author VENKATESH KUMAR <vv770d@att.com> 2019-06-07 01:31:10 -0400
committer Vijay Venkatesh Kumar <vv770d@att.com> 2019-06-07 15:29:59 +0000
commit be32a318a8d416831a88bb2cc2a9fc5eccf951af (patch)
tree 3f513e7222418da371fbdc067340a86699175d9a /docs/sections/services/ves-http/installation.rst
parent bb8dea8255097e9cd306d8f02f945bfb684e469b (diff)
Add VES-tls deploy
Change-Id: I7c1f90fc4a5ccabaed7faaa3883e5e14779ba975
Signed-off-by: VENKATESH KUMAR <vv770d@att.com>
Issue-ID: DCAEGEN2-1593
Diffstat (limited to 'docs/sections/services/ves-http/installation.rst')
-rw-r--r-- docs/sections/services/ves-http/installation.rst | 209
1 files changed, 208 insertions, 1 deletions
diff --git a/docs/sections/services/ves-http/installation.rst b/docs/sections/services/ves-http/installation.rst
index b39b007d..42d11e10 100644
--- a/docs/sections/services/ves-http/installation.rst
+++ b/docs/sections/services/ves-http/installation.rst
@@ -25,4 +25,211 @@ DMAAPHOST is required for standalone; for normal platform installed instance the
- CONFIG_BINDING_SERVICE - used with conjunction with CBSPOLLTIMER, should be a name of CBS as it is registered in Consul
- HOSTNAME - used with conjunction with CBSPOLLTIMER, should be a name of VESCollector application as it is registered in CBS catalog
-These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name \ No newline at end of file
+These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name
+
+
+Authentication Support
+----------------------
+
+VES Collector support following authentication types
+
+ * *auth.method=noAuth* default option - no security (http)
+ * *auth.method=certOnly* is used to enable mutual TLS authentication (https)
+ * *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication
+ * *auth.method=basicAuth* is used to enable basic HTTPs authentication
+
+Default ONAP deployed VESCOllector is configured for "noAuth". If VESCollector instance need to be deployed with authentication enabled, follow below setup
+
+
+- Update existing VESCollector deployment to remove nodeport conflict by editing service definition
+ .. code-block:: bash
+
+ kubectl edit svc -n onap xdcae-ves-collector
+
+and remove following entry and save the changes; K8S will update the service definition default VES instance
+
+ .. code-block:: bash
+
+ - name: xport-t-8443
+ nodePort: 30417
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+
+- Execute into Bootstrap POD using kubectl command
+
+- Copy blueprint content into DCAE bootstrap POD under /blueprints directory under same file name.
+
+``k8s-ves-tls.yaml``
+--------------------
+
+
+::
+
+ # ============LICENSE_START====================================================
+ # =============================================================================
+ # Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+ # =============================================================================
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ # ============LICENSE_END======================================================
+
+ tosca_definitions_version: cloudify_dsl_1_3
+
+ imports:
+ - "http://www.getcloudify.org/spec/cloudify/3.4/types.yaml"
+ - https://nexus.onap.org/service/local/repositories/raw/content/org.onap.dcaegen2.platform.plugins/R4/k8splugin/1.4.13/k8splugin_types.yaml
+
+ inputs:
+ ves_other_publish_url:
+ type: string
+ default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_OTHER_OUTPUT"
+ ves_heartbeat_publish_url:
+ type: string
+ default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT"
+ ves_fault_publish_url:
+ type: string
+ default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_FAULT_OUTPUT"
+ ves_measurement_publish_url:
+ type: string
+ default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT"
+ ves_notification_publish_url:
+ type: string
+ default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT"
+ ves_pnfRegistration_publish_url:
+ type: string
+ default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_PNFREG_OUTPUT"
+ tag_version:
+ type: string
+ default: "nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.ves.vescollector:1.4.4"
+ external_port:
+ type: string
+ description: Kubernetes node port on which collector is exposed
+ default: "30235"
+ external_tls_port:
+ type: string
+ description: Kubernetes node port on which collector is exposed for https
+ default: "30417"
+ replicas:
+ type: integer
+ description: number of instances
+ default: 1
+ node_templates:
+ ves:
+ interfaces:
+ cloudify.interfaces.lifecycle:
+ start:
+ inputs:
+ ports:
+ - concat: ["8443:", { get_input: external_tls_port }]
+ properties:
+ application_config:
+ collector.dmaap.streamid: fault=ves-fault|syslog=ves-syslog|heartbeat=ves-heartbeat|measurementsForVfScaling=ves-measurement|measurement=ves-measurement|mobileFlow=ves-mobileflow|other=ves-other|stateChange=ves-statechange|thresholdCrossingAlert=ves-thresholdCrossingAlert|voiceQuality=ves-voicequality|sipSignaling=ves-sipsignaling|notification=ves-notification|pnfRegistration=ves-pnfRegistration
+ collector.inputQueue.maxPending: "8096"
+ collector.keystore.file.location: /opt/app/VESCollector/etc/keystore
+ collector.keystore.passwordfile: /opt/app/VESCollector/etc/passwordfile
+ collector.schema.checkflag: "1"
+ collector.schema.file: "{\"v1\":\"./etc/CommonEventFormat_27.2.json\",\"v2\":\"./etc/CommonEventFormat_27.2.json\",\"v3\":\"./etc/CommonEventFormat_27.2.json\",\"v4\":\"./etc/CommonEventFormat_27.2.json\",\"v5\":\"./etc/CommonEventFormat_28.4.1.json\",\"v7\":\"./etc/CommonEventFormat_30.0.1.json\"}"
+ collector.service.port: "8080"
+ collector.service.secure.port: "8443"
+ event.transform.flag: "0"
+ auth.method: certBasicAuth
+ header.authlist: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6"
+ services_calls: []
+ streams_publishes:
+ ves-fault:
+ dmaap_info:
+ topic_url:
+ get_input: ves_fault_publish_url
+ type: message_router
+ ves-measurement:
+ dmaap_info:
+ topic_url:
+ get_input: ves_measurement_publish_url
+ type: message_router
+ ves-notification:
+ dmaap_info:
+ topic_url:
+ get_input: ves_notification_publish_url
+ type: message_router
+ ves-pnfRegistration:
+ dmaap_info:
+ topic_url:
+ get_input: ves_pnfRegistration_publish_url
+ type: message_router
+ ves-heartbeat:
+ dmaap_info:
+ topic_url:
+ get_input: ves_heartbeat_publish_url
+ type: message_router
+ ves-other:
+ dmaap_info:
+ topic_url:
+ get_input: ves_other_publish_url
+ type: message_router
+ collector.dynamic.config.update.frequency: "5"
+ docker_config:
+ healthcheck:
+ endpoint: /healthcheck
+ interval: 15s
+ timeout: 1s
+ type: https
+ image:
+ get_input: tag_version
+ replicas: {get_input: replicas}
+ name: 'dcae-ves-collector-tls'
+ dns_name: 'dcae-ves-collector-tls'
+ log_info:
+ log_directory: "/opt/app/VESCollector/logs/ecomp"
+ type: dcae.nodes.ContainerizedPlatformComponent
+
+
+
+- Validate blueprint
+ .. code-block:: bash
+
+ cfy blueprints validate /blueprints/k8s-ves-tls.yaml
+
+- Deploy blueprint
+ .. code-block:: bash
+
+ cfy install -b ves-tls -d ves-tls /blueprints/k8s-ves-tls.yaml
+
+To undeploy ves-tls, steps are noted below
+
+- Uninstall running ves-tls and delete deployment
+ .. code-block:: bash
+
+ cfy uninstall ves-tls
+
+The deployment uninstall will also delete the blueprint. In somecase you might notice 400 error reported indicating active deployment exist such as below
+** An error occurred on the server: 400: Can't delete blueprint ves-tls - There exist deployments for this blueprint; Deployments ids: ves-tls**
+
+In this case bluepint can be deleted explicitly using this command.
+
+ .. code-block:: bash
+
+ cfy blueprint delete ves-tls
+
+Note: When VESCollector is required to be deployed under *auth.method=certOnly* the blueprint above should be modified
+
+ * Change auth.method: certBasicAuth to auth.method: certOnly
+ * Comment out following lines in blueprint to disable readiness check (DCAEGEN2-1594)
+
+ .. code-block:: bash
+
+ docker_config:
+ healthcheck:
+ endpoint: /healthcheck
+ interval: 15s
+ timeout: 1s
+ type: https
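Review bot: The `header.authlist` entry in the `application_config` block of k8s-ves-tls.yaml hard-codes the user `sample1` with a fixed bcrypt hash next to `auth.method: certBasicAuth`, so every collector installed by copying this blueprint verbatim accepts the same publicly documented credential. Since the list at the top of the section describes certBasicAuth as "mutual TLS authentication or/and basic HTTPs authentication", please make `header.authlist` a blueprint input supplied through `get_input` (as `tag_version` and the publish URLs already are) with no usable default, or add an explicit step before `cfy install` telling the operator to replace it with their own user and hash, and state whether basic auth alone is enough to be accepted in this mode. The section also points `collector.keystore.file.location` and `collector.keystore.passwordfile` at paths under /opt/app/VESCollector/etc without saying how an operator provides their own keystore or client trust material, which a mutual-TLS deployment guide needs. For the certOnly note, disabling the `healthcheck` block removes the readiness check entirely; it would help to say what the operator should use instead to confirm the collector is up until DCAEGEN2-1594 is resolved. Minor: several `.. code-block:: bash` directives sit directly under a list item with no blank line, and the service-port and `docker_config` fragments are YAML rather than bash, so they should be checked in the rendered output.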