Support for vault archives that are exported from App Connect Enterprise
As part of our recent Continuous Delivery (CD) release of IBM App Connect Operator 12.11.0, we've introduced two new configuration types. These new configuration types make it easier to upload an integration server vault or external directory vault by using the export facility provided by App Connect Enterprise.
- Vault archive
- Vault archive key
For some time, our container offering has let you consume a vault that you created in App Connect Enterprise, by using the Vault and Vault key configuration types. However, obtaining the compressed vault content that is needed to create a Vault configuration object has not been a seamless experience.
With the new Vault archive and Vault archive key configuration types, we accept exactly what App Connect Enterprise exports, which should give an easier user experience with fewer manual steps. To enable this, we make use of the export functionality provided by either the mqsivault or the ibmint command, which lets you create a vault archive that contains the credentials you want to use in the containerized environment.
Example
This example shows what the new configurations look like in practice and uses the mqsivault command to export an external directory vault that was created with the App Connect Enterprise Toolkit.
To create our vault archive in .zip format within our /tmp directory, we'll run the following command. In addition to the external directory vault key, we're also providing an archive key that can be used to secure our vault archive.
mqsivault --export --ext-vault-dir TEST_EXT_DIR_VAULT/ --ext-vault-key robustPassword1 --archive-location /tmp/ext-dir.zip --archive-key robustPassword2
Now that we have a vault archive, we can create a configuration of type Vault archive to use in our containerized environment. We'll start by Base64 encoding the .zip file we've just created.
cat /tmp/ext-dir.zip | base64
Next, we'll use the Base64-encoded string to create a configuration of type Vault archive. In our Configuration custom resource (CR), notice that spec.type is set to vaultarchive and spec.data contains our Base64-encoded string.
apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: vault-archive-upload
  namespace: ace-mac
spec:
  type: vaultarchive
  data: <Base64-encoded contents of /tmp/ext-dir.zip>
To go alongside this configuration object, we need a corresponding Vault archive key configuration that stores the archive key that we specified earlier in the mqsivault command. In this new Configuration CR, we'll set spec.type to vaultarchivekey and spec.data to the Base64-encoded string value of our archive key.
apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: vault-archive-key-upload
  namespace: ace-mac
spec:
  type: vaultarchivekey
  data: cm9idXN0UGFzc3dvcmQy
Now that we've created both of these configurations, we can reference them in our desired integration runtimes to enable the use of our sensitive data where required.
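The steps above (export, Base64-encode, write the two Configuration CRs) can be scripted so that the encoding pitfalls are handled once. The script below is an added example; it is not part of the original post or of the IBM App Connect Operator project. It assumes the vault archive has already been exported with the mqsivault command shown earlier, that the CR names and the ace-mac namespace are the illustrative ones used above, and that the output directory is a local path you choose. Two details it takes care of that the one-line pipeline does not: GNU base64 wraps its output at 76 columns, which would turn spec.data into an invalid multi-line YAML scalar, and encoding the archive key with echo would include a trailing newline in the stored key. It also refuses any input that does not carry a .zip file signature before writing anything.

```shell
#!/bin/sh
# Added example (not the post's or the operator's own code): build the
# Vault archive and Vault archive key Configuration CRs from an exported
# vault archive, with the Base64 payloads kept on a single line.
# Assumptions: the .zip was produced by "mqsivault --export ..." as shown
# in the post; CR names and the namespace are illustrative.
set -eu

# Base64-encode a file as one line. GNU base64 wraps at 76 columns by
# default, which breaks the YAML scalar, so newlines are stripped
# (this works with both GNU and BSD base64).
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# Base64-encode a string without a trailing newline (echo would add one,
# and that newline would become part of the stored archive key).
b64_string() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit one Configuration CR of the given type carrying the given payload.
render_configuration() {
  name=$1; namespace=$2; type=$3; data=$4
  cat <<EOF
apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: ${name}
  namespace: ${namespace}
spec:
  type: ${type}
  data: ${data}
EOF
}

# Sanity check: a vault archive exported by mqsivault is a .zip, so refuse
# anything that does not start with the zip local-file-header signature
# "PK\003\004" (bytes 50 4b 03 04).
is_zip_archive() {
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Write both CRs into the output directory. Usage:
#   write_vault_archive_configs /tmp/ext-dir.zip robustPassword2 ace-mac ./out
# then: kubectl apply -f ./out/
write_vault_archive_configs() {
  zip_path=$1; archive_key=$2; namespace=$3; out_dir=$4
  is_zip_archive "$zip_path" || { echo "not a zip archive: $zip_path" >&2; return 1; }
  mkdir -p "$out_dir"
  render_configuration vault-archive-upload "$namespace" vaultarchive \
    "$(b64_file "$zip_path")" > "$out_dir/vault-archive.yaml"
  render_configuration vault-archive-key-upload "$namespace" vaultarchivekey \
    "$(b64_string "$archive_key")" > "$out_dir/vault-archive-key.yaml"
}

# Run as a script when given the four arguments; otherwise only define the functions.
if [ $# -eq 4 ]; then
  write_vault_archive_configs "$@"
fi
```

Passing the archive key as a command-line argument, as the mqsivault command in the post also does, leaves it visible in shell history and in the process list; reading it from an environment variable or a prompt instead is a small change to the script if that matters in your environment.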