author | Andreas Geissler <andreas-geissler@telekom.de> | 2025-02-03 07:45:18 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2025-02-03 07:45:18 +0000 |
commit | 06bbffdd910c94e5e45e69f17e06ce8a7c61dd6a (patch) | |
tree | 7507f984566d4362857f371aae914833ee828216 /kubernetes | |
parent | 8009e77c8cdc3e33a7063df176eb9d0f0b805014 (diff) | |
parent | 4a9f7dfda1d5bb8c6f8dce3ff6b86baf08b96eb5 (diff) |
Diffstat (limited to 'kubernetes')
14 files changed, 661 insertions, 1 deletions
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml
index 2bf703c622..6a2e819718 100755
--- a/kubernetes/policy/Chart.yaml
+++ b/kubernetes/policy/Chart.yaml
@@ -19,7 +19,7 @@ apiVersion: v2
 description: ONAP Policy
 name: policy
-version: 15.0.1
+version: 15.0.2
 dependencies:
 - name: common
@@ -53,6 +53,10 @@ dependencies:
 version: ~15.x-0
 repository: 'file://components/policy-drools-pdp'
 condition: policy-drools-pdp.enabled
+ - name: policy-opa-pdp
+ version: ~15.x-0
+ repository: 'file://components/policy-opa-pdp'
+ condition: policy-opa-pdp.enabled
 - name: policy-distribution
 version: ~15.x-0
 repository: 'file://components/policy-distribution'
diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
new file mode 100755
index 0000000000..6416e5016e
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
@@ -0,0 +1,33 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy OPA PDP (PDP-O)
+name: policy-opa-pdp
+version: 15.0.0
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
new file mode 100755
index 0000000000..e978b84186
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
@@ -0,0 +1,43 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+{
+ "logging": {
+ "level": "debug"
+ },
+ "services": [
+ {
+ "name": "opa-bundle-server",
+ "url": "http://policy-opa-pdp:8282/opa/bundles"
+ }
+ ],
+ "bundles": {
+ "opabundle": {
+ "service": "opa-bundle-server",
+ "resource": "bundle.tar.gz",
+ "polling": {
+ "min_delay_seconds": 60,
+ "max_delay_seconds": 120
+ }
+ }
+ },
+ "decision_logs": {
+ "console": true
+ }
+}
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
Binary files differ
new file mode 100644
index 0000000000..fa841c0191
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml
new file mode 100755
index 0000000000..e2b4537dc8
--- /dev/null
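Review bot: The `opa-bundle-server` service points at `http://policy-opa-pdp:8282/opa/bundles` and the `opabundle` entry has no `signing` stanza and the file no `keys` block, so OPA will activate whatever tarball that endpoint returns without any bundle-signature check, and because the URL is the Service name rather than a loopback address the fetch leaves the pod and relies on the mesh for transport protection. If the bundle is in fact served by this same PDP process, a loopback URL would keep it in-process; otherwise a `keys` block plus `"signing": {"keyid": "<id>"}` under `opabundle` would make a tampered or substituted bundle fail verification instead of being loaded as policy. `"decision_logs": {"console": true}` combined with `"level": "debug"` also writes every decision input and result to stdout, and decision inputs routinely carry end-user or tenant data, so the shipped default should probably be `"level": "info"` with a comment that `debug` is for troubleshooting only.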
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
new file mode 100755
index 0000000000..cc08af6937
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
@@ -0,0 +1,42 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap-config
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+data:
+{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap-policies-data
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+{{- with .Files.Glob "resources/policies/*" }}
+binaryData:
+{{- range $path, $bytes := . }}
+ {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
new file mode 100755
index 0000000000..6c25bac01c
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
@@ -0,0 +1,137 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
+ initContainers:
+ - command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ echo "*** set right permissions to the different folders"
+ chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log;
+ chmod -R 755 /var/log
+ chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/;
+ chmod -R 755 /opt/*
+ tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
+ image: {{ include "repositoryGenerator.image.busybox" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ name: {{ include "common.name" . }}-readiness
+ volumeMounts:
+ - name: logs
+ mountPath: /var/log
+ - name: tmp-policies-data
+ mountPath: /tmp/policies
+ - name : opa-policies-data
+ mountPath: /opt/
+
+ containers:
+ - name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ env:
+ - name: UseSASLForKAFKA
+ value: "{{ .Values.kafka.useSASL }}"
+ - name: KAFKA_URL
+ value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+ - name: GROUPID
+ value: "{{ .Values.kafka.groupid }}"
+ - name: LOG_LEVEL
+ value: "{{ .Values.log.loglevel }}"
+ - name: PAP_TOPIC
+ value: "{{ .Values.kafka.topic }}"
+ - name: API_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }}
+ - name: API_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }}
+ - name: RESTSERVER_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
+ - name: RESTSERVER_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
+ - name: JAASLOGIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+
+ - name: opa-policies-data
+ mountPath: /opt
+ - name: opa-config
+ mountPath: /app/config
+ - name: opa-bundles
+ mountPath: /app/bundles
+ - name: logs
+ mountPath: /var/log
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: tmp-policies-data
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap-policies-data
+ defaultMode: 0755
+ - name: opa-policies-data
+ persistentVolumeClaim:
+ claimName: {{ include "common.fullname" . }}-policies-data
+ - name: opa-config
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap-config
+ defaultMode: 0755
+ - name: opa-bundles
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml
new file mode 100755
index 0000000000..faf315356c
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml
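Review bot: Both ConfigMap volumes (`tmp-policies-data` and `opa-config`) are mounted with `defaultMode: 0755`, which sets the execute bit on `config.json` and on the policies tarball; neither is executed, so `defaultMode: 0444` on both `configMap:` entries is sufficient and avoids an unexpected executable under `/app/config`. The init container runs `chown -R`/`chmod -R 755` over `/opt/` and `/var/log` and then re-extracts the chart's `policy-data.tar.gz` into `/opt/` on every pod start, so anything written to the `opa-policies-data` PVC at runtime is overwritten by the packaged archive — if the PVC is meant to hold runtime state, the extraction should be guarded (for example skipped when `/opt` is already populated) and the comment above the `tar` line should say that it seeds the volume. `chown` also requires the init container to run as root, which it only does because it shares `common.containerSecurityContext` with the main container; giving the init container its own `securityContext` with `runAsUser: 0` would let the main container drop root independently. The `# disable liveness probe …` comment sits above `env:` rather than above the `livenessProbe` block it describes, and `- name : opa-policies-data` has a stray space before the colon.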
@@ -0,0 +1,20 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
new file mode 100755
index 0000000000..5a1e9e3450
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
@@ -0,0 +1,38 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "common.fullname" . }}-policies-data
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.logsSize }}
+ storageClassName: {{ include "common.storageClass" . }}
+ volumeMode: Filesystem
+
+{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml
new file mode 100755
index 0000000000..0c47a8bd77
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml
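Review bot: The guard skips creating the claim when `persistence.existingClaim` is set, but deployment.yaml in this same change always mounts `claimName: {{ include "common.fullname" . }}-policies-data`, so setting `existingClaim` leaves the pod pointing at a claim that is never created and it will stay Pending. The deployment line should become `claimName: {{ .Values.persistence.existingClaim | default (printf "%s-policies-data" (include "common.fullname" .)) }}`, or the `existingClaim` branch should be dropped from this `if` until it is wired through. The request size also comes from `persistence.logsSize` although the claim holds policy data rather than logs; a `policiesSize` key, or at least a comment stating that the key name is historical, would keep operators from sizing the wrong thing.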
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml
new file mode 100755
index 0000000000..1d45a0baef
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml
new file mode 100755
index 0000000000..96774208de
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml
@@ -0,0 +1,23 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (c) 2024 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{- if .Values.global.prometheusEnabled }}
+{{ include "common.serviceMonitor" . }}
+{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml
new file mode 100755
index 0000000000..20c7e513bc
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml
@@ -0,0 +1,253 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ persistence: {}
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: api-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}'
+ login: '{{ .Values.apiServer.user }}'
+ password: '{{ .Values.apiServer.password }}'
+ passwordPolicy: required
+ - uid: restserver-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+ login: '{{ .Values.restServer.user }}'
+ password: '{{ .Values.restServer.password }}'
+ passwordPolicy: required
+
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+image: onap/policy-opa-pdp:1.0.0
+pullPolicy: Always
+
+componentName: &componentName policy-opa-pdp
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+log:
+ loglevel: "debug"
+
+
+# application configuration
+
+permissions:
+ uid: 100
+ gid: 102
+
+restServer:
+ user: healthcheck
+ password: zb!XztG34
+
+apiServer:
+ user: policyadmin
+ password: zb!XztG34
+
+config:
+ # Event consumption (kafka) properties
+ kafka:
+ consumer:
+ groupId: policy-opa-pdp
+ app:
+ listener:
+ policyPdpPapTopic: policy-pdp-pap
+
+securityContext:
+ user_id: 0
+ group_id : 0
+ runAsNonRoot: false
+
+
+containerSecurityContext:
+ enabled: true
+ privileged: false
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+
+
+kafka:
+ groupid: "policy-opa-pdp"
+ topic: "policy-pdp-pap"
+ useSASL: "true"
+ brokers: "onap-strimzi-kafka-bootstrap.onap:9092"
+
+persistence:
+ enabled: true
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteMany
+ logsSize: 1Gi
+ mountPath: /dockerdata-nfs
+ mountSubPath: policy/opapdp
+ storageClass: "cinder-os"
+ enableDefaultStorageclass: false
+ parameters: {}
+ storageclassProvisioner: cinder-os
+
+
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+
+service:
+ type: ClusterIP
+ name: *componentName
+ internalPort: 8282
+ ports:
+ - name: http
+ port: 8282
+
+ingress:
+ enabled: false
+
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-datafile-collector-read
+ - serviceAccount: dcae-datalake-admin-ui-read
+ - serviceAccount: dcae-datalake-des-read
+ - serviceAccount: dcae-datalake-feeder-read
+ - serviceAccount: dcae-heartbeat-read
+ - serviceAccount: dcae-hv-ves-collector-read
+ - serviceAccount: dcae-kpi-ms-read
+ - serviceAccount: dcae-pm-mapper-read
+ - serviceAccount: dcae-pmsh-read
+ - serviceAccount: dcae-prh-read
+ - serviceAccount: dcae-restconf-collector-read
+ - serviceAccount: dcae-slice-analysis-ms-read
+ - serviceAccount: dcae-snmptrap-collector-read
+ - serviceAccount: dcae-son-handler-read
+ - serviceAccount: dcae-tcagen2-read
+ - serviceAccount: dcae-ves-collector-read
+ - serviceAccount: dcae-ves-mapper-read
+ - serviceAccount: dcae-ves-openapi-manager-read
+ - serviceAccount: strimzi-kafka-read
+ - serviceAccount: oof-read
+ - serviceAccount: sdnc-read
+
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: "1"
+ memory: "1Gi"
+ requests:
+ cpu: "0.5"
+ memory: "1Gi"
+ large:
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ requests:
+ cpu: "1"
+ memory: "2Gi"
+ unlimited: {}
+
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+ policyDir:
+ sizeLimit: 100Mi
+ bundleDir:
+ sizeLimit: 5Gi
+
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: *componentName
+ roles:
+ - read
+
+metrics:
+ serviceMonitor:
+ # Override the labels based on the Prometheus config parameter: serviceMonitorSelector.
+ # The default operator for prometheus enforces the below label.
+ labels:
+ app: '{{ include "common.name" . }}'
+ helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+ app.kubernetes.io/instance: '{{ include "common.release" . }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ version: '{{ .Chart.Version | replace "+" "_" }}'
+ release: prometheus
+ enabled: true
+ port: policy-opa-pdp
+ interval: 60s
+ isHttps: false
+ basicAuth:
+ enabled: true
+ externalSecretNameSuffix: policy-opa-pdp-restserver-creds
+ externalSecretUserKey: login
+ externalSecretPasswordKey: password
+ selector:
+ app: '{{ include "common.name" . }}'
+ chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+ release: '{{ include "common.release" . }}'
+ heritage: '{{ .Release.Service }}'
+
+config:
+ # Event consumption (kafka) properties
+ kafka:
+ consumer:
+ groupId: policy-opa-pdp
+ app:
+ listener:
+ policyPdpPapTopic: policy-pdp-pap
+
+# Strimzi Kafka config
+kafkaUser:
+ authenticationType: scram-sha-512
+ acls:
+ - name: policy-opa-pdp
+ type: group
+ operations: [ Create, Describe, Read, Write ]
+ - name: policy-pdp-pap
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index fbaeda2a9e..26d5e0e31d 100644
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -173,6 +173,10 @@ policy-drools-pdp:
 db: *dbSecretsHook
 config:
 jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
+policy-opa-pdp:
+ enabled: true
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-distribution:
 enabled: true
 db: *dbSecretsHook |
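Review bot: `containerSecurityContext` runs the PDP as uid/gid 0 with `allowPrivilegeEscalation: true` and `runAsNonRoot: false`, so the policy engine — which only needs to read `/app/config`, `/app/bundles` and `/opt` — executes as root, while the `permissions` block in the same file already declares uid 100 / gid 102 for exactly those directories; the main container can run as that user once the init container keeps its own explicit root context for the `chown`. `securityContext.user_id`/`group_id` are also 0 and presumably feed `common.podSecurityContext`; if so they should move to the same values. `config:` is defined twice at top level (after `apiServer` and again after `metrics`) with identical content, which yamllint's `key-duplicates` rejects and most parsers resolve silently to the last one, so one copy should go. The `authorizedPrincipals` list (eighteen dcae-* accounts, oof, sdnc, strimzi) reads as copied from another component's values; every account on it gets mesh access to the decision API, so it should be cut down to the callers that actually query PDP-O. The shared `zb!XztG34` default for both credential sets and `loglevel: "debug"` are acceptable for a lab but should be marked as must-override, e.g. `# lab default – override via apiServer.credsExternalSecret`.

```yaml
containerSecurityContext:
  enabled: true
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 100   # same uid the init container chowns /opt and /var/log to (permissions.uid)
  runAsGroup: 102  # permissions.gid
```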
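Review bot: `policy-opa-pdp.enabled: true` switches the new PDP on for every install of the policy umbrella chart at its first image tag, `onap/policy-opa-pdp:1.0.0`, and the component's own values in this same change still run it as root and ship a fixed lab password. Until those defaults match the other PDPs it would be safer to ship `enabled: false` here, with a one-line comment such as `# PDP-O is new in this release; enable once its security defaults have been reviewed for your deployment`, or to state in the commit message why opt-out rather than opt-in was chosen.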