3 Customizing NSSF

The OCNSSF deployment can be customized by overriding the default values of various configurable parameters.

An ocnssf_values.yaml file can be prepared to customize the parameters. The section NSSF Configurable Parameters is an example of an OCNSSF customization file.

Configuration Options During Deployment

Basic Configuration:

  1. Once the docker platform configurations are done, proceed as per NSSF Configurable Parameters.
  2. Check that the Registry is in place and contains the latest helm charts and jar as per the release for the NSSF node.

Customizing NSSF

The NSSF deployment is customized by overriding the default values of various configurable parameters in the ocnssf-custom-values-1.4.0.yaml file.

To customize the ocnssf-custom-values-1.4.0.yaml file as per the required parameters:
  1. Go to the Oracle Help Center (OHC) Web site: https://docs.oracle.com
  2. Navigate to Industries > Communications > Cloud Native Core > Release 2.2.1
  3. Click the Network Slice Selection Function (NSSF) Custom Template link to download the zip file.
  4. Unzip the file to get the ocnssf-custom-configTemplates-1.4.0.0.0 file that contains the ocnssf-custom-values-1.4.0.yaml. This file is used during installation.
  5. Customize the ocnssf-custom-values-1.4.0.yaml file.
  6. Save the updated ocnssf-custom-values-1.4.0.yaml file in the helm chart directory.
The sample ocnssf-custom-values-1.4.0.yaml file is created based on all the parameters described in the Configurable Parameters section.

NSSF Configurable Parameters

NS-Selection

Table 3-1 NS-Selection

| Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Notes |
| --- | --- | --- | --- | --- | --- |
| homeMcc | MCC of PLMN of Home network | | M | 3 digit integer value | Used when Ns-Selection GET request comes without TAI |
| homeMnc | MNC of PLMN of Home network | | M | 2/3 digit integer value | Used when Ns-Selection GET request comes without TAI |
| nrfUrl | URL of NRF | | M | Valid URL | |
| reqnftime | When set to true AMF can send current time as Http Header | FALSE | O | TRUE/FALSE | This field is used when time based network slice is enabled. If set to true, the time sent by AMF is used to get the time profile based slice. When not set, the current local time of NSSF is used to get the slice. |
| outboundProxy | Value of outbound proxy for NSSF | | O | Host-name/IP address:port of outbound proxy | |
| features.nrfdiscovery | Flag to enable / disable NRF discovery for each GET request on NS-Selection Initial Register and Update Config request | FALSE | O | TRUE/FALSE | |
| features.relevance | Flag to enable / disable Relevance feature | FALSE | O | TRUE/FALSE | When enabled in conjunction with features.candidateResolution, NSSF will apply the relevance algorithm to select/sort Candidate AMFs, as a response to Initial register or UE config update request, which are part of the selected Target AMF Set. |
| features.candidateResolution | Flag to enable / disable Candidate Resolution feature | FALSE | O | TRUE/FALSE | When this feature is set to false, NSSF returns TargetAMFSetId and TargetAMFRegionId for NS-Selection GET request for Initial Register message and UE-Config update. When this feature is set to true, NSSF computes and returns Candidate AMF list for NS-Selection GET request for Initial Register message and UE-Config update. |
| nrfDiscoveryProperties.disclimit | Max Number of AMFs set on NRF discovery request | 5 | Mandatory when features.nrfdiscovery is set to true | 2-10 | This is accepted only when nrfDiscovery is set to true. |
| candidateResolutionProperties.maxcandidates | Maximum number of candidate AMFs | 3 | Mandatory when features.candidateResolution is set to true | 2-10 | This value is accepted only when candidateResolution is enabled. |
| global.databaseSecretName | This parameter is the name of Kubectl secret which contains Username and password for Database. | | M | Kubernetes Secret file name | Creation of Secrets must be done before installation of NSSF. |
| mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysq | M | Primary Mysql HostName or IP | OCNSSF will connect to the primary MYSQL host; if it is not available, it will connect to the secondary host. For MYSQL Cluster use respective IP Address or Mysql Host or Service. |
| mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For MYSQL Cluster use respective Secondary IP Address or Mysql Host or Service. |
| mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
| image.repository | Full Image Path | | M | Full image path of image | |
| log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |

NS-Availability

Table 3-2 NS-Availability

| Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Notes |
| --- | --- | --- | --- | --- | --- |
| maxExpiryDuration | Max duration (in Hours) up to which AMF can subscribe to NSSF | 240 | O | 100-1000 | Max Expiry duration must be more than Min Expiry duration. Requesting more than max expiry duration will be granted the value which is configured. |
| minExpiryDuration | Min duration (in Hours) of a valid subscription towards NSSF | 0 | O | 0-100 | Request lesser than configured value shall be rejected. |
| global.databaseSecretName | This parameter is the name of Kubectl secret which contains Username and password for Database. | | M | Kubernetes Secret file name | Creation of Secrets must be done before installation of NSSF. |
| mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysq | M | Primary Mysql HostName or IP | OCNSSF will connect to the primary MYSQL host; if it is not available, it will connect to the secondary host. For MYSQL Cluster, use respective IP Address or Mysql Host or Service. |
| mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For MYSQL Cluster, use respective Secondary IP Address or Mysql Host or Service. |
| mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
| image.repository | Full Image Path | | M | Full image path of image | |
| log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |
| contentEncodingEnabled | To enable or disable response gzip compression | True | O | True or False | If value is True, content-encoding (json to gzip) is enabled at server side (ocnssf). If value is false, content-encoding is not enabled. |
| compressionMinimumResponseSize | Minimum response size required for compression to happen (size is in bytes). | 1024 | O | Any value | Signifies the minimum size the response has to be in order for it to be compressed (and sent as gzip) |
| maxRequestSize | Maximum limit for request size | 1MB | O | Any Value | If request is larger than "maxRequestSize", then HTTP 413 (Request Entity Too Large error) response is sent back. |

NS-Config

Table 3-3 NS-Config

| Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Notes |
| --- | --- | --- | --- | --- | --- |
| nrf: subscription | Flag to enable subscription to NRF based on Target AMF set and Region Id | TRUE | M | TRUE/FALSE | When set to true, NSSF subscribes to get all the AMFs added/deleted on Target AMF set and Target AMF region is configured to NRF. NS-Policy: nrfDiscovery and NS-Config: nrf: Subscription are mutually exclusive. |
| notificationHandlerUrl | URL at which NS-Config MS receives notifications | | When nrf.subscription is set to true then Mandatory | Valid URL | This is the URL where NRF sends notifications when nrf:subscription is set to true. |
| mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysql | M | Primary Mysql HostName or IP | OCNSSF will connect to the primary MYSQL host; if it is not available, it will connect to the secondary host. For MYSQL Cluster use respective IP Address or Mysql Host or Service. |
| global.databaseSecretName | This parameter is the name of Kubectl secret which contains Username and password for Database. | | M | Kubernetes Secret file name | Creation of Secrets must be done before installation of NSSF. |
| mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For MYSQL Cluster use respective Secondary IP Address or Mysql Host or Service. |
| mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
| image.repository | Full Image Path | | M | Full image path of image | |
| log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |

NS-Subscription

Table 3-4 NS-Subscription

| Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Note |
| --- | --- | --- | --- | --- | --- |
| httpMaxRetries | Number of retries to be done when AMF does not respond to Notification. | 3 | M | 2-5 | |
| global.databaseSecretName | This parameter is the name of Kubectl secret which contains Username and password for Database. | | M | Kubernetes Secret file name | Creation of Secrets must be done before installation of NSSF. |
| mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysq | M | Primary Mysql HostName or IP | OCNSSF connects to the primary MYSQL host; if it is not available, it will connect to the secondary host. For MYSQL Cluster use respective IP Address or Mysql Host or Service. |
| mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For MYSQL Cluster use respective Secondary IP Address or Mysql Host or Service. |
| mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
| image.repository | Full Image Path | | M | Full image path of image | |
| log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |

Common Micro Services

Ingress Gateway

Table 3-5 Ingress Gateway

Name Description Default Value Mandatory Notes
global.dockerRegistry Name of the Docker registry which hosts Ingress docker images. ocnrf-registry.us.oracle.com:5000 Yes This is the registry which has docker images. Change this value if there is a need.
global.type type of service LoadBalancer Yes Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName
global.serviceAccountName Service Account name '' No
global.metalLbIpAllocationEnabled Enable or disable IP Address allocation from Metallb Pool true No
global.metalLbIpAllocationAnnotation Address Pool Annotation for Metallb metallb.universe.tf/address-pool: signaling No
global.staticIpAddressEnabled If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress Else random IP will be assigned by the metalLB from its IP Pool false No
global.staticIpAddress StaticIp 10.75.212.60
global.publicHttpSignalingPort Http Signaling port 80 Yes
global.publicHttpsSignallingPort Https Signaling port 443 Yes
global.staticNodePortEnabled Node Port Enabled true No
global.staticHttpNodePort Http Node Port 30075 Yes
global.staticHttpsNodePort Https Node Port 30043 Yes
global.configServerFullNameOverride This parameter is for the usage of policy teams. Other teams can ignore this parameter.   No  
enableOutgoingHttps Enabling it for outgoing https request false Yes Change it to true for enabling https for outgoing requests.
enableIncomingHttp Enabling it for incoming http request false Yes
enableIncomingHttps Enabling it for incoming https request true Yes
enablehttp1 Enable it for http1.1 false No Change it to true to enable
dnsRefreshDelay Dns Refresh Delay in milli-seconds 120000 No  
oauthValidatorEnabled Oauth Validator Enabled false Yes Change it to true to enable oauth
jaegerTracingEnabled Enable jaeger tracing false No Change it to true if needed.
openTracing.jaeger.udpSender.host Jaeger Host jaeger-agent.cne-infra Yes (If jaegerTracingEnabled is true)
openTracing.jaeger.udpSender.port Jaeger Port 6831 Yes (If jaegerTracingEnabled is true)
openTracing.jaeger.probabilisticSampler 0.5 Yes (If jaegerTracingEnabled is true)
nfType NFType of service producer. Value to be updated accordingly Yes (When oauthValidatorEnabled)
nfInstanceId: NF InstanceId of service producer. Value to be updated accordingly Yes (When oauthValidatorEnabled)
producerScope: Comma-separate list of services hosted by service producer. Value to be updated accordingly Yes (When oauthValidatorEnabled)
allowedClockSkewSeconds set this value if clock on the parsing NF(producer) is not perfectly in sync with the clock on the NF(consumer) that created the JWT. 0 Yes (When oauthValidatorEnabled)
nrfPublicKeyKubeSecret Name of the secret which stores the public key(s) of NRF. Value to be updated accordingly Yes (When oauthValidatorEnabled)
nrfPublicKeyKubeNamespace Namespace of the NRF publicKey Secret Value to be updated accordingly Yes (When oauthValidatorEnabled)
validationType Values can be "strict" or "relaxed". "strict" means that incoming request without "Authorization" (Access Token) header will be rejected."relaxed" means that if incoming request contains "Authorization" header, it will be validated. If incoming request does not contain "Authorization" header, validation will be ignored. Value to be updated accordingly Yes (When oauthValidatorEnabled)
producerPlmnMNC MNC of service producer. Value to be updated accordingly No
producerPlmnMCC MCC of service producer. Value to be updated accordingly No
cncc.enabled CNCC Identity-Access-Management(IAM). False No Change it to true if required.
cncc.core.sessionTimeoutSeconds Session Timeout Value in Seconds. Default: 1800, Minimum: 300, Maximum: 7200 1800 No  
cnccIamEnabled CNCC Identity-Access-Management (IAM) false No Change it to true if required
ingressGwCertReloadEnabled   true No  
rateLimiting.enabled Ratelimiting feature enabled false No  
routeRateLimiting.enabled Route based ratelimiting feature enabled true No  
globalIngressRateLimiting.enabled Global rate limiting is enabled true No  
globalIngressRateLimiting.duration Iterations of time duration (In seconds) for which bucketCapacity and refillRate are reset. 1 (in seconds) yes (if globalIngressRateLimiting.enabled)  
globalIngressRateLimiting.burstCapacity Holds maximum number of tokens in the bucket for the given duration. 1 yes (if globalIngressRateLimiting.enabled)  
globalIngressRateLimiting.refillRate Number of tokens to be added to the bucket for the given duration 1 yes (if globalIngressRateLimiting.enabled)  
identityAccessMgt.uri Identity access management uri   yes (if cnccIamEnabled)  
identityAccessMgt.path Identity access management path   yes (if cnccIamEnabled)  
identityAccessMgt.realm Identity access management realm   yes (if cnccIamEnabled)  
identityAccessMgt.clientId Identity access management client id   yes (if cnccIamEnabled)  

iam.uri (The section name is changed to iam.) Identity access management uri   yes (if cnccIamEnabled)  
iam.path Identity access management path   yes (if cnccIamEnabled)  
iam.realm Identity access management realm   yes (if cnccIamEnabled)  
iam.clientId Identity access management client id   yes (if cnccIamEnabled)  
pingDelay Delay between pings in seconds. When set to <=0,ping is disabled 60 Yes PING frame can be scheduled at Ingress-gateway to maintain connection between Ingress-gateway and backend micro-services even if the connection is idle.
cfgServer.enabled Config server switch. For the usage of Policy teams. For other NF's this has to be left false false No  
publicHttpSignalingPort Http Signalling port 80 Yes  
publicHttpsSignallingPort Https Signalling port 443 Yes  
ssl.privateKey.k8SecretName Name of the privatekey secret n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.privateKey.k8NameSpace Namespace of privatekey n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.privateKey.rsa.fileName rsa private key file name n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.privateKey.ecdsa.fileName ecdsa private key file name n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.certificate.k8SecretName Name of the privatekey secret n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.certificate.k8NameSpace Namespace of privatekey n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.certificate.rsa.fileName rsa private key file name n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.certificate.ecdsa.fileName ecdsa private key file name n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.caBundle.k8SecretName Name of the privatekey secret n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.caBundle.k8NameSpace Namespace of privatekey n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.caBundle.rsa.fileName rsa private key file name n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.keyStorePassword.k8SecretName Name of the privatekey secret n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.keyStorePassword.k8NameSpace Namespace of privatekey n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.keyStorePassword.fileName File name that has password for keyStore n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.trustStorePassword.k8SecretName Name of the privatekey secret n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.trustStorePassword.k8NameSpace Namespace of privatekey n/a Yes (If enableIncomingHttp is true otherwise No)  
ssl.trustStorePassword.fileName File name that has password for trustStore n/a Yes (If enableIncomingHttp is true otherwise No)  
uri Service name of the internal microservice of this NF   Yes  
id id of the route   Yes  
path Provide the path to be matched.   Yes  
order Provide the order of the execution of this route.   Yes  
methodRateLimiting.burstCapacity[0] burstCapacity   Yes (if routeRateLimiting.enabled)  
methodRateLimiting.refillRate[0] Refill rate   Yes (if routeRateLimiting.enabled)  
methodRateLimiting.duration[0] Duration   Yes (if routeRateLimiting.enabled)  
methodRateLimiting.method[0] Method on which ratelimiting is applicable   Yes (if routeRateLimiting.enabled)  
image.name Image name of ingress gateway ocingress_gateway No  
image.tag Image Tag name of ingress gateway 1.6.2 No  
image.pullPolicy Image Pull Policy Always No  
initContainersImage.name Image name of initContainer configurationinit No  
initContainersImage.tag Image tag name of initContainer 1.1.1 No  
initContainersImage.pullPolicy Image Pull Policy Always No  
updateContainersImage.name Image name of updateContainer configurationupdate No  
updateContainersImage.tag Image tag name of updateContainer 1.1.1 No  
updateContainersImage.pullPolicy Image Pull Policy Always No  
fullnameOverride Label to override name of api-gateway micro-service name ingress Yes  
serviceMeshCheck Load balancing will be handled by Ingress gateway, if true it would be handled by serviceMesh false Yes  
cipherSuites Supported Cipher Suites in Ingress TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 No  
maxRequestsQueuedPerDestination Jetty Client Settings 1024 No  
maxConnectionsPerDestination Jetty Client Settings 4 (This will be used when serviceMeshCheck is enabled) No  
maxConnectionsPerIp Jetty Client Settings 4 No  
connectionTimeout Jetty Client Settings 10000 No  
ingressGwCertReloadPath   /ingress-gw/certificate/reload No  
ssl.tlsVersion TLS Version TLSv1.2 Yes
ssl.initialAlgorithm RSA256 Yes ES256 can also be used, but corresponding certificates need to be used.
resources.limits.cpu CPU Limit 2  
resources.limits.memory Memory Limit 4Gi  
resources.limits.initServiceCpu Init Container CPU Limit 1  
resources.limits.updateServiceCpu Update Container CPU Limit 1  
resources.limits.initServiceMemory Init Container Memory Limit 1Gi  
resources.limits.updateServiceMemory Update Container Memory Limit 1Gi  
resources.requests.cpu CPU for requests 1  
resources.requests.memory Memory for requests 2Gi  
resources.requests.initServiceCpu Init Container CPU for requests 1  
resources.requests.updateServiceCpu Update Container CPU for requests 1  
resources.requests.initServiceMemory Init Container Memory for requests 1Gi  
resources.requests.updateServiceMemory Update Container Memory for requests 1Gi  
resources.target.averageCpuUtil 80  
minReplicas Min replicas to scale to maintain an average CPU utilization 2 Yes  
maxReplicas Max replicas to scale to maintain an average CPU utilization 5 Yes  
log.level.root Log level for root logs WARN No  
log.level.ingress Log level for ingress logs INFO No  
log.level.oauth Log level for oauth logs INFO No  
ports.containerPort ContainerPort represents a network port in a single container 8081 No  
ports.containersslPort 8443 No  
actuatorPort ActuatorPort 9090 No  
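
The ranges, conditional-mandatory rules and cross-parameter constraints in Tables 3-1 to 3-5 can be checked before installation. The following lint is an added example, not Oracle tooling: it assumes the values file has already been loaded and flattened to hypothetical `<service>:<parameter>` keys, and the sample values are constructed.

```python
import re

# Assumption: the values file is already loaded and flattened to hypothetical
# "<service>:<parameter>" keys; parameter names and limits are from Tables 3-1 to 3-5.
SERVICES = ("nsselection", "nsavailability", "nsconfig", "nssubscription")
ALLOWED_CIPHERS = {  # cipherSuites row of the Ingress Gateway table
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
RANGES = [  # (key, low, high)
    ("nsselection:nrfDiscoveryProperties.disclimit", 2, 10),
    ("nsselection:candidateResolutionProperties.maxcandidates", 2, 10),
    ("nsavailability:maxExpiryDuration", 100, 1000),
    ("nsavailability:minExpiryDuration", 0, 100),
    ("nssubscription:httpMaxRetries", 2, 5),
    ("ingress:cncc.core.sessionTimeoutSeconds", 300, 7200),
]
OAUTH_KEYS = ("nfType", "nfInstanceId", "producerScope", "allowedClockSkewSeconds",
              "nrfPublicKeyKubeSecret", "nrfPublicKeyKubeNamespace", "validationType")
REQUIRED_IF = {  # flag -> parameters that are mandatory once the flag is true
    "nsselection:features.nrfdiscovery": ["nsselection:nrfDiscoveryProperties.disclimit"],
    "nsselection:features.candidateResolution":
        ["nsselection:candidateResolutionProperties.maxcandidates"],
    "nsconfig:nrf.subscription": ["nsconfig:notificationHandlerUrl"],
    "ingress:oauthValidatorEnabled": ["ingress:" + k for k in OAUTH_KEYS],
    "ingress:globalIngressRateLimiting.enabled": [
        "ingress:globalIngressRateLimiting." + k
        for k in ("duration", "burstCapacity", "refillRate")],
}
ALWAYS_REQUIRED = ["nsselection:homeMcc", "nsselection:homeMnc", "nsselection:nrfUrl"]
ALWAYS_REQUIRED += [svc + ":global.databaseSecretName" for svc in SERVICES]

def _on(values, key):
    """True for a flag set to true; accepts booleans and TRUE/FALSE strings."""
    return str(values.get(key, "")).strip().lower() == "true"

def _missing(values, key):
    """Unset or empty; 0 and False count as set."""
    return values.get(key) in (None, "")

def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def lint(values):
    """Return (errors, warnings) for a flattened values dict."""
    errors, warnings = [], []
    for key in ALWAYS_REQUIRED:
        if _missing(values, key):
            errors.append(f"{key}: mandatory parameter is not set")
    for flag, needed in REQUIRED_IF.items():
        if _on(values, flag):
            errors += [f"{k}: mandatory when {flag} is true"
                       for k in needed if _missing(values, k)]
    for key, low, high in RANGES:
        if not _missing(values, key):
            number = _as_int(values[key])
            if number is None or not low <= number <= high:
                errors.append(f"{key}: {values[key]!r} is outside {low}-{high}")
    for key, pattern in (("nsselection:homeMcc", r"\d{3}"), ("nsselection:homeMnc", r"\d{2,3}")):
        if not _missing(values, key) and not re.fullmatch(pattern, str(values[key])):
            errors.append(f"{key}: {values[key]!r} does not match the documented digit count")
    if _on(values, "nsselection:features.nrfdiscovery") and _on(values, "nsconfig:nrf.subscription"):
        errors.append("nsconfig:nrf.subscription: mutually exclusive with features.nrfdiscovery")
    high = _as_int(values.get("nsavailability:maxExpiryDuration"))
    low = _as_int(values.get("nsavailability:minExpiryDuration"))
    if high is not None and low is not None and high <= low:
        errors.append("nsavailability:maxExpiryDuration: must be more than minExpiryDuration")
    unknown = sorted(set(values.get("ingress:cipherSuites") or []) - ALLOWED_CIPHERS)
    if unknown:
        errors.append("ingress:cipherSuites: not in the documented list: " + ", ".join(unknown))
    if _on(values, "ingress:oauthValidatorEnabled"):
        mode = values.get("ingress:validationType")
        if mode == "relaxed":
            warnings.append("ingress:validationType: relaxed ignores validation "
                            "when a request has no Authorization header")
        elif mode not in (None, "", "strict"):
            errors.append(f"ingress:validationType: {mode!r} is not strict or relaxed")
    if _on(values, "ingress:enableIncomingHttp"):
        warnings.append("ingress:enableIncomingHttp: incoming cleartext HTTP is enabled")
    return errors, warnings

# Constructed sample values (not from a real deployment); several rules are broken on purpose.
SAMPLE = {svc + ":global.databaseSecretName": "nssf-db-secret" for svc in SERVICES}
SAMPLE.update({
    "nsselection:homeMcc": "310", "nsselection:homeMnc": "14",
    "nsselection:nrfUrl": "http://nrf.example.invalid:8080",
    "nsselection:features.nrfdiscovery": "TRUE",
    "nsselection:nrfDiscoveryProperties.disclimit": 12,
    "nsconfig:nrf.subscription": True,
    "nsavailability:maxExpiryDuration": 100, "nsavailability:minExpiryDuration": 100,
    "nssubscription:httpMaxRetries": 3,
    "ingress:oauthValidatorEnabled": True, "ingress:validationType": "relaxed",
    "ingress:allowedClockSkewSeconds": 0, "ingress:enableIncomingHttp": True,
    "ingress:cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                             "TLS_RSA_WITH_AES_128_CBC_SHA"],
})
```

Calling `lint(SAMPLE)` returns the error and warning lists; an empty error list means the documented constraints covered here are met, not that the deployment is otherwise correct.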

Egress Gateway

Table 3-6 Egress Gateway

Name Description Default Value Mandatory Notes
global.appinfoServiceEnable Enabled to get RBAC permission for k8s apiserver communication true Yes
global.dockerRegistry Name of the Docker registry which hosts Egress docker images. ocnrf-registry.us.oracle.com:5000 Yes Ideally this is the registry which has docker images. Change this value if there is a need.
global.serviceAccountName Service Account Name '' No
serviceEgressGateway.port 8080 No
serviceEgressGateway.sslPort SSL Port 8442 No
serviceEgressGateway.actuatorPort Actuator Port 9090 No
enableOutgoingHttps Enabling it for outgoing https request false No Change it to true for enabling https for outgoing requests.
K8ServiceCheck Enable this if loadbalancing is to be done by egress instead of K8s false No
scp.scpDefaultScheme Default scheme applicable when 3gpp-sbi-target-apiroot header is missing https No  
scp.scpIntegrationEnabled Change this to false when scp integration is not required true No  
scp.scpRerouteEnabled Set this flag to true if re-routing to multiple SCP instances is to be enabled. true No  
scp.instances.http[0].host First Scp instance HTTP IP/FQDN NA Yes(If "scp.scpIntegrationEnabled" is set to true.) More SCP instances can be configured in a similar way if required.
scp.instances.http[0].port First Scp instance Port NA Yes(If "scp.scpIntegrationEnabled" is set to true.)  
scp.instances.http[0].apiPrefix First Scp instance apiPrefix. Change this value to corresponding prefix if "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. / No Examples : XXX, Point to be noted here is that / is not required to be included when providing some data.
scp.instances.https[0].host First Scp instance HTTPS IP/FQDN NA Yes(if "scp.scpIntegrationEnabled" is set to true.) More SCP instances can be configured in a similar way if required.
scp.instances.https[0].port First Scp instance HTTPS Port NA Yes(if "scp.scpIntegrationEnabled" is set to true.)  
scp.instances.https[0].apiPrefix First Scp instance apiPrefix. Change this value to corresponding prefix if "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. / No Examples : XXX, Point to be noted here is that / is not required to be included when providing some data.
headlessServiceEnabled Enabling this will make the service type default to ClusterIP false No
cipherSuites Supported Cipher Suites in Egress TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 No Connection with other ciphers would be rejected.
log.level Log level DEBUG No
jaegerTracingEnabled Enable jaeger tracing false No Change it to true if needed.
openTracing.jaeger.udpSender.host Jaeger Host jaeger-agent.cne-infra Yes (If jaegerTracingEnabled is true)
openTracing.jaeger.udpSender.port Jaeger Port 6831 Yes (If jaegerTracingEnabled is true)
openTracing.jaeger.probabilisticSampler 0.5 Yes (If jaegerTracingEnabled is true)
nrfAuthority NRF's ${HOSTNAME}:{PORT} Modify the field with actual value, required if oAuth is enabled. Yes
nfType NFType of service consumer. Modify the field with actual value , required if oAuth is enabled. Yes
nfInstanceId: NF InstanceId of Service Consumer. Modify the field with actual value, required if oAuth is enabled. Yes
oauthClientEnabled: Flag to enable or disable oauth client. If not modified, Default value 'false' will be defaulted. false No Change it to true to enable oAuth
consumerPlmnMNC MNC of service Consumer. Modify the field with actual value , required if oAuth is enabled. No
consumerPlmnMCC MCC of service Consumer. Modify the field with actual value , required if oAuth is enabled. No
maxRequestsQueuedPerDestination jetty client configuration 1024 No
maxConnectionsPerIp Max Connections allowed per Ip 4 No
connectionTimeout Connection timeout in milliseconds 1000 No
egressGwCertReloadEnabled true No
notificationRateLimit.enabled Flag to enable rate limiting for "notification" type of messages. false No  
notificationRateLimit.duration Iterations of time duration(In seconds) for which bucketCapacity and refillRate are reset.   Yes(If notificationRateLimit.enabled is set to true)  
notificationRateLimit.bucketCapacity Holds maximum number of tokens in the bucket for the given duration.   Yes(If notificationRateLimit.enabled is set to true)  
notificationRateLimit.refillRate Number of tokens to be added to the bucket for the given duration   Yes(If notificationRateLimit.enabled is set to true)  
type Type of service ClusterIP Yes Possible values are ClusterIP, NodePort, LoadBalancer and ExternalName
ssl.privateKey.k8SecretName Name of the privatekey secret n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.privateKey.k8NameSpace Namespace of privatekey n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.privateKey.rsa.fileName rsa private key file name n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.privateKey.ecdsa.fileName ecdsa private key file name n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.certificate.k8SecretName Name of the privatekey secret n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.certificate.k8NameSpace Namespace of privatekey n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.certificate.rsa.fileName rsa private key file name n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.certificate.ecdsa.fileName ecdsa private key file name n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.caBundle.k8SecretName Name of the privatekey secret n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.caBundle.k8NameSpace Namespace of privatekey n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.caBundle.rsa.fileName rsa private key file name n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.keyStorePassword.k8SecretName Name of the privatekey secret n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.keyStorePassword.k8NameSpace Namespace of privatekey n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.keyStorePassword.fileName File name that has password for keyStore n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.trustStorePassword.k8SecretName Name of the privatekey secret n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.trustStorePassword.k8NameSpace Namespace of privatekey n/a Yes (If enableOutgoingHttps is true otherwise No)  
ssl.trustStorePassword.fileName File name that has password for trustStore n/a Yes (If enableOutgoingHttps is true otherwise No)  
resources.limits.cpu CPU Limit 2    
resources.limits.memory Memory Limit 4Gi  
resources.limits.initServiceCpu Init Container CPU Limit 1  
resources.limits.updateServiceCpu Update Container CPU Limit 1    
resources.limits.initServiceMemory Init Container Memory Limit 1Gi    
resources.limits.updateServiceMemory Update Container Memory Limit 1Gi  
resources.requests.cpu CPU for requests 1    
resources.requests.memory Memory for requests 2Gi  
resources.requests.initServiceCpu Init Container CPU for requests 1  
resources.requests.updateServiceCpu Update Container CPU for requests 1  
resources.requests.initServiceMemory Init Container Memory for requests 1Gi  
resources.requests.updateServiceMemory Update Container Memory for requests 1Gi  
resources.target.averageCpuUtil 80  
minReplicas Minimum replicas to scale to maintain an average CPU utilization 2    
maxReplicas Maximum replicas to scale to maintain an average CPU utilization 5    
globalretry.enabled Can be set to true if Scp re-route feature (scpRerouteEnabled) is enabled. false No  
globalretry.retries Number of re-routes to be attempted to alternate SCP instances and this property will be considered in the absence of "routesConfig[0].filterName2.retries" attribute at route level.   Yes (If "routesConfig[0].filterName2.retries" is not defined)  
routesConfig[0].id id of the route   Yes Can be any name of your choice. Note: Multiple routes can be configured in a similar way.

routesConfig[0].uri Provide any dummy URL; an existing URL can also be left with its existing value   Yes Please note that the provided sample URL does not have any impact (http or https), as URLs will be constructed in the code.
routesConfig[0].path Provide the path to be matched.   Yes  
routesConfig[0].order Provide the order of the execution of this route.   Yes  
routesConfig[0].filterName1 Provide filtername as "ScpFilter"   Yes (If scpintegrationenabled is true) If FilterName1 is not provided then it would be considered as direct Egress Gateway path and configured accordingly during deployment.
routesConfig[0].filterName2.name Provide filtername as "ScpRetry"   Yes (If scpRerouteEnabled is true) Without FilterName1, it is not possible to configure FilterName2.name
routesConfig[0].filterName2.retries Number of re-routes to be attempted to alternate SCP instances if request matches this route's path.   Yes (If scpRerouteEnabled is true) If this is not defined then globalretry.retries parameter is applicable when globalretry.enabled is true.
routesConfig[0].filterName2.methods The type of methods for which the re-route need to be attempted.   Yes (If scpRerouteEnabled is true)  
routesConfig[0].filterName2.statuses The type response error codes on which the re-route need to be attempted.   Yes (If scpRerouteEnabled is true)
serviceEgressGateway.port Internal port on which egress gateway is running for HTTP2 No 8080 Change this value if there is any specific need.
serviceEgressGateway.sslPort Internal port on which egress gateway is running for HTTPS No 8442 Change this value if there is any specific need.
deploymentEgressGateway.image Image name of egress gateway No ocegress_gateway N/A
deploymentEgressGateway.imageTag Image Tag name of egress gateway No 1.6.1 N/A
deploymentEgressGateway.pullPolicy Pull Policy of Image No Always N/A
initContainersImage.name Image name of initContainer No configurationinit N/A
initContainersImage.tag Image tag name of initContainer No 1.1.1 N/A
initContainersImage.pullPolicy Pull Policy of Image No Always N/A
updateContainersImage.name Image name of updateContainer No configurationupdate N/A
updateContainersImage.tag Image tag name of updateContainer No 1.1.1 N/A
updateContainersImage.pullPolicy Pull Policy of Image No Always N/A
httpClientBean To be used when oAuth is enabled. When https is enabled it should be jettysClient; when https is disabled it can be left as '' Yes jettysClient Jetty bean name: when http is enabled -> ''; when https is enabled -> jettysClient

egressGwCertReloadEnabled Egress GW Certificates Reload Enabled No true N/A
jaegerTracingEnabled JaegerTracing Enabled No false N/A
ssl.tlsVersion TLS Version TLSv1.2 Yes
initialAlgorithm RSA256 Yes ES256 can also be used, but corresponding certificates need to be used.

Nrfclient

Table 3-7 Nrfclient

Parameter Description Default value Mandatory (M)/ Optional (O) Range or Possible Values (If applicable) Notes
deploymentNrfClientService.envNfNamespace Namespace in which NSSF is deployed ocnssf O    
configmapApplicationConfig.appProfiles List of NF-Profiles to register to NRF NA M NSSF-Profile is used to register to NRF List contains only one profile which is of NSSF
configmapApplicationConfig.nrfApiRoot URL of NRF NA M    
nfApiRoot URL pointing to ingress gateway of NSSF NA O    
image.repository Full Image Path   M Full image path of image  
log.level Logging level INFO O INFO, DEBUG, FATAL, ERROR, WARN Logging level

perf-info

Table 3-8 perf-info

Parameter Description Default value Mandatory (M)/ Optional (O) Range or Possible Values (If applicable) Notes
service_namespace Namespace in which NSSF is deployed ocnssf O   If no value is specified, NSSFs load reported to NRF is always 0.
configmapPerformance.prometheus Specifies Prometheus server URL No http://prometheus-server.prometheus:5802   If no value is specified, NSSFs load reported to NRF is always 0.
image.repository Full Image Path   M Full image path of image  
log.level Logging level INFO O INFO, DEBUG, FATAL, ERROR, WARN Logging level