3 CNC Console IAM Installation Instructions
Prerequisites for CNC Console IAM
Following are the prerequisites for the installation of CNC Console IAM:
Create MySQL Database and User
This section explains how to create the CNCC user and the CNCC database.
- Log in to a server or machine that has permission to access the SQL nodes of the NDB cluster.
- Connect to the SQL nodes of the NDB cluster one by one.
- Execute the following command to log in to the MySQL prompt as root, or as a user that has permission to create users and grant privileges:
$ mysql -h <SQL node host> -uroot -p
Note:
After entering the command above, the user must enter the MySQL password.
- Check whether the CNCC user already exists. If the user does not exist, create a CNCC user by executing the following commands:
- Execute
$ SELECT User FROM mysql.user;
to list the users.
- If the user does not exist, create the new user by executing
$ CREATE USER '<CNCC User Name>'@'%' IDENTIFIED BY '<CNCC Password>';
Note:
The host part '%' allows this account to connect from any host. Where the environment allows it, restrict the host part to the network the CNCC IAM pods connect from.
- Check whether the CNCC database already exists. If the database does not exist, create a CNCC database and grant permissions on it to the CNCC user created in the previous step:
- Execute
$ show databases;
to check whether the database exists.
- If MySQL has a CNCC database created as per release 1.0.0, drop it before creating cnccdb by executing the following command:
$ DROP DATABASE cnccdb;
- Execute
$ CREATE DATABASE IF NOT EXISTS <CNCC Database> CHARACTER SET utf8;
to create the database.
- Grant permissions to the user by executing the following command:
$ GRANT SELECT,INSERT,CREATE,ALTER,DROP,LOCK TABLES,CREATE TEMPORARY TABLES,DELETE,UPDATE,EXECUTE ON <CNCC Database>.* TO '<CNCC User Name>'@'%';
Example (cnccusr and cnccpasswd are placeholders; use your own values):
# Log in to the MySQL prompt:
$ mysql -u root -p
# Check whether the user already exists:
$ SELECT User FROM mysql.user;
# If the user already exists, move to the next step. Otherwise create the user:
$ CREATE USER 'cnccusr'@'%' IDENTIFIED BY 'cnccpasswd';
# Check whether the database exists:
$ show databases;
# If cnccdb is already in the list and was created as per the 1.0.0 release, drop it:
$ DROP DATABASE cnccdb;
# Create the CNCC database:
$ CREATE DATABASE IF NOT EXISTS cnccdb CHARACTER SET utf8;
# Grant permissions to the user:
$ GRANT SELECT, INSERT, CREATE, ALTER, DROP, LOCK TABLES, CREATE TEMPORARY TABLES, DELETE, UPDATE, EXECUTE ON cnccdb.* TO 'cnccusr'@'%';
Populate CNCC Database with CNCC IAM Tables
The user must load the CNCC database created above with the
cnccdb_<version>.sql
file provided in the
cncc-custom-configtemplate
package. This section describes how to populate the CNCC database with the CNCC IAM tables.
- Load the database with the tables from cnccdb_<version>.sql. Ensure that cnccdb_<version>.sql is in the /home/admusr/ directory of the MySQL Query Node, then execute:
$ mysql -u <username> -p <databasename> < cnccdb_<version>.sql
Note:
The user must enter the MySQL password.
- Verify that the tables are loaded into the database using the following commands:
$ use <databasename>;
$ show tables;
Note:
It shows a list of 93 tables related to CNCC-IAM.
- Exit from the MySQL Query Node using the following command:
$ exit;
Example demonstrating the loading of cnccdb with the tables from cnccdb_<version>.sql:
# mysql -h 127.0.0.1 -uroot -pNextGenCne cnccdb < /home/admusr/cnccdb.sql
# mysql -h 127.0.0.1 -uroot -pNextGenCne
mysql> use cnccdb;
mysql> show tables;
Note:
Passing the password on the command line with -p<password>, as in the example, exposes it to other users of the host through the process list and the shell history. Prefer -p without a value and enter the password at the prompt.
Create a Kubernetes Secret for MySQL
This section describes how to create a kubernetes secret for MySQL.
- Execute the following command to create the Kubernetes secret for MySQL:
$ kubectl create secret generic <database secret name> --from-literal=dbUserNameKey=<CNCC MySQL database username> --from-literal=dbPasswordKey=<CNCC MySQL database password> -n <Namespace of MySQL secret>
- Execute the following command to verify the secret creation:
$ kubectl describe secret <database secret name> -n <Namespace of MySQL secret>
Example:
$ kubectl create secret generic cncc-db-secret --from-literal=dbUserNameKey=root --from-literal=dbPasswordKey=mypass -n cncc
$ kubectl describe secret cncc-db-secret -n cncc
Note:
The example uses root for illustration only. Store the dedicated CNCC user created above (for example cnccusr) in the secret, so that CNCC IAM holds only the privileges granted on cnccdb.
Create a Kubernetes Secret for Admin User
This section describes how to create a kubernetes secret for admin user.
- Execute the following command to create the Kubernetes secret for the admin user:
$ kubectl create secret generic <secret-name> --from-literal=iamAdminPasswordKey=<password> --namespace <namespace>
- Execute the following command to verify the secret creation:
$ kubectl describe secret <secret name> -n <namespace>
Example:
$ kubectl create secret generic cncc-iam-secret --from-literal=iamAdminPasswordKey=cncciampasswordvalue --namespace cncc
$ kubectl describe secret cncc-iam-secret -n cncc
CNCC IAM Secret Configuration to Enable HTTPS
This section describes how to create the secret configuration for enabling HTTPS. This section must be executed before enabling HTTPS in the CNCC Core Ingress gateway.
Note:
The passwords for the TrustStore and KeyStore are stored in their respective password files.
To create the Kubernetes secret for HTTPS, the following files are required:
- ECDSA private key and CA-signed certificate of CNCC (if initialAlgorithm is ES256)
- RSA private key and CA-signed certificate of CNCC (if initialAlgorithm is RSA256)
- TrustStore password file
- KeyStore password file
- CA certificate
The file names used in the secret must match the fileName values configured under ingress-gateway.service.ssl in the values file, because the ingress gateway looks the files up in the secret by those names.
This section explains how to create the secrets for enabling HTTPS after the required certificates and password files are generated:
- Create a secret by executing the following command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC IAM Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-iam-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n cncc
- On successfully executing the above command, the following message is displayed:
secret/cncc-iam-ingress-secret created
- Execute the following command to verify the secret creation:
$ kubectl describe secret cncc-iam-ingress-secret -n cncc
This section explains how to update the secrets for enabling HTTPS, if they already exist:
- Replace the secret by executing the following command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> --dry-run -o yaml -n <Namespace of CNCC IAM Ingress Gateway secret> | kubectl replace -f - -n <Namespace of CNCC IAM Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-iam-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run -o yaml -n cncc | kubectl replace -f - -n cncc
- On successfully executing the above command, the following message is displayed:
secret/cncc-iam-ingress-secret replaced
Note:
Recent kubectl versions expect --dry-run=client; use that form if kubectl warns about or rejects a bare --dry-run.
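The three secrets above (MySQL credentials, IAM admin password, and the HTTPS material) are all plain Opaque Secrets whose values are base64 of the raw bytes handed to kubectl. The following script is an added example, not Oracle's tooling: it builds the same manifests without kubectl so they can be reviewed and applied with `kubectl apply -f`, and it runs the preflight checks a reviewer wants before the ingress gateway consumes the HTTPS secret: that every file the chosen initialAlgorithm needs is present under the fileName the values file expects, and that a password file does not end in a newline (kubectl's --from-file stores the file byte for byte; whether the gateway trims a trailing newline is not stated on this page, so the script assumes it should be removed before the secret is created). The sample file contents are constructed placeholders, not real key material.

```python
"""Build CNCC IAM Kubernetes Secret manifests and preflight the HTTPS secret.

Added example, not Oracle's code. Reproduces what
`kubectl create secret generic --from-literal/--from-file` produces: an Opaque
Secret whose `data` values are base64(raw bytes). The HTTPS checks use the file
names the sample values file reads under ingress-gateway.service.ssl.
"""
import base64
import json
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# File names the sample values file expects inside the ingress secret.
RSA_FILES = ("rsa_private_key_pkcs1.pem", "ssl_rsa_certificate.crt")
ECDSA_FILES = ("ssl_ecdsa_private_key.pem", "ssl_ecdsa_certificate.crt")
COMMON_FILES = ("caroot.cer", "ssl_keystore.txt", "ssl_truststore.txt")
PASSWORD_FILES = ("ssl_keystore.txt", "ssl_truststore.txt")


def required_https_files(initial_algorithm: str) -> List[str]:
    """Files the HTTPS secret must carry for the page's two initialAlgorithm values."""
    if initial_algorithm == "ES256":
        return list(ECDSA_FILES + COMMON_FILES)
    if initial_algorithm == "RSA256":
        return list(RSA_FILES + COMMON_FILES)
    raise ValueError(f"unknown initialAlgorithm {initial_algorithm!r}")


def build_secret(name: str, namespace: str,
                 literals: Optional[Dict[str, str]] = None,
                 files: Optional[Dict[str, bytes]] = None) -> dict:
    """Opaque Secret manifest; each key maps to base64 of the value, as kubectl does."""
    data = {}
    for key, value in (literals or {}).items():       # --from-literal=key=value
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    for key, content in (files or {}).items():        # --from-file=<file name>
        data[key] = base64.b64encode(content).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def check_https_secret(files: Dict[str, bytes], initial_algorithm: str) -> List[str]:
    """Preflight findings for the ingress-gateway HTTPS secret; an empty list means OK."""
    findings = []
    for needed in required_https_files(initial_algorithm):
        if needed not in files:
            findings.append(f"missing {needed} (required for initialAlgorithm={initial_algorithm})")
    for pw_file in PASSWORD_FILES:
        content = files.get(pw_file)
        # Assumption: the gateway reads the file verbatim, so a trailing newline
        # becomes part of the keystore/truststore password.
        if content is not None and content.endswith((b"\n", b"\r")):
            findings.append(f"{pw_file} ends with a newline; the stored password will include it")
    return findings


def load_files(directory: str, names: Iterable[str]) -> Dict[str, bytes]:
    """Read the named files from a directory into the mapping build_secret expects."""
    return {n: Path(directory, n).read_bytes() for n in names}


if __name__ == "__main__":
    # Constructed sample input; placeholders, not real key material.
    sample = {
        "rsa_private_key_pkcs1.pem": b"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
        "ssl_rsa_certificate.crt": b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
        "caroot.cer": b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
        "ssl_keystore.txt": b"keystore-password\n",   # trailing newline on purpose
        "ssl_truststore.txt": b"truststore-password",
    }
    for finding in check_https_secret(sample, "RSA256"):
        print("WARN:", finding)
    print(json.dumps(build_secret("cncc-iam-ingress-secret", "cncc", files=sample), indent=2))
    print(json.dumps(build_secret("cncc-db-secret", "cncc",
                                  literals={"dbUserNameKey": "cnccusr",
                                            "dbPasswordKey": "cnccpasswd"}), indent=2))
```

For a real run, replace `sample` with `load_files("<directory>", required_https_files("RSA256"))` and pipe the JSON into `kubectl apply -f -`. Because `data` is only base64, anyone with `get` on secrets in the namespace can read the keystore password and the private key; the Role shown later in this chapter grants exactly that to the custom service account, so scope it accordingly.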
CNCC IAM Configuration for Service Account
This section describes the CNCC IAM configuration for a service account. CNCC IAM provides the option to configure a custom service account.
Sample CNCC IAM service account yaml file
## Service account yaml file for cncc-iam
apiVersion: v1
kind: ServiceAccount
metadata:
name: cncc-iam-sa
namespace: cncc
annotations: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cncc-iam-role
namespace: cncc
rules:
- apiGroups:
- "" # "" indicates the core API group
resources:
- services
- configmaps
- pods
- secrets
- endpoints
- persistentvolumeclaims
verbs:
- get
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cncc-iam-rolebinding
namespace: cncc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cncc-iam-role
subjects:
- kind: ServiceAccount
name: cncc-iam-sa
namespace: cncc
Note:
The Role above grants get, list and watch on every secret in the namespace, which includes the MySQL credentials and the ingress TLS secret. Keep it namespaced as shown rather than widening it to a ClusterRole.
Configure the service account for ingress-gateway and keycloak in cncc-iam_values.yaml as follows:
- For ingress-gateway, provide the custom service account under global.serviceAccountName:
global:
  # ******** Sub-Section Start: Ingress Gateway Global Parameters ********
  # ***********************************************************************
  serviceAccountName: cncc-iam-sa
- For keycloak, provide the custom service account under kc.keycloak.serviceAccount.name:
kc:
  keycloak:
    serviceAccount:
      # Specifies whether a service account should be created
      create: false
      # The name of the service account to use.
      # If not set and create is true, a name is generated using the fullname template
      name: cncc-iam-sa
CNCC IAM Configuration for Aspen Service Mesh (ASM)
This section describes the CNCC IAM configuration for Aspen Service Mesh (ASM).
- Annotation:
- Add the traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\"" annotation under the global.customExtension.lbDeployments.annotations section in cncc-iam_values.yaml to disable mTLS on the cncc-iam ingress container port (8081 is ingress-gateway.ports.containerPort in the sample values file; keep the two in sync).
global:
  # ******** Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
  customExtension:
    lbDeployments:
      labels: {}
      annotations:
        traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\""
  # ******** Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************
- Add sidecar.istio.io/rewriteAppHTTPProbers: "\"true\"" under the global.customExtension.allResources.annotations section in cncc-iam_values.yaml for the readiness and liveness probes to work.
global:
  # ******** Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
  customExtension:
    allResources:
      labels: {}
      annotations:
        sidecar.istio.io/rewriteAppHTTPProbers: "\"true\""
  # ******** Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************
Note:
This is only required when the deployed ASM is configured with rewriteAppHTTPProbe set to false:
sidecarInjectorWebhook:
  rewriteAppHTTPProbe: false # To enable istio to rewrite probes when mTLS is enabled
- External MySQL DB:
Note:
Skip this step if CNCC IAM is deployed in the same namespace as other 5G NFs and those NFs are already configured with a MySQL service; in that case the same service can be used for CNCC IAM.
Refer to the CNCC IAM configuration for MySQL section to configure and populate the database with the required configuration.
- Create a Service and Endpoints for the external MySQL instance.
Example: service and endpoint
apiVersion: v1
kind: Endpoints
metadata:
  name: mysql-connectivity-service-headless
  namespace: cncc
subsets:
- addresses:
  - ip: 10.75.203.49 # IP of cluster where MySQL is running
  ports:
  - port: 3306
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: mysql-connectivity-service-headless
  namespace: cncc
spec:
  clusterIP: None
  ports:
  - port: 3306
    protocol: TCP
    targetPort: 3306
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: mysql-connectivity-service
  namespace: cncc
spec:
  externalName: mysql-connectivity-service-headless.cncc.svc.cluster.local
  sessionAffinity: None
  type: ExternalName
- Create a ServiceEntry and DestinationRule for the MySQL service.
Example: service-entry and destination-rule
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mysql-external-se
  namespace: cncc
spec:
  hosts:
  - mysql-connectivity-service-headless.cncc.svc.cluster.local
  ports:
  - number: 3306
    name: mysql
    protocol: MySQL
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mysql-external-dr
  namespace: cncc
spec:
  host: mysql-connectivity-service-headless.cncc.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
Note:
With tls.mode DISABLE the sidecar sends the MySQL traffic to the external instance without mesh mTLS; the connection is then only as protected as the MySQL server and the network path between the cluster and it.
- In cncc-iam_values.yaml, under the keycloak section, provide the MySQL service FQDN as follows:
dbName: cnccdb
dbHost: mysql-connectivity-service
dbPort: 3306
CNCC IAM Configuration for Operations Services Overlay (OSO)
This section describes the CNCC IAM configuration for Operations Services Overlay (OSO).
Add the annotation oracle.com/cnc: "\"true\"" under the global.customExtension.lbDeployments.annotations section in cncc-iam_values.yaml to indicate to OSO that it should scrape metrics from the ingress pod.
global:
# ******** Sub-Section Start: Common Global Parameters *************
# *******************************************************************
customExtension:
lbDeployments:
labels: {}
annotations:
oracle.com/cnc: "\"true\""
# ******** Sub-Section End: Common Global Parameters *******************
# ***********************************************************************
Installation Sequence for CNC Console IAM
- Installation preparation.
- Configure the custom-cncc-iam_values_<version>.yaml file. This includes configuring the following based on the deployment:
- Repository path
- cncc-iam details
- cncc-iam deployment:
- With helm repository
- With helm tar
- Verify the cncc-iam deployment.
Deployment of CNC Console IAM
- Search helm chart: Execute the following command to check the version of the helm chart available for installation (with helm 3 the form is helm search repo <chart_name>).
helm search <chart_name>
Example:
$ helm search cncc-iam
NAME                       CHART VERSION   APP VERSION   DESCRIPTION
ocspf-helm-repo/cncc-iam   3.0.0           8.0.1         Open Source Identity and Access Management For Modern App
- Prepare the custom-cncc-iam_values_<version>.yaml file: Prepare a custom-cncc-iam_values_<version>.yaml file with the required parameter information.
- Deploy cncc-iam:
Installation using helm repository
For helm 2 based:
helm install --name <release_name> <helm-repo>/<chart> -f custom-cncc-iam_values_<version>.yaml --namespace <namespace_name> --version <helm_version>
For helm 3 based:
helm install <release_name> <helm-repo>/<chart> -f custom-cncc-iam_values_<version>.yaml --namespace <namespace_name> --version <helm_version>
Where:
helm-repo: repository name where the helm images and charts are stored
values: helm configuration file, which needs to be updated based on the docker registry
release_name and namespace_name: depend on the customer configuration
Example:
For helm 2 based:
helm install --name cncc-iam ocspf-helm-repo/cncc-iam -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam --version 1.2.1
For helm 3 based:
helm install cncc-iam ocspf-helm-repo/cncc-iam -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam --version 1.2.1
Note: Update the dbVendor, dbHost, dbName and dbPort fields in custom-cncc-iam_values_<version>.yaml before installing.
Example:
dbVendor: mysql
dbName: cnccdb
dbHost: mysql-sds.default.svc.cluster.local
dbPort: 3306
Installation using helm tar
Execute the following command:
For helm 2 based:
helm install --name cncc-iam -f custom-cncc-iam_values_<version>.yaml --namespace <namespace> <chartpath>./<chart>.tgz
For helm 3 based:
helm install cncc-iam -f custom-cncc-iam_values_<version>.yaml --namespace <namespace> <chartpath>./<chart>.tgz
Example:
For helm 2 based:
helm install --name cncc-iam -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam ./cncc-iam.tgz
For helm 3 based:
helm install cncc-iam -f custom-cncc-iam_values_1.2.1.yaml --namespace cncc-iam ./cncc-iam.tgz
- Check repository status: Execute the following command to check the deployment status (with helm 3, add -n <namespace_name>).
helm status <release_name>
- Check service status: Check whether all the services are deployed and running:
kubectl -n <namespace_name> get services
Example:
$ kubectl -n cncc get services
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)          AGE
cncc-iam-kc-headless       ClusterIP      None           <none>         8285/TCP         9m13s
cncc-iam-kc-http           ClusterIP      10.233.25.75   <none>         8285/TCP         9m13s
cncc-iam-ingress-gateway   LoadBalancer   10.233.7.236   10.75.182.72   8080:30346/TCP   9m13s
- Check pod status: Check whether all the pods are up and running by executing the following command:
kubectl -n <namespace_name> get pods
Example:
$ kubectl -n cncc get pods
NAME                                        READY   STATUS    RESTARTS   AGE
cncc-iam-kc-0                               1/1     Running   0          44h
cncc-iam-ingress-gateway-6748d55f98-szdqm   1/1     Running   0          12h
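The two status checks above are usually scripted in a post-install gate. The following script is an added example, not Oracle's tooling: it parses the plain `kubectl get pods` and `kubectl get services` output, flags any pod that is not Running with all containers ready (or that has already restarted), reports expected services that are missing, and lists which services carry an EXTERNAL-IP. The last check is the security-relevant one: only the ingress gateway should be reachable from outside the cluster, since it fronts the Keycloak service on 8285; a Keycloak service with an external address would bypass the gateway (that expectation is an assumption drawn from the sample output on this page, not a statement the page makes). The sample output is constructed from the examples above.

```python
"""Post-install checks over `kubectl get pods` / `kubectl get services` output.

Added example, not Oracle's code. Feed it the text of
`kubectl -n <namespace> get pods` and `kubectl -n <namespace> get services`.
"""
from typing import Dict, List, Sequence

# Services the page lists for CNCC IAM.
EXPECTED_SERVICES = ("cncc-iam-kc-headless", "cncc-iam-kc-http", "cncc-iam-ingress-gateway")

# Constructed sample output, copied from the examples on this page.
SAMPLE_PODS = """NAME READY STATUS RESTARTS AGE
cncc-iam-kc-0 1/1 Running 0 44h
cncc-iam-ingress-gateway-6748d55f98-szdqm 1/1 Running 0 12h
"""
SAMPLE_SERVICES = """NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
cncc-iam-kc-headless ClusterIP None <none> 8285/TCP 9m13s
cncc-iam-kc-http ClusterIP 10.233.25.75 <none> 8285/TCP 9m13s
cncc-iam-ingress-gateway LoadBalancer 10.233.7.236 10.75.182.72 8080:30346/TCP 9m13s
"""


def _rows(text: str) -> List[List[str]]:
    """Split kubectl table output into token lists, dropping the header row."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    return [ln.split() for ln in lines[1:]]


def unhealthy_pods(get_pods_output: str) -> Dict[str, str]:
    """Pod name -> reason for every pod that is not Running with all containers ready."""
    bad = {}
    for name, ready, status, restarts, *_ in _rows(get_pods_output):
        up, total = ready.split("/")
        if status != "Running":
            bad[name] = f"status {status}"
        elif up != total:
            bad[name] = f"only {ready} containers ready"
        elif restarts != "0":
            bad[name] = f"{restarts} restarts"   # worth a look at the pod logs
    return bad


def missing_services(get_services_output: str,
                     expected: Sequence[str] = EXPECTED_SERVICES) -> List[str]:
    """Expected service names that do not appear in the output."""
    present = {row[0] for row in _rows(get_services_output)}
    return [svc for svc in expected if svc not in present]


def external_ip_exposure(get_services_output: str) -> Dict[str, str]:
    """Services with an EXTERNAL-IP, i.e. reachable from outside the cluster."""
    exposed = {}
    for name, svc_type, _cluster_ip, external_ip, ports, *_ in _rows(get_services_output):
        if external_ip != "<none>":
            exposed[name] = f"{svc_type} {external_ip} {ports}"
    return exposed


if __name__ == "__main__":
    print("unhealthy pods:", unhealthy_pods(SAMPLE_PODS))
    print("missing services:", missing_services(SAMPLE_SERVICES))
    print("externally exposed:", external_ip_exposure(SAMPLE_SERVICES))
```

In use, read the two outputs from `sys.stdin` or `subprocess.run(["kubectl", "-n", ns, "get", "pods"], capture_output=True, text=True).stdout` and fail the gate if `unhealthy_pods` or `missing_services` is non-empty, or if `external_ip_exposure` lists anything other than the ingress gateway.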
CNC Console IAM Microservices
CNC Console IAM has three microservices, which are responsible for Identity Access Management:
- cncc-iam-kc-headless
- cncc-iam-kc-http
- cncc-iam-ingress-gateway
Table 3-1 CNC Console IAM Microservices
NAME | TYPE | CLUSTER-IP | EXTERNAL-IP | PORT(S) | AGE |
---|---|---|---|---|---|
cncc-iam-kc-headless | ClusterIP | None | <none> | 8285/TCP | 9m13s |
cncc-iam-kc-http | NodePort | 10.233.25.75 | <none> | 8285/TCP | 9m13s |
cncc-iam-ingress-gateway | LoadBalancer | 10.233.7.236 | 10.75.182.72 | 8080:30346/TCP | 9m13s |
CNC Console IAM Sample Custom Values
custom-cncc-iam_values_1.2.1.yaml
with helm chart version 1.2.1
#########################################################
# Section Start: global attributes #
#########################################################
global:
  # ******** Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
  dockerRegistry: ocspf-registry.us.oracle.com:5000/ocscp
  customExtension:
    allResources:
      labels: {}
      annotations: {}
      # sidecar.istio.io/rewriteAppHTTPProbers: "\"true\""
    lbServices:
      labels: {}
      annotations: {}
    lbDeployments:
      labels: {}
      annotations: {}
      # traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\""
      # oracle.com/cnc: "\"true\""
    nonlbServices:
      labels: {}
      annotations: {}
    nonlbDeployments:
      labels: {}
      annotations: {}
  # ******** Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************
  # ******** Sub-Section Start: Ingress Gateway Global Parameters ********
  # ***********************************************************************
  # publicHttpSignalingPort is the plain HTTP (unsecured) port of the ingress gateway service, served when enableIncomingHttp is true
  # publicHttpsSignallingPort is the HTTPS (TLS) port of the ingress gateway service, served when enableIncomingHttps is true
  publicHttpSignalingPort: 8080
  publicHttpsSignallingPort: 8443
  serviceAccountName: ""
  # Specify type of service - Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName
  type: LoadBalancer
  # Enable or disable IP Address allocation from Metallb Pool
  metalLbIpAllocationEnabled: true
  # Address Pool Annotation for Metallb
  metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: oam"
  # If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress
  # Else random IP will be assigned by the metalLB from its IP Pool
  staticIpAddressEnabled: false
  staticIpAddress: 10.75.212.60
  # If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort
  # Else random node port will be assigned by K8
  staticNodePortEnabled: true
  staticHttpNodePort: 30085
  staticHttpsNodePort: 30053
  nodeSelector:
    nodeKey: ""
    nodeValue: ""
  k8sResource:
    container:
      prefix: ""
      suffix: ""
  # ******** Sub-Section End: Ingress Gateway Global Parameters ********
  # *********************************************************************
#########################################################
# Section End : global attributes #
#########################################################
#########################################################
# Section Start : IAM attributes #
#########################################################
kc:
  keycloak:
    image:
      name: cncc/cncc-iam
      tag: 1.2.1
      pullPolicy: Always
    ## Username for the initial CNCConsole-IAM admin user
    username: admin
    # Specifies an existing secret to be used for the admin password
    existingSecret: cncc-iam-secret
    # The key in the existing secret that stores the password
    existingSecretKey: iamAdminPasswordKey
    serviceAccount:
      # Specifies whether a service account should be created
      create: false
      # The name of the service account to use.
      # If not set and create is true, a name is generated using the fullname template
      name:
    ## Persistence configuration
    persistence:
      # The database vendor. Can be either "mysql", "mariadb", or "h2"
      dbVendor: mysql
      ## The database name, host and port
      ## If dbVendor is "mysql", then the database should be created in mysql prior to installing cncc-iam
      dbName: cnccdb
      dbHost: ""
      dbPort: ""
      ## Database Credentials are loaded from a Secret residing in the same Namespace as keycloak.
      ## The Chart can read credentials from an existing Secret OR it can provision its own Secret.
      ## Specify existing Secret
      # If set, specifies the Name of an existing Secret to read db credentials from.
      existingSecret: cncc-db-secret
      existingSecretPasswordKey: dbPasswordKey # read keycloak db password from existingSecret under this Key
      existingSecretUsernameKey: dbUserNameKey # read keycloak db user from existingSecret under this Key
    service:
      # Labels and Annotations that are specific to service IAM are added here.
      customExtension:
        labels: {}
        annotations: {}
      httpPort: 8285
    resources:
      limits:
        cpu: 2
        memory: 2Gi
      requests:
        cpu: 1
        memory: 1Gi
#########################################################
## Section End : IAM attributes #
##########################################################
##########################################################
## Section Start : Ingress Gateway attributes #
##########################################################
ingress-gateway:
  image:
    # image name
    name: cncc/cncc-apigateway-api-tag
    # tag name of image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  initContainersImage:
    # init Containers image name
    name: cncc/apigw-configurationinit-init-tag
    # tag name of init Container image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  updateContainersImage:
    # update Containers image name
    name: cncc/apigw-configurationupdate-update-tag
    # tag name of update Container image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  service:
    ssl:
      tlsVersion: TLSv1.2
      privateKey:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: rsa_private_key_pkcs1.pem
        ecdsa:
          fileName: ssl_ecdsa_private_key.pem
      certificate:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: ssl_rsa_certificate.crt
        ecdsa:
          fileName: ssl_ecdsa_certificate.crt
      caBundle:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: caroot.cer
      keyStorePassword:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_keystore.txt
      trustStorePassword:
        k8SecretName: cncc-iam-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_truststore.txt
      initialAlgorithm: RSA256
    # Labels and Annotations that are specific to service ingressgateway are added here.
    customExtension:
      labels: {}
      annotations: {}
  # Labels and Annotations that are specific to deployment ingressgateway are added here.
  deployment:
    customExtension:
      labels: {}
      annotations: {}
  ports:
    # ContainerPort represents a network port in a single container
    containerPort: 8081
    containersslPort: 8443
    actuatorPort: 9090
  # Set the root log level
  log:
    level:
      root: WARN
      ingress: INFO
      cncc:
        security: INFO
  readinessProbe:
    # tells the kubelet that it should wait this many seconds before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a readiness probe every xx seconds
    periodSeconds: 10
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
  livenessProbe:
    # tells the kubelet that it should wait this many seconds before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a liveness probe every xx seconds
    periodSeconds: 15
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
  # Resource details
  resources:
    limits:
      cpu: 2
      initServiceCpu: 1
      updateServiceCpu: 1
      memory: 2Gi
      updateServiceMemory: 1Gi
      initServiceMemory: 1Gi
    requests:
      cpu: 1
      initServiceCpu: 0.5
      updateServiceCpu: 0.5
      memory: 1Gi
      updateServiceMemory: 0.5Gi
      initServiceMemory: 0.5Gi
    target:
      averageCpuUtil: 80
  # Number of Pods must always be available, even during a disruption.
  minAvailable: 1
  # Min replicas to scale to maintain an average CPU utilization
  minReplicas: 1
  # Max replicas to scale to maintain an average CPU utilization
  maxReplicas: 5
  allowedCipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  cipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # To Initialize SSL related infrastructure in init/update container
  initssl: false
  # Server Configuration for http and https support
  enableIncomingHttp: true
  enableIncomingHttps: false
  ingressGwCertReloadEnabled: false
  ingressGwCertReloadPath: /ingress-gw/certificate/reload
  routesConfig:
    # Examples for routes cncc-iam.
    # Note: Enable addRequestHeader whenever https is enabled
    #- id: cncc-iam_route
    #  uri: http://cncc-iam-kc-http.cncc.svc.cluster.local:8285
    #  path: /
    #  filters:
    #    prefixPath: /cncc/auth/admin
    #    #addRequestHeader: # Enable this filter only in case of https
    #    #- name: X-Forwarded-Proto
    #    #  value: https
    #- id: cncc-iam_route
    #  uri: http://cncc-iam-kc-http.cncc.svc.cluster.local:8285
    #  path: /cncc/auth/**
    #  #filters:
    #  #  addRequestHeader:
    #  #  - name: X-Forwarded-Proto
    #  #    value: https
  - id: cncc-iam_login_route
    uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
    path: /
    filters:
      prefixPath: /cncc/auth/admin
      # addRequestHeader: # Enable this filter only in case of https
      # - name: X-Forwarded-Proto
      #   value: https
  - id: cncc-iam_route
    uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
    path: /cncc/auth/**
    #filters:
    #  addRequestHeader: # Enable this filter only in case of https
    #  - name: X-Forwarded-Proto
    #    value: https
  # CNCC configuration
  cncc:
    # Enable security logs
    securityLogEnabled: true
#########################################################
## Section End : Ingress Gateway attributes #
##########################################################
Note:
When CNCC IAM is enabled with HTTPS, all the routes must be appended with the addRequestHeader filter. The gateway terminates TLS and forwards plain HTTP to Keycloak on port 8285, so the X-Forwarded-Proto header is what tells Keycloak that the client connection was HTTPS. The updated routesConfig under the ingress-gateway section in values.yaml is then as follows:
routesConfig:
- id: cncc-iam_login_route
  uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
  path: /
  filters:
    prefixPath: /cncc/auth/admin
    addRequestHeader: # Enable this filter only in case of https
    - name: X-Forwarded-Proto
      value: https
- id: cncc-iam_route
  uri: http://<helmrelease>-kc-http.<namespace>.<domain>:8285
  path: /cncc/auth/**
  filters:
    addRequestHeader: # Enable this filter only in case of https
    - name: X-Forwarded-Proto
      value: https
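Several of the notes in this chapter are consistency rules between different parts of the values file: HTTPS enabled requires the X-Forwarded-Proto filter on every route, the Istio excludeInboundPorts annotation must name the ingress container port, dbHost/dbPort must be filled in before install, and initialAlgorithm must be one of ES256 or RSA256. The following preflight checker is an added example, not Oracle's tooling. It works on the values already loaded into a dict (for a real file, `yaml.safe_load(open(path))` with PyYAML) and returns a list of findings; the sample values are a constructed subset of the file above, shown once in the weak form (HTTPS on, no forwarded-proto filter, empty dbHost) and once corrected. Treating cipherSuites as a required subset of allowedCipherSuites, and flagging a tlsVersion below TLSv1.2, are the author's assumptions, not rules stated on this page.

```python
"""Preflight checks for custom-cncc-iam_values_<version>.yaml.

Added example, not Oracle's code. Takes the parsed values dict and reports the
cross-field inconsistencies the installation notes warn about.
"""
from typing import Any, Dict, List

EXCLUDE_PORTS_ANNOTATION = "traffic.sidecar.istio.io/excludeInboundPorts"


def _get(d: Dict[str, Any], path: str, default=None):
    """Dotted-path lookup into nested dicts; returns default on any miss."""
    cur = d
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _has_forwarded_proto_https(route: Dict[str, Any]) -> bool:
    """True when the route carries the addRequestHeader X-Forwarded-Proto: https filter."""
    headers = _get(route, "filters.addRequestHeader", []) or []
    return any(h.get("name") == "X-Forwarded-Proto" and h.get("value") == "https" for h in headers)


def check_values(values: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the values pass these checks."""
    findings = []
    gw = values.get("ingress-gateway", {})

    # Page note: with HTTPS enabled, every route needs the addRequestHeader filter.
    if gw.get("enableIncomingHttps"):
        for route in gw.get("routesConfig", []):
            if not _has_forwarded_proto_https(route):
                findings.append(f"route {route.get('id')} lacks X-Forwarded-Proto: https "
                                "while enableIncomingHttps is true")
        if gw.get("enableIncomingHttp"):
            findings.append("enableIncomingHttp is also true: plain HTTP stays reachable "
                            "next to HTTPS (informational)")

    # ASM: the excluded inbound port must be the ingress container port (8081 in the sample).
    annotations = _get(values, "global.customExtension.lbDeployments.annotations", {}) or {}
    raw = annotations.get(EXCLUDE_PORTS_ANNOTATION)
    container_port = _get(gw, "ports.containerPort")
    if raw is not None:
        # The sample writes the value as "\"8081\""; strip the literal quotes before comparing.
        ports = {p.strip().strip('"') for p in str(raw).split(",")}
        if str(container_port) not in ports:
            findings.append(f"{EXCLUDE_PORTS_ANNOTATION}={raw!r} does not include "
                            f"containerPort {container_port}")

    alg = _get(gw, "service.ssl.initialAlgorithm")
    if alg not in ("ES256", "RSA256"):
        findings.append(f"initialAlgorithm {alg!r} is not ES256 or RSA256")

    tls = str(_get(gw, "service.ssl.tlsVersion", ""))
    if tls and tls not in ("TLSv1.2", "TLSv1.3"):          # assumption: 1.2 is the floor
        findings.append(f"tlsVersion {tls} is below TLS 1.2")

    allowed = set(gw.get("allowedCipherSuites", []))
    for suite in gw.get("cipherSuites", []):                # assumption: subset rule
        if allowed and suite not in allowed:
            findings.append(f"cipher suite {suite} not in allowedCipherSuites")

    # Deployment note: dbVendor/dbHost/dbName/dbPort must be filled in before install.
    for key in ("dbHost", "dbPort", "dbName"):
        if not _get(values, f"kc.keycloak.persistence.{key}"):
            findings.append(f"kc.keycloak.persistence.{key} is empty")
    return findings


def sample_values(https_enabled: bool, add_forwarded_proto: bool, db_host: str) -> Dict[str, Any]:
    """Constructed subset of the sample values file; not a complete chart input."""
    def route(rid: str, path: str) -> Dict[str, Any]:
        r = {"id": rid, "uri": "http://cncc-iam-kc-http.cncc.svc.cluster.local:8285",
             "path": path, "filters": {}}
        if add_forwarded_proto:
            r["filters"]["addRequestHeader"] = [{"name": "X-Forwarded-Proto", "value": "https"}]
        return r
    return {
        "global": {"customExtension": {"lbDeployments": {
            "annotations": {EXCLUDE_PORTS_ANNOTATION: '"8081"'}}}},
        "kc": {"keycloak": {"persistence": {"dbVendor": "mysql", "dbName": "cnccdb",
                                            "dbHost": db_host, "dbPort": 3306}}},
        "ingress-gateway": {
            "enableIncomingHttp": not https_enabled,
            "enableIncomingHttps": https_enabled,
            "ports": {"containerPort": 8081},
            "service": {"ssl": {"tlsVersion": "TLSv1.2", "initialAlgorithm": "RSA256"}},
            "allowedCipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
            "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
            "routesConfig": [route("cncc-iam_login_route", "/"),
                             route("cncc-iam_route", "/cncc/auth/**")],
        },
    }


if __name__ == "__main__":
    print("weak:     ", check_values(sample_values(True, False, "")))
    print("corrected:", check_values(sample_values(True, True, "mysql-connectivity-service")))
```

Run it against the real file with `check_values(yaml.safe_load(open("custom-cncc-iam_values_1.2.1.yaml")))` and treat a non-empty result as a reason not to run `helm install`.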
CNC Console IAM Configuration Options During Deployment
Attribute Name | DataType | Range | Mandatory(M)/ Optional(O)/Conditional(C) | Description |
---|---|---|---|---|
kc.keycloak.image.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image name to be used for the cncc-iam microservice. |
kc.keycloak.image.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image tag to be used for the cncc-iam microservice. |
kc.keycloak.image.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy | O | Pull policy decides from where to pull the image. |
kc.keycloak.username | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | Name of the cncc-iam admin user as given by the user. Ex: admin |
kc.keycloak.existingSecret | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | M | Specifies an existing secret name to be used for the admin password. Ex: cncc-iam-secret |
kc.keycloak.serviceAccount.create | <Boolean> | It can take either true or false. By default, it is false. | O | Flag for creating a service account. |
kc.keycloak.serviceAccount.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | O | The name of the service account. Applicable only if keycloak.serviceAccount.create is set to 'true'. If keycloak.serviceAccount.name is kept empty, a default service account with name 'cncc-iam' is created by CNCC; otherwise the user has to create the service account and provide its name here. |
kc.keycloak.existingSecretKey | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | M | Applicable only if keycloak.existingSecret is provided. It is the key in the existing secret that stores the password. Ex: iamAdminPasswordKey |
kc.keycloak.persistence.dbVendor | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | The database vendor name. Ex: mysql |
kc.keycloak.persistence.dbName | <String> | Valid String | M | Name of the database used for cncc-iam. The user should create the DB with the same name as provided here before deploying CNCC-IAM. Ex: cnccdb |
kc.keycloak.persistence.dbHost | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | Hostname of the persistence DB. Ex: mysql-sds.default.svc.cluster.local |
kc.keycloak.persistence.dbPort | <Integer> | It can range from 0-65535 | M | DB port for cncc-iam. Ex: 3306 |
kc.keycloak.persistence.existingSecret | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | M | Specifies an existing secret to be used for the MySQL username and password. Ex: cncc-db-secret |
kc.keycloak.persistence.existingSecretPasswordKey | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | M | Key in the existing secret that stores the password. Ex: dbPasswordKey |
kc.keycloak.persistence.existingSecretUsernameKey | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | M | Key in the existing secret that stores the username. Ex: dbUserNameKey |
kc.keycloak.service.httpPort | <Integer> | It can range from 0-65535 | O | Port number which makes the cncc-iam service visible to other services running within the same K8s cluster. Ex: 8285 |
kc.keycloak.service.customExtension.labels | <String> | | O | Used to add custom label(s) that are specific to the service and will be created by the cncc-iam helm chart. |
kc.keycloak.service.customExtension.annotations | <String> | | O | Used to add custom annotation(s) that are specific to the service and will be created by the cncc-iam helm chart. |
global.dockerRegistry | <String> | It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. | M | The docker registry where the cncc-iam images are present. |
global.publicHttpSignalingPort | <Integer> | It can range from 0-65535 | M | Plain HTTP (unsecured) port exposed by the ingress gateway service; served when enableIncomingHttp is true. Ex: 8080 |
global.publicHttpsSignallingPort | <Integer> | It can range from 0-65535 | | HTTPS (TLS) port exposed by the ingress gateway service; served when enableIncomingHttps is true. Ex: 8443 |
global.serviceAccountName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | O | Service account name for the ingress gateway. |
global.type | <String> | It can take ClusterIP, NodePort, LoadBalancer and ExternalName. | M | It specifies type of service - Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName |
metalLbIpAllocationEnabled | <Boolean> |
It can take either True or False value. By default, it is false. |
M | Enable or disable IP Address allocation from Metallb Pool |
global.metalLbIpAllocationAnnotation | <String> | metallb.universe.tf/address-pool: oam | M | Address Pool Annotation for Metallb |
global.staticIpAddressEnabled | <Boolean> |
It can take either True or False value. By default, it is false. |
O |
If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress Else random IP will be assigned by the metalLB from its IP Pool |
global.staticIpAddress | <String> | O | It is Static Ip and applicable only when ingress-gateway.global.staticNodePortEnabled is true. | |
global.staticNodePortEnabled | <Boolean> |
It can take either True or False value. By default, it is false. |
O | Node Port Enabled |
global.staticHttpNodePort | <String> | O | It is Http Node Port and applicable only when ingress-gateway.global.staticNodePortEnabled is true. | |
global.nodeSelector.nodeKey | <String> | O | global node selector key | |
global.nodeSelector.nodeValue | <String> | O | global node value key | |
global.customExtension.allResources.labels | <String> | Custom Labels that needs to be added to both the subcharts of cncc-iam | O | This can be used to add custom label(s) to all k8s resources that will be created by cncc-iam helm chart. |
global.customExtension.allResources.annotations | <String> | Custom Annotations that needs to be added to both the sub-charts of cncc-iam | O | This can be used to add custom annotation(s) to all k8s resources that will be created by cncc-iam helm chart. |
global.customExtension.lbServices.labels | <String> | Custom Labels that needs to be added for both the sub-charts of that are considered as Load Balancer type | O | This can be used to add custom label(s) to all Load Balancer Type Services that will be created by cncc-iam helm chart. |
global.customExtension.lbServices.annotations | <String> | Custom Annotations that needs to be added for both the subcharts of cncc-iam that are considered as Load Balancer type | O | This can be used to add custom annotation(s) to all Load Balancer Type Services that will be created by cncc-iam helm chart. |
global.customExtension.lbDeployments.labels | <String> | Custom Labels that needs to be added for both the subcharts of cncc-iam which is of Load Balancer type | O | This can be used to add custom label(s) to all Deployments that will be created by cncc-iam helm chart which are associated to a Service which if of Load Balancer Type. |
global.customExtension.lbDeployments.annotations | <String> | Custom Annotations that needs to be added to both the subcharts of cncc-iam which is of Load Balancer type | O | This can be used to add custom annotation(s) to all Deployments that will be created by cncc-iam helm chart which are associated to a Service which if of Load Balancer Type. |
global.customExtension.nonlbServices.labels | <String> | Custom Labels that needs to be added to cncc-iam that are considered as not Load Balancer type | O | This can be used to add custom label(s) to all non-Load Balancer Type Services that will be created by cncc-iam helm chart. |
global.customExtension.nonlbServices.annotations | <String> | Custom Annotations that needs to be added for both the subcharts of cncc-iam that are considered as not Load Balancer type | O | This can be used to add custom annotation(s) to all non-Load Balancer Type Services that will be created by cncc-iam helm chart. |
global.customExtension.nonlbDeployments.labels | <String> | Custom Labels that needs to be added for both the subcharts of cncc-iam that are associated to a Service which is not of Load Balancer type | O | This can be used to add custom label(s) to all Deployments that will be created by cncc-iam helm chart which are associated to a Service which if not of Load Balancer Type. |
global.customExtension.nonlbDeployments.annotations | <String> | Custom Annotations that needs to be added for both the subcharts of cncc-iam that are associated to a Service which is not of Load Balancer type | O | This can be used to add custom annotation(s) to all Deployments that will be created bycncc-iam helm chart which are associated to a Service which if not of Load Balancer Type. |
global.k8sResource.container.prefix | <String> | Value that will be prefixed to all the container names of Ingress-gateway. | O | This value will be used to prefix to all the container names of OCNRF. |
global.k8sResource.container.suffix | <String> | Value that will be suffixed to all the container names of OCNRF. | O | This value will be used to suffix to all the container names of OCNRF. |
ingress-gateway.image.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Name to be used for "ingress-gateway" micro service |
ingress-gateway.image.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Tag to be used for "ingress-gateway" micro service |
ingress-gateway.image.pullPolicy | <String> |
It can take a value from the following: IfNotPresent, Always, Never IfNotPresent is the default pullPolicy |
M | Pull Policy decides from where to pull the image. |
ingress-gateway.initContainersImage.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Name to be used for init container |
ingress-gateway.initContainersImage.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image tag to be used for init container |
ingress-gateway.initContainersImage.pullPolicy | <String> |
It can take a value from the following: IfNotPresent, Always, Never IfNotPresent is the default pullPolicy |
M | Pull Policy decides from where to pull the image. |
ingress-gateway.updateContainersImage.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Name to be used for update container |
ingress-gateway.updateContainersImage.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image tag to be used for update container |
ingress-gateway.updateContainersImage.pullPolicy | <String> |
It can take a value from the following: IfNotPresent, Always, Never IfNotPresent is the default pullPolicy |
M | Pull Policy decides from where to pull the image. |
ingress-gateway.service.ssl.tlsVersion | Default Value is TLSv1.2 | M | TLS Version | |
ingress-gateway.service.ssl.privateKey.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Name of the privatekey secret Ex: cncc-iam-ingress-secret |
ingress-gateway.service.ssl.privateKey.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Namespace of privatekey Ex: cncc |
ingress-gateway.service.ssl.privateKey.rsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
rsa private key file name Ex: rsa_private_key_pkcs1.pem |
ingress-gateway.service.ssl.privateKey.ecdsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
ecdsa private key file name Ex: ssl_ecdsa_private_key.pem |
ingress-gateway.service.ssl.certificate.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Name of the certificate secret Ex: cncc-iam-ingress-secret |
ingress-gateway.service.ssl.certificate.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Namespace of certificate Ex: cncc |
ingress-gateway.service.ssl.certificate.rsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
rsa certificate file name Ex: ssl_rsa_certificate.crt |
ingress-gateway.service.ssl.certificate.ecdsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
ecdsa certificate file name Ex: ssl_ecdsa_certificate.crt |
ingress-gateway.service.ssl.caBundle.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Name of the caBundle secret Ex: cncc-iam-ingress-secret |
ingress-gateway.service.ssl.caBundle.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Namespace of caBundle Ex: cncc |
ingress-gateway.service.ssl.caBundle.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
rsa caBundle file name Ex: caroot.cer |
ingress-gateway.service.ssl.initialAlgorithm | <String> | Default values is RSA256 | M | |
ingress-gateway.service.customExtension.labels | <String> | Custom Labels that needs to be added to ingress-gateway specific Service. | O | This can be used to add custom label(s) to ingress-gateway Service. |
ingress-gateway.service.customExtension.annotations | <String> | Custom Annotations that needs to be added to ingress-gateway specific Services. | O | This can be used to add custom annotation(s) to ingress-gateway Service. |
ingress-gateway.deployment.customExtension.labels | <String> | Custom Labels that needs to be added to ingress-gateway specific Deployment. | O | This can be used to add custom label(s) to ingress-gateway Deployment. |
ingress-gateway.deployment.customExtension.annotations | <String> | Custom Annotations that needs to be added to ingress-gateway specific Deployment. | O | This can be used to add custom annotation(s) to ingress-gateway Deployment. |
ingress-gateway.service.ssl.keyStorePassword.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Name of the keyStorePassword secret Ex: cncc-iam-ingress-secret |
ingress-gateway.service.ssl.keyStorePassword.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Namespace of keyStorePassword Ex: cncc |
ingress-gateway.service.ssl.keyStorePassword.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
File name that has password for keyStore Ex: ssl_keystore.txt |
ingress-gateway.service.ssl.trustStorePassword.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Name of the trustStorePassword secret Ex: cncc-iam-ingress-secret |
ingress-gateway.service.ssl.trustStorePassword.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
Namespace of trustStorePassword Ex: cncc |
ingress-gateway.service.ssl.trustStorePassword.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M |
File name that has password for trustStore Ex: ssl_truststore.txt |
ingress-gateway.ports.containerPort | <String> | It can take value in the range: 0-65535. | M | ContainerPort represents a network port in a single container |
ingress-gateway.ports.containersslPort | <String> | Default value is 8443 | M | |
ingress-gateway.ports.actuatorPort | <String> | Default value is 9090 | ||
ingress-gateway.log.level.root | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | M |
It is the level at which user wants to see the logs. E.g. WARN |
ingress-gateway.log.level.ingress | <String> |
It can take values like: WARN, DEBUG, INFO, TRACE etc. Default value is INFO |
M | Log level for ingress logs |
ingress-gateway.log.level.cncc.security | <String> |
It can take values like: WARN, DEBUG, INFO, TRACE etc. Default value is INFO |
M | Log level for cncc security logs |
ingress-gateway.readinessProbe.initialDelaySeconds | <String> |
It can take value in the range: 0-65535. Default value:30 |
M | It tells the kubelet that it should wait second before performing the first probe |
ingress-gateway.readinessProbe.timeoutSeconds | <String> |
It can take value in the range: 0-65535. Default value:3 |
M | It is the number of seconds after which the probe times out |
ingress-gateway.readinessProbe.periodSeconds | <String> |
It can take value in the range: 0-65535. Default value:10 |
M | It specifies that the kubelet should perform a liveness probe every xx seconds |
ingress-gateway.readinessProbe.successThreshold | <String> |
It can take value in the range: 0-65535. Default value:1 |
M | Minimum consecutive successes for the probe to be considered successful after having failed |
ingress-gateway.readinessProbe.failureThreshold | <String> |
It can take value in the range: 0-65535. Default value:3 |
M | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up |
ingress-gateway.livenessProbe.initialDelaySeconds | <String> |
It can take value in the range: 0-65535. Default value:30 |
M | It tells the kubelet that it should wait second before performing the first probe |
ingress-gateway.livenessProbe.timeoutSeconds | <String> |
It can take value in the range: 0-65535. Default value:3 |
M | It is the number of seconds after which the probe times out |
ingress-gateway.livenessProbe.periodSeconds | <String> |
It can take value in the range: 0-65535. Default value:15 |
M | It specifies that the kubelet should perform a liveness probe every xx seconds |
ingress-gateway.livenessProbe.successThreshold | <String> |
It can take value in the range: 0-65535. Default value:1 |
M | Minimum consecutive successes for the probe to be considered successful after having failed |
ingress-gateway.livenessProbe.failureThreshold | <String> |
It can take value in the range: 0-65535. Default value:3 |
M | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up |
ingress-gateway.resources.limits.cpu | <String> | Valid floating point value between 0 and 1 | M | It limits the number of CPUs to be used by the microservice. |
ingress-gateway.resources.limits.initServiceCpu | <String> | Default value is 1 | M | Init Container CPU Limit |
ingress-gateway.resources.limits.updateServiceCpu | <String> | Default value is 1 | M | Update Container CPU Limit |
ingress-gateway.resources.limits.memory | <String> | Valid Integer value followed by Mi/Gi etc. | M | It limits the memory utilization by the "cncc-cmservice" microservice. By default, it is set to '2'. |
ingress-gateway.resources.limits.updateServiceMemory | <String> | Default value is 1Gi | M | Update Container Memory Limit |
ingress-gateway.resources.limits.initServiceMemory | <String> | 1Gi | M | Init Container Memory Limit |
ingress-gateway.resources.requests.cpu | <String> | Valid floating point value between 0 and 1 | M | It limits the number of CPUs to be used by the "cncc-cmservice" microservice. By default, it is set to '2'. |
ingress-gateway.resources.requests.initServiceCpu | <String> | Default value is 1 | M | Init Container CPU Limit |
ingress-gateway.resources.requests.updateServiceCpu | <String> | Default value is 1 | M | Update Container CPU for requests |
ingress-gateway.resources.requests.memory | <String> | Valid Integer value followed by Mi/Gi etc. | M | It limits the memory utilization by the "cncc-cmservice" microservice. By default, it is set to '2'. |
ingress-gateway.resources.requests.updateServiceMemory | <String> | 1Gi | M | Update Container Memory for requests |
ingress-gateway.resources.requests.initServiceMemory | <String> | 1Gi | M | Init Container Memory for requests |
ingress-gateway.resources.target.averageCpuUtil | <String> | A value in between 0-100 | M | It gives the average CPU utilization percentage. |
ingress-gateway.minAvailable | <String> |
It can take value in the range: 0-65535. Default value:1 |
M | It is the number of pods that must always be available, even during a disruption. |
ingress-gateway.minReplicas | <String> |
It can take value in the range: 0-65535. Default value:1 |
M | Min replicas to scale to maintain an average CPU utilization |
ingress-gateway.maxReplicas | <String> |
It can take value in the range: 0-65535. Default value:5 |
M | Max replicas to scale to maintain an average CPU utilization |
ingress-gateway.initssl | <String> |
It can take either True or False value. By default, it is false. |
M | To Initialize SSL related infrastructure in init/update container |
ingress-gateway.enableIncomingHttp | <String> |
It can take either True or False value. By default, it is false. |
M | Server Configuration for http and https support |
ingress-gateway.enableIncomingHttps | <String> |
It can take either True or False value. By default, it is false. |
M | Server Configuration for http and https support |
ingress-gateway.cipherSuites | <List[String]> |
TLS_ECDHE_ ECDSA_WIT H_AES_256_ GCM_SHA38 4 TLS_ECDHE_ RSA_WITH_ AES_256_GC M_SHA384 TLS_ECDHE_ RSA_WITH_ CHACHA20_ POLY1305_S HA256 TLS_DHE_RS A_WITH_AE S_256_GCM_ SHA384 TLS_ECDHE_ ECDSA_WIT H_AES_128_ GCM_SHA25 6 TLS_ECDHE_ RSA_WITH_ AES_128_GC M_SHA256 |
M, if ingressgateway.enableIncomingHttps is true | Allowed CipherSuites for TLS1.2 |
ingress-gateway.ingressGwCertReloadEnabled | <boolean> |
It can take either True or False value. Default value is true |
M | |
ingress-gateway.ingressGwCertReloadPath | <String> | M | ||
ingress-gateway.routesConfig.[].id | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | Routes to be added for cncc-iam ingress-gateway |
ingress-gateway.routesConfig.[].uri | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.routesConfig.[].path | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.routesConfig[].order | <Integer> | Valid Integer value | O | |
ingress-gateway.routesConfig.[].filters.addRequestHeader.[].name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | |
ingress-gateway.routesConfig.[].filters.addRequestHeader.[].value | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It component may not start or end with a separator | M | |
ingress-gateway.cncc.securitylogEnabled | <boolean> |
It can take either True or False value. By default, it is true |
O | This flag is to enable/disable security logs for cncc. |
ingress-gateway.nodeselector.nodeKey | <String> | O | node selector value specific to chart (note this will be looked first and then if not present global node value will be picked) | |
ingress-gateway.nodeselector.nodeValue | <String> | O | node selector key specific to chart (note this will be looked first and then if not present global node key will be picked) |
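Several rows in the table above are rules a values file can be checked against before running helm install: the name syntax for secret names and secret keys, the 0-65535 port ranges, kc.keycloak.existingSecretKey being meaningful only together with kc.keycloak.existingSecret, and the cipher suite allow-list that becomes mandatory once ingress-gateway.enableIncomingHttps is true. The following Python script is an added example and is not part of the CNC Console IAM chart or of Oracle's documentation. It assumes the dotted parameter names map onto nested YAML keys (which is what a YAML parser produces from values.yaml; loading the file is not shown), and the two sample dictionaries, including the secret name cncc-iam-secret and the port 8081, are constructed for illustration.

```python
"""Pre-deployment sanity checks for a CNC Console IAM values file (added example)."""
import re

# Table rule: ASCII letters, digits, underscores, periods and dashes; may not
# start with a period or a dash; at most 128 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")

# Allowed suites for ingress-gateway.cipherSuites. All are AEAD suites with
# forward secrecy, which is why the check rejects anything outside this set.
ALLOWED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Mandatory parameters whose values must satisfy NAME_RE.
SECRET_NAME_PARAMS = (
    "kc.keycloak.persistence.existingSecret",
    "kc.keycloak.persistence.existingSecretPasswordKey",
    "kc.keycloak.persistence.existingSecretUsernameKey",
)

# Mandatory parameters whose values must be integers in 0-65535.
PORT_PARAMS = (
    "kc.keycloak.persistence.dbPort",
    "ingress-gateway.ports.containerPort",
    "ingress-gateway.ports.containersslPort",
)


def lookup(values, dotted):
    """Resolve a dotted parameter name against nested dicts; None if absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate_values(values):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    # The admin password key only makes sense when existingSecret is set.
    if lookup(values, "kc.keycloak.existingSecret") is not None:
        key = lookup(values, "kc.keycloak.existingSecretKey")
        if key is None:
            findings.append("kc.keycloak.existingSecretKey: required because "
                            "kc.keycloak.existingSecret is set")
        elif not isinstance(key, str) or not NAME_RE.match(key):
            findings.append(f"kc.keycloak.existingSecretKey: invalid name {key!r}")

    for param in SECRET_NAME_PARAMS:
        value = lookup(values, param)
        if value is None:
            findings.append(f"{param}: mandatory but missing")
        elif not isinstance(value, str) or not NAME_RE.match(value):
            findings.append(f"{param}: invalid name {value!r}")

    for param in PORT_PARAMS:
        port = lookup(values, param)
        # bool is a subclass of int, so "true" must not pass as a port.
        if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
            findings.append(f"{param}: expected an integer in 0-65535, got {port!r}")

    # Cipher suites are mandatory only when HTTPS is switched on.
    if lookup(values, "ingress-gateway.enableIncomingHttps") is True:
        suites = lookup(values, "ingress-gateway.cipherSuites") or []
        if not suites:
            findings.append("ingress-gateway.cipherSuites: mandatory when "
                            "enableIncomingHttps is true")
        for suite in suites:
            if suite not in ALLOWED_CIPHERS:
                findings.append(f"ingress-gateway.cipherSuites: {suite} is not "
                                "in the allowed TLS 1.2 list")
        tls = lookup(values, "ingress-gateway.service.ssl.tlsVersion")
        if tls != "TLSv1.2":
            findings.append("ingress-gateway.service.ssl.tlsVersion: expected "
                            f"TLSv1.2, got {tls!r}")
    return findings


# Constructed sample using the example values from the table; expected clean.
SAMPLE_VALUES = {
    "kc": {"keycloak": {
        "existingSecret": "cncc-iam-secret",  # constructed secret name
        "existingSecretKey": "iamAdminPasswordKey",
        "persistence": {
            "dbVendor": "mysql", "dbName": "cnccdb", "dbPort": 3306,
            "dbHost": "mysql-sds.default.svc.cluster.local",
            "existingSecret": "cncc-db-secret",
            "existingSecretPasswordKey": "dbPasswordKey",
            "existingSecretUsernameKey": "dbUserNameKey"}}},
    "ingress-gateway": {
        "enableIncomingHttp": False, "enableIncomingHttps": True,
        "ports": {"containerPort": 8081, "containersslPort": 8443},
        "service": {"ssl": {"tlsVersion": "TLSv1.2"}},
        "cipherSuites": sorted(ALLOWED_CIPHERS)},
}

# Constructed sample with five deliberate defects, one per check above.
WEAK_VALUES = {
    "kc": {"keycloak": {
        "existingSecret": "cncc-iam-secret",  # set, but existingSecretKey is missing
        "persistence": {
            "dbPort": 70000,  # outside 0-65535
            "existingSecret": "cncc-db-secret",
            "existingSecretPasswordKey": ".dbPasswordKey",  # leading period
            "existingSecretUsernameKey": "dbUserNameKey"}}},
    "ingress-gateway": {
        "enableIncomingHttps": True,
        "ports": {"containerPort": 8081, "containersslPort": 8443},
        "service": {"ssl": {"tlsVersion": "TLSv1.1"}},  # below TLS 1.2
        "cipherSuites": ["TLS_RSA_WITH_AES_128_CBC_SHA"]},  # no forward secrecy, not allowed
}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_VALUES), ("weak", WEAK_VALUES)):
        print(name, validate_values(cfg) or "OK")
```

Running the file reports the constructed sample as clean and lists all five defects in the weak one. To check a real values file, load it with a YAML library into a dictionary and pass the result to validate_values; any finding is a reason to stop before deployment, because a secret key the chart cannot find or a cipher suite outside the allow-list only shows up once the pods are already running.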
CNC Console IAM Service Access
CNC Console IAM services can be accessed as follows:
<scheme>://<cncc-iam-ingress-external-ip>:<cncc-iam-ingress-service-port>
Example:
http://10.75.182.72:8080/*
CNC Console IAM Uninstall
CNC Console IAM can be uninstalled as follows:
To undeploy CNC Console IAM:
For Helm 2:
$ helm delete <deployment name> --purge
Example:
$ helm delete cncc-iam --purge
For Helm 3:
$ helm uninstall <deployment name> --namespace <deployment namespace>
Example:
$ helm uninstall cncc-iam --namespace cncc