Adding notes from vFWCL in Dublin

This is just to share notes from the vFWCL exercise in Dublin.

Issue-ID: OOM-1900

Change-Id: I76cc577342a8e25a900b119462ff6c7768189382
Signed-off-by: Michal Ptacek <m.ptacek@partner.samsung.com>
diff --git a/docs/images/vFWCL-dublin.jpg b/docs/images/vFWCL-dublin.jpg
new file mode 100644
index 0000000..a943a5d
--- /dev/null
+++ b/docs/images/vFWCL-dublin.jpg
Binary files differ
diff --git a/docs/vFWCL-notes.rst b/docs/vFWCL-notes.rst
new file mode 100644
index 0000000..17a4939
--- /dev/null
+++ b/docs/vFWCL-notes.rst
@@ -0,0 +1,337 @@
+*************************************
+vFWCL on Dublin ONAP offline platform
+*************************************
+
+|image0|
+
+This document is collecting notes we have from running vFirewall demo on offline Dublin platform
+installed by ONAP offline installer tool.
+
+Overall it was much easier in compare with earlier version, however following steps are still needed.
+
+Some of the most relevant materials are available on following links:
+
+* `oom_quickstart_guide.html <https://docs.onap.org/en/dublin/submodules/oom.git/docs/oom_quickstart_guide.html>`_
+* `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_
+
+
+.. contents:: Table of Contents
+   :depth: 2
+
+
+
+Step 1. Preconditions - before ONAP deployment
+==============================================
+
+Understanding of the underlying OpenStack deployment is required from anyone applying these instructions.
+
+In addition, installation-specific location of the helm charts on the infra node must be known.
+In this document it is referred to as <helm_charts_dir>
+
+Snippets below are describing areas we need to configure for successfull vFWCL demo.
+
+Pay attention to them and configure it (ideally before deployment) accordingly.
+
+**1) <helm_charts_dir>/onap/values.yaml**::
+
+
+	#################################################################
+	# Global configuration overrides.
+	# !!! VIM specific entries are in APPC / Robot & SO parts !!!
+	#################################################################
+	global:
+	  # Change to an unused port prefix range to prevent port conflicts
+	  # with other instances running within the same k8s cluster
+	  nodePortPrefix: 302
+	  nodePortPrefixExt: 304
+
+	  # ONAP Repository
+	  # Uncomment the following to enable the use of a single docker
+	  # repository but ONLY if your repository mirrors all ONAP
+	  # docker images. This includes all images from dockerhub and
+	  # any other repository that hosts images for ONAP components.
+	  #repository: nexus3.onap.org:10001
+	  repositoryCred:
+	    user: docker
+	    password: docker
+
+	  # readiness check - temporary repo until images migrated to nexus3
+	  readinessRepository: oomk8s
+	  # logging agent - temporary repo until images migrated to nexus3
+	  loggingRepository: docker.elastic.co
+
+	  # image pull policy
+	  pullPolicy: Always
+
+	  # default mount path root directory referenced
+	  # by persistent volumes and log files
+	  persistence:
+	    mountPath: /dockerdata-nfs
+	    enableDefaultStorageclass: false
+	    parameters: {}
+	    storageclassProvisioner: kubernetes.io/no-provisioner
+	    volumeReclaimPolicy: Retain
+
+	  # override default resource limit flavor for all charts
+	  flavor: unlimited
+
+	  # flag to enable debugging - application support required
+	  debugEnabled: false
+
+	#################################################################
+	# Enable/disable and configure helm charts (ie. applications)
+	# to customize the ONAP deployment.
+	#################################################################
+	aaf:
+	  enabled: true
+	aai:
+	  enabled: true
+	appc:
+	  enabled: true
+	  config:
+	    openStackType: "OpenStackProvider"
+	    openStackName: "OpenStack"
+	    openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0"
+	    openStackServiceTenantName: "service"
+	    openStackDomain: "default"
+	    openStackUserName: "onap-tieto"
+	    openStackEncryptedPassword: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558"
+	cassandra:
+	  enabled: true
+	clamp:
+	  enabled: true
+	cli:
+	  enabled: true
+	consul:
+	  enabled: true
+	contrib:
+	  enabled: true
+	dcaegen2:
+	  enabled: true
+	pnda:
+	  enabled: true
+	dmaap:
+	  enabled: true
+	esr:
+	  enabled: true
+	log:
+	  enabled: true
+	sniro-emulator:
+	  enabled: true
+	oof:
+	  enabled: true
+	mariadb-galera:
+	  enabled: true
+	msb:
+	  enabled: true
+	multicloud:
+	  enabled: true
+	nbi:
+	  enabled: true
+	  config:
+	    # openstack configuration
+	    openStackRegion: "Yolo"
+	    openStackVNFTenantId: "1234"
+	nfs-provisioner:
+	  enabled: true
+	policy:
+	  enabled: true
+	pomba:
+	  enabled: true
+	portal:
+	  enabled: true
+	robot:
+	  enabled: true
+	  appcUsername: "appc@appc.onap.org"
+	  appcPassword: "demo123456!"
+	  openStackKeyStoneUrl: "http://10.20.30.40:5000"
+	  openStackPublicNetId: "9403ceea-0738-4908-a826-316c8541e4bb"
+	  openStackPublicNetworkName: "rc3-offline-network"
+	  openStackTenantId: "b1ce7742d956463999923ceaed71786e"
+	  openStackUserName: "onap-tieto"
+	  ubuntu14Image: "trusty"
+	  openStackPrivateNetId: "3c7aa2bd-ba14-40ce-8070-6a0d6a617175"
+	  openStackPrivateSubnetId: "2bcb9938-9c94-4049-b580-550a44dc63b3"
+	  openStackPrivateNetCidr: "10.0.0.0/16"
+	  openStackSecurityGroup: "onap_sg"
+	  openStackOamNetworkCidrPrefix: "10.0"
+	  dcaeCollectorIp: "10.8.8.22" # this IP is taken from k8s host
+	  vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPwF2bYm2QuqZpjuAcZDJTcFdUkKv4Hbd/3qqbxf6g5ZgfQarCi+mYnKe9G9Px3CgFLPdgkBBnMSYaAzMjdIYOEdPKFTMQ9lIF0+i5KsrXvszWraGKwHjAflECfpTAWkPq2UJUvwkV/g7NS5lJN3fKa9LaqlXdtdQyeSBZAUJ6QeCE5vFUplk3X6QFbMXOHbZh2ziqu8mMtP+cWjHNBB47zHQ3RmNl81Rjv+QemD5zpdbK/h6AahDncOY3cfN88/HPWrENiSSxLC020sgZNYgERqfw+1YhHrclhf3jrSwCpZikjl7rqKroua2LBI/yeWEta3amTVvUnR2Y7gM8kHyh Generated-by-Nova"
+	  demoArtifactsVersion: "1.4.0" # Dublin prefered is 1.4.0
+	  demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases"
+	  scriptVersion: "1.4.0" # Dublin prefered is 1.4.0
+	  rancherIpAddress: "10.8.8.8" # this IP is taken from infra node
+	  config:
+	    # instructions how to generate this value properly are in OOM quick quide mentioned above
+	    openStackEncryptedPasswordHere: "f7920677e15e2678b0f33736189e8965"
+
+	sdc:
+	  enabled: true
+	sdnc:
+	  enabled: true
+
+	  replicaCount: 1
+
+	  mysql:
+	    replicaCount: 1
+	so:
+	  enabled: true
+	  config:
+	    openStackUserName: "onap-tieto"
+	    openStackRegion: "RegionOne"
+	    openStackKeyStoneUrl: "http://10.20.30.40:5000"
+	    openStackServiceTenantName: "services"
+            # instructions how to generate this value properly are in OOM quick quide mentioned above
+	    openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558"
+
+	  replicaCount: 1
+
+	  liveness:
+	    # necessary to disable liveness probe when setting breakpoints
+	    # in debugger so K8s doesn't restart unresponsive container
+	    enabled: true
+
+	  so-catalog-db-adapter:
+	    config:
+	      openStackUserName: "onap-tieto"
+	      openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0"
+              #  instructions how to generate this value properly are in OOM quick quide mentioned above
+	      openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558"
+
+	uui:
+	  enabled: true
+	vfc:
+	  enabled: true
+	vid:
+	  enabled: true
+	vnfsdk:
+	  enabled: true
+	modeling:
+	  enabled: true
+
+
+**2) <helm_charts_dir>/robot/resources/config/eteshare/config/vm_properties.py**::
+
+        # following patch is required because in Dublin public network is hardcoded
+        # reported in TEST-166 and is implemented in El-Alto
+        # just add following row into file
+        GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK = '{{ .Values.openStackPublicNetworkName }}'
+
+
+
+Step 2. Preconditions - after ONAP deployment
+=============================================
+
+
+Run HealthChecks after successful deployment, all of them must pass
+
+Relevant robot scripts are under <helm_charts_dir>/oom/kubernetes/robot
+
+::
+
+        [root@tomas-infra robot]# ./ete-k8s.sh onap health
+
+        61 critical tests, 61 passed, 0 failed
+        61 tests total, 61 passed, 0 failed
+
+very useful page describing commands for `manual checking of HC’s <https://wiki.onap.org/display/DW/Robot+Healthcheck+Tests+on+ONAP+Components#RobotHealthcheckTestsonONAPComponents-ApplicationController(APPC)Healthcheck>`_
+
+Step 3. Patch public network
+============================
+
+This is the last part of correction for `TEST-166 <https://jira.onap.org/browse/TEST-166>`_ needed for Dublin branch.
+
+::
+
+	[root@tomas-infra helm_charts]# kubectl  get pods -n onap | grep robot
+	onap-robot-robot-5c7c46bbf4-4zgkn                              1/1     Running      0          3h15m
+	[root@tomas-infra helm_charts]# kubectl  exec -it onap-robot-robot-5c7c46bbf4-4zgkn bash
+        root@onap-robot-robot-5c7c46bbf4-4zgkn:/# cd /var/opt/ONAP/
+	root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g'  robot/resources/demo_preload.robot
+        root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g'  robot/resources/stack_validation/policy_check_vfw.robot
+        root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g'  robot/resources/stack_validation/validate_vfw.robot
+
+
+Step 4. Set private key for robot when accessing VNFs
+=====================================================
+
+This is workaround for ticket `TEST-167 <https://jira.onap.org/browse/TEST-167>`_, as of now robot is using following file as private key
+*/var/opt/ONAP/robot/assets/keys/onap_dev.pvt*
+
+One can either set it to own private key, corresponding with public key inserted into VMs from *vnfPubKey* param
+OR
+set mount own private key into robot container and change GLOBAL_VM_PRIVATE_KEY in */var/opt/ONAP/robot/resources/global_properties.robot*
+
+
+Step 5. robot init - demo services distribution
+================================================
+
+Run following robot script to execute both init_customer + distribute
+
+::
+
+        #  demo-k8s.sh <namespace> init
+
+        [root@tomas-infra robot]# ./demo-k8s.sh onap init
+
+
+
+Step 6. robot instantiateVFW
+============================
+
+Following tag is used for whole vFWCL testcase. It will deploy single heat stack with 3 VMs and set policies and APPC mount point for vFWCL to happen.
+
+::
+
+	# demo-k8s.sh <namespace> instantiateVFW
+
+        root@tomas-infra robot]# ./demo-k8s.sh onap instantiateVFW
+
+Step 7. fix CloseLoopName in tca microservice
+=============================================
+
+In Dublin scope, tca microservice is configured with hardcoded entries from `tcaSpec.json <https://gerrit.onap.org/r/gitweb?p=dcaegen2/analytics/tca.git;a=blob;f=dpo/tcaSpec.json;h=8e69c068ea47300707b8131fbc8d71e9a47af8a2;hb=HEAD#l278>`_
+
+After updating operational policy within instantiateVFW robot tag execution, one must change CloseLoopName in tca to match with generated
+value in policy. This is done in two parts:
+
+a) get correct value
+
+::
+
+	# from drools container, i.e. drools in Dublin is not mapped to k8s host
+	curl -k --silent --user 'demo@people.osaaf.org:demo123456!' -X GET  https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops --insecure
+
+
+	# alternatively same value can be obtained from telemetry console in drools container
+	telemetry
+        https://localhost:9696/policy/pdp/engine> cd controllers/usecases/drools/facts/usecases/controlloops
+        https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops> get
+	HTTP/1.1 200 OK
+	Content-Length: 62
+	Content-Type: application/json
+	Date: Tue, 25 Jun 2019 07:18:56 GMT
+	Server: Jetty(9.4.14.v20181114)
+	[
+ 	   "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c"
+	]
+
+b) update the tca microservice
+
+see Preconditions part in `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_
+This step will be automated in El-Alto, it's tracked in `TEST-168 <https://jira.onap.org/browse/TEST-168>`_
+
+Step 8. verify vFW
+==================
+
+Verify VFWCL. This step is just to verify CL functionality, which can be also verified by checking DarkStat GUI on vSINK VM <sink_ip:667>
+
+::
+
+       # demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address>
+       # e.g. where 10.8.8.5 is IP from public network dedicated to vPKG VM
+       root@tomas-infra robot]# ./demo-k8s.sh onap vfwclosedloop 10.8.8.5
+
+.. |image0| image:: images/vFWCL-dublin.jpg
+   :width: 387px
+   :height: 393px
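Review bot: The values.yaml sample in Step 1 carries concrete credentials and environment identifiers (appcPassword: "demo123456!", the openStackEncryptedPassword / openStackEncryptedPasswordHere strings, the full vnfPubKey, and the tenant, network and subnet ids). If any of these come from the lab where the exercise ran, please replace them with placeholders in the same style as <helm_charts_dir>, for example <encrypted_password>, before this lands in docs. The same applies to the inline --user 'demo@people.osaaf.org:demo123456!' in the Step 7a curl command, which also passes both -k and --insecure; these are the same option, so one can go. The literal blocks mix tabs and spaces for indentation (the two comment lines above openStackEncryptedPasswordHere under so: and so-catalog-db-adapter:, and several prompt lines in Steps 3, 6 and 7); pick one so the blocks align regardless of tab width. Smaller points: the shell prompts in Steps 6 and 8 are missing the leading "[" ("root@tomas-infra robot]#"), the second option in Step 4 reads "set mount own private key", and there are typos in "successfull", "prefered" and "quick quide".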