leochr opened this issue 3 months ago (status: Open)
Meeting summary (June 6, 2024):
The `wlp.password.encryption.key` variable will be used, when it is specified, to decrypt LTPA. There is no other way to specify a decryption key for LTPA, so we must handle the decryption (and encryption) using this common variable that applies to the entire Liberty server.
The mounting of the Secret `wlo-wlp-password-encryption-key` and the associated server configuration to read it must be enabled even when `.spec.manageLTPA` is not enabled.
We should consider mounting the sensitive information outside the configuration directory and instead referencing the location from the included server config. We should consider the same for the managed LTPA directory.
When the Secret `wlo-wlp-password-encryption-key` is specified for the first time, or when it is changed or removed, the managed LTPA key must be regenerated. We can use the resource version of the Secret to detect the change and trigger regeneration.
Consider creating a utility method in the Operator to handle mounting of Secrets/ConfigMaps and the server configuration.
Liberty uses a default key for encryption and decryption, but it can be overridden by `wlp.password.encryption.key`. Allow users to specify this and use it in operations such as LTPA key generation.

Allow users to optionally specify this key via a Secret (i.e. `wlo-wlp-password-encryption-key`). When specified, this key should be passed as part of the LTPA key generation commands:

```
securityUtility encode --key
securityUtility createLTPAKeys --passwordKey
```

The key should also be specified in the server config so that the LTPA key can be decrypted:

Validate that the `server dump` (Day 2 operation) doesn't leak this key: https://openliberty.io/docs/latest/password-encryption.html#_encryption_key_protection
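As an added illustration of the regeneration rule and the command line above (example code, not the operator's own; the `keySecret` type and the function names are hypothetical, and `--file`/`--password` are assumed to be the other `createLTPAKeys` options the command takes alongside `--passwordKey`):

```go
package main

import "strings"

// keySecret is the wlo-wlp-password-encryption-key Secret as currently observed
// (hypothetical shape, not the operator's own type); nil means it does not exist.
type keySecret struct {
	ResourceVersion string
	Key             string // wlp.password.encryption.key value
}

// needsLTPARegeneration applies the rule from the summary. lastVersion is the
// resourceVersion of the Secret in effect when the managed LTPA keys were last
// generated ("" if Liberty's default key was used, or none generated yet).
// Regenerate when the Secret appears for the first time, when its
// resourceVersion changed, or when it was removed.
func needsLTPARegeneration(generated bool, lastVersion string, sec *keySecret) bool {
	if !generated {
		return true
	}
	observed := ""
	if sec != nil {
		observed = sec.ResourceVersion
	}
	return observed != lastVersion
}

// createLTPAKeysArgs builds the securityUtility arguments; --passwordKey is
// added only when the custom key exists, so the keys file is encrypted with
// the same key the server config will use to decrypt it.
func createLTPAKeysArgs(file, ltpaPassword string, sec *keySecret) []string {
	args := []string{"createLTPAKeys", "--file=" + file, "--password=" + ltpaPassword}
	if sec != nil {
		args = append(args, "--passwordKey="+sec.Key)
	}
	return args
}

// redactForLog masks the secret-bearing options before the command line is
// written to reconciler logs or captured in a server dump.
func redactForLog(args []string) string {
	out := make([]string, len(args))
	for i, a := range args {
		if strings.HasPrefix(a, "--password=") || strings.HasPrefix(a, "--passwordKey=") {
			a = a[:strings.Index(a, "=")+1] + "***"
		}
		out[i] = a
	}
	return strings.Join(out, " ")
}
```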