ONAP "Networking" Options (>=Kohn)

Communication patterns

AAF will be removed
- → No Container port encryption
Services must not use NodePorts
- → external communication only via Ingress
Ingress is the default for external communication
- Istio IngressGateway
- Nginx Ingress ?
Inter-component communication can be
- directly (as today)
- via Ingress (Seshu's proposal) ?
Communication encryption can be done:
- on Ingress level (adding certificate to Gateway)
- on SM (e.g. Istio sidecars)
- on Kernel Level (using eBPF via Cilium)

No ONAP internal encryption:
1. Intra-Component: unencrypted
2. Inter-Component: unencrypted
3. External: unencrypted/encrypted
Inter-Component encryption:
1. Intra-Component: unencrypted
2. Inter-Component: encrypted
3. External: unencrypted/encrypted
Full encryption:
1. Intra-Component: encrypted
2. Inter-Component: encrypted
3. External: unencrypted/encrypted

External communication:
- Components expose (external) interfaces to Ingress
- Encryption on Ingress (optional)
Internal communication:
- No service Mesh
- No TLS port encryption on pods
- Direct unencrypted inter-component communication

External communication:
- Components expose (external) interfaces to Ingress
- Encryption on Ingress (optional)
Internal communication:
- No service Mesh
- No TLS port encryption on pods
- Inter-component communication via Ingress (encrypted)

External communication:
- Components expose (external) interfaces to Ingress
- Encryption on Ingress (optional)
Internal communication:
- Service Mesh enabled
- No TLS port encryption on pods
- Direct encrypted inter-component communication (via sidecars)

Solution using Istio:

Solution using eBPF via Cilium: