pronto_deployment_guide/run_time_deployment.rst

..
   SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
   SPDX-License-Identifier: Apache-2.0

==========================
Aether Run-Time Deployment
==========================
This section describes how to install Aether edge runtime and connectivity edge applications.
Aether provides GitOps based automated deployment,
so we just need to create a couple of patches to aether-pod-configs repository.

Before you begin
================
Make sure you have the edge pod checklist ready. Specifically, the following information is required in this section.

* Management network subnet
* K8S pod and service IP ranges
* List of servers and switches, and their management IP addresses

Download aether-pod-configs repository
======================================
First, download the aether-pod-configs repository to your development machine.

.. code-block:: shell

   $ cd $WORKDIR
   $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-pod-configs"

Create first patch to add ACE admin user
========================================
The first patch is to add a new ACE admin with full access to `EdgeApps` project.
Here is an example review request https://gerrit.opencord.org/c/aether-pod-configs/+/21393 you can refer to with the commands below.
Please replace "new" keyword with the name of the new ACE.

.. code-block:: diff

   $ cd $WORKDIR/aether-pod-configs/production
   $ vi user_map.tfvars
   # Add the new cluster admin user to the end of the list

   $ git diff
   diff --git a/production/user_map.tfvars b/production/user_map.tfvars
   index c0ec3a3..6b9ffb4 100644
   --- a/production/user_map.tfvars
   +++ b/production/user_map.tfvars
   @@ -40,5 +40,10 @@ user_map = {
      username      = "menlo"
      password      = "changeme"
      global_roles  = ["user-base", "catalogs-use"]
   +  },
   +  new_admin = {
   +    username      = "new"
   +    password      = "changeme"
   +    global_roles  = ["user-base", "catalogs-use"]
      }
   }

   $ git add production/user_map.tfvars
   $ git commit -m "Add admin user for new ACE"
   $ git review

The second patch has dependency on the first patch, so please make sure the first patch is merged before proceeding.

Create second patch to install edge runtime and apps
====================================================
Now create another patch that will eventually install K8S and edge applications
including monitoring and logging stacks as well as Aether connected edge.
Unlike the first patch, this patch requires creating and editing multiple files.
Here is an example of the patch https://gerrit.opencord.org/c/aether-pod-configs/+/21395.
Please replace cluster names and IP addresses in this example accordingly.

Update cluster_map.tfvars
^^^^^^^^^^^^^^^^^^^^^^^^^
The first file to edit is `cluster_map.tfvars`.
Move the directory to `aether-pod-configs/production`, open `cluster_map.tfvars` file, and add the new ACE cluster information at the end of the map.
This change is required to register a new K8S cluster to Rancher, and update ACC and AMP clusters for inter-cluster service discovery.

.. code-block:: diff

   $ cd $WORKDIR/aether-pod-configs/production
   $ vi cluster_map.tfvars
   # Edit the file and add the new cluster information to the end of the map

   $ git diff cluster_map.tfvars
   diff --git a/production/cluster_map.tfvars b/production/cluster_map.tfvars
   index c944352..a6d05a8 100644
   --- a/production/cluster_map.tfvars
   +++ b/production/cluster_map.tfvars
   @@ -89,6 +89,16 @@ cluster_map = {
         kube_dns_cluster_ip     = "10.53.128.10"
         cluster_domain          = "prd.menlo.aetherproject.net"
         calico_ip_detect_method = "can-reach=www.google.com"
   +    },
   +    ace-new = {
   +      cluster_name            = "ace-new"
   +      management_subnets      = ["10.94.1.0/24"]
   +      k8s_version             = "v1.18.8-rancher1-1"
   +      k8s_pod_range           = "10.54.0.0/17"
   +      k8s_cluster_ip_range    = "10.54.128.0/17"
   +      kube_dns_cluster_ip     = "10.54.128.10"
   +      cluster_domain          = "prd.new.aetherproject.net"
   +      calico_ip_detect_method = "can-reach=www.google.com"
         }
      }
   }

Update vpn_map.tfvars
^^^^^^^^^^^^^^^^^^^^^
The second file to edit is `vpn_map.tfvars`.
Move the directory to `aether-pod-configs/production`, open `vpn_map.tfvars` file, and add VPN tunnel information at the end of the map.
Unless you have specific preference, set ASN and BGP peer addresses to the next available vales in the map.
This change is required to add tunnels and router interfaces to Aether central.

.. code-block:: diff

   $ cd $WORKDIR/aether-pod-configs/production
   $ vi vpn_map.tfvars
   # Edit the file and add VPN tunnel information to the end of the map

   $ git diff vpn_map.tfvars
   diff --git a/production/vpn_map.tfvars b/production/vpn_map.tfvars
   index 3c1f9b9..dd62fce 100644
   --- a/production/vpn_map.tfvars
   +++ b/production/vpn_map.tfvars
   @@ -24,5 +24,15 @@ vpn_map = {
      bgp_peer_ip_address_1    = "169.254.0.6"
      bgp_peer_ip_range_2      = "169.254.1.5/30"
      bgp_peer_ip_address_2    = "169.254.1.6"
   +  },
   +  ace-new = {
   +    peer_name                = "production-ace-new"
   +    peer_vpn_gateway_address = "111.222.333.444"
   +    tunnel_shared_secret     = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   +    bgp_peer_asn             = "65003"
   +    bgp_peer_ip_range_1      = "169.254.0.9/30"
   +    bgp_peer_ip_address_1    = "169.254.0.10"
   +    bgp_peer_ip_range_2      = "169.254.1.9/30"
   +    bgp_peer_ip_address_2    = "169.254.1.10"
      }
   }

Create ACE specific state directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Next step is to create a directory containing Terraform configs
that define desired state of Rancher and GCP resources for the new ACE cluster,
and ACE specific configurations such as IP addresses of the ACE cluster nodes.


Let's create a new directory under `aether-pod-configs/production` and
symbolic links to predefined Terraform configs(`*.tf` files) that will add
cluster, projects and applications in Rancher and VPN tunnels and firewall rules in GCP for the new ACE.
And note that Aether maintains a separate Terraform state per ACE.
So we will create a remote Terraform state definition for the new ACE, too.

.. code-block:: shell

   # Create symbolic links to pre-defined Terraform configs
   $ cd $WORKDIR/aether-pod-configs/production
   $ mkdir ace-new && cd ace-new
   $ ln -s ../../common/ace-custom/* .

   $ export CLUSTER_NAME=ace-new
   $ export CLUSTER_DOMAIN=prd.new.aetherproject.net

   # Create Terraform state definition file
   $ cat >> backend.tf << EOF
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   terraform {
   backend "gcs" {
      bucket  = "aether-terraform-bucket"
      prefix  = "product/${CLUSTER_NAME}"
   }
   }
   EOF

   # Confirm the changes
   $ tree .
   .
   ├── alerts.tf -> ../../common/ace-custom/alerts.tf
   ├── backend.tf
   ├── cluster.tf -> ../../common/ace-custom/cluster.tf
   ├── gcp_fw.tf -> ../../common/ace-custom/gcp_fw.tf
   ├── gcp_ha_vpn.tf -> ../../common/ace-custom/gcp_ha_vpn.tf
   ├── main.tf -> ../../common/ace-custom/main.tf
   └── variables.tf -> ../../common/ace-custom/variables.tf


Now create another file called `cluster_val.tfvars` that defines all cluster nodes including switches and servers.
ACE can have various number of servers and switches but note that an odd number of *servers* can have `etcd` and `controlplane` roles.
Also, switches are not allowed to play a K8S master or normal worker role.
So don’t forget to add `node-role.aetherproject.org=switch` to labels and `node-role.aetherproject.org=switch:NoSchedule` to taints.


If the ACE requires any special settings, different set of projects for example,
please take a closer look at `variables.tf` file and override the default values specified there to `cluster_val.tfvars`, too.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production/$CLUSTER_NAME
   $ vi cluster_val.tfvars
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   cluster_name  = "ace-new"
   cluster_admin = "new_admin"
   cluster_nodes = {
   new-prd-leaf1 = {
      user        = "root"
      private_key = "~/.ssh/id_rsa_terraform"
      host        = "10.94.1.3"
      roles       = ["worker"]
      labels      = ["node-role.aetherproject.org=switch"]
      taints      = ["node-role.aetherproject.org=switch:NoSchedule"]
   },
   new-server-1 = {
      user        = "terraform"
      private_key = "~/.ssh/id_rsa_terraform"
      host        = "10.94.1.3"
      roles       = ["etcd", "controlplane", "worker"]
      labels      = []
      taints      = []
   },
   new-server-2 = {
      user        = "terraform"
      private_key = "~/.ssh/id_rsa_terraform"
      host        = "10.94.1.4"
      roles       = ["etcd", "controlplane", "worker"]
      labels      = []
      taints      = []
   },
   new-server-3 = {
      user        = "terraform"
      private_key = "~/.ssh/id_rsa_terraform"
      host        = "10.94.1.5"
      roles       = ["etcd", "controlplane", "worker"]
      labels      = []
      taints      = []
   }
   }

   projects = [
   "system_apps",
   "connectivity_edge_up4",
   "edge_apps"
   ]

Lastly, we will create a couple of overriding values files for the managed applications,
one for DNS server for UEs and the other for the connectivity edge application, omec-upf-pfcp-agent.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production/$CLUSTER_NAME
   $ mkdir app_values && cd app_values

   $ export CLUSTER_NAME=ace-new
   $ export CLUSTER_DOMAIN=prd.new.aetherproject.net
   $ export K8S_DNS=10.54.128.10 # same address as kube_dns_cluster_ip
   $ export UE_DNS=10.54.128.11  # next address of kube_dns_cluster_ip

   # Create ace-coredns overriding values file
   $ cat >> ace-coredns.yml << EOF
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   serviceType: ClusterIP
   service:
   clusterIP: ${UE_DNS}
   servers:
   - zones:
   - zone: .
   port: 53
   plugins:
   - name: errors
   - name: health
      configBlock: |-
         lameduck 5s
   - name: ready
   - name: prometheus
      parameters: 0.0.0.0:9153
   - name: forward
      parameters: . /etc/resolv.conf
   - name: cache
      parameters: 30
   - name: loop
   - name: reload
   - name: loadbalance
   - zones:
   - zone: apps.svc.${CLUSTER_DOMAIN}
   port: 53
   plugins:
   - name: errors
   - name: forward
      parameters: . ${K8S_DNS}
   - name: cache
      parameters: 30
   EOF

   # Create PFCP agent overriding values file
   $ cat >> omec-upf-pfcp-agent.yml << EOF
   # SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>

   config:
   pfcp:
      cfgFiles:
         upf.json:
         p4rtciface:
            p4rtc_server: "onos-tost-onos-classic-hs.tost.svc.${CLUSTER_DOMAIN}"
   EOF

Make sure the ace-new directory has all necessary files and before a review request.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production/$CLUSTER_NAME
   $ tree .
   .
   ├── alerts.tf -> ../../common/ace-custom/alerts.tf
   ├── app_values
   │   ├── ace-coredns.yml
   │   └── omec-upf-pfcp-agent.yml
   ├── backend.tf
   ├── cluster.tf -> ../../common/ace-custom/cluster.tf
   ├── cluster_val.tfvars
   ├── gcp_fw.tf -> ../../common/ace-custom/gcp_fw.tf
   ├── gcp_ha_vpn.tf -> ../../common/ace-custom/gcp_ha_vpn.tf
   ├── main.tf -> ../../common/ace-custom/main.tf
   └── variables.tf -> ../../common/ace-custom/variables.tf

Create a review request
^^^^^^^^^^^^^^^^^^^^^^^
Now the patch is ready to review. The final step is to create a pull request!
Once the patch is accepted and merged, CD pipeline will install ACE runtime based on the patch.

.. code-block:: shell

   $ cd $WORKDIR/aether-pod-configs/production
   $ git status
   On branch ace-new
   Changes not staged for commit:
   (use "git add <file>..." to update what will be committed)
   (use "git checkout -- <file>..." to discard changes in working directory)

      modified:   cluster_map.tfvars
      modified:   vpn_map.tfvars

   Untracked files:
   (use "git add <file>..." to include in what will be committed)

      ace-new/

   $ git add .
   $ git commit -m "Add new ACE"
   $ git review