1 .. This work is licensed under a Creative Commons Attribution 4.0
2 .. International License.
3 .. http://creativecommons.org/licenses/by/4.0
4 .. Copyright (C) 2022 Nordix Foundation
7 .. _helm deploy: https://github.com/onap/oom/blob/master/kubernetes/helm/plugins/deploy/deploy.sh
9 .. _oom_customize_overrides:
14 The OOM `helm deploy`_ plugin requires deployment configuration as input, usually in the form of override yaml files.
15 These input files determine what ONAP components get deployed, and the configuration of the OOM deployment.
17 Other helm config options like `--set log.enabled=true|false` are available.
19 See the `helm deploy`_ plugin usage section for more detail, or it the plugin has already been installed, execute the following::
23 Users can customize the override files to suit their required deployment.
26 Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`)
27 can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
29 * Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags.
31 * Add to the command line a value for the global master password (ie. --set global.masterPassword=My_superPassw0rd).
34 Enabling/Disabling Components
35 =============================
37 Here is an example of the nominal entries that need to be provided.
38 Different values files are available for different contexts.
40 .. collapse:: Default ONAP values.yaml
42 .. include:: ../../../../kubernetes/onap/values.yaml
47 ONAP "Production" Setup
48 =======================
50 The production setup deploys ONAP components exposing its external services
51 via Ingress with TLS termination.
52 Internal traffic encryption will be ensured by using Istio ServiceMesh.
54 For external access we start to establish Authentication via Oauth2-proxy
55 and Keycloak, which will be completed in the coming release.
57 To enable both "ServiceMesh" and "Ingress" configuration entries need
58 to be set before deployment.
60 Service Mesh and Ingress configuration
61 --------------------------------------
63 Global settings relevant for ServiceMesh and Ingress:
69 # generally enable ingress for ONAP components
71 # enable all component's Ingress interfaces
73 # default Ingress base URL
74 # All http requests via ingress will be redirected
76 # Default Ingress base URL
77 # can be overwritten in component by setting ingress.baseurlOverride
78 baseurl: "simpledemo.onap.org"
80 # can be overwritten in component by setting ingress.preaddrOverride
82 # postfix for baseaddr
83 # can be overwritten in component by setting ingress.postaddrOverride
85 # All http requests via ingress will be redirected on Ingress controller
86 # only valid for Istio Gateway (ServiceMesh enabled)
89 # you can set an own Secret containing a certificate
90 # only valid for Istio Gateway (ServiceMesh enabled)
92 # secret: 'my-ingress-cert'
93 # optional: Namespace of the Istio IngressGateway
94 # only valid for Istio Gateway (ServiceMesh enabled)
95 namespace: istio-ingress
100 # be aware that linkerd is not well tested
101 engine: "istio" # valid value: istio or linkerd
108 ServiceMesh settings:
110 - enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment)
111 - tls: true → enables mTLS encryption in Sidecar communication
112 - engine: istio → sets the SM engine (currently only Istio is supported)
113 - aafEnabled: false → disables AAF usage for TLS interfaces
114 - tlsEnabled: false → disables creation of TLS in component services
115 - cmpv2Enabled: false → disable cmpv2 feature
116 - msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend)
120 - enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)
121 - enable_all: true → enables Ingress configuration in each component
122 - virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components,
123 resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride
124 - virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components,
125 resulting in e.g. "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride
126 - virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components,
127 resulting in e.g. "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride
128 - config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)
129 - config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret
130 - namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
133 For the Ingress setup an example override file (`onap-all-ingress-istio.yaml`)
134 can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
136 External Authentication configuration
137 -------------------------------------
139 For enabling of external authentication via Oauth2-Proxy and Keycloak
140 the following settings have to be done in the ONAP values override.
141 It will enable the deployment of the ONAP Realm to Keycloak and
142 installation and integration of the Oauth2-Proxy as external Auth-Provider.
Code Review / oom.git / blob