Policy Control Function Customization Parameters

Note:

  • All parameters mentioned as mandatory must be present in the custom values file.
  • All fixed value parameters mentioned must be present in the custom values file with the exact values as specified here.

Global Configurations

These configuration parameters are common to all microservices.

Table 5-1 Customizable Parameters

| Parameter | Description | Mandatory Parameter | Default Value | Notes |
| --- | --- | --- | --- | --- |
| dockerRegistry | Name of the Docker registry which hosts Policy Control Function (PCF) docker images | Yes | Not applicable | This is a docker registry running in the OCCNE bastion server where all PCF docker images will be loaded. For example, 'occne-bastion:5000' |
| envMysqlHost | IP address or host name of the MySQL server which hosts PCF's databases | Yes | Not applicable | |
| cmServiceNodePort | Custom node port for CM service | No | 0 | When not specified (default 0), Kubernetes assigns a random port. |
| pcfDiamGatewayNodePort | Custom node port for Diameter Gateway service | No | 0 | When not specified, Kubernetes assigns a random port. |
| envJaegerAgentHost | Hostname or IP address for the Jaeger agent | Yes | Not applicable | This parameter is the FQDN of the Jaeger Agent service running in the OCCNE cluster under namespace occne-infra. |
| dbCredSecretName | Name of the Kubernetes secret object containing the database username and password | Yes | Not applicable | Refer to Appendix B for K8s Secret Creation. |
| pcfApiRoot | API root of PCF that is used in notification URLs generated by PCF when sending requests to other producer NFs (like NRF, UDR, CHF, etc.) | No | Ingress gateway service name and port | If not configured, the ingress gateway service name and port are used as the default value. Example: If the PCF is deployed in namespace "site1" with https enabled on port 443, then the default value will be "https://site1-pcf-egress-gateway:443" |

Mandatory Fixed Value Parameters
| Name | Value |
| --- | --- |
| imageServiceDetector | readiness-detector:1.5.0 |

Core Services

Table 5-2 Customizable Parameters

| Parameter | Description | Mandatory Parameter | Default Value | Notes |
| --- | --- | --- | --- | --- |
| am-service.envMysqlDatabase | Name of the database for AM-Service | No | pcf_amservice | |
| sm-service.envMysqlDatabase | Name of the database for SM-Service | No | pcf_smservice | |
| sm-service.auditSmSessionTtl | | No | 86400 | |
| sm-service.auditSmSessionMaxTtl | | No | 172800 | |
| sm-service.defaultBsfApiRoot | API root of pre-configured BSF | No | Not applicable | Required if PCF uses a pre-configured BSF. For example: "https://bsf.apigateway:8001/" |
| user-service.envMysqlDatabase | Name of the database for User-Service | No | pcf_userservice | |

Common Services

Table 5-3 Customizable Parameters

| Parameter | Description | Mandatory Parameter | Default Value | Notes |
| --- | --- | --- | --- | --- |
| cm-service.envMysqlDatabaseSessionViewer | Name of the database for Session viewer. (SM Service database name) | Yes | Not applicable | Specify the value of sm-service.envMysqlDatabase. If no value is specified for sm-service.envMysqlDatabase then assign "pcf_smservice". |
| config-server.envMysqlDatabase | Name of the database for Config Server service | No | ocpm_config_server | |
| nrf-client.configmap.nrfHost | IP address or hostname (FQDN) of NRF | Yes | Not applicable | |
| nrf-client.configmap.nrfServicePort | Service port of NRF | Yes | Not applicable | |
| nrf-client.cacheNfProfilesDiscoveredOnDemand | Enable this if PCF is expected to cache the NF profiles of NFs "discovered on demand" (not discovered during startup) | No | False | |
| cm-service.enableHttps | Flag to enable/disable HTTPS for cm-service GUI/API | No | False | |
| queryservice.envMysqlDatabase | Specify the database name of SM service | Yes | pcf_smservice | |
| perf-info.configmapPerformance.prometheus | Specifies Prometheus server URL | No | http://prometheus-server.prometheus:5802 | If no value is specified, the PCF load reported to NRF is always 0. |
| appinfo.serviceAccountName | K8s Service Account to access (RBAC) the K8s API server to retrieve status of PCF services and pods. The account should have read access ("get", "watch", "list") to pods, services and nodes | No | Not applicable | If no value is specified, PCF creates a service account at the time of deployment. |

Diameter

Table 5-4 Customizable Parameters

| Parameter | Description | Mandatory Parameter | Default Value | Notes |
| --- | --- | --- | --- | --- |
| diam-connector.envDiameterRealm | Diameter Realm of PCF | Yes | Not applicable | example: oracle.com |
| diam-connector.envDiameterIdentity | Diameter Host of PCF | Yes | Not applicable | example: ocpcf |
| diam-gateway.envDiameterRealm | Diameter Realm of PCF diameter gateway | Yes | Not applicable | example: oracle.com |
| diam-gateway.envDiameterIdentity | Diameter Host of PCF diameter gateway | Yes | Not applicable | example: ocpcf-gateway |

Ingress Gateway Service

Table 5-5 Customizable Parameters

| Parameter | Description | Mandatory Parameter | Default Value | Notes |
| --- | --- | --- | --- | --- |
| global.publicHttpSignalingPort | HTTP/2.0 Port of ingress gateway | No | 80 | |
| global.publicHttpsSignallingPort | HTTPS/2.0 Port of ingress gateway | No | 443 | |
| global.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | No | false | |
| global.metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | No | "metallb.universe.tf/address-pool: signaling" | |
| ingress-gateway.serviceMeshCheck | Enable this parameter if load balancing is handled by Service Mesh | No | False | |
| ingress-gateway.oauthValidatorEnabled | Enable or disable Oauth Validator | Yes | False | |
| ingress-gateway.nfInstanceId | NF Instance Id of service producer | No | 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11 | |
| ingress-gateway.allowedClockSkewSeconds | Set this value if the clock on the parsing NF (producer) is not perfectly in sync with the clock on the NF (consumer) that created the JWT | No | 0 | |
| ingress-gateway.nrfPublicKeyKubeSecret | Name of the secret which stores the public key(s) of NRF | No | | |
| ingress-gateway.nrfPublicKeyKubeNamespace | Namespace of the NRF public key secret | No | | |
| ingress-gateway.validationType | Possible values are: strict, relaxed. strict: if the incoming request does not contain an "Authorization" (Access Token) header, the request is rejected. relaxed: if the incoming request contains an "Authorization" header, it is validated; if the incoming request does not contain an "Authorization" header, validation is ignored. | No | | |
| ingress-gateway.producerPlmnMNC | MNC of the service producer | No | | |
| ingress-gateway.producerPlmnMCC | MCC of the service producer | No | | |
| ingress-gateway.enableIncomingHttp | To enable http (INSECURE) for ingress traffic | No | False | |
| ingress-gateway.enableIncomingHttps | To enable https for ingress traffic | No | False | If this parameter is enabled, refer to Creating Private Keys and Certificates for Ingress Gateway and Egress Gateway for creating private keys and certificates. |
| ingress-gateway.service.ssl.privateKey.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.privateKey.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.privateKey.rsa.fileName | rsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.certificate.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.certificate.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.certificate.rsa.fileName | rsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.certificate.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.caBundle.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.caBundle.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.caBundle.rsa.fileName | rsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.keyStorePassword.fileName | File name that has password for keyStore | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
| ingress-gateway.service.ssl.trustStorePassword.fileName | File name that has password for trustStore | No | Not Applicable | required if enableIncomingHttp is true |
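
An added example (not part of the original page and not Oracle's code): a check over a parsed custom values file for the ingress gateway transport and OAuth settings listed in Table 5-5. It assumes the dotted parameter names map to nested keys, and that the service.ssl.* secret references are needed when enableIncomingHttps is true, following the note on that parameter; the sample values are constructed.

```python
# Added example. Assumption: dotted names in Table 5-5 are nested keys in the
# parsed custom values file (e.g. the dict returned by a YAML loader).
SSL_PARTS = ("privateKey", "certificate", "caBundle",
             "keyStorePassword", "trustStorePassword")
SSL_REFS = [f"service.ssl.{part}.{leaf}" for part in SSL_PARTS
            for leaf in ("k8SecretName", "k8NameSpace")]

def lookup(values, dotted):
    """Walk nested dicts along a dotted path; None if any key is missing."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def enabled(value):
    """Accept booleans and the 'True'/'False' spellings used in the table."""
    return str(value).strip().lower() == "true"

def lint_ingress(values):
    """Return a list of findings for the ingress-gateway section."""
    gw = values.get("ingress-gateway") or {}
    findings = []
    if enabled(lookup(gw, "enableIncomingHttp")):
        findings.append("enableIncomingHttp: cleartext HTTP accepted on ingress")
    if not enabled(lookup(gw, "enableIncomingHttps")):
        findings.append("enableIncomingHttps: TLS not enabled for ingress traffic")
    else:
        # Assumption: secret references are needed once HTTPS is enabled.
        findings += [f"{ref}: not set while enableIncomingHttps is true"
                     for ref in SSL_REFS if not lookup(gw, ref)]
    if not enabled(lookup(gw, "oauthValidatorEnabled")):
        findings.append("oauthValidatorEnabled: access tokens are not validated")
    elif lookup(gw, "validationType") != "strict":
        findings.append("validationType: not set to strict; in relaxed mode "
                        "requests without an Authorization header are not validated")
    return findings

# Constructed sample values, not taken from the page.
WEAK = {"ingress-gateway": {
    "enableIncomingHttp": True, "enableIncomingHttps": False,
    "oauthValidatorEnabled": True, "validationType": "relaxed"}}
HARDENED = {"ingress-gateway": {
    "enableIncomingHttp": False, "enableIncomingHttps": True,
    "oauthValidatorEnabled": True, "validationType": "strict",
    "service": {"ssl": {part: {"k8SecretName": "pcf-gw-tls",
                               "k8NameSpace": "site1"} for part in SSL_PARTS}}}}
```

Calling `lint_ingress(WEAK)` returns three findings and `lint_ingress(HARDENED)` returns an empty list.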

Egress Gateway Service

Table 5-6 Customization Parameters

| Parameter | Description | Mandatory Parameter | Default Value | Notes |
| --- | --- | --- | --- | --- |
| egress-gateway.oauthClientEnabled | Oauth Validator Enabled | No | false | |
| egress-gateway.nrfAuthority | NRF's ${HOSTNAME}:{PORT} | No | Not Applicable | Modify the parameter with actual value, if oAuth is enabled. |
| egress-gateway.nfInstanceId | NF InstanceId of Producer | No | Not Applicable | Modify the parameter with actual value, if oAuth is enabled. |
| egress-gateway.consumerPlmnMNC | MNC of service Consumer | No | | Modify the parameter with actual value, if oAuth is enabled. |
| egress-gateway.consumerPlmnMCC | MCC of service Consumer | No | | Modify the parameter with actual value, if oAuth is enabled. |
| egress-gateway.enableOutgoingHttps | Enables https for outgoing requests | No | | If this parameter is enabled, refer to Creating Private Keys and Certificates for Ingress Gateway and Egress Gateway for creating private keys and certificates. |
| egress-gateway.egressGwCertReloadEnabled | | No | | |
| egress-gateway.egressGwCertReloadPath | | No | | |
| egress-gateway.service.ssl.privateKey.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.privateKey.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.privateKey.rsa.fileName | rsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.rsa.fileName | rsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.caBundle.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.caBundle.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.caBundle.rsa.fileName | rsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.keyStorePassword.fileName | File name that has password for keyStore | No | Not Applicable | |
| egress-gateway.service.ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.trustStorePassword.fileName | File name that has password for trustStore | No | Not Applicable | |
| egress-gateway.scpIntegrationEnabled | Change this to false when scp integration is not required | No | false | |
| egress-gateway.scpHttpHost | SCP HTTP IP/FQDN | No | Not Applicable | |
| egress-gateway.scpHttpPort | SCP HTTP PORT | No | 80 | |
| egress-gateway.scpHttpsHost | SCP HTTPS IP/FQDN | No | n/a | |
| egress-gateway.scpHttpsPort | SCP HTTPS PORT | No | 443 | |
| egress-gateway.scpApiPrefix | Change this value to corresponding prefix. "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | No | / | |
| egress-gateway.scpDefaultScheme | Default scheme applicable when 3gpp-sbi-target-apiroot header is missing | No | https | |
| egress-gateway.K8ServiceCheck | Enable this if load balancing is to be done by egress instead of K8s | No | false | |