3 Customizing NSSF
The OCNSSF deployment can be customized by overriding the default values of various configurable parameters. An ocnssf_values.yaml file can be prepared to customize the parameters. The section NSSF Configurable Parameters is an example of an OCNSSF customization file.
Configuration Options During Deployment
Basic Configuration:
- Once the Docker platform configuration is done, proceed as per NSSF Configurable Parameters.
- Check that the registry is in place and contains the latest Helm charts and jar as per the release for the NSSF node.
Customizing NSSF
The NSSF deployment is customized by overriding the default values of various configurable parameters in the ocnssf-custom-values-1.4.0.yaml file.
- Go to the Oracle Help Center (OHC) Web site: https://docs.oracle.com
- Navigate to Industries > Communications > Cloud Native Core > Release 2.2.1
- Click the Network Slice Selection Function (NSSF) Custom Template link to download the zip file.
- Unzip the file to get the ocnssf-custom-configTemplates-1.4.0.0.0 file, which contains ocnssf-custom-values-1.4.0.yaml. This file is used during installation.
- Customize the ocnssf-custom-values-1.4.0.yaml file.
- Save the updated ocnssf-custom-values-1.4.0.yaml file in the helm chart directory.
NSSF Configurable Parameters
NS-Availability
Table 3-2 NS-Availability
Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Notes |
---|---|---|---|---|---|
maxExpiryDuration | Max duration (in hours) up to which AMF can subscribe to NSSF | 240 | O | 100-1000 | Max Expiry duration must be more than Min Expiry duration. A request for more than the max expiry duration is granted the configured value. |
minExpiryDuration | Min duration (in hours) of a valid subscription towards NSSF | 0 | O | 0-100 | A request for less than the configured value is rejected. |
global.databaseSecretName | Name of the Kubernetes secret that contains the username and password for the database. | | M | Kubernetes Secret file name | Secrets must be created before NSSF is installed. |
mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysq | M | Primary Mysql HostName or IP | OCNSSF connects to the primary MySQL host; if it is not available, it connects to the secondary host. For a MySQL cluster, use the respective IP address, MySQL host or service. |
mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For a MySQL cluster, use the respective secondary IP address, MySQL host or service. |
mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
image.repository | Full Image Path | | M | Full image path of image | |
log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |
contentEncodingEnabled | To enable or disable response gzip compression | True | O | True or False | If the value is True, content-encoding (json to gzip) is enabled at the server side (ocnssf). If the value is False, content-encoding is not enabled. |
compressionMinimumResponseSize | Minimum response size required for compression to happen (size is in bytes). | 1024 | O | Any value | Signifies the minimum size the response has to be in order for it to be compressed (and sent as gzip) |
maxRequestSize | Maximum limit for request size | 1MB | O | Any Value | If request is larger than "maxRequestSize", then HTTP 413 (Request Entity Too Large error) response is sent back. |
NS-Config
Table 3-3 NS-Config
Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Notes |
---|---|---|---|---|---|
nrf: subscription | Flag to enable subscription to NRF based on Target AMF set and Region Id | TRUE | M | TRUE/FALSE | When set to true, NSSF subscribes to get all the AMFs added/deleted on Target AMF set and Target AMF region is configured to NRF. NS-Policy: nrfDiscovery and NS-Config: nrf: Subscription are mutually exclusive. |
notificationHandlerUrl | URL at which NS-Config MS receives notifications | | Mandatory when nrf.subscription is set to true | Valid URL | This is the URL where NRF sends notifications when nrf:subscription is set to true. |
mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysql | M | Primary Mysql HostName or IP | OCNSSF connects to the primary MySQL host; if it is not available, it connects to the secondary host. For a MySQL cluster, use the respective IP address, MySQL host or service. |
global.databaseSecretName | Name of the Kubernetes secret that contains the username and password for the database. | | M | Kubernetes Secret file name | Secrets must be created before NSSF is installed. |
mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For a MySQL cluster, use the respective secondary IP address, MySQL host or service. |
mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
image.repository | Full Image Path | | M | Full image path of image | |
log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |
NS-Subscription
Table 3-4 NS-Subscription
Helm Parameter | Description | Default Value | Mandatory (M)/ Optional (O) | Accepted Values | Note |
---|---|---|---|---|---|
httpMaxRetries | Number of retries to be done when AMF does not respond to a Notification. | 3 | M | 2-5 | |
global.databaseSecretName | Name of the Kubernetes secret that contains the username and password for the database. | | M | Kubernetes Secret file name | Secrets must be created before NSSF is installed. |
mysql.primary.host | Primary MYSQL Host IP or Hostname | ocnssf-mysq | M | Primary Mysql HostName or IP | OCNSSF connects to the primary MySQL host; if it is not available, it connects to the secondary host. For a MySQL cluster, use the respective IP address, MySQL host or service. |
mysql.secondary.host | Secondary MYSQL Host IP or Hostname | ocnssf-mysql | M | Secondary Mysql HostName or IP | For a MySQL cluster, use the respective secondary IP address, MySQL host or service. |
mysql.port | Port of MYSQL Database | 3306 | M | Port of MySQL Database | |
image.repository | Full Image Path | | M | Full image path of image | |
log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |
Common Micro Services
Ingress Gateway
Table 3-5 Ingress Gateway
Name | Description | Default Value | Mandatory | Notes |
---|---|---|---|---|
global.dockerRegistry | Name of the Docker registry which hosts Ingress docker images. | ocnrf-registry.us.oracle.com:5000 | Yes | This is the registry which has docker images. Change this value if there is a need. |
global.type | type of service | LoadBalancer | Yes | Possible values are :- ClusterIP, NodePort, LoadBalancer and ExternalName |
global.serviceAccountName | Service Account name | '' | No | |
global.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | true | No | |
global.metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | metallb.universe.tf/address-pool: signaling | No | |
global.staticIpAddressEnabled | If Static load balancer IP needs to be set, then set staticIpAddressEnabled flag to true and provide value for staticIpAddress Else random IP will be assigned by the metalLB from its IP Pool | false | No | |
global.staticIpAddress | StaticIp | 10.75.212.60 | | |
global.publicHttpSignalingPort | Http Signaling port | 80 | Yes | |
global.publicHttpsSignallingPort | Https Signaling port | 443 | Yes | |
global.staticNodePortEnabled | Node Port Enabled | true | No | |
global.staticHttpNodePort | Http Node Port | 30075 | Yes | |
global.staticHttpsNodePort | Https Node Port | 30043 | Yes | |
global.configServerFullNameOverride | This parameter is for the usage of policy teams. Other teams can ignore this parameter. | | No | |
enableOutgoingHttps | Enabling it for outgoing https request | false | Yes | Change it to true for enabling https for outgoing requests. |
enableIncomingHttp | Enabling it for incoming http request | false | Yes | |
enableIncomingHttps | Enabling it for incoming https request | true | Yes | |
enablehttp1 | Enable it for http1.1 | false | No | Change it to true to enable |
dnsRefreshDelay | Dns Refresh Delay in milli-seconds | 120000 | No | |
oauthValidatorEnabled | Oauth Validator Enabled | false | Yes | Change it to true to enable oauth |
jaegerTracingEnabled | Enable jaeger tracing | false | No | Change it to true if needed. |
openTracing.jaeger.udpSender.host | Jaeger Host | jaeger-agent.cne-infra | Yes (If jaegerTracingEnabled is true) | |
openTracing.jaeger.udpSender.port | Jaeger Port | 6831 | Yes (If jaegerTracingEnabled is true) | |
openTracing.jaeger.probabilisticSampler | | 0.5 | Yes (If jaegerTracingEnabled is true) | |
nfType | NFType of service producer. | Value to be updated accordingly | Yes (When oauthValidatorEnabled) | |
nfInstanceId: | NF InstanceId of service producer. | Value to be updated accordingly | Yes (When oauthValidatorEnabled) | |
producerScope: | Comma-separate list of services hosted by service producer. | Value to be updated accordingly | Yes (When oauthValidatorEnabled) | |
allowedClockSkewSeconds | set this value if clock on the parsing NF(producer) is not perfectly in sync with the clock on the NF(consumer) that created the JWT. | 0 | Yes (When oauthValidatorEnabled) | |
nrfPublicKeyKubeSecret | Name of the secret which stores the public key(s) of NRF. | Value to be updated accordingly | Yes (When oauthValidatorEnabled) | |
nrfPublicKeyKubeNamespace | Namespace of the NRF publicKey Secret | Value to be updated accordingly | Yes (When oauthValidatorEnabled) | |
validationType | Values can be "strict" or "relaxed". "strict" means that an incoming request without an "Authorization" (Access Token) header is rejected. "relaxed" means that if an incoming request contains an "Authorization" header, it is validated; if it does not contain an "Authorization" header, validation is ignored. | Value to be updated accordingly | Yes (When oauthValidatorEnabled) | |
producerPlmnMNC | MNC of service producer. | Value to be updated accordingly | No | |
producerPlmnMCC | MCC of service producer. | Value to be updated accordingly | No | |
cncc.enabled | CNCC Identity-Access-Management (IAM). | False | No | Change it to true if required. |
cncc.core.sessionTimeoutSeconds | Session Timeout Value in Seconds. Default: 1800, Minimum: 300, Maximum: 7200 | 1800 | No | |
cnccIamEnabled | CNCC Identity-Access-Management (IAM) | false | No | Change it to true if required |
ingressGwCertReloadEnabled | | true | No | |
rateLimiting.enabled | Ratelimiting feature enabled | false | No | |
routeRateLimiting.enabled | Route based ratelimiting feature enabled | true | No | |
globalIngressRateLimiting.enabled | Global rate limiting is enabled | true | No | |
globalIngressRateLimiting.duration | Iterations of time duration (In seconds) for which bucketCapacity and refillRate are reset. | 1 (in seconds) | yes (if globalIngressRateLimiting.enabled) | |
globalIngressRateLimiting.burstCapacity | Holds maximum number of tokens in the bucket for the given duration. | 1 | yes (if globalIngressRateLimiting.enabled) | |
globalIngressRateLimiting.refillRate | Number of tokens to be added to the bucket for the given duration | 1 | yes (if globalIngressRateLimiting.enabled) | |
identityAccessMgt.uri | Identity access management uri | | yes (if cnccIamEnabled) | |
identityAccessMgt.path | Identity access management path | | yes (if cnccIamEnabled) | |
identityAccessMgt.realm | Identity access management realm | | yes (if cnccIamEnabled) | |
identityAccessMgt.clientId | Identity access management client id | | yes (if cnccIamEnabled) | |
iam.uri | Identity access management uri | | yes (if cnccIamEnabled) | The section name is changed to iam. |
iam.path | Identity access management path | | yes (if cnccIamEnabled) | |
iam.realm | Identity access management realm | | yes (if cnccIamEnabled) | |
iam.clientId | Identity access management client id | | yes (if cnccIamEnabled) | |
pingDelay | Delay between pings in seconds. When set to <=0,ping is disabled | 60 | Yes | PING frame can be scheduled at Ingress-gateway to maintain connection between Ingress-gateway and backend micro-services even if the connection is idle. |
cfgServer.enabled | Config server switch. For the usage of Policy teams. For other NF's this has to be left false | false | No | |
publicHttpSignalingPort | Http Signalling port | 80 | Yes | |
publicHttpsSignallingPort | Https Signalling port | 443 | Yes | |
ssl.privateKey.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.privateKey.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.privateKey.rsa.fileName | rsa private key file name | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.privateKey.ecdsa.fileName | ecdsa private key file name | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.certificate.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.certificate.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.certificate.rsa.fileName | rsa private key file name | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.certificate.ecdsa.fileName | ecdsa private key file name | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.caBundle.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.caBundle.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.caBundle.rsa.fileName | rsa private key file name | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.keyStorePassword.fileName | File name that has password for keyStore | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
ssl.trustStorePassword.fileName | File name that has password for trustStore | n/a | Yes (If enableIncomingHttp is true otherwise No) | |
uri | Service name of the internal microservice of this NF | | Yes | |
id | id of the route | | Yes | |
path | Provide the path to be matched. | | Yes | |
order | Provide the order of the execution of this route. | | Yes | |
methodRateLimiting.burstCapacity[0] | burstCapacity | | Yes (if routeRateLimiting.enabled) | |
methodRateLimiting.refillRate[0] | Refill rate | | Yes (if routeRateLimiting.enabled) | |
methodRateLimiting.duration[0] | Duration | | Yes (if routeRateLimiting.enabled) | |
methodRateLimiting.method[0] | Method on which ratelimiting is applicable | | Yes (if routeRateLimiting.enabled) | |
image.name | Image name of ingress gateway | ocingress_gateway | No | |
image.tag | Image Tag name of ingress gateway | 1.6.2 | No | |
image.pullPolicy | Image Pull Policy | Always | No | |
initContainersImage.name | Image name of initContainer | configurationinit | No | |
initContainersImage.tag | Image tag name of initContainer | 1.1.1 | No | |
initContainersImage.pullPolicy | Image Pull Policy | Always | No | |
updateContainersImage.name | Image name of updateContainer | configurationupdate | No | |
updateContainersImage.tag | Image tag name of updateContainer | 1.1.1 | No | |
updateContainersImage.pullPolicy | Image Pull Policy | Always | No | |
fullnameOverride | Label to override name of api-gateway micro-service name | ingress | Yes | |
serviceMeshCheck | Load balancing will be handled by Ingress gateway, if true it would be handled by serviceMesh | false | Yes | |
cipherSuites | Supported Cipher Suites in Ingress | | No | |
maxRequestsQueuedPerDestination | Jetty Client Settings | 1024 | No | |
maxConnectionsPerDestination | Jetty Client Settings | 4 (This will be used when serviceMeshCheck is enabled) | No | |
maxConnectionsPerIp | Jetty Client Settings | 4 | No | |
connectionTimeout | Jetty Client Settings | 10000 | No | |
ingressGwCertReloadPath | | /ingress-gw/certificate/reload | No | |
ssl.tlsVersion | TLS Version | TLSv1.2 | Yes | |
ssl.initialAlgorithm | | RSA256 | Yes | ES256 can also be used, but corresponding certificates need to be used. |
resources.limits.cpu | CPU Limit | 2 | | |
resources.limits.memory | Memory Limit | 4Gi | | |
resources.limits.initServiceCpu | Init Container CPU Limit | 1 | | |
resources.limits.updateServiceCpu | Update Container CPU Limit | 1 | | |
resources.limits.initServiceMemory | Init Container Memory Limit | 1Gi | | |
resources.limits.updateServiceMemory | Update Container Memory Limit | 1Gi | | |
resources.requests.cpu | CPU for requests | 1 | | |
resources.requests.memory | Memory for requests | 2Gi | | |
resources.requests.initServiceCpu | Init Container CPU for requests | 1 | | |
resources.requests.updateServiceCpu | Update Container CPU for requests | 1 | | |
resources.requests.initServiceMemory | Init Container Memory for requests | 1Gi | | |
resources.requests.updateServiceMemory | Update Container Memory for requests | 1Gi | | |
resources.target.averageCpuUtil | | 80 | | |
minReplicas | Min replicas to scale to maintain an average CPU utilization | 2 | Yes | |
maxReplicas | Max replicas to scale to maintain an average CPU utilization | 5 | Yes | |
log.level.root | Log level for root logs | WARN | No | |
log.level.ingress | Log level for ingress logs | INFO | No | |
log.level.oauth | Log level for oauth logs | INFO | No | |
ports.containerPort | ContainerPort represents a network port in a single container | 8081 | No | |
ports.containersslPort | | 8443 | No | |
actuatorPort | ActuatorPort | 9090 | No |
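Several Ingress Gateway parameters in Table 3-5 become mandatory only when a feature flag is true, and a values file that enables the flag but omits them is easy to miss in review. The following is an added example, not Oracle's code: a pre-install lint over an already-parsed values mapping. It assumes the table's dotted names correspond to nested keys of that mapping, and the sample values are constructed.

```python
# Added example: lint parsed Ingress Gateway Helm values against Table 3-5.
# Assumption: the table's dotted names are nested keys of the parsed values mapping.

# Flag -> parameters Table 3-5 marks as mandatory when that flag is true.
CONDITIONAL = {
    "oauthValidatorEnabled": [
        "nfType", "nfInstanceId", "producerScope", "allowedClockSkewSeconds",
        "nrfPublicKeyKubeSecret", "nrfPublicKeyKubeNamespace", "validationType",
    ],
    "jaegerTracingEnabled": [
        "openTracing.jaeger.udpSender.host",
        "openTracing.jaeger.udpSender.port",
        "openTracing.jaeger.probabilisticSampler",
    ],
    "globalIngressRateLimiting.enabled": [
        "globalIngressRateLimiting.duration",
        "globalIngressRateLimiting.burstCapacity",
        "globalIngressRateLimiting.refillRate",
    ],
    "cnccIamEnabled": ["iam.uri", "iam.path", "iam.realm", "iam.clientId"],
}

_MISSING = object()


def lookup(values, dotted):
    """Resolve a dotted parameter name in a nested dict, or return _MISSING."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def is_true(value):
    """Accept YAML booleans and the string spellings the tables use (TRUE, True)."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def is_unset(value):
    """Absent, null or blank; a numeric 0 (allowedClockSkewSeconds default) is set."""
    return value is _MISSING or value is None or (isinstance(value, str) and not value.strip())


def lint_ingress(values):
    """Return a list of (severity, parameter, message) tuples."""
    findings = []
    for flag, required in CONDITIONAL.items():
        if is_true(lookup(values, flag)):
            for name in required:
                if is_unset(lookup(values, name)):
                    findings.append(("ERROR", name, f"mandatory when {flag} is true"))

    if is_true(lookup(values, "oauthValidatorEnabled")):
        vtype = lookup(values, "validationType")
        if vtype == "relaxed":
            findings.append(("WARN", "validationType",
                             "requests without an Authorization header skip validation"))
        elif not is_unset(vtype) and vtype != "strict":
            findings.append(("ERROR", "validationType", 'must be "strict" or "relaxed"'))
    else:
        findings.append(("WARN", "oauthValidatorEnabled",
                         "access tokens are not validated at the gateway"))

    if is_true(lookup(values, "enableIncomingHttp")):
        findings.append(("WARN", "enableIncomingHttp", "gateway accepts cleartext HTTP"))

    # Table 3-5 gives the session timeout bounds: minimum 300, maximum 7200.
    timeout = lookup(values, "cncc.core.sessionTimeoutSeconds")
    if isinstance(timeout, int) and not isinstance(timeout, bool) and not 300 <= timeout <= 7200:
        findings.append(("ERROR", "cncc.core.sessionTimeoutSeconds", "outside 300-7200"))
    return findings


# Constructed sample, not a real deployment: OAuth enabled but incomplete and relaxed.
SAMPLE_VALUES = {
    "enableIncomingHttp": True,
    "enableIncomingHttps": True,
    "oauthValidatorEnabled": True,
    "nfType": "NSSF",
    "nfInstanceId": "",
    "producerScope": "nnssf-nsselection,nnssf-nsavailability",
    "allowedClockSkewSeconds": 0,
    "nrfPublicKeyKubeSecret": "nrf-public-key",
    "validationType": "relaxed",
    "jaegerTracingEnabled": False,
    "globalIngressRateLimiting": {"enabled": True, "duration": 1, "burstCapacity": 1},
    "cncc": {"core": {"sessionTimeoutSeconds": 86400}},
}

if __name__ == "__main__":
    for severity, name, message in lint_ingress(SAMPLE_VALUES):
        print(f"{severity:5} {name}: {message}")
```

Feed it the mapping produced by whatever YAML parser the deployment pipeline already uses, and fail the pipeline on any ERROR finding.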
Egress Gateway
Table 3-6 Egress Gateway
Name | Description | Default Value | Mandatory | Notes |
---|---|---|---|---|
global.appinfoServiceEnable | Enabled to get RBAC permission for k8s apiserver communication | true | Yes | |
global.dockerRegistry | Name of the Docker registry which hosts Egress docker images. | ocnrf-registry.us.oracle.com:5000 | Yes | Ideally this is the registry which has docker images. Change this value if there is a need. |
global.serviceAccountName | Service Account Name | '' | No | |
serviceEgressGateway.port | | 8080 | No | |
serviceEgressGateway.sslPort | SSL Port | 8442 | No | |
serviceEgressGateway.actuatorPort | Actuator Port | 9090 | No | |
enableOutgoingHttps | Enabling it for outgoing https request | false | No | Change it to true for enabling https for outgoing requests. |
K8ServiceCheck | Enable this if loadbalancing is to be done by egress instead of K8s | false | No | |
scp.scpDefaultScheme | Default scheme applicable when 3gpp-sbi-target-apiroot header is missing | https | No | |
scp.scpIntegrationEnabled | Change this to false when scp integration is not required | true | No | |
scp.scpRerouteEnabled | Set this flag to true if re-routing to multiple SCP instances is to be enabled. | true | No | |
scp.instances.http[0].host | First Scp instance HTTP IP/FQDN | NA | Yes(If "scp.scpIntegrationEnabled" is set to true.) | More SCP instances can be configured in a similar way if required. |
scp.instances.http[0].port | First Scp instance Port | NA | Yes(If "scp.scpIntegrationEnabled" is set to true.) | |
scp.instances.http[0].apiPrefix | First Scp instance apiPrefix. Change this value to the corresponding prefix if "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | / | No | Example: XXX. Note that / is not required to be included when providing some data. |
scp.instances.https[0].host | First Scp instance HTTPS IP/FQDN | NA | Yes(if "scp.scpIntegrationEnabled" is set to true.) | More SCP instances can be configured in a similar way if required. |
scp.instances.https[0].port | First Scp instance HTTPS Port | NA | Yes(if "scp.scpIntegrationEnabled" is set to true.) | |
scp.instances.https[0].apiPrefix | First Scp instance apiPrefix. Change this value to the corresponding prefix if "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | / | No | Example: XXX. Note that / is not required to be included when providing some data. |
headlessServiceEnabled | Enabling this will make the service type default to ClusterIP | false | No | |
cipherSuites | Supported Cipher Suites in Egress | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | No | Connection with other ciphers would be rejected. |
log.level | Log level | DEBUG | No | |
jaegerTracingEnabled | Enable jaeger tracing | false | No | Change it to true if needed. |
openTracing.jaeger.udpSender.host | Jaeger Host | jaeger-agent.cne-infra | Yes (If jaegerTracingEnabled is true) | |
openTracing.jaeger.udpSender.port | Jaeger Port | 6831 | Yes (If jaegerTracingEnabled is true) | |
openTracing.jaeger.probabilisticSampler | | 0.5 | Yes (If jaegerTracingEnabled is true) | |
nrfAuthority | NRF's ${HOSTNAME}:{PORT} | Modify the field with actual value, required if oAuth is enabled. | Yes | |
nfType | NFType of service consumer. | Modify the field with actual value , required if oAuth is enabled. | Yes | |
nfInstanceId: | NF InstanceId of Service Consumer. | Modify the field with actual value, required if oAuth is enabled. | Yes | |
oauthClientEnabled: | Flag to enable or disable oauth client. If not modified, Default value 'false' will be defaulted. | false | No | Change it to true to enable oAuth |
consumerPlmnMNC | MNC of service Consumer. | Modify the field with actual value , required if oAuth is enabled. | No | |
consumerPlmnMCC | MCC of service Consumer. | Modify the field with actual value , required if oAuth is enabled. | No | |
maxRequestsQueuedPerDestination | jetty client configuration | 1024 | No | |
maxConnectionsPerIp | Max Connections allowed per Ip | 4 | No | |
connectionTimeout | Connection timeout in milliseconds | 1000 | No | |
egressGwCertReloadEnabled | | true | No | |
notificationRateLimit.enabled | Flag to enable rate limiting for "notification" type of messages. | false | No | |
notificationRateLimit.duration | Iterations of time duration (in seconds) for which bucketCapacity and refillRate are reset. | | Yes (If notificationRateLimit.enabled is set to true) | |
notificationRateLimit.bucketCapacity | Holds maximum number of tokens in the bucket for the given duration. | | Yes (If notificationRateLimit.enabled is set to true) | |
notificationRateLimit.refillRate | Number of tokens to be added to the bucket for the given duration | | Yes (If notificationRateLimit.enabled is set to true) | |
type | type of service | ClusterIP (possible values are ClusterIP, NodePort, LoadBalancer and ExternalName) | Yes | |
ssl.privateKey.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.privateKey.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.privateKey.rsa.fileName | rsa private key file name | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.privateKey.ecdsa.fileName | ecdsa private key file name | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.certificate.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.certificate.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.certificate.rsa.fileName | rsa private key file name | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.certificate.ecdsa.fileName | ecdsa private key file name | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.caBundle.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.caBundle.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.caBundle.rsa.fileName | rsa private key file name | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.keyStorePassword.fileName | File name that has password for keyStore | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
ssl.trustStorePassword.fileName | File name that has password for trustStore | n/a | Yes (If enableOutgoingHttps is true otherwise No) | |
resources.limits.cpu | CPU Limit | 2 | | |
resources.limits.memory | Memory Limit | 4Gi | | |
resources.limits.initServiceCpu | Init Container CPU Limit | 1 | | |
resources.limits.updateServiceCpu | Update Container CPU Limit | 1 | | |
resources.limits.initServiceMemory | Init Container Memory Limit | 1Gi | | |
resources.limits.updateServiceMemory | Update Container Memory Limit | 1Gi | | |
resources.requests.cpu | CPU for requests | 1 | | |
resources.requests.memory | Memory for requests | 2Gi | | |
resources.requests.initServiceCpu | Init Container CPU for requests | 1 | | |
resources.requests.updateServiceCpu | Update Container CPU for requests | 1 | | |
resources.requests.initServiceMemory | Init Container Memory for requests | 1Gi | | |
resources.requests.updateServiceMemory | Update Container Memory for requests | 1Gi | | |
resources.target.averageCpuUtil | | 80 | | |
minReplicas | Minimum replicas to scale to maintain an average CPU utilization | 2 | | |
maxReplicas | Maximum replicas to scale to maintain an average CPU utilization | 5 | | |
globalretry.enabled | Can be set to true if Scp re-route feature (scpRerouteEnabled) is enabled. | false | No | |
globalretry.retries | Number of re-routes to be attempted to alternate SCP instances and this property will be considered in the absence of "routesConfig[0].filterName2.retries" attribute at route level. | | Yes (If "routesConfig[0].filterName2.retries" is not defined) | |
routesConfig[0].id | id of the route | | Yes | Can be any name of your choice. Note: Multiple routes can be configured in a similar way. |
routesConfig[0].uri | Provide any dummy URL; an existing URL can also be left with its existing value | | Yes | The provided sample URL (http or https) has no impact, as URLs are constructed in the code. |
routesConfig[0].path | Provide the path to be matched. | | Yes | |
routesConfig[0].order | Provide the order of the execution of this route. | | Yes | |
routesConfig[0].filterName1 | Provide filtername as "ScpFilter" | | Yes (If scpintegrationenabled is true) | If FilterName1 is not provided then it would be considered as direct Egress Gateway path and configured accordingly during deployment. |
routesConfig[0].filterName2.name | Provide filtername as "ScpRetry" | | Yes (If scpRerouteEnabled is true) | Without FilterName1, it is not possible to configure FilterName2.name |
routesConfig[0].filterName2.retries | Number of re-routes to be attempted to alternate SCP instances if request matches this route's path. | | Yes (If scpRerouteEnabled is true) | If this is not defined then globalretry.retries parameter is applicable when globalretry.enabled is true. |
routesConfig[0].filterName2.methods | The type of methods for which the re-route needs to be attempted. | | Yes (If scpRerouteEnabled is true) | |
routesConfig[0].filterName2.statuses | The type of response error codes on which the re-route needs to be attempted. | | Yes (If scpRerouteEnabled is true) | |
serviceEgressGateway.port | Internal port on which egress gateway is running for HTTP2 | 8080 | No | Change this value if there is any specific need. |
serviceEgressGateway.sslPort | Internal port on which egress gateway is running for HTTPS | 8442 | No | Change this value if there is any specific need. |
deploymentEgressGateway.image | Image name of egress gateway | ocegress_gateway | No | N/A |
deploymentEgressGateway.imageTag | Image Tag name of egress gateway | 1.6.1 | No | N/A |
deploymentEgressGateway.pullPolicy | Pull Policy of Image | Always | No | N/A |
initContainersImage.name | Image name of initContainer | configurationinit | No | N/A |
initContainersImage.tag | Image tag name of initContainer | 1.1.1 | No | N/A |
initContainersImage.pullPolicy | Pull Policy of Image | Always | No | N/A |
updateContainersImage.name | Image name of updateContainer | configurationupdate | No | N/A |
updateContainersImage.tag | Image tag name of updateContainer | 1.1.1 | No | N/A |
updateContainersImage.pullPolicy | Pull Policy of Image | Always | No | N/A |
httpClientBean | To be used when oAuth is enabled. When https is enabled then it should be jettysClient, when https is disabled then it can be left as '' | jettysClient | Yes | Jetty bean name: when http enabled -> '', when https enabled -> jettysClient |
egressGwCertReloadEnabled | Egress GW Certificates Reload Enabled | true | No | N/A |
jaegerTracingEnabled | JaegerTracing Enabled | false | No | N/A |
ssl.tlsVersion | TLS Version | TLSv1.2 | Yes | |
initialAlgorithm | | RSA256 | Yes | ES256 can also be used, but corresponding certificates need to be used. |
Nrfclient
Table 3-7 Nrfclient
Parameter | Description | Default value | Mandatory (M)/ Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
deploymentNrfClientService.envNfNamespace | Namespace in which NSSF is deployed | ocnssf | O | | |
configmapApplicationConfig.appProfiles | List of NF-Profiles to register to NRF | NA | M | NSSF-Profile is used to register to NRF | List contains only one profile which is of NSSF |
configmapApplicationConfig.nrfApiRoot | URL of NRF | NA | M | | |
nfApiRoot | URL pointing to ingress gateway of NSSF | NA | O | | |
image.repository | Full Image Path | | M | Full image path of image | |
log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |
perf-info
Table 3-8 perf-info
Parameter | Description | Default value | Mandatory (M)/ Optional (O) | Range or Possible Values (If applicable) | Notes |
---|---|---|---|---|---|
service_namespace | Namespace in which NSSF is deployed | ocnssf | O | | If no value is specified, NSSFs load reported to NRF is always 0. |
configmapPerformance.prometheus | Specifies Prometheus server URL | http://prometheus-server.prometheus:5802 | No | | If no value is specified, NSSFs load reported to NRF is always 0. |
image.repository | Full Image Path | | M | Full image path of image | |
log.level | Logging level | INFO | O | INFO, DEBUG, FATAL, ERROR, WARN | Logging level |