NSSF Pre-deployment Configuration

Verify and Create Kubernetes Namespace

his section explains how a user can verify the existence of a required namespace in the system. If the namespace does not exist, the user must create it.

Procedure

Verify whether required namespace already exists in system by executing the following command:
```
 $ kubectl get namespaces
```
If the output of the above command does not display the required namespace, create the namespace by executing the following command:
```
$ kubectl create namespace <required namespace>
```
Example:
```
$ kubectl create namespace ocnssf
```

Create MySQL Database and User for OCNSSF

Login to the server or machine which has permission to access the SQL nodes of NDB cluster.
Connect to the SQL nodes of NDB cluster one at the time.
Login to the MySQL prompt using root permission or user who has permission to create users with permissions as mentioned below.
Example:
```
mysql -h 127.0.0.1 -uroot -p
```
Check whether OCNSSF network function user already exists. If the user does not exist, create an OCNSSF network function user by executing the following queries:
1. Execute$ SELECT User FROM mysql.user; to list the users.
2. If the user does not exist, create the new user by executing:
  $ CREATE USER '<OCNSSF User Name>'@'%' IDENTIFIED BY '<OCNSSF Password>';
  Example:$ CREATE USER 'nssfusr'@'%' IDENTIFIED BY 'nssfpasswd';
Check if OCNSSF network function database already exists. If it does not exist, create an OCNSSF network function database and provide permissions to OCNSSF username created in the previous step by executing the following commands:
1. Execute $ show databases; to check if database exists.
2. If database does not exist, execute $ CREATE DATABASE IF NOT EXISTS <OCNSSF Database> CHARACTER SET utf8; for Database creation.
  Example:
  
  $CREATE DATABASE IF NOT EXISTS nssfdb CHARACTER SET utf8;
3. Granting permission to user:
  $ GRANT SELECT,INSERT,CREATE,ALTER,DROP,LOCK TABLES,CREATE TEMPORARY TABLES, DELETE,UPDATE,EXECUTE ON <OCNSSF Database>.* TO '<OCNSSF User Name>'@'%';

Create a Kubernetes Secret for Storing Database Username and Password

Create a yaml file with the username and password with the syntax shown below:
```
apiVersion: v1
kind: Secret
metadata:
  name: ocnssf-db-creds
type: Opaque
data:
  mysql-username: bnNzZnVzcg==
  mysql-password: bnNzZnBhc3N3ZA==
  mysql-db-name: bnNzZmRi
```
Note:
The values for mysql-username and mysql-password must be base64 encoded.
Execute the following command to create the kubernetes secret:

kubectl create -f yaml_file_name -n namespace

where:

yaml_file_name is a name of the yaml file that is created in step 1.

namespace is the deployment namespace used by the helm command.
Execute the following command to verify the secret creation:
$ kubectl describe secret <database secret name> -n <Namespace of MYSQL secret>

Example:$ kubectl describe secret ocnssf-db-creds -n ocnssf

Create Private Keys and Certificates for Ingress Gateway and Egress Gateway

This section describes how to create private keys and certificates in NSSF.

Creating Private Key and Certificates to enable https

To create private keys and certificates:

Generate RSA private key by executing the following command:

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt

Convert private key to .pem format by executing the following command:
```
openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
```

Generate certificate using the private key by executing the following command:

openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf

Note:

The ssl.conf can be used to configure default entries along with storage area network (SAN) details for your certificate.

A sample of the ssl.conf is provided below:

#ssl.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
 
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
 
[ req_ext ]
subjectAltName = @alt_names
 
[alt_names]
IP = 127.0.0.1
DNS.1 = localhost

Create root certificate authority (CA) by executing the following set of commands:

openssl req -new -keyout cakey.pem -out careq.pem
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer 
-extensions v3_ca
echo 1234 > serial.txt

Sign the server certificate with root CA private key by executing the following command:

openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in 
ocegress.csr -out ocegress.cer -days 365 -extfile ssl.conf -extensions 
req_ext

Note:

The ssl.conf file must be reused, as SAN contents is not packaged when signing.

Create key.txt by entering any password.
Create trust.txt by entering any password.

Creating a Secret

Note: User must create a secret for database access before deploying NSSF.

To create a secret:

Execute kubectl get namespace to list the namespaces.
If namespace does not exist, create a new namespace by executing the following command:
kubectl create namespace <NameSpace>
where:

namespace is the deployment namespace used by the helm command.

Generate secret out of the keys and certificates by executing the following command:

kubectl create secret generic k8SecretName --from-
file=rsa_private_key_pkcs1.pem --from-file=trust.txt --
from-file=key.txt --from-file=ocegress.cer 
--from-file=caroot.cer -n k8NameSpace

where:

k8NameSpace is the deployment namespace used by the helm command.

k8SecretName is the name of secret generated.

Example:

kubectl create secret generic accesstoken-secret --from-
file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt 
--from-file=ocegress.cer --from-file=caroot.cer -n ocnssf

Create Private Key and Certificates to Enable OAuth

Auth token generator, OCNRF provides its public key to NSSF.

User must create kubernetes secret to store NRF public key.

There can be multiple NRF public keys.

File Name or key (this key is of map) of Public Key must be in the following format:

"{nrfInstanceId}_{SigningAlgorithm}.pem"

where nrfInstanceIdis Instance Id of NRF.

SigningAlgorithm can have following values:

ES256: ECDSA using P-256 and SHA-256
ES384: ECDSA using P-384 and SHA-384
ES512: ECDSA using P-521 and SHA-512
RS256: RSASSA-PKCS-v1_5 using SHA-256
RS384: RSASSA-PKCS-v1_5 using SHA-384
RS512: RSASSA-PKCS-v1_5 using SHA-512
PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Generate secret out of the keys and certificates by executing the following command:
kubectl create secret generic <Secret_Name> --from-file={nrfInstanceId}_{SigningAlgorithm}.pem-n <NameSpace>

Example:

kubectl create secret generic nrfpublickeysecret --from-file=fe7d992b-0541-4c7d-ab84-c6d70b1b01b1_RS256.pem-n ocnssf

Create Role and Role Binding

This section describes about how to create role and do role binding with service account to access secret in namespace.

Create role

Create a file "role.yaml" with following content.
role.yaml
```
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ocnssf-role
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["secrets"]
    verbs: ["get", "list"]
```
Run the following command to create role:

kubectl apply -f role.yaml -n ocnssf

Role Binding

Bind the role with the default service account of the namespace.

rolebinding.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ocnssf-rolebinding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: ocnssf # use release reference here
roleRef:
  kind: Role
  name: ocnssf-role
  apiGroup: rbac.authorization.k8s.io

Run the following command to create rolebinding with default service:

kubectl apply -f rolebinding.yaml -n ocnssf