...
- Marek Szwałkiewicz Try to establish an ArgoCD deployment to provide an alternative the helm deloyment
- in oom chart provide directory for ArgoCD application definitions
- Will be used in Gating/Daily Pipelines
- TSC accepted ONAP component disabling: OOM New Delhi Release
- Update healthchecks https://gerrit.onap.org/r/c/testsuite/+/138386 → need to release it
- (TBD) smoke tests to exclude component related tests
- UUI Patch to move charts to "archive" folder → https://gerrit.onap.org/r/c/oom/+/138260138709?usp=search
- Update done, Gatingstarted(TBD) smoke tests to exclude component related tests
- (TBD) Update of Oslo Release info: Oslo Release Key Updates
- Patches:
- Make ONAP production ready, Epic:
Jira Legacy server System Jira serverId 4733707d-2057-3a0f-ae5e-4fd8aff50176 key OOM-3288 - Charts have host paths mounted (etc. /etc/localtime), which conflicts with common policies (at least in DT)
- we need to check the OOM charts and remove these paths, if possible
- e.g. https://gerrit.onap.org/r/c/oom/+/137479?usp=search (AAI)
- Removed entries: https://gerrit.onap.org/r/c/oom/+/137689?usp=search
- Kyverno Policy Patches
- https://gerrit.onap.org/r/c/oom/+/138496 →
- "common" chart → More to comehttps://gerrit.onap.org/r/c/oom/+/138624?usp=search
- POLICY: https://gerrit.onap.org/r/c/oom/+/138587?usp=search, some fix is needed for xacml-pdp
- CPS
- AAI
- ...
- Charts have host paths mounted (etc. /etc/localtime), which conflicts with common policies (at least in DT)
- Keycloak/Oauth2Proxy/Realm
- Configurable REALM and AuthorizationPolicies:
Jira Legacy server System Jira serverId 4733707d-2057-3a0f-ae5e-4fd8aff50176 key OOM-3292 - Patch merged in New Dehli: https://gerrit.onap.org/r/c/oom/+/137736
- Currently testing and enhancing in DT
- new patch (https://gerrit.onap.org/r/c/oom/+/138498?usp=search) → gating OK → need to be submitted
- Configurable REALM and AuthorizationPolicies:
- Make ONAP production ready, Epic:
- Logging improvement proposal (TCL) Mateusz Pilat
- All components have to log to STDOUT
- They should use a common format (JSON struct) with defined attributes (example: https://git.onap.org/oom/tree/kubernetes/cps/components/cps-core/resources/config/logback-spring.xml)
- A list will be provided for the required changes in components
- Presentation next week in the TSC
- Hardening Istio with SPIRE/SPIFFE (https://blog.spiffe.io/hardening-istio-security-with-spire-d2f4f98f7a63) → need to check within DT
Used in Nephio- see https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_31
- FYI, Service Mesh + SPIFFE infrastructure ongoing study in Nephio, Study: Nephio security collaboration study
- There is a separate study in Nephio for workload registration and workload/node attestation, https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_40
- https://docs.google.com/document/d/1IwWVGASgdOuLHCHYg82WaZaHdOEXyOM1/edit?pli=1#heading=h.nzahaii2p80p
- https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2bd96dea01c_0_1
- Tata (ematpil ) install ONAP Montreal/London and made improvements
- will show improvements Tata did and might contribute to OOM
- Presentation shown: (Platform Customization-oom v2.pptx) .
- → Enhancements proposed:
- Security enhancements (e.g. Keycloak/OAuthProxy, AuthorizationPolicy,...) eg: authentication.tar, oauth2 +KC research: rbac_research_wrap.pdf
- Logging enhancements,...
...
- External Kafka access → https://gerrit.onap.org/r/c/oom/+/133767
- SDNC CallHome (SSH) → part of https://gerrit.onap.org/r/c/oom/+/133861
- Plan to update _ingress.tpl for Gateway-API support and AuthorizationPolicy
...
(2023-05-03: No update)
- Documentation: Oauth2-Proxy implementation and configuration
- Oauth2-Proxy: https://gerrit.onap.org/r/c/oom/+/130445
- Adding Oauth2-proxy client to ONAP realm: https://gerrit.onap.org/r/c/oom/+/133699
...