3 Customizing OCNRF
This section includes information about OCNRF customization.
OCNRF Configuration
This section describes the OCNRF customization.
The OCNRF deployment is customized by overriding the default values of various configurable parameters.
Customize the ocnrf-custom-values-1.6.1.yaml file as per the required parameters:
- Go to the Oracle Help Center (OHC) Web site.
- Navigate to Industries->Communications->Cloud Native Core->Release 2.2.0.
- Click the NRF Custom Template link to download the zip file.
- Unzip the file to get the ocnrf-custom-configTemplates-1.6.1.0.0 file. It contains the following files:
  - ocnrf-custom-values-1.6.1.yaml: This file is used during installation.
  - NrfDashboard-1.6.1.json: This file is used by grafana.
  - NrfAlertrules-1.6.1.yaml: This file is used for prometheus.
  - OCNRF-MIB-TC-1.6.1.mib: This is considered the OCNRF top level mib file, where the Objects and their data types are defined.
  - OCNRF-MIB-1.6.1.mib: This file fetches the Objects from the top level mib file and, based on the Alert notification, these objects can be selected for display.
- Customize the ocnrf-custom-values-1.6.1.yaml file.
- Save the updated ocnrf-custom-values-1.6.1.yaml file in the helm chart directory.
Note:
Refer to the section OCNRF Configuration Parameters to know more about the configurable parameters.
OCNRF Images
Following are the OCNRF images:
Table 3-1 OCNRF Images
Services | Image | Tag |
---|---|---|
&lt;helm-release-name&gt;-NFRegistration | ocnrf-nfregistration | 1.6.1 |
&lt;helm-release-name&gt;-NFSubscription | ocnrf-nfsubscription | 1.6.1 |
&lt;helm-release-name&gt;-NFDiscovery | ocnrf-nfdiscovery | 1.6.1 |
&lt;helm-release-name&gt;-NRF Auditor | ocnrf-nrfauditor | 1.6.1 |
&lt;helm-release-name&gt;-NRF Configuration | ocnrf-nrfconfiguration | 1.6.1 |
&lt;helm-release-name&gt;-NFAccessToken | configurationinit | 1.1.1 |
&lt;helm-release-name&gt;-NFAccessToken | configurationupdate | 1.1.1 |
&lt;helm-release-name&gt;-NFAccessToken | ocnrf-nfaccesstoken | 1.6.1 |
&lt;helm-release-name&gt;-EgressGateway | configurationinit | 1.1.1 |
&lt;helm-release-name&gt;-EgressGateway | configurationupdate | 1.1.1 |
&lt;helm-release-name&gt;-EgressGateway | ocegress_gateway | 1.6.4 |
&lt;helm-release-name&gt;-IngressGateway | configurationinit | 1.1.1 |
&lt;helm-release-name&gt;-IngressGateway | configurationupdate | 1.1.1 |
&lt;helm-release-name&gt;-IngressGateway | ocingress_gateway | 1.6.4 |
Note:
IngressGateway, EgressGateway and NFAccessToken use the same configurationinit and configurationupdate docker images.
OCNRF Configuration Parameters
This section includes information about the configuration parameters of OCNRF.
OCNRF allows customization of parameters for the following services and related settings.
Global Parameters
Table 3-2 Global Parameters
Parameter | Description | Default value | Mandatory (M)/Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
mysql.primary.host | Primary DB Connection Service IP or Hostname | ocnrf-mysql | M | Primary DB Connection Service HostName or IP | OCNRF connects to the Primary DB Connection Service; if it is not available, OCNRF connects to the Secondary DB Connection Service. For NDB Cluster, use Host/IP of the DB Connection Service. |
mysql.primary.port | Primary DB Connection Service Port | 3306 | M | Primary DB Connection Service Port | Port that is used while connecting to Primary DB Connection Service. |
mysql.secondary.host | Secondary DB Connection Service IP or Hostname | ocnrf-mysql | O | Secondary DB Connection Service HostName or IP | OCNRF connects to the Secondary DB Connection Service only if the Primary DB Connection Service is unavailable. It switches back to the Primary DB Connection Service once it is available. For NDB Cluster, use Host/IP of the Remote DB Connection Service (if available). |
mysql.secondary.port | Secondary DB Connection Service Port | 3306 | O | Secondary DB Connection Service Port | Port that is used while connecting to Secondary DB Connection Service. |
endpoint | OCNRF END Point Name | ocnrf-ingress-gateway.ocnrf.svc.cluster.local | M | Service Name for OCNRF ingress gateway | OCNRF Ingress Gateway's Name and Port. This value is used in UriList of NfListRetrieval Service Operation response. The endpoint needs to be OCNRF's External Routable FQDN (e.g. ocnrf.oracle.com) OR External Routable IpAddress (e.g. 10.75.212.60) OR, for routing within the same K8 cluster, the full OCNRF ingress gateway Service FQDN in the format below, e.g. ocnrf-ingress-gateway.nrf-1.svc.cluster.local, where "ocnrf" is the helm release name (deployment name that will be used during "helm install"), "nrf-1" is the namespace in which OCNRF is deployed, and "cluster.local" is the K8's dnsDomain name (dnsDomain can be found using "kubectl -n kube-system get configmap kubeadm-config -o yaml | grep -i dnsDomain"). Note: This value must be changed during deployment based on the configuration. |
endpointPort | OCNRF END Point Port | 80 | M | Port for OCNRF ingress gateway | This parameter is used as OCNRF end point port. |
nrfInstanceId | OCNRF's NF Instance ID | 6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c | M | OCNRF's NfInstance Id (UUID format) | |
dockerRegistry | Registry for docker | ocnrf-registry.us.oracle.com:5000 | M | Docker Registry's FQDN/Port where OCNRF's docker images are available. | |
database.nameSpace | Namespace for database connection | ocnrf | M | The Namespace where the Kubernetes Secret is created which contains MYSQL details. Note: See database.name configuration for more details. | |
database.name | Secret name for database connection | database-secret | M | The Kubernetes Secret which contains the Database name, Database User name and the Password. Note: Refer to the OCNRF Pre-requisites section for the file format. | |
serviceAccountName | ServiceAccount which has permission for get, watch and list operations on the following Kubernetes resources: services, configmaps, pods, secrets and endpoints | | M | | This ServiceAccount is used for: Refer to prerequisites for command details. |
Table 3-3 Ingress Gateway Global Parameters
Parameter | Description | Default value | Mandatory (M)/Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | false | O | true/false | |
metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | metallb.universe.tf/address-pool: signaling | M when metalLbIpAllocationEnabled is true | | |
staticIpAddressEnabled | Static load balancer IP enabled flag | false | O | true/false | |
staticIpAddress | Static IP address assigned to the Load Balancer from the metalLB IP pool. | 10.75.212.50 | M, when staticIpAddressEnabled is true | If a static load balancer IP needs to be set, set the staticIpAddressEnabled flag to true and provide a value for staticIpAddress. Otherwise, metalLB assigns a random IP from its IP Pool. | |
staticNodePortEnabled | Static Node Port enabled flag | false | O | true/false | If a static node port needs to be set, set the staticNodePortEnabled flag to true and provide a value for staticHttpNodePort or staticHttpsNodePort. Otherwise, K8 assigns a random node port. |
staticHttpNodePort | HTTP node port | 30080 | M, when | | |
staticHttpsNodePort | HTTPs node port | 30443 | M, when | | |
publicHttpSignalingPort | Service Port on which OCNRF's Ingress Gateway is exposed | 80 | O | If enableIncomingHttp is true, publicHttpSignalingPort will be used as HTTP/2.0 Port (unsecured) | |
publicHttpsSignallingPort | Service Port on which OCNRF's Ingress Gateway is exposed | 443 | O | If enableIncomingHttps is true, publicHttpsSignallingPort will be used as HTTPS/2.0 Port (secured TLS) | |
Table 3-4 Ingress Gateway
Parameter | Description | Default value | Mandatory (M)/Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
ingress-gateway.enableIncomingHttp | This flag is for enabling/disabling HTTP/2.0 (insecure) in Ingress Gateway. | true | O | true/false | If the value is set to false, OCNRF will not accept any HTTP/2.0 (unsecured) traffic. If the value is set to true, OCNRF will accept HTTP/2.0 (unsecured) traffic. |
ingress-gateway.enableIncomingHttps | This flag is for enabling/disabling HTTPS/2.0 (secure) in Ingress Gateway. | false | O | true/false | If the value is set to false, OCNRF will not accept any HTTPS/2.0 (secured) traffic. If the value is set to true, OCNRF will accept HTTPS/2.0 (secured) traffic. |
ingress-gateway.image.name | Ingress Gateway image name. | ocingress_gateway | O | | |
ingress-gateway.image.tag | Tag name of Ingress Gateway image | 1.6.4 | O | | |
ingress-gateway.image.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Always, IfNotPresent, Never | |
ingress-gateway.initContainersImage.name | Image Name for Ingress Gateway init container | configurationinit | O | | |
ingress-gateway.initContainersImage.tag | Tag name of Ingress Gateway init container | 1.1.1 | O | | |
ingress-gateway.initContainersImage.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Always, IfNotPresent, Never | |
ingress-gateway.updateContainersImage.name | Image Name for Ingress Gateway update container | configurationupdate | O | | |
ingress-gateway.updateContainersImage.tag | Tag name of Ingress Gateway update container | 1.1.1 | O | | |
ingress-gateway.updateContainersImage.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Always, IfNotPresent, Never | |
ingress-gateway.jaegerTracingEnabled | Flag to enable or disable the Jaeger Tracing at ingress-gateway | false | O | true / false | When setting this flag to true, update the attributes below with correct values. |
ingress-gateway.opentracing.jaeger.udpsender.host | Host name of Jaeger Agent Service | jaeger-agent.cne-infra | M, if ingress-gateway.jaegerTracingEnabled is true | | |
ingress-gateway.opentracing.jaeger.udpsender.port | Port of Jaeger Agent Service | 6831 | M, if ingress-gateway.jaegerTracingEnabled is true | | |
ingress-gateway.opentracing.jaeger.probabilisticSampler | Jaeger message sampler | 0.5 | O | 0 to 1 | Jaeger message sampler. Value range: 0 to 1. For example, value 0: no trace is sent to the Jaeger collector; value 0.3: 30% of messages are sampled and sent to the Jaeger collector; value 1: 100% of messages (that is, all messages) are sampled and sent to the Jaeger collector. |
ingress-gateway.cipherSuites | Allowed CipherSuites for TLS1.2 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | M, if ingress-gateway.enableIncomingHttps is true | | |
ingress-gateway.service.ssl.privateKey.k8SecretName | Secret name that contains OCNRF Ingress gateway Private Key | ocingress-secret | M, if | | |
ingress-gateway.service.ssl.privateKey.k8NameSpace | Namespace in which k8SecretName is present | ocnrf | M, if | | |
ingress-gateway.service.ssl.privateKey.rsa.filename | OCNRF's Private Key (RSA type) file name | rsa_private_key_pkcs1.pem | M, if ingress-gateway.enableIncomingHttps is true and ingress-gateway.service.ssl.initialAlgorithm is RSA256 | If initialAlgorithm is configured as RSA, then the rsa file name must be configured. Otherwise OCNRF's ingress gateway will not come up. | |
ingress-gateway.service.ssl.privateKey.ecdsa.filename | OCNRF's Private Key (ECDSA type) file name | ssl_ecdsa_private_key.pem | M, if | If initialAlgorithm is configured as ECDSA, then the ecdsa file name must be configured. Otherwise OCNRF's ingress gateway will not come up. | |
ingress-gateway.service.ssl.certificate.k8SecretName | Secret name that contains OCNRF's Certificate for HTTPS | ocingress-secret | M, if ingress-gateway.enableIncomingHttps is true | This is a Secret object for OCNRF certificate details for HTTPS. | |
ingress-gateway.service.ssl.certificate.k8NameSpace | Namespace in which OCNRF's Certificate is present | ocnrf | M, if ingress-gateway.enableIncomingHttps is true | | |
ingress-gateway.service.ssl.certificate.rsa.filename | OCNRF's Certificate (RSA type) file name | ssl_rsa_certificate.crt | M, if | If initialAlgorithm is configured as RSA, then the rsa file name must be configured. Otherwise OCNRF's ingress gateway will not come up. | |
ingress-gateway.service.ssl.certificate.ecdsa.filename | OCNRF's Certificate (ECDSA type) file name | ssl_ecdsa_certificate.crt | M, if | If initialAlgorithm is configured as ECDSA, then the ecdsa file name must be configured. Otherwise OCNRF's ingress gateway will not come up. | |
ingress-gateway.service.ssl.caBundle.k8SecretName | Secret name that contains OCNRF's CA details for HTTPS | ocingress-secret | M, if | | |
ingress-gateway.service.ssl.caBundle.k8NameSpace | Namespace in which OCNRF's CA details are present | ocnrf | M, if | | |
ingress-gateway.service.ssl.caBundle.filename | OCNRF's CA bundle filename | caroot.cer | M, if | | |
ingress-gateway.service.ssl.keyStorePassword.k8SecretName | Secret name that contains keyStorePassword | ocingress-secret | M, if | | |
ingress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace in which OCNRF's keystore password is present | ocnrf | M, if | | |
ingress-gateway.service.ssl.keyStorePassword.fileName | OCNRF's Key Store password Filename | ssl_keystore.txt | M, if | | |
ingress-gateway.service.ssl.trustStorePassword.k8SecretName | Secret name that contains trustStorePassword | ocingress-secret | M, if | | |
ingress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace in which trustStorePassword is present | ocnrf | M, if | | |
ingress-gateway.service.ssl.trustStorePassword.fileName | OCNRF's trustStorePassword Filename | ssl_truststore.txt | M, if | | |
ingress-gateway.service.ssl.initialAlgorithm | Initial Algorithm for HTTPS | ES256 | O | ES256, RSA256 | Algorithm that will be used in TLS handshake |
ingress-gateway.service.log.level.root | Logging level setting | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
ingress-gateway.service.log.level.ingress | Logging level setting | INFO | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
ingress-gateway.service.log.level.oauth | Logging level setting | INFO | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
Table 3-5 Egress Gateway
Parameter | Description | Default value | Mandatory (M)/ Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
egress-gateway.enableOutgoingHttps | This flag is for enabling/disabling HTTPS/2.0 (secured TLS) in Egress Gateway. | false | O | true/false | If the value is set to false, OCNRF will not accept any HTTPS/2.0 (secured) traffic. If the value is set to true, OCNRF will accept HTTPS/2.0 (secured) traffic. |
egress-gateway.deploymentegressgateway.image | Egress Gateway image name | ocegress_gateway | O | | |
egress-gateway.deploymentegressgateway.imageTag | Tag name of image | 1.6.4 | O | | |
egress-gateway.deploymentegressgateway.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Always, IfNotPresent, Never | |
egress-gateway.initContainersImage.name | Image Name for Egress Gateway init container | configurationinit | O | | |
egress-gateway.initContainersImage.tag | Tag name of Egress Gateway init container | 1.1.1 | O | | |
egress-gateway.initContainersImage.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Always, IfNotPresent, Never | |
egress-gateway.updateContainersImage.name | Image Name for Egress Gateway update container | configurationupdate | O | | |
egress-gateway.updateContainersImage.tag | Tag name of Egress Gateway update container | 1.1.1 | O | | |
egress-gateway.updateContainersImage.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Always, IfNotPresent, Never | |
egress-gateway.jaegerTracingEnabled | Flag to enable or disable the Jaeger Tracing at egress gateway | false | O | true / false | When setting this flag to true, update the attributes below with correct values. |
egress-gateway.opentracing.jaeger.udpsender.host | Host name of Jaeger Agent Service | jaeger-agent.cne-infra | M, if | | |
egress-gateway.opentracing.jaeger.udpsender.port | Port of Jaeger Agent Service | 6831 | M, if | | |
egress-gateway.opentracing.jaeger.probabilisticSampler | Jaeger message sampler | 0.5 | O | 0 to 1 | Jaeger message sampler. Value range: 0 to 1. For example, value 0: no trace is sent to the Jaeger collector; value 0.3: 30% of messages are sampled and sent to the Jaeger collector; value 1: 100% of messages (that is, all messages) are sampled and sent to the Jaeger collector. |
egress-gateway.scpIntegrationEnabled | Using SCP as a Proxy in Egress Gateway | false | O | true/false | If it is configured as false, SCP will not be used as a proxy. Messages will be sent directly to the Producers/HTTP Servers. If it is configured as true, SCP will be used as a proxy for delivering messages to the Producers/HTTP Servers. |
egress-gateway.scpHttpHost | SCP Configuration For Egress Gateway | localhost | M, if | All the SCP related configuration will be used only if scpIntegrationEnabled is set to true. SCP's HTTP Host/IP and Port combination. This will be used while sending HTTP/2.0 (unsecured) traffic. | |
egress-gateway.scpHttpPort | SCP's HTTP Port | 80 | M, if | | |
egress-gateway.scpHttpsHost | SCP Configuration For Egress Gateway | localhost | M, if | All the SCP related configuration will be used only if scpIntegrationEnabled is set to true. SCP's HTTPS Host/IP and Port combination. This will be used while sending HTTPS/2.0 (secured) traffic. | |
egress-gateway.scpHttpsPort | SCP's HTTPS Port | 443 | M, if | This will be used while sending HTTPS/2.0 (secured) traffic. | |
egress-gateway.scpApiPrefix | SCP's API Prefix. (Applicable only for SCP with TLS enabled) | / | O | This will be used for constructing the Egress message's APIROOT while proxying message to SCP. Change this value to SCP's apiprefix. "/" is not expected to be provided along. | |
egress-gateway.scpDefaultScheme | SCP's default scheme when 3gpp-sbi-target-apiroot header is missing | https | O | | |
egress-gateway.cipherSuites | Allowed CipherSuites for TLS1.2 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.privateKey.k8SecretName | Secret name that contains OCNRF Egress gateway Private Key | ocegress-secret | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.privateKey.k8NameSpace | Namespace in which k8SecretName is present | ocnrf | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.privateKey.rsa.filename | OCNRF's Private Key (RSA type) file name | ssl_rsa_private_key.pem | M, if egress-gateway.enableOutgoingHttps is true and egress-gateway.service.ssl.initialAlgorithm is RSA256 | If initialAlgorithm is configured as RSA, then the rsa file name must be configured. Otherwise OCNRF's egress gateway will not come up. | |
egress-gateway.service.ssl.privateKey.ecdsa.filename | OCNRF's Private Key (ECDSA type) file name | ssl_ecdsa_private_key.pem | M, if egress-gateway.enableOutgoingHttps is true and egress-gateway.service.ssl.initialAlgorithm is ES256 | If initialAlgorithm is configured as ECDSA, then the ecdsa file name must be configured. Otherwise OCNRF's egress gateway will not come up. | |
egress-gateway.service.ssl.certificate.k8SecretName | Secret name that contains OCNRF's Certificate for HTTPS | ocegress-secret | M, if egress-gateway.enableOutgoingHttps is true | This is a Secret object for OCNRF certificate details for HTTPS. | |
egress-gateway.service.ssl.certificate.k8NameSpace | Namespace in which OCNRF's Certificate is present | ocnrf | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.certificate.rsa.filename | OCNRF's Certificate (RSA type) file name | ssl_rsa_certificate.crt | M, if egress-gateway.enableOutgoingHttps is true and egress-gateway.service.ssl.initialAlgorithm is RSA256 | If initialAlgorithm is configured as RSA, then the rsa file name must be configured. Otherwise OCNRF's egress gateway will not come up. | |
egress-gateway.service.ssl.certificate.ecdsa.filename | OCNRF's Certificate (ECDSA type) file name | ssl_ecdsa_certificate.crt | M, if egress-gateway.enableOutgoingHttps is true and egress-gateway.service.ssl.initialAlgorithm is ES256 | If initialAlgorithm is configured as ECDSA, then the ecdsa file name must be configured. Otherwise OCNRF's egress gateway will not come up. | |
egress-gateway.service.ssl.caBundle.k8SecretName | Secret name that contains OCNRF's CA details for HTTPS | ocegress-secret | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.caBundle.k8NameSpace | Namespace in which OCNRF's CA details are present | ocnrf | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.caBundle.filename | OCNRF's CA bundle filename | ssl_cabundle.crt | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.keyStorePassword.k8SecretName | Secret name that contains keyStorePassword | ocegress-secret | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace in which OCNRF's keystore password is present | ocnrf | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.keyStorePassword.fileName | OCNRF's Key Store password Filename | ssl_keystore.txt | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.trustStorePassword.k8SecretName | Secret name that contains trustStorePassword | ocegress-secret | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace in which trustStorePassword is present | ocnrf | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.trustStorePassword.fileName | OCNRF's trustStorePassword Filename | ssl_truststore.txt | M, if egress-gateway.enableOutgoingHttps is true | | |
egress-gateway.service.ssl.initialAlgorithm | Initial Algorithm for HTTPS | RSA256 | O | ES256, RSA256 | Algorithm that will be used in TLS handshake |
egress-gateway.service.log.level.root | Logging level setting | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
egress-gateway.service.log.level.egress | Logging level setting | INFO | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
egress-gateway.service.log.level.oauth | Logging level setting | INFO | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
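Added example (not Oracle's code): a Python check that applies the conditional rules of Tables 3-4 and 3-5 to an already-parsed custom-values file and reports cleartext listeners, disabled TLS, missing key material and cipher suites outside the listed set. It assumes the dotted parameter names map to nested YAML keys and that the ingress rows whose "M, if" condition is cut off on this page follow the condition the egress table states; all sample values are constructed.

```python
"""Lint gateway TLS settings in a parsed ocnrf-custom-values file (added example)."""

# Cipher suites this page lists for ingress-gateway.cipherSuites and egress-gateway.cipherSuites.
DOCUMENTED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# initialAlgorithm value -> key-type segment of the matching *.filename parameters.
KEYTYPE = {"ES256": "ecdsa", "RSA256": "rsa"}
# gateway -> (HTTPS flag, cleartext flag or None, default initialAlgorithm), from Tables 3-4 and 3-5.
GATEWAYS = {
    "ingress-gateway": ("enableIncomingHttps", "enableIncomingHttp", "ES256"),
    "egress-gateway": ("enableOutgoingHttps", None, "RSA256"),
}
# service.ssl parameters needed once HTTPS is on. Assumption: the ingress rows whose
# "M, if" condition is cut off follow the same rule the egress table spells out.
SSL_REQUIRED = [
    f"{obj}.{field}"
    for obj, name_key in (("privateKey", None), ("certificate", None), ("caBundle", "filename"),
                          ("keyStorePassword", "fileName"), ("trustStorePassword", "fileName"))
    for field in ("k8SecretName", "k8NameSpace", name_key) if field
]


def flatten(node, prefix=""):
    """Turn nested YAML mappings into the dotted parameter names used in the tables."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def lint_gateway(flat, gateway):
    """Return (parameter, issue) pairs for one gateway; absent flags use the table defaults."""
    https_key, http_key, default_algo = GATEWAYS[gateway]
    findings = []
    if http_key and flat.get(f"{gateway}.{http_key}", True):
        findings.append((f"{gateway}.{http_key}", "cleartext HTTP/2.0 accepted"))
    if not flat.get(f"{gateway}.{https_key}", False):
        findings.append((f"{gateway}.{https_key}", "TLS disabled"))
        return findings  # the ssl.* parameters are only used when HTTPS is enabled
    ssl = f"{gateway}.service.ssl"
    required = [f"{ssl}.{param}" for param in SSL_REQUIRED]
    algo = flat.get(f"{ssl}.initialAlgorithm", default_algo)
    if algo in KEYTYPE:  # the key and certificate file must match the selected algorithm
        required += [f"{ssl}.{obj}.{KEYTYPE[algo]}.filename" for obj in ("privateKey", "certificate")]
    else:
        findings.append((f"{ssl}.initialAlgorithm", f"unsupported value {algo!r}"))
    findings += [(p, "mandatory when HTTPS is enabled") for p in required if not flat.get(p)]
    suites = flat.get(f"{gateway}.cipherSuites") or []
    if not suites:
        findings.append((f"{gateway}.cipherSuites", "mandatory when HTTPS is enabled"))
    findings += [(f"{gateway}.cipherSuites", f"not in documented list: {s}")
                 for s in suites if s not in DOCUMENTED_CIPHERS]
    return findings


def lint(values):
    flat = flatten(values)
    return [finding for gateway in GATEWAYS for finding in lint_gateway(flat, gateway)]


# --- Constructed sample inputs (not taken from a real deployment) ---
def sample_ssl(secret, algo):
    ref = {"k8SecretName": secret, "k8NameSpace": "ocnrf"}
    kt = KEYTYPE[algo]
    return {
        "privateKey": {**ref, kt: {"filename": f"ssl_{kt}_private_key.pem"}},
        "certificate": {**ref, kt: {"filename": f"ssl_{kt}_certificate.crt"}},
        "caBundle": {**ref, "filename": "caroot.cer"},
        "keyStorePassword": {**ref, "fileName": "ssl_keystore.txt"},
        "trustStorePassword": {**ref, "fileName": "ssl_truststore.txt"},
        "initialAlgorithm": algo,
    }


def hardened():
    suites = sorted(DOCUMENTED_CIPHERS)
    return {
        "ingress-gateway": {"enableIncomingHttp": False, "enableIncomingHttps": True,
                            "cipherSuites": suites,
                            "service": {"ssl": sample_ssl("ocingress-secret", "ES256")}},
        "egress-gateway": {"enableOutgoingHttps": True, "cipherSuites": suites,
                           "service": {"ssl": sample_ssl("ocegress-secret", "RSA256")}},
    }


DEFAULTS = {"ingress-gateway": {"enableIncomingHttp": True, "enableIncomingHttps": False},
            "egress-gateway": {"enableOutgoingHttps": False}}

MISMATCH = hardened()
MISMATCH["ingress-gateway"]["service"]["ssl"]["initialAlgorithm"] = "RSA256"  # only ECDSA files set
MISMATCH["ingress-gateway"]["cipherSuites"] = ["TLS_RSA_WITH_AES_128_CBC_SHA"]  # not on the list

if __name__ == "__main__":
    for name, sample in (("defaults", DEFAULTS), ("hardened", hardened()), ("mismatch", MISMATCH)):
        print(name)
        for param, issue in lint(sample):
            print(f"  {param}: {issue}")
```

Feed it the dictionary produced by any YAML loader from the customized ocnrf-custom-values-1.6.1.yaml; an empty result means both gateways are TLS-only with complete key material.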
NF Registration (nfregistration)
Table 3-6 NF Registration
Parameter | Description | Default value | Mandatory (M) /Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
nfregistration.image.registry | Docker registry name | ocnrf | O | Registry name | |
nfregistration.image.name | Full Image Path | ocnrf-nfregistration | O | Full image path of image | |
nfregistration.image.tag | Tag of Image | 1.6.1 | O | Tag of image in docker repository | |
nfregistration.image.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never | |
nfregistration.log.level | Logging level | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | Logging level |
NF Subscription (nfsubscription)
Table 3-7 NF Subscription
Parameter | Description | Default value | Mandatory (M) /Optional (O) | Range or Possible Values (If applicable) |
---|---|---|---|---|
nfsubscription.image.registry | Docker registry name | ocnrf | O | |
nfsubscription.image.name | Full Image Path | ocnrf-nfsubscription | O | Full image path of image |
nfsubscription.image.tag | Tag of Image | 1.6.1 | O | Tag of image in docker repository |
nfsubscription.image.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never |
nfsubscription.log.level | Logging level | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE |
OCNRF Auditor (nrfauditor)
Table 3-8 OCNRF Auditor
Parameter | Description | Default value | Mandatory (M) /Optional (O) | Range or Possible Values (If applicable) |
---|---|---|---|---|
nrfauditor.image.registry | Docker registry name | ocnrf | O | |
nrfauditor.image.name | Full Image Path | ocnrf-nrfauditor | O | Full image path of image |
nrfauditor.image.tag | Tag of Image | 1.6.1 | O | Tag of image in docker repository |
nrfauditor.image.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never |
nrfauditor.log.level | Logging level | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE |
NF Discovery (nfdiscovery)
Table 3-9 NF Discovery
Parameter | Description | Default value | Mandatory (M) /Optional (O) | Range or Possible Values (If applicable) |
---|---|---|---|---|
nfdiscovery.image.registry | Docker registry name | ocnrf | O | Registry name |
nfdiscovery.image.name | Full Image Path | ocnrf-nfdiscovery | O | Full image path of image |
nfdiscovery.image.tag | Tag of Image | 1.6.1 | O | Tag of image in docker repository |
nfdiscovery.image.pullPolicy | This setting determines if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never |
nfdiscovery.log.level | Logging level | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE |
OCNRF Configuration
Table 3-10 OCNRF Configuration
Parameter | Description | Default value | Mandatory (M) /Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
image.registry | Docker registry name | ocnrf | O | Registry name | |
image.name | Full Image Path | nrfconfiguration | O | Full image path of image | |
image.tag | Tag of Image | 1.6.1 | O | Tag of image in docker repository | |
image.pullPolicy | This setting determines if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never | |
log.level | Logging level | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |
service.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | false | O | As defined by operator | If this flag is enabled, the IP Address is allocated from Metallb Pool. |
service.metalLbIpAllocationAnnotation | Address Pool for Metallb | metallb.universe.tf/address-pool : oam | M, if | Address Pool Annotation for Metallb | |
service.staticIpAddressEnabled | Static load balancer IP enabled flag | false | O | If a static load balancer IP needs to be set, set the staticIpAddressEnabled flag to true and provide a value for staticIpAddress. Otherwise, metalLB assigns a random IP from its IP Pool. | |
service.staticIpAddress | Static load balancer IP | 10.75.212.50 | M, if | Static IP address assigned to the Load Balancer from the metalLB IP pool. | |
service.staticNodePortEnabled | Static Node Port enabled flag | false | O | If a static node port needs to be set, set the staticNodePortEnabled flag to true and provide a value for staticNodePort. Otherwise, K8 assigns a random node port. | |
service.staticNodePort | Static Node Port | 30076 | M, if | If a static node port needs to be set, set the staticNodePortEnabled flag to true and provide a value for staticNodePort. Otherwise, K8 assigns a random node port. | |
NF Access Token (nfaccesstoken)
Table 3-11 NF Access Token
Parameter | Description | Default value | Mandatory (M) / Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
nfaccesstoken.enabled | Flag to disable Oauth functionality | true | O | true / false | If the AccessToken service is not required, the operator can set this to false so that the nfAccessToken micro-service is not deployed. |
nfaccesstoken.image.name | Full Image Path for access token service container | ocnrf-nfaccesstoken | O | Full image path of image | |
nfaccesstoken.image.tag | Tag of Image | 1.6.1 | O | Tag of image in docker repository | |
nfaccesstoken.image.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never | |
nfaccesstoken.initContainersImage.name | Full Image Path for init container | configurationinit | O | Image Name for Access token Key certificate infrastructure | This image is used by OCNRF gateway for Key/Certificate infrastructure. |
nfaccesstoken.initContainersImage.tag | Tag of Image | 1.1.1 | O | Tag of image in docker repository | |
nfaccesstoken.initContainersImage.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never | |
nfaccesstoken.updateContainersImage.name | Full Image Path for update container | configurationupdate | O | Image Name for Access token Key certificate infrastructure | |
nfaccesstoken.updateContainersImage.tag | Tag of Image | 1.1.1 | O | Tag of image in docker repository | |
nfaccesstoken.updateContainersImage.pullPolicy | This setting indicates if the image needs to be pulled or not | IfNotPresent | O | Possible Values: Always, IfNotPresent, Never | |
nfaccesstoken.oauth.nrfInstanceId | OCNRF's NF Instance ID that is used for signing AccessTokenClaim | 6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c | M | NRF Instance ID that is used for signing AccessTokenClaim (iss IE of AccessTokenClaim). If NRF needs to issue AccessTokenClaim using its own NF instance ID, then the nrfInstanceId configured in the global section needs to be configured here again. If NRF needs to issue AccessTokenClaim using a common/virtual NF instance ID, then a common/virtual NF instance ID needs to be configured here (along with the common/virtual PrivateKey and Certificate Pair). The same NF instance ID and PrivateKey and Certificate Pair need to be configured in all other NRFs as well, so that tokens issued by all the NRFs can be validated using a single NfInstanceId and KeyPair. | |
nfaccesstoken.oauth.privateKey.k8SecretName | Secret name that contains OCNRF Private key | ocnrfaccesstoken-secret | M, if nfaccesstoken.enabled is true | This is a Secret object for OCNRF Private Key. | |
nfaccesstoken.oauth.privateKey.k8NameSpace | Namespace in which OCNRF Private key is present | ocnrf | M, if nfaccesstoken.enabled is true | | |
nfaccesstoken.oauth.privateKey.rsa.filename | OCNRF's Private Key (RSA type) file name | rsa_private_key.pem | M, if nfaccesstoken.enabled is true and nfaccesstoken.oauth.initialAlgorithm is RSA256 | If initialAlgorithm is configured as RSA, then the rsa file name must be configured. Otherwise OCNRF gateway will not come up. | |
nfaccesstoken.oauth.privateKey.ecdsa.filename | ECDSA key file names | ecdsa_private_key.pem | M, if nfaccesstoken.enabled is true and nfaccesstoken.oauth.initialAlgorithm is ES256 | If initialAlgorithm is configured as ECDSA, then the ecdsa file name must be configured. Otherwise OCNRF's NFAccessToken microservice will not come up. | |
nfaccesstoken.oauth.certificate.k8SecretName | Secret name that contains OCNRF's certificate | ocnrfaccesstoken-secret | M, if nfaccesstoken.enabled is true | This is a Secret object for OCNRF certificate details for HTTPS. | |
nfaccesstoken.oauth.certificate.k8NameSpace | Namespace in which k8SecretName is present | ocnrf | M, if nfaccesstoken.enabled is true | | |
nfaccesstoken.oauth.certificate.rsa.filename | OCNRF's certificate (RSA type) file name | rsa_certificate.crt | M, if nfaccesstoken.enabled is true and nfaccesstoken.oauth.initialAlgorithm is RSA256 | If initialAlgorithm is configured as RSA, then the rsa file name must be configured. Otherwise OCNRF's NFAccessToken microservice will not come up. | |
nfaccesstoken.oauth.certificate.ecdsa.filename | OCNRF's certificate (ECDSA type) file name | ecdsa_certificate.crt | M, if nfaccesstoken.enabled is true and nfaccesstoken.oauth.initialAlgorithm is ES256 | If initialAlgorithm is configured as ECDSA, then the ecdsa file name must be configured. Otherwise OCNRF's NFAccessToken microservice will not come up. | |
nfaccesstoken.oauth.keyStorePassword.k8SecretName | Secret name that contains OCNRF's keystore password | ocnrfaccesstoken-secret | M, if nfaccesstoken.enabled is true | | |
nfaccesstoken.oauth.keyStorePassword.k8NameSpace | Namespace in which OCNRF's keystore password is present | ocnrf | M, if nfaccesstoken.enabled is true | Password that is used for creating in-memory Java Key Store (JKS) | |
nfaccesstoken.oauth.keyStorePassword.filename | KeyStore password file | keystore_password.txt | M, if nfaccesstoken.enabled is true | | |
nfaccesstoken.oauth.initialAlgorithm | Initial Algorithm for Access Token key certificate infrastructure | ES256 | O | ES256, RSA256 | |
nfaccesstoken.log.level | Logging level | WARN | O | OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE | |