3 Customizing Policy

This chapter provides information about customizing Oracle Communications Cloud Native Core, Converged Policy (Policy) deployment in a cloud native environment.

The Policy deployment is customized by overriding the default values of various configurable parameters in the occnp_custom_values_23.4.9.yaml and occnp_custom_values_pcf23.4.9.yaml files.

Note:

From release 22.2.x onwards, the occnp-22.2.x-custom-values-pcrf.yaml file is deprecated. To deploy Policy in PCRF mode, you must use the occnp-22.2.x-custom-values-occnp.yaml file.

To customize the custom yaml files, perform the following steps:

  1. Unzip the Custom_Templates file available in the extracted documentation release package. For more information on how to download the package from MOS, see the Downloading Policy package section.

    The following files are used to customize the deployment parameters during installation:

    • occnp_custom_values_23.4.9.yaml: This file is used to customize the deployment parameters during Converged mode and PCRF mode deployment of Policy.
    • occnp_custom_values_pcf23.4.9.yaml: This file is used to customize the deployment parameters during PCF only mode deployment of Policy.
    • occnp_custom_values_servicemesh_config_23.4.9.yaml: This file is used while configuring ASM Data Plane.
  2. Customize the appropriate custom value yaml file depending on the mode of deployment.
  3. Customize the occnp_custom_values_servicemesh_config_23.4.9.yaml file, in case ASM Data Plane must be configured.
  4. Save the updated files.

Note:

  • All parameters mentioned as mandatory must be present in occnp_custom_values_23.4.9.yaml file.
  • All fixed value parameters listed must be present in the custom values yaml file with the exact values as specified in this section.

Customizing for PCRF Mode

This section provides information on how to use the occnp_custom_values_23.4.9.yaml file for deploying Policy in PCRF mode. Enable only those services in the custom yaml file that are required to run Policy in PCRF mode, and bring the other services down by setting their values to false in the custom yaml file.

The following table describes the services and their corresponding parameters that are required for deploying Policy in PCRF Mode:

| Service Name | Mandatory/Optional | Flag Name |
|---|---|---|
| AppInfo | Optional | appinfoServiceEnable |
| Bulwark Service | Optional | bulwarkServiceEnable |
| Notifier Service | Optional | notifierServiceEnable |
| Binding Service | Optional | bindingSvcEnabled |
| Diameter Connector | Optional | diamConnectorEnable |
| Diameter Gateway | Optional | diamGatewayEnable |
| LDAP Gateway | Optional | ldapGatewayEnable |
| Alternate Route | Optional | alternateRouteServiceEnable |
| CHF Connector | Optional | chfConnectorEnable |
| Config Server | Mandatory | Enabled by default |
| Egress Gateway | Optional | NA |
| Ingress Gateway | Optional | NA |
| NRF Client-NF Discovery | Optional | nrfClientNfDiscoveryEnable |
| NRF Client-NF Management | Optional | nrfClientNfManagementEnable |
| UDR Connector | Optional | udrConnectorEnable |
| Audit Service | Mandatory | NA |
| CM Service | Mandatory | Enabled by default |
| PolicyDS | Mandatory | policydsEnable |
| PRE | Mandatory | Enabled by default |
| PRE Test | Optional | NA |
| Query Service | Mandatory | Enabled by default |
| AM Service | Optional | amServiceEnable |
| SM Service | Optional | smServiceEnable |
| UE Service | Optional | ueServiceEnable |
| PCRF-Core | Optional | pcrfCoreEnable |
| Perf Info | Optional | performanceServiceEnable |
| SOAP Connector | Optional | soapConnectorEnable |
| Usage Monitoring | Optional | usageMonEnable |

3.1 Configurations for Pre and Post Upgrade/Install Validations

This section describes mandatory configurable parameters that you must customize in the occnp_custom_values_23.4.9.yaml file for successful validation checks required on the application, databases, and related tables before and after Policy application upgrade/install.

Table 3-1 Configuration Parameter for Pre and Post Flight Checks

global.hookValidation.dbSchemaValidate
  • Description: Specifies whether to perform database validations during pre-installation, pre-upgrade, post-upgrade, and post-installation. Checks if the required databases and tables exist. Validates that the required columns exist in the tables and the correct foreign key exists (for config-server).
  • Mandatory (M)/Optional (O): M
  • Accepted values: true/false
  • Default value: false
  • Note: By default, this flag is false. In that case, validations are performed, and if the validation fails, a warning is logged and the install/upgrade continues. If this flag is true and the validation fails, an error is thrown and the installation/upgrade fails.

global.operationalState
  • Description: Controls the deployment operationalState, mainly during fault recovery setup, when the installation is done in inactive mode, that is, complete shutdown mode.
  • Mandatory (M)/Optional (O): M
  • Accepted values: NORMAL, PARTIAL_SHUTDOWN, COMPLETE_SHUTDOWN
  • Default value: &systemOperationalState NORMAL
  • Note: Use this field along with setting the field enableControlledShutdown to true.

global.hookValidation.infraValidate
  • Description: Specifies whether to perform pre-flight infrastructure related validations such as Replication Status, Critical Alerts, Kubernetes Version, and cnDbtier Version. Infrastructure related validations are done at the very beginning of the upgrade/install, and if they fail, the install/upgrade fails at this stage.
  • Mandatory (M)/Optional (O): M
  • Accepted values: true/false
  • Default value: false
  • Note: Ensure that the helm parameters replicationUri, dbTierVersionUri, and alertmanagerUrl point to a working URI/URL respectively.
  • Note: Before enabling the infraValidate flag, ensure that no critical alarms exist before upgrading/installing a new release, in order to avoid failures. Also, make sure that replication is up.

appinfo.dbTierVersionUri
  • Description: Specifies the URI provided by the db monitor service to query the cnDBtier Version. For example: http://mysql-cluster-db-monitor-svc.occne-cndbtier:8080/db-tier/version
  • Mandatory (M)/Optional (O): M
  • Accepted values: URI
  • Default value: empty string ("")

global.mySql.execution.ddlDelayTimeInMs
  • Description: Adds a delay before the creation of the configuration_item table, ensuring that the topic_info table is created first and then the configuration_item table, which has a foreign key dependency on topic_info, is created. Specifies a delay interval of 200 ms before inserting any entry into the ndb_replication table.
  • Mandatory (M)/Optional (O): M
  • Accepted values: Interval in milliseconds
  • Default value: 200 ms

appinfo.defaultReplicationStatusOnError
  • Description: Specifies the replication value to use in case of any error while fetching the replication status during infra validation.
  • Mandatory (M)/Optional (O): O
  • Accepted values: UP, DOWN. If the value is UP or an empty string and the application throws an error while fetching replication status during infra-validation, the value of replication is set as UP. If the value is DOWN, in case of any error while fetching replication status, the value of replication status is set as DOWN.
  • Default value: UP

appinfo.nfReleaseVersion
  • Description: Specifies the NF release version for the minViablePath validation.
  • Mandatory (M)/Optional (O): O
  • Accepted values: NF release version. If no value is provided, the minViablePath will validate the app-info-release version only.
  • Default value: empty string ("")

global.alertmanagerUrl
  • Description: Specifies the alertmanager POST URI, which is used by the services to raise application level alerts.
  • Mandatory (M)/Optional (O): O
  • Accepted values: URI
  • Default value: empty string ("")

3.2 Mandatory Configurations

This section describes the configuration parameters that are mandatory during the installation of Policy in any of the three supported modes of deployment.

To configure mandatory parameters, you should configure the following configurable parameters in the occnp_custom_values_23.4.9.yaml file:

Table 3-2 Configurable Parameters for Mandatory Configurations

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.nfInstanceId | Specifies the unique NFInstanceID for each site deployed for Policy. To set up georedundancy, users must specify the value while deploying Policy; otherwise, georedundancy will not be supported. Be sure that the value of nfInstanceId is unique for each site. | Yes | string. Example: "Site1" | Policy, PCF, & PCRF | Added in Release 1.10.0 | For upgrade, see Upgrading Policy. |
| global.dockerRegistry | Specifies the name of the Docker registry, which hosts Policy docker images | Yes | Not applicable | Policy, PCF, & PCRF | Added in Release 1.0 | This is a docker registry running OCCNE bastion server where all OAuth docker images are loaded. Example: occne-bastion:500, occne-repo-host:5000 |
| global.envMysqlHost | Specifies the IP address or host name of the MySql server which hosts Policy databases | Yes | Not applicable | Policy, PCF, & PCRF | Added in Release 1.0 | Example: 10.196.33.106 |
| global.envMysqlPort | Specifies the port of the MySql server which hosts Cloud Native Core Policy's databases | Yes | Not applicable | Policy, PCF, & PCRF | Added in Release 1.0 | Example: 3306 |
| global.dbCredSecretName | Name of the Kubernetes secret object containing Database username and password | Yes | Not applicable | Policy, PCF, & PCRF | Added in Release 1.6.x | |
| global.privilegedDbCredSecretName | Name of the Kubernetes secret object containing Database username and password for an admin user | Yes | Not applicable | Policy, PCF, & PCRF | Added in Release 1.6.x | |
| global.releaseDbName | Name of the release database containing release version details | Yes | Not applicable | Policy, PCF, & PCRF | Added in Release 1.6.x | |

Here is a sample configuration for mandatory parameters in occnp_custom_values_23.4.9.yaml file:
global:
  # Docker registry name
  dockerRegistry: ''
  # Primary MYSQL Host IP or Hostname
  envMysqlHost: ''
  envMysqlPort: ''
  # K8s secret object name containing OCPCF MYSQL UserName and Password
  dbCredSecretName: 'occnp-db-pass'
  privilegedDbCredSecretName: 'occnp-privileged-db-pass'
  #Release DB name containing release version details
  releaseDbName: 'occnp_release'

3.3 Enabling/Disabling Services Configurations

This section describes the configuration parameters that can be used to select the services that you want to enable or disable for your deployment.

To configure these parameters, you should configure the following configurable parameters in the occnp_custom_values_23.4.9.yaml file:

Table 3-3 Configurable Parameters for Enabling or Disabling the PCF Services

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.amServiceEnable | Specifies whether to enable or disable AM service. | No | True | Converged Policy, PCF | Added in Release 1.7.1 | If the user disables AM service by setting the value for this parameter as false, it is required to remove the AM service entry from core-services.pcf under appinfo. |
| global.smServiceEnable | Specifies whether to enable or disable SM service. | No | True | Converged Policy, PCF | Added in Release 1.7.1 | If the user disables SM service by setting the value for this parameter as false, it is required to remove the SM service entry from core-services.pcf under appinfo. |
| global.ueServiceEnable | Specifies whether to enable or disable UE service. | No | True | Converged Policy, PCF | Added in Release 1.7.1 | If the user disables UE service by setting the value for this parameter as false, it is required to remove the UE service entry from core-services.pcf under appinfo. |

Table 3-4 Configurable Parameters for Enabling and Disabling the PCRF Core Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.pcrfCoreEnable | Specifies whether to enable or disable PCRF Core service. | No | True | Converged Policy, cnPCRF | Added in Release 1.7.1 | |

Table 3-5 Configurable Parameters for enabling or disabling Policy Data Source (PDS) Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.policydsEnable | Specifies whether to enable or disable Data Source service. | No | True | Policy, PCF, & cnPCRF | Added in Release 1.7.1 | This parameter must be enabled when using LDAP, nUDR, and nCHF. |
| global.udrConnectorEnable | Specifies whether to enable or disable UDR connector. | No | True | Policy, PCF, & cnPCRF | Added in Release 1.9.0 | Enable udr connector only when policyDS is enabled. |
| global.chfConnectorEnable | Specifies whether to enable or disable CHF connector. | No | True | Policy, PCF, & cnPCRF | Added in Release 1.9.0 | Enable chf connector only when policyDS is enabled. |
| global.ldapGatewayEnable | Specifies whether to enable or disable LDAP Gateway. | No | False | Policy, PCF, & cnPCRF | Added in Release 1.7.1 | Applicable only when policy data source is LDAP server. |
| global.soapConnectorEnable | Specifies whether to enable or disable Soap connector. | No | False | Policy and PCRF | Added in Release 1.7.1 | |
| global.userServiceEnable | Specifies whether to enable or disable User service. | No | false | Policy, PCF, and PCRF | | Set the value for this parameter to true only when policyDS is disabled. |

Table 3-6 Configurable Parameters for Enabling or Disabling the Audit Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| auditservice.enabled | Specifies whether to enable or disable Audit service. | No | true | Policy & PCF | Added in 1.7.1 | |
| exceptionTableAuditEnabled | Specifies whether to enable or disable exception table audit. | No | false | Policy & PCF | Added in 23.4.0 | Add this parameter to custom-values.yaml file for enabling the audit on exception tables. |

Table 3-7 Configurable Parameters for Enabling or Disabling the Ingress and Egress Gateway

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| ingressgateway.enabled | Specifies whether to enable or disable Ingress Gateway. | No | false | Policy, cnPCRF, & PCF | Added in Release 1.5.x | When deployed in cnPCRF mode, enable this parameter only when soap connector is enabled. |
| egressgateway.enabled | Specifies whether to enable or disable Egress Gateway. | No | false | Policy & PCF | Added in Release 1.5.x | |

Table 3-8 Configurable Parameters for Enabling or Disabling the NRF Client Services

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.nrfClientNfDiscoveryEnable | Specifies whether to enable or disable NF Discovery service. The value for this parameter must be set to true if on demand discovery is required. | No | true | Policy & PCF | Added in Release 1.7.1 | |
| global.nrfClientNfManagementEnable | Specifies whether to enable or disable NF Management service. | No | true | Policy & PCF | Added in Release 1.7.1 | |
| global.appinfoServiceEnable | Specifies whether to enable or disable app info service. | No | True | Policy & PCF | Added in Release 1.7.1 | |
| global.performanceServiceEnable | Specifies whether to enable or disable performance service. | No | True | Policy & PCF | Added in Release 1.7.1 | |

Table 3-9 Configurable Parameters for Enabling/Disabling the Diameter Gateway/Connector

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.diamConnectorEnable | Determines if the diameter connector is enabled or not. | No | True | Policy & PCF | Added in Release 1.7.1 | |
| global.diamGatewayEnable | Determines if the diameter gateway is enabled or not. | No | True | Policy, PCF, & cnPCRF | Added in Release 1.7.1 | |

Table 3-10 Configurable Parameters for Enabling/Disabling the Binding Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.bindingSvcEnabled | Determines whether to enable or disable Binding service. | No | true | Policy | Updated in Release 1.14.0 | The default value for this parameter is set to false in PCF and PCRF-Core custom values yaml files. |

Table 3-11 Configurable Parameters for Enabling or Disabling the Bulwark Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.bulwarkServiceEnable | Determines whether to enable or disable the Bulwark service. | No | true | Policy and PCF | Added in Release 1.15.0 | |

Table 3-12 Configurable Parameters for Enabling or Disabling the Notifier Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
|---|---|---|---|---|---|
| global.notifierServiceEnable | Determines whether to enable or disable the Notifier service. | No | false | Policy and PCF | Added in Release 22.2.0 |

Table 3-13 Configurable Parameters for Enabling or Disabling the NWDAF Agent

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
|---|---|---|---|---|---|
| global.nwdafAgentServiceEnable | Determines whether to enable or disable the NWDAF Agent. | No | false | Policy and PCF | Added in Release 22.4.0 |

Table 3-14 Configurable Parameters for Enabling or Disabling the Usage Monitoring Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
|---|---|---|---|---|---|
| global.usageMonEnable | Determines whether to enable or disable the Usage Monitoring service. | No | false | Policy and PCF | Added in Release 22.2.0 |

Table 3-15 Configurable Parameters for Enabling/Disabling the Alternate Route Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.alternateRouteServiceEnable | Enable/Disable Alternate Route service | Yes | false | Policy & PCF | Added in Release 1.8.0 | Enable this flag to include Alternate Route service as part of your Helm deployment. |

Table 3-16 Configurable Parameters to enable or disable the resetContext flags for AM Service and UE Policy Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.resetContextUePolicySetData | The value of this flag is set to true if there are no existing UEPolicy Associations. | No | false | Policy & PCF | Added in Release 22.3.2 | |
| global.resetContextAmPolicyData | The value of this flag is set to true if there are no existing AMService Associations. | No | false | Policy & PCF | Added in Release 22.3.2 | |
| global.resetContextSsvOnAMCreate | If this flag is set to true, PDS SSV entry's context information is updated for AM context owner. If any AM context-info associated to SSV has exceeded the guard time, such context information is deleted. | No | false | Policy & PCF | Added in Release 23.1.0 | This parameter is available in values.yaml file. |
| global.resetContextSSVOnUECreate | If this flag is set to true, PDS SSV entry's context information is updated for UE context owner. If any UE context-info associated to SSV has exceeded the guard time, such context information is deleted. | No | false | Policy & PCF | Added in Release 23.1.0 | This parameter is available in values.yaml file. |
| global.enableSsvIdForReqParam | You can configure ENABLE_SSVID_FOR_REQPARAM for SM Service, AM Service, and UE Policy Service. When ENABLE_SSVID_FOR_REQPARAM flag is enabled, 'pdsSsvId' is added to the list of UserIds. When ENABLE_SSVID_FOR_REQPARAM flag is disabled, 'pdsSsvId' is not listed in the UserIds. PDS will work with old flow based on SUPI/GPSI or PdsProfileId. | No | true | Policy & PCF | Added in Release 23.1.0 | This parameter is available in values.yaml file. |

The following is a sample configuration for configurable parameters related to service selection in the occnp_custom_values_23.4.9.yaml file used for deploying Policy:

global:
# Enable/disable PCF services 
  amServiceEnable: true
  smServiceEnable: true
  ueServiceEnable: true
  nrfClientNfDiscoveryEnable: true
  nrfClientNfManagementEnable: true
  diamConnectorEnable: true
  appinfoServiceEnable: true
  performanceServiceEnable: true
  
# Enable userService only when policyDS is not enabled.
  userServiceEnable: false
  policydsEnable: true
# Enable udr and chf connectors only when policyDS is enabled
  udrConnectorEnable: true
  chfConnectorEnable: true
# Enable/disable PCRF services
  pcrfCoreEnable: true
  soapConnectorEnable: false

# Enable/disable common services
  bulwarkServiceEnable: true
  diamGatewayEnable: true
  bindingSvcEnabled: true

  ldapGatewayEnable: false
  alternateRouteServiceEnable: false

audit-service:
  enabled: false

ingress-gateway:
  enabled: false

egress-gateway:
  enabled: false
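
The dependency rules stated in Table 3-1 and Table 3-5 can be checked before the file is passed to helm. The following linter is an added example and is not part of the Oracle package; it takes the custom values file already parsed into a dictionary (for instance by a YAML loader), uses constructed sample input, and assumes that enableControlledShutdown sits under global, a location this chapter does not state.

```python
# Added example (not Oracle code): lint a parsed custom values file for the
# cross-parameter rules stated in Table 3-1 and Table 3-5 of this chapter.

# Chart defaults from Table 3-5, applied when a key is absent from the file.
DEFAULTS = {
    "policydsEnable": True,
    "udrConnectorEnable": True,
    "chfConnectorEnable": True,
    "ldapGatewayEnable": False,
    "userServiceEnable": False,
}
OPERATIONAL_STATES = {"NORMAL", "PARTIAL_SHUTDOWN", "COMPLETE_SHUTDOWN"}


def as_bool(value):
    """Accept YAML booleans and the quoted 'true'/'false' strings seen in the samples."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def service_flag(global_cfg, name):
    """Effective value of global.<name>, falling back to the chart default."""
    return as_bool(global_cfg.get(name, DEFAULTS[name]))


def lint_values(values):
    """Return a list of (severity, message) findings for one parsed values file."""
    findings = []
    global_cfg = values.get("global") or {}
    appinfo = values.get("appinfo") or {}
    hooks = global_cfg.get("hookValidation") or {}

    # Table 3-5: the UDR/CHF connectors and the LDAP gateway need PolicyDS.
    policyds = service_flag(global_cfg, "policydsEnable")
    for dependent in ("udrConnectorEnable", "chfConnectorEnable", "ldapGatewayEnable"):
        if service_flag(global_cfg, dependent) and not policyds:
            findings.append(
                ("ERROR", f"global.{dependent} is true but global.policydsEnable is false"))
    # Table 3-5: User service is enabled only when PolicyDS is disabled.
    if service_flag(global_cfg, "userServiceEnable") and policyds:
        findings.append(
            ("ERROR", "global.userServiceEnable is true while global.policydsEnable is true"))

    # Table 3-1: infraValidate fails the install early, so its URIs must be set.
    # replicationUri is not checked: the chapter does not give its full path.
    if as_bool(hooks.get("infraValidate", False)):
        if not appinfo.get("dbTierVersionUri"):
            findings.append(
                ("ERROR", "infraValidate is true but appinfo.dbTierVersionUri is empty"))
        if not global_cfg.get("alertmanagerUrl"):
            findings.append(
                ("ERROR", "infraValidate is true but global.alertmanagerUrl is empty"))

    # Table 3-1: with dbSchemaValidate false, a failed schema check only logs a warning.
    if not as_bool(hooks.get("dbSchemaValidate", False)):
        findings.append(
            ("WARN", "dbSchemaValidate is false: schema validation failures do not stop the install"))

    # Table 3-1: accepted operationalState values, used with enableControlledShutdown.
    # Assumption: enableControlledShutdown is read from global.
    state = global_cfg.get("operationalState", "NORMAL")
    if state not in OPERATIONAL_STATES:
        findings.append(("ERROR", f"global.operationalState has unknown value {state!r}"))
    elif state != "NORMAL" and not as_bool(global_cfg.get("enableControlledShutdown", False)):
        findings.append(
            ("ERROR", f"operationalState {state} requires enableControlledShutdown: true"))
    return findings


# Constructed sample inputs, shaped like the file after YAML parsing.
SAMPLE_BAD = {
    "global": {
        "policydsEnable": False,
        "udrConnectorEnable": "true",  # chfConnectorEnable left at its default (True)
        "hookValidation": {"infraValidate": True},
        "operationalState": "COMPLETE_SHUTDOWN",
    },
    "appinfo": {"dbTierVersionUri": ""},
}
SAMPLE_GOOD = {
    "global": {
        "policydsEnable": True,
        "udrConnectorEnable": True,
        "chfConnectorEnable": True,
        "userServiceEnable": False,
        "hookValidation": {"dbSchemaValidate": True, "infraValidate": True},
        "alertmanagerUrl": "http://alertmanager.example.invalid/api/v2/alerts",  # constructed
        "operationalState": "NORMAL",
    },
    "appinfo": {
        "dbTierVersionUri":
            "http://mysql-cluster-db-monitor-svc.occne-cndbtier:8080/db-tier/version",
    },
}

if __name__ == "__main__":
    for severity, message in lint_values(SAMPLE_BAD):
        print(f"{severity}: {message}")
```

Because absent keys fall back to the chart defaults, disabling policydsEnable without also disabling chfConnectorEnable is reported even when the connector flag is not present in the file.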

Configurable parameters to support binding header, routing binding header, and discovery header

Table 3-17 Configurable parameters to support binding header, routing binding header, and discovery header

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.SBI_BINDINGHEADER_SENDSCOPE | Enable/Disable scope in binding header. | No | true | Policy & PCF | Added in Release 23.2.4 | |

3.4 Tracing Configuration

This section describes the customizations that you should make in the occnp_custom_values_23.4.9.yaml file to configure tracing.

Following are the common configurations for tracing:

Table 3-18 Common Configurable Parameters for Tracing

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| envJaegerCollectorHost | Specifies the host address where the Jaeger Collector is found. | Mandatory | occne-tracer-jaeger-collector.occne-infra | CNC Policy, PCF, & PCRF | Added in Release 23.4.0 | Make sure the Jaeger Collector service is up and running inside OCCNE-Infra, with the port specified in values.yaml. |
| envJaegerCollectorPort | Specifies the port where the Jaeger Collector is listening to receive spans. | Mandatory | 4318 | CNC Policy, PCF, & PCRF | | Make sure this port matches the port of your Jaeger Collector service that is listening for OTLP formatted traces. |
| tracingEnabled | When 'true', enables the service to be instrumented by OpenTelemetry's Java Agent. | Mandatory | false | CNC Policy, PCF, & PCRF | | |
| tracingSamplerRatio | Specifies the ratio of spans that are sent to the Jaeger Collector; that is, of the total amount of spans, how many are sent to the Jaeger Collector. | Mandatory | .001 | CNC Policy, PCF, & PCRF | | Example: A value of "0.2" specifies that only 20% of the spans are going to be sent. Range is 0 to 1. |
| tracingJdbcEnabled | When 'true', the OpenTelemetry Java Agent also shows spans related to Database Operations. | Mandatory | false | CNC Policy, PCF, & PCRF | | If tracingEnabled is true on deployment, this will be enabled by default. In case tracingEnabled is false, this will also be false by default. |
| tracingLogsEnabled | When 'true', enables spans and tracing logging. | Mandatory | false | CNC Policy, PCF, & PCRF | | |

Here is a sample configuration for tracing in the occnp_custom_values_23.4.9.yaml file:

envJaegerCollectorHost: 'occne-tracer-jaeger-collector.occne-infra'
# Make sure this matches the OCCNE-INFRA jaeger collector service port.
envJaegerCollectorPort: 4318
tracing:
  tracingEnabled: 'true'
  tracingSamplerRatio: 0.001
  tracingJdbcEnabled: 'true'
  tracingLogsEnabled: 'false'
Note: These configurations are applicable to the following Policy services:
  • Bulwark
  • Binding Service
  • Configuration Server
  • PCRF core
  • PRE
  • LDAP Gateway
  • Soap Connector
  • CM Service
  • Diameter Connector
  • Query Service
  • PCF AM Service
  • PCF SM Service
  • PCF UE Service
  • PCF User-service
    • CHF Connector
    • UDR Connector
  • PolicyDS
  • Usage Monitoring
To configure tracing in ingress-gateway, you should configure the following configurable parameters in custom-value.yaml file:

Table 3-19 Configurable Parameters for Tracing Configuration in Ingress Gateway

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.envJaegerAgentHost | Specifies the hostname or IP address for the jaeger agent | Yes | empty string | CNC Policy, PCF, & PCRF | Added in Release 1.0 | This parameter is the FQDN of Jaeger Agent service running in OCCNE cluster under namespace occne-infra. Format is <JAEGER_SVC_NAME>.<JAEGER_NAMESPACE> |
| global.envJaegerQueryUrl | Specifies the query URL for the jaeger agent | Optional | empty string | CNC Policy, PCF, & PCRF | Added in Release 22.1.0 | |
| ingress-gateway.jaegerTelemetryTracingEnabled | Specifies whether to enable or disable OpenTelemetry at Ingress Gateway. | No | false | CNC Policy, PCF, & PCRF | Added in Release 23.4.0 | When this flag is set to true, make sure to update all Jaeger related attributes with the correct values. |
| ingress-gateway.openTelemetry.jaeger.httpExporter.host | Specifies the host name of Jaeger collector host | Yes, if ingress-gateway.jaegerTelemetryTracingEnabled flag is set to true | jaegercollector.cne-infra | CNC Policy, PCF, & PCRF | | |
| ingress-gateway.openTelemetry.jaeger.httpExporter.port | Specifies the port of Jaeger collector port | Yes, if ingress-gateway.jaegerTelemetryTracingEnabled flag is set to true | 4318 | CNC Policy, PCF, & PCRF | | |
| ingress-gateway.openTelemetry.jaeger.probabilisticSampler | Specifies the sampler where value is between 0.0 (no sampling) and 1.0 (sampling of every request) | Yes, if ingress-gateway.jaegerTelemetryTracingEnabled flag is set to true | 0.5 | CNC Policy, PCF, & PCRF | | The value range for Jaeger message sampler is 0 to 1. Value 0 indicates no Trace is sent to Jaeger collector. Value 0.3 indicates 30% of message is sampled and sent to Jaeger collector. Value 1 indicates 100% of message, that is, all the messages are sampled and sent to Jaeger collector. |

Here is a sample configuration for tracing in ingress-gateway in the occnp_custom_values_23.4.9.yaml file:

# Aliases (*name) resolve to anchors (&name) defined earlier in the same file.
ingress-gateway:
  jaegerTelemetryTracingEnabled: *tracingEnabled

  openTelemetry:
    jaeger:
      httpExporter:
        host: *envJaegerCollectorHost
        port: *envJaegerCollectorPort
      probabilisticSampler: *tracingSamplerRatio

Table 3-20 Configurable Parameters for Tracing Configuration in Egress Gateway

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| egress-gateway.jaegerTelemetryTracingEnabled | Specifies whether to enable or disable Jaeger Tracing at Egress Gateway. | No | false | CNC Policy, PCF, & cnPCRF | Added in Release 1.6.x | When this flag is set to true, make sure to update all Jaeger related attributes with the correct values. |
| egress-gateway.openTelemetry.jaeger.httpExporter.host | Specifies the host name of Jaeger collector host | Yes, if egress-gateway.jaegerTelemetryTracingEnabled flag is set to true. | jaegercollector.cne-infra | CNC Policy, PCF, & cnPCRF | Added in Release 1.6.x | |
| egress-gateway.openTelemetry.jaeger.httpExporter.port | Specifies the port of Jaeger collector port | Yes, if egress-gateway.jaegerTelemetryTracingEnabled flag is set to true. | 4318 | CNC Policy, PCF, & cnPCRF | Added in Release 1.6.x | |
| egress-gateway.openTelemetry.jaeger.probabilisticSampler | Specifies the sampler where value is between 0.0 (no sampling) and 1.0 (sampling of every request) | Yes, if egress-gateway.jaegerTelemetryTracingEnabled flag is set to true. | 0.5 | CNC Policy, PCF, & cnPCRF | Added in Release 1.6.x | The value range for Jaeger message sampler is 0 to 1. Value 0 indicates no Trace is sent to Jaeger collector. Value 0.3 indicates 30% of message is sampled and sent to Jaeger collector. Value 1 indicates 100% of message, that is, all the messages are sampled and sent to Jaeger collector. |

Here is a sample configuration for tracing in egress-gateway in the occnp_custom_values_23.4.9.yaml file:

# Aliases (*name) resolve to anchors (&name) defined earlier in the same file.
egress-gateway:
  jaegerTelemetryTracingEnabled: *tracingEnabled

  openTelemetry:
    jaeger:
      httpExporter:
        host: *envJaegerCollectorHost
        port: *envJaegerCollectorPort
      probabilisticSampler: *tracingSamplerRatio

To configure tracing in nrfClientNfDiscovery, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-21 Configurable Parameters for Tracing Configuration in nrfClientNfDiscovery

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| nrf-client.nrf-client-nfdiscovery.envJaegerSamplerParam | | | '1' | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when NRF Client services are enabled. |
| nrf-client.nrf-client-nfdiscovery.envJaegerSamplerType | | | ratelimiting | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when NRF Client services are enabled. |
| nrf-client.nrf-client-nfdiscovery.envJaegerServiceName | | | pcf-nrf-client-nfdiscovery | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when NRF Client services are enabled. |

Here is a sample configuration for tracing in the occnp_custom_values_23.4.9.yaml file:
nrf-client-nfdiscovery:
    envJaegerSamplerParam: '1'
    envJaegerSamplerType: ratelimiting
    envJaegerServiceName: pcf-nrf-client-nfdiscovery
To configure tracing in nrfclientnfmanagement, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-22 Configurable Parameters for Tracing Configuration in nrfclientnfmanagement

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| nrf-client.nrf-client-nfmanagement.envJaegerSamplerParam | | | '1' | CNC Policy & PCF | Added in Release 1.7.1.0 | Applicable only when NRF Client services are enabled. |
| nrf-client.nrf-client-nfmanagement.envJaegerSamplerType | | | ratelimiting | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when NRF Client services are enabled. |
| nrf-client.nrf-client-nfmanagement.envJaegerServiceName | | | pcf-nrf-client-nfmanagement | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when NRF Client services are enabled. |

Here is a sample configuration for tracing in the occnp_custom_values_23.4.9.yaml file:
nrf-client-nfmanagement:
    envJaegerSamplerParam: '1'
    envJaegerSamplerType: ratelimiting
    envJaegerServiceName: pcf-nrf-client-nfmanagement

3.5 Database Name Configuration

This section describes the configuration parameters that can be used to customize the database names.

Note:

The database name specified in the occnp_custom_values_23.4.9.yaml file should be used while creating the database during installation. See Configuring Database, Creating Users, and Granting Permissions.

Note:

The values of the parameters mentioned in the occnp_custom_values_23.4.9.yaml file override the default values specified in the helm chart. If the envMysqlDatabase parameter is modified, then you should modify the configDbName parameter with the same value.

Table 3-23 Customizable Parameters for Database Name Configuration for PCF Services

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| am-service.envMysqlDatabase | Name of the database for AM-Service | No | occnp_pcf_am | CNC Policy & PCF | Added in Release 1.0 | Applicable only when AM service is enabled. |
| ue-service.envMysqlDatabase | Name of the database for UE-Service | No | occnp_pcf_ue | CNC Policy & PCF | Added in Release 1.0 | Applicable only when UE service is enabled. |
| sm-service.envMysqlDatabase | Name of the database for SM-Service | No | occnp_pcf_sm | CNC Policy & PCF | Added in Release 1.0 | Applicable only when SM service is enabled. |
| sm-service.envMysqlDatabaseUserService | Name of the database of User Service | No | occnp_pcf_user | CNC Policy & PCF | Deprecated in Release 1.10.0 | Applicable only when SM service is enabled. Value of this parameter should be same as the value of "user-service.envMysqlDatabase" parameter. |
| config-server.envMysqlDatabase | Name of the database for Config Server service | No | occnp_config_server | CNC Policy & PCF | Added in Release 1.0 | In case of Geo-redundancy, config-server database name for each site must be different. |
| queryservice.envMysqlDatabaseSmService | Specify the database name of SM service | Conditional | occnp_pcf_sm | CNC Policy & PCF | Added in Release 1.6.x | Value of this parameter should be same as the value of "sm-service.envMysqlDatabase" parameter. |

Table 3-24 Customizable Parameters for Database Name Configuration for Policy Data Source (PDS)

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| user-service.envMysqlDatabase | Name of the database for User-Service | No | occnp_pcf_user | CNC Policy & PCF | Deprecated in Release 1.10.0 | Applicable only when user service is enabled. |
| policyds.envMysqlDatabase | Name of the database for Policy DS Service | No | occnp_policyds | CNC Policy, PCF, & PCRF | Added in Release 1.9.0 | Applicable only when policyds is enabled. |
| policyds.envMysqlDatabaseConfigServer | Specify the database name of Config Server service. | No | occnp_config_server | CNC Policy, PCF, & PCRF | Added in Release 1.7.1 | Applicable only when policyds is enabled. |
| policyds.envPdsDbMigrationFlag | It is recommended to keep the value as false for this parameter in multi-site deployment. | No | false | CNC Policy, PCF, & PCRF | Updated in Release 22.1.x | When rolling back to 1.15.x, ensure that the value of this parameter is false. |

Table 3-25 Customizable Parameters for Database Name Configuration for PCRF Core Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| pcrf-core.envMysqlDatabase | Name of the database for PCRF-Core | No | occnp_pcrf_core | CNC Policy & cnPCRF | Added in Release 1.0 | Applicable only when pcrf-core service is enabled. |

Table 3-26 Customizable Parameters for Database Name Configuration for Binding Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| binding.envMysqlDatabase | Name of the database for Binding service | No | occnp_binding | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | Applicable only when binding service is enabled. |

Table 3-27 Customizable Parameters for Database Name Configuration for Audit Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| audit-service.envMysqlDatabase | Name of the database for Audit service | No | occnp_audit_service | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when Audit service is enabled. |

Table 3-28 Customizable Parameters for Database Name Configuration for CM Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| cm-service.envCommonConfigMysqlDatabase | Name of the database for CM service | No | occnp_commonconfig | CNC Policy, PCF, and PCRF | Added in Release 1.10.0 | Applicable only when CM service is enabled. |
| cm-service.envMysqlDatabase | Name of the database for CM service. | No | occnp_cmservice | CNC Policy, PCF, and PCRF | Added in Release 1.15.0 | Applicable only when CM service is enabled. |
| cm-service.envMysqlDatabaseConfigServer | Specify the database name of Config Server service. | No | occnp_config_server | CNC Policy, PCF, and PCRF | Added in Release 22.1.0 | Applicable only when CM service is enabled. |

Table 3-29 Customizable Parameters for Database Name Configuration for Notifier Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| notifier.envMysqlDatabaseConfigServer | Name of the database of Config Server for Notifier service. | No | occnp_config_server | CNC Policy & PCF | Added in Release 22.2.0 | Applicable only when Notifier service is enabled. |

Table 3-30 Customizable Parameters for Database Name Configuration for Usage Monitoring Service

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| usage-mon.envMysqlDatabase | Name of the database of Usage Monitoring service. | No | occnp_usagemon | CNC Policy, PCF & PCRF | Added in Release 22.2.0 | Applicable only when Usage Monitoring service is enabled. |

Here is a sample configuration for configurable parameters in occnp_custom_values_23.4.9.yaml file:

am-service:
  envMysqlDatabase: occnp_pcf_am

sm-service:
  envMysqlDatabase: occnp_pcf_sm
  

config-server:
  envMysqlDatabase: occnp_config_server

queryservice:
  envMysqlDatabaseSmService: occnp_pcf_sm
  

audit-service:
  envMysqlDatabase: occnp_audit_service

policyds: 
  envMysqlDatabase: 'occnp_policyds'
  envMysqlDatabaseConfigServer: 'occnp_config_server'

pcrf-core:
  # database name core service will connect to
  envMysqlDatabase: occnp_pcrf_core

binding:
  envMysqlDatabase: occnp_binding  
  

ue-service:
  envMysqlDatabase: occnp_pcf_ue
cm-service:
  envCommonConfigMysqlDatabase: occnp_commonconfig
  envMysqlDatabase: occnp_cmservice
  envMysqlDatabaseConfigServer: 'occnp_config_server'
notifier:
  envMysqlDatabaseConfigServer: 'occnp_config_server'
usage-mon:
  envMysqlDatabase: occnp_usagemon

Configuring Database Engine

The following table describes the parameter that you can configure to customize the default database engine used by CNC Policy:

Table 3-31 Customizable Parameters for Database Engine for CNC Policy

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| dbConfig.dbEngine | Defines the MySQL engine that is used by CNC Policy to store information in the MySQL database. | Yes | NDBCLUSTER | CNC Policy, PCF, and PCRF | Added in Release 22.1.0. | If the database engine is not NDBCLUSTER, then the value for this parameter can be changed only during fresh installation of CNC Policy. Do not change the value of this parameter during upgrade scenarios. |

Table 3-32 Customizable Parameters for Database Name Configuration for NRF Client

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.nrfClientDbName | Name of the database of NRF Client. | Yes | occnp_nrf_client | CNC Policy & PCF | Added in Release 23.4.0 | Applicable for NRF Client. |
| nrf-client-nfmanagement.dbConfig.leaderPodDbName | Name of the leader pod database for NRF Client. | Yes | occnp_leaderPodDb | CNC Policy & PCF | | Applicable for NRF Client. |

3.6 Database Load Balancing Configuration

This section describes the configurable parameters that can be used to configure connection load balancing across multiple MySQL nodes.

Table 3-33 Configurable Parameters for Database Load Balancing Configuration

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.envMysqlLoadBalancingEnabled | Specifies if the load balancing is enabled or disabled among all MySQL nodes. | No | false | CNC Policy, PCF, & cnPCRF | Updated in Release 1.10.4 | Applicable only to AM, SM, UE and PolicyDS services. It is recommended to set its value to true when MySQL connectivity with headless service from occne is used to connect with external database. |
| global.envMysqlDnsSrvEnabled | Specifies if services use DNS SRV records for connecting to MySQL servers. | No | false | CNC Policy, PCF, & cnPCRF | Added in 1.10.0 | Applicable only to AM, SM, UE and PolicyDS services. It is recommended to set its value to true when MySQL connectivity with headless service from occne is used to connect with external database. |
| global.envMysqlLoadBalanceHosts | Distributes read and/or write load across multiple MySQL server instances for Cluster. Users can configure it in the following two ways: (1) a list of MySQL nodes in comma-separated list format, [_host_1][:_port_],[_host_2][:_port_]. Example: 10.75.152.89:3306,10.75.152.86:3306 (2) a MySQL service name to load-balance by making use of DNS SRV records. Example: mysql-connectivity-service-headless.occne-infra.svc.policy-bastion. Note: For this method, make sure that global.envMysqlDnsSrvEnabled parameter is set to true. | No | NA | CNC Policy, PCF, & cnPCRF | Added in Release 1.10.4 | Configure this parameter only when global.envMysqlLoadBalancingEnabled parameter is set to true. |

3.7 Database Connection Timers Configuration

This section describes the configurable parameters that can be used to customize the database connection timers.

Note:

In this release, the parameters described in this section are applicable to only SM service and PolicyDS.

Table 3-34 Customizable Parameters for Database Connection Timers Configuration

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.mySql.connection.maxLifeTime | Specifies the maximum lifetime (in milliseconds) of a connection. | No | 540000 | CNC Policy & PCF | Added in Release 1.10.4 | |
| global.mySql.connection.idleTimeout | Specifies the maximum amount of time (in milliseconds) that a connection can remain idle. On the expiry of idle timer, the connection shall be closed. | No | 540000 | CNC Policy & PCF | Added in Release 1.10.4 | |
| global.mySql.connection.connectionTimeout | Specifies the maximum number of milliseconds the application shall wait to get a connection from pool. | No | 2000 | CNC Policy & PCF | Added in Release 1.10.4 | |
| global.mySql.connection.validationTimeout | Specifies the maximum number of milliseconds that the application shall wait for a connection to be validated as alive. | No | 500 | CNC Policy & PCF | Added in Release 1.10.4 | |
| global.mySql.connection.socketTimeout | Specifies the timeout (in milliseconds) on network socket operations for a database connection. | No | 3000 | CNC Policy & PCF | Added in Release 1.10.4 | |
| global.mySql.loadBalance.serverBlocklistTimeout | Specifies the time (in milliseconds) between two consecutive checks on servers which are unavailable, by controlling how long a server lives in the global blocklist. | No | 60000 | CNC Policy, PCF, PCRF Core | Added in Release 1.11.1 | Configure this parameter when global.envMysqlLoadBalancingEnabled is set to true. This parameter is applicable to only PolicyDS. |

Here is a sample configuration for configurable parameters in occnp_custom_values_23.4.9.yaml file:

mySql:
    connection:
      maxLifeTime: '540000'
      idleTimeout: '540000'
      connectionTimeout: '2000'
      validationTimeout: '500'
      socketTimeout: '3000'
    loadBalance:
      serverBlocklistTimeout: '60000'

This section describes the configurable parameters that can be used to resolve the database conflict.

Note:

These configurations are only available if the database is MySQL cluster (NDB).

Table 3-35 Configurable Parameters to enable or disable the Conflict Resolution

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.mySql.conflictResolution.ndbConflictResolutionEnabled | This flag is used to prevent data conflicts in georeplicated deployments. When there are multiple sites with real-time replication, if a session is updated at both sites simultaneously, this is considered as a conflict. This flag configures the MySQL cluster replication to compare the updated timestamp in the session record, so the conflicts can be automatically resolved. | No | True | CNC Policy and PCF | Added in Release 1.12.0 | This feature is only available if the database is MySQL cluster (NDB). For MySQL (innodb), the value for this flag must be set to false. Note: Even if it is a single-site cnPolicy NF deployment, set this parameter to true, as this keeps georedundancy and geo-replication enabled among the sites during multi-site deployment. |
| global.mySql.conflictResolution.useMaxDeleteWinInsConflictFn | This flag is used to update the Conflict Resolution Function to MAX_DEL_WIN_INS. | No | True | CNC Policy and PCF | Added in Release 22.4.0 | This feature is available if the NDB version is 8.0.30. If NDB version is less than 8.0.30, the value for this flag must be set to false. |

Here is a sample configuration for configurable parameters in occnp_custom_values_23.4.9.yaml file:

global:
    mySql:
      conflictResolution:
        ndbConflictResolutionEnabled: true 
        useMaxDeleteWinInsConflictFn: true
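
The database tables above state several cross-parameter rules that Helm itself does not enforce. The following pre-install check is an added example, not part of the Oracle package: it assumes the custom values file has already been parsed into nested dicts (for example with a YAML loader), that the NDB version is supplied by the caller, and that a single host name without a port denotes a DNS SRV service name (a heuristic). The function names and sample values are constructed for illustration.

```python
import re

# host[:port] entry, as in the page's list format (assumption: host names and IPv4 only).
HOST_PORT = re.compile(r"^[A-Za-z0-9._-]+(:\d{1,5})?$")


def get(values, dotted, default=None):
    """Look up a dotted parameter path (as written in the tables) in nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def as_bool(value):
    """Helm values may carry booleans as YAML booleans or as quoted strings."""
    return str(value).strip().lower() == "true"


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def check_db_settings(values, ndb_version=None):
    """Return findings for the cross-parameter rules stated in the tables."""
    findings = []

    # queryservice must point at the same database as sm-service.
    sm_db = get(values, "sm-service.envMysqlDatabase", "occnp_pcf_sm")
    qs_db = get(values, "queryservice.envMysqlDatabaseSmService", "occnp_pcf_sm")
    if sm_db != qs_db:
        findings.append(f"queryservice.envMysqlDatabaseSmService ({qs_db}) "
                        f"differs from sm-service.envMysqlDatabase ({sm_db})")

    # Load-balance hosts are valid only with load balancing enabled.
    lb_on = as_bool(get(values, "global.envMysqlLoadBalancingEnabled", False))
    srv_on = as_bool(get(values, "global.envMysqlDnsSrvEnabled", False))
    hosts = get(values, "global.envMysqlLoadBalanceHosts")
    if hosts and not lb_on:
        findings.append("envMysqlLoadBalanceHosts is set but "
                        "envMysqlLoadBalancingEnabled is not true")
    elif hosts:
        entries = [h.strip() for h in str(hosts).split(",")]
        if not all(HOST_PORT.match(e) for e in entries):
            findings.append("envMysqlLoadBalanceHosts is not a host[:port] list")
        elif len(entries) == 1 and ":" not in entries[0] and not srv_on:
            # Heuristic: one bare name is treated as a DNS SRV service name.
            findings.append("envMysqlLoadBalanceHosts looks like a service name "
                            "but envMysqlDnsSrvEnabled is not true")

    # Conflict resolution is available only on MySQL cluster (NDB).
    engine = str(get(values, "dbConfig.dbEngine", "NDBCLUSTER")).upper()
    base = "global.mySql.conflictResolution."
    if engine != "NDBCLUSTER" and as_bool(get(values, base + "ndbConflictResolutionEnabled", True)):
        findings.append(f"ndbConflictResolutionEnabled must be false for engine {engine}")

    # MAX_DEL_WIN_INS must be switched off below NDB 8.0.30.
    if (ndb_version is not None
            and as_bool(get(values, base + "useMaxDeleteWinInsConflictFn", True))
            and version_tuple(ndb_version) < (8, 0, 30)):
        findings.append(f"useMaxDeleteWinInsConflictFn must be false for NDB {ndb_version}")
    return findings


# Constructed sample values, not taken from a real deployment.
GOOD_VALUES = {
    "sm-service": {"envMysqlDatabase": "occnp_pcf_sm"},
    "queryservice": {"envMysqlDatabaseSmService": "occnp_pcf_sm"},
    "global": {"envMysqlLoadBalancingEnabled": True,
               "envMysqlLoadBalanceHosts": "10.75.152.89:3306,10.75.152.86:3306"},
}
BAD_VALUES = {
    "sm-service": {"envMysqlDatabase": "site1_pcf_sm"},
    "dbConfig": {"dbEngine": "InnoDB"},
    "global": {"envMysqlLoadBalancingEnabled": True,
               "envMysqlDnsSrvEnabled": False,
               "envMysqlLoadBalanceHosts":
                   "mysql-connectivity-service-headless.occne-infra.svc.policy-bastion"},
}

if __name__ == "__main__":
    for finding in check_db_settings(BAD_VALUES, ndb_version="8.0.28"):
        print("FINDING:", finding)
```
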

3.8 Configurations for DB Compression

3.8.1 PCRF-Core

The corresponding configurations are detailed as follows:

Important:

You must consult My Oracle Support (https://support.oracle.com) to enable or disable the application-based DB compression.

Table 3-36 DB Compression Configurations

Name Default Value custom.yaml Configurable Helm Configurable Advanced Settings Configurable Description
DB_COMPRESSION_MYSQL_ENABLED false mySqlDbCompressionEnabled: 'false' Yes No Enables or disables MySQL based data compression for 'value' column in the gxsession, rxsession, and sdsession tables in pcrf-core.

Possible values: 'true', 'false'.

DB_COMPRESSION_MYSQL_COMPRESSIONSCHEME 0 mySqlDbCompressionScheme: '0' Yes No For a record inserted or updated in pcrf-core's gxsession, rxsession and/or sdsession table, a column named 'compression_scheme' in those tables will reflect this (0/1) value.

Possible values: '0': represents DISABLED '1': represents ZLIB_COMPRESSION_MYSQL

Table 3-37 Miscellaneous Configurations

Name Default Value custom.yaml Configurable Helm Configurable Advanced Settings Configurable Description
DIAMETER_MSG_BUFFER_THREAD_COUNT 60 diameterMsgBufferThreadCount: 60 Yes No

The number of threads that will be used to process read Diameter messages and process to completion. If this is set to 0, then the MsgBuffer will not be used, and the ReadThreads will process the message to completion. Using this thread pool gives you reduced latency at the expense of throughput.

Note: It is recommended not to change this value without consulting My Oracle Support (https://support.oracle.com), as optimal value for this configuration depends on many factors.

DIAMETER_MSG_BUFFER_QUEUE_SIZE 8192 diameterMsgBufferQueueSize: 8192 Yes No The size of the queue holding pending messages which have been read off the socket, but not yet processed.

Note: It is recommended not to change this value without consulting My Oracle Support (https://support.oracle.com), as optimal value for this configuration depends on many factors.

ADMISSION_DIAMETER_REQUESTPROCESSINGLIMIT 5000 diameterRequestProcessingLimit: '5000' Yes No Specifies the maximum amount of time, in milliseconds, a request can be processed before being dropped, if no answer has been sent.

Possible values: The value of this key can be less than or equal to "Response Timeout (sec)" configuration in Policy.

PRRO_JDBC_QUERY_TIMEOUT 2000 envDbQueryTimeout: 2000 Yes No Specifies the timeout on JDBC statements, in milliseconds. When timeouts are set, the driver would wait for the given number of seconds for the query to execute and throw an SQLTimeoutException if it does not respond within that time.

3.8.2 SM Service

This section describes the customizations that you should make in custom-value.yaml files to configure DB Compression in SM Service.

To configure DB Compression in SM Service, you should configure the following configurable parameter in custom-value.yaml file:

Table 3-38 Configurable Parameters for DB Compression in SM Service

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
|---|---|---|---|---|---|
| smDataCompressionScheme | Specifies the control of "Data Compression Scheme" configuration in SM Service during install or upgrade. Possible values: 0, 1, or 2. | Optional | 0 | CNC Policy & PCF | 23.2.0 |

3.8.3 PA Service

This section describes the customizations that you should make in custom-value.yaml files to configure DB Compression in PA Service.

To configure DB Compression in PA Service, you should configure the following configurable parameter in custom-value.yaml file:

Table 3-39 Configurable Parameters for DB Compression in PA Service

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
|---|---|---|---|---|---|
| paDataCompressionScheme | Specifies the control of "Data Compression Scheme" configuration in PA Service during install or upgrade. Possible values: 0, 1, or 2. | Optional | 0 | CNC Policy & PCF | 23.2.0 |

3.9 NRF Client Configuration

This section describes the NRF Client configuration parameters.

Note:

These configurations are required when CNC Policy is required to register with NRF. Before configuring NRF client configuration, you must enable NRF Client services.
To configure these parameters, you should configure the following configurable parameters in the occnp_custom_values_23.4.9.yaml file:

Table 3-40 Configurable Parameters for NRF Client Configuration

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
|---|---|---|---|---|---|---|
| global.nrfClientDbName | Contains the occnp_nrf_client database name in the global parameters. | Yes | occnp_nrf_client | CNC Policy & PCF | Added in 23.4.0 | |
| global.deploymentNrfClientService.envNfNamespace | Specifies the Kubernetes namespace of Policy. | Yes | Not Applicable | CNC Policy & PCF | Added in Release 1.6.x | |
| nrf-client.configmapApplicationConfig | This config map is used to provide inputs to NRF-Client. | Yes | Not Applicable | CNC Policy & PCF | | |
| &configRef | This reference variable is used to take the input from the config map. | Yes | Not Applicable | CNC & Policy | Added in Release 1.14.0 | Users must not make any alterations to this variable. |
| nrf-client.configmapApplicationConfig.profile | Contains configuration parameters that go into nrf-client's config map | Yes | Not Applicable | CNC Policy & PCF | Added in Release 1.6.x | Refer config-map table for configurable parameters. |
| appinfo.infraServices | Specifies the URI for the health check of InfraServices that need to be monitored. Examples: http://mysql-cluster-db-monitor-svc.vzw1-cndbtier:8080/actuator/health and http://mysql-cluster-db-replication-svc.vzw1-cndbtier/actuator/health. Uncomment this parameter and set this parameter to an empty array if any one of following conditions is true: deploying on OCCNE 1.4 or lower version; not deploying on OCCNE; do not wish to monitor infra services such as db-monitor service. | Conditional | Not Applicable | CNC Policy & PCF | Added in Release 1.7.1 | This parameter uses the default namespace - occne-infra. If cnDBTier is used to deploy CNC Policy, this field must be updated accordingly. |
| appinfo.core_services.pcf | Specifies the list of PCF services to be monitored. | Optional | - '{{ template "service-name-pcf-sm" . }}' - '{{ template "service-name-pcf-am" . }}' - '{{ template "service-name-pcf-ue" . }}' | CNC Policy & PCF | Added in Release 1.14.0 | |
| appinfo.core_services.common | Specifies the list of common services to be monitored. | Optional | - '{{ template "service-name-ingress-gateway" . }}' - '{{ template "service-name-oc-diam-gateway" . }}' - '{{ template "service-name-nrf-client-nfmanagement" . }}' | CNC Policy & PCF | Added in Release 1.14.0 | |
| perf-info.configmapPerformance.prometheus | Specifies Prometheus server URL | Conditional | http://occne-prometheus-server.occne-infra | CNC Policy & PCF | Added in Release 1.0 | If no value is specified, PCF reported 0 loads to NRF. |
| notifySemanticValidationEnabled | Specifies whether to enable or disable the NFProfile validations. | Mandatory | True | CNC Policy & PCF | Added in Release 23.2.0 | NA |

Note:

For perf-info.configmapPerformance.prometheus parameter, you must provide URL in proper format, along with at least three configuration items. If any of the configuration items, as shown in the following sample code, is not provided, perf-info service may not work. If jaeger is not enabled, the jaeger and jaeger_query_url parameters can be omitted. The sample values must be updated to match the Kubernetes environment.

perf-info:
  serviceMeshCheck: *serviceMeshEnabled
  istioSidecarReadyUrl: *istioSidecarReadyUrl
  istioSidecarQuitUrl: *istioSidecarQuitUrl
  configmapPerformance:
    prometheus: http://occne-prometheus-server.occne-infra.svc
    jaeger: jaeger-agent.occne-infra
    jaeger_query_url: http://jaeger-query.occne-infra

Configurable parameters NRF Client Configuration

Parameter Description Allowed Values Applicable to Deployment Added/Deprecated/Updated in Release Notes
configmapApplicationConfig.profile.primaryNrfApiRoot Primary NRF hostname and port <Hostname/IP>:<Port> valid api root CNC Policy & PCF Added in Release 1.6.x For Example: nrf1-api-gateway.svc:80
configmapApplicationConfig.profile.SecondaryNrfApiRoot secondary NRF hostname and port <Hostname/IP>:<Port> valid api root CNC Policy & PCF Added in Release 1.6.x For Example: nrf2-api-gateway.svc:80
configmapApplicationConfig.profile.retryAfterTime When primary NRF is down, this will be the wait Time (in ISO 8601 duration format) after which request to primary NRF will be retried to detect primary NRF's availability. valid ISO 8601 duration format CNC Policy & PCF Added in Release 1.6.x For Example: PT120S
configmapApplicationConfig.profile.nrfClientType The NfType of the NF registering. This should be set to PCF. PCF CNC Policy & PCF Added in Release 1.6.x  
configmapApplicationConfig.profile.nrfClientSubscribeTypes NF Type(s) for which the NF wants to discover and subscribe to the NRF. BSF,UDR,CHF CNC Policy & PCF Added in Release 1.6.x Leave blank if PCF does not require.
configmapApplicationConfig.profile.appProfiles NfProfile of PCF to be registered with NRF. Valid NF Profile CNC Policy & PCF Added in Release 1.6.x It is a 3GPP defined data type. To know more about its attributes, refer to 3GPP TS 29.510 version 16.4.0 Release 16.

During fresh install the value of this parameter is loaded into the database and then used to trigger NfRegister or NfUpdate operation to NRF. For any subsequent changes to appProfile, REST API or CNC Console must be used. For more information, see Oracle Communications Cloud Native Core Policy REST Specification Guide or Oracle Communications Cloud Native Core Policy User Guide.

configmapApplicationConfig.profile.enableF3 Support for 29.510 Release 15.3 true/false CNC Policy & PCF Added in Release 1.6.x  
configmapApplicationConfig.profile.enableF5 Support for 29.510 Release 15.5 true/false CNC Policy & PCF Added in Release 1.6.x  
configmapApplicationConfig.profile.renewalTimeBeforeExpiry Time Period(seconds) before the Subscription Validity time expires Time in seconds CNC Policy & PCF Added in Release 1.6.x For Example: 3600 (1hr)
configmapApplicationConfig.profile.validityTime The default validity time(days) for subscriptions Time in days CNC Policy & PCF Added in Release 1.6.x For Example: 30 (30 days)
configmapApplicationConfig.profile.enableSubscriptionAutoRenewal Enable Renewal of Subscriptions automatically true/false CNC Policy & PCF Added in Release 1.6.x  
configmapApplicationConfig.profile.nfHeartbeatRate The default rate at which the NF shall heartbeat with the NRF. The value shall be configured in terms of percentage(1-100). If the heartbeatTimer is 60s, then the NF shall heartbeat at nfHeartBeatRate * 60/100 80 CNC Policy & PCF Added in Release 1.14.0  
configmapApplicationConfig.profile.acceptAdditionalAttributes Enable additional Attributes as part of 29.510 Release 15.5 true/false CNC Policy & PCF Added in Release 1.6.x  
configmapApplicationConfig.profile.enableVirtualNrfResolution enable virtual NRF session retry by Alternate routing service true/false CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.virtualNrfFqdn virtual NRF FQDN used to query static list of route nrf.oracle.com CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.virtualNrfScheme Scheme to be used with the virtual FQDN http or https CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.virtualNrfPort port number   CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.requestTimeoutGracePeriod An additional grace period where no response is received from the NRF. This additional period shall be added to the requestTimeout value. This will ensure that the egress-gateway shall first timeout, and send an error response to the NRF-client. integer value CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig Configurations required for the NRF Retry mechanism   CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.serviceRequestType Specifies the type of service request.
  • ALL_REQUESTS
  • AUTONOMOUS_NFREGISTER
  • AUTONOMOUS_NFSTATUS_SUBSCRIBE
  • AUTONOMOUS_NFUNSUBSCRIBE
  • AUTONOMOUS_NFSUBSCRIBE_UPDATE
  • AUTONOMOUS_NFDISCOVER
  • AUTONOMOUS_NFHEARTBEAT
  • AUTONOMOUS_NFPATCH
  • NFREGISTER
  • NFUPDATE
  • NF_STATUS_SUBSCRIBE
  • NFDISCOVER
  • NF_SUBSCRIBE_UPDATE
  • NF_UNSUBSCRIBE
  • NFDEREGISTER
  • NF_PROFILE_RETRIEVAL
  • NF_LIST_RETRIEVAL

Note: serviceRequestType: "ALL_REQUESTS" is the mandatory configuration and will be applicable to all serviceRequest types, but if custom config is required for any serviceRequestType, then it can be defined accordingly.

CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.primaryNRFRetryCount Specifies the number of times a service request is retried to the primary NRF in case of failure.   CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.nonPrimaryNRFRetryCount Specifies the number of times a service request is retried to the non-primary NRF in case of failure.   CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.alternateNRFRetryCount Specifies the number of alternate NRFs that are retried in case of failure. When the value is specified as -1, all available NRF instances are tried.   CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.errorReasonsForFailure Specifies the HTTP status codes or exceptions for which retry is attempted.
  • All non 2xx HTTP status codes
  • SocketTimeoutException
  • JsonProcessingException
  • UnknownHostException
  • NoRouteToHostException
CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.gatewayErrorCodes Specifies the HTTP status codes sent by the Egress Gateway for which retry is attempted. All HTTP Status codes CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.nrfRetryConfig.requestTimeout Specifies the timeout period where no response is received from the Egress Gateway. 10 seconds CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.healthCheckConfig Configurations required for the Health check of NRFs   CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.healthCheckConfig.healthCheckCount Specifies the number of consecutive success or failures responses required to mark an NRF instance healthy or unhealthy.

-1,Values greater than 0.

-1 denotes that the feature is disabled

CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.healthCheckConfig.healthCheckInterval Specifies the interval at which a health check of an NRF is performed. 5 seconds CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.healthCheckConfig.requestTimeout Specifies the timeout period where no response is received from the Egress Gateway. 10 seconds CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.healthCheckConfig.errorReasonsForFailure Specifies the HTTP status codes or exceptions for which retry is attempted.
  • 500
  • 503
  • 504
  • SocketTimeoutException
  • JsonProcessingException
  • UnknownHostException
  • NoRouteToHostException
CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.healthCheckConfig.gatewayErrorCodes Specifies the HTTP status codes sent by the Egress Gateway for which retry is attempted.

All HTTP Status codes

CNC Policy & PCF Added in Release 1.9.0  
configmapApplicationConfig.profile.supportedDataSetId The data-set value to be used in queryParams for NFs autonomous/on-demand discovery. POLICY CNC Policy & PCF Added in Release 1.7.1  
configmapApplicationConfig.profile.discoveryRefreshInterval

Defines the maximum ValidityPeriod for discovery results to be refreshed. The ValidityPeriod received in the discovery response shall be capped at this value.

If ValidityPeriod received in discovery results is 60s, it will be capped to 10s as per configuration. If ValidityPeriod received in discovery results is 5s, no capping is applied and it is considered as 5s.

time in seconds 10 Added in Release 22.4.0  
configmapApplicationConfig.profile.discoveryDurationBeforeExpiry Defines the rate at which the NF shall resend discovery requests to NRF.

If the discovery ValidityPeriod is 10s (after applying the capped value of discoveryRefreshInterval), then the discovery requests shall be sent at discoveryDurationBeforeExpiry * 10/100.

terms of percentage(1-100) 90 Added in Release 22.4.0  
configmapApplicationConfig.profile.enableDiscoveryRefresh Flag to enable Automatic Discovery Refresh true/false false Added in Release 22.4.0  
configmapApplicationConfig.profile.enableRediscoveryIfNoProdNFs Flag to enable rediscovery when no producer NFs are available true/false false Added in Release 22.4.0  
configmapApplicationConfig.profile.offStatesForRediscoveryIfNoProdNFs Comma separated value for states to consider producer NFs as not available SUSPENDED,UNDISCOVERABLE,DEREGISTERED SUSPENDED,UNDISCOVERABLE,DEREGISTERED Added in Release 22.4.0  
configmapApplicationConfig.profile.discoveryRetryInterval Retry Interval after a failed autonomous discovery request time 2000 Added in Release 22.4.0  
configmapApplicationConfig.profile.nrfRouteList This attribute can be used when more than two NRFs are required to be configured. Either the primaryNrfApiRoot and secondaryNrfApiRoot OR this attribute can be used. If this attribute is to be used, useNrfRouteList can be set to true.     Added in Release 23.1.0  
configmapApplicationConfig.profile.useNrfRouteList This attribute indicates that nrfRouteList can be used instead of primaryNrfApiRoot and secondaryNrfApiRoot. true/false   Added in Release 23.1.0  
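
The profile block is a list of key=value lines in which several values are single-line JSON documents, so a stray brace in nrfRouteList or a missing ALL_REQUESTS entry is easy to overlook before install. The following linter is an added example, not Oracle tooling: it checks only rules stated in the table above, its function names and both sample profiles are constructed, and the ISO 8601 pattern is a simplified assumption.

```python
import json
import re

# Keys whose values are JSON documents in the profile block.
JSON_KEYS = ("appProfiles", "healthCheckConfig", "nrfRetryConfig", "nrfRouteList")
# Keys the parameter table defines as percentages (1-100).
PERCENT_KEYS = ("discoveryDurationBeforeExpiry", "nfHeartbeatRate")
# Simplified ISO 8601 duration (assumption: days/hours/minutes/seconds only).
ISO_DURATION = re.compile(r"^P(?=.)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def parse_profile(text):
    """Split the profile into a dict; '[appcfg]' headers, comments and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def lint_profile(text):
    """Return a list of findings; an empty list means no rule was violated."""
    params = parse_profile(text)
    findings, decoded = [], {}

    for key in JSON_KEYS:
        if key in params:
            try:
                decoded[key] = json.loads(params[key])
            except json.JSONDecodeError as exc:
                findings.append(f"{key}: invalid JSON ({exc.msg} at column {exc.colno})")

    # ALL_REQUESTS is the mandatory nrfRetryConfig entry.
    if "nrfRetryConfig" in decoded:
        retry = decoded["nrfRetryConfig"]
        entries = retry if isinstance(retry, list) else []
        types = {e.get("serviceRequestType") for e in entries if isinstance(e, dict)}
        if "ALL_REQUESTS" not in types:
            findings.append("nrfRetryConfig: mandatory ALL_REQUESTS entry is missing")

    # healthCheckCount accepts -1 (feature disabled) or values greater than 0.
    health = decoded.get("healthCheckConfig")
    if isinstance(health, dict):
        count = health.get("healthCheckCount")
        if not (isinstance(count, int) and (count == -1 or count > 0)):
            findings.append("healthCheckConfig.healthCheckCount: must be -1 or greater than 0")

    for key in PERCENT_KEYS:
        if key in params and not (params[key].isdigit() and 1 <= int(params[key]) <= 100):
            findings.append(f"{key}: must be a percentage in 1-100")

    if "retryAfterTime" in params and not ISO_DURATION.match(params["retryAfterTime"]):
        findings.append("retryAfterTime: not an ISO 8601 duration")

    # Either nrfRouteList (with useNrfRouteList=true) or primaryNrfApiRoot selects the NRF.
    use_list = params.get("useNrfRouteList", "false").lower() == "true"
    if use_list and "nrfRouteList" not in params:
        findings.append("useNrfRouteList=true but nrfRouteList is not set")
    if not use_list and "primaryNrfApiRoot" not in params:
        findings.append("neither nrfRouteList nor primaryNrfApiRoot selects an NRF")
    return findings


def discovery_refresh_delay(validity_period, refresh_cap, before_expiry_pct):
    """Seconds until re-discovery: ValidityPeriod capped at discoveryRefreshInterval,
    then scaled by discoveryDurationBeforeExpiry (a percentage)."""
    return min(validity_period, refresh_cap) * before_expiry_pct / 100


# Constructed sample profiles, not taken from a real deployment.
GOOD_PROFILE = """
[appcfg]
primaryNrfApiRoot=nrf1-api-gateway.svc:80
secondaryNrfApiRoot=nrf2-api-gateway.svc:80
retryAfterTime=PT120S
nrfClientType=PCF
nfHeartbeatRate=80
nrfRetryConfig=[{"serviceRequestType":"ALL_REQUESTS","primaryNRFRetryCount":1,"alternateNRFRetryCount":-1}]
healthCheckConfig={"healthCheckCount":-1,"healthCheckInterval":5,"requestTimeout":10}
"""
BAD_PROFILE = """
useNrfRouteList=true
nrfRouteList=[{"nrfApi":"nrf-a.example:8080","scheme":"http","priority":1},},{"nrfApi":"nrf-b.example:8080","scheme":"http","priority":2}]
[appcfg]
retryAfterTime=120s
nfHeartbeatRate=0
nrfRetryConfig=[{"serviceRequestType":"AUTONOMOUS_NFREGISTER","primaryNRFRetryCount":1}]
healthCheckConfig={"healthCheckCount":0,"healthCheckInterval":5}
"""

if __name__ == "__main__":
    for finding in lint_profile(BAD_PROFILE):
        print("FINDING:", finding)
```
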
Here is a sample configuration for NRF client in occnp_custom_values_23.4.9.yaml file:
appinfo:
  serviceAccountName: ''
  # Set Infrastructure services to empty array if any one of below condition is met 
  #  1. Deploying on occne 1.4 or lesser version
  #  2. Not deploying on OCCNE
  #  3. Do not wish to monitor infra services such as db-monitor service
  # then the below mentioned attribute 'infraServices' should be uncommented and empty array should be passed as already mentioned.
  #infraServices: []

perf-info:
  configmapPerformance:
    prometheus: ''
nrf-client:
  # This config map is for providing inputs to NRF-Client
  configmapApplicationConfig:
    # primaryNrfApiRoot - Primary NRF Hostname and Port
    # SecondaryNrfApiRoot - Secondary NRF Hostname and Port
    # retryAfterTime - Default downtime(in ISO 8601 duration format) of an NRF detected to be unavailable.
    # nrfClientType - The NfType of the NF registering
    # nrfClientSubscribeTypes - the NFType for which the NF wants to subscribe to the NRF.
    # appProfiles - The NfProfile of the NF to be registered with NRF.
    # enableF3 - Support for 29.510 Release 15.3
    # enableF5 - Support for 29.510 Release 15.5
    # renewalTimeBeforeExpiry - Time Period(seconds) before the Subscription Validity time expires.
    # validityTime - The default validity time(days) for subscriptions.
    # enableSubscriptionAutoRenewal - Enable Renewal of Subscriptions automatically.
    # acceptAdditionalAttributes - Enable additionalAttributes as part of 29.510 Release 15.5
    # enableVirtualNrfResolution=false
    # virtualNrfFqdn=nf1stub.ocpcf.svc:8080
    # virtualNrfScheme=http
    # virtualNrfPort=8080
    # requestTimeoutGracePeriod=2
    # nrfRetryConfig=[{ "serviceRequestType": "ALL_REQUESTS", "primaryNRFRetryCount": 1, "nonPrimaryNRFRetryCount" : 1, "alternateNRFRetryCount" : -1, "errorReasonsForFailure": [503,504,500,"SocketTimeoutException","JsonProcessingException","UnknownHostException","NoRouteToHostException", "IOException"], "gatewayErrorCodes": [503,429], "requestTimeout": 100 },{"serviceRequestType": "AUTONOMOUS_NFREGISTER", "primaryNRFRetryCount": 1, "nonPrimaryNRFRetryCount": 1, "alternateNRFRetryCount": -1, "errorReasonsForFailure": [503,504,500,"SocketTimeoutException","JsonProcessingException","UnknownHostException","NoRouteToHostException", "IOException"], "gatewayErrorCodes": [503,429], "requestTimeout": 100 }]
    # healthCheckConfig={ "healthCheckCount": -1, "healthCheckInterval": 5, "requestTimeout": 10, "errorReasonsForFailure": [503,504,500,"SocketTimeoutException","JsonProcessingException","UnknownHostException","NoRouteToHostException", "IOException"], "gatewayErrorCodes": [503,429] }
   profile: |-
    nrfRouteList=[{"nrfApi":"nrfDeployName-nrf-1:8080","scheme":"http","weight":100,"priority":1},{"nrfApi":"nrfDeployName-nrf-2:8080","scheme":"http","weight":100,"priority":2},{"nrfApi":"nrfDeployName-nrf-3:8080","scheme":"http","weight":100,"priority":3}]
    useNrfRouteList=true
    [appcfg]
    primaryNrfApiRoot=nrf1-api-gateway.svc:80
    secondaryNrfApiRoot=nrf2-api-gateway.svc:80
    nrfScheme=http
    retryAfterTime=PT120S
    nrfClientType=PCF
    nrfClientSubscribeTypes=CHF,UDR,BSF
    appProfiles=[{ "nfInstanceId": "fe7d992b-0541-4c7d-ab84-c6d70b1b0123", "nfSetIdList": ["set1yz.pcfset.5gc.mnc012.mcc345", "set1a.pcfset.5gc.mnc112.mcc345"], "nfType": "PCF", "nfStatus": "REGISTERED", "plmnList": null, "nsiList": null, "fqdn": "occnp-ocpm-ingress-gateway.ocpcf.svc", "interPlmnFqdn": null, "ipv4Addresses": null, "ipv6Addresses": null, "priority": null, "capacity": null, "load": 80, "locality": null, "pcfInfo": { "dnnList": [ "internet", "volte" ], "supiRanges": [ { "start": "12123444444", "end": "232332323323232", "pattern": null } ] }, "customInfo": null, "recoveryTime": null, "nfServices": [ { "serviceInstanceId": "03063893-cf9e-4f7a-9827-067f6fa9dd01", "serviceName": "npcf-am-policy-control", "versions": [ { "apiVersionInUri": "v1", "apiFullVersion": "1.0.0", "expiry": null } ], "scheme": "http", "nfServiceStatus": "REGISTERED", "fqdn": "occnp-ocpm-ingress-gateway.ocpcf.svc", "interPlmnFqdn": null, "ipEndPoints": null, "apiPrefix": null, "defaultNotificationSubscriptions": null, "allowedPlmns": null, "allowedNfTypes": [ "AMF", "NEF" ], "allowedNfDomains": null, "allowedNssais": null, "priority": null, "capacity": null, "load": null, "recoveryTime": null, "supportedFeatures": null }, { "serviceInstanceId": "03063893-cf9e-4f7a-9827-067f6fa9dd02", "serviceName": "npcf-smpolicycontrol", "versions": [ { "apiVersionInUri": "v1", "apiFullVersion": "1.0.0", "expiry": null } ], "scheme": "http", "nfServiceStatus": "REGISTERED", "fqdn": "occnp-ocpm-ingress-gateway.ocpcf.svc", "interPlmnFqdn": null, "ipEndPoints": null, "apiPrefix": null, "defaultNotificationSubscriptions": null, "allowedPlmns": null, "allowedNfTypes": [ "SMF", "NEF", "AF" ], "allowedNfDomains": null, "allowedNssais": null, "priority": null, "capacity": null, "load": null, "recoveryTime": null, "supportedFeatures": null }, { "serviceInstanceId": "03063893-cf9e-4f7a-9827-067f6fa9dd03", "serviceName": "npcf-ue-policy-control", "versions": [ { "apiVersionInUri": "v1", "apiFullVersion": "1.0.0", "expiry": null } ], "scheme": "http", "nfServiceStatus": "REGISTERED", "fqdn": "occnp-ocpm-ingress-gateway.ocpcf.svc", "interPlmnFqdn": null, "ipEndPoints": null, "apiPrefix": null, "defaultNotificationSubscriptions": null, "allowedPlmns": null, "allowedNfTypes": [ "AMF" ], "allowedNfDomains": null, "allowedNssais": null, "priority": null, "capacity": null, "load": null, "recoveryTime": null, "supportedFeatures": null } ]}]
    enableF3=true
    enableF5=true
    renewalTimeBeforeExpiry=3600
    validityTime=30
    enableSubscriptionAutoRenewal=true
    nfHeartbeatRate=80
    acceptAdditionalAttributes=false
    supportedDataSetId=POLICY
    discoveryRefreshInterval=10
    discoveryDurationBeforeExpiry=90
    enableDiscoveryRefresh=false
    enableRediscoveryIfNoProdNFs=false
    offStatesForRediscoveryIfNoProdNFs=SUSPENDED,UNDISCOVERABLE,DEREGISTERED
    discoveryRetryInterval=2000

Note:

For using TLS during deployment, the value of the profile.nrfScheme and appProfiles.scheme parameters must be set to https.
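
A pre-deployment check for the TLS note above, as an added example that is not part of the Oracle documentation or product: it parses a profile body in the layout shown and reports every scheme setting that is not https. It goes beyond the note by also checking the scheme field of nrfRouteList entries and by flagging JSON values that do not parse or that wrap onto a second line; the function names and the sample hosts and IDs are constructed for illustration.

```python
import json
import re

# Constructed sample in the layout of the profile shown above (hosts and IDs are made up).
SAMPLE_PROFILE = """\
nrfRouteList=[{"nrfApi":"nrf-a.example:8443","scheme":"https","weight":100,"priority":1},{"nrfApi":"nrf-b.example:8080","scheme":"http","weight":100,"priority":2}]
useNrfRouteList=true
[appcfg]
primaryNrfApiRoot=nrf1-api-gateway.svc:443
nrfScheme=http
appProfiles=[{"nfInstanceId":"00000000-0000-4000-8000-000000000001","nfType":"PCF","nfServices":[{"serviceName":"npcf-smpolicycontrol","scheme":"https"},{"serviceName":"npcf-am-policy-control","scheme":"http"}]}]
"""


def parse_profile(text):
    """Parse the key=value body; '#' comments and [section] headers are skipped."""
    props = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.fullmatch(r"\[\w+\]", line):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep or not re.fullmatch(r"\w+", key.strip()):
            # A JSON value wrapped onto a second line lands here: it has no key of its own.
            raise ValueError(f"line {number}: not a key=value entry")
        props[key.strip()] = value.strip()
    return props


def _load(props, key, findings):
    """Decode a JSON-valued property, recording a finding instead of raising."""
    if key not in props:
        return []
    try:
        value = json.loads(props[key])
    except json.JSONDecodeError as exc:
        findings.append((key, f"invalid JSON at column {exc.colno}"))
        return []
    return value if isinstance(value, list) else [value]


def audit_tls(text):
    """Return (location, value) for every scheme setting that is not 'https'."""
    props = parse_profile(text)
    findings = []

    def check(location, value):
        if str(value).lower() != "https":
            findings.append((location, value))

    check("nrfScheme", props.get("nrfScheme"))  # a missing key is reported as None
    for i, profile in enumerate(_load(props, "appProfiles", findings)):
        for j, service in enumerate(profile.get("nfServices") or []):
            check(f"appProfiles[{i}].nfServices[{j}].scheme", service.get("scheme"))
    for i, route in enumerate(_load(props, "nrfRouteList", findings)):
        check(f"nrfRouteList[{i}].scheme", route.get("scheme"))
    return findings


if __name__ == "__main__":
    for location, value in audit_tls(SAMPLE_PROFILE):
        print(f"{location}: {value}")
```

An empty result means every scheme in the profile is https; any other result lists the settings to correct before a TLS deployment.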

Table 3-41 Configurable Parameters for nrf-client-nfdiscovery

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| nrf-client.nrf-client-nfdiscovery.configmapApplicationConfig | This config map is used to provide inputs to NRF Client for NF discovery. | Yes | Not Applicable | CNC Policy & PCF | Added in Release 1.14.0 | |

Table 3-42 Configurable Parameters for nrf-client-nfmanagement

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| nrf-client.nrf-client-nfmanagement.configmapApplicationConfig | This config map is used to provide inputs to NRF Client for NF management. | Yes | Not Applicable | CNC Policy & PCF | Added in Release 1.14.0 | |

3.10 PCRF-Core Configurations

This section describes the customizations that are made in the occnp_custom_values_23.4.9.yaml file to customize PCRF-Core configurations.

Table 3-43 Configurable Parameters for Pcrf-core Configuration

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| pcrf-core.envMysqlDatabase | Database name the pcrf-core service will connect to. | Yes | Not applicable | CNC Policy, PCF, & PCRF | Added in Release 1.7.1 | |
| pcrf-core.envDiameterRealm | Diameter Realm of PCRF | Yes | Not applicable | CNC Policy, PCF, & PCRF | Added in Release 1.7.1 | Applicable only when diameter gateway is enabled. Note: Example: oracle.com |
| pcrf-core.envDiameterIdentity | Diameter Host of PCRF diameter gateway | Yes | Not applicable | CNC Policy, PCF, & PCRF | Added in Release 1.7.1 | Applicable only when diameter gateway is enabled. Note: Example: oc-diam-gateway |
| pcrf-core.envDbQueryTimeout | Database Query Timeout | Yes | 0 | CNC Policy, PCF, & PCRF | Added in Release 22.4.5 | Represents a JDBC statement timeout, in milliseconds. When timeouts are set, the driver would wait for the given number of seconds for the query to execute (i.e. executeQuery and executeUpdate) and throw an SQLTimeoutException if there is no response within that time. Note: It is recommended to set this value to zero during install/upgrade. |

Here is a sample configuration in occnp_custom_values_23.4.9.yaml file:

pcrf-core: # database name core service will connect to
  envMysqlDatabase: occnp_pcrf_core
  envDiameterRealm: ''
  envDiameterIdentity: 'pcrf-core'
  envDbQueryTimeout: 2000

Load Shedding through Admission Control in PCRF-Core

Important:

These advanced configurations must not be used without consulting My Oracle Support (https://support.oracle.com).

Table 3-44 Advanced Configuration for Load Shedding

ADMISSION.Level<i>.BusyThreshold
  Description: The number of outstanding messages required to enter this level of busy.
  Type: Int
  Notes/Examples:
    Key: ADMISSION.Level1.BusyThreshold
    Value: 300
    Note: “i” represents the busy level number.

ADMISSION.Level<i>.BusyTime
  Description: The minimum amount of time (in milliseconds) the system needs to have crossed the busy threshold before entering this level of busy.
  Type: Int
  Notes/Examples:
    Key: ADMISSION.Level1.BusyTime
    Value: 300
    Note: “i” represents the busy level number.

ADMISSION.Level<i>.ClearThreshold
  Description: The maximum number of outstanding messages allowed to clear this level of busy.
  Type: Int
  Notes/Examples:
    Key: ADMISSION.Level1.ClearThreshold
    Value: 150
    Note: “i” represents the busy level number.

ADMISSION.Level<i>.ClearTime
  Description: The minimum amount of time (in milliseconds) the system needs to have crossed the clear threshold before clearing this level of busy.
  Type: Int
  Notes/Examples:
    Key: ADMISSION.Level1.ClearTime
    Value: 500
    Note: “i” represents the busy level number.

ADMISSION.Level<i>.Action
  Description: Action to apply to any messages not matching any filters at this busy level. The possible values for Action are:
    • DROP
    • Name of a Result-Code or Experimental-Result-Code (e.g. DIAMETER_TOO_BUSY)
    • Custom Result-Code or Experimental-Result-Code entered as vendorid:code (e.g. 10415:5011).
  Type: Int
  Notes/Examples:
    Key: ADMISSION.Level1.Action
    Value: DIAMETER_TOO_BUSY
    Note: “i” represents the busy level number.

ADMISSION.Level<i>.DiameterRule<j>.Filter
  Description: Filter to apply when determining which messages match this rule and should have the defined action applied.
    “j” represents the rule number. “j” shall start at 1 for the first rule and increment monotonically by 1 for each subsequent rule.
    The syntax of the filter is as follows: <AppName>[/<MsgName>[/<AVPList>]].
    The brackets denote “optionality”. As such, the MsgName and AVPList are optional.
    The “/” (slash) is used as a delimiter.
    “AppName” is the name of the application (e.g. Gx).
    “MsgName” is the name of the message (e.g. CCR).
    “AVPList” has the following syntax: *[<AVPName><Operand><AVPValue> [&&]].
    “AVPName” is the name of the AVP (e.g. Called-Station-Id). “Operand” has two possible values: “=” or “!=”.
    “AVPValue” is the value of the AVP.
    An example of AVPList is: “CC-Request-Type=1 && Called-Station-Id=IMS”
    An example of a filter is: “Gx/CCR/CC-Request-Type=1 && Called-Station-Id=IMS”
  Type: Int
  Notes/Examples:
    Key: ADMISSION.Level1.DiameterRule1.Filter
    Value: Gx/CCR/CC-Request-Type=1
    Key: ADMISSION.Level1.DiameterRule2.Filter
    Value: Gx/CCR/CC-Request-Type=1 && Called-Station-Id=ims
    Key: ADMISSION.Level2.DiameterRule1.Filter
    Value: Rx/AAR/Rx-Request-Type=0
    Note: “i” represents the busy level number.

ADMISSION.Level<i>.DiameterRule<j>.Action
  Description: Action to apply to any messages matching the rule’s filter when the system is in this level of busy. The possible values for Action are:
    • DROP
    • Name of a Result-Code or Experimental-Result-Code (e.g. DIAMETER_TOO_BUSY)
    • Custom Result-Code or Experimental-Result-Code entered as vendorid:code (e.g. 10415:5011).
  Notes/Examples:
    Key: ADMISSION.Level1.DiameterRule1.Action
    Value: DIAMETER_TOO_BUSY
    Key: ADMISSION.Level1.DiameterRule2.Action
    Value: DROP
    Key: ADMISSION.Level2.DiameterRule1.Action
    Value: ACCEPT
    Note: “i” represents the busy level number.
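
A parser and matcher for the filter syntax in Table 3-44, as an added example that is not Oracle's implementation: it parses <AppName>[/<MsgName>[/<AVPList>]], enforces the rule numbering j = 1, 2, 3, ..., and lists every rule at a busy level whose filter matches a message. It assumes exact, case-sensitive comparison of AVP values and that an absent AVP satisfies only "!="; the message dictionary layout and all function names are constructed for illustration, while the keys and values in CONFIG are the table's own examples.

```python
import re
from typing import NamedTuple, Optional


class Condition(NamedTuple):
    avp: str
    negate: bool          # True for "!=", False for "="
    value: str


class Filter(NamedTuple):
    app: str
    msg: Optional[str]    # None when the filter names only the application
    conditions: tuple


_COND = re.compile(r"([A-Za-z0-9-]+)\s*(!=|=)\s*(.+)")
_RULE_KEY = re.compile(r"ADMISSION\.Level(\d+)\.DiameterRule(\d+)\.(Filter|Action)")

# Keys and values as listed in the Notes/Examples entries of Table 3-44.
CONFIG = {
    "ADMISSION.Level1.Action": "DIAMETER_TOO_BUSY",
    "ADMISSION.Level1.DiameterRule1.Filter": "Gx/CCR/CC-Request-Type=1",
    "ADMISSION.Level1.DiameterRule1.Action": "DIAMETER_TOO_BUSY",
    "ADMISSION.Level1.DiameterRule2.Filter": "Gx/CCR/CC-Request-Type=1 && Called-Station-Id=ims",
    "ADMISSION.Level1.DiameterRule2.Action": "DROP",
    "ADMISSION.Level2.DiameterRule1.Filter": "Rx/AAR/Rx-Request-Type=0",
    "ADMISSION.Level2.DiameterRule1.Action": "ACCEPT",
}


def parse_filter(text):
    """Parse <AppName>[/<MsgName>[/<AVPList>]]; raise ValueError if malformed."""
    app, slash1, rest = text.strip().partition("/")
    msg, slash2, avp_list = rest.partition("/")
    if not app.strip() or (slash1 and not msg.strip()) or (slash2 and not avp_list.strip()):
        raise ValueError(f"empty component in filter {text!r}")
    conditions = []
    for part in (avp_list.split("&&") if slash2 else []):
        m = _COND.fullmatch(part.strip())
        if not m:  # also catches a trailing or doubled "&&"
            raise ValueError(f"bad AVP condition {part.strip()!r} in filter {text!r}")
        conditions.append(Condition(m.group(1), m.group(2) == "!=", m.group(3).strip()))
    return Filter(app.strip(), msg.strip() or None, tuple(conditions))


def matches(flt, message):
    """message is {"app": str, "msg": str, "avps": {name: value}} (constructed layout)."""
    if flt.app != message["app"]:
        return False
    if flt.msg is not None and flt.msg != message["msg"]:
        return False
    for cond in flt.conditions:
        equal = message["avps"].get(cond.avp) == cond.value  # assumption: exact match
        if equal == cond.negate:
            return False
    return True


def load_rules(config, level):
    """Return [(j, Filter, action)] for one busy level, checking numbering and pairing."""
    rules = {}
    for key, value in config.items():
        m = _RULE_KEY.fullmatch(key)
        if m and int(m.group(1)) == level:
            rules.setdefault(int(m.group(2)), {})[m.group(3)] = value
    if sorted(rules) != list(range(1, len(rules) + 1)):
        raise ValueError(f"Level{level}: rule numbers {sorted(rules)} must run 1..n without gaps")
    loaded = []
    for j in sorted(rules):
        if set(rules[j]) != {"Filter", "Action"}:
            raise ValueError(f"Level{level}.DiameterRule{j}: needs both Filter and Action")
        loaded.append((j, parse_filter(rules[j]["Filter"]), rules[j]["Action"]))
    return loaded


def actions_for(config, level, message):
    """All (rule number, action) whose filter matches; else the level default as (None, action)."""
    hits = [(j, action) for j, flt, action in load_rules(config, level) if matches(flt, message)]
    return hits or [(None, config.get(f"ADMISSION.Level{level}.Action"))]
```

With the table's own values, an initial Gx CCR carrying Called-Station-Id=ims matches both Level1 rules, so which action applies depends on the product's evaluation order, which this page does not state.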

3.11 Audit Service Configuration

This section describes the customizations that you should make in the custom-value.yaml file to customize Audit service configurations.

Table 3-45 Configurable Parameters for Audit Service Configuration

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| sm-service.auditSmSessionTtl | SM Policy Association normal age | No | 86400 | CNC Policy & PCF | Added in Release 1.6.x | Specifies age of a SM policy association after which a record is considered to be stale on PCF and the SMF is queried for presence of such associations. Applicable only when SM service is enabled. |
| sm-service.auditSmSessionMaxTtl | SM Policy Association maximum age | No | 172800 | CNC Policy & PCF | Added in Release 1.6.x | Specifies maximum age of a SM Policy Association after which a record is purged from PCF SM database without sending further queries to SMF. Applicable only when SM service is enabled. |

Here is a sample configuration in custom-values.yaml file:

sm-service:
  auditSmSessionTtl: 86400
  auditSmSessionMaxTtl: 172800

3.12 Diameter Gateway and Diameter Connector Configuration

This section describes the customizations that you should make in the occnp_custom_values_23.4.9.yaml file to customize Diameter configurations.

Table 3-46 Configurable Parameters for Diameter Gateway/Connector Configuration

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| diam-connector.envDiameterRealm | Diameter Realm of PCF | Yes | Not applicable | CNC Policy & PCF | Added in Release 1.6.x | example: oracle.com. Applicable only when diameter connector is enabled. |
| diam-connector.envDiameterIdentity | Diameter Host of PCF | Yes | Not applicable | CNC Policy & PCF | Added in Release 1.6.x | example: ocpcf. Applicable only when diameter connector is enabled. |
| diam-connector.envMysqlDatabaseConfigServer | Specifies the name of the database for Config server service. | Yes | occnp_config_server | CNC Policy, PCF, & PCRF | Added in Release 1.15.0 | |
| diam-gateway.envMysqlDatabaseConfigServer | Specifies the name of the database for Config server service. | Yes | occnp_config_server | CNC Policy, PCF, & PCRF | Added in 1.14.0 | |
| diam-gateway.envDiameterRealm | Diameter Realm of PCF diameter gateway | Yes | Not applicable | CNC Policy, PCF, & PCRF | Added in Release 1.7.1 | example: oracle.com. Applicable only when diameter gateway is enabled. |
| diam-gateway.envDiameterIdentity | Diameter Host of PCF diameter gateway | Yes | Not applicable | CNC Policy, PCF, & PCRF | Added in Release 1.7.1 | example: oc-diam-gateway. Applicable only when diameter gateway is enabled. |
| diam-gateway.envDiameterHostIp | Contains all the k8s cluster worker node names and corresponding IP addresses in the following format: NodeName1=<ip1>,NodeName2=<ip2>. If LoadBalancer is being used, provide the LoadBalancer IP. | Optional | | CNC Policy, PCF, & PCRF | Added in Release 1.12.0 | |
| diam-gateway.envDbConnStatusHttpEnabled | To monitor the database service connectivity status, set the value for this parameter to true. | Optional | false | CNC Policy, PCF, & PCRF | Added in Release 1.14.0 | |
| diam-gateway.envSupportedIpAddressType | This parameter specifies the IP address type to be configured as diameter peer nodes. When the value is specified as IPv4, hosts with IPv4 address type are configured as diameter peer nodes and hosts with IPv6 address type are ignored. When the value is specified as IPv6, hosts with IPv6 address type are configured as diameter peer nodes and hosts with IPv4 address type are ignored. To configure hosts with both IPv4 and IPv6 address types, set the value for this parameter as Both. | Mandatory | IPv4 | CNC Policy, PCF, & PCRF | Added in Release 1.14.1 | The values are not case-sensitive. Supported values are: IPV4, IPV6 |
| diam-connector.envSyEnableSubsIdOnSTR | Determines whether to include Subscription-Id information in Subscription-Id AVPs when sending a STR Message. | Mandatory | false | CNC Policy, PCF, & PCRF | Added in Release 23.2.0 | |
| diam-gateway.envDiameterValidationStrictParsing | This parameter enables or disables the strict parsing. | Optional | false | CNC Policy, PCF, & PCRF | Added in Release 23.2.0 | NA |

Here is a sample configuration in occnp_custom_values_23.4.9.yaml file:
diam-connector:
  envDiameterRealm: 'oracle.com'
  envDiameterIdentity: 'ocpcf'
  envMysqlDatabaseConfigServer: *configServerDB
  envSyEnableSubsIdOnSTR: false

diam-gateway:
  envMysqlDatabaseConfigServer: *configServerDB
  envDiameterRealm: 'oracle.com'
  envDiameterIdentity: 'oc-diam-gateway'
  #This should contain all the k8s cluster worker node name and ip corresponding to it in a format i.e. NodeName1=<ip1>,NodeName2=<ip2>
  #If LoadBalancer is being used then give all ip as LoadBalancer's ip
  envDiameterHostIp: ''
  envDbConnStatusHttpEnabled: false
  envSupportedIpAddressType: 'IPv4'

  staticIpAddress: ''
  staticDiamNodePort: *svcDiamGatewayDiamNodePort

  deployment:
    customExtension:
      annotations: {
          # Enable this section for service-mesh based installation
  #          traffic.sidecar.istio.io/excludeOutboundPorts: "9000,5801",
  #          traffic.sidecar.istio.io/excludeInboundPorts: "9000,5801"
      }

The lbService provides the annotations and labels for service diameter gateway and the nonlbService provides annotations and labels for headless diameter gateway.

3.13 BSF Configuration

This section describes the customizations that you should make in the occnp_custom_values_23.4.9.yaml file to customize default BSF configurations.

Table 3-47 Configurable Parameters for BSF Configuration

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| sm-service.defaultBsfApiRoot | Api root of pre-configured BSF | No | Not applicable | CNC Policy & PCF | Added in Release 1.5.x | Applicable only when SM service is enabled. Required, if PCF uses pre-configured BSF. For Example: "https://bsf.apigateway:8001/" |
| binding.bsfEnabled | Enable/Disable the binding operation (register and deregister) with the BSF | No | False | CNC Policy & PCF | Added in Release 1.7.1 | Applicable only when Binding service is enabled. |

Here is a sample configuration in occnp_custom_values_23.4.9.yaml file:
sm-service:
  defaultBsfApiRoot: 'https://bsf.apigateway:8001'
binding:
    bsfEnabled: false

3.14 Kubernetes Service Account Configuration

This section describes the customizations that you should make in the occnp_custom_values_23.4.9.yaml file to customize Kubernetes service account configurations.

Table 3-48 Configurable Parameters for Kubernetes Service Account Configuration

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| ldap-gateway.serviceAccountName | K8s Service Account to access (RBAC) the K8s API server to retrieve status of PCF services and pods. The account should have read access ("get", "watch", "list") to pods, services and nodes. | Conditional | Not applicable | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.1 | |

Here is a sample configuration in occnp_custom_values_23.4.9.yaml file:
ldap-gateway:
  serviceAccountName: ''

3.15 API Root Configuration for Resource URI and Notification URI

This section describes the configuration parameters that can be used for API Root configuration.

To configure these parameters, you should configure the following configurable parameters in the occnp_custom_values_23.4.9.yaml file:

Table 3-49 Configurable Parameters for Api Root Configuration for Notification URI

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| global.pcfApiRoot | API root of PCF that is used in: • Notification URI generated by PCF when sending request to other producer NFs (like NRF, UDR, CHF, etc.) • Resource URI generated by PCF, on successful creation of policy association for requests from SMF, AMF, and UE. | No | Ingress gateway service name and port | CNC Policy & PCF | Added in Release 1.5.x | If not configured then the ingress gateway service name and port will be used as default value. Example: "https://<Helm namespace>-pcf-ingress-gateway:443" pcfApiRoot: '' |
| global.deploymentNrfClientService.nfApiRoot | API root of PCF | Mandatory | Not Applicable | CNC Policy & PCF | Added in Release 1.6.x | Applicable only when NRF Client services are enabled. Value of this parameter should be same as the value of "global.pcfApiRoot" parameter. However, if the user has not configured pcfApiRoot, it is required to provide the values for Ingress Gateway service name and port manually. Example: https://<Helm namespace>-pcf-ingress-gateway:80 |

3.16 Basic Configurations in Ingress Gateway

This section describes the configuration parameters that are required for basic configurations in Ingress Gateway.

Note:

Following configurations are applicable only when ingress-gateway is enabled.

Table 3-50 Configurable Parameters for Basic Configurations in Ingress Gateway

| Parameter | Description | Mandatory Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
| --- | --- | --- | --- | --- | --- |
| global.metalLbIpAllocationEnabled | Enable or disable IP Address allocation from Metallb Pool | No | false | CNC Policy, PCF, & cnPCRF | Added in Release 1.5.x |
| global.metalLbIpAllocationAnnotation | Address Pool Annotation for Metallb | No | "metallb.universe.tf/address-pool: signaling" | CNC Policy, PCF, & cnPCRF | Added in Release 1.5.x |
| ingress-gateway.enableIncomingHttp | Enable it to accept incoming http requests | No | False | CNC Policy, PCF, & cnPCRF | Added in Release 1.5.x |
| ingress-gateway.ingressServer.keepAlive.enabled | | No | false | | Added in Release 1.7.3 |
| ingress-gateway.ingressServer.keepAlive.idealTime | | No | 180 (in seconds) | | Added in Release 1.7.3 |
| ingress-gateway.ingressServer.keepAlive.count | | No | 9 | | Added in Release 1.7.3 |
| ingress-gateway.ingressServer.keepAlive.interval | | No | 60 (in seconds) | | Added in Release 1.7.3 |
| ingress-gateway.isIpv6Enabled | Set the value to true for this parameter when NF is deployed in IPv6 cluster. | No | false | | Added in Release 1.14.0 |
| global.staticIpAddressEnabled | Set the value to true to enable it. | No | false | Converged Policy and PCF | Added in Release 23.2.0 |
| global.staticIpAddress | Set static load balancer IP, else a random IP will be assigned by the External LoadBalancer from its IP Pool. | No | NA | Converged Policy and PCF | Added in Release 23.2.0 |
| ingress-gateway.applicationThreadPoolConfig.corePoolSize | It is preferred to use fixed size thread pool as this ensures all threads are created during startup as thread creation during runtime is expensive and can have impact on performance. This parameter indicates the minimum number of workers to keep alive without timing out. For details on the recommended application thread pool configuration, see Table 3-51. | No | 8 | | Added in Release 23.3.0 |
| ingress-gateway.applicationThreadPoolConfig.maxPoolSize | This defines the maximum number of threads that can ever be created. To create fixed size thread pool, corePoolSize and maxPoolSize should be same. For details on the recommended application thread pool configuration, see Table 3-51. | No | 8 | | Added in Release 23.3.0 |
| ingress-gateway.applicationThreadPoolConfig.queueCapacity | This indicates the number of tasks in the queue when all core pools are filled. Threads will be scalable to maximum pool size when queue is full. For details on the recommended application thread pool configuration, see Table 3-51. | No | 1000 | | Added in Release 23.3.0 |

Here is a sample configuration for configurable parameters in occnp_custom_values_23.4.9.yaml file:

ingress-gateway:

  # Enable or disable IP Address allocation from Metallb Pool
  metalLbIpAllocationEnabled: false

  # Address Pool Annotation for Metallb
  metalLbIpAllocationAnnotation: "metallb.universe.tf/address-pool: signaling"
  # -----Ingress Gateway Settings - END-----
ingress-gateway:
#keep alive settings
  ingressServer:
    keepAlive:
      enabled: false
      idealTime: 180  #in seconds
      count: 9
      interval: 60 #in seconds
#Enabled when deployed in Ipv6 cluster
  isIpv6Enabled: false
ingress-gateway:
  applicationThreadPoolConfig:
    corePoolSize: 8
    maxPoolSize: 8
    queueCapacity: 1000

Table 3-51 Recommended Application Threadpool Configuration

| Traffic towards 1 Pod (TPS) | corePoolSize | maxPoolSize | queueCapacity |
| --- | --- | --- | --- |
| 500 | 8 | 8 | 1000 |
| 1000 | 8 | 8 | 1800 |
| 1500 | 16 | 16 | 2500 |
| 2000 | 16 | 16 | 3300 |

3.17 Basic Configurations in Egress Gateway

This section describes the configuration parameters that are required for basic configurations in Egress Gateway.

Note:

Following configurations are applicable only when Egress-gateway is enabled.

Table 3-52 Configurable Parameters for Basic Configurations in Egress Gateway

| Parameter | Description | Mandatory/Optional | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release |
| --- | --- | --- | --- | --- | --- |
| egress-gateway.enableForwardedHeader | Enabling this parameter, egress-gateway will add Forwarded and x-Forwarded headers | Optional | false | CNC Policy & PCF | Added in Release 1.8.3 |
| egress-gateway.isIpv6Enabled | Set the value to true for this parameter when NF is deployed in IPv6 cluster. | Optional | false | CNC Policy & PCF | Added in Release 1.14.0 |
| egress-gateway.http1.enableOutgoingHTTP1 | Set the value for this parameter to true to enable Egress HTTP1.1 requests. | Optional | false | CNC Policy & PCF | Added in Release 22.2.0 |
| egress-gateway.userAgentHeaderConfigMode | This parameter is used to govern the user-agent configurations from Helm or REST. | Optional | HELM | CNC Policy & PCF | |
| egress-gateway.userAgentHeader.enabled | Specifies whether the feature is enabled or disabled. | Optional | false | CNC Policy & PCF | |
| egress-gateway.userAgentHeader.nfType | This parameter holds the nfType that will be used to generate the user agent header. | Optional | PCF | CNC Policy & PCF | |
| egress-gateway.userAgentHeader.nfInstanceId | This parameter represents the UUID of the CNPCF deployment that will be used to generate the user agent header. | Optional | empty string | CNC Policy & PCF | |
| egress-gateway.userAgentHeader.addFqdnToHeader | This parameter specifies if the user agent will use the FQDN information under the module to append it when generating the user agent header. The default value is set to 'false', meaning that the FQDN information will not be encoded into the user agent header during its generation. | Optional | false | CNC Policy & PCF | |
| egress-gateway.userAgentHeader.nfFqdn | This is an optional parameter. If operators want to include the FQDN string configured under this section, then the parameter userAgentHeader.addFqdnToHeader needs to be enabled. | Optional | empty string | CNC Policy & PCF | |
| egress-gateway.userAgentHeader.overwriteHeader | This parameter is used to govern if we want to include the User-Agent header generated at CNPCF Egress Gateway or forward the User-Agent received from service request. By default it will be set to true as CNPCF always generates its own service requests. | Optional | true | CNC Policy & PCF | |
| egress-gateway.sniHeader.enabled | Enabling this parameter, egress-gateway will add SNI flag in client hello message of outbound traffic. Note: SNI enabling depends on the initssl parameter from egress-gateway helm charts (default value initssl=true [TLS enable]; initssl=false [TLS disable]). | Optional | false | CNC Policy & PCF | 23.2.0 |

Here is a sample configuration for configurable parameters in occnp_custom_values_23.4.9.yaml file:

egress-gateway:
  # enabling this egress-gateway will add Forwarded and x-Forwarded headers
  enableForwardedHeader: false
  http1:
    enableOutgoingHTTP1: false
  #Enabled when deployed in Ipv6 cluster
  isIpv6Enabled: false

Here is a sample configuration for User-Agent Header in occnp_custom_values_23.4.9.yaml file:

userAgentHeaderConfigMode: HELM
userAgentHeader:
  enabled: false # flag to enable or disable the feature
  nfType: "PCF" # NF type of consumer NF
  nfInstanceId: "" # NF instance ID (UUID) of consumer NF
  addFqdnToHeader: true # Flag to add fqdn. If enabled then user-agent header will be generated along with the fqdn configured otherwise fqdn will not be added
  nfFqdn: "" #fqdn of NF. This is not the fqdn of gateway
  overwriteHeader: true

3.18 Service and Container Port Configuration

This section describes the customizations that you can make in the occnp_custom_values_23.4.9.yaml file to configure service and container ports.

Note:

For upgrade scenario, changing port will cause temporary service disruption.
To override the default port numbers, used by service and container ports, and customize them as per your requirements, you can configure the following configurable parameters in custom-values.yaml file:

Table 3-53 Customizable Parameters for Service Ports Configuration

| Parameter | Description | Mandatory/Optional Parameter | Default Value | Applicable to Deployment | Added/Deprecated/Updated in Release | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| global.servicePorts.pcfAmServiceHttp | HTTP signaling port for AM service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.pcfAmServiceHttps | HTTP signaling port for AM service. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.bulwarkServiceHttp | HTTP signaling port for Bulwark service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.15.0 | |
| global.servicePorts.appInfoHttp | HTTP signaling port for app info. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcAppInfoHttp |
| global.servicePorts.auditServiceHttp | HTTP signaling port for audit service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.bindingHttp | HTTP signaling port for binding service. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.bindingHttps | HTTPS signaling port for binding service. | Optional | 9443 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.cmServiceHttp | HTTP signaling port for CM service. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.configServerHttp | HTTP signaling port for config server. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | Same value as svcConfigServerHttp |
| global.servicePorts.diamConnectorHttp | HTTP signaling port for Diameter connector. | Optional | 8000 | CNC Policy & PCF | Updated in Release 1.8.1 | The name for this parameter has been updated from pcfDiamConnectorHttp to diamConnectorHttp. |
| global.servicePorts.diamConnectorDiameter | Port for Diameter connector. | Optional | 3868 | CNC Policy & PCF | Updated in Release 1.8.1 | The name for this parameter has been updated from pcfDiamConnectorDiameter to diamConnectorDiameter. |
| global.servicePorts.ldapGatewayHttp | HTTP signaling port for LDAP Gateway. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.ldapGatewayHttps | HTTPS signaling port for LDAP Gateway. | Optional | 9443 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.diamGatewayHttp | HTTP signaling port for Diameter gateway. | Optional | 8000 | CNC Policy & PCF | Updated in Release 1.8.1 | The name for this parameter has been updated from pcfDiamGatewayHttp to diamGatewayHttp. |
| global.servicePorts.diamGatewayDiameter | Port for Diameter gateway. | Optional | 3868 | CNC Policy & PCF | Updated in Release 1.8.1 | The name for this parameter has been updated from pcfDiamGatewayDiameter to diamGatewayDiameter. |
| global.servicePorts.pcrfCoreDiameter | Port for PCRF Core Diameter. | Optional | 3868 | CNC Policy & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.pcrfCoreHttp | HTTP signaling port for PCRF core service. | Optional | 8000 | CNC Policy & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.pcrfDiamGatewayHttp | HTTP signaling port for PCRF Diameter Gateway. | Optional | 8080 | CNC Policy & cnPCRF | Deprecated in Release 1.8.1 | |
| global.servicePorts.pcrfDiamGatewayDiameter | Port for PCRF Diameter connector. | Optional | 3868 | CNC Policy & cnPCRF | Deprecated in Release 1.8.1 | |
| global.servicePorts.perfInfoHttp | HTTP signaling port for perf info. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcPerfInfoHttp |
| global.servicePorts.policydsHttp | HTTP signaling port for policyds. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.preServiceHttp | HTTP signaling port for pre service. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.preTestHttp | HTTP signaling port for pre test. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.queryServiceHttp | HTTP signaling port for queryservice. | Optional | 8000 | CNC Policy, PCF, & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.pcfSmServiceHttp | HTTP signaling port for SM service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.pcfSmServiceHttps | HTTPS signaling port for SM service. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.soapConnectorHttp | HTTP signaling port for Soap connector. | Optional | 8000 | CNC Policy & cnPCRF | Added in Release 1.7.3 | |
| global.servicePorts.pcfUeServiceHttp | HTTP signaling port for UE service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.pcfUeServiceHttps | HTTPS signaling port for UE service. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.udrConnectorHttp | HTTP signaling port for UDR Connector. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.udrConnectorHttps | HTTPS signaling port for UDR Connector. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.chfConnectorHttp | HTTP signaling port for CHF Connector. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.chfConnectorHttps | HTTPS signaling port for CHF Connector. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | |
| global.servicePorts.ingressGatewayHttp | HTTP signaling port for Ingress Gateway. | Optional | 8000 | CNC Policy & PCF | Added in Release 22.1.0 | |
| global.servicePorts.egressGatewayHttp | HTTP signaling port for Egress Gateway. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcEgressGatewayHttp |
| global.servicePorts.nrfClientNfDiscoveryHttp | HTTP signaling port for NRF client discovery service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcNrfClientNfDiscoveryHttp |
| global.servicePorts.nrfClientNfManagementHttp | HTTP signaling port for NRF client management service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcNrfClientNfManagementHttp |
| global.servicePorts.nrfClientNfDiscoveryHttps | HTTPS signaling port for NRF client discovery service. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcNrfClientNfDiscoveryHttps |
| global.servicePorts.nrfClientNfManagementHttps | HTTPS signaling port for NRF client management service. | Optional | 9443 | CNC Policy & PCF | Added in Release 1.7.3 | Same value as svcNrfClientNfManagementHttps |
| global.servicePorts.alternateRouteServiceHttp | HTTP signaling port for alternate route service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.8.0 | Same value as svcAlternateRouteServiceHttp |
| global.servicePorts.alternateRouteServiceHazelcast | HTTP signaling port for alternate route Hazelcast service. | Optional | 8000 | CNC Policy & PCF | Added in Release 1.8.0 | Same value as svcAlternateRouteServiceHazelcast |
| global.servicePorts.notifierServiceHttp | HTTP signaling port for Notifier service. | Optional | 8000 | CNC Policy & PCF | Added in Release 22.2.0 | |
| global.servicePorts.usageMonServiceHttp | HTTP signaling port for Usage Monitoring service. | Optional | 8000 | CNC Policy & PCF | Added in Release 22.2.0 | |
| global.servicePorts.usageMonServiceHttps | HTTPS signaling port for Usage Monitoring service. | Optional | 8443 | CNC Policy & PCF | Added in Release 22.2.0 | |

Here is a sample of service ports configurable parameters in occnp_custom_values_23.4.9.yaml file:
servicePorts:
    pcfAmServiceHttp: 8000
    pcfAmServiceHttps: 9443
    bulwarkServiceHttp: 8000
    appInfoHttp: &svcAppInfoHttp 8000
    auditServiceHttp: 8000
    bindingHttp: 8000
    bindingHttps: 9443
    cmServiceHttp: &svcCmServiceHttp 8000
    configServerHttp: &svcConfigServerHttp 8000
    diamConnectorHttp: 8000
    diamConnectorDiameter: 3868
    ldapGatewayHttp: 8000
    ldapGatewayHttps: 9443
    diamGatewayHttp: &svcDiamGatewayHttp 8000
    diamGatewayDiameter: 3868
    pcrfCoreDiameter: 3868
    pcrfCoreHttp: 8000
    perfInfoHttp: &svcPerfInfoHttp 8000
    policydsHttp: 8000
    preServiceHttp: 8000
    preTestHttp: 8000
    queryServiceHttp: 8000
    pcfSmServiceHttp: 8000
    pcfSmServiceHttps: 9443
    soapConnectorHttp: 8000
    pcfUeServiceHttp: 8000
    pcfUeServiceHttps: 9443
    udrConnectorHttp: 8000
    udrConnectorHttps: 9443
    chfConnectorHttp: 8000
    chfConnectorHttps: 9443
    ingressGatewayHttp: &svcIngressGatewayHttp 80
    egressGatewayHttp: &svcEgressGatewayHttp 8000
    nrfClientNfDiscoveryHttp: &svcNrfClientNfDiscoveryHttp 8000
    nrfClientNfManagementHttp: &svcNrfClientNfManagementHttp 8000
    nrfClientNfDiscoveryHttps: &svcNrfClientNfDiscoveryHttps 9443
    nrfClientNfManagementHttps: &svcNrfClientNfManagementHttps 9443
    alternateRouteServiceHttp: &svcAlternateRouteServiceHttp 8000
    alternateRouteServiceHazelcast: &svcAlternateRouteServiceHazelcast 8000
    notifierServiceHttp: 8000
    usageMonServiceHttp: 8000
    usageMonServiceHttps: 8443

Table 3-54 Customizable Parameters for Container Ports Configuration

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
global.containerPorts.monitoringHttp HTTP signaling port for monitoring. Optional 9000 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 Same value as containerMonitoringHttp
global.containerPorts.pcfAmServiceHttp HTTP signaling port for AM service. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.pcfAmServiceHttps HTTPS signaling port for AM service. Optional 9443 CNC Policy & PCF Added in Release 1.7.3  
global.containerPorts.bulwarkServiceHttp HTTP signaling port for Bulwark service. Optional 8080 CNC Policy & PCF Added in Release 1.15.0  
global.containerPorts.appInfoHttp HTTP signaling port for app info. Optional 5906 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.auditServiceHttp HTTP signaling port for Auditservice. Optional 8081 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.bindingHttp HTTP signaling port for binding service. Optional 8080 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.bindingHttps HTTPS signaling port for binding service. Optional 8443 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.cmServiceHttp HTTP signaling port for CMservice. Optional 5807 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.configServerHttp HTTP signaling port for config server. Optional 8001 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.diamConnectorHttp HTTP signaling port for Diameter Connector. Optional 8080 CNCPolicy & PCF Updated in Release 1.8.1 The name for this parameter has been updated from pcfDiamConnectorHttp to diamConnectorHttp.
global.containerPorts.diamConnectorDiameter Diameter signaling port for Diam Connector. Optional 3868 CNCPolicy & PCF Updated in Release 1.8.1 The name for this parameter has been updated from pcfDiamConnectorDiameter to diamConnectorDiameter.
global.containerPorts.ldapGatewayHttp HTTP signaling port for LDAP Gateway. Optional 8084 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.diamGatewayHttp HTTP signaling port for Diameter Gateway. Optional 8080 CNCPolicy & PCF Updated in Release 1.8.1 This parameter name has been updated from pcfDiamGatewayHttp to diamGatewayHttp.
global.containerPorts.diamGatewayDiameter Diameter signaling port for Diam Gateway. Optional 3868 CNCPolicy & PCF Updated in Release 1.8.1 This parameter name has been updated from pcfDiamGatewayDiameter to diamGatewayDiameter.
global.containerPorts.pcrfCoreDiameter Diameter signaling port for PCRF core. Optional 3868 CNCPolicy & cnPCRF Added in Release 1.7.3  
global.containerPorts.pcrfCoreHttp HTTP signaling port for PCRF Core service. Optional 9080 CNCPolicy & cnPCRF Added in Release 1.7.3  
global.containerPorts.pcrfDiamGatewayHttp HTTP signaling port for PCRF Diameter Gateway. Optional 8080 CNCPolicy & cnPCRF Deprecated in Release 1.8.1  
global.containerPorts.pcrfDiamGatewayDiameter PCRF diameter gateway. Optional 3868 CNCPolicy & cnPCRF Deprecated in Release 1.8.1  
global.containerPorts.perfInfoHttp HTTP signaling port for perf-info. Optional 5905 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.policydsHttp HTTP signaling port for policyds. Optional 8080 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.preServiceHttp HTTP signaling port for pre service. Optional 5806 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.preTestHttp HTTP signaling port for pre test. Optional 5806 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.queryServiceHttp HTTP signaling port for queryservice. Optional 8081 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3  
global.containerPorts.pcfSmServiceHttp HTTP signaling port for SM service. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.pcfSmServiceHttps HTTPS signaling port for SM service. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.soapConnectorHttp HTTP signaling port for soap connector. Optional 8082 CNCPolicy & cnPCRF Added in Release 1.7.3  
global.containerPorts.pcfUeServiceHttp HTTP signaling port for UE service. Optional 8082 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.pcfUeServiceHttps HTTPS signaling port for UE service. Optional 8081 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.pcfUserServiceHttp HTTP signaling port for User service. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.pcfUserServiceHttps HTTPS signaling port for User service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.udrConnectorHttp HTTP signaling port for UDR Connector. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.udrConnectorHttps HTTPS signaling port for UDR Connector. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.chfConnectorHttp HTTP signaling port for CHF connector. Optional 8080 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.chfConnectorHttps HTTPS signaling port for CHF connector. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3  
global.containerPorts.nrfClientNfDiscoveryHttp HTTP signaling port for NRF client discovery. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfDiscoveryHttp
global.containerPorts.nrfClientNfManagementHttp HTTP signaling port for NRF client management. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfManagementHttp
global.containerPorts.nrfClientNfDiscoveryHttps HTTPS signaling port for NRF client discovery. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfDiscoveryHttps
global.containerPorts.nrfClientNfManagementHttps HTTPS signaling port for NRF client management. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfManagementHttps
global.containerPorts.ingressGatewayHttp HTTP signaling port for Ingress Gateway. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerIngressGatewayHttp
global.containerPorts.ingressGatewayHttps HTTPS signaling port for Ingress Gateway. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerIngressGatewayHttps
global.containerPorts.alternateRouteServiceHttp HTTP signaling port for alternate route service. Optional 8004 CNC Policy & PCF Added in Release 1.8.0 Same value as containerAlternateRouteServiceHttp. This port must not be the same as alternateRouteServiceHazelcast, which is 8000 in this sample custom values file.
global.containerPorts.notifierServiceHttp HTTP signaling port for Notifier service. Optional 8080 CNC Policy & PCF Added in Release 22.2.0  
global.containerPorts.usageMonServiceHttp HTTP signaling port for Usage Monitoring service. Optional 8000 CNC Policy & PCF Added in Release 22.2.0  
global.containerPorts.usageMonServiceHttps HTTPS signaling port for Usage Monitoring service. Optional 8443 CNC Policy & PCF Added in Release 22.2.0  
Here is a sample of container ports configurable parameters in occnp_custom_values_23.4.9.yaml file:
containerPorts:
    monitoringHttp: &containerMonitoringHttp 9000
    pcfAmServiceHttp: 8000
    pcfAmServiceHttps: 9443
    bulwarkServiceHttp: 8080
    appInfoHttp: 8000
    auditServiceHttp: 8000
    bindingHttp: 8000
    bindingHttps: 9443
    cmServiceHttp: 8000
    configServerHttp: 8000
    diamConnectorHttp: 8000
    diamConnectorDiameter: 3868
    ldapGatewayHttp: 8000
    diamGatewayHttp: 8000
    diamGatewayDiameter: 3868
    pcrfCoreDiameter: 3868
    pcrfCoreHttp: 8000
    perfInfoHttp: 8000
    policydsHttp: 8000
    preServiceHttp: 8000
    preTestHttp: 8000
    queryServiceHttp: 8000
    pcfSmServiceHttp: 8000
    pcfSmServiceHttps: 9443
    soapConnectorHttp: 8000
    pcfUeServiceHttp: 8000
    pcfUeServiceHttps: 9443
    udrConnectorHttp: 8000
    udrConnectorHttps: 9443
    chfConnectorHttp: 8000
    chfConnectorHttps: 9443
    nrfClientNfDiscoveryHttp: &containerNrfClientNfDiscoveryHttp 8000
    nrfClientNfManagementHttp: &containerNrfClientNfManagementHttp 8000
    nrfClientNfDiscoveryHttps: &containerNrfClientNfDiscoveryHttps 9443
    nrfClientNfManagementHttps: &containerNrfClientNfManagementHttps 9443
    ingressGatewayHttp: &containerIngressGatewayHttp 8000
    ingressGatewayHttps: &containerIngressGatewayHttps 9443
    alternateRouteServiceHttp: &containerAlternateRouteServiceHttp 8004
    notifierServiceHttp: 8080
    usageMonServiceHttp: 8000
    usageMonServiceHttps: 8443

Table 3-55 Customizable Parameters for Ports Configuration in Ingress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes

global.publicHttpSignalingPort HTTP/2.0 Port of ingress gateway Optional 80 CNC Policy, PCF, &cnPCRF Added in Release 1.5.x If httpsEnabled is set to false, this Port would be HTTP/2.0 Port (unsecured).
global.publicHttpsSignallingPort HTTPS/2.0 Port of ingress gateway Optional 443 CNC Policy, PCF, &cnPCRF Deprecated in Release 1.14.0 Set this parameter to 0 if HTTPS is disabled.
global.publicHttpsSignalingPort HTTPS/2.0 Port of ingress gateway Optional 443 CNC Policy, PCF, &cnPCRF Added in Release 1.14.0 If httpsEnabled is set to true, this Port would be HTTPS/2.0 port (secured SSL).
global.configServerPort HTTP signaling port for config server. Optional 5807 CNC Policy, PCF, &cnPCRF Added in Release 1.7.3 Same value as svcConfigServerHttp
ingress-gateway.ports.actuatorPort Actuator Port Optional *containerMonitoringHttp CNCPolicy , PCF, &cnPCRF Added in Release 1.8.0 Same value as containerMonitoringHttp
ingress-gateway.ports.containerPort Container Port represents a network port in a single container Optional *containerIngressGatewayHttp CNCPolicy , PCF, &cnPCRF Added in Release 1.8.0 Same value as containerIngressGatewayHttp
ingress-gateway.ports.containersslPort Container Port represents a network ssl port in a single container Optional *containerIngressGatewayHttps CNCPolicy , PCF, &cnPCRF Added in Release 1.8.0 Same value as containerIngressGatewayHttps
Here is a sample of configurable parameters for ingress-gateway's ports in occnp_custom_values_23.4.9.yaml file:

# -----Ingress Gateway Settings - BEGIN-----
  # If httpsEnabled is false, this Port would be HTTP/2.0 Port (unsecured)
  publicHttpSignalingPort: 80
  # If httpsEnabled is true, this Port would be HTTPS/2.0 Port (secured SSL)
  publicHttpsSignallingPort: 443
  configServerPort: *svcConfigServerHttp

ingress-gateway:
  ports:
    actuatorPort: *containerMonitoringHttp
    containerPort: *containerIngressGatewayHttp
    containersslPort: *containerIngressGatewayHttps

Table 3-56 Customizable Parameters for Ports Configuration in Egress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
egress-gateway.serviceEgressGateway.actuatorPort Actuator Port Optional *containerMonitoringHttp CNCPolicy & PCF Added in Release 1.8.0 Same value as containerMonitoringHttp
egress-gateway.serviceEgressGateway.Port Service EgressGateway port Optional *svcEgressGatewayHttp CNCPolicy , PCF, &cnPCRF Added in Release 1.8.0 Same value as svcEgressGatewayHttp
Here is a sample of configurable parameters for egress-gateway's ports in occnp_custom_values_23.4.9.yaml file:

egress-gateway:
  serviceEgressGateway:
    actuatorPort: *containerMonitoringHttp
    port: *svcEgressGatewayHttp

Table 3-57 Customizable Parameters for Ports Configuration in nrf-client-nfdiscovery

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes

global.nrf-client-nfdiscovery.envPlatformServicePort HTTP signaling port for app info. Optional 5906 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcAppInfoHttp
global.nrf-client-nfdiscovery.envPerformanceServicePort HTTP signaling port for perf info. Optional 5905 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcPerfInfoHttp
global.nrf-client-nfdiscovery.envCfgServerPort HTTP signaling port for config server. No 5807 CNC Policy, PCF, &cnPCRF Added in Release 1.7.3 Same value as svcConfigServerHttp
global.nrf-client-nfdiscovery.containerHttpPort HTTP signaling port for NRF client discovery. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfDiscoveryHttp
global.nrf-client-nfdiscovery.containerHttpsPort HTTPS signaling port for NRF client discovery. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfDiscoveryHttps
global.nrf-client-nfdiscovery.serviceHttpPort HTTP signaling port for NRF client discovery service. Optional 5910 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfDiscoveryHttp
global.nrf-client-nfdiscovery.serviceHttpsPort HTTPS signaling port for NRF client discovery service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfDiscoveryHttps
Here is a sample of configurable parameters for nrf-client-nfdiscovery's ports in occnp_custom_values_23.4.9.yaml file:

nrf-client-nfdiscovery:
    envPlatformServicePort: *svcAppInfoHttp
    envPerformanceServicePort: *svcPerfInfoHttp
    envCfgServerPort: *svcConfigServerHttp
    containerHttpPort: *containerNrfClientNfDiscoveryHttp
    containerHttpsPort: *containerNrfClientNfDiscoveryHttps
    serviceHttpPort: *svcNrfClientNfDiscoveryHttp
    serviceHttpsPort: *svcNrfClientNfDiscoveryHttps

Table 3-58 Customizable Parameters for Ports Configuration in nrf-client-nfmanagement

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes

global.nrf-client-nfmanagement.envPlatformServicePort HTTP signaling port for app info. Optional 5906 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcAppInfoHttp
global.nrf-client-nfmanagement.envPerformanceServicePort HTTP signaling port for perf info. Optional 5905 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcPerfInfoHttp
global.nrf-client-nfmanagement.envCfgServerPort HTTP signaling port for config server. Optional 5807 CNC Policy, PCF, &cnPCRF Added in Release 1.7.3 Same value as svcConfigServerHttp
global.nrf-client-nfmanagement.containerHttpPort HTTP signaling port for NRF client discovery. Optional 8000 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfManagementHttp
global.nrf-client-nfmanagement.containerHttpsPort HTTPS signaling port for NRF client discovery. Optional 9443 CNCPolicy & PCF Added in Release 1.7.3 Same value as containerNrfClientNfManagementHttps
global.nrf-client-nfmanagement.serviceHttpPort HTTP signaling port for NRF client discovery service. Optional 5910 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfManagementHttp
global.nrf-client-nfmanagement.serviceHttpsPort HTTPS signaling port for NRF client discovery service. Optional 8443 CNCPolicy & PCF Added in Release 1.7.3 Same value as svcNrfClientNfManagementHttps
Here is a sample of configurable parameters for nrf-client-nfmanagement's ports in occnp_custom_values_23.4.9.yaml file:

nrf-client-nfmanagement:
    envPlatformServicePort: *svcAppInfoHttp
    envPerformanceServicePort: *svcPerfInfoHttp
    envCfgServerPort: *svcConfigServerHttp
    containerHttpPort: *containerNrfClientNfManagementHttp
    containerHttpsPort: *containerNrfClientNfManagementHttps
    serviceHttpPort: *svcNrfClientNfManagementHttp
    serviceHttpsPort: *svcNrfClientNfManagementHttps

Table 3-59 Customizable Parameters for Ports Configuration in Alternate Route Service

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
alternate-route.ports.servicePort HTTP signaling port for alternate route service. Optional 8000 CNCPolicy & PCF Added in Release 1.8.0 Same value as svcAlternateRouteServiceHttp
alternate-route.ports.containerPort HTTP signaling port for alternate route service. Optional 8004 CNCPolicy & PCF Added in Release 1.8.0 Same value as containerAlternateRouteServiceHttp
alternate-route.ports.actuatorPort HTTP signaling port for monitoring. Optional 9000 CNCPolicy , PCF, &cnPCRF Added in Release 1.7.3 Same value as containerMonitoringHttp
alternate-route.hazelcast.port HTTP signaling port for alternate route's Hazelcast. Optional 8000 CNCPolicy & PCF Added in Release 1.8.0 Same value as svcAlternateRouteServiceHazelcast
Here is a sample of configurable parameters for alternate route service's ports in occnp_custom_values_23.4.9.yaml file:

alternate-route:
  ports:
    servicePort: *svcAlternateRouteServiceHttp
    containerPort: *containerAlternateRouteServiceHttp
    actuatorPort: *containerMonitoringHttp
  hazelcast:
    port: *svcAlternateRouteServiceHazelcast

3.19 Aspen Service Mesh Configurations

This section describes the customizations that you can make in the occnp_custom_values_23.4.9.yaml file to configure Aspen Service Mesh (ASM) in the Oracle Communications Cloud Native Core Policy.

  1. Enable ASM by setting the value for serviceMeshEnabled parameter, under global section, as true.
  2. Configure the values for the parameters described in the following table:

    Table 3-60 Configurable Parameters for Aspen Servicemesh Configuration

    Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
    istioSidecarQuitUrl Specifies quit URL that can be configured for side car. Conditional http://127.0.0.1:15000/quitquitquit CNC Policy & PCF Added in Release 1.10.2 Applicable only when serviceMeshEnabled parameter is set to true.
    istioSidecarReadyUrl Specifies readiness URL that can be configured for side car. Conditional http://127.0.0.1:15000/ready CNC Policy & PCF Added in Release 1.10.2 Applicable only when serviceMeshEnabled parameter is set to true.
  3. In the global section, uncomment the following annotations to include port 9000, a Prometheus scrape port:
    allResources:
      labels: {}
      annotations: {
        # Enable this section for service-mesh based installation
        # traffic.sidecar.istio.io/excludeInboundPorts: "9000",
        # traffic.sidecar.istio.io/excludeOutboundPorts: "9000"
      }
  4. (Optional) If CNC Policy is deployed with OSO, the pods need to have an annotation oracle.com/cnc: true.
    
    customExtension:
        # The `factoryLabelTemplates` and `factoryAnnotationTemplates` can
        # accept templates rather than plain text.
        factoryLabelTemplates: {}
        factoryAnnotationTemplates: {}
    
        allResources:
          labels: {}
          annotations:
              sidecar.istio.io/inject: "false"
    
        lbServices:
          labels: {}
          annotations:
              oracle.com/cnc: "true"
    
        lbDeployments:
          labels: {}
          annotations:
              oracle.com/cnc: "true"
              sidecar.istio.io/inject: "true"       
    
        nonlbServices:
          labels: {}
          annotations:
              oracle.com/cnc: "true"
    
        nonlbDeployments:
          labels: {}
          annotations:
              oracle.com/cnc: "true"
              sidecar.istio.io/inject: "true"
                
  5. Uncomment the following annotations in the deployment sections of the following services:
    • nrf-client-nfdiscovery.nrf-client-nfmanagement
    • ingress-gateway
    • egress-gateway
    • alternate-route
    • bulwark
    deployment:
      customExtension:
        annotations: {
          # Enable this section for service-mesh based installation:
          # traffic.sidecar.istio.io/excludeOutboundPorts: "9000,8095,8096,7,53",
          # traffic.sidecar.istio.io/excludeInboundPorts: "9000,8095,8096,7,53"
        }

    Here, 8095 and 8096 are Coherence ports.

    Note:

    Port 53 is included only if DNS lookup bypasses the sidecar connection management.
  6. Uncomment the following annotations in the deployment sections of diam-gateway service:
    deployment:
      customExtension:
        annotations: {
          # Enable this section for service-mesh based installation:
          # traffic.sidecar.istio.io/excludeOutboundPorts: "9000,5801,7",
          # traffic.sidecar.istio.io/excludeInboundPorts: "9000,5801,7"
        }
  7. Disable init containers: Init containers do not work when the namespace has istio or aspen service mTLS enabled. To disable init containers, set the value for initContainerEnable to false in custom values file.
    global:
      initContainerEnable: false
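
Ports listed in the excludeInboundPorts and excludeOutboundPorts annotations are not intercepted by the sidecar, so traffic on them gets no mesh mTLS or policy. The following check is an added example, not Oracle code: it compares a component's annotations with the port lists in steps 3, 5 and 6. The function names, the finding labels, the splitting of the first bullet of step 5 into two component names, and the treatment of port 53 as optional (per the note above) are assumptions of this example.

```python
"""Audit Istio port-exclusion annotations against the lists in this section.
Added example, not Oracle code."""

# Ports the section documents as excluded from sidecar interception.
_STEP5 = frozenset({9000, 8095, 8096, 7, 53})  # 8095/8096: Coherence, 53: DNS
DOCUMENTED_EXCLUSIONS = {
    "global": frozenset({9000}),                # step 3: Prometheus scrape port
    "nrf-client-nfdiscovery": _STEP5,           # step 5 lists these two names
    "nrf-client-nfmanagement": _STEP5,          # in a single bullet
    "ingress-gateway": _STEP5,
    "egress-gateway": _STEP5,
    "alternate-route": _STEP5,
    "bulwark": _STEP5,
    "diam-gateway": frozenset({9000, 5801, 7}),  # step 6
}
# Port 53 is excluded only when DNS lookup bypasses the sidecar (see the note).
OPTIONAL_PORTS = frozenset({53})
ANNOTATION_KEYS = (
    "traffic.sidecar.istio.io/excludeInboundPorts",
    "traffic.sidecar.istio.io/excludeOutboundPorts",
)


def parse_ports(value):
    """Turn "9000,8095" into {9000, 8095}; raise ValueError on bad entries."""
    ports = set()
    for item in str(value).split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)  # non-numeric entries raise ValueError here
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def audit_exclusions(component, annotations, signaling_ports=frozenset()):
    """Return findings as (annotation_key, kind, detail) tuples.

    kind is one of:
      invalid            the annotation value does not parse as a port list
      unknown-component  the section documents no exclusion list for it
      undocumented       ports excluded beyond the documented list
      signaling-bypass   an excluded port is one of the caller's signaling
                         ports, so that traffic skips the sidecar entirely
      missing            documented (non-optional) ports that are not excluded
    """
    findings = []
    documented = DOCUMENTED_EXCLUSIONS.get(component)
    for key in ANNOTATION_KEYS:
        if key not in annotations:
            continue  # annotation still commented out or not set
        try:
            ports = parse_ports(annotations[key])
        except ValueError as exc:
            findings.append((key, "invalid", str(exc)))
            continue
        if documented is None:
            findings.append((key, "unknown-component", sorted(ports)))
            continue
        extra = ports - documented
        if extra:
            findings.append((key, "undocumented", sorted(extra)))
        bypass = ports & set(signaling_ports)
        if bypass:
            findings.append((key, "signaling-bypass", sorted(bypass)))
        missing = documented - ports - OPTIONAL_PORTS
        if missing:
            findings.append((key, "missing", sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed input: 8000 added to the documented ingress-gateway list.
    sample = {ANNOTATION_KEYS[0]: "9000,8095,8096,7,53,8000"}
    for finding in audit_exclusions("ingress-gateway", sample, {8000, 9443}):
        print(finding)
```

Pass the signaling ports of your own deployment (for example the servicePorts and containerPorts values) as signaling_ports so that an accidental exclusion of a signaling port is reported.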

3.20 OAUTH Configuration

This section describes the customizations that you should make in the occnp_custom_values_23.4.9.yaml file to configure OAUTH in Ingress and Egress Gateway.

Note:

These configurations are applicable when the Ingress Gateway and Egress Gateway are enabled and the NRF Client services are enabled.
To configure OAUTH in ingress-gateway, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-61 Configurable Parameters for OAUTH Configuration in Ingress Gateway

Parameter Description Mandatory/Optional /Conditional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
ingress-gateway.oauthValidatorEnabled Enable or disable OAuth Validator. Optional false CNC Policy & PCF Added in Release 1.5.x  
ingress-gateway.nfInstanceId NF Instance Id of service producer Optional 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11 CNC Policy & PCF Added in Release 1.5.x
ingress-gateway.allowedClockSkewSeconds Set this value if the clock on the parsing NF (producer) is not perfectly in sync with the clock on the NF (consumer) that created the JWT. Optional 0 CNC Policy & PCF Added in Release 1.6.x
ingress-gateway.nrfPublicKeyKubeSecret Name of the secret which stores the public key(s) of NRF Optional CNC Policy & PCF Added in Release 1.5.x
ingress-gateway.nrfPublicKeyKubeNamespace Namespace of the NRF public key secret Optional CNC Policy & PCF Added in Release 1.5.x
ingress-gateway.validationType Possible values are strict and relaxed. strict: If the incoming request does not contain the "Authorization" (Access Token) header, the request is rejected. relaxed: If the incoming request contains the "Authorization" header, it is validated. If the incoming request does not contain the "Authorization" header, validation is ignored. Optional relaxed CNC Policy & PCF Added in Release 1.6.x  
ingress-gateway.producerPlmnMNC MNC of the service producer Optional 123 CNC Policy & PCF Added in Release 1.5.x
ingress-gateway.producerPlmnMCC MCC of the service producer Optional 456 CNC Policy & PCF Added in Release 1.5.x
ingress-gateway.producerScope Contains the NF service name(s) of the NF service producer(s). The service name(s) included in this attribute shall be any of the services defined in the ServiceName enumerated type. Note: producerScope must be configured in custom-values.yaml only if different from the default values. Mandatory npcf-smpolicycontrol, npcf-am-policy-control, npcf-ue-policy-control CNC Policy & PCF Added in Release 1.12.0  
Here is a sample OAUTH configuration for ingress-gateway in occnp_custom_values_23.4.9.yaml file:
 # ----OAUTH CONFIGURATION - BEGIN ----
  oauthValidatorEnabled: false
  nfInstanceId: 6faf1bbc-6e4a-4454-a507-a14ef8e1bc11
  allowedClockSkewSeconds: 0
  nrfPublicKeyKubeSecret: ''
  nrfPublicKeyKubeNamespace: ''
  validationType: relaxed
  producerPlmnMNC: 123
  producerPlmnMCC: 456
  nfType: PCF
  # ----OAUTH CONFIGURATION - END ----
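
The sample above ships with the validator disabled and validationType set to relaxed. The following model, an added example and not the gateway's implementation, shows which requests each combination of oauthValidatorEnabled, validationType and allowedClockSkewSeconds lets through. It assumes the token signature has already been checked against the NRF public key and that the clock skew is applied as leeway on the exp and nbf claims, the usual JWT meaning; the class name, function name and reason strings are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressOauthConfig:
    """Subset of the ingress-gateway OAUTH keys from Table 3-61 (defaults as documented)."""
    oauthValidatorEnabled: bool = False
    validationType: str = "relaxed"
    allowedClockSkewSeconds: int = 0


def decide(cfg, authorization, claims, now):
    """Model the accept/reject decision for one inbound request.

    authorization: value of the "Authorization" header, or None if absent.
    claims: claim set of the token, assumed already signature-checked;
            only "exp" and the optional "nbf" are used (epoch seconds).
    now: current time on the producer, in epoch seconds.
    Returns (accepted, reason).
    """
    if not cfg.oauthValidatorEnabled:
        # Validator off: nothing is checked, with or without a token.
        return True, "validator-disabled"
    if cfg.validationType not in ("strict", "relaxed"):
        raise ValueError(f"unknown validationType: {cfg.validationType!r}")

    if authorization is None:
        if cfg.validationType == "strict":
            return False, "missing-token"
        # relaxed: a request without the header is not validated at all.
        return True, "no-token-validation-ignored"

    if not authorization.startswith("Bearer ") or claims is None:
        return False, "malformed-token"

    skew = cfg.allowedClockSkewSeconds
    if now > claims["exp"] + skew:
        return False, "expired"
    nbf = claims.get("nbf")
    if nbf is not None and now + skew < nbf:
        return False, "not-yet-valid"
    return True, "token-valid"


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp
    requests = {          # constructed requests: (Authorization header, claims)
        "no token": (None, None),
        "fresh token": ("Bearer sample", {"exp": NOW + 60}),
        "expired 3 s ago": ("Bearer sample", {"exp": NOW - 3}),
    }
    configs = {
        "default (disabled)": IngressOauthConfig(),
        "enabled, relaxed": IngressOauthConfig(True, "relaxed", 0),
        "enabled, strict": IngressOauthConfig(True, "strict", 0),
        "enabled, strict, skew 5": IngressOauthConfig(True, "strict", 5),
    }
    for cfg_name, cfg in configs.items():
        for req_name, (header, claims) in requests.items():
            print(f"{cfg_name:26} {req_name:16} {decide(cfg, header, claims, NOW)}")
```

Only the strict rows reject a request that carries no token; relaxed still rejects an expired token when one is presented.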

Table 3-62 Configurable Parameters for OAUTH Configuration in Egress Gateway

Parameter Description Mandatory/Optional/Conditional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
egress-gateway.oauthClient.enabled Determines if the oAuthClient lookup is enabled or not (static configuration) Optional false CNC Policy& PCF Added in Release 1.5.x
egress-gateway.oauthClient.dnsSrvEnabled Enable/Disable the DNS-SRV query to coreDNS Server Optional false CNC Policy& PCF Removed in Release 1.12.0  
egress-gateway.oauthClient.nrfClientQueryEnabled Determines if NRF-Client Query is enabled or not (Dynamic configuration). Optional false CNC Policy& PCF Added in Release 1.11.0  
egress-gateway.oauthClient.httpsEnabled Determines if https support is enabled or not which is a deciding factor for oauth request scheme. Optional false CNC Policy& PCF Added in Release 1.8.0  
egress-gateway.oauthClient.virtualFqdn virtualFqdn value which needs to be populated and sent in the dns-srv query. Conditional ( If dnsSrvEnabled is set to true.) -1 CNC Policy& PCF Added in Release 1.8.0  
egress-gateway.oauthClient.staticNrfList List of Static NRF instances that need to be used for oAuth requests when nrfClientQueryEnabled is false. Conditional ( If oAuth is enabled.)   CNC Policy& PCF Added in Release 1.8.0  
egress-gateway.oauthClient.nfType NFType of service consumer. Conditional ( If oAuth is enabled.)   CNC Policy& PCF Added in Release 1.5.x  
egress-gateway.oauthClient.nfInstanceId NF InstanceId of service consumer. Optional fe7d992b-0541-4c7d-ab84-c6d70b1b01b1 CNC Policy& PCF Added in Release 1.5.x Modify the parameter with actual value, if OAuth is enabled.
egress-gateway.oauthClient.consumerPlmnMNC MNC of service Consumer Optional 345 CNC Policy& PCF Added in Release 1.5.x Modify the parameter with actual value, if OAuth is enabled.
egress-gateway.oauthClient.consumerPlmnMCC MCC of service Consumer Optional 567 CNC Policy& PCF Added in Release 1.5.x Modify the parameter with actual value, if OAuth is enabled.
egress-gateway.oauthClient.maxRetry Maximum number of retry that need to be performed to other NRF Fqdn’s in case of failure response from first contacted NRF based on the errorCodeSeries configured. Conditional ( If oAuth is enabled.) 2 CNC Policy& PCF Added in Release 1.8.0  
egress-gateway.oauthClient.apiPrefix apiPrefix that needs to be appended in the Oauth request flow while sending AccessToken requests to NRF instances. Conditional ( If oAuth is enabled.) "" CNC Policy& PCF Added in Release 1.8.0  
egress-gateway.oauthClient.errorCodeSeries Determines the fallback condition to other non primary NRF instances if the attempts configured for the current NRF instance in use are exhausted and if the last received response from NRF matches configured value of retryErrorCodeSeries for any errorSetId (4XX, 5XX). Conditional ( If oAuth is enabled and required a different error code series.) 4XX CNC Policy& PCF Added in Release 1.8.0  
egress-gateway.oauthClient.retryAfter RetryAfter value in milliseconds that needs to be set for a particular NRF Fqdn. If a retryAfter value is received from a particular NRF instance then irrespective of attempts for primary/ non-primary NRF instances count and retryErrorCodeSeries configurations at EGW, fallback to an alternate non-primary NRF instance based on its availability and priority takes place. Conditional ( If oAuth is enabled.) 5000 CNC Policy & PCF Added in Release 1.8.0  
egress-gateway.oauthClient.nrfClientConfig Determines the NRF-Client Mgmt Svc configurations which are required when dynamic configurations are in place at Egress-Gateway. Optional   CNC Policy & PCF Added in Release 1.11.0  
egress-gateway.oauthClient.nrfClientConfig.serviceName The service name of NRF-Client Mgmt Svc. Optional occnp-nrf-client-nfmanagement CNC Policy & PCF Added in Release 1.11.0  
egress-gateway.oauthClient.nrfClientConfig.host The address of NRF-Client Mgmt Svc Optional 10.233.49.44 CNC Policy & PCF Added in Release 1.11.0  
egress-gateway.oauthClient.nrfClientConfig.port Determines the port configuration for NRF-Client Mgmt Svc for sending Subscription requests. Optional 8000 CNC Policy & PCF Added in Release 1.11.0  
egress-gateway.oauthClient.nrfClientRequestMap Determines the request mapping URL for sending Subscription requests from Egress-Gateway to NRF-Client Mgmt Svc. Optional /v1/nrf-client/subscriptions/nrfRouteList CNC Policy & PCF Added in Release 1.11.0  
egress-gateway.oauthClient.oauthDeltaExpiryTime Determines the lifespan of the received tokens. This flag has a default value of 0 milliseconds. This value is subtracted from the TTL received from NRF when calculating the lifespan of a received token. Here, the token is saved in the Coherence cache of the Egress Gateway pod and expires after 55 seconds, so any request after this duration requires a new token fetch, which avoids the use of an expired token. Optional 0 CNC Policy & PCF Added in Release 22.2.0 The duration can be fine-tuned depending upon the TTL. For example, when the TTL is 60 seconds, oauthDeltaExpiryTime can be set to fine-tune the token fetch duration to 55 seconds. A range of 3 to 7 seconds, depending upon the TTL.

Here is a sample OAUTH configuration for egress-gateway in occnp_custom_values_23.4.9.yaml file:
# ---- Oauth Configuration - BEGIN ----
  oauthClient:
    enabled: false
    dnsSrvEnabled: false
    nrfClientQueryEnabled: false
    httpsEnabled: false
    virtualFqdn: nrf.oracle.com:80
    staticNrfList:
      - nrf1.oracle.com:80
    nfInstanceId: fe7d992b-0541-4c7d-ab84-c6d70b1b01b1
    consumerPlmnMNC: 345
    consumerPlmnMCC: 567
    maxRetry: 2
    apiPrefix: ""
    errorCodeSeries: 4XX
    retryAfter: 5000
    nrfClientConfig:
      serviceName: "occnp-nrf-client-nfmanagement"
      host: 10.233.49.44
      port: 8000
      nrfClientRequestMap: "/v1/nrf-client/subscriptions/nrfRouteList"
  # ---- Oauth Configuration - END ----

Authorization Request for Producer NFs

This section provides information on how to enable or disable sending the oc-access-token-request-info header in outgoing requests. When this parameter is set to NONE, PCF does not request the authorization token from any service, and OAuth validation is skipped at the Producer NF's Ingress Gateway.

The following table describes the parameters that users can customize to enable or disable authorization for producer network functions:

Note:

The default configuration value can be changed only when OAuth client is enabled at Egress Gateway.

Table 3-63 Configurable Parameters for OAUTH Configuration in Egress Gateway

Parameter Description Mandatory/Optional/Conditional Parameter Default Value Applicable to Deployment Notes
sm-service.envOathAccessTokenType Specifies whether to skip or send the authorization portion of packages sent out from Egress Gateway when requesting OAuth2 tokens. When the value is set to NONE, the header will be skipped and not pegged to outgoing packages when communicating with other NFs.

When the value is set to NF_TYPE, the header is included in the outgoing request and targetNfType is set to the corresponding NF.

When the value is set to NF_INSTANCE_ID, the header is included in the outgoing request and targetNfInstanceId is set to the corresponding Instance ID of producer NF.

Optional NONE PCF  
user-service.envOathAccessTokenTypeUdr Specifies whether to skip or send the authorization portion of packages, sent out from Egress Gateway towards UDR, when requesting OAuth2 tokens. When the value is set to NONE, the header will be skipped and not pegged to outgoing packages when communicating with other NFs.

When the value is set to NF_TYPE, the header is included in the outgoing request and targetNfType is set to the corresponding NF.

When the value is set to NF_INSTANCE_ID, the header is included in the outgoing request and targetNfInstanceId is set to the corresponding Instance ID of producer NF.

Optional NONE PCF  
user-service.envOathAccessTokenTypeChf Specifies whether to skip or send the authorization portion of packages, sent out from Egress Gateway towards CHF, when requesting OAuth2 tokens. When the value is set to NONE, the header will be skipped and not pegged to outgoing packages when communicating with other NFs.

When the value is set to NF_TYPE, the header is included in the outgoing request and targetNfType is set to the corresponding NF.

When the value is set to NF_INSTANCE_ID, the header is included in the outgoing request and targetNfInstanceId is set to the corresponding Instance ID of producer NF.

Optional NONE PCF  
The following is the snippet of the occnp_custom_values_23.4.9.yaml file:
sm-service:
  envOathAccessTokenType: 'NONE'

user-service:
  envOathAccessTokenTypeUdr: 'NONE'
  envOathAccessTokenTypeChf: 'NONE'

3.21 XFCC Header Validation Configuration

This section describes the customizations that you can make in the occnp_custom_values_23.4.9.yaml file to configure the XFCC header.

XFCC support lets CNC Policy, acting as a producer, check whether the Service Communication Proxy (SCP) that sent an HTTP request is the proxy consumer/client that is expected to send the HTTP2 request. This is achieved by comparing the FQDN of the SCP present in the “x-forwarded-client-cert” (XFCC) HTTP2 header with the FQDNs of the SCPs configured in CNC Policy.

For more information about the XFCC header, see Oracle Communications Cloud Native Core Policy User's Guide.

To configure XFCC header, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-64 Configurable Parameters for XFCC Header Validation Configuration

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
ingress-gateway.xfccHeaderValidation.validation.enabled Determines if the incoming XFCC header needs to be validated. Optional false CNC Policy & PCF Added in Release 1.8.0  
ingress-gateway.xfccHeaderValidation.validation.peerList Specifies the list of configured NF FQDNs against which the configured matchField entry present in the XFCC header is validated. Conditional (if xfccHeader validation is enabled)   CNC Policy & PCF Updated in Release 22.1.0  
ingress-gateway.xfccHeaderValidation.validation.matchCerts Specifies the number of certificates that need to be validated, starting from the rightmost entry in the XFCC header.
  • If the parameter is set to -1, validation is performed against all entries.
  • If the parameter is set to a positive number, validation is performed from right to left. For example, if the value is set to 2, the two rightmost entries are validated to find a match.
Conditional (if xfccHeader validation is enabled) -1 CNC Policy & PCF Added in Release 1.8.0 Note: If there are multiple certificates defined in the XFCC header, all the entries are validated from right to left until a match is found. If a match is found, the Ingress Gateway stops and forwards the response to the backend microservice. If no match is found, 400 Bad Request is returned as a response from Ingress Gateway.
ingress-gateway.xfccHeaderValidation.validation.matchField Specifies the field in the XFCC header against which the configured nfList FQDN validation is performed. Conditional (if xfccHeader validation is enabled) DNS CNC Policy & PCF Added in Release 1.8.0 Note: If there are multiple DNS entries defined in the XFCC header, all the entries are validated from right to left until a match is found. If a match is found, the Ingress Gateway stops and forwards the response to the backend microservice. If no match is found, 400 Bad Request is returned as a response from Ingress Gateway.
ingress-gateway.xfccHeaderValidation.validation.dnsResolutionInterval Specifies the interval (in milliseconds) used to resolve failed FQDNs. Optional 300000 CNC Policy & PCF Added in CNC Policy 22.1.0  
global.xfccHeaderValidation.validation.errorTrigger[i].exceptionType

Specifies the configurable exception or error type for an error scenario in Ingress Gateway.

Optional XFCC_HEADER_INVALID

XFCC_MATCHCERTCOUNT_GREATER_THAN_CERTS_IN_HEADER

XFCC_HEADER_NOT_PRESENT_OR_EMPTY

CNC Policy & PCF Added in CNC Policy 22.1.0  
global.xfccHeaderValidation.validation.errorTrigger[i].errorCode Specifies the configurable error code to be returned when the exception or error configured in exceptionType occurs at Ingress Gateway. Optional 401

402

403

CNC Policy & PCF Added in CNC Policy 22.1.0  
global.xfccHeaderValidation.validation.errorTrigger[i].errorCause Specifies the configurable error cause to be returned when the exception or error configured in exceptionType occurs at Ingress Gateway. Optional xfcc header is invalid

matchCerts count is greater than the certs in the request

xfcc header is not present or empty in the request

CNC Policy & PCF Added in CNC Policy 22.1.0  
global.xfccHeaderValidation.validation.errorTrigger[i].errorTitle Specifies the configurable error title to be returned when the exception or error configured in exceptionType occurs at Ingress Gateway. Optional Invalid XFCC Header CNC Policy & PCF Added in CNC Policy 22.1.0  
global.xfccHeaderValidation.validation.errorTrigger[i].errorDescription Specifies the configurable error description to be returned when the exception or error configured in exceptionType occurs at Ingress Gateway. Optional Invalid XFCC Header CNC Policy & PCF Added in CNC Policy 22.1.0  

This is an example where the XFCC header contains multiple certificates and multiple DNS entries.

If the ingress-gateway.xfccHeaderValidation.validation.matchCerts parameter is set to -1, validation is performed against all entries. All the entries are validated until a match is found.

x-forwarded-client-cert:By=http://router1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp1.com"; URI=http://testenv1.blr.com; DNS=scp8.com;DNS=scp1.com; DNS=scp6.com, By=http://router1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp10.com"; URI=http://testenv1.blr.com; DNS=scp10.com; DNS=scp8.com; DNS=scp9.com, By=http://routexr1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp4.com"; URI=http://testenv1.blr.com; DNS=scp9.com; DNS=scp4.com;DNS=scp1.com

This is an example where the XFCC header contains multiple certificates and multiple DNS entries.

If the ingress-gateway.xfccHeaderValidation.validation.matchCerts parameter is set to 2, the two rightmost entries are validated to find a match.

x-forwarded-client-cert:By=http://router1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp1.com"; URI=http://testenv1.blr.com; DNS=scp8.com;DNS=scp1.com; DNS=scp6.com, By=http://router1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp10.com"; URI=http://testenv1.blr.com; DNS=scp10.com; DNS=scp8.com; DNS=scp9.com, By=http://routexr1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp4.com"; URI=http://testenv1.blr.com; DNS=scp9.com; DNS=scp4.com;DNS=scp1.com

This is an example where the XFCC header contains a single certificate and multiple DNS entries.

If the field selected by the ingress-gateway.xfccHeaderValidation.validation.matchField parameter has multiple DNS entries, all entries are validated until a match is found.

x-forwarded-client-cert:By=http://router1.blr.com;Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=scp1.com"; URI=http://testenv1.blr.com; DNS=scp8.com;DNS=scp1.com; DNS=scp6.com
The following is a sample snippet of XFCC Header configurations under ingress-gateway in occnp_custom_values_23.4.9.yaml file:
global:
    xfccHeaderValidation:
      validation:
        enabled: false
        peerList:
          - name: scp.com
          - name: smf.com
          - name: amf.com
          - name: scp1.com
            enabled: true
          - name: scp2.com
          - name: scp3.com
            enabled: false
          - name: xyz.test.com
            enabled: true
            scheme: http
            type: virtual
          - name: abc.test.com
            enabled: true
            scheme: https
            type: virtual
          - name: xfcc.test.com
            enabled: false
            scheme: http
            type: virtual
        matchCerts: -1
        matchField: DNS
        dnsResolutionInterval: 300000
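
The matchCerts and matchField behaviour described above can be checked offline with the following added example, which is not Oracle's gateway code. The function names, the flat list of allowed FQDNs, the case-insensitive comparison and the quote handling are assumptions made for illustration; the sample header is constructed from the examples on this page.

```python
class XfccError(Exception):
    """Carries one of the exceptionType values listed in Table 3-64."""

    def __init__(self, exception_type):
        super().__init__(exception_type)
        self.exception_type = exception_type


def _split_unquoted(text, sep):
    # Split on sep, but never inside a double-quoted value such as Subject="...".
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = quoted and ch == "\\" and not escaped
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:  # unbalanced quote: refuse rather than guess
        raise XfccError("XFCC_HEADER_INVALID")
    parts.append("".join(buf))
    return parts


def parse_xfcc(header):
    """Return one dict per certificate element: field name -> list of values."""
    if header is None or not header.strip():
        raise XfccError("XFCC_HEADER_NOT_PRESENT_OR_EMPTY")
    elements = []
    for element in _split_unquoted(header, ","):
        fields = {}
        for pair in _split_unquoted(element, ";"):
            if not pair.strip():
                continue
            key, eq, value = pair.strip().partition("=")
            if not eq or not key.strip():
                raise XfccError("XFCC_HEADER_INVALID")
            fields.setdefault(key.strip().upper(), []).append(value.strip().strip('"'))
        if not fields:
            raise XfccError("XFCC_HEADER_INVALID")
        elements.append(fields)
    return elements


def validate_xfcc(header, peer_list, match_certs=-1, match_field="DNS"):
    """Return the matching FQDN, or None (the case where the page says 400 is returned)."""
    elements = parse_xfcc(header)
    if match_certs == -1:
        candidates = elements
    elif match_certs > len(elements):
        raise XfccError("XFCC_MATCHCERTCOUNT_GREATER_THAN_CERTS_IN_HEADER")
    elif match_certs > 0:
        candidates = elements[-match_certs:]  # only the rightmost N certificates
    else:
        raise ValueError("matchCerts must be -1 or a positive number")
    # Assumption: FQDNs are compared case-insensitively, ignoring a trailing dot.
    allowed = {name.lower().rstrip(".") for name in peer_list}
    for fields in reversed(candidates):  # right to left, as the table notes describe
        for value in reversed(fields.get(match_field.upper(), [])):
            if value.lower().rstrip(".") in allowed:
                return value
    return None


# Constructed sample: the three-certificate header from the examples on this page.
_PREFIX = ("By=http://router1.blr.com;"
           "Hash=468ed33be74eee6556d90c0149c1309e9ba61d6425303443c0748a02dd8de68; "
           'Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=%s"; '
           "URI=http://testenv1.blr.com; ")
SAMPLE_XFCC = ", ".join([
    _PREFIX % "scp1.com" + "DNS=scp8.com;DNS=scp1.com; DNS=scp6.com",
    _PREFIX % "scp10.com" + "DNS=scp10.com; DNS=scp8.com; DNS=scp9.com",
    _PREFIX % "scp4.com" + "DNS=scp9.com; DNS=scp4.com;DNS=scp1.com",
])

if __name__ == "__main__":
    # scp6.com appears only in the leftmost certificate.
    print(validate_xfcc(SAMPLE_XFCC, ["scp6.com"], match_certs=-1))
    print(validate_xfcc(SAMPLE_XFCC, ["scp6.com"], match_certs=2))
```

With matchCerts set to 2, a peer that is present only in the leftmost certificate is not accepted, which is why the value should reflect how many proxy hops in front of the Ingress Gateway are trusted to append entries.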
        

XFCC Header - Route Level

To enable or disable XFCC header per route, set the validationEnabled parameter to true under each route (in Ingress Gateway):
routesConfig:
    - id: sm_create_session_route
      uri: http://{{ .Release.Name }}-occnp-pcf-sm:{{ .Values.global.servicePorts.pcfSmServiceHttp }}
      path: /npcf-smpolicycontrol/*/sm-policies
      order: 1
      method: POST
      readBodyForLog: true
      filters:
        subLog: true,CREATE,SM
      metadata:
        xfccHeaderValidation:
          validationEnabled: false

Note:

These routes are for internal consumption and determine how the incoming traffic is distributed among microservices on the basis of routing properties. To make any modification to these routes other than enabling or disabling XFCC header feature, kindly contact My Oracle Support.

3.22 Ingress/Egress Gateway HTTPS Configuration

This section describes the customizations that you should make in the occnp_custom_values_23.4.9.yaml file to configure HTTPS in the ingress/egress gateway.

Note:

These configurations are applicable only when ingress/egress gateway is enabled and the following parameters are set to true in custom-yaml file:
  • ingress-gateway.enableIncomingHttps
  • egress-gateway.enableOutgoingHttps
To configure HTTPS in ingress-gateway, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-65 Configurable Parameters for HTTPS Configurations in Ingress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
ingress-gateway.enableIncomingHttps To enable https for ingress traffic No False CNC Policy, PCF, &cnPCRF Added in Release 1.5.x  

ingress-gateway.service.ssl.privateKey.k8SecretName

Name of the private key secret. No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.privateKey.k8NameSpace

Namespace of private key. No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.privateKey.rsa.fileName

rsa private key file name. No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.certificate.k8SecretName

Name of the privatekey secret No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.certificate.k8NameSpace

Namespace of privatekey No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.certificate.rsa.fileName

rsa private key file name No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.caBundle.k8SecretName

Name of the privatekey secret No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.caBundle.k8NameSpace

Namespace of privatekey No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.caBundle.fileName

private key file name No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.keyStorePassword.k8SecretName

Name of the privatekey secret No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.keyStorePassword.k8NameSpace

Namespace of privatekey No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.keyStorePassword.fileName

File name that has password for keyStore No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.trustStorePassword.k8SecretName

Name of the privatekey secret No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.trustStorePassword.k8NameSpace

Namespace of privatekey No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true

ingress-gateway.service.ssl.trustStorePassword.fileName

File name that has password for trustStore No Not Applicable CNC Policy, PCF, &cnPCRF Added in Release 1.5.x required if enableIncomingHttps is true
ingressServer.keepAlive.enabled If enabled, the netty server sends a keep-alive message for each connection No false   Added in Release 1.7.3  
ingressServer.keepAlive.idealTime Time after which keep alive will be tried after successful response from the peer No 180 (in seconds)   Added in Release 1.7.3  
ingressServer.keepAlive.count Number of times it should retry if there is no response for keep alive No 9   Added in Release 1.7.3  
ingressServer.keepAlive.interval The interval after which it should retry in case of failure No 60 (in seconds)   Added in Release 1.7.3  
global.configServerPort The Configuration Server port No *svcConfigServerHttp CNC Policy, PCF, &cnPCRF Added in Release 1.7.3  
Here is a sample HTTPS configuration for ingress-gateway in the occnp_custom_values_23.4.9.yaml file:
# ---- HTTPS Configuration - BEGIN ----
  enableIncomingHttps: false

  service:
    ssl:
      privateKey:
        k8SecretName: occnp-gateway-secret
        k8NameSpace: occnp
        rsa:
          fileName: rsa_private_key_pkcs1.pem
      certificate:
        k8SecretName: occnp-gateway-secret
        k8NameSpace: occnp
        rsa:
          fileName: ocegress.cer
      caBundle:
        k8SecretName: occnp-gateway-secret
        k8NameSpace: occnp
        fileName: caroot.cer
      keyStorePassword:
        k8SecretName: occnp-gateway-secret
        k8NameSpace: occnp
        fileName: key.txt
      trustStorePassword:
        k8SecretName: occnp-gateway-secret
        k8NameSpace: occnp
        fileName: trust.txt

Table 3-66 Configurable Parameters for HTTPS Configurations in Egress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
egress-gateway.enableOutgoingHttps Enabling it for outgoing https request No false CNC Policy& PCF Added in Release 1.5.x  
egress-gateway.egressGwCertReloadEnabled Egress Gateway Certificates Reload Enabled No false CNC Policy& PCF Added in Release 1.5.x
egress-gateway.egressGwCertReloadPath Egress Gateway Certificates Reloading path No /egress-gw/store/reload CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.privateKey.k8SecretName Name of the privatekey secret No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.privateKey.k8NameSpace Namespace of privatekey No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.privateKey.rsa.fileName rsa private key file name No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.privateKey.ecdsa.fileName ecdsa private key file name No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.certificate.k8SecretName Name of the privatekey secret No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.certificate.k8NameSpace Namespace of privatekey No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.certificate.rsa.fileName rsa private key file name No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.certificate.ecdsa.fileName ecdsa private key file name No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.caBundle.k8SecretName Name of the privatekey secret No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.caBundle.k8NameSpace Namespace of privatekey No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.caBundle.fileName private key file name No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.keyStorePassword.k8SecretName Name of the privatekey secret No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.keyStorePassword.k8NameSpace Namespace of privatekey No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.keyStorePassword.fileName File name that has password for keyStore No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.trustStorePassword.k8SecretName Name of the privatekey secret No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.trustStorePassword.k8NameSpace Namespace of privatekey No Not Applicable CNC Policy& PCF Added in Release 1.5.x
egress-gateway.service.ssl.trustStorePassword.fileName File name that has password for trustStore No Not Applicable CNC Policy& PCF Added in Release 1.5.x
Here is a sample HTTPS configuration for egress-gateway in the occnp_custom_values_23.4.9.yaml file:
# ---- HTTPS Configuration - BEGIN ----

  #Enabling it for egress https requests
  enableOutgoingHttps: false

  egressGwCertReloadEnabled: false
  egressGwCertReloadPath: /egress-gw/store/reload

  service:
    ssl:
      privateKey:
        k8SecretName: ocpcf-gateway-secret
        k8NameSpace: ocpcf
        rsa:
          fileName: rsa_private_key_pkcs1.pem
        ecdsa:
          fileName: ssl_ecdsa_private_key.pem
      certificate:
        k8SecretName: ocpcf-gateway-secret
        k8NameSpace: ocpcf
        rsa:
          fileName: ocegress.cer
        ecdsa:
          fileName: ssl_ecdsa_certificate.crt
      caBundle:
        k8SecretName: ocpcf-gateway-secret
        k8NameSpace: ocpcf
        fileName: caroot.cer
      keyStorePassword:
        k8SecretName: ocpcf-gateway-secret
        k8NameSpace: ocpcf
        fileName: key.txt
      trustStorePassword:
        k8SecretName: ocpcf-gateway-secret
        k8NameSpace: ocpcf
        fileName: trust.txt
  # ---- HTTPS Configuration - END ----

3.23 SCP Configuration

This section describes the customizations that you can make in the occnp_custom_values_23.4.9.yaml file to support SCP integration, including SBI routing.

Important:

  • Routes supporting the SBI-Routing configuration are updated in Egress Gateway only when its configuration details are provided correctly. Example: PeerSetConfiguration, PeerConfiguration, sbiroutingerrorcriteriasets, and sbiroutingerroractionsets. Routes not supporting the SBI-Routing configuration are updated only when they have valid route definition.
To configure SBI-Routing:
  • Use Peerconfiguration to define the list of peers to which Egress Gateway can send request. This list contains peers that support HTTP/ HTTP-Proxy / HTTPS communication.
  • Use Peersetconfiguration to logically group the peers into sets. Each set contains a list of peers that support HTTP and HTTPS communication modes.
  • Use sbiRoutingErrorCriteriaSets to define an array of errorCriteriaSet, where each errorCriteriaSet depicts an ID, a set of HTTP methods, a set of HTTP response status codes, and a set of exceptions with headerMatching functionality.
  • Use sbiRoutingErrorActionSets to define an array of actionset, where each depicts an ID, the action to be performed (currently only the REROUTE action is supported), and blacklist configurations.
  • Use Priority for each peer in the set. Depending on the priority, it selects the primary, secondary, or tertiary peers to route requests.
  • Use SbiRoutingWeightBasedEnabled for each peer in the set. If the priority of two or more peers is the same, weight is the deciding factor for selecting the peers.

Note:

  • Egress Gateway accepts route configuration updates only if SBI-Routing feature is configured correctly.
  • If the peer contains a virtual host address, Egress Gateway resolves the virtual host address using a DNS-SRV query. If a peer is defined based on a virtual host, the peerset can contain only one such peer for httpConfiguration and httpsConfiguration. Do not configure more than one virtual-host-based peer in a given peerset for a given HTTP / HTTPS configuration.
  • In case of peers based on virtual host, Egress Gateway does not consider priority values configured rather it retrieves priority from DNS-SRV records.
The following flag determines whether the configuration for routes and sbiRouting needs to be picked up from Helm:
routeConfigMode: HELM

Note:

Currently, HELM is the only supported value for this parameter.

Configurations for SBI Routing

To enable and configure SBI Routing, perform the following configurations:

  • For sbiRoutingDefaultScheme parameter, the default value is http. The value specified in this field is considered when 3gpp-sbi-target-apiroot header is missing.
  • Now, configure a list of peers and peer sets. Each peer must contain id, host, port, and apiPrefix. Each peer set must contain HTTP or HTTPS instances where in each instance contains priority and peer identifier, which maps to peers configured under peerConfiguration.

    No two instances should have same priority for a given HTTP or HTTPS configuration. In addition, more than one virtual FQDN should not be configured for a given HTTP or HTTPS configuration.

sbiRouting:
    # Default scheme applicable when 3gpp-sbi-target-apiroot header is missing
    sbiRoutingDefaultScheme: http

    peerConfiguration:
      - id: peer1
        host: scp1.test.com
        port: 80
        apiPrefix: "/"
      - id: peer2
        host: scp2.test.com
        port: 80
        apiPrefix: "/"
    peerSetConfiguration:
      - id: set0
        httpConfiguration:
          - priority: 1
            peerIdentifier: peer1
          - priority: 2
            peerIdentifier: peer2
        httpsConfiguration:
          - priority: 1
            peerIdentifier: peer1
          - priority: 2
            peerIdentifier: peer2

Note:

If required, users can configure more SCP instances in a similar way.

Route-level Configuration

Each route must have configured filters. If the SbiRouting functionality is required without reroutes, configure routes[0].metadata.sbiRoutingEnabled=true, set SbiRouting in filterName1, and set the arguments without the errorHandling section.

If the SbiRouting functionality is required with the reroute mechanism and the SbiRoutingWeightBasedEnabled parameter is enabled, configure routes[0].metadata.sbiRoutingEnabled=true and routes[0].metadata.SbiRoutingWeightBasedEnabled=true, set SbiRouting in filterName1, and set the arguments with the errorHandling section.

The errorHandling section contains an array of errorcriteriaset and actionset mapping with priority. The errorcriteriaset and actionset are configured through Helm using sbiRoutingErrorCriteriaSets and sbiRoutingErrorActionSets.

The sbiRoutingErrorCriteriaSets contains an array of errorCriteriaSet, where each errorCriteriaSet depicts an ID, a set of HTTP methods, a set of HTTP response status codes, and a set of exceptions with headerMatching functionality.

The sbiRoutingErrorActionSets contains an array of actionset, where each depicts an ID, the action to be performed (currently only the REROUTE action is supported), and blacklist configurations.

Following is the SBI routing configuration with the Reroute functionality:

Note:

Ensure to configure sbiRoutingErrorCriteriaSets and sbiRoutingErrorActionSets.

If you have peers configured in HTTPS and want to select only HTTPS peers but interact over HTTP, then httpsTargetOnly must be set to true and httpRuriOnly must be set to true.

If you have peers configured in HTTPS and want to select only HTTPS peers and interact over HTTPS, then httpsTargetOnly must be set to true and httpRuriOnly must be set to false.

If you have peers configured in HTTP and want to select only HTTP peers and interact over HTTP, then httpsTargetOnly must be set to false and httpRuriOnly must be set to false.

- id: nrf_direct
#      uri: https://dummy.dontchange
#      path: /nnrf-disc/**
#      order: 4
#      metadata:
#        httpsTargetOnly: false
#        httpRuriOnly: false
#        sbiRoutingEnabled: false
#        sbiRoutingWeightBasedEnabled: false    
#      filterName1:
#        name: SbiRouting
#        args:
#          peerSetIdentifier: set0
#          customPeerSelectorEnabled: false
#          errorHandling:
#            - errorCriteriaSet: scp_direct2_criteria_1
#              actionSet: scp_direct2_action_1
#              priority: 1
#            - errorCriteriaSet: scp_direct2_criteria_0
#              actionSet: scp_direct2_action_0
#              priority: 2
#    - id: scp_route

Enable Rerouting

The Reroute mechanism works only for the incoming requests to Egress Gateway that are bound for SBI-Routing. The SBI-Routing bound requests must be rerouted to other instances of SBI based on certain response error codes or exceptions.

Note:

The above configuration is effective only when sbiRoutingEnabled is set to true.
The errorHandling section contains an array of errorcriteriaset and actionset mapping with priority. The errorcriteriaset and actionset are configured through Helm using sbiRoutingErrorCriteriaSets and sbiRoutingErrorActionSets.

Note:

errorcriteriaset and actionset must be configured for reroute to work.
To enable reroute functionality with SBI routing, add the following values in the Helm configuration file:
routesConfig:
 - id: scp_direct2
   uri: https://dummy.dontchange2
   path: /<Intended Path>/**
   order: 3
   metadata:
    httpsTargetOnly: false
    httpRuriOnly: false
    sbiRoutingEnabled: false
   filterName1:
     name: SbiRouting
     args:
       peerSetIdentifier: set0
       customPeerSelectorEnabled: false
       errorHandling:
        - errorCriteriaSet: scp_direct2_criteria_1
          actionSet: scp_direct2_action_1
          priority: 1
        - errorCriteriaSet: scp_direct2_criteria_0
          actionSet: scp_direct2_action_0
          priority: 2
             
sbiRoutingErrorCriteriaSets:
 - id: scp_direct2_criteria_0
   method:
   - GET
   - POST
   - PUT
   - DELETE
   - PATCH
   exceptions:
   - java.util.concurrent.TimeoutException
   - java.net.UnknownHostException
 - id: scp_direct2_criteria_1
   method:
   - GET
   - POST
   - PUT
   - DELETE
   - PATCH
   response:
     cause:
       ignoreCauseIfMissing: false
       path: ".cause"
       reason:
       - "cause-1"
       - "cause-2"
     statuses:
     - statusSeries: 4xx
       status:
       - 400
     headersMatchingScript: "headerCheck,server,via,.*(SEPP|UDR).*"

sbiRoutingErrorActionSets:
 - id: scp_direct2_action_0
   action: reroute
   attempts: 2
   blackList:
    enabled: false
    duration: 60000

 - id: scp_direct2_action_1
   action: reroute
   attempts: 3
   blackList:
    enabled: false
    duration: 60000
errorcriteria can also be configured only with the status code. Following is the sample:
sbiRoutingErrorCriteriaSets:
 - id: scp_direct2_criteria_1
   method:
   - GET
   - POST
   - PUT
   - DELETE
   - PATCH
   response:
     statuses:
     - statusSeries: 4xx
       status:
       - 400
       - 404
     - statusSeries: 5xx
       status:
       - 500
       - 503

The path has to be configured per route. If /** is provided as the path, all traffic except NRF traffic is SBI-routed. If traffic to a particular NF has to be SBI-routed, the permanent start string of the URI has to be configured as a prefix. Example: For CHF, path: /nchf-spendinglimitcontrol/**. Similarly, for UDR, path: /nudr-dr/**.

Note:

Path, Reason, and ignoreCauseIfMissing parameters must not be empty when cause is configured in the errorcriteriaset. The reason parameter must contain at least one reason. The statusSeries must be configured with only one status code.

When errorcriteria is configured only with the status code, statusSeries can have multiple error codes.

When the configuration is not successful, the oc_egressgateway_routing_invalid_config_detected metric is pegged and the SBI Routing feature is disabled for the route for which this criteria set is configured.

Handling Server and Via Header

This is an enhancement to the SBI routing functionality. An additional alternate routing rule is applied to the Egress Gateway when the header check is included in the configuration. This can be configured through sbiRoutingErrorCriteriaSets, and the corresponding action can be taken by configuring sbiRoutingErrorActionSets.

To configure SBI Routing with Reroute functionality, see unresolvable-reference.html#GUID-4C63916E-1C2E-439C-ADEB-DD210424294B.

To enable Server and Via Header handling, add headersMatchingScript under the response entity within sbiRoutingErrorCriteriaSets.

Note:

headersMatchingScript is a configuration that accepts a single string with comma-separated tokens.
Sample sbiRoutingErrorCriteriaSets configuration:
sbiRoutingErrorCriteriaSets:
  - id: scp_direct2_criteria_1
    method:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
    response:
      statuses:
        - statusSeries: 4xx
          status:
            - 400
            - 404
        - statusSeries: 5xx
          status:
            - 500
            - 503
      headersMatchingScript: "headerCheck,server,via,.*(SEPP|UDR).*"
The headersMatchingScript contains the following tokens:
  • headerCheck: The validation function name. It must be constant.
  • server: Header name
  • via: Header name
  • .*(SEPP|UDR).*: Regular expression against which the server or via header is matched.

This headersMatchingScript configuration is satisfied if the response contains a server or via header and the content of the header matches the configured regex. For the criteria set to be matched, the response method, the response status code, and the headersMatchingScript configuration must all be satisfied. The action set is configured to blacklist the peer if the corresponding criteria set is matched.

Sample sbiRoutingErrorActionSets configuration:

sbiRoutingErrorActionSets:
  - id: scp_direct2_action_0
    action: reroute
    attempts: 2
    blackList:
      enabled: true
      duration: 60000

Once the sbiRoutingErrorCriteriaSets is selected, map this actionset to the selected criteriaset in the errorHandling section. The corresponding FQDN or Host in the server header value is blacklisted for the duration mentioned in the blackList section within the sbiRoutingErrorActionSets.

Note:

While configuring the sbiRoutingErrorCriteriaSets with server header checks (headersMatchingScript), ensure that the criteria set has the highest priority in the errorHandling section. While configuring a criteria set without the server header checks, keep blackList.enabled set to false, because server header blacklisting is used only when the server header check is required.
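
The configuration rules in the notes above and the Server/Via header check can be exercised before deployment, since an invalid criteria set disables SBI routing for its route. The following is an added example, not Oracle's code: the function names are hypothetical, the criteria sets are assumed to be already parsed from YAML into dicts, the regex is assumed to match the whole header value, and "only one status code" is read as one code per statusSeries entry when cause is configured.

```python
import re

VALIDATOR_NAME = "headerCheck"  # first token; the page says it must be constant


def parse_headers_matching_script(script):
    """Return (lower-cased header names, compiled regex) from the token string.

    Assumed layout, taken from the page's sample: first token is the function
    name, last token is the regex, everything between is a header name. A regex
    containing a comma cannot be expressed in this layout.
    """
    tokens = [t.strip() for t in script.split(",")]
    if len(tokens) < 3 or tokens[0] != VALIDATOR_NAME:
        raise ValueError("expected 'headerCheck,<header>[,<header>...],<regex>'")
    try:
        pattern = re.compile(tokens[-1])
    except re.error as exc:
        raise ValueError(f"bad regex {tokens[-1]!r}: {exc}") from exc
    return [t.lower() for t in tokens[1:-1]], pattern


def validate_criteria_set(cs):
    """Return the list of rule violations for one criteria set (empty = OK)."""
    errors = []
    response = cs.get("response") or {}
    statuses = response.get("statuses") or []
    cause = response.get("cause")
    if cause is not None:
        # With cause configured: path, reason, ignoreCauseIfMissing must be set.
        if not cause.get("path"):
            errors.append("cause.path is empty")
        if not cause.get("reason"):
            errors.append("cause.reason needs at least one reason")
        if not isinstance(cause.get("ignoreCauseIfMissing"), bool):
            errors.append("cause.ignoreCauseIfMissing is not set")
        # With cause configured, each statusSeries entry carries one code only.
        for entry in statuses:
            if len(entry.get("status") or []) != 1:
                errors.append(f"{entry.get('statusSeries')}: only one status code allowed with cause")
    script = response.get("headersMatchingScript")
    if script is not None:
        try:
            parse_headers_matching_script(script)
        except ValueError as exc:
            errors.append(f"headersMatchingScript: {exc}")
    return errors


def response_matches(cs, method, status, headers):
    """True when method, status code and (if configured) header check all match.

    Cause matching is not modelled in this example.
    """
    if method not in cs.get("method", []):
        return False
    response = cs.get("response") or {}
    codes = {c for e in response.get("statuses") or [] for c in e.get("status") or []}
    if status not in codes:
        return False
    script = response.get("headersMatchingScript")
    if script is None:
        return True
    names, pattern = parse_headers_matching_script(script)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return any(n in lowered and pattern.fullmatch(lowered[n]) is not None for n in names)


# The page's sample criteria set, written as the dict a YAML parser would produce.
PAGE_SAMPLE = {
    "id": "scp_direct2_criteria_1",
    "method": ["GET", "POST", "PUT", "DELETE", "PATCH"],
    "response": {
        "statuses": [
            {"statusSeries": "4xx", "status": [400, 404]},
            {"statusSeries": "5xx", "status": [500, 503]},
        ],
        "headersMatchingScript": "headerCheck,server,via,.*(SEPP|UDR).*",
    },
}
# Constructed invalid set: cause with no reason and two codes in one series.
BROKEN = {
    "id": "constructed_bad_criteria",
    "method": ["GET"],
    "response": {
        "cause": {"ignoreCauseIfMissing": False, "path": ".cause", "reason": []},
        "statuses": [{"statusSeries": "4xx", "status": [400, 404]}],
    },
}

if __name__ == "__main__":
    for cs in (PAGE_SAMPLE, BROKEN):
        print(cs["id"], validate_criteria_set(cs) or "OK")
    # Constructed header value; a match is what would trigger the action set.
    print(response_matches(PAGE_SAMPLE, "GET", 503, {"Server": "UDR-udr1.example.com"}))
```
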

3.24 Alternate Route Service Configuration

This section describes the customizations that you should make in occnp_custom_values_23.4.9.yaml files to configure alternate route service.

These configurations are applicable only when alternate route service is enabled.

To configure alternate route service, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-67 Configurable Parameters for Alternate Route Service Configuration

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
alternate-route.isIpv6Enabled Set the value to true for this parameter when NF is deployed in IPv6 cluster. No false   Added in Release 22.3.0  
alternate-route.staticVirtualFqdns[0].name Name of the virtual FQDN/FQDN Optional   CNCPolicy & PCF Added in Release 1.8.0  
alternate-route.staticVirtualFqdns[0].alternateFqdns[0].target Name of the alternate FQDN mapped to above virtual FQDN Yes, if "staticVirtualFqdns[0].name" is defined   CNCPolicy & PCF Added in Release 1.8.0  
alternate-route.staticVirtualFqdns[0].alternateFqdns[0].port Port of the alternate FQDN Yes, if "staticVirtualFqdns[0].name" is defined - CNCPolicy & PCF Added in Release 1.8.0  
alternate-route.staticVirtualFqdns[0].alternateFqdns[0].priority Priority of the alternate FQDN Yes, if "staticVirtualFqdns[0].name" is defined   CNCPolicy & PCF Added in Release 1.8.0  
alternate-route.dnsSrvEnabled Flag to enable the DNS-SRV query to coreDNS Server. No true CNCPolicy & PCF Added in Release 1.8.0  
alternate-route.dnsSrvFqdnSetting.enabled Flag to enable the usage of custom pattern for the FQDN while triggering DNS-SRV query No true CNCPolicy & PCF Added in Release 1.8.0 If this flag is set to false, then default value: "_{scheme}._tcp.{fqdn}." will be used.
alternate-route.dnsSrvFqdnSetting.pattern Pattern of the FQDN which will be used to format the incoming FQDN and Scheme while triggering DNS-SRV query Yes if "dnsSrvFqdnSetting.enabled" is set to true "_{scheme}._tcp.{fqdn}." CNCPolicy & PCF Added in Release 1.8.0  
egress-gateway.dnsSrv.host Host of DNS Alternate Route Service Conditional ( If DnsSrv integration is required.) 5000 CNCPolicy & PCF Added in Release 1.8.0  
egress-gateway.dnsSrv.port Port of DNS Alternate Route Service Conditional ( If DnsSrv integration is required.) 5000 CNCPolicy & PCF Added in Release 1.8.0  
egress-gateway.dnsSrv.scheme Scheme of the request that needs to be sent to alternate route service. Conditional ( If DnsSrv integration is required.) http CNCPolicy & PCF Added in Release 1.8.0  
egress-gateway.dnsSrv.errorCodeOnDNSResolutionFailure Configurable error code to be used in case of DNS resolution failure. Conditional ( If DnsSrv integration is required.) 425 CNCPolicy & PCF Added in Release 1.8.0  
nrf-client-nfmanagement.alternateRouteServiceEnabled Flag to tell nrf-client services if alternate route service is deployed or not. This flag should be set to true when the global.alternateRouteServiceEnable parameter is set as true. No false CNCPolicy & PCF Added in Release 1.8.0 Applicable only if Alternate Route Service is enabled.
nrf-client-nfdiscovery.alternateRouteServiceEnabled Flag to tell nrf-client services if alternate route service is deployed or not. This flag should be set to true when the global.alternateRouteServiceEnable parameter is set as true. No false CNCPolicy & PCF Added in Release 1.8.0 Applicable only if Alternate Route Service is enabled.
alternate-route.isIpv6Enabled Set the value to true for this parameter when NF is deployed in IPv6 cluster. No false CNCPolicy & PCF Added in Release 1.14.0 Applicable only if Alternate Route Service is enabled.
Here is a sample configuration for DNS-SRV in occnp_custom_values_23.4.9.yaml file:

alternate-route:
  #Static virtual FQDN Config
  staticVirtualFqdns:
    - name: https://abc.test.com
      alternateFqdns:
        - target: abc.test.com
          port: 5060
          priority: 10
        - target: xyz.test.com
          port: 5060
          priority: 20
    - name: http://xyz.test.com
      alternateFqdns:
        - target: xyz.test.com
          port: 5060
          priority: 10
        - target: abc.test.com
          port: 5060
          priority: 20
  #Flag to control if DNS-SRV queries are sent to coreDNS or not
  dnsSrvEnabled: true
  #Below configuration is for customizing the format of FQDN which will be used while querying coreDNS for SRV Records
  dnsSrvFqdnSetting:
    enabled: true  #If this flag is disabled, then default value of "_{scheme}._tcp.{fqdn}." will be used for Pattern
    pattern: "_{scheme}._tcp.{fqdn}."   #Ex: _http._tcp.service.example.org.

egress-gateway:
  dnsSrv:
    host: 10.75.225.67
    port: 32081
    scheme: http
    errorCodeOnDNSResolutionFailure: 425
  #Enabled when deployed in Ipv6 cluster
  isIpv6Enabled: false

3.25 Logging Configuration

This section describes the customizations that you should make in occnp_custom_values_23.4.9.yaml files to configure logging.

To configure logging in ingress-gateway, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-68 Configurable Parameters for Logging Configuration in Ingress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
ingress-gateway.log.level.root Log level for root logs No WARN CNC Policy, PCF, &cnPCRF Added in Release 1.6.x Applicable only when ingress-gateway is enabled.
ingress-gateway.log.level.ingress Log level for ingress logs No INFO CNC Policy, PCF, &cnPCRF Added in Release 1.6.x Applicable only when ingress-gateway is enabled.
ingress-gateway.log.level.oauth Log level for oauth logs No INFO CNC Policy, PCF, &cnPCRF Added in Release 1.6.x Applicable only when ingress-gateway is enabled.
Here is a sample configuration for logging in ingress-gateway in occnp_custom_values_23.4.9.yaml file:
ingress-gateway:
  
  log:
    level:
      root: WARN
      ingress: INFO
      oauth: INFO

Table 3-69 Configurable Parameters for Logging Configuration in Egress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
egress-gateway.log.level.root Log level for root logs No WARN CNC Policy, PCF, &cnPCRF Added in Release 1.6.x Applicable only when egress-gateway is enabled.
egress-gateway.log.level.egress Log level for egress logs No INFO CNC Policy, PCF, &cnPCRF Added in Release 1.6.x Applicable only when egress-gateway is enabled.
egress-gateway.log.level.oauth Log level for oauth logs No INFO CNC Policy, PCF, &cnPCRF Added in Release 1.6.x Applicable only when egress-gateway is enabled.
Here is a sample configuration for logging in egress-gateway in occnp_custom_values_23.4.9.yaml file:
egress-gateway:
  
  log:
    level:
      root: WARN
      egress: INFO
      oauth: INFO
To configure logging in Alternate Route service, you should configure the following configurable parameters in custom-value.yaml file:

Table 3-70 Configurable Parameters for Logging Configuration in Alternate Route Service

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
alternate-route.log.level.root Log level for root logs No WARN CNC Policy & PCF Added in Release 1.8.0 Applicable only when alternate route service is enabled.
alternate-route.log.level.altroute Log level for alternate route logs No INFO CNC Policy & PCF Added in Release 1.8.0 Applicable only when alternate route service is enabled.
Here is a sample configuration for logging in occnp_custom_values_23.4.9.yaml file:
alternate-route:
  
  log:
    level:
      root: WARN
      altroute: INFO

Configurations for Debug Tool

At the global level, the extraContainers flag can be used to enable or disable injecting an extra container, that is, the Debug Tool. Users can set DISABLED (default value) or ENABLED values for this parameter.

Note:

To enable and configure Debug Tool, pre-deployment configurations need to be performed. For more information, see the "Using Debug Tool" section in Oracle Communications Cloud Native Core Converged Policy Troubleshooting Guide.

The following is a snippet from the occnp_custom_values_23.4.9.yaml file:

  # Use 'extraContainers' attribute to control the usage of extra container(DEBUG tool).
  # Allowed Values: DISABLED, ENABLED
  extraContainers: DISABLED

Configuring Size Limit for Subscriber Activity Logging Mapping Table

At the global level, the subsActMappingTableEntrySize flag can be used to configure the size limit for the mapping table used for Subscriber Activity Logging in CNC Policy and PCF deployment modes. The default value for this parameter is set to 20.

The following is a snippet from the occnp_custom_values_23.4.9.yaml file:
  # Variable to specify the size of Subscriber Activity Logging Mapping Table
  subsActMappingTableEntrySize: 20

3.26 Common Configurations for Services

This section describes the configurable parameters that can be used to perform some common configurations applicable to different services while deploying Cloud Native Core Policy.

Common Reference Configurations

You can configure parameters that are common to multiple services in the commonRef section under the global parameters section of the Custom Values YAML file. A value set under commonRef is used by all the services through the reference variable for that configuration.

The following section describes the commonRef parameters for common configuration:

Table 3-71 Common Reference Configurations

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Notes
&configServerDB Specifies the name of the config server database. Yes occnp_config_server CNC Policy and PCF  
&commonConfigDB Specifies the name of the common config database. Yes occnp_commonconfig CNC Policy and PCF  
&commonCfgSvc.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes true CNC Policy and PCF  
commonCfgSvc.commonCfgServer.port Specifies the common config server port for common config service. Yes 8000 CNC Policy and PCF Same value as global.servicePorts.cmServiceHttp.
&dbCommonConfig.dbHost Specifies the MySQL database host for services. Yes   CNC Policy and PCF Same value as global.envMysqlHost.
&dbCommonConfig.dbPort Specifies MySQL database port for services. Yes   CNC Policy and PCF Same value as global.envMysqlPort.
&dbCommonConfig.dbName Specifies common config database name for services to store common configurations. Yes occnp_commonconfig CNC Policy and PCF Same value as global.common.Ref.commonConfigDB
&dbCommonConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes mysql-username CNC Policy and PCF  
&dbCommonConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes mysql-password CNC Policy and PCF  

Common Configuration Service and Database configurations in Bulwark

The following section describes the customizable parameters for Common Configuration service in Bulwark:

Table 3-72 Common Configuration Service and Database configurations in Bulwark

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Notes
bulwark.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
bulwark.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
bulwark.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
bulwark.dbConfig.dbPort Specifies MySQL database port for services. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
bulwark.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-privileged-db-pass CNC Policy and PCF Same value as global.privilegedDbCredSecretName
bulwark.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
bulwark.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
bulwark.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy and PCF To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.

Common Configuration Service and Database configurations in nrf-client-nfdiscovery

Table 3-73 Common Configuration Service and Database configurations in nrf-client-nfdiscovery

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
nrf-client-nfdiscovery.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfdiscovery.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfdiscovery.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfdiscovery.dbConfig.dbPort Specifies MySQL database port for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfdiscovery.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.dbCredSecretName
nrf-client-nfdiscovery.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfdiscovery.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfdiscovery.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.

Common Configuration Service and Database configurations in nrf-client-nfmanagement

Table 3-74 Common Configuration Service and Database configurations in nrf-client-nfmanagement

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
nrf-client-nfmanagement.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.dbConfig.dbPort Specifies MySQL database port for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-privileged-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.privilegedDbCredSecretName
nrf-client-nfmanagement.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.dbConfig.leaderPodDbName Specifies the database name for LeaderPodDb database. This database is unique per site. Yes (if multipod is supported for NRF client) occnp_leaderPodDb CNC Policy & PCF Added in Release 22.2.0  
nrf-client-nfmanagement.dbConfig.networkDbName Specifies the network database name. Yes (if multipod is supported for NRF client) occnp_release CNC Policy & PCF Added in Release 22.2.0 Same value as global.releaseDbName
nrf-client-nfmanagement.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
nrf-client-nfmanagement.enablePDBSupport To enable the multi-pod support for the nrf-client the enablePDBSupport should be set true No False CNC Policy & PCF Added in Release 22.4.x

The Horizontal Pod Autoscaler (HPA) resource has been added to NfManagement with minReplicas and maxReplicas set as 2 by default.

For this resource there are two scenarios:
  • Flag enablePDBSupport enabled: This is the multi-pod scenario. minReplicas and maxReplicas take the values defined in the values.yaml file. Currently, both properties are set as 2 by default.
  • Flag enablePDBSupport disabled: This is the single-pod scenario. Both minReplicas and maxReplicas are set as 1.

Common Configuration Service and Database configurations in appinfo

Table 3-75 Common Configuration Service and Database configurations in appinfo

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
appinfo.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
appinfo.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
appinfo.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
appinfo.dbConfig.dbPort Specifies MySQL database port for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
appinfo.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.dbCredSecretName
appinfo.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
appinfo.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
appinfo.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.

The non-real-time status API of the monitor service depends on Prometheus. If Prometheus-server and prometheus-kube-state-metrics are not working or not installed properly, then the non-real-time API provides the wrong value.

It is recommended to use real-time DBstatus URIs because these URIs always provide the right values.

For example:

db_status_uri : http://occndbtier-db-monitor-svc:8080/db-tier/status/cluster/local/realtime
realtime_db_status_uri : http://occndbtier-db-monitor-svc:8080/db-tier/status/cluster/local/realtime
replication_status_uri : http://occndbtier-db-monitor-svc:8080/db-tier/status/replication/realtime

Common Configuration Service and Database configurations in perf-info

Table 3-76 Common Configuration Service and Database configurations in perf-info

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
perf-info.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
perf-info.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
perf-info.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
perf-info.dbConfig.dbPort Specifies MySQL database port for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
perf-info.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.dbCredSecretName
perf-info.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
perf-info.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
perf-info.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.

Common Configuration Service and Database configurations in ingress-gateway

Table 3-77 Common Configuration Service and Database configurations in ingress-gateway

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
ingress-gateway.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
ingress-gateway.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
ingress-gateway.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
ingress-gateway.dbConfig.dbPort Specifies MySQL database port for services. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
ingress-gateway.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.dbCredSecretName
ingress-gateway.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
ingress-gateway.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.
ingress-gateway.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in the Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a different values than the default value, remove the comment (#) from the respective parameters and edit the values.

Common Configuration Service and Database configurations in egress-gateway

Table 3-78 Common Configuration Service and Database configurations in egress-gateway

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
egress-gateway.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
egress-gateway.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
egress-gateway.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
egress-gateway.dbConfig.dbPort Specifies the MySQL database port for services. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
egress-gateway.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.dbCredSecretName
egress-gateway.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
egress-gateway.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
egress-gateway.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.

Common Configuration Service and Database configurations in alternate-route

Table 3-79 Common Configuration Service and Database configurations in alternate-route

Parameter Description Mandatory Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
alternate-route.commonCfgClient.enabled Specifies whether to enable or disable common config client for common config service. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
alternate-route.commonCfgServer.port Specifies the common config server port for common config service. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
alternate-route.dbConfig.dbHost Specifies the MySQL database host for services. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
alternate-route.dbConfig.dbPort Specifies the MySQL database port for services. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
alternate-route.dbConfig.secretName Specifies the Kubernetes secret object name from which the MySQL username and password are picked. Yes occnp-db-pass CNC Policy & PCF Added in Release 1.11.0 Same value as global.dbCredSecretName
alternate-route.dbConfig.dbName Specifies common config database name for services to store common configurations. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
alternate-route.dbConfig.dbUNameLiteral Specifies the database literal name for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.
alternate-route.dbConfig.dbPwdLiteral Specifies the database literal password for services to be used as per the <dbConfig.secretName>. Yes Same as the value provided in Table 3-71 CNC Policy & PCF Added in Release 1.11.0 To use a value other than the default, remove the comment (#) from the respective parameters and edit the values.

Note:

You can add additional parameters under the dbConfig for each service by adding key value pair after the <<: *dbCommonConfig text.
The following snippet shows an example:
dbConfig:
 <<: *dbCommonConfig
 <key>: <value>
where, <key> is the parameter to be configured and <value> is the configured value for <key>.

3.27 Configuration for metrics

Global Metrics Configurations

Starting with CNE 1.9.0, if the user wants to enable monitoring via Prometheus, the following parameters must be configured:

Table 3-80 Global Configurations for Metrics

Parameter Description Notes
cncMetricsName This parameter specifies the port, that is, cnc-metrics that Prometheus will scrape on. This parameter is applicable to Converged, PCF, and PCRF deployment modes.
exposeObservabilityAtService This parameter specifies whether to enable or disable Prometheus monitoring of services.

By default, the value is set to false and services are not captured in Prometheus GUI.

This parameter is applicable to Converged, PCF, and PCRF deployment modes.
You can add prefix and suffix to metrics for CNC Policy services by using the following parameters:
  metricPrefix: &metricPrefix 'occnp'
  metricSuffix: &metricSuffix ''

Table 3-81 Prefix and Suffix for Metrics

Parameter Description Notes
metricPrefix This parameter specifies the prefix that you want to add to the metrics for CNC Policy services.

Default value: occnp

This parameter is applicable to Converged, PCF, and PCRF deployment modes.
metricSuffix This parameter specifies the suffix that you want to add to the metrics for CNC Policy services.

Default value: empty string

This parameter is applicable to Converged, PCF, and PCRF deployment modes.
A reference is made to the metricPrefix and metricSuffix parameters, defined in the global section, under nrf-client-nfdiscovery and nrf-client-nfmanagement configurations.

Note:

  • If you choose to customize prefix, then it is required to align the NF delivered Grafana charts and Prometheus alerts with the updated metric names.
  • When you define a suffix for metrics, it may happen that the suffix appears in the middle of the metric name, and not towards the end. This is due to the fact that Micrometer library autogenerates some metrics and adds a suffix after the user-defined suffix.

    Example: If you define suffix as occnp, then the resulting metric name would appear in the system as http_in_conn_response_occnp_total.

3.28 Custom Container Name

This section describes how to customize the name of containers of a pod with a prefix and suffix. To do so, add the prefix and suffix to the k8sResource under global section of occnp_custom_values_23.4.9.yaml file:

global:
  k8sResource:
    container:
      prefix: ABCD
      suffix: XYZ 
Then, after installing CNC policy, you will see the container names as shown below:
Containers:
  abcd-am-service-xyz:

3.29 Overload Manager Configurations

This section describes the customizations that can be done in the occnp_custom_values_23.4.9.yaml file to configure the Overload Manager feature under perf-info.

Table 3-82 Configurable Parameters for overload Manager Configuration in Perf-Info

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release
perf-info.overloadManager.enabled Specifies whether to enable or disable overload reporting. Optional false CNC Policy and PCF Added in 1.12.1
perf-info.envMysqlDatabase Specifies the name of the database used for overload management.

For georedundant setup, the value for this parameter must be unique for each site.

Conditional

Note: This parameter value is required if the overload manager functionality is enabled by setting the value of perf-info.overloadManager.enabled to true.

  CNC Policy and PCF Added in 1.14.0
perf-info.overloadManager.ingressGatewaySvcName Specifies the names of backend services Conditional occnp-ingress-gateway CNC Policy and PCF Added in 1.12.1
perf-info.overloadManager.ingressGatewayPort Specifies the port number of Ingress Gateway Mandatory *svcIngressGatewayHttp CNC Policy and PCF Added in 1.12.1
perf-info.overloadManager.nfType Specifies the NF type that is used to query configuration from common configuration server. Mandatory PCF CNC Policy and PCF Added in 1.12.1
perf-info.overloadManager.diamGatewayPort Specifies the HTTP signaling port of Diameter Gateway, which is used for implementing overload control for Diameter interface. Mandatory *svcDiamGatewayHttp CNC Policy, PCF, and PCRF Added in 22.1.0
Here is a sample overloadManager configuration in perf-info in the occnp_custom_values_23.4.9.yaml file:
perf-info:
  configmapPerformance:
    prometheus: ''
  # envMysqlDatabase is used for overload management.
  # If the customer does not use the overload management feature, this can be ignored.
  envMysqlDatabase: ''
  overloadManager:
    enabled: false
    ingressGatewaySvcName: occnp-ingress-gateway
    ingressGatewayPort: *svcIngressGatewayHttp
    # nfType is used to query configuration from common cfg server
    nfType: PCF
    # diam Gateway overload management feature configurations
    diamGWPort: *svcDiamGatewayHttp

3.30 Detection and Handling Late Arrival Requests Configuration

This section describes the parameters that the user can configure for detection and handling of late arrival requests.

You need to configure the following global and route level Helm parameters at AM and UE services:

Table 3-83 Configurable Parameters for SBI Timer Handling at AM and UE services

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release
SBI_TIMER_ENABLED Specifies whether the AM or UE service can generate the 3gpp-sbi headers related to the timer handling, if they are not received in the request. Optional false CNC Policy & PCF Added in Release 23.1.0

Table 3-84 Configurable Parameters for Late Arrival Handling at Ingress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release
ingress-gateway.isSbiTimerEnabled Specifies whether to enable or disable SBI timer header enhancement.

If the value of this parameter is set to true, SBI headers (3gpp-Sbi-Sender-Timestamp, 3gpp-Sbi-Max-Rsp-Time, and 3gpp-Sbi-Origination-Timestamp) are used along with route level (if configured) and global level request timeout to calculate final request timeout.

After calculating the final request timeout, original values of 3gpp-Sbi-Sender-Timestamp, 3gpp-Sbi-Max-Rsp-Time and 3gpp-Sbi-Origination-Timestamp are published in custom headers Orig-3gpp-Sbi-Sender-Timestamp, Orig-3gpp-Sbi-Max-Rsp-Time and Orig-3gpp-Sbi-Origination-Timestamp respectively.

If the value for this parameter is set to false, SBI headers are not taken into consideration even if they are present and no custom headers are published.

Optional false CNC Policy & PCF Added in Release 1.15.0
ingress-gateway.publishHeaders Specifies if the originating headers shall be populated and sent to the backend. Optional false CNC Policy & PCF Added in Release 1.15.0
ingress-gateway.sbiTimerTimezone Specifies the time zone. It can be either set to GMT or ANY.

If it is set to GMT, then GMT should be specified in the header. If it is not specified, the time zone is assumed to be GMT.

If it is set to ANY, then the required time zone must be specified in the header. The timeout calculation is made as per the time zone specified in the header. If the time zone is not specified, then the request is rejected and a gauge metric is pegged.

Optional GMT CNC Policy, PCF, & PCRF Added in Release 1.15.0
The following is a snippet from the occnp-1.15.0-custom-values.yaml file:
isSbiTimerEnabled: false
publishHeaders: false
sbiTimerTimezone: GMT
routesConfig:
  - id: demo
    uri: https://demoapp.ocegress:8440/
    path: /**
    order: 1
    # Below field is used to provide an option to enable/disable route level xfccHeaderValidation, it will override global configuration for xfccHeaderValidation.enabled
    metadata:
      # requestTimeout is used to set timeout at route level. Value should be in milliseconds.
      requestTimeout: 4000
      # requiredTime is minimum time below which request will be rejected if isSbiTimerEnabled is true. Value should be in milliseconds.
      requiredTime: 3000
      xfccHeaderValidation:
        validationEnabled: false
      oauthValidator:
        enabled: false
      svcName: "demo"

Table 3-85 Configurable Parameters for Late Arrival Handling at Egress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release
egress-gateway.isSbiTimerEnabled Specifies whether to enable or disable SBI timer header enhancement.

If the value of this parameter is set to true, SBI headers (3gpp-Sbi-Sender-Timestamp, 3gpp-Sbi-Max-Rsp-Time, and 3gpp-Sbi-Origination-Timestamp) are used along with route level (if configured) and global level request timeout to calculate final request timeout.

After calculating the final request timeout, original values of 3gpp-Sbi-Sender-Timestamp, 3gpp-Sbi-Max-Rsp-Time and 3gpp-Sbi-Origination-Timestamp are published in custom headers Orig-3gpp-Sbi-Sender-Timestamp, Orig-3gpp-Sbi-Max-Rsp-Time and Orig-3gpp-Sbi-Origination-Timestamp respectively.

If the value for this parameter is set to false, SBI headers are not taken into consideration even if they are present and no custom headers are published.

Optional false CNC Policy & PCF Added in Release 1.15.0
egress-gateway.sbiTimerTimezone Specifies the time zone. It can be either set to GMT or ANY.

If it is set to GMT, then GMT should be specified in the header. If it is not specified, the time zone is assumed to be GMT.

If it is set to ANY, then the required time zone must be specified in the header. The timeout calculation is made as per the time zone specified in the header. If the time zone is not specified, then the request is rejected and a gauge metric is pegged.

Optional GMT CNC Policy & PCF Added in Release 1.15.0
To create Custom-Sbi-Sender-Timestamp it is necessary to add the following configuration to PCF ingress-gateway:
routesConfig:
    - id: sm_create_session_route
      uri: http://{{ .Release.Name }}-occnp-pcf-sm:{{ .Values.global.servicePorts.pcfSmServiceHttp }}
      path: /npcf-smpolicycontrol/*/sm-policies
      order: 1
      method: POST
      readBodyForLog: true
      filters:
        subLog: true,CREATE,SM
        customReqHeaderEntryFilter:
          headers:
            - methods:
              - POST
              headersList:
                - headerName: 3gpp-Sbi-Message-Priority
                  defaultVal: 24
                  source: incomingReq
                  sourceHeader: 3gpp-Sbi-Message-Priority
                  override: false
                - headerName: Custom-Sbi-Sender-Timestamp
                  defaultVal: func:currentTime(EEE, d MMM yyyy HH:mm:ss.SSS z,gmt)
                  source: incomingReq
                  sourceHeader: 3gpp-Sbi-Sender-Timestamp
                  override: false

Egress Gateway can be configured to avoid the headers being propagated to other NFs by using the following Helm configuration:
routesConfig:
  - id: udr_route
    uri: http://{{ .Values.global.udr_url }}:{{ .Values.global.servicePorts.udrServiceHttp }}
    path: /nudr-dr/**
    order: 1
    removeRequestHeader:
      - name: 3gpp-Sbi-Max-Rsp-Time
      - name: 3gpp-Sbi-Origination-Timestamp
      - name: 3gpp-Sbi-Sender-Timestamp


  - id: chf_route
    uri: http://{{ .Values.global.chf_url }}:{{ .Values.global.servicePorts.chfServiceHttp }}
    path: /nchf-spendinglimitcontrol/**
    order: 2
    removeRequestHeader:
      - name: 3gpp-Sbi-Max-Rsp-Time
      - name: 3gpp-Sbi-Origination-Timestamp
      - name: 3gpp-Sbi-Sender-Timestamp

Internal Microservices Timer Configurations

SM Service
- name: USER_SERVICE_CONNECTOR_TIMEOUT
  value: "6000"
- name: POLICY_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: BINDING_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: PA_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: SM_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: BSF_CONNECTOR_TIMEOUT
  value: "3000"
- name: AF_CONNECTOR_TIMEOUT
  value: "3000"
- name: SMF_CONNECTOR_TIMEOUT
  value: "3000"
- name: NWDAF_AGENT_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: JETTY_REQUEST_TIMEOUT
  value: "5000"
AM and UE Service
- name: AMF_CONNECTOR_TIMEOUT
  value: "3000"
- name: POLICY_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: USER_SERVICE_CONNECTOR_TIMEOUT
  value: "6000"
- name: BULWARK_SERVICE_CONNECTOR_TIMEOUT
  value: "3000"
- name: JETTY_REQUEST_TIMEOUT
  value: "5000"

3.31 Server Header at Ingress Gateway

This section describes the parameters that you can configure to enable support for server header at Ingress Gateway.

Table 3-86 Configurable Parameters for Server Header at Ingress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release
ingress-gateway.serverHeaderConfigMode Specifies the mode of operation for configuring server header configuration.

Since CNC Policy supports only REST mode of configuration, the feature flag "serverheaderdetails" must be enabled using REST API only.

For more information, see the section "Server Header Support on Ingress Gateway" in Oracle Communications Cloud Native Core Policy REST Specification Guide.

Optional REST CNC Policy & PCF Added in Release 22.1.0.
The following is a snippet from the occnp-22.1.0-custom-values.yaml file:
  #We support ServerHeader Configuration Mode as REST, the feature flag for "server" header will need to be enabled through Rest configuration.
  serverHeaderConfigMode: REST

3.32 Usage Monitoring Service Configuration

This section describes the configurable parameters that can be customized for Usage Monitoring service.

Table 3-87 Configurable Parameters for Usage Monitoring Service Configuration

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment
usage-mon.resources.limits.ephemeralStorage Specifies the minimum limit of Ephemeral Storage. Optional 2Gi CNC Policy, PCF, and PCRF
usage-mon.resources.limits.cpu Specifies the minimum limit of CPU usage for Usage Monitoring. Optional 4 CNC Policy, PCF, and PCRF
usage-mon.resources.limits.memory Specifies the minimum limit of memory usage for Usage Monitoring. Optional 2Gi CNC Policy, PCF, and PCRF
usage-mon.resources.requests.cpu Specifies the required limit of CPU usage for Usage Monitoring. Optional 1 CNC Policy, PCF, and PCRF
usage-mon.resources.requests.memory Specifies the required limit of memory usage for Usage Monitoring. Optional 1Gi CNC Policy, PCF, and PCRF
usage-mon.minReplicas Specifies the minimum replicas for Usage Monitoring service. Optional 1 CNC Policy, PCF, and PCRF
usage-mon.maxReplicas Specifies the maximum replicas for Usage Monitoring service. Optional 1 CNC Policy, PCF, and PCRF
usage-mon.livenessProbe.timeoutSeconds Specifies the timeout (in seconds) for Liveness Probe. Optional 3 CNC Policy, PCF, and PCRF
usage-mon.livenessProbe.failureThreshold Specifies the wait time before performing first liveness probe by Kubelet. Optional 3 CNC Policy, PCF, and PCRF
usage-mon.readinessProbe.failureThreshold When a pod starts and the probe fails, Kubernetes waits for the threshold time before giving up. Optional 3 CNC Policy, PCF, and PCRF
usage-mon.readinessProbe.timeoutSeconds Specifies the timeout (in seconds) for Readiness Probe. Optional 3 CNC Policy, PCF, and PCRF
Here is a sample configuration in occnp_custom_values_23.4.9.yaml file:
usage-mon:
  envMysqlDatabase: occnp_usagemon
  resources:
    limits:
      ephemeralStorage: 2Gi
      cpu: 4
      memory: 2Gi
    requests:
      cpu: 1
      memory: 1Gi
  minReplicas: 2
  maxReplicas: 4
  livenessProbe:
    timeoutSeconds: 3
    failureThreshold: 3
  readinessProbe:
    failureThreshold: 3
    timeoutSeconds: 3

3.33 Ingress Gateway Readiness Probe Configuration

This section describes the readiness probe configurations in the Ingress Gateway.

Ingress Gateway uses the readiness logic provided by Kubernetes to determine if a pod can accept or reject the incoming requests.

This feature enhances the readiness logic to determine the status of the pod. You can configure the feature in CNC Policy only through Helm. Based on the configurations, further checks are performed to determine the health of the pod.

An in-memory cache is maintained to store the updated configuration. The cache is updated if a profile is modified, added, or deleted. Ingress gateway periodically makes a GET request to the URLs that are configured using a scheduler that runs in the background. If the GET request is successful, then other checks can take place. Otherwise, the pod is marked as unhealthy.

Note:

If there are any pending requests waiting for the response and readiness state of pod changes from READY to NOT_READY, then these requests are not considered.
The following table describes the parameters for configuring Readiness Probe in Ingress Gateway:

Table 3-88 Configurable Parameters for Readiness Probe Configuration

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Notes
readinessConfigMode Specifies the mode to configure Readiness Probe in Ingress Gateway. Mandatory HELM CNC Policy & PCF  
readinessCheckEnabled Specifies whether to enable or disable Readiness Probe in Ingress Gateway. Mandatory false CNC Policy & PCF  
readinessIndicatorPollingInterval Specifies the time (in milliseconds) at which the Readiness Cache updates the readiness status of Ingress Gateway performing the probe or setting the readiness state value to onExceptionUsePreviousState. Mandatory 3000 CNC Policy & PCF  
readinessConfig.serviceProfiles.id Specifies the ID of the profile. Mandatory Readiness-profile-DBStatus CNC Policy & PCF  
readinessConfig.serviceProfiles.url Specifies the URL to which the Readiness Probe is sent out to retrieve a response, on the basis of which the state of the Ingress Gateway pod will be decided. Mandatory http://{{ template "service-name-app-info" . }}:{{ .Values.global.containerPorts.appInfoHttp }}/status/category/realtimedatabase CNC Policy & PCF In addition to the default value, you can use the following values:
  1. FQDN/IP Address.
  2. Any microservice to define dependency upon: http://<Helm Release Name>-<CNPCF Service Name>:9000/actuator/health/readiness
readinessConfig.serviceProfiles.responseCode Specifies the response code expected from the service. If the actual response code matches with the configured one then pod will be marked as healthy. Mandatory 200 CNC Policy & PCF  
readinessConfig.serviceProfiles.responseBody Specifies the response expected from the service. If the actual response matches with the configured one then pod will be marked as healthy. Mandatory Running CNC Policy & PCF  
readinessConfig.serviceProfiles.onExceptionUsePreviousState Specifies whether to use the previous state of Ingress Gateway. When this flag is set to true, response and responseCode checks are not made irrespective of the previous state of service on Ingress Gateway. Mandatory true CNC Policy & PCF  
readinessConfig.serviceProfiles.initialState Specifies the initial state to be specified. It can be either ACCEPTING_TRAFFIC (to accept all incoming requests) or REFUSING_TRAFFIC (to reject all incoming requests). Mandatory ACCEPTING_TRAFFIC CNC Policy & PCF  
readinessConfig.serviceProfiles.requestTimeout Specifies the timeout value of the probe in milliseconds. Optional 2000 CNC Policy & PCF  
Check the following when the Ingress Gateway pod comes up:
  1. If the service profiles are not configured, then the readiness probe of Ingress Gateway fails and the pod is marked as unhealthy.
  2. If the service profiles are configured, check the mandatory parameters: id, url, onExceptionUsePreviousState, and initialState for their validity. If they are invalid, then the pod is marked as unhealthy.

    Note:

    You must configure one of these parameters: responseBody or responseCode in the service profile. If any of these checks fail, then the pod does not come up in the case of Helm based configuration.

  3. If there is any error like connection failure or connection timeout during making a request to backend service, then onExceptionUsePreviousState attribute is checked. If it is set to true, then previous state is used for that URL. If previous state is unavailable, then initial state is used. If onExceptionUsePreviousState is false, then the pod is marked as unhealthy.
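
The decision steps above can be traced with a small model. This is an added example, not Oracle code: the URL is a constructed placeholder, `probe` stands in for the periodic GET, and treating the pod as healthy only when every profile is healthy is an assumption. It shows that the default combination (onExceptionUsePreviousState true, initialState ACCEPTING_TRAFFIC) keeps the gateway accepting traffic when the very first probe cannot reach the backend.

```python
# Added illustration of the readiness decision rules in this section.
ACCEPTING, REFUSING = "ACCEPTING_TRAFFIC", "REFUSING_TRAFFIC"
MANDATORY = ("id", "url", "onExceptionUsePreviousState", "initialState")

# Default values from Table 3-88; the URL host is a constructed placeholder.
DEFAULT_PROFILE = {
    "id": "Readiness-profile-DBStatus",
    "url": "http://app-info.example/status/category/realtimedatabase",
    "responseCode": 200,
    "responseBody": "Running",
    "onExceptionUsePreviousState": True,
    "initialState": ACCEPTING,
}


class ProbeError(Exception):
    """Connection failure or timeout while calling the profile URL."""


def profile_errors(profile):
    """Startup validation: mandatory fields plus responseCode or responseBody."""
    errs = [f"missing {k}" for k in MANDATORY if profile.get(k) in (None, "")]
    state = profile.get("initialState")
    if state is not None and state not in (ACCEPTING, REFUSING):
        errs.append("initialState must be ACCEPTING_TRAFFIC or REFUSING_TRAFFIC")
    if "responseCode" not in profile and "responseBody" not in profile:
        errs.append("configure responseCode or responseBody")
    return errs


def evaluate(profile, probe, previous=None):
    """State for one profile after one poll.

    probe(url) returns (status_code, body) or raises ProbeError.
    """
    try:
        code, body = probe(profile["url"])
    except ProbeError:
        if profile["onExceptionUsePreviousState"]:
            # Reuse the last known state; fall back to initialState if none.
            return previous or profile["initialState"]
        return REFUSING
    if "responseCode" in profile and code != profile["responseCode"]:
        return REFUSING
    if "responseBody" in profile and body != profile["responseBody"]:
        return REFUSING
    return ACCEPTING


def pod_state(profiles, probe, previous_states):
    """Pod readiness after one polling cycle; previous_states is updated in place."""
    if not profiles or any(profile_errors(p) for p in profiles):
        return REFUSING  # no profiles or invalid profiles: pod is unhealthy
    healthy = True
    for p in profiles:
        state = evaluate(p, probe, previous_states.get(p["id"]))
        previous_states[p["id"]] = state
        healthy = healthy and state == ACCEPTING
    return ACCEPTING if healthy else REFUSING


if __name__ == "__main__":
    def backend_down(url):
        raise ProbeError("connection refused")

    strict = dict(DEFAULT_PROFILE, onExceptionUsePreviousState=False)
    print("defaults, backend down on first poll:",
          pod_state([DEFAULT_PROFILE], backend_down, {}))
    print("onExceptionUsePreviousState=false:",
          pod_state([strict], backend_down, {}))
```

If the dependency being probed is one the gateway must not run without, setting initialState to REFUSING_TRAFFIC or onExceptionUsePreviousState to false makes the first failed probe fail closed.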

3.34 Creating Custom Headers

This section provides information on how to create custom headers for routes in CNC Policy.

You can customize the headers present in the requests and responses based on the type of HTTP methods. This framework modifies the outgoing request or response by adding a new header either with a static value or with a value based on incoming request or response headers at entry or exit points.

By setting the override attribute value as true, you can override the existing headers. It is an optional attribute. It adds a new header or replaces the value of an existing header if one of the values is mapped to the source header. The value of this attribute is false by default.

The following is a sample configuration for custom header in sm_delete_session_route:
    - id: sm_delete_session_route
      uri: http://{{ .Release.Name }}-occnp-pcf-sm:{{ .Values.global.servicePorts.pcfSmServiceHttp }}
      path: /npcf-smpolicycontrol/*/sm-policies/{policy-id}/delete
      order: 2
      method: POST
      filters:
        subLog: true,DELETE,SM
        customReqHeaderEntryFilter:
          headers:
            - methods:
              - POST
              headersList:
                - headerName: 3gpp-Sbi-Message-Priority
                  defaultVal: 16
                  source: incomingReq
                  sourceHeader: 3gpp-Sbi-Message-Priority
                  override: false

Note:

The attributes headerName and sourceHeader are case sensitive. Ensure that the value is the same as in the incoming request or response in order to extract values from or override the value of any particular header.

3.34.1 Custom Header Name for UDR Group Id

The following table lists the parameters to define a customized header name in the incoming requests for AM/UE/SM services create session routes.

Table 3-89 Routes Configurations

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment
routesConfig.id Routes Configurations for Policy services. M

SM service: sm_create_session_route

AM service: am_create_session_route

UE service: ue_create_session_route

CNC Policy & PCF
routesConfig.id.filters.customReqHeaderEntryFilter.headers.methods.headerList.headerName Header name in the incoming requests. M oc-policy-udr-group-id-list CNC Policy & PCF
routesConfig.id.filters.customReqHeaderEntryFilter.headers.methods.headerList.sourceHeader Source header name in the incoming request. M oc-policy-udr-group-id-list CNC Policy & PCF
An example of default header structure in the occnp_custom_values_23.4.9.yaml file:
routesConfig:
    - id: sm_create_session_route
      uri: http://{{ .Release.Name }}-occnp-pcf-sm:{{ .Values.global.servicePorts.pcfSmServiceHttp }}
      path: /npcf-smpolicycontrol/*/sm-policies
      order: 1
      method: POST
      readBodyForLog: true
      filters:
        subLog: true,CREATE,SM
        customReqHeaderEntryFilter:
          headers:
            - methods:
              - POST
              headersList:
                - headerName: 3gpp-Sbi-Message-Priority
                  defaultVal: 24
                  source: incomingReq
                  sourceHeader: 3gpp-Sbi-Message-Priority
                  override: false
                - headerName: oc-policy-udr-group-id-list
                  source: incomingReq
                  sourceHeader: oc-policy-udr-group-id-list
                  override: false

3.35 Configurable Error Codes

This section describes the parameters that you can customize for configurable error codes.

Table 3-90 Configurable Parameters for Error Codes - Global

Parameter Description Mandatory/Optional Parameter Default Value
configurableErrorCodes.enabled Specifies whether to enable or disable configurable error codes that can be used for messages over Ingress Gateway and Egress Gateway. Optional false

For a given error scenario, you can define exceptionType, errorCode, errorDescription, errorCause, and errorTitle as shown in the following snippet from the occnp_custom_values_23.4.9.yaml file.

Following is the configuration for error codes at global level:
ingress-gateway:
 
  configurableErrorCodes:
    enabled: true
    errorScenarios:
      - exceptionType: "XFCC_HEADER_INVALID"
        errorProfileName: "ERR_1300"
      - exceptionType: "XFCC_HEADER_VALIDATION_FAILURE"
        errorProfileName: "ERR_1300"
 
  errorCodeProfiles:
    - name: ERR_1300
      errorCode: 401
      errorCause: "xfcc header is invalid"
      errorTitle: "Invalid XFCC Header"
      errorDescription: "Invalid XFCC Header"
Following points must be noted for the global level configuration:
  • To enable configurable error codes, the global configurableErrorCodes flag must be set to true. If this flag is false, then the hardcoded error codes are returned when an exception is encountered at Ingress and Egress Gateways.
  • If the global configurableErrorCodes flag is set to true, then at least one entry must be configured in the errorScenarios section.
  • For every exception in errorScenarios there must be an error profile with that exceptionType. Moreover, a profile with that name must be configured in the errorCodeProfiles section. For example, if errorProfileName: "ERR_1300" has been configured, then a profile with the name ERR_1300 must be present in the errorCodeProfiles section.
  • The exceptionType field in the global and routes sections is not configurable. These are hardcoded values and can be taken from the custom.yaml file.
Following is the configuration for error codes at route level:
 routesConfig:
    - id: route1
      uri:
      path: /dummy/*/dummies
      order: 1
      method: POST
      metadata:
        configurableErrorCodes:
          enabled: true
          errorScenarios:
            - exceptionType: "XFCC_HEADER_INVALID"
              errorProfileName: "ERR_1300"
            - exceptionType: "XFCC_HEADER_VALIDATION_FAILURE"
              errorProfileName: "ERR_1300"
Following points must be noted for the route level configuration:
  • If Route level is enabled, it has higher precedence over global level.
  • For Route level configurable error codes to work, configurableErrorCodes flag must be set to true both at route level as well as global level.
  • For a given exception at gateway, if there is no match at route level then global level is matched. If there is no match at global level, then hardcoded error values are returned.
  • If configurableErrorCodes flag is disabled for a specific route and if an exception occurs at that route then hardcoded error responses will be returned irrespective of what is defined at global level.

Note:

For every errorScenario, exceptionType and errorCode are mandatory parameter configurations.
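The route-level and global precedence rules above, worked through as an added example (not Oracle's code and not part of the product): a resolver that returns the error profile applied for a given route and exception type. The ERR_1301 profile, route2, route3, and the UNLISTED_EXCEPTION type are constructed, and two behaviours are assumptions: a route with no configurableErrorCodes block falls through to the global level, and a scenario naming a missing profile falls back to the hardcoded response.

```python
# Added example: which error profile applies for (route, exceptionType).
# Sample data is constructed from the page's YAML and held as dicts so that
# no YAML parser is required.

HARDCODED = None  # stands for "the gateway returns its built-in error response"

GATEWAY = {
    "configurableErrorCodes": {
        "enabled": True,
        "errorScenarios": [
            {"exceptionType": "XFCC_HEADER_INVALID", "errorProfileName": "ERR_1300"},
            {"exceptionType": "XFCC_HEADER_VALIDATION_FAILURE",
             "errorProfileName": "ERR_1300"},
        ],
    },
    "errorCodeProfiles": [
        {"name": "ERR_1300", "errorCode": 401, "errorCause": "xfcc header is invalid",
         "errorTitle": "Invalid XFCC Header", "errorDescription": "Invalid XFCC Header"},
        # Hypothetical second profile, used to make route-level precedence visible.
        {"name": "ERR_1301", "errorCode": 403, "errorCause": "constructed",
         "errorTitle": "constructed", "errorDescription": "constructed"},
    ],
    "routesConfig": [
        {"id": "route1", "metadata": {"configurableErrorCodes": {
            "enabled": True,
            "errorScenarios": [{"exceptionType": "XFCC_HEADER_INVALID",
                                "errorProfileName": "ERR_1301"}]}}},
        # Hypothetical routes: one explicitly disabled, one without the block.
        {"id": "route2", "metadata": {"configurableErrorCodes": {"enabled": False}}},
        {"id": "route3", "metadata": {}},
    ],
}


def match_scenario(block, exception_type):
    """Return the errorProfileName configured for exception_type, or None."""
    for scenario in block.get("errorScenarios") or []:
        if scenario.get("exceptionType") == exception_type:
            return scenario.get("errorProfileName")
    return None


def resolve_error_profile(gateway, route_id, exception_type):
    """Apply the documented order: route level, then global, then hardcoded."""
    global_block = gateway.get("configurableErrorCodes") or {}
    # The global flag gates everything, including route-level settings.
    if not global_block.get("enabled", False):
        return HARDCODED

    route = next((r for r in gateway.get("routesConfig") or []
                  if r.get("id") == route_id), None)
    route_block = ((route or {}).get("metadata") or {}).get("configurableErrorCodes")

    name = None
    if route_block is not None:
        # A route that disables the flag gets hardcoded responses, whatever
        # the global level defines.
        if not route_block.get("enabled", False):
            return HARDCODED
        name = match_scenario(route_block, exception_type)
    # Assumption: a route without the block behaves like "no match at route level".
    if name is None:
        name = match_scenario(global_block, exception_type)
    if name is None:
        return HARDCODED

    profiles = {p.get("name"): p for p in gateway.get("errorCodeProfiles") or []}
    # Assumption: a scenario that names an undefined profile yields the fallback.
    return profiles.get(name, HARDCODED)


if __name__ == "__main__":
    for route_id in ("route1", "route2", "route3"):
        for exc in ("XFCC_HEADER_INVALID", "XFCC_HEADER_VALIDATION_FAILURE",
                    "UNLISTED_EXCEPTION"):
            profile = resolve_error_profile(GATEWAY, route_id, exc)
            shown = "hardcoded" if profile is HARDCODED else (
                f"{profile['name']} ({profile['errorCode']})")
            print(f"{route_id:7} {exc:32} -> {shown}")
```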

Configurable Error Codes - SCP Integration

The following parameters are added under Egress Gateway for SCP related configurations. These error code configurations are included in error response from Egress Gateway when it is unable to resolve DNS successfully:
dnsSrv:
    port: *svcAlternateRouteServiceHttp

For more information about the error codes, see Configurable Error Codes.

3.36 Controlled Shutdown Configurations

This section describes the customizations that can be done in the occnp_custom_values_23.4.9.yaml file to configure the Controlled Shutdown feature.

Table 3-91 Global Parameter for Controlled Shutdown

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment
global.enableControlledShutdown Specifies whether to enable or disable the Controlled Shutdown feature. Mandatory False CNC Policy & PCF

Table 3-92 Configurable Parameters for Controlled Shutdown in Egress Gateway

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment
egress-gateway.errorcodeprofiles Error defined by the user Optional NA CNC Policy & PCF
egress-gateway.errorcodeprofiles.name Name of the error profile Optional NA CNC Policy & PCF
egress-gateway.errorcodeprofiles.errorCode Error code of the error profile Optional NA CNC Policy & PCF
egress-gateway.errorcodeprofiles.errorCause Cause of the error profile Optional NA CNC Policy & PCF
egress-gateway.errorcodeprofiles.errorTitle Title of the error profile Optional NA CNC Policy & PCF
egress-gateway.errorcodeprofiles.retry-after Retry-after value of the error profile Optional NA CNC Policy & PCF
egress-gateway.errorcodeprofiles.errorDescription Description of the error profile Optional NA CNC Policy & PCF
egress-gateway.routesConfig Routes configuration processed by the Egress Gateway Optional NA CNC Policy & PCF
egress-gateway.routesConfig.id ID of the route Optional NA CNC Policy & PCF
egress-gateway.routesConfig.uri URI of the route Optional NA CNC Policy & PCF
egress-gateway.routesConfig.path Path of the route Optional NA CNC Policy & PCF
egress-gateway.routesConfig.order Order in which the routes will be processed Optional NA CNC Policy & PCF
egress-gateway.routesConfig.filters Conditions on the routes Optional NA CNC Policy & PCF
egress-gateway.routesConfig.filters.controlledShutdownFilter Filter specified for Controlled Shutdown feature Optional NA CNC Policy & PCF
egress-gateway.routesConfig.filters.controlledShutdownFilter.applicableShutdownStates States of Controlled shutdown feature, that is COMPLETE_SHUTDOWN Optional NA CNC Policy & PCF
egress-gateway.routesConfig.filters.controlledShutdownFilter.unsupportedOperations Operations that need not be supported for the Controlled Shutdown feature Optional NA CNC Policy & PCF
egress-gateway.controlledShutdownErrorMapping Array containing route ID and error profile name Optional NA CNC Policy & PCF
egress-gateway.controlledShutdownErrorMapping.routeErrorProfileList List of route ID and their corresponding error profile names Optional NA CNC Policy & PCF
egress-gateway.controlledShutdownErrorMapping.routeErrorProfileList.routeId Route ID on which the error profile name needs to be mapped Optional NA CNC Policy & PCF
egress-gateway.controlledShutdownErrorMapping.routeErrorProfileList.errorProfileName Error name from the error code profiles to be mapped in route ID Optional NA CNC Policy & PCF
Here is a sample Error Codes configuration in Egress Gateway in the occnp_custom_values_23.4.9.yaml file:
errorcodeprofiles:
  - name: error300
    errorCode: 300
    errorCause: ""
    errorTitle: ""
    retry-after: ""
    errorDescription: ""
  - name: error500
    errorCode: 500
    errorCause: ""
    errorTitle: ""
    retryAfter: ""
    errorDescription: ""
Here is a sample routes configuration for Controlled Shutdown in Egress Gateway in the occnp_custom_values_23.4.9.yaml file:
routesConfig:
  - id: nrf_state
    uri: https://dummy.dontchange_1
    path: /nnrf-nfm/*
    order: 1
  - id: sampleRoute
    uri: https://dummy.dontchange_2
    path: /**
    order: 2
    metadata:
      httpsTargetOnly: false
      httpRuriOnly: false
      sbiRoutingEnabled: true
      oauthEnabled: false
    filterNameControlShutdown:
      name: ControlledShutdownFilter
      args:
        applicableShutdownStates:
          - COMPLETE_SHUTDOWN
        unsupportedOperations:
          - GET
          - PUT
          - PATCH
          - POST
          - DELETE
Here is a sample Error Codes Mapping configuration in Egress Gateway in the occnp_custom_values_23.4.9.yaml file:
controlledShutdownErrorMapping:
  routeErrorProfileList:
    - routeId: sampleRoute
      errorProfileName: "error503"
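A pre-deployment consistency check for both the configurable error code rules and the controlled shutdown mapping, as an added example (not Oracle's code): it reports scenarios or mappings that name an error profile or route ID that is not defined. The samples are constructed from this page's snippets and held as Python dicts; run against the egress samples above taken together, the check reports that sampleRoute maps to error503 while only error300 and error500 are defined.

```python
# Added example: cross-reference lint for gateway error-code configuration.
# Inputs are plain dicts (constructed from the page's YAML samples).

INGRESS_SAMPLE = {
    "configurableErrorCodes": {"enabled": True, "errorScenarios": [
        {"exceptionType": "XFCC_HEADER_INVALID", "errorProfileName": "ERR_1300"},
        {"exceptionType": "XFCC_HEADER_VALIDATION_FAILURE",
         "errorProfileName": "ERR_1300"}]},
    "errorCodeProfiles": [{"name": "ERR_1300", "errorCode": 401}],
}

EGRESS_SAMPLE = {
    "errorcodeprofiles": [{"name": "error300", "errorCode": 300},
                          {"name": "error500", "errorCode": 500}],
    "routesConfig": [{"id": "nrf_state"}, {"id": "sampleRoute"}],
    "controlledShutdownErrorMapping": {"routeErrorProfileList": [
        {"routeId": "sampleRoute", "errorProfileName": "error503"}]},
}


def lint_error_references(gateway):
    """Return a list of findings; an empty list means the references resolve."""
    findings = []
    # The page spells this key both errorCodeProfiles and errorcodeprofiles.
    profiles = gateway.get("errorCodeProfiles") or gateway.get("errorcodeprofiles") or []
    names = set()
    for profile in profiles:
        if not profile.get("name") or profile.get("errorCode") is None:
            findings.append(f"error profile {profile!r}: name and errorCode are required")
        names.add(profile.get("name"))
    routes = gateway.get("routesConfig") or []
    route_ids = {r.get("id") for r in routes}

    def check_block(where, block, require_entry):
        if not block or not block.get("enabled"):
            return
        scenarios = block.get("errorScenarios") or []
        if require_entry and not scenarios:
            findings.append(f"{where}: enabled but errorScenarios has no entry")
        for scenario in scenarios:
            if not scenario.get("exceptionType"):
                findings.append(f"{where}: scenario without exceptionType")
            name = scenario.get("errorProfileName")
            if name not in names:
                findings.append(f"{where}: errorProfileName {name!r} is not defined")

    # Global level: at least one scenario is required once the flag is true.
    check_block("global", gateway.get("configurableErrorCodes"), True)
    for route in routes:
        block = (route.get("metadata") or {}).get("configurableErrorCodes")
        check_block(f"route {route.get('id')}", block, False)

    mapping = gateway.get("controlledShutdownErrorMapping") or {}
    for entry in mapping.get("routeErrorProfileList") or []:
        route_id, name = entry.get("routeId"), entry.get("errorProfileName")
        if route_id not in route_ids:
            findings.append(f"controlledShutdownErrorMapping: routeId {route_id!r} "
                            "is not in routesConfig")
        if name not in names:
            findings.append(f"controlledShutdownErrorMapping[{route_id}]: "
                            f"errorProfileName {name!r} is not defined")
    return findings


if __name__ == "__main__":
    for label, sample in (("ingress", INGRESS_SAMPLE), ("egress", EGRESS_SAMPLE)):
        for finding in lint_error_references(sample) or ["ok"]:
            print(f"{label}: {finding}")
```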

3.37 Perf-Info Configuration

Configurations for Perf-Info Capacity

This section provides information on how to configure the overall capacity and the capacity for individual services of perf-info in CNC Policy.

You can configure the perf-info capacity using the following parameters under the perf-info section of the occnp_custom_values_23.4.9.yaml file:

Table 3-93 Configurations for Perf-Info Capacity

Parameter Description Notes
perf-info.global.capacityConfig.overall The overall capacity for the perf-info service. If this value is not configured, then the default capacity value is considered.
perf-info.global.capacityConfig.serviceLevel The service specific capacity for individual CNC Policy services. If this value is not configured, then the default capacity value is considered.
perf-info.global.capacityConfig.default The default capacity. The default capacity value that is used when the overall and serviceLevel values are not configured.

Default value: 100

Note: If no value is set for the parameter, then the default value is used.

The following is a sample configuration for perf-info capacity configuration in perf-info:
capacityConfig:
  overall: 100
  serviceLevel: '{"occnp_pcf_am":100,"occnp_pcf_sm":100,"pcf_ueservice":100}'
  default: 100

CNE Configurations for Perf-Info

To configure label names, you should configure the following configurable parameters in occnp_custom_values_23.4.9.yaml file:

Table 3-94 Configurable Parameters for Logging Configuration in Prometheus

Parameter Description Mandatory/Optional Parameter Default Value Applicable to Deployment Added/Deprecated/Updated in Release
perf-info.tagNamespace Specifies the Kubernetes namespace. Mandatory kubernetes_namespace (for CNE 1.8.0); namespace (for CNE 1.9) CNC Policy, PCF Added in 1.15.0
perf-info.tagContainerName Specifies the tag used for specifying name of the container. Mandatory container_name (for CNE 1.8.0); container (for CNE 1.9) CNC Policy, PCF Added in 1.15.0
perf-info.tagServiceName Specifies the tag used for specifying name of the service. Mandatory kubernetes_name (for CNE 1.8.0); service (for CNE 1.9) CNC Policy, PCF Added in 1.15.0
The following is a snippet from the occnp_custom_values_23.4.9.yaml file:
#Values for CNE 1.8 {tagNamespace: kubernetes_namespace, tagContainerName: container_name, tagServiceName: kubernetes_name}
#Values for CNE 1.9 {tagNamespace: namespace, tagContainerName: container, tagServiceName: service}
tagNamespace: kubernetes_namespace
tagContainerName: container_name
tagServiceName: kubernetes_name

3.38 Configurations for NodeSelector

Kubernetes nodeSelector feature is used for manual pod scheduling. A Policy pod is assigned to only those nodes that have label(s) identical to label(s) defined in the nodeSelector.

To list all the labels attached to a node you can run:

kubectl describe node pollux-k8s-node-1
Name:               pollux-k8s-node-1
Roles:              <none>
Labels:             beta.kubernetes.io/arch=amd64
                    kubernetes.io/hostname=pollux-k8s-node-1
                    kubernetes.io/os=linux
                    topology.kubernetes.io/region=RegionOne
                    topology.kubernetes.io/zone=nova
The default labels attached to Kubernetes nodes are displayed. To assign a pod to a node in Policy, you need to set custom configurations in the occnp_custom_values_23.4.9.yaml file.

You can configure the nodeSelection field under the global or local services sections of the custom-values.yaml file. For the Ingress Gateway, Egress Gateway, and Alternate Route services, nodeSelector is configured in the global section.

Table 3-95 Configurations for NodeSelector

Parameter Description Values Notes
global.nodeSelection Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • ENABLED
  • DISABLED

Default Value: DISABLED


global:
  nodeSelection: ENABLED
  nodeSelector:
    nodeKey: key
    nodeValue: value
For example:

global:
  nodeSelection: ENABLED
  nodeSelector:
    nodeKey: 'kubernetes.io/os'
    nodeValue: 'linux'
global.nodeSelector.nodeKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
global.nodeSelector.nodeValue Specifies valid value pair for the above key for a label for a particular node. Not Applicable

Table 3-96 Configurations for NodeSelector

Parameter Description Values Notes
am-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • ENABLED
  • DISABLED

Default Value: DISABLED


am-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

am-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
am-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
am-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
bulwark.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


bulwark:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
  nodeSelection: ENABLED
  nodeSelector:
    key: value
For example:

bulwark:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
  nodeSelection: ENABLED
  nodeSelector:
    'kubernetes.io/os': 'linux'
bulwark.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
bulwark.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
bulwark.nodeSelection Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • ENABLED
  • DISABLED

Default Value: DISABLED

bulwark.nodeSelector Specifies the key value pair for a label of a particular node. Not Applicable
sm-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


sm-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

sm-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
sm-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
sm-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
ue-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


ue-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
Sample Configuration:

ue-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
ue-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
ue-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
user-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


user-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

user-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
user-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
user-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
config-server.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


config-server:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

config-server:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
config-server.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
config-server.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
queryservice.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


queryservice:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

queryservice:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
queryservice.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
queryservice.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
cm-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


cm-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

cm-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
cm-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
cm-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
audit-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


audit-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

audit-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
audit-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
audit-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
nrf-client.nrf-client-nfdiscovery.global.deploymentNrfClientService.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


nrf-client:
  nrf-client-nfdiscovery:
    global:
      ephemeralStorageLimit: 1024
      deploymentNrfClientService:
        nodeSelectorEnabled: true
        nodeSelectorKey: key
        nodeSelectorValue: value
For example:

nrf-client:
  nrf-client-nfdiscovery:
    global:
      ephemeralStorageLimit: 1024
      deploymentNrfClientService:
        nodeSelectorEnabled: true
        nodeSelectorKey: kubernetes.io/os
        nodeSelectorValue: linux
nrf-client.nrf-client-nfdiscovery.global.deploymentNrfClientService.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
nrf-client.nrf-client-nfdiscovery.global.deploymentNrfClientService.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
nrf-client.nrf-client-nfmanagement.global.deploymentNrfClientService.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


nrf-client:
  nrf-client-nfmanagement:
    global:
      deploymentNrfClientService:
        nodeSelectorEnabled: true
        nodeSelectorKey: key
        nodeSelectorValue: value
For example:

nrf-client:
  nrf-client-nfmanagement:
    global:
      deploymentNrfClientService:
        nodeSelectorEnabled: true
        nodeSelectorKey: kubernetes.io/os
        nodeSelectorValue: linux
nrf-client.nrf-client-nfmanagement.global.deploymentNrfClientService.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
nrf-client.nrf-client-nfmanagement.global.deploymentNrfClientService.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
appinfo.nodeSelection Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • ENABLED
  • DISABLED

Default Value: DISABLED


appinfo:
  nodeSelection: ENABLED
  nodeSelector:
    key: value
For example:

appinfo:
  nodeSelection: ENABLED
  nodeSelector:
    'kubernetes.io/os': 'linux'
appinfo.nodeSelector Specifies the key value pair for a label of a particular node. Not Applicable
perf-info.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


perf-info:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

perf-info:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
perf-info.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
perf-info.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
diam-connector.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


diam-connector:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

diam-connector:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
diam-connector.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
diam-connector.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
diam-gateway.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


diam-gateway:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

diam-gateway:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
diam-gateway.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
diam-gateway.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
policyds.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


policyds:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

policyds:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
policyds.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
policyds.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
policyds.ldap-gateway.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


ldap-gateway:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

ldap-gateway:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
policyds.ldap-gateway.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
policyds.ldap-gateway.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
pre-service.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


pre-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

pre-service:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
pre-service.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
pre-service.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
pcrf-core.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


pcrf-core:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

pcrf-core:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
pcrf-core.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
pcrf-core.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
soap-connector.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


soap-connector:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

soap-connector:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
soap-connector.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
soap-connector.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
binding.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


binding:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

binding:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
binding.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
binding.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
notifier.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


notifier:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

notifier:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
notifier.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
notifier.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable
usage-mon.nodeSelectorEnabled Specifies whether pods need to be assigned to a specific node manually. Allowed Values:
  • true
  • false

Default Value: false


usage-mon:
  nodeSelectorEnabled: true
  nodeSelectorKey: key
  nodeSelectorValue: value
For example:

usage-mon:
  nodeSelectorEnabled: true
  nodeSelectorKey: kubernetes.io/os
  nodeSelectorValue: linux
usage-mon.nodeSelectorKey Specifies a valid key that is a node label of a particular node in the cluster. Not Applicable
usage-mon.nodeSelectorValue Specifies valid value pair for the above key for a label of a particular node. Not Applicable

3.39 Configurations for Anti-Affinity Rule

This section describes the configuration parameters required for pod anti-affinity scheduling. These are configurable parameters in the custom-values.yaml file.

Table 3-97 Configurable Parameters for Pods Anti-Affinity

Parameter Description Mandatory Parameter(Y/N) Default Value Applicable to Deployment Added/Deprecated/Updated in Release Notes
preferredDuringSchedulingIgnoredDuringExecution Specifies that the scheduler tries to find a node that meets the anti-affinity rule N   CNC Policy Added in Release 22.3.0 If a matching node is not available, the scheduler still schedules the Pod.
weight For each instance of the preferredDuringSchedulingIgnoredDuringExecution affinity type, you can specify a weight between 1 and 100 N 100 CNC Policy Added in Release 22.3.0
matchExpressions.key Defines the rules for constraining a Pod. The scheduler avoids scheduling Pods having the configured key. N NA CNC Policy Added in Release 22.3.0
matchExpressions.values The scheduler avoids scheduling Pods having the configured value. N NA CNC Policy Added in Release 22.3.0
topologyKey The key for the node label used to specify the domain N NA CNC Policy Added in Release 22.3.0  
Sample Affinity Rule:

affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: "app.kubernetes.io/name"
              operator: In
              values:
                - {{ template "chart.fullname" .}}
          topologyKey: "kubernetes.io/hostname"

3.40 Configuration Parameters for IPv6

Table 3-98 Configurable Parameters for IPv6

Parameter Description Mandatory Parameter Default Value Value to Enable IPv6 Applicable to Deployment Added/Deprecated/Updated in Release Notes
global.isIpvSixSetup Enable HTTP communication in IPv6 No false True CNC Policy, PCF, & PCRF Added in Release 23.2.x This value must be set to "true" if you are going to require HTTP communication over IPv6.
diam-gateway.envSupportedIpAddressType Distinguish between the IP address types for which diam-gw would enable connectivity and not depend on the IP address type of the infrastructure. No IPv4 IPv6 CNC Policy, PCF, & PCRF Added in Release 22.1.0 This parameter must be set to IPv6 if the diam-gw connectivity will be exclusively in "IPv6" or "BOTH" if the connectivity will be for IPv4 and IPv6.

Note:

You must enable the IPv6 related parameters in Alternate Route, Ingress Gateway, and Egress Gateway services configurations.

Note:

When Policy is being installed in a dual stack environment with IPv6 enabled, it is necessary to edit each service by changing "ipFamilies" and "ipFamilyPolicy" as follows:

ipFamilies:
 - IPv6
 - IPv4
ipFamilyPolicy: RequireDualStack