| # Istio-Apigee-Demo |
| This demo demostrate how Apigee works with Istio, how services deployed in Istio framework can make use of Apigee features like API key verification and Analytics. |
| |
| This is an unsupported project of Google. Feel free to submit issues and pull |
| requests, but do not expect formal support. |
| |
| ## Pre-requisites |
| |
| #### Kubernetes cluster with > 3 nodes |
| |
| You can use Google Container Engine to launch the Kubenertees Cluster - https://cloud.google.com/container-engine/ |
| |
| #### kubectl utility in your local machine |
| Find Instructions here - https://kubernetes.io/docs/tasks/tools/install-kubectl/ |
| |
| #### istioctl utility in your local machine |
| - Download the right istio release from here - https://github.com/istio/istio/releases |
| - Extract it and copy the istioctl binary from ```bin/istioctl``` to ```/usr/local/bin``` |
| - Make sure you can run ```istioctl --help``` |
| |
| #### Microgateway enable Apigee org |
| Contact Apigee Support |
| |
| ## Setup |
| |
| #### Point kubectl to your kubernetes cluster |
| Find instructions here - https://istio.io/docs/tasks/installing-istio.html#prerequisites |
| |
| #### Configuring Apigee parameters |
| You you need to provide parameters like like - **org_name**, **env**, **microgateway_key**, **microgateway_secret** for the mixer adapter to work with your org. |
| |
| - Install edgemicrogateway in your local machine |
| Find instructions here - http://docs.apigee.com/microgateway/latest/installing-edge-microgateway |
| - Generate key and secret so that edge can authenticate the apigee adapter. |
| Find instructions here - http://docs.apigee.com/microgateway/latest/setting-and-configuring-edge-microgateway#Part1 |
| |
| Go ahead and replace the respective values in the following file |
| ``` |
| config/testdata/configroot/scopes/global/adapters.yml |
| ``` |
| |
| Create kube secret for this file, which later get mount to istio mixer |
| ``` |
| kubectl create secret generic apigee-mixer-adapter --from-file=./config/testdata/configroot/scopes/global/adapters.yml |
| ``` |
| |
| #### Install Istio |
| |
| 1. Run the following command to determine if your cluster has RBAC (Role-Based Access Control) enabled: |
| ``` |
| kubectl api-versions | grep rbac |
| ``` |
| 2. If the command displays an error, or does not display anything, it means the cluster does not support RBAC, and you can skip the next 2 steps |
| |
| 3. If the command displays ‘beta’ version, or both ‘alpha’ and ‘beta’, please apply istio-rbac-beta.yaml configuration: |
| ``` |
| kubectl apply -f install/kubernetes/istio-rbac-beta.yaml |
| ``` |
| 4. If the command displays only ‘alpha’ version, please apply istio-rbac-alpha.yaml configuration: |
| ``` |
| kubectl apply -f install/kubernetes/istio-rbac-alpha.yaml |
| ``` |
| 5. Install Istio’s core components. |
| ``` |
| kubectl apply -f setup/istio.yaml |
| ``` |
| **NOTE** : In the mixer section of istio.yaml file use can see that we are using custom docker image(mixer:apigeev1) which contains apigee adapter |
| |
| This command will install Istio-Manager, Mixer with Apigee adapter, Ingress-Controller, Egress-Controller core components. |
| |
| |
| ## Demo |
| |
| For this demo we will use the simple httpbin application |
| |
| **Deploy App** |
| |
| Run the following commands to deploy httpbin application |
| ``` |
| source istio.VERSION |
| kubectl apply -f <(istioctl kube-inject -f demo/apps/httpbin/httpbin.yml) |
| ``` |
| |
| **Get IP of Ingress** |
| - Get the IP address of ingress to make calls to the deloyed application |
| ``` |
| kubectl get ingress -o wide |
| ``` |
| - If you don't find public IP from the above command, use the private IP of the ingress service and make sure you make calls from inside the kube network since you are using privateIP. You the following command to get private IP of ingress |
| ``` |
| kubectl get svc istio-ingress |
| ``` |
| ``` |
| export GATEWAY=<IP_of_Ingress> |
| ``` |
| |
| **Make calls before creating mixer rules** |
| ``` |
| curl $GATEWAY/get |
| ``` |
| you will see response code **200** |
| ``` |
| 200 |
| ``` |
| |
| **Creating mixer rules** |
| |
| Let's create mixer rules so that apigee adapter is triggerd on your API calls |
| Currently apigee adapter provides **APIkey verfification** and **Analytics** features. |
| |
| Run the following command to enable apigee for httpbin application. |
| ``` |
| istioctl mixer rule create global httpbin.default.svc.cluster.local -f config/rules.yml |
| ``` |
| |
| **Make calls after creating mixer rules** |
| ``` |
| curl -o /dev/null -s -w "%{http_code}\n" $GATEWAY/get |
| ``` |
| Now since APIkey verfication fails, you will see reponse code either **403** or **500** |
| ``` |
| 403 |
| ``` |
| Try with a wrong API key |
| ``` |
| curl -o /dev/null -s -w "%{http_code}\n" -H 'apikey: dsjcajcasbch' $GATEWAY/get |
| ``` |
| ``` |
| 403 |
| ``` |
| BTW **Analytics** is already being recorded for your **httpbin** service, you should be able to see failure API calls in the Apigee UI(might take 10 minutes to showup). |
| |
| You need to get the right API key from Apigee UI to be able to make successful calls. |
| |
| If you are familiar with Apigee following steps will make more sense to you |
| - Create a Apigee Product(```https://enterprise.apigee.com/platform/{org-name}/products```). This is how company expose their API to outside world |
| - Creata 2 Developers(```https://enterprise.apigee.com/platform/{org-name}/developers```). Developers can use the exposed APIs by creating Apigee App. |
| - Create 2 Apps(```https://enterprise.apigee.com/platform/{org-name}/app```). This will provission credentials to access the APIs. While creating the make sure you select the above created product and each developer. |
| |
| **NOTE** : Create 2 developers and 2 apps respectively so that we can see more intresting stuff in analytics. |
| |
| Now that you have credentails to make API calls, let's make some more calls. This time pass the Consumer Key of the App that yo just created as header parameter. |
| |
| ``` |
| curl -o /dev/null -s -w "%{http_code}\n" -H 'apikey: <ConsumerKey>' $GATEWAY/get |
| ``` |
| You should see response code 200 |
| ``` |
| 200 |
| ``` |
| |
| ## Analytics |
| |
| Let's dig more on **Analytics**, for the demo purpose make few more calls with API keys of both apps. |
| |
| **Let's check the API performance of your httpbin API (data might data 10 minutues to show up in UI)** |
| |
| Goto https://enterprise.apigee.com/platform/<org_name>/proxy-performance |
| |
| You should be able to something like below |
| |
|  |
| |
| The Proxy Performance dashboard helps you see API traffic patterns and processing times. You can easily visualize how much traffic your APIs generate and how long it takes for API calls to be processed, from the time they are received by Apigee Edge until they are returned to the client app. |
| |
| **Let's check developer engagement of your httpbin API (data might data 10 minutues to show up in UI)** |
| |
| Goto https://enterprise.apigee.com/platform/<org_name>/developer-engagement |
| |
| You should be able to something like below |
|  |
| |
| The Developer Engagement dashboard tells you which of your registered app developers are generating the most API traffic. For each of your developers, you can find out who is generating the most API traffic and the most errors. For example, if a particular developer's app is generating a lot of errors relative to other developers, you can pro-actively address the problem with that developer. |
| |
| Read more about developer engagement here - |
| |
| http://docs.apigee.com/analytics-services/content/partner-engagement-dashboard |
| |
| Read more about Apigee analytics here - |
| |
| https://apigee.com/about/products/apigee-edge-and-apis/edge-analytics-services |
| |
| ------------------------------------------------------------- |
