Secrets management by using a vault init container
You can use external vault software to manage your FTM secrets instead of using the Red Hat® OpenShift® secrets. Provide an init container image that interfaces with the vault software and makes its information available to the Financial Transaction Manager (FTM) application containers. The FTM images do not provide this interface.
For the solutions that use IBM App Connect, the truststore and keystore passwords need to be stored in Red Hat OpenShift secrets so the IBM App Connect components can access them. If those passwords are not specified in the FTM custom resource, the FTM operator creates random passwords and stores them in a secret to use for the truststore and keystore passwords.
When you use an external secure vault, FTM stores its certificates, keys, and passwords in the external vault instead of in Red Hat OpenShift secrets. The FTM TLS CA certificate, however, must be stored in a Red Hat OpenShift secret. Reference this secret by using the spec.config.security.certificate key in the FTM custom resource.
A vault init container reads the secrets from an external vault and makes that information available for the FTM application containers to use. After the vault init container reads the secrets from the external vault, it puts the secrets in a file named /shared/vars.env. If this file exists, the FTM containers read the secrets from the file and ignore the values that are in the Red Hat OpenShift secrets.
The init container must mount a volume that is named ftm-shared. The FTM containers also mount this volume and read the vars.env file that the init container created in this volume.
Init containers that are used to interface with external vault software must be named ftm-init-secrets.
Create the vault secrets file for the FTM containers

Add values to the vars.env file as plain text, except for the values for the key names that represent binary files. Add the values for these key names as Base64 encoded values. For example, the KEY_P12 and TRUSTSTORE_JKS key names represent binary files. The following example shows the format of the vars.env file:

DB_PASSWORD=db2pw
QMGR_PASSWORD=mqpw
KSTORE_PASSWORD=kspw
TSTORE_PASSWORD=tspw
FXH_PASSWORD=fxhpw
KEY_P12=<Base64 encoded value>
TRUSTSTORE_JKS=<Base64 encoded value>
The entrypoint script of the FTM containers looks up these keys by name. It either uses the values directly in the component configuration or uses them to update the configuration. The keys include the certificate and keystore files that Red Hat OpenShift Container Platform secrets support, for example the KEY_P12 and TRUSTSTORE_JKS key names. These key names are made available as environment variables to the FTM process that runs inside the FTM container.
For more information about the keys, see Key names for the vault secrets file.
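The following entrypoint script is an added example of what a user-supplied ftm-init-secrets init container might run; it is not IBM's code and not part of the FTM images. It assumes the SHARED_FILE environment variable from the deployment snippet on this page, and the vault lookup itself (fetch_secret and fetch_binary) is a stub that returns constructed sample values, to be replaced with the CLI or API call for the vault product in use. It writes plain-text passwords as-is and Base64-encodes the binary keystore files, then re-reads the file to confirm every expected key is present and decodes, which is the same condition the FTM containers log when they find the keys in the shared file.

```shell
#!/bin/sh
# Added example entrypoint for a user-supplied ftm-init-secrets init container.
# Not IBM's code. fetch_secret/fetch_binary are stubs returning constructed
# sample data; replace them with your vault's lookup command.
set -eu

SHARED_FILE="${SHARED_FILE:-/shared/vars.env}"   # env var from the FTM CR snippet

TEXT_KEYS="DB_PASSWORD QMGR_PASSWORD KSTORE_PASSWORD TSTORE_PASSWORD FXH_PASSWORD"
BINARY_KEYS="KEY_P12 TRUSTSTORE_JKS"

# fetch_secret <name>: prints the plain-text secret for <name>.
# Stub: constructed sample values standing in for a real vault lookup.
fetch_secret() {
  case "$1" in
    DB_PASSWORD)     printf '%s' 'db2pw' ;;
    QMGR_PASSWORD)   printf '%s' 'mqpw' ;;
    KSTORE_PASSWORD) printf '%s' 'kspw' ;;
    TSTORE_PASSWORD) printf '%s' 'tspw' ;;
    FXH_PASSWORD)    printf '%s' 'fxhpw' ;;
    *) echo "unknown secret: $1" >&2; return 1 ;;
  esac
}

# fetch_binary <name> <dest>: writes the binary secret (keystore/truststore)
# to <dest>. Stub: constructed bytes instead of a real PKCS#12 or JKS file.
fetch_binary() {
  case "$1" in
    KEY_P12)        printf 'PKCS12-SAMPLE-BYTES' > "$2" ;;
    TRUSTSTORE_JKS) printf 'JKS-SAMPLE-BYTES' > "$2" ;;
    *) echo "unknown binary secret: $1" >&2; return 1 ;;
  esac
}

# write_vars_env <path>: writes the KEY=value file the FTM containers read.
# Text values are written verbatim; binary files are Base64-encoded on one line.
# The file is assembled under a restrictive umask and moved into place atomically
# so the FTM containers never see a partially written file.
write_vars_env() {
  out="$1"
  tmp="$out.tmp"
  mkdir -p "$(dirname "$out")"
  umask 077
  : > "$tmp"
  for key in $TEXT_KEYS; do
    printf '%s=%s\n' "$key" "$(fetch_secret "$key")" >> "$tmp"
  done
  for key in $BINARY_KEYS; do
    bin="$out.$key.bin"
    fetch_binary "$key" "$bin"
    printf '%s=%s\n' "$key" "$(base64 < "$bin" | tr -d '\n')" >> "$tmp"
    rm -f "$bin"
  done
  mv "$tmp" "$out"
}

# get_var <path> <key>: prints the value stored for <key> in the file.
get_var() {
  sed -n "s/^$2=//p" "$1"
}

# check_vars_env <path>: returns 0 only if every expected key is present and
# each Base64 value decodes; a failed check here means the FTM containers
# would not report all keys as found.
check_vars_env() {
  f="$1"
  for key in $TEXT_KEYS $BINARY_KEYS; do
    grep -q "^$key=" "$f" || { echo "missing key: $key" >&2; return 1; }
  done
  for key in $BINARY_KEYS; do
    get_var "$f" "$key" | base64 -d > /dev/null 2>&1 \
      || { echo "invalid Base64 for $key" >&2; return 1; }
  done
  return 0
}

# Init container entrypoint: write the shared file, then verify it.
if [ "${1:-}" = "run" ]; then
  write_vars_env "$SHARED_FILE"
  check_vars_env "$SHARED_FILE" && echo "secrets written to $SHARED_FILE"
fi
```

Invoked as `entrypoint.sh run` inside the init container with the ftm-shared volume mounted at /shared, the script leaves /shared/vars.env behind for the FTM containers and exits non-zero if any key is missing, which stops the pod before the application containers start with incomplete secrets.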
Deploy init container with FTM

The following example shows how to define the init container:

init:
  default:
    initContainers:
    - name: ftm-init-secrets
      image: <init-image>
      volumeMounts:
      - name: ftm-shared
        mountPath: /shared
      env:
      - name: SHARED_FILE
        value: /shared/vars.env

Verify that the vault data was received by the FTM containers
If init container support is enabled and the FTM secrets were successfully retrieved from the external vault, you see specific log messages in the container logs. The following examples show the format of the vault data messages that are logged in the container logs.
[Info] Following Keys are found in the shared file
<Key1> <Key2> <Key3>
.......
.......
<KeyN>