Showing posts with label cloud.

Wednesday, January 29, 2025

Simple container-based Minio deployment for Db2

MinIO console with Db2-generated files
You probably have read that I am testing Db2 external tables and remote storage. External tables are data files stored outside the database itself, either in the local file system or on (typically) S3-compatible object storage. To be able to test everything locally, even without Internet connectivity while traveling, I installed and configured MinIO. Here are the few steps to get it up and running as a Docker/podman deployment.

Friday, March 15, 2024

Authentication for your IBM Cloud Code Engine functions

Protect your Code Engine functions
How can we protect an API function implemented as an IBM Cloud Code Engine function? This was one of the questions which I recently answered. When migrating from IBM Cloud Functions to Code Engine, this is a common question. Cloud Functions offer some basic security to protect against unauthorized calls. Code Engine and its functions differ in flexibility and hence you have to deal with authentication. Here is a simple solution.

Thursday, November 30, 2023

Thoughts on how to move from Cloud Functions to Code Engine

Moving code and containers
IBM Cloud Code Engine is a fully managed, serverless platform to (not only) run your containerized workloads. It has evolved a lot since March 2021, the time when I published the blog post Migrating Cloud Functions Code to Code Engine. In 2021, there were only Code Engine apps and jobs. Earlier this year, Code Engine added support for functions (Function-as-a-Service, FaaS). Thus, in this post I am going to take a fresh look at that topic and discuss the options on how to move from Cloud Functions to Code Engine.

Thursday, March 30, 2023

IBM Cloud and Terraform: How to use a REST API

I am a regular user of the IBM Cloud provider plugin for Terraform. I use Terraform with the command line on my local machine or with IBM Cloud Schematics as a managed service. Often, I am testing and evaluating new features. Sometimes, I face the situation where not all necessary functionality is available in Terraform. But luckily, often an API function already exists. In this blog post I am going to show how to use a REST API with everything else done in Terraform.

Friday, January 20, 2023

Create your IBM Cloud toolchain with Terraform

Tekton pipeline in action on IBM Cloud
Automation is key to cost-efficient use of (cloud) resources and to security. One of our security-focused IBM Cloud solution tutorials, Apply end to end security to a cloud application, comes with an automation to easily provision all required services and to use a toolchain with a CI/CD pipeline to build and deploy the app as a container.

Because the tutorial is from some years back, it has been updated, reworked, modernized, and kept in shape to stay current. The improvements include the code for the deployment automation.

Thursday, June 2, 2022

Create a REST API with OpenAPI spec for your database objects

Swagger UI for my events API
Recently, I wanted to create a REST API for data managed in a Db2 on Cloud database. It was needed for a chatbot project using Watson Assistant. After looking into my options, I settled on APIFlask. In this blog, I am going to share my experiences and some resources for creating a REST API with an OpenAPI specification for database objects.

Monday, May 16, 2022

Containerize your Db2 Python app

De-containerizing my stuff
By following my blog posts (here or at the IBM Cloud site) or my code samples, you might know that many of my apps are coded in Python. Moreover, many projects involve IBM Db2 (see "How to connect from Python to Db2"). With Docker and other container technologies around and many projects involving Kubernetes / OpenShift or Knative / IBM Cloud Code Engine, the next question is how to containerize / dockerize your Db2 application written in Python. Well, here I share some of my experience...

Monday, May 9, 2022

A simple nginx deployment on IBM Cloud Code Engine

HTML files as configmap in Code Engine
Over the weekend I deployed nginx on IBM Cloud Code Engine. It's nothing fancy or earth-moving. But I wanted to note down and share the steps with you on how to deploy this HTTP server and serve a few static HTML pages. All is based on using the command line interface (CLI) and is done with a few commands.

Thursday, March 24, 2022

Blue-green deployment with IBM Cloud Code Engine and Knative

Code Engine app with green revision
From reading my past post on migrating from Cloud Foundry to Code Engine, you probably guessed that I am currently working with IBM Cloud Code Engine. One of the topics I looked into over the past few days is advanced configuration of my app using the Knative CLI. Code Engine is using Knative which, again, is based on Kubernetes. All of them are involved in configuring traffic management for my app, so that I could realize blue-green deployment. It allows traffic to be moved gradually from the current stable revision to a newer app revision. Not much is needed to get it to work.

Monday, January 31, 2022

Simple, quick and secure cloud onboarding for workshops and hackathons

Create an external Identity Provider
Short-lived projects like hackathons or workshops often have the following characteristics:

  • similar privileges for everyone on the project,
  • only few IAM (Identity and Access Management) roles,
  • preferred simple administration (setup, running it, cleanup) over tightest security.

Additionally, such projects often are repeated with similar setup, but other participants. So, how do you onboard them efficiently and securely?

With that question in mind, I published two blog posts on the IBM side along with code on GitHub:

The articles utilize features and services like access groups, trusted profiles, and external identity providers based on IBM Cloud App ID. The code is in Terraform and Python for full automation where possible. Enjoy.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Wednesday, October 13, 2021

IBM Cloud resource reclamations: Some more details and my best practices

Reclaim resources
This is a quick follow-up to my "To restore or delete" post in which I discussed IBM Cloud resource reclamations and shared some tricks. Today, I have some more details and also want to share with you my best practices on handling resources.

Monday, July 12, 2021

Cloud-based HSM with PKCS #11 for Db2 Native Encryption

Manage your encryption keys
When using Db2 databases, there are different ways to encrypt the stored data (data at rest). One of them is to use the built-in feature, Db2 native encryption. It supports three kinds of keystores: a local keystore file or centralized key management systems (KMS) based on KMIP or PKCS #11 protocols.

Today, I want to point you to a tutorial in the IBM Cloud documentation. It discusses using Hyper Protect Crypto Services PKCS #11 for Db2 native encryption.

Friday, May 28, 2021

IBM Cloud: Send out alert emails using SMTP

Last year, I blogged about how to use Slack or email notifications for IBM Cloud security issues. Now I added another code sample, showing how to send out notification emails using any SMTP server. The code is written in Python and Node.js and deployed as an IBM Cloud Functions-based webhook. The core part in charge of connecting to an SMTP email server and sending the email is isolated as a dedicated action. Thus, it is possible to use it on its own, e.g., to send out emails unrelated to the IBM Cloud Security & Compliance Center.

Thursday, March 11, 2021

Cloud tutorial on serverless web app and eventing

A follow-up from my last post on Python decorators:

Solution architecture
Some years back, on IBM Cloud, we introduced an IBM Cloud solution tutorial for GitHub traffic analytics based on Cloud Foundry and IBM Cloud Functions. A Cloud Functions action is triggered daily to collect traffic data. The action stores the data in a Db2 database. Users can then analyse the data in a Python Flask app served by Cloud Foundry.

Today, that same solution scenario and app are still available, but they are served by IBM Cloud Code Engine. Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions or batch jobs. The slightly renamed tutorial — "Serverless web app and eventing for data retrieval and analytics" — demonstrates how the existing app can be containerized and both served as a web app and used to process the daily data collection event.

Continue reading the article on the IBM Cloud blog.

Tuesday, January 26, 2021

IBM Cloud CLI: Some tips and tricks - make it a home

IBM Cloud CLI options
In the past, I have blogged several times about how to use the command line. Today, I want to share some tips and tricks for the IBM Cloud CLI (command line interface). Many of you work with the ibmcloud command, but have you ever looked into its help option? Here is a quick look at them and how to put them to good use...

Monday, January 18, 2021

Follow-up to Db2 and JWT: What is JOSE...?

JWT: Encoded or decoded security claims
Last week, I wrote about Db2 support for JSON Web Tokens (JWT). Today, I have a small follow-up with some reading material on JWT and related topics like JOSE, JWS, JWK as well as OAuth and OpenID Connect.

Some JWT history and standards

The first draft for JSON Web Tokens, JWTs, is already 10 years old. It is from December 2010. The early draft states:

Tuesday, January 12, 2021

Db2 Security: Configure JSON Web Token (JWT) authentication

Db2 login using JWT access token
Db2 login utilizing a JWT
Since V11.5.4, Db2 can consume JWTs (JSON Web Tokens). The business case is to support SSO (single sign-on). You can configure Db2 to accept access tokens issued by external Identity Providers (IDPs), including the IBM solutions or open source projects like gluu. V11.5.5 brought some JWT improvements, e.g., support for multiple labels. On a recent Friday, I set up my Db2 Docker container to accept JWTs, not those issued by an external identity service, but my own.

Wednesday, October 21, 2020

IBM Cloud: Considerations for role and resource setup

Solution architecture
Here is a quick follow-up on my recent blog on best practices for the cloud onboarding of enterprise projects. There, I discussed how to use Terraform scripts as a blueprint in the onboarding process. Starting with a corporate standard for setting up roles and other security objects, project-specific layers are added later on. The IBM Cloud solution tutorial on applying end to end security to a cloud application served as an example. In this blog, I am going to share details on how I mapped project resources to roles.

Monday, October 19, 2020

Terraform: Best practices for the cloud onboarding of enterprise projects

Architecture: End to end security

When onboarding a new project — either on-prem or to a cloud environment — there should be no questions on how to get started. Onboarding should follow an enterprise-defined process based on (internal) standards. It needs to detail access roles and privileges and provide means to implement them.

Recently, in an IBM Cloud blog, I discussed such a project onboarding. Terraform scripts implement the rules as code — they help to automate the roll-out and tear-down of access roles and privileges. The scenario from the solution tutorial "Apply end-to-end security to a cloud application" serves as a specific example and proof point for the ideas.

Head over to IBM Cloud and read my blog on "Blueprinting the Onboarding of Cloud Projects Using Terraform".

Wednesday, August 26, 2020

Db2 and S3-compatible Cloud Object Storage

A look at Db2 and S3 storage

Recently, I was contacted about an old blog post where I discussed how to access Cloud Object Storage from Db2. Since writing that article, both Db2 and (IBM) Cloud Object Storage have evolved. Thus, it is time for an update on how to back up data to cloud storage, load from external storage and even directly query data somewhere on the Internet...