.. This work is licensed under a .. Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 Policy OOM Installation ----------------------- .. contents:: :depth: 2 Policy OOM Charts ***************** The policy K8S charts are located in the `OOM repository `_. Please refer to the OOM documentation on how to install and deploy ONAP. Policy Pods *********** To get a listing of the Policy Pods, run the following command: .. code-block:: bash kubectl get pods | grep policy brmsgw ClusterIP 10.43.77.177 9989/TCP 5d15h app=brmsgw,release=dev-policy drools ClusterIP 10.43.167.154 6969/TCP,9696/TCP 5d15h app=drools,release=dev-policy nexus ClusterIP 10.43.239.92 8081/TCP 5d15h app=nexus,release=dev-policy pap NodePort 10.43.207.229 8443:30219/TCP,9091:30218/TCP 5d15h app=pap,release=dev-policy pdp ClusterIP None 8081/TCP 5d15h app=pdp,release=dev-policy policy-apex-pdp ClusterIP 10.43.226.0 6969/TCP 5d15h app=policy-apex-pdp,release=dev-policy policy-api ClusterIP 10.43.102.56 6969/TCP 5d15h app=policy-api,release=dev-policy policy-distribution ClusterIP 10.43.4.211 6969/TCP 5d15h app=policy-distribution,release=dev-policy policy-pap ClusterIP 10.43.175.164 6969/TCP 5d15h app=policy-pap,release=dev-policy policy-xacml-pdp ClusterIP 10.43.181.208 6969/TCP 5d15h app=policy-xacml-pdp,release=dev-policy policydb ClusterIP 10.43.93.233 3306/TCP 5d15h app=policydb,release=dev-policy Some of these pods are shared between the legacy components and the latest framework components, while others are not. .. csv-table:: :header: "Policy Pod", "Latest Framework", "Legacy" :widths: 15,10,10 "brmsgw", "", "yes" "drools", "yes", "yes" "nexus", "yes", "yes" "pap", "", "yes" "pdp", "", "yes" "policy-apex-pdp", "yes", "" "policy-api", "yes", "" "policy-distribution", "yes", "yes" "policy-pap", "yes", "" "policy-xacml-pdp", "yes", "" "policydb", "yes", "yes" Accessing Policy Containers *************************** Accessing the policy docker containers is the same as for any kubernetes container. Here is an example: .. code-block:: bash kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash Installing or Upgrading Policy ****************************** The assumption is you have cloned the charts from the OOM repository into a local directory. **Step 1** Go into local copy of OOM charts From your local copy, edit any of the values.yaml files in the policy tree to make desired changes. **Step 2** Build the charts .. code-block:: bash make policy make onap **Step 3** Undeploy Policy After undeploying policy, loop on monitoring the policy pods until they go away. .. code-block:: bash helm del --purge dev-policy kubectl get pods -n onap **Step 4** Delete NFS persisted data for Policy .. code-block:: bash rm -fr /dockerdata-nfs/dev-policy **Step 5** Make sure there is no orphan policy database persistent volume or claim. First, find if there is an orphan database PV or PVC with the following commands: .. code-block:: bash kubectl get pvc -n onap | grep policy kubectl get pv -n onap | grep policy If there are any orphan resources, delete them with .. code-block:: bash kubectl delete pvc kubectl delete pv **Step 6** Re-Deploy Policy pods After deploying policy, loop on monitoring the policy pods until they come up. .. code-block:: bash helm deploy dev-policy local/onap --namespace onap kubectl get pods -n onap Restarting a faulty component ***************************** Each policy component can be restarted independently by issuing the following command: .. code-block:: bash kubectl delete pod -n onap Exposing ports ************** For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them. .. code-block:: bash kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort Overriding certificate stores ******************************* Policy components package default key and trust stores that support https based communication with other AAF-enabled ONAP components. Each store can be overridden at installation. To override a default keystore, the new certificate store (policy-keystore) file should be placed at the appropriate helm chart locations below: * oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore drools pdp keystore override. * oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore apex pdp keystore override. * oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore api keystore override. * oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore distribution keystore override. * oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore pap keystore override. * oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore xacml pdp keystore override. In the event that the truststore (policy-truststore) needs to be overriden as well, place it at the appropriate location below: * oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore drools pdp truststore override. * oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore apex pdp truststore override. * oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore api truststore override. * oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore distribution truststore override. * oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore pap truststore override. * oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore xacml pdp truststore override. When the keystore passwords are changed, the corresponding component configuration ([1]_) should also change: * oom/kubernetes/policy/charts/drools/values.yaml * oom/kubernetes/policy-apex-pdp/resources/config/config.json * oom/kubernetes/policy-distribution/resources/config/config.json This procedure is applicable to an installation that requires either AAF or non-AAF derived certificates. The reader is refered to the AAF documentation when new AAF-compliant keystores are desired: * `AAF automated configuration and Certificates `_. * `AAF Certificate Management for Dummies `_. * `Instructional Videos `_. After these changes, follow the procedures in the :ref:`Installing or Upgrading Policy` section to make usage of the new stores effective. Additional PDP-D Customizations ******************************* Credentials and other configuration parameters can be set as values when deploying the policy (drools) subchart. Please refer to `PDP-D Default Values `_ for the current default values. It is strongly recommended that sensitive information is secured appropriately before using in production. Additional customization can be applied to the PDP-D. Custom configuration goes under the "resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources). This requires rebuilding the policy subchart (see section :ref:`Installing or Upgrading Policy`). Configuration is done by adding or modifying configmaps and/or secrets. Configmaps are placed under "drools/resources/configmaps", and secrets under "drools/resources/secrets". Custom configuration supportes these types of files: * **\*.conf** files to support additional environment configuration. * **features\*.zip** to add additional custom features. * **\*.pre.sh** scripts to be executed before starting the PDP-D process. * **\*.post.sh** scripts to be executed after starting the PDP-D process. * **policy-keystore** to override the PDP-D policy-keystore. * **policy-truststore** to override the PDP-D policy-truststore. * **aaf-cadi.keyfile** to override the PDP-D AAF key. * **\*.properties** to override or add properties files. * **\*.xml** to override or add xml configuration files. * **\*.json** to override json configuration files. * **\*settings.xml** to override maven repositories configuration . Examples ^^^^^^^^ To *disable AAF*, simply override the "aaf.enabled" value when deploying the helm chart (see the OOM installation instructions mentioned above). To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under "drools/resources/secrets". Modify the drools chart values.yaml with new credentials, and follow the procedures described at :ref:`Installing or Upgrading Policy` to redeploy the chart. To *disable https* for the DMaaP configuration topic, add a copy of `engine.properties `_ with "dmaap.source.topics.PDPD-CONFIGURATION.https" set to "false", or alternatively create a ".pre.sh" script (see above) that edits this file before the PDP-D is started. To use *noop topics* for standalone testing, add a "noop.pre.sh" script under oom/kubernetes/policy/charts/drools/resources/configmaps/: .. code-block:: bash #!/bin/bash sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties .. rubric:: Footnotes .. [1] There is a limitation that store passwords are not configurable for policy-api, policy-pap, and policy-xacml-pdp.