Merge branch 'develop'

Author: nmatsui

CHANGELOG.md

@@ -4,6 +4,11 @@
 * We will employ the example of "wirecloud" running on RoboticBase-core
 * We will employ the example of "kurento" running on RoboticBase-core
 
+## [0.4.2]
+### Changed
+* create the subdomains and routing rules of "kibana" and "grafana", and expose them to Internet.
+* update the `auth` component to be able to change the auth tokens dynamically.
+
 ## [0.4.1]
 ### Changed
 * update components and documents to adjust [FIWARE Release 7.6](https://github.com/FIWARE/catalogue/releases/tag/FIWARE_7.6)

README.md

@@ -1,6 +1,6 @@
 # RoboticBase example: Deploy robot programs on TurtleBot3
 
-This repository is example of "RoboticBase-core". The latest version (0.4.1) conforms to [FIWARE Release 7.6](https://github.com/FIWARE/catalogue/releases/tag/FIWARE_7.6).
+This repository is example of "RoboticBase-core". The latest version (0.4.2) conforms to [FIWARE Release 7.6](https://github.com/FIWARE/catalogue/releases/tag/FIWARE_7.6).
 
 ## Description
 "RoboticBase" is a robot management platform based on [FIWARE](http://www.fiware.org/) which enables you to manage and operate many kinds of robots and IoT devices as interactions of contexts.
@@ -28,7 +28,7 @@ For example, you can deploy a ROS program to the robot and access the raw data o
 |:--|:--|:--|
 |[kubernetes](https://kubernetes.io/)|Container Orchestration Platform|1.14.1|
 |[deployer](https://github.com/RoboticBase/mqtt-kube-operator)|MQTT client to deploy (or delete) a resource to its own Kubernetes|0.2.0|
-|[bridge](https://github.com/RoboticBase/fiware_ros_turtlebot3_bridge)|ROS package to act as a bridge FIWARE orion and ROS|0.2.2|
+|[bridge](https://github.com/RoboticBase/fiware_ros_bridge)|ROS package to act as a bridge FIWARE orion and ROS|0.2.2|
 |[operator](https://github.com/RoboticBase/fiware_ros_turtlebot3_operator)|ROS package to control turtlebot3 (simulator and physical robot)|0.2.1|
 
 ## An experiment to prove our concept
@@ -143,7 +143,7 @@ Please see this repository [ogcaizu/ogc-poc1](https://github.com/ogcaizu/ogc-poc
     * An android application for Xperia Hello! It connect to FIWARE using MQTT(S).
 
 ### ROS package
-* [RoboticBase/fiware_ros_turtlebot3_bridge](https://github.com/RoboticBase/fiware_ros_turtlebot3_bridge)
+* [RoboticBase/fiware_ros_bridge](https://github.com/RoboticBase/fiware_ros_bridge)
     * A [ROS](http://wiki.ros.org/) pakage witten by python2 in order to act as a bridge between FIWARE and ROS nodes.
     * When a MQTT message is received from a MQTT topic, this package create ROS message and publish a ROS message to a ROS topic.
     * At the opposite, when a ROS message is received from a ROS topic, this package publish a MQTT message to a MQTT topic.

controller/cmd-proxy-service.yaml

@@ -11,7 +11,7 @@ metadata:
       kind:  Mapping
       name:  controller-mapping
       prefix: /controller/
-      host: "^api\\..+$"
+      host: "^web\\..+$"
       host_regex: true
       service: http://cmd-proxy:8888
 spec:

controller/robot-visualization-service.yaml

@@ -11,7 +11,7 @@ metadata:
       kind:  Mapping
       name:  visualizer-mapping
       prefix: /visualizer/
-      host: "^api\\..+$"
+      host: "^web\\..+$"
       host_regex: true
       service: http://robot-visualization:8888
 spec:

docs/en-jupyter_notebook/azure_aks/01_start_pods.ipynb

@@ -4,7 +4,7 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "# 1 start pods on Azure AKS"
+    "# 1 start business logic pods on Azure AKS"
    ]
   },
   {
@@ -89,6 +89,266 @@
     "source ${PJ_ROOT}/docs/environments/azure_aks/env"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## add auth tokens for the web app of example-turtlebot3"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### create new `secrets/auth-tokens.json`"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "example)\n",
+    "```json\n",
+    "[\n",
+    "  {\n",
+    "    \"host\": \"api\\\\..+$\",\n",
+    "    \"settings\": {\n",
+    "      \"bearer_tokens\": [\n",
+    "        {\n",
+    "          \"token\": \"nrWtb8sS0MmwlkhHXv0DC6orPMpFFbni\",\n",
+    "          \"allowed_paths\": [\"^/orion/.*$\", \"^/idas/.*$\"]\n",
+    "        }\n",
+    "      ],\n",
+    "      \"basic_auths\": [],\n",
+    "      \"no_auths\": {}\n",
+    "    }\n",
+    "  },\n",
+    "  {\n",
+    "    \"host\": \"kibana\\\\..+$\",\n",
+    "    \"settings\": {\n",
+    "      \"bearer_tokens\": [],\n",
+    "      \"basic_auths\": [\n",
+    "        {\n",
+    "          \"username\": \"yW7FvSGD\",\n",
+    "          \"password\": \"6BoTFE5xfUlX3ssV\",\n",
+    "          \"allowed_paths\": [\"^.*$\"]\n",
+    "        }\n",
+    "      ],\n",
+    "      \"no_auths\": {\n",
+    "        \"allowed_paths\": []\n",
+    "      }\n",
+    "    }\n",
+    "  },\n",
+    "  {\n",
+    "    \"host\": \"grafana\\\\..+$\",\n",
+    "    \"settings\": {\n",
+    "      \"bearer_tokens\": [],\n",
+    "      \"basic_auths\": [],\n",
+    "      \"no_auths\": {\n",
+    "        \"allowed_paths\": [\"^.*$\"]\n",
+    "      }\n",
+    "    }\n",
+    "  },\n",
+    "  {\n",
+    "    \"host\": \"web\\\\..+$\",\n",
+    "    \"settings\": {\n",
+    "      \"bearer_tokens\": [\n",
+    "        {\n",
+    "          \"token\": \"Udgzdg6xMD5ymtQlInFHsM5UVD9OA2Wi\",\n",
+    "          \"allowed_paths\": [\n",
+    "            \"^/visualizer/positions/$\"\n",
+    "          ]\n",
+    "        }\n",
+    "      ],\n",
+    "      \"basic_auths\": [\n",
+    "        {\n",
+    "          \"username\": \"1JMF6D46\",\n",
+    "          \"password\": \"6u5M0bUhfjj7wMdM\",\n",
+    "          \"allowed_paths\": [\n",
+    "            \"/controller/web/\",\n",
+    "            \"/visualizer/locus/\"\n",
+    "          ]\n",
+    "        }\n",
+    "      ],\n",
+    "      \"no_auths\": {\n",
+    "        \"allowed_paths\": [\n",
+    "          \"^.*/static/.*$\"\n",
+    "        ]\n",
+    "      }\n",
+    "    }\n",
+    "  }\n",
+    "]\n",
+    "```"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### for macOS"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "cat ${CORE_ROOT}/secrets/auth-tokens.json | jq '.|=.+[{\n",
+    "  \"host\": \"web\\\\..+$\",\n",
+    "  \"settings\": {\n",
+    "    \"bearer_tokens\": [\n",
+    "      {\n",
+    "        \"token\": \"'$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | head -c 32)'\",\n",
+    "        \"allowed_paths\": [\"^/visualizer/positions/$\"]\n",
+    "      }\n",
+    "    ],\n",
+    "    \"basic_auths\": [\n",
+    "      {\n",
+    "        \"username\": \"'$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | head -c 8)'\",\n",
+    "        \"password\": \"'$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | head -c 16)'\",\n",
+    "        \"allowed_paths\": [\"/controller/web/\", \"/visualizer/locus/\"]\n",
+    "      }\n",
+    "    ],\n",
+    "    \"no_auths\": {\n",
+    "      \"allowed_paths\": [\"^.*/static/.*$\"]\n",
+    "    }\n",
+    "  }\n",
+    "}]' | tee /tmp/auth-tokens.json\n",
+    "mv ${CORE_ROOT}/secrets/auth-tokens.json ${CORE_ROOT}/secrets/auth-tokens.json.back\n",
+    "mv /tmp/auth-tokens.json ${CORE_ROOT}/secrets/auth-tokens.json"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### for Ubuntu"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "cat ${CORE_ROOT}/secrets/auth-tokens.json | jq '.|=.+[{\n",
+    "  \"host\": \"web\\\\..+$\",\n",
+    "  \"settings\": {\n",
+    "    \"bearer_tokens\": [\n",
+    "      {\n",
+    "        \"token\": \"'$(cat /dev/urandom 2>/dev/null | head -n 40 | tr -cd 'a-zA-Z0-9' | head -c 32)'\",\n",
+    "        \"allowed_paths\": [\"^/visualizer/positions/$\"]\n",
+    "      }\n",
+    "    ],\n",
+    "    \"basic_auths\": [\n",
+    "      {\n",
+    "        \"username\": \"'$(cat /dev/urandom 2>/dev/null | head -n 40 | tr -cd 'a-zA-Z0-9' | head -c 8)'\",\n",
+    "        \"password\": \"'$(cat /dev/urandom 2>/dev/null | head -n 40 | tr -cd 'a-zA-Z0-9' | head -c 16)'\",\n",
+    "        \"allowed_paths\": [\"/controller/web/\", \"/visualizer/locus/\"]\n",
+    "      }\n",
+    "    ],\n",
+    "    \"no_auths\": {\n",
+    "      \"allowed_paths\": [\"^.*/static/.*$\"]\n",
+    "    }\n",
+    "  }\n",
+    "}]' | tee /tmp/auth-tokens.json\n",
+    "mv ${CORE_ROOT}/secrets/auth-tokens.json ${CORE_ROOT}/secrets/auth-tokens.json.back\n",
+    "mv /tmp/auth-tokens.json ${CORE_ROOT}/secrets/auth-tokens.json"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## change the auth-tokens to kubernetes secrets"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### watch `auth` log"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "_Outside of this notebook_\n",
+    "1. open a ternminal.\n",
+    "1. run a command displayed below."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "echo \"kubectl logs -f -lapp=auth --all-containers=true\""
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### delete and re-register auth-tokens to kubernetes secrets"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "kubectl delete secret auth-tokens"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "kubectl create secret generic auth-tokens --from-file=${CORE_ROOT}/secrets/auth-tokens.json"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### confirm the token will be reloaded"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "**wait a few minutes until the change of secret is detected by Kubernetes.**  \n",
+    "When the new secret is detected, the tokens of auth will be reloaded automatically."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "log messages like below will be shown after tokens is reloaded.\n",
+    "\n",
+    "```\n",
+    "...\n",
+    "--------\n",
+    "2019/05/21 01:51:07 hosts: [api\\..+$ kibana\\..+$ grafana\\..+$ web\\..+$]\n",
+    "--------\n",
+    "2019/05/21 01:51:07 bearerTokenAllowedPaths: map[api\\..+$:map[XbZX1LpVv7DG9fu1X3WUq5kiqZyF34zI:[^/orion/.*$ ^/idas/.*$]] web\\..+$:map[Udgzdg6xMD5ymtQlInFHsM5UVD9OA2Wi:[^/visualizer/positions/$]]]\n",
+    "--------\n",
+    "2019/05/21 01:51:07 basicAuthPaths, map[kibana\\..+$:map[^.*$:map[1IGQBVF5:zRa2mxZVdBOyO6Zd]] web\\..+$:map[/controller/web/:map[1JMF6D46:6u5M0bUhfjj7wMdM] /visualizer/locus/:map[1JMF6D46:6u5M0bUhfjj7wMdM]]]\n",
+    "--------\n",
+    "2019/05/21 01:51:07 noAuthPaths, map[grafana\\..+$:[^.*$] web\\..+$:[^.*/static/.*$] api\\..+$:[] kibana\\..+$:[]]\n",
+    "--------\n",
+    "```"
+   ]
+  },
   {
    "cell_type": "markdown",
    "metadata": {},
@@ -180,7 +440,7 @@
    "source": [
     "export MONGODB_DATABASE=\"sth_${FIWARE_SERVICE}\"\n",
     "export MONGODB_COLLECTION=\"sth_${ROBOT_SERVICEPATH}_${ROBOT_ID}_${ROBOT_TYPE}\"\n",
-    "env BEARER_AUTH=$(cat ${CORE_ROOT}/secrets/auth-tokens.json | jq '.[0].settings.bearer_tokens | map(select(.allowed_paths[] | contains (\"^/visualizer/positions/$\"))) | .[0].token' -r) envsubst < controller/robot-visualization-deployment.yaml | kubectl apply -f -"
+    "env BEARER_AUTH=$(cat ${CORE_ROOT}/secrets/auth-tokens.json | jq '.[]|select(.host == \"web\\\\..+$\")|.settings.bearer_tokens | map(select(.allowed_paths[] | contains(\"^/visualizer/positions/$\"))) | .[0].token' -r) envsubst < controller/robot-visualization-deployment.yaml | kubectl apply -f -"
    ]
   },
   {
@@ -224,6 +484,23 @@
     "robot-visualization   ClusterIP   10.0.112.72   <none>        8888/TCP   13m\n",
     "```"
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### register DNS A Record for business logic"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "HTTPS_IPADDR=$(kubectl get services -l app=ambassador -o json | jq '.items[0].status.loadBalancer.ingress[0].ip' -r)\n",
+    "az network dns record-set a add-record --resource-group ${DNS_ZONE_RG} --zone-name \"${DOMAIN}\" --record-set-name \"web\" --ipv4-address \"${HTTPS_IPADDR}\""
+   ]
   }
  ],
  "metadata": {