metrics endpoint/esp for prime in prod

ocsgw/build.gradle

@@ -95,20 +95,6 @@ task packDev(type: Zip, dependsOn: 'shadowJar') {
             fileName.replace('dev.', '')
         }
     }
-    // TODO vihang: figure out why wild-card certs fail to verify
-    from ('../certs/dev.ostelco.org/nginx.crt') {
-        into (project.name + '/config/')
-        rename { String fileName ->
-            fileName.replace('nginx', 'ocs')
-        }
-    }
-    from ('../certs/dev.ostelco.org/nginx.crt') {
-        into (project.name + '/config/')
-        rename { String fileName ->
-            fileName.replace('nginx', 'metrics')
-        }
-    }
-    // END of certs
     from ('config/pantel-prod.json') {
         into (project.name + '/config/')
     }

prime/infra/README.md

@@ -83,6 +83,8 @@ Reference:
 Generate self-contained protobuf descriptor file - `ocs_descriptor.pb` & `metrics_descriptor.pb`
 
 ```bash
+pyenv versions
+pyenv local 3.5.2
 pip install grpcio grpcio-tools
 
 python -m grpc_tools.protoc \

prime/infra/dev/metrics-api.yaml

@@ -27,4 +27,4 @@ authentication:
   rules:
   - selector: "*"
     requirements:
-      - provider_id: google_service_account
+      - provider_id: google_service_account

prime/infra/prod/metrics-api.yaml

@@ -0,0 +1,30 @@
+type: google.api.Service
+
+config_version: 3
+
+name: metrics.ostelco.org
+
+title: Prime Metrics Reporter Service gRPC API
+
+apis:
+  - name: org.ostelco.prime.metrics.api.OcsgwAnalyticsService
+
+usage:
+  rules:
+  # All methods can be called without an API Key.
+  - selector: "*"
+    allow_unregistered_calls: true
+
+authentication:
+  providers:
+  - id: google_service_account
+    issuer: [email protected]
+    jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/[email protected]
+    audiences: >
+      https://metrics.ostelco.org/org.ostelco.prime.metrics.api.OcsgwAnalyticsService,
+      metrics.ostelco.org/org.ostelco.prime.metrics.api.OcsgwAnalyticsService,
+      metrics.ostelco.org
+  rules:
+  - selector: "*"
+    requirements:
+      - provider_id: google_service_account

prime/infra/prod/prime.yaml

@@ -37,6 +37,25 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  name: prime-metrics
+  labels:
+    app: prime
+    tier: backend
+spec:
+  type: LoadBalancer
+  loadBalancerIP: 35.240.23.167
+  ports:
+  - name: grpc
+    port: 443
+    targetPort: 9443
+    protocol: TCP
+  selector:
+    app: prime
+    tier: backend
+---
+apiVersion: v1
+kind: Service
 metadata:
   name: pseudonym-server-service
   labels:
@@ -71,7 +90,7 @@ spec:
         prometheus.io/port: '8081'
     spec:
       containers:
-      - name: esp
+      - name: ocs-esp
         image: gcr.io/endpoints-release/endpoints-runtime:1
         args: [
           "--http2_port=9000",
@@ -105,6 +124,23 @@ spec:
         - mountPath: /etc/nginx/ssl
           name: api-ostelco-ssl
           readOnly: true
+      - name: metrics-esp
+        image: gcr.io/endpoints-release/endpoints-runtime:1
+        args: [
+          "--http2_port=9004",
+          "--ssl_port=9443",
+          "--status_port=8094",
+          "--service=metrics.ostelco.org",
+          "--rollout_strategy=managed",
+          "--backend=grpc://127.0.0.1:8083"
+        ]
+        ports:
+        - containerPort: 9004
+        - containerPort: 9443
+        volumeMounts:
+        - mountPath: /etc/nginx/ssl
+          name: metrics-ostelco-ssl
+          readOnly: true
       - name: prime
         image: eu.gcr.io/pantel-2decb/prime:PRIME_VERSION
         imagePullPolicy: Always
@@ -132,6 +168,7 @@ spec:
         - containerPort: 8080
         - containerPort: 8081
         - containerPort: 8082
+        - containerPort: 8083
       volumes:
       - name: secret-config
         secret:
@@ -142,3 +179,6 @@ spec:
       - name: ocs-ostelco-ssl
         secret:
           secretName: ocs-ostelco-ssl
+      - name: metrics-ostelco-ssl
+        secret:
+          secretName: metrics-ostelco-ssl