X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=docs%2Finstallation%2Foom.rst;h=9da566828435592cd66a146f2f7e08676b717d2a;hb=4efa6f4d27f16b6b71775925cb801bad139d982e;hp=1bdaa240dbde0391da86ba77a2d2973a7c49ef43;hpb=0c56e114555b17818d2ee03bb680f27df8158ade;p=policy%2Fparent.git diff --git a/docs/installation/oom.rst b/docs/installation/oom.rst index 1bdaa240..9da56682 100644 --- a/docs/installation/oom.rst +++ b/docs/installation/oom.rst @@ -61,8 +61,8 @@ Accessing the policy docker containers is the same as for any kubernetes contain kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash -Rebuilding and/or modifying the Policy Charts -********************************************* +Installing or Upgrading Policy +****************************** The assumption is you have cloned the charts from the OOM repository into a local directory. **Step 1** Go into local copy of OOM charts @@ -85,20 +85,44 @@ After undeploying policy, loop on monitoring the policy pods until they go away. kubectl get pods -n onap **Step 4** Delete NFS persisted data for Policy -Sudo to root if you logged in using another account such as ubuntu. .. code-block:: bash rm -fr /dockerdata-nfs/dev-policy -**Step 5** Re-Deploy Policy pods +**Step 5** Make sure there is no orphan policy database persistent volume or claim. + +First, find if there is an orphan database PV or PVC with the following commands: + +.. code-block:: bash + + kubectl get pvc -n onap | grep policy + kubectl get pv -n onap | grep policy + +If there are any orphan resources, delete them with + +.. code-block:: bash + + kubectl delete pvc + kubectl delete pv + +**Step 6** Re-Deploy Policy pods + After deploying policy, loop on monitoring the policy pods until they come up. .. code-block:: bash - helm deploy dev-policy local/onap --namespace onap + helm deploy dev-policy local/onap --namespace onap kubectl get pods -n onap +Restarting a faulty component +***************************** +Each policy component can be restarted independently by issuing the following command: + +.. code-block:: bash + + kubectl delete pod -n onap + Exposing ports ************** For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them. @@ -107,3 +131,105 @@ For security reasons, the ports for the policy containers are configured as Clus kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort +Overriding certificate stores +******************************* +Policy components package default key and trust stores that support https based communication with other +AAF-enabled ONAP components. Each store can be overridden at installation. + +To override a default keystore, the new certificate store (policy-keystore) file should be placed at the +appropriate helm chart locations below: + +* oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore drools pdp keystore override. +* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore apex pdp keystore override. +* oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore api keystore override. +* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore distribution keystore override. +* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore pap keystore override. +* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore xacml pdp keystore override. + +In the event that the truststore (policy-truststore) needs to be overriden as well, place it at the appropriate +location below: + +* oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore drools pdp truststore override. +* oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore apex pdp truststore override. +* oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore api truststore override. +* oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore distribution truststore override. +* oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore pap truststore override. +* oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore xacml pdp truststore override. + +When the keystore passwords are changed, the corresponding component configuration ([1]_) should also change: + +* oom/kubernetes/policy/charts/drools/values.yaml +* oom/kubernetes/policy-apex-pdp/resources/config/config.json +* oom/kubernetes/policy-distribution/resources/config/config.json + +This procedure is applicable to an installation that requires either AAF or non-AAF derived certificates. +The reader is refered to the AAF documentation when new AAF-compliant keystores are desired: + +* `AAF automated configuration and Certificates `_. +* `AAF Certificate Management for Dummies `_. +* `Instructional Videos `_. + +After these changes, follow the procedures in the :ref:`Installing or Upgrading Policy` section to make usage of +the new stores effective. + +Additional PDP-D Customizations +******************************* + +Credentials and other configuration parameters can be set as values +when deploying the policy (drools) subchart. Please refer to +`PDP-D Default Values `_ +for the current default values. It is strongly recommended that sensitive +information is secured appropriately before using in production. + +Additional customization can be applied to the PDP-D. Custom configuration goes under the +"resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources). +This requires rebuilding the policy subchart +(see section :ref:`Installing or Upgrading Policy`). + +Configuration is done by adding or modifying configmaps and/or secrets. +Configmaps are placed under "drools/resources/configmaps", and +secrets under "drools/resources/secrets". + +Custom configuration supportes these types of files: + +* **\*.conf** files to support additional environment configuration. +* **features\*.zip** to add additional custom features. +* **\*.pre.sh** scripts to be executed before starting the PDP-D process. +* **\*.post.sh** scripts to be executed after starting the PDP-D process. +* **policy-keystore** to override the PDP-D policy-keystore. +* **policy-truststore** to override the PDP-D policy-truststore. +* **aaf-cadi.keyfile** to override the PDP-D AAF key. +* **\*.properties** to override or add properties files. +* **\*.xml** to override or add xml configuration files. +* **\*.json** to override json configuration files. +* **\*settings.xml** to override maven repositories configuration . + +Examples +^^^^^^^^ + +To *disable AAF*, simply override the "aaf.enabled" value when deploying the helm chart +(see the OOM installation instructions mentioned above). + +To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under +"drools/resources/secrets". Modify the drools chart values.yaml with +new credentials, and follow the procedures described at +:ref:`Installing or Upgrading Policy` to redeploy the chart. + +To *disable https* for the DMaaP configuration topic, add a copy of +`engine.properties `_ +with "dmaap.source.topics.PDPD-CONFIGURATION.https" set to "false", or alternatively +create a ".pre.sh" script (see above) that edits this file before the PDP-D is +started. + +To use *noop topics* for standalone testing, add a "noop.pre.sh" script under +oom/kubernetes/policy/charts/drools/resources/configmaps/: + +.. code-block:: bash + + #!/bin/bash + sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties + + +.. rubric:: Footnotes + +.. [1] There is a limitation that store passwords are not configurable for policy-api, policy-pap, and policy-xacml-pdp.