Client Config & Cert Documentation

Issue-ID: AAF-378
Change-Id: Ic0c05803551f1874b230c5c9e031b5bf5ff03599
Signed-off-by: Instrumental <jonathan.gathman@att.com>

1 files changed, 82 insertions, 16 deletions

diff --git a/docs/sections/installation/client_vol.rst b/docs/sections/installation/client_vol.rst
index ea98e5f2..fc33e1bb 100644
--- a/docs/sections/installation/client_vol.rst
+++ b/docs/sections/installation/client_vol.rst
@@ -26,8 +26,8 @@ Prerequisites
     | but it DOES have be accessible to the AAF Instance.  
   * For ONAP, this means
     
-	* Windriver VPN
-	* include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS
+    * Windriver VPN
+    * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS
 
 -----------------------
 Obtain the Agent Script
@@ -49,22 +49,88 @@ In your chosen directory ::
  
   $ bash agent.sh
 
-The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it
+The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it.
 
+This file is available to reuse for multiple calls. More importantly, you should use it as a template for auto-configuration.  (In ONAP, these are HEAT templates and OOM Helm Charts)
 
---------------- ---------------
-Tag             Value
---------------- ---------------
-CADI Version    Defaults to CADI version of this
-AAF's FQDN      PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org'
-Deployer's FQI  deployer@people.osaaf.org.  In a REAL system, this would be a person or process 
-App's Root FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap
-App's FQI       Fully Qualified ID given by Organization and with AAF NS/domain.  ex: clamp@clamp.onap.org 
-App's Volume    Volume to put the data, see above. ex: clamp_aaf
-DRIVER		Docker Volume type... See Docker Volume documentation
-LATITUDE	Global latitude coordinate of Node (best guess for Kubernetes)
-LONGITUDE	Global longitude coordinate of Node (best guess for Kubernetes)
---------------- ---------------
+---------------------
+'aaf.prop' Properties
+---------------------
 
+=================== =============== ============
+Query               Tag             Description
+=================== =============== ============
+CADI Version        VERSION         Defaults to CADI version of this
+AAF's FQDN          AAF_FQDN        PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org'
+Deployer's FQI      DEPLOY_FQI      deployer@people.osaaf.org.  In a REAL system, this would be a person or process 
+App's Root FQDN     APP_FQDN        This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap
+App's FQI           APP_FQI         Fully Qualified ID given by Organization and with AAF NS/domain.  ex: clamp@clamp.onap.org 
+App's Volume        VOLUME          Volume to put the data, see above. ex: clamp_aaf
+DRIVER              DRIVER          Docker Volume type... See Docker Volume documentation
+LATITUDE of Node    LATITUDE        Global latitude coordinate of Node (best guess in Kubernetes)
+LONGITUDE of Node   LONGITUDE       Global longitude coordinate of Node (best guess in Kubernetes)
+=================== =============== ============
+
+---------------------
+Dynamic Properties
+---------------------
+
+These Properties do not automatically save in 'aaf.props', because...
+
+  | Passwords should not be stored clear text, with the possible exception of constant Environment Recreation, where it is impractical.
+  | The IP of the AAF's FQDN is looked up, if possible.  It can be set, however, when lookup isn't available.
+
+=================== =============== ============
+Query               Tag             Description
+=================== =============== ============
+Deployer's Password DEPLOY_PASSWORD Password for the Deployer. Avoids storing, except where impossible otherwise. 
+IP of <AAF_FQDN>    AAF_FQDN_IP     IP for Name of AAF FQDN, if not available by normal lookup means
+=================== =============== ============
+
+-----------------------
+ONAP Entity Info in AAF
+-----------------------
+
+============================= ===========================  =======================
+ONAP Namespaces               APP FQI                      APP FQDN
+============================= ===========================  =======================
+org.onap.aaf-sms              aaf-sms@aaf-sms.onap.org     aaf-sms
+org.onap.aai                  aai@aai.onap.org             aai
+org.onap.appc                 appc@appc.onap.org           appc
+org.onap.clamp                clamp@clamp.onap.org         clamp
+org.onap.dcae                 dcae@dcae.onap.org           dcae
+org.onap.dmaap-bc             dmaap-bc@dmaap-bc.onap.org   dmaap-bc
+org.onap.dmaap-mr             dmaap-mr@dmaap-mr.onap.org   dmaap-mr
+org.onap.oof                  oof@oof.onap.org             oof
+org.onap.sdnc                 sdnc@sdnc.onap.org           sdnc
+============================= ===========================  =======================
+
+*Note: FQDNs are set in AAF's Credential Artifact data, accessible in "Cred Details" from Namespace Page*
+
+If something goes wrong, and Certificate is not created, you can adjust the data, remove the data from the Container's /opt/app/osaaf/local dir, and it will generate again. ::
+
+  root@77777:/opt/app/osaaf/local# rm *
+  root@77777:/opt/app/osaaf/local# exit
+  $ bash agent.sh bash
+
+-------------
+Informational
+-------------
+
+There are two sets of Credentials at play here.  The ability to create the Certificate belongs to one of
+  
+  * The person responsible for the ID in the Organization 
+  * A delegated deployer
+
+It is expected in large organizations that Individual Employees are given the responsibility of an ID for an APP they are responsible for.
+
+  In ONAP test, to simplify create/tear-down environment... 
+     | The **Owner** is always "mmanager@people.osaaf.org". 
+     | The **Sponsor** is always "aaf_admin@people.osaaf.org".
+
+In a large org, there are probably many Operations teams to support many different apps.
+
+  In ONAP test, 
+     The **Deployer** is always set to "deploy@people.osaaf.org" for all Apps.