Policy/ACM OOM Installation
Notes
This guide assumes that you have access to a Kubernetes cluster.
The examples for this guide were carried out on a 3 node Ubuntu-based cluster. However, cluster software such as microk8s should work just as well.
Cluster Used in this Guide
Ubuntu-based cluster using Ubuntu 20.04.1 LTS
3 nodes - each having 8GB RAM and 4CPU
Prerequisites
K8s Cluster capable of running kubectl commands
Both kubectl client and the server use v1.22.4
Helm version v3.6.3 is installed
There should be a running chart repo called “local”
Chartmuseum used to create the chart repo
Deploy Policy/ACM OOM & Required Charts
The policy K8S charts are located in the OOM repository.
Install Helm Plugins
Chart museum’s helm-push plugin should be installed
helm plugin install https://github.com/chartmuseum/helm-push --version 0.10.3
And then we should install the deploy and undeploy plugins from oom. so, navigate to the oom/kubernetes directory in the above cloned oom gerrit repo.
helm plugin install helm/plugins/deploy
helm plugin install helm/plugins/undeploy
Package and Upload Charts to Repo
Navigate to the same oom/kubernetes directory. The make command can be used here to package and upload (among other things) the charts to the local chart repo. This command is slow as it has to package and upload all of the helm charts in oom. However, we are skipping linting of the charts and using the -j flag to allow us to use multiple threads - this will maximize the speed.
make all SKIP_LINT=TRUE -j$(nproc)
Once this is completed, we should be able to see all of the charts in the local helm repo.
helm search repo local
local/policy 12.0.0 ONAP Policy
local/policy-apex-pdp 12.0.0 ONAP Policy APEX PDP
local/policy-api 12.0.0 ONAP Policy Design API
local/policy-clamp-ac-a1pms-ppnt 12.0.0 ONAP Policy Clamp A1PMS Participant
local/policy-clamp-ac-http-ppnt 12.0.0 ONAP Policy Clamp Controlloop Http Participant
local/policy-clamp-ac-k8s-ppnt 12.0.0 ONAP Policy Clamp Controlloop K8s Participant
local/policy-clamp-ac-kserve-ppnt 12.0.0 ONAP Policy Clamp Kserve Participant
local/policy-clamp-ac-pf-ppnt 12.0.0 ONAP Policy Clamp Controlloop Policy Participant
local/policy-clamp-runtime-acm 12.0.0 ONAP Policy Clamp Controlloop Runtime
local/policy-distribution 12.0.0 ONAP Policy Distribution
local/policy-drools-pdp 12.0.0 ONAP Drools Policy Engine (PDP-D)
local/policy-pap 12.0.0 ONAP Policy Administration (PAP)
local/policy-xacml-pdp 12.0.0 ONAP Policy XACML PDP (PDP-X)
Note
Only the policy/acm charts are shown above - there will be many others.
Strimzi Kafka and Cert Manager Install
Install Cert Manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
Currently, the following policy/acm components use Strimzi Kafka by default:
policy-ppnt
k8s-ppnt
http-ppnt
a1Policy-mgmt-ppnt
kserve-ppnt
acm runtime
There is a future plan to move all components to Strimzi Kafka. However, in the meantime, our deployments require both DMAAP message-router and Strimzi Kafka | Install Strimzi Kafka Operator
helm repo add strimzi https://strimzi.io/charts/
helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version 0.32.0 --set watchAnyNamespace=true --create-namespace
Once these are installed and running, we can move on to the installation of the policy and related helm charts
Policy/ACM Pods
To get a listing of the Policy or ACM Pods, run the following command:
kubectl get pods -n onap | grep dev-policy
dev-policy-59684c7b9c-5gd6r 2/2 Running 0 8m41s
dev-policy-apex-pdp-0 1/1 Running 0 8m41s
dev-policy-api-56f55f59c5-nl5cg 1/1 Running 0 8m41s
dev-policy-distribution-54cc59b8bd-jkg5d 1/1 Running 0 8m41s
dev-policy-mariadb-0 1/1 Running 0 8m41s
dev-policy-xacml-pdp-765c7d58b5-l6pr7 1/1 Running 0 8m41s
Note
To get a listing of the Policy services, run this command: kubectl get svc -n onap | grep policy
Accessing Policy/ACM Containers
Accessing the policy docker containers is the same as for any kubernetes container. Here is an example:
kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash
Installing or Upgrading Policy/ACM
The assumption is you have cloned the charts from the OOM repository into a local directory.
Step 1 Go into local copy of OOM charts
From your local copy, edit any of the values.yaml files in the policy tree to make desired changes.
The policy schema will be installed automatically as part of the database configuration using db-migrator.
By default the policy schema is upgraded to the latest version.
For more information on how to change the db-migrator setup please see
Using Policy DB Migrator.
Step 2 Build the charts
make policy -j$(nproc)
make SKIP_LINT=TRUE onap -j$(nproc)
Note
SKIP_LINT is only to reduce the “make” time. -j allows the use of multiple threads.
Step 3 Undeploy Policy/ACM After undeploying policy, loop on monitoring the policy pods until they go away.
helm undeploy dev-policy
kubectl get pods -n onap | grep dev-policy
Step 4 Re-Deploy Policy pods
After deploying policy, loop on monitoring the policy pods until they come up.
helm deploy dev-policy local/onap --namespace onap
kubectl get pods -n onap | grep dev-policy
Note
If you want to purge the existing data and start with a clean install, please follow these steps after undeploying:
Step 1 Delete NFS persisted data for Policy
rm -fr /dockerdata-nfs/dev/policy
Step 2 Make sure there is no orphan policy database persistent volume or claim.
First, find if there is an orphan database PV or PVC with the following commands:
kubectl get pvc -n onap | grep policy
kubectl get pv -n onap | grep policy
If there are any orphan resources, delete them with
kubectl delete pvc <orphan-policy-mariadb-resource>
kubectl delete pv <orphan-policy-mariadb-resource>
Restarting a faulty component
Each policy component can be restarted independently by issuing the following command:
kubectl delete pod <policy-pod> -n onap
Exposing ports
For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them.
kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort
Additional PDP-D Customizations
Credentials and other configuration parameters can be set as values when deploying the policy (drools) subchart. Please refer to PDP-D Default Values for the current default values. It is strongly recommended that sensitive information is secured appropriately before using in production.
Additional customization can be applied to the PDP-D. Custom configuration goes under the “resources” directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources). This requires rebuilding the policy subchart (see section Installing or Upgrading Policy/ACM).
Configuration is done by adding or modifying configmaps and/or secrets. Configmaps are placed under “drools/resources/configmaps”, and secrets under “drools/resources/secrets”.
Custom configuration supportes these types of files:
*.conf files to support additional environment configuration.
features*.zip to add additional custom features.
*.pre.sh scripts to be executed before starting the PDP-D process.
*.post.sh scripts to be executed after starting the PDP-D process.
policy-keystore to override the PDP-D policy-keystore.
policy-truststore to override the PDP-D policy-truststore.
aaf-cadi.keyfile to override the PDP-D AAF key.
*.properties to override or add properties files.
*.xml to override or add xml configuration files.
*.json to override json configuration files.
*settings.xml to override maven repositories configuration .
Examples
To override the PDP-D keystore or trustore, add a suitable replacement(s) under “drools/resources/secrets”. Modify the drools chart values.yaml with new credentials, and follow the procedures described at Installing or Upgrading Policy/ACM to redeploy the chart.
To disable https for the DMaaP configuration topic, add a copy of engine.properties with “dmaap.source.topics.PDPD-CONFIGURATION.https” set to “false”, or alternatively create a “.pre.sh” script (see above) that edits this file before the PDP-D is started.
To use noop topics for standalone testing, add a “noop.pre.sh” script under oom/kubernetes/policy/charts/drools/resources/configmaps/:
#!/bin/bash
sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties