doc: tmp use static envoy config in docker

Signed-off-by: hmoazzem <[email protected]>

Author: hmoazzem

README.md

@@ -18,30 +18,25 @@ Edge launches and configures these components to work together as a unified back
 
 Edge can run as:
 - A single binary (embeds official component binaries)
-- [Docker compose](./docker-compose.yaml)
+- [Docker compose](./docker-compose.yaml) (follow this README)
 - Kubernetes resources (follow this README)
 - Via a Kubernetes CRD named [Project](./example/project.yaml)
 
-This project is in the ideation stage. Edge configures/manages the four underlying tools to create a cohesive system.
+This project is in the ideation stage. Edge configures/manages the underlying tools to create a cohesive system.
 
 Interested in experimenting or contributing? See [CONTRIBUTING.md](./CONTRIBUTING.md).
 
 ```sh
 git clone [email protected]:edgeflare/edge.git && cd edge
 ```
 
-This uses iam.example.local and api.example.local domains. Ensure they point to the Gateway IP (envoyproxy) eg by adding an entry to `/etc/hosts` like
-
-```sh
-127.0.0.1 api.example.local iam.example.local
-```
-
 ### [docker-compose.yaml](./docker-compose.yaml)
 
 Adjust the docker-compose.yaml
 
 - Free up port 80 from envoy for zitadel's initial configuration via management API which requires end-to-end HTTP/2 support.
-envoyproxy config in docker doesn't support (our xds-server incomplete) HTTP/2 yet; on [k8s](https://raw.githubusercontent.com/edgeflare/pgo/refs/heads/main/k8s.yaml) everything works fine.
+envoyproxy config in docker doesn't support (we gotta finish xds-server) HTTP/2 yet.
+On [k8s](https://raw.githubusercontent.com/edgeflare/pgo/refs/heads/main/k8s.yaml) everything works fine.
 
 ```yaml
   envoy:
@@ -66,10 +61,10 @@ docker compose up -d
 Any OIDC compliant Identity Provider (eg ZITADEL, Keycloak, Auth0) can be used.
 
 ```sh
-export ZITADEL_ISSUER=http://iam.example.local
-export ZITADEL_API=iam.example.local:80
+export ZITADEL_ISSUER=http://iam.127-0-0-1.sslip.io
+export ZITADEL_API=iam.127-0-0-1.sslip.io:80
 export ZITADEL_KEY_PATH=__zitadel-machinekey/zitadel-admin-sa.json
-export ZITADEL_JWK_URL=http://iam.example.local/oauth/v2/keys
+export ZITADEL_JWK_URL=http://iam.127-0-0-1.sslip.io/oauth/v2/keys
 ```
 
 Configure components eg create OIDC clients in ZITADEL etc
@@ -78,26 +73,16 @@ Configure components eg create OIDC clients in ZITADEL etc
 go run ./internal/util/configure/...
 ```
 
-Once done, revert the ports (use 80 for envoy), and `docker compose restart`
+After configuring, revert the ports (use 80 for envoy), and `docker compose down && docker compose up -d`
 
-#### pgo rest
 
-Visit http://iam.example.local, login and regenerate client-secret for oauth2-proxy client in edge project. Then adjust `internal/util/pgo/config.yaml`
-
-> `pgo rest` container fails because of proxy issues. It can be run locally
-
-```sh
-go install github.com/edgeflare/pgo@latest # or download from release page
-```
-##### PostgREST-compatible REST API
 
-```sh
-pgo rest --config internal/util/pgo/config.yaml --rest.pg_conn_string "host=localhost port=5432 user=pgo password=pgopw dbname=main sslmode=prefer"
-```
+Visit ZITADEL UI (eg at iam.192-168-0-121.sslip.io), login (see docker-compose.yaml) and regenerate client-secret for oauth2-proxy client in edge project.
+Then update `internal/util/pgo/config.yaml` with the values. Again, `docker compose down && docker compose up -d`
 
-###### realtime/replication eg sync users from auth-db to app-db
+#### `pgo rest`: PostgREST-compatible REST API
 
-Create table in sink-db. See pgo repo for more examples
+Create a table in app-db for REST and pipeline demo. See pgo repo for more examples
 
 ```sh
 PGUSER=postgres PGPASSWORD=postgrespw PGHOST=localhost PGDATABASE=main PGPORT=5432 psql
@@ -109,14 +94,22 @@ CREATE SCHEMA IF NOT EXISTS iam;
 CREATE TABLE IF NOT EXISTS iam.users (
   id TEXT DEFAULT gen_random_uuid()::TEXT PRIMARY KEY
 );
+
+-- wide-open for demo. use GRANT and RLS for granular ACL
+GRANT USAGE ON SCHEMA iam to anon;
+GRANT ALL ON iam.users to anon;
 ```
 
-Start pipeline
+`docker restart edge_pgo-rest_1` to reload schema cache if it bugs. Now we can eg
 
 ```sh
-pgo pipeline --config internal/util/pgo/config.yaml
+curl localhost:8080/iam/users # via envoyproxy api.127-0-0-1.sslip.io isn't funtional yet
 ```
 
+##### `pgo pipeline`: Debezium-compatible CDC for realtime-event/replication etc
+
+The demo pgo-pipeline container syncs users from auth-db (in projections.users14 table) to app-db (in iam.users)
+
 ### Kubernetes
 If you already have a live k8s cluster, great just copy-paste-enter.
 For development and lightweight prod, [k3s](https://github.com/k3s-io/k3s) seems a great option.
@@ -143,7 +136,6 @@ export ZITADEL_ADMIN_PW=$(kubectl get secrets example-zitadel-firstinstance -o j
 
 Configure zitadel like in docker-compose. Then apply something like `https://raw.githubusercontent.com/edgeflare/pgo/refs/heads/main/k8s.yaml`
 
-
 ## Cleanup
 
 ```sh

docker-compose.yaml

@@ -34,7 +34,7 @@ services:
       ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
       ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgrespw
       ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
-      ZITADEL_EXTERNALDOMAIN: iam.example.local
+      ZITADEL_EXTERNALDOMAIN: iam.192-168-0-121.sslip.io   # resolves to 192.168.0.121 (gateway/envoy IP). use LAN or accesible IP/hostname
       ZITADEL_EXTERNALPORT: 80
       ZITADEL_PORT: 8080
       ZITADEL_EXTERNALSECURE: false
@@ -73,6 +73,52 @@ services:
       timeout: 5s
       retries: 5
 
+  envoy-controlplane:
+    build:
+      context: "."
+      dockerfile: "./internal/util/envoy/Containerfile"
+    entrypoint: /envoy-controlplane
+    ports:
+    - 18000:18000 # xds-server
+    environment:
+    - "DEBUG=true"
+
+  envoy:
+    image: docker.io/envoyproxy/envoy:contrib-v1.33-latest
+    # command: [envoy, --config-path, /etc/bootstrap.yaml, --base-id, 1]   # when used with envoy-controlplane for dynamic config
+    command: [envoy, --config-path, /etc/config.yaml, --base-id, 1]
+    privileged: true
+    ports:
+    - 9901:9901      # admin
+    - 80:10080       # http-proxy
+    volumes:
+    # - $PWD/internal/util/envoy/bootstrap.yaml:/etc/bootstrap.yaml:rw,Z   # when used with envoy-controlplane
+    - $PWD/internal/util/envoy/config.yaml:/etc/config.yaml:rw,Z           # hard-coded config
+    depends_on:
+    - envoy-controlplane
+
+  pgo-rest:
+    image: ghcr.io/edgeflare/pgo
+    command: [rest, --config, /rest/config.yaml]
+    ports:
+    - 8080:8080
+    volumes:
+    - $PWD/internal/util/pgo/config.yaml:/rest/config.yaml:rw,Z
+    depends_on:
+      app-db:
+        condition: service_healthy
+
+  pgo-pipeline:
+    image: ghcr.io/edgeflare/pgo
+    command: [pipeline, --config, /pipeline/config.yaml]
+    volumes:
+    - $PWD/internal/util/pgo/config.yaml:/pipeline/config.yaml:rw,Z
+    depends_on:
+      auth-db:
+        condition: service_healthy
+      app-db:
+        condition: service_healthy
+
   init-app-db:
     image: docker.io/bitnami/postgresql:17
     environment:
@@ -125,39 +171,6 @@ services:
       "
     restart: on-failure
 
-  envoy-controlplane:
-    build:
-      context: "."
-      dockerfile: "./internal/util/envoy/Containerfile"
-    entrypoint: /envoy-controlplane
-    ports:
-    - 18000:18000 # xds-server
-    environment:
-    - "DEBUG=true"
-
-  envoy:
-    image: docker.io/envoyproxy/envoy:contrib-v1.33-latest
-    command: [envoy, --config-path, /etc/bootstrap.yaml, --base-id, 1]
-    privileged: true
-    ports:
-    - 9901:9901      # admin
-    - 80:10080       # http-proxy
-    volumes:
-    - $PWD/internal/util/envoy/bootstrap.yaml:/etc/bootstrap.yaml:rw,Z
-    depends_on:
-    - envoy-controlplane
-
-  pgo-rest:
-    image: ghcr.io/edgeflare/pgo
-    command: [rest, --config, /rest/config.yaml]
-    ports:
-    - 8080:8080
-    volumes:
-    - $PWD/internal/util/pgo/config.yaml:/rest/config.yaml:rw,Z
-    depends_on:
-      app-db:
-        condition: service_healthy
-
 volumes:
   app-db:
   auth-db:

internal/util/envoy/config.yaml

@@ -0,0 +1,104 @@
+admin:
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 9901
+
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10080
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          codec_type: auto
+          stat_prefix: ingress_http
+          route_config:
+            name: multi_service_route
+            virtual_hosts:
+            - name: iam_service
+              domains: ["iam.127-0-0-1.sslip.io", "iam.192-168-0-121.sslip.io", "iam.example.local", "zitadel.example.local"]
+              routes:
+              - match: { prefix: "/" }
+                route:
+                  cluster: iam_zitadel_service
+                  timeout: 0s
+                  max_stream_duration:
+                    grpc_timeout_header_max: 0s
+              cors:
+                allow_origin_string_match:
+                - prefix: "*"
+                allow_methods: GET, PUT, DELETE, POST, OPTIONS
+                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
+                max_age: "1728000"
+                expose_headers: custom-header-1,grpc-status,grpc-message
+            - name: pgo_service
+              domains: ["api.127-0-0-1.sslip.io", "api.example.local", "pgo.example.local"]
+              routes:
+              - match: { prefix: "/" }
+                route:
+                  cluster: pgo_rest_service
+                  timeout: 0s
+                  max_stream_duration:
+                    grpc_timeout_header_max: 0s
+              cors:
+                allow_origin_string_match:
+                - prefix: "*"
+                allow_methods: GET, PUT, DELETE, POST, OPTIONS
+                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
+                max_age: "1728000"
+                expose_headers: custom-header-1,grpc-status,grpc-message
+          http_filters:
+          - name: envoy.filters.http.grpc_web
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
+          - name: envoy.filters.http.cors
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+  - name: iam_zitadel_service
+    connect_timeout: 0.25s
+    type: LOGICAL_DNS
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicit_http_config:
+          http2_protocol_options: {}
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: iam_zitadel_cluster
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: iam-zitadel
+                port_value: 8080
+
+  - name: pgo_rest_service
+    connect_timeout: 0.25s
+    type: LOGICAL_DNS
+    typed_extension_protocol_options:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+        explicit_http_config:
+          http2_protocol_options: {}
+    lb_policy: round_robin
+    load_assignment:
+      cluster_name: pgo_rest_cluster
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: pgo-rest
+                port_value: 8080

internal/util/pgo/config.yaml

@@ -1,10 +1,10 @@
 rest:
   listenAddr: ":8080"
   pg:
-    # connString: "host=app-db port=5432 user=pgo password=pgopw dbname=main sslmode=prefer" # container
-    connString: "host=localhost port=5432 user=pgo password=pgopw dbname=main sslmode=prefer"
+    connString: "host=app-db port=5432 user=pgo password=pgopw dbname=main sslmode=prefer" # container
+    # connString: "host=localhost port=5432 user=pgo password=pgopw dbname=main sslmode=prefer"
   oidc:
-    issuer: http://iam.example.local
+    issuer: http://iam.192-168-0-121.sslip.io
     clientID: 311065325191888901
     clientSecret: WCHwhcHqOFj1igPCh8MvTdidnKMUcUiJV40fnuekKNmY3tdyS6CtIWfRrBjbG24w
     roleClaimKey: .policy.pgrole
@@ -16,13 +16,13 @@ pipeline:
   - name: auth-db
     connector: postgres
     config:
-      connString: "host=localhost port=5431 user=postgres password=postgrespw dbname=main sslmode=prefer replication=database"
+      connString: "host=auth-db port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer replication=database"
       replication:
         tables: ["projections.users14"]
   - name: app-db
     connector: postgres
     config:
-      connString: "host=localhost port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer"
+      connString: "host=app-db port=5432 user=postgres password=postgrespw dbname=main sslmode=prefer"
   - name: debug # logs CDC events to stdout
     connector: debug
   pipelines: