X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=docs%2Finstallation%2Foom.rst;h=8485bb74332ad599df3e215b715402f6a3992f68;hb=a4ca8c2419ca088808d33a7ec93128c2d935c1e0;hp=a22d7b7eec19f4544f569e10f6a871727fe977c9;hpb=5fc2fdb0eebfec733acbc26dc9ab933279ea2c83;p=policy%2Fparent.git

diff --git a/docs/installation/oom.rst b/docs/installation/oom.rst
index a22d7b7e..8485bb74 100644
--- a/docs/installation/oom.rst
+++ b/docs/installation/oom.rst
@@ -9,8 +9,211 @@ Policy OOM Installation
 .. contents::
     :depth: 2
 
+Policy OOM Charts
+*****************
+The policy K8S charts are located in the `OOM repository <https://gerrit.onap.org/r/gitweb?p=oom.git;a=tree;f=kubernetes/policy;h=78576c7a0d30cb87054e9776326cdde20986e6e3;hb=refs/heads/master>`_.
 
+Please refer to the OOM documentation on how to install and deploy ONAP.
 
+Policy Pods
+***********
+To get a listing of the Policy Pods, run the following command:
 
-End of Document
+.. code-block:: bash
 
+  kubectl get pods -n onap | grep dev-policy
+
+  dev-policy-59684c7b9c-5gd6r                        2/2     Running            0          8m41s
+  dev-policy-apex-pdp-0                              1/1     Running            0          8m41s
+  dev-policy-api-56f55f59c5-nl5cg                    1/1     Running            0          8m41s
+  dev-policy-distribution-54cc59b8bd-jkg5d           1/1     Running            0          8m41s
+  dev-policy-mariadb-0                               1/1     Running            0          8m41s
+  dev-policy-xacml-pdp-765c7d58b5-l6pr7              1/1     Running            0          8m41s
+
+.. note::
+   To get a listing of the Policy services, run this command:
+   kubectl get svc -n onap | grep policy
+
+Accessing Policy Containers
+***************************
+Accessing the policy docker containers is the same as for any kubernetes container. Here is an example:
+
+.. code-block:: bash
+
+  kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash
+
+Installing or Upgrading Policy
+******************************
+The assumption is you have cloned the charts from the OOM repository into a local directory.
+
+**Step 1** Go into local copy of OOM charts
+
+From your local copy, edit any of the values.yaml files in the policy tree to make desired changes.
+
+**Step 2** Build the charts
+
+.. code-block:: bash
+
+  make policy
+  make SKIP_LINT=TRUE onap
+
+.. note::
+   SKIP_LINT is only to reduce the "make" time
+
+**Step 3** Undeploy Policy
+After undeploying policy, loop on monitoring the policy pods until they go away.
+
+.. code-block:: bash
+
+  helm del --purge dev-policy
+  kubectl get pods -n onap | grep dev-policy
+
+**Step 4** Delete NFS persisted data for Policy
+
+.. code-block:: bash
+
+  rm -fr /dockerdata-nfs/dev/policy
+
+**Step 5** Make sure there is no orphan policy database persistent volume or claim.
+
+First, find if there is an orphan database PV or PVC with the following commands:
+
+.. code-block:: bash
+
+  kubectl get pvc -n onap | grep policy
+  kubectl get pv -n onap | grep policy
+
+If there are any orphan resources, delete them with
+
+.. code-block:: bash
+
+    kubectl delete pvc <orphan-policy-mariadb-resource>
+    kubectl delete pv <orphan-policy-mariadb-resource>
+
+**Step 6** Re-Deploy Policy pods
+
+After deploying policy, loop on monitoring the policy pods until they come up.
+
+.. code-block:: bash
+
+  helm deploy dev-policy local/onap --namespace onap
+  kubectl get pods -n onap | grep dev-policy
+
+Restarting a faulty component
+*****************************
+Each policy component can be restarted independently by issuing the following command:
+
+.. code-block:: bash
+
+    kubectl delete pod <policy-pod> -n onap
+
+Exposing ports
+**************
+For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them.
+
+.. code-block:: bash
+
+  kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort
+
+Overriding certificate stores
+*******************************
+Policy components package default key and trust stores that support https based communication with other
+AAF-enabled ONAP components.  Each store can be overridden at installation.
+
+To override a default keystore, the new certificate store (policy-keystore) file should be placed at the
+appropriate helm chart locations below:
+
+* oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore drools pdp keystore override.
+* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore apex pdp keystore override.
+* oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore api keystore override.
+* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore distribution keystore override.
+* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore pap keystore override.
+* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore xacml pdp keystore override.
+
+In the event that the truststore (policy-truststore) needs to be overriden as well, place it at the appropriate
+location below:
+
+* oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore drools pdp truststore override.
+* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore apex pdp truststore override.
+* oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore api truststore override.
+* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore distribution truststore override.
+* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore pap truststore override.
+* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore xacml pdp truststore override.
+
+When the keystore passwords are changed, the corresponding component configuration ([1]_) should also change:
+
+* oom/kubernetes/policy/charts/drools/values.yaml
+* oom/kubernetes/policy-apex-pdp/resources/config/config.json
+* oom/kubernetes/policy-distribution/resources/config/config.json
+
+This procedure is applicable to an installation that requires either AAF or non-AAF derived certificates.
+The reader is refered to the AAF documentation when new AAF-compliant keystores are desired:
+
+* `AAF automated configuration and Certificates <https://docs.onap.org/projects/onap-aaf-authz/en/latest/sections/configuration/AAF_4.1_config.html#typical-onap-entity-info-in-aaf>`_.
+* `AAF Certificate Management for Dummies <https://wiki.onap.org/display/DW/AAF+Certificate+Management+for+Dummies>`_.
+* `Instructional Videos <https://wiki.onap.org/display/DW/Instructional+Videos>`_.
+
+After these changes, follow the procedures in the :ref:`Installing or Upgrading Policy` section to make usage of
+the new stores effective.
+
+Additional PDP-D Customizations
+*******************************
+
+Credentials and other configuration parameters can be set as values
+when deploying the policy (drools) subchart.  Please refer to
+`PDP-D Default Values <https://git.onap.org/oom/tree/kubernetes/policy/components/policy-drools-pdp/values.yaml>`_
+for the current default values.  It is strongly recommended that sensitive
+information is secured appropriately before using in production.
+
+Additional customization can be applied to the PDP-D.  Custom configuration goes under the
+"resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources).
+This requires rebuilding the policy subchart
+(see section :ref:`Installing or Upgrading Policy`).
+
+Configuration is done by adding or modifying configmaps and/or secrets.
+Configmaps are placed under "drools/resources/configmaps", and
+secrets under "drools/resources/secrets".
+
+Custom configuration supportes these types of files:
+
+* **\*.conf** files to support additional environment configuration.
+* **features\*.zip** to add additional custom features.
+* **\*.pre.sh** scripts to be executed before starting the PDP-D process.
+* **\*.post.sh** scripts to be executed after starting the PDP-D process.
+* **policy-keystore** to override the PDP-D policy-keystore.
+* **policy-truststore** to override the PDP-D policy-truststore.
+* **aaf-cadi.keyfile** to override the PDP-D AAF key.
+* **\*.properties** to override or add properties files.
+* **\*.xml** to override or add xml configuration files.
+* **\*.json** to override json configuration files.
+* **\*settings.xml** to override maven repositories configuration .
+
+Examples
+^^^^^^^^
+
+To *disable AAF*, simply override the "aaf.enabled" value when deploying the helm chart
+(see the OOM installation instructions mentioned above).
+
+To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under
+"drools/resources/secrets".  Modify the drools chart values.yaml with
+new credentials, and follow the procedures described at
+:ref:`Installing or Upgrading Policy` to redeploy the chart.
+
+To *disable https* for the DMaaP configuration topic, add a copy of
+`engine.properties <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server/config/engine.properties>`_
+with "dmaap.source.topics.PDPD-CONFIGURATION.https" set to "false", or alternatively
+create a ".pre.sh" script (see above) that edits this file before the PDP-D is
+started.
+
+To use *noop topics* for standalone testing, add a "noop.pre.sh" script under
+oom/kubernetes/policy/charts/drools/resources/configmaps/:
+
+.. code-block:: bash
+
+    #!/bin/bash
+    sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties
+
+
+.. rubric:: Footnotes
+
+.. [1] There is a limitation that store passwords are not configurable for policy-api, policy-pap, and policy-xacml-pdp.