CD2H gitForager

cloudfoundry/copilot

Name: copilot

Owner: Cloud Foundry

Description: Supplies data from Cloud Controller and Diego for consumption by Istio Pilot

Created: 2017-11-09 18:49:30.0

Updated: 2018-05-22 18:51:45.0

Pushed: 2018-05-22 18:51:44.0

Homepage:

Size: 309

Language: Go

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

Copilot

To help Istio Pilot work with Cloud Foundry

You probably want to deploy this using Istio Release.

Development

To get started:

clone https://github.com/cloudfoundry/copilot.git
opilot
et github.com/onsi/ginkgo/ginkgo
et github.com/golang/dep/cmd/dep
ensure

To run the tests:

go -r -p -race

To compile the server:

uild code.cloudfoundry.org/copilot/cmd/copilot-server

Using the Server

We are using a generic grpc client to interact with cloud controller grpc service (installation instructions below)

Setup GRPC Client

If you are developing locally, you can install grpcurl

et -u github.com/fullstorydev/grpcurl

If you are using a cloudfoundry

bosh ssh to the istio-control vm and sudo su
grpcurl is at /var/vcap/packages/grpcurl/bin/grpcurl
the certs you need are in /var/vcap/jobs/pilot-discovery/config/certs/

Push an App

ush ...

Find Diego Process GUID

Get the CAPI Process GUID:

The following example assumes the “web” process type, but you can replace that with another type if you know what you're doing.

rt CAPI_PROCESS_GUID=$(cf curl "/v3/apps/$(cf curl "/v3/apps" | jq -r '.resources[] | select(.name == "<app-name>") | .guid')/processes" | jq -r '.resources[] | select(.type == "web") | .guid')

Get the CAPI Process Version:

The CAPI Process GUID is not sufficient for routing. If you want to map/delete a route, you'll need the entire <capi-process-guid>-<version> concatenation (the “Diego Process GUID”):

rt APP_GUID=$(cf app <my-app> --guid) # to obtain the application guid
rt CAPI_PROCESS_VERSION=$(cf curl /v2/apps/$APP_GUID | jq -r .entity.version) # to obtain the version

Construct the Diego Process GUID

rt DIEGO_PROCESS_GUID="$CAPI_PROCESS_GUID-$CAPI_PROCESS_VERSION"

Get the Route Guid used by Cloud Controller

Given an existing route in cloud controller…

rt CAPI_ROUTE_GUID=$(cf curl /v2/routes | jq -r '.resources[] | select(.entity.host == "<hostname-of-existing-route>").metadata.guid')

As Cloud Controller, Add a Route

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"route": {"host": "example.com", "guid": "route-guid-a"}}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/UpsertRoute

As Cloud Controller, Map a Route

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"route_mapping": {"route_guid": "route-guid-a", "capi_process_guid": "capi_guid_1"}}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/MapRoute

As Cloud Controller, Associate a CAPI Process with a Diego Process

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"capi_diego_process_association": {"capi_process_guid": "capi_guid_1", "diego_process_guids": ["diego_guid_1"]}}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/UpsertCapiDiegoProcessAssociation

As Istio Pilot, List Routes

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
pilot.service.cf.internal:9000 \
i.IstioCopilot/Routes

As Cloud Controller, Delete an Association between a CAPI Process and a Diego Process

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"capi_process_guid": "capi_guid_1"}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/DeleteCapiDiegoProcessAssociation

As Cloud Controller, Unmap a Route

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"route_mapping": {"capi_process_guid": "capi_guid_1", "route_guid": "route-guid-a"}}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/UnmapRoute

As Cloud Controller, Delete a Route

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"guid": "route-guid-a"}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/DeleteRoute

As Cloud Controller, Bulk Sync Routes Between Cloud Controller and Istio

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
 '{"route_mappings": [{"route_guid": "route-guid-1", "capi_process_guid": "capi-guid-1"}, \
outes": [{"host": "example.org", "guid": "route-guid-1"}], \
api_diego_process_associations": [{"capi_process_guid": "capi-guid-1", "diego_process_guids": ["diego-guid-1", "diego-guid-2"]}]}' \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/BulkSync

The following endpoints are only used for debugging. They expose Copilot's internal state

List the CF Routes that Copilot knows about

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/ListCfRoutes

List the CF Route Mappings that Copilot knows about

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/ListCfRouteMappings

List the associations between CAPI Process GUIDs and Diego Process GUIDs that Copilot knows about

(running from /var/vcap/jobs/pilot-discovery/config/certs)

/vcap/packages/grpcurl/bin/grpcurl -cacert ./ca.crt \
ey ./client.key \
ert ./client.crt \
pilot.service.cf.internal:9001 \
i.CloudControllerCopilot/ListCapiDiegoProcessAssociations

Debugging

To open an ssh against a copilot running in a cloud foundry:

ssh -f -L 9000:$COPILOT_IP:9000 jumpbox@$(bbl jumpbox-address) -i $JUMPBOX_PRIVATE_KEY sleep 600 this will open a tunnel for 10 minutes
make sure that copilot.listen_address is 0.0.0.0:9000 and not 127.0.0.1:9000
open a hole in the jumpbox firewall rule (envname-jumpbox-to-all) to allow traffic on port 9000

Now you are ready to start your own pilot:

bosh scp -r istio:/var/vcap/jobs/pilot-discovery/config /tmp/config
check that the /tmp/config/cf_config.yml so the IP address matches your tunnel and the cert file paths point to /tmp/config
install dlv on your machine go get -u github.com/derekparker/delve/cmd/dlv
from istio: dlv debug ./pilot/cmd/pilot-discovery/main.go -- discovery --configDir=/dev/null --registries=CloudFoundry --cfConfig=/users/pivotal/downloads/config/cf_config.yml --meshConfig=/dev/null

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.