1 .. This work is licensed under a
2 .. Creative Commons Attribution 4.0 International License.
3 .. http://creativecommons.org/licenses/by/4.0
6 Policy/ACM OOM Installation
7 ---------------------------
14 * This guide assumes that you have access to a Kubernetes cluster.
15 * The examples for this guide were carried out on a 3 node Ubuntu-based cluster. However, cluster software such as microk8s should work just as well.
17 Cluster Used in this Guide
18 **************************
19 * Ubuntu-based cluster using Ubuntu 20.04.1 LTS
20 * 3 nodes - each having 8GB RAM and 4CPU
24 * K8s Cluster capable of running kubectl commands
25 * Both kubectl client and the server use v1.22.4
26 * Helm version v3.6.3 is installed
27 * There should be a running chart repo called "local"
28 * Chartmuseum used to create the chart repo
30 Deploy Policy/ACM OOM & Required Charts
31 ***************************************
32 The policy K8S charts are located in the `OOM repository <https://gerrit.onap.org/r/gitweb?p=oom.git;a=tree;f=kubernetes/policy;h=78576c7a0d30cb87054e9776326cdde20986e6e3;hb=refs/heads/master>`_.
36 Chart museum's **helm-push** plugin should be installed
40 helm plugin install https://github.com/chartmuseum/helm-push --version 0.10.3
42 And then we should install the **deploy** and **undeploy** plugins from oom. so, navigate to the oom/kubernetes directory in the above cloned oom gerrit repo.
46 helm plugin install helm/plugins/deploy
47 helm plugin install helm/plugins/undeploy
49 Package and Upload Charts to Repo
50 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
51 Navigate to the same oom/kubernetes directory. The **make** command can be used here to package and upload (among other things) the charts to the local chart repo. This command is slow as it has to package and upload all of the helm charts in oom. However, we are skipping linting of the charts and using the **-j** flag to allow us to use multiple threads - this will maximize the speed.
55 make all SKIP_LINT=TRUE -j$(nproc)
57 Once this is completed, we should be able to see all of the charts in the local helm repo.
61 helm search repo local
63 local/policy 12.0.0 ONAP Policy
64 local/policy-apex-pdp 12.0.0 ONAP Policy APEX PDP
65 local/policy-api 12.0.0 ONAP Policy Design API
66 local/policy-clamp-ac-a1pms-ppnt 12.0.0 ONAP Policy Clamp A1PMS Participant
67 local/policy-clamp-ac-http-ppnt 12.0.0 ONAP Policy Clamp Controlloop Http Participant
68 local/policy-clamp-ac-k8s-ppnt 12.0.0 ONAP Policy Clamp Controlloop K8s Participant
69 local/policy-clamp-ac-kserve-ppnt 12.0.0 ONAP Policy Clamp Kserve Participant
70 local/policy-clamp-ac-pf-ppnt 12.0.0 ONAP Policy Clamp Controlloop Policy Participant
71 local/policy-clamp-runtime-acm 12.0.0 ONAP Policy Clamp Controlloop Runtime
72 local/policy-distribution 12.0.0 ONAP Policy Distribution
73 local/policy-drools-pdp 12.0.0 ONAP Drools Policy Engine (PDP-D)
74 local/policy-pap 12.0.0 ONAP Policy Administration (PAP)
75 local/policy-xacml-pdp 12.0.0 ONAP Policy XACML PDP (PDP-X)
78 Only the policy/acm charts are shown above - there will be many others.
80 Strimzi Kafka and Cert Manager Install
81 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
86 kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
88 Currently, the following policy/acm components use Strimzi Kafka by default:
97 There is a future plan to move all components to Strimzi Kafka. However, in the meantime, our deployments require both DMAAP message-router and Strimzi Kafka
99 Install Strimzi Kafka Operator
103 helm repo add strimzi https://strimzi.io/charts/
104 helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version 0.32.0 --set watchAnyNamespace=true --create-namespace
106 Once these are installed and running, we can move on to the installation of the policy and related helm charts
108 Policy and Related Helm Chart Install
109 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
110 At this stage, we have all the required charts that we need for either Policy Framework or ACM installation. The command to deploy the charts is below
114 helm deploy dev local/onap --namespace onap -f ~/override.yaml --create-namespace
116 In the above **helm deploy** command we provide an override file called **override.yaml**. In this file, we can turn on/off different parts of the onap installation. we have provided 2 different override files below in the collapsable code. One is for just the policy components and requirements. One is for the ACM components and requirements. These are provided just as examples - you can adjust any way you see fit.
118 .. collapse:: Policy Chart Override
123 repository: nexus3.onap.org:10001
124 pullPolicy: IfNotPresent
125 masterPassword: password
129 addTestingComponents: false
145 enableClustering: false
224 strimzi-kafka-bridge:
228 policy-clamp-ac-a1pms-ppnt:
230 policy-clamp-ac-k8s-ppnt:
232 policy-clamp-ac-http-ppnt:
234 policy-clamp-ac-pf-ppnt:
236 policy-clamp-runtime-acm:
255 .. collapse:: ACM Chart Override
260 repository: nexus3.onap.org:10001
261 pullPolicy: IfNotPresent
262 masterPassword: password
266 addTestingComponents: false
282 enableClustering: false
361 strimzi-kafka-bridge:
365 policy-clamp-ac-a1pms-ppnt:
367 policy-clamp-ac-k8s-ppnt:
369 policy-clamp-ac-http-ppnt:
371 policy-clamp-ac-pf-ppnt:
373 policy-clamp-runtime-acm:
396 To get a listing of the Policy or ACM Pods, run the following command:
400 kubectl get pods -n onap | grep dev-policy
402 dev-policy-59684c7b9c-5gd6r 2/2 Running 0 8m41s
403 dev-policy-apex-pdp-0 1/1 Running 0 8m41s
404 dev-policy-api-56f55f59c5-nl5cg 1/1 Running 0 8m41s
405 dev-policy-distribution-54cc59b8bd-jkg5d 1/1 Running 0 8m41s
406 dev-policy-mariadb-0 1/1 Running 0 8m41s
407 dev-policy-xacml-pdp-765c7d58b5-l6pr7 1/1 Running 0 8m41s
410 To get a listing of the Policy services, run this command:
411 kubectl get svc -n onap | grep policy
413 Accessing Policy/ACM Containers
414 *******************************
415 Accessing the policy docker containers is the same as for any kubernetes container. Here is an example:
419 kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash
421 .. _install-upgrade-policy-label:
423 Installing or Upgrading Policy/ACM
424 **********************************
425 The assumption is you have cloned the charts from the OOM repository into a local directory.
427 **Step 1** Go into local copy of OOM charts
429 From your local copy, edit any of the values.yaml files in the policy tree to make desired changes.
431 The policy schema will be installed automatically as part of the database configuration using ``db-migrator``.
432 By default the policy schema is upgraded to the latest version.
433 For more information on how to change the ``db-migrator`` setup please see
434 :ref:`Using Policy DB Migrator <policy-db-migrator-label>`.
436 **Step 2** Build the charts
440 make policy -j$(nproc)
441 make SKIP_LINT=TRUE onap -j$(nproc)
444 SKIP_LINT is only to reduce the "make" time. **-j** allows the use of multiple threads.
446 **Step 3** Undeploy Policy/ACM
447 After undeploying policy, loop on monitoring the policy pods until they go away.
451 helm undeploy dev-policy
452 kubectl get pods -n onap | grep dev-policy
455 **Step 4** Re-Deploy Policy pods
457 After deploying policy, loop on monitoring the policy pods until they come up.
461 helm deploy dev-policy local/onap --namespace onap
462 kubectl get pods -n onap | grep dev-policy
465 If you want to purge the existing data and start with a clean install,
466 please follow these steps after undeploying:
468 **Step 1** Delete NFS persisted data for Policy
472 rm -fr /dockerdata-nfs/dev/policy
474 **Step 2** Make sure there is no orphan policy database persistent volume or claim.
476 First, find if there is an orphan database PV or PVC with the following commands:
480 kubectl get pvc -n onap | grep policy
481 kubectl get pv -n onap | grep policy
483 If there are any orphan resources, delete them with
487 kubectl delete pvc <orphan-policy-mariadb-resource>
488 kubectl delete pv <orphan-policy-mariadb-resource>
491 Restarting a faulty component
492 *****************************
493 Each policy component can be restarted independently by issuing the following command:
497 kubectl delete pod <policy-pod> -n onap
501 For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them.
505 kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort
507 Additional PDP-D Customizations
508 *******************************
510 Credentials and other configuration parameters can be set as values
511 when deploying the policy (drools) subchart. Please refer to
512 `PDP-D Default Values <https://git.onap.org/oom/tree/kubernetes/policy/components/policy-drools-pdp/values.yaml>`_
513 for the current default values. It is strongly recommended that sensitive
514 information is secured appropriately before using in production.
516 Additional customization can be applied to the PDP-D. Custom configuration goes under the
517 "resources" directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources).
518 This requires rebuilding the policy subchart
519 (see section :ref:`install-upgrade-policy-label`).
521 Configuration is done by adding or modifying configmaps and/or secrets.
522 Configmaps are placed under "drools/resources/configmaps", and
523 secrets under "drools/resources/secrets".
525 Custom configuration supportes these types of files:
527 * **\*.conf** files to support additional environment configuration.
528 * **features\*.zip** to add additional custom features.
529 * **\*.pre.sh** scripts to be executed before starting the PDP-D process.
530 * **\*.post.sh** scripts to be executed after starting the PDP-D process.
531 * **policy-keystore** to override the PDP-D policy-keystore.
532 * **policy-truststore** to override the PDP-D policy-truststore.
533 * **aaf-cadi.keyfile** to override the PDP-D AAF key.
534 * **\*.properties** to override or add properties files.
535 * **\*.xml** to override or add xml configuration files.
536 * **\*.json** to override json configuration files.
537 * **\*settings.xml** to override maven repositories configuration .
541 To *override the PDP-D keystore or trustore*, add a suitable replacement(s) under
542 "drools/resources/secrets". Modify the drools chart values.yaml with
543 new credentials, and follow the procedures described at
544 :ref:`install-upgrade-policy-label` to redeploy the chart.
546 To *disable https* for the DMaaP configuration topic, add a copy of
547 `engine.properties <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server/config/engine.properties>`_
548 with "dmaap.source.topics.PDPD-CONFIGURATION.https" set to "false", or alternatively
549 create a ".pre.sh" script (see above) that edits this file before the PDP-D is
552 To use *noop topics* for standalone testing, add a "noop.pre.sh" script under
553 oom/kubernetes/policy/charts/drools/resources/configmaps/:
558 sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties
Code Review / policy / parent.git / blob