OOM Custom Overrides
The OOM helm deploy plugin requires deployment configuration as input, usually in the form of override yaml files. These input files determine what ONAP components get deployed, and the configuration of the OOM deployment.
Other helm config options like –set log.enabled=true|false are available.
See the helm deploy plugin usage section for more detail, or it the plugin has already been installed, execute the following:
> helm deploy --help
Users can customize the override files to suit their required deployment.
Note
Standard and example override files (e.g. onap-all.yaml, onap-all-ingress-gatewayapi.yaml) can be found in the oom/kubernetes/onap/resources/overrides/ directory.
Users can selectively enable or disable ONAP components by changing the
enabled: true/false
flags.Add to the command line a value for the global master password (ie. –set global.masterPassword=My_superPassw0rd).
Enabling/Disabling Components
Here is an example of the nominal entries that need to be provided. Different values files are available for different contexts.
Default ONAP values.yaml
# Copyright © 2019 Amdocs, Bell Canada
# Copyright (c) 2020 Nordix Foundation, Modifications
# Modifications Copyright © 2020-2021 Nokia
# Modifications Copyright © 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#################################################################
# Global configuration overrides.
#
# These overrides will affect all helm charts (ie. applications)
# that are listed below and are 'enabled'.
#################################################################
global:
# Change to an unused port prefix range to prevent port conflicts
# with other instances running within the same k8s cluster
nodePortPrefix: 302
nodePortPrefixExt: 304
# ONAP Repository
# Four different repositories are used
# You can change individually these repositories to ones that will serve the
# right images. If credentials are needed for one of them, see below.
repository: nexus3.onap.org:10001
dockerHubRepository: &dockerHubRepository docker.io
elasticRepository: &elasticRepository docker.elastic.co
quayRepository: quay.io
googleK8sRepository: k8s.gcr.io
githubContainerRegistry: ghcr.io
# Default credentials
# they're optional. If the target repository doesn't need them, comment them
repositoryCred:
user: docker
password: docker
# If you want / need authentication on the repositories, please set
# Don't set them if the target repo is the same than others
# so id you've set repository to value `my.private.repo` and same for
# dockerHubRepository, you'll have to configure only repository (exclusive) OR
# dockerHubCred.
# dockerHubCred:
# user: myuser
# password: mypassord
# elasticCred:
# user: myuser
# password: mypassord
# googleK8sCred:
# user: myuser
# password: mypassord
# Default definition of the secret containing the docker image repository
# credentials. In the default ONAP deployment the secret is created by the
# repository-wrapper component, which uses the secrets defined above.
# If this is not wanted or other secrets are created, alternative secret
# names can be used
# Overrides for specific images can be done, if the "image" entry is used as
# a map and the "pullSecrets" is used, e.g.
# image:
# ...
# pullSecrets:
# - myRegistryKeySecretName
#
imagePullSecrets:
- '{{ include "common.namespace" . }}-docker-registry-key'
# common global images
# Busybox for simple shell manipulation
busyboxImage: busybox:1.34.1
# curl image
curlImage: curlimages/curl:7.80.0
# env substitution image
envsubstImage: dibi/envsubst:1
# generate htpasswd files image
# there's only latest image for htpasswd
htpasswdImage: xmartlabs/htpasswd:latest
# kubenretes client image
kubectlImage: bitnami/kubectl:1.22.4
# logging agent
loggingImage: beats/filebeat:5.5.0
# mariadb client image
mariadbImage: bitnami/mariadb:10.5.8
# nginx server image
nginxImage: bitnami/nginx:1.21.4
# postgreSQL client and server image
postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1
# readiness check image
readinessImage: onap/oom/readiness:6.0.3
# image pull policy
pullPolicy: Always
# default java image
jreImage: onap/integration-java11:10.0.0
# default clusterName
# {{ template "common.fullname" . }}.{{ template "common.namespace" . }}.svc.{{ .Values.global.clusterName }}
clusterName: cluster.local
# default mount path root directory referenced
# by persistent volumes and log files
persistence:
mountPath: /dockerdata-nfs
enableDefaultStorageclass: false
parameters: {}
storageclassProvisioner: kubernetes.io/no-provisioner
volumeReclaimPolicy: Retain
# Global flag to enable the creation of default roles instead of using
# common roles-wrapper
createDefaultRoles: false
# override default resource limit flavor for all charts
flavor: unlimited
# flag to enable debugging - application support required
debugEnabled: false
# default password complexity
# available options: phrase, name, pin, basic, short, medium, long, maximum security
# More datails: https://www.masterpasswordapp.com/masterpassword-algorithm.pdf
passwordStrength: long
# configuration to set log level to all components (the one that are using
# "common.log.level" to set this)
# can be overrided per components by setting logConfiguration.logLevelOverride
# to the desired value
# logLevel: DEBUG
# Global ingress configuration
ingress:
# generally enable ingress for ONAP components
enabled: false
# enable all component's Ingress interfaces
enable_all: false
# Provider: ingress, istio, gw-api
provider: istio
# Ingress class (only for provider "ingress"): e.g. nginx, traefik
ingressClass:
# Ingress Selector (only for provider "istio") to match with the
# ingress pod label "istio=ingress"
ingressSelector: ingress
# optional: common used Gateway (for Istio, GW-API) and listener names
commonGateway:
name: ""
httpListener: ""
httpsListener: ""
# default Ingress base URL and preAddr- and postAddr settings
# Ingress URLs result:
# <preaddr><component.ingress.service.baseaddr><postaddr>.<baseurl>
virtualhost:
# Default Ingress base URL
# can be overwritten in component by setting ingress.baseurlOverride
baseurl: "simpledemo.onap.org"
# prefix for baseaddr
# can be overwritten in component by setting ingress.preaddrOverride
preaddr: ""
# postfix for baseaddr
# can be overwritten in component by setting ingress.postaddrOverride
postaddr: ""
# All http (port 80) requests via ingress will be redirected
# to port 443 on Ingress controller
# only valid for Istio Gateway (ServiceMesh enabled)
config:
ssl: "redirect"
# you can set an own Secret containing a certificate
# only valid for Istio Gateway (ServiceMesh enabled)
# tls:
# secret: 'my-ingress-cert'
# optional: Namespace of the Istio IngressGateway or Gateway-API
# only valid for Istio Gateway (ServiceMesh enabled)
namespace: istio-ingress
# Global Service Mesh configuration
serviceMesh:
enabled: false
tls: true
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
# Global Istio Authorization Policy configuration
authorizationPolicies:
enabled: false
# metrics part
# If enabled, exporters (for prometheus) will be deployed
# if custom resources set to yes, CRD from prometheus operartor will be
# created
# Not all components have it enabled.
#
metrics:
enabled: true
custom_resources: false
# Disabling AAF
# POC Mode, only for use in development environment
# Keep it enabled in production
aafEnabled: false
# Disabling MSB
# POC Mode, only for use in development environment
msbEnabled: true
# default values for certificates
certificate:
default:
renewBefore: 720h #30 days
duration: 8760h #365 days
subject:
organization: "Linux-Foundation"
country: "US"
locality: "San-Francisco"
province: "California"
organizationalUnit: "ONAP"
issuer:
group: certmanager.onap.org
kind: CMPv2Issuer
name: cmpv2-issuer-onap
# Enabling CMPv2
cmpv2Enabled: false
platform:
certificates:
clientSecretName: oom-cert-service-client-tls-secret
keystoreKeyRef: keystore.jks
truststoreKeyRef: truststore.jks
keystorePasswordSecretName: oom-cert-service-certificates-password
keystorePasswordSecretKey: password
truststorePasswordSecretName: oom-cert-service-certificates-password
truststorePasswordSecretKey: password
# Indicates offline deployment build
# Set to true if you are rendering helm charts for offline deployment
# Otherwise keep it disabled
offlineDeploymentBuild: false
# TLS
# Set to false if you want to disable TLS for NodePorts. Be aware that this
# will loosen your security.
# if set this element will force or not tls even if serviceMesh.tls is set.
tlsEnabled: false
# Logging
# Currently, centralized logging is not in best shape so it's disabled by
# default
centralizedLoggingEnabled: ¢ralizedLogging false
# Example of specific for the components where you want to disable TLS only for
# it:
# if set this element will force or not tls even if global.serviceMesh.tls and
# global.tlsEnabled is set otherwise.
# robot:
# tlsOverride: false
# Global storage configuration
# Set to "-" for default, or with the name of the storage class
# Please note that if you use AAF, CDS, SDC, Netbox or Robot, you need a
# storageclass with RWX capabilities (or set specific configuration for these
# components).
# persistence:
# storageClass: "-"
# Example of specific for the components which requires RWX:
# cds:
# cds-blueprints-processor:
# persistence:
# storageClassOverride: "My_RWX_Storage_Class"
# sdc:
# sdc-onboarding-be:
# persistence:
# storageClassOverride: "My_RWX_Storage_Class"
#################################################################
# Enable/disable and configure helm charts (ie. applications)
# to customize the ONAP deployment.
#################################################################
aai:
enabled: false
cassandra:
enabled: false
cds:
enabled: false
cli:
enabled: false
cps:
enabled: false
dcaegen2-services:
enabled: false
holmes:
enabled: false
dmaap:
enabled: false
message-router:
enabled: false
dmaap-dr-prov:
enabled: false
dmaap-dr-node:
enabled: false
oof:
enabled: false
mariadb-galera:
enabled: false
msb:
enabled: false
multicloud:
enabled: false
nbi:
enabled: false
config:
# openstack configuration
openStackRegion: "Yolo"
openStackVNFTenantId: "1234"
policy:
enabled: false
portal-ng:
enabled: false
robot:
enabled: false
config:
# openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment
openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
sdc:
enabled: false
sdnc:
enabled: false
replicaCount: 1
mysql:
replicaCount: 1
so:
enabled: false
replicaCount: 1
liveness:
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: false
# so server configuration
config:
# message router configuration
dmaapTopic: "AUTO"
# openstack configuration
openStackUserName: "vnf_user"
openStackRegion: "RegionOne"
openStackKeyStoneUrl: "http://1.2.3.4:5000"
openStackServiceTenantName: "service"
openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
# in order to enable static password for so-monitoring uncomment:
# so-monitoring:
# server:
# monitoring:
# password: demo123456!
strimzi:
enabled: false
# Kafka replication & disk storage should be dimensioned
# according to each given system use case.
replicaCount: 3
persistence:
kafka:
size: 10Gi
zookeeper:
size: 1Gi
# Strimzi kafka bridge is an optional http api towards
# kafka provided by https://strimzi.io/docs/bridge/latest/
strimzi-kafka-bridge:
enabled: false
uui:
enabled: false
vfc:
enabled: false
vnfsdk:
enabled: false
modeling:
enabled: false
platform:
enabled: false
a1policymanagement:
enabled: false
repository-wrapper:
enabled: true
roles-wrapper:
enabled: true
ONAP “Production” Setup
The production setup deploys ONAP components exposing its external services via Ingress with TLS termination. Internal traffic encryption will be ensured by using Istio ServiceMesh.
For external access we start to establish Authentication via Oauth2-proxy and Keycloak, which will be completed in the coming release.
To enable both “ServiceMesh” and “Ingress” configuration entries need to be set before deployment.
Service Mesh and Ingress configuration
Global settings relevant for ServiceMesh and Ingress:
global:
ingress:
# generally enable ingress for ONAP components
enabled: true
# enable all component's Ingress interfaces
enable_all: false
# Provider: ingress, istio, gw-api
provider: gw-api
# Ingress class (only for provider "ingress"): e.g. nginx, traefik
ingressClass:
# Ingress Selector (only for provider "istio") to match with the
# ingress pod label "istio=ingress"
ingressSelector: ingress
# optional: common used Gateway (for Istio, GW-API) and listener names
commonGateway:
name: ""
httpListener: ""
httpsListener: ""
# default Ingress base URL
# All http requests via ingress will be redirected
virtualhost:
# Default Ingress base URL
# can be overwritten in component by setting ingress.baseurlOverride
baseurl: "simpledemo.onap.org"
# prefix for baseaddr
# can be overwritten in component by setting ingress.preaddrOverride
preaddr: ""
# postfix for baseaddr
# can be overwritten in component by setting ingress.postaddrOverride
postaddr: ""
# All http requests via ingress will be redirected on Ingress controller
# only valid for Istio Gateway (ServiceMesh enabled)
config:
ssl: "redirect"
# you can set an own Secret containing a certificate
# only valid for Istio Gateway (ServiceMesh enabled)
# tls:
# secret: 'my-ingress-cert'
# optional: Namespace of the Istio IngressGateway
# only valid for Istio Gateway (ServiceMesh enabled)
namespace: istio-ingress
...
serviceMesh:
enabled: true
tls: true
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
...
aafEnabled: false
cmpv2Enabled: false
tlsEnabled: false
msbEnabled: false
ServiceMesh settings:
enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment)
tls: true → enables mTLS encryption in Sidecar communication
engine: istio → sets the SM engine (currently only Istio is supported)
aafEnabled: false → disables AAF usage for TLS interfaces
tlsEnabled: false → disables creation of TLS in component services
cmpv2Enabled: false → disable cmpv2 feature
msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend)
Ingress settings:
enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)
enable_all: true → enables Ingress configuration in each component
provider: “…” → sets the Ingress provider (ingress, istio, gw-api)
ingressClass: “” → Ingress class (only for provider “ingress”): e.g. nginx, traefik
ingressSelector: “” → Selector (only for provider “istio”) to match with the ingress pod label “istio=ingress”
commonGateway: “” → optional: common used Gateway (for Istio, GW-API) and http(s) listener names
- virtualhost.baseurl: “simpledemo.onap.org” → sets globally the URL for all Interfaces set by the components,
resulting in e.g. “aai-api.simpledemo.onap.org”, can be overwritten in the component via: ingress.baseurlOverride
- virtualhost.preaddr: “pre-” → sets globally a prefix for the Application name for all Interfaces set by the components,
resulting in e.g. “pre-aai-api.simpledemo.onap.org”, can be overwritten in the component via: ingress.preaddrOverride
- virtualhost.postaddr: “-post” → sets globally a postfix for the Application name for all Interfaces set by the components,
resulting in e.g. “aai-api-post.simpledemo.onap.org”, can be overwritten in the component via: ingress.postaddrOverride
config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)
config.tls.secret: “…” → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret
namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
Note
For the Ingress setup example override files (onap-all-ingress-istio.yaml, onap-all-ingress-gatewayapi.yaml) can be found in the oom/kubernetes/onap/resources/overrides/ directory.
External Authentication configuration
For enabling of external authentication via Oauth2-Proxy and Keycloak the following settings have to be done in the ONAP values override. It will enable the deployment of the ONAP Realm to Keycloak and installation and integration of the Oauth2-Proxy as external Auth-Provider.
platform:
enabled: true
cmpv2-cert-service:
enabled: false
keycloak-init:
enabled: true
oauth2-proxy:
enabled: true