Hello,
If Ingress is also accepted as default deployment (it's for now in "PTL GO/NO 
GO" state), we (OOM team) can also create a template that would push the 
certificate on the ingress instead of pushing it on the component.
Work to do that is not big although there's some.

That's an approach that SO would like to work on also so the work wouldn't be 
done for one component only.

Regards,
Sylvain
________________________________________
From: Krzysztof Opasiak [k.opas...@samsung.com]
Sent: Wednesday, 15 July 2020 20:25
To: TIMONEY, DAN; DESBUREAUX Sylvain TGI/OLN; 'dmcbr...@linuxfoundation.org'; 
LEFEVRE, CATHERINE
Cc: LUCAS, JACK; HERNANDEZ-HERRERO, JORGE; 'fiachra.corco...@est.tech'; 
'marek.szwalkiew...@external.t-mobile.pl'; LUNANUOVA, DOMINIC; DETERME, 
SEBASTIEN; PARTHASARATHY, RAMESH; 'seshu.kuma...@huawei.com'; DRAGOSH, PAM; 
SONSINO, OFIR; MALAKOV, YURIY; 'onap-...@lists.onap.org'; 
'onap-tsc@lists.onap.org'; DEBEAU Eric TGI/OLN; RICHOMME Morgan TGI/OLN
Subject: Re: [ONAP][Maintenance Releases] What's onboarded from an OOM point of 
view

On 15.07.2020 20:08, TIMONEY, DAN wrote:
> Krzysztof,
>
> For Guilin, instead of certInitializer, how about if we change dgbuilder to 
> use http instead of https and use it as a trial for using an ingress 
> controller instead of a node port?  Since dgbuilder is a design time tool 
> primarily, it's pretty isolated and low risk- and then we'll have one less 
> cert to have to worry about maintaining.

Well as long as it is exposed to the outside world it should be https.
So we can either:

1) Change its type to ClusterIP if it doesn't have to be exposed.
2) Keep it https;)

>
> For Frankfurt, could we cherry pick that same change?   If so, I'm happy to 
> make that a priority if you can provide some pointers on how to switch from 
> using a node port to ingress controller for the dgbuilder service, and then I 
> can make that change once the right way.

Actually there is nothing to do from OOM perspective apart from enabling
ingress;)

All the ingress configuration (with SSL passthrough) is already there.
The only thing that you need to do is to make sure that dgbuilder can
actually work with ingress, which means that there are no hardcoded URLs etc.

>  Otherwise, I'm happy to install those certs in the Frankfurt branch like 
> Sylvain did for us for the CDS py-executor pod recently.

That's exactly what I've been talking about:)

>
>
> Dan
>
> -----Original Message-----
> From: Krzysztof Opasiak <k.opas...@samsung.com>
> Sent: Wednesday, July 15, 2020 12:25 PM
> To: TIMONEY, DAN <dt5...@att.com>; sylvain.desbure...@orange.com; 
> dmcbr...@linuxfoundation.org; LEFEVRE, CATHERINE 
> <catherine.lefe...@intl.att.com>
> Cc: LUCAS, JACK <jflu...@research.att.com>; HERNANDEZ-HERRERO, JORGE 
> <jh1...@att.com>; fiachra.corco...@est.tech; 
> marek.szwalkiew...@external.t-mobile.pl; LUNANUOVA, DOMINIC 
> <d...@research.att.com>; DETERME, SEBASTIEN <sebastien.dete...@intl.att.com>; 
> PARTHASARATHY, RAMESH <rp6...@att.com>; seshu.kuma...@huawei.com; DRAGOSH, 
> PAM <pdrag...@research.att.com>; SONSINO, OFIR <ofir.sons...@intl.att.com>; 
> MALAKOV, YURIY <ym9...@att.com>; onap-...@lists.onap.org; 
> onap-tsc@lists.onap.org; DEBEAU Eric TGI/OLN <eric.deb...@orange.com>; 
> RICHOMME Morgan TGI/OLN <morgan.richo...@orange.com>
> Subject: Re: [ONAP][Maintenance Releases] What's onboarded from an OOM point 
> of view
>
>
>
> On 15.07.2020 15:04, TIMONEY, DAN wrote:
>> David, Sylvain, Catherine:
>>
>> The changes in CCSDK and SDNC for the Frankfurt maintenance release are
>> marked in the ONAP jira with the frankfurt_maintenance_release_1 tag.  I
>> created a shared query for (hopefully) easy reference:
>>
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__jira.onap.org_issues_-3Ffilter-3D12419&d=DwIDaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=Ms-DNhR23dO4sQFfYRm4ow&m=MH705N3khZcYCab8BWZQ-KGe7F_MSPGPow7XAH0AutI&s=4Nul3p0kn2KxOXVCPL4xVGlFlrWpt3VNRgPDCAQYSII&e=
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__protect2.fireeye.com_url-3Fk-3D74340a1b-2D29aff678-2D74358154-2D0cc47a31cdbc-2D22b3eeadf7f1f882-26q-3D1-26u-3Dhttps-253A-252F-252Fjira.onap.org-252Fissues-252F-253Ffilter-253D12419&d=DwIDaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=Ms-DNhR23dO4sQFfYRm4ow&m=MH705N3khZcYCab8BWZQ-KGe7F_MSPGPow7XAH0AutI&s=QDGPcOWtfGOeizUdcir51R5V1Yc3oEwQPIgQOmM9ixU&e=
>>  >
>>
>> The changes in CCSDK and SDNC for the El Alto maintenance release are
>> also marked in the ONAP Jira, with the El_Alto_Maintenance_1 tag.  I
>> created a shared query for that one as well:
>>
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__jira.onap.org_issues_-3Ffilter-3D12418&d=DwIDaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=Ms-DNhR23dO4sQFfYRm4ow&m=MH705N3khZcYCab8BWZQ-KGe7F_MSPGPow7XAH0AutI&s=AbrzXZdr8B95ujLKCzkdAmOjJogP8TItzzNc80ld9tM&e=
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__protect2.fireeye.com_url-3Fk-3Db340f9b6-2Deedb05d5-2Db34172f9-2D0cc47a31cdbc-2Dac7d3148487fbdee-26q-3D1-26u-3Dhttps-253A-252F-252Fjira.onap.org-252Fissues-252F-253Ffilter-253D12418&d=DwIDaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=Ms-DNhR23dO4sQFfYRm4ow&m=MH705N3khZcYCab8BWZQ-KGe7F_MSPGPow7XAH0AutI&s=PRLrhmi-d8XFKWM7Z770hrjID117o1AXW6cuOs9WDB8&e=
>>  >
>>
>> There are 2 new issues in that list that I added in order to address the
>> expired certificate in dgbuilder that Morgan brought to our attention
>> (thanks for that!).  I’m in the process of creating a new docker to
>> address that issue and would like to include that in this maintenance
>> release if we can.
>
> El Alto - I'm fine with docker
>
> Frankfurt - would be great to have it in OOM repo instead
>
> master - use certInitializer
>
>>
>> Thanks!
>>
>> Dan
>>
>> *From: *"sylvain.desbure...@orange.com" <sylvain.desbure...@orange.com>
>> *Date: *Friday, July 10, 2020 at 5:17 AM
>> *To: *"dmcbr...@linuxfoundation.org" <dmcbr...@linuxfoundation.org>,
>> "LEFEVRE, CATHERINE" <catherine.lefe...@intl.att.com>
>> *Cc: *"LUCAS, JACK" <jflu...@research.att.com>, "HERNANDEZ-HERRERO,
>> JORGE" <jh1...@att.com>, "fiachra.corco...@est.tech"
>> <fiachra.corco...@est.tech>, "marek.szwalkiew...@external.t-mobile.pl"
>> <marek.szwalkiew...@external.t-mobile.pl>, "LUNANUOVA, DOMINIC"
>> <d...@research.att.com>, "DETERME, SEBASTIEN"
>> <sebastien.dete...@intl.att.com>, "PARTHASARATHY, RAMESH"
>> <rp6...@att.com>, "seshu.kuma...@huawei.com" <seshu.kuma...@huawei.com>,
>> "TIMONEY, DAN" <dt5...@att.com>, "DRAGOSH, PAM"
>> <pdrag...@research.att.com>, "SONSINO, OFIR"
>> <ofir.sons...@intl.att.com>, "MALAKOV, YURIY" <ym9...@att.com>,
>> "onap-...@lists.onap.org" <onap-...@lists.onap.org>,
>> "onap-tsc@lists.onap.org" <onap-tsc@lists.onap.org>, DEBEAU Eric TGI/OLN
>> <eric.deb...@orange.com>, RICHOMME Morgan TGI/OLN
>> <morgan.richo...@orange.com>, Krzysztof Opasiak <k.opas...@samsung.com>
>> *Subject: *[ONAP][Maintenance Releases] What's onboarded from an OOM
>> point of view
>>
>> Hi David and Catherine,
>>
>> Following yesterday's call, here's what I see from OOM code point of
>> view on our maintenance releases.
>> It's my view as of today, we may see new merge requests coming,
>> especially for the (not announced) Frankfurt Maintenance Release.
>>
>> # El Alto
>>
>> 24 commits have (will for 2) been applied to El Alto branch since last
>> maintenance release:
>>
>> The following commits include code change in parent repo, so digging
>> between the two releases is needed in order to know
>> what changed:
>> * Update policy brmsgw to point to latest versions (POLICY-2171)
>>     BRMS_DEPENDENCY_VERSION: 1.4.2 -> 1.5.3
>>     BRMS_MODELS_DEPENDENCY_VERSION: 2.0.2 -> 2.1.4
>> * [DMaaP DR] New certs fro ElAlto images (DMAAP-1421)
>>     onap/dmaap/datarouter-node: 2.1.2 -> 2.2.0
>>     onap/dmaap/datarouter-prov: 2.1.2 -> 2.2.0
>> * Update DCAE certs for El Alto (DCAEGEN2-2206)
>>     onap/org.onap.dcaegen2.deployments.tls-init-container: 1.0.3 -> 1.0.4
>> * Update CDS image version for elalto to 0.6.5 (OOM-2336)
>>     onap/ccsdk-blueprintsprocessor: 0.6.3 -> 0.6.5
>>     onap/ccsdk-commandexecutor: 0.6.3 -> 0.6.5
>>     onap/ccsdk-sdclistener: 0.6.3 -> 0.6.5
>>     onap/ccsdk-cds-ui-server: 0.6.3 -> 0.6.5
>> * [POLICY] new elato images (POLICY-2519)
>>     onap/policy-pe: 1.5.2 -> 1.5.3
>>     onap/policy-pdpd-cl: 1.5.3 -> 1.5.4
>>     onap/policy-apex-pdp: 2.2.2 -> 2.2.3
>>     onap/policy-api: 2.1.2 -> 2.1.3
>>     onap/policy-distribution: 2.2.1 -> 2.2.2
>>     onap/policy-pap: 2.1.2 -> 2.1.3
>>     onap/policy-xacml-pdp: 2.1.2 -> 2.1.3
>> * use new image with updated certs (DMAAP-1424)
>>     onap/dmaap/dmaap-bc: 1.1.5 -> 1.1.9
>>     onap/dmaap/dbc-client: 1.0.9 -> 1.1.9
>> * [SDC] Update sdc images for ElAlto (SDC-3199) (*** NOT YET MERGED ***)
>>     onap/sdc-backend: 1.5.2 -> 1.5.3
>>     onap/sdc-backend-init: 1.5.2 -> 1.5.3
>>     onap/sdc-cassandra: 1.5.2 -> 1.5.3
>>     onap/sdc-cassandra-init: 1.5.2 -> 1.5.3
>>     onap/dcae-be: 1.3.2 -> 1.3.2-1
>>     onap/dcae-tools: 1.3.2 -> 1.3.2-1
>>     onap/dcae-dt: 1.3.2 -> 1.3.2-1
>>     onap/dcae-fe: 1.3.2 -> 1.3.2-1
>>     onap/sdc-elasticsearch: 1.5.2 -> 1.5.3
>>     onap/sdc-init-elasticsearch: 1.5.2 -> 1.5.3
>>     onap/sdc-frontend: 1.5.2 -> 1.5.3
>>     onap/sdc-kibana: 1.5.2 -> 1.5.3
>>     onap/sdc-onboard-backend: 1.5.2 -> 1.5.3
>>     onap/sdc-onboard-cassandra-init: 1.5.2 -> 1.5.3
>>
>> These are "OOM only" (change in helm charts, no new images):
>> * Fixing missing apiVersion in etcd chart (OOM-2156)
>> * NBI to SDC: API is HTTPS with port 8443 (EXTAPI-341)
>> * VNFM-adapter health check failing (SO-2517)
>> * Fix the deployment issue (CLAMP-551)
>> * docs: Replace include directives for non existent file (OOM-2203)
>> * docs: Ensure literalinclude directive rendering (OOM-1612)
>> * Type in deployment.yaml forf cds-ui branch:elAlto (CCSDK-1953)
>> * Fix multicloud log message output issue (MULTICLOUD-966)
>> * update cert using secrets (DMAAP-1422)
>> * fix for the expiring cert (DMAAP-1438)
>> * [DMaaP] Remove "BOM" Character (OOM-2364)
>> * [GENERIC] follow elalto branches for submodules (OOM-2364)
>> * [AAI|ROBOT] track latest commits on submodules (OOM-2364)
>> * Workaround for cert expiration (DMAAP-1424)
>> * Portal certificate renewal (PORTAL-878)
>> * Fix: make all - returns multiple warnings (OOM-2412)
>> * deploy.sh does not work on Mac os x because untar directory is create…
>> (OOM-2407)
>> * [COMMON] Align Makefile with last changes (OOM-2412)
>> * AAF SMS] Override outdated certificates (AAF-1159) (*** NOT YET MERGED
>> ***)
>>
>>
>> I then believe that Policy, DMaaP, SDC and CCSDK/CDS should list commits
>> between the related releases in order to have the full
>> view of what would be OOM El Alto Maintenance Release 2
>>
>> We have an issue on SO Api Handler today so we may have a new image needed
>>
>> # Frankfurt
>>
>> 14 commits have (will for 2) been applied to El Alto branch since last
>> maintenance release:
>>
>> The following commits include code change in parent repo, so digging
>> between the two releases is needed in order to know
>> what changed:
>> * Add new SO component so-appc-orchestrator to OOM (SO-2903)
>>     new SO image: onap/so/so-appc-orchestrator:1.6.0
>> * bump the SO version (SO-3022)
>>     onap/so/bpmn-infra: 1.6.3 -> 1.6.4
>>     onap/so/catalog-db-adapter: 1.6.3 -> 1.6.4
>>     onap/so/so-monitoring: 1.6.3 -> 1.6.4
>>     onap/so/nssmf-adapter: 1.6.3 -> 1.6.4
>>     onap/so/openstack-adapter: 1.6.3 -> 1.6.4
>>     onap/so/request-db-adapter: 1.6.3 -> 1.6.4
>>     onap/so/sdc-controller: 1.6.3 -> 1.6.4
>>     onap/so/sdnc-adapter: 1.6.3 -> 1.6.4
>>     onap/so/ve-vnfm-adapter: 1.6.3 -> 1.6.4
>>     onap/so/vfc-adapter: 1.6.3 -> 1.6.4
>>     onap/so/vnfm-adapter: 1.6.3 -> 1.6.4
>>     onap/so/api-handler-infra: 1.6.3 -> 1.6.4
>> * [CDS/SDNC] Update versions for Frankfurt mtce release (CCSDK-2519,
>> CCSDK-2399)
>>     onap/ccsdk-blueprintsprocessor: 0.7.3 -> 0.7.5
>>     onap/ccsdk-commandexecutor: 0.7.3 -> 0.7.5
>>     onap/ccsdk-py-executor: 0.7.3 -> 0.7.5
>>     onap/ccsdk-sdclistener: 0.7.3 -> 0.7.5
>>     onap/ccsdk-cds-ui-server: 0.7.3 -> 0.7.5
>>     onap/sdnc-dmaap-listener-image: 1.8.3 -> 1.8.4
>>     onap/sdnc-ansible-server-image: 1.8.3 -> 1.8.4
>>     onap/admportal-sdnc-image: 1.8.3 -> 1.8.4
>>     onap/sdnc-ueb-listener-image: 1.8.3 -> 1.8.4
>>     onap/sdnc-image: 1.8.3 -> 1.8.4
>> * [SDC] Update sdc images for Frankfurt (SDC-3189) (*** NOT YET MERGED ***)
>>     onap/sdc-backend: 1.6.6 -> 1.6.7
>>     onap/sdc-backend-init: 1.6.6 -> 1.6.7
>>     onap/sdc-cassandra: 1.6.6 -> 1.6.7
>>     onap/sdc-cassandra-init: 1.6.6 -> 1.6.7
>>     onap/sdc-frontend: 1.6.6 -> 1.6.7
>>     onap/sdc-onboard-backend: 1.6.6 -> 1.6.7
>>     onap/sdc-onboard-cassandra-init: 1.6.6 -> 1.6.7
>>
>>
>> These are "OOM only" (change in helm charts, no new images):
>> * Add property enabling the py-executor component (CCSDK-2414)
>> * Fix SDNC DMAAP consumer properties in HELM charts (OOM-2400)
>> * Revert "[COMMON] add pre upgrade script for mariadb-galera" (INT-1633)
>> * [CLAMP] Allow to use ' in clamp mariadb passwords (CLAMP-878)
>> * [POLICY] add env passwords to api/pap/xacml/dist (POLICY-2575)
>> * point .gitreview to frankfurt branch (POLICY-2575)
>> * [SO] Sync up with the last-minute MSB certificate changes. (SO-2982)
>> * [CDS] Add hardcoded certificates to CDS (CCSDK-2410, CCSDK-2519)
>> * [COMMON] Allow to use ' in mariadb-init (OOM-2436)
>> * [AAF CertService] Increase certificates validity (AAF-1175) (*** NOT
>> YET MERGED ***)
>>
>> I then believe that SO, SDNC, SDC and CCSDK/CDS should list commits
>> between the related releases in order to have the
>> full view of what would be OOM Frankfurt Maintenance Release 1.
>>
>> Regards
>>
>> Sylvain
>>
>

--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics

View/Reply Online (#6774): https://lists.onap.org/g/onap-tsc/message/6774