3 Customizing OCCM
This chapter provides information about customizing OCCM deployment in a cloud native environment.
The OCCM deployment is customized by overriding the default values of the various configurable parameters in the occm_custom_values_<version>.yaml file.
Perform the following steps to customize the custom yaml files:
- Use the custom values and templates delivered as part of the package. For more information on how to download the package from MOS, see Downloading the OCCM Package section.
- Customize the appropriate custom value file.
- Save the updated files.
Note:
- All parameters marked as mandatory must be present in the custom values yaml file.
- All fixed value parameters listed must be present in the custom values yaml file with the exact values specified in this section.
- For installing OCCM in an existing NF deployment, see the 'Introducing OCCM in an Existing NF Deployment' section in the Oracle Communications Cloud Native Core, Certificate Management User Guide.
3.1 Configuration Options
Table 3-1 Configuration Options
Parameter | Description | Details |
---|---|---|
global.dockerRegistry | This is a mandatory parameter. Here, the user provides the registry that contains the OCCM images, in the form `<registry-url>`. | Data Type: String. Range: It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. Default Value: cgbu-occm-dev-docker.dockerhub-iad.oci.oraclecorp.com |
global.serviceAccountName | This is an optional parameter. Name of the service account. If this field is left empty, a default service account named after the release is created automatically. If a value is provided, the custom service account must be created manually before deployment. | Data Type: String. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. The name may not start with a period or a dash and may contain a maximum of 128 characters. |
global.occmAccessedNamespaces | This is an optional field. For OCCM multiple namespace support, the namespaces are listed here for automatic service account creation. | Data Type: List (String). Default Value: NA. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. A name may not start with a period or a dash and may contain a maximum of 128 characters. |
global.customExtension | This is an optional field. Custom extension to include custom labels and annotations. | Data Type: String. Default Value: NA. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. A name may not start with a period or a dash and may contain a maximum of 128 characters. |
global.customExtension.allResources.labels | This is an optional parameter. Adds custom label(s) to all Kubernetes resources created by the OCCM Helm chart. | Data Type: String. Range: Custom labels to be added to all OCCM Kubernetes resources. |
global.customExtension.allResources.annotations | This is an optional parameter. Adds custom annotation(s) to all Kubernetes resources created by the OCCM Helm chart. | Data Type: String. Range: Custom annotations to be added to all OCCM Kubernetes resources. |
global.customExtension.nonlbServices.labels | This is an optional parameter. Adds custom label(s) to all Services created by the OCCM Helm chart that are not of Load Balancer type. | Data Type: String. Range: Custom labels to be added to OCCM Services that are not of Load Balancer type. |
global.customExtension.nonlbServices.annotations | This is an optional parameter. Adds custom annotation(s) to all Services created by the OCCM Helm chart that are not of Load Balancer type. | Data Type: String. Range: Custom annotations to be added to OCCM Services that are not of Load Balancer type. |
global.customExtension.nonlbDeployments.labels | This is an optional parameter. Adds custom label(s) to all Deployments created by the OCCM Helm chart that are associated with a Service that is not of Load Balancer type. | Data Type: String. Range: Custom labels to be added to OCCM Deployments that are associated with a Service that is not of Load Balancer type. |
global.customExtension.nonlbDeployments.annotations | This is an optional parameter. Adds custom annotation(s) to all Deployments created by the OCCM Helm chart that are associated with a Service that is not of Load Balancer type. For example: `oracle.com/cnc: "true"` and `oracle.com.cnc/egress-network: oam`. | Data Type: String. Range: Custom annotations to be added to OCCM Deployments that are associated with a Service that is not of Load Balancer type. |
global.ephemeralStorage.limits.containersLogStorage | This is a mandatory parameter. Sets the value for the ephemeral storage limit. | Data Type: Integer. Range: Integer value, interpreted in MB. Default Value: 1000 |
global.ephemeralStorage.limits.containersCriticalStorage | This is a mandatory parameter. Sets the value for the ephemeral storage limit. | Data Type: Integer. Range: Integer value, interpreted in MB. Default Value: 2 |
global.ephemeralStorage.requests.containersLogStorage | This is a mandatory parameter. Sets the value for the ephemeral storage request. | Data Type: Integer. Range: Integer value, interpreted in MB. Default Value: 50 |
global.ephemeralStorage.requests.containersCriticalStorage | This is a mandatory parameter. Sets the value for the ephemeral storage request. | Data Type: Integer. Range: Integer value, interpreted in MB. Default Value: 2 |
global.hookJobResources.limit.cpu | This is an optional parameter. It limits the number of CPUs used by the Helm test pod. | Data Type: Integer. Range: Valid integer value. Default Value: 0.5 |
global.hookJobResources.limit.memory | This is an optional parameter. It limits the memory used by the Helm test pod. | Data Type: Integer. Range: Valid integer value followed by Mi/Gi etc. Default Value: 0.5Gi |
global.hookJobResources.limit.logStorage | This is an optional parameter. It limits the logStorage (ephemeral storage) used by the Helm test pod. | Data Type: Integer. Range: The value is set from global.ephemeralStorage.requests.containersLogStorage. Default Value: 50Mi |
global.hookJobResources.limit.criticalStorage | This is an optional parameter. It limits the criticalStorage (ephemeral storage) used by the Helm test pod. | Data Type: Integer. Range: The value is set from global.ephemeralStorage.limits.containersCriticalStorage. Default Value: 2 |
global.hookJobResources.request.cpu | This is an optional parameter. It requests the number of CPUs to be used by the Helm test pod. | Data Type: Integer. Range: Valid integer value. Default Value: 0.5 |
global.hookJobResources.request.memory | This is an optional parameter. It requests the memory to be used by the Helm test pod. | Data Type: Integer. Range: Valid integer value followed by Mi/Gi etc. Default Value: 0.5Gi |
global.hookJobResources.request.logStorage | This is an optional parameter. It requests the logStorage (ephemeral storage) to be used by the Helm test pod. | Data Type: Integer. Range: The value is set from global.ephemeralStorage.requests.containersLogStorage. Default Value: 50Mi |
global.hookJobResources.request.criticalStorage | This is an optional parameter. It requests the criticalStorage (ephemeral storage) to be used by the Helm test pod. | Data Type: Integer. Range: The value is set from global.ephemeralStorage.limits.containersCriticalStorage. Default Value: 2 |
global.k8sResource.container.prefix | This is an optional parameter. This value is prefixed to all OCCM container names. | Data Type: String. Range: Value to be prefixed to all OCCM container names. |
global.k8sResource.container.suffix | This is an optional parameter. This value is suffixed to all OCCM container names. | Data Type: String. Range: Value to be suffixed to all OCCM container names. |
global.helmTestServiceAccountName | This is an optional parameter. For Helm test execution, global.helmTestServiceAccountName is used first. If it is not set, global.serviceAccountName is used instead. If both are missing, a default service account is created and used. | Data Type: String. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. The name may not start with a period or a dash and may contain a maximum of 128 characters. |
global.test.nfName | This is a mandatory parameter. Name of the deployment for which the Helm test is run. | Data Type: String. Range: NF name. Default Value: OCCM |
global.test.image.name | This is a mandatory parameter. Image name for the Helm test container image. | Data Type: String. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. An image name may not start with a period or a dash and may contain a maximum of 128 characters. Default Value: OCCM |
global.test.image.tag | This is a mandatory parameter. Image version tag for the Helm test. | Data Type: String. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. A tag may not start with a period or a dash and may contain a maximum of 128 characters. |
global.test.image.imagePullPolicy | This is an optional parameter. The pull policy decides from where to pull the image. | Data Type: String. Range: One of IfNotPresent, Always, Never. Default Value: IfNotPresent |
global.test.config.logLevel | This is a mandatory parameter. The pull policy decides from where to pull the image. | Data Type: String. Range: WARN, DEBUG, INFO, etc. Default Value: Info |
global.test.config.timeout | This is a mandatory parameter. Timeout value for the Helm test operation. If it is exceeded, the Helm test is considered a failure. | Data Type: String. Range: 1-300 seconds. Default Value: 240 |
global.test.resources | This is a mandatory parameter. The listed Kubernetes resources are logged in the Helm test. | Data Type: List (String). Range: Resources and their versions in the form `<resource_name>/<max_version_supportedbyNF>`, such as horizontalpodautoscalers/v1, deployments/v1, serviceaccounts/v1, roles/v1, services/v1, rolebindings/v1. |
global.test.complianceEnable | This is a mandatory parameter. It enables or disables Helm test resource logging. | Data Type: Boolean. Range: True or False. Default Value: True |
global.extraContainers | This is a mandatory parameter. Enables or disables the debug tools container. | Data Type: enum. Range: DISABLED, ENABLED. Default Value: DISABLED |
global.debugToolContainerMemoryLimit | This is a mandatory parameter. Debug tool container memory limit. | Data Type: String. Range: Valid integer value followed by Mi/Gi etc. Default Value: debug-tools-dir |
global.extraContainersVolumesTpl | This is a mandatory parameter. Debug tool extra container volume details. | Data Type: String. Range: It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. Default Value: 4Gi |
global.extraContainersTpl | This is a mandatory parameter. Debug tool extra container command details. | Data Type: String. Range: It may contain lowercase letters, digits, and separators. A separator is defined as a period, one or two underscores, or one or more dashes. |
image.tag | This is a mandatory parameter. Image tag to be used for OCCM. | Data Type: enum. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. Default Value: DISABLED |
image.name | This is a mandatory parameter. It is the image name of OCCM. | Data Type: String. Range: Valid ASCII; may contain lowercase and uppercase letters, digits, underscores, periods, and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
image.pullPolicy | This is an optional parameter. The pull policy decides from where to pull the image. | Data Type: String. Range: One of IfNotPresent, Always, Never. Default Value: IfNotPresent |
ports.containerPort | This is a mandatory parameter. It is the HTTP port of the OCCM container. | Data Type: Integer. Range: 0-65535. Default Value: 8989 |
ports.actuatorPort | This is a mandatory parameter. It is the actuator port of the OCCM container. | Data Type: Integer. Range: 0-65535. Default Value: 9000 |
ports.servicePort | This is a mandatory parameter. It is the service port of the OCCM container. | Data Type: Integer. Range: 0-65535. Default Value: 8989 |
deployment.livenessProbe.initialDelaySeconds | This is an optional parameter. It specifies that the kubelet should perform a liveness probe at the given interval in seconds. | Data Type: Integer. Range: 0-65535. Default Value: 60 |
deployment.livenessProbe.periodSeconds | This is an optional parameter. It specifies that the kubelet should perform a liveness probe at the given interval in seconds. | Data Type: Integer. Range: 0-65535. Default Value: 3 |
deployment.livenessProbe.timeoutSeconds | This is an optional parameter. It is the number of seconds after which the probe times out. | Data Type: Integer. Range: 0-65535. Default Value: 15 |
deployment.livenessProbe.successThreshold | This is an optional parameter. Minimum consecutive successes for the probe to be considered successful after having failed. | Data Type: Integer. Range: 0-65535. Default Value: 1 |
deployment.livenessProbe.failureThreshold | This is an optional parameter. When a Pod starts and the probe fails, Kubernetes tries failureThreshold times before giving up. | Data Type: Integer. Range: 0-65535. Default Value: 3 |
deployment.readinessProbe.initialDelaySeconds | This is an optional parameter. It tells the kubelet to wait the given number of seconds before performing the first probe. | Data Type: Integer. Range: 0-65535. Default Value: 20 |
deployment.readinessProbe.timeoutSeconds | This is an optional parameter. It is the number of seconds after which the probe times out. | Data Type: Integer. Range: 0-65535. Default Value: 3 |
deployment.readinessProbe.periodSeconds | This is an optional parameter. It specifies that the kubelet should perform a liveness probe at the given interval in seconds. | Data Type: Integer. Range: 0-65535. Default Value: 10 |
deployment.readinessProbe.successThreshold | This is an optional parameter. Minimum consecutive successes for the probe to be considered successful after having failed. | Data Type: Integer. Range: 0-65535. Default Value: 1 |
deployment.readinessProbe.failureThreshold | This is an optional parameter. When a Pod starts and the probe fails, Kubernetes tries failureThreshold times before giving up. | Data Type: Integer. Range: 0-65535. Default Value: 3 |
resources.limits.cpu | This is an optional parameter. It limits the number of CPUs used by OCCM. | Data Type: Float. Range: Valid floating point value between 0 and 1. Default Value: 2 |
resources.limits.memory | This is an optional parameter. It limits the memory utilization of the microservice. | Data Type: String. Range: Valid integer value followed by Mi/Gi etc. Default Value: 2Gi |
resources.limits.logStorage | This is a mandatory parameter. It limits the logStorage (ephemeral storage) used by the Helm test pod. | Data Type: Integer. Range: The value is set from global.ephemeralStorage.limits.containersLogStorage. Default Value: 1000 |
resources.limits.criticalStorage | This is a mandatory parameter. It limits the criticalStorage (ephemeral storage) used by the Helm test pod. | Data Type: Integer. Range: The value is set from global.ephemeralStorage.limits.containersCriticalStorage. Default Value: 2 |
resources.requests.cpu | This is a mandatory parameter. The minimum amount of CPUs required. | Data Type: String. Range: Valid floating point value between 0 and 1. Default Value: 1 |
resources.requests.memory | This is a mandatory parameter. The minimum amount of memory required. | Data Type: String. Range: Valid integer value followed by Mi/Gi etc. Default Value: 1Gi |
resources.requests.logStorage | This is a mandatory parameter. The minimum amount of logStorage (ephemeral storage). | Data Type: Integer. Range: The value is set from global.ephemeralStorage.requests.containersLogStorage. Default Value: 50 |
resources.requests.criticalStorage | This is a mandatory parameter. The minimum amount of criticalStorage (ephemeral storage). | Data Type: Integer. Range: The value is set from global.ephemeralStorage.requests.containersCriticalStorage. Default Value: 2 |
log.level.occm | This is a mandatory parameter. It is the level at which the user wants to see application level logs. | Data Type: String. Range: WARN, DEBUG, INFO, TRACE, etc. Default Value: INFO |
log.level.root | This is a mandatory parameter. It is the level at which the user wants to see root level logs. | Data Type: String. Default Value: ERROR |
log.level.helidonFramework | This is a mandatory parameter. It is the level at which the user wants to see Helidon framework level logs. | Data Type: String. Default Value: ERROR |
occmConfig.cmp.config.useOccmCertSignForKur | When set to true, the OCCM key and certificate are used to sign the CMP request message. When set to false, the old certificate is used as the signer certificate. | Data Type: boolean. Default Value: false. Range: True or false |
occmConfig.cmp.config.extractCertChainFromCmpResponse | When set to true, the certificate chain is extracted from the CA's CMP response message. If the CA does not send the chain, the operator can configure it manually after setting this field to false. | Data Type: boolean. Default Value: true. Range: True or false |
occmConfig.cmp.config.tls.enableX509StrictCheck | This is an optional parameter. When set to true, "-x509_strict" is included in the openssl cmp command for strict checking of the X.509 certificates. | Data Type: boolean. Default Value: true. Range: True or false |
occmConfig.cmp.config.tls.ignoreCriticalExtensionsCheck | This is an optional parameter. When set to true, "-ignore_critical" is included in the openssl cmp command for the checking of X.509 certificate critical extensions. | Data Type: boolean. Default Value: false. Range: True or false |
occmConfig.cmp.config.tls.minProtocol | This is an optional field. It sets the minimum supported TLS version. | Data Type: String. Default Value: TLSv1.2 |
occmConfig.cmp.config.tls.tlsNamedGroups | This is an optional field. It is equivalent to Groups in openssl and sets the supported groups. For clients, the groups are set using the supported groups extension. The value must be a colon-separated list of groups. | Data Type: String. Default Value: P-256:P-384:P-521:X25519:X448 |
occmConfig.cmp.config.tls.cipherStrings | This is an optional field. It sets the available ciphers for TLSv1.2 and below. The value should be a colon-separated list of ciphers. | Data Type: String. Default Value: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM |
occmConfig.cmp.config.tls.cipherSuites | This is an optional field. It sets the available cipher suites for TLSv1.3. The value should be a colon-separated list of cipher suites. | Data Type: String. Default Value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256 |
occmConfig.cmp.config.tls.clientSignatureSchemes | This is an optional field. It is equivalent to SignatureAlgorithms in openssl and sets the supported signature algorithms for TLSv1.2 and TLSv1.3. The value should be a colon-separated list of signature schemes. | Data Type: String. Default Value: ecdsa_secp384r1_sha384:ecdsa_secp256r1_sha256:ed448:ed25519:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256:rsa_pss_pss_sha512:rsa_pss_pss_sha384:rsa_pss_pss_sha256:rsa_pkcs1_sha512:rsa_pkcs1_sha384:rsa_pkcs1_sha256 |
occmConfig.cmp.config.extractCertChainFromCmpResponse | This is an optional parameter. When set to true, the certificate chain is extracted from the CA's CMP response message. | Data Type: boolean. Default Value: true |
occmConfig.k8sSecretMonitoring | This is an optional parameter. When set to true, the secret monitoring feature is enabled. | Data Type: boolean. Default Value: true |
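The notes at the top of this chapter require every mandatory parameter to be present, and the occmConfig.cmp.config.tls.* rows carry the settings that decide how strictly the CMP exchange with the CA is protected. The script below is an added example, written for this chapter; it is not Oracle's code and not part of the OCCM Helm chart. It works on the nested mapping that the dotted parameter names in Table 3-1 expand to in occm_custom_values_<version>.yaml (loading the real file with PyYAML's yaml.safe_load gives the same shape; the mapping here is constructed by hand so the script runs offline, and the image tags in it are placeholders). It checks that a chosen set of mandatory parameters is present, that the port values fall within the documented 0-65535 range, and that the TLS settings have not drifted below the documented defaults (minimum TLSv1.2, -x509_strict kept, -ignore_critical not enabled, only forward-secret AEAD ciphers and genuine TLS 1.3 suites).

```python
"""Sanity-check an OCCM custom values mapping before it is handed to Helm.

Added example for this chapter; not Oracle's code and not part of the OCCM chart.
Operates on the nested mapping that the dotted parameter names in Table 3-1
expand to in occm_custom_values_<version>.yaml (yaml.safe_load gives the same
shape). The mapping below is constructed by hand for an offline run.
"""
import copy
from typing import Any, Dict, List

# Constructed sample: a subset of Table 3-1 with its documented defaults.
# The image tags are placeholders, not real release values.
SAMPLE_VALUES: Dict[str, Any] = {
    "global": {
        "dockerRegistry": "cgbu-occm-dev-docker.dockerhub-iad.oci.oraclecorp.com",
        "test": {"nfName": "OCCM", "image": {"name": "OCCM", "tag": "<tag-placeholder>"}},
    },
    "image": {"name": "occm", "tag": "<tag-placeholder>"},
    "ports": {"containerPort": 8989, "actuatorPort": 9000, "servicePort": 8989},
    "occmConfig": {"cmp": {"config": {"tls": {
        "minProtocol": "TLSv1.2",
        "enableX509StrictCheck": True,
        "ignoreCriticalExtensionsCheck": False,
        "cipherStrings": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM",
        "cipherSuites": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",
    }}}},
}

# Mandatory parameters from Table 3-1 covered by this check (dotted names as in the table).
MANDATORY = ["global.dockerRegistry", "global.test.nfName", "global.test.image.name",
             "global.test.image.tag", "image.name", "image.tag",
             "ports.containerPort", "ports.actuatorPort", "ports.servicePort"]

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# The five AEAD cipher suites defined for TLS 1.3 (RFC 8446, appendix B.4).
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}


def lookup(values: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted parameter name ('a.b.c') against the nested mapping; None if absent."""
    node: Any = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def split_colon_list(raw: str) -> List[str]:
    """Split an OpenSSL-style colon list; tolerates the '\\' line continuations seen in the docs."""
    return [item.strip() for item in raw.replace("\\", "").split(":") if item.strip()]


def missing_mandatory(values: Dict[str, Any]) -> List[str]:
    return [name for name in MANDATORY if lookup(values, name) is None]


def port_errors(values: Dict[str, Any]) -> List[str]:
    errs = []
    for name in ("ports.containerPort", "ports.actuatorPort", "ports.servicePort"):
        port = lookup(values, name)
        if not isinstance(port, int) or isinstance(port, bool) or not 0 <= port <= 65535:
            errs.append(f"{name}: {port!r} is not an integer in 0-65535")
    return errs


def tls_errors(values: Dict[str, Any]) -> List[str]:
    """Flag settings that weaken the TLS side of the CMP exchange relative to the documented defaults."""
    base = "occmConfig.cmp.config.tls"
    errs = []
    min_proto = lookup(values, f"{base}.minProtocol") or "TLSv1.2"  # table default when absent
    if min_proto not in TLS_ORDER or TLS_ORDER.index(min_proto) < TLS_ORDER.index("TLSv1.2"):
        errs.append(f"minProtocol {min_proto!r} is below TLSv1.2")
    if lookup(values, f"{base}.enableX509StrictCheck") is False:
        errs.append("enableX509StrictCheck is false: -x509_strict is dropped from the openssl cmp command")
    if lookup(values, f"{base}.ignoreCriticalExtensionsCheck") is True:
        errs.append("ignoreCriticalExtensionsCheck is true: -ignore_critical tolerates unhandled critical extensions")
    for cipher in split_colon_list(lookup(values, f"{base}.cipherStrings") or ""):
        # The documented default is ECDHE-only AEAD ciphers (GCM, CCM, ChaCha20-Poly1305).
        if not cipher.startswith("ECDHE-") or not any(t in cipher for t in ("GCM", "CCM", "CHACHA20")):
            errs.append(f"cipherStrings: {cipher} is not a forward-secret AEAD cipher")
    for suite in split_colon_list(lookup(values, f"{base}.cipherSuites") or ""):
        if suite not in TLS13_SUITES:
            errs.append(f"cipherSuites: {suite} is not a TLS 1.3 cipher suite")
    return errs


def validate(values: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return all findings grouped by check; an all-empty result means the values pass."""
    return {"missing": missing_mandatory(values), "ports": port_errors(values), "tls": tls_errors(values)}


def weakened_sample() -> Dict[str, Any]:
    """Copy of SAMPLE_VALUES with the kind of drift the check is meant to catch (constructed)."""
    weak = copy.deepcopy(SAMPLE_VALUES)
    del weak["image"]["tag"]
    weak["ports"]["actuatorPort"] = 70000
    tls = weak["occmConfig"]["cmp"]["config"]["tls"]
    tls["minProtocol"] = "TLSv1.1"
    tls["ignoreCriticalExtensionsCheck"] = True
    tls["cipherStrings"] += ":AES128-SHA"  # static RSA key exchange, CBC, no forward secrecy
    return weak


if __name__ == "__main__":
    for label, vals in (("defaults", SAMPLE_VALUES), ("weakened", weakened_sample())):
        print(label, validate(vals))
```

The mandatory list is deliberately partial; extend MANDATORY with the remaining rows marked mandatory in Table 3-1 for the release being deployed. The TLS check treats an absent minProtocol, enableX509StrictCheck or ignoreCriticalExtensionsCheck as its documented default, so only explicit overrides are reported.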