server, and database.
Our server's Deployment spec will specify an annotation on the Pod, which requests that the credentials operator will provision a username and password for the server.
template:
metadata:
annotations:
credentials-operator.otterize.com/user-password-secret-name: server-creds
This specifies that the secret server-creds
will have keys with the username and password to connect to the database.
The secret will only be created once the database is integrated with Otterize Cloud.
kubectl create namespace otterize-tutorial-postgres
kubectl apply -n otterize-tutorial-postgres -f https://docs.otterize.com/code-examples/postgres/client-server-database.yaml
Make the database accessible to Otterize Cloud
We need to allow Otterize Cloud to access the database server so Otterize Cloud can configure on-demand credentials for our server’s access. This tutorial will expose our database port to our local environment and then proxy it to Otterize Cloud using ngrok. We will need both of these processes up and running during the rest of this tutorial.
In a new terminal window, run the following command to forward our database port from our cluster into your local environment:
kubectl port-forward svc/database 5432:5432 -n otterize-tutorial-postgres
Now that your database port is accessible to your local environment, we are using ngrok to make that available to Otterize Cloud. For production uses, this can be done through firewall configurations.
In a new terminal window, run:
ngrok tcp 5432
Once ngrok is running, make note of the Forwarding host and port. Will need this for our next step.
Integrate the database to Otterize Cloud
To add the database, we head over to the Integrations page
- Click Add Integration
- Select Integration Type: Database
- Provide a name for the integration: otterize-tutorial-postgres
- Leave the database type set to PostgreSQL
- Copy your Forwarding host and port from ngrok in the Address Field. This will look something like
0.tcp.us-cal-1.ngrok.io:14192
. Be sure to remove thetcp://
portion of the URL. - Username: otterize-tutorial, Password: jeffdog523
- Note this is a superuser, which allows Otterize to create unique credentials for each service. For production, it is recommended to create a privileged user for Otterize’s exclusive use. This user should have the necessary permissions to GRANT access to any databases and tables you want it to manage.
- Hit Test Connection, and you should see an “OK” status.
- Hit the Add button to complete the integration
Integrate the cluster to Otterize Cloud
Create a Kubernetes integration on the Integrations page, and follow the instructions.
In the second step, after providing an integration name and environment, choose:
- mTLS and Kafka Support: None
- Enforcement mode: Enabled.
- Copy and run the Helm upgrade command.
- You should see the Connection status change.
View logs for the server
After the client, server, and database are up and running, we can see that the server does not have the appropriate access to the database by inspecting the logs with the following command.
kubectl logs -f -n otterize-tutorial-postgres deploy/server
Example log:
Define your ClientIntents
ClientIntents are Otterize’s way of defining access through unique relationships, which lead to perfectly scoped access. In this example, we provide our server
service the ability to insert select records to allow it to access the database.
Below is our intents.yaml
file. As you can see, it is scoped to our database named otterize-tutorial
and our public.example
table. We also have limited the access to just SELECT
and INSERT
operations. We could add more databases, tables, or operations if our service required more access.
Specifying the table and operations is optional. If you don't specify the table, access will be granted to all tables in the specified database. If you don't specify the operations, all operations will be allowed.
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
name: client-intents-for-server
namespace: otterize-tutorial-postgres
spec:
service:
name: server
calls:
- name: otterize-tutorial-postgres # Same name as our integration
type: database
databaseResources:
- databaseName: otterize-tutorial
table: public.example
operations:
- SELECT
- INSERT
We can now apply our intents. Behind the scenes, Otterize Cloud runs CREATE USER
and GRANT
queries on the database, making our SELECT
and INSERT
errors disappear.
kubectl apply -f intents.yaml
Example log:
That’s it! If your service’s functionality changes, adding or removing access is as simple as updating your ClientIntents definitions. For fun, try altering the operations
to just SELECT
or INSERT
.
Teardown
To remove the deployed examples, run:
kubectl delete namespace otterize-tutorial-postgres
End the ngrok and port forwarding processes by closing the terminal windows or Ctrl-C the processes.