[nonrtric.git] / service-exposure / README.md

#
# ============LICENSE_START=======================================================
#  Copyright (C) 2022 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
This collection of files represent rapp service exposure prototyping in O-RAN.
Prerequisites: Istio should be installed on your cluster with the demo profile.
  istioctl install --set profile=demo
Please refer to the istio documentation for more information.
You will also need cfssl installed on your system: sudo apt install golang-cfssl
Please refer to the K8s documentation: Manage TLS Certificates in a Cluster
The deployments have been implemented and tested using minikube.
If you are not using minikube, references to "minikube ip" should be changed to the appropiate value for you host.
To replicate these tests you will need to setup the various host path referenced in the yaml files on your own machine.

chartmuseum.yaml:             path: /var/chartmuseum/charts
keycloak.yaml:                path: /auth/realms/master
keycloak.yaml:                path: /var/keycloak/certs
postgres.yaml:                path: "/var/keycloak/data2"
postgres.yaml:                path: /tmp
rapps-keycloak-mgr.yaml:      path: /var/rapps/certs

or change them to match your own setup.

The certs directory contains 3 shell scripts for creating the server, client and webhook certs: server_certs.sh, client_certs.sh and webhook-certs.sh
Certs generated by the server_certs.sh script: rootCA.crt, tls.crt and tls.key go in the "/var/keycloak/certs" directory
Certs generated by the client_certs.sh script: client.crt, client.key, client_pub.key and rootCA.crt go in the "/var/rapps/certs" directory
The webhook-certs.sh script generates certs for use in the MutatingWebhookConfiguration.yaml and the rapps-webhook.yaml files.
To configure MutatingWebhookConfiguration.yaml run the following commands:
1. ca_pem_b64="$(openssl base64 -A <"./certs/ca.pem")"
2. sed -i 's/${CA_PEM_B64}/'"$ca_pem_b64"'/g' MutatingWebhookConfiguration.yaml

To configure rapps-webhook.yaml append the rapps-webhook-tls.yaml file to the end of it
1. cat rapps-webhook.yaml ./certs/rapps-webhook-tls.yaml >> rapps-webhook.yaml.tmp
2. mv rapps-webhook.yaml.tmp rapps-webhook.yaml

Create the istio-nonrtric namespace and enable it for istio injection

   kubectl create ns istio-nonrtric

   kubectl label namespace istio-nonrtric istio-injection=enabled


All go programs need to be built prior to running the Dockerfiles

   go build rapps-helm-installer.go
   go build rapps-keycloak-mgr.go
   go build rapps-istio-mgr.go
   go build rapps-rapp-provider.go
   go build rapps-rapp-invoker.go
   go build rapps-webhook.go
   go build rapps-jwt.go
   go build rapps-rapp-helloworld-provider.go
   go build rapps-rapp-helloworld-invoker1.go
   go build rapps-rapp-helloworld-invoker2.go

Once the go programs have been compile you then need to build a docker image for each of them.

   docker build -f Dockerfile_rim . -t <tag prefix>/rapps-istio-mgr
   docker build -f Dockerfile_rkm . -t <tag prefix>/rapps-keycloak-mgr
   docker build -f Dockerfile_rhi . -t <tag prefix>/rapps-helm-installer
   docker build -f Dockerfile_wh . -t <tag prefix>/rapps-webhook
   docker build -f Dockerfile_jwt . -t <tag prefix>/rapps-jwt
   docker build -f Dockerfile_rhwp  . -t <tag prefix>/rapps-rapp-helloworld-provider
   docker build -f Dockerfile_rhwi1  . -t <tag prefix>/rapps-rapp-helloworld-invoker1
   docker build -f Dockerfile_rhwi2  . -t <tag prefix>/rapps-rapp-helloworld-invoker2

Image references in the yaml files/helm charts should be changed to match your own tagged images.

You will need to package your rapp charts and copy them to the /var/chartmuseum/charts directory before starting.

   cd charts/
   helm package rapp-provider
   scp -i $(minikube ssh-key) rapp-provider-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts

   helm package rapp-invoker
   scp -i $(minikube ssh-key) rapp-invoker-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts


Start keycloak and postgres in the default namespace with istio injection:

   istioctl kube-inject -f postgres.yaml | kubectl apply -f -
   istioctl kube-inject -f keycloak.yaml | kubectl apply -f -
or use the keycloak.sh deploy script

To start the management pods run:

   start_pods.sh

Once all pods have been started a list of running pods is displayed at the end of the script:
NAME                                                         READY   STATUS    RESTARTS   AGE
chartmuseum-deployment-7b8cd4c9d4-nd7dk                      1/1     Running   0          9s
jwt-proxy-admission-controller-deployment-66797fb6df-mlk8t   1/1     Running   0          8s
keycloak-846ff979bc-ndvdf                                    2/2     Running   0          2m16s
postgres-78b4b9d95-nqjkj                                     2/2     Running   0          2m29s
rapps-helm-installer-deployment-67476694-n5r24               1/1     Running   0          8s
rapps-istio-mgr-deployment-67c67647b6-p5s2k                  1/1     Running   0          8s
rapps-keycloak-mgr-deployment-7464f87575-54h9x               1/1     Running   0          8s

Get the node port for the helm installer that corresponds to port 80

   kubectl get svc rapps-helm-installer
   NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
   rapps-helm-installer   NodePort   10.96.58.211   <none>        80:31570/TCP   8m9s

Once these pods are up and running run:
   curl http://<minikube ip>:<helm installer node port>/install?chart=<rapp chart name>
   to install your rapp

   e.g. curl http://192.168.49.2:31570/install?chart=rapp-hello-world-provider
        Successfully installed release: rapp-provider

   Alternativley use the deploy_rapp.sh script
   e.g. ./deploy_rapp.sh rapp-helloworld-provider
   Note: The line export host= should be changed to the appropaite ip for the host you are running on.

This will setup keycloak realm + client, istio policies and deploy your chart.

You should install both the provider and the invoker to see the pods communicating.

Check the invoker logs to see the test message:

   kubectl logs rapp-invoker-758468d7d4-njmdn  -n istio-nonrtric
   Received response for rapp-provider get request - Hello World!

If you want to test using the rp_test.sh file, the client_secret field needs be changed to match the secret for you keycloak client.
You can find this in the keycloak-mgr log.

To uninstall run:
   curl http://<minikube ip>:<helm installer node port>/uninstall?chart=<rapp chart name>
   e.g. curl http://192.168.49.2:31570/uninstall?chart=rapp-invoker
        Successfully uninstalled release: rapp-invoker

   Alternativley use the undeploy_rapp.sh script
   e.g. ./undeploy_rapp.sh rapp-helloworld-provider

To stop the management pods and provider/invoker pods at the same time run:
   stop_pods.sh

Remove postgres and keycloak with the following commands:
   kubectl delete -f keycloak.yaml
   kubectl delete -f postgres.yaml

   or use ./keycloak.sh undeploy