X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=docs%2Finstallation%2Foom.rst;h=30efdbe76df059686b770af8138c1f54ba2bba7c;hb=688a2dd3a681c28ac48ad737316c2dc1dff08526;hp=44588df97af9840876c35ebd3414893ae80afafd;hpb=c8cccc73f72f97f8cc3e8a70aed7bca2f5c3e384;p=policy%2Fparent.git diff --git a/docs/installation/oom.rst b/docs/installation/oom.rst index 44588df9..30efdbe7 100644 --- a/docs/installation/oom.rst +++ b/docs/installation/oom.rst @@ -21,37 +21,18 @@ To get a listing of the Policy Pods, run the following command: .. code-block:: bash - kubectl get pods | grep policy - - brmsgw ClusterIP 10.43.77.177 9989/TCP 5d15h app=brmsgw,release=dev-policy - drools ClusterIP 10.43.167.154 6969/TCP,9696/TCP 5d15h app=drools,release=dev-policy - nexus ClusterIP 10.43.239.92 8081/TCP 5d15h app=nexus,release=dev-policy - pap NodePort 10.43.207.229 8443:30219/TCP,9091:30218/TCP 5d15h app=pap,release=dev-policy - pdp ClusterIP None 8081/TCP 5d15h app=pdp,release=dev-policy - policy-apex-pdp ClusterIP 10.43.226.0 6969/TCP 5d15h app=policy-apex-pdp,release=dev-policy - policy-api ClusterIP 10.43.102.56 6969/TCP 5d15h app=policy-api,release=dev-policy - policy-distribution ClusterIP 10.43.4.211 6969/TCP 5d15h app=policy-distribution,release=dev-policy - policy-pap ClusterIP 10.43.175.164 6969/TCP 5d15h app=policy-pap,release=dev-policy - policy-xacml-pdp ClusterIP 10.43.181.208 6969/TCP 5d15h app=policy-xacml-pdp,release=dev-policy - policydb ClusterIP 10.43.93.233 3306/TCP 5d15h app=policydb,release=dev-policy - -Some of these pods are shared between the legacy components and the latest framework components, while others are not. - -.. csv-table:: - :header: "Policy Pod", "Latest Framework", "Legacy" - :widths: 15,10,10 - - "brmsgw", "", "yes" - "drools", "yes", "yes" - "nexus", "yes", "yes" - "pap", "", "yes" - "pdp", "", "yes" - "policy-apex-pdp", "yes", "" - "policy-api", "yes", "" - "policy-distribution", "yes", "yes" - "policy-pap", "yes", "" - "policy-xacml-pdp", "yes", "" - "policydb", "yes", "yes" + kubectl get pods -n onap | grep dev-policy + + dev-policy-59684c7b9c-5gd6r 2/2 Running 0 8m41s + dev-policy-apex-pdp-0 1/1 Running 0 8m41s + dev-policy-api-56f55f59c5-nl5cg 1/1 Running 0 8m41s + dev-policy-distribution-54cc59b8bd-jkg5d 1/1 Running 0 8m41s + dev-policy-mariadb-0 1/1 Running 0 8m41s + dev-policy-xacml-pdp-765c7d58b5-l6pr7 1/1 Running 0 8m41s + +.. note:: + To get a listing of the Policy services, run this command: + kubectl get svc -n onap | grep policy Accessing Policy Containers *************************** @@ -61,6 +42,8 @@ Accessing the policy docker containers is the same as for any kubernetes contain kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash +.. _install-upgrade-policy-label: + Installing or Upgrading Policy ****************************** The assumption is you have cloned the charts from the OOM repository into a local directory. @@ -69,41 +52,73 @@ The assumption is you have cloned the charts from the OOM repository into a loca From your local copy, edit any of the values.yaml files in the policy tree to make desired changes. +The policy schema will be installed automatically as part of the database configuration using ``db-migrator``. +By default the policy schema is upgraded to the latest version. +For more information on how to change the ``db-migrator`` setup please see +:ref:`Using Policy DB Migrator `. + **Step 2** Build the charts .. code-block:: bash make policy - make onap + make SKIP_LINT=TRUE onap + +.. note:: + SKIP_LINT is only to reduce the "make" time **Step 3** Undeploy Policy After undeploying policy, loop on monitoring the policy pods until they go away. .. code-block:: bash - helm del --purge dev-policy - kubectl get pods -n onap + helm undeploy dev-policy + kubectl get pods -n onap | grep dev-policy -**Step 4** Delete NFS persisted data for Policy -Sudo to root if you logged in using another account such as ubuntu. -.. code-block:: bash - - rm -fr /dockerdata-nfs/dev-policy +**Step 4** Re-Deploy Policy pods -**Step 5** Re-Deploy Policy pods After deploying policy, loop on monitoring the policy pods until they come up. .. code-block:: bash helm deploy dev-policy local/onap --namespace onap - kubectl get pods -n onap + kubectl get pods -n onap | grep dev-policy + +.. note:: + If you want to purge the existing data and start with a clean install, + please follow these steps after undeploying: + + **Step 1** Delete NFS persisted data for Policy + + .. code-block:: bash + + rm -fr /dockerdata-nfs/dev/policy + + **Step 2** Make sure there is no orphan policy database persistent volume or claim. + + First, find if there is an orphan database PV or PVC with the following commands: + + .. code-block:: bash + + kubectl get pvc -n onap | grep policy + kubectl get pv -n onap | grep policy + + If there are any orphan resources, delete them with + + .. code-block:: bash + + kubectl delete pvc + kubectl delete pv + Restarting a faulty component ***************************** Each policy component can be restarted independently by issuing the following command: -kubectl delete pod -n onap +.. code-block:: bash + + kubectl delete pod -n onap Exposing ports ************** @@ -114,32 +129,44 @@ For security reasons, the ports for the policy containers are configured as Clus kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort Overriding certificate stores -******************************* -Each policy component keystore and or truststore can be overriden. The procedure will be applicable -to an installation that requires certificates other than the pre-packaged AAF derived ones -that come with the official ONAP distribution. +***************************** +Policy components package default key and trust stores that support https based communication with other +AAF-enabled ONAP components. Each store can be overridden at installation. To override a default keystore, the new certificate store (policy-keystore) file should be placed at the appropriate helm chart locations below: -* **oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore** drools pdp keystore override. -* **oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore** apex pdp keystore override. -* **oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore** api keystore override. -* **oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore** distribution keystore override. -* **oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore** pap keystore override. -* **oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore** xacml pdp keystore override. +* oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore drools pdp keystore override. +* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore apex pdp keystore override. +* oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore api keystore override. +* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore distribution keystore override. +* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore pap keystore override. +* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore xacml pdp keystore override. In the event that the truststore (policy-truststore) needs to be overriden as well, place it at the appropriate location below: -* **oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore** drools pdp truststore override. -* **oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore** apex pdp truststore override. -* **oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore** api truststore override. -* **oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore** distribution truststore override. -* **oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore** pap truststore override. -* **oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore** xacml pdp truststore override. +* oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore drools pdp truststore override. +* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore apex pdp truststore override. +* oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore api truststore override. +* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore distribution truststore override. +* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore pap truststore override. +* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore xacml pdp truststore override. + +When the keystore passwords are changed, the corresponding component configuration ([1]_) should also change: + +* oom/kubernetes/policy/charts/drools/values.yaml +* oom/kubernetes/policy-apex-pdp/resources/config/config.json +* oom/kubernetes/policy-distribution/resources/config/config.json + +This procedure is applicable to an installation that requires either AAF or non-AAF derived certificates. +The reader is refered to the AAF documentation when new AAF-compliant keystores are desired: -After these changes, follow the procedures in the :ref:`Installing or Upgrading Policy` section to make usage of +* `AAF automated configuration and Certificates `_. +* `AAF Certificate Management for Dummies `_. +* `Instructional Videos `_. + +After these changes, follow the procedures in the :ref:`install-upgrade-policy-label` section to make usage of the new stores effective. Additional PDP-D Customizations @@ -147,14 +174,14 @@ Additional PDP-D Customizations Credentials and other configuration parameters can be set as values when deploying the policy (drools) subchart. Please refer to -`PDP-D Default Values `_ +`PDP-D Default Values `_ for the current default values. It is strongly recommended that sensitive information is secured appropriately before using in production. Additional customization can be applied to the PDP-D. Custom configuration goes under the "resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources). This requires rebuilding the policy subchart -(see section :ref:`Rebuilding and/or modifying the Policy Charts`). +(see section :ref:`install-upgrade-policy-label`). Configuration is done by adding or modifying configmaps and/or secrets. Configmaps are placed under "drools/resources/configmaps", and @@ -170,6 +197,9 @@ Custom configuration supportes these types of files: * **policy-truststore** to override the PDP-D policy-truststore. * **aaf-cadi.keyfile** to override the PDP-D AAF key. * **\*.properties** to override or add properties files. +* **\*.xml** to override or add xml configuration files. +* **\*.json** to override json configuration files. +* **\*settings.xml** to override maven repositories configuration . Examples ^^^^^^^^ @@ -180,10 +210,23 @@ To *disable AAF*, simply override the "aaf.enabled" value when deploying the hel To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under "drools/resources/secrets". Modify the drools chart values.yaml with new credentials, and follow the procedures described at -:ref:`Rebuilding and/or modifying the Policy Charts` to redeploy the chart. +:ref:`install-upgrade-policy-label` to redeploy the chart. To *disable https* for the DMaaP configuration topic, add a copy of `engine.properties `_ with "dmaap.source.topics.PDPD-CONFIGURATION.https" set to "false", or alternatively create a ".pre.sh" script (see above) that edits this file before the PDP-D is started. + +To use *noop topics* for standalone testing, add a "noop.pre.sh" script under +oom/kubernetes/policy/charts/drools/resources/configmaps/: + +.. code-block:: bash + + #!/bin/bash + sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties + + +.. rubric:: Footnotes + +.. [1] There is a limitation that store passwords are not configurable for policy-api, policy-pap, and policy-xacml-pdp.