1. Context

Kubernetes Secrets are usually used to store and manage sensitive data, such as API keys, passwords, and tokens, within a Kubernetes cluster. They help keep this information secure by avoiding hardcoding it in configuration files. Secrets can be injected into containers or read at runtime, ensuring that sensitive data are only accessible to authorized services or pods.

2. Prerequisites

A Camel integration to be deployed on OpenShift.

3. Goal

Provide a configuration example for reading Kubernetes Secret values in Camel applications.

4. Configuration

In Camel we provide the secret function to retrieve a secret value from a Secret resource.

The syntax is pretty simple:

secret:name/key[:defaultValue]

It’s important to restrict the ability to read secrets to the least amount of permissions needed in your cluster, so the application should run with a role that grants only the get/list permissions on secrets.

This could be done with the following command:

oc create clusterrole secretadmin --verb=get --verb=list --resource=secret --namespace=<namespace>

The minimum permissions are list and get.

Alternatively, you can create a yaml file with the following content:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secretadmin
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list

And then run

oc apply -f <file_name>

The application will have to run with that ClusterRole: bind it to the application's service account with a RoleBinding in the application's namespace. A ClusterRole itself is cluster-scoped, so it is the namespace of the binding, not the --namespace flag used when creating the role, that decides where the grant applies.

This ensures the running application cannot do more than get and list secrets.
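As an added example (not code from this page or from the Red Hat project), the following Camel Java DSL route reads its backend credentials through the secret function described above. It assumes camel-http and camel-kubernetes are on the classpath, the pod runs under a service account bound to a role with get/list on secrets, and a hypothetical Secret named api-credentials holds the keys username, password and, optionally, api-version.

```java
import org.apache.camel.builder.RouteBuilder;

// Added example: a route whose HTTP credentials come from a Kubernetes Secret.
// Secret name "api-credentials" and its keys are hypothetical; the secret
// function resolves them with the pod's service account at runtime.
public class SecretBackedRoute extends RouteBuilder {

    @Override
    public void configure() {
        from("timer:poll?period=30000")
            // Key with a default: if "api-version" is absent from the Secret,
            // the placeholder falls back to "v1" instead of failing.
            .setHeader("X-Api-Version",
                       simple("{{secret:api-credentials/api-version:v1}}"))
            // Keys without a default: a missing "username" or "password" key
            // fails route startup rather than sending an empty credential.
            .to("http://backend:8080/status"
                + "?authMethod=Basic"
                + "&authUsername={{secret:api-credentials/username}}"
                + "&authPassword={{secret:api-credentials/password}}")
            .log("backend status: ${body}");
    }
}
```

If the service account lacks the get/list grant on secrets, placeholder resolution fails at startup with a Kubernetes API authorization error, which is the expected least-privilege behaviour rather than a silent fallback.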

The same configuration can be seen on OCP in the Camel on OCP Best Practices repository, in particular the OCP Secrets section. You can follow the example for both runtimes supported by Red Hat Build of Apache Camel: