Diffstat (limited to 'docs')
-rw-r--r-- | docs/sections/apis/ves.rst | 6
-rw-r--r-- | docs/sections/configuration.rst | 2
-rw-r--r-- | docs/sections/consumedapis.rst | 11
-rw-r--r-- | docs/sections/design-components/requirements-guidelines.rst | 2
-rw-r--r-- | docs/sections/release-notes.rst | 54
-rw-r--r-- | docs/sections/services/dfc/certificates.rst | 2
-rw-r--r-- | docs/sections/services/heartbeat-ms/build_setup.rst | 2
-rw-r--r-- | docs/sections/services/heartbeat-ms/testprocedure.rst | 8
-rw-r--r-- | docs/sections/services/pm-mapper/configuration.rst | 14
-rw-r--r-- | docs/sections/services/pm-subscription-handler/configuration.rst | 4
-rw-r--r-- | docs/sections/services/snmptrap/installation.rst | 6
-rw-r--r-- | docs/sections/services/son-handler/installation.rst | 6
-rw-r--r-- | docs/sections/services/ves-http/installation.rst | 9
-rw-r--r-- | docs/sections/tls_enablement.rst | 101
14 files changed, 192 insertions, 35 deletions
diff --git a/docs/sections/apis/ves.rst b/docs/sections/apis/ves.rst index 4ddd7b1d..35d4ebdb 100644 --- a/docs/sections/apis/ves.rst +++ b/docs/sections/apis/ves.rst @@ -28,14 +28,14 @@ onap-discuss@lists.onap.org Security ~~~~~~~~ -`VES Authentication Types <https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/services/ves-http/tls-authentication.html>`_ +`VES Authentication Types <https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/services/ves-http/tls-authentication.html>`_ VES Specification ~~~~~~~~~~~~~~~~~ -- `VES 7.1.1 Data Model <https://docs.onap.org/en/latest/submodules/vnfrqts/requirements.git/docs/Chapter8/ves7_1spec.html#common-event-format>`_ -- `VES 5.4 Data Model <https://docs.onap.org/en/latest/submodules/vnfrqts/requirements.git/docs/Chapter8/ves_5_4_1/VESEventListener.html#common-event-format>`_ +- `VES 7.1.1 Data Model <https://docs.onap.org/projects/onap-vnfrqts-requirements/en/latest/Chapter8/ves7_1spec.html#common-event-format>`_ +- `VES 5.4 Data Model <https://docs.onap.org/projects/onap-vnfrqts-requirements/en/latest/Chapter8/ves_5_4_1/VESEventListener.html#common-event-format>`_ Response Code diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst index b62a5406..d9bdae4d 100644 --- a/docs/sections/configuration.rst +++ b/docs/sections/configuration.rst 
@@ -47,7 +47,7 @@ In addition, for DCAE components deployed through Cloudify Manager blueprints, t * The blueprint input files may contain Helm templates, which are resolved into actual deployment time values following the rules for Helm values. -DCAE Service components are deployed via Cloudify Blueprints. Instruction for deployment and configuration are documented under https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/services/serviceindex.html +DCAE Service components are deployed via Cloudify Blueprints. Instruction for deployment and configuration are documented under https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/services/serviceindex.html Now we walk through an example, how to configure the Docker image for the DCAE VESCollector, which is deployed by Cloudify Manager. diff --git a/docs/sections/consumedapis.rst b/docs/sections/consumedapis.rst index 637ac7b2..80e177e9 100644 --- a/docs/sections/consumedapis.rst +++ b/docs/sections/consumedapis.rst @@ -15,8 +15,9 @@ Consumed APIs DCAEGEN2 Components making following API calls into other ONAP components. -* `DMaaP Message Router <https://docs.onap.org/en/latest/submodules/dmaap/messagerouter/messageservice.git/docs/offeredapis/offeredapis.html>`_ -* `DMaaP Data Router <https://docs.onap.org/en/latest/submodules/dmaap/datarouter.git/docs/offeredapis.html>`_ -* `Policy <https://docs.onap.org/en/latest/submodules/policy/engine.git/docs/platform/offeredapis.html>`_ -* `SDC <https://docs.onap.org/en/latest/submodules/sdc.git/docs/offeredapis.html>`_ -* `A&AI <https://docs.onap.org/en/latest/submodules/aai/aai-common.git/docs/platform/offeredapis.html>`_
\ No newline at end of file +* `DMaaP Message Router <https://docs.onap.org/projects/onap-dmaap-messagerouter-messageservice/en/latest/offeredapis/offeredapis.html>`_ +* `DMaaP Data Router <https://docs.onap.org/projects/onap-dmaap-datarouter/en/latest/offeredapis.html>`_ +* `DMaaP Buscontroller <https://docs.onap.org/projects/onap-dmaap-dbcapi/en/latest/api.html#offeredapis>`_ +* `Policy <https://docs.onap.org/projects/onap-policy-engine/en/latest/platform/offeredapis.html>`_ +* `SDC <https://docs.onap.org/projects/onap-sdc/en/latest/offeredapis.html>`_ +* `A&AI <https://docs.onap.org/projects/onap-aai-aai-common/en/latest/platform/offeredapis.html>`_
\ No newline at end of file diff --git a/docs/sections/design-components/requirements-guidelines.rst b/docs/sections/design-components/requirements-guidelines.rst index f633178c..c887d4ff 100644 --- a/docs/sections/design-components/requirements-guidelines.rst +++ b/docs/sections/design-components/requirements-guidelines.rst @@ -227,7 +227,7 @@ DCAE SDK DCAE has SDK/libraries which can be used for service components for easy integration. -- `Java Library <https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/sdk/architecture.html>`__ +- `Java Library <https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/sdk/architecture.html>`__ - `Python Modules <https://git.onap.org/dcaegen2/utils/tree/onap-dcae-cbs-docker-client>`__ diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst index 98279453..2a858a3a 100644 --- a/docs/sections/release-notes.rst +++ b/docs/sections/release-notes.rst 
@@ -13,6 +13,60 @@ DCAE Release Notes :depth: 2 .. +.. ====================================== +.. * * * FRANKFURT MAINTENANCE * * * +.. ====================================== + + +Version: 6.0.1 +============== + +Abstract +======== + +This document provides the release notes for the Frankfurt Maintenance release + + +Summary +======= + +The focus of this release is to correct issues found on Frankfurt release. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | DCAE | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | onap/org.onap.dcaegen2.services. | +| | son-handler:2.0.4 | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Frankfurt Maintenance Release 1 | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2020/07/24 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +None + +**Bug fixes** + +- `DCAEGEN2-2249 <https://jira.onap.org/browse/DCAEGEN2-2249>`_ SON-Handler: Fix networkId issue +while making call to oof +- `DCAEGEN2-2216 <https://jira.onap.org/browse/DCAEGEN2-2216>`_ SON-Handler: Change Policy notification + to align with policy component updates + +**Known Issues** +Same as Frankfurt Release + + + + .. =========================== .. * * * FRANKFURT * * * .. =========================== diff --git a/docs/sections/services/dfc/certificates.rst b/docs/sections/services/dfc/certificates.rst index b759e70c..2dc557b6 100644 --- a/docs/sections/services/dfc/certificates.rst +++ b/docs/sections/services/dfc/certificates.rst 
@@ -4,7 +4,7 @@ Certificates (From AAF) ======================= DCAE service components will use common certifcates generated from AAF/test instance and made available during deployment of DCAE TLS init container. -DCAE has a generalized process of certificate distribution as documented here - https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/tls_enablement.html +DCAE has a generalized process of certificate distribution as documented here - https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/tls_enablement.html The updated certificates are located in https://git.onap.org/dcaegen2/deployments/tree/tls-init-container/tls diff --git a/docs/sections/services/heartbeat-ms/build_setup.rst b/docs/sections/services/heartbeat-ms/build_setup.rst index 6ab6a178..6033affc 100644 --- a/docs/sections/services/heartbeat-ms/build_setup.rst +++ b/docs/sections/services/heartbeat-ms/build_setup.rst @@ -25,7 +25,7 @@ Docker build procedure Clone the code using below command
::
- git clone https://gerrit.onap.org/r/dcaegen2/services/heartbeat
+ git clone --depth 1 https://gerrit.onap.org/r/dcaegen2/services/heartbeat
give executable permission to mvn-phase-script.sh if not there
already
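Review bot: the `--depth 1` added to the `git clone` line is fine for a one-off image build, but this build_setup page is also the starting point for people who go on to change the code, and a shallow clone carries no history, so anyone who later wants to rebase, bisect or push a change from this checkout has to run `git fetch --unshallow` first. Either keep the full clone here or add a short sentence saying `--depth 1` is optional and only saves time when you just want to build the image.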
diff --git a/docs/sections/services/heartbeat-ms/testprocedure.rst b/docs/sections/services/heartbeat-ms/testprocedure.rst index 03bcbab1..a7c6f799 100644 --- a/docs/sections/services/heartbeat-ms/testprocedure.rst +++ b/docs/sections/services/heartbeat-ms/testprocedure.rst @@ -203,7 +203,7 @@ The postgres DB also have a CL_flag set indicating control loop event with ONSET ubuntu@r3-aai-inst2:~/heartbeat12Dec/heartbeat$ sudo Docker run -d --name hb1 --env-file env.list heartbeat.test1:latest102413e8af4ab754e008cee43a01bf3d5439820aa91cfb4e099a140a7931fd71
ubuntu@r3-aai-inst2:~/heartbeat12Dec/heartbeat$ sudo Docker logs -f hb1
- /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
+ /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install --no-cache-dir psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
""")
2018-12-12 12:39:58,968 | __main__ | misshtbtd | main | 309 | INFO | MSHBD:Execution Started
2018-12-12 12:39:58,970 | __main__ | misshtbtd | main | 314 | INFO | ('MSHBT:HB Properties -', '10.0.4.1', '5432', 'postgres', 'abc', 'hb_vnf', True, 300)
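Review bot: the `+` line edits the text of a `UserWarning` that psycopg2 itself prints from `psycopg2/__init__.py:144`; that line is captured `docker logs` output, not an instruction, and psycopg2's warning does not contain `--no-cache-dir`, so the transcript now shows output the container will never emit. This looks like a repo-wide search-and-replace of `pip install` that caught quoted log text; revert this line to the original warning and put the `--no-cache-dir` recommendation in the install or Dockerfile step where pip is actually invoked.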
@@ -235,16 +235,16 @@ The postgres DB also have a CL_flag set indicating control loop event with ONSET 2018-12-12 12:39:59,139 | __main__ | misshtbtd | main | 386 | INFO | ('MSHBD: Creating HB and DBM threads. The param pssed %d and %s', '../etc/config.json', 7)
2018-12-12 12:39:59,142 | __main__ | misshtbtd | create_process | 301 | INFO | ('MSHBD:jobs list is', [<Process(Process-2, started)>, <Process(Process-3, started)>])
2018-12-12 12:39:59,221 | __main__ | misshtbtd | create_update_hb_common | 143 | INFO | MSHBT:Updated hb_common DB with new values
- /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
+ /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install --no-cache-dir psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
""")
2018-12-12 12:39:59,815 | __main__ | htbtworker | <module> | 243 | INFO | HBT:HeartBeat thread Created
2018-12-12 12:39:59,815 | __main__ | htbtworker | <module> | 245 | INFO | ('HBT:The config file name passed is -%s', '../etc/config.json')
- /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
+ /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install --no-cache-dir psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
""")
2018-12-12 12:39:59,931 | __main__ | cbs_polling | pollCBS | 39 | INFO | ('CBSP:Main process ID in hb_common is %d', 7)
2018-12-12 12:39:59,931 | __main__ | cbs_polling | pollCBS | 41 | INFO | ('CBSP:My parent process ID is %d', '7')
2018-12-12 12:39:59,931 | __main__ | cbs_polling | pollCBS | 43 | INFO | ('CBSP:CBS Polling interval is %d', 300)
- /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
+ /usr/local/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install --no-cache-dir psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
""")
2018-12-12 12:39:59,937 | __main__ | db_monitoring | <module> | 231 | INFO | DBM: DBM Process started
2018-12-12 12:39:59,939 | __main__ | db_monitoring | <module> | 236 | INFO | ('DBM:Parent process ID and json file name', '7', '../etc/config.json')
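Review bot: same issue as the previous hunk for all three `+` lines here: they are the repeated psycopg2 warning quoted from `docker logs -f hb1`, so inserting `--no-cache-dir` into them makes the expected-output transcript wrong; revert these three lines to the original log text.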
diff --git a/docs/sections/services/pm-mapper/configuration.rst b/docs/sections/services/pm-mapper/configuration.rst index 1e676c6a..a9f4f5bf 100644 --- a/docs/sections/services/pm-mapper/configuration.rst +++ b/docs/sections/services/pm-mapper/configuration.rst @@ -4,10 +4,12 @@ Configuration and Performance ============================= -Filtering +PM Mapper Filtering """"""""" -PM Mapper maps PM XML files to performance VES event by applying the mapper filtering information. Mapper filtering is configured during instantiation through cloudify manager. -Mapper filtering is based on the PM dictionary fields. +The PM Mapper performs data reduction, by filtering the PM telemetry data it receives. +This filtering information is provided to the service as part of its configuration, and is used to identify desired PM measurements (measType) contained within the data. +The service can accept an exact match to the measType or regex(java.util.regex) identifying multiple measTypes (it is possible to use both types simultaneously). +If a filter is provided, any measurement that does not match the filter, will be ignored and a warning will be logged. PM Mapper expects the filter in the following JSON format: :: @@ -17,8 +19,8 @@ PM Mapper expects the filter in the following JSON format: "pmDefVsn": "1.3", "nfType": "gnb", "vendor": "Ericsson", - "measTypes": [ "attTCHSeizures", "succTCHSeizures" ] - }] + "measTypes": [ "attTCHSeizures", "succTCHSeizures", "att.*", ".*Seizures" ] + }] @@ -31,7 +33,7 @@ nfType nfType is vendor String defined and should match the string used in file ready eventName. -measTypes Measurement name used in PM Array of String +measTypes Measurement name used in PM List of Strings, Regular expressions file in 3GPP format where specified, else vendor defined. diff --git a/docs/sections/services/pm-subscription-handler/configuration.rst b/docs/sections/services/pm-subscription-handler/configuration.rst index 8f02af0e..83d9cfd8 100644 
--- a/docs/sections/services/pm-subscription-handler/configuration.rst +++ b/docs/sections/services/pm-subscription-handler/configuration.rst @@ -47,6 +47,10 @@ specified in the dashboard deployment GUI. +-----------------------------+----------------------------------------------------------------------------------------+---------+----------+-------------------------------------------------------------------------------------+ | pgaas_cluster_name | Cluster name for Postgres As A Service. | string | True | dcae-pg-primary.onap | +-----------------------------+----------------------------------------------------------------------------------------+---------+----------+-------------------------------------------------------------------------------------+ +| enable_tls | Boolean flag to toggle HTTPS cert auth support. | boolean | True | true | ++-----------------------------+----------------------------------------------------------------------------------------+---------+----------+-------------------------------------------------------------------------------------+ +| protocol | HTTP protocol for PMSH. If 'enable_tls' is false, protocol must be set to http. | string | True | https | ++-----------------------------+----------------------------------------------------------------------------------------+---------+----------+-------------------------------------------------------------------------------------+ .. _Subscription: diff --git a/docs/sections/services/snmptrap/installation.rst b/docs/sections/services/snmptrap/installation.rst index ab523ef4..cce201d3 100644 --- a/docs/sections/services/snmptrap/installation.rst +++ b/docs/sections/services/snmptrap/installation.rst 
@@ -61,9 +61,9 @@ To install prerequisites: ``export PATH=<path to Python 3.6 binary>:$PATH`` - ``pip3 install requests==2.18.3`` + ``pip3 install --no-cache-dir requests==2.18.3`` - ``pip3 install pysnmp==4.4.5`` + ``pip3 install --no-cache-dir pysnmp==4.4.5`` Download latest trapd version from Gerrit """"""""""""""""""""""""""""""""""""""""" @@ -72,7 +72,7 @@ Download a copy of the latest trapd image from gerrit in it's standard runtime l ``cd /opt/app`` - ``git clone ssh://<your linux foundation id>@gerrit.onap.org:29418/dcaegen2/collectors/snmptrap snmptrap`` + ``git clone --depth 1 ssh://<your linux foundation id>@gerrit.onap.org:29418/dcaegen2/collectors/snmptrap snmptrap`` "Un-dockerize" """""""""""""" diff --git a/docs/sections/services/son-handler/installation.rst b/docs/sections/services/son-handler/installation.rst index 360d9474..c8b73a89 100644 --- a/docs/sections/services/son-handler/installation.rst +++ b/docs/sections/services/son-handler/installation.rst @@ -56,10 +56,10 @@ Deployment Prerequisites Deployment steps ~~~~~~~~~~~~~~~~ 1.Using DCAE Dashboard - - Login to DCAE Dashboard - - Go to Inventory --> Blueprints - - Upload son-handler blueprint which can be found under blueprints repo (https://gerrit.onap.org/r/dcaegen2/platform/blueprints) + - Login to DCAE Dashboard (https://{k8s-nodeip}:30418/ccsdk-app/login_external.htm) + - Go to Inventory --> Blueprints - Click on Deploy Action for son-handler blueprint + - Override the value of 'tag_version' to 'nexus3.onap.org:10001/onap/org.onap.dcaegen2.services.son-handler:2.0.4' and click deploy. - Deployment logs can be viewed under Deployments section 2.Using cloudify commands diff --git a/docs/sections/services/ves-http/installation.rst b/docs/sections/services/ves-http/installation.rst index b21ca919..c8d57141 100644 --- a/docs/sections/services/ves-http/installation.rst +++ b/docs/sections/services/ves-http/installation.rst 
@@ -18,12 +18,9 @@ DMAAPHOST is required for standalone; for normal platform installed instance the - COLLECTOR_IP - DMAAPHOST - should contain an address to DMaaP, so that event publishing can work -- CBSPOLLTIMER - it should be put in here if we want to automatically fetch configuration from CBS. -- CONSUL_PROTOCOL - Consul protocol by default set to **http**, if it is need to change it then that can be set to different value -- CONSUL_HOST - used with conjunction with CBSPOLLTIMER, should be a host address (without port! e.g my-ip-or-host) where Consul service lies -- CBS_PROTOCOL - Config Binding Service protocol by default set to **http**, if it is need to change it then that can be set to different value -- CONFIG_BINDING_SERVICE - used with conjunction with CBSPOLLTIMER, should be a name of CBS as it is registered in Consul -- HOSTNAME - used with conjunction with CBSPOLLTIMER, should be a name of VESCollector application as it is registered in CBS catalog +- CONFIG_BINDING_SERVICE - should be a name of CBS +- CONFIG_BINDING_SERVICE_SERVICE_PORT - should be a http port of CBS +- HOSTNAME - should be a name of VESCollector application as it is registered in CBS catalog These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name diff --git a/docs/sections/tls_enablement.rst b/docs/sections/tls_enablement.rst index c42c4761..ec23f65b 100644 --- a/docs/sections/tls_enablement.rst +++ b/docs/sections/tls_enablement.rst @@ -110,4 +110,103 @@ that is available in R6 but is not currently being used. * ``trust.pass``: A text file with a single line that contains the password for the ``trust.jks`` keystore. * ``cacert.pem``: The AAF CA certificate, in PEM form. (Needed by clients that access TLS-protected servers.) - k8splugin version 2.0.0 uses an init container to supply the CA certificates.
\ No newline at end of file + k8splugin version 2.0.0 uses an init container to supply the CA certificates. + +External TLS Support +-------------------- + +External TLS support was introduced in order to integrate DCAE with CertService to acquire operator certificates meant to protect external traffic between DCAE's components (VES collector, HV-VES, RestConf collector and DFC) and xNFs. For that reason K8s plugin which creates K8s resources from Cloudify blueprints was enhanced with new TLS properties support. New TLS properties are meant to control CertService's client call in init containers section and environment variables which are passed to it. + +This external TLS support doesn't influence ONAP internal traffic which is protected by certificates issued by AAF's CertMan. External TLS Support was introduced in k8splugin 3.1.0. + +1. Certificate setup: + + To create certificate artifacts, AAF CertService must obtain the certificate details. Common name and list of Subject Alternative Names (SANs) are set in blueprint as described in step 3. + The following parameters with default values are stored in OOM in k8splugin configuration file (k8splugin.json) in group ``external_cert``: + + * A string ``image_tag`` that indicates CertService client image name and version + * A string ``request_url`` that indicates URL to Cert Service API + * A string ``timeout`` that indicates request timeout. + * A string ``country`` that indicates country name in ISO 3166-1 alpha-2 format, for which certificate will be created + * A string ``organization`` that indicates organization name, for which certificate will be created. + * A string ``state`` that indicates state name, for which certificate will be created. + * A string ``organizational_unit`` that indicates organizational unit name, for which certificate will be created. + * A string ``location`` that indicates location name, for which certificate will be created. 
+ * A string ``keystore_password`` that indicates keystore password. + * A string ``truststore_password`` that indicates truststore password. + + Group ``external_cert`` from k8splugin.json with default values: + + .. code-block:: JSON + + { + "image_tag": "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION", + "request_url": "https://aaf-cert-service:8443/v1/certificate/", + "timeout": "30000", + "country": "US", + "organization": "Linux-Foundation", + "state": "California", + "organizational_unit": "ONAP", + "location": "San-Francisco", + "keystore_password": "secret", + "truststore_password": "secret" + } + + + Parameters configured in k8splugin are propagated via Helm Charts to Kubernetes ConfigMap and finally they are transfered to Consul. + Blueprint, during start of execution, reads k8splugin.json configuration from Consul and applies it. + +2. Certificate generation and retrieval: + + When a DCAE component that needs an external TLS certificate is launched, a Kubernetes init container runs before the main + component container is launched. The init container contacts the AAF CertService. + + DCAE service components (sometimes called "microservices") are deployed via Cloudify using blueprints. This is described + in more detail in the next section. + +3. Plugin and Blueprint: + The blueprint for a component that needs an external TLS certificate needs to include the node property called "external_cert" in + the node properties for the component. The property is a dictionary with following elements: + + * A boolean (``use_external_tls``) that indicates whether the component uses TLS in external traffic. + * A string (``external_cert_directory``) that indicates where the component expects to find operator certificate and trusted certs. + * A string (``ca_name``) that indicates name of Certificate Authority configured on CertService side (in cmpServers.json). + * A string (``output_type``) that indicates certificate output type. 
+ * A dictionary (``external_certificate_parameters``) with two elements: + * A string (``common_name``) that indicates common name which should be present in certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES). + * A string (``sans``) that indicates list of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - : Should contain common_name value and other FQDNs under which given component is accessible. + + Example + + .. code-block:: yaml + + external_cert: + external_cert_directory: /opt/app/dcae-certificate/ + use_external_tls: true + ca_name: "RA" + cert_type: "P12" + external_certificate_parameters: + common_name: "simpledemo.onap.org" + sans: "simpledemo.onap.org;ves.simpledemo.onap.org;ves.onap.org" + + For this example the certificates are mounted into ``/opt/app/dcae-certificate/external`` directory within the container. + + During deployment Kubernetes plugin (referenced in blueprint) will check if the ``external_cert`` property is set and ``use_external_tls`` is set to true, then the plugin will add some elements to the Kubernetes Deployment for the component: + * A Kubernetes volume (``tls-volume``) that will hold the certificate artifacts + * A Kubernetes initContainer (``cert-service-client``) + * A Kubernetes volumeMount for the initContainer that mounts the ``tls-volume`` volume at ``/etc/onap/aaf/certservice/certs/``. + * A Kubernetes volumeMount for the main container that mounts the ``tls-info`` volume at the mount point specified in the ``external_cert_directory`` property. + + Kurbernetes volumeMount tls-info is shared with TLS init container for internal traffic. + +4. Certificate artifacts + + The certificate directory mounted on the container will include the following: + * Directory ``external`` with files: + * ``keystore.p12``: A keystore containing the operator certificate. 
+ * ``keystore.pass``: A text file with a single line that contains the password for the ``keystore.p12`` keystore. + * ``truststore.p12``: A truststore containing the operator certificate. (Needed by clients that access TLS-protected servers in external traffic.) + * ``truststore.pass``: A text file with a single line that contains the password for the ``truststore.p12`` keystore. + * ``trust.jks``: The AAF CA certificate and private key packaged in Java form. + * ``trust.pass``: A text file with a single line that contains the password for ``trust.jks`` file. + * ``cacert.pem``: The AAF CA certificate, in PEM form. |
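Review bot: in the consumedapis.rst hunk the file still ends without a trailing newline (`\ No newline at end of file` is present on the new side as well); add one so the next edit to the last bullet does not show up as a two-line diff.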
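Review bot: in the release-notes.rst hunk the two bug-fix bullets are malformed RST: `while making call to oof` is an unindented continuation line and ` to align with policy component updates` is indented by a single space. A list item's continuation must be indented to align with the item text (two spaces after `- `), otherwise Sphinx reports "Bullet list ends without a blank line" and renders the tail as a separate paragraph. Also put a blank line between `**Known Issues**` and `Same as Frankfurt Release` so the bold pseudo-heading is not merged into the sentence.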
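Review bot: in the first pm-mapper/configuration.rst hunk the renamed title `PM Mapper Filtering` (19 characters) keeps the old 9-character `"""""""""` underline; RST requires the underline to be at least as long as the title, so Sphinx will warn "Title underline too short". Extend it. Also drop the stray comma in "any measurement that does not match the filter, will be ignored", and since the filter now accepts `java.util.regex` patterns, state whether a pattern must match the whole `measType` or only a substring (the example `att.*` / `.*Seizures` reads as whole-match); an operator who guesses wrong silently drops measurements and only sees the warning you mention.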
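Review bot: in the pm-subscription-handler/configuration.rst hunk the new `enable_tls` and `protocol` rows describe two settings that can contradict each other (`enable_tls: true` with `protocol: http`, or `enable_tls: false` with `protocol: https`), and the table only covers the TLS-off case. Document what PMSH does on a mismatch (rejects the configuration, or which setting wins), or derive `protocol` from `enable_tls` so there is a single switch; the failure mode to avoid is an operator setting `protocol` to `http` while `enable_tls` still reads `true` and assuming traffic is still protected. "HTTPS cert auth support" is also ambiguous: say whether this enables server TLS only or client-certificate authentication as well.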
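Review bot: in the son-handler/installation.rst hunk the "Upload son-handler blueprint" step is removed, but the following step still says "Click on Deploy Action for son-handler blueprint", so the text now assumes the blueprint is already in the Dashboard inventory without saying why (pre-loaded by bootstrap?); add one sentence stating that, or keep the upload step as a conditional. The hard-coded `tag_version` override `...son-handler:2.0.4` also duplicates the version that release-notes.rst pins in this same change; point to the release notes or the blueprint default so the two cannot drift.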
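Review bot: in the ves-http/installation.rst hunk `CBS_PROTOCOL` and `CONSUL_PROTOCOL` are removed and replaced by `CONFIG_BINDING_SERVICE_SERVICE_PORT`, described as "a http port of CBS". Before this change the docs said the protocol defaulted to http but could be changed; after it, plaintext HTTP to CBS is the only documented option. If the collector no longer supports https towards CBS, say so explicitly so operators know configuration is fetched unauthenticated in the clear; if it still does, document the variable that selects it. `CBSPOLLTIMER` is also dropped without saying whether configuration polling is now always on or no longer available.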
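Review bot: in the tls_enablement.rst hunk the blueprint example disagrees with the property list: the list documents `output_type`, but the YAML example uses `cert_type: "P12"`; one of them is wrong, and a blueprint author copying the example gets either an ignored key or a validation error, so align the name with what k8splugin actually reads. Further points in the same hunk: (1) `sans` says "Delimiter - :" while the example uses `;` (`simpledemo.onap.org;ves.simpledemo.onap.org;ves.onap.org`); state the real delimiter once. (2) `trust.jks` is described as "The AAF CA certificate and private key packaged in Java form"; a truststore holds trusted certificates only and a CA private key must never be shipped to service containers, so this should read "The AAF CA certificate, in Java truststore form"; likewise `truststore.p12` "containing the operator certificate" should name what is actually trusted (the operator CA / trusted certs), since the component's own certificate is the one in `keystore.p12`. (3) The volume is introduced as `tls-volume` and then mounted as `tls-info`; use one name. (4) The `keystore_password` / `truststore_password` defaults (`secret`) travel, per the text, via Helm values into a ConfigMap and then Consul; say explicitly that these defaults must be overridden per deployment, and that they belong in a Kubernetes Secret rather than a ConfigMap, because anyone able to read the ConfigMap or Consul KV obtains the password protecting the operator key. (5) `timeout` "30000" has no unit; add it. (6) The nested bullets under `external_certificate_parameters`, under "will add some elements to the Kubernetes Deployment", and under "Directory ``external`` with files:" have no blank line before them and are not indented relative to the parent, which docutils reports as "Unexpected indentation"; add the blank lines and indentation. (7) Typos: "transfered" and "Kurbernetes".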