Assumptions
- ONAP Components:
  - AAF will be removed
    - → No Container port encryption
  - Services must not use NodePorts
    - → external communication only via Ingress
  - Inter-component communication
    - direct communication (as today)
    - via Ingress (Seshu's proposal)?
- Ingress support:
  - Istio IngressGateway
  - Nginx Ingress?
- Communication encryption:
  - on Ingress level (adding certificate to Gateway)
  - on SM (e.g. Istio sidecars)
  - on Kernel Level (using eBPF via Cilium)
Communication patterns
- Intra-Component communication (e.g. between so-bpmn-infra and so-sdnc-adapter)
- Inter-Component communication (e.g. between onap-cli and so)
- External communication (e.g. user → sdc-ui)
Options
- No ONAP internal encryption:
  - Intra-Component: unencrypted
  - Inter-Component: unencrypted
  - External: unencrypted/encrypted
- Inter-Component encryption:
  - Intra-Component: unencrypted
  - Inter-Component: encrypted
  - External: unencrypted/encrypted
- Full encryption:
  - Intra-Component: encrypted
  - Inter-Component: encrypted
  - External: unencrypted/encrypted
Implementation proposals
Option 1 (no ONAP internal Encryption)
- optional encryption on Ingress (for external communication)
- No service Mesh
- No TLS port encryption on pods
- direct connection between component pods
[draw.io diagram]
Option 2 (inter-component encryption)
- optional encryption on Ingress (for external communication)
- No service Mesh
- No TLS port encryption on pods
- connection between components via Ingress (encrypted)
[draw.io diagram]
Option 3 (full encryption)
- optional encryption on Ingress (for external communication)
- Service Mesh
- No TLS port encryption on pods
- direct connection between component pods
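As an added example (not part of the ONAP proposal), the Istio manifests that would realise Option 3: mesh-wide STRICT mTLS between sidecars for intra- and inter-component traffic, and a certificate on the IngressGateway for external traffic, with no TLS on the pod ports themselves. The namespace `onap`, the hostname, the secret name and the backend service name/port are assumptions.

```yaml
# Added example, not taken from the ONAP page. Assumed values: namespace
# "onap", external host "sdc.onap.example.org", TLS secret "sdc-ingress-cert"
# (type kubernetes.io/tls) in istio-system, backend service "sdc-ui" on 8080.
---
# Mesh-wide mTLS: every sidecar accepts only mTLS from other sidecars, so
# intra- and inter-component traffic is encrypted without changing pod ports.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT               # PERMISSIVE would still accept plaintext
---
# Ingress-level encryption for external communication: the certificate is
# attached to the Gateway, not to the component pods.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: onap-gateway
  namespace: onap
spec:
  selector:
    istio: ingressgateway      # default IngressGateway deployment label
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE             # server-side TLS termination at the Gateway
      credentialName: sdc-ingress-cert
    hosts:
    - sdc.onap.example.org
---
# Route the external host to the component service inside the mesh; the
# Gateway-to-sidecar hop is covered by the STRICT mTLS policy above.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: sdc-ui
  namespace: onap
spec:
  hosts:
  - sdc.onap.example.org
  gateways:
  - onap-gateway
  http:
  - route:
    - destination:
        host: sdc-ui.onap.svc.cluster.local
        port:
          number: 8080
```

Applying the PeerAuthentication before every component has a sidecar breaks traffic from non-injected pods, so roll it out per namespace (or start PERMISSIVE) and confirm with `istioctl x describe pod` that connections report mTLS.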