dcae-services-policy-sync/README.md

Policy Sync

This repository contains the implementation of the Policy Sync container described in the wiki.

The Policy Sync utility is a Python-based tool that interfaces with the ONAP/ECOMP policy WebSocket and REST APIs. It keeps a local listing of policies in sync with an environment's policy decision point (PDP). It works well as a Kubernetes sidecar container that pulls down the latest policies for consumption by an application container.

The sync utility primarily uses the PDP's WebSocket notification API to receive policy update notifications. It also polls the PDP periodically for resiliency, so that the local copy still converges if the WebSocket connection drops or a notification is missed.
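The notification-plus-timer pattern described above, as an added example that is not the policysync project's own code: pull from the PDP when a notification arrives, and also whenever `duration` seconds pass with no notification, writing the outfile atomically so a consumer never reads a half-written JSON document. The PDP fetch and the WebSocket are stand-ins (a coroutine and an `asyncio.Queue`), the PDP contents are constructed, and the function names and the returned reason list are this example's own.

```python
# Added example (not the policysync project's own code): the event-plus-timer
# resync pattern the README describes. Policies are pulled from the PDP when a
# notification arrives over the websocket, and also at least every `duration`
# seconds as a fallback if the websocket goes quiet or dies. The PDP fetch and
# the websocket are stand-ins here (a coroutine and an asyncio.Queue), so the
# example runs offline; the names and the reason list are this example's own.
import asyncio
import json
import os
import tempfile
from typing import Awaitable, Callable, Dict, List


def write_outfile_atomically(path: str, policies: Dict[str, dict]) -> None:
    """Write to a temp file in the outfile's directory, fsync, then rename over
    the outfile. A consumer watching the file therefore sees either the old
    complete document or the new one, never a partially written JSON file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".policies-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(policies, fh, indent=2, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on POSIX when src and dst share a filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


async def run_sync(
    fetch: Callable[[], Awaitable[Dict[str, dict]]],
    notifications: "asyncio.Queue[str]",
    outfile: str,
    duration: float,
    stop: asyncio.Event,
) -> List[str]:
    """Pull on startup, on every notification, and whenever `duration` seconds
    pass with no notification. Returns why each pull happened, in order."""
    reasons: List[str] = []

    async def pull(reason: str) -> None:
        write_outfile_atomically(outfile, await fetch())
        reasons.append(reason)

    await pull("startup")
    while not stop.is_set():
        waiter = asyncio.ensure_future(notifications.get())
        stopper = asyncio.ensure_future(stop.wait())
        done, pending = await asyncio.wait(
            {waiter, stopper}, timeout=duration, return_when=asyncio.FIRST_COMPLETED
        )
        for task in pending:
            task.cancel()
        await asyncio.gather(*pending, return_exceptions=True)
        if stopper in done:
            break
        if waiter in done:
            # Coalesce a burst of notifications into a single pull.
            while not notifications.empty():
                notifications.get_nowait()
            await pull("notification")
        else:
            await pull("periodic")  # timer expired: the fallback check of the PDP
    return reasons


def demo() -> tuple:
    """Drive run_sync with a constructed PDP and a constructed notification stream."""
    async def main():
        pdp = {"DCAE.Config_Sample": {"version": 1}}   # constructed PDP contents

        async def fetch() -> Dict[str, dict]:
            return dict(pdp)

        queue: "asyncio.Queue[str]" = asyncio.Queue()
        stop = asyncio.Event()
        outfile = os.path.join(tempfile.mkdtemp(), "policies.json")

        async def driver() -> None:
            await asyncio.sleep(0.05)              # websocket delivers an update...
            pdp["DCAE.Config_Sample"] = {"version": 2}
            await queue.put("update")
            await asyncio.sleep(0.40)              # ...then goes quiet; the timer takes over
            stop.set()

        reasons, _ = await asyncio.gather(run_sync(fetch, queue, outfile, 0.1, stop), driver())
        with open(outfile) as fh:
            return reasons, json.load(fh)

    return asyncio.run(main())


if __name__ == "__main__":
    print(demo())
```

With a 0.1 s `duration` the run pulls once at startup, once for the notification, and then on the timer until `stop` is set; the outfile ends up holding version 2. The real utility's default `duration` of 2600 s only bounds how long a missed notification can go unnoticed, so a shorter interval is the knob to turn if an application cannot tolerate stale policies.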

Build and Run

The easiest way to use it is via Docker, by building the provided Dockerfile:

```shell
docker build . -t policy-puller
```

If you want to run it outside a container, a Python virtual environment is the easiest route:

```shell
# Create a virtual environment in the venv folder and activate it
python3 -m venv venv
source venv/bin/activate

# Install the utility
pip install .

# The utility is now installed in your virtual environment. Test it with:
policysync -h
```

Configuration

Configuration is done via environment variables or command-line flags. Flags take precedence over environment variables, and environment variables take precedence over the built-in defaults. Prefer environment variables (or, on Kubernetes, a Secret) over flags for POLICY_SYNC_PDP_PASS and POLICY_SYNC_V1_DMAAP_PASS: flag values are visible to every process on the host through the process list, whereas a process's environment is readable only by its own user and root.

General configuration

General configuration used regardless of which PDP API you are using.

| ENV Variable | Flag | Description | Default |
|---|---|---|---|
| POLICY_SYNC_PDP_URL | --pdp-url | PDP URL to query | None (must be set in env or flag) |
| POLICY_SYNC_FILTER | --filters | YAML list of regexes; policies whose names match are synced | [] |
| POLICY_SYNC_ID | --ids | YAML list of ids of policies to sync | [] |
| POLICY_SYNC_DURATION | --duration | Interval in seconds between periodic checks of the PDP | 2600 |
| POLICY_SYNC_OUTFILE | --outfile | File to write the synced policies to | ./policies.json |
| POLICY_SYNC_PDP_USER | --pdp-user | Username, if the PDP requires basic auth | None |
| POLICY_SYNC_PDP_PASS | --pdp-password | Password, if the PDP requires basic auth | None |
| POLICY_SYNC_HTTP_METRICS | --http-metrics | Whether to expose Prometheus metrics | True |
| POLICY_SYNC_HTTP_BIND | --http-bind | host:port on which Prometheus metrics are served | localhost:8000 |
| POLICY_SYNC_LOGGING_CONFIG | --logging-config | Path to a Python logging configuration file | None (logs are written to stderr) |
| POLICY_SYNC_V0_ENABLE | --use-v0 | Set to true to use the legacy V0 API | False |

V1 Specific Configuration (Used as of the Dublin release)

Configurable variables used for the V1 API introduced in the ONAP Dublin release.

Note: policy filters (POLICY_SYNC_FILTER) are not supported by the current policy release; support is planned. Use POLICY_SYNC_ID to select policies until then.

| ENV Variable | Flag | Description | Default |
|---|---|---|---|
| POLICY_SYNC_V1_DECISION_ENDPOINT | --v1-decision-endpoint | Endpoint to query for PDP decisions | policy/pdpx/v1/decision |
| POLICY_SYNC_V1_DMAAP_URL | --v1-dmaap-topic | DMaaP URL, including the topic, for notifications | None |
| POLICY_SYNC_V1_DMAAP_USER | --v1-dmaap-user | User to use for DMaaP notifications | None |
| POLICY_SYNC_V1_DMAAP_PASS | --v1-dmaap-pass | Password to use for DMaaP notifications | None |

V0 Specific Configuration (Legacy Policy API)

Configurable variables used for the legacy V0 API, as used before the Dublin release. They are only consulted when --use-v0 (POLICY_SYNC_V0_ENABLE) is set to True.

| ENV Variable | Flag | Description | Default |
|---|---|---|---|
| POLICY_SYNC_V0_NOTIFIY_ENDPOINT | --v0-notifiy-endpoint | WebSocket endpoint for PDP notifications | pdp/notifications |
| POLICY_SYNC_V0_DECISION_ENDPOINT | --v0-decision-endpoint | REST endpoint for PDP decisions | pdp/api |
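How the configuration rules in this section fit together, as an added example that is not the policysync project's own code: the flag > environment variable > default precedence, the YAML-list form of POLICY_SYNC_ID and POLICY_SYNC_FILTER, and matching policy names against ids and regex filters. Assumptions: the lists are parsed with `json`, which accepts the quoted flow form the README uses (`'["a", "b"]'`) but not YAML block lists; empty id and filter lists mean "sync everything"; the env and flag names are the README's, while `resolve`, `parse_list` and `select_policies` are this example's own.

```python
# Added example (not the policysync project's own code): the README's
# precedence rule (flag > env > default), parsing of the YAML-list values of
# POLICY_SYNC_ID / POLICY_SYNC_FILTER, and matching policy names against them.
# Assumptions: lists are parsed with json (the quoted flow form '["a", "b"]');
# empty id and filter lists select every policy; function names are this
# example's own, env and flag names are the README's.
import argparse
import json
import re
from typing import Callable, Dict, Iterable, List, Mapping, Optional

ENV_PREFIX = "POLICY_SYNC_"


def parse_list(raw: str) -> List[str]:
    """Parse a YAML/JSON flow list of strings such as '["DCAE.Config_A", "^DCAE"]'."""
    value = json.loads(raw)
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"expected a list of strings, got {raw!r}")
    return value


# dest -> (flag, env suffix, default, converter from the raw string)
OPTIONS: Dict[str, tuple] = {
    "pdp_url":      ("--pdp-url",      "PDP_URL",   None,              str),
    "filters":      ("--filters",      "FILTER",    [],                parse_list),
    "ids":          ("--ids",          "ID",        [],                parse_list),
    "duration":     ("--duration",     "DURATION",  2600,              int),
    "outfile":      ("--outfile",      "OUTFILE",   "./policies.json", str),
    "pdp_user":     ("--pdp-user",     "PDP_USER",  None,              str),
    "pdp_password": ("--pdp-password", "PDP_PASS",  None,              str),
    "http_bind":    ("--http-bind",    "HTTP_BIND", "localhost:8000",  str),
}


def resolve(argv: List[str], environ: Mapping[str, str]) -> Dict[str, object]:
    """Apply the README's precedence: flag, then environment variable, then default."""
    parser = argparse.ArgumentParser(prog="policysync")
    for dest, (flag, _env, _default, _conv) in OPTIONS.items():
        parser.add_argument(flag, dest=dest, default=None)   # None means "not given"
    flags = vars(parser.parse_args(argv))

    config: Dict[str, object] = {}
    for dest, (_flag, env_suffix, default, conv) in OPTIONS.items():
        raw: Optional[str] = flags[dest]
        if raw is None:
            raw = environ.get(ENV_PREFIX + env_suffix)
        if raw is None:
            # copy list defaults so callers cannot mutate the shared default
            config[dest] = list(default) if isinstance(default, list) else default
        else:
            config[dest] = conv(raw)
    if config["pdp_url"] is None:
        raise ValueError("POLICY_SYNC_PDP_URL / --pdp-url must be set")
    return config


def select_policies(names: Iterable[str], ids: List[str], filters: List[str]) -> List[str]:
    """Return the policy names to sync: exact id matches plus regex filter matches.
    With no ids and no filters every policy is selected (this example's assumption)."""
    if not ids and not filters:
        return list(names)
    wanted = set(ids)
    patterns = [re.compile(f) for f in filters]
    return [n for n in names if n in wanted or any(p.search(n) for p in patterns)]


if __name__ == "__main__":
    env = {ENV_PREFIX + "PDP_URL": "https://pdp.example:8081",   # constructed environment
           ENV_PREFIX + "DURATION": "30",
           ENV_PREFIX + "FILTER": '["^DCAE"]'}
    cfg = resolve(["--duration", "60", "--ids", '["A"]'], env)
    print(cfg["duration"])                      # 60: the flag beats the environment variable
    print(select_policies(["A", "DCAE.Config_X", "Other"], cfg["ids"], cfg["filters"]))
```

Note that `parse_list` rejects anything that is not a list of strings, so a value like `POLICY_SYNC_ID=DCAE.Config_X` (a bare string rather than a list) fails at startup instead of silently matching nothing.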

Usage

You can run it in a pure Docker setup:

```shell
# Run the container
docker run \
    --env POLICY_SYNC_PDP_USER=<username> \
    --env POLICY_SYNC_PDP_PASS=<password> \
    --env POLICY_SYNC_PDP_URL=<path_to_pdp> \
    --env POLICY_SYNC_V1_DMAAP_URL='https://<dmaap_host>:3905/events/<dmaap_topic>' \
    --env POLICY_SYNC_V1_DMAAP_USER='<user>' \
    --env POLICY_SYNC_V1_DMAAP_PASS='<pass>' \
    --env POLICY_SYNC_ID='["DCAE.Config_MS_AGING_UVERSE_PROD"]' \
    --env POLICY_SYNC_OUTFILE=/etc/policy/policies.json \
    -v $(pwd)/policy-volume:/etc/policy \
    nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.policy-sync:1.0.0
```

The list value is quoted as a whole so the shell does not treat the square brackets as a glob, and POLICY_SYNC_OUTFILE points into the mounted volume so the synced policies land on the host.

Or on Kubernetes:

```yaml
# Non-secret settings go in a ConfigMap...
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
  namespace: default
data:
  POLICY_SYNC_PDP_URL: <path_to_pdp>
  POLICY_SYNC_V1_DMAAP_URL: 'https://<dmaap_host>:3905/events/<dmaap_topic>'
  POLICY_SYNC_ID: '["DCAE.Config_MS_AGING_UVERSE_PROD"]'
  # Write into the volume shared with the main container (see the Pod below)
  POLICY_SYNC_OUTFILE: /etc/policies/policies.json

---
# ...and credentials go in a Secret, so they are not readable by everyone who
# can read ConfigMaps and do not sit in plain text in version control.
apiVersion: v1
kind: Secret
metadata:
  name: special-config-credentials
  namespace: default
type: Opaque
stringData:
  POLICY_SYNC_PDP_USER: myusername
  POLICY_SYNC_PDP_PASS: mypassword
  POLICY_SYNC_V1_DMAAP_USER: <user>
  POLICY_SYNC_V1_DMAAP_PASS: <pass>

---
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-sample-app
  namespace: default
spec:
  restartPolicy: Never

  # The shared volume that the two containers use to communicate; an emptyDir for simplicity
  volumes:
  - name: policy-shared
    emptyDir: {}

  containers:

  # Sample app that uses inotifyd (part of busybox/alpine). For demonstration purposes only.
  - name: main
    image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.policy-sync:1.0.0
    volumeMounts:
    - name: policy-shared
      mountPath: /etc/policies
    # For details on what this does see: https://wiki.alpinelinux.org/wiki/Inotifyd
    # Watch the directory rather than a subPath-mounted file, so the watch keeps
    # working if the sidecar replaces policies.json instead of rewriting it in
    # place: n = file created, m = file moved into the directory, w = writable
    # file closed. Replace the '-' argument with a shell script to do more.
    command: [ "inotifyd", "-", "/etc/policies:nmw" ]

  # The sidecar which keeps the policies in sync
  - name: policy-sync
    image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.policy-sync:1.0.0
    envFrom:
      - configMapRef:
          name: special-config
      - secretRef:
          name: special-config-credentials
    volumeMounts:
    - name: policy-shared
      mountPath: /etc/policies
```