How can I script the provisioning Spinnaker resources? - spinnaker

We are evaluating adoption of Spinnaker and would like to understand what API, if any, is available for creating Spinnaker resources? If I want to script/templatize the creation of my App within Spinnaker, what is the best way to do this?
The best I can see at the moment is to script the creation of your infrastructure outside of Spinnaker (e.g. CloudFormation), load that in from your AWS account, and then keep a library of pipeline JSON files that can be copy/pasted into the JSON form for pipelines that will be added afterwards.

All of the items that you can manage via the Spinnaker UI (Server Groups, Load Balancers, Security Groups, Applications, Projects, Pipelines) are scriptable via Spinnaker's REST API. The API documentation is lacking at the moment (but coming soon, stay tuned). For now you can watch the UI's network interaction with the API via developer tools to get example payloads.
For other more static cloud infrastructure (VPCs, subnets, etc.) we don't really have a story via Spinnaker's API and would recommend looking at Terraform or CloudFormation.

The documentation seems to be outdated. I had a similar problem creating a pipeline using pipeline templates. It worked fine using Deck (UI), whereas the pipeline JSON as described in https://www.spinnaker.io/reference/pipeline/templates/#pipeline-json did not work.
After creating a pipeline from a pipeline template using the UI, I analysed the payload and realised the documentation is missing some of the fields in the payload. The payload given below worked fine for me. I would suggest the same: analyse the payload via the UI in the browser and use that as a reference.
{
  "schema": "v2",
  "template": {
    "artifactAccount": "front50ArtifactCredentials",
    "reference": "spinnaker://k8s-bake-approve-deploy-s3-23-oct:latest",
    "type": "front50/pipelineTemplate"
  },
  "application": "v2poc",
  "name": "test-6",
  "triggers": [],
  "type": "templatedPipeline",
  "stages": [],
  "variables": {
    "namespace": "default",
    "docker_registry": "docker.io",
    "k8s_account": "my-k8-account",
    "helm_package_s3_object_path": "s3://spin-helm/node-1.0.0.tgz",
    "helm_override_file_s3_object_path": "s3://spin-helm/values.yaml",
    "docker_registry_org": "athakur",
    "docker_repository": "athakur/node",
    "hal_s3_account": "my-s3-account",
    "hal_docker_registry_account": "my-docker-registry",
    "docker_image_tag": "0.1.0",
    "spinnaker_application": "v2poc"
  },
  "exclude": [],
  "parameterConfig": [],
  "notifications": []
}

Related

Where can I host generated private documentation?

I'm using Doxygen to generate documentation on a C++ project. I want to share this documentation with various team members without them having to build the docs themselves. In an ideal world, there's a service to privately host the static HTML that's generated from Doxygen, and gate it behind some sort of login. I think literally all this service needs to do is have some authentication middleware before serving the HTML. Just password protecting a directory is not good enough for what I'd like to do.
Does anyone know of a service like this that already exists? Am I taking the wrong approach?
What you are asking for is a service that hosts static pages but provides the authentication functionality. I don't know if something like that exists and I have not found anything in a quick search.
However, there's another approach, much simpler. Just generate the documentation and upload it wherever you want that requires authentication (Google Drive, a private repository in GitHub or Bitbucket, etc). Give access to your team members and they will just have to keep it up to date with the remote one and open the index.html locally in their browsers.
Azure has a static web app host available.
You can configure it so users must log in before anything is served up.
This is a bare-bones config that will require people to log into an app reg I made available to them, otherwise it will redirect to the Azure AD login page.
We are already using Azure for our cloud needs, so this wasn't much to stand up for the documentation host.
Custom authentication in Azure Static Web Apps
Authentication and authorization for Azure Static Web Apps
{
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/TENANT_ID",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  },
  "routes": [
    {
      "route": "/*",
      "allowedRoles": [
        "authenticated"
      ]
    }
  ],
  "responseOverrides": {
    "401": {
      "statusCode": 302,
      "redirect": "/.auth/login/aad"
    }
  }
}
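A check for the configuration above, as an added example that is not part of the original answer: Static Web Apps evaluates `routes` in order and stops at the first match, and a rule without `allowedRoles` is open to the built-in `anonymous` role, so a rule placed before the `/*` catch-all can expose pages without login. The `/search/*` route and the function name are made up for illustration.

```python
import json

# Constructed sample: the answer's catch-all rule plus one hypothetical
# rule placed in front of it to show what the audit reports.
SAMPLE_CONFIG = json.loads("""
{
  "routes": [
    {"route": "/search/*"},
    {"route": "/*", "allowedRoles": ["authenticated"]}
  ],
  "responseOverrides": {
    "401": {"statusCode": 302, "redirect": "/.auth/login/aad"}
  }
}
""")


def audit_routes(config):
    """Return findings for routes that can be reached without signing in."""
    findings = []
    catch_all_locked = False
    for index, rule in enumerate(config.get("routes", [])):
        route = rule.get("route", "")
        # No allowedRoles means the rule applies to the anonymous role.
        is_open = "anonymous" in rule.get("allowedRoles", ["anonymous"])
        if route == "/*":
            catch_all_locked = not is_open
            break  # rules listed after the catch-all never match
        # The platform's own /.auth/ endpoints have to stay reachable.
        if is_open and not route.startswith("/.auth/"):
            findings.append(f"routes[{index}] {route!r} is reachable without login")
    if not catch_all_locked:
        findings.append("no '/*' rule restricted to signed-in roles")
    override = config.get("responseOverrides", {}).get("401", {})
    if not str(override.get("redirect", "")).startswith("/.auth/login/"):
        findings.append("401 responses are not redirected to a login endpoint")
    return findings


if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_CONFIG):
        print(finding)
```

Running it against the deployed `staticwebapp.config.json` in CI catches an open rule before the docs site is published.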

Understand how to also get an access token for downstream API access for a web app with OneLogin

I've been at this for days and the documentation just isn't clear to me, maybe I'm just not reading it correctly.
I have a blazor WASM app (https://localhost:5001) that pulls data from an api. The api needs to be authenticated so I want to just pass the access token inside the header.
Inside the OneLogin admin dashboard I've created an OIDC app called "testApp", the Token Endpoint is None (PKCE).
Setting up oidcauthentication on blazor was super simple. I originally just used the
// Bind the "OneLogin" section of appsettings.json to the OIDC provider options.
builder.Services.AddOidcAuthentication(options =>
{
    builder.Configuration.Bind("OneLogin", options.ProviderOptions);
});
However I quickly realized I had no way to add an audience. So I followed this guide ..
auth0 oidc for blazor
and this github for the actual code I modified to create a custom provideroptions that has an audience string
github repo
And I also had no issues setting it up. However, where I get stuck is how seemingly complicated OneLogin's side of the setup is.
Reading their docs onelogin api auth docs, there are no modern examples of setting it up past the postman import. Downloading the import file offers a fairly organized set of apis however I can't figure out what needs to go where.
First I created an Api Auth Server
{
  "description": "API",
  "configuration": {
    "access_token_expiration_minutes": 20,
    "refresh_token_expiration_minutes": 20,
    "resource_identifier": "https://localhost:5005",
    "audiences": [
      "https://localhost:5005/worker",
      "https://localhost:5005/user"
    ]
  },
  "name": "API"
}
then I created a scope
{
  "value": "custom:scope",
  "description": "A custom scope"
}
then I added api auth server client. I went to the admin panel and grabbed the app id from the url. https://{domain}.onelogin.com/apps/{appId}/edit/#configuration
and added an api auth server
which gave me this back from the postman api
[
  {
    "name": "TestApp",
    "app_id": 1111111,
    "scopes": [
      {
        "id": 172,
        "description": "A custom scope",
        "value": "custom:scope"
      }
    ],
    "api_auth_id": 1246001
  }
]
So from this point it looks like I have everything I need? Except I still can't get it to create an access token. I go back to my application and use the modified service and add my audience to my appsettings.json
"OneLogin": {
  "Authority": "https://{domain}.onelogin.com/oidc/2/",
  "ClientId": "{clientId from onelogin}",
  "ResponseType": "code",
  "DefaultScopes": "openid profile groups",
  "Audience": "https://localhost:5005"
}
Except it still doesn't add the extra audience to the access token causing my api calls to fail when I add the access token inside the header. If anyone can figure out where I've gone wrong I'd be incredibly grateful.
woot. Figured it out myself. I had everything right but I had the audience wrong. In their docs they discuss having multiple audiences like example.com/blah and example.com/bleh but having the audience as just example.com and then having different scopes PER web service actually is working fine.
So when I create example2.com and add it to the audience both my api's will be able to be accessed.

Pre request script of upload file with multipart/form-data hitting method 2 times in Postman

I'm working with API project and writing test cases with Postman for automation to check API status. Here I have one upload method in which user has to upload a file to the server and need to check if the server returns an appropriate response.
Upload method accepting the request with multipart/form-data, from Postman I'm passing as below screen:
I believe that in order to write a test case, I need to write a pre-request script.
// Pre-request script: send the multipart upload before the main request runs.
pm.sendRequest({
    url: pm.environment.get("baseURL") + '/document/upload',
    method: 'POST',
    header: [{
        "key": "Authorization",
        "value": pm.environment.get("authorization"),
        "type": "text"
    }],
    body: {
        mode: 'formdata',
        formdata: [{
            "key": "file",
            "type": "binary",
            // Backslashes must be doubled inside a JavaScript string literal.
            "src": "C:\\Users\\Desktop\\api.pdf"
        }]
    }
}, function(err, res) {
    console.log(res);
});
However, the method is getting hit two times, any thoughts to make it correct and hit only once?
I have gone through the docs and figured out what the issue is. I was facing the issue while running the collection using Runner; after searching for a way to handle file uploading, I finally came to Newman, which seems easy for such scenarios. However, it's still unclear how to upload a file while running using Runner!
As per the comments above:
Due to security reasons Postman runner doesn't support file uploading directly. Find Github thread here
You can add a request before this one in your collection which makes the upload if you need it in the next one. Although good practice says that requests should be atomic, with a pre-request it will be very difficult. You may achieve it using a base64 string of the files and sending the request with formdata if you insist on doing it like that. The other option is to run with Newman in a pipeline. All you have to do is export the collection, the environment and the test files and make sure you don't have an absolute path in the exported JSON. (Newman should be executed from the directory with the collection and env JSON files.)
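A pre-flight check for the Newman advice above, as an added example that is not part of the original answers: it walks an exported collection and reports every form-data file field whose `src` is an absolute path, which would break when the pipeline runs on another machine. It assumes the Collection v2.1 export layout; the sample collection, its names and its paths are constructed.

```python
import json
import re

# Constructed export in Collection v2.1 layout; names and paths are made up.
SAMPLE_COLLECTION = json.loads(r"""
{
  "item": [
    {"name": "documents", "item": [
      {"name": "upload pdf", "request": {"method": "POST", "body": {
        "mode": "formdata", "formdata": [
          {"key": "file", "type": "file", "src": "C:\\Users\\Desktop\\api.pdf"}]}}},
      {"name": "upload csv", "request": {"method": "POST", "body": {
        "mode": "formdata", "formdata": [
          {"key": "file", "type": "file",
           "src": ["fixtures/a.csv", "/home/ci/b.csv"]}]}}}
    ]},
    {"name": "status", "request": {"method": "GET"}}
  ]
}
""")

# Windows drive path, UNC path, or POSIX absolute path.
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")


def absolute_file_sources(items, trail=()):
    """Return (request path, form key, src) for each absolute file source."""
    hits = []
    for item in items:
        path = trail + (item.get("name", "?"),)
        if "item" in item:  # a folder: recurse into its children
            hits += absolute_file_sources(item["item"], path)
            continue
        request = item.get("request")  # may be a bare URL string
        body = request.get("body") if isinstance(request, dict) else None
        if not body or body.get("mode") != "formdata":
            continue
        for field in body.get("formdata", []):
            if field.get("type") != "file":
                continue
            src = field.get("src") or []
            for value in ([src] if isinstance(src, str) else src):
                if ABSOLUTE.match(value):
                    hits.append(("/".join(path), field.get("key"), value))
    return hits


if __name__ == "__main__":
    for hit in absolute_file_sources(SAMPLE_COLLECTION["item"]):
        print(hit)
```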

How to get rabbitmq federation link status using rabbitmq HTTP calls

Does someone know how I can get the status of the federation links using RabbitMQ's HTTP APIs? I am able to get the definition of the federation upstream by the following example, but can't find a way to get its status.
Call - http://[hostname]:15672/api/parameters/federation-upstream returns me
[{"value":{"uri":["amqp://USER:PASSWORD@HOSTNAME:4003/VHOST"],"trust-user-id":false,"exchange":"anurag.fed"},"vhost":"VHOST","component":"federation-upstream","name":"upstream-fed"}]
The official documentation says the link status can be monitored by rabbitmqctl or the GUI, but it does not mention HTTP APIs anywhere. Does this mean that RabbitMQ does not have this capability in its APIs? If it has, can someone please help?
https://www.rabbitmq.com/federation-reference.html
"You can monitor the status of federation links using rabbitmqctl and the management plugin."
RabbitMQ version being used: 3.6.8
Thanks,
Anurag
The RabbitMQ management UI uses REST calls to fetch data, and you have the ability to trace those calls:
Enable the rabbitmq_federation_management plugin. Via the web UI, browse to the page showing the status you're looking for. Then, open the developer tools in your web browser to trace the network requests and responses. You will see requests to various /api REST resources - one of them will be what you can use in your application.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
You can call http://[hostname]:15672/api/federation-links which will retrieve a JSON document that contains the status field, like this:
[
  {
    "node": "rabbit@hostname",
    "exchange": "exchange_name",
    "upstream_exchange": "exchange_name",
    "type": "exchange",
    "vhost": "/",
    "upstream": "upstream_name",
    "id": "blablabla",
    "status": "running",
    "local_connection": "<rabbit@hostname9>",
    "uri": "amqp://hostname:5672/%2f",
    "timestamp": "2019-03-15 13:57:57"
  }
]
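A monitoring sketch built on the `/api/federation-links` response shown above, as an added example that is not part of the original answers: it fetches the list with HTTP basic auth and reports every link whose `status` is not `running`. The sample response is constructed, and the `queue` fallback for queue-type links is an assumption.

```python
import base64
import json
import urllib.request

# Constructed sample of an /api/federation-links response (values made up).
SAMPLE_LINKS = json.loads("""
[
  {"vhost": "/", "upstream": "upstream-a", "exchange": "orders",
   "type": "exchange", "status": "running",
   "timestamp": "2019-03-15 13:57:57"},
  {"vhost": "/", "upstream": "upstream-b", "exchange": "audit",
   "type": "exchange", "status": "starting",
   "timestamp": "2019-03-15 13:58:02"},
  {"vhost": "/", "upstream": "upstream-c", "exchange": "billing",
   "type": "exchange", "status": "error",
   "timestamp": "2019-03-15 13:58:10"}
]
""")


def fetch_links(base_url, user, password, timeout=10):
    """GET <base_url>/api/federation-links from the management plugin."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/api/federation-links")
    # Basic auth sends the password with every call: prefer a TLS listener.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def unhealthy_links(links):
    """Return (vhost, upstream, resource, status) for links not running."""
    problems = []
    for link in links:
        status = link.get("status", "unknown")
        if status != "running":
            # Assumption: queue federation links carry "queue" instead.
            resource = link.get("exchange") or link.get("queue") or "?"
            problems.append(
                (link.get("vhost"), link.get("upstream"), resource, status))
    return problems


if __name__ == "__main__":
    for problem in unhealthy_links(SAMPLE_LINKS):
        print(problem)
```

In production, pass the result of `fetch_links(...)` to `unhealthy_links` and alert when the list is non-empty.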

UCWA - different results for different applications

I'm playing with the interactive web SDK at https://ucwa.skype.com/websdk. I'm signed in successfully with an Azure AD login. With the F12 tool I can see that I have got a valid OAuth token.
Now I take this token and try to get a person object via a GET request like this: _https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me
This is the result:
{
  "uri": "sip:xxx@yyy.de",
  "name": "john doe",
  "_links": {
    "self": {
      "href": "/ucwa/oauth/v1/applications/111364079681/me"
    }
  },
  "rel": "me"
}
What I expect is more information about me, like this:
{
  "uri": "sip:xxx@yyy.de",
  "name": "john doe",
  "emailAddresses": [
    "xxx"
  ],
  "company": "my company name",
  "workPhoneNumber": "tel:+123456789",
  "endpointUri": "sip:xxx;opaque=user:epid:4JNzkgeuabct-CSuIgYV8gAA;gruu",
  "_links": {
    "self": {
      "href": "/ucwa/oauth/v1/applications/113782897528/me"
    },
    "note": {
      "href": "/ucwa/oauth/v1/applications/113782897528/me/note"
    },
    "presence": {
      "href": "/ucwa/oauth/v1/applications/113782897528/me/presence"
    },
    "location": {
      "href": "/ucwa/oauth/v1/applications/113782897528/me/location"
    },
    "reportMyActivity": {
      "href": "/ucwa/oauth/v1/applications/113782897528/me/reportMyActivity"
    },
    "photo": {
      "href": "/ucwa/oauth/v1/applications/113782897528/photos/xxxx"
    }
  },
  "rel": "me"
}
I found out that the result depends on the application id. If I open the Office365 web portal (_https://outlook.office.com/owa) and search for a valid application id with the F12 tool, then I get the expected result. Even with the OAuth token that I got from the interactive web SDK example. So this cannot be a security or permission issue??
I grant access to all permissions in the azure management portal.
Also very strange is that I get different status codes with the same OAuth token for these two very similar requests:
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me/presence
-> 200 OK
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/112861033140/me/presence
-> 403 Forbidden
{
  "code": "Forbidden",
  "message": "The requested operation isn't allowed."
}
So why is there a difference between both applications and what is required to get the same results? Is anything missing in the azure configuration?
Thanks for help
UCWA and to a larger extent Skype for Business Online are in a preview phase which may help explain why you are seeing a different result set between the two applications. When logging into the O365 portal as your user you are most likely getting supplemental information from Exchange or the portal is able to receive more information from UCWA using internal APIs (and permissions) not publicly exposed.
If I remember correctly and your request example above is as follows:
/ucwa/oauth/v1/applications/113782897528/me/presence - O365 Portal
/ucwa/oauth/v1/applications/112861033140/me/presence - Non-Portal
What you are seeing is that Presence is not currently enabled (a better term might be the API is not publicly exposed) for UCWA when using Online clients.
Access to presence is available in preview mode through the "Read/write Skype user information (preview)" Delegated Permission. You might not have access to it, but here's a picture of what it looks like in Azure AD if you do:
I created a UCWA-based native app that connects to SfB Online and allows you to set your presence:
https://github.com/tamhinsf/ucwa-sfbo-console
Just follow the README to register your own app and plug in your settings into my code. I output the result of each API call onto the console so you can see what's going on.
I've also made a fork of the Interactive Web SDK Samples you've been using that consolidates the Azure AD settings into a single file. You might want a local copy to more closely inspect and modify the calls:
https://github.com/tamhinsf/skype-web-sdk-samples
Sharing the token like that between applications seems like a security violation. The token is provided for a specific resource and the server likely validates that the token you are providing matches the scopes that the application was created with.
What scenario are you trying to perform by sharing the token?