1. Context
Secret managers securely store sensitive data like API keys and passwords, preventing hardcoded secrets and reducing exposure risks. They provide encrypted storage, access control, and automated rotation, ensuring secure management of credentials across distributed applications. It is crucial, expecially in could environments, to be able to use such services.
2. Prerequisites
A camel integrationt o be deployed on OpenShift.
3. Goal
Provide a configuration example to retrieve Azure Key Vault Secrets and use them in a camel integration.
4. Configuration
First of all all of the following could be supported by simply adding the camel-azure-key-vault component to your classpath.
To set up the secret retrieval with Azure Key Vault you have to first authenticate to the Azure Key Vault Service. The mechanisms are:
Static credentials in application.properties:
camel.vault.azure.tenantId = accessKey camel.vault.azure.clientId = clientId camel.vault.azure.clientSecret = clientSecret camel.vault.azure.vaultName = vaultName
Default Credentials Provider in application.properties:
camel.vault.azure.azureIdentityEnabled = true camel.vault.azure.vaultName = vaultName
First of all we need to create an application
az ad app create --display-name test-app-key-vault
Then we need to obtain credentials
az ad app credential reset --id <appId> --append --display-name 'Description: Key Vault app client' --end-date '2024-12-31'
This will return a result like this
{
"appId": "appId",
"password": "pwd",
"tenant": "tenantId"
}You should take note of the password and use it as clientSecret parameter in the application.properties file
Now create the key vault
az keyvault create --name <vaultName> --resource-group <resourceGroup>
Create a service principal associated with the application Id
az ad sp create --id <appId>
At this point we need to add a role to the application with role assignment
az role assignment create --assignee <appId> --role "Key Vault Administrator" --scope /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<vaultName>
Last step is to create policy on what can be or cannot be done with the application. In this case we just want to read the secret value. So This should be enough.
az keyvault set-policy --name <vaultName> --spn <appId> --secret-permissions get
You can create a secret through Azure CLI with the following command:
az keyvault secret set --name authsecdb --vault-name <vaultName> -f postgresCreds.json
Where the content of postgresCreds.json could be something like:
{
"username": "postgresadmin",
"password": "xxxx",
"host": "host"
}The secret name will be authsecdb and the secret fields will be username, password and host.
In the Camel route it will be enough to use the following syntax and the secrets field will be retrieved.
{{azure:authsecdb/host}}
{{azure:authsecdb/username}}
{{azure:authsecdb/password}}
For more information about the usable syntax, you can look at Azure Key Vault Property Function
The same configuration could be seen on OCP by following the Camel on OCP Best Practices repository, in particular, the AWS vault section. You can follow the example for both the runtimes supported by Red Hat Build of Apache Camel:
5. Enabling Secret Refresh
In the section above we saw how to set up and use the Azure Key Vault Secrets retrieval. In this section, we’ll focus on introducing the Secret refresh in the picture. The Camel Azure Key Vault refresh feature is based on the relation between a secret and a Event grid subscription topic resource, receiving events from the Eventhub related resource. The reloading task will check for new events in relation to the secret and it will trigger a Camel context reload in case of an update.
The Azure Key Vault Secrets Refresh function will use the Azure Storage Blob and Azure Eventhubs service to track events related to secrets.
Enabling the Secret refresh feature requires particular infrastructure operations.
The needed additional fields for this purpose are:
camel.vault.azure.refreshEnabled=true camel.vault.azure.refreshPeriod=60000 camel.vault.azure.secrets=authsecdbref camel.vault.azure.blobAccountName=<blobAccountName> camel.vault.azure.blobContainerName=<blobContainerName> camel.vault.azure.blobAccessKey=<blobAccessKey> camel.vault.azure.eventhubConnectionString=<eventhubConnectionString> camel.main.context-reload-enabled=true
Where secretsName is a comma-separated list of secrets names to track and monitor and eventhubConnectionString is the connection String to Eventhub resource. It’s not mandatory to specify the secrets parameter, Camel will take care of monitoring all the secrets for you.
For the infrastructure part we’ll need to follow a guide including creating a Google project and preparing Azure Key Vault.
Create an Azure Key Vault supported application will require some operation with the az cli
First of all we need to create an application
az ad app create --display-name test-app-key-vault
Then we need to obtain credentials
az ad app credential reset --id <appId> --append --display-name 'Description: Key Vault app client' --end-date '2024-12-31'
This will return a result like this
{
"appId": "appId",
"password": "pwd",
"tenant": "tenantId"
}You should take note of the password and use it as clientSecret parameter in the application.properties file
Now create the key vault
az keyvault create --name <vaultName> --resource-group <resourceGroup>
Create a service principal associated with the application Id
az ad sp create --id <appId>
At this point we need to add a role to the application with role assignment
az role assignment create --assignee <appId> --role "Key Vault Administrator" --scope /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<vaultName>
Last step is to create policy on what can be or cannot be done with the application. In this case we just want to read the secret value. So This should be enough.
az keyvault set-policy --name <vaultName> --spn <appId> --secret-permissions get
Now we need to setup the Eventhub/EventGrid notification for being informed about secrets updates.
First of all we’ll need a Blob account and Blob container, to track Eventhub consuming activities.
az storage account create --name <blobAccountName> --resource-group <resourceGroup>
Then create a container
az storage container create --account-name <blobAccountName> --name <blobContainerName>
Then recover the access key for this purpose
az storage account keys list -g <resourceGroup> -n <blobAccountName>
Substitute the blob Account name, blob Container name and Blob Access Key into the application.properties file.
Let’s now create the Eventhub side
Create the namespace first
az eventhubs namespace create --resource-group <resourceGroup> --name <eventhub-namespace> --location westus --sku Standard --enable-auto-inflate --maximum-throughput-units 20
Now create the resource
az eventhubs eventhub create --resource-group <resourceGroup> --namespace-name <eventhub-namespace> --name <eventhub-name> --cleanup-policy Delete --partition-count 15
In the Azure portal create a shared policy for the just created eventhub resource with "MANAGE" permissions and copy the connection string.
Substitute the connection string into the application.properties.
In the Azure portal, in the key vault we’re using, select events and create event subscription to event grid, by selecting "event grid schema", a system topic name of your choice and the eventhub endpoint for the just created eventhub resource.
You can create a secret through Azure CLI with the following command:
az keyvault secret set --name authsecdb --vault-name <vaultName> -f postgresCreds.json
Where the content of postgresCreds.json could be something like:
{
"username": "postgresadmin",
"password": "xxxx",
"host": "host"
}The secret name will be authsecdb and the secret fields will be username, password and host.
In the Camel route it will be enough to use the following syntax and the secrets field will be retrieved.
{{azure:authsecdb/host}}
{{azure:authsecdb/username}}
{{azure:authsecdb/password}}
The Spring Boot and Quarkus runtime have the starter and the extension related to Azure Key Vault in their catalogs. The export and export Kubernetes command from camel-jbang, will automatically add the dependency in case of the above syntax usage. This should be transparent to the end user.
The same configuration could be seen on OCP by following the Camel on OCP Best Practices repository, in particular, the Azure Key vault section: