Encrypting AK/SK for Deploying an APM Agent in a CCE Container

Background

When an APM Agent is deployed in a CCE container, the AK/SK must be encrypted for security purposes.

Procedure

1. Generate a JAR package that contains the decryption method. Assume that the JAR package name is demo.jar, the built-in decryption class is com.demo.DecryptDemo, and the decryption method is decrypt (which is a static method). Then pack the JAR package into an image and upload it to the image repository. To obtain an access key, see Access Keys.
2. Add the initContainer attribute to the CCE deployment YAML file.

   Example:

   1. The address of the image uploaded in step 1 is swr.cn-north-5.myhuaweicloud.com/hwstaff_pub_apmpaasw3/decrypt:v2.
   2. The decryption class name is com.demo.DecryptDemo. The decryption method is decrypt.
      The following shows initContainer. Replace the information in bold.

      initContainers:
        - name: init-secret
          image: swr.cn-north-5.myhuaweicloud.com/hwstaff_pub_apmpaasw3/decrypt:v2
          command:
            - /bin/sh
            - '-c'
            - cp /root/com.demo.DecryptDemo.jar /var/init/secret/apm-javaagent/ext; sed -i 's%#decrypt.className=.*%decrypt.className=com.demo.DecryptDemo%g' /var/init/secret/apm-javaagent/apm.config; sed -i 's%#decrypt.methodName=.*%decrypt.methodName=decrypt%g' /var/init/secret/apm-javaagent/apm.config;
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: paas-apm2
              mountPath: /var/init/secret

      By adding initContainer, you can copy the JAR package to the apm-javaagent/ext directory and modify the configuration file.

3. Obtain an AK/SK from the APM console, encrypt the SK, and replace the AK/SK in the YAML file.

   

4. Save the configuration and upgrade the CCE instance.