Accessing IBM Cloud Database from IBM Kubernetes Service using private service endpoint
Back in March 2019, IBM Program Director Chris Rosen published an article on the private service endpoint for IBM Cloud Kubernetes Service (IKS). With it, traffic from IKS reaches other IBM Cloud services over the IBM Cloud private network instead of the public internet.
The private service endpoint of IKS can be enabled by clicking the "Enable" button on the IKS cluster page. The private service endpoint URL is then shown on the cluster's Overview page; it is easy to spot because the domain name contains the word "private".
I am re-using the example applications built on IBM Cloud Kubernetes Service with IBM Cloud Databases for this post: https://github.com/IBM-Cloud/clouddatabases-helloworld-kubernetes-examples
I am not going to repeat the same steps here, but there are extra steps I took to update the Kubernetes secret so that it uses the private service endpoint.
At step 10 of that tutorial, a command is used to create the binding between IBM Cloud Kubernetes Service and the IBM Cloud Databases instance.
That command takes the service binding of the IBM Cloud Databases instance (in my example the same PostgreSQL instance I used in the previous article) and stores it as a Kubernetes secret. You can list the secrets with the command below:
kubectl get secrets
However, this service binding is based on the public service endpoint of the IBM Cloud Databases instance rather than the private service endpoint we want. What we can do is update the Kubernetes secret. Retrieve the details of the secret and note the binding value. The binding value is base64 encoded and holds the credentials for your service instance in JSON format:
kubectl get secrets binding-<service_instance_name> --namespace=<namespace> -o yaml
The binding is stored as base64. What we need to do is decode the base64 value to JSON, update the value in the JSON, and encode it back to base64. Decode it locally (for example with base64 -d in a shell) rather than pasting it into an online converter, because the decoded value contains the database credentials. It should decode to JSON similar to the one below:
What we need to update is the PostgreSQL URI, from the public service endpoint to the private service endpoint: add "private." in front of the "databases.appdomain.cloud" part of the hostname. Do the same for any other field in the JSON that carries the same hostname, so that no public hostname remains in the binding. The private hostname is only reachable from the IBM Cloud private network, which is exactly where the IKS private service endpoint puts the cluster's traffic.
Once the JSON is updated, encode it back to base64 and put it into a YAML manifest for the secret, keeping the same secret name and namespace as the existing one and using the new base64 string as the binding data.
Update the secret via
kubectl apply -f postgresql_secret.yaml
You can verify the newly updated Kubernetes secret with the same kubectl get secrets command as above, and decode the binding value once more to confirm it now carries the private hostname.
Updating the secret does not change pods that are already running, because they read the binding when they started. To make sure the pods use the private service endpoint, scale the replicas to zero and back to one in clouddb-deployment.yaml, or otherwise redeploy the pods, and check that the new pods connect to the database.
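The decode, rewrite and re-encode steps above can be done in one shell script instead of by hand, which also avoids pasting credentials into a web converter. The script below is an added example, not code from the original post or from the IBM tutorial. It assumes GNU coreutils base64 (for -d), POSIX sed and grep, that the secret's data key is named "binding", and that IBM Cloud Databases hostnames end in ".databases.appdomain.cloud". The sample binding JSON is constructed for the example and contains no real credentials.

```shell
#!/bin/sh
# Added example: rewrite an IKS service-binding secret so every IBM Cloud Databases
# URI points at the private service endpoint. Not code from the original post or the
# IBM tutorial. Assumptions: GNU coreutils base64 (-d), POSIX sed/grep, the secret's
# data key is "binding", and hostnames end in ".databases.appdomain.cloud".
set -eu

# Constructed sample (no real credentials): the decoded "binding" value as it would
# come out of `kubectl get secret binding-<name> -o yaml`, with a public endpoint.
SAMPLE_BINDING_JSON='{"connection":{"postgres":{"composed":["postgres://admin:REDACTED@abc123.deadbeef.databases.appdomain.cloud:31234/ibmclouddb?sslmode=verify-full"],"hosts":[{"hostname":"abc123.deadbeef.databases.appdomain.cloud","port":31234}]}}}'
SAMPLE_B64=$(printf '%s' "$SAMPLE_BINDING_JSON" | base64 | tr -d '\n')

# Decode locally; never paste a binding into a web converter.
b64_decode() { printf '%s' "$1" | base64 -d; }
# Encode to a single line, as a Secret's data field must be.
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Insert "private." before the databases.appdomain.cloud suffix everywhere in the
# JSON (URI and hosts list alike). The first substitution strips an existing
# "private." first, so running the rewrite twice gives the same result.
to_private_hosts() {
    printf '%s' "$1" | sed \
        -e 's/\.private\.databases\.appdomain\.cloud/.databases.appdomain.cloud/g' \
        -e 's/\.databases\.appdomain\.cloud/.private.databases.appdomain.cloud/g'
}

# base64 in, base64 out: the value to place in the updated Secret manifest.
to_private_endpoint() {
    b64_encode "$(to_private_hosts "$(b64_decode "$1")")"
}

# Exit status 0 if a public (non-private) databases.appdomain.cloud host remains.
has_public_host() {
    b64_decode "$1" \
        | sed 's/\.private\.databases\.appdomain\.cloud//g' \
        | grep -q 'databases\.appdomain\.cloud'
}

# Emit the Secret manifest to feed to `kubectl apply -f`, with the same name and
# namespace as the binding secret created by the tutorial.
binding_secret_yaml() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: binding-%s\n  namespace: %s\ntype: Opaque\ndata:\n  binding: %s\n' \
        "$1" "$2" "$3"
}

# Stand-alone run: rewrite the sample, refuse to emit a manifest that still carries
# a public hostname, then print the manifest (hypothetical instance/namespace names).
PRIVATE_B64=$(to_private_endpoint "$SAMPLE_B64")
if has_public_host "$PRIVATE_B64"; then
    echo "public endpoint still present in binding" >&2
    exit 1
fi
binding_secret_yaml my-postgresql default "$PRIVATE_B64"
```

In practice you would replace SAMPLE_B64 with the binding value copied from kubectl get secrets -o yaml, redirect the manifest to postgresql_secret.yaml and apply it; the has_public_host check is the verification step that the hand-edited procedure leaves to the eye.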