ONAP Architecture Committee: ONAPARC-281

Service Mesh - Using K8S and ISTIO as infrastructure for ONAP


    • Service mesh technology integration with ONAP

      Background:

      The initial ONAP goal was to deploy ONAP as VMs and containers using OpenStack and Kubernetes, so infrastructure software was developed to make ONAP work as both VMs and containers. Also, when ONAP work started in its previous incarnation, microservice infrastructure software was either not available or not in a state that could be adopted.

      Now the ONAP community has decided to support ONAP only as containers orchestrated by Kubernetes. In addition, CNCF has a few stable projects/features that help any microservice-based solution.

      These infrastructure solutions help dramatically improve development productivity and reduce the time spent debugging interoperability issues.

      Purpose

      • Relieve the applications of the activities required to make ONAP a microservice-based solution.
        • Application developers should not be concerned with
          • Service registration and destination service discovery
          • Load balancing of connections across multiple instances of the destination service
          • A/B testing and Canary deployment
          • Rolling updates 
          • Mutual TLS
          • Certificate enrollment
          • Certificate renewal
          • Securing the private keys using HW RoT.
          • Acceleration of TLS connections and data
          • Transaction visibility
          • Content-aware load balancing
          • Role-based access control
      • Develop solutions that do not increase memory size (keep the increase below 5%)

      Dublin scope

      • Use native K8S facilities (IPVS) for service load balancing.
      • Use K8S Network policies for RBAC (At the service granularity, not at the HTTP protocol level)
      • Use ISTIO Citadel for CA
      • Secure ISTIO CA private keys using HW RoT via PKCS11.
      • Prove a few application services using ISTIO Citadel with nodeagent and create a guideline document
      • POCs with the ISTIO/Envoy community to reduce the memory footprint of Envoy proxy.
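      As an added example (not part of this ticket) of the service-granularity RBAC item above, a default-deny ingress policy paired with a single allow rule between two services; the namespace, pod labels and port are assumed for illustration:

```yaml
# Added example, not from the ONAP ticket: service-granularity RBAC with
# Kubernetes NetworkPolicy. Namespace "onap", labels app=so / app=sdnc and
# port 8282 are assumed values for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: onap
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed => all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-so-to-sdnc
  namespace: onap
spec:
  podSelector:
    matchLabels:
      app: sdnc            # pods of the destination service
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: so          # only pods of the permitted calling service
    ports:
    - protocol: TCP
      port: 8282           # only the service port, not every port on the pod
```

      NetworkPolicy is enforced by the cluster's CNI plugin and is silently ignored on a CNI that does not implement it, so the deny rule should be verified with a test connection from a non-allowed pod. It filters on pod identity and L4 port only, which is exactly the service-level (not HTTP-level) granularity the scope item describes.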

      Future:

      • Leverage HW RoT for securing Envoy certificate private keys.
      • Use Envoy proxy as a TLS proxy.
      • Accelerate Envoy using Crypto accelerator.
      • Provide ISTIO RBAC.
      • Use AAF RBAC from ISTIO mixer.
      • Use third-party CAs (starting with HashiCorp Vault) from the ISTIO CA via the provided plugin mechanism
      • True ISTIO usage

            auztizza auztizza
            saddepalli saddepalli