...
- Operators or Service Providers onboard a vendor ETSI SOL004 compliant VNF/CNF package to SDC
- SDC detects the CSAR file embeds software/container images, instead of referencing the image files
- SDC extracts the embedded software/container images from the CSAR file and stores the images to the Image Registry
- SDC updates the CSAR file for referencing the image files
- Risk:
- After we have altered the CSAR, the original CSAR protection (as per option1 or 2 of SOL004) is no longer reliable
- Since Release 3, it is mandatory to add individual signatures of every file in the package. It is mandatory to add individual signatures of every file in the package.
- This will allow still to verify the integrity of each file during its complete life cycle, i.e., also after onboarding.
- The fact that the VNF package is immutable is one of the sacred principles. It is the contract between the VNF vendor and the Service Provider.
- Once it is onboarded, SDC needs to verify the integrity with the original protection provided in the CSAR.
- In that case, the stored CSAR in the ETSI Catalog Manager is not the original vendor package
- Risk:
- CIR component provides Docker Registry APIs for the image file access (CRUDQ), by conforming to ETSI specifications
- CIR will be registered to AAI for ONAP runtime component to locate the proper CIR instance(s)
- CIR admin can upload the container image files to the Image Registry thru Docker Registry APIs
- K8S CIS can query for the container image files from CIR (It is allowed to use de Facto API standard)
...