Move deployment variables to VCL (instead edge dicts)

[tripodsan]

Description
The values for the x-action-root and openwhisk_namespace etc, are read from from the edge-dictionary, which we assumed is bound to the active service version. but it is not:
https://docs.fastly.com/en/guides/about-edge-dictionaries#how-dictionaries-work

Edge Dictionaries are made up of dictionary containers and the dictionary items within them. Once you attach a dictionary container to a version of your service and that service is activated, the data in it becomes "versionless." This means you can add to and update the data an Edge Dictionary contains at any time after it is created, without ever incrementing a service's version.

So every publish is updating the edge dictionary for the already active version, which is wrong.

Very Short Term Solution

• set value of the x-action-root for the default strain directly in VCL
• assign the value of the OPENHWHISK_NAMESPACE to a global variable in VCL

Solution supporting strains

currently the following edge dicts are used:

• table secrets
• table strain_action_roots;
• table strain_allow;
• table strain_deny;
• table strain_github_static_owners;
• table strain_github_static_refs;
• table strain_github_static_repos;
• table strain_github_static_root;
• table strain_index_files;
• table strain_owners;
• table strain_refs;
• table strain_repos;
• table strain_root_pathsl

For the strain dependent variables, we should probably have a large if (strain == 'xyz') section in the VCL that sets the potential values. eg:

if (req.http.X-Strain == 'staging') {
 set req.http.X-Owner = 'adobe';
 set req.http.X-Repo = 'theblog';
 set req.http.X-Ref = 'stage';
 set req.http.X-Action-Root = 'helix-pages/12345';
 ...
} else if (req.http.X-Strain == 'testing') {
  ....
} else {
  // default
 set req.http.X-Owner = 'adobe';
 set req.http.X-Repo = 'theblog';
 set req.http.X-Ref = 'master';
 set req.http.X-Action-Root = 'helix-pages/6789';
}

As for the secrets, those need to be global for all versions. the problematic ones are the secrets that change per deployment. eg OPENWHISK_AUTH, GITHUB_TOKEN, OPENWHISK_NAMESPACE.

those are usually not a problem, since one fastly services should only be served by one openwhisk namespace, but it of course a problem during development or staging. and in the special case of helix-pages (once we want to move certain customers to custom namespaces).

as a workaround, the OPENWHISK_NAMESPACE could be stored in a global variable, and only the OPENWHISK_AUTH in a special table openhwhisk-creds that would store the auth per namespace.

[trieloff]

I'm not sure I see what the problem is. Using edge dicts would even allow us to speed up publishing in cases where the VCL has not changed by skipping all VCL updates.

[tripodsan]

using the VLC version for the action root would allow to rollback to a previous state via the fastly UI...
but yes. maybe it's not such a big problem....

[trieloff]

but maybe we should prevent the integration test from running against the helix-pages config, ever.

[tripodsan]

but we also had the case, where the CI updated the edge dicts, but wasn't able to activate the VCL....

personally, I'd rather have something that is visible in the VCL config and can easily be rolled back.