Access Configuration

Configuring Access to Telco Network Cloud Orchestration (TNC-O)

The installation of TNC-O includes an Ingress Controller which exposes the key services externally. This needs to be configured so that access to these services will be on the required hostnames and ports.

If your environment already has an Ingress Controller available, then disable the one that comes with the TNC-O installation. You can check the status of your ingress controller with:

kubectl get service --all-namespaces | grep ingress

Otherwise, proceed to Configuring the Ingress Controller.

Disabling the Ingress Controller

To use an existing Ingress Controller, disable the one that comes with the TNC-O installation by adding a custom Helm value as follows:

nginx-ingress:
  enabled: false

Now proceed to Configuring the Ingress Hostnames.

Configuring the Ingress Controller

By default, the installation of the controller is configured as follows:

| Protocol | Port |
| --- | --- |
| HTTPS | 32443 |
| HTTP | 32080 |

Configuring the Access Port

The Ingress port value, on which TNC-O is exposed externally, can be set via the Helm values for the helm-foundation chart. The value should be set as follows:

nginx-ingress:
  controller:
    service:
      nodePorts:
        http: 32080
        https: 32443

Configuring SSL Certificate

By default, a “dummy” certificate is generated by the Ingress controller. It is recommended that you generate and provide your own SSL certificate, with a valid common name (CN) value matching the host you will access the controller with.

You can do this by first generating a certificate:

openssl req -newkey rsa:2048 -nodes -keyout ingress.key -x509 -days 3650 -out ingress.cer -subj "/CN=<your-host-ip-or-host-name>"

Create a secret from the .key and .cer file produced:

kubectl create secret tls ingress-tls --key ingress.key --cert ingress.cer -n <target-install-namespace>

Now add the following to your Helm values file:

nginx-ingress:
  controller:
    extraArgs:
      default-ssl-certificate: "<target-install-namespace>/ingress-tls"

For example, if installing TNC-O into the default namespace, you would add:

nginx-ingress:
  controller:
    extraArgs:
      default-ssl-certificate: "default/ingress-tls"
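
Before creating the ingress-tls secret, it is worth confirming that the key and certificate belong together, that the certificate covers the hostname clients will use, and that it is not close to expiry. The following is an added example, not part of the TNC-O documentation; the function names and the 30-day margin are assumptions, and ui.lm is the page's default UI hostname.

```bash
#!/usr/bin/env bash
# Added example (not part of the TNC-O documentation): pre-flight checks on the
# ingress.key / ingress.cer pair before `kubectl create secret tls`.
# Function names and the 30-day expiry margin are assumptions of this example.

# True only if the private key and the certificate carry the same public key.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True only if the certificate is valid for the hostname clients will use.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match certificate"
}

# True only if the certificate is still valid N days from now (default 30).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Runs all checks; prints each failure and returns non-zero if any failed.
preflight_ingress_cert() {
  local key="$1" cert="$2" host="$3" rc=0
  key_matches_cert "$key" "$cert"  || { echo "FAIL: $key does not match $cert" >&2; rc=1; }
  cert_covers_host "$cert" "$host" || { echo "FAIL: $cert is not valid for $host" >&2; rc=1; }
  cert_not_expiring "$cert"        || { echo "FAIL: $cert expires within 30 days" >&2; rc=1; }
  return "$rc"
}

# Usage, with <target-install-namespace> as on the page:
#   preflight_ingress_cert ingress.key ingress.cer ui.lm &&
#     kubectl create secret tls ingress-tls --key ingress.key --cert ingress.cer \
#       -n <target-install-namespace>
```
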

Configuring the Ingress Rules

The rules applied to the Ingress controller decide how the TNC-O services can be accessed.

Hostname rule

By default, a rule is created to access the UI and API through configurable hostnames. The default values for these rules are shown below:

global:
  lm:
    extAccess:
      ui:
        host:
          ## Enable for an Ingress rule to be created which supports access through http(s)://<hostname>:<ingress-port>/ui
          ingressEnabled: true
          ## The Hostname used on the Ingress rule
          name: ui.lm
          ## Set to true if lm-configurator should generate the SSL certificate
          generateCert: true
          ## The Common Name used when generating the SSL certificate (if security is enabled) 
          commonName: ui.lm
          ## Name of the secret to create containing the SSL certificate for the host based access
          certSecretName: nimrod-host-tls
      api:
        host:
          ## Enable for an Ingress rule to be created which supports access through http(s)://<hostname>:<ingress-port>
          ingressEnabled: true
          ## The Hostname used on the Ingress rule
          name: app.lm
          ## Set to true if lm-configurator should generate the SSL certificate
          generateCert: true
          ## The Common Name used when generating the SSL certificate (if security is enabled) 
          commonName: app.lm
          ## Name of the secret to create containing the SSL certificate for the host based access
          certSecretName: ishtar-host-tls

This will allow access to TNC-O at:

| Service | Secure Endpoint | Insecure Endpoint |
| --- | --- | --- |
| UI | https://ui.lm:32443/ui | http://ui.lm:32080/ui |
| API | https://app.lm:32443 | http://app.lm:32080 |

Disable this rule for each service by setting the ingressEnabled and generateCert properties to false.

No Host Rule

By default, an additional rule is created to access the UI and API through the IP address of the Kubernetes environment. The default values for these rules are shown below:

global:
  lm:
    extAccess:
      ui:
        noHost:
          ## Enable for an Ingress rule to be created without a host specified, allowing IP address access http(s)://<Kubernetes-IP>:<ingress-port>/ui
          ingressEnabled: true
          ## Set to true if lm-configurator should generate the SSL certificate
          generateCert: true
          ## The Common Name used when generating the SSL certificate (if security is enabled) 
          ## The default value here is acceptable but will not produce a completely valid certificate
          ## You should update this value to the IP address used to access the UI on this rule
          commonName: ui.lm
          ## Name of the secret to create containing the SSL certificate for non-host based access
          certSecretName: nimrod-nohost-tls
      api:
        noHost:
          ## Enable for an Ingress rule to be created without a host specified, allowing IP address access through http(s)://<Kubernetes-IP>:<ingress-port>/<path>
          ingressEnabled: true
          ## Subpath to access the API on. Leave empty to access the API on the root path of the Ingress host (http(s)://<Kubernetes-IP>:<ingress-port>)
          path: 
          ## Set to true if lm-configurator should generate the SSL certificate
          generateCert: true
          ## The Common Name used when generating the SSL certificate (if security is enabled) 
          ## The default value here is acceptable but will not produce a completely valid certificate
          ## You should update this value to the IP address used to access the API on this rule
          commonName: app.lm
          ## Name of the secret to create containing the SSL certificate for non-host based access
          certSecretName: ishtar-nohost-tls

This will allow access to TNC-O at:

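| Service | Secure Endpoint | Insecure Endpoint |
| --- | --- | --- |
| UI | https://<Kubernetes-IP>:32443/ui | http://<Kubernetes-IP>:32080/ui |
| API | https://<Kubernetes-IP>:32443 | http://<Kubernetes-IP>:32080 |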

You should configure the commonName value to the Kubernetes IP to produce a valid SSL certificate.

Vault

An Ingress rule is created to allow access to Vault (configuration repository) UI.

By default, Vault is accessible at https://vault.lm:32443. To change the Vault hostname, include the following configuration values and replace vault.lm with your hostname:

vault:
  ingress:
    hosts:
      - vault.lm
    tls:
      - secretName: vault-tls
        hosts:
          - vault.lm

Kibana

An Ingress rule is created to allow access to Kibana, the logging dashboard service provided with TNC-O.

By default, Kibana is accessible at https://kibana.lm:32080 or via NodePort at http://<Kubernetes IP>:31001. To configure the Kibana hostname or NodePort you should include the following configuration values and modify them:

kibana: 
  service:
    type: NodePort
    nodePort: 31001
  ingress:
    hosts:
    - kibana.lm

If you update the values above, you also need to update the logging-dashboard configuration so that the TNC-O UI can include hyperlinks to the dashboard when an error has occurred. Set the endpoint to your new hostname, or set it to the Kubernetes IP (and change the port to the NodePort) if preferred.

configurator:
  ## Logging dashboard config
  loggingDashboard:
    ## Enable logging dashboard feature in UI
    enabled: true
    ## Endpoint of the chosen logging dashboard
    endpoint: http://kibana.lm:32080

NodePort access:

configurator:
  ## Logging dashboard config
  loggingDashboard:
    ## Enable logging dashboard feature in UI
    enabled: true
    ## Endpoint of the chosen logging dashboard
    endpoint: http://<Kubernetes IP>:31001

Next steps

You can now proceed to review the configuration for Sizing.