This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch sec-ibm-sec
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 866b21655b4d5910c563b43620029054b68e4118
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Mon Mar 3 16:46:35 2025 +0100

    Camel-IBM-Secrets-Manager: Adding documentation in Security Asciidoc too

    Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
 docs/user-manual/modules/ROOT/pages/security.adoc | 133 ++++++++++++++++++++++
 1 file changed, 133 insertions(+)

diff --git a/docs/user-manual/modules/ROOT/pages/security.adoc b/docs/user-manual/modules/ROOT/pages/security.adoc
index 261bd6627c7..b875b439717 100644
--- a/docs/user-manual/modules/ROOT/pages/security.adoc
+++ b/docs/user-manual/modules/ROOT/pages/security.adoc
@@ -581,6 +581,139 @@ This approach will return the route secret value with version '2' or default val This approach will return the username field of the database secret with version '2' or admin in case the secret doesn't exist or the version doesn't exist (in the 'secret' engine). +==== Using IBM Secrets Manager Vault + +To use this function, you'll need to provide credentials for IBM Secrets Manager vault as environment variables: + +[source,bash] +---- +export CAMEL_VAULT_IBM_TOKEN=token +export CAMEL_VAULT_IBM_SERVICE_URL=serviceUrl +---- + +You can also configure the credentials in the `application.properties` file such as: + +[source,properties] +---- +camel.vault.ibm.token = token +camel.vault.ibm.serviceUrl = serviceUrl +---- + +NOTE: if you're running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or Configmap to enhance security. You can also enhance security by xref:manual::using-propertyplaceholder.adoc#_resolving_property_placeholders_on_cloud[setting a Secret property placeholder] which will be initialized at application runtime only. + +NOTE: `camel.vault.ibm` configuration only applies to the IBM Secrets Manager Vault properties function (E.g when resolving properties). +When using the `operation` option to create, get, list secrets etc., you should provide the `token` and `serviceUrl` options. + +At this point, you'll be able to reference a property in the following way: + +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <to uri="{{ibm:default:route}}"/> + </route> +</camelContext> +---- + +Where route will be the name of the secret stored in the IBM Secrets Manager Vault instance, in the 'default' secret group. 
+ +You could specify a default value in case the secret is not present on IBM Secrets Manager Vault instance: + +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <to uri="{{ibm:default:route:default}}"/> + </route> +</camelContext> +---- + +In this case, if the secret doesn't exist in the 'default' secret group, the property will fall back to "default" as value. + +Also, you are able to get a particular field of the secret, if you have, for example, a secret named database of this form: + +[source,bash] +---- +{ + "username": "admin", + "password": "password123", + "engine": "postgres", + "host": "127.0.0.1", + "port": "3128", + "dbname": "db" +} +---- + +You're able to do get single secret value in your route, in the 'default' secret group, like for example: + +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <log message="Username is {{ibm:default:database#username}}"/> + </route> +</camelContext> +---- + +Or re-use the property as part of an endpoint. + +You could specify a default value in case the particular field of secret is not present on IBM Secrets Manager Vault instance, in the 'secret' engine: + +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <log message="Username is {{ibm:default:database#username:admin}}"/> + </route> +</camelContext> +---- + +In this case, if the secret doesn't exist or the secret exists (in the 'default' secret group) but the username field is not part of the secret, the property will fall back to "admin" as value. + +There is also the syntax to get a particular version of the secret for both the approaches, with field/default value specified or only with secret: + +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <to uri="{{ibm:default:route@2}}"/> + </route> +</camelContext> +---- + +This approach will return the RAW route secret with version '2', in the 'default' secret group. 
+ +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <to uri="{{ibm:default:route:default@2}}"/> + </route> +</camelContext> +---- + +This approach will return the route secret value with version '2' or default value in case the secret doesn't exist or the version doesn't exist (in the 'default' secret group). + +[source,xml] +---- +<camelContext> + <route> + <from uri="direct:start"/> + <log message="Username is {{ibm:default:database#username:admin@2}}"/> + </route> +</camelContext> +---- + +This approach will return the username field of the database secret with version '2' or admin in case the secret doesn't exist or the version doesn't exist (in the 'default' secret group). + +The only requirement is adding the camel-ibm-secrets-manager jar to your Camel application. + ==== Automatic Camel context reloading on Secret Refresh while using AWS Secrets Manager Being able to reload Camel context on a Secret Refresh, could be done by specifying the usual credentials (the same used for AWS Secret Manager Property Function).
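Review bot: The paragraph introducing the field-with-default example ("You could specify a default value in case the particular field of secret is not present on IBM Secrets Manager Vault instance, in the 'secret' engine:") carries over the HashiCorp Vault wording; IBM Secrets Manager has no 'secret' engine, and the rest of this section consistently says "in the 'default' secret group", so this sentence should say the same or readers will look for an engine that does not exist. Two smaller doc points in the same hunk: the sample `database` secret is JSON but is fenced as `[source,bash]`, and should be `[source,json]` like the other vault sections; and "You're able to do get single secret value in your route" should read "You're able to get a single secret value in your route" (also "E.g when" should be "E.g. when"). On the credentials block, the first NOTE already steers users toward a Kubernetes Secret or a Secret property placeholder rather than a plaintext `camel.vault.ibm.token` in `application.properties`; it would help to state explicitly that the token is a credential that must not be committed to source control alongside that properties file, since the example shows it inline.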