From be32a318a8d416831a88bb2cc2a9fc5eccf951af Mon Sep 17 00:00:00 2001 From: VENKATESH KUMAR Date: Fri, 7 Jun 2019 01:31:10 -0400 Subject: Add VES-tls deploy Change-Id: I7c1f90fc4a5ccabaed7faaa3883e5e14779ba975 Signed-off-by: VENKATESH KUMAR Issue-ID: DCAEGEN2-1593 --- docs/sections/architecture.rst | 6 +- docs/sections/build.rst | 6 +- docs/sections/release-notes.rst | 2 + docs/sections/services/ves-http/installation.rst | 209 ++++++++++++++++++++++- 4 files changed, 215 insertions(+), 8 deletions(-) (limited to 'docs') diff --git a/docs/sections/architecture.rst b/docs/sections/architecture.rst index 9daa7070..349f58b5 100644 --- a/docs/sections/architecture.rst +++ b/docs/sections/architecture.rst 
@@ -24,10 +24,8 @@ transported among different DCAE service components. DCAE use Consul's distributed K-V store service to manage component configurations where each key is based on the unique identity of a DCAE component (identified by ServiceComponentName), and the value is the configuration for the corresponding component. The K-V store for each service components is -created during deployment. DCAE platform creates and updates the K-V pairs based on information provided as part of the control loop blueprint deployment, or through - a notification/trigger received from other ONAP components such as Policy Framework and CLAMP. Either through periodically polling or proactive pushing, the DCAE - components get the configuration updates in realtime and apply the configuration updates. DCAE Platform also offers dynamic template resolution for configuration -parameters that are dynamic and only known by the DCAE platform, such as dynamically provisioned DMaaP topics. This approach standardizes component deployment and +created during deployment. DCAE platform creates and updates the K-V pairs based on information provided as part of the control loop blueprint deployment, or through a notification/trigger received from other ONAP components such as Policy Framework and CLAMP. Either through periodically polling or proactive pushing, the DCAE + components get the configuration updates in realtime and apply the configuration updates. DCAE Platform also offers dynamic template resolution for configuration parameters that are dynamic and only known by the DCAE platform, such as dynamically provisioned DMaaP topics. This approach standardizes component deployment and configuration management for DCAE service components in multi-site deployment. diff --git a/docs/sections/build.rst b/docs/sections/build.rst index 4b9db930..bc7a5489 100644 --- a/docs/sections/build.rst +++ b/docs/sections/build.rst 
@@ -82,9 +82,9 @@ Below is a list of the repos and their sub-modules, and the language they are wr * dcaegen2.platform.configbinding (Python) -* dcaegen2.platform.deployment-handler (Python) +* dcaegen2.platform.deployment-handler (NodeJS) -* dcaegen2.platform.inventory-api (Clojure) +* dcaegen2.platform.inventory-api (Java) * dcaegen2.platform.plugins @@ -96,7 +96,7 @@ Below is a list of the repos and their sub-modules, and the language they are wr * dcaegen2.platform.policy-handler (Python) -* dcaegen2.platform.servicechange-handler (Python) +* dcaegen2.platform.servicechange-handler (Clojure) * dcaegen2.utils diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst index f073d0d8..d5ec7495 100644 --- a/docs/sections/release-notes.rst +++ b/docs/sections/release-notes.rst @@ -98,6 +98,8 @@ Source code of DCAE components are released under the following repositories on **Bug Fixes** **Known Issues** + * VES Collector basic authentication not working (DCAEGEN2-1541) + This has no impact on the Dublin usecases; will be addressed for El-Alto if not sooner. **Security Notes** diff --git a/docs/sections/services/ves-http/installation.rst b/docs/sections/services/ves-http/installation.rst index b39b007d..42d11e10 100644 --- a/docs/sections/services/ves-http/installation.rst +++ b/docs/sections/services/ves-http/installation.rst 
@@ -25,4 +25,211 @@ DMAAPHOST is required for standalone; for normal platform installed instance the - CONFIG_BINDING_SERVICE - used with conjunction with CBSPOLLTIMER, should be a name of CBS as it is registered in Consul - HOSTNAME - used with conjunction with CBSPOLLTIMER, should be a name of VESCollector application as it is registered in CBS catalog -These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name \ No newline at end of file +These parameters can be configured either by passing command line option during `docker run` call or by specifying environment variables named after command line option name + + +Authentication Support +---------------------- + +VES Collector support following authentication types + + * *auth.method=noAuth* default option - no security (http) + * *auth.method=certOnly* is used to enable mutual TLS authentication (https) + * *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication + * *auth.method=basicAuth* is used to enable basic HTTPs authentication + +Default ONAP deployed VESCOllector is configured for "noAuth". If VESCollector instance need to be deployed with authentication enabled, follow below setup + + +- Update existing VESCollector deployment to remove nodeport conflict by editing service definition + .. code-block:: bash + + kubectl edit svc -n onap xdcae-ves-collector + +and remove following entry and save the changes; K8S will update the service definition default VES instance + + .. code-block:: bash + + - name: xport-t-8443 + nodePort: 30417 + port: 8443 + protocol: TCP + targetPort: 8443 + +- Execute into Bootstrap POD using kubectl command + +- Copy blueprint content into DCAE bootstrap POD under /blueprints directory under same file name. 
+ +``k8s-ves-tls.yaml`` +-------------------- + + +:: + + # ============LICENSE_START==================================================== + # ============================================================================= + # Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. + # ============================================================================= + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # ============LICENSE_END====================================================== + + tosca_definitions_version: cloudify_dsl_1_3 + + imports: + - "http://www.getcloudify.org/spec/cloudify/3.4/types.yaml" + - https://nexus.onap.org/service/local/repositories/raw/content/org.onap.dcaegen2.platform.plugins/R4/k8splugin/1.4.13/k8splugin_types.yaml + + inputs: + ves_other_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_OTHER_OUTPUT" + ves_heartbeat_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT" + ves_fault_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.SEC_FAULT_OUTPUT" + ves_measurement_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT" + ves_notification_publish_url: + type: string + default: 
"http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT" + ves_pnfRegistration_publish_url: + type: string + default: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.VES_PNFREG_OUTPUT" + tag_version: + type: string + default: "nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.ves.vescollector:1.4.4" + external_port: + type: string + description: Kubernetes node port on which collector is exposed + default: "30235" + external_tls_port: + type: string + description: Kubernetes node port on which collector is exposed for https + default: "30417" + replicas: + type: integer + description: number of instances + default: 1 + node_templates: + ves: + interfaces: + cloudify.interfaces.lifecycle: + start: + inputs: + ports: + - concat: ["8443:", { get_input: external_tls_port }] + properties: + application_config: + collector.dmaap.streamid: fault=ves-fault|syslog=ves-syslog|heartbeat=ves-heartbeat|measurementsForVfScaling=ves-measurement|measurement=ves-measurement|mobileFlow=ves-mobileflow|other=ves-other|stateChange=ves-statechange|thresholdCrossingAlert=ves-thresholdCrossingAlert|voiceQuality=ves-voicequality|sipSignaling=ves-sipsignaling|notification=ves-notification|pnfRegistration=ves-pnfRegistration + collector.inputQueue.maxPending: "8096" + collector.keystore.file.location: /opt/app/VESCollector/etc/keystore + collector.keystore.passwordfile: /opt/app/VESCollector/etc/passwordfile + collector.schema.checkflag: "1" + collector.schema.file: "{\"v1\":\"./etc/CommonEventFormat_27.2.json\",\"v2\":\"./etc/CommonEventFormat_27.2.json\",\"v3\":\"./etc/CommonEventFormat_27.2.json\",\"v4\":\"./etc/CommonEventFormat_27.2.json\",\"v5\":\"./etc/CommonEventFormat_28.4.1.json\",\"v7\":\"./etc/CommonEventFormat_30.0.1.json\"}" + collector.service.port: "8080" + collector.service.secure.port: "8443" + event.transform.flag: "0" + auth.method: certBasicAuth + header.authlist: 
"sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6" + services_calls: [] + streams_publishes: + ves-fault: + dmaap_info: + topic_url: + get_input: ves_fault_publish_url + type: message_router + ves-measurement: + dmaap_info: + topic_url: + get_input: ves_measurement_publish_url + type: message_router + ves-notification: + dmaap_info: + topic_url: + get_input: ves_notification_publish_url + type: message_router + ves-pnfRegistration: + dmaap_info: + topic_url: + get_input: ves_pnfRegistration_publish_url + type: message_router + ves-heartbeat: + dmaap_info: + topic_url: + get_input: ves_heartbeat_publish_url + type: message_router + ves-other: + dmaap_info: + topic_url: + get_input: ves_other_publish_url + type: message_router + collector.dynamic.config.update.frequency: "5" + docker_config: + healthcheck: + endpoint: /healthcheck + interval: 15s + timeout: 1s + type: https + image: + get_input: tag_version + replicas: {get_input: replicas} + name: 'dcae-ves-collector-tls' + dns_name: 'dcae-ves-collector-tls' + log_info: + log_directory: "/opt/app/VESCollector/logs/ecomp" + type: dcae.nodes.ContainerizedPlatformComponent + + + +- Validate blueprint + .. code-block:: bash + + cfy blueprints validate /blueprints/k8s-ves-tls.yaml + +- Deploy blueprint + .. code-block:: bash + + cfy install -b ves-tls -d ves-tls /blueprints/k8s-ves-tls.yaml + +To undeploy ves-tls, steps are noted below + +- Uninstall running ves-tls and delete deployment + .. code-block:: bash + + cfy uninstall ves-tls + +The deployment uninstall will also delete the blueprint. In somecase you might notice 400 error reported indicating active deployment exist such as below +** An error occurred on the server: 400: Can't delete blueprint ves-tls - There exist deployments for this blueprint; Deployments ids: ves-tls** + +In this case bluepint can be deleted explicitly using this command. + + .. 
code-block:: bash + + cfy blueprint delete ves-tls + +Note: When VESCollector is required to be deployed under *auth.method=certOnly* the blueprint above should be modified + + * Change auth.method: certBasicAuth to auth.method: certOnly + * Comment out following lines in blueprint to disable readiness check (DCAEGEN2-1594) + + .. code-block:: bash + + docker_config: + healthcheck: + endpoint: /healthcheck + interval: 15s + timeout: 1s + type: https -- cgit 1.2.3-korg
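Review bot: the reflow in the architecture.rst hunk still leaves a leading space on the continuation line `+ components get the configuration updates in realtime and apply the configuration updates. ...`, so the paragraph keeps the inconsistent indentation the hunk set out to remove; docutils either parses an indented line after a paragraph line as a definition-list item or reports "Unexpected indentation", and the following unindented line then triggers "unexpected unindent". Strip the leading space so all lines of the paragraph start in column one.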
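Review bot: the two build.rst hunks (deployment-handler Python to NodeJS, inventory-api Clojure to Java, servicechange-handler Python to Clojure) are unrelated to the subject "Add VES-tls deploy" and are not mentioned in the commit message or in Issue-ID DCAEGEN2-1593. Either split them into their own change or add a line to the commit message explaining the language corrections so the history stays traceable.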
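Review bot: the new known issue "VES Collector basic authentication not working (DCAEGEN2-1541)" directly affects the installation page added in this same change, which deploys the collector with `auth.method: certBasicAuth` and a `header.authlist` entry; installation.rst should reference DCAEGEN2-1541 next to the certBasicAuth and basicAuth options so an operator does not enable a mode the release notes say is broken. Also check that the continuation line `+ This has no impact on the Dublin usecases; ...` is indented to align with the bullet text, otherwise docutils ends the list and renders it as a separate paragraph.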
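Review bot: the blueprint in the installation.rst hunk ships a concrete credential in `header.authlist: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6"`, and the page never tells the operator to replace it or how the bcrypt value is produced, so anyone who deploys the documented blueprint verbatim runs a collector whose basic-auth user and password hash are published in the ONAP docs. Replace the value with a clearly marked placeholder and add a sentence on generating a site-specific user/hash pair. The same applies to `collector.keystore.file.location: /opt/app/VESCollector/etc/keystore` and `collector.keystore.passwordfile`: nothing in the blueprint mounts them, so they come from the image, and the mutual-TLS setup should say how to supply a site-specific keystore and truststore instead of relying on the packaged one. Smaller points in the same hunk: the service entry (`- name: xport-t-8443` ...) and the `docker_config:` healthcheck snippet are YAML, not bash, so use `.. code-block:: yaml`; `** An error occurred on the server: 400: ... **` has spaces inside the asterisks and will not render as strong text in RST; "VESCOllector", "somecase", "bluepint" and "support following authentication types" are typos; and `auth.method=certBasicAuth` is described as "mutual TLS authentication or/and basic HTTPs authentication", so state precisely whether a client must present a certificate, a basic-auth header, or both, since that is the security property the operator is choosing.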