@ -12,6 +12,8 @@ If you tried this approach by yourself you may end up, *sooner or later*, with a
What is this policy and why is it there?
Let's dig in!
<!--more-->
In a nutshell, the *Anonymous* policy instruct the *APIcast* gateway to expose an API **without any security mechanism**.
Given how we stress out the importance of security in our very fragile IT systems, this calls out the following question: why was it there in the first place?
In this article on the Red Hat Developer blog, I explained [how to deploy an API from a Jenkins Pipeline, using the 3scale toolbox](https://developers.redhat.com/blog/2019/07/30/deploy-your-api-from-a-jenkins-pipeline/).
If you tried this approach by yourself you may have noticed that in some cases, the configured service includes the *URL Rewriting* policy in its *Policy Chain*.
<!--more-->
The *URL Rewriting* policy can be used for a variety of use cases but, in a nutshell, the *URL Rewriting* policy is used by the toolbox to change the *Base Path* of an API.
For instance, if your actual API implementation is live at **/camel/my-route** but you wish to expose it on **/api/v1**, you can instruct the 3scale toolbox to configure the *URL Rewriting* policy for you by specifying the `--override-private-basepath` and `--override-public-basepath` options.
Recently, in [one of my Ansible playbooks](../airgap-openshift-installation-move-registry-created-using-oc-adm-release-mirror-between-environments) I had to prefix all items of a list with a chosen string.
@ -11,6 +11,8 @@ My Ansible playbooks sometimes use features that are available only in a very re
To prevent unecessary troubles to the team mates that will execute them, I like to add a task at the very beginning of my playbooks to check the Ansible version number and abort if the requirements are not met.
The [official documentation](https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.8/html/administering_the_api_gateway/openid-connect#configure_red_hat_single_sign_on) describes the steps to configure Red Hat SSO / Keycloak but it uses the Graphical User Interface, which can be tedious if you have multiple environments to configure. Let's configure Red Hat SSO for 3scale using the CLI!
<!--more-->
As a pre-requisite, install [jq](https://stedolan.github.io/jq/download/).
Fetch the hostname, login and password of your Red Hat SSO instance, from your OpenShift environment.
There is a hosted instance at [invidio.us](https://invidio.us/) if you want to give it a try. But, wouldn't it be cooler to host your own instance on your OpenShift cluster? Let's do it!
[Miniflux](https://miniflux.app) is a minimalist, open source and opinionated RSS feed reader. There is a [hosted instance](https://miniflux.app/hosting.html) available at a fair price point but wouldn't it be cooler to host your own instance on your OpenShift cluster? Let's do it!
@ -11,6 +11,8 @@ In the article "[Nginx with TLS on OpenWRT](../nginx-with-tls-on-openwrt/)", I e
But without an application to protect, Nginx is quite useless.
This article explains how to install [Miniflux](https://miniflux.app/) (a lightweight RSS reader) on your Raspberry PI and how to host it as an Nginx virtual host.
<!--more-->
Miniflux is a web application written in Go and backed by a PostgreSQL database. So we will need to install PostgreSQL, install miniflux and setup Nginx. The rest of this article assumes you [installed OpenWRT on your Raspberry](../install-openwrt-raspberry-pi/), but it should be applicable to any Linux distribution with minimal changes.
It made design choices that take it apart from the usual Linux distributions: musl libc instead of the usual glibc, busybox instead of coreutils, ash instead of bash, etc.
As a result, the system is very light and blazing fast!
<!--more-->
Continue reading to know how to **install OpenWRT on your Raspberry PI**.
@ -15,6 +15,8 @@ Most software now provide an operator and describe how to use it.
Nevertheless, almost every software documentation I read so far, includes the steps to install the operator using the nice GUI of OpenShift 4.
But since my OpenShift environments are provisioned by a playbook, I want to be able to install operators using the CLI only!
<!--more-->
The [OpenShift official documentation](https://docs.openshift.com/container-platform/4.3/operators/olm-adding-operators-to-cluster.html#olm-installing-operator-from-operatorhub-using-cli_olm-adding-operators-to-a-cluster) covers this part but I did not find it very clear.
So, this article tries to make it clearer: **how to install Kubernetes operators in OpenShift using only the CLI**.
@ -14,6 +14,8 @@ I could have jumped into the code and changed something, hoping it will improve
But that would be ineffective and unprofessional.
So, I decided to have an honest measure of the current performances as well as a reproducible setup to have consistent measures over time.
<!--more-->
This article explains how I built my performance testing lab using [JMeter](https://jmeter.apache.org/index.html) and an old ARM board.
To keep this article short and readable, I focused on the assessment of two HTTP libraries (golang's net/http and valyala's fasthttp), leaving the discussion about the Telegram Photo Bot performances for a next article.
In the article "[Install OpenWRT on your Raspberry PI](../install-openwrt-raspberry-pi/)", I explained how to install OpenWRT on a Raspberry PI and the first steps as an OpenWRT user.
As I plan to use my Raspberry PI to host plenty of web applications, I wanted to setup a versatile reverse proxy to protect them all, along with TLS support to meet nowadays security requirements.
<!--more-->
OpenWRT has an [nginx package](https://openwrt.org/packages/pkgdata/nginx), ready to be installed using *opkg* but unfortunately it does not have TLS enabled. So we need to recompile nginx with TLS enabled!
@ -11,6 +11,8 @@ In an article named [Red Hat Single Sign-On: Give it a try for no cost!](https:/
As pointed by a reader in a comment, as widespread OpenShift can be, not everyone has access to a running OpenShift cluster. So, here is how to run Red Hat SSO outside of OpenShift: using only plain Docker commands.
<!--more-->
The rest of this procedure assumes you already have a token to access the Red Hat registry (full procedure described in [my article](https://developers.redhat.com/blog/2019/02/07/red-hat-single-sign-on-give-it-a-try-for-no-cost/) and in the [Red Hat SSO Getting Started guide, chapter 3, section 3.1](https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/html/red_hat_single_sign-on_for_openshift/get_started)).
Start by logging in with this token using the *docker login* command (do not forget to replace the login and password with yours):
@ -14,6 +14,8 @@ But this is yet another password to remember!
OpenShift can handle the [OpenID Connect](https://openid.net/connect/) protocol and thus offers Single Sign On to its users.
No additional password to remember: you can login to the OpenShift console with your [Google Account](../use-google-account-openid-connect-provider) for instance.
<!--more-->
## Pre-requisites
The rest of this article assumes you have already setup your OpenID Connect client in the Google Developer Console as explained in this article: [Use your Google Account as an OpenID Connect provider](../use-google-account-openid-connect-provider).
@ -14,6 +14,8 @@ Quarkus can be used for any type of backend development, including API-enabled b
In this article, I'm describing how to secure a Quarkus API with Keycloak using JWT tokens.
<!--more-->
## Preparation
As a pre-requisite, install [Maven](https://maven.apache.org/), [jq](https://stedolan.github.io/jq/download/) and [jwt-cli](https://github.com/mike-engel/jwt-cli#installation).
@ -13,6 +13,8 @@ Some of the web applications that I installed on my Raspberry PI do not feature
No authentication means that anybody on the internet could reach those applications and play with them.
This article explains how to secure applications running on a Raspberry PI with [Keycloak Gatekeeper](https://github.com/keycloak/keycloak-gatekeeper).
<!--more-->
[Keycloak Gatekeeper](https://github.com/keycloak/keycloak-gatekeeper) is a reverse proxy whose sole purpose is to authenticate the end-users using the [OpenID Connect](https://openid.net/connect/) protocol.
If Keycloak Gatekeeper is best used in conjunction with the [Keycloak Identity Provider](https://www.keycloak.org/), it can also be used with any Identity Provider that conforms to the OpenID Connect specifications.
@ -13,6 +13,9 @@ With great power comes great responsibilities.
So, you might want to be notified when something goes wrong, a cron job failed, a hard disk is dying, etc., so that you can fix the problem at earliest, maybe before anyone else could notice.
This article explains how to send mails on OpenWRT with MSMTP and a GMail account.
<!--more-->
You can adapt this procedure to any email provider that supports SMTP access with a login and password.
@ -10,6 +10,8 @@ Unless you have a password vault to store your credentials securely, it is very
This article goes through all the steps to use your Google Account as an [OpenID Connect](https://openid.net/connect/) provider and subsequent articles (check links at the bottom of this article) explain how to configure the different services and software to use your Google Account as an OpenID Connect provider.
It strives to reduce the chattiness clients can experience when querying REST APIs.
It is very useful for mobile application and web development: by reducing the number of roundtrips needed to fetch the relevant data and by fetching only the needed field, the network usage is greatly reduced.
<!--more-->
To install QLKube in OpenShift, use the NodeJS Source-to-Image builder:
This is the third part of my series covering how to
[Write workshop instructions with Hugo](../writing-workshop-instructions-with-hugo/). In this article, we will deploy our [Hugo mini-training](https://github.com/nmasse-itix/hugo-workshop/) as a container in OpenShift.
<!--more-->
Since Hugo is a static website generator, we only need a web server in our container to serve those pages. Let's settle for nginx that is [neatly packaged as a container image, as part of the Software Collections](https://www.softwarecollections.org/en/scls/rhscl/rh-nginx114/).
And to build our final container image that will contain both our website (the static pages to serve) and the web server itself, we will use the [Source-to-image (S2I)](https://github.com/openshift/source-to-image) tool. Hopefully, the nginx image of the Software Collections is already S2I enabled!
