DCAE has different types of components/microservices

Collectors: All DCAE collectors interface with external network element (trusted/untrusted depending on protocol/interface) however data validation is done in most cases.

VESCollector/HV-VES - Data validation done on event receipt and rejected if non-conforming to the expected spec. Both collectors are expected to recieve data from any xNF.

• DFC/RESTConf/SNMPTrap - Data validation done during post processing of the events in the northbound flow. DFC and RESTConf accepts events only from configured xNF, SNMPTrap collector is listener services accepts any traps sent to it.

EventProcessors/Analytics - These components do not accept data from external sources (i.e outside ONAP) and work through data coming via DMAAP (internal to ONAP)

Not currently however need to ensure DL-Admin updates planned are compliant with this requirement in future release.

As of Kohn, DCAE component default deployment is set for non-TLS (in OOM charts) however the ServiceMesh integration will ensure both inter and intra ONAP component communication is supported under TLS. 

To be confirmed if host certificate validation is done under Service Mesh.

In general the application credentials are stored as K8S secret and application config under K8S Configmap. For application config processing simplification, these are combined into single file within K8S pod/container (true when credentials are maintained part of microservice charts).  With migration to SVC mesh, most component charts are being updated to remove independent K8S secret in Kohn, any remaining updates will be completed by London release.

Yes, most DCAE components (collectors) support secure external interfaces with exception of SNMPTRap which is based on UDP protocol. 

FTP (DFC), HTTP (VES) are supported options but disabled by default.