Complete guide for running the one-click Nephio Intent-to-O2 demo showcasing the verifiable intent pipeline for Telco cloud & O-RAN.
This demo runs a complete verifiable intent pipeline that transforms TMF921 intents into O-RAN O2 IMS deployments using cloud-native technologies:
📡 TMF921 Intent → 3GPP TS 28.312 → KRM Packages → O2 IMS → GitOps Deployment
(TIO/CTK) (Expectation) (kpt/Porch) (ProvisioningRequest) (SLO-gated)
- 🔒 Security-First: Sigstore + Kyverno + cert-manager with default-on security
- 📊 SLO-Gated: Automated rollback on threshold violations
- 🏗️ Cloud-Native: Nephio R5 + O-RAN integration with Kubernetes-native workflows
- 🎬 Presentation-Ready: Visual progress indicators, timing metrics, comprehensive reporting
# Complete demo pipeline (recommended)
make demo
# Dry-run to preview steps
make demo DRY_RUN=true
# Demo with rollback demonstration
make demo && make demo-rollback
# Direct script execution with options
./scripts/demo_orchestrator.sh --mode presentation
# Development mode with debugging
DEMO_MODE=debug make demo
# Continue on errors for troubleshooting
CONTINUE_ON_ERROR=true make demo
# Core tools (must be installed)
- kubectl (v1.28+)
- git (v2.30+)
- jq (v1.6+)
- curl (v7.68+)
- make (v4.2+)
- python3.11
- go (v1.22+)
# Optional tools (for enhanced experience)
- kpt (v1.0+)
- kubeconform (v0.6+)
- cosign (v2.0+)
# Automated prerequisites validation
make check-prereqs
# Manual verification
kubectl cluster-info
git --version
jq --version
python3.11 --version
go version
- Subnet: 172.16.0.0/16 (VM-1 and VM-2 must be in this range)
- VM-1 (Demo Host): Current machine running the demo
- VM-2 (Edge Target): 172.16.4.45 (default, configurable)
| Service | Port | Protocol | Description |
|---|---|---|---|
| SSH | 22 | TCP | Remote access |
| Kubernetes API | 6443 | TCP | Cluster management |
| Gitea Web | 30080 | TCP | Git repository web UI |
| Observability | 30090 | TCP | Metrics and monitoring |
# Test VM-2 connectivity
ping -c 3 172.16.4.45
# Test port accessibility
nc -zv 172.16.4.45 6443
nc -zv 172.16.4.45 30080
# Validate subnet configuration
ip route | grep 172.16
- Kubernetes: v1.28+ (kind, k3s, or managed clusters supported)
- Nephio: R5 release components installed
- Porch: Package orchestration system running
- RBAC: Cluster-admin permissions for CRD installation
# Verify cluster access
kubectl cluster-info
# Check Nephio components
kubectl get pods -n porch-system
kubectl get crd | grep porch
# Validate RBAC permissions
kubectl auth can-i create customresourcedefinitions
The demo executes the following sequence automatically:
# Step 1: p0-check
make p0-check
Purpose: Validates Nephio Phase-0 infrastructure readiness
- ✅ kubectl cluster connectivity
- ✅ porch-system pods running
- ✅ Porch API resources available
- ✅ Configuration management (optional)
# Step 2: o2ims-install
make o2ims-install
Purpose: Installs O-RAN O2 IMS operator components
- ✅ ProvisioningRequest CRD installation
- ✅ O2IMS operator deployment
- ✅ RBAC and service account setup
- ✅ Health check validation
# Step 3: ocloud-provision
make ocloud-provision
Purpose: Provisions O-Cloud using FoCoM operator
- ✅ KinD cluster creation for SMO
- ✅ FoCoM operator deployment
- ✅ Edge cluster secret configuration
- ✅ O-Cloud custom resources application
# Step 4: precheck
make precheck
Purpose: Supply chain security validation
- ✅ Container image signature verification
- ✅ Vulnerability scanning
- ✅ Policy compliance checking
- ✅ Security gate validation
# Step 5: publish-edge
make publish-edge
Purpose: Publishes edge overlay with security validation
- ✅ KRM package validation
- ✅ Security compliance scoring
- ✅ GitOps repository publishing
- ✅ Deployment pipeline trigger
# Step 6: postcheck
make postcheck
Purpose: Post-deployment SLO validation
- ✅ RootSync reconciliation monitoring
- ✅ VM-2 observability metrics validation
- ✅ SLO threshold compliance checking
- ✅ Automated rollback on violations
- Total Demo Time: 15-25 minutes (depending on network and cluster)
- Per-Step Timeout: 5 minutes (configurable)
- Network Tests: 30 seconds
- Security Validation: 2-3 minutes
# View demo progress in real-time
tail -f artifacts/demo/step-*.log
# Monitor Kubernetes resources
watch kubectl get pods -A
# Check demo artifacts
ls -la artifacts/demo/
artifacts/demo/
├── demo-report.json # Complete execution summary
├── demo-report.html # Visual presentation report
├── step-1-p0-check.log # Phase-0 validation log
├── step-2-o2ims-install.log # O2IMS installation log
├── step-3-ocloud-provision.log # O-Cloud provisioning log
├── step-4-precheck.log # Security precheck log
├── step-5-publish-edge.log # Edge publishing log
└── step-6-postcheck.log # SLO validation log
reports/
├── security-latest.json # Comprehensive security report
├── security-YYYYMMDD-HHMMSS.json # Timestamped security snapshots
└── compliance-summary.json # Policy compliance summary
artifacts/demo-rollback/
├── rollback-audit-report.json # Rollback execution audit
├── rollback-audit-report.html # Visual rollback report
├── rollback-diff-report.html # Before/after comparison
├── state-comparison.json # System state diff analysis
└── state-snapshots/
├── before.json # Pre-rollback system state
└── after.json # Post-rollback system state
- ✅ All 6 steps complete without errors
- ✅ Security compliance score ≥ 60%
- ✅ SLO thresholds met:
  - Latency P95 ≤ 15ms
  - Success rate ≥ 99.5%
  - Throughput P95 ≥ 200 Mbps
- ✅ Kubernetes resources deployed successfully
- ✅ GitOps reconciliation completed
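How the compliance and SLO criteria above combine into one pass/rollback decision, as an added example (not code from this project). The security-report path is the jq path used on this page and the threshold variable names and defaults are the page's; the three SLO field names and the `evaluate_gate` function are assumptions, since the page does not show the observability endpoint's response schema. A missing or non-numeric metric fails the gate instead of passing it.

```python
import os

# (label, env var, default from this page, comparison, path into the merged document)
# The "slo" field names are ASSUMED; the compliance path is the jq path on this page.
CHECKS = [
    ("compliance", "COMPLIANCE_THRESHOLD", 60.0, "min",
     ("security_report", "summary", "policy_compliance_score")),
    ("latency_p95", "LATENCY_P95_THRESHOLD_MS", 15.0, "max", ("slo", "latency_p95_ms")),
    ("success_rate", "SUCCESS_RATE_THRESHOLD", 0.995, "min", ("slo", "success_rate")),
    ("throughput_p95", "THROUGHPUT_P95_THRESHOLD_MBPS", 200.0, "min",
     ("slo", "throughput_p95_mbps")),
]

def _lookup(doc, path):
    """Walk nested dicts; return a float, or None if absent or not a number."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    # bool is an int subclass; reject it so JSON `true` cannot pass as a metric.
    if isinstance(doc, bool) or not isinstance(doc, (int, float)):
        return None
    return float(doc)

def evaluate_gate(security_report, slo_metrics, env=None):
    """Return (passed, violations). Missing or non-numeric values fail closed."""
    env = os.environ if env is None else env
    doc = {**security_report, "slo": slo_metrics}
    violations = []
    for label, var, default, kind, path in CHECKS:
        limit = float(env.get(var, default))
        value = _lookup(doc, path)
        if value is None:
            violations.append(f"{label}: missing or non-numeric")
        elif kind == "min" and value < limit:
            violations.append(f"{label}: {value} < {limit}")
        elif kind == "max" and value > limit:
            violations.append(f"{label}: {value} > {limit}")
    return (not violations, violations)

# Constructed sample inputs (not output captured from the demo).
SAMPLE_SECURITY = {"security_report": {"summary": {"policy_compliance_score": 82}}}
SAMPLE_SLO_OK = {"latency_p95_ms": 12.4, "success_rate": 0.998, "throughput_p95_mbps": 240}
SAMPLE_SLO_BAD = {"latency_p95_ms": 21.0, "success_rate": 0.998}  # throughput absent

if __name__ == "__main__":
    print(evaluate_gate(SAMPLE_SECURITY, SAMPLE_SLO_OK, env={}))
    print(evaluate_gate(SAMPLE_SECURITY, SAMPLE_SLO_BAD, env={}))
```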
╔══════════════════════════════════════════════════════════════════════╗
║ ║
║ 🎉 DEMO SUCCESS! Intent-to-O2 Pipeline Completed Successfully ║
║ ║
║ ✅ Phase-0 Infrastructure Validated ║
║ ✅ O2 IMS Operator Installed ║
║ ✅ O-Cloud Provisioned ║
║ ✅ Security Precheck Passed ║
║ ✅ Edge Overlay Published ║
║ ✅ SLO Postcheck Validated ║
║ ║
╚══════════════════════════════════════════════════════════════════════╝
# Execute rollback with state comparison
make demo-rollback
# Rollback with custom reason
ROLLBACK_REASON="demo-reset" make demo-rollback
# Dry-run rollback preview
make demo-rollback DRY_RUN=true
# Git revert strategy (preserves history)
ROLLBACK_STRATEGY=revert ./scripts/demo_rollback.sh
# Git reset strategy (clean rollback)
ROLLBACK_STRATEGY=reset ./scripts/demo_rollback.sh
# Demonstration cleanup strategy
ROLLBACK_STRATEGY=demonstrate ./scripts/demo_rollback.sh
- System State Snapshots: Git, Kubernetes, O2IMS, filesystem
- Visual Diff Reports: HTML comparison with change highlighting
- Impact Analysis: Quantified changes with severity assessment
- Audit Trail: Complete rollback action logging
| Strategy | Description | Use Case |
|---|---|---|
| revert | Git revert (preserves history) | Production-safe rollback |
| reset | Git reset to main branch | Clean slate rollback |
| demonstrate | Demo cleanup (artifacts, namespaces) | Demo reset for re-run |
# Demo execution mode
DEMO_MODE=presentation # presentation|development|debug
# Network configuration
VM2_IP=172.16.4.45 # VM-2 IP address
NETWORK_SUBNET=172.16.0.0/16 # Expected network subnet
# Timeout configuration
TIMEOUT_STEP=300 # Per-step timeout (seconds)
TIMEOUT_TOTAL=1800 # Total demo timeout (seconds)
# Error handling
CONTINUE_ON_ERROR=false # Continue on step failures
DRY_RUN=false # Dry-run mode
# Artifact configuration
ARTIFACTS_DIR=./artifacts/demo # Artifacts output directory
SKIP_CLEANUP=false # Skip cleanup on exit
# Security validation levels
SECURITY_POLICY_LEVEL=strict # strict|permissive
ALLOW_UNSIGNED=false # Allow unsigned container images
# Compliance thresholds
COMPLIANCE_THRESHOLD=60 # Minimum compliance score (%)
# SLO thresholds
LATENCY_P95_THRESHOLD_MS=15 # Max latency P95 (ms)
SUCCESS_RATE_THRESHOLD=0.995 # Min success rate
THROUGHPUT_P95_THRESHOLD_MBPS=200 # Min throughput P95 (Mbps)
# Rollback behavior
ROLLBACK_STRATEGY=revert # revert|reset|demonstrate
ROLLBACK_REASON=SLO-violation # Rollback reason
GENERATE_REPORTS=true # Generate rollback reports
SHOW_VISUAL_DIFF=true # Display visual differences
Create .demo.conf in project root:
# Demo-specific configuration
DEMO_MODE=presentation
VM2_IP=172.16.4.45
ARTIFACTS_DIR=./artifacts/demo-$(date +%Y%m%d-%H%M%S)
CONTINUE_ON_ERROR=false
Create .security.conf in project root:
# Security validation configuration
SECURITY_POLICY_LEVEL=strict
COMPLIANCE_THRESHOLD=75
ALLOW_UNSIGNED=false
Create .postcheck.conf in project root:
# SLO validation thresholds
LATENCY_P95_THRESHOLD_MS=10
SUCCESS_RATE_THRESHOLD=0.999
THROUGHPUT_P95_THRESHOLD_MBPS=300
Issue: Missing required tools
# Error: "kubectl is required but not installed"
# Solution: Install kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin/
Issue: Kubernetes cluster not accessible
# Error: "Unable to connect to Kubernetes cluster"
# Solution: Configure kubeconfig
export KUBECONFIG=/path/to/your/kubeconfig
kubectl cluster-info
Issue: Cannot reach VM-2
# Error: "VM-2 not accessible on common ports"
# Diagnosis steps:
ping -c 3 172.16.4.45
nc -zv 172.16.4.45 6443
nc -zv 172.16.4.45 30080
# Solutions:
# 1. Verify VM-2 is running and accessible
# 2. Check firewall rules
# 3. Verify security group configurations
# 4. Update VM2_IP environment variable if different
Issue: Wrong network subnet
# Error: "Local IP not in expected subnet"
# Solution: Override network assumptions
export NETWORK_SUBNET=your.actual.subnet/cidr
export VM2_IP=your.vm2.ip.address
Phase-0 Check Failures
# Issue: porch-system pods not running
kubectl get pods -n porch-system
kubectl describe pod -n porch-system
# Solution: Install/restart Nephio components
kubectl apply -f https://github.com/nephio-project/nephio/releases/latest/download/install.yaml
O2IMS Installation Failures
# Issue: CRD installation failed
# Solution: Check cluster-admin permissions
kubectl auth can-i create customresourcedefinitions
# Issue: Operator pods failing
kubectl logs -n o2ims deployment/o2ims-controller
Security Precheck Failures
# Issue: Security compliance score below threshold
# Solution: Review security report
jq '.security_report.summary.policy_compliance_score' reports/security-latest.json
# Solution: Run in development mode
SECURITY_POLICY_LEVEL=permissive make demo
SLO Validation Failures
# Issue: SLO thresholds not met
# Solution: Check VM-2 observability endpoint
curl -s http://172.16.4.45:30090/metrics/api/v1/slo | jq .
# Solution: Adjust thresholds for demo environment
export LATENCY_P95_THRESHOLD_MS=50
export SUCCESS_RATE_THRESHOLD=0.95
# Full debug mode with verbose logging
DEMO_MODE=debug VERBOSE=true make demo
# Continue on errors for full diagnosis
CONTINUE_ON_ERROR=true DEMO_MODE=debug make demo
# Dry-run with debug information
DRY_RUN=true DEMO_MODE=debug make demo
# Review all step logs
ls -la artifacts/demo/step-*.log
tail -f artifacts/demo/step-*.log
# Check demo report for failure details
jq '.steps[] | select(.status == "FAILED")' artifacts/demo/demo-report.json
# Review security report details
jq '.security_report.findings' reports/security-latest.json
# Full cleanup and restart
make clean
make demo-rollback ROLLBACK_STRATEGY=demonstrate
make demo
# Skip completed phases
make o2ims-install # If p0-check passed
make ocloud-provision # If o2ims-install passed
# ... continue from where it failed
# Nuclear option: reset everything
git checkout main
make clean
./scripts/demo_rollback.sh --strategy reset
make demo
- Introduction (2 minutes)
  - Show demo banner and overview
  - Explain the intent pipeline architecture
  - Highlight security-first approach
- Prerequisites Validation (2 minutes)
  - Run make check-prereqs
  - Show network connectivity to VM-2
  - Demonstrate Kubernetes cluster access
- One-Click Demo Execution (15-20 minutes)
  - Execute make demo
  - Highlight progress indicators and timing
  - Show each phase completing successfully
  - Point out security validation gates
- Results Review (3 minutes)
  - Show success banner
  - Navigate through generated artifacts
  - Open HTML reports in browser
  - Highlight key metrics and compliance scores
- Rollback Demonstration (5 minutes)
  - Execute make demo-rollback
  - Show before/after state comparison
  - Highlight automated rollback capabilities
  - Show audit trail and impact analysis
- Cloud-Native Architecture: Kubernetes-native with GitOps workflows
- Security Integration: Default-on security with comprehensive validation
- Standards Compliance: TMF921, 3GPP TS 28.312, O-RAN specifications
- Production Readiness: SLO-gated deployments with automated rollback
- Observability: Comprehensive monitoring and reporting
- Intent Transformation: TMF921 → 28.312 → KRM mapping details
- Security Architecture: Sigstore, Kyverno, cert-manager integration
- GitOps Implementation: Flux/ArgoCD with Nephio R5
- O2 IMS Integration: ProvisioningRequest lifecycle management
- SLO Implementation: Metrics collection and threshold validation
# Show intent transformation pipeline
# Each command runs in a subshell so the working directory returns to the project root
(cd tools/intent-gateway && ./intent-gateway validate --file ../../samples/tmf921/emergency_slice_intent.json)
(cd tools/tmf921-to-28312 && ./tmf921-to-28312 convert --input ../../samples/tmf921/emergency_slice_intent.json)
# Demonstrate security validation
make security-report-strict
jq '.security_report.summary' reports/security-latest.json
# Show O2 IMS integration
kubectl get provisioningrequests -A
kubectl describe provisioningrequest -n o2ims
# Monitor SLO validation
curl -s http://172.16.4.45:30090/metrics/api/v1/slo | jq .
- Architecture: docs/ARCHITECTURE.md
- Operations: docs/OPERATIONS.md
- Security: docs/SECURITY.md
- Pipeline Details: docs/PIPELINE.md
- References: docs/REFERENCES.md
- Intent Gateway: tools/intent-gateway/README.md
- TMF921-to-28312: tools/tmf921-to-28312/README.md
- O2IMS SDK: o2ims-sdk/README.md
- Security Guardrails: guardrails/README.md
- Nephio R5: https://nephio.org/releases/r5
- O-RAN O2 IMS: https://docs.o-ran-sc.org/projects/o-ran-sc-smo-o2/en/latest/
- TMF921: https://www.tmforum.org/resources/specification/tmf921-intent-management-api/
- 3GPP TS 28.312: https://www.3gpp.org/ftp/Specs/archive/28_series/28.312/
- kpt Functions: https://kpt.dev/book/04-using-functions/
- GitHub Issues: Project Issues
- Discussion Forum: GitHub Discussions
- Nephio Community: Nephio Slack
- O-RAN Community: O-RAN Software Community
This comprehensive demo system provides:
✅ One-Click Execution: Complete pipeline with single make demo command
✅ Visual Progress: Real-time progress indicators and timing metrics
✅ Comprehensive Reporting: JSON and HTML reports with detailed analysis
✅ Security Integration: Default-on security with compliance validation
✅ Automated Rollback: SLO-gated deployments with automatic recovery
✅ Production-Ready: Cloud-native architecture with GitOps workflows
✅ Presentation-Ready: Visual banners, success indicators, and artifact generation
The demo successfully showcases the complete Nephio Intent-to-O2 pipeline with verifiable security, automated deployment, and comprehensive observability suitable for evaluation, presentation, and production deployment scenarios.
Generated by Nephio Intent-to-O2 Demo System - Comprehensive cloud-native intent pipeline for Telco & O-RAN