Tuesday, 2 January 2018

IBM DataPower on IBM Cloud Private - Wrapping it up

I'm using IBM Cloud Private (ICP) to spin up a container running IBM DataPower Gateway (IDG), via a Helm chart.

Right now, I'm cheating using the ICP admin UI rather than the Helm command-line interface, as per my normal practice.

The Helm chart has two mandatory values - frontsideKey and frontsideCert - which contain a private key and a personal certificate.

I generated the key and certificate using openssl : -

openssl req -subj '/C=GB/O=IBM/CN=davehay.uk.ibm.com' -new -newkey rsa:2048 -days 365 -nodes -x509  -sha256 -keyout server.key -out server.crt

When I clicked the button to install the Helm chart, I saw this exception in the UI : -

Internal service error : release DaveH failed: Secret in version "v1" cannot be handled as a Secret: v1.Secret: Data: decode base64: illegal base64 data at input byte 64, parsing 1177 ...X375XW1M="... at {"apiVersion":"v1","data":{"cert.pem":"MIIDQzCCAiugAwIBAgIJAMNFpd9mxNckMA0GCSqGSIb3DQEBCwUAMDgxCzAJBgNV BAYTAkdCMQwwCgYDVQQKDANJQk0xGzAZBgNVBAMMEmRhdmVoYXkudWsuaWJtLmNv 
G6rTAsZcFxBukcRxfCk4CmRR1C16dlsiz64rKVkdGO9IUTF0GchNAobYcAEK+dbW v+jU2J13dMnmzYfOz9QZkpM="},"kind":"Secret","metadata":{"labels":{"app":"DaveH-ibm-datapower-dev","chart":"ibm-datapower-dev-1.0.3","heritage":"Tiller","release":"DaveH"},"name":"DaveH-ibm-datapower-dev-secret","namespace":"default"}}

Reading this: -

I realised that the requisite values should be base64-encoded.

However, it's my understanding that X509 certificates are already base64-encoded.

I fiddled about for a bit …. and then realised where I was going wrong.

The .cer and .key files that are generated by the openssl command are written to files that are automatically formatted as …. 64-column files :-)

That may be the base64 encoding :-)

However, the ICP/Helm UI doesn't like the resulting wrapped text in the frontsideKey and frontsideCert parameters.

So I manually stripped away the CR/LF characters at the end of each 64-bit row, and pasted the result into each of the requisite fields.

This got me further, but I then saw this: -

Internal service error : release DaveH failed: Secret "DaveH-ibm-datapower-dev-secret" is invalid: metadata.name: Invalid value: "DaveH-ibm-datapower-dev-secret": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

which is easier to fix.

This is what ICP says: -

and this is what I had for my Release Name: -


Can you say "Doofus" ?

Once I changed it to daveh, we're good to go: -
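Both failures above can be caught before anything is pasted into the UI. The following is an added example, not part of the original post or of the Helm chart: the helper names and the sample PEM body are constructed, and the name check uses the regex quoted in the second error message.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed for illustration.
LC_ALL=C; export LC_ALL

# Constructed stand-in for a PEM body: one 64-column row plus a short final row.
B16='QUJDQUJDQUJDQUJD'
SAMPLE_L1="$B16$B16$B16$B16"
SAMPLE_L2='QUJDQUJDQUI='

# Write a PEM-shaped file (marker lines, wrapped body, CRLF line ends) to $1.
write_sample_pem() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' "$SAMPLE_L1" "$SAMPLE_L2" \
        '-----END CERTIFICATE-----' > "$1"
}

# Drop the BEGIN/END marker lines and join the wrapped rows into one line.
pem_body_one_line() {
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# True only for non-empty, correctly padded base64 with no spaces or line breaks.
is_single_line_base64() {
    case $1 in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# True if $1 matches the DNS-1123 subdomain regex quoted in the second error.
is_dns1123_subdomain() {
    case $1 in
        ''|*[!a-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Demo: the wrapped rows as pasted (line break turned into a space) versus joined.
tmp=$(mktemp) && write_sample_pem "$tmp"
value=$(pem_body_one_line "$tmp"); rm -f "$tmp"
is_single_line_base64 "$SAMPLE_L1 $SAMPLE_L2" || echo "wrapped value: rejected"
is_single_line_base64 "$value" && echo "joined value: ok"
is_dns1123_subdomain "DaveH-ibm-datapower-dev-secret" || echo "DaveH-...: rejected"
is_dns1123_subdomain "daveh-ibm-datapower-dev-secret" && echo "daveh-...: ok"
```

The space that replaces the first line break sits at offset 64, which matches the "illegal base64 data at input byte 64" in the first error.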
