4 CNC Console Core Installation Instructions
Prerequisites for CNC Console Core Installation
- The NFs for which GUI is required must be deployed in the Kubernetes cluster.
- CNC Console IAM must be deployed.
CNCC Core Secret Configuration to Enable HTTPS
This section describes how to create secret configuration for enabling HTTPS. This section must be executed before enabling HTTPS in CNCC Core Ingress gateway.
Note:
The passwords for TrustStore and KeyStore are stored in their respective password files. To create a Kubernetes secret for HTTPS, the following files are required:
- ECDSA private key and CA signed certificate of CNCC (if initialAlgorithm is ES256)
- RSA private key and CA signed certificate of CNCC (if initialAlgorithm is RSA256)
- TrustStore password file
- KeyStore password file
- CA certificate
This section explains how to create the secrets for enabling HTTPS after required certificates and password files are generated:
- Create a secret by executing the following command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> -n <Namespace of CNCC Core Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-core-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt -n cncc
- On successfully executing the above command, the following message will be displayed:
secret/cncc-core-ingress-secret created
- Execute the following command to verify the secret creation:
$ kubectl describe secret cncc-core-ingress-secret -n cncc
This section explains how to update the secrets for enabling HTTPS, if they already exist:
- Update the secret by executing the following command:
$ kubectl create secret generic <secret-name> --from-file=<ssl_ecdsa_private_key.pem> --from-file=<rsa_private_key_pkcs1.pem> --from-file=<ssl_truststore.txt> --from-file=<ssl_keystore.txt> --from-file=<caroot.cer> --from-file=<ssl_rsa_certificate.crt> --from-file=<ssl_ecdsa_certificate.crt> --dry-run -o yaml -n <Namespace of CNCC Core Ingress Gateway secret> | kubectl replace -f - -n <Namespace of CNCC Core Ingress Gateway secret>
Example:
$ kubectl create secret generic cncc-core-ingress-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=ssl_truststore.txt --from-file=ssl_keystore.txt --from-file=caroot.cer --from-file=ssl_rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --dry-run -o yaml -n cncc | kubectl replace -f - -n cncc
- On successfully executing the above command, the following message will be displayed:
secret/cncc-core-ingress-secret replaced
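A pre-flight check that can be run before either of the kubectl create secret commands above. It is an added example, not part of the Oracle procedure: it uses the file names from this page, while the function name check_cncc_secret_files, the owner-only permission rule and the PEM header test are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check for the files that go into the
# cncc-core-ingress-secret. File names are the ones used on this page.

# check_cncc_secret_files DIR ALG
#   DIR - directory holding the certificate, key and password files
#   ALG - initialAlgorithm from the values file: RSA256 or ES256
# Prints one finding per line; the return status is the number of findings.
check_cncc_secret_files() {
    dir=$1
    alg=$2
    problems=0

    # The algorithm decides which key/certificate pair is mandatory.
    case $alg in
        RSA256) key=rsa_private_key_pkcs1.pem; cert=ssl_rsa_certificate.crt ;;
        ES256)  key=ssl_ecdsa_private_key.pem; cert=ssl_ecdsa_certificate.crt ;;
        *) echo "ERROR unknown initialAlgorithm: $alg"; return 1 ;;
    esac

    for f in "$key" "$cert" caroot.cer ssl_truststore.txt ssl_keystore.txt; do
        if [ ! -s "$dir/$f" ]; then
            echo "ERROR missing or empty: $f"
            problems=$((problems + 1))
        fi
    done

    # Private key and password files must not be accessible to group or others.
    for f in "$key" ssl_truststore.txt ssl_keystore.txt; do
        [ -e "$dir/$f" ] || continue
        mode=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "ERROR $f is accessible beyond its owner (chmod 600 $f)"
            problems=$((problems + 1))
        fi
    done

    # The key file is expected to be a PEM private key (assumption of this example).
    if [ -s "$dir/$key" ] &&
       ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dir/$key"; then
        echo "ERROR $key does not look like a PEM private key"
        problems=$((problems + 1))
    fi

    # With openssl installed, confirm the certificate carries this key's public key.
    if [ -s "$dir/$key" ] && [ -s "$dir/$cert" ] &&
       command -v openssl >/dev/null 2>&1; then
        key_pub=$(openssl pkey -in "$dir/$key" -passin pass: -pubout 2>/dev/null </dev/null)
        cert_pub=$(openssl x509 -in "$dir/$cert" -noout -pubkey 2>/dev/null </dev/null)
        if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
            echo "ERROR $cert was not issued for $key (or one of them is unreadable)"
            problems=$((problems + 1))
        fi
    fi

    return "$problems"
}

# Usage: sh check_cncc_secret_files.sh <dir> <RSA256|ES256>
if [ "$#" -eq 2 ]; then
    check_cncc_secret_files "$1" "$2" && echo "OK: files are ready for kubectl create secret"
else
    echo "usage: $0 <dir> <RSA256|ES256>"
fi
```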
CNCC Core Configuration for Service Account
This section describes the CNCC Core configuration for a service account. CNCC Core provides an option to configure a custom service account.
Sample CNCC Core service account yaml file
## Service account yaml file for cncc-core
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cncc-core-sa
  namespace: cncc
  annotations: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cncc-core-role
  namespace: cncc
rules:
- apiGroups:
  - "" # "" indicates the core API group
  resources:
  - services
  - configmaps
  - pods
  - secrets
  - endpoints
  - persistentvolumeclaims
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cncc-core-rolebinding
  namespace: cncc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cncc-core-role
subjects:
- kind: ServiceAccount
  name: cncc-core-sa
  namespace: cncc
Configure service account for ingress-gateway and keycloak in cncc-core_values.yaml
Provide custom service account for ingress-gateway and cmservice under global.serviceAccountName in cncc-core_values.yaml as follows:
global:
  serviceAccountName: cncc-core-sa
CNCC Core Configuration for Aspen Service Mesh (ASM)
This section describes the CNCC Core configuration for Aspen Service Mesh (ASM).
- Annotations: Add the annotation traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\"" under the global.customExtension.lbDeployments.annotations section in cncc-core_values.yaml to disable mTLS on the cncc-core ingress container port.
global:
  # ******** Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
  customExtension:
    lbDeployments:
      labels: {}
      annotations:
        traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\""
  # ******** Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************
- Service Entry and Destination Rule
- For k8s cluster domain:
Create a destination rule to disable mTLS at the cncc-iam service FQDN.
Example: Destination-Rule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: cncc-iam-exclude-mtls
  namespace: cncc
spec:
  host: cncc-iam-ingress-gateway.cncc.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
---
- For custom domain:
Create a service entry and a destination rule to disable mTLS at the cncc-iam domain.
Example: Service-entry & Destination-rule
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cncc-iam-service-entry
  namespace: cncc
spec:
  hosts:
  - ocnrf-cncc-iam # Custom CNCC IAM domain
  exportTo:
  - "."
  addresses:
  - 10.75.225.205 # IP of the k8s node where CNCC-IAM is deployed
  location: MESH_INTERNAL
  ports:
  - number: 30085
    name: http
    protocol: HTTP
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: cncc-iam-exclude-mtls
  namespace: cncc
spec:
  host: ocnrf-cncc-iam # Custom CNCC IAM domain
  trafficPolicy:
    tls:
      mode: DISABLE
---
CNCC Core Configuration for Operations Services Overlay (OSO)
This section describes the CNCC Core configuration for Operations Services Overlay (OSO).
Add the annotation oracle.com/cnc: "\"true\"" under the global.customExtension.lbDeployments.annotations section in cncc-core_values.yaml to tell OSO to scrape metrics from the ingress pod.
global:
  # ******** Sub-Section Start: Common Global Parameters *************
  # *******************************************************************
  customExtension:
    lbDeployments:
      labels: {}
      annotations:
        oracle.com/cnc: "\"true\""
  # ******** Sub-Section End: Common Global Parameters *******************
  # ***********************************************************************
Installation Sequence for CNCC Core
Installation Sequence for CNCC Core:
- Installation Preparation.
- Configure custom-cncc-core_values.yaml file. This includes configuring the following based on the deployment:
  - Repository path
  - Domain and clusterdomain
  - CNC Console details
- CNC Console deployment:
  - With helm repository
  - With helm tar
- Verify CNC Core deployment
Deployment of CNCC Core
This procedure describes the steps to deploy CNCC Core. Execute the steps below from a server that has access to the kubectl and helm commands.
- Search helm chart: Execute the following command to search the helm chart.
helm search <release_name>
Example:
helm search cncc-core
NAME                       CHART VERSION  APP VERSION  DESCRIPTION
ocspf-helm-repo/cncc-core  1.2.1          1.0          A Helm chart for CNC Console
- Prepare custom-cncc-core_values.yaml file: Prepare a custom-cncc-core_values.yaml file with the required parameter information.
- Deploy CNCC Core:
Installation using helm repository
Execute the following command:
For helm 2 based:
helm install --name <release_name> <helm-repo> -f custom-cncc-core_values.yaml --namespace <namespace_name> --version <helm_version>
For helm 3 based:
helm install <release_name> <helm-repo> -f custom-cncc-core_values.yaml --namespace <namespace_name> --version <helm_version>
Where:
helm-repo: repository name where the helm images, charts are stored
values: helm configuration file which needs to be updated based on the docker registry
release_name and namespace_name: depends on customer configuration
Example:
For helm 2 based:
helm install --name cncc-core ocscp-helm-repo/ocscp -f custom-cncc-core_values.yaml --namespace cncc --version 1.2.1
For helm 3 based:
helm install cncc-core ocscp-helm-repo/ocscp -f custom-cncc-core_values.yaml --namespace cncc --version 1.2.1
Installation using helm tar
Execute the following command:
For helm 2 based:
helm install --name cncc-core -f custom-cncc-core_values.yaml --namespace <namespace> <chartpath>./<chart>.tgz
For helm 3 based:
helm install cncc-core -f custom-cncc-core_values.yaml --namespace <namespace> <chartpath>./<chart>.tgz
- Check repository status: Execute the following command to check the deployment status.
helm status <release_name>
- Check service status: Check if all the services are deployed and running:
kubectl -n <namespace_name> get services
Example:
$ kubectl -n cncc get services
cncc-core-cmservice        ClusterIP     10.233.13.43  <none>        8442/TCP        6m13s
cncc-core-ingress-gateway  LoadBalancer  10.233.11.14  10.75.182.79  8080:31417/TCP  6m13s
- Check pod status: Check if all the pods are up and running by executing the following command:
kubectl -n <namespace_name> get pods
Example:
$ kubectl -n cncc get pods
NAME                                        READY  STATUS   RESTARTS  AGE
cncc-core-cmservice-7f8b57c5bf-p4gvw        1/1    Running  0         6m18s
cncc-core-ingress-gateway-5bfb8789cd-wls5p  1/1    Running  0         6m18s
CNCC Core Microservices
CNCC Core has two microservices:
- cncc-core-ingress-gateway: cncc-core-ingress-gateway is responsible for redirecting the request to either the producer NF or the CNCC Core GUI.
- cncc-core_cmservice: cncc-core_cmservice is responsible for displaying the CNCC Core GUI.
Following is an example of services CNCC Core offers:
Table 4-1 CNCC Core Microservices
NAME | TYPE | CLUSTER-IP | EXTERNAL-IP | PORT(S) | AGE |
---|---|---|---|---|---|
cncc-core-cmservice | ClusterIP | 10.233.13.43 | <none> | 8442/TCP | 6m13s |
cncc-core-ingress-gateway | LoadBalancer | 10.233.13.43 | 10.75.182.79 | 8080:31417/TCP | 6m13s |
CNCC Core Sample Custom Values
The custom-cncc-core_values.yaml file can also be downloaded from OHC.
#########################################################
# Section Start: global attributes #
#########################################################
global:
  # ******** Sub-Section Start: Common Global Parameters ********
  #***************************************************************
  dockerRegistry: ocspf-registry.us.oracle.com:5000/ocscp
  serviceAccountName: ""
  customExtension:
    allResources:
      labels: {}
      annotations: {}
    lbServices:
      labels: {}
      annotations: {}
    lbDeployments:
      labels: {}
      annotations: {}
        # traffic.sidecar.istio.io/excludeInboundPorts: "\"8081\""
        # oracle.com/cnc: "\"true\""
    nonlbServices:
      labels: {}
      annotations: {}
    nonlbDeployments:
      labels: {}
      annotations: {}
  # ******** Sub-Section End: Common Global Parameters ********
  #*************************************************************
  # ******** Sub-Section Start: Ingress Gateway Global Parameters ********
  #************************************************************************
  # If https is enabled, this Port would be HTTP/1.0 Port (unsecured)
  # If https is disabled, this Port would be HTTPS/1.0 Port (secured SSL)
  publicHttpSignalingPort: 8080
  publicHttpsSignallingPort: 8443
  #Specify type of service - Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName
  type: LoadBalancer
  #Enable or disable IP Address allocation from Metallb Pool
  metalLbIpAllocationEnabled: true
  #Address Pool Annotation for Metallb
  metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: oam"
  #If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress
  #Else random IP will be assigned by the metalLB from its IP Pool
  staticIpAddressEnabled: false
  staticIpAddress: ""
  #If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort
  #Else random node port will be assigned by K8
  staticNodePortEnabled: true
  staticHttpNodePort: 30075
  staticHttpsNodePort: 30043
  nodeSelector:
    nodeKey: ""
    nodeValue: ""
  k8sResource:
    container:
      prefix: ""
      suffix: ""
  # ******** Sub-Section End: Ingress Gateway Global Parameters ********
  #**********************************************************************
#########################################################
# Section End : global attributes #
#########################################################
###############################################################
# Section Start : cmservice attributes #
###############################################################
cmservice:
  envLoggingLevelApp: WARN
  image:
    # image name
    name: cncc/cncc-cmservice-cm-tag
    # tag name of image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  # Resource details
  resources:
    limits:
      cpu: 2
      memory: 2Gi
    requests:
      cpu: 1
      memory: 1Gi
  # Deployment details
  deployment:
    customExtension:
      labels: {}
      annotations: {}
    envManageNF: SCP, NRF, UDR, POLICY
    # This is the name of product which appears as brand name and can be used to mention site name as well.
    # envSystemName: CNCC - Site Name
    envSystemName: CNCC
    # This is the version of product which appears with brand name.
    envNFVersion: 1.2.1
    # This is the name of the Project that appears on the Window
    cmWindowName: CNCC
    # Applicable for POLICY deployment, this enables Import Export buttons.
    # Make cmEnableImportExport : true in case of POLICY deployment
    cmEnableImportExport: false
    nodeSelectorEnabled: false
    nodeSelectorKey: zone
    nodeSelectorValue: app
    dependenciesLogging:
      - name: logging.level.org.springframework
        value: WARN
      - name: logging.level.io.undertow
        value: WARN
    logging:
      burst:
        rate: 750
        max: 3000
  service:
    customExtension:
      labels: {}
      annotations: {}
    http:
      port: 8442
    type: ClusterIP
#########################################################
# Section End : cmservice attributes #
#########################################################
###############################################################
# Section Start : ingress gateway attributes #
###############################################################
ingress-gateway:
  image:
    # image name
    name: cncc/cncc-apigateway-api-tag
    # tag name of image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  initContainersImage:
    # init Containers image name
    name: cncc/apigw-configurationinit-init-tag
    # tag name of init Container image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  updateContainersImage:
    # update Containers image name
    name: cncc/apigw-configurationupdate-update-tag
    # tag name of update Container image
    tag: helm-tag
    # Pull Policy - Possible Values are:- Always, IfNotPresent, Never
    pullPolicy: Always
  service:
    ssl:
      tlsVersion: TLSv1.2
      privateKey:
        k8SecretName: cncc-core-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: rsa_private_key_pkcs1.pem
        ecdsa:
          fileName: ssl_ecdsa_private_key.pem
      certificate:
        k8SecretName: cncc-core-ingress-secret
        k8NameSpace: cncc
        rsa:
          fileName: ssl_rsa_certificate.crt
        ecdsa:
          fileName: ssl_ecdsa_certificate.crt
      caBundle:
        k8SecretName: cncc-core-ingress-secret
        k8NameSpace: cncc
        fileName: caroot.cer
      keyStorePassword:
        k8SecretName: cncc-core-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_keystore.txt
      trustStorePassword:
        k8SecretName: cncc-core-ingress-secret
        k8NameSpace: cncc
        fileName: ssl_truststore.txt
      initialAlgorithm: RSA256
    # Labels and Annotations that are specific to service ingressgateway are added here.
    customExtension:
      labels: {}
      annotations: {}
  # Labels and Annotations that are specific to deployment ingressgateway are added here.
  deployment:
    customExtension:
      labels: {}
      annotations: {}
  ports:
    # ContainerPort represents a network port in a single container
    containerPort: 8081
    containersslPort: 8443
    actuatorPort: 9090
  # Set the root log level
  log:
    level:
      root: WARN
      ingress: INFO
      cncc:
        security: INFO
  readinessProbe:
    # tells the kubelet that it should wait second before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a liveness probe every xx seconds
    periodSeconds: 10
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
  livenessProbe:
    # tells the kubelet that it should wait second before performing the first probe
    initialDelaySeconds: 30
    # Number of seconds after which the probe times out
    timeoutSeconds: 3
    # specifies that the kubelet should perform a liveness probe every xx seconds
    periodSeconds: 15
    # Minimum consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
    # When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up
    failureThreshold: 3
  # Resource details
  resources:
    limits:
      cpu: 2
      initServiceCpu: 1
      updateServiceCpu: 1
      memory: 2Gi
      updateServiceMemory: 1Gi
      initServiceMemory: 1Gi
    requests:
      cpu: 1
      initServiceCpu: 0.5
      updateServiceCpu: 0.5
      memory: 1Gi
      updateServiceMemory: 0.5Gi
      initServiceMemory: 0.5Gi
    target:
      averageCpuUtil: 80
  # Number of Pods must always be available, even during a disruption.
  minAvailable: 1
  # Min replicas to scale to maintain an average CPU utilization
  minReplicas: 1
  # Max replicas to scale to maintain an average CPU utilization
  maxReplicas: 5
  allowedCipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # To Initialize SSL related infrastructure in init/update container
  initssl: false
  #Server Configuration for http and https support
  enableIncomingHttp: true
  enableIncomingHttps: false
  ingressGwCertReloadEnabled: false
  ingressGwCertReloadPath: /ingress-gw/certificate/reload
  # Routes Configurations
  routesConfig:
  # Note: Update FQDN and PORT with actual values. If not remove those routes else CNCC will fail to deploy.
  # CNCC requires complete routes and not placeholders.
  # Default mapping should be the last route entry.
  # Examples for routes
  #- id: scp_configuration
  #  uri: http://10.75.153.121:31131
  #  path: /soothsayer/v1/**
  #- id: default_configuration
  #  uri: http://cncc-core-cmservice.cncc.svc.cluster.local:8442
  #  path: /**
  - id: scpc_configuration
    uri: http://<FQDN>:<PORT>
    path: /soothsayer/v1/**
  - id: nrf_configuration
    uri: http://<FQDN>:<PORT>
    path: /nrf-configuration/v1/**
  - id: udr1
    uri: http://<FQDN>:<PORT>
    path: /nudr-dr-prov/**,/nudr-dr-mgm/**,/nudr-group-id-map-prov/**,/slf-group-prov/**
  - id: udr2
    uri: http://<FQDN>:<PORT>
    path: /nudr-config/**
  - id: policy_configuration
    uri: http://<FQDN>:<PORT>
    path: /policyapi/**
    filters:
      rewritePath: "/policyapi(?<segment>/?.*), $\\{segment}"
  - id: default_configuration # Default configuration should be the last routesConfig entry
    uri: http://<helmrelease>-cmservice.<namespace>.<domain>:8442
    path: /**
  nodeSelector:
    nodeKey: ""
    nodeValue: ""
  # CNCC configuration
  cncc:
    # Enable cncc feature including iam
    enabled: true
    # Enable security logs
    securityLogEnabled: true
    # Core Configuration
    core:
      # Session Timeout Value in Seconds. Default: 1800, Minimum: 300, Maximum: 7200
      sessionTimeoutSeconds: 1800
    # IAM Configuration
    # uri should include the CNCC IAM ingress-gateway externalIp and service port (e.g. http://10.75.182.72:8080)
    iam:
      uri: http://<IP>:<PORT>
#########################################################
# Section End : ingress gateway attributes #
#########################################################
Note:
- The field ingress-gateway.cncc.iam.uri should include the CNCC IAM Console URL. Check Accessing CNCC IAM Services for the URL.
- For POLICY deployment, set cmEnableImportExport: true. This enables the Import and Export buttons. It is applicable only for POLICY deployment.
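A lint pass over custom-cncc-core_values.yaml that enforces the constraints stated in the sample file's comments (no placeholder URIs, default route last, session timeout within 300-7200) and warns when HTTPS is left disabled. It is an added example, not Oracle tooling: the function name lint_cncc_values and the line-based parsing, which expects key names as in the sample above, are assumptions of the example.

```shell
#!/bin/sh
# Added example: lint custom-cncc-core_values.yaml before running helm install.

# lint_cncc_values FILE
# Prints one finding per line; the return status is the number of ERROR findings.
lint_cncc_values() {
    awk '
    # Value after the first ":" on the line, without trailing comment or blanks.
    function val(line,    v) {
        v = substr(line, index(line, ":") + 1)
        sub(/[ \t]+#.*$/, "", v)
        gsub(/^[ \t]+|[ \t\r]+$/, "", v)
        return v
    }
    function err(msg) { print "ERROR " msg; errors++ }

    /^[ \t]*#/ || /^[ \t]*$/ { next }          # commented sample routes, blank lines
    /^[ \t]*routesConfig:/   { in_routes = 1; next }

    in_routes && /^[ \t]*-[ \t]*id:/ { n++; id[n] = val($0); next }
    in_routes && /^[ \t]*path:/      { path[n] = val($0); next }
    in_routes && /^[ \t]*uri:/ {
        if (val($0) ~ /<[^>]+>/) err("route " id[n] ": uri still contains a placeholder")
        next
    }
    in_routes && /^[ \t]*(filters|rewritePath):/ { next }
    in_routes { in_routes = 0 }                # any other key ends the route list

    /^[ \t]*uri:/ {                            # ingress-gateway.cncc.iam.uri
        if (val($0) ~ /<[^>]+>/) err("iam uri still contains a placeholder")
    }
    /^[ \t]*sessionTimeoutSeconds:/ {
        t = val($0) + 0
        if (t < 300 || t > 7200) err("sessionTimeoutSeconds " t " is outside 300-7200")
    }
    /^[ \t]*enableIncomingHttps:[ \t]*false/ {
        print "WARN enableIncomingHttps is false: the console is served over plain HTTP"
    }
    END {
        if (n == 0) err("routesConfig has no routes")
        for (i = 1; i < n; i++)
            if (path[i] == "/**") err("route " id[i] ": the /** default route must be the last entry")
        if (n > 0 && path[n] != "/**") err("last route " id[n] " is not the /** default route")
        exit errors + 0
    }
    ' "$1"
}

# Constructed sample (not a real deployment): placeholders left in, default
# route listed first, session timeout below the documented minimum.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ingress-gateway:
  enableIncomingHttps: false
  routesConfig:
  - id: default_configuration
    uri: http://cncc-core-cmservice.cncc.svc.cluster.local:8442
    path: /**
  - id: nrf_configuration
    uri: http://<FQDN>:<PORT>
    path: /nrf-configuration/v1/**
  nodeSelector:
    nodeKey: ""
  cncc:
    core:
      sessionTimeoutSeconds: 120
    iam:
      uri: http://<IP>:<PORT>
EOF
lint_cncc_values "$sample" || echo "$? error(s) found"
rm -f "$sample"
```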
CNCC Core Configuration Parameters
The following table lists the configuration parameters in the Helm file:
Attribute Name | DataType | Range | Mandatory(M)/ Optional(O)/Conditional(C) | Description |
---|---|---|---|---|
global.serviceAccountName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters | O | Name of service account. If this field is kept empty then a default service account 'cncc-core-service-account' is created. If any value is provided then a service account has to be created manually. |
global.dockerRegistry | <String> | It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. | M | Here user provides the registry that contains cncc core images. It comprises of the following: <registry-url>:<registry-port> e.g.: ocspf-registry.us.oracle.com:5000 |
global.publicHttpSignalingPort | <Integer> | It can take value in the range: 0-65535 | O | It is the port on which ingress-gateway service is exposed. If httpsEnabled is false, this Port would be HTTP/2.0 Port (unsecured). publicHttpSignalingPort: 80 |
global.publicHttpsSignallingPort | <Integer> | It can take value in the range: 0-65535. | O | It is the port on which ingress-gateway service is exposed. If httpsEnabled is true, this Port would be HTTPS/2.0 Port (secured SSL) |
global.type | <String> | It can take value LoadBalance/NodePort depending upon one wants to expose the service from outside the Kubernetes cluster or not. | O | It is used to decide where user wants to expose the service from outside the Kubernetes cluster or not. |
global.metalLbIpAllocationEnabled | <Boolean> | True/False. By default, it is true. | O | This field enables or disables IP Address allocation from Metallb Pool |
global.metalLbIpAllocationAnnotation | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. Default set to: "metallb.universe.tf/address-pool: signaling" | | It is the address Pool Annotation for Metallb |
global.staticIpAddressEnabled | <Boolean> | True/False. By default, it is false. | O | If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress else random IP will be assigned by the metalLB from its IP Pool |
global.staticIpAddress | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. It may not start with a period or a dash and may contain a maximum of 128 characters | O | If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress else random IP will be assigned by the metalLB from its IP Pool |
global.staticNodePortEnabled | <Boolean> | True/False. By default, it is true. | O | If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort else random node port will be assigned by K8s |
global.staticHttpNodePort | <Integer> | It can take value in the range: 0-65535. Default value: 30075 | O | If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort else random node port will be assigned by K8s |
global.staticHttpsNodePort | <Integer> | It can take value in the range: 0-65535. Default value: 30075 | O | If Static node port needs to be set, then set staticNodePortEnabled flag to true and provide value for staticNodePort else random node port will be assigned by K8s |
global.nodeSelector.nodeKey | <String> | | O | global node selector key |
global.nodeSelector.nodeValue | <String> | | O | global node value key |
global.customExtension.allResources.labels | | Custom Labels that needs to be added to all the Ingress-Gateway k8s resources | O | This can be used to add custom label(s) to all k8s resources that will be created by Ingress-Gateway helm chart. |
global.customExtension.allResources.annotations | | Custom Annotations that needs to be added to all the Ingress-Gateway k8s resources | O | This can be used to add custom annotation(s) to all k8s resources that will be created by Ingress-Gateway helm chart. |
global.customExtension.lbServices.labels | | Custom Labels that needs to be added to Ingress-Gateway Services that are considered as Load Balancer type | O | This can be used to add custom label(s) to all Load Balancer Type Services that will be created by Ingress-Gateway helm chart. |
global.customExtension.lbServices.annotations | | Custom Annotations that needs to be added to Ingress-Gateway Services that are considered as Load Balancer type | O | This can be used to add custom annotation(s) to all Load Balancer Type Services that will be created by Ingress-Gateway helm chart. |
global.customExtension.lbDeployments.labels | | Custom Labels that needs to be added to Ingress-Gateway Deployments that are associated to a Service which is of Load Balancer type | O | This can be used to add custom label(s) to all Deployments that will be created by Ingress-Gateway helm chart which are associated to a Service which is of Load Balancer Type. |
global.customExtension.lbDeployments.annotations | | Custom Annotations that needs to be added to Ingress-Gateway Deployments that are associated to a Service which is of Load Balancer type | O | This can be used to add custom annotation(s) to all Deployments that will be created by Ingress-Gateway helm chart which are associated to a Service which is of Load Balancer Type. |
global.customExtension.nonlbServices.labels | | Custom Labels that needs to be added to Ingress-Gateway Services that are considered as not Load Balancer type | O | This can be used to add custom label(s) to all non-Load Balancer Type Services that will be created by Ingress-Gateway helm chart. |
global.customExtension.nonlbServices.annotations | | Custom Annotations that needs to be added to Ingress-Gateway Services that are considered as not Load Balancer type | O | This can be used to add custom annotation(s) to all non-Load Balancer Type Services that will be created by Ingress-Gateway helm chart. |
global.customExtension.nonlbDeployments.labels | | Custom Labels that needs to be added to Ingress-Gateway Deployments that are associated to a Service which is not of Load Balancer type | O | This can be used to add custom label(s) to all Deployments that will be created by Ingress-Gateway helm chart which are associated to a Service which is not of Load Balancer Type. |
global.customExtension.nonlbDeployments.annotations | | Custom Annotations that needs to be added to Ingress-Gateway Deployments that are associated to a Service which is not of Load Balancer type | O | This can be used to add custom annotation(s) to all Deployments that will be created by Ingress-Gateway helm chart which are associated to a Service which is not of Load Balancer Type. |
global.k8sResource.container.prefix | | Value that will be prefixed to all the container names of Ingress-Gateway. | | This value will be used to prefix to all the container names of Ingress-Gateway |
global.k8sResource.container.suffix | | Value that will be suffixed to all the container names of Ingress-Gateway. | | This value will be used to suffix to all the container names of Ingress-Gateway. |
cmservice.envLoggingLevelApp | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | O | It is the level at which user wants to see the logs. E.g. WARN |
cmservice.image.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Name to be used for "cncc-cmservice" micro service |
cmservice.image.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Tag to be used for "cncc-cmservice" micro service |
cmservice.image.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy | M | Pull Policy decides from where to pull the image. |
cmservice.resources.limits.cpu | <Float> | Valid floating point value between 0 and 1 | O | It limits the number of CPUs to be used by the "cncc-cmservice" microservice. By default, it is set to '2'. |
cmservice.resources.limits.memory | <String> | Valid Integer value followed by Mi/Gi etc. | O | It limits the memory utilization by the "cncc-cmservice" microservice. By default, it is set to '2'. |
cmservice.resources.requests.cpu | <Float> | Valid floating point value between 0 and 1 | O | It provides a given number of CPUs for the "cncc-cmservice" microservice. By default, it is set to '2'. |
cmservice.resources.requests.memory | <String> | Valid Integer value followed by Mi/Gi etc. | O | It provides a given amount of memory for the "cncc-cmservice" microservice. By default, it is set to '1'. |
cmservice.deployment.envManageNF | <String> | It is the list of NFs. E.g. SCP, POLICY | M | It is the list of the enabled NFs and the same NFs will be displayed in the GUI |
cmservice.deployment.envSystemName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | This is the name of product which appears as brand name and can be used to mention site name as well. E.g. envSystemName: CNCC |
cmservice.deployment.envNFVersion | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. | M | This is the version of product which appears with brand name. E.g. envNFVersion: 1.2.0 |
cmservice.deployment.cmWindowName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | This is the name of the window that appears on the browser tab. E.g. cmWindowName: CNCC |
cmservice.deployment.nodeSelectorEnabled | <boolean> | It can take either True or False value. By default, it is false. | O | NodeSelector is the simplest recommended form of node selection constraint. NodeSelector is a field of PodSpec. It specifies a map of key-value pairs. For the pod to be eligible to run on a node, the node must have each of the indicated key-value pairs as labels |
cmservice.deployment.nodeSelectorKey | <String> | By default, its value is zone. | O | Node Selector Key |
cmservice.deployment.nodeSelectorValue | <String> | By default, its value is app. | O | Node Selector value |
cmservice.deployment.dependenciesLogging[].name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Name of the package for which the log level is to be set. E.g. logging.level.org.springframework |
cmservice.deployment.dependenciesLogging[].value | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | O | It is the level at which user wants to see the logs. E.g. WARN |
cmservice.service.customExtension.labels | <String> | Custom Labels that needs to be added to all the cmservice k8s resources | O | This can be used to add custom label(s) to all k8s resources that will be created by cmservice helm chart. |
cmservice.service.customExtension.annotations | <String> | Custom Annotations that needs to be added to all the cmservice k8s resources | O | This can be used to add custom annotation(s) to all k8s resources that will be created by cmservice helm chart. |
cmservice.service.http.port | <Integer> | It can take value in the range: 0-65535 | O | It is the port number which makes cmservice visible to other services running within the same K8s cluster |
cmservice.service.type | <String> | It can take only 'ClusterIP' as the value. | O | It is used to decide where user wants to expose the service from outside the Kubernetes cluster or not. |
ingress-gateway.image.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | It is the image name of the ingress-gateway as provided by the user |
ingress-gateway.image.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Tag to be used for ingress-gateway. |
ingress-gateway.image.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | O | Pull Policy decides from where to pull the image. |
ingress-gateway.initContainersImage.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | Image Name to be used for "cncc-cmservice" micro service |
ingress-gateway.initContainersImage.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Tag to be used for "cncc-cmservice" micro service |
ingress-gateway.initContainersImage.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | O | Pull Policy decides from where to pull the image. |
ingress-gateway.updateContainersImage.name | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | Image Name to be used for "cncc-cmservice" micro service |
ingress-gateway.updateContainersImage.tag | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters | M | Image Tag to be used for "cncc-cmservice" micro service |
ingress-gateway.updateContainersImage.pullPolicy | <String> | It can take a value from the following: IfNotPresent, Always, Never. IfNotPresent is the default pullPolicy. | O | Pull Policy decides from where to pull the image. |
ingress-gateway.service.ssl.tlsVersion | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator. It is set to TLSv1.2 | O | It is the TLS version |
ingress-gateway.service.ssl.privateKey.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Name of the privatekey secret Ex: cncc-core-ingress-secret |
ingress-gateway.service.ssl.privateKey.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Namespace of privatekey Ex: cncc |
ingress-gateway.service.ssl.privateKey.rsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | rsa private key file name Ex: rsa_private_key_pkcs1.pem |
ingress-gateway.service.ssl.privateKey.ecdsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | ecdsa private key file name Ex: ssl_ecdsa_private_key.pem |
ingress-gateway.service.ssl.certificate.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Name of the certificate secret Ex: cncc-core-ingress-secret |
ingress-gateway.service.ssl.certificate.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Namespace of certificate Ex: cncc |
ingress-gateway.service.ssl.certificate.rsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | rsa certificate file name Ex: ssl_rsa_certificate.crt |
ingress-gateway.service.ssl.certificate.ecdsa.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | ecdsa certificate file name Ex: ssl_ecdsa_certificate.crt |
ingress-gateway.service.ssl.caBundle.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Name of the caBundle secret Ex: cncc-core-ingress-secret |
ingress-gateway.service.ssl.caBundle.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Namespace of caBundle Ex: cncc |
ingress-gateway.service.ssl.caBundle.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | rsa caBundle file name Ex: caroot.cer |
ingress-gateway.service.ssl.keyStorePassword.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Name of the keyStorePassword secret Ex: cncc-core-ingress-secret |
ingress-gateway.service.ssl.keyStorePassword.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Namespace of keyStorePassword Ex: cncc |
ingress-gateway.service.ssl.keyStorePassword.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | File name that has password for keyStore Ex: ssl_keystore.txt |
ingress-gateway.service.ssl.trustStorePassword.k8SecretName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Name of the trustStorePassword secret Ex: cncc-core-ingress-secret |
ingress-gateway.service.ssl.trustStorePassword.k8NameSpace | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Namespace of trustStorePassword Ex: cncc |
ingress-gateway.service.ssl.trustStorePassword.fileName | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | File name that has password for trustStore Ex: ssl_truststore.txt |
ingress-gateway.service.ssl.initialAlgorithm | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | O | Default value is RSA256 |
ingress-gateway.service.customExtension.labels | Custom Labels that need to be added to ingress-gateway specific Service. | O | This can be used to add custom label(s) to ingress-gateway Service. | |
ingress-gateway.service.customExtension.annotations | Custom Annotations that need to be added to ingress-gateway specific Services. | O | This can be used to add custom annotation(s) to ingress-gateway Service. | |
ingress-gateway.deployment.customExtension.labels | Custom Labels that need to be added to ingress-gateway specific Deployment. | O | This can be used to add custom label(s) to ingress-gateway Deployment. | |
ingress-gateway.deployment.customExtension.annotations | Custom Annotations that need to be added to ingress-gateway specific Deployment. | O | This can be used to add custom annotation(s) to ingress-gateway Deployment. | |
ingress-gateway.readinessProbe.initialDelaySeconds | <Integer> | It can take value in the range: 0-65535. Default value: 30 | O | It tells the kubelet how many seconds to wait before performing the first probe |
ingress-gateway.readinessProbe.timeoutSeconds | <Integer> | It can take value in the range: 0-65535. Default value: 3 | O | It is the number of seconds after which the probe times out |
ingress-gateway.readinessProbe.periodSeconds | <Integer> | It can take value in the range: 0-65535. Default value: 10 | O | It specifies how often, in seconds, the kubelet performs the readiness probe |
ingress-gateway.readinessProbe.successThreshold | <Integer> | It can take value in the range: 0-65535. Default value: 1 | O | Minimum consecutive successes for the probe to be considered successful after having failed |
ingress-gateway.readinessProbe.failureThreshold | <Integer> | It can take value in the range: 0-65535. Default value: 3 | O | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up |
ingress-gateway.livenessProbe.initialDelaySeconds | <Integer> | It can take value in the range: 0-65535. Default value: 30 | O | It tells the kubelet how many seconds to wait before performing the first probe |
ingress-gateway.livenessProbe.timeoutSeconds | <Integer> | It can take value in the range: 0-65535. Default value: 3 | O | It is the number of seconds after which the probe times out |
ingress-gateway.livenessProbe.periodSeconds | <Integer> | It can take value in the range: 0-65535. Default value: 15 | O | It specifies how often, in seconds, the kubelet performs the liveness probe |
ingress-gateway.livenessProbe.successThreshold | <Integer> | It can take value in the range: 0-65535. Default value: 1 | O | Minimum consecutive successes for the probe to be considered successful after having failed |
ingress-gateway.livenessProbe.failureThreshold | <Integer> | It can take value in the range: 0-65535. Default value: 3 | O | When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up |
ingress-gateway.minAvailable | <Integer> | It can take value in the range: 0-65535. Default value: 1 | O | It is the number of pods that must always be available, even during a disruption. |
ingress-gateway.minReplicas | <Integer> | It can take value in the range: 0-65535. Default value: 1 | O | Min replicas to scale to maintain an average CPU utilization |
ingress-gateway.maxReplicas | <Integer> | It can take value in the range: 0-65535. Default value: 5 | O | Max replicas to scale to maintain an average CPU utilization |
ingress-gateway.initssl | <Boolean> | It can take either True or False value. By default, it is false. | O | To Initialize SSL related infrastructure in init/update container |
ingress-gateway.enableIncomingHttp | <Boolean> | It can take either True or False value. By default, it is false. | O | Server Configuration for http and https support |
ingress-gateway.enableIncomingHttps | <Boolean> | It can take either True or False value. By default, it is false. | O | Server Configuration for http and https support |
ingress-gateway.cipherSuites | <List[String]> | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | M, if ingress-gateway.enableIncomingHttps is true | Allowed CipherSuites for TLS1.2 |
ingress-gateway.cncc.enabled | <Boolean> | It can take either True or False value. By default, it is true. | M | It enables CNCC features, i.e. authentication and authorization on ingress |
ingress-gateway.cncc.securitylogEnabled | <boolean> | It can take either True or False value. By default, it is true | O | This flag is to enable/disable security logs for cncc. |
ingress-gateway.cncc.core.sessionTimeoutSeconds | <Integer> | It can take value in the range: 0-65535. Default Value: 1800 | M | It takes the timeout value for CNCC Session in seconds. Default: 1800 Minimum: 300 Maximum: 7200 |
ingress-gateway.cncc.iam.uri | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. A name component may not start or end with a separator | M | It is the URI of the cncc-iam ingress. |
ingress-gateway.ports.containerPort | <Integer> | It can take value in the range: 0-65535. Default value: 8081 | O | It is the http port of the container for the ingress-gateway. |
ingress-gateway.ports.containersslPort | <Integer> | It can take value in the range: 0-65535. Default value: 8443 | O | It is the https port of the container for the ingress-gateway. |
ingress-gateway.ports.actuatorPort | <Integer> | It can take value in the range: 0-65535. Default value: 9090 | O | It is the actuator port of the container for the ingress-gateway. |
ingress-gateway.log.level.root | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | O | It is the level at which user wants to see the logs. E.g. WARN |
ingress-gateway.log.level.ingress | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | O | Log level for ingress logs |
ingress-gateway.log.level.cncc.security | <String> | It can take values like: WARN, DEBUG, INFO, TRACE etc. | O | Log level for cncc security logs |
ingress-gateway.resources.limits.cpu | <Float> | Valid floating point value between 0 and 1 | O | It limits the number of CPUs to be used by the microservice. |
ingress-gateway.resources.limits.memory | <String> | Valid Integer value followed by Mi/Gi etc. | O | It limits the memory utilization by the microservice. |
ingress-gateway.resources.requests.cpu | <Float> | Valid floating point value between 0 and 1 | O | It provides a given number of CPUs for the microservice. |
ingress-gateway.resources.requests.memory | <String> | Valid Integer value followed by Mi/Gi etc. | O | It provides a given amount of memory for the microservice. |
ingress-gateway.resources.target.averageCpuUtil | <Integer> | A value in between 0-100 | O | It gives the average CPU utilization percentage. |
ingress-gateway.routesConfig[].id | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | If SCP route needs to be added to CNC Console Core ingress-gateway |
ingress-gateway.routesConfig[].uri | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.routesConfig[].path | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.routesConfig[].order | <Integer> | Valid Integer value | O | |
ingress-gateway.routesConfig[].filters.rewritePath | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | O | |
ingress-gateway.ingressGwCertReloadEnabled | <boolean> | It can take either True or False value. By default, it is false. | M | |
ingress-gateway.ingressGwCertReloadPath | <String> | Valid ASCII and may contain lowercase and uppercase letters, digits, underscores, periods and dashes. | M | |
ingress-gateway.nodeSelector.nodeKey | <String> | O | node selector key specific to chart (note this will be looked first and then if not present global node key will be picked) | |
ingress-gateway.nodeSelector.nodeValue | <String> | O | node selector value specific to chart (note this will be looked first and then if not present global node value will be picked) |
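The HTTPS-related rows above interact: cipherSuites becomes mandatory once enableIncomingHttps is true, initialAlgorithm decides which key and certificate file names are used, and every fileName has to exist as a key in the Kubernetes secret. The following pre-deployment lint is an added example, not part of the CNCC distribution; the function names, the nested dictionary layout (inferred from the dotted parameter names) and the sample values are assumptions.

```python
# Added example, not Oracle tooling. The nested layout is assumed from the dotted
# parameter names; SECRET_FILES and SAMPLE_GW are constructed sample data.
ALLOWED_CIPHER_SUITES = set("""
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
""".split())
KEY_TYPE = {"RSA256": "rsa", "ES256": "ecdsa"}  # initialAlgorithm -> key section


def lookup(node, dotted, default=None):
    """Walk a nested dict by a dotted path relative to the ingress-gateway block."""
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint_ingress_gateway(gw, secret_files):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    timeout = lookup(gw, "cncc.core.sessionTimeoutSeconds", 1800)
    if not 300 <= timeout <= 7200:
        findings.append(f"sessionTimeoutSeconds={timeout} is outside 300-7200")
    if lookup(gw, "cncc.enabled", True) is not True:
        findings.append("cncc.enabled is false: ingress authentication is off")
    if lookup(gw, "enableIncomingHttps", False) is not True:
        return findings + ["enableIncomingHttps is false: TLS settings unused"]
    suites = lookup(gw, "cipherSuites") or []
    if not suites:
        findings.append("cipherSuites is mandatory when enableIncomingHttps is true")
    findings += [f"cipher suite not in the allowed list: {s}"
                 for s in suites if s not in ALLOWED_CIPHER_SUITES]
    if lookup(gw, "service.ssl.tlsVersion") != "TLSv1.2":
        findings.append("service.ssl.tlsVersion is not TLSv1.2")
    algo = lookup(gw, "service.ssl.initialAlgorithm", "RSA256")
    sections = ["caBundle", "keyStorePassword", "trustStorePassword"]
    if algo in KEY_TYPE:
        sections += [f"privateKey.{KEY_TYPE[algo]}", f"certificate.{KEY_TYPE[algo]}"]
    else:
        findings.append(f"unknown initialAlgorithm: {algo}")
    for section in sections:
        name = lookup(gw, f"service.ssl.{section}.fileName")
        if name not in secret_files:
            findings.append(f"service.ssl.{section}.fileName={name!r} not in secret")
    return findings


SECRET_FILES = {"ssl_ecdsa_private_key.pem", "rsa_private_key_pkcs1.pem",
                "ssl_ecdsa_certificate.crt", "ssl_rsa_certificate.crt",
                "caroot.cer", "ssl_keystore.txt", "ssl_truststore.txt"}
SAMPLE_GW = {
    "enableIncomingHttps": True,
    "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "cncc": {"enabled": True, "core": {"sessionTimeoutSeconds": 28800}},
    "service": {"ssl": {"tlsVersion": "TLSv1.2", "initialAlgorithm": "ES256",
        "privateKey": {"rsa": {"fileName": "rsa_private_key_pkcs1.pem"}},
        "certificate": {"ecdsa": {"fileName": "ssl_ecdsa_certificate.crt"}},
        "caBundle": {"fileName": "caroot.cer"},
        "keyStorePassword": {"fileName": "ssl_keystore.txt"},
        "trustStorePassword": {"fileName": "ssl_truststore.txt"},
    }},
}
```

Calling `lint_ingress_gateway(SAMPLE_GW, SECRET_FILES)` on the constructed sample reports the over-long session timeout, the cipher suite outside the allowed list, and the ES256 setting that has no ECDSA private key file configured.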
CNCC Core Service Access
CNCC Core service can be accessed by the following URL:
<scheme>://<cncc-core-ingress-external-ip>:<cncc-core-ingress-service-port>
Example:
http://10.75.182.79:8080
Note:
Log in to CNCC IAM and add a redirect URL pointing to CNCC Core. CNCC cannot be accessed before CNCC IAM is configured to redirect. Refer to CNCConsole 1.2 Post Installation Steps for CNCC-IAM.
CNCC Core Uninstall
CNCC Core can be uninstalled as follows. The following step needs to be executed from a server that has access to kubectl and helm commands:
Execute the following command to uninstall CNCC Core:
For Helm 2:
$ helm delete <deployment name> --purge
Example:
$ helm delete cncc-core --purge
For Helm 3:
$ helm uninstall <deployment name> --namespace <deployment namespace>
Example:
$ helm uninstall cncc-core --namespace cncc
CNCC Supported NFs and Version Compatibility
SR.No | NF | NF Version | Enabling NFs | Route Configuration | Remarks |
---|---|---|---|---|---|
1 | SCP | 1.7.0 | Update in cmservice section of values.yaml | Update in routeConfig under ingress section in values.yaml | |
2 | NRF | 1.7.0 | Update in cmservice section of values.yaml | Update in routeConfig under ingress section in values.yaml | |
3 | POLICY | 1.7.0 | Update in cmservice section of values.yaml | Update in routeConfig under ingress section in values.yaml | cmEnableImportExport: true |
6 | UDR | 1.7.0 | Update in cmservice section of values.yaml envManageNF:UDR | Update in routeConfig under ingress section in values.yaml | |