3 Customizing Cloud Native Core Policy
This chapter describes how to customize the Cloud Native Core Policy (CNC Policy) deployment in a cloud native environment.
The CNC Policy deployment is customized by overriding the default values of various configurable parameters in the occnp-1.7.3-custom-values-occnp.yaml, occnp-1.7.3-custom-values-pcf.yaml, and occnp-1.7.3-custom-values-pcrf.yaml files.
If you are deploying CNC Policy with Aspen service mesh, you can override the default values of configurable parameters and customize them in the custom_values_occnp-custom-values-pcf-unified-ports.yaml, custom_values_occnp-custom-values-pcrf-unified-ports.yaml, and custom_values_occnp-custom-values-occnp-unified-ports.yaml files.
To customize the custom value files as per the required parameters, perform the
following steps:
- Go to the Oracle Help Center (OHC) Web site:
- Navigate to Industries->Communications->Cloud Native Core->Release 2.2.1
- Click the CNC Policy Custom Template link to download the zip file.
- Unzip the file to get the custom value files. These files are used during installation.
- Depending on the deployment model, customize the required custom-values.yaml file based on all the parameters described in the Configurable Parameters section.
- Save the updated custom-values.yaml in the helm chart directory.
Configurable Parameters
Note:
- All parameters mentioned as mandatory must be present in custom values file.
- All fixed value parameters mentioned must be present in the custom values file with the exact values as specified here.
Global Configurations
These configuration parameters are common for all micro services.
Table 3-1 Customizable Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| userServiceEnable | Detremines if the user service is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| amServiceEnable | Detremines if the AM service is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| smServiceEnable | Detremines if the SM service is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| ueServiceEnable | Detremines if the UE service is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| nrfClientNfDiscoveryEnable | O | True | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.1 | ||
| diamConnectorEnable | Detremines if the diameter connector is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| appinfoServiceEnable | Determines if the app info service is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| performanceServiceEnable | Determines if the performance service is enabled or not. | O | True | CNC Policy&PCF | Added in Release 1.7.1 | |
| pcrfCoreEnable | Detremines if the PCRF core service is enabled or not. | O | True | CNC Policy&cnPCRF | Added in Release 1.7.1 | |
| soapConnectorEnable | Detremines if the soap connector is enabled or not. | O | False | CNC Policy&cnPCRF | Added in Release 1.7.1 | |
| diamGatewayEnable | Detremines if the diameter gateway is enabled or not. | O | True | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.1 | |
| bindingEnable | Detremines if the Binding service is enabled or not. | O | True | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.1 | This Parameter value is False for PCF & cnPCRF. |
| policydsEnable | Detremines if the Data Source service is enabled or not. | O | False | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.1 | |
| ldapGatewayEnable | Detremines if the LDAP Gateway is enabled or not. | O | False | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.1 | |
| nrfClientNfManagementEnable | O | True | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.1 | ||
| dockerRegistry | Name of the Docker registry which hosts Cloud Native Core Policy docker images | Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.0 |
This is a docker registry running in OCCNE bastion server where all OAuth docker images will be loaded. For example, 'occne-bastion:5000' |
| envMysqlHost |
IP address or host name of the MySql server which hosts Cloud Native Core Policy's databases |
Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.0 | |
| envMysqlPort | port of the MySql server which hosts Cloud Native Core Policy's databases | Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.0 | |
| envJaegerAgentHost | Hostname or IP address for the jaeger agent | Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.0 | This parameter is the fqdn of Jaeger Agent service running in OCCNE cluster under namespace occne-infra. Format is <JAEGER_SVC_NAME>.<JAEGER_NAMESPACE> |
| dbCredSecretName | Name of the Kubernetes secret object containing Database username and password | Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | |
| privilegedDbCredSecretName | Name of the Kubernetes secret object containing Database username and password for an admin user | Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | |
| releaseDbName | Name of the release database containing release version details | Yes | Not applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | |
| <service chart name>.image | Docker image name for the service | Yes | CNC Policy, PCF, &cnPCRF | Added in Release 1.0 | It is required only when you modify the image name. | |
| <service chart name>.imageTag | Tag the image used for the CNC Policy pod | Yes | CNC Policy, PCF, &cnPCRF | Added in Release 1.0 | It is required only when you modify the image tag. | |
| pcfApiRoot | API root of PCF that is used in notification URLs generated by PCF's when sending request to other producer NFs (like NRF, UDR, CHF, etc..) | No | Ingress gateway service name and port | CNC Policy & PCF | Added in Release 1.5.x |
If not configured then the ingress gateway service name and port will be used as default value. Example: "https://<Helm namespace>-pcf-ingress-gateway:443" pcfApiRoot: '' |
Core Services
Table 3-2 Customizable Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| am-service.envMysqlDatabase | Name of the database for AM-Service | No | occnp_pcf_am | CNC Policy & PCF | Added in Release 1.0 | |
| sm-service.envMysqlDatabase | Name of the database for SM-Service | No | occnp_pcf_sm | CNC Policy & PCF | Added in Release 1.0 | |
| sm-service.envMysqlDatabaseUserService | Name of the database of User Service | No | occnp_pcf_user | CNC Policy & PCF | Added in Release 1.6.x | Same value as "user-service.envMysqlDatabase" |
|
sm-service.auditSmSessionTtl |
SM Policy Association normal age | No | 86400 | CNC Policy & PCF | Added in Release 1.6.x | Specifies age of a SM policy association after which a record is considered to be stale on PCF and the SMF is queried for presence of such associations. |
|
sm-service.auditSmSessionMaxTtl |
SM Policy Association maximum age | No | 172800 | CNC Policy & PCF | Added in Release 1.6.x | Specifies maximum age of a SM Policy Association after which a record is purged from PCF SM database without sending further queries to SMF. |
| sm-service.defaultBsfApiRoot | Api root of pre-configured BSF | No | Not applicable | CNC Policy & PCF | Added in Release 1.5.x | Required, if PCF uses pre-configured BSF. For Example: "https://bsf.apigateway:8001/" |
| user-service.envMysqlDatabase | Name of the database for User-Service | No | occnp_pcf_user | CNC Policy & PCF | Added in Release 1.0 |
Common Services
Table 3-3 Customizable Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| cm-service.enableHttps | Flag to enable/disable HTTPS for cm-service GUI/API | Optional | false | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | |
| config-server.envMysqlDatabase | Name of the database for Config Server service | No | occnp_config_server | CNC Policy & PCF | Added in Release 1.0 | |
| queryservice.envMysqlDatabaseSmService | Specify the database name of SM service | Conditional | occnp_pcf_sm | CNC Policy & PCF | Added in Release 1.6.x | |
| queryservice.envMysqlDatabaseUserService | Specify the database name of User service | Conditional | occnp_pcf_user | CNC Policy & PCF | Added in Release 1.6.x | Same value as "user-service.envMysqlDatabase" |
| audit-service.envMysqlDatabase | Name of the database for Audit service | No | occnp_audit_service | CNC Policy & PCF | Added in Release 1.7.1 | |
| perf-info.configmapPerformance.prometheus | Specifies Prometheus server URL | Conditional | http://prometheus-server.prometheus:5802 | CNC Policy & PCF | Added in Release 1.0 | If no value is specified, PCFs load reported to NRF is always 0. |
|
appinfo.serviceAccountName |
K8s Service Account to access (RBAC) the K8s API server to retrieve status of PCF services and pods. The account should have read access ( "get" , "watch" , "list" ) to pods, services and nodes |
Conditional | Not applicable | CNC Policy & PCF | Added in Release 1.6.x | If no value is specified, PCF creates a service account at the time of deployment. |
| appinfo.infraServices | Set this parameter to an empty array if any one of
below condition is met:
|
Conditional | Not Applicable | CNC Policy & PCF | Added in Release 1.7.1 | |
| policyds.envMysqlDatabaseConfigServer | Specify the database name of Config Server service | occnp_config_server | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | ||
| ldap-gateway.serviceAccountName | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | ||||
| pcrf-core.envMysqlDatabase | Name of the database for PCRF-Core | No | occnp_pcrf_core | CNC Policy & cnPCRF | Added in Release 1.0 | |
| binding.envMysqlDatabase | Name of the database for Binding service | No | occnp_binding | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | |
| binding.bsfEnabled | No | False | CNC Policy & PCF | Added in Release 1.7.1 |
NRF Client
Table 3-4 Customizable Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.deploymentNrfClientService.envNfNamespace | K8s namespace of PCF | Mandatory | Not Applicable | CNC Policy & PCF | Added in Release 1.6.x | |
| global.deploymentNrfClientService.nfApiRoot | Api root of PCF | Mandatory | Not Applicable | CNC Policy & PCF | Added in Release 1.6.x | same value as global.pcfApiRoot |
| nrf-client.configmapApplicationConfig.profile | Contains configuration parameters that goes into nrf-client's config map | Mandatory | Not Applicable | CNC Policy & PCF | Added in Release 1.6.x | Refer below table for config parameters in config-map |
| nrf-client-nfdiscovery.envJaegerSamplerParam | '1' | CNC Policy & PCF | Added in Release 1.7.1 | |||
| nrf-client-nfdiscovery.envJaegerSamplerType | ratelimitimg | CNC Policy & PCF | Added in Release 1.7.1 | |||
| nrf-client-nfdiscovery.envJaegerServiceName | pcf-nrf-client-nfdiscovery | CNC Policy & PCF | Added in Release 1.7.1 | |||
| nrf-client-nfmanagement.envJaegerSamplerParam | '1' | CNC Policy & PCF | Added in Release 1.7.1.0 | |||
| nrf-client-nfmanagement.envJaegerSamplerType | ratelimiting | CNC Policy & PCF | Added in Release 1.7.1 | |||
| nrf-client-nfmanagement.envJaegerServiceName | pcf-nrf-client-nfmanagement | CNC Policy & PCF | Added in Release 1.7.1 |
Config parameters in Config-map
| Parameter | Description | Allowed Values | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|
| primaryNrfApiRoot | Primary NRF API root <http scheme>://<Hostname/IP>:<Port> | valid api root | CNC Policy & PCF | Added in Release 1.6.x | For Example: http://nrf1-api-gateway.svc:80 |
| SecondaryNrfApiRoot | secondary NRF API root <http scheme>://<Hostname/IP>:<Port> | valid api root | CNC Policy & PCF | Added in Release 1.6.x | For Example: http://nrf2-api-gateway.svc:80 |
| retryAfterTime | When primary NRF is down, this will be the wait Time (in ISO 8601 duration format) after which request to primary NRF will be retried to detect primary NRF's availability. | valid ISO 8601 duration format | CNC Policy & PCF | Added in Release 1.6.x | For Example: PT120S |
| nrfClientType | This should be set to PCF | PCF | CNC Policy & PCF | Added in Release 1.6.x | |
| nrfClientSubscribeTypes | NF Type(s) for which the NF wants to discover and subscribe to the NRF | BSF,UDR,CHF | CNC Policy & PCF | Added in Release 1.6.x | Leave blank if PCF does not require. |
| appProfiles | NfProfile of PCF to be registered with NRF | Valid NF Profile | CNC Policy & PCF | Added in Release 1.6.x | |
| enableF3 | Support for 29.510 Release 15.3 | true/false | CNC Policy & PCF | Added in Release 1.6.x | |
| enableF5 | Support for 29.510 Release 15.5 | true/false | CNC Policy & PCF | Added in Release 1.6.x | |
| renewalTimeBeforeExpiry | Time Period(seconds) before the Subscription Validity time expires | Time in seconds | CNC Policy & PCF | Added in Release 1.6.x | For Example: 3600 (1hr) |
| validityTime | The default validity time(days) for subscriptions | Time in days | CNC Policy & PCF | Added in Release 1.6.x | For Example: 30 (30 days) |
| enableSubscriptionAutoRenewal | Enable Renewal of Subscriptions automatically | true/false | CNC Policy & PCF | Added in Release 1.6.x | |
| acceptAdditionalAttributes | Enable additionalAttributes as part of 29.510 Release 15.5 | true/false | CNC Policy & PCF | Added in Release 1.6.x | |
| supportedDataSetId | POLICY | CNC Policy & PCF | Added in Release 1.7.1 |
Diameter
Table 3-5 Customizable Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| diam-connector.envDiameterRealm | Diameter Realm of PCF | Yes | Not applicable | CNC Policy & PCF | Added in Release 1.6.x | example: oracle.com |
| diam-connector.envDiameterIdentity | Diameter Host of PCF | Yes | Not applicable | CNC Policy & PCF | Added in Release 1.6.x | example: ocpcf |
| diam-gateway.envGatewayMode | Diameter Gateway mode | Yes | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | For CNC Policy,the value is "converged". For PCF,the value is "PCF". For cnPCRF,the value is "cnPCRF". | |
| diam-gateway.envGatewayDeploymentType | Diameter Gateway deployment type (applicable only when mode is converged) | Yes | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | For CNC Policy,the value is "CONVERGED". For PCF,the value is "PCF". For cnPCRF,the value is "cnPCRF". | |
|
diam-gateway.envDiameterRealm |
Diameter Realm of PCF diameter gateway | Yes | Not applicable | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | example: oracle.com |
|
diam-gateway.envDiameterIdentity |
Diameter Host of PCF diameter gateway | Yes | Not applicable | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | example: oc-diam-gateway |
Ingress Gateway Service
Table 3-6 Customizable Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
|
global.publicHttpSignalingPort |
HTTP/2.0 Port of ingress gateway | No | 80 | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
|
global.publicHttpsSignallingPort |
HTTPS/2.0 Port of ingress gateway | No | 443 | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
| global.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | No | false | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
| global.metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | No | "metallb.universe.tf/address-pool: signaling" | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
| ingress-gateway.enabled | Determines if ingress gateway is enabled or not. | True | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | ||
|
ingress-gateway.serviceMeshCheck |
Enable this parameter if load balancing is handled by Service Mesh | No | False | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
| ingress-gateway.jaegerTracingEnabled | No | False | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | ||
| ingress-gateway.openTracing.jaeger.udpSender.host | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | ||||
| ingress-gateway.openTracing.jaeger.udpSender.port | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | ||||
| ingress-gateway.openTracing. jaeger.probabilisticSampler | CNC Policy, PCF, &cnPCRF | Added in Release 1.6.x | ||||
| ingress-gateway.oauthValidatorEnabled | Enable or disable OAuth Validator | Yes | False | CNC Policy & PCF | Added in Release 1.5.x | |
| ingress-gateway.nfInstanceId | NF Instance Id of service producer | No | 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11 | CNC Policy & PCF | Added in Release 1.5.x | |
| ingress-gateway.allowedClockSkewSeconds | set this value if clock on the parsing NF (producer) is not perfectly in sync with the clock on the NF (consumer) that created by JWT | No | 0 | CNC Policy & PCF | Added in Release 1.6.x | |
| ingress-gateway.nrfPublicKeyKubeSecret | Name of the secret which stores the public key(s) of NRF | No | CNC Policy & PCF | Added in Release 1.5.x | ||
| ingress-gateway.nrfPublicKeyKubeNamespace | Namespace of the NRF public key secret | No | CNC Policy & PCF | Added in Release 1.5.x | ||
| ingress-gateway.validationType | Possible values are:
strict- If incoming request does not contain "Authorization" (Access Token) header, the request is rejected. relaxed- relaxed means that if Incoming request contains "Authorization" header, it is validated. If Incoming request does not contain "Authorization" header, validation is ignored. |
No | CNC Policy & PCF | Added in Release 1.6.x | ||
| ingress-gateway.producerPlmnMNC | MNC of the service producer | No | CNC Policy & PCF | Added in Release 1.5.x | ||
| ingress-gateway.producerPlmnMCC | MCC of the service producer | No | CNC Policy & PCF | Added in Release 1.5.x | ||
|
ingress-gateway.enableIncomingHttp |
To enable http (INSECURE) for ingress traffic | No | False | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
| ingress-gateway.enableIncomingHttps | To enable https for ingress traffic | No | False | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | |
|
ingress-gateway.service.ssl.privateKey.k8SecretName |
Name of the privatekey secret | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.privateKey.k8NameSpace |
Namespace of privatekey | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.privateKey.rsa.fileName |
rsa private key file name | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
| ingress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | Added in Release 1.5.x | required if enableIncomingHttps is true | |
|
ingress-gateway.service.ssl.certificate.k8SecretName |
Name of the privatekey secret | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.certificate.k8NameSpace |
Namespace of privatekey | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.certificate.rsa.fileName |
rsa private key file name | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.certificate.ecdsa.fileName |
ecdsa private key file name | No | Not Applicable | Added in Release 1.5.x | required if enableIncomingHttps is true | |
|
ingress-gateway.service.ssl.caBundle.k8SecretName |
Name of the privatekey secret | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.caBundle.k8NameSpace |
Namespace of privatekey | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.caBundle.fileName |
private key file name | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.keyStorePassword.k8SecretName |
Name of the privatekey secret | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttp is true |
|
ingress-gateway.service.ssl.keyStorePassword.k8NameSpace |
Namespace of privatekey | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.keyStorePassword.fileName |
File name that has password for keyStore | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.trustStorePassword.k8SecretName |
Name of the privatekey secret | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.trustStorePassword.k8NameSpace |
Namespace of privatekey | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
|
ingress-gateway.service.ssl.trustStorePassword.fileName |
File name that has password for trustStore | No | Not Applicable | CNC Policy, PCF, &cnPCRF | Added in Release 1.5.x | required if enableIncomingHttps is true |
| ingressServer.keepAlive.enabled | No | false | Added in Release 1.7.3 | |||
| ingressServer.keepAlive.idealTime | No | 180 (in seconds) | Added in Release 1.7.3 | |||
| ingressServer.keepAlive.count | No | 9 | Added in Release 1.7.3 | |||
| ingressServer.keepAlive.interval | No | 60 (in seconds) | Added in Release 1.7.3 | |||
| global.configServerPort | No | 5807 | CNC Policy, PCF, &cnPCRF | Added in Release 1.7.3 |
Egress Gateway Service
Table 3-7 Customization Parameters
| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Modified in Release | Notes |
|---|---|---|---|---|---|---|
| egress-gateway.enabled | Determines if egress gateway is enabled or not. | True | CNC Policy, PCF, & cnPCRF | Added in Release 1.5.x | ||
| egress-gateway.jaegerTracingEnabled | No | False | CNC Policy& PCF | Added in Release 1.6.x | ||
|
egress-gateway.openTracing.jaeger.udpSender.host |
udpsender host | CNC Policy& PCF | Added in Release 1.7.1 | |||
| egress-gateway.openTracing.jaeger.udpSender.port | udpsender port | CNC Policy& PCF | Added in Release 1.7.1 | |||
| egress-gateway.openTracing.jaeger.probabilisticSampler | CNC Policy& PCF | Added in Release 1.7.1 | ||||
| egress-gateway.oauthClientEnabled | OAuth Validator Enabled | No | false | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.nrfAuthority | NRF's ${HOSTNAME}:{PORT} | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | Modify the parameter with actual value, if oAuth is enabled. |
| egress-gateway.nfInstanceId | NF InstanceId of Producer | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | Modify the parameter with actual value, if OAuth is enabled. |
| egress-gateway.consumerPlmnMNC | MNC of service Consumer | No | CNC Policy& PCF | Added in Release 1.5.x | Modify the parameter with actual value, if OAuth is enabled. | |
| egress-gateway.consumerPlmnMCC | MCC of service Consumer | No | CNC Policy& PCF | Added in Release 1.5.x | Modify the parameter with actual value, if OAuth is enabled. | |
| egress-gateway.enableOutgoingHttps | Enabling it for outgoing https request | No | CNC Policy& PCF | Added in Release 1.5.x | ||
| egress-gateway.egressGwCertReloadEnabled | No | CNC Policy& PCF | Added in Release 1.5.x | |||
| egress-gateway.egressGwCertReloadPath | No | CNC Policy& PCF | Added in Release 1.5.x | |||
| egress-gateway.service.ssl.privateKey.k8SecretName | Name of the privatekey secret | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.privateKey.k8NameSpace | Namespace of privatekey | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.privateKey.rsa.fileName | rsa private key file name | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.privateKey.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.certificate.k8SecretName | Name of the privatekey secret | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.certificate.k8NameSpace | Namespace of privatekey | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.certificate.rsa.fileName | rsa private key file name | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.certificate.ecdsa.fileName | ecdsa private key file name | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.caBundle.k8SecretName | Name of the privatekey secret | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.caBundle.k8NameSpace | Namespace of privatekey | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.caBundle.fileName | private key file name | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.keyStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.keyStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.keyStorePassword.fileName | File name that has password for keyStore | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.trustStorePassword.k8SecretName | Name of the privatekey secret | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.trustStorePassword.k8NameSpace | Namespace of privatekey | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.service.ssl.trustStorePassword.fileName | File name that has password for trustStore | No | Not Applicable | CNC Policy& PCF | Added in Release 1.5.x | |
| egress-gateway.scpIntegrationEnabled | Change this to false when scp integration is not required | No | false | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.scp.scpRerouteEnabled | Set this flag to true if re-routing to multiple SCP instances is to be enabled. globalretry can be enabled only when scpRerouteEnabled flag is set to true. | No | false | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.globalretry.enabled | globalretry can be enabled only when scpRerouteEnabled flag is set to true. And, it is applied only when no "retries" is specified under routesConfig. | O | false | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.globalretry.retries | CNC Policy& PCF | Added in Release 1.6.x | ||||
| egress-gateway.scp.instances.http.host | SCP HTTP IP/FQDN | No | Not Applicable | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.scp.instances.http.Port | SCP HTTP PORT | No | 80 | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.scp.instances.http.ApiPrefix | Change this value to corresponding prefix "/" is not expected to be provided along. Applicable only for SCP with TLS enabled. | No | / | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.scp.scpDefaultScheme | Default scheme applicable when 3gpp-sbi-target-apiroot header is missing | No | https | CNC Policy& PCF | Added in Release 1.6.x | |
| egress-gateway.K8ServiceCheck | Enable this if loadbalancing is to be done by egress instead of K8s | No | false | CNC Policy& PCF | Added in Release 1.5.x | |
| httpsScpOnly |
This is global parameter which will be taken into consideration if route (under routeConfig section ) based httpsScpOnly parameter is not available. If set to true, select SCP instances for https list only. If set to false, run existing logic as per provided scheme. |
No | false | CNC Policy& PCF | Added in Release 1.7.3 | Please note double quotes to be enclosed for values of httpScpOnly. |
| httpRuriOnly |
This is global parameter which will be taken into consideration if route (under routeConfig section) based httpRuriOnly parameter is not available. If set to true, change scheme of RURI to http. If set to false, don't change the scheme. |
No | false | CNC Policy& PCF | Added in Release 1.7.3 | Please notedouble quotes to be enclosed for values of httpsScpOnly. |
| routesConfig[0].httpRuriOnly |
If set to true, change Scheme of RURI to http. If set to false, don't change the scheme. |
No | false | CNC Policy& PCF | Added in Release 1.7.3 | Please note double quotes to be enclosed for values of httpsRuriOnly. If httpsRuriOnly under route is not present globally available value will be considered. |
| routesConfig[0].httpsScpOnly |
If set to true, select SCP instances for https list only. If set to false, run existing logic as per provided scheme. |
No | false | CNC Policy& PCF | Added in Release 1.7.3 | Please note double quotes to be enclosed for values of httpsScpOnly. If httpsScpOnly under route is not present globally available value will be considered. |
Additional Configurable Parameters for Aspen mesh
This section describes the customizatons that you can make in custom_values_occnp-custom-values-pcf-unified-ports.yaml, custom_values_occnp-custom-values-pcrf-unified-ports.yaml, and custom_values_occnp-custom-values-occnp-unified-ports.yaml files to integrate Aspen service mesh with Oracle Communications Cloud Native Core Policy.
Important:
Users may use custom values file from CNC Policy 1.7.0 to install CNC Policy with Aspen service mesh.- Unified signaling ports: To override the default port numbers,
used by containers and services, and customize them as per your requirements, you
can configure the following configurable parameters in custom values file:
Table 3-8 Customizable service ports
Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes servicePorts.pcfAmServiceHttp HTTP signaling port for AM service. Optional 5904 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfAmServiceHttp HTTP signaling port for AM service. Optional 5905 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.appInfoHttp HTTP signaling port for app info . Optional 5906 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcAppInfoHttpservicePorts.auditServiceHttp HTTP signaling port for audit service. Optional 5807 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.bindingHttp HTTP signaling port for binding service. Optional 8080 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.bindingHttps HTTPS signaling port for binding service. Optional 8443 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.cmServiceHttp HTTP signaling port for CM service. Optional 5808 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.configServerHttp HTTP signaling port for config server. Optional 5807 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 Same value as svcConfigServerHttpservicePorts.pcfDiamConnectorHttp HTTP signaling port for PCF Diameter connector. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfDiamConnectorDiameter Port for PCF Diameter connector. Optional 3868 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.ldapGatewayHttp HTTP signaling port for LDAP Gateway. Optional 8084 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.ldapGatewayHttps HTTPS signaling port for LDAP Gateway. Optional 8443 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.pcfDiamGatewayHttp HTTP signaling port for PCF Diameter gateway. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfDiamGatewayDiameter Port for PCF Diameter gateway. Optional 3868 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcrfCoreDiameter Port for PCRF Core Diameter. Optional 3868 CNCPolicy & cnPCRF Added in Release 1.7.3 servicePorts.pcrfCoreHttp HTTP signaling port for PCRF core service. Optional 9080 CNCPolicy & cnPCRF Added in Release 1.7.3 servicePorts.pcrfDiamGatewayHttp HTTP signaling port for PCRF Diameter Gateway. Optional 8080 CNCPolicy & cnPCRF Added in Release 1.7.3 servicePorts.pcrfDiamGatewayDiameter Port for PCRF Diameter connector. Optional 3868 CNCPolicy & cnPCRF Added in Release 1.7.3 servicePorts.perfInfoHttp HTTP signaling port for perf info. Optional 5905 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcPerfInfoHttpservicePorts.policydsHttp HTTP signaling port for policyds. Optional 8080 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.preServiceHttp HTTP signaling port for pre service. Optional 5806 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.preTestHttp HTTP signaling port for pre test. Optional 5806 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.queryServiceHttp HTTP signaling port for queryservice. Optional 5805 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 servicePorts.pcfSmServiceHttp HTTP signaling port for SM service. Optional 5809 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfSmServiceHttps HTTPS signaling port for SM service. Optional 5805 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.soapConnectorHttp HTTP signaling port for Soap connector. Optional 8082 CNCPolicy & cnPCRF Added in Release 1.7.3 servicePorts.pcfUeServiceHttp HTTP signaling port for UE service. Optional 5809 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfUeServiceHttps HTTPS signaling port for UE service. Optional 5805 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfUserServiceHttp HTTP signaling port for User service. Optional 5808 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.pcfUserServiceHttps HTTPS signaling port for User service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.udrConnectorHttp HTTP signaling port for UDR Connector. Optional 5808 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.udrConnectorHttps HTTPS signaling port for UDR Connector. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.chfConnectorHttp HTTP signaling port for CHF Connector. Optional 5808 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.chfConnectorHttps HTTPS signaling port for CHF Connector. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 servicePorts.egressGatewayHttp HTTP signaling port for Egress Gateway. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcEgressGatewayHttpservicePorts.nrfClientNfDiscoveryHttp HTTP signaling port for NRF client discovery service. Optional 5910 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfDiscoveryHttpservicePorts.nrfClientNfManagementHttp HTTP signaling port for NRF client management service. Optional 5910 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfManagementHttpservicePorts.nrfClientNfDiscoveryHttps HTTPS signaling port for NRF client discovery service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfDiscoveryHttpsservicePorts.nrfClientNfManagementHttps HTTPS signaling port for NRF client management service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfManagementHttpsTable 3-9 Customizable container ports
Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes containerPorts.monitoringHttp HTTP signaling port for monitoring. Optional 9000 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 Same value as containerMonitoringHttpcontainerPorts.pcfAmServiceHttp HTTP signaling port for AM service. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfAmServiceHttps HTTPS signaling port for AM service. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.appInfoHttp HTTP signaling port for app info. Optional 5906 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.auditServiceHttp HTTP signaling port for Auditservice. Optional 8081 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.bindingHttp HTTP signaling port for binding service. Optional 8080 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.bindingHttps HTTPS signaling port for binding service. Optional 8443 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.cmServiceHttp HTTP signaling port for CMservice. Optional 5807 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.configServerHttp HTTP signaling port for config server. Optional 8001 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.pcfDiamConnectorHttp HTTP signaling port for Diameter Connector. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfDiamConnectorDiameter PCF diameter connector. Optional 3868 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.ldapGatewayHttp HTTP signaling port for IDAP Gateway. Optional 8084 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.pcfDiamGatewayHttp HTTP signaling port for Diameter Gateway. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfDiamGatewayDiameter PCF diameter gateway. Optional 3868 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcrfCoreDiameter PCRF core diameter. Optional 3868 CNCPolicy & cnPCRF Added in Release 1.7.3 containerPorts.pcrfCoreHttp HTTP signaling port for PCRF Core service. Optional 9080 CNCPolicy & cnPCRF Added in Release 1.7.3 containerPorts.pcrfDiamGatewayHttp HTTP signaling port for PCRF Diameter Gateway. Optional 8080 CNCPolicy & cnPCRF Added in Release 1.7.3 containerPorts.pcrfDiamGatewayDiameter PCRF diameter gateway. Optional 3868 CNCPolicy & cnPCRF Added in Release 1.7.3 containerPorts.perfInfoHttp HTTP signaling port for perf-info. Optional 5905 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.policydsHttp HTTP signaling port for policyds. Optional 8080 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.preServiceHttp HTTP signaling port for pre service. Optional 5806 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.preTestHttp HTTP signaling port for pre test. Optional 5806 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.queryServiceHttp HTTP signaling port for queryservice. Optional 8081 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 containerPorts.pcfSmServiceHttp HTTP signaling port for SM service. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfSmServiceHttps HTTPS signaling port for SM service. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.soapConnectorHttp HTTP signaling port for soap connector. Optional 8082 CNCPolicy & cnPCRF Added in Release 1.7.3 containerPorts.pcfUeServiceHttp HTTP signaling port for UE service. Optional 8082 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfUeServiceHttps HTTPS signaling port for UE service. Optional 8081 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfUserServiceHttp HTTP signaling port for User service. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.pcfUserServiceHttps HTTPS signaling port for User service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.udrConnectorHttp HTTP signaling port for UDR Connector. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.udrConnectorHttps HTTPS signaling port for UDR Connector. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.chfConnectorHttp HTTP signaling port for CHF connector. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.chfConnectorHttps HTTPS signaling port for CHF connector. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 containerPorts.nrfClientNfDiscoveryHttp HTTP signaling port for NRF client discovery. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfDiscoveryHttpcontainerPorts.nrfClientNfManagementHttp HTTP signaling port for NRF client management. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfManagementHttpcontainerPorts.nrfClientNfDiscoveryHttps HTTPS signaling port for NRF client discovery. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfDiscoveryHttpscontainerPorts.nrfClientNfManagementHttps HTTPS signaling port for NRF client management. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfManagementHttpscontainerPorts.ingressGatewayHttp HTTP signaling port for Ingress Gateway. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerIngressGatewayHttpcontainerPorts.ingressGatewayHttps HTTPS signaling port for Ingress Gateway. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerIngressGatewayHttpsNote:
After you install CNC policy, you can see that all the services of type ClusterIP exposes HTTP on port 8000 and HTTPS on port 9443. - Annotation to support OSO: To deploy CNC Policy with OSO, you must add the
following annotation to the custom extension under global section of custom values
file:
global: customExtension: lbDeployments: annotations: oracle.com/cnc: "true" nonlbDeployments: annotations: oracle.com/cnc: "true"Note:
After helm install is complete, all the nodes will have the above mentioned annotation. - Custom container name: You can customize the name of containers of a pod with
a prefix and suffix. To do so, add the prefix and suffix to the k8sResource under
global section of custom values
file:
global: k8sResource: container: prefix: ABCD suffix: XYZThen, after installing CNC policy, you will see the container names as shown below:Containers: abcd-am-service-xyz: - Custom service account: You can use a custom service account for
all services by adding it to global section in the custom values
file:
global: serviceAccountName: ocpcfsaccountNote:
You can create the service account and roles before the installation as well. - Disable init containers: Init containers do not work when the namespace has
aspen service mTLS enabled. To disable init containers, set the value for
initContainerEnableto false in custom values file.global: initContainerEnable: false - PERMISSIVE rule: To set Permissive rule for Diameter Gateway and Ingress
Gateway Service, set the following flags to true in custom value
file:
global: istioIngressTlsSupport: diamGateway: trueglobal: istioIngressTlsSupport: ingressGateway: true