Showing posts with label kubernetes. Show all posts

Tuesday, May 9, 2023

Decode JWTs in bash

Today, it is once again time for one of those "let's document it" blog posts. Lately, I looked into one of the IBM Cloud security features, trusted profiles based on compute resources. I described how to turn your container into a trusted identity. For developing code locally, I needed to copy over files from the Kubernetes pods to my local machine, then decode JWT access tokens, all using the command line. Here is what I did.

Tuesday, June 7, 2022

Use event subscriptions for scheduled scale up and down of your IBM Cloud Code Engine apps

Few lines of scripting
Over the past months, I wrote several blog posts related to IBM Cloud Code Engine. Code Engine is a managed, serverless platform for containerized workloads. You can run (web) apps and (batch) jobs, and both types can receive events. Code Engine apps have settings for minimum and maximum scaling and have assigned compute resources within these boundaries. A "scale to zero" is possible, i.e., there isn't any app instance running and, because it is pay per use, nothing is charged during that time. Which brings up the question: how can I schedule different min / max scale values, e.g., scale down to zero overnight, but have some higher minimums during the day?

I heard that built-in support is on the roadmap. For now, I am using a Code Engine cron subscription for the job...

Thursday, June 2, 2022

Create a REST API with OpenAPI spec for your database objects

Swagger UI for my events API
Recently, I wanted to create a REST API for data managed in a Db2 on Cloud database. It was needed for a chatbot project using Watson Assistant. After looking into my options, I settled on APIFlask. In this blog, I am going to share my experiences and some resources for creating a REST API with an OpenAPI specification for database objects.

Monday, May 16, 2022

Containerize your Db2 Python app

De-containerizing my stuff
By following my blog posts (here or at the IBM Cloud site) or my code samples, you might know that many of my apps are coded in Python. Moreover, many projects involve IBM Db2 (see "How to connect from Python to Db2"). With Docker and other container technologies around and many projects involving Kubernetes / OpenShift or Knative / IBM Cloud Code Engine, the next question is how to containerize / dockerize your Db2 application written in Python. Well, here I share some of my experience...

Tuesday, May 10, 2022

Some fun with traefik routing on the edge of a reverse proxy

Path-based routing with Traefik

In a recent blog post, I mentioned that I use the traefik edge router / reverse proxy to put a custom domain in front of my IBM Cloud Code Engine apps. Today, I want to share details on how I configured path-based routing, i.e., depending on the path in the URI a different Code Engine app serves the request. The use case is to implement a microservices-based solution architecture with multiple backend services reachable over a single host name (on a custom domain).

Thursday, May 5, 2022

Custom domain for your serverless Code Engine app

Output of an IBM Cloud Code Engine app
A custom domain, e.g. something like myapp.example.com, always puts a nice touch on an app. Often, it is required for corporate identity. Still, not all services offer that capability. As written, I recently migrated some apps from Cloud Foundry to IBM Cloud Code Engine. Right now, Code Engine does not support custom domains out of the box, but I heard that it is planned. Thus, I looked into temporary workarounds for using a custom domain name for my serverless Code Engine apps.

Thursday, March 24, 2022

Blue-green deployment with IBM Cloud Code Engine and Knative

Code Engine app with green revision
From reading my past post on migrating from Cloud Foundry to Code Engine, you probably guessed that I am currently working with IBM Cloud Code Engine. One of the topics I looked into over the past few days is advanced configuration of my app using the Knative CLI. Code Engine is using Knative which, again, is based on Kubernetes. All of them are involved in configuring traffic management for my app, so that I could realize blue-green deployment. It allows me to gradually move traffic from the current stable app revision to a newer one. Not much is needed to get it to work.

Thursday, August 1, 2019

Use a Delivery Pipeline to rotate credentials

Job in Delivery Pipeline to rotate keys
In my recent posts I touched on updating credentials for solutions deployed on IBM Cloud Functions or using Cloud Foundry on IBM Cloud. Today, I am showing you how to rotate API keys and passwords for a containerized solution on IBM Kubernetes Service that makes use of a delivery pipeline (devops). I am going to use the app discussed in the tutorial on how to apply end to end security to a cloud application.

Monday, March 25, 2019

Running Db2 Developer-C as Docker container

Container: Db2 the easy way
Last week I wanted to start testing some new Db2 features without going through the steps of installing that Db2 version. I turned to my local Docker installation, issued a single command and had Db2 up and running. Interestingly, that command downloaded Db2, installed it, and created a sample database. Here are the details.

Db2 Developer-C Edition as Docker Image

IBM provides a free Db2 edition, Db2 Developer-C Edition. It can be installed and used as a Docker container, see here the Db2 Developer-C Edition in the Docker store. Once you have added it to your basket and checked out, you can download it and get information about how to configure it. Basically, only a few values need to be set in an environment file (see db2_env_list below).

After adapting the environment file, I invoke the script (with a single command) to run Db2 on Docker. If not downloaded yet, it obtains the container image, starts it, and sets it up:

docker run -h db2server_ --name db2server --detach \
--privileged=true \
-p 50000:50000 -p 55000:55000 \
--env-file db2_env_list \
-v /home/hloeser/progs/db2:/database \
store/ibmcorp/db2_developer_c:11.1.4.4-x86_64


Thereafter, I can connect to Db2 using the usual tools and SDKs.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Thursday, October 11, 2018

Use a custom domain, manage TLS certificates and apply e2e security to cloud app

End to end security for a cloud app on IBM Cloud
Well, that title is a little bit long and ugly, but it basically describes what I wanted to tell you about today. A while ago, I blogged that my team published a tutorial "Apply end to end security to a cloud application". It demonstrates how to secure network traffic (data in transit), cloud object storage (data at rest), and the app itself through access control (authentication). The app runs on the IBM Cloud Kubernetes Service (IKS). By default, the app is exposed on an IBM Cloud-supplied hostname and domain. I updated the tutorial to show how to use a custom domain and deploy a TLS certificate managed by the IBM Cloud Certificate Manager.

Wednesday, October 10, 2018

BYOK to encrypt Kubernetes secrets on IBM Cloud

Add Key Protect
A few days ago, it was announced that IBM Cloud Key Protect integrates with the Kubernetes Service. It means that cluster secrets such as service credentials, TLS certificate information and other confidential information can be encrypted using a managed root key. That root key is either generated or can be imported (bring your own key, BYOK). What needs to be done to wrap this additional layer of security around your cluster? Read on.

Friday, September 14, 2018

Tutorial on how to apply end to end security to a cloud application

Before you head out to the weekend I wanted to point you to a new cloud security tutorial. If you read this at the beginning of your week: What a great start... ;-)

Did you ever wonder how different security services work together to secure a cloud application? In the new tutorial we use
  • IBM Cloud Activity Tracker to log all security-related events. This includes logging in to the account, provisioning or deleting services, working with encryption keys and more.
  • IBM Cloud Key Protect to manage encryption keys. For the tutorial, we generate a root key for envelope encryption of stored files. You could also import your own root key (bring your own key, BYOK). We use the root key to create encrypted buckets in the IBM Cloud Object Storage service.
  • IBM Cloud Object Storage (COS) service to produce expiring links to individual files. The links can be shared with others and expire after the set amount of time, so that the file cannot be accessed thereafter.
  • IBM Cloud App ID as a wrapper around (enterprise and social) Identity Providers to manage authentication and authorization through a single interface. The App ID service can be directly integrated with Kubernetes Ingress.
  • IBM Cloud Container Registry as a private image registry from which we deploy the application as a container into a Kubernetes cluster (IBM Cloud Kubernetes Service). The container registry includes a Vulnerability Advisor that scans for and assesses container vulnerabilities and then recommends fixes.
Best of all, the code for the security tutorial is shared on GitHub in this repository. If you are in a hurry, it even allows you to deploy the full Node.js in Docker application and its services with the press of a button via toolchain.
