Current status (Kohn)
Global settings:
global settings
global:
...
# Global ingress configuration
ingress:
# generally enable ingress for ONAP components
enabled: false
# enable all component's Ingress interfaces
enable_all: false
# default Ingress base URL
# can be overwritten in component by setting ingress.baseurlOverride
virtualhost:
baseurl: "simpledemo.onap.org"
# All http requests via ingress will be redirected on Ingress controller
# only valid for Istio Gateway (ServiceMesh enabled)
config:
ssl: "redirect"
# you can set an own Secret containing a certificate
# only valid for Istio Gateway (ServiceMesh enabled)
# tls:
# secret: 'my-ingress-cert'
# optional: Namespace of the Istio IngressGateway
# only valid for Istio Gateway (ServiceMesh enabled)
namespace: istio-ingress
# Global Service Mesh configuration
# POC Mode, don't use it in production
serviceMesh:
enabled: false
tls: true
# be aware that linkerd is not well tested
engine: "istio" # valid value: istio or linkerd
Component settings (e.g. in SDNC/DGBUILDER):
component settings
dgbuilder:
ingress:
enabled: false
service:
- baseaddr: "sdnc-dgbuilder-ui"
name: "sdnc-dgbuilder"
port: 3000
- baseaddr: "sdnc-web-service-api"
name: "sdnc-web-service"
port: 8443
plain_port: 8080
config:
ssl: "redirect"
Enhancements in London
Additional parameters to modify the BaseAddess value of the composed Ingress URL
Problem:
- If ONAP is installed on multiple clusters (e.g. clusterA, clusterB)
- and a wildcard-certificate for the baseurl domain exists (e.g. *.simpledemo.onap.org)
- you cannot create cluster specific Ingress URLs for the ONAP services (e.g. sdnc-dgbuilder-ui.simpledemo.onap.org)
Solution:
- Add a cluster specific post/prefix to the baseAddr of the service to create uniqe URLs instead changing each service baseAddr
- Results using "postfix" e.g.
- sdnc-dgbuilder-ui-clusterA.simpledemo.onap.org
- sdnc-dgbuilder-ui-clusterB.simpledemo.onap.org
Ingress URL is currently composed:
Default: <component.ingress.service.baseaddr>.<global.ingress.virtualhost.baseurl>
Override: <component.ingress.service.baseaddr>.<component.ingress.baseurlOverride>
Ingress URLs result of the upper setup:
sdnc-web-service-api.simpledemo.onap.org, sdnc-dgbuilder-ui.simpledemo.onap.org
Planned enhancement:
- Additional options in "global" section
- Enhancement for the Ingress template
Enhancement for URL
# default Ingress base URL and preAddr- and postAddr settings
# Ingress URLs result:
# <preAddr><component.ingress.service.baseaddr><postAddr>.<baseurl>
virtualhost:
# Default Ingress base URL
# can be overwritten in component by setting ingress.baseurlOverride
baseurl: "simpledemo.onap.org"
# prefix for baseaddr
# can be overwritten in component by setting ingress.preAddrOverride
preAddr: ""
# postfix for baseaddr
# can be overwritten in component by setting ingress.preAddrOverride
postAddr: ""
Allow customized Ingress Gateway Ports
Problem:
- Ingress Gateways usually expose HTTP ports (80, 443), can be extended in non-NGINX gateways (e.g. Istio, Traefik)
- The existing Ingress template only supports the 80/443 ports
- If non-HTTP ports need to be exposed (e.g. Kafka Bootstrap, SDNC CallHome/TLS), this is not possible
- see: External Kafka Access via Ingress
Solution:
- In the component's ingress configuration the exposed port needs to be configurable
- the Ingress template needs to generate the respective Gateway/VC resources
Planned enhancement for components ingress definition:
Add new optional configuration parameters:
- exposedPort (custiomized Ingress-Gateway ports)
- exposedProtocol (Protocol used on the exposed port)
Enhancement for URL
ingress:
enabled: false
service:
- baseaddr: "kafka-bootstrap-api"
name: "onap-strimzi-kafka-external-bootstrap"
port: 9094
exposedPort: 9010
exposedProtocol: TLS
- baseaddr: "kafka-api"
name: "onap-strimzi-kafka-0"
port: 9094
exposedPort: 9000
exposedProtocol: TLS
- baseaddr: "kafka-api"
name: "onap-strimzi-kafka-1"
port: 9094
exposedPort: 9001
exposedProtocol: TLS
- baseaddr: "kafka-api"
name: "onap-strimzi-kafka-2"
port: 9094
exposedPort: 9002
exposedProtocol: TLS