diff --git a/README.md b/README.md index bc075b2..8e7537b 100644 --- a/README.md +++ b/README.md @@ -174,6 +174,55 @@ Find **Protocol Buffers Descriptions** at the [`./pb` directory](./pb). curl -v "http://$INGRESS_HOST" + +### (Optional) Apigee Istio Demo + +> **Note:** Complete the [Optional Istio installation](#optional-deploying-on-a-istio-installed-cluster) above + +1. Create an Apigee Edge account [here](https://login.apigee.com/sign__up) + +2. Install Apigee Istio Mixer plugin [here](https://github.com/apigee/istio-mixer-adapter/releases) + +3. Configure the Apigee Istio Mixer plugin with your Apigee Edge *organization*, *environment*, *username*, and *password*: + + apigee-istio provision -o [organization] -e [environment] -u [username] -p [password] > ./istio-manifests/apigee/handler.yaml + +4. Apply the Apigee manifests in [`./istio-manifests/apigee`](./istio-manifests/apigee) directory. + + kubectl apply -f -f ./istio-manifests/apigee + + This is required only once. + +5. Find the IP address of your application, then visit the application on your + browser to confirm installation. + + kubectl get service frontend-external + + _This will partially fail with HTTP 500 and HTTP 403 errors_ + +![alt text](img/apigee/hipster-shop-landing-unauthorized.png) + +6. Create an Apigee Edge Developer and an API Product with the appropriate Hipster Shop service names [example](https://docs.apigee.com/api-platform/istio-adapter/installation#get_an_api_key). You will need to add at least the following to the API Product Istio Services: +``` +productcatalogservice.default.svc.cluster.local +recommendationservice.default.svc.cluster.local +currencyservice.default.svc.cluster.local +cartservice.default.svc.cluster.local +shippingservice.default.svc.cluster.local +``` + +7. Create an Apigee Edge application with the above API Product either in the Management UI or an Apigee developer portal [example](https://docs.apigee.com/api-platform/istio-adapter/installation#4_create_a_developer_app) + +8. Copy the Apigee application Client ID above, add the Client ID to the Hipster Shop configuration, and click the **Save** button. `/config#apigee_client_id` + +![alt text](img/apigee/hipster-shop-configuration.png) + +9. Navigate around the Hipster Shop again in your browser! + * _This will succeed without any errors for the services you added to the API Product_ + +10. Navigate around the Apigee Edge [Analytics](https://docs.apigee.com/api-platform/analytics/analytics-services-overview) to discover metrics about your application and Hipster Shop services! + + --- **Note to fellow Googlers:** Please fill out the form at diff --git a/img/apigee/hipster-shop-configuration.png b/img/apigee/hipster-shop-configuration.png new file mode 100644 index 0000000..d026425 Binary files /dev/null and b/img/apigee/hipster-shop-configuration.png differ diff --git a/img/apigee/hipster-shop-landing-unauthorized.png b/img/apigee/hipster-shop-landing-unauthorized.png new file mode 100644 index 0000000..34d82b1 Binary files /dev/null and b/img/apigee/hipster-shop-landing-unauthorized.png differ diff --git a/istio-manifests/apigee/definitions.yaml b/istio-manifests/apigee/definitions.yaml new file mode 100644 index 0000000..d851b84 --- /dev/null +++ b/istio-manifests/apigee/definitions.yaml @@ -0,0 +1,84 @@ +# Defines the base structures and data map for the Apigee mixer adapter. +# In general, these are static and should not need to be modified. +# However, certain specific behaviors such as where to retrieve an API Key +# could be changed here. +--- +# declares the Apigee adapter +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apigees.config.istio.io + namespace: istio-system + labels: + package: apigee + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: apigee + plural: apigees + singular: apigee + scope: Namespaced + version: v1alpha2 +--- +# define template 'analytics' +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: analytics.config.istio.io + namespace: istio-system + labels: + package: analytics + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: analytics + plural: analytics + singular: analytics + scope: Namespaced + version: v1alpha2 +--- +# instance configuration for template 'apigee.analytics' +apiVersion: config.istio.io/v1alpha2 +kind: analytics +metadata: + name: apigee + namespace: istio-system +spec: + api_key: request.api_key | request.headers["x-api-key"] | "" + api_proxy: api.service | destination.service.host | "" + response_status_code: response.code | 0 + client_ip: source.ip | ip("0.0.0.0") + request_verb: request.method | "" + request_uri: request.path | "" + useragent: request.useragent | "" + client_received_start_timestamp: request.time + client_received_end_timestamp: request.time + target_sent_start_timestamp: request.time + target_sent_end_timestamp: request.time + target_received_start_timestamp: response.time + target_received_end_timestamp: response.time + client_sent_start_timestamp: response.time + client_sent_end_timestamp: response.time + api_claims: # from jwt + json_claims: request.auth.raw_claims | "" +--- +# instance configuration for template 'apigee.authorization' +apiVersion: config.istio.io/v1alpha2 +kind: authorization +metadata: + name: apigee + namespace: istio-system +spec: + subject: + user: "" + groups: "" + properties: + api_key: request.api_key | request.headers["x-api-key"] | "" + json_claims: request.auth.raw_claims | "" + action: + namespace: destination.namespace | "default" + service: api.service | destination.service.host | "" + path: api.operation | request.path | "" + method: request.method | "" diff --git a/istio-manifests/apigee/rule.yaml b/istio-manifests/apigee/rule.yaml new file mode 100644 index 0000000..54cfc4d --- /dev/null +++ b/istio-manifests/apigee/rule.yaml @@ -0,0 +1,19 @@ +# Defines rules to apply the Apigee mixer adapter to requests. +# In the rule below, we apply Apigee authorization and analytics +# as defined in the apigee-handler (handler.yaml) to all intra-mesh +# requests. +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: hipster-rule + namespace: istio-system +spec: + match: context.reporter.kind == "inbound" && destination.namespace == "default" + && destination.service.name != "frontend" + && destination.service.name != "frontend-external" + actions: + - handler: apigee-handler.apigee.istio-system + instances: + - apigee.analytics + - apigee.authorization