Tokkio Ingress#
Tokkio ingress gatekeeps all requests flowing into the backend server. It provides features such as routing, authentication, authorization, and session management.
The structure of the ingress can be divided into three components:
Envoy Proxy: Envoy proxy handles user identity authentication (currently integrated with the Nvidia StarFleet Staging & Prod environments) and manages the Cross-Origin Resource Sharing (CORS) headers.
Nginx Ingress: The Nginx reverse proxy mainly handles session management. It distributes client tokens and validates them against the server. The session behavior can be configured to fixed-duration mode or auto-refresh mode depending on the use case.
Lifecycle Manager: This module provides an HTTP endpoint to probe the health of the underlying application.
Tokkio ingress integrates with Nvidia StarFleet as the primary identity provider out of the box and can potentially be adapted to any identity provider that supports the [OAuth 2.0 Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1). Contact Nvidia representatives to onboard with Nvidia StarFleet or to request integration with your own IDP. Tokkio ingress also works without an IDP.
The ingress uses a cookie to grant access on a first-come, first-served basis with a capacity limit. The limit is configured with the maxNumSession parameter (the current release supports up to 3 concurrent streams per deployment).
By default, once a client connects, it occupies one unit of capacity until it disconnects. You can change this behavior by configuring a timed session: toggle off the enableSessionRefresh parameter. The session lasts 90 seconds by default, and you can configure the duration with the tokenTTL parameter. Note that tokenMaxAge decides how long the client is locked out before it can request another session from the server, so it is advisable to set it to a greater number than tokenTTL to prevent a single client from hogging the pipeline.
Architecture#
Usage#
Params#
Maximum number of sessions supported:
maxNumSession: "3"
Server token time to live:
tokenTTL: "90"
Client token time to live:
tokenMaxAge: "100"
Allowed origin domains for session control:
accessControlAllowOrigin: "\\*"
Configure whether the session token should be refreshed (only enable when operating under kiosk mode):
enableSessionRefresh: "false"
Configure whether vision triggers should be sent on session start & end (only enable for audio only mode):
enableSessionTrigger: "false"
Configure whether StarFleet staging is enabled as identity provider (mutually exclusive with enableStarFleetProd):
enableStarFleetStg: false
Configure whether StarFleet prod is enabled as identity provider (mutually exclusive with enableStarFleetStg):
enableStarFleetProd: false
StarFleet client ID to verify during authentication, disabled when left empty:
starFleetClientId: ""
Basic authentication username (secure access to admin endpoints, not used for general access):
basicAuthUsername: "admin"
Basic authentication password (secure access to admin endpoints, not used for general access):
basicAuthPassword: "admin"
Connections#
ingress-endpoints:
  - name: app
    description: Ingress endpoint that routes directly into ui server
  - name: health
    description: Application health and session information
egress-endpoints:
  - name: redis
    description: Redis message broker for session token storage
  - name: ui-server
    description: Tokkio ui server
  - name: vms
    description: Tokkio video storage toolkit
Supported Platforms#
x86 Linux Ubuntu