Modern applications exploit commonly used protocols and standards: thoroughly knowing them means if necessary being able to write the missing code to integrate applications to have everything playing nice together.

Besides being able to code scripts or to develop applications, this requires a having a good understanding of at least:

  • HTTP protocol – knowing status code is enough most of the times, but when troubleshooting having a better understanding can really help a lot
  • REST API design principles – the very most of the API are REST based. This of course requires to be skilled in managing JSON formatted documents
  • SOAP API design principles – although much rare, it may happen to the to deal with SOAP API. This of course requires to be skilled in managing XML formatted documents
  • Commonly used authentication and authorisation frameworks, such as SAML, OpenID, OAuth 2.0 and so

Beside this, professionals should be familiar with the usage of tools such as curl to connect to the API endpoints and issue commands.

Since nowadays TLS is broadly used to secure communications, professionals should also be skilled on TLS, X.509 certificates and PKI.

Take in account that professionals with these skills are quite rare (recruiters know this very well) but are among the most valuable ones, since they can make the glue between the “pure” system administration/engineering and the development.

Kubernetes cert-manager: How to for mTLS,CSI Driver and Helm post explains how to issue TLS Server certificates and Mutual TLS (mTLS) Client certificates using Kubernetes cert-manager.

We will start with raw YAML manifests to understand the core mechanics of rigid mTLS communication. Then, we will explore how to eliminate long-lived Kubernetes Secrets using the cert-manager CSI Driver, before wrapping up with a practical Helm example to cleanly automate the entire certificate lifecycle for production deployments.

Read more >

Kubernetes cert-manager Tutorial: How to Set Up Custom CA post provides a quick overview of using cert-manager on Kubernetes, showing how to easily set up a CA with the simple CA Issuer.

Certificate management is not just a security sensitive task dealing with issuing security sensitive objects: it is a cumbersome activity including taking care of handling the reissuing of expiring certificates before they reach their end of life, delivering them to the consuming services.

In Kubernetes cert-manager Tutorial: How to Set Up Custom CA post we discuss how to simplify this process using cert-manager, automating the issuing and renewal of issued certificates.

Read more >

One of the HAProxy strengths is not being very strict about its configuration structure, enabling it to create configurations suitable for fitting very messy scenarios. Sadly this is also its biggest maintainability pitfall: especially if you want to automate its configuration using automation tools and templates, it is up to you to define the best possible standard configuration structure fitting your needs.

The "HAProxy Tutorial - A Clean And Tidy Configuration Structure" post is an insight providing guidelines on how to structure the HAProxy configuration in an effective way, promoting the sharing of floating IP addresses and using easy to edit maps for load balancing the traffic forwarding it to the correct destination. In addition to that, it also provides a way for splitting the statistics so to have them displayed only for the scope of each specific balanced service instead of as a whole.

HAProxy is certainly one of the most blazoned, fast and efficient (in terms of processor and memory usage) open source load balancer and proxy, enabling both TCP and HTTP-based applications to spread requests across multiple servers. In the "High Available HA Proxy Tutorial With Keepalived" we see not only how to install it in a High Available fashion, but also how to set the configuration in a clean and tidy way, having it automatically fetched from a Git remote repository.

OAuth 2.0 and OpenID Connect are broadly used frameworks to address delegating of authentication and authorization. Despite their popularity they are such complex to be a tough nut to crack even for veterans: the scenarios and use cases they cover are very security sensitive and wide, so acquainting them is certainly a huge challenge very often causing a lot of pain and frustration.

The "OpenID Connect With Kratos And Hydra Tutorial - Gitea OAuth" post aim is to provide a good starting point for exploring this tough topic: after a short but comprehensive overview of them, we quickly focus on a real life scenario installing a full featured on premise suite made of Ory Kratos (the IDM), Ory Hydra (the OpenID Connect and OAuth 2 API) and the Ory Kratos Self Service UI node (the Resource Server - in this case it is just a demo).

Once the suite is up and running, we also explore a real life use case implementing the OAUth2 Authorization Code grant by configuring OpenID Connect as an authentication source into a Gitea instance.

The first Wayland release is dated 2012, and it was of course in a very early stage. Now 16 years have passed since the initial design, they say Wayland is mature enough that it is safe to remove X11 sessions. In the Wayland Tutorial - A Wayland HowTo post we will go through everything it is worth the effort to know about Wayland, trying to answer the question: do Wayland replace the whole X Window system, or do it replace just the X11 protocol?