Attendee-List:

• Andreas Geißler 
• Byung-Woo Jun 
• Jack Lucas 
• Marek Szwałkiewicz 
• Mateusz Pilat 
• Shrikant.Tarale 

Agenda

Video:

Today's topic:

• Marek Szwałkiewicz Try to establish an ArgoCD deployment to provide an alternative the helm deloyment
  • in oom chart provide directory for ArgoCD application definitions
  • Will be used in Gating/Daily Pipelines
• TSC accepted ONAP component disabling: OOM New Delhi Release
  • Update healthchecks https://gerrit.onap.org/r/c/testsuite/+/138386 → need to release it
  • Patch to move charts to "archive" folder → https://gerrit.onap.org/r/c/oom/+/138709?usp=search
  • (TBD) smoke tests to exclude component related tests
• Patches:
  • Make ONAP production ready, Epic: OOM-3288 - Getting issue details... STATUS
    • Charts have host paths mounted (etc. /etc/localtime), which conflicts with common policies (at least in DT)
      
      • we need to check the OOM charts and remove these paths, if possible
      • e.g. https://gerrit.onap.org/r/c/oom/+/137479?usp=search (AAI)
      • Removed entries: https://gerrit.onap.org/r/c/oom/+/137689?usp=search
    • Kyverno Policy Patches
      • https://gerrit.onap.org/r/c/oom/+/138496 →
      • "common" chart →https://gerrit.onap.org/r/c/oom/+/138624?usp=search
      • POLICY: https://gerrit.onap.org/r/c/oom/+/138587?usp=search,
      • CPS
      • AAI
    • ...
  • Keycloak/Oauth2Proxy/Realm
    • Configurable REALM and AuthorizationPolicies: OOM-3292 - Getting issue details... STATUS
      • Patch merged in New Dehli: https://gerrit.onap.org/r/c/oom/+/137736
      • Currently testing and enhancing in DT 
        • new patch (https://gerrit.onap.org/r/c/oom/+/138498?usp=search) →

• Logging improvement proposal (TCL) Mateusz Pilat 
  • All components have to log to STDOUT
  • They should use a common format (JSON struct) with defined attributes (example: https://git.onap.org/oom/tree/kubernetes/cps/components/cps-core/resources/config/logback-spring.xml)
  • A list will be provided for the required changes in components
  • Presentation next week in the TSC
• Hardening Istio with SPIRE/SPIFFE (https://blog.spiffe.io/hardening-istio-security-with-spire-d2f4f98f7a63) → need to check within DT
  Used in Nephio
  • see https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_31
  • FYI, Service Mesh + SPIFFE infrastructure ongoing study in Nephio, Study: Nephio security collaboration study
  • There is a separate study in Nephio for workload registration and workload/node attestation, https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_40
  • https://docs.google.com/document/d/1IwWVGASgdOuLHCHYg82WaZaHdOEXyOM1/edit?pli=1#heading=h.nzahaii2p80p
  • https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2bd96dea01c_0_1
• Tata (ematpil ) install ONAP Montreal/London and made improvements
  
  • will show improvements Tata did and might contribute to OOM
  • Presentation shown: (Platform Customization-oom v2.pptx) .
  • → Enhancements proposed:
    • Security enhancements (e.g. Keycloak/OAuthProxy, AuthorizationPolicy,...) eg: authentication.tar, oauth2 +KC research: rbac_research_wrap.pdf
    • Logging enhancements,...

Others:

• Change "bash" to "sh"
  • https://gerrit.onap.org/r/q/topic:bashisms
  • Started by Orange, but not finished
• Describe ONAP component deployment via ArgoCD
  • create "Application" config dir in oom repo ?

Open Jira issues:

T	Key	Summary	Assignee	Reporter	P	Status	Resolution	Created	Updated	Due
	OOM-3172	[Common] rendering issue of template "common.nginxIngress"	Alexander Dehn	Alexander Dehn		In Progress	Unresolved	Apr 27, 2023	Apr 27, 2023
	OOM-3171	service-mesh-wait-for-job-container fails, when no sidecar exists	Andreas Geissler	Andreas Geissler		Open	Unresolved	Apr 27, 2023	Apr 27, 2023
	OOM-3170	[SDNC] Support kafka native interface	Alexander Dehn	Alexander Dehn		In Progress	Unresolved	Apr 25, 2023	Apr 26, 2023
	OOM-3169	For SDNC setup consider new Websocketport	Alexander Dehn	Herbert Eiselt		In Progress	Unresolved	Apr 24, 2023	Apr 27, 2023
	OOM-3168	Introduce cassandra-operator to OOM	Andreas Geissler	Andreas Geissler		Open	Unresolved	Apr 24, 2023	Apr 24, 2023
	OOM-3167	DOC: change the plugin installation instructions	Marek Szwałkiewicz	Marek Szwałkiewicz		Open	Unresolved	Apr 24, 2023	Apr 24, 2023
	OOM-3166	Kiali Validation - KIA0601 - Port name must follow [-suffix] form	Fiete Ostkamp	Fiete Ostkamp		In Progress	Unresolved	Apr 19, 2023	Apr 19, 2023
	OOM-3165	Policy-gui Ingress target is wrong	Andreas Geissler	Andreas Geissler		Open	Unresolved	Apr 19, 2023	Apr 19, 2023
	OOM-3162	Update Strimzi Operator to 0.34.0 and Kafka to 3.4.3	Fiachra Corcoran	Andreas Geissler		Open	Unresolved	Apr 13, 2023	Apr 13, 2023
	OOM-3161	[COMMON] Add monitoring to postgres	Miroslav Masaryk	Miroslav Masaryk		Open	Unresolved	Apr 12, 2023	Apr 13, 2023
	OOM-3159	Update OOM documentation	Andreas Geissler	Andreas Geissler		Open	Unresolved	Mar 31, 2023	Apr 13, 2023
	OOM-3155	Review license scan issues	Andreas Geissler	David McBride		In Progress	Unresolved	Mar 30, 2023	Apr 26, 2023
	OOM-3153	Feature Freeze	Andreas Geissler	David McBride		Open	Unresolved	Mar 30, 2023	Mar 30, 2023	Mar 23, 2023
	OOM-3151	Improve stability in Daily Master Deployments	Andreas Geissler	Andreas Geissler		Open	Unresolved	Mar 21, 2023	Mar 21, 2023
	OOM-3149	The chartmuseum binary download URL not working in OOM deployment	Andreas Geissler	Sankar Palanivel		Open	Unresolved	Mar 09, 2023	Apr 13, 2023
	OOM-3147	Create authorization policy for platform	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3146	Create authorization policy for Holmes	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3145	Create authorization policy for CPS	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3144	Create authorization policy for Cassandra	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023
	OOM-3143	Create authorization policy for Consul	Unassigned	Andrew Lamb		Open	Unresolved	Mar 06, 2023	Mar 08, 2023

Showing 20 out of 103 issues Refresh

Backlog from older meetings (to be cleaned up)

Pending component fixes:

(2023-05-03: No update)

• CDS-UI CCSDK-3814 - CDS-UI must be able to listen on HTTP Open → DT /TM has a look
  • maybe postpone to M
• SO Monitor SO-4027 - Make SO-Service-Monitor ServiceMesh compatible Open → Byung mentioned, that E/// team try to resolve the issue (Byung's note: It was assigned to Viresh Navalli, Capgemini. E/// plans to assist Viresh as needed.)
  → postpone to Montreal
• CLI will not work without fix... ( OOM-3096 - [CLI] Remove AAF dependency Delivered )
• UUI - not clear if working
  • MSB issue reported: MSB-755 - The route from the MSB module to the usecase-ui module does not support HTTP Closed (helong <hwx171157@163.com>)

Helm chart cleanup: OOM-2975 - Remove dependencies on AAF Open

(2023-05-10: No update)

• Common → Andreas
• Platform
• MSB
• VFC

Ingress enhancements for non-HTTP interfaces:

• External Kafka access → https://gerrit.onap.org/r/c/oom/+/133767
  • Doc: Test external Kafka access in London
• SDNC CallHome (SSH) → part of https://gerrit.onap.org/r/c/oom/+/133861
• Plan to update _ingress.tpl for Gateway-API support and AuthorizationPolicy

Oauth2-proxy setup (Andreas):

(2023-05-03: No update)

• Documentation: Oauth2-Proxy implementation and configuration
• Oauth2-Proxy: https://gerrit.onap.org/r/c/oom/+/130445
• Adding Oauth2-proxy client to ONAP realm: https://gerrit.onap.org/r/c/oom/+/133699

To be started:

(2023-05-03: No update)

• Ingress template improvements:
  • OOM-3108 - Investigate to change to K8S Gateway-API Open
  • OOM-3075 - Extend the Ingress template and add Component ingress configuration Open
• Remove unused components:
  • OOM-3074 - Remove components and options from charts Open
• MariaDB:
  • OOM-3072 - Resolve and improve the existing MariaDB-Galera templates Open → DT (with TM) to investigate
• Remove NodePort in Ingress environments:
  • OOM-3012 - Remove NodePort in Service definitions under ServiceMesh In Progress → will be automatically fixed with cleanups
• UDP Ingress support:
  • UDP Nodeport support in _service-tpl OOM-3107 - Allow NodePorts for UDP services Open → can be closed
  • Possible solution: UDPRoute support in Gatway-API

Others:

(2023-05-03: No update)

• SDC Listener HTTP issue SDC-4233 - SDC Distribution Client should work with lower-case Header entries Closed → Marek provided patch → merged, need to be released and can be used in the clients
  • When released, all clients need to be updated (CDS, AAI, Policy, SO, ...)
  • Create tickets for all clients....

2023-05-31:  Discussed presentation to TSC/PTL meeting proposing a new global requirement to rely (exclusively) on service mesh mechanisms for intra-ONAP authentication and authorization (get rid of HTTP basic auth).  To be presented to TSC on 2023-06-01.