This is an automated email from the ASF dual-hosted git repository. pcongiusti pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push: new 3ae0f2c6e58 chore(doc): suggest best security practice on cloud environments 3ae0f2c6e58 is described below commit 3ae0f2c6e58a948748f15263b43be63010e5cde3 Author: Pasquale Congiusti <pasquale.congiu...@gmail.com> AuthorDate: Wed Oct 23 16:57:45 2024 +0200 chore(doc): suggest best security practice on cloud environments --- .../src/main/docs/aws-secrets-manager-component.adoc | 6 ++++-- .../src/main/docs/azure-key-vault-component.adoc | 4 +++- .../src/main/docs/google-secret-manager-component.adoc | 8 +++++--- .../src/main/docs/hashicorp-vault-component.adoc | 4 +++- 4 files changed, 15 insertions(+), 7 deletions(-) diff --git a/components/camel-aws/camel-aws-secrets-manager/src/main/docs/aws-secrets-manager-component.adoc b/components/camel-aws/camel-aws-secrets-manager/src/main/docs/aws-secrets-manager-component.adoc index 5928786ad71..02e52c6a209 100644 --- a/components/camel-aws/camel-aws-secrets-manager/src/main/docs/aws-secrets-manager-component.adoc +++ b/components/camel-aws/camel-aws-secrets-manager/src/main/docs/aws-secrets-manager-component.adoc @@ -59,8 +59,8 @@ The order of evaluation for Default Credentials Provider is the following: - Web Identity Token from AWS STS. - The shared credentials and config files. - Amazon ECS container credentials - loaded from the Amazon ECS if the environment variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. - - Amazon EC2 Instance profile credentials. - + - Amazon EC2 Instance profile credentials. + You have also the possibility of using Profile Credentials Provider, by specifying the useProfileCredentialsProvider option to true and profileCredentialsName to the profile name. Only one of static, default and profile credentials could be used at the same time. 
@@ -87,6 +87,8 @@ camel.vault.aws.secretKey = secretKey camel.vault.aws.region = region ---- +NOTE: if you're running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or Configmap to enhance security. You can also enhance security by xref:manual::using-propertyplaceholder.adoc#_resolving_property_placeholders_on_cloud[setting a Secret property placeholder] which will be initialized at application runtime only. + If you want instead to use the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html[AWS default credentials provider], you'll need to provide the following env variables: [source,bash] diff --git a/components/camel-azure/camel-azure-key-vault/src/main/docs/azure-key-vault-component.adoc b/components/camel-azure/camel-azure-key-vault/src/main/docs/azure-key-vault-component.adoc index 8ca4c13034b..860793598fa 100644 --- a/components/camel-azure/camel-azure-key-vault/src/main/docs/azure-key-vault-component.adoc +++ b/components/camel-azure/camel-azure-key-vault/src/main/docs/azure-key-vault-component.adoc @@ -15,7 +15,7 @@ *{component-header}* -The azure-key-vault component that integrates https://azure.microsoft.com/en-us/services/key-vault/[Azure Key Vault]. +The azure-key-vault component that integrates https://azure.microsoft.com/en-us/services/key-vault/[Azure Key Vault]. Prerequisites @@ -80,6 +80,8 @@ camel.vault.azure.clientSecret = clientSecret camel.vault.azure.vaultName = vaultName ---- +NOTE: if you're running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or Configmap to enhance security. You can also enhance security by xref:manual::using-propertyplaceholder.adoc#_resolving_property_placeholders_on_cloud[setting a Secret property placeholder] which will be initialized at application runtime only. + Or you can enable the usage of Azure Identity in the following way: [source,bash] 
diff --git a/components/camel-google/camel-google-secret-manager/src/main/docs/google-secret-manager-component.adoc b/components/camel-google/camel-google-secret-manager/src/main/docs/google-secret-manager-component.adoc index a144984366c..dcccdf17458 100644 --- a/components/camel-google/camel-google-secret-manager/src/main/docs/google-secret-manager-component.adoc +++ b/components/camel-google/camel-google-secret-manager/src/main/docs/google-secret-manager-component.adoc @@ -88,7 +88,7 @@ include::partial$component-endpoint-options.adoc[] include::partial$component-endpoint-headers.adoc[] // component headers: END -=== Using GCP Secret Manager Properties Source +=== Using GCP Secret Manager Property Function To use GCP Secret Manager, you need to provide `serviceAccountKey` file and GCP `projectId`. This can be done using environmental variables before starting the application: @@ -107,6 +107,8 @@ camel.vault.gcp.serviceAccountKey = serviceAccountKey camel.vault.gcp.projectId = projectId ---- +NOTE: if you're running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or Configmap to enhance security. You can also enhance security by xref:manual::using-propertyplaceholder.adoc#_resolving_property_placeholders_on_cloud[setting a Secret property placeholder] which will be initialized at application runtime only. + If you want instead to use the https://cloud.google.com/docs/authentication/production[GCP default client instance], you'll need to provide the following env variables: [source,bash] 
@@ -234,7 +236,7 @@ This approach will return the route secret value with version '1' or default val This approach will return the username field of the database secret with version '1' or admin in case the secret doesn't exist or the version doesn't exist. -There are only two requirements: +There are only two requirements: - Adding `camel-google-secret-manager` JAR to your Camel application. - Give the service account used permissions to do operation at secret management level, (for example, accessing the secret payload, or being admin of secret manager service) @@ -281,7 +283,7 @@ The `camel.vault.gcp.subscriptionName` is the subscription name created in relat This mechanism while making use of the notification system related to Google Secret Manager: through this feature, every secret could be associated with one up to ten Google Pubsub Topics. These topics will receive events related to the life cycle of the secret. -There are only two requirements: +There are only two requirements: - Adding `camel-google-secret-manager` JAR to your Camel application. - Give the service account used permissions to do operation at secret management level, (for example, accessing the secret payload, or being admin of secret manager service and also have permission over the Pubsub service) diff --git a/components/camel-hashicorp-vault/src/main/docs/hashicorp-vault-component.adoc b/components/camel-hashicorp-vault/src/main/docs/hashicorp-vault-component.adoc index 7f7b182d041..88e5f674cfd 100644 --- a/components/camel-hashicorp-vault/src/main/docs/hashicorp-vault-component.adoc +++ b/components/camel-hashicorp-vault/src/main/docs/hashicorp-vault-component.adoc @@ -14,7 +14,7 @@ *{component-header}* -The hashicorp-vault component that integrates https://www.vaultproject.io/[Hashicorp Vault]. +The hashicorp-vault component that integrates https://www.vaultproject.io/[Hashicorp Vault]. == URI Format 
@@ -71,6 +71,8 @@ camel.vault.hashicorp.port = port camel.vault.hashicorp.scheme = scheme ---- +NOTE: if you're running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or Configmap to enhance security. You can also enhance security by xref:manual::using-propertyplaceholder.adoc#_resolving_property_placeholders_on_cloud[setting a Secret property placeholder] which will be initialized at application runtime only. + NOTE: `camel.vault.hashicorp` configuration only applies to the Hashicorp Vault properties function (E.g when resolving properties). When using the `operation` option to create, get, list secrets etc., you should provide the `host`, `port`, `scheme` (if required) & `token` options.
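Review bot: In the aws-secrets-manager-component.adoc hunk at @@ -87,6 +87,8 @@, the added NOTE tells readers they can initialize the environment variables "from a Secret or Configmap to enhance security", but the value configured just above it (camel.vault.aws.secretKey) is a credential, and a ConfigMap is plain, non-sensitive configuration, so sourcing it from a ConfigMap does not improve anything; suggest limiting the advice to a Secret for the credential values (a ConfigMap is fine for camel.vault.aws.region) and using the canonical spelling "ConfigMap". The second sentence, "which will be initialized at application runtime only", is vague about what the placeholder buys; suggest saying plainly that the value is resolved by the running application instead of being exposed in the container environment. Minor: "Kubernetes-based" should be hyphenated and the admonition text should start with a capital letter after "NOTE:".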
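Review bot: In the azure-key-vault-component.adoc hunk at @@ -80,6 +80,8 @@, the added NOTE is the same text that is added verbatim to the AWS, Google and Hashicorp component docs in this commit; these copies will drift the next time someone fixes the wording in one of them. The docs already use partials (see the include::partial$component-endpoint-options.adoc[] lines in the Google hunk), so suggest moving this admonition into a shared partial and including it from all four files. The ConfigMap/Secret wording issue raised for the AWS hunk applies here as well, since camel.vault.azure.clientSecret is a credential.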
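Review bot: In the azure-key-vault-component.adoc hunk at @@ -15,7 +15,7 @@, the only change is stripping trailing whitespace, but the line being touched is a sentence fragment ("The azure-key-vault component that integrates ... Azure Key Vault."); since it is already in the diff, suggest making it a full sentence, e.g. "The azure-key-vault component integrates https://azure.microsoft.com/en-us/services/key-vault/[Azure Key Vault]." The hashicorp-vault-component.adoc hunk at @@ -14,7 +14,7 @@ has the identical fragment ("The hashicorp-vault component that integrates ... Hashicorp Vault.") and deserves the same fix.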
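Review bot: In the google-secret-manager-component.adoc hunk at @@ -88,7 +88,7 @@, renaming the heading from "Using GCP Secret Manager Properties Source" to "Using GCP Secret Manager Property Function" changes the auto-generated Asciidoc section id, so any existing xref that points at the old id will break; suggest checking the docs for references to the old heading and, if any exist, adding an explicit anchor above the new heading to keep them working. While this section is being edited, "environmental variables" in the context line should read "environment variables".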
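Review bot: In the google-secret-manager-component.adoc hunks at @@ -234,7 +236,7 @@ and @@ -281,7 +283,7 @@, the change is whitespace-only on "There are only two requirements:", but the bullet that follows in both hunks, "Give the service account used permissions to do operation at secret management level, (for example, ...)", is hard to read; since these lines are in the diff anyway, suggest rewording to something like "Grant the service account permissions to operate at the secret management level (for example, to access the secret payload, or to administer the Secret Manager service)", and in the second hunk keep the Pub/Sub permission clause.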
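Review bot: In the hashicorp-vault-component.adoc hunk at @@ -71,6 +71,8 @@, the insertion creates two consecutive NOTE admonitions, and the new one sits in front of the existing note that explains the scope of the camel.vault.hashicorp configuration; suggest placing the new note after the existing one, or merging the two, so the scope statement comes first. The new note should also name the value it protects: for this component the credential is the token option mentioned in the following note, and the advice about sourcing it from a Secret (not a ConfigMap) applies to that value specifically.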