You can easily protect access to all your Kubernetes clusters as Octelium Services and provide your clientless WORKLOAD Users such as your Golang-based microservices and applications with secretless access without having to expose, manage and share Kubeconfigs, mTLS client private keys or access tokens required to access such Kubernetes clusters. In this short guide, we're going to use the Golang SDK (read more here) to access a generic HTTP SaaS API that requires a bearer access token.
We first create a Secret that contains the kubeconfig file required to access the Kubernetes cluster (read more here) as follows:
octeliumctl create secret kubeconfig-k8s1 --file /PATH/TO/KUBECONFIGNote that Octelium also supports secretless access to Kubernetes clusters via access tokens and mTLS client certificates. You can read more here.
Now we create the KUBERNETES Service representing our Kubernetes cluster that needs to be protected as follows:
kind: Service
metadata:
name: k8s1
spec:
mode: KUBERNETES
config:
upstream:
url: https://k8s-cluster.example.com:6443
kubernetes:
kubeconfig:
fromSecret: kubeconfig-k8s1You can now apply the Service k8s1 as follows:
octeliumctl apply /PATH/TO/SERVICE.YAMLNow you have multiple options to access this Service from your applications, namely via OAuth2 client credentials, directly via bearer tokens or via the Octelium Golang-SDK. Th first 2 options allow you to use standard OAuth2 client credentials and bearer tokens without having to use any special SDKs or being aware of the Octelium Cluster existence at all. In this guide we're going to use K8s Golang-SDK to access the Kubernetes cluster resources.
For example, you can create an OAuth2 client Credential as follows:
octeliumctl create cred --type oauth2 --user microservice1 cred02
Client ID: spxg-cdyx
CLient Secret: AQpAN9OT1az6DQH69dNklhretPxlGjJ_qoXuwLMJfMNHwUiLsFGmixmU9klBjw2QLr1TNhgc9PzeL2bVYjeAYMnZDxI4CAMSEDfsj7P_gUROri5QfX1GW6saEKCiOwWyf0LDuE-9Fu8seI0iEPMGpIZKlUTknLzFO6uJH_8Now you can use your Credential in your Golang application to obtain an access token and use it to actually access the Service via the k8s Golang SDK simply as follows:
package main
import (
"context"
"fmt"
"golang.org/x/oauth2/clientcredentials"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
)
func main() {
if err := doMain(context.Background()); err != nil {
panic(err)
}
}
func doMain(ctx context.Context) error {
// Your Cluster domain
domain := "example.com"
// Configuration for the client credentials flow
config := clientcredentials.Config{
ClientID: "spxg-cdyx",
ClientSecret: "AQpAN9OT1az6...",
TokenURL: fmt.Sprintf("https://%s/oauth2/token", domain),
}
// Now we obtain an access token from our OAuth2 client credentials
tkn, err := config.Token(ctx)
if err != nil {
return err
}
k8sC, err := kubernetes.NewForConfig(&rest.Config{
Host: fmt.Sprintf("k8s1.%s", domain),
BearerToken: tkn.AccessToken,
})
if err != nil {
return err
}
podList, err := k8sC.CoreV1().Pods("").List(ctx, v1.ListOptions{})
if err != nil {
return err
}
fmt.Printf("podList = %+v\n", podList)
return nil
}If you want to use access token Credentials instead of OAuth2 client Credentials, you can simply feed it directly to the kubernetes.NewForConfig() function shown above.
We can also use use the octelium-go package with an authentication token Credential (read more about creating authentication token Credentials here) and automatically feed its HTTP client into the NewForConfigAndClient() function to create a kubernetes client as follows:
package main
import (
"context"
"fmt"
"os"
"github.com/octelium/octelium/octelium-go"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
)
func main() {
if err := doMain(context.Background()); err != nil {
panic(err)
}
}
func doMain(ctx context.Context) error {
octeliumC, err := octelium.NewClient(ctx, &octelium.ClientConfig{
Domain: "example.com",
AuthenticationToken: os.Getenv("OCTELIUM_AUTH_TOKEN"),
})
if err != nil {
return err
}
defer octeliumC.Close()
k8sC, err := kubernetes.NewForConfigAndClient(&rest.Config{
Host: "k8s1.example.com",
}, octeliumC.HTTP().Client())
if err != nil {
return err
}
podList, err := k8sC.CoreV1().Pods("").List(ctx, v1.ListOptions{})
if err != nil {
return err
}
fmt.Printf("podList = %+v\n", podList)
return nil
}Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for Kubernetes here). You can read more about visibility here.