Encrypted KVM with Maven-Config-Plugin

I am trying to create an encrypted KVM with the apigee-config-maven-plugin. I have set up the edge.json file, but I don't want to store my KVM value in clear text. I am using Bamboo and have a secret management plugin that gives me Bamboo variables with my secret value. Is there a way that the edge.json file can replace the values with Bamboo variables, or do I need to write a script for it?

ACCEPTED SOLUTION

Hi @daniel.biales

I am afraid this is not possible within the config-plugin. What you can do is pass that variable as an argument to the Maven command and then use the maven-replacer-plugin to replace the value in your edge.json with the variable passed in the Maven command:

<plugin>
  <groupId>com.google.code.maven-replacer-plugin</groupId>
  <artifactId>replacer</artifactId>
  <version>1.5.2</version>
  <executions>
    <execution>
      <phase>process-resources</phase>
      <goals>
        <goal>replace</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <basedir>${project.root.dir}</basedir> <!--Source directory-->
    <includes>
      <include>edge.json</include> <!--path to the edge.json -->
    </includes>
    <replacements>
      <replacement>
        <token>dummy</token> <!--Put a dummy token in your edge.json -->
        <value>${secretValue}</value> <!--Value passed as argument -->
      </replacement>
    </replacements>
  </configuration>
</plugin>

Your Maven command will look like this:

mvn apigee-config:kvms -Ptest -Dapigee.config.options=create -DsecretValue=secret

This is just an example. Let me know if this works.

Would I add the dummy token to the edge.json like so?

{
  "name": "encrypted-proxy-kvm",
  "encrypted":true,
  "entry": [
    {
      "name": "MESSAGE",
      "value": "dummy"
    }
  ]
}

Yes - the replacer plugin will find this file and the corresponding token, and replace it with the value mentioned in the pom.

Awesome, this worked great. I actually ended up adding a task that ran

com.google.code.maven-replacer-plugin:replacer:replace

before running

mvn apigee-config:kvms -Ptest -Dapigee.config.options=update

This was more flexible because then I only need to edit my pom.xml file if I need to add more encrypted values; I won't need to also edit my deploy plan.

Thank you very much for the help!

Glad it worked!!!

Yes, that's the beauty. Also, if you are invoking the script using the lifecycle, you can invoke the pom using the standard Maven lifecycle - so this replacer gets executed first and then the configurations.

@ssvaidyanathan I am looking for something similar: I do not want to store secure KVM values in GitLab. How do I pass confidential KVM values and mask them during Apigee Config Maven? Is the Maven replacer the only option at the moment, or is some other solution in place?

Second, maskconfig.json https://github.com/apigee/apigee-config-maven-plugin/blob/master/samples/EdgeConfig/resources/edge/o... is this something that can help for the above use case?

No, maskconfig is for something else. It's used by Apigee, which in turn uses it to obfuscate sensitive info on Trace.

For your use, the replacer plugin is the best option, or else have those secured KVM configs in a more tightly controlled repo that only certain members (admins or DevOps) have access to. The pipeline picks that up and pushes it to Apigee.
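
The script route the original question asks about, as an added example that is not part of the thread or of either plugin: it fills each `dummy` placeholder from an environment variable set by the CI server rather than from a `-D` argument, JSON-escapes the value, and writes the result to a separate owner-only file so the committed edge.json keeps only the placeholder. The `KVM_` variable prefix, the function names and the output path are assumptions made for this example.

```python
import json
import os

# Constructed sample, shaped like the edge.json snippet posted in the thread.
SAMPLE_KVM = {
    "name": "encrypted-proxy-kvm",
    "encrypted": True,
    "entry": [{"name": "MESSAGE", "value": "dummy"}],
}

def fill_placeholders(node, env, token="dummy", prefix="KVM_"):
    """Fill placeholder values in place; return the names of unset variables.

    Assumed convention (not from the thread): the entry named MESSAGE is
    filled from the variable KVM_MESSAGE.
    """
    missing = []
    if isinstance(node, dict):
        if "name" in node and node.get("value") == token:
            var = prefix + str(node["name"])
            if env.get(var):
                node["value"] = env[var]
            else:
                missing.append(var)
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        children = []
    for child in children:
        missing += fill_placeholders(child, env, token, prefix)
    return missing

def render_file(template_path, out_path, env=os.environ):
    """Render the template to out_path (mode 0600); the template is untouched."""
    with open(template_path) as fh:
        config = json.load(fh)
    missing = fill_placeholders(config, env)
    if missing:
        # Fail the build rather than push the literal placeholder as the value.
        raise ValueError("unset secret variables: " + ", ".join(missing))
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)  # escapes quotes and backslashes in secrets
    os.chmod(out_path, 0o600)  # tighten if the file already existed
    return out_path
```

Because the walk matches any object with a `name` and a placeholder `value`, it works on the snippet above wherever it sits inside a larger configuration file.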