Policy OOM Installation

Policy OOM Charts

The policy K8S charts are located in the OOM repository.

Please refer to the OOM documentation on how to install and deploy ONAP.

Policy Pods

To get a listing of the Policy Pods, run the following command:

kubectl get pods -n onap | grep dev-policy

dev-policy-59684c7b9c-5gd6r                        2/2     Running            0          8m41s
dev-policy-apex-pdp-0                              1/1     Running            0          8m41s
dev-policy-api-56f55f59c5-nl5cg                    1/1     Running            0          8m41s
dev-policy-distribution-54cc59b8bd-jkg5d           1/1     Running            0          8m41s
dev-policy-mariadb-0                               1/1     Running            0          8m41s
dev-policy-xacml-pdp-765c7d58b5-l6pr7              1/1     Running            0          8m41s

Note

To get a listing of the Policy services, run this command: kubectl get svc -n onap | grep policy

Accessing Policy Containers

Accessing the policy docker containers is the same as for any kubernetes container. Here is an example:

kubectl -n onap exec -it dev-policy-policy-xacml-pdp-584844b8cf-9zptx bash

Installing or Upgrading Policy

The assumption is you have cloned the charts from the OOM repository into a local directory.

Step 1 Go into local copy of OOM charts

From your local copy, edit any of the values.yaml files in the policy tree to make desired changes.

The policy schema will be installed automatically as part of the database configuration using db-migrator. By default the policy schema is upgraded to the latest version. For more information on how to change the db-migrator setup please see: Using Policy DB Migrator.

Step 2 Build the charts

make policy
make SKIP_LINT=TRUE onap

Note

SKIP_LINT is only to reduce the “make” time

Step 3 Undeploy Policy After undeploying policy, loop on monitoring the policy pods until they go away.

helm undeploy dev-policy
kubectl get pods -n onap | grep dev-policy

Step 4 Re-Deploy Policy pods

After deploying policy, loop on monitoring the policy pods until they come up.

helm deploy dev-policy local/onap --namespace onap
kubectl get pods -n onap | grep dev-policy

Note

If you want to purge the existing data and start with a clean install, please follow these steps after undeploying:

Step 1 Delete NFS persisted data for Policy

rm -fr /dockerdata-nfs/dev/policy

Step 2 Make sure there is no orphan policy database persistent volume or claim.

First, find if there is an orphan database PV or PVC with the following commands:

kubectl get pvc -n onap | grep policy
kubectl get pv -n onap | grep policy

If there are any orphan resources, delete them with

kubectl delete pvc <orphan-policy-mariadb-resource>
kubectl delete pv <orphan-policy-mariadb-resource>

Restarting a faulty component

Each policy component can be restarted independently by issuing the following command:

kubectl delete pod <policy-pod> -n onap

Exposing ports

For security reasons, the ports for the policy containers are configured as ClusterIP and thus not exposed. If you find you need those ports in a development environment, then the following will expose them.

kubectl -n onap expose service policy-api --port=7171 --target-port=6969 --name=api-public --type=NodePort

Overriding certificate stores

Policy components package default key and trust stores that support https based communication with other AAF-enabled ONAP components. Each store can be overridden at installation.

To override a default keystore, the new certificate store (policy-keystore) file should be placed at the appropriate helm chart locations below:

  • oom/kubernetes/policy/charts/drools/resources/secrets/policy-keystore drools pdp keystore override.

  • oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-keystore apex pdp keystore override.

  • oom/kubernetes/policy/charts/policy-api/resources/config/policy-keystore api keystore override.

  • oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-keystore distribution keystore override.

  • oom/kubernetes/policy/charts/policy-pap/resources/config/policy-keystore pap keystore override.

  • oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-keystore xacml pdp keystore override.

In the event that the truststore (policy-truststore) needs to be overriden as well, place it at the appropriate location below:

  • oom/kubernetes/policy/charts/drools/resources/configmaps/policy-truststore drools pdp truststore override.

  • oom/kubernetes/policy/charts/policy-apex-pdp/resources/config/policy-truststore apex pdp truststore override.

  • oom/kubernetes/policy/charts/policy-api/resources/config/policy-truststore api truststore override.

  • oom/kubernetes/policy/charts/policy-distribution/resources/config/policy-truststore distribution truststore override.

  • oom/kubernetes/policy/charts/policy-pap/resources/config/policy-truststore pap truststore override.

  • oom/kubernetes/policy/charts/policy-xacml-pdp/resources/config/policy-truststore xacml pdp truststore override.

When the keystore passwords are changed, the corresponding component configuration (1) should also change:

  • oom/kubernetes/policy/charts/drools/values.yaml

  • oom/kubernetes/policy-apex-pdp/resources/config/config.json

  • oom/kubernetes/policy-distribution/resources/config/config.json

This procedure is applicable to an installation that requires either AAF or non-AAF derived certificates. The reader is refered to the AAF documentation when new AAF-compliant keystores are desired:

After these changes, follow the procedures in the Installing or Upgrading Policy section to make usage of the new stores effective.

Additional PDP-D Customizations

Credentials and other configuration parameters can be set as values when deploying the policy (drools) subchart. Please refer to PDP-D Default Values for the current default values. It is strongly recommended that sensitive information is secured appropriately before using in production.

Additional customization can be applied to the PDP-D. Custom configuration goes under the “resources” directory of the drools subchart (oom/kubernetes/policy/charts/drools/resources). This requires rebuilding the policy subchart (see section Installing or Upgrading Policy).

Configuration is done by adding or modifying configmaps and/or secrets. Configmaps are placed under “drools/resources/configmaps”, and secrets under “drools/resources/secrets”.

Custom configuration supportes these types of files:

  • *.conf files to support additional environment configuration.

  • features*.zip to add additional custom features.

  • *.pre.sh scripts to be executed before starting the PDP-D process.

  • *.post.sh scripts to be executed after starting the PDP-D process.

  • policy-keystore to override the PDP-D policy-keystore.

  • policy-truststore to override the PDP-D policy-truststore.

  • aaf-cadi.keyfile to override the PDP-D AAF key.

  • *.properties to override or add properties files.

  • *.xml to override or add xml configuration files.

  • *.json to override json configuration files.

  • *settings.xml to override maven repositories configuration .

Examples

To disable AAF, simply override the “aaf.enabled” value when deploying the helm chart (see the OOM installation instructions mentioned above).

To override the PDP-D keystore or trustore, add a suitable replacement(s) under “drools/resources/secrets”. Modify the drools chart values.yaml with new credentials, and follow the procedures described at Installing or Upgrading Policy to redeploy the chart.

To disable https for the DMaaP configuration topic, add a copy of engine.properties with “dmaap.source.topics.PDPD-CONFIGURATION.https” set to “false”, or alternatively create a “.pre.sh” script (see above) that edits this file before the PDP-D is started.

To use noop topics for standalone testing, add a “noop.pre.sh” script under oom/kubernetes/policy/charts/drools/resources/configmaps/:

#!/bin/bash
sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties

Footnotes

1

There is a limitation that store passwords are not configurable for policy-api, policy-pap, and policy-xacml-pdp.