
Assumptions

  • ONAP Components:
    • AAF, which issued the certificates that components used for TLS on their own ports, will be removed
    • → no container port encryption: components no longer terminate TLS themselves, so any encryption has to be provided by the platform (Ingress, service mesh or CNI)
  • Services must not use NodePorts
    • → external communication only via Ingress
    • Inter-component communication, two candidates:
      • direct communication between component services (as today)
      • via Ingress (Seshu's proposal) ? (open question)
  • Ingress support:
    • Istio IngressGateway
    • Nginx Ingress ? (open question)
  • Communication encryption can be terminated at one of three layers:
    • on Ingress level (adding a certificate to the Gateway; covers only the hop from the external client to the Ingress, the hop from the Ingress to the pod stays in clear)
    • on service mesh (SM) level (e.g. Istio sidecars doing mTLS between pods; the application itself still listens in plaintext on localhost)
    • on Kernel level (transparent node-to-node encryption using eBPF via Cilium; no per-workload identity, and traffic between pods on the same node is not encrypted)
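The "on Ingress level" variant, written out as an added example for the Istio IngressGateway (this is illustration, not a manifest from this page or from the ONAP Helm charts). The hostname, the namespaces, the Secret name and the sdc-fe service port are assumptions for the example:

```yaml
# TLS termination at the Istio IngressGateway for one ONAP UI.
# Hostname, namespaces, Secret name and service port are assumptions for this
# example, not values taken from the ONAP charts.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: onap-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway          # label of the IngressGateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # server-side TLS only, no client certificates
      credentialName: onap-ingress-cert   # kubernetes.io/tls Secret (tls.crt, tls.key)
                                          # in the namespace of the gateway pods
    hosts:
    - "sdc.onap.example.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true          # never serve the UI in clear, redirect to https
    hosts:
    - "sdc.onap.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: sdc-ui
  namespace: onap
spec:
  hosts:
  - "sdc.onap.example.com"
  gateways:
  - istio-ingress/onap-gateway     # <namespace>/<gateway name>
  http:
  - route:
    - destination:
        host: sdc-fe.onap.svc.cluster.local   # without a mesh this hop is plain HTTP
        port:
          number: 8181
```

Without sidecars (Option 1 and 2 below) the last hop from the gateway to sdc-fe is plaintext; only with a service mesh and STRICT mTLS does the gateway, which is itself a mesh member, encrypt that hop as well.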

Communication patterns

  • Intra-Component communication: between pods of the same component (e.g. between so-bpmn-infra and so-sdnc-adapter, both part of SO)
  • Inter-Component communication: between different ONAP components (e.g. between onap-cli and so)
  • External communication: between a client outside the cluster and an ONAP endpoint (e.g. user → sdc-ui)

Options

  1. No ONAP internal encryption:
    1. Intra-Component: unencrypted
    2. Inter-Component: unencrypted
    3. External: unencrypted/encrypted (decided at the Ingress, independent of the internal option)
  2. Inter-Component encryption:
    1. Intra-Component: unencrypted
    2. Inter-Component: encrypted
    3. External: unencrypted/encrypted (decided at the Ingress)
  3. Full encryption:
    1. Intra-Component: encrypted
    2. Inter-Component: encrypted
    3. External: unencrypted/encrypted (decided at the Ingress)

Implementation proposals

Option 1 (no ONAP internal encryption)

  • optional TLS termination on Ingress (for external communication)
  • No service mesh
  • No TLS port encryption on pods
  • direct, unencrypted connection between component pods
  • → relies entirely on the isolation of the cluster network; anything with access to that network (another tenant's pod, a compromised node) can read ONAP traffic

Option 2 (inter-component encryption)

  • optional TLS termination on Ingress (for external communication)
  • No service mesh
  • No TLS port encryption on pods
  • connection between components via Ingress (encrypted only between the calling pod and the Ingress; the last hop from the Ingress to the target pod is plaintext, because no pod terminates TLS)
  • → every inter-component call leaves its namespace and loops through the Ingress; intra-component traffic stays unencrypted, and the Ingress becomes a single choke point for all ONAP-internal traffic

Option 3 (full encryption)

  • optional TLS termination on Ingress (for external communication)
  • Service mesh (sidecar mTLS between all pods, e.g. Istio with a STRICT PeerAuthentication)
  • No TLS port encryption on pods (the sidecar terminates TLS; the application keeps listening in plaintext on localhost)
  • direct connection between component pods; the sidecars encrypt it transparently
  • → covers intra- and inter-component traffic with a per-workload identity; pods without a sidecar (e.g. Jobs or init containers excluded from injection) cannot reach STRICT services and have to be handled explicitly
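Option 3 with Istio, as an added example (not a manifest from this page or from the ONAP charts): strict mTLS is set mesh-wide and again for the ONAP namespace, plus a port-level exception for one workload that must keep accepting plaintext. The namespace name, the workload label and the excepted port are assumptions for the example:

```yaml
# Namespace-wide strict mTLS for ONAP with Istio.
# Namespace "onap", label app=so-sdnc-adapter and port 8080 are assumptions
# for this example, not values taken from the ONAP charts.
apiVersion: v1
kind: Namespace
metadata:
  name: onap
  labels:
    istio-injection: enabled     # every new pod in the namespace gets a sidecar
---
# Mesh-wide default: a namespace without its own policy is still STRICT,
# so a forgotten namespace cannot silently fall back to plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace, applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# Explicit policy for the ONAP namespace. STRICT makes the sidecar reject any
# inbound connection that is not Istio mTLS, so a pod without a sidecar can no
# longer reach an ONAP service. This covers intra- and inter-component calls.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: onap
spec:
  mtls:
    mode: STRICT
---
# Exception for a single workload and port that must keep accepting plaintext
# (e.g. a client or scraper outside the mesh). portLevelMtls needs a selector.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: so-sdnc-adapter-legacy-port
  namespace: onap
spec:
  selector:
    matchLabels:
      app: so-sdnc-adapter
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE           # accepts both mTLS and plaintext on this port only
```

PERMISSIVE is the mode to use while migrating, because it keeps plaintext callers working; the security goal of Option 3 is only reached once every PeerAuthentication is STRICT and `kubectl get peerauthentication -A` shows no PERMISSIVE entries other than the deliberate exceptions. Pods created with injection disabled (Jobs, init-only pods) are the first thing that breaks under STRICT and should be listed before the switch.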
