diff options
author | Andreas Geissler <andreas-geissler@telekom.de> | 2024-07-29 10:18:26 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2024-08-02 13:33:01 +0200 |
commit | 57681130892505f513df6d0902cbed0335f9dd29 (patch) | |
tree | 72f9302d032063eacbe344e8a1e8867395374aa3 | |
parent | bf35e55286a0ac2f4fe05f595cda7109f22a5e6a (diff) |
[POLICY] Fix Kyverno Policy violations
- Add "archive" folder for removed policy-gui charts
- Update all deployments/jobs to fix policies
- Correct KafkaUser definition to avoid deprecated attribute
- update xacml-pdp deployment to work with readOnlyFilesystem setting
Issue-ID: OOM-3307
Change-Id: I579062c1c49923666c1d836f7324c8bbd7b88695
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
84 files changed, 1293 insertions, 186 deletions
diff --git a/archive/policy/components/policy-gui/Chart.yaml b/archive/policy/components/policy-gui/Chart.yaml new file mode 100644 index 0000000000..28972b59b0 --- /dev/null +++ b/archive/policy/components/policy-gui/Chart.yaml @@ -0,0 +1,32 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021, 2024 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy GUI +name: policy-gui +version: 14.0.0 + +dependencies: + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/policy/components/policy-gui/resources/config/application.yml b/archive/policy/components/policy-gui/resources/config/application.yml new file mode 100644 index 0000000000..f81a1b452a --- /dev/null +++ b/archive/policy/components/policy-gui/resources/config/application.yml @@ -0,0 +1,19 @@ +server: + port: 2443 + ssl: + enabled: false + +clamp: + url: + disable-ssl-validation: true + disable-ssl-hostname-check: true + +apex-editor: + upload-url: + upload-userid: + +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus diff --git a/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml b/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml new file mode 100644 index 0000000000..0b3951726b --- /dev/null +++ b/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml @@ -0,0 +1,59 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +filebeat.prospectors: +#it is mandatory, in our case it's log +- input_type: log + #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. + paths: + - /var/log/onap/*/*/*/*.log + - /var/log/onap/*/*/*.log + - /var/log/onap/*/*.log + #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive + ignore_older: 48h + # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit + clean_inactive: 96h + +# Name of the registry file. If a relative path is used, it is considered relative to the +# data path. Else full qualified file name. +#filebeat.registry_file: ${path.data}/registry + + +output.logstash: + #List of logstash server ip addresses with port number. + #But, in our case, this will be the loadbalancer IP address. + #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. + hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] + #If enable will do load balancing among availabe Logstash, automatically. + loadbalance: true + + #The list of root certificates for server verifications. + #If certificate_authorities is empty or not set, the trusted + #certificate authorities of the host system are used. + #ssl.certificate_authorities: $ssl.certificate_authorities + + #The path to the certificate for SSL client authentication. If the certificate is not specified, + #client authentication is not available. + #ssl.certificate: $ssl.certificate + + #The client certificate key used for client authentication. + #ssl.key: $ssl.key + + #The passphrase used to decrypt an encrypted key stored in the configured key file + #ssl.key_passphrase: $ssl.key_passphrase diff --git a/archive/policy/components/policy-gui/resources/config/logback.xml b/archive/policy/components/policy-gui/resources/config/logback.xml new file mode 100644 index 0000000000..c20df8329d --- /dev/null +++ b/archive/policy/components/policy-gui/resources/config/logback.xml @@ -0,0 +1,118 @@ +<!-- + ============LICENSE_START======================================================= + policy-gui + ================================================================================ + Copyright (C) 2021-2022 Nordix Foundation. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + ============LICENSE_END========================================================= + --> + +<configuration scan="true" scanPeriod="30 seconds" debug="false"> + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>TRACE</level> + </filter> + <encoder> + <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n + </pattern> + </encoder> + </appender> + + <appender name="ERROR" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${POLICY_LOGS}/error.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>${POLICY_LOGS}/error.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>TRACE</level> + </filter> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> + </encoder> + </appender> + + <appender name="asyncError" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="ERROR" /> + </appender> + + <appender name="DEBUG" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${POLICY_LOGS}/debug.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>${POLICY_LOGS}/debug.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> + </encoder> + </appender> + + <appender name="asyncDebug" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="DEBUG" /> + </appender> + + <appender name="NETWORK" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${POLICY_LOGS}/network.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> + <fileNamePattern>${POLICY_LOGS}/network.%d{yyyy-MM-dd}.%i.log.zip + </fileNamePattern> + <maxFileSize>50MB</maxFileSize> + <maxHistory>30</maxHistory> + <totalSizeCap>10GB</totalSizeCap> + </rollingPolicy> + <encoder> + <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern> + </encoder> + </appender> + + <appender name="asyncNetwork" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="NETWORK" /> + </appender> + + <logger name="network" level="TRACE" additivity="false"> + <appender-ref ref="asyncNetwork" /> + </logger> + + <logger name="org.apache" level="TRACE" additivity="false"> + <appender-ref ref="DEBUG" /> + </logger> + + <!-- Spring related loggers --> + <logger name="org.springframework" level="TRACE" additivity="false"> + <appender-ref ref="DEBUG" /> + </logger> + + <!-- GUI related loggers --> + <logger name="org.onap.policy.gui" level="TRACE" additivity="false"> + <appender-ref ref="ERROR" /> + <appender-ref ref="DEBUG" /> + </logger> + + <!-- logback internals logging --> + <logger name="ch.qos.logback.classic" level="INFO" /> + <logger name="ch.qos.logback.core" level="INFO" /> + + <root level="TRACE"> + <appender-ref ref="asyncDebug" /> + <appender-ref ref="asyncError" /> + <appender-ref ref="asyncNetwork" /> + <appender-ref ref="STDOUT" /> + </root> +</configuration> diff --git a/archive/policy/components/policy-gui/templates/NOTES.txt b/archive/policy/components/policy-gui/templates/NOTES.txt new file mode 100644 index 0000000000..e44f333e11 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/NOTES.txt @@ -0,0 +1,38 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.externalPort }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit https://127.0.0.1:8443 to use your application" + kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }} +{{- end }} diff --git a/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml b/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }}
\ No newline at end of file diff --git a/archive/policy/components/policy-gui/templates/configmap.yaml b/archive/policy/components/policy-gui/templates/configmap.yaml new file mode 100644 index 0000000000..9426b0f54f --- /dev/null +++ b/archive/policy/components/policy-gui/templates/configmap.yaml @@ -0,0 +1,34 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*.{xml,yaml,yml}").AsConfig . | indent 2 }} + +{{ include "common.log.configMap" . }} diff --git a/archive/policy/components/policy-gui/templates/deployment.yaml b/archive/policy/components/policy-gui/templates/deployment.yaml new file mode 100644 index 0000000000..a236d5f558 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/deployment.yaml @@ -0,0 +1,127 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: POLICY_LOGS + value: {{ .Values.log.path }} + volumeMounts: + - mountPath: /config-input + name: policy-gui-config + - mountPath: /config + name: policy-gui-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: + - /app/ready.py + args: + - --service-name + - policy-clamp-runtime-acm + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + # side car containers + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/gui/bin/policy-gui.sh"] + env: + - name: CLAMP_URL + value: http://policy-clamp-runtime-acm:6969 + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: logs + mountPath: {{ .Values.log.path }} + - mountPath: /opt/app/policy/gui/etc/application.yml + name: policy-gui-config-processed + subPath: application.yml + - mountPath: /opt/app/policy/gui/etc/logback.xml + name: policy-gui-config-processed + subPath: logback.xml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }} + - name: logs + emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} + - name: policy-gui-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: policy-gui-config-processed + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/archive/policy/components/policy-gui/templates/ingress.yaml b/archive/policy/components/policy-gui/templates/ingress.yaml new file mode 100644 index 0000000000..e3dd7cb0f6 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/ingress.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.ingress" . }} diff --git a/archive/policy/components/policy-gui/templates/secrets.yaml b/archive/policy/components/policy-gui/templates/secrets.yaml new file mode 100644 index 0000000000..2af7fae2d9 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/archive/policy/components/policy-gui/templates/service.yaml b/archive/policy/components/policy-gui/templates/service.yaml new file mode 100644 index 0000000000..36406228d5 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/archive/policy/components/policy-gui/values.yaml b/archive/policy/components/policy-gui/values.yaml new file mode 100644 index 0000000000..1533f823a9 --- /dev/null +++ b/archive/policy/components/policy-gui/values.yaml @@ -0,0 +1,130 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: # global defaults + nodePortPrefix: 304 + centralizedLoggingEnabled: true + +subChartsOnly: + enabled: true + +flavor: small + +# application image +image: onap/policy-gui:3.1.3 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# log configuration +log: + path: /var/log/onap/policy/gui + +################################################################# +# Application configuration defaults. +################################################################# +config: + log: + logstashServiceName: log-ls + logstashPort: 5044 + dataRootDir: /dockerdata-nfs + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 3 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + +service: + type: NodePort + name: policy-gui + internalPort: 2443 + ports: + - name: http + port: 2443 + nodePort: 43 + + # see https://wiki.onap.org/display/DW/OOM+NodePort+List + +ingress: + enabled: false + service: + - baseaddr: "policy-ui" + name: "policy-gui" + port: 2443 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + + #resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # + # Example: + # Configure resource requests and limits + # ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # Minimum memory for development is 2 CPU cores and 4GB memory + # Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "1" + memory: "700Mi" + requests: + cpu: "0.5" + memory: "700Mi" + large: + limits: + cpu: "2" + memory: "1.4Gi" + requests: + cpu: "1" + memory: "1.4Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: policy-gui + roles: + - read diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index ca839f09cc..ee6dabc015 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 14.0.1 +version: 14.0.4 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index c8a2862326..4ec4725860 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml index de3e6d1004..3b25dc55a3 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml @@ -3,7 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2022 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: ["/bin/sh", "-cx"] args: @@ -62,8 +63,10 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config + {{ include "common.containerSecurityContext" . | indent 8 | trim }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: [ "/bin/sh", "-cx" ] @@ -104,7 +107,8 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: policy-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: apexconfig-input configMap: name: {{ include "common.fullname" . }}-configmap @@ -112,4 +116,5 @@ spec: - name: apexconfig emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml index 4259381afe..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml @@ -14,4 +14,3 @@ # limitations under the License. */}} {{ include "common.kafkauser" . }} - diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 6070bb05af..0c83a55651 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright © 2022 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -114,12 +114,20 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + #Pods Service Account serviceAccount: nameOverride: policy-apex-pdp roles: - read +dirSizes: + logDir: + sizeLimit: 500Mi + metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index 32c22cbe6c..ef0b5eae94 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml index 9ab25fe2ac..6bb96fc1e5 100755 --- a/kubernetes/policy/components/policy-api/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml @@ -37,4 +37,4 @@ binaryData: {{- end }} {{- end }} data: -{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }}
\ No newline at end of file +{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index 8de035e5d1..2f135fac5e 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -7,6 +7,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py @@ -25,6 +26,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} name: {{ include "common.name" . }}-readiness resources: limits: @@ -54,9 +56,11 @@ spec: name: apiconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/api/bin/policy-api.sh"] @@ -85,6 +89,14 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/api/etc/logback.xml + subPath: logback.xml + name: apiconfig-processed - mountPath: /opt/app/policy/api/etc/mounted name: apiconfig-processed resources: {{ include "common.resources" . | nindent 12 }} @@ -105,4 +117,11 @@ spec: - name: apiconfig-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 70c06ccbf9..9193366422 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -77,7 +77,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 + initialDelaySeconds: 120 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -89,7 +89,7 @@ readiness: api: /policy/api/v1/healthcheck successThreshold: 1 failureThreshold: 3 - timeout: 60 + timeout: 120 service: type: ClusterIP @@ -125,6 +125,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-api diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml index e35dd3d6f0..a9d27d60a8 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022-2024 Nordix Foundation. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp A1PMS Participant name: policy-clamp-ac-a1pms-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml index 31aa1b746a..5bfa825e18 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml @@ -81,5 +81,3 @@ server: context-path: /onap/policy/clamp/acm/a1pmsparticipant ssl: enabled: false - - diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml index d34da146a5..b9eb83b3c5 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2022-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -50,9 +52,11 @@ spec: name: ac-a1pms-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"] @@ -75,6 +79,14 @@ spec: volumeMounts: - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-a1pms-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-a1pms-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -93,4 +105,11 @@ spec: - name: ac-a1pms-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml index 19f522a71e..66aadf12c7 100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml @@ -1,21 +1,21 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index 6bde39dd51..a23e732c8b 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -115,6 +116,17 @@ resources: cpu: "1" memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index faa7014a79..979aa4f598 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -31,4 +32,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index a04c37fe3d..d447360dd9 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -80,4 +80,3 @@ server: context-path: /onap/httpparticipant ssl: enabled: false - diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml index e502c1a091..dd7db7acee 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -50,9 +52,11 @@ spec: name: ac-http-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/http-participant.sh"] @@ -75,6 +79,14 @@ spec: volumeMounts: - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-http-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-http-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -93,4 +105,11 @@ spec: - name: ac-http-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml index e676ff13d7..be2449f890 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml @@ -1,21 +1,21 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 3ef8d92191..8593a3d316 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -106,6 +107,17 @@ resources: cpu: "1" memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index aa6d08a3de..5a1cb6e80b 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2021 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index 8a6cf830ca..efd5a6cd53 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml @@ -33,4 +33,4 @@ data: {{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} {{ toYaml .Values.repoList | indent 4 }} {{- end }} -{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }}
\ No newline at end of file +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml index cfc2fc7fac..a97ab22577 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -50,9 +52,11 @@ spec: name: ac-k8s-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"] @@ -75,6 +79,14 @@ spec: volumeMounts: - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-k8s-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-k8s-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -93,4 +105,11 @@ spec: - name: ac-k8s-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml index 2439223192..02a6292df7 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml @@ -36,4 +36,3 @@ subjects: - kind: ServiceAccount name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} namespace: {{ include "common.namespace" . }} - diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index d34d0e011a..5e43b94965 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -108,6 +109,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -145,4 +156,3 @@ kafkaUser: - name: *acRuntimeTopic type: topic operations: [Read, Write] - diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml index 44c80ff879..863d07952f 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Kserve Participant name: policy-clamp-ac-kserve-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml index 89cf9494a3..6613235050 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml @@ -96,5 +96,3 @@ server: context-path: /onap/policy/clamp/acm/kserveparticipant ssl: enabled: false - - diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml index 8574979cbc..3d1f4f8ca3 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -50,9 +52,11 @@ spec: name: ac-kserve-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"] @@ -75,6 +79,14 @@ spec: volumeMounts: - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-kserve-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-kserve-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -93,4 +105,11 @@ spec: - name: ac-kserve-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml index b7e7364eab..6fc37c3d01 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml @@ -1,16 +1,16 @@ -{{/*
-# Copyright © 2023 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{ include "common.kafkauser" . }}
+{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml index ac5ee0b72f..073ffe9618 100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml @@ -1,38 +1,38 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2023 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
- namespace: {{ include "common.namespace" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + namespace: {{ include "common.namespace" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index 63ab8adece..6f9868bc0d 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -106,6 +107,17 @@ resources: cpu: "1" memory: "1.4Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index f860393f43..4460c18fcd 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index 1cd4ba318c..729a455d07 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -98,4 +98,3 @@ server: context-path: /onap/policyparticipant ssl: enabled: false - diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml index 9026309fa1..c29dca9c7d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -58,9 +60,11 @@ spec: name: ac-pf-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/policy-participant.sh"] @@ -83,6 +87,14 @@ spec: volumeMounts: - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-pf-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-pf-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -101,4 +113,11 @@ spec: - name: ac-pf-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml index e676ff13d7..be2449f890 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml @@ -1,21 +1,21 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index 2112f2510a..97bebd00d2 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -127,6 +128,17 @@ resources: cpu: "1" memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index bdd6c99c53..0dd1f34fcf 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -33,4 +34,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index b0ea909e55..462f2e517b 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py @@ -41,6 +43,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-galera-config-readiness resources: limits: @@ -75,9 +78,11 @@ spec: name: ac-runtime-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"] @@ -98,6 +103,14 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-runtime-config-processed - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-runtime-config-processed resources: {{ include "common.resources" . | nindent 12 }} @@ -111,6 +124,12 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: ac-runtime-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -118,4 +137,5 @@ spec: - name: ac-runtime-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index b2389b963b..b030f940de 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -96,7 +97,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 + initialDelaySeconds: 120 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -141,6 +142,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -153,4 +164,4 @@ wait_for_job_container: customNaming: toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement - toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition
\ No newline at end of file + toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index 3de47d06e9..b2d1cde724 100755 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml index 62a3bfc98e..fe08271288 100755 --- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -57,9 +59,11 @@ spec: name: distributionconfig image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: @@ -86,6 +90,14 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/distribution/etc/logback.xml + subPath: logback.xml + name: distributionconfig - mountPath: /opt/app/policy/distribution/etc/mounted name: distributionconfig resources: {{ include "common.resources" . | nindent 12 }} @@ -106,4 +118,11 @@ spec: - name: distributionconfig emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index 042cbd29eb..f93dffe1ee 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -141,6 +142,16 @@ resources: memory: "1Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-distribution diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 63c4984ac9..710a04f111 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml index c7322b1f94..3f45b2f6e0 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml @@ -16,4 +16,3 @@ */}} {{ include "common.service" . }} - diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index ba0e2d1a41..3f25d964e4 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,6 +26,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py @@ -39,6 +41,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-db-readiness resources: limits: @@ -69,6 +72,7 @@ spec: value: {{ .Values.config.app.listener.policyPdpPapTopic }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-readiness resources: limits: @@ -80,6 +84,7 @@ spec: {{- end }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["sh","-c"] @@ -107,6 +112,14 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} volumeMounts: + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/etc/profile.d/base.conf + subPath: base.conf + name: drools-config {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} - mountPath: /tmp/policy-install/config/{{ base $path }} name: drools-secret @@ -128,6 +141,12 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: drools-config configMap: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index e35c08a15c..b1a26fb669 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -171,6 +172,16 @@ resources: memory: "1.6Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-drools-pdp diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index 8d04647a75..ae8eebe50b 100755 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018-2020 AT&T # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml index 3d03338836..fe183cfa24 100755 --- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,16 +25,19 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: ["sh", "-c", "chown -R 200:200 /share"] image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-init volumeMounts: - mountPath: /share name: nexus-data containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: {{ include "common.containerPorts" . | nindent 12 }} diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml index 6aee4ca230..8d13879023 100755 --- a/kubernetes/policy/components/policy-nexus/templates/service.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml @@ -15,4 +15,4 @@ # limitations under the License. */}} -{{ include "common.service" . }}
\ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index f10d55dcee..b82785f2b8 100755 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -97,6 +98,10 @@ resources: memory: "1Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + #Pods Service Account serviceAccount: nameOverride: policy-nexus diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 0634118a4f..1fd621beb0 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -3,6 +3,7 @@ # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index 9ca8b84a47..8f00eb049f 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -2,6 +2,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,6 +29,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py @@ -45,6 +47,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-db-readiness resources: limits: @@ -87,9 +90,11 @@ spec: name: papconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -121,8 +126,16 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: - - mountPath: /opt/app/policy/pap/etc/mounted + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pap/etc/logback.xml + subPath: logback.xml name: papconfig-processed + - name: papconfig-processed + mountPath: /opt/app/policy/pap/etc/mounted resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -134,6 +147,12 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: papconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -141,4 +160,5 @@ spec: - name: papconfig-processed emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 5f6fb21265..d7384a5e65 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -3,6 +3,7 @@ # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. # Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -159,6 +160,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-pap @@ -224,4 +235,3 @@ kafkaUser: type: topic patternType: prefix operations: [Create, Describe, Read, Write] - diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index a46d6128e8..8bb17a53de 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 14.0.0 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index cda1aa4bae..ce11fe71e5 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py @@ -41,6 +43,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-readiness resources: limits: @@ -87,9 +90,11 @@ spec: name: pdpxconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] @@ -110,6 +115,44 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - name: policy-guard + mountPath: /opt/app/policy/pdpx/apps/guard + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/guard/xacml.properties + subPath: xacml.properties + - name: policy-match + mountPath: /opt/app/policy/pdpx/apps/match + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/match/xacml.properties + subPath: xacml.properties + - name: policy-monitoring + mountPath: /opt/app/policy/pdpx/apps/monitoring + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/monitoring/xacml.properties + subPath: xacml.properties + - name: policy-naming + mountPath: /opt/app/policy/pdpx/apps/naming + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/naming/xacml.properties + subPath: xacml.properties + - name: policy-native + mountPath: /opt/app/policy/pdpx/apps/native + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/native/xacml.properties + subPath: xacml.properties + - name: policy-optimization + mountPath: /opt/app/policy/pdpx/apps/optimization + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/optimization/xacml.properties + subPath: xacml.properties + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pdpx/etc/logback.xml + subPath: logback.xml + name: pdpxconfig-processed - mountPath: /opt/app/policy/pdpx/etc/mounted name: pdpxconfig-processed resources: {{ include "common.resources" . | nindent 12 }} @@ -123,6 +166,30 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: policy-guard + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-match + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-monitoring + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-naming + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-native + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-optimization + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -130,4 +197,5 @@ spec: - name: pdpxconfig-processed emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml index 3e76c2ba36..6dabd951b9 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml @@ -18,4 +18,4 @@ # ============LICENSE_END========================================================= */}} -{{ include "common.service" . }}
\ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index ae216a27a0..18ddfdfeba 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -147,6 +148,18 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + policyDir: + sizeLimit: 100Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -194,5 +207,3 @@ kafkaUser: type: topic patternType: prefix operations: [ Create, Describe, Read, Write ] - - diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 3880d2383c..2c0ee783d5 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2020 AT&T Intellectual Property # Modifications Copyright (C) 2022 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,6 +34,7 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-galera-init spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }} @@ -40,6 +42,7 @@ spec: - name: {{ include "common.name" . }}-galera-config image: {{ include "repositoryGenerator.image.mariadb" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /dbcmd-config/db.sh name: {{ include "common.fullname" . }}-config @@ -48,7 +51,7 @@ spec: - /bin/sh - -cx - | - {{- if include "common.onServiceMesh" . }} + {{- if include "common.requireSidecarKiller" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} /dbcmd-config/db.sh env: @@ -61,7 +64,7 @@ spec: - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} + {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always @@ -77,6 +80,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -108,6 +119,7 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-pg-init spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }} @@ -115,6 +127,7 @@ spec: - name: {{ include "common.name" . }}-pg-config image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /docker-entrypoint-initdb.d/db-pg.sh name: {{ include "common.fullname" . }}-config @@ -123,7 +136,7 @@ spec: - /bin/sh - -cx - | - {{- if include "common.onServiceMesh" . }} + {{- if include "common.requireSidecarKiller" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} /docker-entrypoint-initdb.d/db-pg.sh env: @@ -138,7 +151,7 @@ spec: - name: PG_PORT value: "{{ .Values.postgres.service.internalPort }}" resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} + {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always @@ -154,6 +167,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -185,9 +206,11 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-galera-config spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - name: {{ include "common.name" . }}-init-readiness + {{ include "common.containerSecurityContext" . | indent 8 | trim }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: @@ -210,17 +233,20 @@ spec: memory: "20Mi" containers: - name: {{ include "common.name" . }}-galera-db-migrator + {{ include "common.containerSecurityContext" . | indent 8 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /dbcmd-config/db_migrator_policy_init.sh name: {{ include "common.fullname" . }}-config subPath: db_migrator_policy_init.sh + - mountPath: /opt/app/policy/etc/db + name: db-conf command: - /bin/sh - -cx - | - {{- if include "common.onServiceMesh" . }} + {{- if include "common.requireSidecarKiller" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} /dbcmd-config/db_migrator_policy_init.sh env: @@ -237,7 +263,7 @@ spec: - name: SCRIPT_DIRECTORY value: "sql" resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} + {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always @@ -253,6 +279,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -264,6 +298,10 @@ spec: items: - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh + - name: db-conf + emptyDir: + medium: Memory + sizeLimit: 64Mi {{ end }} {{ if .Values.global.postgres.localCluster }} --- @@ -283,9 +321,11 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-pg-config spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - name: {{ include "common.name" . }}-init-readiness + {{ include "common.containerSecurityContext" . | indent 8 | trim }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: @@ -308,17 +348,20 @@ spec: memory: "20Mi" containers: - name: {{ include "common.name" . }}-pg-db-migrator + {{ include "common.containerSecurityContext" . | indent 8 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh name: {{ include "common.fullname" . }}-config subPath: db_migrator_pg_policy_init.sh + - mountPath: /opt/app/policy/etc/db + name: db-conf command: - /bin/sh - -cx - | - {{- if include "common.onServiceMesh" . }} + {{- if include "common.requireSidecarKiller" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} /dbcmd-config/db_migrator_pg_policy_init.sh env: @@ -337,7 +380,7 @@ spec: - name: PGPASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} + {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always @@ -353,6 +396,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -364,4 +415,8 @@ spec: items: - key: db_migrator_pg_policy_init.sh path: db_migrator_pg_policy_init.sh + - name: db-conf + emptyDir: + medium: Memory + sizeLimit: 64Mi {{ end }} diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml index ed399ed9c7..d004cbe116 100644 --- a/kubernetes/policy/templates/policy-kafka-user.yaml +++ b/kubernetes/policy/templates/policy-kafka-user.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2022-2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,16 +30,20 @@ spec: - resource: type: group name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyPdpPapTopic.name }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyHeartbeatTopic.name }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyNotificationTopic.name }} - operation: All + operations: + - All diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 68ce42d103..ccd8223284 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property # Modifications Copyright (C) 2021-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -296,6 +297,10 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 65533 + #Pods Service Account serviceAccount: nameOverride: policy |