The policy-sync sidecar is a simple Python utility that abstracts the ONAP policy interface. It is designed to function well as a Kubernetes sidecar container that is injected into a pod.
...
Configuration
Configuration is done via environment variables to support varied environments easily.
...
...
Interface with Policy
The sidecar uses ONAP's policy API to retrieve policies, as described in: Policy Life Cycle API — onap master documentation.
...
Utilize the PAP's DMaaP Notification URL to identify changes to policy and act accordingly: https://docs.onap.org/projects/onap-policy-parent/en/latest/pap/pap.html#dmaap-api
Interface with a microservice
Integration with a microservice
We will provide the sync utility as a Docker container that can be run alongside a microservice container as part of a Kubernetes pod.
Configuration
Configuration is done via environment variables or command-line flags, which makes configuration via a ConfigMap easy.
ENV_VARIABLE | flag | Description | Example |
---|---|---|---|
POLICY_SYNC_PDP_URL | --pdp | PDP URL to query | https://policy-conexus-ist-02.ecomp.cci.att.com:30281 |
POLICY_SYNC_FILTER | --filter | A regular expression or full policy name that the puller should track and query the PDP | DCAE.Config_MS_AGING_UVERSE_.* |
POLICY_SYNC_ID | --id | This just brings back a specific policy name for those who don't need or want a regular expression. | XYZ |
POLICY_SYNC_OUTFILE | --outfile | The output file to write the policy inventory to | /opt/etc/policies.json |
POLICY_SYNC_CHECKINTERVAL | --checkinterval | How often to check the PDP periodically for resiliency purposes | 20m |
POLICY_SYNC_USER | --user | Optional Username to use as part of basic auth for the PDP | userxyz |
POLICY_SYNC_PASS | --password | Optional Password to use as part of basic auth for the PDP | password123 |
Communication with the main application
...
Running the sync utility as a sidecar container (for use with Helm deployments, etc.).
In this configuration, the utility is packaged as a sidecar container that is part of your pod but isolated from the main container, and that can be easily injected into a Kubernetes manifest. The policy-sync container and main container should communicate using a Kubernetes shared volume.
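The sketch below is an added example, not the policy-sync project's own code. It shows one sync pass driven by the settings in the configuration table, with the output file written atomically so the main container never reads a partial inventory from the shared volume. The PDP call is not modelled (`fetched` is constructed input), and the `s`/`m`/`h` interval suffixes, whole-name regex matching, the `{"policies": ...}` file layout and the 0644 file mode are assumptions.

```python
import argparse, json, os, re, tempfile

def load_config(argv, env):
    """Flags win over POLICY_SYNC_* environment variables (names from the table)."""
    p = argparse.ArgumentParser()
    p.add_argument("--filter", default=env.get("POLICY_SYNC_FILTER"))
    p.add_argument("--id", default=env.get("POLICY_SYNC_ID"))
    p.add_argument("--outfile", default=env.get("POLICY_SYNC_OUTFILE"))
    p.add_argument("--checkinterval", default=env.get("POLICY_SYNC_CHECKINTERVAL", "20m"))
    return p.parse_args(argv)

def interval_seconds(text):
    """'20m' -> 1200. The s/m/h suffix set is an assumption of this example."""
    m = re.fullmatch(r"(\d+)([smh])", text)
    if not m:
        raise ValueError(f"bad check interval: {text!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]

def select(policies, cfg):
    """Keep a policy if its whole name matches the filter or equals the id.
    fullmatch (an assumption) stops a pattern matching inside a longer name."""
    pattern = re.compile(cfg.filter) if cfg.filter else None
    return {n: b for n, b in policies.items()
            if (pattern and pattern.fullmatch(n)) or n == cfg.id}

def write_inventory(path, inventory):
    """Temp file in the target directory, then atomic rename, so the main
    container never reads a half-written inventory from the shared volume."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(inventory, fh, indent=2, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)  # mkstemp gives 0600; the reader may run as another UID
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise

def sync_once(cfg, fetched):
    """One sync pass; `fetched` stands in for the PDP response (not modelled)."""
    inventory = {"policies": select(fetched, cfg)}  # assumed file layout
    write_inventory(cfg.outfile, inventory)
    return inventory

if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "policies.json")
    cfg = load_config(["--outfile", out], {"POLICY_SYNC_FILTER": "DCAE.Config_MS_AGING_UVERSE_.*"})
    sample = {"DCAE.Config_MS_AGING_UVERSE_prod": {"v": 1}, "DCAE.Config_OTHER": {"v": 2}}  # constructed
    print(sync_once(cfg, sample), interval_seconds(cfg.checkinterval))
```

The rename is only atomic because the temporary file is created inside the shared volume itself; a temp file on another filesystem would turn `os.replace` into a failure or a non-atomic copy.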
Example K8s pod manifest (which would produce something like the diagram above):
...
Inspired by the open source git-sync utility, which essentially does the same thing for git repositories. A similar sidecar pattern is also used by the AAF-Certificate renewal container (already widely deployed in DCAE).
- The existing policy handler microservice: https://github.com/onap/dcaegen2-platform-policy-handler/tree/master/policyhandler
...