docs/doc/source/admintasks/kubernetes/oran-o2-application-b50a0c899e66.rst

O-RAN O2 Application

In the context of hosting a Application on , the O2 Application provides and exposes the and service APIs of the O2 interface between the O-Cloud () and the Service Management & Orchestration (SMO), in the Architecture.

The O2 interfaces enable the management of the O-Cloud () infrastructure and the deployment life-cycle management of cloudified that run on O-Cloud (). See O-RAN O2 General Aspects and Principles 2.0, and INF O2 documentation.

The O2 application is integrated into as a system application. The O2 application package is saved in during system installation, but it is not applied by default.

System administrators can follow the procedures below to install and uninstall the O2 application.

Install

Configure the internal Ceph storage for the O2 application persistent storage, see : Configure the Internal Ceph Storage Backend <configure-the-internal-ceph-storage-backend>.

Enable support in oran-o2 namespace, see : Enable ReadWriteOnce PVC Support in Additional Namespaces <enable-readwriteonce-pvc-support-in-additional-namespaces>.

You can install O2 application on from the command line.

1. Locate the O2 application tarball in /usr/local/share/applications/helm.

   For example:

   /usr/local/share/applications/helm/oran-o2-<version>.tgz

2. Download admin_openrc.sh from the admin dashboard.

   • Visit https://<oam-floating-ip-address>:8443/project/api_access/
   • Click the Download OpenStack RC File"/"OpenStack RC File button

3. Copy the file to the controller host.

4. Source the platform environment.

   $ source ./admin_openrc.sh
   ~(keystone_admin)]$

5. Upload the application.

   ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/oran-o2-<version>.tgz

6. Prepare the override yaml file.

   1. Create a client on the server.

      Assuming you have a 3rd-party 2 server, you have permission to create a client on your server, and the O2 application API required to get a token from the server in each requst from .

      When you create a client, you will get a client ID and client secret.

      OAUTH2_TOKEN_ENDPOINT=http://<3rd-party OAuth Server Address>:8080/realms/master/protocol/openid-connect/token
      OAUTH2_CLIENT_ID=<oran-o2-client-id>
      OAUTH2_CLIENT_SECRET=<oran-o2-client-secret>

      Note

      The reference to the 3rd-party Server (Keycloak)

   2. Prepare the 2 variables to authenticate the updates.

      When using with shared key, the following attributes need to be configured. For example:

      ~(keystone_admin)]$ OAUTH2_ALGORITHM=RS256
      ~(keystone_admin)]$ OAUTH2_PUB_KEY=<3rd-party OAuth Server Public Key>

      For token introspection, for example:

      ~(keystone_admin)]$ OAUTH2_INTROSPECTION_ENDPOINT=http://<3rd-party OAuth Server Address>:8080/realms/master/protocol/openid-connect/token/introspect
      ~(keystone_admin)]$ OAUTH2_CLIENT_ID=<oran-o2-client-id>
      ~(keystone_admin)]$ OAUTH2_CLIENT_SECRET=<oran-o2-client-secret>

   3. Create certificates for the O2 service.

      Obtain an intermediate or Root -signed certificate and key from a trusted intermediate or Root Certificate Authority (). Refer to the documentation for the external Root that you are using on how to create a public certificate and private key pairs signed by an intermediate or Root for HTTPS.

      For lab purposes, see : Create Certificates Locally using openssl <create-certificates-locally-using-openssl> to create an Intermediate or test Root certificate and key, and use it to locally sign test certificates.

      The resulting files, from either an external or locally generated for the lab with openssl, should be:

      • Local certificate - my-root-ca-cert.pem
      • Server certificate - my-server-cert.pem
      • Server key - my-server-key.pem

      Note

      If using a server certificate signed by a local (i.e. lab scenario above), this local certificate (e.g. my-root-ca-cert.pem from lab scenario above) must be shared with the application for the O2 server certificate verification.

      Prepare client certificate for (Mutual TLS).

      When you request the O2 application from , it needs the certificate for . We assume you have the CA certificate and CA key of the client. It can be used to generate the client certificate and key.

      • certificate - smo-ca-cert.pem
      • key - smo-ca-key.pem
      • Client certificate - client-cert.pem
      • Client key - client-key.pem

      The reference command to generate the client certificate is below. For example:

      openssl genrsa -out client-key.pem 2048
      openssl req -new -key client-key.pem -out client.csr
      openssl x509 -req -in client.csr -CA smo-ca.pem -CAkey smo-ca-key.pem -CAcreateserial -out client-cert.pem -days 365

   4. Prepare the O2 service application configuration file.

      As per the Cloudification and Orchestration use case defined in O-RAN Working Group 6, the following information should be generated by :

      • O-Cloud Gload ID - OCLOUD_GLOBAL_ID
      • Register URL - SMO_REGISTER_URL

      See O-RAN Cloudification and Orchestration Use Cases and Requirements for O-RAN Virtualized RAN.

      API_HOST_EXTERNAL_FLOATING=$(echo ${OS_AUTH_URL} | awk -F / '{print $3}' | cut -d: -f1)
      
      cat <<EOF > app.conf
      [DEFAULT]
      
      ocloud_global_id = ${OCLOUD_GLOBAL_ID}
      smo_register_url = ${SMO_REGISTER_URL}
      
      [OCLOUD]
      OS_AUTH_URL = ${OS_AUTH_URL}
      OS_USERNAME = ${OS_USERNAME}
      OS_PASSWORD = ${OS_PASSWORD}
      API_HOST_EXTERNAL_FLOATING = ${API_HOST_EXTERNAL_FLOATING}
      
      [OAUTH2]
      oauth2_verify_type = jwt
      oauth2_public_key = ${OAUTH2_PUB_KEY}
      oauth2_algorithm = ${OAUTH2_ALGORITHM}
      
      # required if oauth2_verify_type = introspection
      #oauth2_verify_type = introspection
      #oauth2_introspection_endpoint = ${OAUTH2_INTROSPECTION_ENDPOINT}
      #oauth2_client_id = ${OAUTH2_CLIENT_ID}
      #oauth2_client_secret = ${OAUTH2_CLIENT_SECRET}
      
      [API]
      
      [WATCHER]
      
      [PUBSUB]
      EOF

   5. Retrieve the certificate from your vendor.

      If the application provides service via HTTPS, and the server certificate is self-signed, the certificate should be retrieved from the .

      This procedure assumes that the name of the certificate is smo-ca.pem

   6. Populate the override yaml file.

      Refer to the previous step for the required override values.

      APPLICATION_CONFIG=$(base64 app.conf -w 0)
      SERVER_CERT=$(base64 my-server-cert.pem -w 0)
      SERVER_KEY=$(base64 my-server-key.pem -w 0)
      SMO_CA_CERT=$(base64 smo-ca.pem -w 0)
      
      cat <<EOF > o2service-override.yaml
      
      applicationconfig: ${APPLICATION_CONFIG}
      servercrt: ${SERVER_CERT}
      serverkey: ${SERVER_KEY}
      smocacrt: ${SMO_CA_CERT}
      
      EOF

      To deploy other versions of an image required for a quick solution, to have early access to the features (eg. oranscinf/pti-o2imsdms:), and to authenticate images that are hosted by a private registry, follow the steps below:

      1. Create a docker-registry secret in oran-o2 namespace.

         export O2SERVICE_IMAGE_REG=<docker-server-endpoint>
         
         kubectl create secret docker-registry private-registry-key \
         --docker-server=${O2SERVICE_IMAGE_REG} --docker-username=${USERNAME} \
         --docker-password=${PASSWORD} -n oran-o2

      2. Refer to the imagePullSecrets in override file.

         cat <<EOF > o2service-override.yaml imagePullSecrets: - private-registry-key

         o2ims:

         serviceaccountname: admin-oran-o2 images: tags: o2service: ${O2SERVICE_IMAGE_REG}/docker.io/oranscinf/pti-o2imsdms: postgres: ${O2SERVICE_IMAGE_REG}/docker.io/library/postgres:9.6 redis: ${O2SERVICE_IMAGE_REG}/docker.io/library/redis:alpine pullPolicy: IfNotPresent logginglevel: "DEBUG"

         applicationconfig: ${APPLICATION_CONFIG} servercrt: ${SERVER_CERT} serverkey: ${SERVER_KEY} smocacrt: ${SMO_CA_CERT}

         EOF

7. Update the overrides for the oran-o2 application.

   ~(keystone_admin)]$ system helm-override-update oran-o2 oran-o2 oran-o2 --values o2service-override.yaml
   
   # Check the overrides
   ~(keystone_admin)]$ system helm-override-show oran-o2 oran-o2 oran-o2

8. Run the system application-apply command to apply the updates.

   ~(keystone_admin)]$ system application-apply oran-o2

9. Monitor the status using the command below.

   ~(keystone_admin)]$ watch -n 5 system application-list

   OR

   ~(keystone_admin)]$ watch kubectl get all -n oran-o2

You have launched services in the above namespace.

You will need to integrate with an application that performs management of O-Cloud infrastructure and the deployment life cycle management of O-RAN cloudified . See the following API reference for details:

• API O-RAN O2 interface

Uninstall

You can uninstall the O2 application on from the command line.

1. Uninstall the application.

   Remove O2 application related resources.

   ~(keystone_admin)]$ system application-remove oran-o2

2. Delete the application.

   Remove the uninstalled O2 application’s definition, including the manifest and helm charts and helm chart overrides, from the system.

   ~(keystone_admin)]$ system application-delete oran-o2

You have uninstalled the O2 application from the system.