*************************************
vFWCL on Dublin ONAP offline platform
*************************************
|image0|
This document collects the notes we have from running the vFirewall demo on the offline Dublin platform
installed by the ONAP offline installer tool.
Overall it was much easier compared with the earlier version, however the following steps are still needed.

Some of the most relevant materials are available on the following links:

* `oom_quickstart_guide.html <https://docs.onap.org/en/dublin/submodules/oom.git/docs/oom_quickstart_guide.html>`_
* `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_
.. contents:: Table of Contents
   :depth: 2

Step 1. Preconditions - before ONAP deployment
==============================================
Understanding of the underlying OpenStack deployment is required from anyone applying these instructions.
In addition, the installation-specific location of the helm charts on the infra node must be known;
in this document it is referred to as <helm_charts_dir>.

The snippets below describe the areas that need to be configured for a successful vFWCL demo.
Pay attention to them and configure them accordingly, ideally before deployment. Note that the values
file below carries the default ONAP demo credentials together with the encrypted OpenStack passwords of
our installation; the encrypted values must be regenerated for your own OpenStack password following
the OOM quick start guide linked above.

**1) <helm_charts_dir>/onap/values.yaml**::

  #################################################################
  # Global configuration overrides.
  # !!! VIM specific entries are in APPC / Robot & SO parts !!!
  #################################################################
  global:
    # Change to an unused port prefix range to prevent port conflicts
    # with other instances running within the same k8s cluster
    nodePortPrefix: 302
    nodePortPrefixExt: 304

    # ONAP Repository
    # Uncomment the following to enable the use of a single docker
    # repository but ONLY if your repository mirrors all ONAP
    # docker images. This includes all images from dockerhub and
    # any other repository that hosts images for ONAP components.
    #repository: nexus3.onap.org:10001
    repositoryCred:
      user: docker
      password: docker

    # readiness check - temporary repo until images migrated to nexus3
    readinessRepository: oomk8s
    # logging agent - temporary repo until images migrated to nexus3
    loggingRepository: docker.elastic.co

    # image pull policy
    pullPolicy: Always

    # default mount path root directory referenced
    # by persistent volumes and log files
    persistence:
      mountPath: /dockerdata-nfs
      enableDefaultStorageclass: false
      parameters: {}
      storageclassProvisioner: kubernetes.io/no-provisioner
      volumeReclaimPolicy: Retain

    # override default resource limit flavor for all charts
    flavor: unlimited

    # flag to enable debugging - application support required
    debugEnabled: false

  #################################################################
  # Enable/disable and configure helm charts (ie. applications)
  # to customize the ONAP deployment.
  #################################################################
  aaf:
    enabled: true
  aai:
    enabled: true
  appc:
    enabled: true
    config:
      openStackType: "OpenStackProvider"
      openStackName: "OpenStack"
      openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0"
      openStackServiceTenantName: "service"
      openStackDomain: "default"
      openStackUserName: "onap-tieto"
      openStackEncryptedPassword: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558"
  cassandra:
    enabled: true
  clamp:
    enabled: true
  cli:
    enabled: true
  consul:
    enabled: true
  contrib:
    enabled: true
  dcaegen2:
    enabled: true
  pnda:
    enabled: true
  dmaap:
    enabled: true
  esr:
    enabled: true
  log:
    enabled: true
  sniro-emulator:
    enabled: true
  oof:
    enabled: true
  mariadb-galera:
    enabled: true
  msb:
    enabled: true
  multicloud:
    enabled: true
  nbi:
    enabled: true
    config:
      # openstack configuration
      openStackRegion: "Yolo"
      openStackVNFTenantId: "1234"
  nfs-provisioner:
    enabled: true
  policy:
    enabled: true
  pomba:
    enabled: true
  portal:
    enabled: true
  robot:
    enabled: true
    appcUsername: "appc@appc.onap.org"
    appcPassword: "demo123456!"
    openStackKeyStoneUrl: "http://10.20.30.40:5000"
    openStackPublicNetId: "9403ceea-0738-4908-a826-316c8541e4bb"
    openStackPublicNetworkName: "rc3-offline-network"
    openStackTenantId: "b1ce7742d956463999923ceaed71786e"
    openStackUserName: "onap-tieto"
    ubuntu14Image: "trusty"
    openStackPrivateNetId: "3c7aa2bd-ba14-40ce-8070-6a0d6a617175"
    openStackPrivateSubnetId: "2bcb9938-9c94-4049-b580-550a44dc63b3"
    openStackPrivateNetCidr: "10.0.0.0/16"
    openStackSecurityGroup: "onap_sg"
    openStackOamNetworkCidrPrefix: "10.0"
    dcaeCollectorIp: "10.8.8.22" # this IP is taken from k8s host
    vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPwF2bYm2QuqZpjuAcZDJTcFdUkKv4Hbd/3qqbxf6g5ZgfQarCi+mYnKe9G9Px3CgFLPdgkBBnMSYaAzMjdIYOEdPKFTMQ9lIF0+i5KsrXvszWraGKwHjAflECfpTAWkPq2UJUvwkV/g7NS5lJN3fKa9LaqlXdtdQyeSBZAUJ6QeCE5vFUplk3X6QFbMXOHbZh2ziqu8mMtP+cWjHNBB47zHQ3RmNl81Rjv+QemD5zpdbK/h6AahDncOY3cfN88/HPWrENiSSxLC020sgZNYgERqfw+1YhHrclhf3jrSwCpZikjl7rqKroua2LBI/yeWEta3amTVvUnR2Y7gM8kHyh Generated-by-Nova"
    demoArtifactsVersion: "1.4.0" # Dublin preferred is 1.4.0
    demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases"
    scriptVersion: "1.4.0" # Dublin preferred is 1.4.0
    rancherIpAddress: "10.8.8.8" # this IP is taken from infra node
    config:
      # instructions how to generate this value properly are in the OOM quick guide mentioned above
      openStackEncryptedPasswordHere: "f7920677e15e2678b0f33736189e8965"
  sdc:
    enabled: true
  sdnc:
    enabled: true
    replicaCount: 1
    mysql:
      replicaCount: 1
  so:
    enabled: true
    config:
      openStackUserName: "onap-tieto"
      openStackRegion: "RegionOne"
      openStackKeyStoneUrl: "http://10.20.30.40:5000"
      openStackServiceTenantName: "services"
      # instructions how to generate this value properly are in the OOM quick guide mentioned above
      openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558"
    replicaCount: 1
    liveness:
      # necessary to disable liveness probe when setting breakpoints
      # in debugger so K8s doesn't restart unresponsive container
      enabled: true
    so-catalog-db-adapter:
      config:
        openStackUserName: "onap-tieto"
        openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0"
        # instructions how to generate this value properly are in the OOM quick guide mentioned above
        openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558"
  uui:
    enabled: true
  vfc:
    enabled: true
  vid:
    enabled: true
  vnfsdk:
    enabled: true
  modeling:
    enabled: true

**2) <helm_charts_dir>/robot/resources/config/eteshare/config/vm_properties.py**::

  # the following patch is required because in Dublin the public network name is hardcoded;
  # reported in TEST-166 and fixed in El-Alto.
  # Just add the following row to the file:
  GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK = '{{ .Values.openStackPublicNetworkName }}'

Step 2. Preconditions - after ONAP deployment
=============================================
Run the HealthChecks after a successful deployment; all of them must pass.
The relevant robot scripts are under <helm_charts_dir>/oom/kubernetes/robot

::

  [root@tomas-infra robot]# ./ete-k8s.sh onap health
  61 critical tests, 61 passed, 0 failed
  61 tests total, 61 passed, 0 failed

A very useful page describing the commands for `manual checking of HC’s <https://wiki.onap.org/display/DW/Robot+Healthcheck+Tests+on+ONAP+Components#RobotHealthcheckTestsonONAPComponents-ApplicationController(APPC)Healthcheck>`_ is available on the ONAP wiki.

Step 3. Patch public network
============================
This is the last part of the correction for `TEST-166 <https://jira.onap.org/browse/TEST-166>`_ needed on the Dublin branch.
The robot resources below still carry the hardcoded public network name ``public``; replace it with the
variable injected through vm_properties.py in Step 1. Since the sed edits the running container's filesystem
rather than the chart, the edits must be repeated if the robot pod is recreated.

::

  [root@tomas-infra helm_charts]# kubectl get pods -n onap | grep robot
  onap-robot-robot-5c7c46bbf4-4zgkn   1/1   Running   0   3h15m
  [root@tomas-infra helm_charts]# kubectl exec -it onap-robot-robot-5c7c46bbf4-4zgkn bash
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/# cd /var/opt/ONAP/
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/demo_preload.robot
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/policy_check_vfw.robot
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/validate_vfw.robot

Step 4. Set private key for robot when accessing VNFs
=====================================================
This is a workaround for ticket `TEST-167 <https://jira.onap.org/browse/TEST-167>`_. As of now robot uses the following file as its private key:

*/var/opt/ONAP/robot/assets/keys/onap_dev.pvt*

One can either replace it with one's own private key, corresponding to the public key inserted into the VMs via the *vnfPubKey* parameter,

OR

mount one's own private key into the robot container and change GLOBAL_VM_PRIVATE_KEY in */var/opt/ONAP/robot/resources/global_properties.robot* to point at it.

In both cases the private key must be the counterpart of the public key configured in *vnfPubKey*; otherwise robot cannot log in to the VNF VMs.

Step 5. robot init - demo services distribution
================================================
Run the following robot script; it executes both init_customer and distribute:

::

  #  demo-k8s.sh <namespace> init
  [root@tomas-infra robot]# ./demo-k8s.sh onap init

Step 6. robot instantiateVFW
============================
The following tag drives the whole vFWCL test case. It deploys a single heat stack with 3 VMs and sets the policies and the APPC mount point needed for vFWCL to happen.

::

  # demo-k8s.sh <namespace> instantiateVFW
  [root@tomas-infra robot]# ./demo-k8s.sh onap instantiateVFW

Step 7. fix CloseLoopName in tca microservice
=============================================
In the Dublin scope the tca microservice is configured with hardcoded entries from `tcaSpec.json <https://gerrit.onap.org/r/gitweb?p=dcaegen2/analytics/tca.git;a=blob;f=dpo/tcaSpec.json;h=8e69c068ea47300707b8131fbc8d71e9a47af8a2;hb=HEAD#l278>`_.
The instantiateVFW robot tag updates the operational policy with a freshly generated closed-loop name, so afterwards the
CloseLoopName in tca must be changed to match the value generated in the policy. This is done in two parts:

a) get the correct value

::

  # run from inside the drools container; in Dublin the drools port is not mapped to the k8s host
  curl -k --silent --user 'demo@people.osaaf.org:demo123456!' -X GET https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops

  # alternatively the same value can be obtained from the telemetry console in the drools container
  telemetry
  https://localhost:9696/policy/pdp/engine> cd controllers/usecases/drools/facts/usecases/controlloops
  https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops> get
  HTTP/1.1 200 OK
  Content-Length: 62
  Content-Type: application/json
  Date: Tue, 25 Jun 2019 07:18:56 GMT
  Server: Jetty(9.4.14.v20181114)

  [
      "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c"
  ]

b) update the tca microservice

See the Preconditions part in `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_.

This step will be automated in El-Alto; it is tracked in `TEST-168 <https://jira.onap.org/browse/TEST-168>`_.
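The two parts above are easy to get wrong by hand: the Drools reply may list more than one loop, and in the tca configuration the ``tca_policy`` document is embedded as a JSON string, so a text edit of the outer document tends to miss or corrupt the escaped inner JSON. The following script is an added example written for this page, not ONAP code and not the automation tracked in TEST-168. It assumes the Drools reply is a JSON array of loop names as shown above, and that the tca application config is a JSON document whose ``tca_policy`` entry is a JSON string holding thresholds with a ``closedLoopControlName`` field (layout assumed from tcaSpec.json; the sample config is constructed, the stale name is a placeholder). Feed it the output of the curl command and the current tca config, and push the returned document back with the procedure from docs_vfw.html.

```python
"""Sync the vFW closed-loop name from the Drools PDP into the tca config.

Added example for this page (not ONAP code). Assumptions:
  * the Drools controlloops reply is a JSON array of closed-loop names;
  * the tca app config is JSON whose "tca_policy" entry is itself a JSON
    string containing thresholds with a "closedLoopControlName" field
    (layout assumed from tcaSpec.json; the sample below is constructed).
"""
import json
from typing import Any, Iterator, List, Tuple

CL_PREFIX = "ControlLoop-vFirewall-"

# Constructed sample of the Drools reply (same shape as the telemetry output above).
DROOLS_REPLY = '["ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c"]'

# Constructed, trimmed tca app config; the stale loop name is a placeholder.
STALE_NAME = "ControlLoop-vFirewall-00000000-0000-0000-0000-000000000000"
_TCA_POLICY = {
    "domain": "measurementsForVfScaling",
    "metricsPerEventName": [{
        "eventName": "vFirewallBroadcastPackets",
        "controlLoopSchemaType": "VNF",
        "thresholds": [
            {"closedLoopControlName": STALE_NAME, "thresholdValue": 300,
             "direction": "LESS_OR_EQUAL", "severity": "MAJOR"},
            {"closedLoopControlName": STALE_NAME, "thresholdValue": 700,
             "direction": "GREATER_OR_EQUAL", "severity": "CRITICAL"},
        ],
    }],
}
TCA_APP_CONFIG = json.dumps({"tca_policy": json.dumps(_TCA_POLICY)})


def pick_vfw_closed_loop_name(drools_reply: str) -> str:
    """Return the single vFirewall loop name from the Drools reply.

    Fails loudly on zero or several candidates instead of guessing: a wrong
    name silently breaks the loop because TCA events never match the policy.
    """
    names = json.loads(drools_reply)
    if not isinstance(names, list):
        raise ValueError("expected a JSON array of closed-loop names")
    vfw = [n for n in names if isinstance(n, str) and n.startswith(CL_PREFIX)]
    if len(vfw) != 1:
        raise ValueError(f"expected exactly one vFirewall loop, got {vfw}")
    return vfw[0]


def _name_slots(node: Any) -> Iterator[Tuple[dict, str]]:
    """Yield every (dict, key) pair holding a closedLoopControlName, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "closedLoopControlName":
                yield node, key
            else:
                yield from _name_slots(value)
    elif isinstance(node, list):
        for item in node:
            yield from _name_slots(item)


def _load_policy(config: dict) -> Tuple[Any, bool]:
    """Return (tca_policy object, was_embedded_as_string)."""
    policy = config.get("tca_policy")
    if policy is None:
        raise ValueError("no tca_policy entry in tca app config")
    if isinstance(policy, str):          # the usual case: JSON inside JSON
        return json.loads(policy), True
    return policy, False


def closed_loop_names_in(app_config_json: str) -> List[str]:
    """List every closedLoopControlName in the config, for before/after checks."""
    policy, _ = _load_policy(json.loads(app_config_json))
    return [holder[key] for holder, key in _name_slots(policy)]


def update_tca_app_config(app_config_json: str, new_name: str) -> Tuple[str, int]:
    """Return (updated config JSON, number of names changed); idempotent."""
    config = json.loads(app_config_json)
    policy, embedded = _load_policy(config)
    changed = 0
    for holder, key in list(_name_slots(policy)):
        if holder[key] != new_name:
            holder[key] = new_name
            changed += 1
    # Re-embed as a string only if that is how the config stored it.
    config["tca_policy"] = json.dumps(policy) if embedded else policy
    return json.dumps(config, indent=2), changed


if __name__ == "__main__":
    name = pick_vfw_closed_loop_name(DROOLS_REPLY)
    updated, count = update_tca_app_config(TCA_APP_CONFIG, name)
    print(f"replaced {count} closedLoopControlName value(s) with {name}")
    print(updated)
```

Run ``closed_loop_names_in`` on the config before and after the update: before, every entry should be the stale hardcoded name; after, every entry must equal the name returned by Drools, and a second run must report zero changes.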
Step 8. verify vFW
==================
Verify vFWCL. This step only verifies the closed-loop functionality, which can also be checked in the DarkStat GUI on the vSINK VM (http://<sink_ip>:667).

::

  # demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address>
  # e.g. where 10.8.8.5 is the IP from the public network dedicated to the vPKG VM
  [root@tomas-infra robot]# ./demo-k8s.sh onap vfwclosedloop 10.8.8.5

.. |image0| image:: images/vFWCL-dublin.jpg
   :width: 387px
   :height: 393px