-rw-r--r--.readthedocs.yaml2
-rw-r--r--docs/sections/guides/deployment_guides/oom_customize_overrides.rst22
-rw-r--r--docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst2
-rw-r--r--docs/sections/guides/infra_guides/oom_infra.rst1
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst59
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst8
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst181
-rw-r--r--docs/sections/oom_project_description.rst6
-rw-r--r--docs/sections/release_notes/release-notes-london.rst144
-rw-r--r--docs/sections/release_notes/release-notes.rst41
-rw-r--r--docs/sections/resources/yaml/common-gateway.yaml96
-rwxr-xr-xkubernetes/cds/components/cds-blueprints-processor/templates/service.yaml1
-rw-r--r--kubernetes/common/common/templates/_mariadb.tpl3
-rw-r--r--kubernetes/common/roles-wrapper/templates/role.yaml3
-rw-r--r--kubernetes/common/serviceAccount/templates/role.yaml3
-rw-r--r--kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml168
16 files changed, 495 insertions, 245 deletions
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
index 540143f27f..78491afc51 100644
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -10,6 +10,8 @@ build:
os: ubuntu-20.04
tools:
python: "3.8"
+ apt_packages:
+ - graphviz
python:
install:
diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst
index f3e3113ff5..a5458f8562 100644
--- a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst
+++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst
@@ -23,7 +23,7 @@ See the `helm deploy`_ plugin usage section for more detail, or it the plugin ha
Users can customize the override files to suit their required deployment.
.. note::
- Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`)
+ Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`)
can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
* Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags.
@@ -70,6 +70,20 @@ Global settings relevant for ServiceMesh and Ingress:
enabled: true
# enable all component's Ingress interfaces
enable_all: false
+
+ # Provider: ingress, istio, gw-api
+ provider: gw-api
+ # Ingress class (only for provider "ingress"): e.g. nginx, traefik
+ ingressClass:
+ # Ingress Selector (only for provider "istio") to match with the
+ # ingress pod label "istio=ingress"
+ ingressSelector: ingress
+ # optional: common used Gateway (for Istio, GW-API) and listener names
+ commonGateway:
+ name: ""
+ httpListener: ""
+ httpsListener: ""
+
# default Ingress base URL
# All http requests via ingress will be redirected
virtualhost:
@@ -119,6 +133,10 @@ Ingress settings:
- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)
- enable_all: true → enables Ingress configuration in each component
+- provider: "..." → sets the Ingress provider (ingress, istio, gw-api)
+- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik
+- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress"
+- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names
- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components,
resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride
- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components,
@@ -130,7 +148,7 @@ Ingress settings:
- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
.. note::
- For the Ingress setup an example override file (`onap-all-ingress-istio.yaml`)
+ For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`)
can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
External Authentication configuration
diff --git a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst
index f932360e44..e7dc2f0a35 100644
--- a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst
+++ b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst
@@ -32,7 +32,7 @@ Add the repository:
To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file.
-- To deploy a release, execute the following, substituting the <version> tag with your preferred release (ie. 11.0.0)::
+- To deploy a release, execute the following, substituting the <version> tag with your preferred release (ie. 13.0.0)::
> helm deploy dev onap-release/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange --version <version> -f oom/kubernetes/onap/resources/overrides/onap-all.yaml
diff --git a/docs/sections/guides/infra_guides/oom_infra.rst b/docs/sections/guides/infra_guides/oom_infra.rst
index ddc00b6115..5c1d1f1434 100644
--- a/docs/sections/guides/infra_guides/oom_infra.rst
+++ b/docs/sections/guides/infra_guides/oom_infra.rst
@@ -31,4 +31,3 @@ following documents:
oom_infra_deployment_requirements.rst
oom_infra_base_config_setup.rst
oom_infra_optional_addons.rst
- oom_infra_ingres_controller_setup.rst
diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
index 8f74ea987e..4c21217c23 100644
--- a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
@@ -65,14 +65,14 @@ Validate the installation::
::
NAME STATUS ROLES AGE VERSION
- onap-control-1 Ready controlplane,etcd 3h53m v1.23.8
- onap-control-2 Ready controlplane,etcd 3h53m v1.23.8
- onap-k8s-1 Ready worker 3h53m v1.23.8
- onap-k8s-2 Ready worker 3h53m v1.23.8
- onap-k8s-3 Ready worker 3h53m v1.23.8
- onap-k8s-4 Ready worker 3h53m v1.23.8
- onap-k8s-5 Ready worker 3h53m v1.23.8
- onap-k8s-6 Ready worker 3h53m v1.23.8
+ onap-control-1 Ready controlplane,etcd 3h53m v1.27.5
+ onap-control-2 Ready controlplane,etcd 3h53m v1.27.5
+ onap-k8s-1 Ready worker 3h53m v1.27.5
+ onap-k8s-2 Ready worker 3h53m v1.27.5
+ onap-k8s-3 Ready worker 3h53m v1.27.5
+ onap-k8s-4 Ready worker 3h53m v1.27.5
+ onap-k8s-5 Ready worker 3h53m v1.27.5
+ onap-k8s-6 Ready worker 3h53m v1.27.5
Install & configure helm
@@ -212,7 +212,7 @@ Istio Service Mesh
------------------
.. note::
- In London ONAP deployment supports the
+ The ONAP deployment supports the
`ONAP Next Generation Security & Logging Structure`_
ONAP is currenty supporting Istio as default ServiceMesh platform.
@@ -291,14 +291,35 @@ Ingress Controller Installation
In the production setup 2 different Ingress setups are supported.
-- Istio Gateway `Istio-Gateway`_ (currently tested, but in the future deprecated)
-- Gateway API `Gateway-API`_ (in Alpha status, but will be standard in the future)
+- Gateway API `Gateway-API`_ (recommended)
+- Istio Gateway `Istio-Gateway`_ (alternative, but in the future deprecated)
Depending on the solution, the ONAP helm values.yaml has to be configured.
See the :ref:`OOM customized deployment<oom_customize_overrides>` section for more details.
-Istio Gateway
-^^^^^^^^^^^^^
+Gateway-API (recommended)
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Install the Gateway-API CRDs replacing the
+ <recommended-gwapi-version> with the version defined in
+ the :ref:`versions_table` table::
+
+ > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/<recommended-gwapi-version>/experimental-install.yaml
+
+- Create a common Gateway instance named "common-gateway"
+ The following example uses provides listeners for HTTP(s), UDP and TCP
+
+ .. collapse:: common-gateway.yaml
+
+ .. include:: ../../resources/yaml/common-gateway.yaml
+ :code: yaml
+
+- Apply the change::
+
+ > kubectl apply -f common-gateway.yaml
+
+Istio Gateway (alternative)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Create a namespace istio-ingress for the Istio Ingress gateway
and enable istio-injection::
@@ -323,18 +344,6 @@ Istio Gateway
--version <recommended-istio-version> -f ingress-istio.yaml --wait
-Gateway-API
-^^^^^^^^^^^
-
-- Install the Gateway-API CRDs replacing the
- <recommended-gwapi-version> with the version defined in
- the :ref:`versions_table` table::
-
- > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/<recommended-gwapi-version>/experimental-install.yaml
-
-- Create a common Gateway instance
- TBD
-
Keycloak Installation
---------------------
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
index e46bee1c04..3d824c7171 100644
--- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
@@ -39,7 +39,7 @@ See the :ref:`OOM customized deployment<oom_customize_overrides>` section for mo
.. rubric:: Software Requirements
-The versions of software that are supported by OOM are as follows:
+The versions of software that are supported and tested by OOM are as follows:
.. _versions_table:
@@ -50,7 +50,7 @@ The versions of software that are supported by OOM are as follows:
============== =========== ======= ======== ======== ============= ========
Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 0.32.0
London 1.23.8 3.8.2 1.23.x 20.10.x 1.12.2 0.35.0
- Montreal 1.23.8 3.10.2 1.23.x 20.10.x 1.12.2 0.35.0
+ Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1
============== =========== ======= ======== ======== ============= ========
.. table:: OOM Software Requirements (production)
@@ -59,7 +59,7 @@ The versions of software that are supported by OOM are as follows:
Release Istio Gateway-API Keycloak
============== ====== ============ ==============
London 1.17.2 v0.6.2 19.0.3-legacy
- Montreal 1.17.2 v0.6.2 19.0.3-legacy
+ Montreal 1.19.3 v1.0.0 19.0.3-legacy
============== ====== ============ ==============
.. table:: OOM Software Requirements (optional)
@@ -69,5 +69,5 @@ The versions of software that are supported by OOM are as follows:
============== ================= ========== =================
Kohn 35.x
London 45.x 1.6.1
- Montreal 45.x 1.9.1 0.21.0
+ Montreal 45.x 1.10.2 0.23.1
============== ================= ========== =================
diff --git a/docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst b/docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst
deleted file mode 100644
index 3fb68f8b95..0000000000
--- a/docs/sections/guides/infra_guides/oom_infra_ingres_controller_setup.rst
+++ /dev/null
@@ -1,181 +0,0 @@
-.. This work is licensed under a Creative Commons Attribution 4.0
-.. International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright 2020, Samsung Electronics
-.. Modification copyright (C) 2022 Nordix Foundation
-
-.. Links
-.. _metallb Metal Load Balancer installation: https://metallb.universe.tf/installation/
-
-.. _oom_setup_ingress_controller:
-
-OOM Ingress controller setup
-============================
-
-.. warning::
- This guide does not describe the Istio Ingress Gateway configuration
- required for the ONAP Production Setup in London
- The installation of Istio Ingress (and Gateway-API) is described in
- :ref:`OOM Base Platform<oom_base_setup_guide>`
-
-This optional guide provides instruction how to setup experimental ingress controller
-feature. For this, we are hosting our cluster on OpenStack VMs and using the
-Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster and
-ingress controller
-
-.. contents::
- :backlinks: top
- :depth: 1
- :local:
-..
-
-The result at the end of this tutorial will be:
-
-#. Customization of the cluster.yaml file for ingress controller support
-
-#. Installation and configuration test DNS server for ingress host resolution
- on testing machines
-
-#. Installation and configuration MLB (Metal Load Balancer) required for
- exposing ingress service
-
-#. Installation and configuration NGINX ingress controller
-
-#. Additional info how to deploy ONAP with services exposed via Ingress
- controller
-
-Customize cluster.yml file
---------------------------
-
-Before setup cluster for ingress purposes DNS cluster IP and ingress provider
-should be configured and following:
-
-.. code-block:: yaml
-
- ---
- <...>
- restore:
- restore: false
- snapshot_name: ""
- ingress:
- provider: none
- dns:
- provider: coredns
- upstreamnameservers:
- - <custer_dns_ip>:31555
-
-Where the <cluster_dns_ip> should be set to the same IP as the CONTROLPANE
-node.
-
-For external load balancer purposes, minimum one of the worker node should be
-configured with external IP address accessible outside the cluster. It can be
-done using the following example node configuration:
-
-.. code-block:: yaml
-
- ---
- <...>
- - address: <external_ip>
- internal_address: <internal_ip>
- port: "22"
- role:
- - worker
- hostname_override: "onap-worker-0"
- user: ubuntu
- ssh_key_path: "~/.ssh/id_rsa"
- <...>
-
-Where the <external_ip> is external worker node IP address, and <internal_ip>
-is internal node IP address if it is required.
-
-
-DNS server configuration and installation
------------------------------------------
-
-DNS server deployed on the Kubernetes cluster makes it easy to use services
-exposed through ingress controller because it resolves all subdomain related to
-the ONAP cluster to the load balancer IP. Testing ONAP cluster requires a lot
-of entries on the target machines in the /etc/hosts. Adding many entries into
-the configuration files on testing machines is quite problematic and error
-prone. The better wait is to create central DNS server with entries for all
-virtual host pointed to simpledemo.onap.org and add custom DNS server as a
-target DNS server for testing machines and/or as external DNS for Kubernetes
-cluster.
-
-DNS server has automatic installation and configuration script, so installation
-is quite easy::
-
- > cd kubernetes/contrib/dns-server-for-vhost-ingress-testing
-
- > ./deploy\_dns.sh
-
-After DNS deploy you need to setup DNS entry on the target testing machine.
-Because DNS listen on non standard port configuration require iptables rules
-on the target machine. Please follow the configuration proposed by the deploy
-scripts.
-Example output depends on the IP address and example output looks like bellow::
-
- DNS server already deployed:
- 1. You can add the DNS server to the target machine using following commands:
- sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555
- sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555
- sudo sysctl -w net.ipv4.conf.all.route_localnet=1
- sudo sysctl -w net.ipv4.ip_forward=1
- 2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine
-
-
-MetalLB Load Balancer installation and configuration
-----------------------------------------------------
-
-By default pure Kubernetes cluster requires external load balancer if we want
-to expose external port using LoadBalancer settings. For this purpose MetalLB
-can be used. Before installing the MetalLB you need to ensure that at least one
-worker has assigned IP accessible outside the cluster.
-
-MetalLB Load balancer can be easily installed using automatic install script::
-
- > cd kubernetes/contrib/metallb-loadbalancer-inst
-
- > ./install-metallb-on-cluster.sh
-
-
-Configuration of the Nginx ingress controller
----------------------------------------------
-
-After installation of the DNS server and ingress controller, we can install and
-configure ingress controller.
-It can be done using the following commands::
-
- > cd kubernetes/contrib/ingress-nginx-post-inst
-
- > kubectl apply -f nginx_ingress_cluster_config.yaml
-
- > kubectl apply -f nginx_ingress_enable_optional_load_balacer_service.yaml
-
-After deploying the NGINX ingress controller, you can ensure that the ingress port is
-exposed as load balancer service with an external IP address::
-
- > kubectl get svc -n ingress-nginx
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- default-http-backend ClusterIP 10.10.10.10 <none> 80/TCP 25h
- ingress-nginx LoadBalancer 10.10.10.11 10.12.13.14 80:31308/TCP,443:30314/TCP 24h
-
-
-ONAP with ingress exposed services
-----------------------------------
-
-If you want to deploy onap with services exposed through ingress controller you
-can use full onap deploy yaml::
-
- > onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml
-
-Ingress also can be enabled on any onap setup override using following code:
-
-.. code-block:: yaml
-
- ---
- <...>
- global:
- <...>
- ingress:
- enabled: true
diff --git a/docs/sections/oom_project_description.rst b/docs/sections/oom_project_description.rst
index c2a0899054..774237946d 100644
--- a/docs/sections/oom_project_description.rst
+++ b/docs/sections/oom_project_description.rst
@@ -38,8 +38,8 @@ In summary OOM provides the following capabilities:
service impact
- **Delete** - cleanup individual containers or entire deployments
-OOM supports a wide variety of Kubernetes private clouds - built with Rancher,
-Kubeadm or Cloudify - and public cloud infrastructures such as: Microsoft
+OOM supports a wide variety of Kubernetes private clouds - built with ClusterAPI,
+Kubespray - and public cloud infrastructures such as: Microsoft
Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack.
The OOM documentation is broken into four different areas each targeted at a
@@ -51,8 +51,6 @@ different user:
- :ref:`oom_user_guide` - a guide for operators of an OOM instance
- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications
-
-
The :ref:`release_notes` for OOM describe the incremental features per release.
Component Orchestration Overview
diff --git a/docs/sections/release_notes/release-notes-london.rst b/docs/sections/release_notes/release-notes-london.rst
new file mode 100644
index 0000000000..28911b8923
--- /dev/null
+++ b/docs/sections/release_notes/release-notes-london.rst
@@ -0,0 +1,144 @@
+.. This work is licensed under a Creative Commons Attribution 4.0
+ International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. (c) ONAP Project and its contributors
+.. _release_notes_london:
+
+:orphan:
+
+*************************************
+ONAP Operations Manager Release Notes
+*************************************
+
+Previous Release Notes
+======================
+
+- :ref:`Kohn <release_notes_kohn>`
+- :ref:`Jakarta <release_notes_jakarta>`
+- :ref:`Istanbul <release_notes_istanbul>`
+- :ref:`Honolulu <release_notes_honolulu>`
+- :ref:`Guilin <release_notes_guilin>`
+- :ref:`Frankfurt <release_notes_frankfurt>`
+- :ref:`El Alto <release_notes_elalto>`
+- :ref:`Dublin <release_notes_dublin>`
+- :ref:`Casablanca <release_notes_casablanca>`
+- :ref:`Beijing <release_notes_beijing>`
+- :ref:`Amsterdam <release_notes_amsterdam>`
+
+Abstract
+========
+
+This document provides the release notes for the London release.
+
+Summary
+=======
+
+
+
+Release Data
+============
+
++--------------------------------------+--------------------------------------+
+| **Project** | OOM |
+| | |
++--------------------------------------+--------------------------------------+
+| **Docker images** | N/A |
+| | |
++--------------------------------------+--------------------------------------+
+| **Release designation** | London |
+| | |
++--------------------------------------+--------------------------------------+
+| **Release date** | 2023/06/xx |
+| | |
++--------------------------------------+--------------------------------------+
+
+New features
+------------
+
+* Introduction of "Production" ONAP setup, including:
+
+ * Istio Service Mesh based deployment
+ * Ingress (Istio-Gateway) deployment and usage as standard external access method
+ * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies
+ * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access
+
+* Removal of unsupported components (AAF, Portal, Contrib,...)
+* Update of Helmcharts to use common templates and practices
+* Optional support for Cassandra 4.x using k8ssandra-operator
+
+* `REQ-1349 <https://jira.onap.org/browse/REQ-1349>`_ Removal of AAF.
+ Internal communication encryption and authorization is offered by ServiceMesh
+
+* `REQ-1350 <https://jira.onap.org/browse/REQ-1350>`_ All component must be
+ able to run without MSB. Component helm charts modified to use MSB optionally
+ and test the components during Daily and Gating with and without MSB
+
+* `REQ-1351 <https://jira.onap.org/browse/REQ-1351>`_ External secure
+ communication only via Ingress.
+ Ingress resources created by templates and Ingress installation is described
+ in the OOM documents
+
+**Bug fixes**
+
+A list of issues resolved in this release can be found here:
+https://jira.onap.org/projects/OOM/versions/11500
+
+**Known Issues**
+
+* Components not working under ServiceMesh
+
+ * CDS UI
+ * SO Monitor UI
+ * CLI
+
+Deliverables
+------------
+
+Software Deliverables
+~~~~~~~~~~~~~~~~~~~~~
+
+OOM provides `Helm charts <https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/>`_
+
+Documentation Deliverables
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- :ref:`Project Description <oom_project_description>` - a guide for developers of OOM
+- :ref:`oom_dev_guide` - a guide for developers of OOM
+- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use
+- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud
+- :ref:`oom_user_guide` - a guide for operators of an OOM instance
+- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications
+
+Known Limitations, Issues and Workarounds
+=========================================
+
+Known Vulnerabilities
+---------------------
+
+* Cassandra version needs to be updated to support new Python version
+ see `OOM-2900 <https://jira.onap.org/browse/OOM-2900>`_
+ In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons`
+
+Workarounds
+-----------
+
+Security Notes
+--------------
+
+**Fixed Security Issues**
+
+References
+==========
+
+For more information on the ONAP Istanbul release, please see:
+
+#. `ONAP Home Page`_
+#. `ONAP Documentation`_
+#. `ONAP Release Downloads`_
+#. `ONAP Wiki Page`_
+
+
+.. _`ONAP Home Page`: https://www.onap.org
+.. _`ONAP Wiki Page`: https://wiki.onap.org
+.. _`ONAP Documentation`: https://docs.onap.org
+.. _`ONAP Release Downloads`: https://git.onap.org
diff --git a/docs/sections/release_notes/release-notes.rst b/docs/sections/release_notes/release-notes.rst
index ed8957bddf..0df9483e95 100644
--- a/docs/sections/release_notes/release-notes.rst
+++ b/docs/sections/release_notes/release-notes.rst
@@ -11,6 +11,7 @@ ONAP Operations Manager Release Notes
Previous Release Notes
======================
+- :ref:`London <release_notes_london>`
- :ref:`Kohn <release_notes_kohn>`
- :ref:`Jakarta <release_notes_jakarta>`
- :ref:`Istanbul <release_notes_istanbul>`
@@ -26,7 +27,7 @@ Previous Release Notes
Abstract
========
-This document provides the release notes for the London release.
+This document provides the release notes for the Montreal release.
Summary
=======
@@ -43,10 +44,10 @@ Release Data
| **Docker images** | N/A |
| | |
+--------------------------------------+--------------------------------------+
-| **Release designation** | London |
+| **Release designation** | Montreal |
| | |
+--------------------------------------+--------------------------------------+
-| **Release date** | 2023/06/xx |
+| **Release date** | 2023/12/xx |
| | |
+--------------------------------------+--------------------------------------+
@@ -55,39 +56,27 @@ New features
* Introduction of "Production" ONAP setup, including:
- * Istio Service Mesh based deployment
- * Ingress (Istio-Gateway) deployment and usage as standard external access method
- * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies
- * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access
+ * Besides the Istio Ingress APIs now the support for `Gateway-API`_
+ is added to the templates, which includes:
-* Removal of unsupported components (AAF, Portal, Contrib,...)
-* Update of Helmcharts to use common templates and practices
-* Optional support for Cassandra 4.x using k8ssandra-operator
-
-* `REQ-1349 <https://jira.onap.org/browse/REQ-1349>`_ Removal of AAF.
- Internal communication encryption and authorization is offered by ServiceMesh
+ * TCP Routes
+ * UDP Routes
-* `REQ-1350 <https://jira.onap.org/browse/REQ-1350>`_ All component must be
- able to run without MSB. Component helm charts modified to use MSB optionally
- and test the components during Daily and Gating with and without MSB
-
-* `REQ-1351 <https://jira.onap.org/browse/REQ-1351>`_ External secure
- communication only via Ingress.
- Ingress resources created by templates and Ingress installation is described
- in the OOM documents
+* Update of Helmcharts to use common templates and practices
+* Default support for Cassandra 4.x using k8ssandra-operator
+* Default support for MariaDB 11.x using mariadb-operator
**Bug fixes**
A list of issues resolved in this release can be found here:
-https://jira.onap.org/projects/OOM/versions/11500
+https://jira.onap.org/projects/OOM/versions/11501
**Known Issues**
* Components not working under ServiceMesh
- * CDS UI
* SO Monitor UI
- * CLI
+ * Policy UI
Deliverables
------------
@@ -113,9 +102,6 @@ Known Limitations, Issues and Workarounds
Known Vulnerabilities
---------------------
-* Cassandra version needs to be updated to support new Python version
- see `OOM-2900 <https://jira.onap.org/browse/OOM-2900>`_
- In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons`
Workarounds
-----------
@@ -140,3 +126,4 @@ For more information on the ONAP Istanbul release, please see:
.. _`ONAP Wiki Page`: https://wiki.onap.org
.. _`ONAP Documentation`: https://docs.onap.org
.. _`ONAP Release Downloads`: https://git.onap.org
+.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/
diff --git a/docs/sections/resources/yaml/common-gateway.yaml b/docs/sections/resources/yaml/common-gateway.yaml
new file mode 100644
index 0000000000..3cc1cc55bc
--- /dev/null
+++ b/docs/sections/resources/yaml/common-gateway.yaml
@@ -0,0 +1,96 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: common-gateway
+ namespace: istio-ingress
+spec:
+ gatewayClassName: istio
+ listeners:
+ - name: http-80
+ hostname: "*.{{ onap_baseurl }}"
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
+ - name: https-443
+ hostname: "*.{{ onap_baseurl }}"
+ port: 443
+ protocol: HTTPS
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ group: ""
+ name: ingress-tls-secret
+ - name: udp-162
+ protocol: UDP
+ port: 162
+ allowedRoutes:
+ kinds:
+ - kind: UDPRoute
+ namespaces:
+ from: All
+ - name: tcp-4334
+ protocol: TCP
+ port: 4334
+ allowedRoutes:
+ kinds:
+ - kind: TCPRoute
+ namespaces:
+ from: All
+ - name: tcp-9000
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9000
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9001
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9001
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9002
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9002
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
+ - name: tcp-9010
+ allowedRoutes:
+ namespaces:
+ from: All
+ hostname: "kafka-bootstrap-api{{ onap_postaddr }}.{{ onap_baseurl }}"
+ port: 9010
+ protocol: TLS
+ tls:
+ certificateRefs:
+ - group: ""
+ kind: Secret
+ name: ingress-tls-secret
+ mode: Terminate
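Review bot: Every listener sets `allowedRoutes.namespaces.from: All`, so a route created in any namespace of the cluster can attach to this gateway, including the listeners that terminate TLS with `ingress-tls-secret`. For a gateway the guide marks as recommended, restricting attachment to the ONAP namespace is safer, for example `from: Selector` with a `selector.matchLabels` entry for a label carried by that namespace. At minimum, a comment should state that `All` is a demo simplification. The `{{ onap_baseurl }}` and `{{ onap_postaddr }}` placeholders also deserve a comment at the top of the file saying they must be replaced before `kubectl apply`, since nothing in this diff shows the file being rendered by Helm.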
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml
index 4624cb9968..a841811dd1 100755
--- a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml
+++ b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml
@@ -67,6 +67,7 @@ metadata:
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.cluster.type }}
+ clusterIP: None
ports:
- port: {{ .Values.service.cluster.externalPort }}
targetPort: {{ .Values.service.cluster.internalPort }}
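Review bot: `clusterIP: None` is added unconditionally while the line above keeps `type: {{ .Values.service.cluster.type }}` configurable, and the API server rejects a headless `clusterIP` on `NodePort` or `LoadBalancer` services. If an override sets a type other than `ClusterIP`, the chart would presumably fail to install. Either fix the type to `ClusterIP` or guard the new line with `{{- if eq .Values.service.cluster.type "ClusterIP" }}` … `{{- end }}`. A comment saying why this service must be headless would also help. The service definition starts and continues outside the hunk.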
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl
index c90b86c3a4..ff3f7f88c3 100644
--- a/kubernetes/common/common/templates/_mariadb.tpl
+++ b/kubernetes/common/common/templates/_mariadb.tpl
@@ -281,6 +281,9 @@ spec:
image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }}
imagePullPolicy: IfNotPresent
volumeClaimTemplate:
+ {{- if .Values.mariadbOperator.storageClassName }}
+ storageClassName: {{ .Values.mariadbOperator.storageClassName }}
+ {{- end }}
resources:
requests:
storage: 50Mi
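Review bot: The new condition reads `.Values.mariadbOperator.storageClassName`, whereas the `image:` line just above reads the same values tree through `$dot.Values.mariadbOperator...`. If this template is invoked with a wrapper dict rather than the root context, `.Values` would be empty and the storage class would silently never be rendered; the definition starts outside the hunk, so this cannot be confirmed here. Using `$dot` in both added lines and quoting the value, `storageClassName: {{ $dot.Values.mariadbOperator.storageClassName | quote }}`, would keep it consistent with the neighbouring lines.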
diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml
index 0be6c7bbd6..3438b6e36e 100644
--- a/kubernetes/common/roles-wrapper/templates/role.yaml
+++ b/kubernetes/common/roles-wrapper/templates/role.yaml
@@ -30,6 +30,9 @@ rules:
- batch
- extensions
resources:
+ - endpoints
+ - services
+ - nodes
- pods
- deployments
- deployments/status
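Review bot: The three added resources widen a shared rule, and `nodes` is cluster-scoped. If this object is a namespaced `Role`, the `nodes` entry grants nothing while still reading as if it did; the object's `kind` and the rule's `verbs` are outside the hunk, so this cannot be confirmed here. `endpoints` and `services` are now granted to every service account bound through this template; if only one component needs service discovery, a separate narrowly scoped role would follow least privilege better. The same three lines are added in `kubernetes/common/serviceAccount/templates/role.yaml`, and the point applies there too. A short comment such as `# endpoints/services: needed by <component> for service discovery` would record why the grant exists.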
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 1b686f521c..83cb945ba9 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -53,6 +53,9 @@ rules:
- batch
- extensions
resources:
+ - endpoints
+ - services
+ - nodes
- pods
- deployments
- deployments/status
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
new file mode 100644
index 0000000000..ba7b50e53c
--- /dev/null
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
@@ -0,0 +1,168 @@
+# Copyright © 2019 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###################################################################
+# This override file enables helm charts for all ONAP applications.
+###################################################################
+#ingress virtualhost based configuration
+global:
+ ingress:
+ enabled: true
+ # enable all component's Ingress interfaces
+ enable_all: true
+ # All http requests via ingress will be redirected
+
+ # Provider: ingress, istio, gw-api
+ provider: gw-api
+ # Ingress class (only for provider "ingress"): e.g. nginx, traefik
+ ingressClass:
+ # Ingress Selector (only for provider "istio") to match with the
+ # ingress pod label "istio=ingress"
+ ingressSelector: ingress
+ # optional: common used Gateway (for Istio, GW-API) and listener names
+ commonGateway:
+ name: "common-gateway"
+ httpListener: "http-80"
+ httpsListener: "https-443"
+ virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
+ baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: istio-ingress
+ centralizedLoggingEnabled: &centralizedLogging false
+ # Disabling CMPv2
+ cmpv2Enabled: false
+
+cassandra:
+ enabled: true
+mariadb-galera:
+ enabled: true
+postgres:
+ enabled: true
+aai:
+ enabled: true
+cds:
+ enabled: true
+cli:
+ enabled: true
+cps:
+ enabled: true
+dcaegen2:
+ enabled: true
+dcaegen2-services:
+ enabled: true
+ dcae-datafile-collector:
+ enabled: true
+ dcae-datalake-admin-ui:
+ enabled: true
+ dcae-datalake-des:
+ enabled: true
+ dcae-datalake-feeder:
+ enabled: true
+ dcae-heartbeat:
+ enabled: true
+ dcae-hv-ves-collector:
+ enabled: true
+ dcae-kpi-ms:
+ enabled: true
+ dcae-ms-healthcheck:
+ enabled: true
+ dcae-pm-mapper:
+ enabled: true
+ dcae-pmsh:
+ enabled: true
+ dcae-prh:
+ enabled: true
+ dcae-restconf-collector:
+ enabled: true
+ dcae-slice-analysis-ms:
+ enabled: true
+ dcae-snmptrap-collector:
+ enabled: true
+ dcae-son-handler:
+ enabled: true
+ dcae-tcagen2:
+ enabled: true
+ dcae-ves-collector:
+ enabled: true
+ applicationConfig:
+ auth.method: "noAuth"
+ dcae-ves-mapper:
+ enabled: true
+ dcae-ves-openapi-manager:
+ enabled: true
+holmes:
+ enabled: true
+dmaap:
+ enabled: true
+ message-router:
+ enabled: true
+ dmaap-dr-prov:
+ enabled: true
+ dmaap-dr-node:
+ enabled: true
+oof:
+ enabled: true
+msb:
+ enabled: true
+multicloud:
+ enabled: true
+nbi:
+ enabled: true
+platform:
+ enabled: true
+ cmpv2-cert-service:
+ enabled: false
+ keycloak-init:
+ enabled: true
+ oauth2-proxy:
+ enabled: true
+policy:
+ enabled: true
+portal-ng:
+ enabled: true
+robot:
+ enabled: true
+sdc:
+ enabled: true
+sdnc:
+ enabled: true
+so:
+ enabled: true
+strimzi:
+ enabled: true
+ strimzi-kafka-bridge:
+ enabled: true
+uui:
+ enabled: true
+vfc:
+ enabled: true
+vnfsdk:
+ enabled: true
+modeling:
+ enabled: true
+a1policymanagement:
+ enabled: true
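Review bot: `dcae-ves-collector` is configured with `auth.method: "noAuth"` in the same file that sets `global.ingress.enable_all: true`, so the collector's interface is presumably published through the gateway without authentication. If that is intended for demo setups only, a comment next to it such as `# demo only: VES collector accepts unauthenticated events` would stop the file being copied into production unchanged. Separately, `ingressClass:` is a bare key that parses as null; `ingressClass: ""` states the intent explicitly. The header comment could also say that this variant targets the `gw-api` provider.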