I need to store/load a separate JKS file for a very specific 3rd party integration on one of my microservices (Spring/JAVA). Those key/certificate pairs should be used by a separate background task that should call 3rd party servers once in a while using custom black box SDK. This SDK requires a path to JKS file as one of input params, so it must be physically stored on disk.
The simplest approach I am going with for now: JKS stored in git under resources folder, then password supplied to docker container through some custom terraform script. How bad/not secure is this? Assuming repo is private github.
I think another options might be (considering docker/terraform run by jenkins builder, deployed to aws ecs):
- Load at runtime from aws secret manager/encrypted s3 then store on filesystem.
- Somehow supply at image building stage.
- Somehow supply at container startup stage.
Now the question is, how do I properly store and load this JKS on my service? What wold be the best way and would be the minimum acceptable way?
If we go full enterprise security mode, developers shouldn't even have access to that JKS file.
For development, they should get a different JKS file that gives them just enough permissions to do their development work.
To get a file that is only accessible at runtime from a running Docker image, you can put it on a Volume that is only mounted in production, and managed separately from your normal development deployments.
If you use Docker Swarm or Docker Compose, you can define it as an external Docker secret, and your file will be available under
/run/secrets/my_secret.jks.If you use Kubernetes, you can store the file as a Kubernetes Secret and mount it as a volume of type
secret: