3 CNC Console IAM Installation Instructions

Create MySQL Database and User

This section explains how to create the CNCC user and the CNCC database.

  1. Login to the server or machine which has permission to access the SQL nodes of NDB cluster.
  2. Connect to the SQL nodes of NDB cluster one by one.
  3. Execute the following command to log in to the MySQL prompt as root, or as a user that has permission to create users and grant privileges:

    mysql -h <SQL node host> -uroot -p

    Note:

    After running the command above, enter the MySQL password when prompted.
  4. Check whether the CNCC user already exists. If the user does not exist, create the CNCC user by executing the following commands:
    1. Execute $ SELECT User FROM mysql.user; to list the users.
    2. If user does not exist, create the new user by executing $ CREATE USER '<CNCC User Name>'@'%' IDENTIFIED BY '<CNCC Password>';
  5. Check whether the CNCC database already exists. If the database does not exist, create the CNCC database and grant permissions to the CNCC user created in the previous step:
    1. Execute $ show databases; to check if the database exists.
    2. If MySQL has a CNCC database created as per release 1.0.0, drop it before creating cnccdb by executing the following command:

      DROP DATABASE cnccdb;
    3. Execute $ CREATE DATABASE IF NOT EXISTS <CNCC Database> CHARACTER SET utf8; for Database creation.
    4. Grant permission to user by executing the following command:

      $ GRANT SELECT,INSERT,CREATE,ALTER,DROP,LOCK TABLES,CREATE TEMPORARY TABLES, DELETE,UPDATE,EXECUTE ON <CNCC Database>.* TO '<CNCC User Name>'@'%';
Example to demonstrate cncc user creation, cnccdb creation and granting permissions to the cncc user:
# Log in to the MySQL prompt:
$ mysql -u root -p
# Check whether the user already exists:
$ SELECT User FROM mysql.user;
# If the user already exists, move to the next step. Otherwise, create the new user:
$ CREATE USER 'cnccusr'@'%' IDENTIFIED BY 'cnccpasswd';
# Check whether the database exists:
$ show databases;
# If the required database is already in the list and was created as per the 1.0.0 release, drop it:
$ DROP DATABASE cnccdb;
# Database creation for CNCC:
$ CREATE DATABASE IF NOT EXISTS cnccdb CHARACTER SET utf8;
# Grant permissions to the user:
$ GRANT SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE ON cnccdb.* TO 'cnccusr'@'%';
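The statements above are usually typed by hand with the user name, database name and password substituted in. The following script is an added example (not part of the Oracle guide) that renders the same three statements from shell variables so they can be piped into mysql on each SQL node. It assumes MySQL 5.7 or later (for CREATE USER IF NOT EXISTS), reads the password from the CNCC_DB_PASSWORD environment variable instead of the command line so it does not land in shell history or in the process list, and rejects identifiers that contain anything other than letters, digits and underscores, so a malformed value cannot change the SQL that is sent. The privilege list is exactly the one the guide grants: no ALL PRIVILEGES and no GRANT OPTION.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: render the CNCC user, database and
# grant statements with validated identifiers. Assumes MySQL 5.7+ and that the
# operator exports CNCC_DB_PASSWORD before running it.

# Accept only identifiers made of letters, digits and underscores.
is_safe_identifier() {
  case "$1" in
    '' | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Host scope for the account: '%' as in the guide, or a host name / address.
is_safe_host() {
  case "$1" in
    '' | *[!A-Za-z0-9_.%-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Privilege list exactly as the guide grants it (no ALL PRIVILEGES, no GRANT OPTION).
CNCC_DB_PRIVILEGES='SELECT,INSERT,CREATE,ALTER,DROP,LOCK TABLES,CREATE TEMPORARY TABLES,DELETE,UPDATE,EXECUTE'

# Usage: render_cncc_db_sql <user> <database> [<host scope, default %>]
# Prints the SQL on stdout; returns 1 without printing anything if an input is unsafe.
render_cncc_db_sql() {
  user=$1; db=$2; host=${3:-%}
  is_safe_identifier "$user" || { echo "invalid user name: $user" >&2; return 1; }
  is_safe_identifier "$db"   || { echo "invalid database name: $db" >&2; return 1; }
  is_safe_host "$host"       || { echo "invalid host scope: $host" >&2; return 1; }
  [ -n "$CNCC_DB_PASSWORD" ] || { echo "CNCC_DB_PASSWORD is not set" >&2; return 1; }
  case "$CNCC_DB_PASSWORD" in
    *\'*) echo "password must not contain a single quote" >&2; return 1 ;;
  esac
  printf "CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$CNCC_DB_PASSWORD"
  printf "CREATE DATABASE IF NOT EXISTS %s CHARACTER SET utf8;\n" "$db"
  printf "GRANT %s ON %s.* TO '%s'@'%s';\n" "$CNCC_DB_PRIVILEGES" "$db" "$user" "$host"
}

# Stand-alone use on an SQL node, e.g.:
#   CNCC_DB_PASSWORD='...' ./render.sh cnccusr cnccdb | mysql -h <SQL node host> -uroot -p
if [ $# -ge 2 ]; then
  render_cncc_db_sql "$@"
fi
```

Run it once per SQL node, as the guide's step 2 requires; because every statement is idempotent (IF NOT EXISTS, and GRANT is additive) re-running it on a node that already has the account is harmless.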

Populate CNCC Database with CNCC IAM Tables

The user must load the CNCC database created above with the cnccdb_<version>.sql file provided in the cncc-custom-configtemplatepackage file. This section describes how to populate the CNCC database with the CNCC IAM tables.

  1. Load the database with tables from cnccdb_<version>.sql. Ensure cnccdb_<version>.sql is in the /home/admusr/ directory of the MySQL Query Node.

    mysql -u <username> -p <databasename> < cnccdb_<version>.sql

    Note:

    Enter the MySQL password when prompted.
  2. Verify the tables are loaded into the database using command:

    $ use <databasename>;

    $ show tables;

    Note:

    It shows a list of 93 tables related to CNCC-IAM.
  3. Exit from MySql Query Node using following command:

    $ exit;

Example to demonstrate loading of cnccdb with tables from cnccdb_<version>.sql:

# mysql -h 127.0.0.1 -uroot -pNextGenCne cnccdb < /home/admusr/cnccdb.sql
# mysql -h 127.0.0.1 -uroot -pNextGenCne
mysql> use cnccdb;
mysql> show tables;

Create a Kubernetes Secret for MySQL

This section describes how to create a kubernetes secret for MySQL.

  1. Execute the following command to create the kubernetes secret for MySQL:

    kubectl create secret generic <database secret name> \
      --from-literal=dbUserNameKey=<CNCC MySQL database username> \
      --from-literal=dbPasswordKey=<CNCC MySQL database password> \
      -n <Namespace of MySQL secret>
  2. Execute the following command to verify the secret creation:

    $ kubectl describe secret <database secret name> -n <Namespace of MYSQL secret>

    Example:
    $ kubectl create secret generic cncc-db-secret --from-literal=dbUserNameKey=root --from-literal=dbPasswordKey=mypass -n cncc
    $ kubectl describe secret cncc-db-secret -n cncc

Create a Kubernetes Secret for Admin User

This section describes how to create a kubernetes secret for admin user.

  1. Execute the following command to create the kubernetes secret for the admin user:

    $ kubectl create secret generic <secret-name> --from-literal=iamAdminPasswordKey=<password>
          --namespace <namespace>  
  2. Execute the following command to verify the secret creation:

    $ kubectl describe secret <secret name> -n <namespace>

    Example:
    $ kubectl create secret generic cncc-iam-secret
            --from-literal=iamAdminPasswordKey=cncciampasswordvalue --namespace cncc
    $ kubectl describe secret cncc-iam-secret -n cncc

CNCC IAM Secret Configuration to Enable HTTPS

This section describes how to create the secret configuration for enabling HTTPS. It must be completed before enabling HTTPS in the CNCC Core Ingress gateway.

Note:

The passwords for TrustStore and KeyStore are stored in respective password files.

To create the kubernetes secret for HTTPS, the following files are required:

  • ECDSA private key and CA signed certificate of CNCC (if initialAlgorithm is ES256)
  • RSA private key and CA signed certificate of CNCC (if initialAlgorithm is RSA256)
  • TrustStore password file
  • KeyStore password file
  • CA certificate

This section explains how to create the secrets for enabling HTTPS after the required certificates and password files have been generated:

  1. Create a secret by executing the following command:
    $ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> \
          --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> \
          --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> \
          --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC IAM Ingress Gateway secret>

    Example:

    $ kubectl create secret generic cncc-iam-ingress-secret \
          --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem \
          --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer \
          --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n cncc
  2. On successfully executing the above command, the following message will be displayed:

    secret/cncc-iam-ingress-secret created

  3. Execute the following command to verify the secret creation:
    $ kubectl describe secret cncc-iam-ingress-secret -n cncc

This section explains how to update the secrets for enabling HTTPS, if they already exist:

  1. Create a secret by executing the following command:
    $ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> \
          --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> \
          --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> \
          --from-file=<ssl_ecdsa_certificate.crt> --dry-run -o yaml -n <Namespace of CNCC IAM Ingress Gateway secret> \
          | kubectl replace -f - -n <Namespace of CNCC IAM Ingress Gateway secret>

    Example:

    $ kubectl create secret generic cncc-iam-ingress-secret \
          --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem \
          --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer \
          --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run -o yaml -n cncc \
          | kubectl replace -f - -n cncc
  2. On successfully executing the above command, the following message will be displayed:

    secret/cncc-iam-ingress-secret replaced
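A mistake in one of the seven files (a certificate pasted into the key slot, a PKCS#8 key where a PKCS#1 key is expected, an empty or multi-line password file) is not reported by kubectl: the secret is created, and the problem only surfaces later as a TLS handshake failure or a crash-looping ingress pod. The script below is an added example (not part of the Oracle guide) that checks the files on the jump host before the create or update command is run, and then prints that command. It assumes the file names used in the guide's example, that the gateway reads each password file whole (so the file must hold the password on a single line), that rsa_private_key_pkcs1.pem is PKCS#1 as its name says, and kubectl 1.18 or later, where --dry-run takes a value; it uses kubectl apply, which covers both the create and the update case the guide handles separately.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: preflight checks on the seven files
# bundled into the CNCC IAM ingress HTTPS secret. Assumptions: file names as in
# the guide's example; password files hold a single line; kubectl >= 1.18.

# Return 0 when file $1 is non-empty and its first line is one of the
# '|'-separated PEM headers listed in $2.
check_pem() {
  f=$1; expected=$2
  [ -s "$f" ] || { echo "FAIL: $f is missing or empty" >&2; return 1; }
  first=$(head -n 1 "$f" | tr -d '\r')
  case "|$expected|" in
    *"|$first|"*) return 0 ;;
  esac
  echo "FAIL: $f starts with '$first', expected one of: $expected" >&2
  return 1
}

# Return 0 when the password file $1 holds exactly one non-blank line.
check_password_file() {
  f=$1
  [ -s "$f" ] || { echo "FAIL: $f is missing or empty" >&2; return 1; }
  nonblank=$(grep -c . "$f" || true)
  total=$(awk 'END { print NR }' "$f")
  [ "$nonblank" -eq 1 ] && [ "$total" -eq 1 ] && return 0
  echo "FAIL: $f must contain exactly one line (the password), found $total" >&2
  return 1
}

# Return 0 when private key file $1 is not readable by other users on the host.
check_key_perms() {
  f=$1
  if [ -n "$(find "$f" -prune -perm -004)" ]; then
    echo "FAIL: $f is world-readable; chmod 600 it before bundling" >&2
    return 1
  fi
  return 0
}

# Usage: preflight_https_secret <directory holding the seven files>
# Reports every failure rather than stopping at the first; returns 0 only if all pass.
preflight_https_secret() {
  d=$1; rc=0
  check_pem "$d/ssl_ecdsa_private_key.pem" '-----BEGIN EC PRIVATE KEY-----|-----BEGIN PRIVATE KEY-----' || rc=1
  check_pem "$d/rsa_private_key_pkcs1.pem" '-----BEGIN RSA PRIVATE KEY-----' || rc=1
  for c in ssl_rsa_certificate.crt ssl_ecdsa_certificate.crt caroot.cer; do
    check_pem "$d/$c" '-----BEGIN CERTIFICATE-----' || rc=1
  done
  for k in ssl_ecdsa_private_key.pem rsa_private_key_pkcs1.pem; do
    if [ -e "$d/$k" ]; then check_key_perms "$d/$k" || rc=1; fi
  done
  for p in ssl_truststore.txt ssl_keystore.txt; do
    check_password_file "$d/$p" || rc=1
  done
  return $rc
}

# Print the create-or-update command. Secret keys are the file basenames, which is
# what the fileName entries under ingress-gateway.service.ssl in the values file name.
https_secret_command() {
  d=$1; name=$2; ns=$3
  printf 'kubectl create secret generic %s' "$name"
  for f in ssl_ecdsa_private_key.pem rsa_private_key_pkcs1.pem ssl_truststore.txt \
           ssl_keystore.txt caroot.cer ssl_rsa_certificate.crt ssl_ecdsa_certificate.crt; do
    printf ' --from-file=%s/%s' "$d" "$f"
  done
  printf ' -n %s --dry-run=client -o yaml | kubectl apply -f -\n' "$ns"
}

# Stand-alone use: preflight.sh <dir> [<secret name>] [<namespace>]
if [ $# -ge 1 ]; then
  preflight_https_secret "$1" && https_secret_command "$1" "${2:-cncc-iam-ingress-secret}" "${3:-cncc}"
fi
```

The command is printed rather than executed so that the operator can read the exact flags before anything is sent to the cluster; paste the output into the shell once the preflight reports no failures.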

CNCC IAM Configuration for Service Account

This section describes the CNCC IAM configuration for a service account. CNCC IAM provides an option to configure a custom service account.

Sample CNCC IAM service account yaml file

cncc-iam-sa
## Service account yaml file for cncc-iam
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cncc-iam-sa
  namespace: cncc
  annotations: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cncc-iam-role
  namespace: cncc
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - services
  - configmaps
  - pods
  - secrets
  - endpoints
  - persistentvolumeclaims
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cncc-iam-rolebinding
  namespace: cncc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cncc-iam-role
subjects:
- kind: ServiceAccount
  name: cncc-iam-sa
  namespace: cncc

Configure service account for ingress-gateway and keycloak in cncc-iam_values.yaml as follows:

  1. For ingress-gateway, provide the custom service account under global.serviceAccountName.
    global:
     
      # ********  Sub-Section Start: Ingress Gateway Global Parameters ********
      # ***********************************************************************
     
      serviceAccountName: cncc-iam-sa
  2. For keycloak, provide the custom service account under kc.keycloak.serviceAccount.name.
     kc:
      keycloak:
     
        serviceAccount:
          # Specifies whether a service account should be created
          create: false
          # The name of the service account to use.
          # If not set and create is true, a name is generated using the fullname template
          name: cncc-iam-sa

CNCC IAM Configuration for Aspen Service Mesh (ASM)

This section describes the CNCC IAM configuration for Aspen Service Mesh (ASM).

  1. Annotation:
    1. Add the traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\"" annotation under the global.customExtension.lbDeployments.annotations section in cncc-iam_values.yaml to disable mTLS on the cncc-iam ingress container port.
      global:
        # ********  Sub-Section Start: Common Global Parameters *************
        # *******************************************************************
         
        customExtension:
          lbDeployments:
            labels: {}
            annotations:
              traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\""
       
       
        # ********  Sub-Section End: Common Global Parameters *******************
        # ***********************************************************************
    2. Add sidecar.istio.io/rewriteAppHTTPProbers: "\"true\"" under the global.customExtension.allResources.annotations section in cncc-iam_values.yaml so that the readiness and liveness probes work.
      global:
        # ********  Sub-Section Start: Common Global Parameters *************
        # *******************************************************************
         
        customExtension:
          allResources:
            labels: {}
            annotations:
              sidecar.istio.io/rewriteAppHTTPProbers: "\"true\""
       
       
        # ********  Sub-Section End: Common Global Parameters *******************
        # ***********************************************************************

      Note:

      This is only required when deployed ASM is configured with rewriteAppHTTPProbe set to false.

      sidecarInjectorWebhook:
        rewriteAppHTTPProbe: false           # To enable istio to rewrite probes when mTLS is enabled
  2. External MySQL DB:

    Note:

    Skip this step if CNCC IAM is deployed in the same namespace as other 5G NFs and those NFs are already configured with a MySQL service; in that case the same service can be used for CNCC IAM as well.

    Refer to the CNCC IAM configuration for MySQL section to configure and populate the database with the required configuration.

    1. Create Service & Endpoint for External MySQL instance.

      Example: service and endpoint

      apiVersion: v1
      kind: Endpoints
      metadata:
        name: mysql-connectivity-service-headless
        namespace: cncc
      subsets:
      - addresses:
        - ip: 10.75.203.49 # IP of cluster where MySQL is running
        ports:
        - port: 3306
          protocol: TCP
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: mysql-connectivity-service-headless
        namespace: cncc
      spec:
        clusterIP: None
        ports:
        - port: 3306
          protocol: TCP
          targetPort: 3306
        sessionAffinity: None
        type: ClusterIP
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: mysql-connectivity-service
        namespace: cncc
      spec:
        externalName: mysql-connectivity-service-headless.cncc.svc.cluster.local
        sessionAffinity: None
        type: ExternalName
      ---
    2. Create service-entry and destination rule for MySQL service.

      Example: service-entry and destination-rule

      apiVersion: networking.istio.io/v1alpha3
      kind: ServiceEntry
      metadata:
        name: mysql-external-se
        namespace: cncc
      spec:
        hosts:
        - mysql-connectivity-service-headless.cncc.svc.cluster.local
        ports:
        - number: 3306
          name: mysql
          protocol: MySQL
        location: MESH_EXTERNAL
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: mysql-external-dr
        namespace: cncc
      spec:
        host: mysql-connectivity-service-headless.cncc.svc.cluster.local
        trafficPolicy:
          tls:
            mode: DISABLE
    3. In cncc-iam_values.yaml under keycloak section provide MySQL service FQDN as follows:
      dbName: cnccdb
      dbHost: mysql-connectivity-service
      dbPort: 3306

CNCC IAM Configuration for Operations Services Overlay (OSO)

This section describes the CNCC IAM configuration for Operations Services Overlay (OSO).

Add the annotation oracle.com/cnc: "\"true\"" under the global.customExtension.lbDeployments.annotations section in cncc-iam_values.yaml so that OSO scrapes metrics from the ingress pod.

global:
  # ********  Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
   
  customExtension:
    lbDeployments:
      labels: {}
      annotations:
        oracle.com/cnc: "\"true\""
 
  # ********  Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************

Installation Sequence for CNC Console IAM

The installation sequence for CNC Console IAM is:
  1. Installation Preparation.
  2. Configure custom-cncc-iam_values_<version>.yaml file.

    This includes configuring the following based on the deployment:
    1. Repository path
    2. cncc-iam details
    Note: Other configurations might be changed based on the deployment.
  3. cncc-iam deployment:
    1. With helm repository
    2. With helm tar
  4. Verify cncc-iam deployment.

Deployment of CNC Console IAM

  1. Search helm chart:

    Execute the following command to check the version of the helm chart installation.
    helm search <release_name>
    Example: helm search cncc-iam
     
    NAME                      CHART VERSION  APP VERSION  DESCRIPTION
    ocspf-helm-repo/cncc-iam  3.0.0          8.0.1        Open Source Identity and Access Management For Modern App
  2. Prepare custom-cncc-iam_values_<version>.yaml file:

    Prepare a custom-cncc-iam_values_<version>.yaml file with the required parameter information.

  3. Deploy cncc-iam:

    Installation using helm repository

    Execute the following command:

    For helm 2 based:
    helm install --name <release_name> <helm-repo> -f custom-cncc-iam_values_<version>.yaml --namespace <namespace_name> --version <helm_version>
    For helm 3 based:
    helm install <release_name> <helm-repo> -f custom-cncc-iam_values_<version>.yaml --namespace <namespace_name> --version <helm_version>

    Where:

    helm-repo: repository name where the helm images and charts are stored

    values: helm configuration file which needs to be updated based on the docker registry

    release_name and namespace_name: depend on the customer configuration

    Example:
    For helm 2 based:
    helm install --name cncc-iam ocscp-helm-repo/ocscp -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam --version 1.2.1
    For helm 3 based:
    helm install cncc-iam ocscp-helm-repo/ocscp -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam --version 1.2.1

    Note: Update the dbVendor, dbHost and dbName fields in custom-cncc-iam_values_<version>.yaml

    Example:
    dbVendor: mysql 
    dbName: cnccdb 
    dbHost: mysql-sds.default.svc.cluster.local 
    dbPort: 3306

    Installation using helm tar

    Execute the following command:
    For helm 2 based:
    helm install --name cncc-iam -f custom-cncc-iam_values_<version>.yaml --namespace <namespace> <chartpath>./<chart>.tgz
    For helm 3 based:
    helm install cncc-iam -f custom-cncc-iam_values_<version>.yaml  --namespace <namespace> <chartpath>./<chart>.tgz
    Example:
    For helm 2 based:
    helm install --name cncc-iam -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam ./cncc-iam.tgz
    For helm 3 based:
    helm install cncc-iam -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam ./cncc-iam.tgz
  4. Check repository status:

    Execute the following command to check the deployment status.

    helm status <release_name>

  5. Check service status:

    Check if all the services are deployed and running:

    kubectl -n <namespace_name> get services

    Example:

    $ kubectl -n cncc get services
    NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)          AGE
    cncc-iam-kc-headless       ClusterIP      None           <none>         8285/TCP         9m13s
    cncc-iam-kc-http           ClusterIP      10.233.25.75   <none>         8285/TCP         9m13s
    cncc-iam-ingress-gateway   LoadBalancer   10.233.7.236   10.75.182.72   8080:30346/TCP   9m13s
  6. Check pod status :

    Check if all the pods are up and running by executing the following command:

    kubectl -n <namespace_name> get pods

    Example:

    $ kubectl -n cncc get pods
    NAME                                        READY   STATUS    RESTARTS   AGE
    cncc-iam-kc-0                               1/1     Running   0          44h
    cncc-iam-ingress-gateway-6748d55f98-szdqm   1/1     Running   0          12h

CNC Console IAM Microservices

CNC Console IAM has three microservices, which are responsible for Identity Access Management:

  • cncc-iam-kc-headless
  • cncc-iam-kc-http
  • cncc-iam-ingress-gateway
Following is an example of the services CNC Console IAM offers:

Table 3-1 CNC Console IAM Microservices

NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)          AGE
cncc-iam-kc-headless       ClusterIP      None           <none>         8285/TCP         9m13s
cncc-iam-kc-http           NodePort       10.233.25.75   <none>         8285/TCP         9m13s
cncc-iam-ingress-gateway   LoadBalancer   10.233.7.236   10.75.182.72   8080:30346/TCP   9m13s

CNC Console IAM Sample Custom Values

custom-cncc-iam_values_1.2.1.yaml with helm chart version 1.2.1

#########################################################
#            Section Start: global attributes           #
#########################################################
 
global:
  # ********  Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
 
  dockerRegistry: ocspf-registry.us.oracle.com:5000/ocscp
   
  customExtension:
    allResources:
      labels: {}
      annotations: {}
      #  sidecar.istio.io/rewriteAppHTTPProbers: "\"true\""
 
    lbServices:
      labels: {}
      annotations: {}
 
    lbDeployments:
      labels: {}
      annotations: {}
      #  traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\""
      #  oracle.com/cnc: "\"true\""
 
    nonlbServices:
      labels: {}
      annotations: {}
 
    nonlbDeployments:
      labels: {}
      annotations: {}
 
 
  # ********  Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************
 
  # ********  Sub-Section Start: Ingress Gateway Global Parameters ********
  # ***********************************************************************
 
  # If https is enabled, this Port would be HTTP/1.0 Port (unsecured)
  # If https is disabled, this Port would be HTTPS/1.0 Port (secured SSL)
  publicHttpSignalingPort: 8080
  publicHttpsSignallingPort: 8443
   
  serviceAccountName: ""
   
  # Specify type of service - Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName
  type: LoadBalancer
  # Enable or disable IP Address allocation from Metallb Pool
  metalLbIpAllocationEnabled: true
 
  # Address Pool Annotation for Metallb
  metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: oam"
   
  # If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress
  # Else random IP will be assigned by the metalLB from its IP Pool
  staticIpAddressEnabled: false
  staticIpAddress: 10.75.212.60
 
  # If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort
  # Else random node port will be assigned by K8
  staticNodePortEnabled: true
  staticHttpNodePort: 30085
  staticHttpsNodePort: 30053
 
  nodeSelector:
    nodeKey: ""
    nodeValue: ""
 
  k8sResource:
    container:
      prefix: ""
      suffix: ""
 
# ********  Sub-Section End: Ingress Gateway Global Parameters ********
# *********************************************************************
 
#########################################################
#            Section End  : global attributes           #
#########################################################
 
#########################################################
#            Section Start  : IAM  attributes           #
#########################################################
 
kc:
  keycloak:
    image:
      name: cncc/cncc-iam
      tag: 1.2.1
      pullPolicy: Always
   
    ## Username for the initial CNCConsole-IAM admin user
    username: admin
     
    # Specifies an existing secret to be used for the admin password
    existingSecret: cncc-iam-secret
     
    # The key in the existing secret that stores the password
    existingSecretKey: iamAdminPasswordKey
    
    serviceAccount:
      # Specifies whether a service account should be created
      create: false
      # The name of the service account to use.
      # If not set and create is true, a name is generated using the fullname template
      name:
       
    ## Persistence configuration
    persistence:
      # The database vendor. Can be either "mysql", "mariadb", or "h2"
      dbVendor: mysql
   
      ## The database name, host and port
      ## If dbVendor is "mysql", then the database must be created in MySQL prior to installing cncc-iam
      dbName: cnccdb
      dbHost: ""
      dbPort: ""
   
      ## Database Credentials are loaded from a Secret residing in the same Namespace as keycloak.
      ## The Chart can read credentials from an existing Secret OR it can provision its own Secret.
   
      ## Specify existing Secret
      # If set, specifies the Name of an existing Secret to read db credentials from.
      existingSecret: cncc-db-secret
      existingSecretPasswordKey: dbPasswordKey  # read keycloak db password from existingSecret under this Key
      existingSecretUsernameKey: dbUserNameKey  # read keycloak db user from existingSecret under this Key 
   
    service:
      # Labels and Annotations that are specific to service IAM are added here.
      customExtension:
        labels: {}
        annotations: {}
      httpPort: 8285
       
    resources:
      limits:
        cpu: 2
        memory: 2Gi
      requests:
        cpu: 1
        memory: 1Gi
   
 
#########################################################
##            Section End  : IAM attributes              #
##########################################################
 
 
##########################################################
##            Section Start  : Ingress Gateway attributes #
##########################################################
 
ingress-gateway:
  
  image:
    # image name
    name: cncc/cncc-apigateway-api-tag
    # tag name of image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
   
  initContainersImage:
    # init Containers image name
    name: cncc/apigw-configurationinit-init-tag
    # tag name of init Container image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
     
  updateContainersImage:
    # update Containers image name
    name: cncc/apigw-configurationupdate-update-tag
    # tag name of update Container image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
   
  service:
    ssl:
      tlsVersion: TLSv1.2
       
      privateKey:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: rsa_private_key_pkcs1.pem
        ecdsa:
          fileName: ssl_ecdsa_private_key.pem
   
      certificate:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: ssl_rsa_certificate.crt
        ecdsa:
          fileName: ssl_ecdsa_certificate.crt
   
      caBundle:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: caroot.cer
   
      keyStorePassword:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_keystore.txt
   
      trustStorePassword:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_truststore.txt
   
      initialAlgorithm: RSA256
   
    # Labels and Annotations that are specific to service ingressgateway are added here.
    customExtension:
      labels: {}
      annotations: {}
   
    # Labels and Annotations that are specific to deployment ingressgateway are added here.
  deployment:
    customExtension:
      labels: {}
      annotations: {}
   
  ports:
    # ContainerPort represents a network port in a single container
    containerPort: 8081
    containersslPort: 8443
    actuatorPort: 9090
   
  #Set the root log level
  log:
    level:
      root: WARN
      ingress: INFO
      cncc:
        security: INFO
   
  readinessProbe:
    # tells the kubelet that it should wait second before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a liveness probe every xx seconds
    periodSeconds: 10
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
     
  livenessProbe:
    # tells the kubelet that it should wait second before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a liveness probe every xx seconds
    periodSeconds: 15
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
   
  # Resource details
  resources:
    limits:
      cpu: 2
      initServiceCpu: 1
      updateServiceCpu: 1
      memory: 2Gi
      updateServiceMemory: 1Gi
      initServiceMemory: 1Gi
    requests:
      cpu: 1
      initServiceCpu: 0.5
      updateServiceCpu: 0.5
      memory: 1Gi
      updateServiceMemory: 0.5Gi
      initServiceMemory: 0.5Gi
    target:
      averageCpuUtil: 80
   
  # Number of Pods must always be available, even during a disruption.
  minAvailable: 1
  # Min replicas to scale to maintain an average CPU utilization
  minReplicas: 1
  # Max replicas to scale to maintain an average CPU utilization
  maxReplicas: 5
   
   
  allowedCipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
   
  # To Initialize SSL related infrastructure in init/update container
  initssl: false
  # Server Configuration for http and https support
  enableIncomingHttp: true
  enableIncomingHttps: false
   
  ingressGwCertReloadEnabled: false
  ingressGwCertReloadPath: /ingress-gw/certificate/reload
   
  routesConfig:
  # Examples for routes cncc-iam.
  # Note: Enable addRequestHeader when ever https is enabled
  #- id: cncc-iam_route
  #  uri: http://cncc-iam-kc-http.cncc.svc.cluster.local:8285
  #  path: /
  #  filters:
  #    prefixPath: /cncc/auth/admin
  #    #addRequestHeader: # Enable this filter only incase of https
  #    #- name: X-Forwarded-Proto
  #    #  value: https 
  #- id: cncc-iam_route
  #  uri: http://cncc-iam-kc-http.cncc.svc.cluster.local:8285
  #  path: /cncc/auth/**
  #  #filters:
  #  #  addRequestHeader:
  #  #  - name: X-Forwarded-Proto
  #  #    value: https
  - id: cncc-iam_login_route
    uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
    path: /
    filters:
      prefixPath: /cncc/auth/admin
    #  addRequestHeader: # Enable this filter only incase of https
    #  - name: X-Forwarded-Proto
    #    value: https      
  - id: cncc-iam_route
    uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
    path: /cncc/auth/**
    #filters:
    #  addRequestHeader: # Enable this filter only incase of https
    #  - name: X-Forwarded-Proto
    #    value: https
 
  # CNCC configuration
  cncc:
    # Enable security logs
    securityLogEnabled: true
 
#########################################################
##            Section End  : Ingress Gateway attributes  #
##########################################################

Note:

When CNCC IAM is enabled with HTTPS, every route must carry the addRequestHeader filter. The updated routesConfig under the ingress section in values.yaml is then as follows:
routesConfig:
- id: cncc-iam_login_route
  uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
  path: /
  filters:
    prefixPath: /cncc/auth/admin
    addRequestHeader: # Enable this filter only incase of https
    - name: X-Forwarded-Proto
      value: https     
- id: cncc-iam_route
  uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
  path: /cncc/auth/**
  filters:
    addRequestHeader: # Enable this filter only incase of https
    - name: X-Forwarded-Proto
      value: https
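Because the addRequestHeader entries ship commented out in the sample values file, the usual failure is that enableIncomingHttps is switched to true while one of the routes keeps its filter commented: the gateway then forwards plain HTTP to Keycloak without X-Forwarded-Proto, and Keycloak builds http:// redirect URLs behind an https:// front door. The script below is an added example (not part of the Oracle guide) that checks a values file for exactly this: when enableIncomingHttps is true, every `- id:` route under routesConfig must have an uncommented `name: X-Forwarded-Proto` line. It assumes the layout of the sample values file above (routes as `- id:` items, commented lines starting with #) and embeds a constructed fragment of that layout so it can be tried without a real file.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: verify that every route in the
# ingress-gateway routesConfig sets X-Forwarded-Proto whenever
# enableIncomingHttps is true. Assumes the sample values file layout.

# Usage: check_https_routes <values.yaml>; returns 1 and names the routes that
# lack the header when HTTPS is enabled, 0 otherwise.
check_https_routes() {
  awk '
    /^[ \t]*#/ { next }                                   # ignore commented-out lines
    /^[ \t]*enableIncomingHttps:[ \t]*true/ { https = 1 }
    /^[ \t]*-[ \t]*id:/ {                                 # a new route starts: settle the previous one
      if (id != "" && !hdr) missing = missing " " id
      id = $NF; hdr = 0
    }
    /name:[ \t]*X-Forwarded-Proto/ { hdr = 1 }
    END {
      if (id != "" && !hdr) missing = missing " " id
      if (https && missing != "") {
        print "HTTPS is enabled but these routes lack the X-Forwarded-Proto header:" missing
        exit 1
      }
      print (https ? "HTTPS enabled: every route sets X-Forwarded-Proto" : "HTTPS disabled: header check not required")
    }' "$1"
}

# Constructed values fragment for trying the check offline (not a real deployment file).
# Usage: write_sample_values <out file> <true|false> <yes|no: header on the second route>
write_sample_values() {
  out=$1; https=$2; second_hdr=$3
  {
    printf 'ingress-gateway:\n  enableIncomingHttps: %s\n  routesConfig:\n' "$https"
    printf '  - id: cncc-iam_login_route\n    uri: http://cncc-iam-kc-http.cncc.svc.cluster.local:8285\n    path: /\n'
    printf '    filters:\n      prefixPath: /cncc/auth/admin\n      addRequestHeader:\n      - name: X-Forwarded-Proto\n        value: https\n'
    printf '  - id: cncc-iam_route\n    uri: http://cncc-iam-kc-http.cncc.svc.cluster.local:8285\n    path: /cncc/auth/**\n'
    if [ "$second_hdr" = yes ]; then
      printf '    filters:\n      addRequestHeader:\n      - name: X-Forwarded-Proto\n        value: https\n'
    else
      printf '    #filters:\n    #  addRequestHeader:\n    #  - name: X-Forwarded-Proto\n    #    value: https\n'
    fi
  } > "$out"
}

# Stand-alone use: check_routes.sh custom-cncc-iam_values_<version>.yaml
if [ $# -ge 1 ]; then
  check_https_routes "$1"
fi
```

Run it against the custom values file before helm install or helm upgrade; a non-zero exit names the routes that still need the filter.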

CNC Console IAM Configuration Options During Deployment

Attribute Name DataType Range Mandatory(M)/ Optional(O)/Conditional(C) Description
kc.keycloak.image.name <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters M Image Name to be used for cncc-iam micro service.
kc.keycloak.image.tag <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters M Image Tag to be used for cncc-iam micro service.
kc.keycloak.image.pullpolicy <String>

It can take a value from the following:

IfNotPresent, Always, Never

IfNotPresent is the default pullPolicy

O Pull Policy decides when the image is pulled: Always, only if it is not already present on the node (IfNotPresent), or Never.
kc.keycloak.username <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. M

It is the name of the cncc-iam administrator user, as chosen by the operator.

Ex: admin

kc.keycloak.existingSecret <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters M

It specifies an existing secret name to be used for the admin password

Ex: cncc-iam-secret

kc.keycloak.serviceAccount.create <Boolean>

It can take either True or False value.

By default, it is false.

O Flag for creating service account.
kc.keycloak.serviceAccount.name <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters O

The name of the service account.

Applicable only if keycloak.serviceAccount.create is set to 'true'. If keycloak.serviceAccount.name is left empty, CNCC creates a default service account named 'cncc-iam'; otherwise the user has to create the service account beforehand and provide its name here:

kubectl create serviceaccount <name> -n <namespace>
kc.keycloak.existingSecretKey <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters M

Applicable only if keycloak.existingSecret is provided. It is the key in the existing secret that stores the password

Ex: iamAdminPasswordKey

kc.keycloak.persistence.dbVendor <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. M

It is the database vendor name

Ex: mysql

kc.keycloak.persistence.dbName <String> Valid String M

It is the name of the database used for cncc-iam. User should create DB with the same name as provided here before deploying CNCC-IAM

Ex: cnccdb

kc.keycloak.persistence.dbHost <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. M

It is the hostname of the persistence database

Ex: mysql-sds.default.svc.cluster.local

kc.keycloak.persistence.dbPort <Integer> It can range from 0-65535 M

It is the db port for cncc-iam

Ex: 3306

kc.keycloak.persistence.existingSecret <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters M

It specifies an existing secret to be used for mysql username and password

Ex: cncc-db-secret

kc.keycloak.persistence.existingSecretPasswordKey <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters M

It is the key in the existing secret that stores the password

Ex: dbPasswordKey

kc.keycloak.persistence.existingSecretUsernameKey <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters M

It is the key in the existing secret that stores the username

Ex: dbUserNameKey

kc.keycloak.service.httpPort <String> It can range from 0-65535 O It is the port number on which the cncc-iam service is reachable by other services running within the same K8s cluster
kc.keycloak.service.customExtension.labels <String>   O This can be used to add custom label(s) that are specific to service and will be created by cncc-iam helm chart.
kc.keycloak.service.customExtension.annotations <String>   O This can be used to add custom annotations(s) that are specific to service and will be created by cncc-iam helm chart.
global.dockerRegistry <String> It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. M It is the docker registry where cncc-iam images are present.
global.publicHttpSignalingPort <String> It can range from 0-65535 M

If https is disabled, this is the HTTP port (unsecured) on which the service is exposed

global.publicHttpsSignallingPort <String> It can range from 0-65535  

If https is enabled, this is the HTTPS port (secured with TLS) on which the service is exposed

global.serviceAccountName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters O Service Account name
global.type <String> It can take ClusterIP, NodePort, LoadBalancer and ExternalName. M It specifies type of service - Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName
global.metalLbIpAllocationEnabled <Boolean>

It can take either True or False value.

By default, it is false.

M Enable or disable IP address allocation from the MetalLB pool
global.metalLbIpAllocationAnnotation <String> metallb.universe.tf/address-pool: oam M Address pool annotation for MetalLB
global.staticIpAddressEnabled <Boolean>

It can take either True or False value.

By default, it is false.

O

If a static load balancer IP needs to be set, set staticIpAddressEnabled to true and provide a value for staticIpAddress.

Otherwise MetalLB assigns a random IP from its IP pool.

global.staticIpAddress <String>   O It is the static IP and applicable only when global.staticIpAddressEnabled is true.
global.staticNodePortEnabled <Boolean>

It can take either True or False value.

By default, it is false.

O Enable a fixed (static) node port for the service instead of one allocated by Kubernetes
global.staticHttpNodePort <String>   O It is the HTTP node port and applicable only when global.staticNodePortEnabled is true.
global.nodeSelector.nodeKey <String>   O global node selector key
global.nodeSelector.nodeValue <String>   O global node selector value
global.customExtension.allResources.labels <String> Custom Labels that needs to be added to both the subcharts of cncc-iam O This can be used to add custom label(s) to all k8s resources that will be created by cncc-iam helm chart.
global.customExtension.allResources.annotations <String> Custom Annotations that needs to be added to both the sub-charts of cncc-iam O This can be used to add custom annotation(s) to all k8s resources that will be created by cncc-iam helm chart.
global.customExtension.lbServices.labels <String> Custom Labels that needs to be added for both the sub-charts of that are considered as Load Balancer type O This can be used to add custom label(s) to all Load Balancer Type Services that will be created by cncc-iam helm chart.
global.customExtension.lbServices.annotations <String> Custom Annotations that needs to be added for both the subcharts of cncc-iam that are considered as Load Balancer type O This can be used to add custom annotation(s) to all Load Balancer Type Services that will be created by cncc-iam helm chart.
global.customExtension.lbDeployments.labels <String> Custom Labels that need to be added for both the subcharts of cncc-iam which are of Load Balancer type O This can be used to add custom label(s) to all Deployments created by the cncc-iam helm chart that are associated with a Service of Load Balancer type.
global.customExtension.lbDeployments.annotations <String> Custom Annotations that need to be added to both the subcharts of cncc-iam which are of Load Balancer type O This can be used to add custom annotation(s) to all Deployments created by the cncc-iam helm chart that are associated with a Service of Load Balancer type.
global.customExtension.nonlbServices.labels <String> Custom Labels that need to be added to cncc-iam Services that are not of Load Balancer type O This can be used to add custom label(s) to all non-Load Balancer type Services created by the cncc-iam helm chart.
global.customExtension.nonlbServices.annotations <String> Custom Annotations that need to be added for both the subcharts of cncc-iam that are not of Load Balancer type O This can be used to add custom annotation(s) to all non-Load Balancer type Services created by the cncc-iam helm chart.
global.customExtension.nonlbDeployments.labels <String> Custom Labels that need to be added for both the subcharts of cncc-iam that are associated with a Service which is not of Load Balancer type O This can be used to add custom label(s) to all Deployments created by the cncc-iam helm chart that are associated with a Service which is not of Load Balancer type.
global.customExtension.nonlbDeployments.annotations <String> Custom Annotations that need to be added for both the subcharts of cncc-iam that are associated with a Service which is not of Load Balancer type O This can be used to add custom annotation(s) to all Deployments created by the cncc-iam helm chart that are associated with a Service which is not of Load Balancer type.
global.k8sResource.container.prefix <String> Value that will be prefixed to all the container names of cncc-iam. O This value will be used as a prefix for all the container names created by the cncc-iam helm chart.
global.k8sResource.container.suffix <String> Value that will be suffixed to all the container names of cncc-iam. O This value will be used as a suffix for all the container names created by the cncc-iam helm chart.
ingress-gateway.image.name <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters M Image Name to be used for "ingress-gateway" micro service
ingress-gateway.image.tag <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters M Image Tag to be used for "ingress-gateway" micro service
ingress-gateway.image.pullPolicy <String>

It can take a value from the following:

IfNotPresent, Always, Never

IfNotPresent is the default pullPolicy

M Pull Policy decides when the image is pulled: Always, only if it is not already present on the node (IfNotPresent), or Never.
ingress-gateway.initContainersImage.name <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters M Image Name to be used for init container
ingress-gateway.initContainersImage.tag <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters M Image tag to be used for init container
ingress-gateway.initContainersImage.pullPolicy <String>

It can take a value from the following:

IfNotPresent, Always, Never

IfNotPresent is the default pullPolicy

M Pull Policy decides when the image is pulled: Always, only if it is not already present on the node (IfNotPresent), or Never.
ingress-gateway.updateContainersImage.name <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters M Image Name to be used for update container
ingress-gateway.updateContainersImage.tag <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters M Image tag to be used for update container
ingress-gateway.updateContainersImage.pullPolicy <String>

It can take a value from the following:

IfNotPresent, Always, Never

IfNotPresent is the default pullPolicy

M Pull Policy decides when the image is pulled: Always, only if it is not already present on the node (IfNotPresent), or Never.
ingress-gateway.service.ssl.tlsVersion <String> Default value is TLSv1.2 M TLS protocol version accepted by the ingress-gateway; the cipher suite list below is defined for TLS 1.2
ingress-gateway.service.ssl.privateKey.k8SecretName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Name of the privatekey secret

Ex: cncc-iam-ingress-secret

ingress-gateway.service.ssl.privateKey.k8NameSpace <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Namespace of privatekey

Ex: cncc

ingress-gateway.service.ssl.privateKey.rsa.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

rsa private key file name

Ex: rsa_private_key_pkcs1.pem

ingress-gateway.service.ssl.privateKey.ecdsa.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

ecdsa private key file name

Ex: ssl_ecdsa_private_key.pem

ingress-gateway.service.ssl.certificate.k8SecretName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Name of the certificate secret

Ex: cncc-iam-ingress-secret

ingress-gateway.service.ssl.certificate.k8NameSpace <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Namespace of certificate

Ex: cncc

ingress-gateway.service.ssl.certificate.rsa.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

rsa certificate file name

Ex: ssl_rsa_certificate.crt

ingress-gateway.service.ssl.certificate.ecdsa.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

ecdsa certificate file name

Ex: ssl_ecdsa_certificate.crt

ingress-gateway.service.ssl.caBundle.k8SecretName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Name of the caBundle secret

Ex: cncc-iam-ingress-secret

ingress-gateway.service.ssl.caBundle.k8NameSpace <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Namespace of caBundle

Ex: cncc

ingress-gateway.service.ssl.caBundle.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

caBundle file name

Ex: caroot.cer

ingress-gateway.service.ssl.initialAlgorithm <String> Default value is RSA256 M  
ingress-gateway.service.customExtension.labels <String> Custom Labels that needs to be added to ingress-gateway specific Service. O This can be used to add custom label(s) to ingress-gateway Service.
ingress-gateway.service.customExtension.annotations <String> Custom Annotations that needs to be added to ingress-gateway specific Services. O This can be used to add custom annotation(s) to ingress-gateway Service.
ingress-gateway.deployment.customExtension.labels <String> Custom Labels that needs to be added to ingress-gateway specific Deployment. O This can be used to add custom label(s) to ingress-gateway Deployment.
ingress-gateway.deployment.customExtension.annotations <String> Custom Annotations that needs to be added to ingress-gateway specific Deployment. O This can be used to add custom annotation(s) to ingress-gateway Deployment.
ingress-gateway.service.ssl.keyStorePassword.k8SecretName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Name of the keyStorePassword secret

Ex: cncc-iam-ingress-secret

ingress-gateway.service.ssl.keyStorePassword.k8NameSpace <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Namespace of keyStorePassword

Ex: cncc

ingress-gateway.service.ssl.keyStorePassword.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

File name that has password for keyStore

Ex: ssl_keystore.txt

ingress-gateway.service.ssl.trustStorePassword.k8SecretName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Name of the trustStorePassword secret

Ex: cncc-iam-ingress-secret

ingress-gateway.service.ssl.trustStorePassword.k8NameSpace <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

Namespace of trustStorePassword

Ex: cncc

ingress-gateway.service.ssl.trustStorePassword.fileName <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M

File name that has password for trustStore

Ex: ssl_truststore.txt

ingress-gateway.ports.containerPort <String> It can take value in the range: 0-65535. M ContainerPort represents a network port in a single container
ingress-gateway.ports.containersslPort <String> Default value is 8443 M  
ingress-gateway.ports.actuatorPort <String> Default value is 9090    
ingress-gateway.log.level.root <String> It can take values like: WARN, DEBUG, INFO, TRACE etc. M

It is the level at which user wants to see the logs.

E.g. WARN

ingress-gateway.log.level.ingress <String>

It can take values like: WARN, DEBUG, INFO, TRACE etc.

Default value is INFO

M Log level for ingress logs
ingress-gateway.log.level.cncc.security <String>

It can take values like: WARN, DEBUG, INFO, TRACE etc.

Default value is INFO

M Log level for cncc security logs
ingress-gateway.readinessProbe.initialDelaySeconds <String>

It can take value in the range: 0-65535.

Default value:30

M It tells the kubelet how many seconds to wait before performing the first probe
ingress-gateway.readinessProbe.timeoutSeconds <String>

It can take value in the range: 0-65535.

Default value:3

M It is the number of seconds after which the probe times out
ingress-gateway.readinessProbe.periodSeconds <String>

It can take value in the range: 0-65535.

Default value:10

M It specifies that the kubelet should perform a readiness probe every xx seconds
ingress-gateway.readinessProbe.successThreshold <String>

It can take value in the range: 0-65535.

Default value:1

M Minimum consecutive successes for the probe to be considered successful after having failed
ingress-gateway.readinessProbe.failureThreshold <String>

It can take value in the range: 0-65535.

Default value:3

M When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
ingress-gateway.livenessProbe.initialDelaySeconds <String>

It can take value in the range: 0-65535.

Default value:30

M It tells the kubelet how many seconds to wait before performing the first probe
ingress-gateway.livenessProbe.timeoutSeconds <String>

It can take value in the range: 0-65535.

Default value:3

M It is the number of seconds after which the probe times out
ingress-gateway.livenessProbe.periodSeconds <String>

It can take value in the range: 0-65535.

Default value:15

M It specifies that the kubelet should perform a liveness probe every xx seconds
ingress-gateway.livenessProbe.successThreshold <String>

It can take value in the range: 0-65535.

Default value:1

M Minimum consecutive successes for the probe to be considered successful after having failed
ingress-gateway.livenessProbe.failureThreshold <String>

It can take value in the range: 0-65535.

Default value:3

M When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
ingress-gateway.resources.limits.cpu <String> Valid CPU quantity (for example 1 or 500m) M CPU limit for the ingress-gateway container.
ingress-gateway.resources.limits.initServiceCpu <String> Default value is 1 M Init container CPU limit
ingress-gateway.resources.limits.updateServiceCpu <String> Default value is 1 M Update container CPU limit
ingress-gateway.resources.limits.memory <String> Valid integer value followed by Mi/Gi etc. M Memory limit for the ingress-gateway container.
ingress-gateway.resources.limits.updateServiceMemory <String> Default value is 1Gi M Update container memory limit
ingress-gateway.resources.limits.initServiceMemory <String> Default value is 1Gi M Init container memory limit
ingress-gateway.resources.requests.cpu <String> Valid CPU quantity, not greater than limits.cpu M CPU request for the ingress-gateway container (the amount the scheduler reserves); Kubernetes rejects a request that exceeds the limit.
ingress-gateway.resources.requests.initServiceCpu <String> Default value is 1 M Init container CPU request
ingress-gateway.resources.requests.updateServiceCpu <String> Default value is 1 M Update container CPU request
ingress-gateway.resources.requests.memory <String> Valid integer value followed by Mi/Gi etc., not greater than limits.memory M Memory request for the ingress-gateway container.
ingress-gateway.resources.requests.updateServiceMemory <String> Default value is 1Gi M Update container memory request
ingress-gateway.resources.requests.initServiceMemory <String> Default value is 1Gi M Init container memory request
ingress-gateway.resources.target.averageCpuUtil <String> A value in between 0-100 M It gives the average CPU utilization percentage.
ingress-gateway.minAvailable <String>

It can take value in the range: 0-65535.

Default value:1

M It is the number of pods that must always be available, even during a disruption.
ingress-gateway.minReplicas <String>

It can take value in the range: 0-65535.

Default value:1

M Min replicas to scale to maintain an average CPU utilization
ingress-gateway.maxReplicas <String>

It can take value in the range: 0-65535.

Default value:5

M Max replicas to scale to maintain an average CPU utilization
ingress-gateway.initssl <String>

It can take either True or False value.

By default, it is false.

M Initialize the SSL related infrastructure (key store and trust store built from the secrets under service.ssl) in the init/update container
ingress-gateway.enableIncomingHttp <String>

It can take either True or False value.

By default, it is false.

M Enable the plain HTTP listener of the ingress-gateway
ingress-gateway.enableIncomingHttps <String>

It can take either True or False value.

By default, it is false.

M Enable the HTTPS (TLS) listener of the ingress-gateway; the service.ssl settings and the cipherSuites list are used by this listener
ingress-gateway.cipherSuites <List[String]>

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

C (mandatory if ingress-gateway.enableIncomingHttps is true) Allowed cipher suites for TLS 1.2; all of them are forward-secret (ECDHE/DHE) AEAD suites
ingress-gateway.ingressGwCertReloadEnabled <boolean>

It can take either True or False value.

Default value is true

M  
ingress-gateway.ingressGwCertReloadPath <String>   M  
ingress-gateway.routesConfig.[].id <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. M Identifier of a route to be added to the cncc-iam ingress-gateway
ingress-gateway.routesConfig.[].uri <String> Valid URI M Backend URI the route forwards to (for cncc-iam the kc-http service on port 8285)
ingress-gateway.routesConfig.[].path <String> Valid path pattern M Request path pattern matched by the route (for example /cncc/auth/**)
ingress-gateway.routesConfig.[].order <Integer> Valid Integer value O Evaluation order of the route
ingress-gateway.routesConfig.[].filters.addRequestHeader.[].name <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator M Name of the header added to the request before it is forwarded (for example X-Forwarded-Proto)
ingress-gateway.routesConfig.[].filters.addRequestHeader.[].value <String> Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A value component may not start or end with a separator M Value of the added header (for example https)
ingress-gateway.cncc.securityLogEnabled <boolean>

It can take either True or False value.

By default, it is true

O This flag is to enable/disable security logs for cncc.
ingress-gateway.nodeselector.nodeKey <String>   O node selector key specific to the chart (this is looked up first; if not present, the global node selector key is used)
ingress-gateway.nodeselector.nodeValue <String>   O node selector value specific to the chart (this is looked up first; if not present, the global node selector value is used)
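As an added example (not from the CNC Console documentation or the Oracle chart), the following Python lint takes the parsed values.yaml as a dict together with the secrets already present in the target namespace, modelled as a mapping from secret name to its set of data keys as you would read them from kubectl get secret -n <ns> -o json, and reports two classes of mistake the table above makes easy: an existingSecret or *Key reference under kc.keycloak that does not resolve to a real secret and data key, and ingress-gateway TLS settings that contradict the table (tlsVersion other than TLSv1.2, a cipher suite outside the allowed list, an empty service.ssl secret name, plain HTTP left open next to HTTPS). Both sample values and the namespace secrets are constructed. One assumption beyond the table: when enableIncomingHttps is true, initssl is treated as required, since the table says it initialises the SSL material.

```python
"""Pre-deploy lint of cncc-iam values.yaml against the deployment table.

Added example; not part of the CNC Console documentation or the chart.
Input: the parsed values.yaml as a dict, plus the secrets already in the
target namespace as {name: set of data keys}. Both samples below are
constructed. Assumption beyond the table: when enableIncomingHttps is
true, initssl is treated as required (it initialises the SSL material).
"""
from copy import deepcopy

ALLOWED_CIPHER_SUITES = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
})
SSL_SECRETS = ("privateKey", "certificate", "caBundle", "keyStorePassword", "trustStorePassword")
# (secret-name path, data-key path) pairs from the kc.keycloak rows of the table.
SECRET_REFS = (
    ("kc.keycloak.existingSecret", "kc.keycloak.existingSecretKey"),
    ("kc.keycloak.persistence.existingSecret", "kc.keycloak.persistence.existingSecretUsernameKey"),
    ("kc.keycloak.persistence.existingSecret", "kc.keycloak.persistence.existingSecretPasswordKey"),
)


def _get(d, path, default=None):
    """Walk a dotted path through nested dicts ('kc.keycloak.existingSecret')."""
    for part in path.split("."):
        if not isinstance(d, dict) or part not in d:
            return default
        d = d[part]
    return d


def _truthy(v):
    """Helm values may carry real booleans or the strings 'true'/'false'."""
    return v is True or str(v).strip().lower() == "true"


def lint_secret_refs(values, secrets):
    """Every existingSecret/*Key pair must name a secret and a data key that exist."""
    f = []
    for name_path, key_path in SECRET_REFS:
        name, key = _get(values, name_path), _get(values, key_path)
        if not name or not key:
            f.append(f"ERROR: {name_path} and {key_path} are mandatory")
        elif name not in secrets:
            f.append(f"ERROR: secret {name!r} ({name_path}) not found in namespace")
        elif key not in secrets[name]:
            f.append(f"ERROR: secret {name!r} has no data key {key!r} ({key_path})")
    return f


def lint_ingress_tls(ig):
    """Check the ingress-gateway subtree's TLS settings against the table."""
    f = []
    https = _truthy(_get(ig, "enableIncomingHttps", False))
    if https and _truthy(_get(ig, "enableIncomingHttp", False)):
        f.append("WARN: plain HTTP stays open alongside HTTPS; disable enableIncomingHttp once clients use HTTPS")
    if not https:
        return f
    if not _truthy(_get(ig, "initssl", False)):
        f.append("ERROR: enableIncomingHttps is true but initssl is false (assumed required for the SSL material)")
    tls = _get(ig, "service.ssl.tlsVersion", "TLSv1.2")
    if tls != "TLSv1.2":
        f.append(f"ERROR: tlsVersion {tls!r}; the allowed cipher suites are defined for TLSv1.2 only")
    suites = _get(ig, "cipherSuites") or []
    if not suites:
        f.append("ERROR: cipherSuites is mandatory when enableIncomingHttps is true")
    f += [f"ERROR: cipher suite {s!r} is not in the allowed TLS 1.2 list" for s in suites if s not in ALLOWED_CIPHER_SUITES]
    f += [f"ERROR: service.ssl.{m}.k8SecretName is empty" for m in SSL_SECRETS if not _get(ig, f"service.ssl.{m}.k8SecretName")]
    return f


def lint_values(values, secrets):
    return lint_secret_refs(values, secrets) + lint_ingress_tls(values.get("ingress-gateway") or {})


def is_deployable(values, secrets):
    """True when no ERROR finding remains; WARN findings do not block deployment."""
    return not any(m.startswith("ERROR") for m in lint_values(values, secrets))


# Constructed: secrets as they would exist in the 'cncc' namespace.
NAMESPACE_SECRETS = {
    "cncc-iam-secret": {"iamAdminPasswordKey"},
    "cncc-db-secret": {"dbUserNameKey", "dbPasswordKey"},
}
GOOD_VALUES = {
    "kc": {"keycloak": {
        "existingSecret": "cncc-iam-secret", "existingSecretKey": "iamAdminPasswordKey",
        "persistence": {"existingSecret": "cncc-db-secret",
                        "existingSecretUsernameKey": "dbUserNameKey",
                        "existingSecretPasswordKey": "dbPasswordKey"},
    }},
    "ingress-gateway": {
        "initssl": True, "enableIncomingHttp": False, "enableIncomingHttps": True,
        "cipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        "service": {"ssl": dict({"tlsVersion": "TLSv1.2"}, **{m: {"k8SecretName": "cncc-iam-ingress-secret"} for m in SSL_SECRETS})},
    },
}
# Constructed: the same file with the mistakes the lint is meant to catch.
BAD_VALUES = deepcopy(GOOD_VALUES)
BAD_VALUES["kc"]["keycloak"]["existingSecretKey"] = "adminPassword"  # key absent from the secret
BAD_VALUES["ingress-gateway"].update(initssl="false", enableIncomingHttp="true",
                                     cipherSuites=["TLS_RSA_WITH_AES_128_CBC_SHA"])
BAD_VALUES["ingress-gateway"]["service"]["ssl"]["tlsVersion"] = "TLSv1.1"
BAD_VALUES["ingress-gateway"]["service"]["ssl"]["keyStorePassword"]["k8SecretName"] = ""

if __name__ == "__main__":
    for line in lint_values(BAD_VALUES, NAMESPACE_SECRETS):
        print(line)
    print("good values deployable:", is_deployable(GOOD_VALUES, NAMESPACE_SECRETS))
```

The secret cross-check matters because a wrong existingSecretKey is not caught by helm install; the pod starts, fails to read the admin or database password and crash-loops, and the error surfaces only in the Keycloak logs. Running the lint with the real secrets list from the namespace turns that into a one-line finding before deployment.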

CNC Console IAM service Access

CNC Console IAM services can be accessed as follows:

<scheme>://<cncc-iam-ingress-external-ip>:<cncc-iam-ingress-service-port>

Example:

http://10.75.182.72:8080/*

CNC Console IAM Uninstall

CNC Console IAM can be uninstalled as follows.

To undeploy CNCConsole-IAM:

For Helm 2:
$ helm delete <deployment name> --purge
 Example:
$ helm delete cncc-iam --purge
For Helm 3:
$ helm uninstall <deployment name> --namespace <deployment namespace>
 Example:
$ helm uninstall cncc-iam --namespace cncc

Note:

Helm removes only the resources that the release created. The secrets created beforehand for kc.keycloak.existingSecret, kc.keycloak.persistence.existingSecret and the ingress-gateway SSL material, as well as the CNCC database and MySQL user, are left in place and must be removed separately if they are no longer needed.