This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-kamelets-examples.git


The following commit(s) were added to refs/heads/main by this push:
     new 25f6016  Added Kubernetes Secrets Context Reload example on Secret 
update, by using External Secrets Operator
25f6016 is described below

commit 25f60162fc98b378ddf098d9182f1f56d23cfe49
Author: Andrea Cosentino <[email protected]>
AuthorDate: Fri Sep 6 08:01:17 2024 +0200

    Added Kubernetes Secrets Context Reload example on Secret update, by using 
External Secrets Operator
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 jbang/external-secrets-aws/README.adoc             | 184 +++++++++++++++++++++
 jbang/external-secrets-aws/app.properties          |   2 +
 .../basic-external-secret.yaml                     |  15 ++
 jbang/external-secrets-aws/basic-secret-store.yaml |  19 +++
 jbang/external-secrets-aws/secret.json             |   4 +
 .../timer-to-log-sec-kube.yaml                     |  26 +++
 6 files changed, 250 insertions(+)

diff --git a/jbang/external-secrets-aws/README.adoc 
b/jbang/external-secrets-aws/README.adoc
new file mode 100644
index 0000000..c77ff0c
--- /dev/null
+++ b/jbang/external-secrets-aws/README.adoc
@@ -0,0 +1,184 @@
+## AWS Secrets Manager Vault on Minikube through External Secrets Operator 
infrastructure and Kubernetes Secrets trigger reloading
+
+In this sample you'll use the Kubernetes Secrets properties from Camel in 
combination with External Secrets Operator AWS Secrets Manager Provider and 
automatic context reloading on Secrets update.
+
+## Install JBang
+
+First install JBang according to https://www.jbang.dev
+
+When JBang is installed then you should be able to run from a shell:
+
+[source,sh]
+----
+$ jbang --version
+----
+
+This will output the version of JBang.
+
+To run this example you can either install Camel on JBang via:
+
+[source,sh]
+----
+$ jbang app install camel@apache/camel
+----
+
+Which allows to run CamelJBang with `camel` as shown below.
+
+## Preparing the project
+
+First of all run minikube
+
+```
+minikube start --driver=<preferred_driver>
+```
+
+We'll connect to the `default` namespace.
+
+## Setting up the secret we want to sue
+
+We need to create the secret we are going to store in AWS Secrets Manager
+
+```
+{
+  "username": "<user>",
+  "password": "<password>"
+}
+```
+
+Place your information, it's just an example. In my case user will be admin 
and password will be pwd.
+
+Now create the secret with the AWS CLI or with the console:
+
+```
+aws secretsmanager create-secret --name auth-secret --secret-string 
file://secret.json
+```
+
+This complete the secret setup.
+
+## Externalize secrets into External Secret operator infra
+
+In your namespace 'default' install the External Secret operator with latest 
version. We'll use helm.
+
+Now run the following:
+
+```
+helm repo add external-secrets https://charts.external-secrets.io
+```
+
+and next
+
+```
+helm install external-secrets external-secrets/external-secrets -n default
+```
+
+This should install your operator correctly for Kubernetes.
+
+Now run the following list of commands and substitute the KEYID and SECRETKEY 
with your AWS credentials
+
+```
+echo -n 'KEYID' > ./access-key
+echo -n 'SECRETKEY' > ./secret-access-key
+kubectl create secret generic awssm-secret --from-file=./access-key 
--from-file=./secret-access-key -n default
+```
+
+Once everything is done you can create your secret
+
+```
+kubectl apply -f basic-secret-store.yaml -n default
+```
+
+and create the secret
+
+```
+kubectl apply -f basic-external-secret.yaml -n default
+```
+
+To be sure everything is fine you should find a secret named auth-secret in 
your secrets for the namespace default.
+
+
+## Running with Jbang
+
+Run the following command
+
+```
+jbang --fresh -Dcamel.jbang.version=4.8.0-SNAPSHOT camel@apache/camel run 
--dep=camel-kubernetes --properties=app.properties timer-to-log-sec-kube.yaml
+```
+
+You should see the following logs
+
+```
+jbang --fresh -Dcamel.jbang.version=4.8.0-SNAPSHOT camel@apache/camel run 
--dep=camel-kubernetes --properties=app.properties timer-to-log-sec-kube.yaml 
+[jbang] Resolving dependencies...
+[jbang]    org.apache.camel:camel-bom:4.8.0-SNAPSHOT@pom
+[jbang]    org.apache.camel:camel-jbang-core:4.8.0-SNAPSHOT
+[jbang]    org.apache.camel.kamelets:camel-kamelets:4.7.0
+[jbang] Dependencies resolved
+[jbang] Building jar for CamelJBang.java...
+2024-09-06 07:52:22.421  INFO 40880 --- [           main] 
org.apache.camel.main.MainSupport        : Apache Camel (JBang) 4.8.0-SNAPSHOT 
is starting
+2024-09-06 07:52:22.618  INFO 40880 --- [           main] 
org.apache.camel.main.MainSupport        : Using Java 17.0.8 with PID 40880. 
Started by oscerd in 
/home/oscerd/workspace/apache-camel/camel-kamelets-examples/jbang/external-secrets-aws
+2024-09-06 07:52:23.653  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    : Properties location: 
file:///home/oscerd/workspace/apache-camel/camel-kamelets-examples/jbang/external-secrets-aws/app.properties
+2024-09-06 07:52:23.723  INFO 40880 --- [           main] 
org.apache.camel.main.ProfileConfigurer  : The application is starting with 
profile: dev
+2024-09-06 07:52:24.845  INFO 40880 --- [           main] 
rnetes.properties.BasePropertiesFunction : KubernetesClient using masterUrl: 
https://192.168.59.102:8443/ with namespace: default
+2024-09-06 07:52:24.893  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    : Auto-configuration summary
+2024-09-06 07:52:24.893  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    :     [app.properties]               
camel.vault.kubernetes.refreshEnabled = true
+2024-09-06 07:52:24.893  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    :     [app.properties]               
camel.vault.kubernetes.secrets = auth-secret
+2024-09-06 07:52:25.097  INFO 40880 --- [           main] 
he.camel.cli.connector.LocalCliConnector : Camel JBang CLI enabled
+2024-09-06 07:52:26.526  INFO 40880 --- [           main] 
e.camel.impl.engine.AbstractCamelContext : Apache Camel 4.8.0-SNAPSHOT 
(timer-to-log-sec-kube) is starting
+2024-09-06 07:52:26.668  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    : Property-placeholders summary
+2024-09-06 07:52:26.669  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    :     [timer-source.kamelet.yaml]    
period = 20000
+2024-09-06 07:52:26.669  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    :     [timer-source.kamelet.yaml]    
message = {"id":"1","message":"Camel Rocks"}
+2024-09-06 07:52:26.669  INFO 40880 --- [           main] 
org.apache.camel.main.BaseMainSupport    :     [timer-source.kamelet.yaml]    
contentType = application/json
+2024-09-06 07:52:26.764  INFO 40880 --- [           main] 
e.camel.impl.engine.AbstractCamelContext : Routes startup (total:1 started:1 
kamelets:1)
+2024-09-06 07:52:26.765  INFO 40880 --- [           main] 
e.camel.impl.engine.AbstractCamelContext :     Started route1 
(kamelet://timer-source)
+2024-09-06 07:52:26.765  INFO 40880 --- [           main] 
e.camel.impl.engine.AbstractCamelContext : Apache Camel 4.8.0-SNAPSHOT 
(timer-to-log-sec-kube) started in 238ms (build:0ms init:0ms start:238ms)
+2024-09-06 07:52:27.686  INFO 40880 --- [ - timer://tick] 
timer-to-log-sec-kube.yaml:26            : pwd
+```
+
+## Auto refresh of the secret and modification
+
+To show how to refresh works we'll need to change the password for the secret 
on AWS Secrets Manager while the integration is still running
+
+First run the following command:
+
+```
+aws secretsmanager put-secret-value --secret-id auth-secret --secret-string 
"{\"username\":\"<username>\",\"password\":\"<new_password>\"}"
+```
+
+In my example the values will be admin again and 'pwd1' as password.
+
+Once the secret will be synced in the integration logs you could see:
+
+Now get back to the log and you should see the following entries:
+
+```
+2024-09-06 07:56:51.041  INFO 41333 --- [ - timer://tick] 
timer-to-log-sec-kube.yaml:26            : pwd
+2024-09-06 07:57:03.866  INFO 41333 --- [pool-3-thread-3] 
s.secrets.vault.SecretsReloadTriggerTask : Update for Kubernetes Secret: 
auth-secret detected, triggering CamelContext reload
+2024-09-06 07:57:03.866  INFO 41333 --- [pool-3-thread-3] 
mel.support.DefaultContextReloadStrategy : Reloading CamelContext 
(timer-to-log-sec-kube) triggered by: 
org.apache.camel.component.kubernetes.secrets.vault.SecretsReloadTriggerTask$1@6b8765dd
+2024-09-06 07:57:04.900  INFO 41333 --- [ - timer://tick] 
timer-to-log-sec-kube.yaml:26            : pwd1
+```
+
+If you look at the description of external secret you should see the secret 
has been updated:
+
+```
+kubectl describe es example
+.
+.
+.
+.
+Status:
+  Binding:
+    Name:  auth-secret
+  Conditions:
+    Last Transition Time:   2024-09-04T12:35:22Z
+    Message:                Secret was synced
+    Reason:                 SecretSynced
+    Status:                 True
+    Type:                   Ready
+  Refresh Time:             2024-09-06T05:57:06Z
+  Synced Resource Version:  1-b206cdac36c6797383ec6c96697893dc
+Events:
+  Type    Reason   Age   From              Message
+  ----    ------   ----  ----              -------
+  Normal  Updated  48s   external-secrets  Updated Secret
+
+```
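Review bot: the credential-staging steps in this README write the AWS access key and secret key to `./access-key` and `./secret-access-key` inside the checked-in example directory and never remove them; after the `kubectl create secret generic awssm-secret ...` command the README should tell the reader to delete those two files (and never commit them). Smaller fixes in the same hunk: the heading "Setting up the secret we want to sue" should read "use"; "This complete the secret setup." should be "This completes"; the sentence "Once the secret will be synced in the integration logs you could see:" duplicates the one after it and can be dropped; and since the file is `.adoc`, the `##` headings and the Markdown backtick fences used from "Preparing the project" onward will not render as headings or listings in AsciiDoc, so they should be `==` headings and `[source,sh]` / `----` listings like the JBang section at the top.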
diff --git a/jbang/external-secrets-aws/app.properties 
b/jbang/external-secrets-aws/app.properties
new file mode 100644
index 0000000..a23d733
--- /dev/null
+++ b/jbang/external-secrets-aws/app.properties
@@ -0,0 +1,2 @@
+camel.vault.kubernetes.refreshEnabled=true
+camel.vault.kubernetes.secrets=auth-secret
diff --git a/jbang/external-secrets-aws/basic-external-secret.yaml 
b/jbang/external-secrets-aws/basic-external-secret.yaml
new file mode 100644
index 0000000..366d224
--- /dev/null
+++ b/jbang/external-secrets-aws/basic-external-secret.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: example
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: secretstore-sample
+    kind: SecretStore
+  target:
+    name: auth-secret
+    creationPolicy: Owner
+  dataFrom:
+  - extract:
+      key: auth-secret
diff --git a/jbang/external-secrets-aws/basic-secret-store.yaml 
b/jbang/external-secrets-aws/basic-secret-store.yaml
new file mode 100644
index 0000000..d656b5d
--- /dev/null
+++ b/jbang/external-secrets-aws/basic-secret-store.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: secretstore-sample
+  labels:
+    external-secrets.io/type: webhook
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: eu-west-1
+      auth:
+        secretRef:
+          accessKeyIDSecretRef:
+            name: awssm-secret
+            key: access-key
+          secretAccessKeySecretRef:
+            name: awssm-secret
+            key: secret-access-key
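Review bot: the label `external-secrets.io/type: webhook` does not match the AWS provider configured under `spec.provider.aws` and looks copied from the webhook provider sample; drop it or set it to the correct type so it does not mislead readers. Also, `region: eu-west-1` is hardcoded while the README's `aws secretsmanager create-secret` command uses the caller's default region; the README should state that this region must match the one where `auth-secret` was created, otherwise the ExternalSecret will never reach `SecretSynced`.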
diff --git a/jbang/external-secrets-aws/secret.json 
b/jbang/external-secrets-aws/secret.json
new file mode 100644
index 0000000..e5f41e5
--- /dev/null
+++ b/jbang/external-secrets-aws/secret.json
@@ -0,0 +1,4 @@
+{
+  "username": "<user>",
+  "password": "<password>"
+}
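Review bot: the README tells readers to put their real username and password into this committed `secret.json`, so anyone following the steps in a git checkout can easily commit live credentials; consider instructing them to copy it to an untracked file (or add the filled-in file to `.gitignore`) before entering values.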
diff --git a/jbang/external-secrets-aws/timer-to-log-sec-kube.yaml 
b/jbang/external-secrets-aws/timer-to-log-sec-kube.yaml
new file mode 100644
index 0000000..cbb8c10
--- /dev/null
+++ b/jbang/external-secrets-aws/timer-to-log-sec-kube.yaml
@@ -0,0 +1,26 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+##      http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+- route:
+    from:
+      uri: "kamelet:timer-source"
+      parameters:
+        message: '{"id":"1","message":"Camel Rocks"}'
+        contentType: "application/json"
+        period: 20000
+      steps:
+      - log: "{{secret:auth-secret/password}}"
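Review bot: the route logs the secret value itself (`log: "{{secret:auth-secret/password}}"`) at INFO, and the README's captured output accordingly shows `pwd` and `pwd1` in clear text; even for a demo, consider logging something that proves the reload happened without disclosing the value (for example the password length or a hash of it), so readers do not copy a pattern that ships secrets into log aggregation.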
