Storing service account keys in Kubernetes secrets

This page describes how to store Apigee hybrid service account keys in Kubernetes secrets. Storing service account keys in Kubernetes secrets enhances security and streamlines management within your Kubernetes environment. With keys stored in secrets, you do not need to store them on the file system.

Service accounts

Hybrid uses the following service accounts:

Production

  • apigee-cassandra (if scheduling backups in Cloud Storage)
  • apigee-logger
  • apigee-mart
  • apigee-metrics
  • apigee-mint-task-scheduler (if you are using Monetization for Apigee hybrid)
  • apigee-runtime
  • apigee-synchronizer
  • apigee-udca
  • apigee-watcher

Non-prod

  • apigee-non-prod
Before you begin

This procedure uses two optional environment variables: $APIGEE_HELM_CHARTS_HOME and $PROJECT_ID. If you do not define these variables, substitute the appropriate value for each variable in the code samples.

  1. Create a directory for the service account keys in the $APIGEE_HELM_CHARTS_HOME directory:
    mkdir -p $APIGEE_HELM_CHARTS_HOME/service-accounts
  2. Verify that you can execute the create-service-account tool. If you recently downloaded the charts, the create-service-account file might not be executable. In your $APIGEE_HELM_CHARTS_HOME directory, run the following command:
    $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
    --help

    If the output indicates a permission denied error, make the file executable. For example, use chmod in Linux, macOS, or UNIX:

    chmod +x $APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account

Create service account keys

Create or update the service accounts and download the key files using the create-service-account tool. This action downloads one JSON file for each service account.

The service account key filenames will have the following format: $PROJECT_ID-apigee-SERVICE_ACCOUNT_NAME.json

Production

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --env prod \
  --dir $APIGEE_HELM_CHARTS_HOME/service-accounts

Non-prod

$APIGEE_HELM_CHARTS_HOME/apigee-operator/etc/tools/create-service-account \
  --env non-prod \
  --dir $APIGEE_HELM_CHARTS_HOME/service-accounts

Create Kubernetes secrets

Create the Kubernetes secrets to store the service account keys.

The kubectl create secret command in the following code samples has the structure:

kubectl create secret generic SECRET_NAME \
  --from-file="client_secret.json=PATH_TO_SERVICE_ACCOUNT_KEY" \
  -n APIGEE_NAMESPACE

Production

Create the secrets with the following commands:

  • apigee-cassandra (if scheduling backups in Cloud Storage)
    kubectl create secret generic apigee-cassandra-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-cassandra.json" \
      -n APIGEE_NAMESPACE
  • apigee-logger
    kubectl create secret generic apigee-logger-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-logger.json" \
      -n APIGEE_NAMESPACE
  • apigee-mart
    kubectl create secret generic apigee-mart-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-mart.json" \
      -n APIGEE_NAMESPACE
  • apigee-metrics
    kubectl create secret generic apigee-metrics-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-metrics.json" \
      -n APIGEE_NAMESPACE
  • apigee-mint-task-scheduler (if you are using Monetization for Apigee hybrid)
    kubectl create secret generic apigee-mint-task-scheduler-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-mint-task-scheduler.json" \
      -n APIGEE_NAMESPACE
  • apigee-runtime
    kubectl create secret generic apigee-runtime-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-runtime.json" \
      -n APIGEE_NAMESPACE
  • apigee-synchronizer
    kubectl create secret generic apigee-synchronizer-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-synchronizer.json" \
      -n APIGEE_NAMESPACE
  • apigee-udca
    kubectl create secret generic apigee-udca-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-udca.json" \
      -n APIGEE_NAMESPACE
  • apigee-watcher
    kubectl create secret generic apigee-watcher-svc-account \
      --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-watcher.json" \
      -n APIGEE_NAMESPACE

Non-prod

kubectl create secret generic apigee-non-prod-svc-account \
  --from-file="client_secret.json=$APIGEE_HELM_CHARTS_HOME/service-accounts/$PROJECT_ID-apigee-non-prod.json" \
  -n APIGEE_NAMESPACE
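The secret-creation step above, as an added example that is not part of the Apigee documentation or charts: a POSIX shell helper that refuses a key file that is missing, readable by other users, not a service_account key, or issued for a different account or project, and then runs the same kubectl create secret command the page shows. APIGEE_HELM_CHARTS_HOME, PROJECT_ID, APIGEE_NAMESPACE and the optional KUBECTL wrapper variable are assumptions; the key it can write for offline testing is constructed, with a placeholder private key.

```shell
#!/bin/sh
# Added example, not part of the Apigee hybrid docs or charts: check a key
# downloaded by create-service-account before loading it into a secret, then
# run the same kubectl command the page shows. Assumes APIGEE_HELM_CHARTS_HOME,
# PROJECT_ID and APIGEE_NAMESPACE are set; KUBECTL may point at a wrapper.
set -eu

# Key file path in the naming scheme create-service-account uses.
sa_key_path() {
    printf '%s/service-accounts/%s-apigee-%s.json\n' \
        "$APIGEE_HELM_CHARTS_HOME" "$PROJECT_ID" "$1"
}

# Refuse a key that is missing, readable by others, not a service_account
# key, or issued to a different account/project than the one expected.
validate_sa_key() {  # validate_sa_key NAME FILE
    name="$1"; file="$2"
    [ -f "$file" ] || { echo "missing key file: $file" >&2; return 1; }
    perms=$(ls -ld "$file" | cut -c1-10)
    [ "$perms" = "-rw-------" ] ||
        { echo "$file has mode $perms; run chmod 600 first" >&2; return 1; }
    grep -q '"type": *"service_account"' "$file" ||
        { echo "$file: not a service account key" >&2; return 1; }
    want="apigee-$name@$PROJECT_ID.iam.gserviceaccount.com"
    grep -q "\"client_email\": *\"$want\"" "$file" ||
        { echo "$file: client_email is not $want" >&2; return 1; }
}

# Create the secret the way the page does: the key is stored under the
# client_secret.json key of apigee-NAME-svc-account in APIGEE_NAMESPACE.
create_sa_secret() {  # create_sa_secret NAME
    file=$(sa_key_path "$1")
    validate_sa_key "$1" "$file"
    "${KUBECTL:-kubectl}" create secret generic "apigee-$1-svc-account" \
        --from-file="client_secret.json=$file" -n "$APIGEE_NAMESPACE"
}

# Constructed stand-in for a downloaded key (placeholder private key) so the
# checks above can be exercised offline; it is not a real key.
write_constructed_key() {  # write_constructed_key NAME FILE
    mkdir -p "$(dirname "$2")"
    printf '{\n  "type": "service_account",\n  "project_id": "%s",\n' "$PROJECT_ID" > "$2"
    printf '  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",\n' >> "$2"
    printf '  "client_email": "apigee-%s@%s.iam.gserviceaccount.com"\n}\n' "$1" "$PROJECT_ID" >> "$2"
    chmod 600 "$2"
}
```

Setting KUBECTL=echo prints the kubectl command instead of running it, which is a convenient way to review the exact secret names and paths before touching the cluster.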

Reference service account keys in configuration

After storing service account keys as Kubernetes secrets, update your Hybrid overrides.yaml file to reference these secrets instead of direct file paths. Replace the relevant serviceAccountPath properties with serviceAccountRef, or with serviceAccountSecretRefs in the envs section.

Use the following serviceAccountSecretRefs and serviceAccountRef configurations in the appropriate sections of your overrides.yaml:

Production

envs:
- name: test
  serviceAccountSecretRefs:
    synchronizer: apigee-synchronizer-svc-account
    runtime: apigee-runtime-svc-account
    udca: apigee-udca-svc-account

mart:
  serviceAccountRef: apigee-mart-svc-account
  # Use the same service account for mart.serviceAccountRef and connectAgent.serviceAccountRef

connectAgent:
  serviceAccountRef: apigee-mart-svc-account
  # Use the same service account for mart.serviceAccountRef and connectAgent.serviceAccountRef

logger:
  serviceAccountRef: apigee-logger-svc-account

metrics:
  serviceAccountRef: apigee-metrics-svc-account

udca:
  serviceAccountRef: apigee-udca-svc-account

watcher:
  serviceAccountRef: apigee-watcher-svc-account

# If scheduling backups in Cloud Storage
cassandra:
  backup:
    serviceAccountRef: apigee-cassandra-svc-account

# If using Monetization for Apigee hybrid
mintTaskScheduler:
  serviceAccountRef: apigee-mint-task-scheduler-svc-account

Non-prod

envs:
- name: test-env
  serviceAccountSecretRefs:
    synchronizer: apigee-non-prod-svc-account
    runtime: apigee-non-prod-svc-account
    udca: apigee-non-prod-svc-account

mart:
  serviceAccountRef: apigee-non-prod-svc-account

connectAgent:
  serviceAccountRef: apigee-non-prod-svc-account

logger:
  serviceAccountRef: apigee-non-prod-svc-account

metrics:
  serviceAccountRef: apigee-non-prod-svc-account

udca:
  serviceAccountRef: apigee-non-prod-svc-account

watcher:
  serviceAccountRef: apigee-non-prod-svc-account

# If scheduling backups in Cloud Storage
cassandra:
  backup:
    serviceAccountRef: apigee-non-prod-svc-account

# If using Monetization for Apigee hybrid
mintTaskScheduler:
  serviceAccountRef: apigee-non-prod-svc-account

Apply configuration changes

Apply the changes to the apigee-telemetry, apigee-org, and apigee-env charts with the following commands:

  1. Upgrade the Apigee telemetry:
    helm upgrade telemetry apigee-telemetry/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    
  2. Upgrade the Apigee organization:
    helm upgrade ORG_NAME apigee-org/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    
  3. Upgrade the environment.

    Specify the environment with --set env=ENV_NAME. Repeat this command for each environment.

    helm upgrade ENV_RELEASE_NAME apigee-env/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --set env=ENV_NAME \
      -f OVERRIDES_FILE
    

What's next