jbang/gcp-secret-manager-reloading/README.adoc

== GCP Secrets Manager Vault Example

In this sample you'll use the GCP Secrets Manager Vault Properties Source

=== Install JBang

First install JBang according to https://www.jbang.dev

When JBang is installed then you should be able to run from a shell:

[source,sh]
----
$ jbang --version
----

This will output the version of JBang.

To run this example you can either install Camel on JBang via:

[source,sh]
----
$ jbang app install camel@apache/camel
----

Which allows to run CamelJBang with `camel` as shown below.

=== Setup the GCP Secret Manager

First of all you'll need to install the gcloud cli from https://cloud.google.com/sdk/docs/install

Once the Cli has been installed we can proceed to login and to setup the project with the following commands:

[source,sh]
----
gcloud auth login
----

and

[source,sh]
----
gcloud projects create gcp-sec-refresh --name="GCP Secret Manager Refresh"
----

The project will need a service identity for using secret manager service and we'll be able to have that through the command:

[source,sh]
----
gcloud beta services identity create --service "secretmanager.googleapis.com" --project "gcp-sec-refresh"
----

The latter command will provide a service account name that we need to export

[source,sh]
----
export SM_SERVICE_ACCOUNT="service-...."
----

Since we want to have notifications about event related to a specific secret through a Google Pubsub topic we'll need to create a topic for this purpose with the following command:

[source,sh]
----
gcloud pubsub topics create "projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh"
----

The service account will need Secret Manager authorization to publish messages on the topic just created, so we'll need to add an iam policy binding with the following command:

[source,sh]
----
gcloud pubsub topics add-iam-policy-binding pubsub-gcp-sec-refresh --member "serviceAccount:${SM_SERVICE_ACCOUNT}" --role "roles/pubsub.publisher" --project gcp-sec-refresh
----

We now need to create a subscription to the pubsub-gcp-sec-refresh just created and we're going to call it sub-gcp-sec-refresh with the following command:

[source,sh]
----
gcloud pubsub subscriptions create "projects/gcp-sec-refresh/subscriptions/sub-gcp-sec-refresh" --topic "projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh"
----

Now we need to create a service account for running our application:

[source,sh]
----
gcloud iam service-accounts create gcp-sec-refresh-sa --description="GCP Sec Refresh SA" --project gcp-sec-refresh
----

Let's give the SA an owner role:

[source,sh]
----
gcloud projects add-iam-policy-binding gcp-sec-refresh --member="serviceAccount:gcp-sec-refresh-sa@gcp-sec-refresh.iam.gserviceaccount.com" --role="roles/owner"
----

Now we should create a Service account key file for the just create SA:

[source,sh]
----
gcloud iam service-accounts keys create gcp-sec-refresh.json --iam-account=gcp-sec-refresh-sa@gcp-sec-refresh.iam.gserviceaccount.com
----

Modify the application.properties file to point to serviceAccountKey property to the just create gcp-sec-refresh.json file.

Let's enable the Secret Manager API for our project

[source,sh]
----
gcloud services enable secretmanager.googleapis.com --project gcp-sec-refresh
----

If needed enable also the Billing API.

Now it's time to create our hello secret, with topic notification:

[source,sh]
----
gcloud secrets create hello --topics=projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh --project=gcp-sec-refresh
----

Let's add a value to the secret:

[source,sh]
----
echo -n "Camel rocks! " | gcloud secrets versions add hello --data-file=- --project=gcp-sec-refresh
----

=== Setting up the GCP Service account key

In the gcp-sec-integration.propertie you'll need to provide all the needed bits and the path to the just created service account key file. So you should have something like this:

[source,sh]
----
camel.vault.gcp.projectId=gcp-sec-refresh
camel.vault.gcp.serviceAccountKey = file:////gcp-sec-refresh.json
camel.vault.gcp.refreshEnabled=true
camel.vault.gcp.refreshPeriod=60000
camel.vault.gcp.secrets=hello*
camel.vault.gcp.subscriptionName=sub-gcp-sec-refresh
camel.main.context-reload-enabled = true
----

=== How to run

Then you can run this example using:

[source,sh]
----
$ camel run --properties=gcp-sec-integration.properties timer-gcp-secret-reloading.yaml
----

Or run it even shorter:

[source,sh]
----
$ camel run *
----

Or run with JBang using the longer command line (without installing camel as app in JBang):

[source,sh]
----
$ jbang camel@apache/camel run --properties=gcp-sec-integration.properties timer-gcp-secret-reloading.yaml
----



=== Modify the secret

You can list the secrets in use from the GCP secret manager service:

[source,sh]
----
camel get vault
----

While the integration is running you could modify the secret and the integration will reload automatically

[source,sh]
----
echo -n "Camel rocks reloaded! " | gcloud secrets versions add hello --data-file=- --project=gcp-sec-refresh

----

Now, get back, to the running Camel application and wait for the reloading.

And the secret should also now be listed as updated from the get vault command:

[source,sh]
----
camel get vault
----

=== Developer Web Console

You can enable the developer console via `--console` flag as show:

[source,sh]
----
$ camel run --properties=gcp-sec-integration.properties timer-gcp-secret-reloading.yaml --console
----

Then you can browse: http://localhost:8080/q/dev to introspect the running Camel applicaton.


=== Help and contributions

If you hit any problem using Camel or have some feedback, then please
https://camel.apache.org/community/support/[let us know].

We also love contributors, so
https://camel.apache.org/community/contributing/[get involved] :-)

The Camel riders!