author | Andreas Geissler <andreas-geissler@telekom.de> | 2023-12-06 10:02:43 +0100 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2023-12-07 15:13:54 +0000 |
commit | e68c766712ed6c95aff054004335813952bf5ffa (patch) | |
tree | 83db344a3b583fd6d1b2a269430353ac718b11f8 | |
parent | c5cdaf46f0c414ad2be7efcc4b792e9d3d9c51eb (diff) |
[COMMON][DOC] Add documentation for Montral and GatewayAPI
Add override file to use GatewayAPI as Ingress provider
A precreated GW named "common-gateway" is used.
Added documentation for Montreal like release notes,
Infrastructure guides...
Issue-ID: OOM-3184
Issue-ID: OOM-3242
Change-Id: I18107bac52abf34dbc0b217fd8b7542ba51aab84
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
11 files changed, 483 insertions, 245 deletions
diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst index f3e3113ff5..a5458f8562 100644 --- a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst +++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst @@ -23,7 +23,7 @@ See the `helm deploy`_ plugin usage section for more detail, or it the plugin ha Users can customize the override files to suit their required deployment. .. note:: - Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`) + Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`) can be found in the `oom/kubernetes/onap/resources/overrides/` directory. * Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags. @@ -70,6 +70,20 @@ Global settings relevant for ServiceMesh and Ingress: enabled: true # enable all component's Ingress interfaces enable_all: false + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + # default Ingress base URL # All http requests via ingress will be redirected virtualhost: 
@@ -119,6 +133,10 @@ Ingress settings: - enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled) - enable_all: true → enables Ingress configuration in each component +- provider: "..." → sets the Ingress provider (ingress, istio, gw-api) +- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik +- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress" +- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names - virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components, resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride - virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components, @@ -130,7 +148,7 @@ Ingress settings: - namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate .. note:: - For the Ingress setup an example override file (`onap-all-ingress-istio.yaml`) + For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`) can be found in the `oom/kubernetes/onap/resources/overrides/` directory. External Authentication configuration diff --git a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst index f932360e44..e7dc2f0a35 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst 
@@ -32,7 +32,7 @@ Add the repository: To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file. -- To deploy a release, execute the following, substituting the <version> tag with your preferred release (ie. 11.0.0):: +- To deploy a release, execute the following, substituting the <version> tag with your preferred release (ie. 13.0.0):: > helm deploy dev onap-release/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange --version <version> -f oom/kubernetes/onap/resources/overrides/onap-all.yaml diff --git a/docs/sections/guides/infra_guides/oom_infra.rst b/docs/sections/guides/infra_guides/oom_infra.rst index ddc00b6115..5c1d1f1434 100644 --- a/docs/sections/guides/infra_guides/oom_infra.rst +++ b/docs/sections/guides/infra_guides/oom_infra.rst @@ -31,4 +31,3 @@ following documents: oom_infra_deployment_requirements.rst oom_infra_base_config_setup.rst oom_infra_optional_addons.rst - oom_infra_ingres_controller_setup.rst diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst index 8f74ea987e..4c21217c23 100644 --- a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst +++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst 
@@ -65,14 +65,14 @@ Validate the installation:: :: NAME STATUS ROLES AGE VERSION - onap-control-1 Ready controlplane,etcd 3h53m v1.23.8 - onap-control-2 Ready controlplane,etcd 3h53m v1.23.8 - onap-k8s-1 Ready worker 3h53m v1.23.8 - onap-k8s-2 Ready worker 3h53m v1.23.8 - onap-k8s-3 Ready worker 3h53m v1.23.8 - onap-k8s-4 Ready worker 3h53m v1.23.8 - onap-k8s-5 Ready worker 3h53m v1.23.8 - onap-k8s-6 Ready worker 3h53m v1.23.8 + onap-control-1 Ready controlplane,etcd 3h53m v1.27.5 + onap-control-2 Ready controlplane,etcd 3h53m v1.27.5 + onap-k8s-1 Ready worker 3h53m v1.27.5 + onap-k8s-2 Ready worker 3h53m v1.27.5 + onap-k8s-3 Ready worker 3h53m v1.27.5 + onap-k8s-4 Ready worker 3h53m v1.27.5 + onap-k8s-5 Ready worker 3h53m v1.27.5 + onap-k8s-6 Ready worker 3h53m v1.27.5 Install & configure helm @@ -212,7 +212,7 @@ Istio Service Mesh ------------------ .. note:: - In London ONAP deployment supports the + The ONAP deployment supports the `ONAP Next Generation Security & Logging Structure`_ ONAP is currenty supporting Istio as default ServiceMesh platform. 
@@ -291,14 +291,35 @@ Ingress Controller Installation In the production setup 2 different Ingress setups are supported. -- Istio Gateway `Istio-Gateway`_ (currently tested, but in the future deprecated) -- Gateway API `Gateway-API`_ (in Alpha status, but will be standard in the future) +- Gateway API `Gateway-API`_ (recommended) +- Istio Gateway `Istio-Gateway`_ (alternative, but in the future deprecated) Depending on the solution, the ONAP helm values.yaml has to be configured. See the :ref:`OOM customized deployment<oom_customize_overrides>` section for more details. -Istio Gateway -^^^^^^^^^^^^^ +Gateway-API (recommended) +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Install the Gateway-API CRDs replacing the + <recommended-gwapi-version> with the version defined in + the :ref:`versions_table` table:: + + > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/<recommended-gwapi-version>/experimental-install.yaml + +- Create a common Gateway instance named "common-gateway" + The following example uses provides listeners for HTTP(s), UDP and TCP + + .. collapse:: common-gateway.yaml + + .. include:: ../../resources/yaml/common-gateway.yaml + :code: yaml + +- Apply the change:: + + > kubectl apply -f common-gateway.yaml + +Istio Gateway (alternative) +^^^^^^^^^^^^^^^^^^^^^^^^^^^ - Create a namespace istio-ingress for the Istio Ingress gateway and enable istio-injection:: @@ -323,18 +344,6 @@ Istio Gateway --version <recommended-istio-version> -f ingress-istio.yaml --wait -Gateway-API -^^^^^^^^^^^ - -- Install the Gateway-API CRDs replacing the - <recommended-gwapi-version> with the version defined in - the :ref:`versions_table` table:: - - > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/<recommended-gwapi-version>/experimental-install.yaml - -- Create a common Gateway instance - TBD - Keycloak Installation --------------------- 
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst index e46bee1c04..3d824c7171 100644 --- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst @@ -39,7 +39,7 @@ See the :ref:`OOM customized deployment<oom_customize_overrides>` section for mo .. rubric:: Software Requirements -The versions of software that are supported by OOM are as follows: +The versions of software that are supported and tested by OOM are as follows: .. _versions_table: @@ -50,7 +50,7 @@ The versions of software that are supported by OOM are as follows: ============== =========== ======= ======== ======== ============= ======== Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 0.32.0 London 1.23.8 3.8.2 1.23.x 20.10.x 1.12.2 0.35.0 - Montreal 1.23.8 3.10.2 1.23.x 20.10.x 1.12.2 0.35.0 + Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1 ============== =========== ======= ======== ======== ============= ======== .. table:: OOM Software Requirements (production) @@ -59,7 +59,7 @@ The versions of software that are supported by OOM are as follows: Release Istio Gateway-API Keycloak ============== ====== ============ ============== London 1.17.2 v0.6.2 19.0.3-legacy - Montreal 1.17.2 v0.6.2 19.0.3-legacy + Montreal 1.19.3 v1.0.0 19.0.3-legacy ============== ====== ============ ============== .. table:: OOM Software Requirements (optional) @@ -69,5 +69,5 @@ The versions of software that are supported by OOM are as follows: ============== ================= ========== ================= Kohn 35.x London 45.x 1.6.1 - Montreal 45.x 1.9.1 0.21.0 + Montreal 45.x 1.10.2 0.23.1 ============== ================= ========== ================= 
diff --git a/docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst b/docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst deleted file mode 100644 index 3fb68f8b95..0000000000 --- a/docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst +++ /dev/null 
@@ -1,181 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2020, Samsung Electronics -.. Modification copyright (C) 2022 Nordix Foundation - -.. Links -.. _metallb Metal Load Balancer installation: https://metallb.universe.tf/installation/ - -.. _oom_setup_ingress_controller: - -OOM Ingress controller setup -============================ - -.. warning:: - This guide does not describe the Istio Ingress Gateway configuration - required for the ONAP Production Setup in London - The installation of Istio Ingress (and Gateway-API) is described in - :ref:`OOM Base Platform<oom_base_setup_guide>` - -This optional guide provides instruction how to setup experimental ingress controller -feature. For this, we are hosting our cluster on OpenStack VMs and using the -Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster and -ingress controller - -.. contents:: - :backlinks: top - :depth: 1 - :local: -.. - -The result at the end of this tutorial will be: - -#. Customization of the cluster.yaml file for ingress controller support - -#. Installation and configuration test DNS server for ingress host resolution - on testing machines - -#. Installation and configuration MLB (Metal Load Balancer) required for - exposing ingress service - -#. Installation and configuration NGINX ingress controller - -#. Additional info how to deploy ONAP with services exposed via Ingress - controller - -Customize cluster.yml file --------------------------- - -Before setup cluster for ingress purposes DNS cluster IP and ingress provider -should be configured and following: - -.. code-block:: yaml - - --- - <...> - restore: - restore: false - snapshot_name: "" - ingress: - provider: none - dns: - provider: coredns - upstreamnameservers: - - <custer_dns_ip>:31555 - -Where the <cluster_dns_ip> should be set to the same IP as the CONTROLPANE -node. 
- -For external load balancer purposes, minimum one of the worker node should be -configured with external IP address accessible outside the cluster. It can be -done using the following example node configuration: - -.. code-block:: yaml - - --- - <...> - - address: <external_ip> - internal_address: <internal_ip> - port: "22" - role: - - worker - hostname_override: "onap-worker-0" - user: ubuntu - ssh_key_path: "~/.ssh/id_rsa" - <...> - -Where the <external_ip> is external worker node IP address, and <internal_ip> -is internal node IP address if it is required. - - -DNS server configuration and installation ------------------------------------------ - -DNS server deployed on the Kubernetes cluster makes it easy to use services -exposed through ingress controller because it resolves all subdomain related to -the ONAP cluster to the load balancer IP. Testing ONAP cluster requires a lot -of entries on the target machines in the /etc/hosts. Adding many entries into -the configuration files on testing machines is quite problematic and error -prone. The better wait is to create central DNS server with entries for all -virtual host pointed to simpledemo.onap.org and add custom DNS server as a -target DNS server for testing machines and/or as external DNS for Kubernetes -cluster. - -DNS server has automatic installation and configuration script, so installation -is quite easy:: - - > cd kubernetes/contrib/dns-server-for-vhost-ingress-testing - - > ./deploy\_dns.sh - -After DNS deploy you need to setup DNS entry on the target testing machine. -Because DNS listen on non standard port configuration require iptables rules -on the target machine. Please follow the configuration proposed by the deploy -scripts. -Example output depends on the IP address and example output looks like bellow:: - - DNS server already deployed: - 1. 
You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 - 2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine - - -MetalLB Load Balancer installation and configuration ----------------------------------------------------- - -By default pure Kubernetes cluster requires external load balancer if we want -to expose external port using LoadBalancer settings. For this purpose MetalLB -can be used. Before installing the MetalLB you need to ensure that at least one -worker has assigned IP accessible outside the cluster. - -MetalLB Load balancer can be easily installed using automatic install script:: - - > cd kubernetes/contrib/metallb-loadbalancer-inst - - > ./install-metallb-on-cluster.sh - - -Configuration of the Nginx ingress controller ---------------------------------------------- - -After installation of the DNS server and ingress controller, we can install and -configure ingress controller. 
-It can be done using the following commands:: - - > cd kubernetes/contrib/ingress-nginx-post-inst - - > kubectl apply -f nginx_ingress_cluster_config.yaml - - > kubectl apply -f nginx_ingress_enable_optional_load_balacer_service.yaml - -After deploying the NGINX ingress controller, you can ensure that the ingress port is -exposed as load balancer service with an external IP address:: - - > kubectl get svc -n ingress-nginx - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - default-http-backend ClusterIP 10.10.10.10 <none> 80/TCP 25h - ingress-nginx LoadBalancer 10.10.10.11 10.12.13.14 80:31308/TCP,443:30314/TCP 24h - - -ONAP with ingress exposed services ----------------------------------- - -If you want to deploy onap with services exposed through ingress controller you -can use full onap deploy yaml:: - - > onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml - -Ingress also can be enabled on any onap setup override using following code: - -.. code-block:: yaml - - --- - <...> - global: - <...> - ingress: - enabled: true diff --git a/docs/sections/oom_project_description.rst b/docs/sections/oom_project_description.rst index c2a0899054..774237946d 100644 --- a/docs/sections/oom_project_description.rst +++ b/docs/sections/oom_project_description.rst @@ -38,8 +38,8 @@ In summary OOM provides the following capabilities: service impact - **Delete** - cleanup individual containers or entire deployments -OOM supports a wide variety of Kubernetes private clouds - built with Rancher, -Kubeadm or Cloudify - and public cloud infrastructures such as: Microsoft +OOM supports a wide variety of Kubernetes private clouds - built with ClusterAPI, +Kubespray - and public cloud infrastructures such as: Microsoft Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack. The OOM documentation is broken into four different areas each targeted at a 
@@ -51,8 +51,6 @@ different user: - :ref:`oom_user_guide` - a guide for operators of an OOM instance - :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications - - The :ref:`release_notes` for OOM describe the incremental features per release. Component Orchestration Overview diff --git a/docs/sections/release_notes/release-notes-london.rst b/docs/sections/release_notes/release-notes-london.rst new file mode 100644 index 0000000000..28911b8923 --- /dev/null +++ b/docs/sections/release_notes/release-notes-london.rst 
@@ -0,0 +1,144 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_london: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Kohn <release_notes_kohn>` +- :ref:`Jakarta <release_notes_jakarta>` +- :ref:`Istanbul <release_notes_istanbul>` +- :ref:`Honolulu <release_notes_honolulu>` +- :ref:`Guilin <release_notes_guilin>` +- :ref:`Frankfurt <release_notes_frankfurt>` +- :ref:`El Alto <release_notes_elalto>` +- :ref:`Dublin <release_notes_dublin>` +- :ref:`Casablanca <release_notes_casablanca>` +- :ref:`Beijing <release_notes_beijing>` +- :ref:`Amsterdam <release_notes_amsterdam>` + +Abstract +======== + +This document provides the release notes for the London release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | London | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2023/06/xx | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Introduction of "Production" ONAP setup, including: + + * Istio Service Mesh based deployment + * Ingress (Istio-Gateway) deployment and usage as standard external access method + * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies + * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access + +* Removal of 
unsupported components (AAF, Portal, Contrib,...) +* Update of Helmcharts to use common templates and practices +* Optional support for Cassandra 4.x using k8ssandra-operator + +* `REQ-1349 <https://jira.onap.org/browse/REQ-1349>`_ Removal of AAF. + Internal communication encryption and authorization is offered by ServiceMesh + +* `REQ-1350 <https://jira.onap.org/browse/REQ-1350>`_ All component must be + able to run without MSB. Component helm charts modified to use MSB optionally + and test the components during Daily and Gating with and without MSB + +* `REQ-1351 <https://jira.onap.org/browse/REQ-1351>`_ External secure + communication only via Ingress. + Ingress resources created by templates and Ingress installation is described + in the OOM documents + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11500 + +**Known Issues** + +* Components not working under ServiceMesh + + * CDS UI + * SO Monitor UI + * CLI + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/>`_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description <oom_project_description>` - a guide for developers of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 <https://jira.onap.org/browse/OOM-2900>`_ + 
In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons` + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes.rst b/docs/sections/release_notes/release-notes.rst index ed8957bddf..0df9483e95 100644 --- a/docs/sections/release_notes/release-notes.rst +++ b/docs/sections/release_notes/release-notes.rst @@ -11,6 +11,7 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`London <release_notes_london>` - :ref:`Kohn <release_notes_kohn>` - :ref:`Jakarta <release_notes_jakarta>` - :ref:`Istanbul <release_notes_istanbul>` @@ -26,7 +27,7 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the London release. +This document provides the release notes for the Montreal release. Summary ======= @@ -43,10 +44,10 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | London | +| **Release designation** | Montreal | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2023/06/xx | +| **Release date** | 2023/12/xx | | | | +--------------------------------------+--------------------------------------+ 
@@ -55,39 +56,27 @@ New features * Introduction of "Production" ONAP setup, including: - * Istio Service Mesh based deployment - * Ingress (Istio-Gateway) deployment and usage as standard external access method - * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies - * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access + * Besides the Istio Ingress APIs now the support for `Gateway-API`_ + is added to the templates, which includes: -* Removal of unsupported components (AAF, Portal, Contrib,...) -* Update of Helmcharts to use common templates and practices -* Optional support for Cassandra 4.x using k8ssandra-operator - -* `REQ-1349 <https://jira.onap.org/browse/REQ-1349>`_ Removal of AAF. - Internal communication encryption and authorization is offered by ServiceMesh + * TCP Routes + * UDP Routes -* `REQ-1350 <https://jira.onap.org/browse/REQ-1350>`_ All component must be - able to run without MSB. Component helm charts modified to use MSB optionally - and test the components during Daily and Gating with and without MSB - -* `REQ-1351 <https://jira.onap.org/browse/REQ-1351>`_ External secure - communication only via Ingress. - Ingress resources created by templates and Ingress installation is described - in the OOM documents +* Update of Helmcharts to use common templates and practices +* Default support for Cassandra 4.x using k8ssandra-operator +* Default support for MariaDB 11.x using mariadb-operator **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11500 +https://jira.onap.org/projects/OOM/versions/11501 **Known Issues** * Components not working under ServiceMesh - * CDS UI * SO Monitor UI - * CLI + * Policy UI Deliverables ------------ 
@@ -113,9 +102,6 @@ Known Limitations, Issues and Workarounds Known Vulnerabilities --------------------- -* Cassandra version needs to be updated to support new Python version - see `OOM-2900 <https://jira.onap.org/browse/OOM-2900>`_ - In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons` Workarounds ----------- @@ -140,3 +126,4 @@ For more information on the ONAP Istanbul release, please see: .. _`ONAP Wiki Page`: https://wiki.onap.org .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/resources/yaml/common-gateway.yaml b/docs/sections/resources/yaml/common-gateway.yaml new file mode 100644 index 0000000000..3cc1cc55bc --- /dev/null +++ b/docs/sections/resources/yaml/common-gateway.yaml 
@@ -0,0 +1,96 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: common-gateway
+ namespace: istio-ingress
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http-80
+ hostname: "*.{{ onap_baseurl }}"
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
+ - name: https-443
+ hostname: "*.{{ onap_baseurl }}"
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: ingress-tls-secret
+ - name: udp-162
+ protocol: UDP
+ port: 162
+ allowedRoutes:
+ kinds:
+ - kind: UDPRoute
+ namespaces:
+ from: All
+ - name: tcp-4334
+ protocol: TCP
+ port: 4334
+ allowedRoutes:
+ kinds:
+ - kind: TCPRoute
+ namespaces:
+ from: All
+ - name: tcp-9000
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9000
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9001
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9001
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9002
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9002
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9010
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-bootstrap-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9010
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
new file mode 100644
index 0000000000..ba7b50e53c
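Review bot: Every listener sets `allowedRoutes.namespaces.from: All`, so a route created in any namespace of the cluster can attach to `common-gateway`, including the wildcard `https-443` listener that terminates TLS with `ingress-tls-secret`. The deploy command elsewhere on this page installs ONAP with `--namespace onap`, so attachment could be limited to that namespace on each listener with `from: Selector` and `selector: {matchLabels: {kubernetes.io/metadata.name: onap}}`. The `{{ onap_baseurl }}` and `{{ onap_postaddr }}` placeholders are not rendered by `kubectl apply -f`, so a comment at the top of the file such as `# replace the {{ ... }} placeholders with your base URL and postfix before applying` would keep readers from applying it verbatim.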
--- /dev/null
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
@@ -0,0 +1,168 @@
+# Copyright © 2019 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###################################################################
+# This override file enables helm charts for all ONAP applications.
+###################################################################
+#ingress virtualhost based configuration
+global:
+ ingress:
+ enabled: true
+ # enable all component's Ingress interfaces
+ enable_all: true
+ # All http requests via ingress will be redirected
+
+ # Provider: ingress, istio, gw-api
+ provider: gw-api
+ # Ingress class (only for provider "ingress"): e.g. nginx, traefik
+ ingressClass:
+ # Ingress Selector (only for provider "istio") to match with the
+ # ingress pod label "istio=ingress"
+ ingressSelector: ingress
+ # optional: common used Gateway (for Istio, GW-API) and listener names
+ commonGateway:
+ name: "common-gateway"
+ httpListener: "http-80"
+ httpsListener: "https-443"
+ virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
+ baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: istio-ingress
+ centralizedLoggingEnabled: ¢ralizedLogging false
+ # Disabling CMPv2
+ cmpv2Enabled: false
+
+cassandra:
+ enabled: true
+mariadb-galera:
+ enabled: true
+postgres:
+ enabled: true
+aai:
+ enabled: true
+cds:
+ enabled: true
+cli:
+ enabled: true
+cps:
+ enabled: true
+dcaegen2:
+ enabled: true
+dcaegen2-services:
+ enabled: true
+ dcae-datafile-collector:
+ enabled: true
+ dcae-datalake-admin-ui:
+ enabled: true
+ dcae-datalake-des:
+ enabled: true
+ dcae-datalake-feeder:
+ enabled: true
+ dcae-heartbeat:
+ enabled: true
+ dcae-hv-ves-collector:
+ enabled: true
+ dcae-kpi-ms:
+ enabled: true
+ dcae-ms-healthcheck:
+ enabled: true
+ dcae-pm-mapper:
+ enabled: true
+ dcae-pmsh:
+ enabled: true
+ dcae-prh:
+ enabled: true
+ dcae-restconf-collector:
+ enabled: true
+ dcae-slice-analysis-ms:
+ enabled: true
+ dcae-snmptrap-collector:
+ enabled: true
+ dcae-son-handler:
+ enabled: true
+ dcae-tcagen2:
+ enabled: true
+ dcae-ves-collector:
+ enabled: true
+ applicationConfig:
+ auth.method: "noAuth"
+ dcae-ves-mapper:
+ enabled: true
+ dcae-ves-openapi-manager:
+ enabled: true
+holmes:
+ enabled: true
+dmaap:
+ enabled: true
+ message-router:
+ enabled: true
+ dmaap-dr-prov:
+ enabled: true
+ dmaap-dr-node:
+ enabled: true
+oof:
+ enabled: true
+msb:
+ enabled: true
+multicloud:
+ enabled: true
+nbi:
+ enabled: true
+platform:
+ enabled: true
+ cmpv2-cert-service:
+ enabled: false
+ keycloak-init:
+ enabled: true
+ oauth2-proxy:
+ enabled: true
+policy:
+ enabled: true
+portal-ng:
+ enabled: true
+robot:
+ enabled: true
+sdc:
+ enabled: true
+sdnc:
+ enabled: true
+so:
+ enabled: true
+strimzi:
+ enabled: true
+ strimzi-kafka-bridge:
+ enabled: true
+uui:
+ enabled: true
+vfc:
+ enabled: true
+vnfsdk:
+ enabled: true
+modeling:
+ enabled: true
+a1policymanagement:
+ enabled: true |
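Review bot: `dcae-ves-collector.applicationConfig.auth.method: "noAuth"` switches off authentication on the VES collector in the same file that sets `global.ingress.enable_all: true`, so as far as this file shows the collector's interface is published through the shared gateway without credentials. If that is meant only for lab or demo setups, say so next to the setting, e.g. `# demo only: VES collector accepts unauthenticated requests; remove this override for any exposed deployment`. Separately, `ingressClass:` is a bare key that parses as null; `ingressClass: ""` would match the quoted empty strings used for `preaddr` and `postaddr` and make the "unused for gw-api" intent explicit.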