CNC Console IAM Configuration Options During Deployment
Attribute Name | DataType | Range | Mandatory(M)/ Optional(O)/Conditional(C) | Description |
---|---|---|---|---|
keycloak.image.repository | <String> | It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. | M | The repository that contains the cncc-iam container image. It has the form <registry-url>:<registry-port>/<repo>. Example: ocspf-registry.us.oracle.com:5000/cncc/cncc-iam |
keycloak.image.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image Tag to be used for cncc-iam micro service. |
keycloak.image.pullpolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | O | Pull Policy decides from where to pull the image. |
keycloak.username | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | The name of cncc-iam user as given by the user. Example: admin |
keycloak.existingSecret | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | M | It specifies an existing secret name to be used for the admin password. Example: cncc-iam-secret |
keycloak.serviceAccount.create | <Boolean> | It can take either True or False value. By default, it is false. | O | Flag for creating service account. |
keycloak.serviceAccount.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | O | The name of service account. Applicable only if keycloak.serviceAccount.create is set to 'true'. If keycloak.serviceAccount.name is kept as empty, a default service account with name 'cncc-iam' is created by CNCC, otherwise user has to create the service account and provide its name here: kubectl create serviceaccount <name> -n <namespace> |
keycloak.existingSecretKey | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | M | Applicable only if keycloak.existingSecret is provided. It is the key in the existing secret that stores the password. Example: iamAdminPasswordKey |
keycloak.persistence.dbVendor | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | The database vendor name. Example: mysql |
keycloak.persistence.dbName | <String> | Valid String | M | The name of the database used for cncc-iam. User should create DB with the same name as provided here before deploying CNCC-IAM. Example: cnccdb |
keycloak.persistence.dbHost | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | It is the hostname for persistence db. Example: mysql-sds.default.svc.cluster.local |
keycloak.persistence.dbPort | <Integer> | It can range from 0-65535 | M | The db port for cncc-iam. Example: 3306 |
keycloak.persistence.existingSecret | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | M | It specifies an existing secret to be used for mysql username and password. Example: cncc-db-secret |
keycloak.persistence.existingSecretPasswordKey | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | M | The key in the existing secret that stores the password. Example: dbPasswordKey |
keycloak.persistence.existingSecretUsernameKey | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | M | The key in the existing secret that stores the username. Example: dbUserNameKey |
keycloak.service.httpPort | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | O | The port number which makes cncc-iam service visible to other services running within the same K8s cluster. |
ingress-gateway.global.dockerRegistry | <String> | It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. | M | |
ingress-gateway.global.publicHttpSignalingPort | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | M | |
ingress-gateway.global.publicHttpsSignallingPort | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | ||
ingress-gateway.global.serviceAccountName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters. | O | Service Account name |
ingress-gateway.global.type | <String> | It can take ClusterIP, NodePort, LoadBalancer and ExternalName. | M | |
ingress-gateway.global.metalLbIpAllocationEnabled | <Boolean> | It can take either True or False value. By default, it is false. | M | Enable or disable IP Address allocation from Metallb Pool |
ingress-gateway.global.metalLbIpAllocationAnnotation | <String> | metallb.universe.tf/address-pool: oam | M | Address Pool Annotation for Metallb |
ingress-gateway.global.staticIpAddressEnabled | <Boolean> | It can take either True or False value. By default, it is false. | O | If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress. Else random IP will be assigned by the metalLB from its IP Pool. |
ingress-gateway.global.staticIpAddress | <String> | Static Ip | O | Static Ip and applicable only when ingress-gateway.global.staticNodePortEnabled is true. |
ingress-gateway.global.staticNodePortEnabled | <Boolean> | It can take either True or False value. By default, it is false. | O | Node Port Enabled |
ingress-gateway.global.staticHttpNodePort | <String> | Http Node Port | O | Http Node Port and applicable only when ingress-gateway.global.staticNodePortEnabled is true. |
ingress-gateway.global.image.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image Name to be used for "ingress-gateway" micro service |
ingress-gateway.global.image.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image Tag to be used for "ingress-gateway" micro service |
ingress-gateway.global.image.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | M | Pull Policy decides from where to pull the image. |
ingress-gateway.global.initContainersImage.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image Name to be used for init container |
ingress-gateway.global.initContainersImage.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image tag to be used for init container |
ingress-gateway.global.initContainersImage.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | M | Pull Policy decides from where to pull the image. |
ingress-gateway.global.updateContainersImage.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image Name to be used for update container |
ingress-gateway.global.updateContainersImage.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. | M | Image tag to be used for update container |
ingress-gateway.global.updateContainersImage.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | M | Pull Policy decides from where to pull the image. |
ingress-gateway.global.service.ssl.tlsVersion | | Default Value is TLSv1.2 | M | TLS Version |
ingress-gateway.global.service.ssl.privateKey.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Name of the privatekey secret. Example: cncc-iam-ingress-secret |
ingress-gateway.global.service.ssl.privateKey.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Namespace of privatekey. Example: cncc |
ingress-gateway.global.service.ssl.privateKey.rsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | RSA private key file name. Example: rsa_private_key_pkcs1.pem |
ingress-gateway.global.service.ssl.privateKey.ecdsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | ECDSA private key file name. Example: ssl_ecdsa_private_key.pem |
ingress-gateway.global.service.ssl.certificate.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Name of the certificate secret. Example: cncc-iam-ingress-secret |
ingress-gateway.global.service.ssl.certificate.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Namespace of certificate. Example: cncc |
ingress-gateway.global.service.ssl.certificate.rsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | RSA certificate file name. Example: ssl_rsa_certificate.crt |
ingress-gateway.global.service.ssl.certificate.ecdsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | ECDSA certificate file name. Example: ssl_ecdsa_certificate.crt |
ingress-gateway.global.service.ssl.caBundle.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Name of the caBundle secret. Example: cncc-iam-ingress-secret |
ingress-gateway.global.service.ssl.caBundle.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Namespace of caBundle. Example: cncc |
ingress-gateway.global.service.ssl.caBundle.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | RSA caBundle file name. Example: caroot.cer |
ingress-gateway.global.service.ssl.initialAlgorithm | <String> | Default value is RSA256 | M | |
ingress-gateway.global.service.ssl.keyStorePassword.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Name of the keyStorePassword secret. Example: cncc-iam-ingress-secret |
ingress-gateway.global.service.ssl.keyStorePassword.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Namespace of keyStorePassword. Example: cncc |
ingress-gateway.global.service.ssl.keyStorePassword.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | File name that has password for keyStore. Example: ssl_keystore.txt |
ingress-gateway.global.service.ssl.trustStorePassword.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Name of the trustStorePassword secret. Example: cncc-iam-ingress-secret |
ingress-gateway.global.service.ssl.trustStorePassword.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | Namespace of trustStorePassword. Example: cncc |
ingress-gateway.global.service.ssl.trustStorePassword.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | File name that has password for trustStore. Example: ssl_truststore.txt |
ingress-gateway.global.ports.containerPort | <String> | It can take value in the range: 0-65535. | M | ContainerPort represents a network port in a single container |
ingress-gateway.global.ports.containersslPort | <String> | Default value is 8443 | M | |
ingress-gateway.global.ports.actuatorPort | <String> | Default value is 9090 | ||
ingress-gateway.global.log.level.root | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | M | The level at which user wants to see the logs. E.g. WARN |
ingress-gateway.global.log.level.ingress | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. Default value is INFO | M | Log level for ingress logs |
ingress-gateway.global.readinessProbe.initialDelaySeconds | <String> | It can take value in the range: 0-65535. Default value: 30 | M | It tells the kubelet how many seconds to wait before performing the first probe |
ingress-gateway.global.readinessProbe.timeoutSeconds | <String> | It can take value in the range: 0-65535. Default value: 3 | M | The number of seconds after which the probe times out |
ingress-gateway.global.readinessProbe.periodSeconds | <String> | It can take value in the range: 0-65535. Default value: 10 | M | It specifies that the kubelet should perform a liveness probe every xx seconds |
ingress-gateway.global.readinessProbe.successThreshold | <String> | It can take value in the range: 0-65535. Default value: 1 | M | Minimum consecutive successes for the probe to be considered successful after having failed |
ingress-gateway.global.readinessProbe.failureThreshold | <String> | It can take value in the range: 0-65535. Default value: 3 | M | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up |
ingress-gateway.global.livenessProbe.initialDelaySeconds | <String> | It can take value in the range: 0-65535. Default value: 30 | M | It tells the kubelet how many seconds to wait before performing the first probe |
ingress-gateway.global.livenessProbe.timeoutSeconds | <String> | It can take value in the range: 0-65535. Default value: 3 | M | The number of seconds after which the probe times out |
ingress-gateway.global.livenessProbe.periodSeconds | <String> | It can take value in the range: 0-65535. Default value: 15 | M | It specifies that the kubelet should perform a liveness probe every xx seconds |
ingress-gateway.global.livenessProbe.successThreshold | <String> | It can take value in the range: 0-65535. Default value: 1 | M | Minimum consecutive successes for the probe to be considered successful after having failed |
ingress-gateway.global.livenessProbe.failureThreshold | <String> | It can take value in the range: 0-65535. Default value: 3 | M | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up |
ingress-gateway.global.resources.limits.cpu | <String> | Valid floating point value between 0 and 1 | M | It limits the number of CPUs to be used by the microservice. |
ingress-gateway.global.resources.limits.initServiceCpu | <String> | Default value is 1 | M | Init Container CPU Limit |
ingress-gateway.global.resources.limits.updateServiceCpu | <String> | Default value is 1 | M | Update Container CPU Limit |
ingress-gateway.global.resources.limits.memory | <String> | Valid Integer value followed by Mi/Gi etc. | M | It limits the memory utilization by the "cncc-cmservice" microservice. By default, it is set to '2'. |
ingress-gateway.global.resources.limits.updateServiceMemory | <String> | Default value is 1Gi | M | Update Container Memory Limit |
ingress-gateway.global.resources.limits.initServiceMemory | <String> | 1Gi | M | Init Container Memory Limit |
ingress-gateway.global.resources.requests.cpu | <String> | Valid floating point value between 0 and 1 | M | It limits the number of CPUs to be used by the "cncc-cmservice" microservice. By default, it is set to '2'. |
ingress-gateway.global.resources.requests.initServiceCpu | <String> | Default value is 1 | M | Init Container CPU Limit |
ingress-gateway.global.resources.requests.updateServiceCpu | <String> | Default value is 1 | M | Update Container CPU for requests |
ingress-gateway.global.resources.requests.memory | <String> | Valid Integer value followed by Mi/Gi etc. | M | It limits the memory utilization by the "cncc-cmservice" microservice. By default, it is set to '2'. |
ingress-gateway.global.resources.requests.updateServiceMemory | <String> | 1Gi | M | Update Container Memory for requests |
ingress-gateway.global.resources.requests.initServiceMemory | <String> | 1Gi | M | Init Container Memory for requests |
ingress-gateway.global.resources.target.averageCpuUtil | <String> | A value in between 0-100 | M | It gives the average CPU utilization percentage. |
ingress-gateway.global.minAvailable | <String> | It can take value in the range: 0-65535. Default value: 1 | M | The number of pods that must always be available, even during a disruption. |
ingress-gateway.global.minReplicas | <String> | It can take value in the range: 0-65535. Default value: 1 | M | Min replicas to scale to maintain an average CPU utilization |
ingress-gateway.global.maxReplicas | <String> | It can take value in the range: 0-65535. Default value: 5 | M | Max replicas to scale to maintain an average CPU utilization |
ingress-gateway.global.initssl | <String> | It can take either True or False value. By default, it is false. | M | To Initialize SSL related infrastructure in init/update container |
ingress-gateway.global.enableIncomingHttp | <String> | It can take either True or False value. By default, it is false. | M | Server Configuration for http and https support |
ingress-gateway.global.enableIncomingHttps | <String> | It can take either True or False value. By default, it is false. | M | Server Configuration for http and https support |
ingress-gateway.cipherSuites | <List[String]> | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | M, if ingressgateway.enableIncomingHttps is true | Allowed CipherSuites for TLS1.2 |
ingress-gateway.global.ingressGwCertReloadEnabled | <boolean> | It can take either True or False value. Default value is true | M | |
ingress-gateway.global.ingressGwCertReloadPath | <String> | | M | |
ingress-gateway.global.routesConfig.[].id | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | Routes to be added for cncc-iam ingress-gateway |
ingress-gateway.global.routesConfig.[].uri | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.global.routesConfig.[].path | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.global.routesConfig.[].filters.addRequestHeader.[].name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | |
ingress-gateway.global.routesConfig.[].filters.addRequestHeader.[].value | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start or end with a separator. | M | |
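
A pre-deployment check built from the secret-reference and TLS rows of the table above, as an added example that is not part of the original documentation or the product's tooling. It assumes the dotted attribute names map to nested keys in the values override and that the cipher-suite condition refers to ingress-gateway.global.enableIncomingHttps; the function names and the sample override are constructed for illustration.

```python
import re

# Cipher suites the table lists as allowed for TLS1.2.
ALLOWED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# Table rule: letters, digits, "_", ".", "-"; no leading "." or "-"; max 128 chars.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
# Mandatory (M) rows that reference a Kubernetes secret or a key inside one.
SECRET_REFS = [
    "keycloak.existingSecret",
    "keycloak.existingSecretKey",
    "keycloak.persistence.existingSecret",
    "keycloak.persistence.existingSecretPasswordKey",
    "keycloak.persistence.existingSecretUsernameKey",
]


def lookup(values, dotted):
    """Walk a nested dict by dotted path (assumed layout); None if a level is missing."""
    for part in dotted.split("."):
        if not isinstance(values, dict) or part not in values:
            return None
        values = values[part]
    return values


def flag_on(values, dotted):
    """The table types these flags as strings, so accept True and 'true'/'True'."""
    return str(lookup(values, dotted)).lower() == "true"


def check_values(values):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in SECRET_REFS:
        ref = lookup(values, key)
        if ref is None or not NAME_RE.fullmatch(str(ref)):
            findings.append(f"missing or malformed secret reference: {key}")
    if flag_on(values, "ingress-gateway.global.enableIncomingHttps"):
        suites = lookup(values, "ingress-gateway.cipherSuites") or []
        if not suites:
            findings.append("HTTPS enabled but ingress-gateway.cipherSuites is empty")
        for suite in sorted(set(suites) - ALLOWED_CIPHERS):
            findings.append(f"cipher suite outside the allowed list: {suite}")
    if flag_on(values, "ingress-gateway.global.enableIncomingHttp"):
        findings.append("plaintext HTTP listener enabled on the cncc-iam ingress gateway")
    return findings


# Constructed sample override (not from the page), reusing the table's example names.
SAMPLE = {
    "keycloak": {"existingSecret": "cncc-iam-secret", "existingSecretKey": "iamAdminPasswordKey",
                 "persistence": {"existingSecret": "cncc-db-secret",
                                 "existingSecretPasswordKey": "dbPasswordKey"}},
    "ingress-gateway": {"global": {"enableIncomingHttp": "true", "enableIncomingHttps": "true"},
                        "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                                         "TLS_RSA_WITH_AES_128_CBC_SHA"]},
}
```

Calling `check_values(SAMPLE)` reports the missing username key, the cipher suite that is not in the table's list, and the enabled HTTP listener.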