Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Bridge

...

Meeting pushed by 30 min for  ; will start at 15.00 UTC


[dcaegen2] Team ONAP11, Wed UTC 14:30

https://zoom.us/j/98967242523 
Meeting ID: 989 6724 2523
One tap mobile
+16465588656,,98967242523# US (New York)

Dial by your location
        +1 646 558 8656 US (New York)
        +1 669 900 6833 US (San Jose)
        877 369 0926 US Toll-free
        855 880 1246 US Toll-free
Meeting ID: 989 6724 2523
Find your local number: https://zoom.us/u/ad1U59khic

...


 Time (est) Topics Requester/Assignee Notes/Links




START RECORDING

PARTICIPANT LIST

1
Project Status



DCAE Blockers/High priority

Jira Legacy
serverSystem Jira
jqlQueryfilter=12210
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176





DCAE Outstanding Jira & MED priority bugs 

DCAEGEN2-2219 - DFC's SFTP client doesn't protect from MITM attacks  - Moved to Guilin

Open items from last meeting

  • DCAEGEN2-2194  runtTime 1.0.2 exception and import error

  • DCAEGEN2-2191 PH subscription error from Dmaap

  • DCAEGEN2-2193  During Deployment of Pm Mapper and Data File Collector fails in R6 release

  • DCAEGEN2-2170  Switch DCAE MOD components to non-root user (related to DCAEGEN2-2121) 
  • DCAEGEN2-2171 DL containers running as root(related to DCAEGEN2-2121)  - 4/1 - WIP
  • DCAEGEN2-2173,DCAEGEN2-2181, DCAEGEN2-2175 (PMSH) - Fiachra Corcoran will priortize and send email
  • DCAEGEN2-2067 VESCollector API/spec updates under documentation.

    • DCAEGEN2-2141 - Documentation
    warning  
  • AAF-1081 : Env issue; blocks DCAEGEN2-2042 Update DCAE certificates (Dashboard, PMSH SAN).
    • 4/1 - PMSH documentation to include workaround steps. 
  • CLAMP-650 - CLAMP not supporting blueprints (PMSH) with postgres plugin (workaround will be to onboard policy separate and use dashboard/consul)
    • Workaround will not involve CLAMP; so this defect/fix to be checked and moved to Guilin if still issue - David Farrelly  
    • 4/29 - Fix validated 
    • warning 
    2
    DCAE bootstrap updates

    05/06/2020 - Bootstrap 1.12.6 (frankfurt) -

    Pending release

    Released (OOM update pending)

    • SON_handler - 2.0.2  (released)

    Further blueprint updates will be assessed case by case if bootstrap version release is required

    • DataFileCollector - TBA

    4/7 - onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.12.5  released.

    • Datalake Handler (1.0.2)
    • PMSH 1.0.3

    Reference : https://lists.onap.org/g/onap-discuss/message/20046  Blueprint management for Frankfurt - DCAEGEN2-2041

    3
    CBS TLS in SDK

    Review recent discussion on : https://gerrit.onap.org/r/#/c/dcaegen2/services/sdk/+/94266/ and identify next step

    Confluence: TLS support for CBS - Migration Plan

    Current implementation relies on trust.jks being available. Following options to be explored

    Option 1: Work/address issue around using cacert.pem for CBS connection (original proposal)

  • Option 2: Enabled use_tls: true for all DCAE MS deployment (in blueprint) to ensure all AAF cert/trust and distributed (regardless of the MS/component being setup as server or not)
  • Option 3: Modify K8s plugin to include trust.jks distribution by default along with cacert.pem
  • Note: Current SDK change https://gerrit.onap.org/r/#/c/dcaegen2/services/sdk/+/94266/ relies on Option#2

    3/11 - New k8plugin released (2.0.0) and corresponding CM container released. Platform updates completed. Need test of HV_VES with new plugin - Piotr Wielebski

    4/29, 4/1 - tested on HV-VES 1.4.0 - not workingException in thread "main" org.onap.dcaegen2.services.sdk.security.ssl.exceptions.ReadingPasswordFromFileException: Could not read password from /etc/ves-hv/ssl/jks.pass   

        - jks.pass is distributed only when use_tls is set to true; need to be checked if app expects cert as server?  Piotr Wielebski

    5/6 - Below I've attached some notes regarding TLS support for DCAE Components: 

    k8splugin version 2.0.0 will automatically mount the CA certificate, in PEM and JKS formats, in the directory /opt/dcae/cacert. It is not necessary to add anything to the blueprint. To get the CA certificates in a different directory, add a tls_info property to the blueprint, set use_tls to false, and set cert_directory to the directory where the CA certs are needed. Whatever directory is used, the following files will be available:

    • trust.jks: A Java truststore containing the AAF CA certificate. (Needed by clients that access TLS-protected servers.)
    • trust.pass: A text file with a single line that contains the password for thetrust.jks keystore.
    • cacert.pem: The AAF CA certificate, in PEM form. (Needed by clients that access TLS-protected servers.)

    k8splugin version 2.0.0 uses an init container to supply the CA certificates.

    4/29, 4/1 - tested on HV-VES 1.4.0 - not working Exception in thread "main" org.onap.dcaegen2.services.sdk.security.ssl.exceptions.ReadingPasswordFromFileException: Could not read password from /etc/ves-hv/ssl/jks.pass   

        - jks.pass is distributed only when use_tls is set to true; need to be checked if app expects cert as server?  Piotr Wielebski

    link to the source https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/tls_enablement.html


    4
    Repo Branching 

    05/06/2020  - Documentation branching and new CI for frankfurt branch will be set up by 5/7

    Branching/tagging completed for all DCAE repo except  dcaegen2 (documentation)

    Documentation repo branching targetted

    for

    for  

    Committer must ensure new submissions are cherrypicked into Frankfurt branch

    • dcaegen2/analytics/tca
    • dcaegen2/analytics/tca-gen2
    • dcaegen2/collectors/datafile
    • dcaegen2/collectors/hv-ves
    • dcaegen2/collectors/restconf
    • dcaegen2/collectors/snmptrap
    • dcaegen2/collectors/ves
    • dcaegen2/deployments
    • dcaegen2/platform
    • dcaegen2/platform/blueprints
    • dcaegen2/platform/configbinding
    • dcaegen2/platform/deployment-handler
    • dcaegen2/platform/inventory-api
    • dcaegen2/platform/plugins
    • dcaegen2/platform/policy-handler
    • dcaegen2/platform/servicechange-handler
    • dcaegen2/services
    • dcaegen2/services/heartbeat
    • dcaegen2/services/mapper
    • dcaegen2/services/pm-mapper
    • dcaegen2/services/prh
    • dcaegen2/services/sdk
    • dcaegen2/services/son-handler
    • dcaegen2/utils





    6
    Guilin Items

    DCAE Guilin Priorities

    7
    AAF change impact

    aaf_agent (2.1.20) changed in Frankfurt generates cert as non-root; need to assess impact to dcae TLS init (currently uses 2.1.15)

    • one option is for separate truststore for external (discussed under CMPv2)
    • resolve the ownership for current cert/truststore to non-root user (common onap usergroup + and add into separate container)
      • change aaf_agent to default to non-root

    DCAE change to be assessed based on CMPv2 proposal; generic onap/usergroup to be discsussed with AAF team - Vijay Kumar



    Certificate for components/instance (wild card support)>Frankfurt

    PMSH may need to support multiple instance per different usecase. The certificate generation should be supported at instance level (possible AAF dependency

    4/29 - Policy may be using wildcard - *.pdp, *.pdp.onap.svc.cluster.local ; to be confirmed if supported from AAF currently Vijay Kumar

    2/20  -

    Jira Legacy
    serverSystem Jira
    serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
    keyDCAEGEN2-2084

     Image AddedDCAEGEN2-2084 - support certificate generation at instance level for DCAE services OPEN to track this request for DCAE; AAF dependency will be discussed post Frankfurt and corresponding AAF Jira to be created






    Frankfurt Artifacts Release versions

    Check "Artifacts released" section under RTD - https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/release-notes.html

    Open Action Items


    ...