Why Insomnia and not Postman?

Well, the answer is straightforward: apples vs oranges. I somewhat prefer Insomnia, even though it is just a simple API client. That is exactly what I normally need, without extra features, and Insomnia fulfils my daily needs.

  • Depending on which environment you run your API calls against, you can define variables and their values per environment, e.g. lab/prod (top left corner). Templating relies on Nunjucks.

variable values for Dev environment

  • Allows referring to the results of other API calls, e.g. an Authorization Bearer token value. In the example below, Fetch users requires a Bearer token in the GET request, so it first has to call Authorize, obtain the token and insert it into the GET request:

The Authorize URL looks as follows (IMPORTANT: never embed usernames and passwords in config files; rely on solutions like HashiCorp Vault, Azure Key Vault etc.):

Peeking at the results of the POST (Timeline) shows that the response from the server includes an authorization header carrying the token value.


A subsequent method can use the value simply by manually copy-pasting the header value into the authorization header of the GET request:

A smarter solution is to define the header in the Header tab and use a function that calls the POST Authorize method, grabs the resulting authorization header value (Bearer token) and inserts it into the header of the GET request. In the value field, press CTRL+Space and look for the function Response – Header:

Double-click the red field and the Edit tag window will pop up:

Now your requests will use the appropriate value for the authorization header.

IMPORTANT: for the Edit tag pop-up to be available, leave Raw template syntax unticked; otherwise you will have to craft the header value manually in Nunjucks.
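The same Authorize-then-reuse-the-header chain is often needed outside the GUI, in a script or CI job. The following is an added example (not from the original post and not Insomnia's own code) that performs it with curl. It assumes a hypothetical API base URL, a POST /authorize endpoint that takes form-encoded username/password and returns the token in an authorization response header, a GET /users endpoint, and credentials supplied through the API_USER and API_PASS environment variables (for example exported from a Vault lookup) rather than written into the script. The header parsing is case-insensitive and strips the CR that curl leaves on header lines, which is where hand-rolled versions usually break.

```shell
#!/usr/bin/env bash
# Added example: the Authorize -> Authorization header -> GET chain done with curl.
# Assumptions (not in the original post): endpoints /authorize and /users under
# the base URL passed in, form-encoded credentials, and API_USER / API_PASS in the
# environment (never hard-coded).
set -euo pipefail

# Return the value of one named header from a raw header dump (as produced by
# `curl -D -`). Case-insensitive name match, CR stripped, first match only so a
# redirect chain with several header blocks does not confuse the caller.
header_value() {
  local headers="$1" name="$2"
  printf '%s\n' "$headers" | tr -d '\r' \
    | awk -v want="$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" '
      !found && index($0, ":") > 1 {
        n = tolower(substr($0, 1, index($0, ":") - 1))
        if (n == want) {
          v = substr($0, index($0, ":") + 1)
          sub(/^[ \t]+/, "", v)
          print v
          found = 1
        }
      }'
}

# POST to the Authorize endpoint and capture only the response headers
# (-D - dumps headers to stdout, -o /dev/null discards the body).
# --data-urlencode keeps quotes or ampersands in the password from corrupting the body.
authorize() {
  local base="$1" user="$2" pass="$3"
  curl -sS -D - -o /dev/null -X POST "$base/authorize" \
    --data-urlencode "username=$user" \
    --data-urlencode "password=$pass"
}

# The chain itself: authorize, pull the Authorization header, reuse it on the GET.
fetch_users() {
  local base="$1" headers token
  headers=$(authorize "$base" "${API_USER:?set API_USER}" "${API_PASS:?set API_PASS}")
  token=$(header_value "$headers" Authorization)
  [ -n "$token" ] || { echo "no Authorization header in Authorize response" >&2; return 1; }
  curl -sS "$base/users" -H "Authorization: $token"
}

# Constructed sample of a `curl -D -` header dump, so header_value can be
# exercised offline (the token is a placeholder, not a real credential).
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nauthorization: Bearer constructed-sample-token\r\nContent-Length: 2\r\n')

# Usage against a live API (commented out so the file runs without network access):
#   export API_USER=... API_PASS=...     # e.g. from `vault kv get`
#   fetch_users "https://api.example.test"
```

The shape is deliberately the same as the Insomnia tag: the GET never sees the credentials, only the header value the Authorize response produced.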

Scanning docker container images

Looking for potential vulnerabilities in Docker images is crucial before shipping them to customers or putting them into production. Image scanning should be part of any CI pipeline, so that the shipped software is as secure as possible and vulnerabilities and CVEs are detected early in the process.

Docker Engine comes with the docker scan command (a CLI plugin running on the Snyk engine) to detect CVEs and vulnerabilities. The scan result also shows potential remediations (e.g. use a newer base image). Note that docker scan has since been deprecated in favour of Docker Scout, so check the current Docker documentation before building a pipeline step on it.

More details: https://docs.docker.com/engine/scan/

Another solution is Trivy from Aqua Security, which serves a similar purpose: https://github.com/aquasecurity/trivy. Running it after installation is as simple as:
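What a CI gate around such a scanner looks like in practice, as an added example (not from the original post and not Trivy's own tooling): the image is scanned with trivy using its real --exit-code, --severity and --ignore-unfixed flags so the job fails on fixable HIGH/CRITICAL findings, and the JSON report is kept for archiving. The report helpers parse Trivy's JSON layout (Results[].Vulnerabilities[].Severity) and are exercised on a constructed sample report with placeholder IDs, so that part runs without a scanner. The image name and the HIGH/CRITICAL threshold are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example: CI gate around trivy. Assumes trivy is installed on the runner;
# image name and severity threshold are hypothetical choices.
set -euo pipefail

# Fail the job (exit 1) if the image carries any HIGH or CRITICAL finding that
# already has a fix. --ignore-unfixed stops the gate blocking on CVEs the distro
# has not patched yet; drop it for a stricter policy.
scan_image() {
  local image="$1"
  trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$image"
}

# Write the full machine-readable report (all severities) for archiving.
write_report() {
  local image="$1" out="$2"
  trivy image --format json --output "$out" "$image"
}

# Count findings of one severity in a trivy JSON report. Matches both
# pretty-printed and compact JSON; grep finding nothing is not an error here.
count_severity() {
  local report="$1" sev="$2"
  { grep -o "\"Severity\":[[:space:]]*\"${sev}\"" "$report" || true; } | wc -l | tr -d '[:space:]'
}

# Summarise an archived report and return non-zero when anything HIGH or
# CRITICAL is present, so the same decision can be taken without rescanning.
gate_report() {
  local report="$1" sev n total=0
  for sev in CRITICAL HIGH MEDIUM LOW; do
    n=$(count_severity "$report" "$sev")
    printf '%-8s %s\n' "$sev" "$n"
    case "$sev" in CRITICAL|HIGH) total=$((total + n)) ;; esac
  done
  [ "$total" -eq 0 ]
}

# Constructed sample in trivy's JSON layout (placeholder IDs, not real CVEs),
# so the report functions can be exercised without a scanner.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "Results": [
    {
      "Target": "example-image (debian 12)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib-example", "Severity": "LOW"}
      ]
    },
    {
      "Target": "Python",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-lib", "Severity": "HIGH"}
      ]
    }
  ]
}
EOF

# Typical pipeline step (commented out so this file runs where trivy is absent):
#   scan_image "registry.example.test/app:${CI_COMMIT_SHA}"
#   write_report "registry.example.test/app:${CI_COMMIT_SHA}" trivy-report.json
```

Keeping the archived JSON report matters as much as the pass/fail: when a new CVE lands later you can re-run gate_report over the reports of images already in production instead of rebuilding them first.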

openstack cli in a docker container

If you need to access your OpenStack cluster but cannot install packages on the jumpbox host that reaches the cluster (no internet access or insufficient privileges), an alternative is to build a Docker image locally that includes the OpenStack CLI. The assumption is that the jumpbox host has Docker installed and the user can load Docker images and run containers.

First prepare a Dockerfile (based on the official Python Docker images in this example):

Build the Docker image, passing as a build argument the path to the stackrc file that holds the cluster access details (endpoint, passwords etc.). Be aware that a file copied in at build time ends up in an image layer, so anyone who can inspect the image or the saved tarball can read those credentials: treat the tarball as a secret, or better, mount stackrc into the container at run time instead of baking it in.

After the build finishes, save the image to a tarball:

Copy the tarball to the destination machine that can access the OpenStack cluster and load the image:

Run the container and try listing, for example, the servers:
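The whole procedure, as an added example (not from the original post and not the Dockerfile shown there), with one deliberate change: stackrc is bind-mounted read-only at run time rather than copied in at build time, so the image and the tarball that travels to the jumpbox carry no credentials. The image tag openstack-cli:local, the base image python:3.12-slim and the mount path /work/stackrc are illustrative choices; the script assumes stackrc is a plain sh-sourceable file of `export OS_...=` lines, as the openrc files OpenStack generates are. Only the Dockerfile writer runs when the file is executed; the docker steps are wrapped in functions shown in the usage comment.

```shell
#!/usr/bin/env bash
# Added example: build an OpenStack CLI image on a workstation, move it as a
# tarball to a jumpbox and run it there, keeping credentials out of the image.
# Illustrative names: image openstack-cli:local, base python:3.12-slim,
# stackrc mounted at /work/stackrc (assumed to be an sh-sourceable file).
set -euo pipefail

IMAGE=openstack-cli:local
TARBALL=openstack-cli.tar.gz

# Write the Dockerfile into $1. Deliberately no COPY of stackrc: anything copied
# in at build time sits in an image layer and travels with the tarball.
write_dockerfile() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/Dockerfile" <<'EOF'
FROM python:3.12-slim
RUN pip install --no-cache-dir python-openstackclient
WORKDIR /work
# /work/stackrc is provided by a read-only bind mount at run time.
# In `sh -c`, the element after the script becomes $0 and the docker run
# arguments arrive as "$@", which are handed straight to the openstack client.
ENTRYPOINT ["/bin/sh", "-c", ". /work/stackrc && exec openstack \"$@\"", "openstack"]
EOF
  printf '%s\n' "$dir/Dockerfile"
}

# On the workstation with internet access.
build_image() { docker build -t "$IMAGE" "$1"; }
save_image()  { docker save "$IMAGE" | gzip > "$TARBALL"; }   # then scp $TARBALL to the jumpbox

# On the jumpbox: docker load accepts the gzip-compressed archive directly.
load_image()  { docker load -i "$TARBALL"; }

# Run one openstack command against the cluster. stackrc is mounted read-only,
# so the image stays credential-free and the file never leaves the jumpbox.
# -it is kept because some openrc files prompt for the password with `read`.
run_cli() {
  local stackrc="$1"; shift
  local abs
  abs="$(cd "$(dirname "$stackrc")" && pwd)/$(basename "$stackrc")"
  docker run --rm -it -v "$abs:/work/stackrc:ro" "$IMAGE" "$@"
}

# Usage (commented out so this file runs where docker is not installed):
#   dir=$(mktemp -d); write_dockerfile "$dir"; build_image "$dir"; save_image
#   ... copy $TARBALL to the jumpbox ...
#   load_image
#   run_cli ./stackrc server list
```

If the stackrc really must be baked in (for instance the jumpbox user may not mount host files), keep the build-argument approach from the post but treat the resulting tarball with the same care as the stackrc itself, because docker save preserves every layer, including the one holding the copied file.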