Commit afb0fc56 authored by Sergio Gimenez

chore: drop temporary helm federation notes

parent 34b0dab5
+0 −455
# Helm Federation E2E Manual

## Purpose

Validate the OEG federated Helm flow against the local Federation Manager deployment and confirm that OEG preserves full HTTP(S) Helm repository URLs when building the GSMA artefact payload.

## Prerequisites

- Local federation stack running from:
  `FederationManager/federation-manager-i2cat/src/test/local-deployment/docker-compose.yml`
- OEG test container running as `oeg-local-test` on `http://127.0.0.1:8085`
- OEG container configured with:
  - `SRM_HOST=http://srm-local:8080/srm/1.0.0`
  - `FEDERATION_MANAGER_HOST=http://federation-manager-local:8989/operatorplatform/federation/v1`
  - `PARTNER_API_ROOT=http://federation-manager-remote:8989`
  - `MONGO_URI=mongodb://mongodb-local:27017`

## 1. Verify stack

Run:

```bash
docker compose -f /home/sergio/i2cat/OperatorPlatform/FederationManager/federation-manager-i2cat/src/test/local-deployment/docker-compose.yml ps
docker ps --format '{{.Names}} {{.Ports}}'
```

Expected relevant containers:

- `federation-manager-local`
- `federation-manager-remote`
- `srm-local`
- `srm-remote`
- `lite2edge-local`
- `lite2edge-remote`
- `mongodb-local`
- `keycloak-local`
- `oeg-local-test`

## 2. Restart OEG after code changes

```bash
docker restart oeg-local-test
```

## 3. Check OEG sees the federated zone

```bash
curl -sS http://127.0.0.1:8085/oeg/1.0.0/edge-cloud-zones
```

Expected to include a federated zone similar to:

```json
{
  "edgeCloudProvider": "i2cat",
  "edgeCloudZoneId": "default"
}
```

## 4. Register a Helm app with a full HTTPS chart URL

```bash
curl -sS -X POST 'http://127.0.0.1:8085/oeg/1.0.0/apps' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"550e8400-e29b-41d4-a716-446655440111",
    "name":"bitnamihelm",
    "appProvider":"i2cat",
    "version":"15.14.0",
    "packageType":"HELM",
    "operatingSystem":{
      "architecture":"x86_64",
      "family":"UBUNTU",
      "version":"OS_VERSION_UBUNTU_2204_LTS",
      "license":"OS_LICENSE_TYPE_FREE"
    },
    "appRepo":{
      "type":"PUBLICREPO",
      "imagePath":"https://charts.bitnami.com/bitnami/nginx:15.14.0"
    },
    "componentSpec":[{
      "componentName":"nginx",
      "networkInterfaces":[{
        "interfaceId":"eth0",
        "protocol":"TCP",
        "port":80,
        "visibilityType":"VISIBILITY_EXTERNAL"
      }]
    }]
  }'
```

Expected: HTTP `200` and an onboarded app response from OEG.

## 5. Trigger federated deployment through OEG

```bash
curl -sS -X POST 'http://127.0.0.1:8085/oeg/1.0.0/appinstances' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"550e8400-e29b-41d4-a716-446655440111",
    "appZones":[{
      "EdgeCloudZone":{
        "edgeCloudZoneId":"default",
        "edgeCloudZoneName":"unknown",
        "edgeCloudProvider":"i2cat",
        "edgeCloudZoneStatus":"unknown",
        "edgeCloudRegion":"unknown"
      }
    }]
  }'
```

## 6. Inspect OEG payloads

```bash
docker logs --since 2m oeg-local-test
```

Expected artefact payload fragment:

```json
"artefactRepoLocation": {
  "repoURL": "https://charts.bitnami.com/bitnami"
}
```

Expected onboard payload fragment:

```json
"appDeploymentZones": [
  "default"
]
```

Expected normalized component payload fragment:

```json
"appComponentSpecs": [
  {
    "componentName": "cmpbitnamihelm0"
  }
]
```

## 7. Inspect downstream services

```bash
docker logs --since 2m federation-manager-local
docker logs --since 2m srm-remote
docker logs --since 2m lite2edge-remote
```

Expected current outcome:

- OEG artefact upload reaches FM successfully.
- OEG onboarding reaches FM successfully with HTTP `202`.
- OEG deployment reaches FM and downstream lite2edge Helm install.
- Current remaining failure is downstream Helm repository access, for example:

```text
Helm install failed: Error: INSTALLATION FAILED: looks like "https://charts.bitnami.com/bitnami" is not a valid chart repository or cannot be reached: Get "https://repo.broadcom.com/bitnami-files/index.yaml": EOF
```

## Interpretation

- If OEG logs show `repoURL: https://charts.bitnami.com/bitnami`, the repository parsing fix is working.
- If the flow fails later during Helm install or external repo fetch, OEG is no longer the blocker for this issue.

## Post-VPN Recheck

After disabling the corporate VPN, re-run direct chart access tests from `lite2edge-remote`:

```bash
docker exec lite2edge-remote \
  helm show chart nginx --repo https://charts.bitnami.com/bitnami --version 15.14.0

docker exec lite2edge-remote \
  helm show chart oci://registry-1.docker.io/bitnamicharts/nginx --version 15.14.0
```

Expected after VPN disable:

- Both commands succeed.
- This confirms the earlier certificate failures were environment-related.

Then replay the federated public Helm deployment through OEG using a fresh app id, for example `550e8400-e29b-41d4-a716-446655440444`.

Observed result in this session:

- OEG artefact payload is correct:

```json
"artefactRepoLocation": {
  "repoURL": "https://charts.bitnami.com/bitnami"
}
```

- OEG onboarding succeeds with `202`.
- Deployment reaches real Helm install.
- Remaining failure is downstream Helm TLS/handshake behavior to the Bitnami/Broadcom endpoint:

```text
Helm install failed: Error: INSTALLATION FAILED: looks like "https://charts.bitnami.com/bitnami" is not a valid chart repository or cannot be reached: Get "https://repo.broadcom.com/bitnami-files/index.yaml": remote error: tls: handshake failure
```

Additional direct runtime check:

```bash
docker exec lite2edge-remote python - <<'PY'
import urllib.request
with urllib.request.urlopen("https://repo.broadcom.com/bitnami-files/index.yaml", timeout=20) as r:
    print(r.status)
PY
```

Observed in this session:

- Direct Python HTTPS access reached the endpoint and returned HTTP `403` rather than failing TLS.
- That means the remaining issue is narrower than raw connectivity: it is specific to Helm's access path/handshake to that repository in the current runtime.

## OCI Comparison

To distinguish repo-format issues from network/TLS issues, a local plain-HTTP OCI registry can be used.

### Start a local OCI registry

```bash
docker run -d --name local-oci-registry \
  --network local-deployment_remote-net \
  -p 5000:5000 \
  registry:2
```

### Package and push a local chart

```bash
mkdir -p /tmp/oeg-chart-packages
helm package \
  /home/sergio/i2cat/OperatorPlatform/helm/oop-platform-chart/charts/oeg \
  --destination /tmp/oeg-chart-packages

helm push /tmp/oeg-chart-packages/oeg-1.0.0.tgz \
  oci://127.0.0.1:5000/helm \
  --plain-http
```

### Verify direct OCI access from lite2edge

```bash
docker exec lite2edge-remote \
  helm show chart oci://local-oci-registry:5000/helm/oeg \
  --version 1.0.0 \
  --plain-http
```

Expected: chart metadata is returned successfully.

### Register an OCI-backed Helm app in OEG

```bash
curl -sS -X POST 'http://127.0.0.1:8085/oeg/1.0.0/apps' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"550e8400-e29b-41d4-a716-446655440333",
    "name":"ocitestfresh",
    "appProvider":"i2cat",
    "version":"1.0.0",
    "packageType":"HELM",
    "operatingSystem":{
      "architecture":"x86_64",
      "family":"UBUNTU",
      "version":"OS_VERSION_UBUNTU_2204_LTS",
      "license":"OS_LICENSE_TYPE_FREE"
    },
    "appRepo":{
      "type":"PUBLICREPO",
      "imagePath":"local-oci-registry:5000/helm/oeg:1.0.0"
    },
    "componentSpec":[{
      "componentName":"frontend",
      "networkInterfaces":[{
        "interfaceId":"eth0",
        "protocol":"TCP",
        "port":80,
        "visibilityType":"VISIBILITY_EXTERNAL"
      }]
    }]
  }'
```

### Deploy the OCI-backed app through OEG

```bash
curl -sS -X POST 'http://127.0.0.1:8085/oeg/1.0.0/appinstances' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"550e8400-e29b-41d4-a716-446655440333",
    "appZones":[{
      "EdgeCloudZone":{
        "edgeCloudZoneId":"default",
        "edgeCloudZoneName":"unknown",
        "edgeCloudProvider":"i2cat",
        "edgeCloudZoneStatus":"unknown",
        "edgeCloudRegion":"unknown"
      }
    }]
  }'
```

### Current findings from OCI path

- Direct OCI access from `lite2edge-remote` works.
- Public HTTPS Helm and public OCI both fail in `lite2edge-remote` because of TLS trust issues, not because OCI is mandatory.
- The federated OCI path exposed additional translation bugs:
  - `lite2edge` needed to treat `repoURL` values like `host:port` as OCI registries.
  - FM remote had a `countryCode` null crash in onboarding view.
  - SRM was reconstructing OCI app manifests incorrectly in some paths.

### Current conclusion

The system does not appear to require OCI-only URLs.

- Classic Helm repos are supported by code path.
- OCI registries are also supported by code path.
- The public Bitnami failure was due to TLS trust in the runtime container.
- The local OCI registry is useful as a deterministic test source while continuing to fix downstream translation issues.

## Known-Good Success Paths

### A. Direct local deployment success on lite2edge

Use a chart source that does not hardcode conflicting cluster resources. A working example in this session was Bitnami nginx via OCI.

Onboard directly to `lite2edge-remote`:

```bash
curl -sS -X POST 'http://127.0.0.1:8751/api/v1/apps/onboard' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"local-oci-nginx",
    "name":"localnginxoci",
    "version":"15.14.0",
    "packageType":"HELM",
    "appProvider":"local-provider",
    "appRepo":{
      "type":"PUBLICREPO",
      "repoURL":"registry-1.docker.io",
      "imagePath":"registry-1.docker.io/bitnamicharts/nginx:15.14.0"
    },
    "appComponentSpecs":[{
      "artefactId":"local-oci-nginx-art",
      "componentName":"frontend",
      "serviceNameNB":"nbfrontend0",
      "serviceNameEW":"ewfrontend0"
    }],
    "appDeploymentZones":[{"zoneId":"default"}]
  }'
```

Deploy directly:

```bash
curl -sS -X POST 'http://127.0.0.1:8751/api/v1/apps/local-oci-nginx/deploy' \
  -H 'Content-Type: application/json' \
  --data '{"appId":"local-oci-nginx","appZones":[]}'
```

Expected result in this session:

```json
{
  "appInstanceState": "instantiating",
  "packageType": "HELM"
}
```

### B. Federated deployment success through OEG

Register a fresh OCI-backed app in OEG:

```bash
curl -sS -X POST 'http://127.0.0.1:8085/oeg/1.0.0/apps' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"550e8400-e29b-41d4-a716-446655440555",
    "name":"federatednginxoci",
    "appProvider":"i2cat",
    "version":"15.14.0",
    "packageType":"HELM",
    "operatingSystem":{
      "architecture":"x86_64",
      "family":"UBUNTU",
      "version":"OS_VERSION_UBUNTU_2204_LTS",
      "license":"OS_LICENSE_TYPE_FREE"
    },
    "appRepo":{
      "type":"PUBLICREPO",
      "imagePath":"registry-1.docker.io/bitnamicharts/nginx:15.14.0"
    },
    "componentSpec":[{
      "componentName":"frontend",
      "networkInterfaces":[{
        "interfaceId":"eth0",
        "protocol":"TCP",
        "port":80,
        "visibilityType":"VISIBILITY_EXTERNAL"
      }]
    }]
  }'
```

Deploy it to the federated zone:

```bash
curl -sS -X POST 'http://127.0.0.1:8085/oeg/1.0.0/appinstances' \
  -H 'Content-Type: application/json' \
  --data '{
    "appId":"550e8400-e29b-41d4-a716-446655440555",
    "appZones":[{
      "EdgeCloudZone":{
        "edgeCloudZoneId":"default",
        "edgeCloudZoneName":"unknown",
        "edgeCloudProvider":"i2cat",
        "edgeCloudZoneStatus":"unknown",
        "edgeCloudRegion":"unknown"
      }
    }]
  }'
```

Expected result in this session:

```json
{
  "message":"Application deployed successfully at partner OP",
  "deployment_response":{
    "appInstIdentifier":"...",
    "zoneId":"default"
  }
}
```

Useful validation logs:

```bash
docker logs --since 30s oeg-local-test
docker logs --since 30s lite2edge-remote
```

Expected downstream evidence from `lite2edge-remote`:

```text
POST /api/v1/apps/550e8400-e29b-41d4-a716-446655440555/deploy HTTP/1.1" 202 Accepted
```
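
Review bot: The "Current findings from OCI path" list in the deleted manual names three defects that the commit message does not account for (`lite2edge` needing to treat `host:port` `repoURL` values as OCI registries, the FM remote `countryCode` null crash in the onboarding view, and SRM reconstructing OCI app manifests incorrectly), so please link the issues or fixes that now carry them before this record is dropped. The TLS diagnosis is also left unsettled in the removed text: "Post-VPN Recheck" reports Helm failing with `tls: handshake failure` while direct Python HTTPS access to the same endpoint returned HTTP `403`, yet "Current conclusion" attributes the Bitnami failure to TLS trust in the runtime container; whichever reading holds should be written into the tracking issue. If the two "Known-Good Success Paths" request sequences are still the only end-to-end check that OEG emits `"repoURL": "https://charts.bitnami.com/bitnami"`, consider keeping them as a test script rather than deleting them with the notes.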