1, F-GPS:
Please refer to the patch https://gerrit.onap.org/r/#/c/78634/ which elaborate how to enhance current API to support F-GPS.
The AZ names should be discovered by multicloud discovery/registry process, the AAI schema can be reused without change:
2, SO/MC integration
Create Workload: https://wiki.onap.org/display/DW/SO+to+Multicloud+API+enhancements
AAI updating: https://wiki.onap.org/pages/viewpage.action?pageId=58228881
SDC design: https://gerrit.onap.org/r/#/c/75851/ , SDC Service Software Architecture
3, FCAPS enhancement
- MULTICLOUD-523Getting issue details... STATUS
4, Multi-Tenant Support
- MULTICLOUD-527Getting issue details... STATUS
https://gerrit.onap.org/r/#/c/82085/
So far MultiCloud exposed API with ID of a cloud region, assuming the consumer will issue the API request with the default tenant which are part of the AAI cloud region. With that the different tenants on the same VIM/Cloud instance can only be on-boarded into ONAP as different cloud regions.
To support the vision of enabling multiple tenants on the same cloud region, multicloud could help from following aspects:
a, discover all tenants from the VIM/Cloud instance and register them under one AAI cloud region, this is already done if the tenant user comes along with privilege to get list of tenants of the VIM/Cloud instance.
b, MultiCloud NBI should allow consumers to specify the tenant name/id during the requesting the API to MultiCloud. This can be done on various way, the easy and backward compatible approach is to having consumers putting the tenant ID/name into the "optional" request headers of the Rest API call.
5, Secured-communication enablement
- MULTICLOUD-518Getting issue details... STATUS
- uwsgi https option
The multicloud services which are based on uwsgi could utilize the https feature of uwsgi: https://uwsgi-docs.readthedocs.io/en/latest/HTTPS.htmlYou probably have to rebuild uwsgi with ssl-support:
On a debian server with uwsgi installed by pip this would be (as root):
apt-get install libssl-dev pip install uwsgi -I --no-cache-dir
-I
for reinstall,--no-cache-dir
for building new from scratch. - cert files
The question would be: who/how to generate key and cert ?Follow the practice of MSB project, multicloud service will generate our own keys/certs and put them in the docker by default. And also make sure these keys/certs can be overrided by OOM helm chart , just like the logging settings.
It is suggested that we follow the same pattern, put the generated certs under pub/ssl/cert/ with name cert.crt and cert.key
- ENV variable to enable/disable https on the same port
I don't believe the http and https endpoint should co-exists which make no sense from security perspective. So I recommend that the http/https should be toggled by an ENV variable and binding to the same port
The ENV variable could be: SSL_ENABLED, to enable https endpoint, set SSL_ENABLED=true ; otherwise just leave it unset or set to some other value (SSL_ENABLED=false, e.g.)
The entry point of docker container will check this ENV var and determine to enable https or http mode for uwsgi. - example patch: https://gerrit.onap.org/r/#/c/81829/ + https://gerrit.onap.org/r/#/c/81912/
6, Security Requirement: Run microservice as non-root user
- MULTICLOUD-492Getting issue details... STATUS
Reference: https://gerrit.onap.org/r/#/c/78803/
Make sure you test it with healthcheck API
7, Docker image footprint optimization
- MULTICLOUD-504Getting issue details... STATUS
Reference:
Exercise on multicloud broker: https://gerrit.onap.org/r/#/c/79582/
Local try, observed image size drops from 846MB to 194MB: