linkcheck_ignore = [
+ "https://istio-release.storage.googleapis.com/charts",
r'http://localhost:\d+/'
]
.. http://creativecommons.org/licenses/by/4.0
.. Copyright (C) 2022 Nordix Foundation
+.. Links
+.. _Kubernetes LoadBalancer: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+.. _Kubernetes NodePort: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+
.. _oom_access_info_guide:
OOM Access Info
----------------
+###############
.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png
:align: right
+Access via NodePort/Loadbalancer
+********************************
+
+The ONAP deployment created by OOM operates in a private IP network that isn't
+publicly accessible (i.e. OpenStack VMs with private internal network) which
+blocks access to the ONAP User Interfaces.
+To enable direct access to a service from a user's own environment (a laptop etc.)
+the application's internal port is exposed through a `Kubernetes NodePort`_ or
+`Kubernetes LoadBalancer`_ object.
+
+Typically, to be able to access the Kubernetes nodes publicly a public address
+is assigned. In OpenStack this is a floating IP address.
+
+Most ONAP applications use the `NodePort` as predefined `service:type`,
+which opens allows access to the service through the the IP address of each
+Kubernetes node.
+When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ object
+which gets a separate IP address.
+
+.. note::
+ The following example uses the `ONAP Portal`, which is not actively maintained
+ in Kohn and will be replaced in the future
+
+When e.g. the `portal-app` chart is deployed a Kubernetes service is created that
+instantiates a load balancer. The LB chooses the private interface of one of
+the nodes as in the example below (10.0.0.4 is private to the K8s cluster only).
+Then to be able to access the portal on port 8989 from outside the K8s &
+OpenStack environment, the user needs to assign/get the floating IP address that
+corresponds to the private IP as follows::
+
+ > kubectl -n onap get services|grep "portal-app"
+ portal-app LoadBalancer 10.43.142.201 10.0.0.4 8989:30215/TCP,8006:30213/TCP,8010:30214/TCP 1d app=portal-app,release=dev
+
+
+In this example, use the 11.0.0.4 private address as a key find the
+corresponding public address which in this example is 10.12.6.155. If you're
+using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI
+for your tenant (openstack server list). That IP is then used in your
+`/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown
+below::
+
+ 10.12.6.155 portal.api.simpledemo.onap.org
+ 10.12.6.155 vid.api.simpledemo.onap.org
+ 10.12.6.155 sdc.api.fe.simpledemo.onap.org
+ 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org
+ 10.12.6.155 sdc.dcae.plugin.simpledemo.onap.org
+ 10.12.6.155 portal-sdk.simpledemo.onap.org
+ 10.12.6.155 policy.api.simpledemo.onap.org
+ 10.12.6.155 aai.api.sparky.simpledemo.onap.org
+ 10.12.6.155 cli.api.simpledemo.onap.org
+ 10.12.6.155 msb.api.discovery.simpledemo.onap.org
+ 10.12.6.155 msb.api.simpledemo.onap.org
+ 10.12.6.155 clamp.api.simpledemo.onap.org
+ 10.12.6.155 so.api.simpledemo.onap.org
+ 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org
+
+Ensure you've disabled any proxy settings the browser you are using to access
+the portal and then simply access now the new ssl-encrypted URL:
+``https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm``
+
+.. note::
+ Using the HTTPS based Portal URL the Browser needs to be configured to accept
+ unsecure credentials.
+ Additionally when opening an Application inside the Portal, the Browser
+ might block the content, which requires to disable the blocking and reloading
+ of the page
+
+.. note::
+ Besides the ONAP Portal the Components can deliver additional user interfaces,
+ please check the Component specific documentation.
+
+.. note::
+
+ | Alternatives Considered:
+
+ - Kubernetes port forwarding was considered but discarded as it would
+ require the end user to run a script that opens up port forwarding tunnels
+ to each of the pods that provides a portal application widget.
+
+ - Reverting to a VNC server similar to what was deployed in the Amsterdam
+ release was also considered but there were many issues with resolution,
+ lack of volume mount, /etc/hosts dynamic update, file upload that were
+ a tall order to solve in time for the Beijing release.
+
+ Observations:
+
+ - If you are not using floating IPs in your Kubernetes deployment and
+ directly attaching a public IP address (i.e. by using your public provider
+ network) to your K8S Node VMs' network interface, then the output of
+ 'kubectl -n onap get services | grep "portal-app"'
+ will show your public IP instead of the private network's IP. Therefore,
+ you can grab this public IP directly (as compared to trying to find the
+ floating IP first) and map this IP in /etc/hosts.
+
Some relevant information regarding accessing OOM from outside the cluster etc
+ONAP Nodeports
+==============
+
+NodePorts are used to allow client applications, that run outside of
+Kubernetes, access to ONAP components deployed by OOM.
+A NodePort maps an externally reachable port to an internal port of an ONAP
+microservice.
+It should be noted that the use of NodePorts is temporary.
+An alternative solution based on Ingress Controller, which initial support is
+already in place. It is planned to become a default deployment option in the
+London release.
+
+More information from official Kubernetes documentation about
+`Kubernetes NodePort`_.
+
+The following table lists all the NodePorts used by ONAP.
+
+.. csv-table:: NodePorts table
+ :file: ../../resources/csv/nodeports.csv
+ :widths: 20,20,20,20,20
+ :header-rows: 1
+
+
+This table retrieves information from the ONAP deployment using the following
+Kubernetes command:
+
+.. code-block:: bash
+
+ kubectl get svc -n onap -o go-template='{{range .items}}{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{.}}{{"\n"}}{{end}}{{end}}{{end}}'
+
+
+(Optional) Access via Ingress
+*****************************
+
+Using Ingress as access method requires the installation of an Ingress
+controller and the configuration of the ONAP deployment to use it.
+
+For "ONAP on ServiceMesh" you can find the instructions in:
+
+- :ref:`oom_base_optional_addons`
+- :ref:`oom_customize_overrides`
+
+In the ServiceMesh deployment the Istio IngressGateway is the only access point
+for ONAP component interfaces.
+Usually the Ingress is accessed via a LoadBalancer IP (<ingress-IP>),
+which is used as central address.
+All APIs/UIs are provided via separate URLs which are routed to the component service.
+To use these URLs they need to be resolvable via DNS or via /etc/hosts.
+
+The domain name is usually defined in the `global` section of the ONAP helm-charts,
+`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of
+the service (e.g. "sdc-fe-ui") is defined in the component's chart.
+
+.. code-block:: none
-.. toctree::
- :maxdepth: 1
+ <ingress-IP> kiali.simpledemo.onap.org
+ <ingress-IP> cds-ui.simpledemo.onap.org
+ <ingress-IP> sdc-fe-ui.simpledemo.onap.org
+ ...
- oom_ingress_access.rst
+To access e.g. the SDC UI now the new ssl-encrypted URL:
+``https://sdc-fe-ui.simpledemo.onap.org/sdc1``
+++ /dev/null
-.. This work is licensed under a Creative Commons Attribution 4.0
-.. International License.
-.. http://creativecommons.org/licenses/by/4.0
-.. Copyright (C) 2022 Nordix Foundation
-
-.. Links
-
-
-.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png
- :align: right
-
-.. _oom_ingress_access:
-
-
-Ingress access to OOM
-#####################
-
-TBD
Enabling/Disabling Components
------------------------------
+*****************************
Here is an example of the nominal entries that need to be provided.
Different values files are available for different contexts.
|
-Some other heading
-------------------
-adva
\ No newline at end of file
+(Optional) "ONAP on Service Mesh"
+*********************************
+
+To enable "ONAP on Service Mesh" both "ServiceMesh" and "Ingress"
+configuration entries need to be configured before deployment.
+
+Global settings relevant for ServiceMesh:
+
+.. code-block:: yaml
+
+ global:
+ ingress:
+ # generally enable ingress for ONAP components
+ enabled: false
+ # enable all component's Ingress interfaces
+ enable_all: false
+ # default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
+ virtualhost:
+ baseurl: "simpledemo.onap.org"
+ # All http requests via ingress will be redirected on Ingress controller
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ namespace: istio-ingress
+ ...
+ serviceMesh:
+ enabled: true
+ tls: true
+ # be aware that linkerd is not well tested
+ engine: "istio" # valid value: istio or linkerd
+ aafEnabled: false
+ cmpv2Enabled: false
+ tlsEnabled: false
+ msbEnabled: false
+
+ServiceMesh settings:
+
+- enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment)
+- tls: true → enables mTLS encryption in Sidecar communication
+- engine: istio → sets the SM engine (currently only Istio is supported)
+- aafEnabled: false → disables AAF usage for TLS interfaces
+- tlsEnabled: false → disables creation of TLS in component services
+- cmpv2Enabled: false → disable cmpv2 feature
+- msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend)
+
+Ingress settings:
+
+- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)
+- enable_all: true → enables Ingress configuration in each component
+- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components,
+ resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride
+- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)
+- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret
+- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
+
+.. note::
+ For "ONAP on Istio" an example override file (`onap-all-ingress-istio.yaml`)
+ can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
.. Links
.. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#readme
+.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456
+.. _Istio best practices: https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/namespaces/
+.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/
+.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/
.. _oom_base_optional_addons:
- To install prometheus, execute the following, replacing the <recommended-pm-version> with the version defined in the :ref:`versions_table` table::
> helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version=<recommended-pm-version>
+
+ONAP on Service Mesh
+********************
+
+.. warning::
+ "ONAP on Service Mesh" is not fully supported in "Kohn". Full support is
+ planned for London release to support the
+ `ONAP Next Generation Security & Logging Structure`_
+
+.. figure:: ../../resources/images/servicemesh/ServiceMesh.png
+ :align: center
+
+ONAP is currenty planned to support Istio as default ServiceMesh platform.
+Therefor the following instructions describe the setup of Istio and required tools.
+Used `Istio best practices`_ and `Istio setup guide`_
+
+Istio Platform Installation
+===========================
+
+Install Istio Basic Platform
+----------------------------
+
+- Configure the Helm repository::
+
+ > helm repo add istio https://istio-release.storage.googleapis.com/charts
+
+ > helm repo update
+
+- Create a namespace for "mesh-level" configurations::
+
+ > kubectl create namespace istio-config
+
+- Create a namespace istio-system for Istio components::
+
+ > kubectl create namespace istio-system
+
+- Install the Istio Base chart which contains cluster-wide resources used by the
+ Istio control plane, replacing the <recommended-istio-version> with the version
+ defined in the :ref:`versions_table` table::
+
+ > helm upgrade -i istio-base istio/base -n istio-system --version <recommended-istio-version>
+
+- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the
+ <recommended-istio-version> with the version defined in the :ref:`versions_table` table
+ (enable the variable to enforce the (sidecar) proxy startup before the container start)::
+
+ > helm upgrade -i istiod istio/istiod -n istio-system --version <recommended-istio-version>
+ --wait --set global.proxy.holdApplicationUntilProxyStarts=true --set meshConfig.rootNamespace=istio-config
+
+Add an EnvoyFilter for HTTP header case
+---------------------------------------
+
+When handling HTTP/1.1, Envoy will normalize the header keys to be all lowercase.
+While this is compliant with the HTTP/1.1 spec, in practice this can result in issues
+when migrating existing systems that might rely on specific header casing.
+In our case a problem was detected in the SDC client implementation, which relies on
+uppercase header values. To solve this problem in general we add a EnvoyFilter to keep
+the uppercase header in the istio-config namespace to apply for all namespaces, but
+set the context to SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and Services
+
+- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml)
+
+ .. collapse:: envoyfilter-case.yaml
+
+ .. include:: ../../resources/yaml/envoyfilter-case.yaml
+ :code: yaml
+
+- Apply the change to Istio::
+
+ > kubectl apply -f envoyfilter-case.yaml
+
+Install Istio Gateway
+---------------------
+
+- Create a namespace istio-ingress for the Istio Ingress gateway
+ and enable istio-injection::
+
+ > kubectl create namespace istio-ingress
+
+ > kubectl label namespace istio-ingress istio-injection=enabled
+
+- Install the Istio Gateway chart,replacing the
+ <recommended-istio-version> with the version defined in
+ the :ref:`versions_table` table::
+
+ > helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress
+ --version <recommended-istio-version> --wait
+
+Kiali Installation
+==================
+
+Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster
+For setup the kiali operator is used, see `Kiali setup guide`_
+
+- Install kiali-operator namespace::
+
+ > kubectl create namespace kiali-operator
+
+ > kubectl label namespace kiali-operator istio-injection=enabled
+
+- Install the kiali-operator::
+
+ > helm repo add kiali https://kiali.org/helm-charts
+
+ > helm repo update kiali
+
+ > helm install --namespace kiali-operator kiali/kiali-operator
+
+- Create Kiali CR file (e.g. kiali.yaml)
+
+ .. collapse:: kiali.yaml
+
+ .. include:: ../../resources/yaml/kiali.yaml
+ :code: yaml
+
+- Install kiali::
+
+ > kubectl apply -f kiali.yaml
+
+- Create Ingress gateway entry for the kiali web interface
+ using the configured Ingress <base-url> (here "simpledemo.onap.org")
+ as described in :ref:`oom_customize_overrides`
+
+ .. collapse:: kiali-ingress.yaml
+
+ .. include:: ../../resources/yaml/kiali-ingress.yaml
+ :code: yaml
+
+- Add the Ingress entry for Kiali::
+
+ > kubectl -n istio-system apply -f kiali-ingress.yaml
+
+
+Jaeger Installation
+===================
+
+To be done...
\ No newline at end of file
.. _versions_table:
-.. table:: OOM Software Requirements
-
- ============== =========== ======= ======== ======== ============ ================= =======
- Release Kubernetes Helm kubectl Docker Cert-Manager Prometheus Stack Strimzi
- ============== =========== ======= ======== ======== ============ ================= =======
- Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.8.0 35.x 0.28.0
- Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 35.x 0.32.0
- ============== =========== ======= ======== ======== ============ ================= =======
+.. table:: OOM Software Requirements (base)
+
+ ============== =========== ======= ======== ======== ============ =======
+ Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi
+ ============== =========== ======= ======== ======== ============ =======
+ Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.8.0 0.28.0
+ Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 0.32.0
+ ============== =========== ======= ======== ======== ============ =======
+
+.. table:: OOM Software Requirements (optional)
+
+ ============== ================= ======
+ Release Prometheus Stack Istio
+ ============== ================= ======
+ Jakarta 35.x ---
+ Kohn 35.x 1.15.1
+ ============== ================= ======
.. toctree::
<...>
-Accessing the ONAP Portal using OOM and a Kubernetes Cluster
-------------------------------------------------------------
-
-The ONAP deployment created by OOM operates in a private IP network that isn't
-publicly accessible (i.e. OpenStack VMs with private internal network) which
-blocks access to the ONAP Portal. To enable direct access to this Portal from a
-user's own environment (a laptop etc.) the portal application's port 8989 is
-exposed through a `Kubernetes LoadBalancer`_ object.
-
-Typically, to be able to access the Kubernetes nodes publicly a public address
-is assigned. In OpenStack this is a floating IP address.
-
-When the `portal-app` chart is deployed a Kubernetes service is created that
-instantiates a load balancer. The LB chooses the private interface of one of
-the nodes as in the example below (10.0.0.4 is private to the K8s cluster only).
-Then to be able to access the portal on port 8989 from outside the K8s &
-OpenStack environment, the user needs to assign/get the floating IP address that
-corresponds to the private IP as follows::
-
- > kubectl -n onap get services|grep "portal-app"
- portal-app LoadBalancer 10.43.142.201 10.0.0.4 8989:30215/TCP,8006:30213/TCP,8010:30214/TCP 1d app=portal-app,release=dev
-
-
-In this example, use the 11.0.0.4 private address as a key find the
-corresponding public address which in this example is 10.12.6.155. If you're
-using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI
-for your tenant (openstack server list). That IP is then used in your
-`/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown
-below::
-
- 10.12.6.155 portal.api.simpledemo.onap.org
- 10.12.6.155 vid.api.simpledemo.onap.org
- 10.12.6.155 sdc.api.fe.simpledemo.onap.org
- 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org
- 10.12.6.155 sdc.dcae.plugin.simpledemo.onap.org
- 10.12.6.155 portal-sdk.simpledemo.onap.org
- 10.12.6.155 policy.api.simpledemo.onap.org
- 10.12.6.155 aai.api.sparky.simpledemo.onap.org
- 10.12.6.155 cli.api.simpledemo.onap.org
- 10.12.6.155 msb.api.discovery.simpledemo.onap.org
- 10.12.6.155 msb.api.simpledemo.onap.org
- 10.12.6.155 clamp.api.simpledemo.onap.org
- 10.12.6.155 so.api.simpledemo.onap.org
- 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org
-
-Ensure you've disabled any proxy settings the browser you are using to access
-the portal and then simply access now the new ssl-encrypted URL:
-``https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm``
-
-.. note::
- Using the HTTPS based Portal URL the Browser needs to be configured to accept
- unsecure credentials.
- Additionally when opening an Application inside the Portal, the Browser
- might block the content, which requires to disable the blocking and reloading
- of the page
-
-.. note::
- Besides the ONAP Portal the Components can deliver additional user interfaces,
- please check the Component specific documentation.
-
-.. note::
-
- | Alternatives Considered:
-
- - Kubernetes port forwarding was considered but discarded as it would
- require the end user to run a script that opens up port forwarding tunnels
- to each of the pods that provides a portal application widget.
-
- - Reverting to a VNC server similar to what was deployed in the Amsterdam
- release was also considered but there were many issues with resolution,
- lack of volume mount, /etc/hosts dynamic update, file upload that were
- a tall order to solve in time for the Beijing release.
-
- Observations:
-
- - If you are not using floating IPs in your Kubernetes deployment and
- directly attaching a public IP address (i.e. by using your public provider
- network) to your K8S Node VMs' network interface, then the output of
- 'kubectl -n onap get services | grep "portal-app"'
- will show your public IP instead of the private network's IP. Therefore,
- you can grab this public IP directly (as compared to trying to find the
- floating IP first) and map this IP in /etc/hosts.
.. figure:: ../../resources/images/oom_logo/oomLogoV2-Monitor.png
:align: right
--- /dev/null
+NodePort,Component,Service name,targetPort,Port
+30200,VID,vid,8443,8443
+30201,SDNC,sdnc-portal,8443,8443
+30203,SDNC,sdnc-dgbuilder,3100,3000
+30204,SDC,sdc-be-external,8443,8443
+30207,SDC,sdc-fe,9443,9443
+30209,ROBOT,robot,443,443
+30210,AAI,aai-modelloader,8080,8080
+30211,APPC,appc,9191,9090
+30212,PORTAL,portal-sdk,8443,8443
+30218,POLICY,pap,9091,9091
+30219,POLICY,pap,8443,8443
+30220,AAI,aai-sparky-be,8000,8000
+30222,DCAE,xdcae-hv-ves-collector,6061,6061
+30225,PORTAL,portal-app,8443,8443
+30226,DMAAP,message-router-external,3905,3905
+30228,APPC,appc-dgbuilder,3100,3000
+30229,AAI,aai-modelloader,8443,8443
+30230,APPC,appc,8443,8443
+30231,APPC,appc,1830,1830
+30233,AAI,aai,8443,8443
+30234,POMBA*),pomba-kibana,5601,5601
+30242,DMAAP,dmaap-bc,8443,8443
+30248,OOF,oof-osdf,8699,8698
+30249,POMBA*),pomba-data-router,9502,9502
+30251,AAF,aaf-gui,8200,8200
+30253,LOG*),log-kibana,5601,5601
+30254,LOG*),log-es,9200,9200
+30255,LOG*),log-ls,5044,5044
+30256,SDC,sdc-wfd-fe,8443,8443
+30257,SDC,sdc-wfd-be,8443,8443
+30258,CLAMP,clamp-external,2443,2443
+30260,CLI,cli,443,443
+30264,DCAE,sdc-dcae-fe,9444,9444
+30266,DCAE,sdc-dcae-dt,9446,9446
+30267,SDNC,sdnc,8443,8443
+30269,DMAAP,dmaapr-prov,443,8443
+30271,CLI,cli,9090,9090
+30274,EXTAPI,nbi,8443,8443
+30275,OOF,oof-has-api,8091,8091
+30277,SO,so,8080,8080
+30279,AAI,aai-babel,9516,9516
+30283,MSB,msb-iag,443,443
+30284,MSB,msb-eag,443,443
+30288,SNIRO*),sniro-emulator,9999,80
+30289,APPC,appc-cdt,18080,18080
+30290,CLAMP,cdash-kibana,5601,5601
+30297,VNFSDK,refrepo,8703,8703
+30299,POMBA*),pomba-networkdiscovery,8443,9531
+30398,UUI,uui,8443,8443
+30399,UUI,uui-server,8082,8082
+30406,SO,so-vnfm-adapter,9092,9092
+30407,MUSIC,music,8443,8443
+30417,DCAE,xdcae-ves-collector,8443,8443
+30418,DCAE,dashboard,8443,8443
+30420,NETBOX,netbox-nginx,8080,8080
+30478,AWX,awx-web,8080,80
+30490,DMAAP,message-router-kafka-0,9091,9091
+30491,DMAAP,message-router-kafka-1,9091,9091
+30492,DMAAP,message-router-kafka-2,9091,9091
+30494,DMAAP,dmaap-dr-node-external,8443,8443
+30497,CDS,cds-ui,3000,3000
\ No newline at end of file
--- /dev/null
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: header-casing
+ namespace: istio-config
+spec:
+ configPatches:
+ - applyTo: CLUSTER
+ match:
+ context: SIDECAR_INBOUND
+ patch:
+ operation: MERGE
+ value:
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ use_downstream_protocol_config:
+ http_protocol_options:
+ header_key_format:
+ stateful_formatter:
+ name: preserve_case
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
+ - applyTo: NETWORK_FILTER
+ match:
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ patch:
+ operation: MERGE
+ value:
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ http_protocol_options:
+ header_key_format:
+ stateful_formatter:
+ name: preserve_case
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig
\ No newline at end of file
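Review bot: The second `configPatches` entry (`applyTo: NETWORK_FILTER`) has no `context` under `match`, so unlike the first patch, which is limited to `SIDECAR_INBOUND`, it applies in every context. The resource lives in `istio-config`, which the install steps set as `meshConfig.rootNamespace`, so this appears to include the ingress gateway's listeners. The accompanying guide says the filter is meant to be scoped to `SIDECAR_INBOUND` to avoid problems between the Istio gateway and the services, so adding `context: SIDECAR_INBOUND` to this match would make the manifest agree with that intent. Indentation is flattened in this view, so confirm against the file that the key is really absent from the second match.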
--- /dev/null
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: kiali-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - kiali.simpledemo.onap.org
+ port:
+ name: http
+ number: 80
+ protocol: HTTP
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: kiali-service
+spec:
+ hosts:
+ - kiali.simpledemo.onap.org
+ gateways:
+ - kiali-gateway
+ http:
+ - route:
+ - destination:
+ port:
+ number: 20001
+ host: kiali
\ No newline at end of file
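Review bot: The `kiali-gateway` server listens only on port 80 with `protocol: HTTP`, so the Kiali console is published through the ingress gateway without TLS. It also lacks the `httpsRedirect` and port-443 server that the chart's own ingress helper adds when `global.ingress.config.ssl` is `redirect`. Because the Kiali CR added in this commit uses `strategy: anonymous`, anyone who can reach the gateway and resolve `kiali.simpledemo.onap.org` gets the console in clear text. Consider setting `tls: {httpsRedirect: true}` on the port-80 server and adding an HTTPS server with `tls: {mode: SIMPLE, credentialName: <ingress-tls-secret-name>}`, or state in the guide that this manifest is for lab use only.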
--- /dev/null
+apiVersion: kiali.io/v1alpha1
+kind: Kiali
+metadata:
+ name: kiali
+ namespace: istio-system
+ annotations:
+ ansible.operator-sdk/verbosity: "1"
+spec:
+ auth:
+ strategy: anonymous
+ istio_component_namespaces:
+ prometheus: monitoring
+ external_services:
+ grafana:
+ in_cluster_url: http://prometheus-stack-grafana.monitoring
+ prometheus:
+ url: http://prometheus-stack-kube-prom-prometheus.monitoring:9090
+ tracing:
+ in_cluster_url: http://istio-query.observability:16686
+ deployment:
+ accessible_namespaces: ["**"]
+ view_only_mode: false
+ server:
+ web_root: "/kiali"
\ No newline at end of file
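Review bot: `auth.strategy: anonymous` combined with `view_only_mode: false` and `accessible_namespaces: ["**"]` gives every unauthenticated visitor a writable Kiali across all namespaces, and the companion `kiali-ingress.yaml` publishes it on the ingress gateway. Kiali acts with its own service account, so in this mode a visitor can change Istio configuration through the UI without presenting any credential. For a documented example, prefer `strategy: token` (or `openid`), set `view_only_mode: true`, and list only the namespaces that need to be visible, e.g. `accessible_namespaces: ["onap", "istio-system"]`. If anonymous access is intended for a lab setup, add a comment above `auth:` saying so, `# anonymous access: lab use only, do not expose outside a trusted network`.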
## **Quick Start Guide**
+> **WARNING**: This README is no longer maintained and will be deprecated.
+> Please refer to the official OOM guide here - [OOM Guide](https://docs.onap.org/projects/onap-oom/en/latest/sections/oom_project_description.html)
+
This is a quick start guide describing how to deploy ONAP on Kubernetes using Helm.
resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
resources.client-cert-password=${KEYSTORE_PASSWORD}
{{ else }}
-resources.port=8080
+resources.port=80
resources.authType=HTTP_NOAUTH
{{ end }}
subPath: logback.xml
ports:
- containerPort: {{ .Values.service.internalPort }}
+ - containerPort: {{ .Values.service.internalPlainPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
resources:
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
spec:
- type: {{ .Values.service.type }}
ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
+ - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}
+ port: {{ .Values.service.externalPort }}
+ targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }}
+ {{- if eq .Values.service.type "NodePort" }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- else -}}
- - port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}{{ ternary "s" "" (eq "true" (include "common.needTLS" .)) }}
- {{- end }}
+ {{- end }}
+ type: {{ .Values.service.type }}
selector:
app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
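Review bot: The new port `name` line tests `{{ if (include "common.needTLS" .) }}`, while the `targetPort` line below it and the removed `name` lines compare the result with `eq "true"`. `include` returns a string and any non-empty string is truthy in a template `if`, so if `common.needTLS` can render anything other than an empty string in the non-TLS case, the port would be named `https` while targeting `internalPlainPort`. Its definition is not in this view, so please confirm. Using the same test on both lines removes the doubt: `name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}`. Separately, dropping `release` from `selector` leaves only the `app` label, which would also match pods of another release of the same chart in the namespace.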
service:
type: NodePort
portName: http
+ externalPort: 8000
internalPort: 8000
+ internalPlainPort: 9517
nodePort: 20
ingress:
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
+{{/*
+ Create the hostname as concatination <baseaddr>.<baseurl>
+ - baseaddr: from component values: ingress.service.baseaddr
+ - baseurl: from values: global.ingress.virtualhost.baseurl
+ which van be overwritten in the component via: ingress.baseurlOverride
+*/}}
{{- define "ingress.config.host" -}}
{{- $dot := default . .dot -}}
{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
{{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}}
+{{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}}
{{ printf "%s.%s" $baseaddr $burl }}
{{- end -}}
+{{/*
+ Helper function to add the tls route
+*/}}
+{{- define "ingress.config.tls" -}}
+{{- $dot := default . .dot -}}
+{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{- if $dot.Values.global.ingress.config }}
+{{- if $dot.Values.global.ingress.config.ssl }}
+{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }}
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+{{- if $dot.Values.global.ingress.config }}
+{{- if $dot.Values.global.ingress.config.tls }}
+ credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }}
+{{- else }}
+ credentialName: "ingress-tls-secret"
+{{- end }}
+{{- else }}
+ credentialName: "ingress-tls-secret"
+{{- end }}
+ mode: SIMPLE
+ hosts:
+ - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
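Review bot: In `ingress.config.tls` the inner `{{- if $dot.Values.global.ingress.config }}` around `credentialName` repeats the test that already guards the whole block, so its `else` branch can never render. The three `credentialName` lines can collapse to one default: `{{- $tls := default (dict) $dot.Values.global.ingress.config.tls }}` followed by `credentialName: {{ default "ingress-tls-secret" $tls.secret }}`. The HTTPS server is also emitted only when `config.ssl` equals `redirect`, so the helper's header comment should say that any other value leaves the gateway HTTP-only.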
+
+{{/*
+ Helper function to add the route to the service
+*/}}
{{- define "ingress.config.port" -}}
{{- $dot := default . .dot -}}
{{ range .Values.ingress.service }}
{{- end }}
{{- end -}}
+{{/*
+ Helper function to add the route to the service
+*/}}
{{- define "istio.config.route" -}}
{{- $dot := default . .dot -}}
-{{ range .Values.ingress.service }}
http:
- route:
- destination:
{{- end }}
host: {{ .name }}
{{- end -}}
-{{- end -}}
+{{/*
+ Helper function to add ssl annotations
+*/}}
{{- define "ingress.config.annotations.ssl" -}}
{{- if .Values.ingress.config -}}
{{- if .Values.ingress.config.ssl -}}
{{- end -}}
+{{/*
+ Helper function to add annotations
+*/}}
{{- define "ingress.config.annotations" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.annotations -}}
{{ include "ingress.config.annotations.ssl" . | indent 4 | trim }}
{{- end -}}
+{{/*
+ Helper function to check the existance of an override value
+*/}}
{{- define "common.ingress._overrideIfDefined" -}}
{{- $currValue := .currVal }}
{{- $parent := .parent }}
{{- end -}}
{{- end -}}
-{{- define "common.ingress" -}}
+{{/*
+ Helper function to check, if Ingress is enabled
+*/}}
+{{- define "common.ingress._enabled" -}}
{{- $dot := default . .dot -}}
-{{- if .Values.ingress -}}
- {{- $ingressEnabled := default false .Values.ingress.enabled -}}
- {{- $ingressEnabled := include "common.ingress._overrideIfDefined" (dict "currVal" $ingressEnabled "parent" (default (dict) .Values.global.ingress) "var" "enabled") }}
- {{- $ingressEnabled := include "common.ingress._overrideIfDefined" (dict "currVal" $ingressEnabled "parent" .Values.ingress "var" "enabledOverride") }}
-{{- if $ingressEnabled }}
-{{- if (include "common.onServiceMesh" .) }}
-{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }}
- {{- $dot := default . .dot -}}
+{{- if $dot.Values.ingress -}}
+{{- if $dot.Values.global.ingress -}}
+{{- if (default false $dot.Values.global.ingress.enabled) -}}
+{{- if (default false $dot.Values.global.ingress.enable_all) -}}
+true
+{{- else -}}
+{{- if $dot.Values.ingress.enabled -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Create Istio Ingress resources per defined service
+*/}}
+{{- define "common.istioIngress" -}}
+{{- $dot := default . .dot -}}
+{{ range $dot.Values.ingress.service }}
+{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }}
+---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
- name: {{ include "common.fullname" . }}-gateway
+ name: {{ $baseaddr }}-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
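Review bot: In `common.ingress._enabled`, `global.ingress.enable_all: true` yields `true` before the chart's own `ingress.enabled` is read, so a chart that sets `ingress.enabled: false` is still published through the ingress. The removed `enabledOverride` lookup also means there is no per-chart opt-out left. If that is intended, state it in the helper comment, e.g. `enable_all wins over a chart's ingress.enabled: false; there is no per-chart opt-out`; if not, test the chart value before `enable_all`. `common.istioIngress` starts in this hunk and continues outside it.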
name: http
protocol: HTTP
hosts:
- {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
- - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
- {{- end }}
-{{- if .Values.global.ingress.config }}
-{{- if .Values.global.ingress.config.ssl }}
-{{- if eq .Values.global.ingress.config.ssl "redirect" }}
- tls:
- httpsRedirect: true
- - port:
- number: 443
- name: https
- protocol: HTTPS
- tls:
-{{- if .Values.global.ingress.config }}
-{{- if .Values.global.ingress.config.tls }}
- credentialName: {{ default "ingress-tls-secret" .Values.global.ingress.config.tls.secret }}
-{{- else }}
- credentialName: "ingress-tls-secret"
-{{- end }}
-{{- else }}
- credentialName: "ingress-tls-secret"
-{{- end }}
- mode: SIMPLE
- hosts:
- {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
- {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
- {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
+ {{ include "ingress.config.tls" (dict "dot" $dot "baseaddr" $baseaddr) }}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
- name: {{ include "common.fullname" . }}-service
+ name: {{ $baseaddr }}-service
spec:
hosts:
- {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
- {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
- {{- end }}
gateways:
- - {{ include "common.fullname" . }}-gateway
+ - {{ $baseaddr }}-gateway
{{ include "istio.config.route" . | trim }}
+{{- end -}}
{{- end -}}
-{{- else -}}
+
+{{/*
+ Create default Ingress resource
+*/}}
+{{- define "common.nginxIngress" -}}
+{{- $dot := default . .dot -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
- name: {{ include "common.fullname" . }}-ingress
+ name: {{ include "common.fullname" $dot }}-ingress
annotations:
- {{ include "ingress.config.annotations" . }}
+ {{ include "ingress.config.annotations" $dot }}
labels:
- app: {{ .Chart.Name }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ app: {{ $dot.Chart.Name }}
+ chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" $dot }}
+ heritage: {{ $dot.Release.Service }}
spec:
rules:
- {{ include "ingress.config.port" . | trim }}
-{{- if .Values.ingress.tls }}
+ {{ include "ingress.config.port" $dot | trim }}
+{{- if $dot.Values.ingress.tls }}
tls:
-{{ toYaml .Values.ingress.tls | indent 4 }}
+{{ toYaml $dot.Values.ingress.tls | indent 4 }}
{{- end -}}
-{{- if .Values.ingress.config -}}
-{{- if .Values.ingress.config.tls -}}
+{{- if $dot.Values.ingress.config -}}
+{{- if $dot.Values.ingress.config.tls -}}
tls:
- hosts:
- {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
+ {{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
- {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
- {{- end }}
- secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }}
-{{- end -}}
-{{- end -}}
-{{- end -}}
+ {{- end }}
+ secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }}
+{{- end -}}
{{- end -}}
{{- end -}}
+
+{{/*
+ Create ingress template
+ Will create ingress template depending on the following values:
+ - .Values.global.ingress.enabled : enables Ingress globally
+ - .Values.global.ingress.enable_all : override default Ingress for all charts
+ - .Values.ingress.enabled : sets Ingress per chart basis
+
+ | global.ingress.enabled | global.ingress.enable_all |ingress.enabled | result |
+ |------------------------|---------------------------|----------------|------------|
+ | false | any | any | no ingress |
+ | true | false | false | no ingress |
+ | true | true | any | ingress |
+ | true | false | true | ingress |
+
+ If ServiceMesh (Istio) is enabled the respective resources are created:
+ - Gateway
+ - VirtualService
+
+ If ServiceMesh is disabled the standard Ingress resource is creates:
+ - Ingress
+*/}}
+{{- define "common.ingress" -}}
+{{- $dot := default . .dot -}}
+{{- if (include "common.ingress._enabled" (dict "dot" $dot)) }}
+{{- if (include "common.onServiceMesh" .) }}
+{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }}
+{{ include "common.istioIngress" (dict "dot" $dot) }}
+{{- end -}}
+{{- else -}}
+{{ include "common.nginxIngress" (dict "dot" $dot) }}
+{{- end -}}
+{{- end -}}
{{- end -}}
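Review bot: `common.ingress` computes `$dot` but then reads `.` in `include "common.onServiceMesh" .` and `.Values.global.serviceMesh.engine`, unlike the helpers it calls. A caller that passes `(dict "dot" .)` would therefore hit a nil `.Values` here. Use `{{- if (include "common.onServiceMesh" $dot) }}` and `{{- if eq (default "istio" $dot.Values.global.serviceMesh.engine) "istio" }}`. When the mesh is on and the engine is not `istio`, nothing is rendered and no error is raised; a `fail` in that branch would make the gap visible.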
{{- $labels := default (dict) .labels -}}
{{- $matchLabels := default (dict) .matchLabels -}}
{{- if and (include "common.onServiceMesh" $dot) (eq $serviceType "NodePort") }}
-{{- $serviceType = "ClusterIP" }}
+{{- $serviceType = "ClusterIP" }}
{{- end }}
{{- if (and (include "common.needTLS" $dot) $both_tls_and_plain) }}
- name: common
version: ~12.x-0
repository: '@local'
- - name: dmaap-strimzi
- version: ~12.x-0
- repository: 'file://components/dmaap-strimzi'
- condition: dmaap-strimzi.enabled
- name: message-router
version: ~12.x-0
repository: 'file://components/message-router'
## Items below are passed through to Kafka's producer and consumer
## configurations (after removing "kafka.")
## if you want to change request.required.acks it can take this one value
-kafka.metadata.broker.list={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}:{{ .Values.global.kafkaInternalPort }}
-config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }}
#kafka.request.required.acks=-1
+kafka.metadata.broker.list={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }}
consumer.timeout.ms=100
zookeeper.connection.timeout.ms=6000
zookeeper.session.timeout.ms=20000
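Review bot: `kafka.metadata.broker.list` now hard-codes `-strimzi-kafka-bootstrap:9092`, and the deployment hunk that follows hard-codes `SASLMECH` as `scram-sha-512`. The strimzi chart keeps the same facts in `config.kafkaInternalPort` and `config.saslMechanism`, so a change there would leave message-router on the old listener or mechanism with no render-time error. Port 9092 is also the listener declared with `tls: false` in the Kafka resource, so this traffic appears to rely on something else, such as the mesh, for encryption. At minimum add a comment above the line, e.g. `## must match strimzi config.kafkaInternalPort (SASL listener without TLS)`.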
- name: JAASLOGIN
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "mr-kafka-admin-secret" "key" "sasl.jaas.config") | indent 12 }}
- name: SASLMECH
- value: {{ .Values.global.saslMechanism }}
+ value: scram-sha-512
- name: enableCadi
value: "{{ .Values.global.aafEnabled }}"
- name: useZkTopicStore
#################################################################
global:
nodePortPrefix: 302
- kafkaBootstrap: strimzi-kafka-bootstrap
- saslMechanism: scram-sha-512
- kafkaInternalPort: 9092
zkTunnelService:
type: ClusterIP
name: zk-tunnel-svc
portName: tcp-zk-tunnel
internalPort: 2181
+zookeeper:
+ entrance:
+ image: scholzj/zoo-entrance:latest
+
#################################################################
# AAF part
#################################################################
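Review bot: `image: scholzj/zoo-entrance:latest` is moved here still unpinned, so the container that fronts ZooKeeper can change content without any change to the chart. It also sits outside the `onap/...` image path, which is pinned to a version elsewhere in this file. Pin it to a released tag plus digest, e.g. `image: scholzj/zoo-entrance:<pinned-tag>@sha256:<digest>` (placeholders), so the deployed image is reproducible and reviewable.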
image: onap/dmaap/dmaap-mr:1.4.3
pullPolicy: Always
-zookeeper:
- entrance:
- image: scholzj/zoo-entrance:latest
-
secrets:
- uid: mr-kafka-admin-secret
externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}'
aafEnabled: true
#Strimzi config
- kafkaBootstrap: strimzi-kafka-bootstrap
kafkaStrimziAdminUser: strimzi-kafka-admin
- kafkaInternalPort: 9092
- saslMechanism: scram-sha-512
#Component overrides
message-router:
# This override file is used to deploy a core configuration. It is based on
# minimal-onap.yaml and Orange accomplishments [1][2][3].
# It includes the following components:
-# AAI, DMAAP, SDC, SDNC, SO (+ Cassandra)
+# AAI, DMAAP Message Router, SDC, SDNC, SO (+ Cassandra), STRIMZI Kafka
#
# Minimal resources are also reviewed for the various containers
# AAI: no override => to be fixed
enabled: false
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: false
+ dmaap-dr-prov:
+ enabled: false
+ dmaap-dr-node:
+ enabled: false
log:
enabled: false
mariadb-galera:
openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL"
openStackServiceTenantName: "$OPENSTACK_TENANT_NAME"
openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD"
+strimzi:
+ enabled: true
+ replicaCount: 2
+ persistence:
+ kafka:
+ size: 1Gi
+ zookeeper:
+ size: 500Mbi
+ strimzi-kafka-bridge:
+ enabled: false
uui:
enabled: false
vid:
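Review bot: `size: 500Mbi` under `persistence.zookeeper` is not a valid Kubernetes quantity; the binary suffix is `Mi`. The value would be rejected, or the claim left unprovisioned, when the storage request is created. Use `size: 500Mi`. The same value appears in the later override hunk that sets `replicaCount: 1`.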
mariadb:
config:
mariadbRootPassword: password
+strimzi:
+ enabled: false
uui:
enabled: false
vfc:
enabled: false
so:
enabled: false
+strimzi:
+ enabled: false
uui:
enabled: false
vfc:
# This override file is used to deploy a minimal configuration to
# onboard and deploy a VNF.
# It includes the following components:
-# A&AI, Cassandra, DMAAP, Portal, Robot, SDC, SDNC, SO, VID
+# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka, VID
#
# Minimal resources are also reviewed for the various containers
# A&AI: no override => to be fixed
enabled: false
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: false
+ dmaap-dr-prov:
+ enabled: false
+ dmaap-dr-node:
+ enabled: false
log:
enabled: false
mariadb-galera:
openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL"
openStackServiceTenantName: "$OPENSTACK_TENANT_NAME"
openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD"
+strimzi:
+ enabled: true
+ replicaCount: 1
+ persistence:
+ kafka:
+ size: 1Gi
+ zookeeper:
+ size: 500Mbi
+ strimzi-kafka-bridge:
+ enabled: false
uui:
enabled: false
vid:
enabled: false
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: false
+ dmaap-dr-prov:
+ enabled: false
+ dmaap-dr-node:
+ enabled: false
log:
enabled: true
sniro-emulator:
openStackServiceTenantName: "service"
openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
+strimzi:
+ enabled: true
+ strimzi-kafka-bridge:
+ enabled: false
uui:
enabled: true
vfc:
global:
ingress:
enabled: true
+ # enable all component's Ingress interfaces
+ enable_all: true
# All http requests via ingress will be redirected
config:
ssl: "redirect"
enabled: true
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: true
+ dmaap-dr-prov:
+ enabled: true
+ dmaap-dr-node:
+ enabled: true
oof:
enabled: true
msb:
enabled: true
strimzi:
enabled: true
+ strimzi-kafka-bridge:
+ enabled: true
uui:
enabled: true
vfc:
global:
ingress:
enabled: true
+ enable_all: true
addTestingComponents: &testing true
centralizedLoggingEnabled: ¢ralizedLogging false
cassandra:
enabled: true
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: true
+ dmaap-dr-prov:
+ enabled: true
+ dmaap-dr-node:
+ enabled: true
oof:
enabled: true
msb:
enabled: true
strimzi:
enabled: true
+ strimzi-kafka-bridge:
+ enabled: true
uui:
enabled: true
vfc:
enabled: true
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: true
+ dmaap-dr-prov:
+ enabled: true
+ dmaap-dr-node:
+ enabled: true
oof:
enabled: true
msb:
enabled: true
strimzi:
enabled: true
+ strimzi-kafka-bridge:
+ enabled: true
uui:
enabled: true
vfc:
enabled: true
dmaap:
enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: false
+ dmaap-dr-prov:
+ enabled: false
+ dmaap-dr-node:
+ enabled: false
log:
enabled: true
oof:
enabled: true
strimzi:
enabled: true
+ strimzi-kafka-bridge:
+ enabled: false
vid:
enabled: true
#
# Minimal resources are also reviewed for the various containers
# AAI: no override => to be fixed
-# DMAAP: no override # SO: no override
+# DMAAP: no override
+# SO: no override
# SDC: new values
# SDNC: no override
#
enabled: false
dcaegen2-services:
enabled: false
+dmaap:
+ enabled: true
+ message-router:
+ enabled: true
+ dmaap-bc:
+ enabled: true
+ dmaap-dr-prov:
+ enabled: true
+ dmaap-dr-node:
+ enabled: true
holmes:
enabled: false
log:
openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD"
strimzi:
enabled: true
+ strimzi-kafka-bridge:
+ enabled: true
uui:
enabled: false
vid:
enabled: false
cds:
enabled: true
-dmaap:
- enabled: true
- dmaap-bc:
- enabled: false
+
# Global ingress configuration
ingress:
+ # generally enable ingress for ONAP components
enabled: false
+ # enable all component's Ingress interfaces
+ enable_all: false
+ # default Ingress base URL
+ # can be overwritten in component vy setting ingress.baseurlOverride
virtualhost:
baseurl: "simpledemo.onap.org"
+ # All http requests via ingress will be redirected on Ingress controller
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ # tls:
+ # secret: 'my-ingress-cert'
+
+ # optional: Namespace of the Istio IngressGateway
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ namespace: istio-ingress
# Global Service Mesh configuration
# POC Mode, don't use it in production
enabled: false
dmaap:
enabled: false
+ message-router:
+ enabled: false
+ dmaap-bc:
+ enabled: false
+ dmaap-dr-prov:
+ enabled: false
+ dmaap-dr-node:
+ enabled: false
# Today, "logging" chart that perform the central part of logging must also be
# enabled in order to make it work. So `logging.enabled` must have the same
-# value than centralizedLoggingEnabled
+# value as centralizedLoggingEnabled
log:
enabled: *centralizedLogging
sniro-emulator:
# server:
# monitoring:
# password: demo123456!
+
strimzi:
enabled: false
+ # Kafka replication & disk storage should be dimensioned
+ # according to each given system use case.
+ replicaCount: 3
+ persistence:
+ kafka:
+ size: 10Gi
+ zookeeper:
+ size: 1Gi
+ # Strimzi kafka bridge is an optional http api towards
+ # kafka provided by https://strimzi.io/docs/bridge/latest/
+ strimzi-kafka-bridge:
+ enabled: false
+
uui:
enabled: false
vfc:
enabled: false
a1policymanagement:
enabled: false
-
cert-wrapper:
enabled: true
repository-wrapper:
keyStorePassword: ${KEYSTORE_PASSWORD}
trustStore: ${TRUSTSTORE}
trustStorePassword: ${TRUSTSTORE_PASSWORD}
+ {{- else }}
+ ssl:
+ enabled: false
{{- end }}
tomcat:
max-threads: 50
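Review bot: The added `else` branch sets `ssl.enabled: false` without saying when plain HTTP is acceptable. The `if` it belongs to starts outside this hunk, so the condition cannot be checked from here. If the branch is meant only for deployments where the mesh sidecar terminates TLS, say so in place, e.g. `# TLS is provided by the service-mesh sidecar; the app itself listens without it`. Also confirm the branch is unreachable when neither protection is active.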
# limitations under the License.
apiVersion: v2
-description: ONAP Strimzi kafka
+description: ONAP Strimzi Kafka
name: strimzi
version: 12.0.0
dependencies:
- name: common
version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
repository: '@local'
- name: repositoryGenerator
version: ~12.x-0
- name: serviceAccount
version: ~12.x-0
repository: '@local'
+ - name: strimzi-kafka-bridge
+ version: ~12.x-0
+ repository: 'file://components/strimzi-kafka-bridge'
+ condition: strimzi-kafka-bridge.enabled
# limitations under the License.
apiVersion: v2
-description: ONAP Dmaap Strimzi Kafka Bridge
-name: dmaap-strimzi
+description: ONAP Strimzi Kafka Bridge
+name: strimzi-kafka-bridge
version: 12.0.0
dependencies:
- name: common
- version: ~12.x-0
- # local reference to common chart, as it is
- # a part of this chart's package and will not
- # be published independently to a repo (at this point)
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
version: ~12.x-0
repository: '@local'
*/}}
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
- replicas: {{ .Values.kafkaBridgeReplicaCount }}
- enableMetrics: false
- bootstrapServers: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}:{{ .Values.global.kafkaInternalPort }}
+ replicas: {{ .Values.replicaCount }}
+ bootstrapServers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:{{ .Values.config.kafkaInternalPort }}
authentication:
- type: {{ .Values.global.saslMechanism }}
- username: {{ .Values.global.kafkaStrimziAdminUser }}
+ type: {{ .Values.config.saslMechanism }}
+ username: {{ .Values.config.strimziKafkaAdminUser }}
passwordSecret:
- secretName: {{ .Values.global.kafkaStrimziAdminUser }}
+ secretName: {{ .Values.config.strimziKafkaAdminUser }}
password: password
+ enableMetrics: {{ .Values.config.enableMetrics }}
http:
- port: {{ .Values.kafkaBridgePort }}
+ port: {{ .Values.config.port }}
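Review bot: The bridge still logs in to Kafka as the cluster superuser: `username` and `passwordSecret.secretName` both come from `config.strimziKafkaAdminUser`. The parent chart aliases that value to the same user it lists under `superUsers` in the Kafka resource. Nothing in this spec puts authentication on the bridge's HTTP listener, so any client that can reach `config.port` would act with superuser rights on every topic. A dedicated KafkaUser with only the ACLs the bridge needs, referenced through its own value, would contain that. Restricting network access to the bridge port helps in addition.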
# Global configuration defaults.
#################################################################
global:
- kafkaBootstrap: strimzi-kafka-bootstrap
- kafkaStrimziAdminUser: strimzi-kafka-admin
- kafkaInternalPort: 9092
- saslMechanism: scram-sha-512
#################################################################
# Application configuration defaults.
#################################################################
-kafkaBridgeReplicaCount: 1
-kafkaBridgePort: 8080
+replicaCount: 1
+config:
+ port: 8080
+ enableMetrics: false
+ # The following config should be set/overridden
+ # from parent chart kubernetes/strimzi/values.yaml
+ saslMechanism: parentValue
+ kafkaInternalPort: parentValue
+ strimziKafkaAdminUser: parentValue
-ingress:
- enabled: false
-
-#Pods Service Account
-serviceAccount:
- nameOverride: dmaap-strimzi
- roles:
- - read
+# nameOverride is required to avoid duplication
+# in pod and service names ie ...-bridge-bridge-{random hex}
+nameOverride: strimzi-kafka
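Review bot: The `parentValue` defaults for `saslMechanism`, `kafkaInternalPort` and `strimziKafkaAdminUser` render unchanged into the KafkaBridge if the parent override is missing. That gives `bootstrapServers: ...:parentValue` and `type: parentValue` instead of a clear failure. Leaving them unset and reading them with `required` in the template would stop the install early, e.g. `type: {{ required "config.saslMechanism must be set by the parent chart" .Values.config.saslMechanism }}`.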
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistenceKafka) }}
+{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }}
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
-{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistenceZk) }}
+{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }}
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
- name: {{ .Values.kafkaStrimziAdminUser }}
+ name: {{ .Values.config.strimziKafkaAdminUser }}
labels:
strimzi.io/cluster: {{ include "common.release" . }}-strimzi
spec:
authentication:
- type: {{ .Values.saslMechanism }}
+ type: {{ .Values.config.saslMechanism }}
authorization:
- type: simple
+ type: {{ .Values.config.authType }}
acls:
- resource:
type: group
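Review bot: `authorization.type` on the KafkaUser now follows `config.authType`, the same value that drives the broker's `authorization.type`. As far as I know a KafkaUser accepts only `simple` here, and the `acls:` list below is meaningful only for that type. Switching the broker to another authorizer through `config.authType` would therefore produce an invalid user resource. Keep the literal `type: simple` in this file and leave only the Kafka resource configurable. The `acls` list continues outside the hunk.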
*/}}
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
kafka:
- version: {{ .Values.version }}
+ version: {{ .Values.config.kafkaVersion }}
replicas: {{ .Values.replicaCount }}
listeners:
- name: plain
- port: {{ .Values.kafkaInternalPort }}
+ port: {{ .Values.config.kafkaInternalPort }}
type: internal
tls: false
authentication:
- type: {{ .Values.saslMechanism }}
+ type: {{ .Values.config.saslMechanism }}
- name: tls
port: 9093
type: internal
- broker: 2
nodePort: {{ .Values.global.nodePortPrefixExt }}92
authorization:
- type: simple
+ type: {{ .Values.config.authType }}
superUsers:
- - {{ .Values.kafkaStrimziAdminUser }}
+ - {{ .Values.config.strimziKafkaAdminUser }}
template:
pod:
securityContext:
fsGroup: 0
config:
default.replication.factor: {{ .Values.replicaCount }}
- min.insync.replicas: {{ .Values.replicaCount }}
+ min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }}
offsets.topic.replication.factor: {{ .Values.replicaCount }}
+ num.partitions: {{ mul .Values.replicaCount 2 }}
transaction.state.log.replication.factor: {{ .Values.replicaCount }}
- num.partitions: {{ .Values.numPartitions }}
- transaction.state.log.min.isr: {{ .Values.replicaCount }}
- log.message.format.version: {{ .Values.version }}
- inter.broker.protocol.version: {{ .Values.version }}
+ transaction.state.log.min.isr: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }}
+ log.message.format.version: {{ .Values.config.kafkaVersion }}
+ inter.broker.protocol.version: {{ .Values.config.kafkaVersion }}
storage:
type: jbod
volumes:
- id: 0
type: persistent-claim
- size: {{ .Values.persistenceKafka.size }}
+ size: {{ .Values.persistence.kafka.size }}
deleteClaim: true
- class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistenceKafka) }}
+ class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }}
zookeeper:
template:
pod:
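Review bot: `eq 1.0 (.Values.replicaCount)` in `min.insync.replicas` and `transaction.state.log.min.isr` works only while `replicaCount` arrives as a float. Go templates refuse to compare an integer with a float, so an integer value (which, as far as I know, is what `--set replicaCount=1` produces) would fail the render. `{{ max 1 (sub (int .Values.replicaCount) 1) }}` gives the same result for 1 and above without the type dependency and never drops below 1. The Kafka `spec` starts outside this hunk.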
{{- end }}
storage:
type: persistent-claim
- size: {{ .Values.persistenceZk.size }}
+ size: {{ .Values.persistence.zookeeper.size }}
deleteClaim: true
- class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistenceZk) }}
+ class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }}
entityOperator:
topicOperator: {}
userOperator: {}
nodePortPrefixExt: 304
persistence:
mountPath: /dockerdata-nfs
-
#################################################################
# Application configuration defaults.
#################################################################
replicaCount: 3
-numPartitions: 10
-kafkaInternalPort: 9092
-saslMechanism: scram-sha-512
-version: 3.2.3
-kafkaStrimziAdminUser: strimzi-kafka-admin
-persistence: {}
+config:
+ kafkaVersion: 3.2.3
+ authType: simple
+ saslMechanism: &saslMech scram-sha-512
+ kafkaInternalPort: &plainPort 9092
+ strimziKafkaAdminUser: &adminUser strimzi-kafka-admin
-persistenceKafka:
- enabled: true
- size: 2Gi
- volumeReclaimPolicy: Retain
- accessMode: ReadWriteOnce
- mountPath: /dockerdata-nfs
- mountSubPath: strimzi-kafka/kafka
-persistenceZk:
- enabled: true
- size: 2Gi
- volumeReclaimPolicy: Retain
- accessMode: ReadWriteOnce
+persistence:
+ enabled: &pvenabled true
mountPath: /dockerdata-nfs
- mountSubPath: strimzi-kafka/zk
+ kafka:
+ enabled: *pvenabled
+ # default values of 2Gi for dev env.
+ # Production values should be dimensioned according to requirements. ie >= 10Gi
+ size: 2Gi
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ mountPath: /dockerdata-nfs
+ mountSubPath: strimzi-kafka/kafka
+ zookeeper:
+ enabled: *pvenabled
+ size: 1Gi
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ mountPath: /dockerdata-nfs
+ mountSubPath: strimzi-kafka/zk
#Pods Service Account
serviceAccount:
nameOverride: strimzi-kafka
roles:
- read
+
+######################
+# Component overrides
+######################
+strimzi-kafka-bridge:
+ enabled: true
+ config:
+ saslMechanism: *saslMech
+ kafkaInternalPort: *plainPort
+ strimziKafkaAdminUser: *adminUser
\ No newline at end of file