Home
MATRIXX Installation and Upgrade
Encrypted Interface Engine Replay Overview
Transport-layer security (TLS) encryption can be enabled for replay between processing and publishing pods and between engines.

Welcome
MATRIXX Release Notes
MATRIXX Architecture
MATRIXX Installation and Upgrade
- About MATRIXX Installation and Upgrade
  MATRIXX Installation and Upgrade describes the tasks required to install MATRIXX components as containers using Kubernetes and Helm.
- Cloud Native Infrastructure Requirements
  Cloud native MATRIXX deployments have infrastructure requirements for third-party software versions, Kubernetes pod characteristics, and container characteristics. Nodes running MATRIXX components have operating system, memory, networking, and storage requirements.
- Topology Operator and Engine Operator Feature Differences
  Different MATRIXX features are supported depending on whether your installation is based on Topology Operator or Engine Operator.
- Installing MATRIXX
  A cloud native MATRIXX installation consists of containers installed with the MATRIXX Helm chart in a multi-node Kubernetes cluster (or clusters), requiring MATRIXX images and MATRIXX Engine custom resource definitions and controllers.
- Topology Operator Installation and Upgrade Examples
  These examples show how you can configure the installation of multiple MATRIXX Engines in a single namespace, multiple namespaces in a single cluster, and multiple clusters.
- Configuring MATRIXX
  MATRIXX is configured using Helm properties. Questions and answers in create_config.info files can also provide configuration using configuration sources. For information about how to configure MATRIXX, see the discussions of those topics in MATRIXX Configuration.
- Topology Operator
  The Topology Operator method of MATRIXX Engine pod management utilizes multiple custom resources (CRs) and operator pods working together to manage the installation and upgrade of multiple sub-domains and engines across Kubernetes clusters, including the loading of pricing and taxation data.
- Scaling MATRIXX
  Use Helm and Kubernetes to manually add or remove pods as necessary. You can also use Kubernetes to manage resources available to MATRIXX Engine pods.
- Network Enablers in a Kubernetes Cluster
  For Call Control Framework (CCF), only the deployment of Network Enablers (NEs) in a Kubernetes cluster is different from a standard deployment.
- Deploying Cloud Native CAMEL Gateway
  When deploying CAMEL Gateway as part of the reference architecture, you can use any namespace within the Kubernetes clusters. You can make multiple deployments into multiple namespaces, for example, to have different environments for testing and production.
- Enabling MEF Publishing
  An SSH key, used for password-less SSH login, is required to enable _glossary/mef.html publishing in Kubernetes. A secret holds the SSH private key, and the key is specified in Helm values. The SSH key allows administrators to write to a target directory in a secure manner without having to enter a passphrase.
- Encrypted Interface Engine Replay Overview
  Transport-layer security (TLS) encryption can be enabled for replay between processing and publishing pods and between engines.
  - Topology Operator TLS Configuration
    To enable transport-layer security (TLS) encryption in Topology Operator-based deployments, first set up the certificates, then make configuration changes in your Helm values file.
  - Engine Operator TLS Configuration
    To enable transport-layer security (TLS) encryption in Engine Operator-based deployments, first set up the certificates, then make configuration changes in your Helm values file.
  - Enabling TLS Replay
    Transport-layer security (TLS) encryption is supported for all inter-cluster interfaces: between processing and publishing pods, and between engines.
- MATRIXX Reference for MongoDB
  Cloud native MATRIXX deployments support MongoDB as an event store using the MongoDB Enterprise Operator for Kubernetes.
- MATRIXX Reference for Apache Kafka
  The Event Streaming Framework provides a connector for sending event stream data to Apache Kafka. Using 5G event streaming also requires Apache Kafka, which is not provided with MATRIXX. You can use a Helm chart to install and configure Apache Kafka.
- MATRIXX Reference for Ingress
  A Kubernetes Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
- Debugging and Failure Recovery
  MATRIXX components store log files in persistent storage on the node by default, in a persistent volume (PV) at the location specified in global.storage.localStorageDir property (/home/data by default).
- Upgrading Engine Operator-Based MATRIXX Installations
  Upgrading cloud native MATRIXX has several stages.
- Migrating to Topology Operator
  This example shows migration from a MATRIXX version XXXX deployment managed by Engine Operator to a deployment managed by Topology Operator. The same approach applies when migrating from Engine Controller.
- Migration from a Bare Metal to a Cloud Native Deployment
  Migrating from a bare metal MATRIXX deployment to a cloud native deployment (from the same MATRIXX version) requires temporarily using a hybrid platform made up of components from both deployments. This hybrid environment allows migration to the cloud native deployment without disruption of services.
- The Admin Service
  Operations teams can use the Admin Service to administer a MATRIXX deployment with domain-specific commands based on the components that are installed. It allows administration of the installation without providing unrestricted direct access to the Kubernetes cluster. You can secure commands based on user roles and audit command usage.
- Uninstall MATRIXX Engine with Helm
  Use the helm uninstall command to uninstall MATRIXX Engine components installed from the Helm chart.
- Appendixes
MATRIXX Configuration
MATRIXX Security
MATRIXX Integration
MATRIXX Diameter Integration
MATRIXX Call Control Framework Integration
MATRIXX TM Forum Integration
MATRIXX 5G Integration
MATRIXX 5G Event Streaming
MATRIXX Event Streaming
MATRIXX Administration
MATRIXX Web App Administration
MATRIXX Monitoring and Logging
MATRIXX Policy
MATRIXX Kafka CDR Consumer
MATRIXX Pricing and Rating
MATRIXX Pay Now
MATRIXX Subscriber Management
MATRIXX Subscriber Management API
MATRIXX Business API SDK
My MATRIXX Help
MATRIXX Backoffice Customer Tool Help
MATRIXX Third-Party Licenses
Glossary

Encrypted Interface Engine Replay Overview

Transport-layer security (TLS) encryption can be enabled for replay between processing and publishing pods and between engines.

Note: TLS can only be enabled when MATRIXX versions are the same across engines.

Support for TLS replay is enabled in Helm configuration for Engine Operator-based and Topology Operator-based MATRIXX installations. TLS replay uses port 4065 by default.

Three configuration parameters must be set depending on the granularity at which certificates are defined in the installation:

global.topology.domains[x].tlsSecret.name — The name of an existing Kubernetes secret to mount in all Traffic Routing Agent (TRA-PROC and TRA-PUB) pods defined in a domain, in the folder /etc/tls-cert-key/.
global.topology.domains[x].subdomains[y].tlsSecret.name — The name of an existing Kubernetes secret to mount in all TRA-PROC and TRA-PUB pods defined in a sub-domain, in the folder /etc/ssk-key/. Other sub-domains might use other certificates.
global.topology.domains[x].subdomains[y].engines[z].tlsSecret.name — The name of an existing Kubernetes secret to mount in all TRA-PROC and TRA-PUB pods defined in an engine, in the folder /etc/ssk-key/. Other engines might use other certificates.

Note: These values are only used for replay in TRA-PROC and TRA-PUB virtual servers (VSs).

For more information, see the discussion about domain, sub-domain, and engine topology configuration in MATRIXX Configuration.

Migrating to TLS replay involves the following:

Configure the standby engine to use TLS replay.
When the reconfigured engine reaches the PRE-INIT state, enable TLS fallback so that the standby engine can communicate with the active engine before it has also been reconfigured.
Test to confirm that TLS is working between engines and between processing and publishing pods in the reconfigured engine.
Configure the remaining engine (previously active, temporarily standby) to use TLS replay.
Disable TLS fallback.

For more information, see the discussions about configuration and enabling TLS replay in this section.