Policy Control Function Customization Parameters
Note:
- All parameters mentioned as mandatory must be present in custom values file.
- All fixed value parameters mentioned must be present in the custom values file with the exact values as specified here.
Global Configurations
These configuration parameters are common for all micro services.
Table 5-1 Customizable Parameters
Parameter | Description | Mandatory Parameter | Default Value | Notes |
---|---|---|---|---|
dockerRegistry | Name of the Docker registry which hosts Policy Control Function (PCF) docker images | Yes | Not applicable | This is a docker registry running in OCCNE bastion server where all PCF docker images will be loaded. For example, 'occne-bastion:5000' |
envMysqlHost | IP address or host name of the MySql server which hosts PCF's databases | Yes | Not applicable | |
cmServiceNodePort | Custom node port for CM service | No | 0 | When not specified (default 0), kubernetes assigns a random port. |
pcfDiamGatewayNodePort | Custom node port for Diameter Gateway service | No | 0 | When not specified, kubernetes assigns a random port. |
envJaegerAgentHost | Hostname or IP address for the jaeger agent | Yes | Not applicable | This parameter is the fqdn of Jaeger Agent service running in OCCNE cluster under namespace occne-infra. |
dbCredSecretName | Name of the Kubernetes secret object containing Database username and password | Yes | Not applicable | Refer Appendix B for K8s Secret Creation. |
pcfApiRoot | API root of PCF that is used in notification URLs generated by PCF when sending requests to other producer NFs (such as NRF, UDR, CHF, etc.) | No | Ingress gateway service name and port | If not configured, the ingress gateway service name and port are used as the default value. Example: if the PCF is deployed in namespace "site1" with HTTPS enabled on port 443, the default value is "https://site1-pcf-egress-gateway:443" |
Mandatory Fixed Value Parameters
Name | Value |
---|---|
imageServiceDetector | readiness-detector:1.5.0 |
Core Services
Table 5-2 Customizable Parameters
Parameter | Description | Mandatory Parameter | Default Value | Notes |
---|---|---|---|---|
am-service.envMysqlDatabase | Name of the database for AM-Service | No | pcf_amservice | |
sm-service.envMysqlDatabase | Name of the database for SM-Service | No | pcf_smservice | |
sm-service.auditSmSessionTtl | | No | 86400 | |
sm-service.auditSmSessionMaxTtl | | No | 172800 | |
sm-service.defaultBsfApiRoot | Api root of pre-configured BSF | No | Not applicable | Required, if PCF uses pre-configured BSF. For Example: "https://bsf.apigateway:8001/" |
user-service.envMysqlDatabase | Name of the database for User-Service | No | pcf_userservice | |
Common Services
Table 5-3 Customizable Parameters
Parameter | Description | Mandatory Parameter | Default Value | Notes |
---|---|---|---|---|
cm-service.envMysqlDatabaseSessionViewer | Name of the database for Session viewer. (SM Service database name) | Yes | Not applicable | Specify the value of sm-service.envMysqlDatabase. If no value is specified for sm-service.envMysqlDatabase then assign "pcf_smservice". |
config-server.envMysqlDatabase | Name of the database for Config Server service | No | ocpm_config_server | |
nrf-client.configmap.nrfHost | IP Address or hostname(Fqdn) of NRF | Yes | Not applicable | |
nrf-client.configmap.nrfServicePort | Service port of NRF | Yes | Not applicable | |
nrf-client.cacheNfProfilesDiscoveredOnDemand | Enable this if PCF is expected to cache the NF profiles of NFs "discovered on demand" (not discovered during startup) | No | False | |
cm-service.enableHttps | Flag to enable/disable HTTPS for cm-service GUI/API | No | False | |
queryservice.envMysqlDatabase | Specify the database name of SM service | Yes | pcf_smservice | |
perf-info.configmapPerformance.prometheus | Specifies Prometheus server URL | No | http://prometheus-server.prometheus:5802 | If no value is specified, the PCF load reported to NRF is always 0. |
appinfo.serviceAccountName | K8s Service Account used to access (RBAC) the K8s API server to retrieve the status of PCF services and pods. The account should have read access ("get", "watch", "list") to pods, services and nodes | No | Not applicable | If no value is specified, PCF creates a service account at the time of deployment. |
Diameter
Table 5-4 Customizable Parameters
Parameter | Description | Mandatory Parameter | Default Value | Notes |
---|---|---|---|---|
diam-connector.envDiameterRealm | Diameter Realm of PCF | Yes | Not applicable | example: oracle.com |
diam-connector.envDiameterIdentity | Diameter Host of PCF | Yes | Not applicable | example: ocpcf |
diam-gateway.envDiameterRealm | Diameter Realm of PCF diameter gateway | Yes | Not applicable | example: oracle.com |
diam-gateway.envDiameterIdentity | Diameter Host of PCF diameter gateway | Yes | Not applicable | example: ocpcf-gateway |
Ingress Gateway Service
Table 5-5 Customizable Parameters
Parameter | Description | Mandatory Parameter | Default Value | Notes |
---|---|---|---|---|
global.publicHttpSignalingPort | HTTP/2.0 Port of ingress gateway | No | 80 | |
global.publicHttpsSignallingPort | HTTPS/2.0 Port of ingress gateway | No | 443 | |
global.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | No | false | |
global.metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | No | "metallb.universe.tf/address-pool: signaling" | |
ingress-gateway.serviceMeshCheck | Enable this parameter if load balancing is handled by Service Mesh | No | False | |
ingress-gateway.oauthValidatorEnabled | Enable or disable Oauth Validator | Yes | False | |
ingress-gateway.nfInstanceId | NF Instance Id of service producer | No | 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11 | |
ingress-gateway.allowedClockSkewSeconds | Set this value if the clock on the parsing NF (producer) is not perfectly in sync with the clock on the NF (consumer) that created the JWT | No | 0 | |
ingress-gateway.nrfPublicKeyKubeSecret | Name of the secret which stores the public key(s) of NRF | No | | |
ingress-gateway.nrfPublicKeyKubeNamespace | Namespace of the NRF public key secret | No | | |
ingress-gateway.validationType | Possible values are: strict - if the incoming request does not contain an "Authorization" (Access Token) header, the request is rejected. relaxed - if the incoming request contains an "Authorization" header, it is validated; if the incoming request does not contain an "Authorization" header, validation is ignored. | No | | |
ingress-gateway.producerPlmnMNC | MNC of the service producer | No | | |
ingress-gateway.producerPlmnMCC | MCC of the service producer | No | | |
ingress-gateway.enableIncomingHttp | To enable http (INSECURE) for ingress traffic | No | False | |
ingress-gateway.enableIncomingHttps | To enable https for ingress traffic | No | False | If this parameter is enabled, refer Creating Private Keys and Certificates for Ingress Gateway and Egress Gateway for creating private keys and certificates. |
ingress-gateway.service.ssl.privateKey.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.privateKey.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.privateKey.rsa.fileName | rsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.certificate.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.certificate.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.certificate.rsa.fileName | rsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.certificate.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.caBundle.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.caBundle.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.caBundle.rsa.fileName | rsa private key file name | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.keyStorePassword.fileName | File name that has password for keyStore | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | required if enableIncomingHttp is true |
ingress-gateway.service.ssl.trustStorePassword.fileName | File name that has password for trustStore | No | Not Applicable | required if enableIncomingHttp is true |
Egress Gateway Service
Table 5-6 Customization Parameters
Parameter | Description | Mandatory Parameter | Default Value | Notes |
---|---|---|---|---|
egress-gateway.oauthClientEnabled | Oauth Validator Enabled | No | false | |
egress-gateway.nrfAuthority | NRF's ${HOSTNAME}:{PORT} | No | Not Applicable | Modify the parameter with actual value, if oAuth is enabled. |
egress-gateway.nfInstanceId | NF InstanceId of Producer | No | Not Applicable | Modify the parameter with actual value, if oAuth is enabled. |
egress-gateway.consumerPlmnMNC | MNC of service Consumer | No | | Modify the parameter with actual value, if oAuth is enabled. |
egress-gateway.consumerPlmnMCC | MCC of service Consumer | No | | Modify the parameter with actual value, if oAuth is enabled. |
egress-gateway.enableOutgoingHttps | Enabling it for outgoing https request | No | | If this parameter is enabled, refer Creating Private Keys and Certificates for Ingress Gateway and Egress Gateway for creating private keys and certificates. |
egress-gateway.egressGwCertReloadEnabled | | No | | |
egress-gateway.egressGwCertReloadPath | | No | | |
egress-gateway.service.ssl.privateKey.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
egress-gateway.service.ssl.privateKey.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
egress-gateway.service.ssl.privateKey.rsa.fileName | rsa private key file name | No | Not Applicable | |
egress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | |
egress-gateway.service.ssl.certificate.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
egress-gateway.service.ssl.certificate.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
egress-gateway.service.ssl.certificate.rsa.fileName | rsa private key file name | No | Not Applicable | |
egress-gateway.service.ssl.certificate.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | |
egress-gateway.service.ssl.caBundle.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
egress-gateway.service.ssl.caBundle.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
egress-gateway.service.ssl.caBundle.rsa.fileName | rsa private key file name | No | Not Applicable | |
egress-gateway.service.ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
egress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
egress-gateway.service.ssl.keyStorePassword.fileName | File name that has password for keyStore | No | Not Applicable | |
egress-gateway.service.ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
egress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
egress-gateway.service.ssl.trustStorePassword.fileName | File name that has password for trustStore | No | Not Applicable | |
egress-gateway.scpIntegrationEnabled | Change this to false when scp integration is not required | No | false | |
egress-gateway.scpHttpHost | SCP HTTP IP/FQDN | No | Not Applicable | |
egress-gateway.scpHttpPort | SCP HTTP PORT | No | 80 | |
egress-gateway.scpHttpsHost | SCP HTTPS IP/FQDN | No | n/a | |
egress-gateway.scpHttpsPort | SCP HTTPS PORT | No | 443 | |
egress-gateway.scpApiPrefix | Change this value to the corresponding prefix; "/" is not expected to be provided along with it. Applicable only for SCP with TLS enabled. | No | / | |
egress-gateway.scpDefaultScheme | Default scheme applicable when 3gpp-sbi-target-apiroot header is missing | No | https | |
egress-gateway.K8ServiceCheck | Enable this if loadbalancing is to be done by egress instead of K8s | No | false | |
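
A pre-deployment check for the custom values file, as an added example (not Oracle's code and not part of the original page): it flags missing mandatory parameters from Tables 5-1 through 5-5, a wrong fixed value, and the ingress gateway settings that weaken access control. It assumes the file has already been parsed into a nested mapping whose keys follow the dotted parameter names exactly as written in the tables; `audit`, `flatten` and the finding labels are hypothetical names.

```python
# Added example. Assumption: keys are nested exactly as the dotted names in the tables.
MANDATORY = [
    "dockerRegistry", "envMysqlHost", "envJaegerAgentHost", "dbCredSecretName",
    "cm-service.envMysqlDatabaseSessionViewer", "queryservice.envMysqlDatabase",
    "nrf-client.configmap.nrfHost", "nrf-client.configmap.nrfServicePort",
    "diam-connector.envDiameterRealm", "diam-connector.envDiameterIdentity",
    "diam-gateway.envDiameterRealm", "diam-gateway.envDiameterIdentity",
    "ingress-gateway.oauthValidatorEnabled",
]
FIXED = {"imageServiceDetector": "readiness-detector:1.5.0"}
GW = "ingress-gateway."

def flatten(node, prefix=""):
    """Turn nested values into {'a.b.c': value} with dotted keys."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def audit(values):
    flat, findings = flatten(values), []
    for key in MANDATORY:  # rows marked "Mandatory Parameter: Yes"
        if flat.get(key) in (None, ""):
            findings.append(("missing-mandatory", key))
    for key, want in FIXED.items():  # must carry the documented value exactly
        if flat.get(key) != want:
            findings.append(("fixed-value-mismatch", key))
    if flat.get(GW + "enableIncomingHttp") is True:  # marked INSECURE in Table 5-5
        findings.append(("cleartext-ingress", GW + "enableIncomingHttp"))
    if flat.get(GW + "oauthValidatorEnabled") is not True:
        findings.append(("oauth-validation-off", GW + "oauthValidatorEnabled"))
    elif flat.get(GW + "validationType") != "strict":
        # relaxed: requests without an Authorization header skip validation
        findings.append(("token-optional", GW + "validationType"))
    return findings

SAMPLE = {  # constructed values, not a real deployment
    "dockerRegistry": "occne-bastion:5000", "envMysqlHost": "mysql.example.internal",
    "envJaegerAgentHost": "", "dbCredSecretName": "pcf-db-secret",
    "imageServiceDetector": "readiness-detector:1.5.0",
    "ingress-gateway": {"oauthValidatorEnabled": True, "validationType": "relaxed",
                        "enableIncomingHttp": True},
}
if __name__ == "__main__":
    for finding, param in audit(SAMPLE):
        print(f"{finding}: {param}")
```

If the chart in use places the global parameters under a `global:` block, adjust the paths in `MANDATORY` and `FIXED` accordingly.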