Seed policysync container code

[dcaegen2/deployments.git] / dcae-services-policy-sync / README.md

# Policy Sync\r
This page serves as an implementation for the Policy sync container described in the [wiki](https://wiki.onap.org/display/DW/Policy+function+as+Sidecar)\r
\r
\r
Policy Sync utility is a python based utility that interfaces with the ONAP/ECOMP policy websocket and REST APIs. It is designed to keep a local listing of policies in sync with an environment's policy distribution point (PDP). It functions well as a Kubernetes sidecar container which can pull down the latest policies for consumption by an application container. \r
\r
The sync utility primarily utilizes the PDP's websocket notification API to receive policy update notifications. It also includes a periodic check of the  PDP for resilliency purposes in the event of websocket API issues. \r
\r
\r
## Build and Run\r
Easiest way to use is via docker by building the provided docker file\r
\r
```bash\r
docker build . -t policy-puller\r
```\r
\r
If you want to run it in a non containerized environment, an easy way is to use python virtual environments.\r
```bash\r
# Create a virtual environment in venv folder and activate it\r
python3 -m venv venv\r
source venv/bin/activate\r
\r
# install the utility\r
pip install .\r
\r
# Utility is now installed and usable in your virtual environment. Test it with:\r
policysync -h \r
```\r
\r
## Configuration\r
\r
Configuration is currently done via either env variables or by flag. Flags take precedence env variables, env variables take precedence over default\r
\r
### General configuration\r
General configuration that is used regardless of which PDP API you are using. \r
\r
| ENV Variable              | Flag               | Description                                  | Default                           |\r
| --------------------------| -------------------|----------------------------------------------|-----------------------------------|\r
| POLICY_SYNC_PDP_URL       | --pdp-url          | PDP URL to query                             | None (must be set in env or flag) |\r
| POLICY_SYNC_FILTER        | --filters          | yaml list of regex of policies to match      | []                                |\r
| POLICY_SYNC_ID            | --ids              | yaml list of ids of policies to match        | []                                |\r
| POLICY_SYNC_DURATION      | --duration         | duration in seconds for periodic checks      | 2600                              |\r
| POLICY_SYNC_OUTFILE       | --outfile          | File to output policies to                   | ./policies.json                   |\r
| POLICY_SYNC_PDP_USER      | --pdp-user         | Set user if you need basic auth for PDP      | None                              |\r
| POLICY_SYNC_PDP_PASS      | --pdp-password     | Set pass if you need basic auth for PDP      | None                              |\r
| POLICY_SYNC_HTTP_METRICS  | --http-metrics     | Whether to expose prometheus metrics         | True                              |  \r
| POLICY_SYNC_HTTP_BIND     | --http-bind        | host:port for exporting prometheus metrics   | localhost:8000                    |\r
| POLICY_SYNC_LOGGING_CONFIG| --logging-config   | Path to a python formatted logging file      | None (logs will write to stderr)  |\r
| POLICY_SYNC_V0_ENABLE     | --use-v0         | Set to true to enable usage of legacy v0 API   | False                             |\r
\r
### V1 Specific Configuration (Used as of the Dublin release)\r
Configurable variables used for the V1 API used in the ONAP Dublin Release.\r
\r
Note: Policy filters are not currently supported in the current policy release but will be eventually. \r
\r
| ENV Variable                     | Flag                   | Description                            | Default                      |\r
| ---------------------------------|------------------------|----------------------------------------|------------------------------|\r
| POLICY_SYNC_V1_DECISION_ENDPOINT | --v1-decision-endpoint | Endpoint to query for PDP decisions    | policy/pdpx/v1/decision      |\r
| POLICY_SYNC_V1_DMAAP_URL         | --v1-dmaap-topic       | Dmaap url with topic for notifications | None                         |\r
| POLICY_SYNC_V1_DMAAP_USER        | --v1-dmaap-user        | User to use for DMaaP notifications    | None                         |\r
| POLICY_SYNC_V1_DMAAP_PASS        | --v1-dmaap-pass        | Password to use for DMaaP notifications| None                         |\r
\r
\r
\r
### V0 Specific Configuration (Legacy Policy API)\r
Configurable variables used for the legacy V0 API Prior to the ONAP release. Only valid when --use-v0 is set to True\r
\r
\r
| ENV Variable                     | Flag                   | Description                            | Default                      |\r
| ---------------------------------|------------------------|----------------------------------------|------------------------------|\r
| POLICY_SYNC_V0_NOTIFIY_ENDPOINT  | --v0-notifiy-endpoint  | websock endpoint for pdp notifications |  pdp/notifications           |\r
| POLICY_SYNC_V0_DECISION_ENDPOINT | --v0-decision-endpoint | rest endpoint for pdp decisions        |  pdp/api                     |\r
\r
## Usage\r
\r
You can run in a pure docker setup:\r
```bash\r
# Run the container\r
docker run \r
    --env POLICY_SYNC_PDP_USER=<username> \\r
    --env POLICY_SYNC_PDP_PASS=<password> \\r
    --env POLICY_SYNC_PDP_URL=<path_to_pdp> \\r
    --env POLICY_SYNC_V1_DMAAP_URL='https://<dmaap_host>:3905/events/<dmaap_topic>' \\r
    --env POLICY_SYNC_V1_DMAAP_PASS='<user>' \\r
    --env POLICY_SYNC_V1_DMAAP_USER='<pass>' \\r
    --env POLICY_SYNC_ID=['DCAE.Config_MS_AGING_UVERSE_PROD'] \\r
    -v $(pwd)/policy-volume:/etc/policy \\r
    nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.policy-sync:1.0.0\r
```\r
\r
Or on Kubernetes: \r
```yaml\r
# policy-config-map\r
apiVersion: v1\r
kind: policy-config-map\r
metadata:\r
  name: special-config\r
  namespace: default\r
data:\r
  POLICY_SYNC_PDP_USER: myusername\r
  POLICY_SYNC_PDP_PASS: mypassword\r
  POLICY_SYNC_PDP_URL: <path_to_pdp>\r
  POLICY_SYNC_V1_DMAAP_URL: 'https://<dmaap_host>:3905/events/<dmaap_topic>' \\r
  POLICY_SYNC_V1_DMAAP_PASS: '<user>' \\r
  POLICY_SYNC_V1_DMAAP_USER: '<pass>' \\r
  POLICY_SYNC_FILTER: '["DCAE.Config_MS_AGING_UVERSE_PROD"]'\r
  \r
  \r
---\r
\r
apiVersion: v1\r
kind: Pod\r
metadata:\r
  name: Sidecar sample app\r
spec:\r
  restartPolicy: Never\r
 \r
 \r
  # The shared volume that the two containers use to communicate...empty dir for simplicity\r
  volumes:\r
  - name: policy-shared\r
    emptyDir: {}\r
 \r
  containers:\r
 \r
  # Sample app that uses inotifyd (part of busybox/alpine). For demonstration purposes only...\r
  - name: main\r
    image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.policy-sync:1.0.0\r
    volumeMounts:\r
    - name: policy-shared\r
      mountPath: /etc/policies.json\r
      subPath: policies.json\r
    # For details on what this does see: https://wiki.alpinelinux.org/wiki/Inotifyd\r
    # you can replace '-' arg below with a shell script to do more interesting\r
    cmd: [ "inotifyd", "-", "/etc/policies.json:c" ]\r
 \r
 \r
    # The sidecar app which keeps the policies in sync\r
  - name: policy-sync\r
    image: nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.policy-sync:1.0.0\r
    envFrom:\r
      - configMapRef:\r
          name: special-config\r
    \r
    volumeMounts:\r
    - name: policy-shared\r
      mountPath: /etc/policies\r
```\r
\r
\r