diff options
4 files changed, 86 insertions, 1 deletions
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index a6b434f43a..91f21ab0c9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2021 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -86,6 +87,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.dcaepolicysync" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.envsubst" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 386ba9b490..8a68f6dd9c 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2020 Orange -# Copyright © 2021 Nokia +# Copyright © 2021 Nokia, AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +34,7 @@ global: nginxImage: bitnami/nginx:1.18-debian-10 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 readinessImage: onap/oom/readiness:3.0.1 + dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -65,3 +66,4 @@ imageRepoMapping: nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository + dcaePolicySyncImage: repository diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 80b4cbc77b..9c9cc7074d 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -113,12 +114,21 @@ certificate information will include a server cert and key, in various formats. It will also include the AAF CA cert. If the microservice is a TLS client only (indicated by setting .Values.tlsServer to false), the certificate information includes only the AAF CA cert. + +Deployed POD may also include a Policy-sync sidecar container. +The sidecar is included if .Values.policies is set. The +Policy-sync sidecar polls PolicyEngine (PDP) periodically based +on .Values.policies.duration and configuration retrieved is shared with +DCAE Microservice container by common volume. Policy can be retrieved based on +list of policyID or filter */}} {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $logDir := default "" .Values.logDirectory -}} {{- $certDir := default "" .Values.certDirectory . -}} {{- $tlsServer := default "" .Values.tlsServer -}} +{{- $policy := default "" .Values.policies -}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -236,6 +246,10 @@ spec: - mountPath: {{ $certDir }} name: tls-info {{- end }} + {{- if $policy }} + - name: policy-shared + mountPath: /etc/policies + {{- end }} {{- if $logDir }} - image: {{ include "repositoryGenerator.image.logging" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -256,6 +270,53 @@ spec: name: filebeat-conf subPath: filebeat.yml {{- end }} + {{- if $policy }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: policy-sync + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: POLICY_SYNC_PDP_USER + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: login + - name: POLICY_SYNC_PDP_PASS + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: password + - name: POLICY_SYNC_PDP_URL + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + - name: POLICY_SYNC_OUTFILE + value : "/etc/policies/policies.json" + - name: POLICY_SYNC_V1_DECISION_ENDPOINT + value : "policy/pdpx/v1/decision" + {{- if $policy.filter }} + - name: POLICY_SYNC_FILTER + value: {{ $policy.filter }} + {{- end -}} + {{- if $policy.policyID }} + - name: POLICY_SYNC_ID + value: {{ $policy.policyID }} + {{- end -}} + {{- if $policy.duration }} + - name: POLICY_SYNC_DURATION + value: {{ $policy.duration }} + {{- end }} + resources: {{ include "common.resources" . | nindent 2 }} + volumeMounts: + - mountPath: /etc/policies + name: policy-shared + {{- if $certDir }} + - mountPath: /opt/ca-certificates/ + name: tls-info + {{- end }} + {{- end }} hostname: {{ include "common.name" . }} volumes: - configMap: @@ -279,6 +340,10 @@ spec: - emptyDir: {} name: tls-info {{- end }} + {{- if $policy }} + - name: policy-shared + emptyDir: {} + {{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index da6dc8f1fc..89cf13447a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +36,7 @@ filebeatConfig: tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 + ################################################################# # Application configuration defaults. ################################################################# @@ -84,6 +86,17 @@ service: - port: 9091 name: http +# Policy configuraiton properties +# if present, policy-sync side car will be deployed + +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#policies: +# duration: 300 +# policyID: | +# '["onap.vfirewall.tca","abc"]' +# filter: | +# '["DCAE.Config_vfirewall_.*"]' + aaiCreds: user: DCAE password: DCAE |