| .. This work is licensed under a Creative Commons Attribution 4.0 |
| .. International License. |
| .. http://creativecommons.org/licenses/by/4.0 |
| .. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung |
| |
| .. Links |
| .. _Helm: https://docs.helm.sh/ |
| .. _Helm Charts: https://github.com/kubernetes/charts |
| .. _Kubernetes: https://Kubernetes.io/ |
| .. _Docker: https://www.docker.com/ |
| .. _Nexus: https://nexus.onap.org/ |
| .. _AWS Elastic Block Store: https://aws.amazon.com/ebs/ |
| .. _Azure File: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction |
| .. _GCE Persistent Disk: https://cloud.google.com/compute/docs/disks/ |
| .. _Gluster FS: https://www.gluster.org/ |
| .. _Kubernetes Storage Class: https://Kubernetes.io/docs/concepts/storage/storage-classes/ |
| .. _Assigning Pods to Nodes: https://Kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
| |
| |
| .. _developer-guide-label: |
| |
| OOM Developer Guide |
| ################### |
| |
| .. figure:: oomLogoV2-medium.png |
| :align: right |
| |
| ONAP consists of a large number of components, each of which are substantial |
| projects within themselves, which results in a high degree of complexity in |
| deployment and management. To cope with this complexity the ONAP Operations |
| Manager (OOM) uses a Helm_ model of ONAP - Helm being the primary management |
| system for Kubernetes_ container systems - to drive all user driven life-cycle |
| management operations. The Helm model of ONAP is composed of a set of |
| hierarchical Helm charts that define the structure of the ONAP components and |
| the configuration of these components. These charts are fully parameterized |
| such that a single environment file defines all of the parameters needed to |
| deploy ONAP. A user of ONAP may maintain several such environment files to |
| control the deployment of ONAP in multiple environments such as development, |
| pre-production, and production. |
| |
| The following sections describe how the ONAP Helm charts are constructed. |
| |
| .. contents:: |
| :depth: 3 |
| :local: |
| .. |
| |
| Container Background |
| ==================== |
| Linux containers allow for an application and all of its operating system |
| dependencies to be packaged and deployed as a single unit without including a |
| guest operating system as done with virtual machines. The most popular |
| container solution is Docker_ which provides tools for container management |
| like the Docker Host (dockerd) which can create, run, stop, move, or delete a |
| container. Docker has a very popular registry of containers images that can be |
| used by any Docker system; however, in the ONAP context, Docker images are |
| built by the standard CI/CD flow and stored in Nexus_ repositories. OOM uses |
| the "standard" ONAP docker containers and three new ones specifically created |
| for OOM. |
| |
| Containers are isolated from each other primarily via name spaces within the |
| Linux kernel without the need for multiple guest operating systems. As such, |
| multiple containers can be deployed with little overhead such as all of ONAP |
| can be deployed on a single host. With some optimization of the ONAP components |
| (e.g. elimination of redundant database instances) it may be possible to deploy |
| ONAP on a single laptop computer. |
| |
| Helm Charts |
| =========== |
| A Helm chart is a collection of files that describe a related set of Kubernetes |
| resources. A simple chart might be used to deploy something simple, like a |
| memcached pod, while a complex chart might contain many micro-service arranged |
| in a hierarchy as found in the `aai` ONAP component. |
| |
| Charts are created as files laid out in a particular directory tree, then they |
| can be packaged into versioned archives to be deployed. There is a public |
| archive of `Helm Charts`_ on GitHub that includes many technologies applicable |
| to ONAP. Some of these charts have been used in ONAP and all of the ONAP charts |
| have been created following the guidelines provided. |
| |
| The top level of the ONAP charts is shown below: |
| |
| .. code-block:: bash |
| |
| common |
| ├── cassandra |
| │ ├── Chart.yaml |
| │ ├── requirements.yaml |
| │ ├── resources |
| │ │ ├── config |
| │ │ │ └── docker-entrypoint.sh |
| │ │ ├── exec.py |
| │ │ └── restore.sh |
| │ ├── templates |
| │ │ ├── backup |
| │ │ │ ├── configmap.yaml |
| │ │ │ ├── cronjob.yaml |
| │ │ │ ├── pv.yaml |
| │ │ │ └── pvc.yaml |
| │ │ ├── configmap.yaml |
| │ │ ├── pv.yaml |
| │ │ ├── service.yaml |
| │ │ └── statefulset.yaml |
| │ └── values.yaml |
| ├── common |
| │ ├── Chart.yaml |
| │ ├── templates |
| │ │ ├── _createPassword.tpl |
| │ │ ├── _ingress.tpl |
| │ │ ├── _labels.tpl |
| │ │ ├── _mariadb.tpl |
| │ │ ├── _name.tpl |
| │ │ ├── _namespace.tpl |
| │ │ ├── _repository.tpl |
| │ │ ├── _resources.tpl |
| │ │ ├── _secret.yaml |
| │ │ ├── _service.tpl |
| │ │ ├── _storage.tpl |
| │ │ └── _tplValue.tpl |
| │ └── values.yaml |
| ├── ... |
| └── postgres-legacy |
| ├── Chart.yaml |
| ├── requirements.yaml |
| ├── charts |
| └── configs |
| |
| The common section of charts consists of a set of templates that assist with |
| parameter substitution (`_name.tpl`, `_namespace.tpl` and others) and a set of charts |
| for components used throughout ONAP. When the common components are used by other charts they |
| are instantiated each time or we can deploy a shared instances for several components. |
| |
| All of the ONAP components have charts that follow the pattern shown below: |
| |
| .. code-block:: bash |
| |
| name-of-my-component |
| ├── Chart.yaml |
| ├── requirements.yaml |
| ├── component |
| │ └── subcomponent-folder |
| ├── charts |
| │ └── subchart-folder |
| ├── resources |
| │ ├── folder1 |
| │ │ ├── file1 |
| │ │ └── file2 |
| │ └── folder1 |
| │ ├── file3 |
| │ └── folder3 |
| │ └── file4 |
| ├── templates |
| │ ├── NOTES.txt |
| │ ├── configmap.yaml |
| │ ├── deployment.yaml |
| │ ├── ingress.yaml |
| │ ├── job.yaml |
| │ ├── secrets.yaml |
| │ └── service.yaml |
| └── values.yaml |
| |
| Note that the component charts / components may include a hierarchy of sub |
| components and in themselves can be quite complex. |
| |
| You can use either `charts` or `components` folder for your subcomponents. |
| `charts` folder means that the subcomponent will always been deployed. |
| |
| `components` folders means we can choose if we want to deploy the |
| subcomponent. |
| |
| This choice is done in root `values.yaml`: |
| |
| .. code-block:: yaml |
| |
| --- |
| global: |
| key: value |
| |
| component1: |
| enabled: true |
| component2: |
| enabled: true |
| |
| Then in `requirements.yaml`, you'll use these values: |
| |
| .. code-block:: yaml |
| |
| --- |
| dependencies: |
| - name: common |
| version: ~x.y-0 |
| repository: '@local' |
| - name: component1 |
| version: ~x.y-0 |
| repository: 'file://components/component1' |
| condition: component1.enabled |
| - name: component2 |
| version: ~x.y-0 |
| repository: 'file://components/component2' |
| condition: component2.enabled |
| |
| Configuration of the components varies somewhat from component to component but |
| generally follows the pattern of one or more `configmap.yaml` files which can |
| directly provide configuration to the containers in addition to processing |
| configuration files stored in the `config` directory. It is the responsibility |
| of each ONAP component team to update these configuration files when changes |
| are made to the project containers that impact configuration. |
| |
| The following section describes how the hierarchical ONAP configuration system |
| is key to management of such a large system. |
| |
| Configuration Management |
| ======================== |
| |
| ONAP is a large system composed of many components - each of which are complex |
| systems in themselves - that needs to be deployed in a number of different |
| ways. For example, within a single operator's network there may be R&D |
| deployments under active development, pre-production versions undergoing system |
| testing and production systems that are operating live networks. Each of these |
| deployments will differ in significant ways, such as the version of the |
| software images deployed. In addition, there may be a number of application |
| specific configuration differences, such as operating system environment |
| variables. The following describes how the Helm configuration management |
| system is used within the OOM project to manage both ONAP infrastructure |
| configuration as well as ONAP components configuration. |
| |
| One of the artifacts that OOM/Kubernetes uses to deploy ONAP components is the |
| deployment specification, yet another yaml file. Within these deployment specs |
| are a number of parameters as shown in the following example: |
| |
| .. code-block:: yaml |
| |
| apiVersion: apps/v1 |
| kind: StatefulSet |
| metadata: |
| labels: |
| app.kubernetes.io/name: zookeeper |
| helm.sh/chart: zookeeper |
| app.kubernetes.io/component: server |
| app.kubernetes.io/managed-by: Tiller |
| app.kubernetes.io/instance: onap-oof |
| name: onap-oof-zookeeper |
| namespace: onap |
| spec: |
| <...> |
| replicas: 3 |
| selector: |
| matchLabels: |
| app.kubernetes.io/name: zookeeper |
| app.kubernetes.io/component: server |
| app.kubernetes.io/instance: onap-oof |
| serviceName: onap-oof-zookeeper-headless |
| template: |
| metadata: |
| labels: |
| app.kubernetes.io/name: zookeeper |
| helm.sh/chart: zookeeper |
| app.kubernetes.io/component: server |
| app.kubernetes.io/managed-by: Tiller |
| app.kubernetes.io/instance: onap-oof |
| spec: |
| <...> |
| affinity: |
| containers: |
| - name: zookeeper |
| <...> |
| image: gcr.io/google_samples/k8szk:v3 |
| imagePullPolicy: Always |
| <...> |
| ports: |
| - containerPort: 2181 |
| name: client |
| protocol: TCP |
| - containerPort: 3888 |
| name: election |
| protocol: TCP |
| - containerPort: 2888 |
| name: server |
| protocol: TCP |
| <...> |
| |
| Note that within the statefulset specification, one of the container arguments |
| is the key/value pair image: gcr.io/google_samples/k8szk:v3 which |
| specifies the version of the zookeeper software to deploy. Although the |
| statefulset specifications greatly simplify statefulset, maintenance of the |
| statefulset specifications themselves become problematic as software versions |
| change over time or as different versions are required for different |
| statefulsets. For example, if the R&D team needs to deploy a newer version of |
| mariadb than what is currently used in the production environment, they would |
| need to clone the statefulset specification and change this value. Fortunately, |
| this problem has been solved with the templating capabilities of Helm. |
| |
| The following example shows how the statefulset specifications are modified to |
| incorporate Helm templates such that key/value pairs can be defined outside of |
| the statefulset specifications and passed during instantiation of the component. |
| |
| .. code-block:: yaml |
| |
| apiVersion: apps/v1 |
| kind: StatefulSet |
| metadata: |
| name: {{ include "common.fullname" . }} |
| namespace: {{ include "common.namespace" . }} |
| labels: {{- include "common.labels" . | nindent 4 }} |
| spec: |
| replicas: {{ .Values.replicaCount }} |
| selector: |
| matchLabels: {{- include "common.matchLabels" . | nindent 6 }} |
| # serviceName is only needed for StatefulSet |
| # put the postfix part only if you have add a postfix on the service name |
| serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} |
| <...> |
| template: |
| metadata: |
| labels: {{- include "common.labels" . | nindent 8 }} |
| annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} |
| name: {{ include "common.name" . }} |
| spec: |
| <...> |
| containers: |
| - name: {{ include "common.name" . }} |
| image: {{ .Values.image }} |
| imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} |
| ports: |
| {{- range $index, $port := .Values.service.ports }} |
| - containerPort: {{ $port.port }} |
| name: {{ $port.name }} |
| {{- end }} |
| {{- range $index, $port := .Values.service.headlessPorts }} |
| - containerPort: {{ $port.port }} |
| name: {{ $port.name }} |
| {{- end }} |
| <...> |
| |
| This version of the statefulset specification has gone through the process of |
| templating values that are likely to change between statefulsets. Note that the |
| image is now specified as: image: {{ .Values.image }} instead of a |
| string used previously. During the statefulset phase, Helm (actually the Helm |
| sub-component Tiller) substitutes the {{ .. }} entries with a variable defined |
| in a values.yaml file. The content of this file is as follows: |
| |
| .. code-block:: yaml |
| |
| <...> |
| image: gcr.io/google_samples/k8szk:v3 |
| replicaCount: 3 |
| <...> |
| |
| |
| Within the values.yaml file there is an image key with the value |
| `gcr.io/google_samples/k8szk:v3` which is the same value used in |
| the non-templated version. Once all of the substitutions are complete, the |
| resulting statefulset specification ready to be used by Kubernetes. |
| |
| When creating a template consider the use of default values if appropriate. |
| Helm templating has built in support for DEFAULT values, here is |
| an example: |
| |
| .. code-block:: yaml |
| |
| imagePullSecrets: |
| - name: "{{ .Values.nsPrefix | default "onap" }}-docker-registry-key" |
| |
| The pipeline operator ("|") used here hints at that power of Helm templates in |
| that much like an operating system command line the pipeline operator allow |
| over 60 Helm functions to be embedded directly into the template (note that the |
| Helm template language is a superset of the Go template language). These |
| functions include simple string operations like upper and more complex flow |
| control operations like if/else. |
| |
| OOM is mainly helm templating. In order to have consistent deployment of the |
| different components of ONAP, some rules must be followed. |
| |
| Templates are provided in order to create Kubernetes resources (Secrets, |
| Ingress, Services, ...) or part of Kubernetes resources (names, labels, |
| resources requests and limits, ...). |
| |
| a full list and simple description is done in |
| `kubernetes/common/common/documentation.rst`. |
| |
| Service template |
| ---------------- |
| |
| In order to create a Service for a component, you have to create a file (with |
| `service` in the name. |
| For normal service, just put the following line: |
| |
| .. code-block:: yaml |
| |
| {{ include "common.service" . }} |
| |
| For headless service, the line to put is the following: |
| |
| .. code-block:: yaml |
| |
| {{ include "common.headlessService" . }} |
| |
| The configuration of the service is done in component `values.yaml`: |
| |
| .. code-block:: yaml |
| |
| service: |
| name: NAME-OF-THE-SERVICE |
| postfix: MY-POSTFIX |
| type: NodePort |
| annotations: |
| someAnnotationsKey: value |
| ports: |
| - name: tcp-MyPort |
| port: 5432 |
| nodePort: 88 |
| - name: http-api |
| port: 8080 |
| nodePort: 89 |
| - name: https-api |
| port: 9443 |
| nodePort: 90 |
| |
| `annotations` and `postfix` keys are optional. |
| if `service.type` is `NodePort`, then you have to give `nodePort` value for your |
| service ports (which is the end of the computed nodePort, see example). |
| |
| It would render the following Service Resource (for a component named |
| `name-of-my-component`, with version `x.y.z`, helm deployment name |
| `my-deployment` and `global.nodePortPrefix` `302`): |
| |
| .. code-block:: yaml |
| |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| annotations: |
| someAnnotationsKey: value |
| name: NAME-OF-THE-SERVICE-MY-POSTFIX |
| labels: |
| app.kubernetes.io/name: name-of-my-component |
| helm.sh/chart: name-of-my-component-x.y.z |
| app.kubernetes.io/instance: my-deployment-name-of-my-component |
| app.kubernetes.io/managed-by: Tiller |
| spec: |
| ports: |
| - port: 5432 |
| targetPort: tcp-MyPort |
| nodePort: 30288 |
| - port: 8080 |
| targetPort: http-api |
| nodePort: 30289 |
| - port: 9443 |
| targetPort: https-api |
| nodePort: 30290 |
| selector: |
| app.kubernetes.io/name: name-of-my-component |
| app.kubernetes.io/instance: my-deployment-name-of-my-component |
| type: NodePort |
| |
| In the deployment or statefulSet file, you needs to set the good labels in |
| order for the service to match the pods. |
| |
| here's an example to be sure it matches (for a statefulSet): |
| |
| .. code-block:: yaml |
| |
| apiVersion: apps/v1 |
| kind: StatefulSet |
| metadata: |
| name: {{ include "common.fullname" . }} |
| namespace: {{ include "common.namespace" . }} |
| labels: {{- include "common.labels" . | nindent 4 }} |
| spec: |
| selector: |
| matchLabels: {{- include "common.matchLabels" . | nindent 6 }} |
| # serviceName is only needed for StatefulSet |
| # put the postfix part only if you have add a postfix on the service name |
| serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} |
| <...> |
| template: |
| metadata: |
| labels: {{- include "common.labels" . | nindent 8 }} |
| annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} |
| name: {{ include "common.name" . }} |
| spec: |
| <...> |
| containers: |
| - name: {{ include "common.name" . }} |
| ports: |
| {{- range $index, $port := .Values.service.ports }} |
| - containerPort: {{ $port.port }} |
| name: {{ $port.name }} |
| {{- end }} |
| {{- range $index, $port := .Values.service.headlessPorts }} |
| - containerPort: {{ $port.port }} |
| name: {{ $port.name }} |
| {{- end }} |
| <...> |
| |
| The configuration of the service is done in component `values.yaml`: |
| |
| .. code-block:: yaml |
| |
| service: |
| name: NAME-OF-THE-SERVICE |
| headless: |
| postfix: NONE |
| annotations: |
| anotherAnnotationsKey : value |
| publishNotReadyAddresses: true |
| headlessPorts: |
| - name: tcp-MyPort |
| port: 5432 |
| - name: http-api |
| port: 8080 |
| - name: https-api |
| port: 9443 |
| |
| `headless.annotations`, `headless.postfix` and |
| `headless.publishNotReadyAddresses` keys are optional. |
| |
| If `headless.postfix` is not set, then we'll add `-headless` at the end of the |
| service name. |
| |
| If it set to `NONE`, there will be not postfix. |
| |
| And if set to something, it will add `-something` at the end of the service |
| name. |
| |
| It would render the following Service Resource (for a component named |
| `name-of-my-component`, with version `x.y.z`, helm deployment name |
| `my-deployment` and `global.nodePortPrefix` `302`): |
| |
| .. code-block:: yaml |
| |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| annotations: |
| anotherAnnotationsKey: value |
| name: NAME-OF-THE-SERVICE |
| labels: |
| app.kubernetes.io/name: name-of-my-component |
| helm.sh/chart: name-of-my-component-x.y.z |
| app.kubernetes.io/instance: my-deployment-name-of-my-component |
| app.kubernetes.io/managed-by: Tiller |
| spec: |
| clusterIP: None |
| ports: |
| - port: 5432 |
| targetPort: tcp-MyPort |
| nodePort: 30288 |
| - port: 8080 |
| targetPort: http-api |
| nodePort: 30289 |
| - port: 9443 |
| targetPort: https-api |
| nodePort: 30290 |
| publishNotReadyAddresses: true |
| selector: |
| app.kubernetes.io/name: name-of-my-component |
| app.kubernetes.io/instance: my-deployment-name-of-my-component |
| type: ClusterIP |
| |
| Previous example of StatefulSet would also match (except for the `postfix` part |
| obviously). |
| |
| Creating Deployment or StatefulSet |
| ---------------------------------- |
| |
| Deployment and StatefulSet should use the `apps/v1` (which has appeared in |
| v1.9). |
| As seen on the service part, the following parts are mandatory: |
| |
| .. code-block:: yaml |
| |
| apiVersion: apps/v1 |
| kind: StatefulSet |
| metadata: |
| name: {{ include "common.fullname" . }} |
| namespace: {{ include "common.namespace" . }} |
| labels: {{- include "common.labels" . | nindent 4 }} |
| spec: |
| selector: |
| matchLabels: {{- include "common.matchLabels" . | nindent 6 }} |
| # serviceName is only needed for StatefulSet |
| # put the postfix part only if you have add a postfix on the service name |
| serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} |
| <...> |
| template: |
| metadata: |
| labels: {{- include "common.labels" . | nindent 8 }} |
| annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} |
| name: {{ include "common.name" . }} |
| spec: |
| <...> |
| containers: |
| - name: {{ include "common.name" . }} |
| |
| ONAP Application Configuration |
| ------------------------------ |
| |
| Dependency Management |
| --------------------- |
| These Helm charts describe the desired state |
| of an ONAP deployment and instruct the Kubernetes container manager as to how |
| to maintain the deployment in this state. These dependencies dictate the order |
| in-which the containers are started for the first time such that such |
| dependencies are always met without arbitrary sleep times between container |
| startups. For example, the SDC back-end container requires the Elastic-Search, |
| Cassandra and Kibana containers within SDC to be ready and is also dependent on |
| DMaaP (or the message-router) to be ready - where ready implies the built-in |
| "readiness" probes succeeded - before becoming fully operational. When an |
| initial deployment of ONAP is requested the current state of the system is NULL |
| so ONAP is deployed by the Kubernetes manager as a set of Docker containers on |
| one or more predetermined hosts. The hosts could be physical machines or |
| virtual machines. When deploying on virtual machines the resulting system will |
| be very similar to "Heat" based deployments, i.e. Docker containers running |
| within a set of VMs, the primary difference being that the allocation of |
| containers to VMs is done dynamically with OOM and statically with "Heat". |
| Example SO deployment descriptor file shows SO's dependency on its mariadb |
| data-base component: |
| |
| SO deployment specification excerpt: |
| |
| .. code-block:: yaml |
| |
| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| name: {{ include "common.fullname" . }} |
| namespace: {{ include "common.namespace" . }} |
| labels: {{- include "common.labels" . | nindent 4 }} |
| spec: |
| replicas: {{ .Values.replicaCount }} |
| selector: |
| matchLabels: {{- include "common.matchLabels" . | nindent 6 }} |
| template: |
| metadata: |
| labels: |
| app: {{ include "common.name" . }} |
| release: {{ .Release.Name }} |
| spec: |
| initContainers: |
| - command: |
| - /app/ready.py |
| args: |
| - --container-name |
| - so-mariadb |
| env: |
| ... |
| |
| Kubernetes Container Orchestration |
| ================================== |
| The ONAP components are managed by the Kubernetes_ container management system |
| which maintains the desired state of the container system as described by one |
| or more deployment descriptors - similar in concept to OpenStack HEAT |
| Orchestration Templates. The following sections describe the fundamental |
| objects managed by Kubernetes, the network these components use to communicate |
| with each other and other entities outside of ONAP and the templates that |
| describe the configuration and desired state of the ONAP components. |
| |
| Name Spaces |
| ----------- |
| Within the namespaces are Kubernetes services that provide external |
| connectivity to pods that host Docker containers. |
| |
| ONAP Components to Kubernetes Object Relationships |
| -------------------------------------------------- |
| Kubernetes deployments consist of multiple objects: |
| |
| - **nodes** - a worker machine - either physical or virtual - that hosts |
| multiple containers managed by Kubernetes. |
| - **services** - an abstraction of a logical set of pods that provide a |
| micro-service. |
| - **pods** - one or more (but typically one) container(s) that provide specific |
| application functionality. |
| - **persistent volumes** - One or more permanent volumes need to be established |
| to hold non-ephemeral configuration and state data. |
| |
| The relationship between these objects is shown in the following figure: |
| |
| .. .. uml:: |
| .. |
| .. @startuml |
| .. node PH { |
| .. component Service { |
| .. component Pod0 |
| .. component Pod1 |
| .. } |
| .. } |
| .. |
| .. database PV |
| .. @enduml |
| |
| .. figure:: kubernetes_objects.png |
| |
| OOM uses these Kubernetes objects as described in the following sections. |
| |
| Nodes |
| ~~~~~ |
| OOM works with both physical and virtual worker machines. |
| |
| * Virtual Machine Deployments - If ONAP is to be deployed onto a set of virtual |
| machines, the creation of the VMs is outside of the scope of OOM and could be |
| done in many ways, such as |
| |
| * manually, for example by a user using the OpenStack Horizon dashboard or |
| AWS EC2, or |
| * automatically, for example with the use of a OpenStack Heat Orchestration |
| Template which builds an ONAP stack, Azure ARM template, AWS CloudFormation |
| Template, or |
| * orchestrated, for example with Cloudify creating the VMs from a TOSCA |
| template and controlling their life cycle for the life of the ONAP |
| deployment. |
| |
| * Physical Machine Deployments - If ONAP is to be deployed onto physical |
| machines there are several options but the recommendation is to use Rancher |
| along with Helm to associate hosts with a Kubernetes cluster. |
| |
| Pods |
| ~~~~ |
| A group of containers with shared storage and networking can be grouped |
| together into a Kubernetes pod. All of the containers within a pod are |
| co-located and co-scheduled so they operate as a single unit. Within ONAP |
| Amsterdam release, pods are mapped one-to-one to docker containers although |
| this may change in the future. As explained in the Services section below the |
| use of Pods within each ONAP component is abstracted from other ONAP |
| components. |
| |
| Services |
| ~~~~~~~~ |
| OOM uses the Kubernetes service abstraction to provide a consistent access |
| point for each of the ONAP components independent of the pod or container |
| architecture of that component. For example, the SDNC component may introduce |
| OpenDaylight clustering as some point and change the number of pods in this |
| component to three or more but this change will be isolated from the other ONAP |
| components by the service abstraction. A service can include a load balancer |
| on its ingress to distribute traffic between the pods and even react to dynamic |
| changes in the number of pods if they are part of a replica set. |
| |
| Persistent Volumes |
| ~~~~~~~~~~~~~~~~~~ |
| To enable ONAP to be deployed into a wide variety of cloud infrastructures a |
| flexible persistent storage architecture, built on Kubernetes persistent |
| volumes, provides the ability to define the physical storage in a central |
| location and have all ONAP components securely store their data. |
| |
| When deploying ONAP into a public cloud, available storage services such as |
| `AWS Elastic Block Store`_, `Azure File`_, or `GCE Persistent Disk`_ are |
| options. Alternatively, when deploying into a private cloud the storage |
| architecture might consist of Fiber Channel, `Gluster FS`_, or iSCSI. Many |
| other storage options existing, refer to the `Kubernetes Storage Class`_ |
| documentation for a full list of the options. The storage architecture may vary |
| from deployment to deployment but in all cases a reliable, redundant storage |
| system must be provided to ONAP with which the state information of all ONAP |
| components will be securely stored. The Storage Class for a given deployment is |
| a single parameter listed in the ONAP values.yaml file and therefore is easily |
| customized. Operation of this storage system is outside the scope of the OOM. |
| |
| .. code-block:: yaml |
| |
| Insert values.yaml code block with storage block here |
| |
| Once the storage class is selected and the physical storage is provided, the |
| ONAP deployment step creates a pool of persistent volumes within the given |
| physical storage that is used by all of the ONAP components. ONAP components |
| simply make a claim on these persistent volumes (PV), with a persistent volume |
| claim (PVC), to gain access to their storage. |
| |
| The following figure illustrates the relationships between the persistent |
| volume claims, the persistent volumes, the storage class, and the physical |
| storage. |
| |
| .. graphviz:: |
| |
| digraph PV { |
| label = "Persistance Volume Claim to Physical Storage Mapping" |
| { |
| node [shape=cylinder] |
| D0 [label="Drive0"] |
| D1 [label="Drive1"] |
| Dx [label="Drivex"] |
| } |
| { |
| node [shape=Mrecord label="StorageClass:ceph"] |
| sc |
| } |
| { |
| node [shape=point] |
| p0 p1 p2 |
| p3 p4 p5 |
| } |
| subgraph clusterSDC { |
| label="SDC" |
| PVC0 |
| PVC1 |
| } |
| subgraph clusterSDNC { |
| label="SDNC" |
| PVC2 |
| } |
| subgraph clusterSO { |
| label="SO" |
| PVCn |
| } |
| PV0 -> sc |
| PV1 -> sc |
| PV2 -> sc |
| PVn -> sc |
| |
| sc -> {D0 D1 Dx} |
| PVC0 -> PV0 |
| PVC1 -> PV1 |
| PVC2 -> PV2 |
| PVCn -> PVn |
| |
| # force all of these nodes to the same line in the given order |
| subgraph { |
| rank = same; PV0;PV1;PV2;PVn;p0;p1;p2 |
| PV0->PV1->PV2->p0->p1->p2->PVn [style=invis] |
| } |
| |
| subgraph { |
| rank = same; D0;D1;Dx;p3;p4;p5 |
| D0->D1->p3->p4->p5->Dx [style=invis] |
| } |
| |
| } |
| |
| In-order for an ONAP component to use a persistent volume it must make a claim |
| against a specific persistent volume defined in the ONAP common charts. Note |
| that there is a one-to-one relationship between a PVC and PV. The following is |
| an excerpt from a component chart that defines a PVC: |
| |
| .. code-block:: yaml |
| |
| Insert PVC example here |
| |
| OOM Networking with Kubernetes |
| ------------------------------ |
| |
| - DNS |
| - Ports - Flattening the containers also expose port conflicts between the |
| containers which need to be resolved. |
| |
| Node Ports |
| ~~~~~~~~~~ |
| |
| Pod Placement Rules |
| ------------------- |
| OOM will use the rich set of Kubernetes node and pod affinity / |
| anti-affinity rules to minimize the chance of a single failure resulting in a |
| loss of ONAP service. Node affinity / anti-affinity is used to guide the |
| Kubernetes orchestrator in the placement of pods on nodes (physical or virtual |
| machines). For example: |
| |
| - if a container used Intel DPDK technology the pod may state that it as |
| affinity to an Intel processor based node, or |
| - geographical based node labels (such as the Kubernetes standard zone or |
| region labels) may be used to ensure placement of a DCAE complex close to the |
| VNFs generating high volumes of traffic thus minimizing networking cost. |
| Specifically, if nodes were pre-assigned labels East and West, the pod |
| deployment spec to distribute pods to these nodes would be: |
| |
| .. code-block:: yaml |
| |
| nodeSelector: |
| failure-domain.beta.Kubernetes.io/region: {{ .Values.location }} |
| |
| - "location: West" is specified in the `values.yaml` file used to deploy |
| one DCAE cluster and "location: East" is specified in a second `values.yaml` |
| file (see OOM Configuration Management for more information about |
| configuration files like the `values.yaml` file). |
| |
| Node affinity can also be used to achieve geographic redundancy if pods are |
| assigned to multiple failure domains. For more information refer to `Assigning |
| Pods to Nodes`_. |
| |
| .. note:: |
| One could use Pod to Node assignment to totally constrain Kubernetes when |
| doing initial container assignment to replicate the Amsterdam release |
| OpenStack Heat based deployment. Should one wish to do this, each VM would |
| need a unique node name which would be used to specify a node constaint |
| for every component. These assignment could be specified in an environment |
| specific values.yaml file. Constraining Kubernetes in this way is not |
| recommended. |
| |
| Kubernetes has a comprehensive system called Taints and Tolerations that can be |
| used to force the container orchestrator to repel pods from nodes based on |
| static events (an administrator assigning a taint to a node) or dynamic events |
| (such as a node becoming unreachable or running out of disk space). There are |
| no plans to use taints or tolerations in the ONAP Beijing release. Pod |
| affinity / anti-affinity is the concept of creating a spacial relationship |
| between pods when the Kubernetes orchestrator does assignment (both initially |
| an in operation) to nodes as explained in Inter-pod affinity and anti-affinity. |
| For example, one might choose to co-located all of the ONAP SDC containers on a |
| single node as they are not critical runtime components and co-location |
| minimizes overhead. On the other hand, one might choose to ensure that all of |
| the containers in an ODL cluster (SDNC and APPC) are placed on separate nodes |
| such that a node failure has minimal impact to the operation of the cluster. |
| An example of how pod affinity / anti-affinity is shown below: |
| |
| Pod Affinity / Anti-Affinity |
| |
| .. code-block:: yaml |
| |
| apiVersion: v1 |
| kind: Pod |
| metadata: |
| name: with-pod-affinity |
| spec: |
| affinity: |
| podAffinity: |
| requiredDuringSchedulingIgnoredDuringExecution: |
| - labelSelector: |
| matchExpressions: |
| - key: security |
| operator: In |
| values: |
| - S1 |
| topologyKey: failure-domain.beta.Kubernetes.io/zone |
| podAntiAffinity: |
| preferredDuringSchedulingIgnoredDuringExecution: |
| - weight: 100 |
| podAffinityTerm: |
| labelSelector: |
| matchExpressions: |
| - key: security |
| operator: In |
| values: |
| - S2 |
| topologyKey: Kubernetes.io/hostname |
| containers: |
| - name: with-pod-affinity |
| image: gcr.io/google_containers/pause:2.0 |
| |
| This example contains both podAffinity and podAntiAffinity rules, the first |
| rule is is a must (requiredDuringSchedulingIgnoredDuringExecution) while the |
| second will be met pending other considerations |
| (preferredDuringSchedulingIgnoredDuringExecution). Preemption Another feature |
| that may assist in achieving a repeatable deployment in the presence of faults |
| that may have reduced the capacity of the cloud is assigning priority to the |
| containers such that mission critical components have the ability to evict less |
| critical components. Kubernetes provides this capability with Pod Priority and |
| Preemption. Prior to having more advanced production grade features available, |
| the ability to at least be able to re-deploy ONAP (or a subset of) reliably |
| provides a level of confidence that should an outage occur the system can be |
| brought back on-line predictably. |
| |
| Health Checks |
| ------------- |
| |
| Monitoring of ONAP components is configured in the agents within JSON files and |
| stored in gerrit under the consul-agent-config, here is an example from the AAI |
| model loader (aai-model-loader-health.json): |
| |
| .. code-block:: json |
| |
| { |
| "service": { |
| "name": "A&AI Model Loader", |
| "checks": [ |
| { |
| "id": "model-loader-process", |
| "name": "Model Loader Presence", |
| "script": "/consul/config/scripts/model-loader-script.sh", |
| "interval": "15s", |
| "timeout": "1s" |
| } |
| ] |
| } |
| } |
| |
| Liveness Probes |
| --------------- |
| |
| These liveness probes can simply check that a port is available, that a |
| built-in health check is reporting good health, or that the Consul health check |
| is positive. For example, to monitor the SDNC component has following liveness |
| probe can be found in the SDNC DB deployment specification: |
| |
| .. code-block:: yaml |
| |
| sdnc db liveness probe |
| |
| livenessProbe: |
| exec: |
| command: ["mysqladmin", "ping"] |
| initialDelaySeconds: 30 periodSeconds: 10 |
| timeoutSeconds: 5 |
| |
| The 'initialDelaySeconds' control the period of time between the readiness |
| probe succeeding and the liveness probe starting. 'periodSeconds' and |
| 'timeoutSeconds' control the actual operation of the probe. Note that |
| containers are inherently ephemeral so the healing action destroys failed |
| containers and any state information within it. To avoid a loss of state, a |
| persistent volume should be used to store all data that needs to be persisted |
| over the re-creation of a container. Persistent volumes have been created for |
| the database components of each of the projects and the same technique can be |
| used for all persistent state information. |
| |
| |
| |
| Environment Files |
| ~~~~~~~~~~~~~~~~~ |
| |
| MSB Integration |
| =============== |
| |
| The \ `Microservices Bus |
| Project <https://wiki.onap.org/pages/viewpage.action?pageId=3246982>`__ provides |
| facilities to integrate micro-services into ONAP and therefore needs to |
| integrate into OOM - primarily through Consul which is the backend of |
| MSB service discovery. The following is a brief description of how this |
| integration will be done: |
| |
| A registrator to push the service endpoint info to MSB service |
| discovery. |
| |
| - The needed service endpoint info is put into the kubernetes yaml file |
| as annotation, including service name, Protocol,version, visual |
| range,LB method, IP, Port,etc. |
| |
| - OOM deploy/start/restart/scale in/scale out/upgrade ONAP components |
| |
| - Registrator watch the kubernetes event |
| |
| - When an ONAP component instance has been started/destroyed by OOM, |
| Registrator get the notification from kubernetes |
| |
| - Registrator parse the service endpoint info from annotation and |
| register/update/unregister it to MSB service discovery |
| |
| - MSB API Gateway uses the service endpoint info for service routing |
| and load balancing. |
| |
| Details of the registration service API can be found at \ `Microservice |
| Bus API |
| Documentation <https://wiki.onap.org/display/DW/Microservice+Bus+API+Documentation>`__. |
| |
| ONAP Component Registration to MSB |
| ---------------------------------- |
| The charts of all ONAP components intending to register against MSB must have |
| an annotation in their service(s) template. A `sdc` example follows: |
| |
| .. code-block:: yaml |
| |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| labels: |
| app: sdc-be |
| name: sdc-be |
| namespace: "{{ .Values.nsPrefix }}" |
| annotations: |
| msb.onap.org/service-info: '[ |
| { |
| "serviceName": "sdc", |
| "version": "v1", |
| "url": "/sdc/v1", |
| "protocol": "REST", |
| "port": "8080", |
| "visualRange":"1" |
| }, |
| { |
| "serviceName": "sdc-deprecated", |
| "version": "v1", |
| "url": "/sdc/v1", |
| "protocol": "REST", |
| "port": "8080", |
| "visualRange":"1", |
| "path":"/sdc/v1" |
| } |
| ]' |
| ... |
| |
| |
| MSB Integration with OOM |
| ------------------------ |
| A preliminary view of the OOM-MSB integration is as follows: |
| |
| .. figure:: MSB-OOM-Diagram.png |
| |
| A message sequence chart of the registration process: |
| |
| .. uml:: |
| |
| participant "OOM" as oom |
| participant "ONAP Component" as onap |
| participant "Service Discovery" as sd |
| participant "External API Gateway" as eagw |
| participant "Router (Internal API Gateway)" as iagw |
| |
| box "MSB" #LightBlue |
| participant sd |
| participant eagw |
| participant iagw |
| end box |
| |
| == Deploy Servcie == |
| |
| oom -> onap: Deploy |
| oom -> sd: Register service endpoints |
| sd -> eagw: Services exposed to external system |
| sd -> iagw: Services for internal use |
| |
| == Component Life-cycle Management == |
| |
| oom -> onap: Start/Stop/Scale/Migrate/Upgrade |
| oom -> sd: Update service info |
| sd -> eagw: Update service info |
| sd -> iagw: Update service info |
| |
| == Service Health Check == |
| |
| sd -> onap: Check the health of service |
| sd -> eagw: Update service status |
| sd -> iagw: Update service status |
| |
| |
| MSB Deployment Instructions |
| --------------------------- |
| MSB is helm installable ONAP component which is often automatically deployed. |
| To install it individually enter:: |
| |
| > helm install <repo-name>/msb |
| |
| .. note:: |
| TBD: Vaidate if the following procedure is still required. |
| |
| Please note that Kubernetes authentication token must be set at |
| *kubernetes/kube2msb/values.yaml* so the kube2msb registrator can get the |
| access to watch the kubernetes events and get service annotation by |
| Kubernetes APIs. The token can be found in the kubectl configuration file |
| *~/.kube/config* |
| |
| More details can be found here `MSB installation <https://docs.onap.org/projects/onap-msb-apigateway/en/latest/platform/installation.html>`_. |
| |
| .. MISC |
| .. ==== |
| .. Note that although OOM uses Kubernetes facilities to minimize the effort |
| .. required of the ONAP component owners to implement a successful rolling |
| .. upgrade strategy there are other considerations that must be taken into |
| .. consideration. |
| .. For example, external APIs - both internal and external to ONAP - should be |
| .. designed to gracefully accept transactions from a peer at a different |
| .. software version to avoid deadlock situations. Embedded version codes in |
| .. messages may facilitate such capabilities. |
| .. |
| .. Within each of the projects a new configuration repository contains all of |
| .. the project specific configuration artifacts. As changes are made within |
| .. the project, it's the responsibility of the project team to make appropriate |
| .. changes to the configuration data. |