| == GCP Secrets Manager Vault Example |
| |
| In this sample you'll use the GCP Secrets Manager Vault Properties Source |
| |
| === Install JBang |
| |
| First install JBang according to https://www.jbang.dev |
| |
| When JBang is installed then you should be able to run from a shell: |
| |
| [source,sh] |
| ---- |
| $ jbang --version |
| ---- |
| |
| This will output the version of JBang. |
| |
| To run this example you can either install Camel on JBang via: |
| |
| [source,sh] |
| ---- |
| $ jbang app install camel@apache/camel |
| ---- |
| |
| Which allows to run CamelJBang with `camel` as shown below. |
| |
| === Setup the GCP Secret Manager |
| |
| First of all you'll need to install the gcloud cli from https://cloud.google.com/sdk/docs/install |
| |
| Once the Cli has been installed we can proceed to login and to setup the project with the following commands: |
| |
| [source,sh] |
| ---- |
| gcloud auth login |
| ---- |
| |
| and |
| |
| [source,sh] |
| ---- |
| gcloud projects create gcp-sec-refresh --name="GCP Secret Manager Refresh" |
| ---- |
| |
| The project will need a service identity for using secret manager service and we'll be able to have that through the command: |
| |
| [source,sh] |
| ---- |
| gcloud beta services identity create --service "secretmanager.googleapis.com" --project "gcp-sec-refresh" |
| ---- |
| |
| The latter command will provide a service account name that we need to export |
| |
| [source,sh] |
| ---- |
| export SM_SERVICE_ACCOUNT="service-...." |
| ---- |
| |
| Since we want to have notifications about event related to a specific secret through a Google Pubsub topic we'll need to create a topic for this purpose with the following command: |
| |
| [source,sh] |
| ---- |
| gcloud pubsub topics create "projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh" |
| ---- |
| |
| The service account will need Secret Manager authorization to publish messages on the topic just created, so we'll need to add an iam policy binding with the following command: |
| |
| [source,sh] |
| ---- |
| gcloud pubsub topics add-iam-policy-binding pubsub-gcp-sec-refresh --member "serviceAccount:${SM_SERVICE_ACCOUNT}" --role "roles/pubsub.publisher" --project gcp-sec-refresh |
| ---- |
| |
| We now need to create a subscription to the pubsub-gcp-sec-refresh just created and we're going to call it sub-gcp-sec-refresh with the following command: |
| |
| [source,sh] |
| ---- |
| gcloud pubsub subscriptions create "projects/gcp-sec-refresh/subscriptions/sub-gcp-sec-refresh" --topic "projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh" |
| ---- |
| |
| Now we need to create a service account for running our application: |
| |
| [source,sh] |
| ---- |
| gcloud iam service-accounts create gcp-sec-refresh-sa --description="GCP Sec Refresh SA" --project gcp-sec-refresh |
| ---- |
| |
| Let's give the SA an owner role: |
| |
| [source,sh] |
| ---- |
| gcloud projects add-iam-policy-binding gcp-sec-refresh --member="serviceAccount:gcp-sec-refresh-sa@gcp-sec-refresh.iam.gserviceaccount.com" --role="roles/owner" |
| ---- |
| |
| Now we should create a Service account key file for the just create SA: |
| |
| [source,sh] |
| ---- |
| gcloud iam service-accounts keys create gcp-sec-refresh.json --iam-account=gcp-sec-refresh-sa@gcp-sec-refresh.iam.gserviceaccount.com |
| ---- |
| |
| Modify the application.properties file to point to serviceAccountKey property to the just create gcp-sec-refresh.json file. |
| |
| Let's enable the Secret Manager API for our project |
| |
| [source,sh] |
| ---- |
| gcloud services enable secretmanager.googleapis.com --project gcp-sec-refresh |
| ---- |
| |
| If needed enable also the Billing API. |
| |
| Now it's time to create our hello secret, with topic notification: |
| |
| [source,sh] |
| ---- |
| gcloud secrets create hello --topics=projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh --project=gcp-sec-refresh |
| ---- |
| |
| Let's add a value to the secret: |
| |
| [source,sh] |
| ---- |
| echo -n "Camel rocks! " | gcloud secrets versions add hello --data-file=- --project=gcp-sec-refresh |
| ---- |
| |
| === Setting up the GCP Service account key |
| |
| In the gcp-sec-integration.propertie you'll need to provide all the needed bits and the path to the just created service account key file. So you should have something like this: |
| |
| [source,sh] |
| ---- |
| camel.vault.gcp.projectId=gcp-sec-refresh |
| camel.vault.gcp.serviceAccountKey = file:////gcp-sec-refresh.json |
| camel.vault.gcp.refreshEnabled=true |
| camel.vault.gcp.refreshPeriod=60000 |
| camel.vault.gcp.secrets=hello* |
| camel.vault.gcp.subscriptionName=sub-gcp-sec-refresh |
| camel.main.context-reload-enabled = true |
| ---- |
| |
| === How to run |
| |
| Then you can run this example using: |
| |
| [source,sh] |
| ---- |
| $ camel run --properties=gcp-sec-integration.properties timer-gcp-secret-reloading.yaml |
| ---- |
| |
| Or run it even shorter: |
| |
| [source,sh] |
| ---- |
| $ camel run * |
| ---- |
| |
| Or run with JBang using the longer command line (without installing camel as app in JBang): |
| |
| [source,sh] |
| ---- |
| $ jbang camel@apache/camel run --properties=gcp-sec-integration.properties timer-gcp-secret-reloading.yaml |
| ---- |
| |
| |
| |
| === Modify the secret |
| |
| You can list the secrets in use from the GCP secret manager service: |
| |
| [source,sh] |
| ---- |
| camel get vault |
| ---- |
| |
| While the integration is running you could modify the secret and the integration will reload automatically |
| |
| [source,sh] |
| ---- |
| echo -n "Camel rocks reloaded! " | gcloud secrets versions add hello --data-file=- --project=gcp-sec-refresh |
| |
| ---- |
| |
| Now, get back, to the running Camel application and wait for the reloading. |
| |
| And the secret should also now be listed as updated from the get vault command: |
| |
| [source,sh] |
| ---- |
| camel get vault |
| ---- |
| |
| === Developer Web Console |
| |
| You can enable the developer console via `--console` flag as show: |
| |
| [source,sh] |
| ---- |
| $ camel run --properties=gcp-sec-integration.properties timer-gcp-secret-reloading.yaml --console |
| ---- |
| |
| Then you can browse: http://localhost:8080/q/dev to introspect the running Camel applicaton. |
| |
| |
| === Help and contributions |
| |
| If you hit any problem using Camel or have some feedback, then please |
| https://camel.apache.org/community/support/[let us know]. |
| |
| We also love contributors, so |
| https://camel.apache.org/community/contributing/[get involved] :-) |
| |
| The Camel riders! |