NSSF Pre-deployment Configuration
This section describes about the various NSSF pre-deployment configuration steps. It includes the following:
- Verify and Create kubernetes Namespace
- Create MySql Database and User for OCNSSF
- Create a Kubernetes Secret for Storing Database Username and Password
- Create Private Keys and Certificates for Ingress Gateway and Egress Gateway
- Create Private Key and Certificates to enable OAuth
- Create Role and Role Binding
Verify and Create Kubernetes Namespace
his section explains how a user can verify the existence of a required namespace in the system. If the namespace does not exist, the user must create it.
Procedure
- Verify whether required namespace already exists in system by
executing the following command:
$ kubectl get namespaces
- If the output of the above command does not display the required
namespace, create the namespace by executing the following command:
$ kubectl create namespace <required namespace>
Example:$ kubectl create namespace ocnssf
Create MySQL Database and User for OCNSSF
- Login to the server or machine which has permission to access the SQL nodes of NDB cluster.
- Connect to the SQL nodes of NDB cluster one at the time.
- Login to the MySQL prompt using root permission or user who has
permission to create users with permissions as mentioned below.
Example:
mysql -h 127.0.0.1 -uroot -p
- Check whether OCNSSF network function user already exists. If the
user does not exist, create an OCNSSF network function user by executing the
following queries:
- Execute
$ SELECT User FROM mysql.user;
to list the users. - If the user does not exist, create the new user by
executing:
$ CREATE USER '<OCNSSF User Name>'@'%' IDENTIFIED BY '<OCNSSF Password>';
Example:
$ CREATE USER 'nssfusr'@'%' IDENTIFIED BY 'nssfpasswd';
- Execute
- Check if OCNSSF network function database already exists. If it does
not exist, create an OCNSSF network function database and provide permissions to
OCNSSF username created in the previous step by executing the following
commands:
- Execute
$ show databases;
to check if database exists. - If database does not exist, execute
$ CREATE DATABASE IF NOT EXISTS <OCNSSF Database> CHARACTER SET utf8;
for Database creation.Example:
$
CREATE DATABASE IF NOT EXISTS nssfdb CHARACTER SET utf8;
- Granting permission to user:
$ GRANT SELECT,INSERT,CREATE,ALTER,DROP,LOCK TABLES,CREATE TEMPORARY TABLES, DELETE,UPDATE,EXECUTE ON <OCNSSF Database>.* TO '<OCNSSF User Name>'@'%';
- Execute
Create a Kubernetes Secret for Storing Database Username and Password
- Create a yaml file with the username and password with the syntax
shown
below:
apiVersion: v1 kind: Secret metadata: name: ocnssf-db-creds type: Opaque data: mysql-username: bnNzZnVzcg== mysql-password: bnNzZnBhc3N3ZA== mysql-db-name: bnNzZmRi
Note:
The values for mysql-username and mysql-password must be base64 encoded. - Execute the following command to create the kubernetes secret:
kubectl create -f yaml_file_name -n namespace
where:
yaml_file_name is a name of the yaml file that is created in step 1.
namespace is the deployment namespace used by the helm command.
- Execute the following command to verify the secret creation:
$ kubectl describe secret <database secret name> -n <Namespace of MYSQL secret>
Example:$ kubectl describe secret ocnssf-db-creds -n ocnssf
Create Private Keys and Certificates for Ingress Gateway and Egress Gateway
This section describes how to create private keys and certificates in NSSF.
Creating Private Key and Certificates to enable https
To create private keys and certificates:
- Generate RSA private key by executing the following
command:
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt
- Convert private key to .pem format by executing the following
command:
openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
- Generate certificate using the private key by executing the
following
command:
openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf
Note:
Thessl.conf
can be used to configure default entries along with storage area network (SAN) details for your certificate.A sample of thessl.conf
is provided below:#ssl.conf [ req ] default_bits = 4096 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = IN stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Karnataka localityName = Locality Name (eg, city) localityName_default = Bangalore organizationName = Organization Name (eg, company) organizationName_default = Oracle commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = localhost [ req_ext ] subjectAltName = @alt_names [alt_names] IP = 127.0.0.1 DNS.1 = localhost
- Create root certificate authority (CA) by executing the following
set of commands:
openssl req -new -keyout cakey.pem -out careq.pem openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca echo 1234 > serial.txt
- Sign the server certificate with root CA private key by executing
the following
command:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in ocegress.csr -out ocegress.cer -days 365 -extfile ssl.conf -extensions req_ext
Note:
The ssl.conf file must be reused, as SAN contents is not packaged when signing.
- Create key.txt by entering any password.
- Create trust.txt by entering any password.
Creating a Secret
Note: User must create a secret for database access before deploying NSSF.
To create a secret:
- Execute
kubectl get namespace
to list the namespaces. - If namespace does not exist, create a new namespace by executing the
following command:
kubectl create namespace <NameSpace>
where:
namespace is the deployment namespace used by the helm command.
- Generate secret out of the keys and certificates by executing the
following
command:
kubectl create secret generic k8SecretName --from- file=rsa_private_key_pkcs1.pem --from-file=trust.txt -- from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n k8NameSpace
where:
k8NameSpace is the deployment namespace used by the helm command.
k8SecretName is the name of secret generated.
Example:
kubectl create secret generic accesstoken-secret --from- file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n ocnssf
Create Private Key and Certificates to Enable OAuth
- Auth token generator, OCNRF provides its public key to NSSF.
- User must create kubernetes secret to store NRF public key.
There can be multiple NRF public keys.
File Name or key (this key is of map) of Public Key must be in the following format:
"{nrfInstanceId}_{SigningAlgorithm}.pem
"where
nrfInstanceId
is Instance Id of NRF.SigningAlgorithm
can have following values:ES256: ECDSA using P-256 and SHA-256 ES384: ECDSA using P-384 and SHA-384 ES512: ECDSA using P-521 and SHA-512 RS256: RSASSA-PKCS-v1_5 using SHA-256 RS384: RSASSA-PKCS-v1_5 using SHA-384 RS512: RSASSA-PKCS-v1_5 using SHA-512 PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
- Generate secret out of the keys and certificates by executing
the following command:
kubectl create secret generic <Secret_Name> --from-file={nrfInstanceId}_{SigningAlgorithm}.pem-n <NameSpace>
Example:
kubectl create secret generic nrfpublickeysecret --from-file=fe7d992b-0541-4c7d-ab84-c6d70b1b01b1_RS256.pem-n ocnssf
Create Role and Role Binding
This section describes about how to create role and do role binding with service account to access secret in namespace.
- Create role
Create a file "role.yaml" with following content.
role.yamlkind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ocnssf-role rules: - apiGroups: [""] # "" indicates the core API group resources: ["secrets"] verbs: ["get", "list"]
Run the following command to create role:
kubectl apply -f role.yaml -n ocnssf
- Role Binding
Bind the role with the default service account of the namespace.
rolebinding.yamlkind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: ocnssf-rolebinding subjects: - kind: ServiceAccount name: default namespace: ocnssf # use release reference here roleRef: kind: Role name: ocnssf-role apiGroup: rbac.authorization.k8s.io
Run the following command to create rolebinding with default service:
kubectl apply -f rolebinding.yaml -n ocnssf