The goal here is to build a simple app using IBM Cloud Code Engine to update the secrets in a project.
The IBM Services which we will be using are:
It is not required to have prerequisite knowledge of these services, although brief familiarity with them helps.
You can just follow the instructions and you will be able to build this sample application.
Let's say we have a secret (for example, a TLS certificate with its private key) stored in Secrets Manager. The same secret is also stored in your Code Engine project, where it is used by the workloads running in that project.
We will build a Code Engine application that retrieves the secret from Secrets Manager and updates the copy in the project.
We will also set up Event Notifications so that whenever the secret is rotated in Secrets Manager, a notification is sent to our app and the app performs the update.
These are the steps which we will follow:
- We will create a Secrets Manager instance and an Event Notifications instance
- We will create a secret in Secrets Manager
- We will build a Code Engine app (the code is already provided)
- We will create the same secret in the Code Engine project
- We will create the necessary sources, topics, destinations, etc. in Event Notifications
- We will bind all of these components together
- Finally, we will manually rotate the secret in Secrets Manager
- We will check the app logs to verify that the secret was updated in the Code Engine project
- Install the Code Engine CLI plugin
Command: ibmcloud plugin install code-engine
- Install the Event Notifications CLI plugin, version 0.2.0 or later
Command: ibmcloud plugin install en@0.2.0
- Install the Secrets Manager CLI plugin
Command: ibmcloud plugin install secrets-manager
- Log in to your IBM Cloud account and select the region and resource group
Command: ibmcloud login --sso -g <resource-group> -r <region>
- Select the Code Engine project in which you want to use this sample application
Command: ibmcloud ce project select -n <project_name>
(Note: If you do not have a Code Engine project already, you can create a new one. Instructions can be found in the Code Engine documentation.)
- Update the api-key value in the run.sh file
- Execute the run script
Command: ./run.sh
- The run script will create an Event Notifications instance and a Secrets Manager instance on the Lite plan
- A secret containing the certificate and key will be created in Secrets Manager
- The necessary components (topics, sources, destinations and subscriptions) will be created in the Event Notifications instance
- The script will create the Code Engine application and the Code Engine secret, both in the selected project
- Finally, the script will rotate the secret in Secrets Manager with a new certificate
- When the secret is rotated, Secrets Manager will send notification to Event Notification
- Event Notification instance will then invoke the Code Engine Application
- The App will retrieve the secret from Secrets Manager and update the Secret in the project
As described above, Event Notifications invokes our application by sending it a POST request carrying the notification. There is one caveat: Event Notifications waits at most 60 seconds for a response. See the Event Notifications documentation for details.
So the app must scale up and process the request (retrieve the secret from Secrets Manager and update it in the project) within 60 seconds.
If you need to run a longer workload, use a Code Engine Job instead. Refer to the Code Engine Jobs documentation to learn more.
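The receiving side of that flow, as an added example for this page rather than the sample repo's own app code or run.sh: a small webhook handler that checks a shared token, parses the rotation notification, pulls the certificate from Secrets Manager, writes it into the project's TLS secret, and answers inside the 60-second window. The payload keys (`data.event_type`, `data.secret_id`), the event name `secret_rotated`, the `X-Webhook-Token` header and the `FakeStore` / `SAMPLE_*` stand-ins are assumptions made for the example; the real Secrets Manager and Code Engine calls are passed in as callables so the module runs offline.

```python
"""Webhook receiver that re-syncs a rotated Secrets Manager certificate into a
Code Engine TLS secret. Added example, not the sample repo's code; see the
assumptions marked in the comments below."""
import base64
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict

# Assumption: the Event Notifications webhook body carries the Secrets Manager
# event under "data" with "event_type" and "secret_id". Inspect one real
# delivery in the app logs and adjust these keys if your payload differs.
def parse_notification(body: bytes) -> Dict[str, str]:
    try:
        data = json.loads(body).get("data") or {}
    except (ValueError, AttributeError) as exc:
        raise ValueError(f"body is not a JSON object: {exc}") from None
    event_type, secret_id = data.get("event_type"), data.get("secret_id")
    if not event_type or not secret_id:
        raise ValueError("notification lacks data.event_type or data.secret_id")
    return {"event_type": event_type, "secret_id": secret_id}

# Assumption: the rotation event is named "secret_rotated". Other events
# (about-to-expire warnings, failed rotations) must not overwrite the project
# secret, so only names in this set trigger a sync.
ROTATION_EVENTS = {"secret_rotated"}

def to_tls_secret(sm_secret: Dict[str, str]) -> Dict[str, str]:
    """Map a Secrets Manager certificate (PEM fields certificate, optional
    intermediate, private_key) to the data of a Code Engine TLS secret, i.e. a
    Kubernetes tls secret: base64 tls.crt (leaf then chain) and base64 tls.key."""
    chain = sm_secret["certificate"].strip() + "\n"
    if sm_secret.get("intermediate"):
        chain += sm_secret["intermediate"].strip() + "\n"
    key = sm_secret["private_key"].strip() + "\n"
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"tls.crt": b64(chain), "tls.key": b64(key)}

def decode_tls_secret(data: Dict[str, str]) -> Dict[str, str]:
    """Inverse of to_tls_secret, for checking what was written to the project."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}

def sync_secret(secret_id: str, ce_secret_name: str,
                fetch: Callable[[str], Dict[str, str]],
                update: Callable[[str, Dict[str, str]], None],
                deadline_s: float = 60.0) -> Dict[str, object]:
    """Fetch the rotated secret and push it into the project. fetch/update wrap
    the Secrets Manager and Code Engine APIs; the result records whether the
    round trip fit inside the Event Notifications response timeout."""
    start = time.monotonic()
    data = to_tls_secret(fetch(secret_id))
    update(ce_secret_name, data)
    elapsed = time.monotonic() - start
    return {"secret_id": secret_id, "target": ce_secret_name,
            "elapsed_s": round(elapsed, 3), "within_deadline": elapsed < deadline_s}

def make_handler(fetch, update, ce_secret_name: str, shared_token: str):
    """Build the HTTP handler that Event Notifications POSTs to."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            # Assumption: the webhook destination is configured to send a custom
            # header with a shared token. Reject everything else so that a stray
            # POST cannot make the app rewrite the project secret.
            sent = self.headers.get("X-Webhook-Token", "")
            if not hmac.compare_digest(sent.encode(), shared_token.encode()):
                self.send_error(401)
                return
            length = int(self.headers.get("Content-Length") or 0)
            try:
                note = parse_notification(self.rfile.read(length))
            except ValueError as exc:
                self.send_error(400, str(exc))
                return
            # The work is done synchronously so the reply lands within 60 s.
            result: Dict[str, object] = {"ignored_event": note["event_type"]}
            if note["event_type"] in ROTATION_EVENTS:
                result = sync_secret(note["secret_id"], ce_secret_name, fetch, update)
            body = json.dumps(result).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler

# Constructed stand-ins (not a real certificate, key or notification) so the
# module can be run and exercised without IBM Cloud credentials.
SAMPLE_SM_SECRET = {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n",
    "intermediate": "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n",
}
SAMPLE_NOTIFICATION = json.dumps(
    {"data": {"event_type": "secret_rotated", "secret_id": "abc-123"}}).encode()

class FakeStore:
    """Stand-in for the real clients: fetch() would call Secrets Manager and
    update() would call the Code Engine API for the project's secret."""
    def __init__(self):
        self.updated: Dict[str, Dict[str, str]] = {}
    def fetch(self, secret_id: str) -> Dict[str, str]:
        return dict(SAMPLE_SM_SECRET)
    def update(self, name: str, data: Dict[str, str]) -> None:
        self.updated[name] = data

if __name__ == "__main__":
    store = FakeStore()
    server = HTTPServer(("127.0.0.1", 8080),
                        make_handler(store.fetch, store.update, "my-tls-secret", "change-me"))
    server.serve_forever()
```

To use it against real services, replace `FakeStore.fetch` with a call that reads the certificate secret from Secrets Manager (for example the Python SDK's `get_secret` on a `SecretsManagerV2` client) and `FakeStore.update` with a call that updates the TLS secret in the Code Engine project, and set the token in the Event Notifications webhook destination's custom headers. The sync is deliberately done before replying rather than in a background thread: an app that has finished serving requests can be scaled down, and work handed to a thread after the reply would go with it. If the round trip cannot fit in 60 seconds, log `within_deadline` and move the sync into a Code Engine Job as the page suggests.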