For my second blog post I thought it might be interesting to address the problem of how to keep your #ForgeRock configuration secure when deploying to #Kubernetes.
About Juan Redondo
I am a full stack developer with experience across #IAM, #Kubernetes, #Cloud, and #DevOps. I am accredited on #ForgeRock Access Manager and have Mentor Status.
For any queries, feedback you may have please contact me on juan@midships.io
Now that you have decided to move your ForgeRock deployment to K8s, you might be concerned about two important areas in your architecture. Yes, we are talking about High Availability (HA) and Secrets Management.
As an enterprise, you will want to adhere to the well-known CIA triad in security policy development (Confidentiality, Integrity, Availability). So, the questions we need to answer are:
How do we implement these practices in our brand-new ForgeRock K8s deployment?
Does it differ in some way from the standard approaches taken in the virtual-server world?
To answer these questions, we will rely on the out-of-the-box settings provided in our ForgeRock accelerator.
One of the key features that our accelerator provides is a Secrets Management solution (#Hashicorp Vault) that takes care of retrieving the required secrets at runtime for each of the components of the ForgeRock stack (AM, Config store, User store and Token store), as shown in the CI/CD architecture diagram below:
We use Vault to store all of our ForgeRock-related secrets (certificates, keys, passwords, etc.). In addition, our accelerator uses Vault to hold the bespoke, customer-specific configuration. This ensures that all of this sensitive data is centrally managed, remains secure and can be environment-specific.
Since Vault can be run as a scaled, highly available cluster, it also ensures that the secret material is always available to the ForgeRock components at runtime. This approach also removes the dependency on the Kubernetes Secrets implementation, which is scoped to a single cluster and so would rely on multi-cluster deployments (and replication of the secrets between them) to provide the same HA for the secrets used by the ForgeRock stack. Two practical caveats: Vault becomes a start-up dependency of every ForgeRock pod, so it must be deployed in HA mode and unsealed before the stack is rolled out; and Kubernetes Secrets are only base64-encoded and sit in etcd unencrypted unless encryption at rest has been configured, which is a further reason to keep long-lived secrets in Vault rather than in the cluster.
Once we trigger a deployment, we will observe in the pod logs how the component configuration and secrets are securely pulled from the Vault paths at runtime. Taking the AM pod as an example, we can see how the certificates and the application passwords are retrieved from Vault:
Once the deployment is finished, you will have a running ForgeRock stack fully integrated with a secure Secrets Management solution, which is used to centrally manage your ForgeRock application configuration and any sensitive data.
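As an added illustration of the runtime retrieval described above (this is example code written for this page, not the accelerator's own start-up script), the block below implements the two HTTP exchanges a ForgeRock pod performs against Vault: it trades the pod's projected service-account JWT for a Vault token via the Kubernetes auth method, then reads its secrets from KV v2 paths with that token. The Vault role name `am`, the `forgerock` KV mount, the per-environment paths and the sample secret values are assumptions chosen for illustration; a constructed `FakeVault` transport is included so the flow runs offline, and against a real cluster you would pass the `http_json` transport instead.

```python
"""Added example: a ForgeRock pod pulling its secrets from Vault at start-up.

Exchange 1: POST /v1/auth/kubernetes/login  (service-account JWT -> Vault token)
Exchange 2: GET  /v1/<mount>/data/<path>     (KV v2 read with X-Vault-Token)
Role, mount and paths below are assumptions for illustration only.
"""
import json
import urllib.request

# Where Kubernetes projects the pod's service-account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def http_json(method, url, body=None, headers=None):
    """Real transport: send/receive JSON over HTTP(S); returns (status, dict)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    for k, v in (headers or {}).items():
        req.add_header(k, v)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode() or "{}")


def vault_k8s_login(vault_addr, role, jwt, transport=http_json):
    """Kubernetes auth method: exchange the SA JWT for a short-lived client token."""
    status, reply = transport("POST", f"{vault_addr}/v1/auth/kubernetes/login",
                              body={"role": role, "jwt": jwt})
    if status != 200 or "auth" not in reply:
        raise RuntimeError(f"vault login failed: HTTP {status} {reply.get('errors')}")
    return reply["auth"]["client_token"]


def read_kv2(vault_addr, token, mount, path, transport=http_json):
    """Read one KV v2 secret and return the key/value map stored at the path."""
    status, reply = transport("GET", f"{vault_addr}/v1/{mount}/data/{path}",
                              headers={"X-Vault-Token": token})
    if status != 200:
        raise RuntimeError(f"vault read of {mount}/{path} failed: HTTP {status}")
    return reply["data"]["data"]


def fetch_am_secrets(vault_addr, role, jwt, env, transport=http_json):
    """Pull the (assumed) AM config and certificate secrets for one environment."""
    token = vault_k8s_login(vault_addr, role, jwt, transport)
    secrets = {}
    for name in ("am-config", "am-certs"):
        secrets.update(read_kv2(vault_addr, token, "forgerock", f"{env}/{name}", transport))
    # Log which paths were read, never the values themselves.
    return secrets


class FakeVault:
    """Constructed stand-in for Vault so the flow runs offline (sample data only)."""

    def __init__(self):
        self.kv = {
            "forgerock/data/dev/am-config": {"amadmin_password": "Passw0rd!",
                                             "cfg_store_password": "cfg-secret"},
            "forgerock/data/dev/am-certs": {"am_keystore_pass": "ks-secret"},
        }
        self.tokens = set()

    def __call__(self, method, url, body=None, headers=None):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/kubernetes/login":
            # A real Vault validates the JWT with the cluster's TokenReview API.
            if body.get("role") != "am" or not body.get("jwt", "").startswith("eyJ"):
                return 403, {"errors": ["permission denied"]}
            self.tokens.add("hvs.fake-token")
            return 200, {"auth": {"client_token": "hvs.fake-token", "lease_duration": 3600}}
        if method == "GET" and (headers or {}).get("X-Vault-Token") in self.tokens:
            if path in self.kv:
                return 200, {"data": {"data": self.kv[path], "metadata": {"version": 1}}}
            return 404, {"errors": []}
        return 403, {"errors": ["permission denied"]}


if __name__ == "__main__":
    # Offline run against the constructed fake; a real pod would read the JWT
    # from SA_TOKEN_PATH and use transport=http_json with VAULT_ADDR.
    got = fetch_am_secrets("http://vault.example", "am", "eyJ.sample.jwt", "dev",
                           transport=FakeVault())
    print("retrieved keys:", sorted(got))  # values deliberately not printed
```

The login step is what keeps the pattern free of bootstrap secrets: the pod presents only the service-account token Kubernetes already gives it, and Vault's role binds that identity to the policies covering the pod's own paths, so an AM pod cannot read the user-store secrets and vice versa. The fake transport also shows the failure mode to watch for in the pod logs: a wrong role or an invalid JWT is refused at login, before any secret path is touched.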
I hope you found this helpful. If you have any queries please let me know.
Juan