Support for the Multi Tenancy in ONAP

Key Contacts - Seshu Kumar Mudiganti Olivier Phenix

Guilin Proposed Requirements - Multi-tenancy v2.2.pdf

Executive Summary - Provide the multi tenant non-functional support in ONAP

As a starting point tenant wise runtime operations could be differed for each tenant.

Business Impact - Enables operators and service providers to use leverage ONAP

Business Markets - All operators and service providers can leverage the multi-tenancy functionality of ONAP

Funding/Financial Impacts - Reduction in operations expense from using industry standard Interfaces.

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Documenting ONAP APIs

Key Contacts - Andy Mayer Eric Debeau

Guilin Proposed Requirements

Also see: Developing ONAP API Documentation

Executive Summary - Improve ONAP API Documentation:

Developer Friendly
Non-Developer Friendly
Easy to Find & Easy to Navigate
Common and Uniform Documentation Structure and Approach
Provides Information on Using the API (e.g., quick start)
Try It For Yourself (TIFY) Examples

Proposed non-functional requirements for Guilin release:

All components should place externally facing (i.e. interfaces exposed by the ONAP component to either other ONAP components or components external to ONAP) API definitions (e.g. Swagger) in a common path within their Gerrit/Git
Suggested Path: <Component>/docs/api/swagger/
Apply ReDoc to Swagger and place HTML in Readthedocs for the release
Apply Minimum (Phase 1+) swagger guidelines
1. See: Proposed Phase 1+ OpenAPI 2.0 / Swagger Style Guide
2. Use the common insert for the info section (e.g., license info, contact info, etc): Swagger Insert Sample for Info Section

Related JIRAs under the Documentation project for the API Documentation non-functional requirements:

Epic: https://jira.onap.org/browse/DOC-608

User Story: https://jira.onap.org/browse/DOC-609

User Story: https://jira.onap.org/browse/DOC-610

User Story: https://jira.onap.org/browse/DOC-611

Business Impact - Enables developers, operators and service providers to use leverage ONAP; Improve integration velocity for API client developers; Ease development handoffs;

Business Markets - All developers,operators and service providers can leverage ONAP APIs

Funding/Financial Impacts - Reduction in development and integration expense from using well defined open Interfaces.

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Deterministic ONAP installation result

slides: 20200511.ONAP.relG.TIM.non functional requirements.v2.pptx

Key Contacts - Alessandro D'Alessandromarco.signorelli@telecomitalia.it

Executive Summary - ONAP code stability is steadly improved over the releases. Similarly is being happening for ONAP installation success rate. Anyway while it is recognized the OOM project efforts in providing an automation tool for ONAP installation, it is evident that further efforts are required among the ONAP projects to provide an overall solution that bring to a deterministic installation result.

Proposed non-functional requirements for Guiling release:

ONAP installation result shall be determinstic at k8s level with 99% success rate (e.g. all POD are up and running)
ONAP installation result shall be deterministic at functional level with 97% success rate (e.g. all functional modules are up and running, APIs are responsiveness, etc)
ONAP installation result shall be determinstic at service level with 95% success rate (e.g. a service can be designed, distributed and deployed successfully)
Same requirements shall apply when one or more ONAP functional modules are re-installed

Business Impact - Enables operators and service providers opex saving

Business Markets - All operators and service providers can leverage the benefit of a deterministic installation

Funding/Financial Impacts - Reduction in operations expense

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP projects shall upgrade all outdated, vulnerable direct dependencies in their code base

Key Contacts - Amy Zwarico Paweł Pawlak

Executive Summary - All ONAP projects shall reduce the risks associated with software vulnerabilities in the ONAP code base by upgrading all outdated, vulnerable direct dependencies in their code bases following the recommendations of SECCOM. The project and repo specific recommendations are provided in the Security Vulnerability space.

Business Impact - Improves the security posture of ONAP.

Business Markets - All operators and service providers can leverage the of fewer vulnerabilities in the open source dependencies in ONAP

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP projects shall define code coverage improvements and achieve at least 55% code coverage

Key Contacts - Amy Zwarico Paweł Pawlak

Executive Summary - Each project written in Java, Python or Javascript must provide the planned percent improvement in code coverage by M2 and meet the planned improvement by M4. Code coverage for each project must be at least 55% of the code base.

Business Impact - Improves the security posture of ONAP by improving the testing suite.

Business Markets - All operators and service providers can use the automated test suites in their own environments

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP shall increase the number of security tests performed during integration testing

Key Contacts - Amy Zwarico Krzysztof Opasiak Sylvain Desbureaux Morgan Richomme

Executive Summary - Integration testing shall continue to test for unsecure communication (HTTP) and vulnerable ports (e.g., JDWP). Integration shall add tests to ensure that project containers use the versions of Java, Python, Linux, Docker, database and utilities specified in Guilin versions.

Business Impact - Improves the security posture of ONAP by using current versions and simplifies the deployment.

Business Markets - All operators and service provider.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP shall increase the number of Docker Benchmark tests

Key Contacts - Amy Zwarico Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - Integration testing shall include tests that a non-root user for the container has been created, containers use only trusted base images (versions specified on Guilin versions), and HEALTHCHECK instructions have been added to container images.

Business Impact - Improves the security posture of ONAP by hardening containers.

Business Markets - All operators and service provider.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Each ONAP project shall improve its CII Badging score by improving input validation and documenting it in their CII Badging site.

Key Contacts - Tony Hansen Amy Zwarico Paweł Pawlak

Executive Summary - ONAP project will ensure that input validation is performed on all GUI and API inputs and that the answer to the input validation question in their CII Badging site is answered. Projects that have already answered this question positively, should verify that the answer is still correct.

Business Impact - Improves the security posture of ONAP by lessening the risk from bad or malicious input.

Business Markets - All operators and service provider.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP must complete update of the java language (from v8 -> v11)

Key Contacts - Amy Zwarico Paweł Pawlak

Executive Summary - All ONAP projects using java shall reduce the risks associated with no regular support for java v8 software as it causes increase of usage risk, as recommended by SECCOM.

Business Impact - Improves the security posture of ONAP.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP must complete update of the Python language (from 2.7 -> 3.8)

Key Contacts - Amy Zwarico Paweł Pawlak

Executive Summary - All ONAP projects using Python shall reduce the risks associated with no community support for Python 2.7 software as it causes increase of usage risk, as recommended by SECCOM.

Business Impact - Improves the security posture of ONAP.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP shall use STDOUT for logs collection

Key Contacts - Amy Zwarico Paweł Pawlak

Executive Summary - All ONAP projects should use a common place for logs data - all applications should generate logs that can be collected by Kubernetes in STDOUT, as recommended by SECCOM.

Business Impact - Improves the security posture of ONAP.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP Minimum Viable Product (MVP) must be defined

Key Contacts - rouzaut Natacha Mach

Executive Summary - A subset of ONAP components should be identified - handling a minimum level of functionality. This subset would consist in an ONAP baseline.

Business Impact - guarantees a minimum security level for this ONAP subset for each release ensuring a robust basis on which services can be developed.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Flow management must be activated for ONAP.

Key Contacts - rouzaut Natacha Mach

Executive Summary - Full map of all the flows - before deploying ONAP in any actor's infrastructure should be defined: protocol type, ports open/closed with primary focus on outside of ONAP as an ingress.

Business Impact - flow management could then be controlled before any deployment.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP must implement IAM solutions.

Key Contacts - rouzaut Natacha Mach

Executive Summary - a centralized user access management solution should be proposed, so that any project relies on it.

Business Impact - common user management solution among projects, with respect of security requirements that will be defined.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP projects must use only approved and verified base images for their containers

Key Contacts - Krzysztof Opasiak cl664y@att.com

Executive Summary - We are shipping container images as our official release artifacts. We need to make sure that we comply with all licenses used in base images. This infeasible when projects use dozen of different base images.

Business Impact - Lack of license compliance may limit ONAP adoption and lead to bad perception in the open source community.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

ONAP container repository (nexus) must not contain upstream docker images

Key Contacts - Krzysztof Opasiak cl664y@att.com

Executive Summary - Uploading docker images to nexus means that we are distributing it. Distributing image means that we need to do license check for them. To avoid this extra work all upstream components (databases etc) should be downloaded directly from dockerhub

Business Impact - Lack of license compliance may limit ONAP adoption and lead to bad perception in the open source community.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

No root (superuser) access to database from application container

Key Contacts - Krzysztof Opasiak Paweł Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - ONAP application container should not access database using root account and should not ask for escalation (sudo). If application requires root access to bootstrap the database an init container or separate kubernetes job should be used.

Business Impact - Improves ONAP security and configurability by separating long running application container from actions that requires higher privileges.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Container rootfs has to be mounted readOnly

Key Contacts - Krzysztof Opasiak Paweł Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - By design containers running in kubernetes should be ephemeral and stateless. It's a good security practice to mount their rootfs as a read only

Business Impact - Improves ONAP security and reduces the number of potential failures during ONAP deployment.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Application config should be fully prepared before starting the application container

Key Contacts - Krzysztof Opasiak Paweł Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - Editing config files with sed from docker entrypoint script often causes a lot of silent failures in OOM deployments. Instead, config should be either provided as a ConfigMap and templated using helm or generated in the init container before the main application container comes up.

Business Impact - Reduces the number of potential failures during ONAP deployment and thus makes it more reliable.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.

Continue hardcoded passwords removal

Key Contacts - Krzysztof Opasiak Paweł Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - This effort has been started in F release by eliminating mariadb-galera and postgres hardcoded passwords. This effort should be continued to eliminate next set of passwords hardcoded in helm charts. Apart from working on already existing passwords, as a part of this requirement, all new passwords should use common secret template.

Business Impact - Improve ONAP security and make it easier for commercial adoption.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

All containers must run as non-root user

Key Contacts - Krzysztof Opasiak Paweł Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - This effort has been started in F with ONAP containers. Now we want to extend this to all containers that are deployed as a part of OOM.

Business Impact - Improve ONAP security and make it easier for commercial adoption.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

ONAP components should be able to run without AAF and MSB

Key Contacts - Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - AAF is not the only possible security solution for ONAP. In some cases ONAP may be deployed behind a reverse proxy or using service mesh. That's why components should be able to work (even in degradated mode in example using HTTP instead of HTTP or without authentication) without AAF available. The same for MSB. It's not the most cloud native solution for accessing services in kubernetes thus it should be possible to deploy ONAP without it and access services using for example API gateway.

Business Impact - Improve ONAP configurability and increase number of possible deployment option which will result in wider adoption among operators.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Replace NodePorts with ingress controller as a default deployment option

Key Contacts - Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - Nginx-based ingress controller is available in ONAP since F release. It's time to finally eliminate NodePorts which from the very beginning were considered just a temporary and insecure solutions. All components must be able to fully work via ingress.

Business Impact - Improve ONAP security and configurability will result in wider adoption among operators.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Containers must have no more than one main process

Key Contacts - Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - Docker best practice is to have one main process (java, nginx, gunicorn, ...) per container as it allows a fine grained supervision of this process

Business Impact - Improve ONAP monitoring and will result in wider adoption among operators.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Containers must crash properly when a failure occurs

Key Contacts - Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - Kubernetes best practice mandates that when an issue occurs (no access to Database, REST mandatory call fails, bug in code, ...), the container must crash with exit code different than 0

Business Impact - Improve ONAP monitoring and will result in wider adoption among operators.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Service mesh PoC

Key Contacts - Krzysztof OpasiakSylvain Desbureaux

Executive Summary - Service Mesh is a technique for facilitating secure service-to-service communications between microservices and especially adapated for Kubernetes based solution. The proposed PoC based on a subset of core ONAP components to. PoC will enabke to use mTLS between components, no passwords for internal communication, acces control for components and will facilitate tracability between micro-services

Business Impact - Improve ONAP user management, operability, traceability, security. Use best-practice from CNCF eco-system.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

ONAP shall improve its healthcheck tests

Key Contacts - Morgan Richomme

Executive Summary - Healthcheck tests are executed on the different components in gating and daily chains. It is critical to provide feedback. The maturity level of the tests are very different from one project to another.

Each new major feature shall be covered, therefore any new dockers shall include an improvement of the associated healthcheck test suite.

Integration can ensure the ..integration..but the quality of the internal healthcheck needs to be assessed by each project

Business Impact - Improve ONAP stability

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Replace nfs share with storage class as a default deployment option

Key Contacts - Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - Volume retrieval via Dynamic PVC is available in ONAP since F release. It's time to use it as default deployment instead of the NFS share.

Business Impact - Improve ONAP security and usability as a component won't be able to use all the disk space but only it's dedicated one.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

ONAP Projects dealing with GUI must provide GUI test suites

Key Contacts - Morgan Richomme

Executive Summary - UI testing is not trivial. Some components are providing UI (Portal, SDC, VID,...) that are the entry points for the end users so very important to give trust evidence for end users. As we started setting up gating and CI daily chain, it would be great to include UI testing for the main components as part of the regression test suites integrated in the CI chains

Business Impact - Improve ONAP stability

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Components may use HTTP as server and client

Key Contacts - Krzysztof Opasiak Sylvain Desbureaux

Executive Summary - As AAF is not a mandatory component and as TLS encryption may be done using service mesh, components must be able to server their traffic in plain HTTP and must be able to access other components using HTTP. Per default, HTTPS (client and server side) is mandated but configuration must allow HTTP.

Business Impact - Improve ONAP configurability and increase number of possible deployment option which will result in wider adoption among operators.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Interactive documentation aligned with a deployment

Key Contacts - Eric Debeau

Executive Summary - ONAP documentation is static and does not provide a dynamic way to jump into all the ONAP Kubernetes components and to get all relevant information based on a real deployment

A prototype has been demonstrated during the virtual F2F event in April

Business Impact - Improve ONAP usability

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Support IPv4/IPv6 dual stack deployments

Key Contacts - damian.nowak Martin Skorupski

Executive Summary - Majority of LTE and 5G RAN networks today are running exclusively on IPv6. IPv4/IPv6 dual stack solution for ONAP is needed to enable integration.

Martin Skorupski is bringing as well a requirement to register the NetConf network devices in SDN-R controller, using IPv6 networking.

It is mainly about a Kubernetes platform, hosting ONAP application containers. An enabler for IPv4/IPv6 networking would be an upgrade of ONAP OOM Helm charts to K8S 1.16+ APIs.
The support for IPv4/IPv6 dual stack networking is planned to be executed in (at least) two steps:

Migrate ONAP OOM Helm charts to support Kubernetes 1.17+ interfaces.
Currently (June 2020), the newest K8S platform available as RKE distribution is 1.17. Newest K8S open-source GA distro is 1.18.
Alternatively, certain components of ONAP, which are deployed using non-Helm methods could be placed on a dedicated K8S platform with IPv4/IPv6 support
Review alternative K8S platforms, which can get an "ONAP recommended" stamp, and which support IPv4/IPv6 dual stack networking.

The 1st step described is considered as an enabler to execute the 2nd step. In ONAP/Guiin release, it is planned to implement the 1st step.
Initial tests targeting ONAP Frankfurt on RKE-K8S 1.17 have been executed, and impact is already understood.

Additionally, K8S 1.17+ upgrade will offer as well additional functionality on the platform side, which can be used for other purposes.

REQ-385 - Getting issue details... STATUS

Business Impact - Improves ONAP integration capabilities, mainly in 5G use-cases and E2E Network Slicing. Future-proofs ONAP for years to come.

Business Markets - All operators, service providers and entities using ONAP.

Funding/Financial Impacts - None. RKE is already supporting K8S 1.17 as one of recommended K8S solutions, thus no additional costs here.

Organization Mgmt, Sales Strategies - There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Browser not supported