3 Customizing Binding Support Function
This chapter describes how to customize the Binding Support Function (BSF) deployment in a cloud native environment.
The BSF deployment is customized by overriding the default values of various configurable parameters in the ocbsf-custom-values-1.5.1.yaml file.
- Go to the Oracle Help Center (OHC) Web site:
- Navigate to Industries->Communications->Cloud Native Core ->Release 2.3.0.
- Click the Binding Support Function (BSF) Custom Template link to download the zip file.
- Unzip the file to get
ocbsf-custom-configTemplates-1.5.1.0.0file that contains the ocbsf-custom-values-1.5.1.yaml . This file is used during installation. - Customize the ocbsf-custom-values-1.5.1.yaml file.
- Save the updated ocbsf-custom-values-1.5.1.yaml file in the helm chart directory.
Note:
- All parameters mentioned as mandatory must be present in ocbsf-custom-values-1.5.1.yaml file.
- All fixed value parameters listed must be present in the ocbsf-custom-values-1.5.1.yaml file with the exact values as specified here.
Configuring Mandatory Parameters
This section describes the mandatory configurable parameters that you must customize in the ocbsf-custom-values-1.5.1.yaml file for successful installation of Binding Support Function (BSF).
Table 3-1 Configurable Parameters for Mandatory Configurations
| Parameter | Description |
|---|---|
| global.dockerRegistry | This mandatory parameter specifies the name
of the Docker registry that hosts Binding Support Function docker
images.
Note: The Docker registry runs in OCCNE bastion server where all OAuth docker images are loaded. |
| global.envMysqlHost | This mandatory parameter specifies the IP address or host name of the MySQL server where BSF databases are hosted. |
| global.envMysqlPort | This mandatory parameter specifies the port number of the MySQL server where BSF databases are hosted. |
| global.dbCredSecretName | This mandatory parameter specifies the name
of the Kubernetes secret object that contains Database username and
password.
Default Value:
|
| global.privilegedDbCredSecretName | This mandatory parameter specifies the name
of the Kubernetes secret object containing Database username and
password for an admin user.
Default Value:
|
| global.releaseDbName | This mandatory parameter specifies the name
of the release database that contains details of release
version.
Default Value:
|
global:
# Docker registry name
dockerRegistry: ''
# Primary MYSQL Host IP or Hostname
envMysqlHost: ''
envMysqlPort: ''
# K8s secret object name containing OCBSF MYSQL UserName and Password
dbCredSecretName: 'ocbsf-db-pass'
privilegedDbCredSecretName: 'ocbsf-privileged-db-pass'
#Release DB name containing release version details
releaseDbName: 'ocbsf_release'Enabling/Disabling Services Configurations
This section describes the configuration parameters that can be used to select the services that you want to enable/disable for your deployment.
Table 3-2 Configurable Parameters for Enabling/Disabling the BSF Core Service
| Parameter | Description |
|---|---|
| global.bsfManagementEnable | This parameter determines if the BSF core service is
enabled or not.
Default Value: true |
| global.bsfManagementVersion1Enable | |
| global.bsfManagementVersion2Enable |
Table 3-3 Configurable Parameters for Enabling/Disabling the NRF Client Services
| Parameter | Description |
|---|---|
| global.nrfClientNfManagementEnable | This is an optional
parameter.
Default Value: true |
| global.appinfoServiceEnable | This optional parameter determines if the app info
service is enabled or
not.
Default Value: true |
| global.performanceServiceEnable | This optional parameter determines if the
performance service is enabled or
not.
Default Value: true |
Table 3-4 Configurable Parameters for Enabling/Disabling the Diameter Gateway and Diameter Connector
| Parameter | Description |
|---|---|
| global.diamConnectorEnable | This optional parameter detremines if the diameter
connector is enabled or
not.
Default Value: true |
| global.diamGatewayEnable | This optional parameter determines if the diameter
gateway is enabled or
not.
Default Value: true |
global:
# BSF Core Services Enable/Disable option
bsfManagementEnable: true
bsfManagementVersion1Enable: false
bsfManagementVersion2Enable: false
nrfClientNfManagementEnable: true
appinfoServiceEnable: true
performanceServiceEnable: true
diamConnectorEnable: true
diamGatewayEnable: trueConfiguring Tracing Parameters
Table 3-5 Configurable Parameters for Tracing Configuration in Ingress Gateway
| Parameter | Description |
|---|---|
| global.envJaegerAgentHost | This mandatory parameter specifies the
Hostname or IP address for the jaeger agent.
It is the FQDN of
Jaeger Agent service running in OCCNE cluster under namespace
It is written in the
following
format:
<JAEGER_SVC_NAME>.<JAEGER_NAMESPACE> |
| ingress-gateway.jaegerTracingEnabled | Optional Parameter
Default Value: true |
| ingress-gateway.openTracing.jaeger.udpSender.host | Optional Parameter
Default Value:
|
| ingress-gateway.openTracing.jaeger.udpSender.port | Optional Parameter
Default Value:
|
| ingress-gateway.openTracing. jaeger.probabilisticSampler | Optional Parameter
Default Value:
|
jaegerTracingEnabled: true
openTracing :
jaeger:
udpSender:
# udpsender host
host: "occne-tracer-jaeger-agent.occne-infra"
# udpsender port
port: 6831
probabilisticSampler: 0.5Table 3-6 Configurable Parameters for Tracing Configuration in Egress Gateway
| Parameter | Description |
|---|---|
| egress-gateway.jaegerTracingEnabled | Optional Parameter
Default Value: true |
| egress-gateway.openTracing.jaeger.udpSender.host | Optional Parameter
Default Value:
|
| egress-gateway.openTracing.jaeger.udpSender.port | Optional Parameter
Default Value:
|
| egress-gateway.openTracing. jaeger.probabilisticSampler | Optional Parameter
Default Value:
|
egress-gateway:
jaegerTracingEnabled: true
openTracing :
jaeger:
udpSender:
# udpsender host
host: "occne-tracer-jaeger-agent.occne-infra"
# udpsender port
port: 6831
probabilisticSampler: 0.5nrf-client-nfmanagement, you may
configure the following configurable parameters in custom-value.yaml file:
Table 3-7 Configurable Parameters for Tracing Configuration in nrf-client-nfmanagement
| Parameter | Description |
|---|---|
| nrf-client.nrf-client-nfmanagement.envJaegerSamplerParam |
Note: You must customize this parameter only when NRF client services are enabled. Default Value: 1 |
| nrf-client.nrf-client-nfmanagement.envJaegerSamplerType |
Note: You must customize this parameter only when NRF client services are enabled. Default Value: ratelimiting |
| nrf-client.nrf-client-nfmanagement.envJaegerServiceName |
Note: You must customize this parameter only when NRF client services are enabled. Default Value: pcf-nrf-client-nfmanagement |
nrf-client-nfmanagement:
envJaegerSamplerParam: '1'
envJaegerSamplerType: ratelimiting
envJaegerServiceName: pcf-nrf-client-nfmanagementConfiguring Database Names
Note:
Database name specified in the custom.yaml file should be used while creating the database during installation. See Configuring Database, Creating Users, and Granting Permissions.Table 3-8 Customizable Parameters for Database Name Configuration for BSF Services
| Parameter | Description |
|---|---|
| bsf-management-service.envMysqlDatabase | This parameter specifies the name of the database of
BSF Management
Service.
Default Value: ocpm_bsf |
| config-server.envMysqlDatabase | This optional parameter specifies the name of the
database for Config Server
service.
Default Value: bsf_config_server |
bsf-management-service:
envMysqlDatabase: 'ocpm_bsf'
config-server:
envMysqlDatabase: bsf_config_serverConfiguring NRF client
Important:
These configurations are required when NF is required to register with NRF. Before configuring NRF client configuration, make sure that NRF Client services are enabled.Table 3-9 Configurable Parameters for NRF Client Configuration
| Parameter | Description |
|---|---|
| global.deploymentNrfClientService.envNfNamespace | This mandatory parameter specifies the K8s namespace of PCF. |
| nrf-client.configmapApplicationConfig.profile | This mandatory parameter contains
configuration parameters that goes into nrf-client's config
map.
See Table 3-* for more details. |
| appinfo.infraServices | Set this conditional parameter to an empty array if
any one of below condition is met:
|
| perf-info.configmapPerformance.prometheus | This conditional parameter specifies the Prometheus
server URL.
Default Value:
http://prometheus-server.prometheus:5802Note: If you do not specify any value for this parameter, PCF reported 0 loads to NRF. |
Configurable parameters for NRF Client Configuration in Config-map
| Parameter | Description |
|---|---|
| primaryNrfApiRoot | Primary NRF hostname and port in the following
format:
<http scheme>://<Hostname/IP>:<Port> This
parameter can only contain valid API root. For example:
|
| SecondaryNrfApiRoot | Secondary NRF hostname and port in the following
format:
<http scheme>://<Hostname/IP>:<Port> This
parameter can only contain valid API root. For example:
|
| retryAfterTime | When primary NRF is down, this will be the wait Time
(in ISO 8601 duration format) after which request to primary NRF
will be retried to detect primary NRF's availability.
This
parameter can only contain valid ISO 8601 duration format. For
example: |
| nrfClientType | The NfType of the NF registering. The value for this parameter must be set to BSF. |
| nrfClientSubscribeTypes | NF Type(s) for which the NF wants to discover and subscribe to the NRF. |
| appProfiles | NfProfile of BSF to be registered with NRF.
This parameter can only contain valid NF profile. |
| enableF3 | Support for 29.510 Release 15.3
This parameter can only have true (default) or false as values. |
| enableF5 | Support for 29.510 Release 15.5
This parameter can only have true (default) or false as values. |
| renewalTimeBeforeExpiry | Time Period (in seconds) before the Subscription
Validity time expires.
For example: 3600 |
| validityTime | The default validity time (in days) for
subscriptions.
For example: 30 |
| enableSubscriptionAutoRenewal | This parameter can be used to enable renewal of
subscriptions automatically.
This parameter can only have true (default) or false as values. |
| acceptAdditionalAttributes | This parameter can be used to enable additional
Attributes as part of 29.510 Release 15.5.
This parameter can only have true or false (default) as values. |
deploymentNrfClientService:
#K8s namespace of BSF
envNfNamespace: ''appinfo:
serviceAccountName: ''
# Set Infrastructure services to empty array if any one of below condition is met
# 1. Deploying on occne 1.4 or lesser version
# 2. Not deploying on OCCNE
# 3. Do not wish to monitor infra services such as db-monitor service
# then the below mentioned attribute 'infra_services' should be uncommneted and epmty array should be passed as already mentioned.
#infraServices: []
perf-info:
configmapPerformance:
prometheus: ''nrf-client:
# This config map is for providing inputs to NRF-Client
configmapApplicationConfig:
# primaryNrfApiRoot - Primary NRF Hostname and Port
# SecondaryNrfApiRoot - Secondary NRF Hostname and Port
# retryAfterTime - Default downtime(in ISO 8601 duration format) of an NRF detected to be unavailable.
# nrfClientType - The NfType of the NF registering
# nrfClientSubscribeTypes - the NFType for which the NF wants to subscribe to the NRF.
# appProfiles - The NfProfile of the NF to be registered with NRF.
# enableF3 - Support for 29.510 Release 15.3
# enableF5 - Support for 29.510 Release 15.5
# renewalTimeBeforeExpiry - Time Period(seconds) before the Subscription Validity time expires.
# validityTime - The default validity time(days) for subscriptions.
# enableSubscriptionAutoRenewal - Enable Renewal of Subscriptions automatically.
# acceptAdditionalAttributes - Enable additionalAttributes as part of 29.510 Release 15.5
profile: |-
[appcfg]
primaryNrfApiRoot=http://nrf1-api-gateway.svc:80
secondaryNrfApiRoot=http://nrf2-api-gateway.svc:80
retryAfterTime=PT120S
nrfClientType=BSF
appProfiles=[{"nfInstanceId":"25a59926-3049-479c-8954-16ce0xyz","nfType":"BSF","nfStatus":"REGISTERED","fqdn":"ocbsf1-2-api-gateway.bsf1-2.svc.atlantic.morrisville.us.lab.oracle.com","priority":1,"capacity":1,"load":2,"bsfInfo":{"ipv4AddressRanges":[{"start":"10.0.0.1","end":"10.113.255.255"}],"ipv6PrefixRanges":[{"start":"2800:a00:cc03::/64","end":"2800:a00:cc04::/64"}]},"nfServices":[{"serviceInstanceId":"03063893-cf9e-4f7a-9827-111111111111","serviceName":"nbsf-management","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.R15.1.0","expiry":"2019-08-03T18:66:08.871+0000"}],"scheme":"http","nfServiceStatus":"REGISTERED","fqdn":"ocbsf1-2-api-gateway.bsf1-2.svc.atlantic.morrisville.us.lab.oracle.com","interPlmnFqdn":null,"ipEndPoints":[{"ipv4Address":"10.233.22.149","transport":"TCP","port":80}],"apiPrefix":null,"allowedNfTypes":["PCF","AF","NEF"],"priority":1,"capacity":1,"load":2}]}]
enableF3=true
enableF5=true
renewalTimeBeforeExpiry=3600
validityTime=30
enableSubscriptionAutoRenewal=true
acceptAdditionalAttributes=false
Configuring Diameter Gateway/Connector
This section describes the configurable parameters that you may customize in the ocbsf-custom-values-1.5.1.yaml file for configuring diameter gateway and diameter connector.
Note:
You must configure the parameters listed in the following table only when diameter connector is enabled.Table 3-10 Configurable Parameters for Diameter Connector
| Parameter | Description |
|---|---|
| diam-connector.envDiameterRealm | This mandatory parameter specifies the Diameter
Realm of BSF. For example: oracle.com |
| diam-connector.envDiameterIdentity | This mandatory parameter specifies the Diameter Host
of BSF. For example: ocbsf |
Note:
You must configure the parameters listed in the following table only when diameter gateway is enabled.Table 3-11 Configurable Parameters for Diameter Gateway
| Parameter | Description |
|---|---|
| diam-gateway.envGatewayMode | This mandatory parameter specifies the Diameter
Gateway mode. For BSF, the value must be set to
bsf.
|
| diam-gateway.envGatewayDeploymentType | This mandatory parameter specifies the Diameter
Gateway deployment type. For BSF, the value must be set to
PCF.
|
|
diam-gateway.envDiameterRealm |
This mandatory parameter specifies the Diameter
Realm of BSF diameter gateway. For example,
oracle.com.
|
|
diam-gateway.envDiameterIdentity |
This mandatory parameter specifies the Diameter host
of BSF diameter gateway. For example,
oc-diam-gateway.
|
diam-connector:
envDiameterRealm: 'oracle.com'
envDiameterIdentity: 'ocbsf'
diam-gateway:
#The diam-gateway mode i.e. converged, bsf, pcf and pcrf
envGatewayMode: bsf
#The diam-gateway deployment type (applicable only when mode is converged) i.e. CONVERGED, PCF and PCRF
envGatewayDeploymentType: PCF
envDiameterRealm: 'oracle.com'
envDiameterIdentity: 'oc-diam-gateway'API Root Configuration for Notification URI
This section describes the configuration parameters that can be used to API Root configuration.
To configure these parameters, you should configure the following configurable parameters in the custom-values.yaml file:
Table 3-12 Configurable Parameters for Api Root Configuration for Notification URI
| Parameter | Description |
|---|---|
| global.bsfApiRoot | This optional parameter specifies the API root of
BSF that is used in notification URLs generated by BSF's when
sending request to other producer NFs.
If the value is not
configured for this parameter, the ingress gateway service name
and port is used as default value. For example:
|
| global.deploymentNrfClientService.nfApiRoot | This mandatory parameter specifies Api root of
BSF.
Note: This parameter must be
configured only when when NRF Client services are enabled. Its
value should be same as the value of
" |
# API root of BSF that will be used in notification URLs generated by BSF's when sending request to other producer NFs
#If not configured then the ingress gateway service name and port will be used as default value. ex:"https://<helm name>-ocbsf-ingress-gateway:443"
global:
bsfApiRoot: ''
deploymentNrfClientService:
#same as bsfApiRoot
nfApiRoot: ''Configuring Ingress Gateway
Note:
Following configurations are applicable only when ingress-gateway is enabled.Table 3-13 Configurable Parameters for Basic Configurations in Ingress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
| global.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | Optional | false |
| global.metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | Optional | metallb.universe.tf/address-pool:
signaling |
|
ingress-gateway.enableIncomingHttp |
Enable it to accept incoming http requests | Optional | true |
| ingress-gateway.ingressServer.keepAlive.enabled | Optional | false | |
| ingress-gateway.ingressServer.keepAlive.idealTime | Optional | 180 (in seconds) | |
| ingress-gateway.ingressServer.keepAlive.count | Optional | 9 | |
| ingress-gateway.ingressServer.keepAlive.interval | Optional | 60 (in seconds) |
ingress-gateway:
# Enable or disable IP Address allocation from Metallb Pool
metalLbIpAllocationEnabled: false
# Address Pool Annotation for Metallb
metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: signaling"
# -----Ingress Gateway Settings - END-----ingress-gateway:
#keep alive settings
ingressServer:
keepAlive:
enabled: false
idealTime: 180 #in seconds
count: 9
interval: 60 #in secondsingress-gateway:
# Enable it to accept incoming http requests
enableIncomingHttp: trueConfiguring Service and Container Ports
Note:
For upgrade scenario, changing port will cause temporary service disruption.Table 3-14 Customizable Parameters for Service Ports Configuration
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
| global.servicePorts.bsfManagementServiceHttp | HTTP signaling port for BSF management service. | Optional | 5903 |
| global.servicePorts.bsfManagementServiceHttps | HTTPS signaling port for BSF management service. | Optional | 8443 |
| global.servicePorts.appInfoHttp | HTTP signaling port for app info.
Note: The value for this port must be same as
|
Optional | 5906 |
| global.servicePorts.cmServiceHttp | HTTP signaling port for CM service. | Optional | 5808 |
| global.servicePorts.configServerHttp | HTTP signaling port for config server.
Note: The value for this port must be same as
|
Optional | 5807 |
| global.servicePorts.diamConnectorHttp | HTTP signaling port for Diameter connector. | Optional | 8080 |
| global.servicePorts.diamConnectorDiameter | Port for Diameter connector. | Optional | 3868 |
| global.servicePorts.diamGatewayHttp | HTTP signaling port for Diameter gateway. | Optional | 8080 |
| global.servicePorts.diamGatewayDiameter | Port for Diameter gateway. | Optional | 3868 |
| global.servicePorts.perfInfoHttp | HTTP signaling port for perf info.
The
value for this port must be same as
|
Optional | 5905 |
| global.servicePorts.queryServiceHttp | HTTP signaling port for queryservice. | Optional | 5805 |
| global.servicePorts.egressGatewayHttp | HTTP signaling port for Egress Gateway.
The value for this port must be same as
|
Optional | 8080 |
| global.servicePorts.nrfClientNfManagementHttp | HTTP signaling port for NRF client management
service.
The value for this port must be same as
|
Optional | 5910 |
| global.servicePorts.nrfClientNfManagementHttps | HTTPS signaling port for NRF client management
service.
The value for this port must be same as
|
Optional | 5805 |
servicePorts:
bsfManagementServiceHttp: 5903
bsfManagementServiceHttps: 8443
# app info
appInfoHttp: &svcAppInfoHttp 5906
# cm service
cmServiceHttp: 5808
# config server
configServerHttp: &svcConfigServerHttp 5807
# diam connector
diamConnectorHttp: 8080
diamConnectorDiameter: 3868
# diameter gateway
diamGatewayHttp: 8080
diamGatewayDiameter: 3868
# perf info
perfInfoHttp: &svcPerfInfoHttp 5905
# query service
queryServiceHttp: 5805
# egress gateway
egressGatewayHttp: &svcEgressGatewayHttp 8080
# nrf client
nrfClientNfManagementHttp: &svcNrfClientNfManagementHttp 5910
nrfClientNfManagementHttps: &svcNrfClientNfManagementHttps 5805Table 3-15 Customizable Parameters for Container Ports Configuration
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
| global.containerPorts.monitoringHttp | HTTP signaling port for monitoring.
Note: The value for this port must be same as
|
Optional | 9000 |
| global.containerPorts.bsfManagementServiceHttp | HTTP signaling port for BSF Management service. | Optional | 8080 |
| global.containerPorts.bsfManagementServiceHttps | HTTPS signaling port for BSF Management service. | Optional | 8443 |
| global.containerPorts.appInfoHttp | HTTP signaling port for app info. | Optional | 5906 |
| global.containerPorts.cmServiceHttp | HTTP signaling port for CMservice. | Optional | 5807 |
| global.containerPorts.configServerHttp | HTTP signaling port for config server. | Optional | 8001 |
| global.containerPorts.diamConnectorHttp | HTTP signaling port for Diameter Connector. | Optional | 8080 |
| global.containerPorts.diamConnectorDiameter | Diameter connector. | Optional | 3868 |
| global.containerPorts.diamGatewayHttp | HTTP signaling port for Diameter Gateway. | Optional | 8080 |
| global.containerPorts.diamGatewayDiameter | Diameter gateway. | Optional | 3868 |
| global.containerPorts.perfInfoHttp | HTTP signaling port for perf-info. | Optional | 5905 |
| global.containerPorts.queryServiceHttp | HTTP signaling port for queryservice. | Optional | 8081 |
| global.containerPorts.nrfClientNfManagementHttp | HTTP signaling port for NRF client management.
Note: The value for this port must be same as
|
Optional | 8000 |
| global.containerPorts.nrfClientNfManagementHttps | HTTPS signaling port for NRF client management.
Note: The value for this port must be same as
|
Optional | 9443 |
| global.containerPorts.ingressGatewayHttp | HTTP signaling port for Ingress Gateway.
Note: The value for this port must be same as
|
Optional | 8081 |
| global.containerPorts.ingressGatewayHttps | HTTPS signaling port for Ingress Gateway.
Note: The value for this port must be same as
|
Optional | 9443 |
containerPorts:
bsfManagementServiceHttp: 8000
bsfManagementServiceHttps: 8443
monitoringHttp: &containerMonitoringHttp 9000
# app info
appInfoHttp: 5906
# cm service
cmServiceHttp: 5807
# config server
configServerHttp: 8001
# diam connector
diamConnectorHttp: 8080
diamConnectorDiameter: 3868
# diameter gateway
diamGatewayHttp: 8080
diamGatewayDiameter: 3868
# perf info
perfInfoHttp: 5905
# query service
queryServiceHttp: 8081
# nrf client
nrfClientNfManagementHttp: &containerNrfClientNfManagementHttp 8080
nrfClientNfManagementHttps: &containerNrfClientNfManagementHttps 9443
# ingress gateway
ingressGatewayHttp: &containerIngressGatewayHttp 8081
ingressGatewayHttps: &containerIngressGatewayHttps 9443Table 3-16 Customizable Parameters for Ports Configuration in Ingress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
|
global.publicHttpSignalingPort |
HTTP/2.0 Port of ingress gateway | Optional | 80 |
|
global.publicHttpsSignallingPort |
HTTPS/2.0 Port of ingress gateway
The value for this port must be set to 0 if HTTPS is disabled. |
Optional | 443 |
| global.configServerPort | HTTP signaling port for config server. | Optional |
Note: The value for this port must be same as
|
| ingress-gateway.ports.actuatorPort | Optional | Same value as
containerMonitoringHttp |
|
| ingress-gateway.ports.containerPort | Optional | Same value as
containerIngressGatewayHttp |
|
| ingress-gateway.ports.containersslPort | Optional | Same value as
containerIngressGatewayHttps |
# -----Ingress Gateway Settings - BEGIN-----
# If httpsEnabled is false, this Port would be HTTP/2.0 Port (unsecured)
publicHttpSignalingPort: 80
# If httpsEnabled is true, this Port would be HTTPS/2.0 Port (secured SSL)
publicHttpsSignallingPort: 443
configServerPort: *svcConfigServerHttp
ingress-gateway:
ports:
actuatorPort: *containerMonitoringHttp
containerPort: *containerIngressGatewayHttp
containersslPort: *containerIngressGatewayHttpsTable 3-17 Customizable Parameters for Ports Configuration in Egress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
| egress-gateway.serviceEgressGateway.actuatorPort | Optional | Same value as
containerMonitoringHttp |
|
| egress-gateway.serviceEgressGateway.Port | Optional | Same value as
svcEgressGatewayHttp |
egress-gateway:
serviceEgressGateway:
actuatorPort: *containerMonitoringHttp
port: *svcEgressGatewayHttpTable 3-18 Customizable Parameters for Ports Configuration in nrf-client-nfmanagement
| Parameter | Description | Mandatory/Optional Parameter | Default Value | Value |
|---|---|---|---|---|
|
global.nrf-client-nfmanagement.envPlatformServicePort |
HTTP signaling port for app info. | Optional | 5906 | Same value as svcAppInfoHttp |
|
global.nrf-client-nfmanagement.envPerformanceServicePort |
HTTP signaling port for perf info. | Optional | 5905 | Same value as svcPerfInfoHttp |
| global.nrf-client-nfmanagement.envCfgServerPort | HTTP signaling port for config server. | Optional | 5807 | same vale as svcConfigServerHttp |
| global.nrf-client-nfmanagement.containerHttpPort | HTTP signaling port for NRF client discovery. | Optional | 8000 | Same value as
containerNrfClientNfManagementHttp |
| global.nrf-client-nfmanagement.containerHttpsPort | HTTPS signaling port for NRF client discovery. | Optional | 9443 | Same value as
containerNrfClientNfManagementHttps |
| global.nrf-client-nfmanagement.serviceHttpPort | HTTP signaling port for NRF client discovery service. | Optional | 5910 | Same value as
svcNrfClientNfManagementHttp |
| global.nrf-client-nfmanagement.serviceHttpsPort | HTTPS signaling port for NRF client discovery service. | Optional | 8443 | Same value as
svcNrfClientNfManagementHttps |
nrf-client-nfmanagement:
envPlatformServicePort: *svcAppInfoHttp
envPerformanceServicePort: *svcPerfInfoHttp
envCfgServerPort: *svcConfigServerHttp
containerHttpPort: *containerNrfClientNfManagementHttp
containerHttpsPort: *containerNrfClientNfManagementHttps
serviceHttpPort: *svcNrfClientNfManagementHttp
serviceHttpsPort: *svcNrfClientNfManagementHttpsOAUTH Configuration
Note:
These configurations are applicable when the Ingress/Egress Gatway is enabled and the NRF Client services are enabled.Table 3-19 Configurable Parameters for OAUTH Configuration in Ingress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
| ingress-gateway.oauthValidatorEnabled | Enable or disable OAuth Validator. | Mandatory | False |
| ingress-gateway.nfInstanceId | NF Instance Id of service producer | Optional | 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11 |
| ingress-gateway.allowedClockSkewSeconds | set this value if clock on the parsing NF (producer) is not perfectly in sync with the clock on the NF (consumer) that created by JWT | Optional | 0 |
| ingress-gateway.nrfPublicKeyKubeSecret | Name of the secret which stores the public key(s) of NRF | Optional | |
| ingress-gateway.nrfPublicKeyKubeNamespace | Namespace of the NRF public key secret | Optional | |
| ingress-gateway.validationType | Possible values are:
strict- If incoming request does not contain "Authorization" (Access Token) header, the request is rejected. relaxed- relaxed means that if Incoming request contains "Authorization" header, it is validated. If Incoming request does not contain "Authorization" header, validation is ignored. |
Optional | relaxed |
| ingress-gateway.producerPlmnMNC | MNC of the service producer | Optional | 123 |
| ingress-gateway.producerPlmnMCC | MCC of the service producer | Optional | 456 |
# ----OAUTH CONFIGURATION - BEGIN ----
oauthValidatorEnabled: false
nfInstanceId: 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11
allowedClockSkewSeconds: 0
nrfPublicKeyKubeSecret: ''
nrfPublicKeyKubeNamespace: ''
validationType: relaxed
producerPlmnMNC: 123
producerPlmnMCC: 456
# ----OAUTH CONFIGURATION - END ----Table 3-20 Configurable Parameters for OAUTH Configuration in Egress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value |
|---|---|---|---|
| egress-gateway.oauthClient.enabled | OAuth Validator Enabled | Optional | false |
| egress-gateway.oauthClient.dnsSrvEnabled | Enable/Dsiable the DNS-SRV query to coreDNS Server | Optional | false |
| egress-gateway.oauthClient.httpsEnabled | Determine if https support is enabled or not which is a deciding factor for oauth request scheme and search query parameter in dns-srv request. | Optional | false |
| egress-gateway.oauthClient.virtualFqdn | virtualFqdn value which needs to be populated and sent in the dns-srv query. | Conditional ( If dnsSrvEnabled is set to true.) | -1 |
| egress-gateway.oauthClient.staticNrfList | List of Static NRF's | Conditional ( If oAuth is enabled.) | |
| egress-gateway.oauthClient.nfInstanceId | NF InstanceId of Producer | Optional |
fe7d992b-0541-4c7d-ab84-c6d70b1b01b1
Note: Update the parameter with actual value, if OAuth is enabled. |
| egress-gateway.oauthClient.consumerPlmnMNC | MNC of service Consumer | Optional | 345
Note: Update the parameter with actual value, if OAuth is enabled. |
| egress-gateway.oauthClient.consumerPlmnMCC | MCC of service Consumer | Optional | 567
Note: Update the parameter with actual value, if OAuth is enabled. |
| egress-gateway.oauthClient.maxRetry | Maximum number of retry that need to be performed to other NRF Fqdn’s in case of failure response from first contacted NRF based on the errorCodeSeries configured. | Conditional ( If oAuth is enabled.) | 2 |
| egress-gateway.oauthClient.apiPrefix | apiPrefix that needs to be appended in the Oauth request flow. | Conditional ( If oAuth is enabled.) | |
| egress-gateway.oauthClient.errorCodeSeries | Determines the fallback condition to other NRF in case of failure response from currently contacted NRF. | Conditional ( If oAuth is enabled and required a different error code series.) | 4XX |
| egress-gateway.oauthClient.retryAfter | RetryAfter value in milliseconds that needs to be set for a particular NRF Fqdn, if the error matched the configured errorCodeSeries. | Conditional ( If oAuth is enabled.) | 5000 |
# ---- Oauth Configuration - BEGIN ----
oauthClient:
enabled: false
dnsSrvEnabled: false
httpsEnabled: false
virtualFqdn: nrf.oracle.com:80
staticNrfList:
- nrf1.oracle.com:80
nfInstanceId: fe7d992b-0541-4c7d-ab84-c6d70b1b01b1
consumerPlmnMNC: 345
consumerPlmnMCC: 567
maxRetry: 2
apiPrefix: ""
errorCodeSeries: 4XX
retryAfter: 5000
# ---- Oauth Configuration - END ----Configuring Ingress/Egress Gateway HTTPS
Note:
These configurations are applicable only when ingress/egress gateway is enabled and the following parameters are set to true in custom-yaml file:-
ingress-gateway.enableIncomingHttps egress-gateway.enableOutgoingHttps
Table 3-21 Configurable Parameters for HTTPS Configurations in Ingress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value | Notes |
|---|---|---|---|---|
| ingress-gateway.enableIncomingHttps | To enable https for ingress traffic | Optional | False | |
|
ingress-gateway.service.ssl.privateKey.k8SecretName |
Name of the private key secret. | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.privateKey.k8NameSpace |
Namespace of private key. | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.privateKey.rsa.fileName |
rsa private key file name. | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.certificate.k8SecretName |
Name of the private key secret | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.certificate.k8NameSpace |
Namespace of private key | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.certificate.rsa.fileName |
rsa private key file name | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.caBundle.k8SecretName |
Name of the private key secret | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.caBundle.k8NameSpace |
Namespace of private key | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.caBundle.fileName |
private key file name | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.keyStorePassword.k8SecretName |
Name of the privatekey secret | Optional | Not Applicable | required if enableIncomingHttp is true |
|
ingress-gateway.service.ssl.keyStorePassword.k8NameSpace |
Namespace of privatekey | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.keyStorePassword.fileName |
File name that has password for keyStore | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.trustStorePassword.k8SecretName |
Name of the privatekey secret | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.trustStorePassword.k8NameSpace |
Namespace of privatekey | Optional | Not Applicable | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.trustStorePassword.fileName |
File name that has password for trustStore | Optional | Not Applicable | required if enableIncomingHttps is true |
# ---- HTTPS Configuration - BEGIN ----
enableIncomingHttps: false
service:
ssl:
privateKey:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
rsa:
fileName: rsa_private_key_pkcs1.pem
certificate:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
rsa:
fileName: ocegress.cer
caBundle:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
fileName: caroot.cer
keyStorePassword:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
fileName: key.txt
trustStorePassword:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
fileName: trust.txtTable 3-22 Configurable Parameters for HTTPS Configurations in Egress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value | Notes |
|---|---|---|---|---|
| egress-gateway.enableOutgoingHttps | Enabling it for outgoing https request | No | false | |
| egress-gateway.egressGwCertReloadEnabled | No | false | ||
| egress-gateway.egressGwCertReloadPath | No | /egress-gw/store/reload | ||
| egress-gateway.service.ssl.privateKey.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.privateKey.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.privateKey.rsa.fileName | rsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.rsa.fileName | rsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.certificate.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.caBundle.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.caBundle.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.caBundle.fileName | private key file name | No | Not Applicable | |
| egress-gateway.service.ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.keyStorePassword.fileName | File name that has password for keyStore | No | Not Applicable | |
| egress-gateway.service.ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | |
| egress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | |
| egress-gateway.service.ssl.trustStorePassword.fileName | File name that has password for trustStore | No | Not Applicable |
# ---- HTTPS Configuration - BEGIN ----
#Enabling it for egress https requests
enableOutgoingHttps: false
egressGwCertReloadEnabled: false
egressGwCertReloadPath: /egress-gw/store/reload
service:
ssl:
privateKey:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
rsa:
fileName: rsa_private_key_pkcs1.pem
ecdsa:
fileName: ssl_ecdsa_private_key.pem
certificate:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
rsa:
fileName: ocegress.cer
ecdsa:
fileName: ssl_ecdsa_certificate.crt
caBundle:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
fileName: caroot.cer
keyStorePassword:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
fileName: key.txt
trustStorePassword:
k8SecretName: ocbsf-gateway-secret
k8NameSpace: ocbsf
fileName: trust.txt
# ---- HTTPS Configuration - END ----
Configuring SCP
This section describes the customizatons that you can make in custom-value.yaml files to support SCP integration.
Table 3-23 Configurable Parameters for SCP Configuration
| Parameter | Description | Mandatory/Optional Parameter | Default Value | Notes |
|---|---|---|---|---|
| egress-gateway.scp.scpIntegrationEnabled | Change this to false when scp integration is not required | Mandatory | false | |
| egress-gateway.scp.scpRerouteEnabled | Set this flag to true if re-routing to multiple SCP instances is to be enabled. globalretry can be enabled only when scpRerouteEnabled flag is set to true. | Optional | false | |
| egress-gateway.globalretry.enabled | globalretry can be enabled only when scpRerouteEnabled flag is set to true. And, it is applied only when no "retries" is specified under routesConfig. | Optional | false | |
| egress-gateway.globalretry.retries | Optional | 2 | ||
| egress-gateway.scp.instances.http.host | SCP HTTP IP/FQDN | Optional | Not Applicable | |
| egress-gateway.scp.instances.http.Port | SCP HTTP PORT | Optional | 80 | |
| egress-gateway.scp.instances.http.ApiPrefix | Change this value to corresponding prefix "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | Optional | / | |
| egress-gateway.scp.scpDefaultScheme | Default scheme applicable when 3gpp-sbi-target-apiroot header is missing | Optional | https | |
| egress-gateway.K8ServiceCheck | Enable this if loadbalancing is to be done by egress instead of K8s | Optional | false | |
| httpsScpOnly |
This is global parameter which will be taken into consideration if route (under routeConfig section ) based httpsScpOnly parameter is not available. If set to true, select SCP instances for https list only. If set to false, run existing logic as per provided scheme. |
Optional | false | Please note double quotes to be enclosed for values of httpScpOnly. |
| httpRuriOnly |
This is global parameter which will be taken into consideration if route (under routeConfig section) based httpRuriOnly parameter is not available. If set to true, change scheme of RURI to http. If set to false, don't change the scheme. |
Optional | false | Please notedouble quotes to be enclosed for values of httpsScpOnly. |
| routesConfig.httpRuriOnly |
If set to true, change Scheme of RURI to http. If set to false, don't change the scheme. |
Optional | false | Please note double quotes to be enclosed for values of httpsRuriOnly. If httpsRuriOnly under route is not present globally available value will be considered. |
| routesConfig.httpsScpOnly |
If set to true, select SCP instances for https list only. If set to false, run existing logic as per provided scheme. |
Optional | false | Please note double quotes to be enclosed for values of httpsScpOnly. If httpsScpOnly under route is not present globally available value will be considered. |
| egress-gateway.scp.instances.scpSets[0] |
SetId for the SCP instances. Only one set of Static configuration of SCP instances are allowed to be configured. Dynamic configuration sets can be any number. Refer Custom-values file for more details. |
Mandatory | false | |
| egress-gateway.scp.instances.scpSets[0].httpConfigs[0].host | First Scp instance HTTP IP/FQDN | Mandatory (If scp.scpIntegrationEnabled is set to true.) | More SCP instances can be configured in a similar way if required. | |
| egress-gateway.scp.instances.scpSets[0].httpConfigs[0].port | First Scp instance Port | Mandatory (If scp.scpIntegrationEnabled is set to true.) | ||
| egress-gateway.scp.instances.scpSets[0].httpConfigs[0].apiPrefix | First Scp instance apiPrefix. Change this value to corresponding prefix if "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | Optional | / | Examples : XXX, Point to be noted here is that "/" is not required to be included when providing some data. |
| egress-gateway.scp.instances.scpSets[0].httpConfigs[0].virtualHost | This will have Http VirtualFQDN and is applicable from SetId 1 and later. | Mandatory (If DnsSrv integration is required) | Not Applicable | |
| egress-gateway.scp.instances.scpSets[0].httpsConfigs[0].host | First SCP instance HTTPS IP/FQDN | Mandatory (If scp.scpIntegrationEnabled is set to true.) | Not Applicable | More SCP instances can be configured in a similar way if required. |
| egress-gateway.scp.instances.scpSets[0].httpsConfigs[0].port | First SCP instance HTTPS Port | Mandatory (If scp.scpIntegrationEnabled is set to true.) | Not Applicable | |
| egress-gateway.scp.instances.scpSets[0].httpsConfigs[0].apiPrefix | First Scp instance apiPrefix. Change this value to corresponding prefix if "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | Optional | / | Examples : XXX, Point to be noted here is that "/" is not required to be included when providing some data. |
| egress-gateway.scp.instances.scpSets[0].httpsConfigs[0].virtualHost | This will have Http VirtualFQDN and is applicable from SetId 1 and later. | Mandatory (If DnsSrv integration is required) | Not Applicable |
# ---- SCP Configuration - BEGIN ----
# globalretry can be enabled only when scpRerouteEnabled flag is set to true. This is an OPTIONAL configuration. And
# it is applied only when no "retries" specified under routesConfig
globalretry:
enabled: false
retries: 2
#true: Select SCP instances for https list only
#false: Run existing logic as per provided scheme.
#Change the flag's accordingly. Please note double quotes to be enclosed for values of httpsScpOnly
httpsScpOnly: "false"
#true: Means change Scheme of RURI to http
#false: Keep scheme as is.
#Change the flag's accordingly. Please note double quotes to be enclosed for values of httpRuriOnly
httpRuriOnly: "false"
# Below is a basic route configuration for SCP. This configuration routes all egress traffic towards SCP.
# filterName1 - (fixed value)should be set to ScpFilter
# The retry section (fliterName2) is required only when there is a need to retry the requests. Retry will be sent to secondary SCP, if no secondary configured then retry will happen on primary.
# filterName2.name - (fixed value) should have the value ScpRetry.
# filterName2.retries - (Customizable value) number of retries can be done for a request
# filterName2.methods - (Customizable value) HTTP request methods for which retries should be done.
# filterName2.statuses - (Customizable value) HTTP status received on response for which request should be retried.
# httpsScpOnly - "true" Select SCP instances for https list only, "false" Run existing logic as per provided scheme.
# httpRuriOnly - "true" Means change Scheme of RURI to http, "false" Keep scheme as is.
#routesConfig:
#- id: scp_route
# uri: https://dummy.dontchange
# path: /**
# order: 1
# httpsScpOnly: "false"
# httpRuriOnly: "false"
# filterName1: ScpFilter
# filterName2:
# name: ScpRetry
# retries: 1
# methods: GET, POST, PUT, DELETE, PATCH
# statuses: INTERNAL_SERVER_ERROR, BAD_GATEWAY
dnsSrv:
host: 10.75.225.67
port: 32081
scheme: http
errorCodeOnDNSResolutionFailure: 425
scp:
# Change this to true when scp integration is required. Below SCP configurations will take effect only when this is 'true'.
scpIntegrationEnabled: false
# Default scheme applicable when 3gpp-sbi-target-apiroot header is missing
scpDefaultScheme: http
# Set this flag to true if re-routing to multiple SCP instances is to be enabled.
scpRerouteEnabled: false
#globalretry can be enabled only when scpRerouteEnabled flag is set to true.
# Configure the SCP instance(s) host/IP and port.
# At least one SCP host details (under http or https) is required when scpIntegrationEnabled
# In this example scp-host-1 is primary SCP and scp-host-1 is secondary SCP.
instances:
scpSets:
- setId: 0
httpConfigs:
- host: scp-host-1
port: 80
apiPrefix: "/" # Change this value to corresponding prefix "/" is not expected to be provided along.
- host: scp-host-2
port: 80
apiPrefix: "/"
- host: scp-host-3
port: 80
apiPrefix: "/"
httpsConfigs:
- host: scp-host-1
port: 443
apiPrefix: "/"
- host: scp-host-2
port: 443
apiPrefix: "/"
- host: scp-host-3
port: 443
apiPrefix: "/"
- setId: 1
httpConfigs:
- virtualHost: xyz.test.com
apiPrefix: "/"
httpsConfigs:
- virtualHost: abc.test.com
apiPrefix: "/"
# ---- SCP Configuration - END ----Logging Configuration
This section describes the customizatons that you should make in custom-value.yaml files to configure logging.
Table 3-24 Configurable Parameters for Logging Configuration in Ingress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value | Notes |
|---|---|---|---|---|
| ingress-gateway.log.level.root | Log level for root logs | No | WARN | Applicable only when ingress-gateway is enabled. |
| ingress-gateway.log.level.ingress | Log level for ingress logs | No | WARN | Applicable only when ingress-gateway is enabled. |
| ingress-gateway.log.level.oauth | Log level for oauth logs | No | WARN | Applicable only when ingress-gateway is enabled. |
ingress-gateway:
log:
level:
root: WARN
ingress: WARN
oauth: WARNTable 3-25 Configurable Parameters for Logging Configuration in Egress Gateway
| Parameter | Description | Mandatory/Optional Parameter | Default Value | Notes |
|---|---|---|---|---|
| egress-gateway.log.level.root | Log level for root logs | No | WARN | Applicable only when egress-gateway is enabled. |
| egress-gateway.log.level.egress | Log level for egress logs | No | WARN | Applicable only when egress-gateway is enabled. |
| egress-gateway.log.level.oauth | Log level for oauth logs | No | WARN | Applicable only when egress-gateway is enabled. |
egress-gateway:
log:
level:
root: WARN
egress: WARN
oauth: WARNAdditional Configurations
This section describes the additional customizatons that you can make in custom-values.yaml files of Binding Support Function.
- Annotation to support custom extension global parameters: To
support custom extension global parameters, update the following parameters in
custom extensionunderglobalsection of custom values file:global: customExtension: allResources: labels: {} annotations: {} lbServices: labels: {} annotations: {} lbDeployments: labels: {} annotations: {} nonlbServices: labels: {} annotations: {} nonlbDeployments: labels: {} annotations: {} - Custom container name: You can customize the name of containers
of a pod with a prefix and suffix. To do so, add the prefix and suffix to the
k8sResource under global section of custom values
file:
global: k8sResource: container: prefix: ABC suffix: XYZThen, after installing BSF, you will see the container names as shown below:Containers: abcd-am-service-xyz: - Kubernetes service account name: You can use a custom service
account for all services by adding it to
appinfosection in the custom values file:appinfo: serviceAccountName: ocbsfsaccountNote:
You can create the service account and roles before the installation as well.