Tokkio Ingress

Tokkio ingress gatekeeps all requests flowing into the backend server. It provides features such as routing, authentication, authorization, and session management.

The structure of the ingress can be divided into three components:

  1. Envoy Proxy: Envoy proxy handles user identity authentication (currently integrated with the Nvidia StarFleet Staging & Prod environments) and manages the Cross-Origin Resource Sharing (CORS) header.

  2. Nginx Ingress: The Nginx reverse proxy mainly handles session management. It distributes the client token and validates it against the server. The session behavior can be configured as fixed-duration mode or auto-refresh mode, depending on the use case.

  3. Lifecycle Manager: This module provides an HTTP endpoint to probe the health of the underlying application.

Tokkio ingress integrates with Nvidia StarFleet as the primary identity provider out of the box and can potentially be adapted to any identity provider that supports the [OAuth 2.0 Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1). Contact Nvidia representatives to onboard with Nvidia StarFleet or to request integration with your own IDP. Tokkio ingress also works without an IDP.

The ingress uses a cookie to grant access on a first-come, first-served basis with a capacity limit. The limit is configured with the maxNumSession parameter (the current release supports up to 3 concurrent streams per deployment).

By default, once a client connects, it occupies one slot of capacity until it disconnects. You can change this behavior by configuring a timed session: toggle off the enableSessionRefresh parameter. A timed session lasts 90 seconds by default, and you can configure the duration with the tokenTTL parameter. Note that tokenMaxAge decides how long the client is locked out before it can request another session from the server, so it is advisable to set it to a greater number than tokenTTL to prevent a single client from hogging the pipeline.

Architecture

Ingress Proxy with IDP

Usage

Params

Maximum number of sessions supported:

maxNumSession: "3"

Server token time to live:

tokenTTL: "90"

Client token time to live:

tokenMaxAge: "100"

Session control allow origin domains:

accessControlAllowOrigin: "\\*"

Configure whether the session token should be refreshed (only enable when operating under kiosk mode):

enableSessionRefresh: "false"

Configure whether vision triggers should be sent on session start & end (only enable for audio only mode):

enableSessionTrigger: "false"

Configure whether StarFleet staging is enabled as identity provider (mutually exclusive with enableStarFleetProd):

enableStarFleetStg: false

Configure whether StarFleet prod is enabled as identity provider (mutually exclusive with enableStarFleetStg):

enableStarFleetProd: false

StarFleet client id to verify during authentication, disabled when left empty:

starFleetClientId: ""

Basic authentication username (secure access to admin endpoints, not used for general access):

basicAuthUsername: "admin"

Basic authentication password (secure access to admin endpoints, not used for general access):

basicAuthPassword: "admin"
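
The constraints stated for these params can be checked before deployment. The following is an added example, not part of Tokkio or its source: a small linter that takes the params as a dict and reports settings that conflict with this page's guidance. The function name, the finding codes, the lower bound of 1 on maxNumSession, and the reading of the sample accessControlAllowOrigin value as a wildcard are assumptions.

```python
# Added example: pre-deployment lint of Tokkio ingress params (not Tokkio code).
# Function name and finding codes are hypothetical; rules come from this page.

PAGE_DEFAULTS = {  # sample values as listed on this page
    "maxNumSession": "3", "tokenTTL": "90", "tokenMaxAge": "100",
    "accessControlAllowOrigin": "\\*", "enableSessionRefresh": "false",
    "enableSessionTrigger": "false", "enableStarFleetStg": False,
    "enableStarFleetProd": False, "starFleetClientId": "",
    "basicAuthUsername": "admin", "basicAuthPassword": "admin",
}


def _as_bool(value):
    # Params appear both as booleans (false) and as quoted strings ("false").
    return str(value).strip().lower() == "true"


def lint_ingress_params(p):
    """Return (code, message) findings for a dict of ingress params."""
    out = []
    ttl, max_age = int(p["tokenTTL"]), int(p["tokenMaxAge"])
    stg, prod = _as_bool(p["enableStarFleetStg"]), _as_bool(p["enableStarFleetProd"])

    # Upper bound 3 is from the page; the lower bound 1 is an assumption.
    if not 1 <= int(p["maxNumSession"]) <= 3:
        out.append(("SESSIONS", "maxNumSession outside 1..3 concurrent streams"))
    if _as_bool(p["enableSessionRefresh"]):
        out.append(("REFRESH_ON", "client holds a slot until disconnect; kiosk mode only"))
    elif max_age <= ttl:  # the page gives this advice for timed sessions
        out.append(("LOCKOUT", "tokenMaxAge should be greater than tokenTTL"))
    if stg and prod:
        out.append(("IDP_BOTH", "StarFleet staging and prod are mutually exclusive"))
    if (stg or prod) and not p.get("starFleetClientId"):
        out.append(("CLIENT_ID", "empty starFleetClientId disables the client id check"))
    if (p.get("basicAuthUsername"), p.get("basicAuthPassword")) == ("admin", "admin"):
        out.append(("DEFAULT_CREDS", "admin endpoints still use the sample admin/admin"))
    # Assumption: the sample value is an escaped "*", meaning any origin.
    if str(p.get("accessControlAllowOrigin", "")).replace("\\", "") == "*":
        out.append(("CORS_ANY", "accessControlAllowOrigin allows every origin"))
    return out


def codes(p):
    return [code for code, _ in lint_ingress_params(p)]


if __name__ == "__main__":
    for code, message in lint_ingress_params(PAGE_DEFAULTS):
        print(f"{code}: {message}")
```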

Connections

ingress-endpoints:
- name: app
  description: Ingress endpoint that routes directly into ui server
- name: health
  description: Application health and session information
egress-endpoints:
- name: redis
  description: Redis message broker for session token storage
- name: ui-server
  description: Tokkio ui server
- name: vms
  description: Tokkio video storage toolkit

Tokkio Ingress Source

The Tokkio Ingress source can be used as a reference for further development.

$ ngc registry resource download-version "nvidia/ucs-ms/tokkio_ingress_source:4.0.1"

Supported Platforms

  • x86 Linux Ubuntu