summaryrefslogtreecommitdiffstats
path: root/docs/installation/oom.rst
blob: 1170e4a8a47ae7951c06ec756345bc8dc9c11f61 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0


Policy OOM Installation
-----------------------

.. contents::
    :depth: 2

Policy OOM Charts
*****************
The policy K8S charts are located in the `OOM repository <https://gerrit.onap.org/r/gitweb?p=oom.git;a=tree;f=kubernetes/policy;h=78576c7a0d30cb87054e9776326cdde20986e6e3;hb=refs/heads/master>`_.

Please refer to the OOM documentation on how to install and deploy ONAP.

Policy Pods
***********
To get a listing of the Policy Pods, run the following command:

.. code-block:: bash

  kubectl get pods | grep policy

  brmsgw                     ClusterIP   10.43.77.177    <none>        9989/TCP                              5d15h   app=brmsgw,release=dev-policy
  drools                     ClusterIP   10.43.167.154   <none>        6969/TCP,9696/TCP                     5d15h   app=drools,release=dev-policy
  nexus                      ClusterIP   10.43.239.92    <none>        8081/TCP                              5d15h   app=nexus,release=dev-policy
  pap                        NodePort    10.43.207.229   <none>        8443:30219/TCP,9091:30218/TCP         5d15h   app=pap,release=dev-policy
  pdp                        ClusterIP   None            <none>        8081/TCP                              5d15h   app=pdp,release=dev-policy
  policy-apex-pdp            ClusterIP   10.43.226.0     <none>        6969/TCP                              5d15h   app=policy-apex-pdp,release=dev-policy
  policy-api                 ClusterIP   10.43.102.56    <none>        6969/TCP                              5d15h   app=policy-api,release=dev-policy
  policy-distribution        ClusterIP   10.43.4.211     <none>        6969/TCP                              5d15h   app=policy-distribution,release=dev-policy
  policy-pap                 ClusterIP   10.43.175.164   <none>        6969/TCP                              5d15h   app=policy-pap,release=dev-policy
  policy-xacml-pdp           ClusterIP   10.43.181.208   <none>        6969/TCP                              5d15h   app=policy-xacml-pdp,release=dev-policy
  policydb                   ClusterIP   10.43.93.233    <none>        3306/TCP                              5d15h   app=policydb,release=dev-policy

Some of these pods are shared between the legacy components and the latest framework components, while others are not.

.. csv-table::
   :header: "Policy Pod", "Latest Framework", "Legacy"
   :widths: 15,10,10

   "brmsgw", "", "yes"
   "drools", "yes", "yes"
   "nexus", "yes", "yes"
   "pap", "", "yes"
   "pdp", "", "yes"
   "policy-apex-pdp", "yes", ""
   "policy-api", "yes", ""
   "policy-distribution", "yes", "yes"
   "policy-pap", "yes", ""
   "policy-xacml-pdp", "yes", ""
   "policydb", "yes", "yes"

Accessing Policy Containers
***************************
Accessing the policy docker containers is the same as for any kubernetes container. Here is an example:

.. code-block:: bash

  kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash

Installing or Upgrading Policy
******************************
The assumption is you have cloned the charts from the OOM repository into a local directory.

**Step 1** Go into local copy of OOM charts

From your local copy, edit any of the values.yaml files in the policy tree to make desired changes.

**Step 2** Build the charts

.. code-block:: bash

  make policy
  make onap

**Step 3** Undeploy Policy
After undeploying policy, loop on monitoring the policy pods until they go away.

.. code-block:: bash

  helm del --purge dev-policy
  kubectl get pods -n onap

**Step 4** Delete NFS persisted data for Policy

.. code-block:: bash

  rm -fr /dockerdata-nfs/dev-policy

**Step 5** Make sure there is no orphan policy database persistent volume or claim.

First, find if there is an orphan database PV or PVC with the following commands:

.. code-block:: bash

  kubectl get pvc -n onap | grep policy
  kubectl get pv -n onap | grep policy

If there are any orphan resources, delete them with

.. code-block:: bash

    kubectl delete pvc <orphan-policy-mariadb-resource>
    kubectl delete pv <orphan-policy-mariadb-resource>

**Step 6** Re-Deploy Policy pods

After deploying policy, loop on monitoring the policy pods until they come up.

.. code-block:: bash

  helm deploy dev-policy local/onap --namespace onap
  kubectl get pods -n onap

Restarting a faulty component
*****************************
Each policy component can be restarted independently by issuing the following command:

.. code-block:: bash

    kubectl delete pod <policy-pod> -n onap

Exposing ports
**************
For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them.

.. code-block:: bash

  kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort

Overriding certificate stores
*******************************
Policy components package default key and trust stores that support https based communication with other
AAF-enabled ONAP components.  Each store can be overridden at installation.

To override a default keystore, the new certificate store (policy-keystore) file should be placed at the
appropriate helm chart locations below:

* oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore drools pdp keystore override.
* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore apex pdp keystore override.
* oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore api keystore override.
* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore distribution keystore override.
* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore pap keystore override.
* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore xacml pdp keystore override.

In the event that the truststore (policy-truststore) needs to be overriden as well, place it at the appropriate
location below:

* oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore drools pdp truststore override.
* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore apex pdp truststore override.
* oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore api truststore override.
* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore distribution truststore override.
* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore pap truststore override.
* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore xacml pdp truststore override.

When the keystore passwords are changed, the corresponding component configuration ([1]_) should also change:

* oom/kubernetes/policy/charts/drools/values.yaml
* oom/kubernetes/policy-apex-pdp/resources/config/config.json
* oom/kubernetes/policy-distribution/resources/config/config.json

This procedure is applicable to an installation that requires either AAF or non-AAF derived certificates.
The reader is refered to the AAF documentation when new AAF-compliant keystores are desired:

* `AAF automated configuration and Certificates <https://docs.onap.org/projects/onap-aaf-authz/en/latest/sections/configuration/AAF_4.1_config.html#typical-onap-entity-info-in-aaf>`_.
* `AAF Certificate Management for Dummies <https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies>`_.
* `Instructional Videos <https://wiki.onap.org/display/DW/Instructional+Videos>`_.

After these changes, follow the procedures in the :ref:`Installing or Upgrading Policy` section to make usage of
the new stores effective.

Additional PDP-D Customizations
*******************************

Credentials and other configuration parameters can be set as values
when deploying the policy (drools) subchart.  Please refer to
`PDP-D Default Values <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools/values.yaml>`_
for the current default values.  It is strongly recommended that sensitive
information is secured appropriately before using in production.

Additional customization can be applied to the PDP-D.  Custom configuration goes under the
"resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources).
This requires rebuilding the policy subchart
(see section :ref:`Installing or Upgrading Policy`).

Configuration is done by adding or modifying configmaps and/or secrets.
Configmaps are placed under "drools/resources/configmaps", and
secrets under "drools/resources/secrets".

Custom configuration supportes these types of files:

* **\*.conf** files to support additional environment configuration.
* **features\*.zip** to add additional custom features.
* **\*.pre.sh** scripts to be executed before starting the PDP-D process.
* **\*.post.sh** scripts to be executed after starting the PDP-D process.
* **policy-keystore** to override the PDP-D policy-keystore.
* **policy-truststore** to override the PDP-D policy-truststore.
* **aaf-cadi.keyfile** to override the PDP-D AAF key.
* **\*.properties** to override or add properties files.
* **\*.xml** to override or add xml configuration files.
* **\*.json** to override json configuration files.
* **\*settings.xml** to override maven repositories configuration .

Examples
^^^^^^^^

To *disable AAF*, simply override the "aaf.enabled" value when deploying the helm chart
(see the OOM installation instructions mentioned above).

To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under
"drools/resources/secrets".  Modify the drools chart values.yaml with
new credentials, and follow the procedures described at
:ref:`Installing or Upgrading Policy` to redeploy the chart.

To *disable https* for the DMaaP configuration topic, add a copy of
`engine.properties <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server/config/engine.properties>`_
with "dmaap.source.topics.PDPD-CONFIGURATION.https" set to "false", or alternatively
create a ".pre.sh" script (see above) that edits this file before the PDP-D is
started.

To use *noop topics* for standalone testing, add a "noop.pre.sh" script under
oom/kubernetes/policy/charts/drools/resources/configmaps/:

.. code-block:: bash

    #!/bin/bash
    sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties


.. rubric:: Footnotes

.. [1] There is a limitation that store passwords are not configurable for policy-api, policy-pap, and policy-xacml-pdp.