You can easily protect access to all your Kubernetes clusters as Octelium Services and provide your client-less WORKLOAD Users, such as your Golang-based microservices and applications, with secret-less access without having to expose, manage and share kubeconfigs, mTLS client private keys or access tokens required to access such Kubernetes clusters. In this short guide, we're going to use the Golang SDK (read more here) to access a generic HTTP SaaS API that requires a bearer access token.
We first create a Secret that contains the kubeconfig file required to access the Kubernetes cluster (read more here) as follows:

```shell
octeliumctl create secret kubeconfig-k8s1 --file /PATH/TO/KUBECONFIG
```
Note that Octelium also supports secret-less access to Kubernetes clusters via access tokens and mTLS client certificates. You can read more here.
Now we create the KUBERNETES Service representing our Kubernetes cluster that needs to be protected as follows:

```yaml
kind: Service
metadata:
  name: k8s1
spec:
  mode: KUBERNETES
  config:
    upstream:
      url: https://k8s-cluster.example.com:6443
    kubernetes:
      kubeconfig:
        fromSecret: kubeconfig-k8s1
```
You can now apply the Service k8s1 as follows:

```shell
octeliumctl apply /PATH/TO/SERVICE.YAML
```
Now you have multiple options to access this Service from your applications, namely via OAuth2 client credentials, directly via bearer tokens, or via the Octelium Golang SDK. The first two options allow you to use standard OAuth2 client credentials and bearer tokens without having to use any special SDKs or being aware of the Octelium Cluster's existence at all. In this guide we're going to use the Kubernetes Golang SDK to access the Kubernetes cluster resources.
For example, you can create an OAuth2 client Credential as follows:

```shell
octeliumctl create cred --type oauth2 --user microservice1 cred02
```

```
Client ID: spxg-cdyx
Client Secret: AQpAN9OT1az6DQH69dNklhretPxlGjJ_qoXuwLMJfMNHwUiLsFGmixmU9klBjw2QLr1TNhgc9PzeL2bVYjeAYMnZDxI4CAMSEDfsj7P_gUROri5QfX1GW6saEKCiOwWyf0LDuE-9Fu8seI0iEPMGpIZKlUTknLzFO6uJH_8
```
Now you can use your Credential in your Golang application to obtain an access token and use it to actually access the Service via the k8s Golang SDK simply as follows:
```go
package main

import (
	"context"
	"fmt"

	"golang.org/x/oauth2/clientcredentials"
	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
)

func main() {
	if err := doMain(context.Background()); err != nil {
		panic(err)
	}
}

func doMain(ctx context.Context) error {
	// Your Cluster domain
	domain := "example.com"

	// Configuration for the client credentials flow
	config := clientcredentials.Config{
		ClientID:     "spxg-cdyx",
		ClientSecret: "AQpAN9OT1az6...",

		TokenURL: fmt.Sprintf("https://%s/oauth2/token", domain),
	}

	// Now we obtain an access token from our OAuth2 client credentials
	tkn, err := config.Token(ctx)
	if err != nil {
		return err
	}

	// Build a client-go clientset that targets the k8s1 Service and sends
	// the access token as a bearer token on every request
	k8sC, err := kubernetes.NewForConfig(&rest.Config{
		Host:        fmt.Sprintf("k8s1.%s", domain),
		BearerToken: tkn.AccessToken,
	})
	if err != nil {
		return err
	}

	// List Pods across all namespaces through the Service
	podList, err := k8sC.CoreV1().Pods("").List(ctx, v1.ListOptions{})
	if err != nil {
		return err
	}
	fmt.Printf("podList = %+v\n", podList)

	return nil
}
```
If you want to use access token Credentials instead of OAuth2 client Credentials, you can simply feed the token directly to the kubernetes.NewForConfig() function shown above.
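To make the two-step exchange behind the first program visible on the wire, here is an added example (not the guide's or Octelium's own code) that performs it with only the Go standard library against a constructed stand-in for both the Cluster's token endpoint and the k8s1 Service, so it runs offline. It assumes /oauth2/token behaves as a standard client credentials endpoint accepting client_id and client_secret in the form body and returning a JSON access_token; the credential values and the issued token are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// listPodsStatus spells out with the standard library what the guide's first
// program does: client credentials grant at the Cluster's /oauth2/token endpoint,
// then the pods request on the Service with the issued token as a bearer token.
func listPodsStatus(c *http.Client, clusterURL, serviceURL, id, secret string) (int, error) {
	resp, err := c.PostForm(clusterURL+"/oauth2/token", url.Values{
		"grant_type": {"client_credentials"}, "client_id": {id}, "client_secret": {secret},
	})
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tok) != nil || tok.AccessToken == "" {
		return 0, fmt.Errorf("token request rejected: HTTP %d", resp.StatusCode)
	}
	req, _ := http.NewRequest(http.MethodGet, serviceURL+"/api/v1/pods", nil)
	req.Header.Set("Authorization", "Bearer "+tok.AccessToken) // what client-go sends for BearerToken
	pods, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	pods.Body.Close()
	return pods.StatusCode, nil
}

// newFakeCluster is a constructed stand-in for the token endpoint and k8s1 Service:
// a token only for the registered client credentials, pods only for that bearer token.
func newFakeCluster(id, secret, issued string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/oauth2/token" && r.Method == http.MethodPost && r.FormValue("grant_type") == "client_credentials" &&
			r.FormValue("client_id") == id && r.FormValue("client_secret") == secret:
			json.NewEncoder(w).Encode(map[string]string{"access_token": issued, "token_type": "Bearer"})
		case r.URL.Path == "/api/v1/pods" && r.Header.Get("Authorization") == "Bearer "+issued:
			fmt.Fprint(w, `{"kind":"PodList","items":[]}`)
		default:
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
		}
	}))
}
```

A wrong client secret never yields a token, so the pods request is never made; a request without the issued bearer token is refused by the Service side with 401.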
We can also use the octelium-go package with an authentication token Credential (read more about creating authentication token Credentials here) and feed its HTTP client directly into the NewForConfigAndClient() function to create a Kubernetes client as follows:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/octelium/octelium/octelium-go"
	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
)

func main() {
	if err := doMain(context.Background()); err != nil {
		panic(err)
	}
}

func doMain(ctx context.Context) error {
	// Create an Octelium client authenticated with an authentication token
	// Credential read from the environment rather than hard-coded
	octeliumC, err := octelium.NewClient(ctx, &octelium.ClientConfig{
		Domain:              "example.com",
		AuthenticationToken: os.Getenv("AUTH_TOKEN"),
	})
	if err != nil {
		return err
	}

	defer octeliumC.Close()

	// The Octelium client's HTTP client handles authentication to the Service,
	// so the rest.Config only needs the Service host
	k8sC, err := kubernetes.NewForConfigAndClient(&rest.Config{
		Host: "k8s1.example.com",
	}, octeliumC.HTTP().Client())
	if err != nil {
		return err
	}

	// List Pods across all namespaces through the Service
	podList, err := k8sC.CoreV1().Pods("").List(ctx, v1.ListOptions{})
	if err != nil {
		return err
	}
	fmt.Printf("podList = %+v\n", podList)

	return nil
}
```
Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for Kubernetes here). You can read more about visibility here.