Service Mesh PoC plan

Recording of introduction

 

Phase 1

Used Components

This PoC will use at least the following ONAP components:

  • AAI

    • Schema Service

    • Traversal  (data queries)

    • Search Data  (only needed if using the UI)

    • Resources (CRUD interaction)

    • GraphAdmin (needed to set up the backend)

    • others?

  • SDC

    • BE

    • FE

    • Onboarding BE

  • VID

  • SO

    • BPMN infra

    • Catalog DB Adapter

    • Monitoring

    • Openstack Adapter

    • Request DB Adapter

    • SDNC Adapter

    • SDC Controller

    • API Handler (SO "base" c

  • DMaaP:

    • Message Router

  • SDNC:

    • DMaaP listener

    • SDNC Portal

    • UEB listener

The other sub-components of AAI, DMaaP, SDC, SDNC and SO will be integrated if possible.

 

 

client → https → Ingress → http → svc → http → pod

Ingress → http → sidecar → mtls → sidecar pod → http →  pod

 

 

Validation Scenarios

The validation scenario will be to onboard and then deploy the "basicUbuntu" VNF from the gating system using the GR API.

The validation scenario will be performed at each step.

Phase 2 (if time allows)

If "Step 1" of Phase 1 is validated, we may move to Phase 2 in parallel with steps 2 → 4 of Phase 1.

Used Components

On top of the Phase 1 components, we'll add:

  • CDS

  • Multicloud k8s

Validation Scenario

The validation scenario will be to onboard and then deploy a CNF whose values are processed by CDS.

 

Flow Matrix

We have two possibilities to write the AuthorizationPolicy with the service mesh:

Simple

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: so-vnfm-adapter-policy
  namespace: onap
spec:
  selector:
    matchLabels:
      app: aaf-cert-service        # name of target (service)
  action: ALLOW
  rules:
    - from:
        - source:
            # source, in this case the service account of the POD
            # (Istio principal format: <trust domain>/ns/<namespace>/sa/<service account>, no leading slash)
            principals: ["cluster.local/ns/onap/sa/so-vnfm-adapter-sa"]

 

 

 

 

 

  •  Simple to maintain

  •  but less secure.

Complex

apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: so-vnfm-adapter-policy
  namespace: onap
spec:
  selector:
    matchLabels:
      app: aaf-cert-service        # name of target (service)
  action: ALLOW
  rules:
    - from:
        - source:
            # source, in this case the service account of the POD
            # (Istio principal format: <trust domain>/ns/<namespace>/sa/<service account>, no leading slash)
            principals: ["cluster.local/ns/onap/sa/so-vnfm-adapter-sa"]
      to:
        - operation:
            ports: ["27017"]           # the target port
            methods: ["GET", "POST"]   # the used methods

 

 

  • more complex to deploy

  • very hard to maintain if you modify the API 

  •  more secure.


 

Example of a complex matrix (for the simple case, remove the last 2 columns):

Name of Source POD | Name of Target POD   | Port Number | Name of Methods
so-vnfm-adapter    | aaf-cert-service     | 27017       | GET, POST
so                 | aaf-locate.onap      | 8095        |
so                 | logstash             | 4544        |
so                 | mariadb              | 3306        |
so                 | sdnc (sdncOamPort)   | 8282        |
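As an added example (not code from the PoC page or from ONAP), the script below turns rows of the flow matrix above into AuthorizationPolicy manifests in either the simple form (source only) or the complex form (source, port and methods). The rows are constructed from the table; the "<source pod>-sa" service-account naming, the "app" label and the cluster.local trust domain are assumptions.

```python
# Added example (not the PoC page's code): build Istio AuthorizationPolicy
# manifests from the flow matrix. "<pod>-sa" service accounts, the "app"
# label and the cluster.local trust domain are assumptions.
import json

TRUST_DOMAIN = "cluster.local"  # Istio default; assumed here
NAMESPACE = "onap"

# Constructed from the matrix above: (source pod, target pod, port, methods)
FLOW_MATRIX = [
    ("so-vnfm-adapter", "aaf-cert-service", "27017", ["GET", "POST"]),
    ("so", "aaf-locate", "8095", []),
    ("so", "mariadb", "3306", []),
]

def principal(source_pod, namespace=NAMESPACE):
    # <trust domain>/ns/<namespace>/sa/<service account>, no leading slash:
    # a leading slash never matches a workload identity.
    return f"{TRUST_DOMAIN}/ns/{namespace}/sa/{source_pod}-sa"

def build_policies(matrix, mode="simple"):
    """Return {target pod: AuthorizationPolicy dict}, one policy per target.

    Once an ALLOW policy selects a workload, Istio denies every request to it
    that no rule matches, so each flow in the matrix must yield a rule; in
    "complex" mode a row without methods becomes a port-only rule."""
    if mode not in ("simple", "complex"):
        raise ValueError(f"unknown mode {mode!r}")
    policies = {}
    for src, dst, port, methods in matrix:
        pol = policies.setdefault(dst, {
            "apiVersion": "security.istio.io/v1beta1",
            "kind": "AuthorizationPolicy",
            "metadata": {"name": f"{dst}-policy", "namespace": NAMESPACE},
            "spec": {"selector": {"matchLabels": {"app": dst}},
                     "action": "ALLOW", "rules": []},
        })
        rule = {"from": [{"source": {"principals": [principal(src)]}}]}
        if mode == "complex":
            operation = {"ports": [str(port)]}
            if methods:
                operation["methods"] = list(methods)
            rule["to"] = [{"operation": operation}]
        pol["spec"]["rules"].append(rule)
    return policies

def render(policies):
    # JSON is valid YAML, so `kubectl apply -f` accepts the output as written.
    return "\n---\n".join(json.dumps(p, indent=2) for p in policies.values())
```

Rows of the same target pod are merged into one policy, so adding a flow never replaces an existing rule.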

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

These flows are given for information; because of the complexity and heterogeneity of the configuration, some flows may be missing.

This information was found in values.yaml or overrides.yml, depending on the component.

aai

  • aai: cassandra
  • aai-babel: No value
  • aai-data-router: No value
  • aai-elasticsearch: No value
  • aai-graphadmin: No value
  • aai-graphadmin-job: No value
  • aai-modelloader: No value
  • aai-resources: No value
  • aai-schema-service: No value
  • aai-search-data: No value
  • aai-sparky-be: aai, aai-elasticsearch, aai-gizmo, aai-search-data
  • aai-traversal: No value
  • aai-traversal-job: No directory

SDC

  • sdc: cassandra, logstashPort "5044"
  • sdc-be: No value
  • sdc-be-job: No directory
  • sdc-cs: cassandra
  • sdc-cs-job: sdc-be:8443
  • sdc-dcae-be: sdc-dcae-be-8082, sdc-dcae-be-8444
  • sdc-dcae-be-job: No directory
  • sdc-dcae-dt: No value
  • sdc-dcae-fe: No value
  • sdc-dcae-tosca-lab: sdc-dcae-tosca-lab-8085, sdc-dcae-tosca-lab-8445
  • sdc-fe: sdc-dcae-fe:9444, sdc.dcae.plugin.simpledemo.onap.org:30264, https://sdc.dcae.plugin.simpledemo.onap.org:30266, sdc-wfd-fe:8443, sdc.workflow.plugin.simpledemo.onap.org:30256
  • sdc-onboarding-be: cassandra
  • sdc-onboarding-be-job: No directory
  • sdc-wfd-be: cassandraClientPort: 9042, sdc-be:8443
  • sdc-wfd-be-job: No directory
  • sdc-wfd-fe: /sdc-wfd-be:8443

vid

  • vid: mariadb, asdcclient 8443, so vidaai 8443, msoport "8080"
  • vid-galera: No directory
  • vid-job: No directory

so

  • so: aaf-locate.onap:8095, logstashPort: 5044, mariadb 3306, sdncOamPort: 8282, mso, sdc, dmaap, nbi.onap:8080/nbi/api/v3, dmaap-bc, aai
  • so-appc-orchestrator: appc, aaf, so-bpmn-infra (deprecated in the Guilin release)
  • so-bpmn-infra: cds-blueprints-processor-grpc, aai, mso, aaf, sdnc, sniro, mso-adapter-db, mso-adapter-po, oof-osdf, so-vnfm-adapter, camunda, so-openstack-adapter, so-request-db-adapter, so-sdnc-adapter, so-vfc-adapter, so-nssmf-adapter, so-catalog-db-adapter, pdp, naming.demo.onap/com
  • so-catalog-db-adapter: aaf, Maria DB (Galera)
  • so-mariadb: Galera (cluster deployment)
  • so-monitoring: No value
  • so-nssmf-adapter: aaf, aai, so-request-db-adapter
  • so-openstack-adapter: aaf, aai, so-request-db-adapter, so-bpmn-infra, so-catalog-db-adapter
  • so-request-db-adapter: aaf, Maria DB (Galera)
  • so-sdc-controller: aai, aaf, asdc, so-catalog-db-adapter, request-db-adapter, asdc-connections, sdc-wfd-be, Maria DB (Galera)
  • so-sdnc-adapter: aaf, sdnc, so-catalog-db-adapter
  • so-ve-vnfm-adapter: msb-iag, aai, message-router (deprecated in the Guilin release)
  • so-vfc-adapter: aaf, so-request-db-adapter
  • so-vnfm-adapter (renamed Sol003-adapter in Guilin): aaf, sdc-be, msb-iag, modeling-etsicatalog, aai
  • so-etsi-nfvo (introduced in Guilin): aaf, sdc-be, msb-iag, modeling-etsicatalog, aai
  • so-cnf-adapter (introduced in Guilin): so-bpmn-infra
  • so-oof-adapter (introduced in Guilin): oof, bpmn-infra

Dmaap

  • dmaap: aaf
  • dmaap-bc: https://aaf-service:8100/, https://aaf-locate:8095
  • dmaap-dr-node: aaf
  • dmaap-dr-prov: mariadb 3306
  • message-router: message-router-kafka, message-router-zookeeper
  • message-router-kafka: No directory
  • message-router-zookeeper: No directory

sdnc

  • sdnc: aaf, sdnc-cert-initializer, netbox, aai, modeling, restconf, scaleout, ansible
  • sdnc-ansible-server: mariadbGalera
  • sdnc-db: mariadbGalera
  • sdnc-dgbuilder: mariadbGalera
  • sdnc-dmaap-listener: dmaap, mariadbGalera
  • sdnc-portal: mariadbGalera (the SDNC portal is disabled in Frankfurt and removed in Guilin)
  • sdnc-ueb-listener: mariadbGalera, logging, sdc-be

ccsdk/cds

  • cds: mariadbGalera
  • cds-blueprints-processor: mariadb-galera, cds-db, dmaap
  • cds-command-executor: No value
  • cds-db: No directory
  • cds-py-executor: No value
  • cds-sdc-listener: No value
  • cds-ui: cds-blueprints-processor

Multicloud

  • multicloud: msb-iag, log-ls, aai
  • multicloud-azure: msb-iag, aai
  • multicloud-fcaps: msb-iag, aai
  • multicloud-k8s: No value
  • multicloud-k8s-mongo: No directory
  • multicloud-promotheus: logging
  • multicloud-pike: msb-iag, aai
  • multicloud-starlingx: msb-iag, aai
  • multicloud-vio: msb-iag, aai
  • multicloud-windriver: msb-iag, aai