
Introduction

There are different ways to deploy an Integration Server in a Kubernetes environment:

  • build your own image with the AppConnect flow already deployed
  • install the AppConnect dashboard and deploy an integration flow using BAR files that have been uploaded
  • use an external repository to store the BAR file and configure the IntegrationServer to download it from there.

This post focuses on the last option and explains how to configure an IntegrationServer to retrieve the BAR file (the AppConnect deployment package) from a remote HTTP location secured with TLS and basic authentication.

Configuration

The Integration Server is configured with the following parameters:

  • barURL: the HTTPS link used to download the BAR file from the remote repository.
  • configurations: the basic authentication credentials are provided to the Integration Server through an AppConnect configuration.

IntegrationServer

Here is an Integration Server example:

apiVersion: appconnect.ibm.com/v1beta1
kind: IntegrationServer
metadata:
  name: ace-restapi-test
  namespace: ace
spec:
  adminServerSecure: true
  barURL: https://eu-de.git.cloud.ibm.com/.../-/raw/main/ace/restapi-sample.bar
  configurations:
  - barauth-ace-config
  createDashboardUsers: true
  designerFlowsOperationMode: disabled
  enableMetrics: true
  license:
    accept: true
    license: L-APEH-CCHL5W
    use: CloudPakForIntegrationNonProduction
  pod:
    containers:
      runtime:
        resources:
          limits:
            cpu: 300m
            memory: 368Mi
          requests:
            cpu: 300m
            memory: 368Mi
  replicas: 1
  router:
    timeout: 120s
  service:
    endpointType: http
  version: "12.0"

AppConnect configuration

The AppConnect configuration, which references the basic authentication credentials used to authenticate against the repository, can be created using the AppConnect dashboard or the AppConnect operator user interface available in the OpenShift console.

The configuration definition references a Kubernetes secret that holds the credentials. If you are using a script or a CLI, you need to create the secret(s) before the configuration.

Information related to the barAuth AppConnect configuration can be found in the Knowledge Center, under barurl.

Secret

The secret contains the credentials information and the certificate if required.

The secret is created using the following command:

oc create secret generic <barauth-ace-secret> --from-file=configuration=configurationFileName --namespace=namespaceName

The content of the secret looks like this:

apiVersion: v1
kind: Secret
metadata:
  name: gitbar-ace
  namespace: ace
type: Opaque
data:
  configuration: eyJhdXRoVHlwZSI6IkJBU0lDX0FVVEgiLCJjcmVkZW50aWFscyI6eyJ1c2VybmFtZSI6IiIsInBhc3N3b3JkIjoiIiwiaW5zZWN1cmVTc2wiOiJ0cnVlIn19Cg==

The content of configurationFileName is JSON and takes one of the following forms:

  • If you are connecting to an endpoint that uses a certificate from a trusted CA, you can connect by using basic authentication without the need to specify any certificate details.
    {"authType":"BASIC_AUTH","credentials":{"username":"xxxx","password":"xxxx"}}
    
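  • If you don’t need to have a mutual authentication, it is possible to skip certificate validation using the parameter “insecureSsl”. The connection is still encrypted, but the repository's certificate is not verified, so the Integration Server has no assurance about which host receives the credentials and serves the BAR file.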
    {"authType":"BASIC_AUTH","credentials":{"username":"xxxx","password":"xxxx","insecureSsl":"true"}}
    
  • If you need to provide a certificate, it is possible to provide it in the secret as well.
    {"authType":"BASIC_AUTH","credentials":{"username":"xxxx","password":"xxxx","caCertSecret":"secretName"}}
    

If you need to create the secret for the CA certificate, you can use the following YAML:

kind: Secret
apiVersion: v1
metadata:
  name: mycaCertSecret
  namespace: namespaceName
data:
  ca.crt: >-
    CAinBase64
  tls.crt: ''
  tls.key: ''
type: kubernetes.io/tls

Here CAinBase64 should be replaced by the CA certificate encoded in base64. The following command can be used for this purpose:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' test.pem | base64

The secret can then be created using the following command:

oc apply -f secretFileName.yaml

AppConnect configuration

Finally, the configuration is as follows:

apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: barauth-ace-config
  namespace: ace
spec:
  description: Used to provide repo credentials to ACE
  secretName: gitbar-ace
  type: barauth
  version: 12.0.5.0-r2
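
As an added example (not part of the original post and not IBM code), the Python check below decodes the configuration key of a barauth secret and reports empty credentials and the insecureSsl setting described above. The function names, secret names and credential values are constructed for illustration, and the manifests are passed in as already-parsed dictionaries.

```python
import base64
import json


def audit_barauth_secret(secret: dict) -> list:
    """Return findings for a Secret manifest that carries a barauth configuration."""
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    blob = secret.get("data", {}).get("configuration")
    if blob is None:
        return [f"{name}: data.configuration is missing"]
    try:
        cfg = json.loads(base64.b64decode(blob, validate=True))
    except (ValueError, TypeError):  # bad base64, bad UTF-8, bad JSON or a non-string value
        return [f"{name}: data.configuration is not base64-encoded JSON"]
    if not isinstance(cfg, dict) or not isinstance(cfg.get("credentials"), dict):
        return [f"{name}: expected a JSON object with a 'credentials' object"]

    findings = []
    creds = cfg["credentials"]
    if cfg.get("authType") != "BASIC_AUTH":
        findings.append(f"{name}: authType is not BASIC_AUTH")
    for field in ("username", "password"):
        if not creds.get(field):
            findings.append(f"{name}: {field} is empty")
    # The page writes the flag as the string "true"; a JSON boolean is accepted too.
    if str(creds.get("insecureSsl", "")).lower() == "true":
        findings.append(f"{name}: insecureSsl turns off server certificate validation")
    return findings


def make_secret(name: str, credentials: dict) -> dict:
    """Build a constructed Secret manifest shaped like the one shown on the page."""
    doc = json.dumps({"authType": "BASIC_AUTH", "credentials": credentials}) + "\n"
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": "ace"},
            "data": {"configuration": base64.b64encode(doc.encode()).decode()}}


# Constructed samples, one per variant listed on the page (names and values are made up).
SAMPLES = [
    make_secret("trusted-ca", {"username": "svc-ace", "password": "example-only"}),
    make_secret("private-ca", {"username": "svc-ace", "password": "example-only",
                               "caCertSecret": "mycaCertSecret"}),
    make_secret("no-validation", {"username": "", "password": "", "insecureSsl": "true"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in audit_barauth_secret(sample) or [sample["metadata"]["name"] + ": ok"]:
            print(finding)
```

To run it against a live cluster, feed it the parsed output of oc get secret with -o json for each secret referenced by a barauth configuration.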
