...
For IP will use the l-interface in the vserver , and currently we are suggesting five fields proposing to be add to five parameters in AAI, as shown in below (Marked in RED).
Please let me know, if I need to modify/change anything. So that we can finalize the AAI model for the POD.
...
vserver.json (vserver-name,vserver-name2,prov-status,l3-interface-ipv4-address and l3-interface-ipv4-prefix-length).
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
{ "vserver-id":"example-vserver-id-val-54206", "vserver-name":"POD-NAME", "vserver-name2":"profile-name", "prov-status":"NAMESPACE", "vserver-selflink":"example-vserver-selflink-val-53168", "in-maint":true, "is-closed-loop-disabled":true, "volumes":{ "volume":[ { "volume-id":"example-volume-id-val-71602", "volume-selflink":"example-volume-selflink-val-80626" } ] }, "l-interfaces":{ "l-interface":[ { "interface-name":"example-interface-name-val-29637", "interface-role":"example-interface-role-val-49763", "v6-wan-link-ip":"example-v6-wan-link-ip-val-73419", "selflink":"example-selflink-val-83045", "interface-id":"example-interface-id-val-17917", "macaddr":"example-macaddr-val-71542", "network-name":"example-network-name-val-2842", "management-option":"example-management-option-val-16536", "interface-description":"example-interface-description-val-85643", "is-port-mirrored":true, "in-maint":true, "prov-status":"example-prov-status-val-73622", "is-ip-unnumbered":true, "allowed-address-pairs":"example-allowed-address-pairs-val-92267", "vlans":{ "vlan":[ { "vlan-interface":"example-vlan-interface-val-54497", "vlan-id-inner":70918078, "vlan-id-outer":61012074, "speed-value":"example-speed-value-val-12296", "speed-units":"example-speed-units-val-84452", "vlan-description":"example-vlan-description-val-13828", "backdoor-connection":"example-backdoor-connection-val-63476", "vpn-key":"example-vpn-key-val-54149", "orchestration-status":"example-orchestration-status-val-66103", "in-maint":true, "prov-status":"example-prov-status-val-60754", "is-ip-unnumbered":true, "is-private":true, "l3-interface-ipv4-address-list":[ { "l3-interface-ipv4-address":"example-l3-interface-ipv4-address-val-25332", "l3-interface-ipv4-prefix-length":44948626, "vlan-id-inner":90390215, "vlan-id-outer":59415181, "is-floating":true, "neutron-network-id":"example-neutron-network-id-val-49439", "neutron-subnet-id":"example-neutron-subnet-id-val-17490" } ], "l3-interface-ipv6-address-list":[ { "l3-interface-ipv6-address":"example-l3-interface-ipv6-address-val-65463", "l3-interface-ipv6-prefix-length":28285864, "vlan-id-inner":68853321, "vlan-id-outer":36358258, "is-floating":true, "neutron-network-id":"example-neutron-network-id-val-85239", "neutron-subnet-id":"example-neutron-subnet-id-val-11639" } ] } ] }, "sriov-vfs":{ "sriov-vf":[ { "pci-id":"example-pci-id-val-68804", "vf-vlan-filter":"example-vf-vlan-filter-val-66686", "vf-mac-filter":"example-vf-mac-filter-val-4844", "vf-vlan-strip":true, "vf-vlan-anti-spoof-check":true, "vf-mac-anti-spoof-check":true, "vf-mirrors":"example-vf-mirrors-val-62994", "vf-broadcast-allow":true, "vf-unknown-multicast-allow":true, "vf-unknown-unicast-allow":true, "vf-insert-stag":true, "vf-link-status":"example-vf-link-status-val-61210", "neutron-network-id":"example-neutron-network-id-val-92364" } ] }, "l-interfaces":{ "l-interface":[ { "interface-name":"example-interface-name-val-24756", "interface-role":"example-interface-role-val-99880", "v6-wan-link-ip":"example-v6-wan-link-ip-val-83433", "selflink":"example-selflink-val-37078", "interface-id":"example-interface-id-val-30028", "macaddr":"example-macaddr-val-48581", "network-name":"example-network-name-val-66290", "management-option":"example-management-option-val-75756", "interface-description":"example-interface-description-val-12906", "is-port-mirrored":true, "in-maint":true, "prov-status":"example-prov-status-val-34593", "is-ip-unnumbered":true, "allowed-address-pairs":"example-allowed-address-pairs-val-55176", "admin-status":"example-admin-status-val-64707" } ] }, "l3-interface-ipv4-address-list":[ { "l3-interface-ipv4-address":"IP_Address", "l3-interface-ipv4-prefix-length":"PORT", "vlan-id-inner":17112845, "vlan-id-outer":77792568, "is-floating":true, "neutron-network-id":"example-neutron-network-id-val-60469", "neutron-subnet-id":"example-neutron-subnet-id-val-22212" } ], "l3-interface-ipv6-address-list":[ { "l3-interface-ipv6-address":"example-l3-interface-ipv6-address-val-99899", "l3-interface-ipv6-prefix-length":78690445, "vlan-id-inner":66245854, "vlan-id-outer":11258712, "is-floating":true, "neutron-network-id":"example-neutron-network-id-val-57495", "neutron-subnet-id":"example-neutron-subnet-id-val-2203" } ], "admin-status":"example-admin-status-val-39685" } ] } } |
Proposal-2:
Pod names are not fixed. They will always change whenever the pod gets restarted. Remember pods are *NOT* like VMs.
If the goal here is to be able to connect to the POD to do some actions on it, then we are better off storing the Name of the Service that sends traffic to that POD.
Basically, the vserver information should say: "I want to connect to this service within my application and here is the IP and PORT to do so"
The connectivity information will be the Public IP: Port combo for each Kubernetes Service, which will allow you to ssh into the pod itself via the service.
Now, when there are multiple pods for each service, the pods will need to have to have a mechanism that will allow them to synchronize that information between them. Either via a persistent volume that stores state or via some kind of peer to peer gossip.
The connection flow will be like this. The only thing that is accessible to the outside is the PUBLIC_IP.
ONAP USER --> PUBLIC_IP:PORT --> INGRESS_GATEWAY --> SERVICE:SERVICE_PORT --> ONE OF THE PODS
Having said that, selection of a particular service can be done via route inspection for HTTP services.
For TCP services such as SSH or NETCONF, there is no route and we will have to use PORT based TCP routes.
So, a dynamically generated port will be allocated on the public_IP.
Observations from vFW Closed-loop:
That example has 2 parts:
- The vFW component sends VES events to the DCAE collector. In our lab setup, all that was needed was the IP address and port of the DCAE collector – and of course, the vFW pod (virtlet) needs to be able to access that. The aspect that needs to line up with AAI is the VES event contains a ‘sourceName’ field which is used by DCAE to lookup the corresponding vserver in AAI. With the current demo vFW code, the hostname of the vFW (virtlet) turns out to be the pod name. (see https://wiki.onap.org/display/DW/Setting+up+Closed+Loop+for+K8S+vFW+-+initial+pass#SettingupClosedLoopforK8SvFW-initialpass-VESEventsfromthevFirewall for details).
- If you look at my example in the link refered, you’ll note that I did not add any IP address info – it seems the key info is the vserver name and its relationship to the vnf-id. Obviously IP info is needed for connections coming the other direction.
- The other part of the vFW closed loop example is the connection made so that APPC can configure the Packet Generator in response to policy. So far, I have mimicked the steps used by the integration robot testing – and set up the APPC netconf mount to the Packet Generator manually. The 3 specific data items needed were: vnf-id, IP address and Port number. In my initial test case, the IP address was the IP of the Node and the Port was the Node Port of a Service (which will be added to the example). (see https://wiki.onap.org/display/DW/Setting+up+Closed+Loop+for+K8S+vFW+-+initial+pass#SettingupClosedLoopforK8SvFW-initialpass-SettingupaServicethePacketGeneratornetconfmount )
- If I’m following Kiran’s point then eventually, we’d use a Public IP:Port instead of the node values I used.
- For the service, the vserver object could be the service name.
- Once the netconf mount is done, ONAP just needs to know the vnf-id (I believe – response to policy worked without AAI having any IP info). So, while I manually performed the netconf mount, if ONAP has the ability to automatically perform the netconf mount, then AAI will need the appropriate information.
So, what if, for example, the vFW needs to send VES events (as in part #1) and it also needs to have configuration (as in part #2)?
Perhaps this implies two vserver objects?
One for the pod name of the pod generating ves events and another for the service and the network interface it exposes.
Also, one other thought, as Kiran mentions, the pod name can change – so if pod is used as vserver name, then you’d want some process to update AAI. Maybe we need to make our sample vFW VES events send something a little less volatile then pod name.