From be32a318a8d416831a88bb2cc2a9fc5eccf951af Mon Sep 17 00:00:00 2001 From: VENKATESH KUMAR Date: Fri, 7 Jun 2019 01:31:10 -0400 Subject: Add VES-tls deploy Change-Id: I7c1f90fc4a5ccabaed7faaa3883e5e14779ba975 Signed-off-by: VENKATESH KUMAR Issue-ID: DCAEGEN2-1593 --- docs/sections/services/ves-http/installation.rst | 209 ++++++++++++++++++++++- 1 file changed, 208 insertions(+), 1 deletion(-) (limited to 'docs/sections/services/ves-http/installation.rst') diff --git a/docs/sections/services/ves-http/installation.rst b/docs/sections/services/ves-http/installation.rst index b39b007d..42d11e10 100644 --- a/docs/sections/services/ves-http/installation.rst +++ b/docs/sections/services/ves-http/installation.rst 
@@ -25,4 +25,211 @@ DMAAPHOST is required for standalone; for normal platform installed instance the - CONFIG_BINDING_SERVICE - used with conjunction with CBSPOLLTIMER, should be a name of CBS as it is registered in Consul - HOSTNAME - used with conjunction with CBSPOLLTIMER, should be a name of VESCollector application as it is registered in CBS catalog -These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name \ No newline at end of file +These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name + + +Authentication Support +---------------------- + +VES Collector support following authentication types + + * *auth.method=noAuth* default option - no security (http) + * *auth.method=certOnly* is used to enable mutual TLS authentication (https) + * *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication + * *auth.method=basicAuth* is used to enable basic HTTPs authentication + +Default ONAP deployed VESCOllector is configured for "noAuth". If VESCollector instance need to be deployed with authentication enabled, follow below setup + + +- Update existing VESCollector deployment to remove nodeport conflict by editing service definition + .. code-block:: bash + + kubectl edit svc -n onap xdcae-ves-collector + +and remove following entry and save the changes; K8S will update the service definition default VES instance + + .. code-block:: bash + + - name: xport-t-8443 + nodePort: 30417 + port: 8443 + protocol: TCP + targetPort: 8443 + +- Execute into Bootstrap POD using kubectl command + +- Copy blueprint content into DCAE bootstrap POD under /blueprints directory under same file name. 
+ +``k8s-ves-tls.yaml`` +-------------------- + + +:: + + # ============LICENSE_START==================================================== + # ============================================================================= + # Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. + # ============================================================================= + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # ============LICENSE_END====================================================== + + tosca_definitions_version: cloudify_dsl_1_3 + + imports: + - "http://www.getcloudify.org/spec/cloudify/3.4/types.yaml" + - https://nexus.onap.org/service/local/repositories/raw/content/org.onap.dcaegen2.platform.plugins/R4/k8splugin/1.4.13/k8splugin_types.yaml + + inputs: + ves_other_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_OTHER_OUTPUT" + ves_heartbeat_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT" + ves_fault_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_FAULT_OUTPUT" + ves_measurement_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT" + ves_notification_publish_url: + type: string + default: 
"http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT" + ves_pnfRegistration_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_PNFREG_OUTPUT" + tag_version: + type: string + default: "nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.ves.vescollector:1.4.4" + external_port: + type: string + description: Kubernetes node port on which collector is exposed + default: "30235" + external_tls_port: + type: string + description: Kubernetes node port on which collector is exposed for https + default: "30417" + replicas: + type: integer + description: number of instances + default: 1 + node_templates: + ves: + interfaces: + cloudify.interfaces.lifecycle: + start: + inputs: + ports: + - concat: ["8443:", { get_input: external_tls_port }] + properties: + application_config: + collector.dmaap.streamid: fault=ves-fault|syslog=ves-syslog|heartbeat=ves-heartbeat|measurementsForVfScaling=ves-measurement|measurement=ves-measurement|mobileFlow=ves-mobileflow|other=ves-other|stateChange=ves-statechange|thresholdCrossingAlert=ves-thresholdCrossingAlert|voiceQuality=ves-voicequality|sipSignaling=ves-sipsignaling|notification=ves-notification|pnfRegistration=ves-pnfRegistration + collector.inputQueue.maxPending: "8096" + collector.keystore.file.location: /opt/app/VESCollector/etc/keystore + collector.keystore.passwordfile: /opt/app/VESCollector/etc/passwordfile + collector.schema.checkflag: "1" + collector.schema.file: "{\"v1\":\"./etc/CommonEventFormat_27.2.json\",\"v2\":\"./etc/CommonEventFormat_27.2.json\",\"v3\":\"./etc/CommonEventFormat_27.2.json\",\"v4\":\"./etc/CommonEventFormat_27.2.json\",\"v5\":\"./etc/CommonEventFormat_28.4.1.json\",\"v7\":\"./etc/CommonEventFormat_30.0.1.json\"}" + collector.service.port: "8080" + collector.service.secure.port: "8443" + event.transform.flag: "0" + auth.method: certBasicAuth + header.authlist: 
"sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6" + services_calls: [] + streams_publishes: + ves-fault: + dmaap_info: + topic_url: + get_input: ves_fault_publish_url + type: message_router + ves-measurement: + dmaap_info: + topic_url: + get_input: ves_measurement_publish_url + type: message_router + ves-notification: + dmaap_info: + topic_url: + get_input: ves_notification_publish_url + type: message_router + ves-pnfRegistration: + dmaap_info: + topic_url: + get_input: ves_pnfRegistration_publish_url + type: message_router + ves-heartbeat: + dmaap_info: + topic_url: + get_input: ves_heartbeat_publish_url + type: message_router + ves-other: + dmaap_info: + topic_url: + get_input: ves_other_publish_url + type: message_router + collector.dynamic.config.update.frequency: "5" + docker_config: + healthcheck: + endpoint: /healthcheck + interval: 15s + timeout: 1s + type: https + image: + get_input: tag_version + replicas: {get_input: replicas} + name: 'dcae-ves-collector-tls' + dns_name: 'dcae-ves-collector-tls' + log_info: + log_directory: "/opt/app/VESCollector/logs/ecomp" + type: dcae.nodes.ContainerizedPlatformComponent + + + +- Validate blueprint + .. code-block:: bash + + cfy blueprints validate /blueprints/k8s-ves-tls.yaml + +- Deploy blueprint + .. code-block:: bash + + cfy install -b ves-tls -d ves-tls /blueprints/k8s-ves-tls.yaml + +To undeploy ves-tls, steps are noted below + +- Uninstall running ves-tls and delete deployment + .. code-block:: bash + + cfy uninstall ves-tls + +The deployment uninstall will also delete the blueprint. In somecase you might notice 400 error reported indicating active deployment exist such as below +** An error occurred on the server: 400: Can't delete blueprint ves-tls - There exist deployments for this blueprint; Deployments ids: ves-tls** + +In this case bluepint can be deleted explicitly using this command. + + .. 
code-block:: bash + + cfy blueprint delete ves-tls + +Note: When VESCollector is required to be deployed under *auth.method=certOnly* the blueprint above should be modified + + * Change auth.method: certBasicAuth to auth.method: certOnly + * Comment out following lines in blueprint to disable readiness check (DCAEGEN2-1594) + + .. code-block:: bash + + docker_config: + healthcheck: + endpoint: /healthcheck + interval: 15s + timeout: 1s + type: https -- cgit 1.2.3-korg
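Review bot: The blueprint's `header.authlist: "sample1,$2a$10$0buh…"` entry ships a published example credential hash, and with `auth.method: certBasicAuth` the collector accepts HTTP basic authentication against it, yet the installation steps never tell the reader to replace it before `cfy install`. Suggest adding, next to the "Copy blueprint content" step, a sentence such as `Replace the sample1 entry in header.authlist with your own user id and bcrypt hash before deploying; the value shown here is a public example and must not be used as-is.` The certOnly note at the end of the hunk also tells the reader to comment out the whole `docker_config.healthcheck` stanza, which leaves the deployment without any readiness check; it would help to state that this is a workaround for DCAEGEN2-1594 and that the stanza should be restored once that issue is fixed. Separately, the undeploy section uses `cfy blueprint delete ves-tls` while the validate step uses `cfy blueprints validate`; one of the two subcommand spellings is likely inconsistent with the cfy CLI in use and should be checked.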