Merge pull request #36 from orchestracities/dev

The Orion sidecar tale of woe

README.md

@@ -101,9 +101,16 @@ After installing Minikube, download the Istio release and install the demo
 profile. Here's the short version, assuming you've already installed Minikube:
 
     $ cd ~
+
+    # Start Minikube.
+
     $ minikube start --memory=16384 --cpus=4
     # Try --memory=4096 if you don't have that much RAM, it worked for us :-)
     $ kubectl config use-context minikube
+
+    # Download and install Istio 1.4.2.
+
+    $ export ISTIO_VERSION=1.4.2
     $ curl -L https://istio.io/downloadIstio | sh -
     $ cd istio-*
     $ export PATH="${PWD}/bin:${PATH}"
@@ -119,6 +126,12 @@ Long version:
 - https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection
 - https://istio.io/docs/tasks/policy-enforcement/enabling-policy/
 
+**Note**. *Istio version*. Version `1.4.2` is the safest to use since
+we've compiled and tested the adapter's gRPC interface against this
+version. We also tested extensively with version `1.4.0` and `1.4.3`.
+In principle what's documented in this README should work with any
+`1.4.*` version and, barring minor adjustments, with `1.5.*` too.
+
 **Note**. *Policy Enforcement*. The docs say the `demo` profile should enable
 it (i.e. set `disablePolicyChecks` to `false`) but it doesn't nor does it
 work to specify that option at installation time which is why you'll have
@@ -394,18 +407,57 @@ through port `31026`. Next deploy Orion
 
 and you're ready to play around! Here's how to get your feet wet:
 
-    $ curl -v "$(minikube ip):31026/v2"
+    $ source scripts/cluster-url.sh
+    $ curl -v "$ORION_BASE_URL/v2"
     # you should get back a 403/permission denied.
 
-    $ curl -v "$(minikube ip):31026/v2" -H "header:${HEADER_VALUE}"
+    $ curl -v "$ORION_BASE_URL/v2" -H "header:${HEADER_VALUE}"
     # set HEADER_VALUE as we did earlier; you should get back some
     # JSON with Orion's API entry points.
 
 You can try adding entities, subscriptions and trigger notifications.
-It should all go without a hitch, but there's a snag: because of
-[#28](https://github.com/orchestracities/boost/issues/28), at the
-moment no IDS header gets added to Orion notification messages. But
-a fix should become available soon soon, stay tuned!
+It should all go without a hitch. Here's a smoke test.
+
+    $ sh scripts/orion.post-entity.sh
+
+creates a brand new Orion entity of type `Room` with an ID of `Room1`,
+`pressure` and `temperature` attributes, whereas
+
+    $ sh scripts/orion.sub.sh
+
+tells Orion to notify our trustworthy friend at `httpbin.org` (we owe
+you big time my china!) whenever that entity changes. To see it while
+it's happening, start `tcpdump` in a separate terminal
+
+    $ sudo tcpdump -i any -s 4096 -A host httpbin.org
+
+then switch back to your current terminal and send a `Room1` update
+with
+
+    $ sh scripts/orion.update-entity.sh
+
+Your `tcpdump` should've spewed out a giant cloud of text but if your
+eyes can manage to separate the wheat from the chaff, you should be
+able to catch the Orion notification coming out of the mesh towards
+`httpbin.org`. It should look something like
+
+    POST /post HTTP/1.1
+    host: httpbin.org:80
+    fiware-servicepath: /
+    fiware-correlator: 449ec094-82fe-11ea-a8d6-0242ac110013
+    ngsiv2-attrsformat: normalized
+    header: eyJAdHlwZSI6ImlkczpSZXN1bH...(Orion's DAPS identity)...
+    ...
+
+    {"subscriptionId":"5e9d82045bfa0aeb50e8e21e",
+     "data":[{
+         "id":"Room1",
+         "type":"Room",
+         "temperature":{"type":"Float","value":21.5,"metadata":{}}}]}
+
+Smoking can badly damage your health, so I won't encourage you to try
+any more smoke tests but surely we've set the scene for your own,
+hopefully smoke-free, tests.
 
 ##### Access-control with AuthZ
 

deployment/egress_filter.yaml

@@ -3,6 +3,48 @@ kind: EnvoyFilter
 metadata:
   name: "orion-egress-filter"
   namespace: default
+spec:
+  configPatches:
+  - applyTo: HTTP_FILTER
+    match:
+      context: SIDECAR_OUTBOUND
+      listener:
+        filterChain:
+          filter:
+            name: envoy.http_connection_manager
+            subFilter:
+              name: envoy.router
+        portNumber: 80
+    patch:
+      operation: INSERT_BEFORE
+      value:
+        config:
+          inlineCode: "\n    function envoy_on_request(request_handle)\n        local headers, body = request_handle:httpCall(\n            \"lua_cluster\",\n            { [\":method\"] = \"GET\",\n              [\":path\"] = \"/\",\n              [\":authority\"] = \"lua_cluster\"\n            },\n            \"\",\n            5000)\n        request_handle:headers():add(\"header\", body)\n    end\n"
+        name: envoy.lua
+  - applyTo: CLUSTER
+    patch:
+      operation: ADD
+      value:
+        connect_timeout: 5.5s
+        hosts:
+        - socket_address:
+            address: "orionadapterservice.istio-system"
+            port_value: 54321
+            protocol: TCP
+        lb_policy: ROUND_ROBIN
+        name: lua_cluster
+        type: STRICT_DNS
+  workloadSelector:
+    labels:
+      app: orion
+
+---
+
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: "httpbin-egress-filter"
+  namespace: default
 spec:
   configPatches:
   - applyTo: HTTP_FILTER

deployment/orion_service.yaml

@@ -6,7 +6,7 @@ metadata:
   name: orion
 spec:
   ports:
-  - name: ngsi
+  - name: http
     port: 1026
     protocol: TCP
     targetPort: 1026
@@ -29,25 +29,17 @@ spec:
       app: orion
   template:
     metadata:
-      annotations:
-        "scheduler.alpha.kubernetes.io/critical-pod": ""
-        sidecar.istio.io/inject: "false"
       labels:
         app: orion
     spec:
       containers:
       - command:
-        - /usr/bin/contextBroker
-        - "-fg"
-        - "-multiservice"
-        - "-ngsiv1Autocast"
-        - "-dbhost"
-        - mongodb
-        - "-logLevel"
-        - DEBUG
+        - bash
+        - "-c"
+        - "sleep 10; exec /usr/bin/contextBroker -fg -multiservice -ngsiv1Autocast -dbhost mongodb -logLevel DEBUG"
         image: "fiware/orion:2.2.0"
         imagePullPolicy: IfNotPresent
         name: orion
         ports:
         - containerPort: 1026
-          name: ngsi
+          name: http

scripts/cluster-url.sh

@@ -1,5 +1,15 @@
 #!/usr/bin/env bash
 
-export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
+set -e
+
 export INGRESS_HOST=$(minikube ip)
+export INGRESS_PORT=$(kubectl -n istio-system \
+                      get service istio-ingressgateway \
+                      -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
+
 export BASE_URL="http://${INGRESS_HOST}:${INGRESS_PORT}"
+
+export ORION_INGRESS_PORT=$(kubectl \
+    -n istio-system get service istio-ingressgateway \
+    -o jsonpath='{.spec.ports[?(@.name=="orion")].nodePort}')
+export ORION_BASE_URL="http://${INGRESS_HOST}:${ORION_INGRESS_PORT}"

scripts/orion.post-entity.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -e
+
+
+if [[ -z "${HEADER_VALUE// }" ]];
+then
+    echo ">>> HEADER_VALUE env var not set properly"
+    echo ">>> set HEADER_VALUE as explained in README"
+    exit 1
+fi
+
+
+SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOTDIR="$(dirname "$SCRIPTPATH")"
+SCRIPTSDIR="${ROOTDIR}/scripts"
+
+source "${SCRIPTSDIR}/cluster-url.sh"
+
+
+curl -v "${ORION_BASE_URL}/v2/entities" \
+     -H "header: ${HEADER_VALUE}" -H 'Content-Type: application/json' \
+     -d @- <<EOF
+{
+  "id": "Room1",
+  "type": "Room",
+  "temperature": {
+    "value": 23,
+    "type": "Float"
+  },
+  "pressure": {
+    "value": 720,
+    "type": "Integer"
+  }
+}
+EOF

scripts/orion.sub.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -e
+
+
+if [[ -z "${HEADER_VALUE// }" ]];
+then
+    echo ">>> HEADER_VALUE env var not set properly"
+    echo ">>> set HEADER_VALUE as explained in README"
+    exit 1
+fi
+
+
+SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOTDIR="$(dirname "$SCRIPTPATH")"
+SCRIPTSDIR="${ROOTDIR}/scripts"
+
+source "${SCRIPTSDIR}/cluster-url.sh"
+
+
+curl -v "${ORION_BASE_URL}/v2/subscriptions" \
+     -H "header: ${HEADER_VALUE}" -H 'Content-Type: application/json' \
+     -d @- <<EOF
+{
+  "description": "A subscription to get info about Room1",
+  "subject": {
+    "entities": [
+      {
+        "id": "Room1",
+        "type": "Room"
+      }
+    ],
+    "condition": {
+      "attrs": [
+        "pressure"
+      ]
+    }
+  },
+  "notification": {
+    "http": {
+      "url": "http://httpbin.org/post"
+    },
+    "attrs": [
+      "temperature"
+    ]
+  },
+  "expires": "2040-01-01T14:00:00.00Z",
+  "throttling": 5
+}
+EOF

scripts/orion.update-entity.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -e
+
+
+if [[ -z "${HEADER_VALUE// }" ]];
+then
+    echo ">>> HEADER_VALUE env var not set properly"
+    echo ">>> set HEADER_VALUE as explained in README"
+    exit 1
+fi
+
+
+SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOTDIR="$(dirname "$SCRIPTPATH")"
+SCRIPTSDIR="${ROOTDIR}/scripts"
+
+source "${SCRIPTSDIR}/cluster-url.sh"
+
+
+curl -v "${ORION_BASE_URL}/v2/entities/Room1/attrs" \
+     -H "header: ${HEADER_VALUE}" -H 'Content-Type: application/json' \
+     -X PATCH -d @- <<EOF
+{
+  "temperature": {
+    "value": 21.5,
+    "type": "Float"
+  },
+  "pressure": {
+    "value": 703,
+    "type": "Float"
+  }
+}
+EOF

yamster/src/Mesh/Config/Envoy.hs

@@ -1,14 +1,17 @@
 {-# LANGUAGE UnicodeSyntax #-}
 {-# LANGUAGE QuasiQuotes #-}
 module Mesh.Config.Envoy
-  (orionEgressFilter)
+  ( httpbinEgressFilter
+  , orionEgressFilter
+  )
 where
 
 import Data.String.Interpolate (i)
 import Peml
 
 import Mesh.Config.Adapter
-import Mesh.Config.Services (orionadapter, orionadapterHttpEndpoint, httpbin)
+import Mesh.Config.Services (orionadapter, orionadapterHttpEndpoint, orion,
+                             httpbin)
 import Mesh.Util.K8s (ServiceSpec(..), Port(..), serviceFqn)
 
 
@@ -36,18 +39,24 @@ adapterHttpEndpoint = do
   "address"    =: serviceFqn orionadapter
   "port_value" =: servicePort orionadapterHttpEndpoint
 
-
-orionEgressFilter ∷ ExprBuilder
-orionEgressFilter = do
+idsEgressFilter ∷ String → ServiceSpec → ExprBuilder
+idsEgressFilter filterName target = do
   "apiVersion" =: "networking.istio.io/v1alpha3"
   "kind" =: "EnvoyFilter"
   "metadata" =: do
-    "name" =: "orion-egress-filter"
+    "name" =: filterName
     "namespace" =: "default"
   "spec" =: do
-    "workloadSelector" =: do          -- TODO how to select more than one?
-      "labels" =: do                  -- E.g. what if we want to have both
-        "app" =: serviceName httpbin  -- httpbin and orion? Go type is map...
+    "workloadSelector" =: do
+      "labels" =: do
+        "app" =: serviceName target
+-- (*) TODO. Multiple workload selector.
+-- Is there a way to select more than one target workload, e.g. orion
+-- and httpbin at the same time? If yes, then we could avoid defining
+-- two separate filters as we do here, one targeting orion and the
+-- other httpbin. The Go type for labels is map<string, string> so
+-- it doesn't look like we could do that by adding another app key...
+
     "configPatches" =: do
     -- This patch adds the lua filter to the listener/http connection manager
       (-:) $ do
@@ -100,3 +109,9 @@ orionEgressFilter = do
 -- one-element list with a map. In the end duplicates get ditched
 -- when converting to YAML anyway.
 --
+
+orionEgressFilter ∷ ExprBuilder
+orionEgressFilter = idsEgressFilter "orion-egress-filter" orion
+
+httpbinEgressFilter ∷ ExprBuilder
+httpbinEgressFilter = idsEgressFilter "httpbin-egress-filter" httpbin