1 .. This work is licensed under a
2 .. Creative Commons Attribution 4.0 International License.
3 .. http://creativecommons.org/licenses/by/4.0
6 Policy/ACM OOM Installation
7 ---------------------------
14 * This guide assumes that you have access to a Kubernetes cluster.
15 * The examples for this guide were carried out on a 3 node Ubuntu-based cluster. However, cluster software such as microk8s should work just as well.
17 Cluster Used in this Guide
18 **************************
19 * Ubuntu-based VM using Ubuntu 22.04.1 LTS
20 * VM has 16GB RAM and 150 GB HDD and 4CPU
21 * microk8s-based cluster is used
25 * Microk8s Cluster capable of running kubectl commands
26 * Both kubectl client and the server use v1.30.4
27 * Helm version v3.15.4 is installed
28 * There should be a running chart repo called "local"
29 * Chartmuseum used to create the chart repo
31 Deploy Policy/ACM OOM & Required Charts
32 ***************************************
33 The policy K8S charts are located in the `OOM repository <https://gerrit.onap.org/r/gitweb?p=oom.git;a=tree;f=kubernetes/policy;h=78576c7a0d30cb87054e9776326cdde20986e6e3;hb=refs/heads/master>`_.
37 Chart museum's **helm-push** plugin should be installed
41 helm plugin install https://github.com/chartmuseum/helm-push --version 0.10.3
43 And then we should install the **deploy** and **undeploy** plugins from oom. so, navigate to the oom/kubernetes directory in the above cloned oom gerrit repo.
47 helm plugin install helm/plugins/deploy
48 helm plugin install helm/plugins/undeploy
50 Package and Upload Charts to Repo
51 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
52 Navigate to the same oom/kubernetes directory. The **make** command can be used here to package and upload (among other things) the charts to the local chart repo. This command is slow as it has to package and upload all of the helm charts in oom. However, we are skipping linting of the charts and using the **-j** flag to allow us to use multiple threads - this will maximize the speed.
56 make all SKIP_LINT=TRUE -j$(nproc)
58 Once this is completed, we should be able to see all of the charts in the local helm repo.
62 helm search repo local
64 local/policy 14.0.5 ONAP Policy
65 local/policy-apex-pdp 14.0.1 ONAP Policy APEX PDP
66 local/policy-api 14.0.2 ONAP Policy Design API
67 local/policy-clamp-ac-a1pms-ppnt 14.0.1 ONAP Policy Clamp A1PMS Participant
68 local/policy-clamp-ac-http-ppnt 14.0.1 ONAP Policy Clamp Controlloop Http Participant
69 local/policy-clamp-ac-k8s-ppnt 14.0.1 ONAP Policy Clamp Controlloop K8s Participant
70 local/policy-clamp-ac-kserve-ppnt 14.0.1 ONAP Policy Clamp Kserve Participant
71 local/policy-clamp-ac-pf-ppnt 14.0.1 ONAP Policy Clamp Controlloop Policy Participant
72 local/policy-clamp-runtime-acm 14.0.2 ONAP Policy Clamp Controlloop Runtime
73 local/policy-distribution 14.0.1 ONAP Policy Distribution
74 local/policy-drools-pdp 14.0.2 ONAP Drools Policy Engine (PDP-D)
75 local/policy-pap 14.0.2 ONAP Policy Administration (PAP)
76 local/policy-xacml-pdp 14.0.3 ONAP Policy XACML PDP (PDP-X)
79 Only the policy/acm charts are shown above - there will be many others.
81 Strimzi Kafka and Cert Manager Install
82 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
87 kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
89 Currently, the following policy/acm components use Strimzi Kafka by default:
98 There is a future plan to move all components to Strimzi Kafka. However, in the meantime, our deployments require both DMAAP message-router and Strimzi Kafka
100 Install Strimzi Kafka Operator
104 helm repo add strimzi https://strimzi.io/charts/
105 helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version 0.43.0 --set watchAnyNamespace=true --create-namespace
107 Once these are installed and running, we can move on to the installation of the policy and related helm charts
109 Policy and Related Helm Chart Install
110 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
111 At this stage, we have all the required charts that we need for either Policy Framework or ACM installation. The command to deploy the charts is below
115 helm deploy dev local/onap --namespace onap -f ~/override.yaml --create-namespace
117 In the above **helm deploy** command we provide an override file called **override.yaml**. In this file, we can turn on/off different parts of the onap installation. we have provided an file below in the collapsable code. This is provided just as examples - you can adjust any way you see fit. The choice between postgres and mariadb is controlled by **global.mariadbGalera.localCluster & global.mariadbGalera.useInPolicy** for mariadb and **global.postgres.localCluster & global.postgres.useInPolicy** for postgres
119 .. collapse:: Policy/ACM Chart Override
124 repository: nexus3.onap.org:10001
125 pullPolicy: IfNotPresent
126 masterPassword: password
130 addTestingComponents: false
131 useStrimziKafka: true
132 useStrimziKafkaPf: false
134 # flag to enable the DB creation via mariadb-operator
136 # if useOperator set to "true", set "enableServiceAccount to "false"
137 # as the SA is created by the Operator
138 enableServiceAccount: true
140 # '&mariadbConfig' means we "store" the values for later use in the file
141 # with '*mariadbConfig' pointer.
142 config: &mariadbConfig
143 mysqlDatabase: policyadmin
144 service: &mariadbService policy-mariadb
146 nameOverride: *mariadbService
147 # (optional) if localCluster=false and an external secret is used set this variable
148 #userRootSecret: <secretName>
150 prometheusEnabled: false
155 name2: policy-pg-primary
156 name3: policy-pg-replica
175 enableClustering: false
254 strimzi-kafka-bridge:
258 policy-clamp-ac-a1pms-ppnt:
260 policy-clamp-ac-kserve-ppnt:
262 policy-clamp-ac-k8s-ppnt:
264 policy-clamp-ac-http-ppnt:
266 policy-clamp-ac-pf-ppnt:
268 policy-clamp-runtime-acm:
291 To get a listing of the Policy or ACM Pods, run the following command:
295 kubectl get pods -n onap | grep dev-policy
297 dev-policy-59684c7b9c-5gd6r 2/2 Running 0 8m41s
298 dev-policy-apex-pdp-0 1/1 Running 0 8m41s
299 dev-policy-api-56f55f59c5-nl5cg 1/1 Running 0 8m41s
300 dev-policy-distribution-54cc59b8bd-jkg5d 1/1 Running 0 8m41s
301 dev-policy-mariadb-0 1/1 Running 0 8m41s
302 dev-policy-xacml-pdp-765c7d58b5-l6pr7 1/1 Running 0 8m41s
305 To get a listing of the Policy services, run this command:
306 kubectl get svc -n onap | grep policy
308 Accessing Policy/ACM Containers
309 *******************************
310 Accessing the policy docker containers is the same as for any kubernetes container. Here is an example:
314 kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash
316 .. _install-upgrade-policy-label:
318 Installing or Upgrading Policy/ACM
319 **********************************
320 The assumption is you have cloned the charts from the OOM repository into a local directory.
322 **Step 1** Go into local copy of OOM charts
324 From your local copy, edit any of the values.yaml files in the policy tree to make desired changes.
326 The policy/acm schemas will be installed automatically as part of the database configuration using ``db-migrator``.
327 By default the policy/acm schemas is upgraded to the latest version.
328 For more information on how to change the ``db-migrator`` setup please see
329 :ref:`Using Policy DB Migrator <policy-db-migrator-label>`.
331 **Step 2** Build the charts
335 make policy -j$(nproc)
336 make SKIP_LINT=TRUE onap -j$(nproc)
339 SKIP_LINT is only to reduce the "make" time. **-j** allows the use of multiple threads.
341 **Step 3** Undeploy Policy/ACM
342 After undeploying policy, loop on monitoring the policy pods until they go away.
347 kubectl get pods -n onap | grep dev
350 **Step 4** Re-Deploy Policy pods
352 After deploying policy, loop on monitoring the policy pods until they come up.
356 helm deploy dev local/onap --namespace onap -f override.yaml
357 kubectl get pods -n onap | grep dev
360 If you want to purge the existing data and start with a clean install,
361 please follow these steps after undeploying:
363 **Step 1** Delete NFS persisted data for Policy
367 rm -fr /dockerdata-nfs/dev/policy
369 **Step 2** Make sure there is no orphan policy database persistent volume or claim.
371 First, find if there is an orphan database PV or PVC with the following commands:
375 kubectl get pvc -n onap | grep policy
376 kubectl get pv -n onap | grep policy
378 If there are any orphan resources, delete them with
382 kubectl delete pvc <orphan-policy-mariadb-resource>
383 kubectl delete pv <orphan-policy-mariadb-resource>
386 Restarting a faulty component
387 *****************************
388 Each policy component can be restarted independently by issuing the following command:
392 kubectl delete pod <policy-pod> -n onap
396 For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them.
400 kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort
402 Additional PDP-D Customizations
403 *******************************
405 Credentials and other configuration parameters can be set as values
406 when deploying the policy (drools) subchart. Please refer to
407 `PDP-D Default Values <https://git.onap.org/oom/tree/kubernetes/policy/components/policy-drools-pdp/values.yaml>`_
408 for the current default values. It is strongly recommended that sensitive
409 information is secured appropriately before using in production.
411 Additional customization can be applied to the PDP-D. Custom configuration goes under the
412 "resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources).
413 This requires rebuilding the policy subchart
414 (see section :ref:`install-upgrade-policy-label`).
416 Configuration is done by adding or modifying configmaps and/or secrets.
417 Configmaps are placed under "drools/resources/configmaps", and
418 secrets under "drools/resources/secrets".
420 Custom configuration supportes these types of files:
422 * **\*.conf** files to support additional environment configuration.
423 * **features\*.zip** to add additional custom features.
424 * **\*.pre.sh** scripts to be executed before starting the PDP-D process.
425 * **\*.post.sh** scripts to be executed after starting the PDP-D process.
426 * **policy-keystore** to override the PDP-D policy-keystore.
427 * **policy-truststore** to override the PDP-D policy-truststore.
428 * **aaf-cadi.keyfile** to override the PDP-D AAF key.
429 * **\*.properties** to override or add properties files.
430 * **\*.xml** to override or add xml configuration files.
431 * **\*.json** to override json configuration files.
432 * **\*settings.xml** to override maven repositories configuration .
436 To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under
437 "drools/resources/secrets". Modify the drools chart values.yaml with
438 new credentials, and follow the procedures described at
439 :ref:`install-upgrade-policy-label` to redeploy the chart.
Code Review / policy / parent.git / blob