OOM Custom Overrides

The OOM helm deploy plugin requires deployment configuration as input, usually in the form of override yaml files. These input files determine what ONAP components get deployed, and the configuration of the OOM deployment.

Other helm config options like --set log.enabled=true|false are available.

See the helm deploy plugin usage section for more detail, or, if the plugin has already been installed, execute the following:

> helm deploy --help

Users can customize the override files to suit their required deployment.

Note

Standard and example override files (e.g. onap-all.yaml, onap-all-ingress-istio.yaml) can be found in the oom/kubernetes/onap/resources/overrides/ directory.

  • Users can selectively enable or disable ONAP components by changing the enabled: true/false flags.

  • Add to the command line a value for the global master password (i.e. --set global.masterPassword=My_superPassw0rd).

Enabling/Disabling Components

Here is an example of the nominal entries that need to be provided. Different values files are available for different contexts.

Default ONAP values.yaml
# Copyright © 2019 Amdocs, Bell Canada
# Copyright (c) 2020 Nordix Foundation, Modifications
# Modifications Copyright © 2020-2021 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#################################################################
# Global configuration overrides.
#
# These overrides will affect all helm charts (ie. applications)
# that are listed below and are 'enabled'.
#################################################################
global:
  # Change to an unused port prefix range to prevent port conflicts
  # with other instances running within the same k8s cluster
  nodePortPrefix: 302
  nodePortPrefixExt: 304


  # Install test components
  # test components are out of the scope of ONAP but allow having an entire
  # environment to test the different features of ONAP
  # Current tests environments provided:
  #  - netbox (needed for CDS IPAM)
  #  - AWX (needed for XXX)
  #  - EJBCA Server (needed for CMPv2 tests)
  # Today, the "contrib" chart hosting these components must also be enabled
  # in order to make it work. So `contrib.enabled` must have the same value as
  # addTestingComponents
  addTestingComponents: &testing false

  # ONAP Repository
  # Four different repositories are used
  # You can change each of these repositories individually to ones that will
  # serve the right images. If credentials are needed for one of them, see below.
  repository: nexus3.onap.org:10001
  dockerHubRepository: &dockerHubRepository docker.io
  elasticRepository: &elasticRepository docker.elastic.co
  googleK8sRepository: k8s.gcr.io
  githubContainerRegistry: ghcr.io

  #/!\ DEPRECATED /!\
  # Legacy repositories which will be removed at the end of migration.
  # Please don't use
  loggingRepository: *elasticRepository
  busyboxRepository: *dockerHubRepository

  # Default credentials
  # they're optional. If the target repository doesn't need them, comment them out
  repositoryCred:
    user: docker
    password: docker
  # If you want / need authentication on the repositories, please set them.
  # Don't set them if the target repo is the same as the others:
  # so if you've set repository to value `my.private.repo` and the same for
  # dockerHubRepository, you'll have to configure only repository (exclusive) OR
  # dockerHubCred.
  # dockerHubCred:
  #   user: myuser
  #   password: mypassword
  # elasticCred:
  #   user: myuser
  #   password: mypassword
  # googleK8sCred:
  #   user: myuser
  #   password: mypassword


  # common global images
  # Busybox for simple shell manipulation
  busyboxImage: busybox:1.34.1

  # curl image
  curlImage: curlimages/curl:7.80.0

  # env substitution image
  envsubstImage: dibi/envsubst:1

  # generate htpasswd files image
  # there's only latest image for htpasswd
  htpasswdImage: xmartlabs/htpasswd:latest

  # kubernetes client image
  kubectlImage: bitnami/kubectl:1.22.4

  # logging agent
  loggingImage: beats/filebeat:5.5.0

  # mariadb client image
  mariadbImage: bitnami/mariadb:10.5.8

  # nginx server image
  nginxImage: bitnami/nginx:1.21.4

  # postgreSQL client and server image
  postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1

  # readiness check image
  readinessImage: onap/oom/readiness:3.0.1

  # image pull policy
  pullPolicy: Always

  # default java image
  jreImage: onap/integration-java11:10.0.0

  # default clusterName
  # {{ template "common.fullname" . }}.{{ template "common.namespace" . }}.svc.{{ .Values.global.clusterName }}
  clusterName: cluster.local

  # default mount path root directory referenced
  # by persistent volumes and log files
  persistence:
    mountPath: /dockerdata-nfs
    enableDefaultStorageclass: false
    parameters: {}
    storageclassProvisioner: kubernetes.io/no-provisioner
    volumeReclaimPolicy: Retain

  # override default resource limit flavor for all charts
  flavor: unlimited

  # flag to enable debugging - application support required
  debugEnabled: false

  # default password complexity
  # available options: phrase, name, pin, basic, short, medium, long, maximum security
  # More details: https://www.masterpasswordapp.com/masterpassword-algorithm.pdf
  passwordStrength: long

  # configuration to set the log level for all components (the ones that are
  # using "common.log.level" to set this)
  # can be overridden per component by setting logConfiguration.logLevelOverride
  # to the desired value
  # logLevel: DEBUG

  # Global ingress configuration
  ingress:
    # generally enable ingress for ONAP components
    enabled: false
    # enable all component's Ingress interfaces
    enable_all: false
    # default Ingress base URL
    # can be overwritten in component by setting ingress.baseurlOverride
    virtualhost:
      baseurl: "simpledemo.onap.org"
    # All http requests via ingress will be redirected on Ingress controller
    # only valid for Istio Gateway (ServiceMesh enabled)
    config:
      ssl: "redirect"
    # you can set an own Secret containing a certificate
    # only valid for Istio Gateway (ServiceMesh enabled)
    #  tls:
    #    secret: 'my-ingress-cert'

    # optional: Namespace of the Istio IngressGateway
    # only valid for Istio Gateway (ServiceMesh enabled)
    namespace: istio-ingress

  # Global Service Mesh configuration
  # POC Mode, don't use it in production
  serviceMesh:
    enabled: false
    tls: true
    # be aware that linkerd is not well tested
    engine: "istio" # valid value: istio or linkerd

  # metrics part
  # If enabled, exporters (for prometheus) will be deployed
  # if custom resources set to yes, CRD from prometheus operator will be
  # created
  # Not all components have it enabled.
  #
  metrics:
    enabled: true
    custom_resources: false

  # Disabling AAF
  # POC Mode, only for use in development environment
  # Keep it enabled in production
  aafEnabled: true
  aafAgentImage: onap/aaf/aaf_agent:2.1.20

  # Disabling MSB
  # POC Mode, only for use in development environment
  msbEnabled: true

  # default values for certificates
  certificate:
    default:
      renewBefore: 720h #30 days
      duration:    8760h #365 days
      subject:
        organization: "Linux-Foundation"
        country: "US"
        locality: "San-Francisco"
        province: "California"
        organizationalUnit: "ONAP"
      issuer:
        group: certmanager.onap.org
        kind: CMPv2Issuer
        name: cmpv2-issuer-onap

  # Enabling CMPv2
  cmpv2Enabled: true
  platform:
    certificates:
      clientSecretName: oom-cert-service-client-tls-secret
      keystoreKeyRef: keystore.jks
      truststoreKeyRef: truststore.jks
      keystorePasswordSecretName: oom-cert-service-certificates-password
      keystorePasswordSecretKey: password
      truststorePasswordSecretName: oom-cert-service-certificates-password
      truststorePasswordSecretKey: password

  # Indicates offline deployment build
  # Set to true if you are rendering helm charts for offline deployment
  # Otherwise keep it disabled
  offlineDeploymentBuild: false

  # TLS
  # Set to false if you want to disable TLS for NodePorts. Be aware that this
  # will loosen your security.
  # If set, this element forces TLS on or off even if serviceMesh.tls is set.
  # tlsEnabled: false

  # Logging
  # Currently, centralized logging is not in best shape so it's disabled by
  # default
  centralizedLoggingEnabled: &centralizedLogging false

  # Example of a component-specific override that disables TLS only for that
  # component:
  # if set, this element forces TLS on or off even if global.serviceMesh.tls and
  # global.tlsEnabled are set otherwise.
  # robot:
  #   tlsOverride: false

  # Global storage configuration
  #    Set to "-" for default, or with the name of the storage class
  #    Please note that if you use AAF, CDS, SDC, Netbox or Robot, you need a
  #    storageclass with RWX capabilities (or set specific configuration for these
  #    components).
  # persistence:
  #   storageClass: "-"

# Example of component-specific overrides for the components which require RWX:
# aaf:
#   persistence:
#     storageClassOverride: "My_RWX_Storage_Class"
# contrib:
#   netbox:
#     netbox-app:
#       persistence:
#         storageClassOverride: "My_RWX_Storage_Class"
# cds:
#   cds-blueprints-processor:
#     persistence:
#       storageClassOverride: "My_RWX_Storage_Class"
# sdc:
#   sdc-onboarding-be:
#     persistence:
#       storageClassOverride: "My_RWX_Storage_Class"

#################################################################
# Enable/disable and configure helm charts (ie. applications)
# to customize the ONAP deployment.
#################################################################

aaf:
  enabled: false
  aaf-sms:
    cps:
      # must always be set to the same value as cps.enabled
      enabled: false
aai:
  enabled: false
appc:
  enabled: false
  config:
    openStackType: OpenStackProvider
    openStackName: OpenStack
    openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html
    openStackServiceTenantName: default
    openStackDomain: default
    openStackUserName: admin
    openStackEncryptedPassword: admin
cassandra:
  enabled: false
cds:
  enabled: false
clamp:
  enabled: false
cli:
  enabled: false
consul:
  enabled: false
# Today, the "contrib" chart hosting these components must also be enabled
# in order to make it work. So `contrib.enabled` must have the same value as
# addTestingComponents
contrib:
  enabled: *testing
cps:
  enabled: false
dcaegen2-services:
  enabled: false
dcaemod:
  enabled: false
holmes:
  enabled: false
dmaap:
  enabled: false
# Today, the "logging" chart that performs the central part of logging must also
# be enabled in order to make it work. So `logging.enabled` must have the same
# value as centralizedLoggingEnabled
log:
  enabled: *centralizedLogging
sniro-emulator:
  enabled: false
oof:
  enabled: false
mariadb-galera:
  enabled: false
msb:
  enabled: false
multicloud:
  enabled: false
nbi:
  enabled: false
  config:
    # openstack configuration
    openStackRegion: "Yolo"
    openStackVNFTenantId: "1234"
policy:
  enabled: false
pomba:
  enabled: false
portal:
  enabled: false
robot:
  enabled: false
  config:
    # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment
    openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
sdc:
  enabled: false
sdnc:
  enabled: false

  replicaCount: 1

  mysql:
    replicaCount: 1
so:
  enabled: false

  replicaCount: 1

  liveness:
    # necessary to disable liveness probe when setting breakpoints
    # in debugger so K8s doesn't restart unresponsive container
    enabled: false

  # so server configuration
  config:
    # message router configuration
    dmaapTopic: "AUTO"
    # openstack configuration
    openStackUserName: "vnf_user"
    openStackRegion: "RegionOne"
    openStackKeyStoneUrl: "http://1.2.3.4:5000"
    openStackServiceTenantName: "service"
    openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"

  # in order to enable static password for so-monitoring uncomment:
  # so-monitoring:
  #   server:
  #     monitoring:
  #       password: demo123456!
strimzi:
  enabled: false
uui:
  enabled: false
vfc:
  enabled: false
vid:
  enabled: false
vnfsdk:
  enabled: false
modeling:
  enabled: false
platform:
  enabled: false
a1policymanagement:
  enabled: false

cert-wrapper:
  enabled: true
repository-wrapper:
  enabled: true
roles-wrapper:
  enabled: true

(Optional) “ONAP on Service Mesh”

To enable “ONAP on Service Mesh” both “ServiceMesh” and “Ingress” configuration entries need to be configured before deployment.

Global settings relevant for ServiceMesh:

global:
  ingress:
    # generally enable ingress for ONAP components
    enabled: false
    # enable all component's Ingress interfaces
    enable_all: false
    # default Ingress base URL
    # can be overwritten in component by setting ingress.baseurlOverride
    virtualhost:
      baseurl: "simpledemo.onap.org"
    # All http requests via ingress will be redirected on Ingress controller
    # only valid for Istio Gateway (ServiceMesh enabled)
    config:
      ssl: "redirect"
    # you can set an own Secret containing a certificate
    # only valid for Istio Gateway (ServiceMesh enabled)
    #  tls:
    #    secret: 'my-ingress-cert'
    # optional: Namespace of the Istio IngressGateway
    # only valid for Istio Gateway (ServiceMesh enabled)
    namespace: istio-ingress
...
  serviceMesh:
    enabled: true
    tls: true
    # be aware that linkerd is not well tested
    engine: "istio" # valid value: istio or linkerd
  aafEnabled: false
  cmpv2Enabled: false
  tlsEnabled: false
  msbEnabled: false

ServiceMesh settings:

  • enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment)

  • tls: true → enables mTLS encryption in Sidecar communication

  • engine: istio → sets the SM engine (currently only Istio is supported)

  • aafEnabled: false → disables AAF usage for TLS interfaces

  • tlsEnabled: false → disables creation of TLS in component services

  • cmpv2Enabled: false → disable cmpv2 feature

  • msbEnabled: false → MSB is not used in Istio setup (still open whether all components are MSB independent)

Ingress settings:

  • enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)

  • enable_all: true → enables Ingress configuration in each component

  • virtualhost.baseurl: “simpledemo.onap.org” → sets globally the URL for all Interfaces set by the components, resulting in e.g. “aai-api.simpledemo.onap.org”; can be overwritten in the component via: ingress.baseurlOverride

  • config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)

  • config.tls.secret: “…” → (optional) overrides the default self-signed SSL certificate with a certificate stored in the specified secret

  • namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate

Note

For “ONAP on Istio” an example override file (onap-all-ingress-istio.yaml) can be found in the oom/kubernetes/onap/resources/overrides/ directory.
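The default values.yaml keeps its coupled flags in step with YAML anchors (contrib.enabled with global.addTestingComponents, log.enabled with global.centralizedLoggingEnabled, the aaf-sms cps flag with cps.enabled), and the Service Mesh settings above only set global.tlsEnabled: false because serviceMesh.tls then provides mTLS; a hand-written override can let these drift apart. The following is an added example, not code from OOM: a small Python check that parses the "key: value" subset override files use (comments, booleans and quoted scalars; no lists, anchors or "#" inside values) and reports such mismatches over a constructed override.

```python
def parse_override(text):
    # Parses the nested 'key: value' subset override files use (no lists/anchors).
    stack = [(-1, {})]                           # (indent, mapping); [0] is root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (s.strip() for s in line.partition(":"))
        while stack[-1][0] >= indent:            # climb back to the parent map
            stack.pop()
        if value == "":                          # a nested mapping follows
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
        elif value in ("true", "false"):
            stack[-1][1][key] = value == "true"
        else:
            stack[-1][1][key] = value.strip("'\"")
    return stack[0][1]

def lookup(tree, path):
    # Value at a dotted path, or None when the override leaves it unset.
    for part in path.split("."):
        tree = tree.get(part) if isinstance(tree, dict) else None
    return tree

# Pairs values.yaml requires to match (the default file ties them with anchors).
COUPLED = [("contrib.enabled", "global.addTestingComponents"),
           ("log.enabled", "global.centralizedLoggingEnabled"),
           ("aaf.aaf-sms.cps.enabled", "cps.enabled")]

def check_override(tree):
    findings = []
    for a, b in COUPLED:
        va, vb = lookup(tree, a), lookup(tree, b)
        if None not in (va, vb) and va != vb:
            findings.append(f"{a}={va} but {b}={vb}")
    # tlsEnabled: false loosens security unless sidecar mTLS (serviceMesh.tls) covers it.
    if lookup(tree, "global.tlsEnabled") is False and \
            lookup(tree, "global.serviceMesh.tls") is not True:
        findings.append("global.tlsEnabled=false without global.serviceMesh.tls=true")
    return findings

SAMPLE = """global:                  # constructed override, not one shipped with OOM
  addTestingComponents: true
  centralizedLoggingEnabled: false
  tlsEnabled: false
contrib:
  enabled: false
log:
  enabled: false
"""
```

Running check_override(parse_override(SAMPLE)) returns one finding per drifted pair, so an empty list means the override is consistent with the rules quoted above.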