Users can customize the override files to suit their required deployment.
.. note::
- Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`)
+ Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`)
can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
* Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags.
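Review bot: The file names and the directory path in the changed note line are wrapped in single backticks, which reStructuredText treats as the default interpreted-text role rather than as a literal, while the bullet right below uses double backticks for ``enabled: true/false``. Since the line is being touched anyway, use double backticks for `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml` and the `oom/kubernetes/onap/resources/overrides/` path so they render as literals.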
Enabling/Disabling Components
-*****************************
+=============================
+
Here is an example of the nominal entries that need to be provided.
Different values files are available for different contexts.
|
-(Optional) "ONAP on Service Mesh"
-*********************************
+ONAP "Production" Setup
+=======================
+
+The production setup deploys ONAP components exposing its external services
+via Ingress with TLS termination.
+Internal traffic encryption will be ensured by using Istio ServiceMesh.
+
+For external access we start to establish Authentication via Oauth2-proxy
+and Keycloak, which will be completed in the coming release.
+
+To enable both "ServiceMesh" and "Ingress" configuration entries need
+to be set before deployment.
-To enable "ONAP on Service Mesh" both "ServiceMesh" and "Ingress"
-configuration entries need to be configured before deployment.
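Review bot: The added sentence 'To enable both "ServiceMesh" and "Ingress" configuration entries need to be set before deployment.' has lost its object. The removed text named what was being enabled ("ONAP on Service Mesh"); the new one does not. Suggest: 'To enable the production setup, both the "ServiceMesh" and "Ingress" configuration entries need to be set before deployment.' In the same block, "ONAP components exposing its external services" should read "their", and "which will be completed in the coming release" will go stale: name the release and state which external interfaces are not yet covered by Oauth2-proxy and Keycloak, since the section is titled "Production" and readers will assume external access is authenticated.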
+Service Mesh and Ingress configuration
+--------------------------------------
-Global settings relevant for ServiceMesh:
+Global settings relevant for ServiceMesh and Ingress:
.. code-block:: yaml
global:
ingress:
# generally enable ingress for ONAP components
- enabled: false
+ enabled: true
# enable all component's Ingress interfaces
enable_all: false
+
+ # Provider: ingress, istio, gw-api
+ provider: gw-api
+ # Ingress class (only for provider "ingress"): e.g. nginx, traefik
+ ingressClass:
+ # Ingress Selector (only for provider "istio") to match with the
+ # ingress pod label "istio=ingress"
+ ingressSelector: ingress
+ # optional: common used Gateway (for Istio, GW-API) and listener names
+ commonGateway:
+ name: ""
+ httpListener: ""
+ httpsListener: ""
+
# default Ingress base URL
- # can be overwritten in component by setting ingress.baseurlOverride
+ # All http requests via ingress will be redirected
virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
# All http requests via ingress will be redirected on Ingress controller
# only valid for Istio Gateway (ServiceMesh enabled)
config:
tls: true
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
+ ...
aafEnabled: false
cmpv2Enabled: false
tlsEnabled: false
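Review bot: Around "virtualhost:" in the YAML example the comments are now duplicated and one is misplaced. The unchanged "# default Ingress base URL" stays in place, the new "# All http requests via ingress will be redirected" lands directly above "virtualhost:" although the full redirect comment is still present further down above "config:", and "# Default Ingress base URL" is then added a second time above "baseurl". Suggest removing the first two and keeping only the comment on "baseurl". The new comments also say "prefix for baseaddr" and "postfix for baseaddr" while the key is "baseurl" and the parameter list describes them as a prefix and postfix for the application name; use one term. "ingressClass:" is added with no value, which parses as null; give it an explicit "" like "preaddr" so it is clear it is intentionally unset when the provider is gw-api.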
- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)
- enable_all: true → enables Ingress configuration in each component
+- provider: "..." → sets the Ingress provider (ingress, istio, gw-api)
+- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik
+- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress"
+- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names
- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components,
resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride
+- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components,
+ resulting in e.g. "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride
+- virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components,
+ resulting in e.g. "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride
- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)
- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret
- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
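Review bot: The unchanged first bullet, "enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)", reads as if the controller were selected by the service mesh setting, while the new "provider" bullet makes it an explicit choice (ingress, istio, gw-api). Reconcile the two in this change so the list does not describe both behaviours. The new 'commonGateway: ""' bullet presents the key as a string, but the YAML example defines it as a map with name, httpListener and httpsListener; list those three sub-keys instead. For "virtualhost.preaddr" and "virtualhost.postaddr", the values "pre-" and "-post" are shown as if they were the settings, whereas the YAML example sets both to ""; mark them as examples.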
.. note::
- For "ONAP on Istio" an example override file (`onap-all-ingress-istio.yaml`)
+ For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`)
can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
+
+External Authentication configuration
+-------------------------------------
+
+For enabling of external authentication via Oauth2-Proxy and Keycloak
+the following settings have to be done in the ONAP values override.
+It will enable the deployment of the ONAP Realm to Keycloak and
+installation and integration of the Oauth2-Proxy as external Auth-Provider.
+
+.. code-block:: yaml
+
+ platform:
+ enabled: true
+ cmpv2-cert-service:
+ enabled: false
+ keycloak-init:
+ enabled: true
+ oauth2-proxy:
+ enabled: true
\ No newline at end of file
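Review bot: The new "External Authentication configuration" section does not say what the snippet depends on or what it protects. The text says "keycloak-init" deploys the ONAP realm to Keycloak, which implies an existing Keycloak instance, but no prerequisite or pointer is given. "cmpv2-cert-service" is set to "enabled: false" in the snippet without any explanation of why it belongs to this setup. Nothing states which Ingress routes require authentication once "oauth2-proxy" is enabled, and the production setup text above says this work is not complete yet. Add a sentence for each point so an operator does not assume every external interface is authenticated. Spelling is also inconsistent: "Oauth2-Proxy" here, "Oauth2-proxy" in the production setup paragraph. Finally, the file now ends without a trailing newline; add one.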