#
# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
#
This collection of files represent rapp service exposure prototyping in O-RAN.
-Prerequisites: Istio should be installed on your cluster with the demo profile.
+Prerequisites: Istio should be installed on your cluster with the demo profile. You may need to add istioctl to you $PATH variable.
istioctl install --set profile=demo
Please refer to the istio documentation for more information.
-You will also need cfssl installed on your system: sudo apt install golang-cfssl
Please refer to the K8s documentation: Manage TLS Certificates in a Cluster
The deployments have been implemented and tested using minikube.
If you are not using minikube, references to "minikube ip" should be changed to the appropiate value for you host.
+The ipAddresses field in cluster-issuer.yaml not referring to the generic localhost ip should be changed to your own ip.
To replicate these tests you will need to setup the various host path referenced in the yaml files on your own machine.
chartmuseum.yaml: path: /var/chartmuseum/charts
-keycloak.yaml: path: /auth/realms/master
-keycloak.yaml: path: /var/keycloak/certs
postgres.yaml: path: "/var/keycloak/data2"
-postgres.yaml: path: /tmp
-rapps-keycloak-mgr.yaml: path: /var/rapps/certs
or change them to match your own setup.
-The certs directory contains 3 shell scripts for creating the server, client and webhook certs: server_certs.sh, client_certs.sh and webhook-certs.sh
-Certs generated by the server_certs.sh script: rootCA.crt, tls.crt and tls.key go in the "/var/keycloak/certs" directory
-Certs generated by the client_certs.sh script: client.crt, client.key, client_pub.key and rootCA.crt go in the "/var/rapps/certs" directory
-The webhook-certs.sh script generates certs for use in the MutatingWebhookConfiguration.yaml and the rapps-webhook.yaml files.
-To configure MutatingWebhookConfiguration.yaml run the following commands:
-1. ca_pem_b64="$(openssl base64 -A <"./certs/ca.pem")"
-2. sed -i 's/${CA_PEM_B64}/'"$ca_pem_b64"'/g' MutatingWebhookConfiguration.yaml
-
-To configure rapps-webhook.yaml append the rapps-webhook-tls.yaml file to the end of it
-1. cat rapps-webhook.yaml ./certs/rapps-webhook-tls.yaml >> rapps-webhook.yaml.tmp
-2. mv rapps-webhook.yaml.tmp rapps-webhook.yaml
-
Create the istio-nonrtric namespace and enable it for istio injection
kubectl create ns istio-nonrtric
go build rapps-helm-installer.go
go build rapps-keycloak-mgr.go
go build rapps-istio-mgr.go
- go build rapps-rapp-provider.go
- go build rapps-rapp-invoker.go
go build rapps-webhook.go
go build rapps-jwt.go
go build rapps-rapp-helloworld-provider.go
You will need to package your rapp charts and copy them to the /var/chartmuseum/charts directory before starting.
cd charts/
- helm package rapp-provider
- scp -i $(minikube ssh-key) rapp-provider-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
+ helm package rapp-helloworld-provider
+ scp -i $(minikube ssh-key) rapp-helloworld-provider-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
+
+ helm package rapp-helloworld-invoker1
+ scp -i $(minikube ssh-key) rapp-helloworld-invoker1-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
- helm package rapp-invoker
- scp -i $(minikube ssh-key) rapp-invoker-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
+ helm package rapp-helloworld-invoker2
+ scp -i $(minikube ssh-key) rapp-helloworld-invoker2-0.1.0.tgz docker@$(minikube ip):/var/chartmuseum/charts
+Start cert-manager using the following command:
+ ./cert-manager.sh deploy
-Start keycloak and postgres in the default namespace with istio injection:
+Copy keycloak client certs into the istio-nonrtric namespace by running:
+ ./copy_tls_secret.sh -n cm-keycloak-client-certs -s default -d istio-nonrtric
- istioctl kube-inject -f postgres.yaml | kubectl apply -f -
- istioctl kube-inject -f keycloak.yaml | kubectl apply -f -
-or use the keycloak.sh deploy script
+Start keycloak and postgres in the default namespace with istio injection by running:
+
+ ./keycloak.sh deploy
To start the management pods run:
- start_pods.sh
+ ./start_pods.sh
Once all pods have been started a list of running pods is displayed at the end of the script:
NAME READY STATUS RESTARTS AGE
rapps-istio-mgr-deployment-67c67647b6-p5s2k 1/1 Running 0 8s
rapps-keycloak-mgr-deployment-7464f87575-54h9x 1/1 Running 0 8s
-Get the node port for the helm installer that corresponds to port 80
- kubectl get svc rapps-helm-installer
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- rapps-helm-installer NodePort 10.96.58.211 <none> 80:31570/TCP 8m9s
+Once these pods are up and running use the following command to install the rapps:
+
+ ./deploy_rapp.sh rapp-helloworld-provider
-Once these pods are up and running run:
- curl http://<minikube ip>:<helm installer node port>/install?chart=<rapp chart name>
- to install your rapp
+ ./deploy_rapp.sh rapp-helloworld-invoker1
- e.g. curl http://192.168.49.2:31570/install?chart=rapp-hello-world-provider
- Successfully installed release: rapp-provider
+ ./deploy_rapp.sh rapp-helloworld-invoker2
- Alternativley use the deploy_rapp.sh script
- e.g. ./deploy_rapp.sh rapp-helloworld-provider
Note: The line export host= should be changed to the appropaite ip for the host you are running on.
This will setup keycloak realm + client, istio policies and deploy your chart.
Check the invoker logs to see the test message:
- kubectl logs rapp-invoker-758468d7d4-njmdn -n istio-nonrtric
- Received response for rapp-provider get request - Hello World!
+ kubectl logs rapp-helloworld-invoker1-758468d7d4-njmdn -n istio-nonrtric
+ Received response for rapp-helloworld-provider get request - Hello World!
If you want to test using the rp_test.sh file, the client_secret field needs be changed to match the secret for you keycloak client.
You can find this in the keycloak-mgr log.
-To uninstall run:
- curl http://<minikube ip>:<helm installer node port>/uninstall?chart=<rapp chart name>
- e.g. curl http://192.168.49.2:31570/uninstall?chart=rapp-invoker
- Successfully uninstalled release: rapp-invoker
+To uninstall the management pods and and rapps run:
+ ./stop_pods.sh
- Alternativley use the undeploy_rapp.sh script
+You can also uninstall individual rapp using the undeploy_rapp.sh script.
e.g. ./undeploy_rapp.sh rapp-helloworld-provider
-To stop the management pods and provider/invoker pods at the same time run:
- stop_pods.sh
-
-Remove postgres and keycloak with the following commands:
- kubectl delete -f keycloak.yaml
- kubectl delete -f postgres.yaml
+Remove postgres and keycloak with the following command:
+ ./keycloak.sh undeploy
- or use ./keycloak.sh undeploy
+Remove cert-manager with the following command:
+ ./cert-manager.sh undeploy
Code Review / nonrtric.git / blobdiff