Users can customize the override files to suit their required deployment.
.. note::
- Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`)
+ Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`)
can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
* Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags.
Enabling/Disabling Components
------------------------------
+=============================
+
Here is an example of the nominal entries that need to be provided.
Different values files are available for different contexts.
|
-Some other heading
-------------------
-adva
\ No newline at end of file
+ONAP "Production" Setup
+=======================
+
+The production setup deploys ONAP components exposing its external services
+via Ingress with TLS termination.
+Internal traffic encryption will be ensured by using Istio ServiceMesh.
+
+For external access we start to establish Authentication via Oauth2-proxy
+and Keycloak, which will be completed in the coming release.
+
+To enable both "ServiceMesh" and "Ingress" configuration entries need
+to be set before deployment.
+
+Service Mesh and Ingress configuration
+--------------------------------------
+
+Global settings relevant for ServiceMesh and Ingress:
+
+.. code-block:: yaml
+
+ global:
+ ingress:
+ # generally enable ingress for ONAP components
+ enabled: true
+ # enable all component's Ingress interfaces
+ enable_all: false
+
+ # Provider: ingress, istio, gw-api
+ provider: gw-api
+ # Ingress class (only for provider "ingress"): e.g. nginx, traefik
+ ingressClass:
+ # Ingress Selector (only for provider "istio") to match with the
+ # ingress pod label "istio=ingress"
+ ingressSelector: ingress
+ # optional: common used Gateway (for Istio, GW-API) and listener names
+ commonGateway:
+ name: ""
+ httpListener: ""
+ httpsListener: ""
+
+ # default Ingress base URL
+ # All http requests via ingress will be redirected
+ virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
+ baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
+ # All http requests via ingress will be redirected on Ingress controller
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ # only valid for Istio Gateway (ServiceMesh enabled)
+ namespace: istio-ingress
+ ...
+ serviceMesh:
+ enabled: true
+ tls: true
+ # be aware that linkerd is not well tested
+ engine: "istio" # valid value: istio or linkerd
+ ...
+ aafEnabled: false
+ cmpv2Enabled: false
+ tlsEnabled: false
+ msbEnabled: false
+
+ServiceMesh settings:
+
+- enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment)
+- tls: true → enables mTLS encryption in Sidecar communication
+- engine: istio → sets the SM engine (currently only Istio is supported)
+- aafEnabled: false → disables AAF usage for TLS interfaces
+- tlsEnabled: false → disables creation of TLS in component services
+- cmpv2Enabled: false → disable cmpv2 feature
+- msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend)
+
+Ingress settings:
+
+- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled)
+- enable_all: true → enables Ingress configuration in each component
+- provider: "..." → sets the Ingress provider (ingress, istio, gw-api)
+- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik
+- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress"
+- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names
+- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components,
+ resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride
+- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components,
+ resulting in e.g. "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride
+- virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components,
+ resulting in e.g. "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride
+- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443)
+- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret
+- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate
+
+.. note::
+ For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`)
+ can be found in the `oom/kubernetes/onap/resources/overrides/` directory.
+
+External Authentication configuration
+-------------------------------------
+
+For enabling of external authentication via Oauth2-Proxy and Keycloak
+the following settings have to be done in the ONAP values override.
+It will enable the deployment of the ONAP Realm to Keycloak and
+installation and integration of the Oauth2-Proxy as external Auth-Provider.
+
+.. code-block:: yaml
+
+ platform:
+ enabled: true
+ cmpv2-cert-service:
+ enabled: false
+ keycloak-init:
+ enabled: true
+ oauth2-proxy:
+ enabled: true
\ No newline at end of file
Code Review / oom.git / blobdiff