TLS Support

Beginning with the London release, ONAP uses a service mesh (Istio) to encrypt and authenticate traffic between ONAP components. In earlier releases, each component was responsible for protecting its HTTP interfaces with TLS, using certificates generated by the (now obsolete) AAF component.

Some DCAE components offer HTTP interfaces to clients outside the ONAP Kubernetes cluster. In earlier releases, ONAP offered a mechanism allowing components to obtain TLS certificates from an external source using the CMPv2 protocol. (See these design notes for details on how that approach worked in conjunction with AAF.) Beginning with the London release, external HTTP interfaces should be exposed via the Istio Gateway. The gateway can terminate TLS and can be configured with the necessary certificates.