INF O2 Service User Guide
This guide introduces the process that makes the INF O2 interface work with the SMO.
Assume you have an O2 service with an INF platform environment, and that an OAuth server is configured for the O2 service.
export OAM_IP=<INF_OAM_IP>
export OAUTH2_TOKEN_ENDPOINT=http://<3rd-party OAuth Server Address>:8080/realms/master/protocol/openid-connect/token
export OAUTH2_CLIENT_ID=<oran-o2-client-id>
export OAUTH2_CLIENT_SECRET=<oran-o2-client-secret>
Get a bearer token from the OAuth server to use in requests to the O2 application API.
curl -k -X POST ${OAUTH2_TOKEN_ENDPOINT} \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=${OAUTH2_CLIENT_ID}" \
  -d "client_secret=${OAUTH2_CLIENT_SECRET}"
Set the “access_token” value from the above step in the bash environment, and copy the client certificate into the folder that you are working in.
export BEARER_TOKEN=<access_token>
ls client-cert.pem client-key.pem my-root-ca-cert.pem
Discover INF platform inventory
INF platform auto-discovery
After you install the INF O2 service, it automatically discovers the INF platform using the parameters that you provide in “o2service-override.yaml”.
The command below gets the INF platform information as an O-Cloud:
curl -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/"
Resource pool
If the INF platform is a standalone environment, it has one resource pool. If the INF platform is a distributed cloud environment, the central cloud is one resource pool, and each sub-cloud is a resource pool. All the resources that belong to a cloud are organized into its resource pool.
Get the resource pool information through this interface
curl -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/resourcePools"

# export the first resource pool id
export resourcePoolId=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/resourcePools" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.[0].resourcePoolId')
echo ${resourcePoolId} # check the exported resource pool id
Resource type
A resource type defines what type a specified resource is, such as a physical machine, memory, or CPU.
Show all resource types
curl -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/resourceTypes"
Resource
Get the list of all resources. The value of resourcePoolId comes from the result of the resource pool interface.
curl -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/resourcePools/${resourcePoolId}/resources"
To get the details of one resource, export the ID of the specific resource that you want to check.
# export the first resource id in the resource pool
export resourceId=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/resourcePools/${resourcePoolId}/resources" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.[0].resourceId')
echo ${resourceId} # check the exported resource id

# Get the detail of one specific resource
curl -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/resourcePools/${resourcePoolId}/resources/${resourceId}" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}"
Deployment manager services endpoint
To check the Deployment Manager Service (DMS) related to this IMS, use the API below:
curl -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers"
Provisioning INF platform with SMO endpoint configuration
Assume you have an SMO. Before installing the O2 service, prepare the INF platform configuration with the SMO endpoint address. With this provisioning, the INF O2 service sends a request to the SMO while the O2 service is installing, which lets the SMO know that the O2 service is working.
After you install the INF O2 service, it automatically registers with the SMO using the parameters that you provide in “o2app.conf”.
export OCLOUD_GLOBAL_ID=<Ocloud global UUID defined by SMO>
export SMO_REGISTER_URL=<SMO Register URL for O2 service>

cat <<EOF > o2app.conf
[DEFAULT]
ocloud_global_id = ${OCLOUD_GLOBAL_ID}
smo_register_url = ${SMO_REGISTER_URL}
...
Subscribe to the INF platform resource change notification
Assume you have an SMO, and the SMO has an API that can receive callback requests.
Create a subscription to the INF O2 IMS
export SMO_SUBSCRIBE_CALLBACK=<The Callback URL for SMO Subscribe resource>
export SMO_CONSUMER_SUBSCRIPTION_ID=<The Subscription ID of the SMO Consumer>

curl -X 'POST' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/subscriptions" \
  -d '{
  "callback": "'${SMO_SUBSCRIBE_CALLBACK}'",
  "consumerSubscriptionId": "'${SMO_CONSUMER_SUBSCRIPTION_ID}'",
  "filter": ""
}'
Handle resource change notification
When the SMO callback API receives a notification that a resource of the INF platform has changed, use the URL to get the latest resource information and update the SMO database.
Subscribe to the INF platform alarm change notification
Assume you have an SMO, and the SMO has an API that can receive callback requests.
Create an alarm subscription to the INF O2 IMS
export SMO_SUBSCRIBE_CALLBACK=<The Callback URL for SMO Subscribe alarm>
export SMO_CONSUMER_SUBSCRIPTION_ID=<The Subscription ID of the SMO Consumer>

curl -X 'POST' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  "https://${OAM_IP}:30205/o2ims-infrastructureMonitoring/v1/alarmSubscriptions" \
  -d '{
  "callback": "'${SMO_SUBSCRIBE_CALLBACK}'",
  "consumerSubscriptionId": "'${SMO_CONSUMER_SUBSCRIPTION_ID}'",
  "filter": ""
}'
Handle alarm change notification
When the SMO callback API receives an alarm from the INF platform, use the URL to get the latest alarm event record information for more details.
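Both handlers above (resource change and alarm change) follow a URL taken from an incoming callback, so the SMO should confirm that the URL points at its own O2 IMS before sending the bearer token and client certificate to it. The following is an added example, not code from this guide or the INF O2 project; it assumes the notification carries an absolute URL, and the function names o2_notification_url_ok and o2_fetch_notified_object are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): vet a notification URL before following it.
# Port 30205 and the two API roots are the ones used in this guide; the
# function names are made up for this example.
O2_PORT=30205

# Return 0 only if $1 is an https URL on ${OAM_IP}:${O2_PORT} under an O2 IMS root.
o2_notification_url_ok() {
    [ -n "${OAM_IP}" ] || return 1          # refuse when the trusted host is unset
    base="https://${OAM_IP}:${O2_PORT}"

    # The authority must be exactly host:port; requiring "/" right after it
    # rejects "host:port@other.host" and "host:port.other.host".
    case "$1" in
        "${base}/"*) ;;
        *) return 1 ;;
    esac
    path=${1#"$base"}

    # Conservative choice for this example: no traversal, percent-escapes,
    # backslashes, spaces or fragments in the path.
    case "$path" in
        *..*|*%*|*\\*|*' '*|*'#'*) return 1 ;;
    esac

    case "$path" in
        /o2ims-infrastructureInventory/v1/*) return 0 ;;
        /o2ims-infrastructureMonitoring/v1/*) return 0 ;;
    esac
    return 1
}

# Fetch the notified object only after the URL passed the check. curl is run
# without -L, so a redirect to another host is not followed.
o2_fetch_notified_object() {
    if ! o2_notification_url_ok "$1"; then
        echo "refusing notification URL: $1" >&2
        return 1
    fi
    curl --silent --fail --proto '=https' \
        --cacert my-root-ca-cert.pem \
        --cert client-cert.pem --key client-key.pem \
        -H "Authorization: Bearer ${BEARER_TOKEN}" \
        -H 'accept: application/json' "$1"
}
```

Source the file in the shell where OAM_IP and BEARER_TOKEN are exported, then call o2_fetch_notified_object with the URL from the notification.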
Use Kubernetes Control Client through O2 DMS profile
Assume you have the kubectl command tool on your local Linux environment.
Also install the ‘jq’ command for your Linux bash terminal. If you are using Ubuntu, you can use the commands below to install both tools.
# install the 'jq' command
sudo apt-get install -y jq

# install 'kubectl' command
sudo apt-get install -y apt-transport-https
echo "deb http://mirrors.ustc.edu.cn/kubernetes/apt kubernetes-xenial main" | \
  sudo tee -a /etc/apt/sources.list.d/kubernetes.list
gpg --keyserver keyserver.ubuntu.com --recv-keys 836F4BEB
gpg --export --armor 836F4BEB | sudo apt-key add -
sudo apt-get update
sudo apt-get install -y kubectl
We need to get the Kubernetes profile to set up the kubectl command tool.
Get the DMS Id in the INF O2 service, and set it into bash environment.
# Get all DMS IDs, and print them
dmsIDs=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.[]["deploymentManagerId"]')
for i in $dmsIDs; do echo ${i}; done

# Choose one DMS and set it in the bash environment; here the first one is used
export dmsID=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.[0]["deploymentManagerId"]')
echo ${dmsID} # check the exported DMS Id
The ‘kubectl’ profile needs the cluster name; I assume it is set to “o2dmsk8s1”.
It also needs the server endpoint address, username, and authority, and for an environment that has Certificate Authority validation, it needs the CA data to be set up.
CLUSTER_NAME="o2dmsk8s1" # set the cluster name

K8S_SERVER=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers/${dmsID}?profile=native_k8sapi" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.["extensions"]["profileData"]["cluster_api_endpoint"]')
K8S_CA_DATA=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers/${dmsID}?profile=native_k8sapi" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.["extensions"]["profileData"]["cluster_ca_cert"]')

K8S_USER_NAME=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers/${dmsID}?profile=native_k8sapi" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.["extensions"]["profileData"]["admin_user"]')
K8S_USER_CLIENT_CERT_DATA=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers/${dmsID}?profile=native_k8sapi" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.["extensions"]["profileData"]["admin_client_cert"]')
K8S_USER_CLIENT_KEY_DATA=$(curl -s -X 'GET' \
  --cacert my-root-ca-cert.pem \
  --cert client-cert.pem --key client-key.pem \
  "https://${OAM_IP}:30205/o2ims-infrastructureInventory/v1/deploymentManagers/${dmsID}?profile=native_k8sapi" \
  -H 'accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" \
  | jq --raw-output '.["extensions"]["profileData"]["admin_client_key"]')

# If you do not want to set up the CA data, you can execute the following command without the secure checking
# kubectl config set-cluster ${CLUSTER_NAME} --server=${K8S_SERVER} --insecure-skip-tls-verify

kubectl config set-cluster ${CLUSTER_NAME} --server=${K8S_SERVER}
kubectl config set clusters.${CLUSTER_NAME}.certificate-authority-data ${K8S_CA_DATA}

kubectl config set-credentials ${K8S_USER_NAME}
kubectl config set users.${K8S_USER_NAME}.client-certificate-data ${K8S_USER_CLIENT_CERT_DATA}
kubectl config set users.${K8S_USER_NAME}.client-key-data ${K8S_USER_CLIENT_KEY_DATA}

# set the context and use it
kubectl config set-context ${K8S_USER_NAME}@${CLUSTER_NAME} --cluster=${CLUSTER_NAME} --user ${K8S_USER_NAME}
kubectl config use-context ${K8S_USER_NAME}@${CLUSTER_NAME}

kubectl get ns # check the command working with this context
Now you can use “kubectl”, which means you have successfully set up a Kubernetes client. However, it uses the default admin user, so I recommend that you create an account for yourself.
Create a new user and account for K8S with the “cluster-admin” role, and set the token of this user in the bash environment.
USER="admin-user"
NAMESPACE="kube-system"

cat <<EOF > admin-login.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${USER}
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${USER}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: ${USER}
  namespace: kube-system
EOF

kubectl apply -f admin-login.yaml
TOKEN_DATA=$(kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep ${USER} | awk '{print $1}') | grep "token:" | awk '{print $2}')
echo $TOKEN_DATA
Set the new user in ‘kubectl’ to replace the original user, and set the default namespace in the context.
NAMESPACE=default
TOKEN_DATA=<TOKEN_DATA from INF>

USER="admin-user"
CLUSTER_NAME="o2dmsk8s1"

kubectl config set-credentials ${USER} --token=$TOKEN_DATA
kubectl config set-context ${USER}@inf-cluster --cluster=${CLUSTER_NAME} --user ${USER} --namespace=${NAMESPACE}
kubectl config use-context ${USER}@inf-cluster