Are you an API Connect user managing your appliance in an OVA environment? If so, you're likely responsible for rotating encryption secrets for both the Management and Portal subsystems. This process is beneficial for bolstering the security and integrity of your API Connect environment.
In this blog post, we'll tackle the complexities of rotating encryption secrets in API Connect v10.0.8.1 and earlier versions. We'll then highlight the significant enhancements introduced in v10.0.8.2, which simplify the encryption secret rotation process for API Connect users. Regardless of whether you're managing Standalone or 2DCDR setups, or handling the Management and Portal subsystems, this post will equip you with the essential steps to effortlessly rotate encryption secrets in your API Connect appliance. Let's dive in and simplify your encryption secret rotation process!
In API Connect v10.0.8.1 and earlier versions, managing encryption secret rotation in the OVA environment using apicup presented several challenges. The primary issue stemmed from the fact that apicup derived secret names from their content, and the CR field spec.encryptionSecret.secretName was immutable. This made it difficult for customers to rotate their encryption secrets without contacting IBM Support.
The process involved manually changing the management encryption secret, which would result in apicup attempting to set a new secret name with the updated encryption key in the management CR. However, due to the immutability of the secretName field, this approach was not feasible.
To address this, an "original-encryption-secret" was introduced in v10.0.8.1. This secret was automatically set to the current encryption secret if empty and remained untouched thereafter. The original-encryption-secret's hash was then used to ensure that the computed name of the encryption-secret remained consistent.
Despite these improvements, manual steps (using K8's steps) were still required to trigger the rotation using installer. These steps included:
Manual steps to be followed in 10.0.8.1 :
1. Rotate the secret using secret rotation CR:
apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementSecretRotation
metadata:
name: rotate-secret
spec:
managementCluster: management
rotateEncryptionSecret:
rotate: true
kubectl get secret <mgmt_sec_name> --template='{{ index .data "encryption_secret.bin" }}'|base64 -d > secret.txt
apicup certs set <stack-name> encryption-secret secret.txt
Whenever commands such as "apicup subsys install mgmt" is used, the management CR will continue to refer to the original encryption secret name.
Improvements in v10.0.8.2: Simplified Encryption Secret Rotation
Recognising the complexity introduced by additional Kubernetes operations for VMware users, API Connect v10.0.8.2 introduced a new apicup command to simplify encryption secret rotation across different environments and subsystems. This command can be used for both Standalone and 2DCDR setups, as well as for the Management and Portal subsystems.
Standalone
apicup subsys rotate-secrets <stack-name> --rotate-encryption-secret
apicup subsys rotate-secrets <active-stack-name> --rotate-encryption-secret
The above is applicable to Portal as well as Management subsystems.
For the case of portal, if user want to set encryption secret to a specific value, Create the secret in the environment (in active env for 2DC setup) and use the flag --encryption-secret.
These enhancements streamline the encryption secret rotation process, making it more accessible and user-friendly for API Connect users.