Handling of clear text passwords in external components of API Gateway - 10.5 and above
Overview of the tutorial
API Gateway uses multiple external components for functions such as persistence, dashboards, and log aggregation.
Some of these external components have configuration files containing product-related settings that are read during startup. Passwords are also part of these configuration files, and the user configures the secrets in them as plain text. Any user who has access to the file system can view the passwords, access these components, and tamper with the data. Because they are external components, we do not control their configuration files or startup procedure and cannot mask these secrets ourselves. We therefore planned to use the components' own obfuscation methods or settings storage to hide the passwords from the YAML files.