Chapter 5. Invoking the Data Grid REST API
Data Grid services expose a REST endpoint at port 8443.
By default, Data Grid requires user authentication for data access and encryption for client connections.
- Authentication
  Data Grid authorizes data access requests with credentials that you specify with the APPLICATION_USER and APPLICATION_PASSWORD parameters.
- Encryption
  When Data Grid pods start they generate TLS certificate/key pairs and save them in the service-certs secret. The TLS certificates are signed by the OpenShift certificate authority (CA).
5.1. Creating External Routes to the REST API
REST clients running outside OpenShift access Data Grid pods through routes with reencrypt termination.
Procedure
Create a route with reencrypt termination.
  $ oc create route reencrypt ${ROUTE_NAME} \
      --port=https \
      --service ${APPLICATION_NAME}
For example:
  $ oc create route reencrypt cache-service-https-route \
      --port=https \
      --service cache-service
Run oc get routes to find the HTTPS route hostname, for example:
  $ oc get routes
  NAME                        HOST/PORT
  cache-service-https-route   cache-service-https-route-rhdg-helloworld.192.0.2.0.nip.io
5.2. Making REST Calls
Prerequisite
Configure REST clients for authentication and encryption.
- On OpenShift
  Create truststores with the CA bundle mounted in the pod at:
  /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- Outside OpenShift
  Create truststores with the CA for your OpenShift environment.
Procedure
Invoke the Data Grid REST API as appropriate.
For example, invoke a PUT call to add a key:value pair:
  curl -X PUT \
    -u ${USERNAME}:${PASSWORD} \
    -H 'Content-type: text/plain' \
    -d 'world' \
    https://${HOSTNAME_FOR_HTTPS_ROUTE}/rest/default/hello
5.2.1. Using the OpenShift CA to Make REST Calls
In cases where the CA certificate is not valid, such as local OpenShift clusters or Red Hat OpenShift Container Platform development installations, you can use service-ca.crt to make REST calls.
Procedure
Get service-ca.crt from Data Grid pods.
  $ oc rsync ${pod_name}:/var/run/secrets/kubernetes.io/serviceaccount/..data/service-ca.crt .
Pass service-ca.crt when you invoke REST calls.
  curl -X PUT \
    -u ${USERNAME}:${PASSWORD} \
    --cacert service-ca.crt \
    -H 'Content-type: text/plain' \
    -d 'world' \
    https://${HOSTNAME_FOR_HTTPS_ROUTE}/rest/default/hello
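The curl calls from 5.2 and 5.2.1, wrapped so that the credentials reach curl on stdin instead of the command line (where other local users can read them from the process list) and so that the call is refused when the CA bundle is missing rather than retried without verification. This is an added example, not part of the Data Grid documentation; the function names, the CA path argument and the key character restriction are assumptions, while USERNAME, PASSWORD and HOSTNAME_FOR_HTTPS_ROUTE are the variables used in the commands above.

```shell
#!/bin/sh
# Added example, not from the Data Grid docs. Expects USERNAME, PASSWORD and
# HOSTNAME_FOR_HTTPS_ROUTE in the environment, as in the curl commands above.

# Escape a value for use inside a double-quoted curl config string.
dg_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Print a curl config for one cache entry. $1 = key, $2 = CA bundle path.
dg_curl_config() {
    # Fail closed: no usable CA bundle means no connection, never an unverified one.
    if [ ! -s "$2" ] || ! grep -q 'BEGIN CERTIFICATE' "$2"; then
        echo "CA bundle '$2' missing or not PEM; refusing to connect" >&2
        return 1
    fi
    # Assumed restriction: keys that could alter the URL path are rejected.
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) echo "unsafe key '$1'" >&2; return 1 ;;
    esac
    printf 'url = "https://%s/rest/default/%s"\n' "$HOSTNAME_FOR_HTTPS_ROUTE" "$1"
    printf 'user = "%s:%s"\n' "$(dg_escape "$USERNAME")" "$(dg_escape "$PASSWORD")"
    printf 'cacert = "%s"\n' "$(dg_escape "$2")"
    # fail: exit non-zero on HTTP errors such as 401, so callers notice them.
    printf 'fail\nsilent\nshow-error\n'
}

# PUT a text value. $1 = key, $2 = value, $3 = CA bundle path.
dg_put() {
    dg_cfg=$(dg_curl_config "$1" "$3") || return 1
    printf '%s\n' "$dg_cfg" |
        curl --config - -X PUT -H 'Content-type: text/plain' -d "$2"
}

# GET a value back. $1 = key, $2 = CA bundle path.
dg_get() {
    dg_cfg=$(dg_curl_config "$1" "$2") || return 1
    printf '%s\n' "$dg_cfg" | curl --config -
}

# Usage, after sourcing this file:
#   dg_put hello world service-ca.crt && dg_get hello service-ca.crt
```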