...
- Every component in its own namespace
- All "common" components in separate namespaces
- No implicit dependencies between common components and ONAP
- No nodeports unless really required
- istio-ingress used as ingress controller
- Up to 4 entrypoints for deployment. For example:
  - simpledemo.onap.org (UI)
  - south.simpledemo.onap.org (southbound interfaces)
  - iam.simpledemo.onap.org (keycloak)
  - api.simpledemo.onap.org (API for OSS/BSS)
- Every entrypoint exposed as a separate ingress instance
- Every ingress gateway does the SSL termination, re-encrypts the traffic and sends it to the component using mTLS
- Istio network policy configured in a way that only desired services can communicate with each other
- Auth between services done using certs (mTLS)
- OpenID Connect used to authenticate user
- In the testing deployment Keycloak is used, but it can be replaced with anything else compatible with OIDC
- cert-manager and Citadel used to retrieve certificates
- Kubernetes is configured to use the encryption-at-rest plugin
- Istio automated sidecar injection is configured in the underlying Kubernetes cluster
- No root pods
- All DBs are considered external
- Documented roles
- Ability to integrate with LDAP, Kerberos, AAF as IdP
- Ability to retrieve the certificate from external CA
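As an added illustration (not the ONAP project's own manifests), the following Kubernetes and Istio resources show how several of the principles above are expressed in configuration: mesh-wide strict mTLS, a default-deny authorization policy with a per-namespace allow rule, a dedicated HTTPS ingress gateway for the `api.simpledemo.onap.org` entrypoint whose TLS secret comes from cert-manager, OIDC token validation against Keycloak, and a non-root, ClusterIP-only workload. The namespace `onap-sdc`, the labels `app: sdc-fe` and `istio: api-ingress`, the gateway service account `api-gateway`, the Keycloak realm path and the secret name are all assumptions chosen for the example.

```yaml
# Mesh-wide strict mTLS: a policy named "default" in the root namespace
# applies to every workload, so plaintext service-to-service traffic is refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Default deny: an empty AuthorizationPolicy in the root namespace means no
# service may talk to another until an explicit ALLOW rule exists.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# One namespace per component (hypothetical "onap-sdc"), with automatic
# sidecar injection enabled by label.
apiVersion: v1
kind: Namespace
metadata:
  name: onap-sdc
  labels:
    istio-injection: enabled
---
# Allow only the API ingress gateway to reach this component. The principal
# is the SPIFFE identity carried in the gateway's mTLS certificate (assumed
# service account "api-gateway" in namespace "istio-ingress").
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-from-api-gateway
  namespace: onap-sdc
spec:
  selector:
    matchLabels:
      app: sdc-fe
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-ingress/sa/api-gateway"]
---
# Separate ingress instance for the API entrypoint. TLS is terminated here;
# the secret is assumed to be issued by a cert-manager Certificate resource.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: api-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: api-ingress
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: api-simpledemo-onap-org-tls
    hosts:
    - api.simpledemo.onap.org
---
# OIDC: JWTs issued by Keycloak are validated at the gateway. The realm URL
# is an assumption; any OIDC-compatible issuer can be substituted.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: keycloak-jwt
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: api-ingress
  jwtRules:
  - issuer: "https://iam.simpledemo.onap.org/realms/onap"
    jwksUri: "https://iam.simpledemo.onap.org/realms/onap/protocol/openid-connect/certs"
---
# RequestAuthentication alone only rejects *invalid* tokens; this DENY rule
# also rejects requests that carry no token at all.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: api-ingress
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
---
# Workload pod: no root, no privilege escalation. Exposed via ClusterIP only,
# never NodePort; external reachability comes solely through the gateway.
apiVersion: v1
kind: Pod
metadata:
  name: sdc-fe
  namespace: onap-sdc
  labels:
    app: sdc-fe
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - name: sdc-fe
    image: example.invalid/sdc-fe:placeholder   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
```

The ordering matters when applying this: the mesh-wide `deny-all` policy takes effect immediately, so the per-namespace ALLOW rules (and a similar rule letting the gateway's own traffic reach each component) must be in place before the deny is applied, or existing traffic is cut off. Verifying the result is straightforward: a curl from a pod without a sidecar to `sdc-fe` should fail the TLS handshake under STRICT mode, and a request to the gateway without a bearer token should receive a 403 from the `require-jwt` policy.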