1. Context

Secret managers securely store sensitive data like API keys and passwords, preventing hardcoded secrets and reducing exposure risks. They provide encrypted storage, access control, and automated rotation, ensuring secure management of credentials across distributed applications. It is crucial, expecially in could environments, to be able to use such services.

2. Prerequisites

A camel integrationt o be deployed on OpenShift.

3. Goal

Provide a configuration example to retrieve GCP Secrets Manager Secrets and use them in a camel integration.

4. Configuration

First of all all of the following could be supported by simply adding the camel-google-secret-manager component to your classpath.

To set up the secret retrieval with Google Secrets Manager you have to first authenticate to the Google Cloud Services. The mechanisms are:

Static credentials in application.properties:

camel.vault.gcp.serviceAccountKey = serviceAccountKey
camel.vault.gcp.projectId = projectId

Default Instance in application.properties:

camel.vault.gcp.useDefaultInstance = true
camel.vault.gcp.projectId = region

The service account key file could be a Kubernetes/OCP secret or you can mount a volume containing the service account key file and use it as a reference in the configuration. This is something up to the end user.

Creating a secret on GCP will require to have access to the Google Cloud Console or to Google Cloud CLI with create-secret and general secret manager permissions. In general, the suggested way of creating a secret is by using JSON.

You can create a secret through Gcloud CLI with the following command:

gcloud secrets create authsecdb --data-file=secret.json

Where the content of secret.json could be something like:

{
  "username": "postgresadmin",
  "password": "xxxx",
  "host": "host"
}

The secret name will be authsecdb and the secret fields will be username, password and host.

In the Camel route it will be enough to use the following syntax and the secrets field will be retrieved.

{{gcp:authsecdb/host}}
{{gcp:authsecdb/username}}
{{gcp:authsecdb/password}}

For more information about the usable syntax, you can look at Google Secret Manager Property Function

The Spring Boot and Quarkus runtime have the starter and the extension related to AWS Secret Manager in their catalogs. The export and export Kubernetes command from camel-jbang, will automatically add the dependency in case of the above syntax usage. This should be transparent to the end user.

The same configuration could be seen on OCP by following the Camel on OCP Best Practices repository, in particular, the GCP vault section. You can follow the example for both the runtimes supported by Red Hat Build of Apache Camel:

Camel-Quarkus - Camel on OCP Best practices - GCP Vault

Camel-Spring-Boot - Camel on OCP Best practices - GCP Vault

5. GCP Secrets Manager Enabling Secret Refresh

In the section above we saw how to set up and use the Google Secret Manager Secrets retrieval. In this section, we’ll focus on introducing the Secret refresh in the picture. The Camel Google Secret Manager refresh feature is based on the relation between a secret and a dedicated Google PubSub topic resource, receiving events from the Monitored Secret. The reloading task will check for new events in relation to the secret and it will trigger a Camel context reload in case of an update.

The Google Secrets Refresh function will use the Google PubSub service to track events related to secrets.

Enabling the Secret refresh feature requires particular infrastructure operations.

The needed additional fields for this purpose are:

camel.vault.gcp.projectId=projectId
camel.vault.gcp.refreshEnabled=true
camel.vault.gcp.refreshPeriod=60000
camel.vault.gcp.secrets=secretsName
camel.vault.gcp.subscriptionName=subscriptionName
camel.main.context-reload-enabled = true

Where secretsName is a comma-separated list of secrets names to track and monitor and subscriptionName is the subscription name to Google PubSub Topic. It’s not mandatory to specify the secrets parameter, Camel will take care of monitoring all the secrets for you.

For the infrastructure part we’ll need to follow a guide including creating a Google project and preparing Google PubSub.

First of all you’ll need to install the gcloud cli from https://cloud.google.com/sdk/docs/install

Once the Cli has been installed we can proceed to log in and to set up the project with the following commands:

gcloud auth login

and

gcloud projects create gcp-sec-refresh --name="GCP Secret Manager Refresh"

The project will need a service identity for using secret manager service and we’ll be able to have that through the command:

gcloud beta services identity create --service "secretmanager.googleapis.com" --project "gcp-sec-refresh"

The latter command will provide a service account name that we need to export

export SM_SERVICE_ACCOUNT="service-...."

Since we want to have notifications about events related to a specific secret through a Google Pubsub topic we’ll need to create a topic for this purpose with the following command:

gcloud pubsub topics create "projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh"

The service account will need Secret Manager authorization to publish messages on the topic just created, so we’ll need to add an iam policy binding with the following command:

gcloud pubsub topics add-iam-policy-binding pubsub-gcp-sec-refresh --member "serviceAccount:${SM_SERVICE_ACCOUNT}" --role "roles/pubsub.publisher" --project gcp-sec-refresh

We now need to create a subscription to the pubsub-gcp-sec-refresh just created and we’re going to call it sub-gcp-sec-refresh with the following command:

gcloud pubsub subscriptions create "projects/gcp-sec-refresh/subscriptions/sub-gcp-sec-refresh" --topic "projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh"

Now we need to create a service account for running our application:

gcloud iam service-accounts create gcp-sec-refresh-sa --description="GCP Sec Refresh SA" --project gcp-sec-refresh

Let’s give the SA an owner role:

gcloud projects add-iam-policy-binding gcp-sec-refresh --member="serviceAccount:gcp-sec-refresh-sa@gcp-sec-refresh.iam.gserviceaccount.com" --role="roles/owner"

Now we should create a Service account key file for the just create SA:

gcloud iam service-accounts keys create gcp-sec-refresh.json --iam-account=gcp-sec-refresh-sa@gcp-sec-refresh.iam.gserviceaccount.com

Modify the application.properties file to point to serviceAccountKey property to the just create gcp-sec-refresh.json file.

Let’s enable the Secret Manager API for our project

gcloud services enable secretmanager.googleapis.com --project gcp-sec-refresh

Let’s enable the Pubsub API for our project

gcloud services enable pubsub.googleapis.com --project gcp-sec-refresh

If needed enable also the Billing API.

Now it’s time to create our hello secret, with topic notification:

gcloud secrets create authsecdb --topics=projects/gcp-sec-refresh/topics/pubsub-gcp-sec-refresh --project=gcp-sec-refresh

And let’s add the value

gcloud secrets versions add hello --data-file=secret.json --project=gcp-sec-refresh

The same configuration could be seen on OCP by following the Camel on OCP Best Practices repository, in particular, the GCP vault section:

Camel-Quarkus - Camel on OCP Best practices - GCP Vault with refresh

Camel-Spring-Boot - Camel on OCP Best practices - GCP Vault with refresh