Goal:
To be able to pull Acumos published models from the DCAE MOD design GUI, store them in the DCAE Nexus repo as Docker images, and then deploy those models as Docker containers (microservices).
Refer to this doc:
https://wiki.onap.org/display/DW/Acumos+Adapter+Installation
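Note: We have used the strategy of accepting all untrusted CA certificates on the dcae-acumos-adapter side (the "certverify: False" setting below), so the adapter does not reject a gateway certificate issued by a CA it does not trust.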
1. On whichever machine you have downloaded/pulled the acumos-dcae adapter helm charts,
create an overrides.yaml
in <acumos-dcae-loca>/platform/adapter/acumos-deployment/overrides.yaml
Add the new attribute "certverify: False" as shown below; also add the Acumos private key, Acumos certificate and Acumos CA certificate.
Example snippet of overrides.yaml
certverify: False
dockerUser: <docker_user>
dockerPass: <docker_pass>
dockerTargetRegistry: <dockerregop:port>
acumosCert: |
  -----BEGIN PRIVATE KEY-----
  MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCw1YbQ6TdQhV+U
  ...<rest of key>
  i+QtRHjNSDr83KiSxhlyThLjT6Ia9C8l8K/VvLGmlQQXHrpiTAzv1BHqzAEUmvq1
  M9XnfxIfCwGy8Joukg0d4NM+jVAqaBE=
  -----END PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  MIIGGDCCBACgAwIBAgIUJMZ7hi92lytO6R1HvVPcfuaTqRMwDQYJKoZIhvcNAQEL
  BQAwezELMAkGA1UEBhMCVVMxFDASBgNVBAgMC1Vuc3BlY2lmaWVkMRQwEgYDVQQH
  ...
  <RestOfAcumosCertificate>
  CiyCTMLrpEIYg4NX04tgT+T43PKIcSjQZqik1g==
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIIF1zCCA7+gAwIBAgIUXr95y50kZ66mKpTQ0a2Omd30gj8wDQYJKoZIhvcNAQEL
  ..
  .. <RestOfAcumosCaCertificate>
  tQ/d7aEtr4q9YDY=
  -----END CERTIFICATE-----
3. Now verify that your new attribute "certverify: False" is indeed passed to the pod.
On the machine where the DCAE adapter has been installed:
kubectl get cm -n onap | grep adapter
kubectl describe cm acumos-dcae-acumos-adapter-configmap -n onap
How to get acumos certificates and keys
https://docs.acumos.org/en/clio/submodules/federation/docs/config.html
Most of the steps from the above link will already have been done during installation; just refer to the troubleshooting and test connection sections.
4. Go to the Kubernetes cluster where you have deployed Acumos AI (I have installed the Clio release).
Assume namespace = acumos
kubectl get pod -n acumos | grep federation
kubectl describe pod federation-6899b94568-z2gfj -n acumos
Here the federation pod = federation-6899b94568-z2gfj; the pod name will differ on each system.
In the description of the federation pod, you will find all the certificate details.
Log in to the pod and copy all the certificate files, which you can use to configure the DCAE-Acumos-adapter and to test connectivity between ONAP-dcae-acumos-adapter and the acumos-federation gateway.
kubectl exec -it federation-6899b94568-z2gfj -n acumos -- /bin/sh
In our case, all the certificates were located under
ls -lrt /app/certs/
acumos.crt -> ..data/acumos.crt
acumos-truststore.jks -> ..data/acumos-truststore.jks
acumos-keystore.p12 -> ..data/acumos-keystore.p12
acumos-ca.crt -> ..data/acumos-ca.crt
# Retrieve the Acumos key from the PKCS#12 file and use the content of this acumos.key to configure onap-dcae-acumos-adapter's overrides.yaml.
openssl pkcs12 -in acumos-keystore.p12 -nocerts -out acumos.key
Note: If it asks for a passphrase, take it from the output of describing the federation pod.
Decrypt this private key to dec.key and use this dec.key in the dcae-acumos-adapter configuration (overrides.yaml).
openssl pkcs8 -in acumos.key -out dec.key
Retrieve the acumos certificate from pkcs file in .pem file
openssl x509 -inform der -in acumos.crt -out acumos.pem
Important:
You now have three important files:
a. dec.key (decrypted acumos private key)
b. acumos.pem (acumos certificate)
c. acumos.crt (acumos ca certificate)
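The files from step 4 can be checked offline before they go into overrides.yaml. The script below is an added example, not part of the original post: check_pair confirms that the key is decrypted, that it matches the certificate, and that the certificate was issued by the CA file. make_sample and extract are hypothetical helpers that build throwaway test material (passphrase "sample") and replay the openssl commands above on it; the script assumes acumos-ca.crt from /app/certs is the CA certificate.

```sh
#!/bin/sh
# Added example (not from the original post): validate dec.key, acumos.pem and
# the CA file before using them in overrides.yaml or with curl.

# check_pair KEY CERT CA -> 0 usable, 1 key/cert mismatch,
# 2 unreadable or still-encrypted input, 3 CERT not issued by CA.
check_pair() {
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1" && return 2
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ] || return 1
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
}

# make_sample DIR: constructed stand-ins for /app/certs (throwaway CA and leaf,
# keystore passphrase "sample"); none of this is real Acumos material.
make_sample() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-ca" \
        -keyout ca.key -out acumos-ca.crt 2>/dev/null || exit 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-federation" \
        -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA acumos-ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out leaf.pem 2>/dev/null || exit 1
    openssl x509 -in leaf.pem -outform der -out acumos.crt || exit 1
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem \
        -passout pass:sample -out acumos-keystore.p12
)

# extract DIR: the three openssl commands from step 4, made non-interactive.
extract() (
    cd "$1" || exit 1
    openssl pkcs12 -in acumos-keystore.p12 -nocerts -passin pass:sample \
        -passout pass:sample -out acumos.key 2>/dev/null || exit 1
    openssl pkcs8 -in acumos.key -passin pass:sample -out dec.key || exit 1
    openssl x509 -inform der -in acumos.crt -out acumos.pem
)

# Demo on the constructed material.
d=$(mktemp -d) && make_sample "$d" && extract "$d" &&
    check_pair "$d/dec.key" "$d/acumos.pem" "$d/acumos-ca.crt" &&
    echo "sample key, certificate and CA are consistent"
rm -rf "$d"
```

With the real files, run check_pair dec.key acumos.pem acumos-ca.crt in the directory where you copied them.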
5. Now, before you configure the ONAP dcae-adapter, you can check whether these certificates are working.
Basically, on the Acumos side, the federation pod is the E5 endpoint, which every client such as dcae-adapter contacts to fetch solutions/models.
Acumos-federation(E5) : Ip/host:9084 or Ip/host:31892
# How to get acumos federation details
a. login to acumos machine
b. kubectl get svc -n <namespace> | grep federation
6. Before you can pull an acumos-ai model via the Acumos federation gateway endpoint (E5), you need to set up a peer in the acumos-ai GUI.
7. Login to acumos gui --> Site admin --> Site configuration
Enable Onboarding = Enabled
Enable DCAE = Enabled
Save.
acumos gui --> Site admin --> remove all default peers --> add peer
Fill details
Change acai-server to the hostname of the machine where you have installed Acumos AI. For the port, you can give 9084, which is the pod's internal port; that didn't work for us because dcae-acumos-adapter was installed in a different VM, so we used the node port of the acumos-federation gateway (i.e. 31892).
mark as self --> save
7. Now, when you have published some model to a catalog in Acumos AI and that catalog is public,
you can test fetching those models/catalogs via the curl command.
a. Change to a directory, where you have kept all acumos keys and certificates
b. curl -vk --cert acumos.pem --key dec.key -X GET https://<AcumosIPOrHost>:31892/catalogs
Sample output:
{"error":null,"message":null,"content":[{"created":"2020-10-15T09:59:49Z","modified":"2020-12-03T06:03:42Z","catalogId":"2990ae3e-0ecd-11eb-af1b-3259a0ffa0c3","accessTypeCode":"PB","selfPublish":true,"name":"acai-server Public","publisher":"acai-server","description":"acai-server Public","origin":null,"url":"https://acai-server:443","size":5},{"created":"2020-10-15T09:59:49Z","modified":"2020-11-18T12:38:33Z","catalogId":"2990af82-0ecd-11eb-af1b-3259a0ffa0c3","accessTypeCode":"PB","selfPublish":true,"name":"acai-server Internal","publisher":"acai-server","description":"non","origin":null,"url":"https://acai-server:443","size":4}]}
c. Similarly, you should be able to fetch a model/solution by selecting any catalog ID
curl -vk --cert acumos.pem --key dec.key -X GET "https://<AcumosIPOrHost>:31892/solutions?catalogId=2990ae3e-0ecd-11eb-af1b-3259a0ffa0c3"
8. Now, once you deploy your dcae-acumos-adapter using the above certificates and key, with the extra parameter (certverify: False), following this guide's syntax (https://wiki.onap.org/display/DW/Acumos+Adapter+Installation), you should be able to pull the Acumos model in the DCAE designer GUI.
acumos-federation url = https://<acumoshostOrIP>:<federationNodeport>
In DCAE Designer GUI
GUI details:
DCAE MOD design tool (this normally is found at ingress_controller_address/nifi)
Ip/hostname of VM where you have installed DCAE-Acumos adapter
Acumos GUI : https://<iporhostofacumos>:443