authorFiete Ostkamp <fiete.ostkamp@telekom.de>2025-03-27 13:26:03 +0000
committerGerrit Code Review <gerrit@onap.org>2025-03-27 13:26:03 +0000
commit0c20c1cb3e23462fd762b27668f097b05f775434 (patch)
tree21e190cf71941dedcfe2f2fe78214841ee0e8db4
parentf228baf5b1b8fb6ce3451423a5f9726fca9253f2 (diff)
parent22efcf66efc7e106d36ad895e0dae96a5c0b3004 (diff)
Merge "kafka groupid and OPA-PDP Phase-2 changes"
-rw-r--r--kubernetes/policy/Chart.yaml2
-rw-r--r--kubernetes/policy/components/policy-opa-pdp/Chart.yaml5
-rwxr-xr-xkubernetes/policy/components/policy-opa-pdp/resources/config/config.json16
-rw-r--r--kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gzbin30720 -> 0 bytes
-rwxr-xr-xkubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml13
-rwxr-xr-xkubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml40
-rwxr-xr-xkubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml38
-rw-r--r--kubernetes/policy/components/policy-opa-pdp/values.yaml31
8 files changed, 30 insertions, 115 deletions
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml
index 52e3bf302a..f7e1e50ff0 100644
--- a/kubernetes/policy/Chart.yaml
+++ b/kubernetes/policy/Chart.yaml
@@ -50,7 +50,7 @@ dependencies:
repository: 'file://components/policy-drools-pdp'
condition: policy-drools-pdp.enabled
- name: policy-opa-pdp
- version: ~15.x-0
+ version: ~16.x-0
repository: 'file://components/policy-opa-pdp'
condition: policy-opa-pdp.enabled
- name: policy-distribution
diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
index 6416e5016e..78a804a75c 100644
--- a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
@@ -19,7 +19,7 @@
apiVersion: v2
description: ONAP Policy OPA PDP (PDP-O)
name: policy-opa-pdp
-version: 15.0.0
+version: 16.0.0
dependencies:
- name: common
@@ -31,3 +31,6 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
index e978b84186..bb18a3bacc 100755
--- a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
+++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
@@ -21,22 +21,6 @@
"logging": {
"level": "debug"
},
- "services": [
- {
- "name": "opa-bundle-server",
- "url": "http://policy-opa-pdp:8282/opa/bundles"
- }
- ],
- "bundles": {
- "opabundle": {
- "service": "opa-bundle-server",
- "resource": "bundle.tar.gz",
- "polling": {
- "min_delay_seconds": 60,
- "max_delay_seconds": 120
- }
- }
- },
"decision_logs": {
"console": true
}
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
deleted file mode 100644
index fa841c0191..0000000000
--- a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
+++ /dev/null
Binary files differ
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
index cc08af6937..4a3f85ead7 100755
--- a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
@@ -27,16 +27,3 @@ metadata:
data:
{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-configmap-policies-data
- namespace: {{ include "common.namespace" . }}
- labels: {{- include "common.labels" . | nindent 4 }}
-{{- with .Files.Glob "resources/policies/*" }}
-binaryData:
-{{- range $path, $bytes := . }}
- {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
-{{- end }}
-{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
index 6c25bac01c..744562d261 100755
--- a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
@@ -29,29 +29,7 @@ spec:
spec:
{{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- - command:
- - /bin/sh
- args:
- - -c
- - |
- echo "*** set right permissions to the different folders"
- chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log;
- chmod -R 755 /var/log
- chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/;
- chmod -R 755 /opt/*
- tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
- image: {{ include "repositoryGenerator.image.busybox" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- name: {{ include "common.name" . }}-readiness
- volumeMounts:
- - name: logs
- mountPath: /var/log
- - name: tmp-policies-data
- mountPath: /tmp/policies
- - name : opa-policies-data
- mountPath: /opt/
-
+ {{ include "common.readinessCheck.waitFor" . | nindent 8 }}
containers:
- name: {{ include "common.name" . }}
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
@@ -65,8 +43,12 @@ spec:
value: "{{ .Values.kafka.useSASL }}"
- name: KAFKA_URL
value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
- name: GROUPID
- value: "{{ .Values.kafka.groupid }}"
+ value: "{{ .Values.groupIdPrefix }}-$(POD_UID)"
- name: LOG_LEVEL
value: "{{ .Values.log.loglevel }}"
- name: PAP_TOPIC
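Review bot: The new `GROUPID` value depends on Kubernetes expanding `$(POD_UID)`, which only happens for variables declared earlier in the same `env` list, and nothing in the template records that ordering constraint. A comment above the `POD_UID` entry, such as `# must stay above GROUPID: $(POD_UID) is only expanded for variables defined earlier in this list`, would keep a later reorder from silently producing the unexpanded group id `<prefix>-$(POD_UID)`. Because `metadata.uid` is different for every pod, each restart presumably registers a fresh consumer group, so it is worth confirming that stale groups are expired on the broker side. `kafka.groupid` is still present in values.yaml and no longer appears to be read by the visible part of this template; the `env` list continues outside the hunk.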
@@ -97,9 +79,6 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
-
- - name: opa-policies-data
- mountPath: /opt
- name: opa-config
mountPath: /app/config
- name: opa-bundles
@@ -117,13 +96,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: tmp-policies-data
- configMap:
- name: {{ include "common.fullname" . }}-configmap-policies-data
- defaultMode: 0755
- - name: opa-policies-data
- persistentVolumeClaim:
- claimName: {{ include "common.fullname" . }}-policies-data
- name: opa-config
configMap:
name: {{ include "common.fullname" . }}-configmap-config
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
deleted file mode 100755
index 5a1e9e3450..0000000000
--- a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: {{ include "common.fullname" . }}-policies-data
- namespace: {{ include "common.namespace" . }}
- labels: {{- include "common.labels" . | nindent 4 }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.persistence.logsSize }}
- storageClassName: {{ include "common.storageClass" . }}
- volumeMode: Filesystem
-
-{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml
index 20c7e513bc..b7a5944ea4 100644
--- a/kubernetes/policy/components/policy-opa-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml
@@ -43,7 +43,8 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-opa-pdp:1.0.0
+image: onap/policy-opa-pdp:1.0.4
+
pullPolicy: Always
componentName: &componentName policy-opa-pdp
@@ -79,20 +80,19 @@ config:
policyPdpPapTopic: policy-pdp-pap
securityContext:
- user_id: 0
- group_id : 0
- runAsNonRoot: false
+ fsGroup: 1000
+ user_id: 1000
+ group_id : 1000
+ runAsNonRoot: true
+ runAsUser: 1000
containerSecurityContext:
- enabled: true
- privileged: false
- allowPrivilegeEscalation: true
+ runAsGroup: 1000
+ runAsUser: 1000
+ runAsNonRoot: true
readOnlyRootFilesystem: false
- runAsNonRoot: false
- runAsUser: 0
- runAsGroup: 0
-
+ allowPrivilegeEscalation: true
kafka:
groupid: "policy-opa-pdp"
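Review bot: `allowPrivilegeEscalation: true` is carried over into the new `containerSecurityContext`, which weakens the switch to UID/GID 1000 with `runAsNonRoot: true`: a non-root process can still gain privileges through setuid binaries or file capabilities present in the image. Unless the image is known to need it, the last added line should read `allowPrivilegeEscalation: false`. Dropping all capabilities would complete the hardening, assuming the `common.containerSecurityContext` helper passes these keys through (its definition is not visible here). The explicit `privileged: false` was also removed; the Kubernetes default is false, but keeping the line documents the intent.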
@@ -133,6 +133,11 @@ readiness:
initialDelaySeconds: 20
periodSeconds: 10
+readinessCheck:
+ wait_for:
+ services:
+ - 'policy-pap'
+
service:
type: ClusterIP
name: *componentName
@@ -198,6 +203,7 @@ dirSizes:
bundleDir:
sizeLimit: 5Gi
+groupIdPrefix: opa-pdp
#Pods Service Account
serviceAccount:
@@ -244,8 +250,9 @@ config:
kafkaUser:
authenticationType: scram-sha-512
acls:
- - name: policy-opa-pdp
+ - name: opa-pdp
type: group
+ patternType: prefix
operations: [ Create, Describe, Read, Write ]
- name: policy-pdp-pap
type: topic
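Review bot: With `patternType: prefix`, the group ACL named `opa-pdp` matches every consumer group whose id starts with that string, not only the `<groupIdPrefix>-<pod uid>` ids that deployment.yaml builds. Group ids such as `opa-pdp2` or `opa-pdp-test` (constructed examples) would fall under the same grant. Including the separator in the ACL name, `- name: opa-pdp-`, narrows the match to the ids this chart generates. The ACL name and `groupIdPrefix` (added in an earlier hunk of this file) are separate literals that must stay in step; a comment next to each, e.g. `# must match the group ACL prefix under kafkaUser.acls`, would make that coupling visible. The `acls` list appears to continue outside the hunk.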