Customizing OCNRF

3 Customizing OCNRF

This section includes information about OCNRF customization.

OCNRF Configuration

This section describes about the OCNRF customization.

The OCNRF deployment is customized by overriding the default values of various configurable parameters.

Follow the below steps to customize the ocnrf-custom-values-1.6.1.yaml file as per the required parameters:

Go to the Oracle Help Center (OHC) Web site.
Navigate to Industries->Communications->Cloud Native Core->Release 2.2.0.
Click the NRF Custom Template link to download the zip file.
Unzip the file to get ocnrf-custom-configTemplates-1.6.1.0.0 file that contains the ocnrf-custom-configTemplates-1.6.1.0.0. This file is used during installation.
- ocnrf-custom-values-1.6.1.yaml: This file is used during installation.
- NrfDashboard-1.6.1.json: This file is used by grafana.
- NrfAlertrules-1.6.1.yaml: This file is used for prometheus.
- OCNRF-MIB-TC-1.6.1.mib: This is considered as OCNRF top level mib file, where the Objects and their data types are defined .
- OCNRF-MIB-1.6.1.mib : This file fetches the Objects from the top level mib file and based on the Alert notification, these objects can be selected for display.
Customize the ocnrf-custom-values-1.6.1.yaml file.
Save the updated ocnrf-custom-values-1.6.1.yaml file in the helm chart directory.

Note:

Refer section OCNRF Configuration Parameters to know more about the configurable parameters.

OCNRF Images

Following are the OCNRF images:

Table 3-1 OCNRF Images

Services	Image	Tag
<helm-release-name>-NFRegistration	`ocnrf-nfregistration`	1.6.1
<helm-release-name>-NFSubscription	`ocnrf-nfsubscription`	1.6.1
<helm-release-name>-NFDiscovery	`ocnrf-nfdiscovery`	1.6.1
<helm-release-name>-NRF Auditor	`ocnrf-nrfauditor`	1.6.1
<helm-release-name>-NRF Configuration	`ocnrf-nrfconfiguration`	1.6.1
<helm-release-name>-NFAccessToken	`configurationinit`	1.1.1
	`configurationupdate`	1.1.1
	`ocnrf-nfaccesstoken`	1.6.1
<helm-release-name>-EgressGateway	`configurationinit`	1.1.1
	`configurationupdate`	1.1.1
	`ocegress_gateway`	1.6.4
<helm-release-name>-IngressGateway	`configurationinit`	1.1.1
	`configurationupdate`	1.1.1
	`ocingress_gateway`	1.6.4

Note:

IngressGateway, EgressGateway and NFAccessToken uses same configurationinit and configurationupdates docker images.

OCNRF Configuration Parameters

This section includes information about the configuration parameters of OCNRF.

OCNRF allows customization of parameters for the following services and related settings.

Global Parameters

Table 3-2 Global Parameters

Parameter	Description	Default value	Mandatory (M)/Optional (O)	Range or Possible Values (If applicable)	Notes
`mysql.primary.host`	Primary DB Connection Service IP or Hostname	ocnrf-mysql	M	Primary DB Connection Service HostName or IP	OCNRF connects to Primary DB Connection Service if not available then it connects to Secondary DB Connection Service. For NDB Cluster, use Host/IP of the DB Connection Service.
`mysql.primary.port`	Primary DB Connection Service	3306	M	Primary DB Connection Service Port	Port that is used while connecting to Primary DB Connection Service.
`mysql.secondary.host`	Secondary DB Connection Service IP or Hostname	ocnrf-mysql	O	Secondary DB Connection Service HostName or IP	OCNRF connects to Secondary DB Connection Service only if the Primary DB Connection Service is unavailable. It again switch pack to Primary DB Connection Service one it is available. For NDB Cluster, use Host/IP of the Remote DB Connection Service (if available).
`mysql.secondary.port`	Secondary DB Connection Service Port	3306	O	Secondary DB Connection Service Port	Port that is used while connecting to Secondary DB Connection Service.
`endpoint`	OCNRF END Point Name	ocnrf-ingress-gateway.ocnrf.svc.cluster.local	M	Service Name for OCNRF ingress gateway	OCNRF Ingress Gateway's Name and Port. This value is used in UriList of NfListRetrival Service Operation response. The endpoint needs to be OCNRF's External Routable FQDN (e.g. ocnrf.oracle.com) OR External Routable IpAddress (e.g. 10.75.212.60) OR for routing with in the same K8 cluster use full OCNRF ingress gateway Service FQDN as below format `# <helm-release-name>-ingress-gateway.<namespace>.svc.<cluster-domain-name>` e.g ocnrf-ingress-gateway.nrf-1.svc.cluster.local where "ocnrf": is the helm release name (deployment name that will be used during "helm install") "nrf-1": is the namespace in which OCNRF is deployed "cluster.local": is the K8's dnsDomain name (dnsDomain can be found using "kubectl -n kube-system get configmap kubeadm-config -o yaml \| grep -i dnsDomain") Note: This value must be changed during deployment based on the configuration.
`endpointPort`	OCNRF END Point Port	80	M	Port for OCNRF ingress gateway	This parameter is used as OCNRF end point port.
`nrfInstanceId`	OCNRF's NF Instance ID	6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c	M		OCNRF's NfInstance Id (UUID format)
`dockerRegistry`	Registry for docker	ocnrf-registry.us.oracle.com:5000	M		Docker Registry's FQDN/Port where OCNRF's docker images are available.
`database.nameSpace`	Namespace for database connection	ocnrf	M		The Namespace where the Kubernetes Secret is created which contains MYSQL details. Note: See database.name configuration for more details.
`database.name`	Secret name for database connection	database-secret	M		The Kubernetes Secret which contains the Database name, Database User name and the Password. Note: Refer OCNRF Pre-requisites section for the file format.
`serviceAccountName`	ServiceAccount which is having permission for get, watch and list operation for below kubernetes resources; services, configmaps, pods, secrets and endpoints		M		This SeviceAccount is used for: fetching MYSQL DB Details from configured kubernetes secret fetching OCNRF's Private Key, OCNRF's Certificate and CA Certificate from configured kubernetes secret fetching OCNRF's Private and OCNRF's Public Keys for Digitally Signing AccessTokenClaims. fetching Producer/Consumer NF's Service/Endpoint details for routing messages from/to Egress/Ingress Gateways. Refer to prerequisites for command details.

Ingress Gateway Global Parameters

Table 3-3 Ingress Gateway Global Parameters

Parameter	Description	Default value	Mandatory (M)/Optional (O)	Range or Possible Values (If applicable)	Notes
`metalLbIpAllocationEnabled`	Enable or disable IP Address allocation from Metallb Pool	false	O	true/false
`metalLbIpAllocationAnnotation`	Address Pool Annotation for Metallb	metallb.universe.tf/address-pool: signaling	M when `metalLbIpAlocationEnabled` is true
`staticIpAddressEnabled`	Static load balancer IP enabled flag	false	O	true/false
`staticIpAddress`	Static IP address assigned to the Load Balancer from the metalLB IP pool.	10.75.212.50	M, when `staticIpAddressEnabled`is true		If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress. Else random IP will be assigned by the metalLB from its IP Pool.
`staticNodePortEnabled`	Static Node Port enabled flag	false	O	true/false	If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticHttpNodePort or staticHttpsNodePort. Else random node port will be assigned by K8.
`staticHttpNodePort`	HTTP node port	30080	M, when `staticNodePortEnabled` is true and `ingress-gateway.enableIncomingHttp` is true
`staticHttpsNodePort`	HTTPs node port	30443	M, when `staticNodePortEnabled` is true and `ingress-gateway.enableIncomingHttps` is true
`publicHttpSignalingPort`	Service Port on which OCNRF's Ingress Gateway is exposed	80	O		If enableIncomingHttp is true, publicHttpSignalingPort will be used as HTTP/2.0 Port (unsecured)
`publicHttpsSignallingPort`	Service Port on which OCNRF's Ingress Gateway is exposed	443	O		If enableIncomingHttps is true, publicHttpsSignallingPort Port will be used as HTTPS/2.0 Port (secured TLS)

Ingress Gateway

Table 3-4 Ingress Gateway

Parameter	Description	Default value	Mandatory (M)/Optional (O)	Range or Possible Values (If applicable)	Notes
`ingress-gateway.enableIncomingHttp`	This flag is for enabling/disabling HTTP/2.0 (insecure) in Ingress Gateway.	true	O	true/false	If the value is set to false, OCNRF will not accept any HTTP/2.0 (unsecured) Traffic. If the value is set to true, OCNRF will accept HTTP/2.0 (unsecured) Traffic
`ingress-gateway.enableIncomingHttps`	This flag is for enabling/disabling HTTPS/2.0 (secure) in Ingress Gateway.	false	O	true/false	If the value is set to false, OCNRF will not accept any HTTPS/2.0 (unsecured) Traffic. If the value is set to true, OCNRF will accept HTTPS/2.0 (unsecured) Traffic
`ingress-gateway.image.name`	Ingress Gateway image name.	ocingress_gateway	O
`ingress-gateway.image.tag`	Tag name of Ingress Gateway image	1.6.4	O
`ingress-gateway.image.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Always, IfNotPresent, Never
`ingress-gateway.initContainersImage.name`	Image Name for Ingress Gateway init container	configurationinit	O
`ingress-gateway.initContainersImage.tag`	Tag name of Ingress Gateway init container	1.1.1	O
`ingress-gateway.initContainersImage.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Always, IfNotPresent, Never
`ingress-gateway.updateContainersImage.name`	Image Name for Ingress Gateway update container	configurationupdate	O
`ingress-gateway.updateContainersImage.tag`	Tag name of Ingress Gateway update container	1.1.1	O
`ingress-gateway.updateContainersImage.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Always, IfNotPresent, Never
`ingress-gateway.jaegerTracingEnabled`	Flag to enable or disable the Jaeger Tracing at ingress-gateway	false	O	true / false	While making this flag as true, update the below attributes with correct values.
`ingress-gateway.opentracing.jaeger.udpsender.host`	Host name of Jaeger Agent Service	jaeger-agent.cne-infra	M, if `ingress-gateway.jaegerTracingEnabled` is true
`ingress-gateway.opentracing.jaeger.udpsender.port`	Port of Jaeger Agent Service	6831	M, if `ingress-gateway.jaegerTracingEnabled` is true
`ingress-gateway.opentracing.jaeger.probabilisticSampler`	Jaeger message sampler	0.5	O	0 to 1	# Jaeger message sampler. Value range: 0 to 1 # e.g. Value 0: No Trace will be sent to Jaeger collector # e.g. Value 0.3: 30% of message will be sampled and will be sent to Jaeger collector # e.g. Value 1: 100% of message (i.e. all the messages) will be sampled and will be sent to Jaeger collector
`ingress-gateway.cipherSuites`	Allowed CipherSuites for TLS1.2		M, if `ingress-gateway.enableIncomingHttps` is true	- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
`ingress-gateway.service.ssl.privateKey.k8SecretName`	Secret name that contains OCNRF Ingress gateway Private Key	ocingress-secret	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.privateKey.k8NameSpace`	Namespace in which k8SecretName is present	ocnrf	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.privateKey.rsa.filename`	OCNRF's Private Key (RSA type) file name	rsa_private_key_pkcs1.pem	M, if `ingress-gateway.enableIncomingHttps` is true and `ingress-gateway.service.ssl.initialAlgorithm` is RSA256		If initialAlgorithm is configured as RSA, then rsa file name must be configured. Otherwise OCNRF's ingress gateway will not comeup.
`ingress-gateway.service.ssl.privateKey.ecdsa.filename`	OCNRF's Private Key (ECDSA type) file name	ssl_ecdsa_private_key.pem	M, if `ingress-gateway.enableIncomingHttps` is true and `ingress-gateway.service.ssl.initialAlgorithm` is ES256		If initialAlgorithm is configured as ECDSA, then rsa file name must be configured. Otherwise OCNRF's ingress gateway will not comeup.
`ingress-gateway.service.ssl.certificate.k8SecretName`	Secret name that contains OCNRF's Certificate for HTTPS	ocingress-secret	M, if `ingress-gateway.enableIncomingHttps` is true		This is a Secret object for OCNRFcertificate details for HTTPS.
`ingress-gateway.service.ssl.certificate.k8NameSpace`	Namespace in which OCNRF's Certificate is present	ocnrf	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.certificate.rsa.filename`	OCNRF's Certificate (RSA type) file name	ssl_rsa_certificate.crt	M, if `ingress-gateway.enableIncomingHttps` is true and `ingress-gateway.service.ssl.initialAlgorithm` is RSA256		If initialAlgorithm is configured as RSA, then rsa file name must be configured. Otherwise OCNRF's ingress gateway will not comeup.
`ingress-gateway.service.ssl.certificate.ecdsa.filename`	OCNRF's Certificate (ECDSA type) file name	ssl_ecdsa_certificate.crt	M, if `ingress-gateway.enableIncomingHttps` is true and `ingress-gateway.service.ssl.initialAlgorithm` is ES256		If initialAlgorithm is configured as ECDSA, then rsa file name must be configured. Otherwise OCNRF's ingress gateway will not comeup.
`ingress-gateway.service.ssl.caBundle.k8SecretName`	Secret name that contains OCNRF's CA details for HTTPS	ocingress-secret	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.caBundle.k8NameSpace`	Namespace in which OCNRF's CA details is present	ocnrf	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.caBundle.filename`	OCNRF's CA bundle filename	caroot.cer	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.keyStorePassword.k8SecretName`	Secret name that contains keyStorePassword	ocingress-secret	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.keyStorePassword.k8NameSpace`	Namespace in which OCNRF's keystore password is present	ocnrf	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.keyStorePassword.fileName`	OCNRF's Key Store password Filename	ssl_keystore.txt	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.trustStorePassword.k8SecretName`	Secret name that contains trustStorePassword	ocingress-secret	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.trustStorePassword.k8NameSpace`	Namespace in which trustStorePassword is present	ocnrf	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.trustStorePassword.fileName`	OCNRF's trustStorePassword Filename	ssl_truststore.txt	M, if `ingress-gateway.enableIncomingHttps` is true
`ingress-gateway.service.ssl.initialAlgorithm`	Initial Algorithm for HTTPS	ES256	O	ES256, RSA256	Algorithm that will be used in TLS handshake
`ingress-gateway.service.log.level.root`	setting logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE
`ingress-gateway.service.log.level.ingress`	setting logging level	INFO	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE
`ingress-gateway.service.log.level.oauth`	setting logging level	INFO	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE

Egress Gateway

Table 3-5 Egress Gateway

Parameter	Description	Default value	Mandatory (M)/ Optional (O)	Range or Possible Values (If applicable)	Notes
`egress-gateway.enableOutgoingHttps`	This flag is for enabling/disabling HTTPS/2.0 (secured TLS) in Egress Gateway.	false	O	true/false	If the value is set to false, OCNRF will not accept any HTTPS/2.0 (unsecured) Traffic. If the value is set to true, OCNRF will accept HTTPS/2.0 (unsecured) Traffic
`egress-gateway.deploymentegressgateway.image`	Egress Gateway image name	ocegress_gateway	O
`egress-gateway.deploymentegressgateway.imageTag`	tag name of image	1.6.4	O
`egress-gateway.deploymentegressgateway.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Always, IfNotPresent, Never
`egress-gateway.initContainersImage.name`	Image Name for Egress Gateway init container	configurationinit	O
`egress-gateway.initContainersImage.tag`	Tag name of Egress Gateway init container	1.1.1	O
`egress-gateway.initContainersImage.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Always, IfNotPresent, Never
`egress-gateway.updateContainersImage.name`	Image Name for Egress Gateway update container	configurationupdate	O
`egress-gateway.updateContainersImage.tag`	Tag name of Egress Gateway update container	1.1.1	O
`egress-gateway.updateContainersImage.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Always, IfNotPresent, Never
`egress-gateway.jaegerTracingEnabled`	Flag to enable or disable the Jaeger Tracing at egress gateway	false	O	true / false	While making this flag as true, update the below attributes with correct values.
`egress-gateway.opentracing.jaeger.udpsender.host`	Host name of Jaeger Agent Service	jaeger-agent.cne-infra	M, if `egress-gateway.jaegerTracingEnabled` is enabled
`egress-gateway.opentracing.jaeger.udpsender.port`	Port of Jaeger Agent Service	6831	M, if `egress-gateway.jaegerTracingEnabled` is enabled
`egress-gateway.opentracing.jaeger.probabilisticSampler`	Jaeger message sampler	0.5	O	0 to 1	# Jaeger message sampler. Value range: 0 to 1 # e.g. Value 0: No Trace will be sent to Jaeger collector # e.g. Value 0.3: 30% of message will be sampled and will be sent to Jaeger collector # e.g. Value 1: 100% of message (i.e. all the messages) will be sampled and will be sent to Jaeger collector
`egress-gateway.scpIntegrationEnabled`	Using SCP as an Proxy in Egress Gateway	false	O	true/false	If it is configured as false, SCP will not be used as an proxy. Messages will be directly sent to the Producers/HTTP Servers. If it is configured as true, SCP will be used as an Proxy for delivering messages to the Producers/HTTP Servers.
`egress-gateway.scpHttpHost`	SCP Configuration For Egress Gateway	localhost	M, if `egress-gateway.scpIntegrationEnabled` is true		All the SCP related configuration will be used only if scpIntegrationEnabled is set to true. SCP's HTTP Host/IP and Port Combination. This will be while sending HTTP/2.0 (unsecured) traffic.
`egress-gateway.scpHttpPort`	SCP's HTTP Port	80	M, if `egress-gateway.scpIntegrationEnabled` is true
`egress-gateway.scpHttpsHost`	SCP Configuration For Egress Gateway	localhost	M, if `egress-gateway.scpIntegrationEnabled` is true		All the SCP related configuration will be used only if scpIntegrationEnabled is set to true. SCP's HTTP Host/IP and Port Combination. This will be while sending HTTP/2.0 (unsecured) traffic.
`egress-gateway.scpHttpsPort`	SCP's HTTPS Port	443	M, if `egress-gateway.scpIntegrationEnabled` is true		This will be while sending HTTPS/2.0 (unsecured) traffic.
`egress-gateway.scpApiPrefix`	SCP's API Prefix. (Applicable only for SCP with TLS enabled)	/	O		This will be used for constructing the Egress messgage's APIROOT while proxying message to SCP. Change this value to SCP's apiprefix. "/" is not expected to be provided along.
`egress-gateway.scpDefaultScheme`	SCP's default scheme when 3gpp-sbi-target-apiroot header is missing	https	O
`egress-gateway.cipherSuites`	Allowed CipherSuites for TLS1.2		M, if `egress-gateway.enableOutgoingHttps` is true	- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
`egress-gateway.service.ssl.privateKey.k8SecretName`	Secret name that contains OCNRF Egress gateway Private Key	ocegress-secret	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.privateKey.k8NameSpace`	Namespace in which k8SecretName is present	ocnrf	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.privateKey.rsa.filename`	OCNRF's Private Key (RSA type) file name	ssl_rsa_private_key.pem	M, if `egress-gateway.enableOutgoingHttps` is true and `egress-gateway.service.ssl.initialAlgorithm` is RSA256		If initialAlgorithm is configured as RSA, then rsa file name must be configured. Otherwise OCNRF's egress gateway will not comeup.
`egress-gateway.service.ssl.privateKey.ecdsa.filename`	OCNRF's Private Key (ECDSA type) file name	ssl_ecdsa_private_key.pem	M, if `egress-gateway.enableOutgoingHttps` is true and `egress-gateway.service.ssl.initialAlgorithm` is ES256		If initialAlgorithm is configured as ECDSA, then rsa file name must be configured. Otherwise OCNRF's egress gateway will not comeup.
`egress-gateway.service.ssl.certificate.k8SecretName`	Secret name that contains OCNRF's Certificate for HTTPS	ocegress-secret	M, if `egress-gateway.enableOutgoingHttps` is true		This is a Secret object for OCNRFcertificate details for HTTPS.
`egress-gateway.service.ssl.certificate.k8NameSpace`	Namespace in which OCNRF's Certificate is present	ocnrf	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.certificate.rsa.filename`	OCNRF's Certificate (RSA type) file name	ssl_rsa_certificate.crt	M, if `egress-gateway.enableOutgoingHttps` is true and `egress-gateway.service.ssl.initialAlgorithm` is RSA256		If initialAlgorithm is configured as RSA, then rsa file name must be configured. Otherwise OCNRF's egress gateway will not comeup.
`egress-gateway.service.ssl.certificate.ecdsa.filename`	OCNRF's Certificate (ECDSA type) file name	ssl_ecdsa_certificate.crt	M, if `egress-gateway.enableOutgoingHttps` is true and `egress-gateway.service.ssl.initialAlgorithm` is ES256		If initialAlgorithm is configured as ECDSA, then rsa file name must be configured. Otherwise OCNRF's egress gateway will not comeup.
`egress-gateway.service.ssl.caBundle.k8SecretName`	Secret name that contains OCNRF's CA details for HTTPS	ocegress-secret	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.caBundle.k8NameSpace`	Namespace in which OCNRF's CA details is present	ocnrf	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.caBundle.filename`	OCNRF's CA bundle filename	ssl_cabundle.crt	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.keyStorePassword.k8SecretName`	Secret name that contains keyStorePassword	ocegress-secret	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.keyStorePassword.k8NameSpace`	Namespace in which OCNRF's keystore password is present	ocnrf	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.keyStorePassword.fileName`	OCNRF's Key Store password Filename	ssl_keystore.txt	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.trustStorePassword.k8SecretName`	Secret name that contains trustStorePassword	ocegress-secret	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.trustStorePassword.k8NameSpace`	Namespace in which trustStorePassword is present	ocnrf	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.trustStorePassword.fileName`	OCNRF's trustStorePassword Filename	ssl_truststore.txt	M, if `egress-gateway.enableOutgoingHttps` is true
`egress-gateway.service.ssl.initialAlgorithm`	Initial Algorithm for HTTPS	RSA256	O	ES256, RSA256	Algorithm that will be used in TLS handshake
`egress-gateway.service.log.level.root`	setting logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE
`egress-gateway.service.log.level.egress`	setting logging level	INFO	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE
`egress-gateway.service.log.level.oauth`	setting logging level	INFO	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE

NF Registration Micro service (nfregistration)

Table 3-6 NF Registration

Parameter	Description	Default value	Mandatory (M) /Optional (O)	Range or Possible Values (If applicable)	Notes
`nfregistration.image.registry`	Docker registry name	ocnrf	O	Registry name
`nfregistration.image.name`	Full Image Path	ocnrf-nfregistration	O	Full image path of image
`nfregistration.image.tag`	Tag of Image	1.6.1	O	Tag of image in docker repository
`nfregistration.image.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Possible Values - `Always, IfNotPresent, Never`
`nfregistration.log.level`	Logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE	Logging level

NF Subscription Micro service (nfsubscription)

Table 3-7 NF Subscription

Parameter	Description	Default value	Mandatory (M) /Optional (O)	Range or Possible Values (If applicable)
`nfsubscription.image.registry`	Docker registry name	ocnrf	O
`nfsubscription. image.name`	Full Image Path	ocnrf-nfsubscription	O	Full image path of image
`nfsubscription.image.tag`	Tag of Image	1.6.1	O	Tag of image in docker repository
`nfsubscription.image.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Possible Values: `Always, IfNotPresent, Never`
`nfsubscription.log.level`	Logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE

OCNRF Auditor Micro service (nrfauditor)

Table 3-8 OCNRF Auditor

Parameter	Description	Default value	Mandatory (M) /Optional (O)	Range or Possible Values (If applicable)
`nrfauditor.image.registry`	Docker registry name	ocnrf	O
`nrfauditor.image.name`	Full Image Path	ocnrf-nrfauditor	O	Full image path of image
`nrfauditor.image.tag`	Tag of Image	1.6.1	O	Tag of image in docker repository
`nrfauditor.image.pullPolicy`	This setting indicates if the image needs to be pulled or not	IfNotPresent	O	Possible Values: `Always, IfNotPresent, Never`
`nrfauditor.log.level`	Logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE

NF Discovery Micro service (nfdiscovery)

Table 3-9 NF Discovery

Parameter	Description	Default value	Mandatory (M) /Optional (O)	Range or Possible Values (If applicable)
`nfdiscovery.image.registry`	Docker registry name	ocnrf	O	Registry name
`nfdiscovery.image.name`	Full Image Path	ocnrf-nfdiscovery	O	Full image path of image
`nfdiscovery.image.tag`	Tag of Image	1.6.1	O	Tag of image in docker repository
`nfdiscovery.image.pullPolicy`	This setting determines if image needs to be pulled or not	IfNotPresent	O	Possible Values: `Always, IfNotPresent, Never`
`nfdiscovery.log.level`	Logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE

OCNRF Configuration

Table 3-10 OCNRF Configuration

Parameter	Description	Default value	Mandatory (M) /Optional (O)	Range or Possible Values (If applicable)	Notes
`image.registry`	Docker registry name	ocnrf	O	Registry name
`image.name`	Full Image Path	nrfconfiguration	O	Full image path of image
`image.tag`	Tag of Image	1.6.1	O	Tag of image in docker repository
`image.pullPolicy`	This setting determines if image needs to be pulled or not	IfNotPresent	O	Possible Values: `Always, IfNotPresent, Never`
`log.level`	Logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE
`service.metalLbIpAllocationEnabled`	Enable or disable IP Address allocation from Metallb Pool	false	O	As defined by operator	If this flag is enabled, the IP Address is allocated from Metallb Pool.
`service.metalLbIpAllocationAnnotation`	Address Pool for Metallb	metallb.universe.tf/address-pool : oam	M, if `nrfconfiguration.service.metalLbIpAllocationEnabled` is true		Address Pool Annotation for Metallb
`service.staticIpAddressEnabled`	Static load balancer IP enabled flag	false	O		If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress. Else random IP will be assigned by the metalLB from its IP Pool
`service.staticIpAddress`	Static load balancer IP	10.75.212.50	M, if `nrfconfiguration.service.metalLbIpAllocationEnabled` is true		Static IP address assigned to the Load Balancer from the metalLB IP pool.
`service.staticNodePortEnabled`	Static Node Port enabled flag	false	O		If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort, else random node port will be assigned by K8
`service.staticNodePort`	Static Node Port	30076	M, if `nrfconfiguration.service.staticIpAddressEnabled` is enabled.		If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort Else random node port will be assigned by K8

NF Access Token(nfaccesstoken)

Table 3-11 NF Access Token

Parameter	Description	Default value	Mandatory (M) / Optional (O)	Range or Possible Values (If applicable)	Notes
`nfaccesstoken.enabled`	Flag to disable Oauth functionality	true	O	true / false	If AccessToken service is not required, operator can choose to set it as false so that nfAccessToken micro-service will not be deployed.
`nfaccesstoken.image.name`	Full Image Path for access token service container	ocnrf-nfaccesstoken	O	Full image path of image
`nfaccesstoken.image.tag`	Tag of Image	1.6.1	O	Tag of image in docker repository
`nfaccesstoken.image.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Possible Values - Always IfNotPresent Never
`nfaccesstoken.initContainersImage.name`	Full Image Path for init container	configurationinit	O	Image Name for Access token Key certificate infrastructure	This image is used by OCNRF gateway for Key/Certificate infrastructure.
`nfaccesstoken.initContainersImage.tag`	Tag of Image	1.1.1	O	Tag of image in docker repository
`nfaccesstoken.initContainersImage.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Possible Values - Always IfNotPresent Never
`nfaccesstoken.updateContainersImage.name`	Full Image Path for update container	configurationupdate	O	Image Name for Access token Key certificate infrastructure
`nfaccesstoken.updateContainersImage.tag`	Tag of Image	1.1.1	O	Tag of image in docker repository
`nfaccesstoken.updateContainersImage.pullPolicy`	This setting will tell if image need to be pulled or not	IfNotPresent	O	Possible Values - Always IfNotPresent Never
`nfaccesstoken.oauth.nrfInstanceId`	OCNRF's NF Instance ID that is used for signing AccessTokenClaim	6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c	M		NRF Instance ID that is used for signing AccessTokenClaim (iss IE of AccessTokenClaim). If NRF needs to issue AccessTokenClaim using it's own NF instance ID then the nrfInstanceId configured in the global section needs to configured here again,. If NRF needs to issue AccessTokenClaim using a common/virtual then a common/virtual NF instance ID needs to be configured here (along with the common/virtual PrivateKey and Certificate Pair). The same NF instance id and PrivateKey and Certificate Pair needs to be configured in all other NRFs as well so that tokens issues by all the NRF can be validated using a Single NfIstanceId and KeyPair.
`nfaccesstoken.oauth.privateKey.k8SecretName`	Secret name that contains OCNRF Private key	ocnrfaccesstoken-secret	M, if `nfaccesstoken.enabled` is true		This is a Secret object for OCNRFPrivate Key.
`nfaccesstoken.oauth.privateKey.k8NameSpace`	Namespace in which OCNRF Private key is present	ocnrf	M, if `nfaccesstoken.enabled` is true
`nfaccesstoken.oauth.privateKey.rsa.filename`	OCNRF's Private Key (RSA type) file name	rsa_private_key.pem	M, if `nfaccesstoken.enabled` is true and `nfaccesstoken.oauth.initialAlgorithm` is RSA256		If initialAlgorithm is configured as RSA, then rsa file name must be configured. Otherwise OCNRF gateway will not comeup.
`nfaccesstoken.oauth.privateKey.ecdsa.filename`	ECDSA key file names	ecdsa_private_key.pem	M, if `nfaccesstoken.enabled` is true and `nfaccesstoken.oauth.initialAlgorithm` is ES256		If initialAlgorithm is configured as ECDSA, then rsa file name must be configured. Otherwise OCNRF's NFAccessToken microservice will not comeup.
`nfaccesstoken.oauth.certificate.k8SecretName`	Secret name that contains OCNRF's certificate	ocnrfaccesstoken-secret	M, if `nfaccesstoken.enabled` is true		This is a Secret object for OCNRFcertificate details for HTTPS.
`nfaccesstoken.oauth.certificate.k8NameSpace`	Namespace in which k8SecretName is present	ocnrf	M, if `nfaccesstoken.enabled` is true
`nfaccesstoken.oauth.certificate.rsa.filename`	OCNRF's certificate (RSA type) file name	rsa_certificate.crt	M, if `nfaccesstoken.enabled` is true and `nfaccesstoken.oauth.initialAlgorithm` is RSA256		If initialAlgorithm is configured as RSA, then rsa file name must be configured. Otherwise OCNRF's NFAccessToken microservice will not comeup.
`nfaccesstoken.oauth.certificate.ecdsa.filename`	OCNRF's certificate (ECDSA type) file name	ecdsa_certificate.crt	M, if `nfaccesstoken.enabled` is true and `nfaccesstoken.oauth.initialAlgorithm` is ES256		If initialAlgorithm is configured as ECDSA, then rsa file name must be configured. Otherwise OCNRF's NFAccessToken microservice will not comeup.
`nfaccesstoken.oauth.keyStorePassword.k8SecretName`	Secret name that contains OCNRF's keystore password	ocnrfaccesstoken-secret	M, if `nfaccesstoken.enabled` is true
`nfaccesstoken.oauth.keyStorePassword.k8NameSpace`	Namespace in which OCNRF's keystore password is present	ocnrf	M, if `nfaccesstoken.enabled` is true		Password that is used for creating in-memory Java Key Store (JKS)
`nfaccesstoken.oauth.keyStorePassword.filename`	KeyStore password file	keystore_password.txt	M, if `nfaccesstoken.enabled` is true
`nfaccesstoken.oauth.initialAlgorithm`	Initial Algorithm for Access Token key certificate infrastructure	ES256	O	ES256, RSA256
`nfaccesstoken.log.level`	Logging level	WARN	O	OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE