Attendee-List:

• Andreas Geißler 
• Andrew Lamb 
• Jack Lucas 
• Marek Szwałkiewicz 
• Mateusz Pilat 
• Byung-Woo Jun 
• Shrikant.Tarale 

Agenda

Video:

Today's topic:

• Proposal for ONAP component disabling: OOM New Delhi Release
• Update of New Delhi Key Updates: New Delhi Release Key Updates
• Logging improvement proposal (TCL) Mateusz Pilat 
• Patches:
  
  • Readiness is updated, as it did not support services without "Selector"
    • https://gerrit.onap.org/r/c/oom/readiness/+/137651?usp=search
    • Created new release 6.0.3 (https://gerrit.onap.org/r/c/oom/readiness/+/137657?usp=search)
    • Patch to update the OOM charts to use 6.0.3 and the "service" option https://gerrit.onap.org/r/c/oom/+/137672?usp=search
  • DB Operators
    
    • Add mongodb-init chart to be added (TBD)
  • ONAP Streamlining
    • Patch for imagePullSecet: https://gerrit.onap.org/r/c/oom/+/137537
  • Chart restructuring
    • Move DGBuilder and network-name-gen under SDNC (https://gerrit.onap.org/r/c/oom/+/137663?usp=search)
  • Platform Updates
    • K8S version update to 1.18.6 (later 1.29.x)
    • Istio (1.21.0)
    • Strimzi + Kafka https://gerrit.onap.org/r/c/oom/+/137184?usp=search
    • Documenting Infrastructure changes: https://gerrit.onap.org/r/c/oom/+/137636?usp=search (WIP)
  • Make ONAP production ready, Epic: OOM-3288 - Getting issue details... STATUS
    • Charts have host paths mounted (etc. /etc/localtime), which conflicts with common policies (at least in DT)
      
      • we need to check the OOM charts and remove these paths, if possible
      • e.g. https://gerrit.onap.org/r/c/oom/+/137479?usp=search (AAI)
      • Removed entries: https://gerrit.onap.org/r/c/oom/+/137689?usp=search
    • ...
  • Keycloak/Oauth2Proxy/Realm
    • Update of Keycloak version OOM-3267 - Getting issue details... STATUS
    • Update of Oauth2Proxy version (7.5.1) and update of configuration (check with Mateusz Pilat ): OOM-3268 - Getting issue details... STATUS
      • Received charts for "authentication" creating:
        • Keycloak deployment
        • Realm creation for keycloak
        • Oauth2 setup and configuration incl. Redis setup
      • Created a page to sum up the proposal (Improvement for NewDelhi Release)
        • Questions:
          • MeshConfig (see https://docs.onap.org/projects/onap-oom/en/latest/sections/guides/infra_guides/oom_infra_base_config_setup.html#istio-service-mesh=
            vs. RequestAuthentication 

          • Oauth2-proxy config 

  • MR indepenency:
    • Policy
      • Patch for Policy (https://gerrit.onap.org/r/c/oom/+/137529?usp=search) → (Drools is disabled, as some investigation is ongoing)
    • NBI
      • Patch for NBI only in DT internal fork, as NBI in Archived mode)
      • TSC Decision request for "NewDelhi"
        • → if we disable MR, should we disable NBI ?
    • HOLMES
      • No patch available, as not active
      • TSC Decision request for "NewDelhi"
        • → if we disable MR, should we disable Holmes ?
    • SDNC
      • SDNC-DMAAP-Listener (to be checked)
        • Is the Listener required ?

        • currently listening on, but none topic exists:

          DEBUG 2024-03-25 17:45:31.268 +0000 DmaapListener - Initializing consumer org.onap.ccsdk.sli.northbound.dmaapclient.OofPciPocDmaapConsumers(/opt/onap/sdnc/data/properties/dmaap-consumer-oofpcipoc.properties)
          DEBUG 2024-03-25 17:45:31.275 +0000 DmaapListener - Initializing consumer org.onap.ccsdk.sli.northbound.dmaapclient.A1AdapterPolicyDmaapConsumer(/opt/onap/sdnc/data/properties/dmaap-consumer-a1Adapter-policy.properties)
          DEBUG 2024-03-25 17:45:31.282 +0000 DmaapListener - Initializing consumer org.onap.ccsdk.sli.northbound.dmaapclient.CMNotifyDmaapConsumer(/opt/onap/sdnc/data/properties/dmaap-consumer-CMNotify.properties)
          DEBUG 2024-03-25 17:45:31.288 +0000 DmaapListener - Initializing consumer org.onap.ccsdk.sli.northbound.dmaapclient.SdncRANSliceDmaapConsumer(/opt/onap/sdnc/data/properties/dmaap-consumer-RANSlice.properties)
          ...INFO 2024-03-25 17:46:07.549 +0000 SdncDmaapConsumer - A1AdapterPolicyDmaapConsumer received ResponseMessage: No such topic exists.-[A1-P]
          INFO 2024-03-25 17:46:07.548 +0000 SdncDmaapConsumer - CMNotifyDmaapConsumer received ResponseMessage: No such topic exists.-[CM-NOTIFICATION]
          INFO 2024-03-25 17:46:07.551 +0000 SdncDmaapConsumer - SdncDhcpEventConsumer received ResponseMessage: No such topic exists.-[VCPE-DHCP-EVENT]
          INFO 2024-03-25 17:46:02.473 +0000 SdncDmaapConsumer - SdncLcmDmaapConsumer received ResponseMessage: No such topic exists.-[SDNC-LCM-READ]
          INFO 2024-03-25 17:46:02.472 +0000 SdncDmaapConsumer - OofPciPocDmaapConsumers received ResponseMessage: No such topic exists.-[SDNR-CL]
          INFO 2024-03-25 17:46:02.448 +0000 SdncDmaapConsumer - SdncRANSliceDmaapConsumer received ResponseMessage: No such topic exists.-[RAN-Slice-Mgmt]

      • TSC Decision request for "NewDelhi"
        • → if we disable MR, should we disable SDNC DmaaP Listener ?
    • DCAEGEN2-Services MSs
      • dcae-ves-collector →
        • OOM https://gerrit.onap.org/r/c/oom/+/137002?usp=search 
        • code: https://git.onap.org/dcaegen2/collectors/ves/commit/?id=47195e4ac559963cd33dc155f219bd2b127ef025
      • dcae-prh → , https://gerrit.onap.org/r/c/oom/+/137153
      • dcae-pmsh
      • dcae-tcagen2
      • dcae-son-handler
      • dcae-slice-analysis-ms
      • dcae-heartbeat
      • dcae-kpi-ms
      • dcae-datafile-collector
      • dcae-snmptrap-collector
      • (UPDATE info by DT) So there is a DCAE SDK for interaction with DMaaP.
        We have changed the implementation of that SDK  to talk to Kafka directly.
        This new SDK is now used in VES collector and PRH services.
        If other services are using the SDK to talk to DMaaP, they can use this new version now.
        We have updated documentation of this SDK as well.https://docs.onap.org/projects/onap-dcaegen2/en/latest/sections/sdk/apis.html
      • TSC Decision request for "NewDelhi"
        • → if we disable MR, should we disable all DCAE MS, which are not migrated to native Kafka ?
• Hardening Istio with SPIRE/SPIFFE (https://blog.spiffe.io/hardening-istio-security-with-spire-d2f4f98f7a63) → need to check within DT
  Used in Nephio
  • see https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_31
  • FYI, Service Mesh + SPIFFE infrastructure ongoing study in Nephio, Study: Nephio security collaboration study
  • There is a separate study in Nephio for workload registration and workload/node attestation, https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_40
  • https://docs.google.com/document/d/1IwWVGASgdOuLHCHYg82WaZaHdOEXyOM1/edit?pli=1#heading=h.nzahaii2p80p
  • https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2bd96dea01c_0_1
• Tata (ematpil ) install ONAP Montreal/London and made improvements
  
  • will show improvements Tata did and might contribute to OOM
  • Presentation shown: (Platform Customization-oom v2.pptx) .
  • → Enhancements proposed:
    • Security enhancements (e.g. Keycloak/OAuthProxy, AuthorizationPolicy,...) eg: authentication.tar, oauth2 +KC research: rbac_research_wrap.pdf
    • Logging enhancements,...

Others:

• Change "bash" to "sh"
  • https://gerrit.onap.org/r/q/topic:bashisms
  • Started by Orange, but not finished
• Describe ONAP component deployment via ArgoCD
  • create "Application" config dir in oom repo ?

Open Jira issues:

T	Key	Summary	Assignee	Reporter	P	Status	Resolution	Created	Updated	Due
	OOM-3172	[Common] rendering issue of template "common.nginxIngress"	Alexander Dehn	Alexander Dehn		In Progress	Unresolved	Apr 27, 2023	Apr 27, 2023
	OOM-3171	service-mesh-wait-for-job-container fails, when no sidecar exists	Andreas Geissler	Andreas Geissler		Open	Unresolved	Apr 27, 2023	Apr 27, 2023
	OOM-3170	[SDNC] Support kafka native interface	Alexander Dehn	Alexander Dehn		In Progress	Unresolved	Apr 25, 2023	Apr 26, 2023
	OOM-3169	For SDNC setup consider new Websocketport	Alexander Dehn	Herbert Eiselt		In Progress	Unresolved	Apr 24, 2023	Apr 27, 2023
	OOM-3168	Introduce cassandra-operator to OOM	Andreas Geissler	Andreas Geissler		Open	Unresolved	Apr 24, 2023	Apr 24, 2023
	OOM-3167	DOC: change the plugin installation instructions	Marek Szwałkiewicz	Marek Szwałkiewicz		Open	Unresolved	Apr 24, 2023	Apr 24, 2023
	OOM-3166	Kiali Validation - KIA0601 - Port name must follow [-suffix] form	Fiete Ostkamp	Fiete Ostkamp		In Progress	Unresolved	Apr 19, 2023	Apr 19, 2023
	OOM-3165	Policy-gui Ingress target is wrong	Andreas Geissler	Andreas Geissler		Open	Unresolved	Apr 19, 2023	Apr 19, 2023
	OOM-3162	Update Strimzi Operator to 0.34.0 and Kafka to 3.4.3	Fiachra Corcoran	Andreas Geissler		Open	Unresolved	Apr 13, 2023	Apr 13, 2023
	OOM-3161	[COMMON] Add monitoring to postgres	Miroslav Masaryk	Miroslav Masaryk		Open	Unresolved	Apr 12, 2023	Apr 13, 2023
	OOM-3159	Update OOM documentation	Andreas Geissler	Andreas Geissler		Open	Unresolved	Mar 31, 2023	Apr 13, 2023
	OOM-3155	Review license scan issues	Andreas Geissler	David McBride		In Progress	Unresolved	Mar 30, 2023	Apr 26, 2023
	OOM-3153	Feature Freeze	Andreas Geissler	David McBride		Open	Unresolved	Mar 30, 2023	Mar 30, 2023	Mar 23, 2023
	OOM-3151	Improve stability in Daily Master Deployments	Andreas Geissler	Andreas Geissler		Open	Unresolved	Mar 21, 2023	Mar 21, 2023
	OOM-3149	The chartmuseum binary download URL not working in OOM deployment	Andreas Geissler	Sankar Palanivel		Open	Unresolved	Mar 09, 2023	Apr 13, 2023
	OOM-3147	Create authorization policy for platform	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3146	Create authorization policy for Holmes	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3145	Create authorization policy for CPS	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3144	Create authorization policy for Cassandra	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3143	Create authorization policy for Consul	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023

Showing 20 out of 103 issues Refresh

Backlog from older meetings (to be cleaned up)

Pending component fixes:

(2023-05-03: No update)

• CDS-UI CCSDK-3814 - CDS-UI must be able to listen on HTTP Open → DT /TM has a look
  • maybe postpone to M
• SO Monitor SO-4027 - Make SO-Service-Monitor ServiceMesh compatible Open → Byung mentioned, that E/// team try to resolve the issue (Byung's note: It was assigned to Viresh Navalli, Capgemini. E/// plans to assist Viresh as needed.)
  → postpone to Montreal
• CLI will not work without fix... ( OOM-3096 - [CLI] Remove AAF dependency Delivered )
• UUI - not clear if working
  • MSB issue reported: MSB-755 - The route from the MSB module to the usecase-ui module does not support HTTP Closed (helong <hwx171157@163.com>)

Helm chart cleanup: OOM-2975 - Remove dependencies on AAF Open

(2023-05-10: No update)

• Common → Andreas
• Platform
• MSB
• VFC

Ingress enhancements for non-HTTP interfaces:

• External Kafka access → https://gerrit.onap.org/r/c/oom/+/133767
  • Doc: Test external Kafka access in London
• SDNC CallHome (SSH) → part of https://gerrit.onap.org/r/c/oom/+/133861
• Plan to update _ingress.tpl for Gateway-API support and AuthorizationPolicy

Oauth2-proxy setup (Andreas):

(2023-05-03: No update)

• Documentation: Oauth2-Proxy implementation and configuration
• Oauth2-Proxy: https://gerrit.onap.org/r/c/oom/+/130445
• Adding Oauth2-proxy client to ONAP realm: https://gerrit.onap.org/r/c/oom/+/133699

To be started:

(2023-05-03: No update)

• Ingress template improvements:
  • OOM-3108 - Investigate to change to K8S Gateway-API Open
  • OOM-3075 - Extend the Ingress template and add Component ingress configuration Open
• Remove unused components:
  • OOM-3074 - Remove components and options from charts Open
• MariaDB:
  • OOM-3072 - Resolve and improve the existing MariaDB-Galera templates Open → DT (with TM) to investigate
• Remove NodePort in Ingress environments:
  • OOM-3012 - Remove NodePort in Service definitions under ServiceMesh In Progress → will be automatically fixed with cleanups
• UDP Ingress support:
  • UDP Nodeport support in _service-tpl OOM-3107 - Allow NodePorts for UDP services Open → can be closed
  • Possible solution: UDPRoute support in Gatway-API

Others:

(2023-05-03: No update)

• SDC Listener HTTP issue SDC-4233 - SDC Distribution Client should work with lower-case Header entries Closed → Marek provided patch → merged, need to be released and can be used in the clients
  • When released, all clients need to be updated (CDS, AAI, Policy, SO, ...)
  • Create tickets for all clients....

2023-05-31:  Discussed presentation to TSC/PTL meeting proposing a new global requirement to rely (exclusively) on service mesh mechanisms for intra-ONAP authentication and authorization (get rid of HTTP basic auth).  To be presented to TSC on 2023-06-01.