Motivation

Service Mesh simplifies infrastructure management of an application by:

  • applying security policies in a centralized way
  • applying upgrade policies also in a centralized way
  • giving simple tracing view of the calls of an application

Today, ONAP uses AAF for certificate management and leaves the https implementation to the modules. Thus blacklisting a weak cipher, or fixing any other security issue, needs a verification on each of the ~200 services used by ONAP.

Having only one point of configuration would help a lot.

Troubleshooting issues is also very complex. Thus adding new tools such as tracing will help the ops people.

Service Mesh principles to apply

Generic principles

In order to make the service mesh work, here are the common principles:

  • Prefer use of (non-headless) services. Pod-to-pod communication is not a first-class citizen in a Service Mesh (as the name says). Thus using non-headless services is the preferred way.
  • Listen at least on 127.0.0.1. The Service Mesh sidecar listens on the public POD IP. If the traffic is allowed, it needs to pass it to the "real" POD; for that, it sends it to 127.0.0.1. The POD must therefore listen on this interface.
  • Name the ports in the service / pod with their protocol. In order to detect the protocol, the service mesh relies on the naming of the port (on both the service and the pod side). Naming it "foo" doesn't help, whereas "http" or "http-foo" lets the service mesh provider know which protocol is used. Allowed protocols are "tcp", "http", "https", "http2", "grpc".
  • Allow https to be disabled (or http to be enabled). As the SSL/TLS part can be done by the service mesh, there's no need to do it on the pod side. Thus, we should be able to disable https (or enable http).
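As an added example (not code from this wiki page or from ONAP), the following linter checks parsed Kubernetes manifests against the first and third principles above: Services must not be headless, and every port on a Service or container must be named after its protocol. The sample manifests at the bottom are constructed for the example; the service name "demo" is hypothetical.

```python
# Added example, not code from the ONAP wiki: lint parsed Kubernetes manifests
# (plain dicts, e.g. from yaml.safe_load) against the service-mesh principles
# above: non-headless Services and ports named after their protocol.

ALLOWED_PORT_PROTOCOLS = ("tcp", "http", "https", "http2", "grpc")


def port_name_ok(name):
    """Valid names are '<protocol>' or '<protocol>-<suffix>', e.g. 'http-foo'."""
    if not name:
        return False
    return name.split("-", 1)[0] in ALLOWED_PORT_PROTOCOLS


def check_ports(where, ports):
    findings = []
    for p in ports:
        number = p.get("port", p.get("containerPort"))
        if not port_name_ok(p.get("name")):
            findings.append(f"{where}: port {number} named {p.get('name')!r}; "
                            "name it after its protocol (e.g. 'http-foo')")
    return findings


def lint_manifest(doc):
    """Return a list of human-readable findings for one Kubernetes object."""
    kind = doc.get("kind")
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    spec = doc.get("spec", {})
    findings = []
    if kind == "Service":
        if spec.get("clusterIP") == "None":
            findings.append(f"Service/{name}: headless service; the mesh routes "
                            "through (non-headless) ClusterIP services")
        findings += check_ports(f"Service/{name}", spec.get("ports", []))
    elif kind in ("Deployment", "StatefulSet", "Pod"):
        pod_spec = spec if kind == "Pod" else spec["template"]["spec"]
        for c in pod_spec.get("containers", []):
            findings += check_ports(f"{kind}/{name} container {c['name']}",
                                    c.get("ports", []))
    return findings


# Constructed sample manifests (hypothetical service name, not an ONAP chart).
BAD_SERVICE = {"kind": "Service", "metadata": {"name": "demo"},
               "spec": {"clusterIP": "None",
                        "ports": [{"name": "foo", "port": 8080}]}}
GOOD_SERVICE = {"kind": "Service", "metadata": {"name": "demo"},
                "spec": {"ports": [{"name": "http-foo", "port": 8080},
                                   {"name": "grpc", "port": 9090}]}}
```

Running `lint_manifest(BAD_SERVICE)` reports both the headless service and the badly named port, while `GOOD_SERVICE` yields no findings.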

Principles specific to ONAP

  • As AAF is used for certificate generation and AAF is not compatible with a service mesh, we need to be able to disable AAF integration in ONAP components.

Plan of work

Focus first on the “core” part of ONAP, i.e. the part that allows onboarding and instantiating a service.

...

On the global part, we need to remove aaf and aaf-profile, and change the client service schema by hand to no-auth:

...