Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 1 | .. vim: syntax=rst |
| 2 | |
Scott Baker | f07ec23 | 2022-03-08 12:20:24 -0800 | [diff] [blame] | 3 | .. _roc-developer-guide: |
| 4 | |
Larry Peterson | 0fa9b36 | 2023-08-09 15:15:13 -0700 | [diff] [blame] | 5 | ROC Development |
| 6 | =============== |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 7 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 8 | This document assumes familiarity with Kubernetes and Helm, and that a |
| 9 | Kubernetes/Helm development environment has already been deployed in |
| 10 | the developer’s work environment (for example, using a mechanism like |
| 11 | KinD or kubeadm). |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 12 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 13 | .. note:: By default, ROC is deployed without security enabled, with no Authentication or Authorization. |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 14 | To secure ROC so that the Authentication and Authorization can be tested, follow the Securing ROC |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 15 | section below :ref:`securing_roc`. |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 16 | |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 17 | Installing Prerequisites |
| 18 | ------------------------ |
| 19 | |
| 20 | Atomix and onos-operator must be installed:: |
| 21 | |
| 22 | # create necessary namespaces |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 23 | kubectl create namespace aether |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 24 | |
Andy Bavier | 4c42541 | 2021-08-27 14:39:38 -0700 | [diff] [blame] | 25 | # add repos |
| 26 | helm repo add atomix https://charts.atomix.io |
| 27 | helm repo add onosproject https://charts.onosproject.org |
| 28 | helm repo update |
| 29 | |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 30 | # install atomix |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 31 | export ATOMIX_VERSION=1.1.2 |
| 32 | helm -n kube-system install atomix atomix/atomix --version $ATOMIX_VERSION |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 33 | |
| 34 | # install the onos operator |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 35 | ONOS_OPERATOR_VERSION=0.5.6 |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 36 | helm install -n kube-system onos-operator onosproject/onos-operator --version $ONOS_OPERATOR_VERSION |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 37 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 38 | .. note:: ROC is sensitive to the versions of Atomix and onos-operator installed. The values |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 39 | shown above are correct for the 2.1.36- versions of the *aether-roc-umbrella*. |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 40 | |
| 41 | .. list-table:: ROC support component version matrix |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 42 | :widths: 40 20 20 20 20 20 |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 43 | :header-rows: 1 |
| 44 | |
| 45 | * - ROC Version |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 46 | - atomix/atomix-controller |
| 47 | - atomix/atomix-raft |
| 48 | - atomix/atomix-runtime |
| 49 | - atomix/atomix |
| 50 | - onosproject/onos-operator |
Sean Condon | 70dcf70 | 2021-08-24 10:57:29 +0100 | [diff] [blame] | 51 | * - 1.2.25-1.2.45 |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 52 | - 0.6.7 |
| 53 | - 0.1.8 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 54 | - n/a |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 55 | - n/a |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 56 | - 0.4.8 |
Zack Williams | 90578fa | 2021-11-04 11:57:23 -0700 | [diff] [blame] | 57 | * - 1.3.0-1.3.10 |
Sean Condon | 70dcf70 | 2021-08-24 10:57:29 +0100 | [diff] [blame] | 58 | - 0.6.8 |
| 59 | - 0.1.9 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 60 | - n/a |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 61 | - n/a |
Sean Condon | 1df1fcf | 2021-09-20 09:45:39 +0100 | [diff] [blame] | 62 | - 0.4.10 |
Zack Williams | 90578fa | 2021-11-04 11:57:23 -0700 | [diff] [blame] | 63 | * - 1.3.11-,1.4.0- |
| 64 | - 0.6.8 |
| 65 | - 0.1.14 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 66 | - n/a |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 67 | - n/a |
Zack Williams | 90578fa | 2021-11-04 11:57:23 -0700 | [diff] [blame] | 68 | - 0.4.12 |
Sean Condon | 8d55a1e | 2021-11-11 12:49:00 +0000 | [diff] [blame] | 69 | * - 1.4.42- |
| 70 | - 0.6.8 |
| 71 | - 0.1.15 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 72 | - n/a |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 73 | - n/a |
Sean Condon | 8d55a1e | 2021-11-11 12:49:00 +0000 | [diff] [blame] | 74 | - 0.4.14 |
Scott Baker | 6bd3d19 | 2022-03-03 14:50:38 -0800 | [diff] [blame] | 75 | * - 2.0.29- |
| 76 | - 0.6.8 |
| 77 | - 0.1.16 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 78 | - n/a |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 79 | - n/a |
Scott Baker | 6bd3d19 | 2022-03-03 14:50:38 -0800 | [diff] [blame] | 80 | - 0.5.1 |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 81 | * - 2.1.8- |
| 82 | - 0.6.9 |
| 83 | - 0.1.26 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 84 | - n/a |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 85 | - n/a |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 86 | - 0.5.3 |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 87 | * - 2.1.32-2.1.35 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 88 | - n/a |
| 89 | - n/a |
| 90 | - 0.1.8 |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 91 | - n/a |
| 92 | - 0.5.6 |
| 93 | * - 2.1.36- |
| 94 | - n/a |
| 95 | - n/a |
| 96 | - n/a |
| 97 | - 1.1.2 |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 98 | - 0.5.6 |
| 99 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 100 | .. note:: Changing between atomix and operators in a cluster may cause problems |
| 101 | if there are changes in the definition of the CRDs that they |
| 102 | include. To fully ensure a clean installation the CRDs should be |
| 103 | deleted manually AFTER deleting the old version of atomix or ONOS |
| 104 | Operator. |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 105 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 106 | Use `kubectl get crds | grep atomix` and `kubectl get crds | grep onos` to see the CRDs present. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 107 | |
| 108 | Verify that these services were installed properly. |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 109 | You should see pods for *atomix-controller(s)*, |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 110 | *onos-operator-app*, and *onos-operator-topo*. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 111 | Execute these commands:: |
| 112 | |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 113 | helm -n kube-system list |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 114 | kubectl -n kube-system get pods | grep -i atomix |
| 115 | kubectl -n kube-system get pods | grep -i onos |
| 116 | |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 117 | |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 118 | Installing the ``aether-roc-umbrella`` Helm chart |
| 119 | ------------------------------------------------- |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 120 | |
| 121 | Add the necessary helm repositories:: |
| 122 | |
Scott Baker | 6bd3d19 | 2022-03-03 14:50:38 -0800 | [diff] [blame] | 123 | helm repo add aether https://charts.aetherproject.org |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 124 | |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 125 | ``aether-roc-umbrella`` will bring up the ROC and its services:: |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 126 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 127 | helm -n aether install aether-roc-umbrella aether/aether-roc-umbrella |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 128 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 129 | kubectl wait pod -n aether --for=condition=Ready -l type=config --timeout=300s |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 130 | |
| 131 | |
Sean Condon | f918f64 | 2021-08-04 14:32:53 +0100 | [diff] [blame] | 132 | .. _posting-the-mega-patch: |
| 133 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 134 | Posting the Mega-Patch |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 135 | ---------------------- |
| 136 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 137 | The ROC usually comes up in a blank state; there are no Enterprises, |
| 138 | UEs, or other artifacts present in it. The Mega-Patch is an example |
| 139 | patch that populates the ROC with some sample enterprises, UEs, |
| 140 | slices, etc. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 141 | |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 142 | Execute the following:: |
| 143 | |
| 144 | # launch a port-forward for the API |
| 145 | # this will continue to run in the background |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 146 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 147 | kubectl -n aether port-forward service/aether-roc-api --address 0.0.0.0 8181:8181 & |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 148 | |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 149 | curl http://localhost:8181/targets |
| 150 | # It should show a list of the configured enterprises: [{"name":"defaultent"},{"name":"acme"},{"name":"starbucks"} |
| 151 | |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 152 | git clone https://github.com/onosproject/aether-roc-api.git |
| 153 | |
| 154 | # execute the mega-patch (it will post via CURL to localhost:8181) |
Scott Baker | ae02410 | 2022-02-23 10:55:28 -0800 | [diff] [blame] | 155 | bash ~/path/to/aether-roc-api/examples/MEGA_Patch_20.curl |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 156 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 157 | .. note:: No port-forwarding is necessary to configure Aether |
| 158 | OnRamp. Use URL *http://<hostname>:31194/aether-roc-api/*. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 159 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 160 | You may wish to customize the mega patch. For example, by default the |
| 161 | patch configures the ``sdcore-adapter`` to push to |
| 162 | ``sdcore-test-dummy``. You could instead configure it to push to a |
| 163 | live instantiation of Aether by doing something like this:: |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 164 | |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 165 | sed -i 's^http://aether-roc-umbrella-sdcore-test-dummy/v1/config/5g^http://webui.omec.svc.cluster.local:9089/config^g' MEGA_Patch_21.curl |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 166 | |
| 167 | # apply the patch |
Scott Baker | ae02410 | 2022-02-23 10:55:28 -0800 | [diff] [blame] | 168 | ./MEGA_Patch_20.curl |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 169 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 170 | Note that if Aether is installed on a different machine, then port-forwarding may be necessary. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 171 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 172 | Expected CURL output from a successful Mega-Patch post will be a UUID. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 173 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 174 | You can also verify that the Mega-Patch was successful by going into the |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 175 | ``aether-roc-gui`` in a browser (see the section on useful port-forwards |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 176 | below). The GUI may open to a dashboard that is unpopulated. You can use the |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 177 | dropdown menu (upper-right hand corner of the screen) to select an object such |
Scott Baker | ae02410 | 2022-02-23 10:55:28 -0800 | [diff] [blame] | 178 | as Slice and you will see a list of slices. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 179 | |
| 180 | |ROCGUI| |
| 181 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 182 | Adding New Enterprises |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 183 | ---------------------- |
| 184 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 185 | Enterprises are stored in `onos-topo` outside of `onos-config` and are |
| 186 | usually only created by system administrators during the onboarding of |
| 187 | new customers (tenants) on Aether. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 188 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 189 | There is currently no way of adding new Enterprises through the ROC |
| 190 | GUI or the ROC API. It can be done in the two ways described in the |
| 191 | following sections. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 192 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 193 | Enterprises are specified as Entities using CRDs, and the |
| 194 | `onos-operator` ensures that these are created as `entities` inside |
| 195 | `onos-topo`. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 196 | |
| 197 | To check the current list of enterprises (as CRDs), the following command may be used:: |
| 198 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 199 | kubectl -n aether get entities |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 200 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 201 | and to check that the `onos-operator` does indeed take effect, the ROC |
| 202 | API endpoint `/targets` can be used to list the `enterprises`. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 203 | |
| 204 | Another option is to use the `onos-cli` pod to query `onos-topo` directly:: |
| 205 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 206 | kubectl -n aether exec deployment/onos-cli -- onos topo get entities -v |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 207 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 208 | Adding New Enterprises Through Helm Chart |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 209 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 210 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 211 | To have an entity added at **start up of the cluster** it can be added |
| 212 | through the Helm Chart in the `values.yaml` under |
| 213 | `enterprises`. e.g.:: |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 214 | |
| 215 | enterprises: |
| 216 | - id: starbucks |
| 217 | name: Starbucks Enterprise |
| 218 | lat: 52.5150 |
| 219 | long: 13.3885 |
| 220 | |
| 221 | This will load the `enterprise` as an Entity CRD through the `onos-operator`. |
| 222 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 223 | Adding New Enterprises Through `onos-topo` |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 224 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 225 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 226 | New `enterprises` can be added to a live running system through the |
| 227 | `onos-topo` command line (bypassing the `onos-operator`). For |
| 228 | example:: |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 229 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 230 | kubectl -n aether exec deployment/onos-cli -- \ |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 231 | onos topo create entity new-enterprise \ |
| 232 | -a onos.topo.Configurable='{"address":"sdcore-adapter-v2-1:5150","version":"2.1.x","type":"aether"}' \ |
| 233 | -a onos.topo.TLSOptions='{"insecure":true}' \ |
| 234 | -a onos.topo.Asset='{"name":"New Enterprise"}' \ |
| 235 | -a onos.topo.MastershipState='{}' \ |
SeanCondon | 5e6234c | 2022-11-30 14:44:05 +0000 | [diff] [blame] | 236 | -k enterprise |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 237 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 238 | Uninstalling the ``aether-roc-umbrella`` Helm Chart |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 239 | --------------------------------------------------- |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 240 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 241 | To tear things back down, usually as part of a developer loop prior to |
| 242 | redeploying again, do the following:: |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 243 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 244 | helm -n aether del aether-roc-umbrella |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 245 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 246 | Useful Port Forwards |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 247 | -------------------- |
| 248 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 249 | Port forwarding is often necessary to allow access to ports inside of |
| 250 | Kubernetes pods that use ClusterIP addressing. Note that you |
| 251 | typically need to leave a port-forward running (you can put it in the |
| 252 | background). Also, if you redeploy the ROC and/or if a pod crashes |
| 253 | then you might have to restart a port-forward. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 254 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 255 | .. note:: No port-forward is necessary with OnRamp. The GUI |
| 256 | can be accessed at ``http://<hostname>:31194`` and the API at |
| 257 | ``http://<hostname>:31194/aether-roc-api/``. |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 258 | |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 259 | The following port-forwards may be useful:: |
| 260 | |
| 261 | # aether-roc-api |
| 262 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 263 | kubectl -n aether port-forward service/aether-roc-api --address 0.0.0.0 8181:8181 |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 264 | |
| 265 | # aether-roc-gui |
| 266 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 267 | kubectl -n aether port-forward service/aether-roc-gui-v2-1 --address 0.0.0.0 8183:80 |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 268 | |
| 269 | # grafana |
| 270 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 271 | kubectl -n aether port-forward service/aether-roc-umbrella-grafana --address 0.0.0.0 8187:80 |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 272 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 273 | .. note:: Internally, the ``aether-roc-gui`` operates a Reverse Proxy |
| 274 | on the ``aether-roc-api``. This means that if you have done a |
| 275 | ``port-forward`` to ``aether-roc-gui``, say on port ``8183``, |
| 276 | there's no need to do another on the ``aether-roc-api``. Instead, |
| 277 | you can access the API on ``http://localhost:8183/aether-roc-api``. |
Sean Condon | 257687f | 2021-08-23 11:13:20 +0100 | [diff] [blame] | 278 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 279 | Deploying Custom Images |
| 280 | -------------------------- |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 281 | |
| 282 | Custom images may be used by editing the values-override.yaml file. |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 283 | For example, to deploy a custom ``sdcore-adapter``:: |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 284 | |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 285 | sdcore-adapter-v2-1: |
Scott Baker | 6bd3d19 | 2022-03-03 14:50:38 -0800 | [diff] [blame] | 286 | prometheusEnabled: false |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 287 | image: |
Scott Baker | 6bd3d19 | 2022-03-03 14:50:38 -0800 | [diff] [blame] | 288 | repository: my-private-repo/sdcore-adapter |
| 289 | tag: my-tag |
| 290 | pullPolicy: Always |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 291 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 292 | The above example assumes you have published a docker image at |
| 293 | ``my-private-repo/sdcore-adapter:my-tag``. One possible workflow is |
| 294 | to deploy a local docker registry and push images to that. |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 295 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 296 | There are alternatives to using a private docker repository. For |
| 297 | example, if you are using kubeadm, then you may be able to simply tag |
| 298 | the image locally. If you’re using KinD, then you can push a local |
| 299 | image into the kind cluster:: |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 300 | |
| 301 | kind load docker-image sdcore-adapter:my-tag |
| 302 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 303 | Developing with a Custom onos-config |
Scott Baker | abcfc6e | 2021-09-08 22:37:51 -0700 | [diff] [blame] | 304 | ------------------------------------- |
| 305 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 306 | The onos-config Helm Chart is responsible for loading model plugins at |
| 307 | runtime. You can override which plugins it loads, and optionally |
| 308 | override the image for onos-config as well. For example:: |
Scott Baker | abcfc6e | 2021-09-08 22:37:51 -0700 | [diff] [blame] | 309 | |
Scott Baker | 6bd3d19 | 2022-03-03 14:50:38 -0800 | [diff] [blame] | 310 | onos-config: |
| 311 | image: |
| 312 | tag: mytag |
| 313 | repository: mydockeraccount/onos-config |
| 314 | modelPlugins: |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 315 | - name: aether-2 |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 316 | image: onosproject/aether-2.0.x:2.0.16-aether-2.0.x |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 317 | endpoint: localhost |
| 318 | port: 5152 |
| 319 | - name: aether-2-1 |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 320 | image: onosproject/aether-2.1.x:2.1.16-aether-2.1.x |
SeanCondon | 909d55b | 2022-04-25 17:59:46 +0100 | [diff] [blame] | 321 | endpoint: localhost |
| 322 | port: 5153 |
Scott Baker | abcfc6e | 2021-09-08 22:37:51 -0700 | [diff] [blame] | 323 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 324 | In the above example, the onos-config image will be pulled from |
| 325 | `mydockeraccount`, and it will install two plugins for v2 and v4 |
| 326 | models, from that same docker account. |
Scott Baker | abcfc6e | 2021-09-08 22:37:51 -0700 | [diff] [blame] | 327 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 328 | Inspecting Logs |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 329 | --------------- |
| 330 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 331 | Most of the relevant Kubernetes pods are in the aether namespace. The |
| 332 | names may change from deployment to deployment, so start by getting a |
| 333 | list of pods:: |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 334 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 335 | kubectl -n aether get pods |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 336 | |
| 337 | Then you can inspect a specific pod/container:: |
| 338 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 339 | kubectl -n aether logs deployment/sdcore-adapter-v2-1 |
Scott Baker | fab7c9e | 2021-07-29 17:12:16 -0700 | [diff] [blame] | 340 | |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 341 | .. _securing_roc: |
| 342 | |
| 343 | Securing ROC |
| 344 | ------------ |
| 345 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 346 | Running your own Keycloak Server |
| 347 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 348 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 349 | .. note:: There is no longer a central keycloak server |
| 350 | for development as there was at `keycloak-dev.onlab.us`, so you |
| 351 | must run your own Keycloak server inside of Kubernetes. |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 352 | |
| 353 | See `Keycloak README.md <https://gerrit.opencord.org/plugins/gitiles/roc-helm-charts/+/refs/heads/master/keycloak/>`_ for details. |
| 354 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 355 | When running, it should be available at |
| 356 | *http://localhost:8080/realms/master/.well-known/openid-configuration*. |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 357 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 358 | .. note:: You can access the Keycloak management page from |
| 359 | *http://localhost:8080/admin* but you must log in as |
| 360 | `admin`. Because of the SSO feature of Keycloak this will affect |
| 361 | your Aether ROC GUI login too. To log in as two separate users at |
| 362 | the same time, use a private browser window for one. |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 363 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 364 | .. note:: Services inside the cluster (e.g. onos-config) should set |
| 365 | the issuer to *https://keycloak/realms/master* on port 80, while |
| 366 | the aether-roc-gui should use `http://localhost:8080/realms/master`. |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 367 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 368 | Enabling Security |
| 369 | ^^^^^^^^^^^^^^^^^^^^^ |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 370 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 371 | When deploying ROC with the ``aether-roc-umbrella`` chart, secure mode |
| 372 | can be enabled by specifying an OpenID Connect (OIDC) issuer; for example:: |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 373 | |
SeanCondon | 13596ad | 2023-05-23 14:01:15 +0100 | [diff] [blame] | 374 | helm -n aether install aether-roc-umbrella aether/aether-roc-umbrella \ |
| 375 | --set onos-config.openidc.issuer=http://keycloak/realms/master \ |
| 376 | --set onos-config.openpolicyagent.enabled=true \ |
| 377 | --set onos-config.openpolicyagent.regoConfigMap=aether-roc-umbrella-opa-rbac \ |
| 378 | --set aether-roc-api.openidc.issuer=http://keycloak/realms/master \ |
| 379 | --set aether-roc-gui-v2-1.openidc.issuer=http://localhost:8080/realms/master \ |
| 380 | --set prom-label-proxy-acc.config.openidc.issuer=http://keycloak/realms/master \ |
| 381 | --set prom-label-proxy-amp.config.openidc.issuer=http://keycloak/realms/master |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 382 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 383 | The choice of OIDC issuer in this case is the **local** Keycloak |
| 384 | server at *http://keycloak* inside the `aether` namespace. |
Sean Condon | 9e182f6 | 2021-12-06 17:35:53 -0800 | [diff] [blame] | 385 | |
Sean Condon | 9e182f6 | 2021-12-06 17:35:53 -0800 | [diff] [blame] | 386 | Production Environment |
| 387 | ^^^^^^^^^^^^^^^^^^^^^^ |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 388 | |
| 389 | In a production environment, the public Aether Keycloak (with its LDAP |
| 390 | server populated with real Aether users and groups) should be used. |
| 391 | See `public keycloak |
| 392 | <https://keycloak.opennetworking.org/auth/realms/master/.well-known/openid-configuration>`_ |
| 393 | for more details. |
Sean Condon | 948aeaa | 2021-09-29 12:08:30 +0100 | [diff] [blame] | 394 | |
| 395 | .. note:: Your RBAC access to ROC will be limited by the groups you belong to in its LDAP store. |
| 396 | |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 397 | Role Based Access Control |
Sean Condon | 9e182f6 | 2021-12-06 17:35:53 -0800 | [diff] [blame] | 398 | ^^^^^^^^^^^^^^^^^^^^^^^^^ |
Zack Williams | 1ae109e | 2021-07-27 11:17:04 -0700 | [diff] [blame] | 399 | |
Larry Peterson | bd52968 | 2023-10-11 11:56:46 -0700 | [diff] [blame^] | 400 | When secured, access to the configuration in ROC is limited by the |
| 401 | **groups** that a user belongs to. |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 402 | |
| 403 | * **AetherROCAdmin** - users in this group have full read **and** write access to all configuration. |
| 404 | * *<enterprise>* - users in a group named with the lowercase name of an enterprise will have **read** access to that enterprise. |
| 405 | * **EnterpriseAdmin** - users in this group will have read **and** write access to the enterprise they belong to. |
| 406 | |
Sean Condon | eb95cd6 | 2021-08-04 19:44:18 +0100 | [diff] [blame] | 407 | |
Requests to a Secure System
^^^^^^^^^^^^^^^^^^^^^^^^^^^

When configuration is retrieved or updated through *aether-config*, a
Bearer Token in the form of a JSON Web Token (JWT) issued by the
selected OIDC Issuer server must accompany the request as an
Authorization Header.

This applies to both the REST interface of ``aether-roc-api`` **and**
the *gnmi* interface of ``aether-config``.

In the Aether ROC, a Bearer Token can be generated by logging in and
selecting API Key from the menu. This pops up a window with a copy
button, where the key can be copied.

Alternatively, with Keycloak, a token may be requested programmatically
through the Keycloak API::

    curl --location --request POST 'http://localhost:8080/realms/master/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'client_id=aether-roc-gui' \
    --data-urlencode 'username=alicea' \
    --data-urlencode 'password=password' \
    --data-urlencode 'scope=openid profile email groups' | jq "{access_token}"


The key will expire after 24 hours.

.. image:: images/aether-roc-gui-copy-api-key.png
    :width: 580
    :alt: Aether ROC GUI allows copying of API Key to clipboard

Requests to the REST interface from a tool like Postman should include this Auth token.

.. image:: images/postman-auth-token.png
    :width: 930
    :alt: Postman showing Authentication Token pasted in

Logging
"""""""

The logs of *aether-config* will contain the **username** and **timestamp** of
any **gnmi** call when security is enabled.

.. image:: images/aether-config-log.png
    :width: 887
    :alt: aether-config log message showing username and timestamp

Accessing GUI from an external system
"""""""""""""""""""""""""""""""""""""

To access the ROC GUI from a computer outside the cluster machine using *port-forwarding*,
it is necessary to:

* Ensure that every *port-forward* has **--address=0.0.0.0**
* Add the IP address of the cluster machine to the **/etc/hosts** of the outside computer as::

    <ip address of cluster> k3u-keycloak aether-roc-gui

* Verify that you can access the Keycloak server by its name *http://localhost:8080/realms/master/.well-known/openid-configuration*
* Access the GUI through the hostname (rather than IP address) ``http://aether-roc-gui:8183``

Troubleshooting Secure Access
"""""""""""""""""""""""""""""

While every effort has been made to ensure that securing Aether is simple and effective,
some difficulties may arise.

One of the most important steps is to validate that the OIDC Issuer (Keycloak server) can be reached
from the browser. The **well_known** URL should be available and show that the important endpoints are correct.

.. image:: images/keycloak-389-umbrella-well-known.png
    :width: 580
    :alt: Keycloak Well Known page

If you are logged out when accessing the Aether ROC GUI in the browser, accessing any page of the application should
redirect to the Keycloak login page.

.. image:: images/keycloak-ldap-login-page.png
    :width: 493
    :alt: Keycloak Login page

When logged in, the user details can be seen by clicking the user's name in the drop-down menu.
This shows the **groups** that the user belongs to, and can be used to debug RBAC issues.

.. image:: images/aether-roc-gui-user-details.png
    :width: 700
    :alt: User Details page

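As an aid when debugging RBAC issues, the following added example (not part of the original guide or of the ROC code base) decodes a token's claims without verifying the signature and reports the access that the group rules listed under Role Based Access Control would be expected to give. The ``groups`` claim name, the ``acme`` enterprise and the sample token are assumptions constructed for illustration; ROC itself makes the real authorization decision.

```python
import base64
import json
import time

ADMIN_GROUP = "AetherROCAdmin"             # group names as listed in this guide
ENTERPRISE_ADMIN_GROUP = "EnterpriseAdmin"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    For inspection only; never grant access based on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_access(claims: dict, enterprise: str, now=None) -> str:
    """Return 'expired', 'read-write', 'read' or 'none' for one enterprise."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return "expired"                   # the guide states keys last 24 hours
    groups = set(claims.get("groups", []))  # assumed claim name
    if ADMIN_GROUP in groups:
        return "read-write"
    if enterprise.lower() in groups:       # enterprise group is the lowercase name
        return "read-write" if ENTERPRISE_ADMIN_GROUP in groups else "read"
    return "none"


if __name__ == "__main__":
    issued = 1_700_000_000                 # constructed timestamp
    token = make_sample_token({"preferred_username": "alicea",
                               "exp": issued + 24 * 3600,
                               "groups": ["acme", "EnterpriseAdmin"]})
    claims = decode_claims(token)
    print(claims["preferred_username"], expected_access(claims, "ACME", now=issued + 60))
```

To inspect a real token, pass the ``access_token`` value returned by Keycloak to ``decode_claims``.
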
When you sign out of the ROC GUI, if you are not redirected to the Keycloak Login Page,
you should check the Developer Console of the browser. The console should show the correct
OIDC issuer (Keycloak server), and that Auth is enabled.

.. image:: images/aether-roc-gui-console-loggedin.png
    :width: 418
    :alt: Browser Console showing correct configuration


ROC Data Model Conventions and Requirements
-------------------------------------------

The Mega-Patch described above will bring up a fully compliant sample data model.
However, it may be useful to bring up your own data model, customized to a different
site or sites. This subsection documents conventions and requirements for the Aether
modeling within the ROC.

The ROC models must be configured with the following:

* A default enterprise with the id `defaultent`.
* A default site with the id `defaultent-defaultsite`.
  This site should be within the `defaultent` enterprise.

.. |ROCGUI| image:: images/rocgui.png
    :width: 945
    :alt: ROC GUI showing list of Slices