Kubernetes
Let's connect a nodejs app in one kubernetes cluster with a postgres database in another private kubernetes cluster.
Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “”
If everything runs as expected, you'll see the message: The example run was successful 🥳
We connected a nodejs app in one kubernetes cluster with a postgres database in another kubernetes cluster over an end-to-end encrypted portal.
Analysis Corp. does not get unfettered access to Bank Corp.’s cluster. It gets access only to run queries on the postgres server. Bank Corp. does not get unfettered access to Analysis Corp.’s cluster. It gets access only to respond to queries over a tcp connection. Bank Corp. cannot initiate connections.
To delete all containers and images:
This example requires Bash, Git, Curl,, and. Please set up these tools for your operating system, then run the following commands:
The, that you ran above, and itsare full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.
Thecalls thewhich invokes theto create a new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership.
The run function then. The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assignsto its redeemer. Theis meant for the Ockam node that will run in Bank Corp.’s kubernetes cluster. Theis for the Ockam node that will run in Analysis Corp.’s kubernetes cluster.
In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project. It usesto Ockam nodes that are being provisioned in Bank Corp.’s and Analysis Corp.’s kubernetes clusters.
The run function takes the enrollment tickets, sets them as kubernetes secrets, andto create Bank Corp.’s and Analysis Corp.’s kubernetes clusters.
Bank Corp.’sdefines a pod and containers to run in Bank Corp’s isolated kubernetes cluster. The run.sh scriptto create the cluster,andto start the pod and its containers.
One of the containers defined in Bank Corp.’s kubernetes manifest runs amakes it available on localhost:5432 inside its pod.
Another container defined inside that same pod runs anas a companion to the postgres container. The Ockam node container is created usingand this. The enrollment ticket from run.sh is.
When the Ockam node container starts in the Bank Corp cluster, it runs. The entrypoint script creates a new identity and uses the enrollment ticket toand get a project membership credential that attests to the attribute postgres-outlet=true. The run functionto the enrollment ticket.
The entrypoint script thenthis identity and membership credential to authenticate and create ain the project, back to the node, at relay address: postgres. The run functionto use this relay address.
Next, the entrypoint sets anthat only allows project members that possess a credential with attribute postgres-inlet="true" to connect to tcp portal outlets on this node. It then creates a tcp portal outlet to postgres at.
Analysis Corp.’sdefines a pod and containers to run in Analysis Corp.’s isolated kubernetes cluster. The run.sh scriptto create the cluster,andto start the pod and its containers. Thedefines a pod with two containers anand an.
Theis created usingand this. The enrollment ticket from run.sh is.
When the Ockam node container starts in the Analysis Corp network, it runs. The entrypoint script creates a new identity and uses the enrollment ticket toand get a project membership credential that attests to the attribute postgres-inlet=true. The run functionto the enrollment ticket.
The entrypoint script thenthis identity and membership credential. It then sets anthat only allows project members that possess a credential with attribute postgres-outlet="true" to connect to tcp portal inlets on this node.
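To make the trust model described above concrete, here is an added Python model (not Ockam's code and not part of this page) of the enrollment and policy steps: tickets that expire after 10 minutes, can be redeemed once and assign attributes to the redeemer, and a policy of the form (= subject.postgres-inlet "true") evaluated against the redeemer's membership credential. The Authority class, policy_allows, the ticket ids and the node names are constructed for illustration.

```python
TICKET_TTL = 600  # enrollment tickets are valid for 10 minutes

class Authority:  # constructed model of the project authority (not Ockam's code)
    def __init__(self, clock):
        self.clock = clock
        self.tickets = {}  # ticket -> [expires_at, attributes, redeemed]

    def issue_ticket(self, attributes):
        ticket = f"ticket-{len(self.tickets)}"  # opaque id; real tickets are random
        self.tickets[ticket] = [self.clock() + TICKET_TTL, dict(attributes), False]
        return ticket

    def enroll(self, identity, ticket):
        entry = self.tickets.get(ticket)
        if entry is None or entry[2]:
            raise PermissionError("ticket unknown or already redeemed")
        if self.clock() > entry[0]:
            raise PermissionError("ticket expired")
        entry[2] = True  # each ticket can be redeemed only once
        return {"subject": identity, "attributes": entry[1]}

def policy_allows(expression, credential):
    # Evaluates a policy shaped like (= subject.<attr> "<value>").
    op, lhs, rhs = expression.strip("()").split()
    if op != "=" or not lhs.startswith("subject."):
        raise ValueError("unsupported policy expression")
    return credential["attributes"].get(lhs[8:]) == rhs.strip('"')

def rejected(authority, ticket):
    try:
        authority.enroll("some-other-node", ticket)
        return False
    except PermissionError:
        return True

def run_example():
    now = [1_000_000.0]  # controllable clock so ticket expiry is testable
    authority = Authority(clock=lambda: now[0])
    outlet_ticket = authority.issue_ticket({"postgres-outlet": "true"})
    inlet_ticket = authority.issue_ticket({"postgres-inlet": "true"})
    bank = authority.enroll("bank-corp-node", outlet_ticket)
    analysis = authority.enroll("analysis-corp-node", inlet_ticket)
    stale = authority.issue_ticket({"postgres-inlet": "true"})
    now[0] += TICKET_TTL + 1  # more than ten minutes pass
    outlet_policy = '(= subject.postgres-inlet "true")'
    return {"analysis_reaches_outlet": policy_allows(outlet_policy, analysis),
            "bank_reaches_outlet": policy_allows(outlet_policy, bank),
            "reuse_rejected": rejected(authority, inlet_ticket),
            "expiry_rejected": rejected(authority, stale)}
```

The outlet in Bank Corp.'s cluster admits the Analysis Corp. node because its credential carries postgres-inlet="true", while a credential that only attests postgres-outlet="true" is refused.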
Next, the entrypointthat makes theavailable on all localhost IPs at. This makes postgres available at localhost:15432 within Analysis Corp’sthat also has the app container.
The app container is created usingwhich runs thisfile on startup. The app.js file is a nodejs app, iton localhost:15432, thenin the database,into the table,back, and.
Sensitive business data in the postgres database is only accessible to Bank Corp. and Analysis Corp. All data iswith strong forward secrecy as it moves through the Internet. The communication channel isand. Keys and credentials are automatically rotated. Access to connect with postgres can be easily revoked.
Allare secure-by-default. Only project members, with valid credentials, can connect with each other. NATs are traversed using a relay and outgoing tcp connections. Neither Bank Corp. nor Analysis Corp. exposes any listening endpoints on the Internet. Their kubernetes clusters are completely closed and protected from any attacks from the Internet.