In [None]:
%env kubectl=/Users/theganyo/dev/google-cloud-sdk/bin/kubectl
%env istio=/Users/theganyo/Downloads/istio-1.0.2
%env istioctl=/Users/theganyo/Downloads/istio-1.0.2/bin/istioctl
%env ingress=35.225.154.183
%env demo=/Users/theganyo/dev/fazio/microservices-demo
%env apigee-istio=/Users/theganyo/dev/istio/src/github.com/apigee/istio-mixer-adapter/dist/darwin_amd64/apigee-istio

---
## Expose the tracking api

In [None]:
%%bash
cat <<EOF | $kubectl apply -f -

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  annotations:
  name: frontend-ingress
  namespace: default
spec:
  gateways:
  - frontend-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /
    - uri:
        prefix: /cart
    - uri:
        prefix: /product
    - uri:
        exact: /setCurrency
    - uri:
        prefix: /static
    route:
    - destination:
        host: frontend
        port:
          number: 80
  - match:
    - uri:
        prefix: /tracking
    route:
    - destination:
        host: shipping
        port:
          number: 8080
    corsPolicy:
      allowOrigin:
      - "*"
      allowMethods:
      - GET
      - POST
      allowHeaders:
      - content-type
      - x-api-key
      allowCredentials: true

EOF

---
## Access the API

In [None]:
!curl $ingress/tracking/1  | python -m json.tool

---
## Wire up Apigee

The following configures how Istio passes data to the Apigee adapter.

In [None]:
%%bash
cat <<EOF | $kubectl apply -f -

# instance configuration for template 'apigee.analytics'
apiVersion: config.istio.io/v1alpha2
kind: analytics
metadata:
  name: apigee
  namespace: istio-system
spec:
  api_key: request.api_key | request.headers["x-api-key"] | ""
  api_proxy: api.service | destination.service.host | ""
  response_status_code: response.code | 0
  client_ip: source.ip | ip("0.0.0.0")
  request_verb: request.method | ""
  request_uri: request.path | ""
  useragent: request.useragent | ""
  client_received_start_timestamp: request.time
  client_received_end_timestamp: request.time
  target_sent_start_timestamp: request.time
  target_sent_end_timestamp: request.time
  target_received_start_timestamp: response.time
  target_received_end_timestamp: response.time
  client_sent_start_timestamp: response.time
  client_sent_end_timestamp: response.time
  api_claims: # from jwt
    json_claims: request.auth.raw_claims | ""
---

# instance configuration for template 'apigee.authorization'
apiVersion: config.istio.io/v1alpha2
kind: authorization
metadata:
  name: apigee
  namespace: istio-system
spec:
  subject:
    user: ""
    groups: ""
    properties:
      api_key: request.api_key | request.headers["x-api-key"] | ""
      json_claims: request.auth.raw_claims | ""
  action:
    namespace: destination.namespace | "default"
    service: api.service | destination.service.host | ""
    path: api.operation | request.path | ""
    method: request.method | ""

EOF

---
## Analytics Rule

This lets Istio know that we want to send all Istio telemetry to Apigee via the adapter.

In [None]:
%%bash
cat <<EOF | $kubectl apply -f -

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apigee-analytics
  namespace: istio-system
spec:
  match: context.reporter.kind == "inbound"
  actions:
  - handler: apigee-handler.apigee.istio-system
    instances:
    - apigee.analytics

EOF

## Analytics Reporting

Now we have analytics coming from our Istio services.

https://apigee.com/platform/theganyodemo-eval/devices

---
## Apigee API Product

An API Product is how I will expose the API to developers.

https://apigee.com/platform/theganyodemo-eval/products/Tracking%20Details

---
## Developers can register to use the API in the Developer Portal

They can also test the API right there based on the Open API documentation I've provided.

https://theganyodemo-eval-fazio.apigee.io/

---
## Protect the API with an API Key

In [None]:
%%bash
cat <<EOF | $kubectl apply -f -

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apigee-authorization
  namespace: istio-system
spec:
  match: context.reporter.kind == "inbound" && destination.service.name == "shipping"
  actions:
  - handler: apigee-handler.apigee.istio-system
    instances:
    - apigee.authorization

EOF

---
### Check the result in the portal

https://theganyodemo-eval-fazio.apigee.io/docs/tracking-details/1/routes/tracking/%7BtrackingNumber%7D/get

---
## Create an App to access the API Product

The Developer Portal lets our developers create their own Apps to access protected API Product.

https://theganyodemo-eval-fazio.apigee.io/

--- 
## Now we have an API Key

Back to the portal to try it out.

https://theganyodemo-eval-fazio.apigee.io/docs/tracking-details/1/routes/tracking/%7BtrackingNumber%7D/get

---
## Protect with OAuth

For finer-grained access, I can require OAuth tokens. First, we'll protect the API.

In [None]:
%%bash
cat <<EOF | $kubectl apply -f -

apiVersion: "authentication.istio.io/v1alpha1"
kind: Policy
metadata:
  name: shipping-auth-spec
  namespace: default
spec:
  targets:
  - name: shipping
  origins:
  - jwt:
      issuer: https://theganyodemo-eval-test.apigee.net/istio-auth/token
      jwks_uri: https://theganyodemo-eval-test.apigee.net/istio-auth/certs
  principalBinding: USE_ORIGIN

EOF

---
### Check the result in the portal

https://theganyodemo-eval-fazio.apigee.io/docs/tracking-details/1/routes/tracking/%7BtrackingNumber%7D/get

---
## Get a JWT Bearer token

First, we need our key and secret.

https://apigee.com/organizations/theganyodemo-eval/apps

In [None]:
%env apikey=
%env secret=

Use the apigee-istio CLI to get a token

In [None]:
%%bash 
JWT=$(apigee-istio token create -o theganyodemo-eval -e test -i $apikey -s $secret)
echo $JWT
echo "---"
apigee-istio token inspect -o theganyodemo-eval -e test <<< $JWT

---
### Check the result

In [None]:
!curl $ingress/tracking/1 -H "Authorization: Bearer eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhY2Nlc3NfdG9rZW4iOiJBbm13UGRNT3FEdFFEckt1a2wxVmJLVnVGSE56IiwiYXVkIjoiaXN0aW8iLCJuYmYiOjE1MzY4NzcyNTcsImFwaV9wcm9kdWN0X2xpc3QiOlsiVHJhY2tpbmcgRGV0YWlscyJdLCJhcHBsaWNhdGlvbl9uYW1lIjoibXktZGV0YWlscyIsImRldmVsb3Blcl9lbWFpbCI6InRoZWdhbnlvK2ZhemlvQGdvb2dsZS5jb20iLCJpc3MiOiJodHRwczovL3RoZWdhbnlvZGVtby1ldmFsLXRlc3QuYXBpZ2VlLm5ldC9pc3Rpby1hdXRoL3Rva2VuIiwiZXhwIjoxNTM2ODc4MTU3LCJpYXQiOjE1MzY4NzcyNTcsImp0aSI6IjQzZmI5ZTg0LWRhOWMtNDFmZS05NzczLTI4MDdjNGZhZGE1MSIsImNsaWVudF9pZCI6IkozZGQ4SW9qVThteEYxckkwaHZaQ0I1NnRweFlkR2tSIn0.G46FxAvMLpGMpxMUqS3Oh7eEQ1NjFSA3lIXum8ffg2kTn0vqp8KdKBia090FtKAQ9VjcaoaKrS17T1GIPXjNuuPHrl41hxrJd0TQMYS9oM2xCH-WQdgWornv7AQS1OwFa-oj-v6DCF-JBct8a3BT20Mg11EYJceLLevxef3MU0Q0A6RXSMq0-o9r-g6KpiUUa-4HIFYO0uAlbUacRxmxdUwMVeJgpJKWRkw7lzia_4HYqN_iTKGtqABmnQeqWTCZZU8QGFd_IqAbsNytIt_KEeZFPKpWaFIbXHrWAXUVksu2DRaBZkT0mRf7pDp5j1oU9YB871J17z4O7V00PfAw0w"| python -m json.tool