diff --git a/.travis.yml b/.travis.yml index c3ac23e3..204c4c39 100644 --- a/.travis.yml +++ b/.travis.yml @@ -21,6 +21,8 @@ stages: - 'Build, Upload and Publish (draft)' - 'Test github release assets' - 'Publish (real)' + - 'Readme-sync' + jobs: 
@@ -217,6 +219,55 @@ jobs: # how to use hub: https://hub.github.com/hub.1.html - hub release edit --draft=false -m "" ${TRAVIS_TAG} + - stage: 'Readme-sync' + name: 'run script if changes are detected in docs/' + cache: false + + # translation: if we're merging into a test branch... + if: type = push AND branch = docs-readme-sync + + language: node_js + install: + - mkdir $HOME/readme-sync2 && pushd $HOME/readme-sync2 && git init && git pull https://$CI_USER_TOKEN@github.com/optimizely/readme-sync2.git && popd + - source ~/.nvm/nvm.sh && cd $HOME/readme-sync2 && nvm install && npm install + + # this preps the input directory for readme-sync script in readme-sync2 + - mkdir -p $HOME/readme-sync2/docs-repo + - cd $HOME/readme-sync2/docs-repo/ + #now we clone our docs (inside another cloned repo: yuck); the docs dir is at: $HOME/readme-sync2/docs-repo/agent/docs/readme-sync/ + - git clone https://github.com/optimizely/agent + + + script: + # we need to be in $TRAVIS_BUILD_DIR in order to run the following git diff properly + - cd $TRAVIS_BUILD_DIR + - git diff --quiet $TRAVIS_COMMIT_RANGE -- docs/readme-sync || ( cd $HOME/readme-sync2 && npx ts-node sync/index.ts --apiKey $README_SYNC_API_KEY --version 4.0 --docs docs-repo/agent/docs/readme-sync/ ) + + + + + ######################################################################################### + # this commented out stuff is for enabling readme sync for all the SDK repos (authored by JC Tong) + ######################################################################################### + ## this preps the input directory for readme-sync script + #- mkdir -p $HOME/readme-sync2/docs/readme-sync/sdk-reference-guides + ## ${TRAVIS_REPO_SLUG#optimizely/} translates to go-sdk docs/readme-sync/sdk-reference-guides/go-sdk + #- ln -s $TRAVIS_BUILD_DIR/docs/readme-sync/sdk-reference-guides/${TRAVIS_REPO_SLUG#optimizely/} $HOME/readme-sync2/docs/readme-sync/sdk-reference-guides/${TRAVIS_REPO_SLUG#optimizely/} + + ## now we need 
to get all the other *-sdk repos too + ## + ## first we list all possible sdks and inside the for loop, remove the one we are updating + #- export ALL_SDK_REPOS="android-sdk csharp-sdk go-sdk java-sdk javascript-sdk objective-c-sdk python-sdk react-sdk ruby-sdk swift-sdk" + #- mkdir $HOME/sdks && pushd $HOME/sdks && for i in ${ALL_SDK_REPOS//${TRAVIS_REPO_SLUG#optimizely/}}; do git clone https://github.com/optimizely/$i; ( [ -d "$HOME/sdks/$i/docs/readme-sync/sdk-reference-guides/$i" ] && ln -s $HOME/sdks/$i/docs/readme-sync/sdk-reference-guides/$i $HOME/readme-sync2/docs/readme-sync/sdk-reference-guides/$i ) || true; done && popd + ## check our work + #- ls -al $HOME/sdks + #- ls -al $HOME/readme-sync2/docs/readme-sync/sdk-reference-guides + #script: + ## we need to be in $TRAVIS_BUILD_DIR in order to run the following git diff properly + #- cd $TRAVIS_BUILD_DIR + #- git diff --quiet $TRAVIS_COMMIT_RANGE -- docs/readme-sync || ( cd $HOME/readme-sync2 && npx ts-node sync/index.ts --apiKey $README_SYNC_API_KEY --version 4.0 --docs docs/readme-sync/ ) + + before_script: # https://github.com/travis-ci/gimme - eval "$(gimme)" diff --git a/docs/images/agent-example-implementation.png b/docs/images/agent-example-implementation.png new file mode 100644 index 00000000..cd533c3b Binary files /dev/null and b/docs/images/agent-example-implementation.png differ diff --git a/docs/images/agent-service-oriented-architecture.png b/docs/images/agent-service-oriented-architecture.png new file mode 100644 index 00000000..bbcea35b Binary files /dev/null and b/docs/images/agent-service-oriented-architecture.png differ diff --git a/docs/images/agent-single-service.png b/docs/images/agent-single-service.png new file mode 100644 index 00000000..fe06e2fe Binary files /dev/null and b/docs/images/agent-single-service.png differ 
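Review bot: The new 'Readme-sync' job exposes both of its secrets as process arguments: the `install` step embeds the token in the URL (`git pull https://$CI_USER_TOKEN@github.com/optimizely/readme-sync2.git`) and the `script` step passes `--apiKey $README_SYNC_API_KEY`, so either can surface in git error output or process listings if log masking misses it. Supply the token through a credential helper or `GIT_ASKPASS` instead of the URL, and drop `--apiKey` if `sync/index.ts` can read the key from the environment (not visible in this hunk). If the secrets are exported job-wide, as is usual on Travis, `npm install` also runs dependency lifecycle scripts with both in scope; `npm ci` against a committed lockfile would at least pin what executes. Separately, `git diff --quiet $TRAVIS_COMMIT_RANGE -- docs/readme-sync || ( ... )` runs the sync when `git diff` itself fails, not only when it finds changes, so test the exit code explicitly, e.g. `rc=0; git diff --quiet $TRAVIS_COMMIT_RANGE -- docs/readme-sync || rc=$?` followed by `if [ "$rc" -eq 1 ]; then ( ... ); fi`. Note too that the sync reads `docs-repo/agent/docs/readme-sync/` from a fresh `git clone https://github.com/optimizely/agent`, so it publishes the default branch's docs rather than the commit under `$TRAVIS_BUILD_DIR` that triggered it.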
diff --git a/docs/images/agent-standardized-access.png b/docs/images/agent-standardized-access.png new file mode 100644 index 00000000..7b155bdc Binary files /dev/null and b/docs/images/agent-standardized-access.png differ diff --git a/docs/readme-sync/deploy-as-a-microservice/010 - optimizely-agent.md b/docs/readme-sync/deploy-as-a-microservice/010 - optimizely-agent.md new file mode 100644 index 00000000..f4a4c4e8 --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/010 - optimizely-agent.md 
@@ -0,0 +1,76 @@ +--- +title: "Optimizely Agent" +excerpt: "" +slug: "optimizely-agent" +hidden: false +metadata: + title: "Optimizely Agent microservice - Optimizely Full Stack" +createdAt: "2020-02-21T20:35:58.387Z" +updatedAt: "2020-04-01T20:51:52.458Z" +--- +TEST COMMIT FOR TRAVIS BUILD 6/30 4:10 pm MST +Optimizely Agent is a stand-alone, open-source, and highly available microservice that provides major benefits over using Optimizely SDKs in certain use cases. The Agent [REST API](https://optimizely.github.io/docs/api/agent/) offers consolidated and simplified endpoints for accessing all the functionality of Optimizely Full Stack SDKs. + +A typical production installation of Optimizely Agent is to run two or more services behind a load balancer or proxy. The service itself can be run via a Docker container or installed from source. See [Setup Optimizely Agent](doc:setup-optimizely-agent) for instructions on how to run Optimizely Agent. + +### Example Implementation +![example implementation](https://raw.githubusercontent.com/optimizely/agent/master/docs/images/agent-example-implementation.png) +# Should I Use Optimizely Agent? + +Here are some of the top reasons to consider using Optimizely Agent: + +## 1. Service Oriented Architecture (SOA) +If you already separate some of your logic into services that might need to access the Optimizely decision APIs, we recommend using Optimizely Agent. + +The images below compare implementation styles in a service-oriented architecture, first *without* using Optimizely Agent, which shows six SDK embedded instances: + +!["A diagram showing the use of SDKs installed on each service in a service oriented architecture \n(Click to Enlarge)"](https://raw.githubusercontent.com/optimizely/agent/master/docs/images/agent-service-oriented-architecture.png) + +Now *with* Agent, instead of installing the SDK six times, you create just one Optimizely instance: an HTTP API that every service can access as needed. 
+ +!["A diagram showing the use of Optimizely Agent in a single service \n(Click to Enlarge)"](https://raw.githubusercontent.com/optimizely/agent/master/docs/images/agent-single-service.png) + +## 2. Standardize Access Across Teams +If you want to deploy Optimizely Full Stack once, then roll out the single implementation across a large number of teams, we recommend using Optimizely Agent. + +By standardizing your teams' access to the Optimizely service, you can better enforce processes and implement governance around feature management and experimentation as a practice. + +!["A diagram showing the central and standardized access to the Optimizely Agent service across an arbitrary number of teams.\n(Click to Enlarge)"](https://raw.githubusercontent.com/optimizely/agent/master/docs/images/agent-standardized-access.png) + +## 3. Networking Centralization +You don’t want many SDK instances connecting to Optimizely's cloud service from every node in your application. Optimizely Agent centralizes your network connection. Only one cluster of agent instances connects to Optimizely for tasks like update [datafiles](doc:get-the-datafile) and dispatch [events](doc:track-events). + +## 4. Languages +You’re using a language that isn’t supported by a native SDK (i.e. Elixir, Scala, Perl). While its possible to create your own service using an Optimizely SDK of your choice, you could also customize the open-source Optimizely Agent to your needs without building the service layer on your own. + + +# Reasons to *not* use Optimizely Agent +If your use case wouldn't benefit greatly from Optimizely Agent, you should consider the below reasons to *not* use Optimizely Agent and review Optimizely's many [open-source SDKs](doc:sdk-reference-guides) instead. + +## 1. Latency +If time to provide bucketing decisions is a primary concern for you, you may want to use an embedded Full Stack SDK rather than Optimizely Agent. 
+| Implementation Option | Decision Latency | +|-----------------------|------------------| +| Embedded SDK | microseconds | +| Optimizely Agent | milliseconds | +## 2. Monolith +If your app is constructed as a monolith, embedded SDKs might be easier to install and might be a more natural fit for your application and development practices. + +## 3. Velocity +If you’re looking for the fastest way to get a single team up and running with deploying feature management and experimentation, embedding an SDK is the best option for you at first. You can always start using Optimizely Agent later, and it can even be used alongside Optimizely Full Stack SDKs running in another part of your stack. + +# Best Practices +While every implementation is different, you can review this section of best practices for tips on these commonly discussed topics. + + +## How many Agent instances should I deploy? +Agent can scale to large decision / event tracking volumes with relatively low CPU / memory specs. For example, at Optimizely, we scaled our deployment to 740 clients with a cluster of 12 agent instances, which in total use 6 vCPUs and 12GB RAM. You will likely need to focus more on network bandwidth than compute power. + +## Using a load balancer +Any standard load balancer should let you route traffic across your agent cluster. At Optimizely, we used an AWS Elastic Load Balancer (ELB) for our internal deployment. This allows us to transparently scale our agent cluster as internal demands increase. + +## Synchronizing datafiles across Agent instances +Agent offers eventual rather than strong consistency across datafiles. +In detail, today, each agent instance maintains a dedicated, separate cache. Each agent instance persists an SDK instance for each SDK key your team uses. Agent instances automatically keep datafiles up to date for each SDK key instance so that you will have eventual consistency across the cluster. 
The rate of the datafile update can be [set as the configuration](doc:configure-optimizely-agent) value ```OPTIMIZELY_CLIENT_POLLINGINTERVAL``` (the default is 1 minute). +Because SDKs are generally stateless today, they shouldn’t need to share data. We plan to add a common backing data store, so we invite you to share your feedback. +If you require strong consistency across datafiles, then we recommend an active / passive deployment where all requests are made to a single vertically scaled host, with a passive, standby cluster available for high availability. \ No newline at end of file diff --git a/docs/readme-sync/deploy-as-a-microservice/020 - setup-optimizely-agent.md b/docs/readme-sync/deploy-as-a-microservice/020 - setup-optimizely-agent.md new file mode 100644 index 00000000..4b7a58fc --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/020 - setup-optimizely-agent.md 
@@ -0,0 +1,75 @@ +--- +title: "Set up Optimizely Agent" +excerpt: "" +slug: "setup-optimizely-agent" +hidden: false +metadata: + title: "Getting started with Agent - Optimizely Full Stack" +createdAt: "2020-02-21T17:44:27.363Z" +updatedAt: "2020-03-31T23:54:17.841Z" +--- +## Running Agent from source (Linux / OSX) + +To develop and compile Optimizely Agent from source: + +1. Install [Golang](https://golang.org/dl/) version 1.13+ . +2. Clone the [Optimizely Agent repo](https://github.com/optimizely/agent). +3. From the repo directory, open a terminal and start Optimizely Agent: + +```bash +make setup +``` +Then +```bash +make run +``` + +This starts the Optimizely Agent with the default configuration in the foreground. + +## Running Agent from source (Windows) + +You can use a [helper script](https://github.com/optimizely/agent/blob/master/scripts/build.ps1) to install prerequisites (Golang, Git) and compile agent in a Windows environment. Take these steps: + +1. Clone the [Optimizely Agent repo](https://github.com/optimizely/agent) +2. From the repo directory, open a Powershell terminal and run + +```bash +Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser + +.\scripts\build.ps1 + +.\bin\optimizely.exe +``` + +## Running Agent via Docker + +If you have Docker installed, you can start Optimizely Agent as a container. Take these steps: + +1. Pull the Docker image: + +```bash +docker pull optimizely/agent +``` +By default this will pull the "latest" tag. You can also specify a specific version of Agent by providing the version as a tag to the docker command: + +```bash +docker pull optimizely/agent:X.Y.Z +``` + +2. Run the docker container with: + +```bash +docker run -p 8080:8080 optimizely/agent +``` +This will start Agent in the foreground and expose the container API port 8080 to the host. + +3. (Optional) You can alter the configuration by passing in environment variables to the preceding command, without having to create a config.yaml file. 
See [configure optimizely agent](doc:configure-optimizely-agent) for more options. + +Versioning: +When a new version is released, 2 images are pushed to dockerhub. They are distinguished by their tags: +- :latest (same as :X.Y.Z) +- :alpine (same as :X.Y.Z-alpine) + +The difference between latest and alpine is that latest is built `FROM scratch` while alpine is `FROM alpine`. +- [latest Dockerfile](https://github.com/optimizely/agent/blob/master/scripts/dockerfiles/Dockerfile.static) +- [alpine Dockerfile](https://github.com/optimizely/agent/blob/master/scripts/dockerfiles/Dockerfile.alpine) \ No newline at end of file diff --git a/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/010 - evaluate-rest-apis.md b/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/010 - evaluate-rest-apis.md new file mode 100644 index 00000000..fe00ee82 --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/010 - evaluate-rest-apis.md 
@@ -0,0 +1,59 @@ +--- +title: "Evaluate REST APIs" +excerpt: "" +slug: "evaluate-rest-apis" +hidden: false +metadata: + title: "Evaluate REST APIs - Optimizely Full Stack" +createdAt: "2020-02-21T17:44:53.019Z" +updatedAt: "2020-04-13T23:02:34.056Z" +--- +Below is an example demonstrating the APIs capabilities. For brevity, we've chosen to illustrate the API usage with Python. Note that the API documentation is defined via an OpenAPI (Swagger) spec and can be viewed [here](https://optimizely.github.io/docs/api/agent/). + +## Start an http session +Each request made into Optimizely Agent is in the context of an Optimizely SDK Key. SDK Keys map API requests to a specific Optimizely Project and Environment. We can setup a global request header by using the `requests.Session` object. + + +```python +import requests + +s = requests.Session() +s.headers.update({'X-Optimizely-SDK-Key': 'YOUR-SDK-KEY'}) +``` +The following examples will assume this session is being maintained. + +## Get current environment configuration +The `/v1/config` endpoint returns a manifest of the current working environment. + +```python +resp = s.get('http://localhost:8080/v1/config') +env = resp.json() + +for key in env['featuresMap']: + print(key) +``` + +## Activate Feature +The `/v1/activate?featureKey={key}` endpoint activates the feature for a given user. In Optimizely, activation is in the context of a given user to make the relative bucketing decision. In this case we'll provide a `userId` via the request body. The `userId` will be used to determine how the feature will be evaluated. Features can either be part of a Feature Test in which variations of feature variables are being measured against one another or a feature rollout, which progressively make the feature available to the selected audience. + +From an API standpoint the presence of a Feature Test or Rollout is abstracted away from the response and only the resulting variation or enabled feature is returned. 
+ + +```python +# single feature activate +params = { "featureKey": "my-feature" } +payload = { "userId": "test-user" } +resp = s.post(url = 'http://localhost:8080/v1/activate', params=params, json=payload) + +print(resp.json()) + + +# multiple (bulk) feature activate +params = { + "featureKey": [key for key in env['featuresMap']], + "experimentKey": [key for key in env['experimentsMap']] +} +resp2 = s.post(url = 'http://localhost:8080/v1/activate', params=params, json=payload) +print(json.dumps(resp.json(), indent=4, sort_keys=True)) +``` +The activate API is a POST to signal to the caller that there are side-effects. Namely, activation results in a "decision" event sent to Optimizely analytics for the purpose of analyzing Feature Test results. A "decision" will NOT be sent if the feature is simply part of a rollout. \ No newline at end of file diff --git a/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/020 - admin-api.md b/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/020 - admin-api.md new file mode 100644 index 00000000..9aefdfba --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/020 - admin-api.md 
@@ -0,0 +1,89 @@ +--- +title: "Admin API" +excerpt: "" +slug: "admin-api" +hidden: false +metadata: + title: "Admin APIs - Optimizely Full Stack" +createdAt: "2020-02-21T17:44:28.054Z" +updatedAt: "2020-02-21T23:09:19.274Z" +--- +The Admin API provides system information about the running process. This can be used to check the availability of the service, runtime information and operational metrics. By default the admin listener is configured on port 8088. + +## Info + +The `/info` endpoint provides basic information about the Optimizely Agent instance. + +Example Request: +```bash +curl localhost:8088/info +``` + +Example Response: +```json +{ + "version": "v0.10.0", + "author": "Optimizely Inc.", + "app_name": "optimizely" +} +``` + +## Health Check + +The `/health` endpoint is used to determine service availability. + +Example Request: +```bash +curl localhost:8088/health +``` + +Example Response: +```json +{ + "status": "ok" +} +``` + +Agent will return a HTTP 200 - OK response if and only if all configured listeners are open and all external dependent services can be reached. +A non-healthy service will return a HTTP 503 - Unavailable response with a descriptive message to help diagnose the issue. + +This endpoint can used when placing Agent behind a load balancer to indicate whether a particular instance can receive inbound requests. + +## Metrics + +The `/metrics` endpoint exposes telemetry data of the running Optimizely Agent. The core runtime metrics are exposed via the go expvar package. Documentation for the various statistics can be found as part of the [mstats](https://golang.org/src/runtime/mstats.go) package. + +Example Request: +```bash +curl localhost:8088/metrics +``` + +Example Response: +```json +{ + "cmdline": [ + "bin/optimizely" + ], + "memstats": { + "Alloc": 924136, + "TotalAlloc": 924136, + "Sys": 71893240, + "Lookups": 0, + "Mallocs": 4726, + "HeapAlloc": 924136, + ... + "Frees": 172 + }, + ... 
+} +``` +Custom metrics are also provided for the individual service endpoints and follow the pattern of: + +```bash +"timers..counts": 0, +"timers..responseTime": 0, +"timers..responseTimeHist.p50": 0, +"timers..responseTimeHist.p90": 0, +"timers..responseTimeHist.p95": 0, +"timers..responseTimeHist.p99": 0, +``` \ No newline at end of file diff --git a/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/index.md b/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/index.md new file mode 100644 index 00000000..8c879f5a --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/030 - use-optimizely-agent/index.md 
@@ -0,0 +1,69 @@ +--- +title: "Use Optimizely Agent" +excerpt: "" +slug: "use-optimizely-agent" +hidden: false +metadata: + title: "How to use Optimizely Agent - Optimizely Full Stack" +createdAt: "2020-02-21T17:44:28.054Z" +updatedAt: "2020-04-08T21:26:30.308Z" +--- +Optimizely Agent provides [APIs](https://optimizely.github.io/docs/api/agent/) that enable experimentation and feature management. Agent provides equivalent functionality to all our SDKs. At its core is the [Optimizely Go SDK](doc:go-sdk). In some cases, however, we’ve updated our APIs to simplify key use cases. + +### Manage features + Optimizely Agent simplifies the core feature management of our [SDK APIs](doc:sdk-reference-guides). It consolidates the following endpoints: + +- [isFeatureEnabled](doc:is-feature-enabled-go) +- [getFeatureVariableBoolean](doc:get-feature-variable-go#section-boolean) +- [getFeatureVariableDouble](doc:get-feature-variable-go#section-double) +- [getFeatureVariableInteger](doc:get-feature-variable-go#section-integer) +- [getFeatureVariableString](doc:get-feature-variable-go#section-string) + +... into one, convenient endpoint: + +`POST /v1/activate?featureKey={featureKey}` + +This [endpoint](https://optimizely.github.io/docs/api/agent/#operation/activate) returns: + +- the decision for this feature for this user +- any corresponding feature variable values. + +For example: +```json +{ + "featureKey": "feature-key-1", + "enabled": true, + "variables": { + "my-var-1": "cust-val-1", + "my-var-2": "cust-va1-2" + } +} +``` +The response is determined by the [feature tests](doc:run-feature-tests) and [feature rollouts](doc:use-feature-flags) defined for the supplied feature key, following the same rules as any Full Stack SDK. + +Note: If the user is assigned to a feature test, this API will dispatch an impression. 
+ +### Authentication +To authenticate, [pass your SDK key](https://docs.developers.optimizely.com/full-stack/docs/evaluate-rest-apis#section-start-an-http-session) as a header named ```X-Optimizely-SDK-Key``` in your API calls to Optimizely Agent. You can find your SDK key in app.optimizely.com under Settings > Environments > SDK Key. Remember you have a different SDK key for each environment. + +### Running A/B Tests +To activate an A/B test, use: + +`POST /v1/activate?experimentKey={experimentKey}` + +This dispatches an impression and return the user’s assigned variation: +```json +{ + "experimentKey": "experiment-key-1", + "variationKey": "variation-key-1" +} +``` + +### Tracking Conversions +To track events, use the same [tracking endpoint](https://optimizely.github.io/docs/api/agent/#operation/trackEvent) you use in the [SDKs' track API](doc:track-javascript): + +`POST /v1/track?eventKey={eventKey}` + +There is no response body for successful conversion event requests. +### API Reference + For more details on Optimizely Agent’s APIs, see the [complete API Reference](https://optimizely.github.io/docs/api/agent/). \ No newline at end of file diff --git a/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/010 -authorization.md b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/010 -authorization.md new file mode 100644 index 00000000..df731365 --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/010 -authorization.md 
@@ -0,0 +1,188 @@ +--- +title: "Authorization" +excerpt: "" +slug: "authorization" +hidden: false +metadata: + title: "Agent Authorization - Optimizely Full Stack" +createdAt: "2020-03-11T20:58:11.777Z" +updatedAt: "2020-03-31T19:44:52.119Z" +--- +Optimizely Agent supports authorization workflows based on OAuth and JWT standards, allowing you to protect access to its API and Admin interfaces. + +There are three modes of operation: + +## 1. Issuer & Validator +Access tokens are issued by Agent itself, using a [Client Credentials grant](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/). Access tokens are signed and validated using the HS256 algorithm with a signing secret provided in configuration. Clients request access tokens by sending a `POST` request to `/oauth/token` on the port of the desired interface (by default, `8080` for the API interface, and `8088` for the Admin interface), including a client ID and secret in the request. + + +Issuer & Validator mode is useful if you want to implement authorization, and you are not already running an authorization server that can issue JWTs. + +## 2. Validator-only +Agent validates access tokens that were issued elsewhere. Access tokens are validated with public keys fetched from a [JWKS](https://tools.ietf.org/html/rfc7517) URL provided in configuration. + +Validator-only mode is useful if you want to plug directly into an existing JWT-based workflow already being used in your system or organization. + +## 3. No authorization (default) +The interface is publicly available. + +# Configuration +- The API and Admin interfaces are each independently configured to run in one of the above-mentioned modes of operation. +- Authorization configuration is located under the `auth` key +- Each mode of operation has its own set of configuration properties, described below. 
+ +## Issuer & Validator +The configuration properties pertaining to Issuer & Validator mode are listed below: + +|Property Name|Environment Variable|Description| +|---|---|---| +|ttl|TTL|Time-to-live of access tokens issued| +|hmacSecrets|HMACSECRETS|Array of secrets used to sign & validate access tokens, using the HMAC SHA256 algorithm. Values must be base64-format strings. The first value in the array is used to sign issued access tokens. Access tokens signed with any value in the array are considered valid.| +|clients|N/A|Array of objects, used for token issuance, consisting of `id`, `secretHash`, and `sdkKeys`. Clients provide ID and secret in their requests to `/oauth/token`. Agent validates the request credentials by checking for an exact match of ID, checking that the BCrypt hash of the request secret matches the `secretHash` from configuration, and that the SDK key provided in the `X-Optimizely-Sdk-Key` request header exists in the `sdkKeys` from configuration. `secretHash` values must be base64-format strings.| + +To make setup easier, Agent provides a command-line tool that can generate base64-encoded 32-byte random values, and their associated base64-encoded BCrypt hashes: + +```shell +// From the Agent root directory +> make generate_secret +Client Secret: i3SrdrCy/wEGqggv9OI4FgIsdHHNpOacrmIMJ6SFIkE= +Client Secret's hash: JDJhJDEyJERGNzhjRXVTNTdOQUZ3cndxTkZ6Li5XQURlazU2R21YeFZjb1pWSkN5eGZ1SXM4VXRLb0ZD +``` +Use the hash value to configure Agent, and pass the secret value as `client_secret` when making access token requests to `/oauth/token`. For details of the access token issuance endpoint, see the OpenAPI spec file. 
+ +## Validator-only +The configuration properties pertaining to Validator-only mode are listed below: + +|Property Name|Environment Variable|Description| +|---|---|---| +|jwksURL|JWKSURL|URL from which public keys should be fetched for token validation| +|jwksUpdateInterval|JWKSUPDATEINTERVAL|Interval on which public keys should be re-fetched (example: `30m` for 30 minutes)| + +## No authorization (default) +The API & Admin interfaces run with no authorization when no `auth` configuration is given. + +## Configuration examples +Optimizely Agent uses the [Viper](https://github.com/spf13/viper) library for configuration, which allows setting values via environment variables, flags, and YAML configuration files. +### Issuer & Validator +_*WARNING*_: For security, we advise that you configure `hmacSecrets` with either an environment variable or a flag, and NOT through a config file. + +In the below example, the Admin interface is configured in Issuer & Validator mode, with `hmacSecrets` provided via environment variable, and other values provided via YAML config file. +```shell +// Comma-separated value, to set multiple hmacSecrets. +// Access tokens are signed with the first value. +// Access tokens are valid when they are signed with either of these values. 
+export OPTIMIZELY_ADMIN_HMACSECRETS=QPtUGP/RqaXRltZf1QE1KxlF2Iuo09J0buZ3UNKeIr0,bkZAqSsZuM5NSnwEyO9Pzb6F8gGNu1BBuX/SpPaMeyM +``` + +```yaml +admin: + auth: + # Access tokens will expire after 30 minutes + ttl: 30m + clients: + # Either of these two id/secret pairs can be exchanged for access tokens + - id: agentConsumer1 + secretHash: XgZTeTvWaZ6fLiey6EBSOxJ2QFdd6dIiUcZGDIIJ+IY + sdkKeys: + # These credentials can be exchanged for tokens granting access to these two SDK keys + - abcd1234 + - efgh5678 + - id: agentConsumer2 + secretHash: ssz0EEViKIinkFXxzqncKxz+6VygEc2d2rKf+la5rXM + sdkKeys: + # These credentials can be exchanged for tokens granting access only to this one SDK key + - ijkl9012 +``` + +### Validator-only +```yaml +# In this example, the API interface is configured in Validator-only mode +api: + auth: + # Signing keys will be fetched from this url and used when validating access tokens + jwksURL: https://YOUR_DOMAIN/.well-known/jwks.json + # Siging keys will be periodically fetched on this interval + jwksUpdateInterval: 30m +``` + +# Secret Rotation (Issuer & Validator mode) +To support secret rotation, both `hmacSecrets` and `clients` support setting multiple values. In `hmacSecrets`, the first value will be +used to sign issued tokens, but tokens signed with any of the values will be considered valid. + +# Example (Python) +Example requests demonstrating the Issuer & Validator mode: +```python +#!/usr/bin/python + +import json +import requests +import sys + +# This example demonstrates interacting with Agent running in Issuer & Validator mode. +# We obtain an access token and use it to request the current Optimizely Config +# from the API interface. + +# Fist, we need a secret value to sign access tokens. +# You can use the generate_secret tool included with Agent to generate this: + +# > make generate_secret +# Client Secret: CvzvkWm3V1D9RBxPWEjC+ud9zvwcOvnnLkWaIkzDGyA= + +# You can ignore the second line that says "Client Secret's hash". 
+ +# Then, set an environment variable to make this secret available to Agent: +# > export OPTIMIZELY_API_AUTH_HMACSECRETS=CvzvkWm3V1D9RBxPWEjC+ud9zvwcOvnnLkWaIkzDGyA= + +# Next, we need client credentials (ID & secret), and the BCrypt hash of our secret +# Again, you can use the generate_secret tool included with Agent to generate these: +# +# > make generate_secret +# Client Secret: 0bfLVX9U3Lpr6Qe4X3DSSIWNqEkEQ4bkX1WZ5Km6spM= +# Client Secret's hash: JDJhJDEyJEdkSHpicHpRODBqOC9FQzRneGIyNXU0ZFVPMFNKcUhkdTRUQXRzWUJOdjRzRmcuVGdFUTUu +# +# Take the hash, and add it to your agent configuration file (default: config.yaml) under the "api" section, +# along with your desired client ID and SDK key: +# +# auth: +# ttl: 30m +# clients: +# - id: clientid1 +# secretHash: JDJhJDEyJEdkSHpicHpRODBqOC9FQzRneGIyNXU0ZFVPMFNKcUhkdTRUQXRzWUJOdjRzRmcuVGdFUTUu +# sdkKeys: +# - + +# +# Start Agent with the API interface running on the default port (8080). +# Then, finally, run the example, passing your SDK key, client ID and secret: +# > python auth.py clientid1 0bfLVX9U3Lpr6Qe4X3DSSIWNqEkEQ4bkX1WZ5Km6spM= +# +# For more information, see docs/auth.md + +if len(sys.argv) < 4: + sys.exit('Requires three arguments: ') + +sdk_key = sys.argv[1] +client_id = sys.argv[2] +client_secret = sys.argv[3] + +s = requests.Session() +s.headers.update({'X-Optimizely-SDK-Key': sdk_key}) + +resp = s.get('http://localhost:8080/v1/config') +print('first config request, not including access token: response status = {}'.format(resp.status_code)) + +resp = s.post('http://localhost:8080/oauth/token', data={ + 'grant_type': 'client_credentials', + 'client_id': client_id, + 'client_secret': client_secret, +}) +resp_dict = resp.json() +print('access token response: ') +print(json.dumps(resp_dict, indent=4, sort_keys=True)) + +s.headers.update({'Authorization': 'Bearer {}'.format(resp_dict['access_token'])}) + +resp = s.get('http://localhost:8080/v1/config') +print('config response after passing access token: ') 
+print(json.dumps(resp.json(), indent=4, sort_keys=True)) +``` \ No newline at end of file diff --git a/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/020 - webhooks-agent.md b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/020 - webhooks-agent.md new file mode 100644 index 00000000..c31b48ed --- /dev/null +++ b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/020 - webhooks-agent.md 
@@ -0,0 +1,37 @@
+---
+title: "Webhooks"
+excerpt: ""
+slug: "webhooks-agent"
+hidden: false
+metadata:
+ title: "Agent microservice webhooks - Optimizely Full Stack"
+createdAt: "2020-02-21T17:44:26.981Z"
+updatedAt: "2020-05-05T17:03:48.045Z"
+---
+Optimizely Agent implements a webhook listener used to receive inbound [Webhook](doc:configure-webhooks) requests from optimizely.com. These webhooks enable PUSH style notifications triggering immediate project configuration updates.
+The webhook listener is configured on its own port (default: 8085) since it can be configured to select traffic from the internet.
+
+To accept webhook requests Agent must be configured by mapping an Optimizely Project Id to a set of SDK keys along
+with the associated secret used for validating the inbound request. An example webhook configuration can be seen below, while the full example configuration can be found in the the provided [config.yaml](https://github.com/optimizely/agent/blob/master/config.yaml#L58).
+
+```yaml
+##
+## webhook service receives update notifications to your Optimizely project. Receipt of the webhook will
+## trigger an immediate download of the datafile from the CDN
+##
+webhook:
+ ## http listener port
+ port: "8089"
+# ## a map of Optimizely Projects to one or more SDK keys
+# projects:
+# ## : Optimizely project id as an integer
+# :
+# ## sdkKeys: a list of SDKs linked to this project
+# sdkKeys:
+# -
+# -
+# ## secret: webhook secret used the validate the notification
+# secret:
+# ## skipSignatureCheck: override the signature check (not recommended for production)
+# skipSignatureCheck: true
+```
\ No newline at end of file
diff --git a/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/030 - docker-configurations.md b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/030 - docker-configurations.md
new file mode 100644
index 00000000..fa5b3605
--- /dev/null
+++ b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/030 - docker-configurations.md
@@ -0,0 +1,9 @@
+---
+title: "Docker Configurations"
+excerpt: ""
+slug: "docker-configurations"
+hidden: true
+createdAt: "2020-03-13T18:37:48.448Z"
+updatedAt: "2020-03-13T18:37:48.448Z"
+---
+Stub page for further info on how to configure docker?
\ No newline at end of file
diff --git a/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/index.md b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/index.md
new file mode 100644
index 00000000..7deb1db8
--- /dev/null
+++ b/docs/readme-sync/deploy-as-a-microservice/040 - configure-optimizely-agent/index.md
@@ -0,0 +1,56 @@
+---
+title: "Configure Optimizely Agent"
+excerpt: ""
+slug: "configure-optimizely-agent"
+hidden: false
+metadata:
+ title: "Configure Agent microservice - Optimizely Full Stack"
+createdAt: "2020-02-21T17:44:27.173Z"
+updatedAt: "2020-04-08T21:42:08.698Z"
+---
+By default Optimizely Agent uses the configuration file in the current active directory, e.g., `./config.yaml`. You can override the [default configuration](https://github.com/optimizely/agent/blob/master/config.yaml) by providing a yaml configuration file at runtime.
+
+You can specify alternative configuration locations at runtime via an environment variable or command line flag:
+
+```bash
+OPTIMIZELY_CONFIG_FILENAME=config.yaml make run
+```
+
+
+Below is a comprehensive list of available configuration properties.
+
+|Property Name|Env Variable|Description|
+|---|---|---|
+|admin.auth.clients|N/A|Credentials for requesting access tokens. See: [Authorization Guide](doc:authorization)|
+|admin.auth.jwksURL|OPTIMIZELY_ADMIN_AUTH_JWKSURL|JWKS URL for validating access tokens. See: [Authorization Guide](doc:authorization)|
+|admin.auth.jwksUpdateInterval|OPTIMIZELY_ADMIN_AUTH_JWKSUPDATEINTERVAL|JWKS Update Interval for caching the keys in the background. See: [Authorization Guide](doc:authorization)|
+|admin.auth.hmacSecrets|OPTIMIZELY_ADMIN_AUTH_HMACSECRETS|Signing secret for issued access tokens. See: [Authorization Guide](doc:authorization)|
+|admin.auth.ttl|OPTIMIZELY_ADMIN_AUTH_TTL|Time-to-live of issued access tokens. See: [Authorization Guide](doc:authorization)|
+|admin.port|OPTIMIZELY_ADMIN_PORT|Admin listener port. Default: 8088|
+|api.auth.clients|N/A|Credentials for requesting access tokens. See: [Authorization Guide](doc:authorization)|
+|api.auth.hmacSecrets|OPTIMIZELY_API_AUTH_HMACSECRETS|Signing secret for issued access tokens. See: [Authorization Guide](doc:authorization)|
+|api.auth.jwksURL|OPTIMIZELY_API_AUTH_JWKSURL|JWKS URL for validating access tokens.
See: [Authorization Guide](doc:authorization)|
+|api.auth.jwksUpdateInterval|OPTIMIZELY_API_AUTH_JWKSUPDATEINTERVAL|JWKS Update Interval for caching the keys in the background. See: [Authorization Guide](doc:authorization)|
+|api.auth.ttl|OPTIMIZELY_API_AUTH_TTL|Time-to-live of issued access tokens. See: [Authorization Guide](doc:authorization)|
+|api.port|OPTIMIZELY_API_PORT|Api listener port. Default: 8080|
+|api.maxConns|OPTIMIZLEY_API_MAXCONNS|Maximum number of concurrent requests|
+|author|OPTIMIZELY_AUTHOR|Agent author. Default: Optimizely Inc.|
+|certfile|OPTIMIZELY_CERTFILE|Path to a certificate file, used to run Agent with HTTPS|
+|client.batchSize|OPTIMIZELY_CLIENT_BATCHSIZE|The number of events in a batch. Default: 10|
+|config.filename|OPTIMIZELY_CONFIG_FILENAME|Location of the configuration YAML file. Default: ./config.yaml|
+|client.flushInterval|OPTIMIZELY_CLIENT_FLUSHINTERVAL|The maximum time between events being dispatched. Default: 30s|
+|client.pollingInterval|OPTIMIZELY_CLIENT_POLLINGINTERVAL|The time between successive polls for updated project configuration. Default: 1m|
+|client.queueSize|OPTIMIZELY_CLIENT_QUEUESIZE|The max number of events pending dispatch. Default: 1000|
+|disabledCiphers|OPTIMIZELY_DISABLEDCIPHERS|List of TLS ciphers to disable when accepting HTTPS connections|
+|keyfile|OPTIMIZELY_KEYFILE|Path to a key file, used to run Agent with HTTPS|
+|log.level|OPTIMIZELY_LOG_LEVEL|The log [level](https://github.com/rs/zerolog#leveled-logging) for the agent. Default: info|
+|log.pretty|OPTIMIZELY_LOG_PRETTY|Flag used to set colorized console output as opposed to structured json logs. Default: false|
+|name|OPTIMIZELY_NAME|Agent name. Default: optimizely|
+|version|OPTIMIZELY_VERSION|Agent version. Default: `git describe --tags`|
+|sdkKeys|OPTIMIZELY_SDK_KEYS|List of SDK keys used to initialize on startup|
+|server.readTimeout|OPTIMIZELY_SERVER_READTIMEOUT|The maximum duration for reading the entire body.
Default: “5s”|
+|server.writeTimeout|OPTIMIZELY_SERVER_WRITETIMEOUT|The maximum duration before timing out writes of the response. Default: “10s”|
+|webhook.port|OPTIMIZELY_WEBHOOK_PORT|Webhook listener port: Default: 8085|
+|webhook.projects.<*projectId*>.sdkKeys|N/A|Comma delimited list of SDK keys applicable to the respective projectId|
+|webhook.projects.<*projectId*>.secret|N/A|Webhook secret used to validate webhook requests originating from the respective projectId|
+|webhook.projects.<*projectId*>.skipSignatureCheck|N/A|Boolean to indicate whether the signature should be validated. TODO remove in favor of empty secret.|
\ No newline at end of file
diff --git a/docs/readme-sync/deploy-as-a-microservice/050 - api-reference.md b/docs/readme-sync/deploy-as-a-microservice/050 - api-reference.md
new file mode 100644
index 00000000..3649a8a6
--- /dev/null
+++ b/docs/readme-sync/deploy-as-a-microservice/050 - api-reference.md
@@ -0,0 +1,11 @@
+---
+title: "API Reference"
+excerpt: ""
+slug: "api-reference"
+hidden: false
+createdAt: "2020-02-21T17:44:52.492Z"
+updatedAt: "2020-02-21T17:44:52.492Z"
+type: "link"
+link_url: "https://optimizely.github.io/docs/api/agent/"
+link_external: true
+---
diff --git a/docs/readme-sync/deploy-as-a-microservice/060 - github-repository.md b/docs/readme-sync/deploy-as-a-microservice/060 - github-repository.md
new file mode 100644
index 00000000..ae341515
--- /dev/null
+++ b/docs/readme-sync/deploy-as-a-microservice/060 - github-repository.md
@@ -0,0 +1,11 @@
+---
+title: "Github Repository"
+excerpt: ""
+slug: "github-repository"
+hidden: false
+createdAt: "2020-02-21T17:44:28.559Z"
+updatedAt: "2020-02-21T17:44:28.559Z"
+type: "link"
+link_url: "https://github.com/optimizely/agent"
+link_external: true
+---