3 Customizing Provisioning Gateway
In this section, you will learn how to customize the Provisioning Gateway deployment by overriding the default values of its configurable parameters. The default configuration (the chart's values file) is reproduced below, followed by a description of each parameter.
```yaml
# Copyright 2019 (C), Oracle and/or its affiliates. All rights reserved.
global:
  dockerRegistry: reg-1:5000
  serviceAccountName:
  prefix:
    container:
    configmap:
    hpa:
prov-gw:
  image:
    name: provgw/prov_gw
    tag: 1.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    port:
      https: 5002
      http: 5001
      management: 9000
  deployment:
    replicaCount: 2
  logging:
    level:
      root: "WARN"
  resources:
    limits:
      cpu: 3
      memory: 4Gi
    requests:
      cpu: 3
      memory: 4Gi
    target:
      averageCpuUtil: 80
  server:
    redirect:
      http: false
    http2enabled: true
  udr:
    segs:
      - ocudr-ingressgateway.ocudr
      - ocudr-ingressgateway.ocudr
  minReplicas: 2
  maxReplicas: 4
prov-ingressgateway:
  global:
    # Docker registry name
    # dockerRegistry: reg-1:5000/ocudr
    # Specify type of service - Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName
    type: LoadBalancer
    # Enable or disable IP Address allocation from Metallb Pool
    metalLbIpAllocationEnabled: true
    # Address Pool Annotation for Metallb
    metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: signaling"
    # If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort
    # Else random node port will be assigned by K8
    staticNodePortEnabled: false
    staticHttpNodePort: 30075
    staticHttpsNodePort: 30043
  image:
    # image name
    name: provgw/ocingress_gateway
    # tag name of image
    tag: 1.6.2
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  initContainersImage:
    # init Containers image name
    name: provgw/configurationinit
    # tag name of init Container image
    tag: 1.1.1
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  updateContainersImage:
    # update Containers image name
    name: provgw/configurationupdate
    # tag name of update Container image
    tag: 1.1.1
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  service:
    ssl:
      tlsVersion: TLSv1.2
      privateKey:
        k8SecretName: provgw-ingress-secret
        k8NameSpace: provgw
        rsa:
          fileName: rsa_private_key_pkcs1.pem
        ecdsa:
          fileName: ssl_ecdsa_private_key.pem
      certificate:
        k8SecretName: provgw-ingress-secret
        k8NameSpace: provgw
        rsa:
          fileName: tmp.cer
        ecdsa:
          fileName: ssl_ecdsa_certificate.crt
      caBundle:
        k8SecretName: provgw-ingress-secret
        k8NameSpace: provgw
        fileName: caroot.cer
      keyStorePassword:
        k8SecretName: provgw-ingress-secret
        k8NameSpace: provgw
        fileName: key.txt
      trustStorePassword:
        k8SecretName: provgw-ingress-secret
        k8NameSpace: provgw
        fileName: trust.txt
      initialAlgorithm: RSA256
  # Resource details
  resources:
    limits:
      cpu: 3
      memory: 4Gi
    requests:
      cpu: 3
      memory: 4Gi
    target:
      averageCpuUtil: 80
  log:
    level:
      root: WARN
      ingress: INFO
      oauth: INFO
  # enable jaeger tracing
  jaegerTracingEnabled: false
  openTracing:
    jaeger:
      udpSender:
        # udpsender host
        host: "occne-tracer-jaeger-query.occne-infra"
        # udpsender port
        port: 6831
      probabilisticSampler: 0.5
  # Number of Pods must always be available, even during a disruption.
  minAvailable: 2
  # Min replicas to scale to maintain an average CPU utilization
  minReplicas: 2
  # Max replicas to scale to maintain an average CPU utilization
  maxReplicas: 5
  # label to override name of api-gateway micro-service name
  #fullnameOverride: provgw-endpoint
  # To Initialize SSL related infrastructure in init/update container
  initssl: false
  # Cipher suites to be enabled on server side
  ciphersuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_DHE_RSA_WITH_AES_256_CCM
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  #OAUTH CONFIGURATION
  oauthValidatorEnabled: false
  nfType: SMF
  nfInstanceId: 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11
  producerScope: nsmf-pdusession,nsmf-event-exposure
  allowedClockSkewSeconds: 0
  nrfPublicKeyKubeSecret: nrfpublickeysecret
  nrfPublicKeyKubeNamespace: ingress
  validationType: strict
  producerPlmnMNC: 123
  producerPlmnMCC: 346
  #Server Configuration for http and https support
  #Server side http support
  enableIncomingHttp: true
  #Server side https support
  enableIncomingHttps: false
  #Client side https support
  enableOutgoingHttps: false
  maxRequestsQueuedPerDestination: 5000
  maxConnectionsPerIp: 10
  #Service Mesh (Istio) to take care of load-balancing
  serviceMeshCheck: false
  # configuring routes
  routesConfig:
    - id: traffic_mapping_rest_group_prov
      uri: http://{{ .Release.Name }}-prov-gw:5001
      path: /**
```
The configurable parameters of Provisioning Gateway are:
Default Helm Release Name: provgw
Parameter | Description | Default value | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|
dockerRegistry | Docker registry from which the images will be pulled | reg-1:5000 | Not applicable | |
serviceAccountName | Service account name | null | Not Applicable | The service account, role and role bindings required for the deployment must be created before the installation. Use the created service account name here. |
prefix.container | Container configurable prefix | null | Not Applicable | If this is configured with some value, the same will be used as the prefix for container names on the different pods of the ProvGw deployment. If not configured, the release name will be used as the prefix. |
prefix.configmap | Configmap configurable prefix | null | Not Applicable | If this is configured with some value, the same will be used as the prefix for configmap names. If not configured, the release name will be used as the prefix. |
prefix.hpa | HPA configurable prefix | null | Not Applicable | If this is configured with some value, the same will be used as the prefix for HPA names. If not configured, the release name will be used as the prefix. |
The following table lists the parameters of the provgw-service microservice.
Parameter | Description | Default Value | Range of Possible Values (if applicable) | Notes |
---|---|---|---|---|
image.name | Image name | provgw/prov_gw | Not Applicable | |
image.tag | Tag of Image | 1.6.0 | Not Applicable | |
image.pullPolicy | This setting tells whether the image needs to be pulled | Always | Always, IfNotPresent, Never | |
service.type | ProvGw service type | ClusterIP | ClusterIP, NodePort, LoadBalancer | The Kubernetes service type for exposing the ProvGw deployment. Note: Suggested to be set as LoadBalancer (default value) always |
service.port.http | HTTP port | 5001 | Not Applicable | The http port to be used in provGw service |
service.port.https | HTTPS port | 5002 | Not Applicable | The https port to be used in provgw service |
service.port.management | Management port | 9000 | Not Applicable | The Prometheus management port to be used for ProvGw service |
deployment.replicaCount | Replicas of provgw pod | 2 | Not applicable | Number of provgw pods to be maintained by replica set created with deployment |
logging.level.root | Log Level | WARN | WARN, INFO, DEBUG, ERROR | Log level of the Provisioning Gateway pod |
server.redirect.http | Enable redirecting HTTP messages | false | true/false | |
server.http2enabled | Enable HTTP2 support flag | true | true/false | |
*udr.segs | FQDNs of UDR | Not Applicable | Not Applicable | Used to send SLF requests to UDRs. This accepts a YAML array, e.g. udr: segs: - ocudr1.ingressgateway.ocudr1 - ocudr2.ingressgateway.ocudr2 |
resources.requests.cpu | Cpu Allotment for nudr-drservice pod | 3 | Not applicable | The cpu to be allocated for prov-gw pod during deployment |
resources.requests.memory | Memory allotment for nudr-drservice pod | 4Gi | Not applicable | The memory to be allocated for prov-gw pod during deployment |
resources.limits.cpu | Cpu allotment limitation | 3 | Not applicable | |
resources.limits.memory | Memory allotment limitation | 4Gi | Not applicable | |
resources.target.averageCpuUtil | CPU utilization limit for autoscaling | 80 | Not Applicable | CPU utilization limit for creating HPA |
minReplicas | Minimum Replicas | 2 | Not Applicable | Minimum number of pods |
maxReplicas | Maximum Replicas | 4 | Not Applicable | Maximum number of pods |
Note:
( * ) - This configuration is mandatory before starting the service.
The following table lists the parameters of the prov-ingressgateway microservice.
Parameter | Description | Default value | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|
type | provgw-prov-ingressgateway service type | LoadBalancer | ClusterIP, NodePort, LoadBalancer | |
metalLbIpAllocationEnabled | Enable or disable Address Pool for Metallb | true | true/false | |
metalLbIpAllocationAnnotation | Address Pool for Metallb | "metallb.universe.tf/address-pool: signaling" | Not applicable | |
staticNodePortEnabled | If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort | false | Not applicable | |
staticHttpNodePort | static http node port value needs to be provided | 30075 | can be changed based on user requirement. | |
staticHttpsNodePort | static https node port value needs to be provided | 30043 | can be changed based on user requirement. | |
image.name | Docker image name | provgw/ocingress_gateway | Not applicable | |
image.tag | Image version tag | 1.6.2 | Not applicable | |
image.pullPolicy | This setting tells whether the image needs to be pulled | Always | Always, IfNotPresent, Never | |
initContainersImage.name | Docker image name | provgw/configurationinit | Not applicable | |
initContainersImage.tag | Image version tag | 1.1.1 | Not applicable | |
initContainersImage.pullPolicy | This setting tells whether the image needs to be pulled | Always | Always, IfNotPresent, Never | |
updateContainersImage.name | Docker image name | provgw/configurationupdate | Not applicable | |
updateContainersImage.tag | Image version tag | 1.1.1 | Not applicable | |
updateContainersImage.pullPolicy | This setting tells whether the image needs to be pulled | Always | Always, IfNotPresent, Never | |
service.ssl.privateKey.k8SecretName | name of the secret which stores keys and certificates | provgw-gateway-secret | Not applicable | |
service.ssl.privateKey.k8NameSpace | namespace in which secret is created | provgw | Not applicable | |
service.ssl.privateKey.rsa.fileName | rsa private key stored in the secret | rsa_private_key_pkcs1.pem | Not applicable | |
service.ssl.privateKey.ecdsa.fileName | ecdsa private key stored in the secret | ecdsa_private_key_pkcs8.pem | Not applicable | |
service.ssl.certificate.k8SecretName | name of the secret which stores keys and certificates | provgw-ingress-secret | Not applicable | |
service.ssl.certificate.k8NameSpace | namespace in which secret is created | provgw | Not applicable | |
service.ssl.certificate.rsa.fileName | rsa certificate stored in the secret | apigatewayrsa.cer | Not applicable | |
service.ssl.certificate.ecdsa.fileName | ecdsa certificate stored in the secret | apigatewayecdsa.cer | Not applicable | |
service.ssl.caBundle.k8SecretName | name of the secret which stores keys and certificates | provgw-ingress-secret | Not applicable | |
service.ssl.caBundle.k8NameSpace | namespace in which secret is created | provgw | Not applicable | |
service.ssl.caBundle.fileName | ca Bundle stored in the secret | caroot.cer | Not applicable | |
service.ssl.keyStorePassword.k8SecretName | name of the secret which stores keys and certificates | provgw-ingress-secret | Not applicable | |
service.ssl.keyStorePassword.k8NameSpace | namespace in which secret is created | provgw | Not applicable | |
service.ssl.keyStorePassword.fileName | keyStore password stored in the secret | key.txt | Not applicable | |
service.ssl.trustStorePassword.k8SecretName | name of the secret which stores keys and certificates | provgw-ingress-secret | Not applicable | |
service.ssl.trustStorePassword.k8NameSpace | namespace in which secret is created | provgw | Not applicable | |
service.ssl.trustStorePassword.fileName | trustStore password stored in the secret | trust.txt | Not applicable | |
resources.limits.cpu | Cpu allotment limitation | 3 | Not applicable | |
resources.limits.memory | Memory allotment limitation | 4Gi | Not applicable | |
resources.requests.cpu | Cpu allotment for provgw-prov-ingressgateway pod | 3 | Not Applicable | |
resources.requests.memory | Memory allotment for provgw-prov-ingressgateway pod | 4Gi | Not Applicable | |
resources.target.averageCpuUtil | CPU utilization limit for autoscaling | 80 | Not Applicable | |
minAvailable | Number of pods always running | 2 | Not Applicable | |
minReplicas | Min replicas to scale to maintain an average CPU utilization | 2 | Not applicable | |
maxReplicas | Max replicas to scale to maintain an average CPU utilization | 5 | Not applicable | |
log.level.root | Logs to be shown on provgw-prov-ingressgateway pod | WARN | valid level | |
log.level.ingress | Logs to be shown on provgw-prov-ingressgateway pod for ingress related flows | INFO | valid level | |
log.level.oauth | Logs to be shown on provgw-prov-ingressgateway pod for oauth related flows | INFO | valid level | |
initssl | To Initialize SSL related infrastructure in init/update container | true | Not Applicable | |
jaegerTracingEnabled | Enable/Disable Jaeger Tracing | false | true/false | |
openTracing.jaeger.udpSender.host | Jaeger agent service FQDN | jaeger-agent.cne-infra | Valid FQDN | |
openTracing.jaeger.udpSender.port | Jaeger agent service UDP port | 6831 | Valid Port | |
openTracing.jaeger.probabilisticSampler | Probabilistic Sampler on Jaeger | 0.5 | Range: 0.0 - 1.0 | The sampler makes a random sampling decision with the given probability. For example, if the value set is 0.1, approximately 1 in 10 traces will be sampled. |
oauthValidatorEnabled | OAUTH Configuration | false | Not Applicable | |
enableIncomingHttp | Enabling for accepting http requests | true | Not Applicable | |
enableIncomingHttps | Enabling for accepting https requests | true | true or false | |
enableOutgoingHttps | Enabling for sending https requests | false | true or false | |
maxRequestsQueuedPerDestination | Queue Size at the provgw-prov-ingressgateway pod | 5000 | Not Applicable | |
maxConnectionsPerIp | Connections from endpoint to other microServices | 10 | Not Applicable | |
routesConfig | Routes configured to connect to ProvGw | - id: traffic_mapping_rest_group_prov uri: http://{{ .Release.Name }}-prov-gw:5001 path: /** | Not Applicable | |
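Putting the parameter reference above to use, the following is an added example of an override file (not part of the Oracle documentation) that sets the mandatory UDR FQDNs and switches the ingress gateway from plain HTTP to HTTPS with a reduced cipher list. It assumes the file is passed to Helm with -f (so only keys that differ from the defaults need to appear), that the release name is the default provgw, and that the secret provgw-ingress-secret already exists in namespace provgw with entries named as the service.ssl.*.fileName defaults; the registry, service account name and UDR FQDNs are constructed placeholders.

```yaml
# custom-values.yaml (constructed example): apply with
#   helm install provgw <chart> -n provgw -f custom-values.yaml
# Helm merges these keys over the chart defaults; lists such as
# udr.segs and ciphersuites are replaced whole, not appended to.
global:
  dockerRegistry: registry.example.internal:5000   # placeholder registry
  serviceAccountName: provgw-sa                    # placeholder; create it (with role and role binding) before install
prov-gw:
  udr:
    segs:                                  # mandatory (*): UDR ingress gateway FQDNs, placeholders here
      - ocudr1-ingressgateway.ocudr1
      - ocudr2-ingressgateway.ocudr2
prov-ingressgateway:
  global:
    type: LoadBalancer
    metalLbIpAllocationEnabled: true
  # Provisioning traffic carries subscriber data: accept TLS only on the gateway.
  # Key material is read from the default secret provgw-ingress-secret in
  # namespace provgw; its entries must be named as the service.ssl.*.fileName
  # defaults (rsa_private_key_pkcs1.pem, tmp.cer, caroot.cer, key.txt, trust.txt).
  initssl: true                 # init/update containers load the key material
  enableIncomingHttp: false
  enableIncomingHttps: true
  service:
    ssl:
      tlsVersion: TLSv1.2
  # Forward-secret AEAD suites only; drops the DHE and CCM suites of the default list.
  ciphersuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```

The route to the prov-gw backend (routesConfig) is unaffected, since enableIncomingHttp only governs the gateway's own listener.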