5 OCNRF pre-deployment configuration

This chapter is divided into the following sections:

  1. Verify and create kubernetes namespace

    Note:

    This is a mandatory procedure; execute it before proceeding any further. The namespace created or verified in this procedure is an input for the next procedures.
  2. Creation of Service Account, Role and Role bindings

    Note:

    The following are sample steps. If a service account with role and role bindings is already configured, or the user has a previously prepared procedure to create the service account, skip this procedure.
  3. Creation of MySql database and user for OCNRF
  4. Creation of kubernetes secret for MySql database/User details
  5. Creation of kubernetes secrets for enabling HTTPS
  6. Creation of kubernetes secret for enabling AccessToken service

Verify and create kubernetes namespace

This section explains how the user can verify whether the required namespace exists in the system. If the namespace does not exist, the user must create it.

Procedure

  1. Verify whether the required namespace already exists in the system:
    $ kubectl get namespaces
  2. In the output of the above command, check whether the required namespace is present. If not, create the namespace using the following command:

    Note:

    This is an optional step. If the required namespace already exists, proceed with the next procedures.
    $ kubectl create namespace <required namespace>
    For example:
    $ kubectl create namespace ocnrf

Creation of Service Account, Role and Role bindings

This section explains how the user can create the service account and the required role and role binding resources. Sample templates for the resources are given below. The sample template can be filled in and added to a sample resource input yaml file, for example ocnrf-sample-resource-template.yaml.

Example command for creating the resources

kubectl -n <ocnrf-namespace> create -f ocnrf-sample-resource-template.yaml

Sample template to create the resources

Note:

Update the <helm-release> and <namespace> placeholders below with the OCNRF namespace and the planned OCNRF helm release name.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <helm-release>-ocnrf-serviceaccount
  namespace: <namespace>
---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: <helm-release>-ocnrf-role
  namespace: <namespace>
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - services
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs: # read-only access; no create, update or delete verbs are granted
  - get
  - watch
  - list
---

apiVersion: rbac.authorization.k8s.io/v1 # same API version as the Role; rbac v1beta1 was removed in kubernetes 1.22
kind: RoleBinding
metadata:
  name: <helm-release>-ocnrf-rolebinding
  namespace: <namespace>
roleRef: # roleRef takes only apiGroup, kind and name; the Role is resolved in the binding's namespace
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: <helm-release>-ocnrf-role
subjects:
- kind: ServiceAccount
  name: <helm-release>-ocnrf-serviceaccount
  namespace: <namespace>
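The following is an added check script, not part of the OCNRF guide, for use after the template above has been applied. It confirms with kubectl auth can-i that the service account can perform exactly the read-only verbs the Role grants on the listed resources and cannot perform write verbs on them. It assumes kubectl is on the PATH and targets the intended cluster, and that the service account name follows the template's <helm-release>-ocnrf-serviceaccount pattern.

```shell
# Added example (not from the OCNRF guide): check the effective RBAC of the
# service account created from the sample template, using
# `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa>`.
# Assumption: kubectl is on PATH and targets the intended cluster.
set -u

# Resources and verbs exactly as listed in the sample Role template.
ROLE_RESOURCES="services configmaps pods secrets endpoints"
ROLE_VERBS="get watch list"
# Write verbs the template does not grant; the service account must lack them.
DENIED_VERBS="create update patch delete"

# can_i VERB RESOURCE NAMESPACE SERVICEACCOUNT -> prints yes or no
can_i() {
    out=$(kubectl auth can-i "$1" "$2" -n "$3" \
              --as="system:serviceaccount:$3:$4" 2>/dev/null) || true
    case "$out" in
        yes*) echo yes ;;
        *)    echo no ;;
    esac
}

# check_rbac NAMESPACE HELM_RELEASE -> 0 if permissions match the template, else 1
check_rbac() {
    ns=$1
    sa="$2-ocnrf-serviceaccount"   # name pattern from the template
    failures=0
    for res in $ROLE_RESOURCES; do
        for verb in $ROLE_VERBS; do
            if [ "$(can_i "$verb" "$res" "$ns" "$sa")" != yes ]; then
                echo "MISSING: $sa cannot $verb $res in $ns"
                failures=$((failures + 1))
            fi
        done
        for verb in $DENIED_VERBS; do
            if [ "$(can_i "$verb" "$res" "$ns" "$sa")" = yes ]; then
                echo "EXCESS: $sa can $verb $res in $ns (not granted by the template)"
                failures=$((failures + 1))
            fi
        done
    done
    [ "$failures" -eq 0 ]
}

# Stand-alone usage: sh rbac-check.sh <namespace> <helm-release>
if [ "$#" -ge 2 ]; then check_rbac "$1" "$2"; fi
```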

Creation of MySql database and user for OCNRF

This section explains how the database administrator can create the OCNRF database and the OCNRF application user.

Note:

  1. The procedure differs for geo-redundant OCNRF sites and a standalone OCNRF site.
  2. For geo-redundant sites, the procedure below assumes that the geo-redundant DB-Tier sites are already up and the replication channels are enabled.

Procedure for Geo-Redundant OCNRF sites

  1. Login to the server/machine that has permission to access the SQL nodes of the NDB cluster.
  2. Connect to each SQL node of the NDB cluster in turn.
  3. Login to the MySQL prompt as root, or as a user who has permission to create users as described below. For example: mysql -h 127.0.0.1 -uroot -p

    Note:

    This command may vary from system to system (path of the mysql binary, root user and root password). After executing this command, the user must enter the password of the user named in the command.
  4. Check whether the OCNRF network function user already exists by executing the following command. If the user does not exist, create it:
    $ SELECT User FROM mysql.user;

    If the user already exists, move to the next step.

    Command to create a new user:
    $ CREATE USER '<OCNRF User Name>'@'%' IDENTIFIED BY '<OCNRF Password>';

    Example:
    $ CREATE USER 'nrfusr'@'%' IDENTIFIED BY 'nrfpasswd';

  5. Check whether the OCNRF network function database already exists. If the database does not exist, create it and grant permissions on it to the OCNRF user created in the above step:
    Execute the following command to check whether the database exists:
    $ show databases;

    Check whether the required database is already in the list. If the database already exists, move to the next step.

    Database creation:
    $ CREATE DATABASE IF NOT EXISTS <OCNRF Database> CHARACTER SET utf8;
    Example:
    $ CREATE DATABASE IF NOT EXISTS nrfdb CHARACTER SET utf8;
    Granting permission to the user:
    $ GRANT SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE ON <OCNRF Database>.* TO '<OCNRF User Name>'@'%';
    Example:
    $ GRANT SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE ON nrfdb.* TO 'nrfusr'@'%';
  6. Exit from MySQL prompt and SQL nodes.

Note:

Execute the commands on each SQL node of only one geo-redundant site. The other geo-redundant site(s) receive the data automatically through replication.

Procedure for standalone OCNRF site

  1. Login to the server/machine that has permission to access the SQL nodes of the NDB cluster.
  2. Connect to each SQL node of the NDB cluster in turn.
  3. Login to the MySQL prompt as root, or as a user who has permission to create users as described below. For example: mysql -h 127.0.0.1 -uroot -p

    Note:

    This command may vary from system to system (path of the mysql binary, root user and root password). After executing this command, the user must enter the password of the user named in the command.
  4. Check whether the OCNRF network function user already exists by executing the following command. If the user does not exist, create it:
    $ SELECT User FROM mysql.user;

    If the user already exists, move to the next step.

    Execute the following command to create a new user:
    $ CREATE USER '<OCNRF User Name>'@'%' IDENTIFIED BY '<OCNRF Password>';
    Example:
    $ CREATE USER 'nrfusr'@'%' IDENTIFIED BY 'nrfpasswd';
  5. Check whether the OCNRF network function database already exists. If the database does not exist, create it and grant permissions on it to the OCNRF user created in the above step:
    Execute the following command to check whether the database exists:
    $ show databases;

    Check whether the required database is already in the list. If the database already exists, move to the next step.

    Database creation:
    $ CREATE DATABASE IF NOT EXISTS <OCNRF Database> CHARACTER SET utf8;
    Example:
    $ CREATE DATABASE IF NOT EXISTS nrfdb CHARACTER SET utf8;
    Granting permission to the user:
    $ GRANT SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE ON <OCNRF Database>.* TO '<OCNRF User Name>'@'%';
    Example:
    $ GRANT SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE ON nrfdb.* TO 'nrfusr'@'%';
  6. Exit from MySQL prompt and SQL nodes.

Note:

Execute the commands on each SQL node of standalone site.
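The following is an added verification script, not part of the OCNRF guide, for use after either of the two procedures above (geo-redundant or standalone). It runs SHOW GRANTS on a SQL node and confirms that the OCNRF user exists, holds only the privileges the GRANT statement lists, only on the OCNRF database, and has no GRANT OPTION. It assumes the mysql client is on the PATH and reads the root credential from an option file such as ~/.my.cnf, so no password appears on the command line; the user and database names are the guide's examples.

```shell
# Added example (not from the OCNRF guide): after the database administrator has run the
# CREATE USER and GRANT statements above, verify from a SQL node that the OCNRF user
# exists and holds only the listed privileges, only on the OCNRF database, and no GRANT
# OPTION. Assumption: the mysql client is on PATH and takes the root credential from an
# option file (for example ~/.my.cnf), so no password appears on the command line.
set -u

# Privilege list exactly as granted in the procedure above.
ALLOWED_PRIVS="SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE"

# user_grants USER -> raw SHOW GRANTS lines for 'USER'@'%' (empty if the user is absent)
user_grants() {
    mysql -h 127.0.0.1 -N -e "SHOW GRANTS FOR '$1'@'%';" 2>/dev/null || true
}

# check_grants USER DATABASE -> 0 if every grant line is acceptable, else 1
check_grants() {
    grants=$(user_grants "$1")
    [ -n "$grants" ] || { echo "MISSING: '$1'@'%' has no grants or does not exist"; return 1; }
    printf '%s\n' "$grants" | while IFS= read -r line; do
        case "$line" in
            *"WITH GRANT OPTION"*) echo "EXCESS (grant option): $line"; exit 1 ;;
        esac
        privs=${line#GRANT }; privs=${privs%% ON *}
        scope=${line#* ON };  scope=${scope%% TO *}
        # "GRANT USAGE ON *.*" carries no privilege and is always present.
        [ "$privs $scope" = "USAGE *.*" ] && continue
        [ "$scope" = "\`$2\`.*" ] || { echo "EXCESS (scope $scope): $line"; exit 1; }
        IFS=','
        for p in $privs; do
            p=${p# }
            case ", $ALLOWED_PRIVS," in
                *", $p,"*) ;;
                *) echo "EXCESS (privilege $p): $line"; exit 1 ;;
            esac
        done
    done
}

# Stand-alone usage: sh grant-check.sh nrfusr nrfdb
if [ "$#" -ge 2 ]; then check_grants "$1" "$2"; fi
```

Privileges are compared as a set because SHOW GRANTS prints them in the server's own order, not the order used in the GRANT statement.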

Creation of kubernetes secret for MySql database/User details

This section explains how to store the MySql database and user details created by the database administrator in the above section in a kubernetes secret, so that OCNRF can access the database. This section must be executed before deploying OCNRF.

Command to create kubernetes secret:
$ kubectl create secret generic <database secret name> --from-literal=dbUsername=<OCNRF Mysql database username> --from-literal=dbPassword=<OCNRF Mysql database password> --from-literal=dbName=<OCNRF Mysql database name> -n <Namespace of MYSQL secret>

Example

$ kubectl create secret generic database-secret --from-literal=dbUsername=nrfusr --from-literal=dbPassword=nrfpasswd --from-literal=dbName=nrfdb -n ocnrf

Command to verify secret creation

$ kubectl describe secret <database secret name> -n <Namespace of MYSQL secret>

Example

$ kubectl describe secret database-secret -n ocnrf

Creation of kubernetes secrets for enabling HTTPS

Creation of secrets for enabling HTTPS in OCNRF Ingress gateway

This section explains the steps to create the secret holding the HTTPS related details. This section must be executed before enabling HTTPS in the OCNRF Ingress gateway.

Note:

The passwords for the TrustStore and KeyStore are stored in the respective password files listed below.
To create the kubernetes secret for HTTPS, the following files are required:
  • ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RSA256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

Note:

The creation process for private keys, certificates and passwords is at the discretion of the user/operator.

Execute the following command to create the secret:

The file names used below are the same as those provided in the custom values.yaml for the OCNRF deployment.

$ kubectl create secret generic ocingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n ocnrf

Command to verify secret created:

$ kubectl describe secret ocingress-secret -n ocnrf

Creation of secrets for enabling HTTPS in OCNRF Egress gateway

This section explains the steps to create the secret holding the HTTPS related details. This section must be executed before enabling HTTPS in the OCNRF Egress gateway.

Note:

The passwords for the TrustStore and KeyStore are stored in the respective password files listed below.

To create the kubernetes secret for HTTPS, the following files are required:

  • ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RSA256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

Note:

The creation process for private keys, certificates and passwords is at the discretion of the user/operator.

Execute the following command to create the secret. The file names used below are the same as those provided in the custom values.yaml for the OCNRF deployment.

$ kubectl create secret generic ocegress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=ssl_rsa_private_key.pem --from-file=ssl_truststore.txt \
    --from-file=ssl_keystore.txt --from-file=ssl_cabundle.crt --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n ocnrf

Command to verify secret created

$ kubectl describe secret ocegress-secret -n ocnrf

Creation of kubernetes secret for enabling AccessToken service

This section explains the steps to create the secret for the AccessToken service of NRF. This section must be executed before enabling Access Token in OCNRF.

Note:

The password for the KeyStore is stored in the password file listed below.

To create the kubernetes secret, the following files are required:

  • ECDSA private key and CA signed certificate of OCNRF (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of OCNRF (if initialAlgorithm is RSA256)
  • KeyStore password file

Note:

The creation process for private keys, certificates and passwords is at the discretion of the user/operator.

Execute the following command to create the secret. The file names used below are the same as those provided in the custom values.yaml for the OCNRF deployment.

$ kubectl create secret generic ocnrfaccesstoken-secret --from-file=ecdsa_private_key.pem --from-file=rsa_private_key.pem --from-file=ssl_truststore.txt \
    --from-file=keystore_password.txt --from-file=rsa_certificate.crt --from-file=ecdsa_certificate.crt -n ocnrf

Command to verify secret created

$ kubectl describe secret ocnrfaccesstoken-secret -n ocnrf
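The following is an added pre-deployment check, not part of the OCNRF guide, that covers all four secrets created in this chapter (database, HTTPS ingress, HTTPS egress and AccessToken). Rather than reading kubectl describe output by eye, it lists the keys actually stored in each secret and compares them with the keys the corresponding create command supplies, so a missing or misnamed file is caught before OCNRF is deployed. It assumes kubectl is on the PATH and targets the cluster, and uses the guide's example secret names.

```shell
# Added example (not from the OCNRF guide): before deploying OCNRF, verify that each
# secret created in this chapter exists and holds every key that the corresponding
# `kubectl create secret` command supplies. Secret names are the guide's examples
# (an assumption for your site); kubectl on PATH targeting the cluster is assumed.
set -u

# expected_keys SECRET -> keys the secret must contain (from the guide's commands)
expected_keys() {
    case "$1" in
        database-secret)
            echo "dbUsername dbPassword dbName" ;;
        ocingress-secret)
            echo "ssl_ecdsa_private_key.pem rsa_private_key_pkcs1.pem ssl_truststore.txt" \
                 "ssl_keystore.txt caroot.cer ssl_rsa_certificate.crt ssl_ecdsa_certificate.crt" ;;
        ocegress-secret)
            echo "ssl_ecdsa_private_key.pem ssl_rsa_private_key.pem ssl_truststore.txt" \
                 "ssl_keystore.txt ssl_cabundle.crt ssl_rsa_certificate.crt ssl_ecdsa_certificate.crt" ;;
        ocnrfaccesstoken-secret)
            echo "ecdsa_private_key.pem rsa_private_key.pem ssl_truststore.txt" \
                 "keystore_password.txt rsa_certificate.crt ecdsa_certificate.crt" ;;
    esac
}
# present_keys SECRET NAMESPACE -> one key name per line; empty if the secret is absent
present_keys() {
    kubectl get secret "$1" -n "$2" \
        -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}' 2>/dev/null || true
}
# check_secret SECRET NAMESPACE -> 0 if the secret exists with all expected keys, else 1
check_secret() {
    have=$(present_keys "$1" "$2")
    [ -n "$have" ] || { echo "MISSING SECRET: $1 in namespace $2"; return 1; }
    missing=0
    for key in $(expected_keys "$1"); do
        if ! printf '%s\n' "$have" | grep -qxF "$key"; then
            echo "MISSING KEY: $key in secret $1"; missing=1
        fi
    done
    return $missing
}
# check_all NAMESPACE -> runs check_secret for every secret used in this chapter
check_all() {
    bad=0
    for s in database-secret ocingress-secret ocegress-secret ocnrfaccesstoken-secret; do
        check_secret "$s" "$1" || bad=1
    done
    return $bad
}

# Stand-alone usage: sh secret-check.sh <namespace>
if [ "$#" -ge 1 ]; then check_all "$1"; fi
```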