summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--kubernetes/aai/values.yaml10
-rw-r--r--kubernetes/common/cassandra/templates/backup/configmap.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/backup/cronjob.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/backup/pv.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/backup/pvc.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/cassOp.yaml19
-rw-r--r--kubernetes/common/cassandra/templates/configmap.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/ingress.yaml17
-rw-r--r--kubernetes/common/cassandra/templates/pv.yaml3
-rw-r--r--kubernetes/common/cassandra/templates/secrets.yaml21
-rw-r--r--kubernetes/common/cassandra/templates/service.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/servicemonitor.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/statefulset.yaml2
-rw-r--r--kubernetes/common/cassandra/values.yaml50
-rw-r--r--kubernetes/common/common/templates/_cassOp.tpl51
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml8
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml9
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml6
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-prh/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml6
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml4
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml7
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml6
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml5
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml17
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml4
-rw-r--r--kubernetes/sdc/components/sdc-cs/templates/job.yaml5
-rw-r--r--kubernetes/sdc/components/sdc-cs/values.yaml14
-rw-r--r--kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml5
-rw-r--r--kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml7
-rw-r--r--kubernetes/sdc/resources/config/cqlshrc2
-rw-r--r--kubernetes/sdc/templates/configmap.yaml13
-rw-r--r--kubernetes/sdc/values.yaml36
60 files changed, 1280 insertions, 18 deletions
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 87de5a3cba..c40dbe0d2d 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -41,6 +41,12 @@ global: # global defaults
#Service Name of the cassandra cluster to connect to.
#Override it to aai-cassandra if localCluster is enabled.
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: aai-cassandra-dc1-service
+ #in case the older cassandra installation is used:
serviceName: cassandra
#This should be same as shared cassandra instance or if localCluster is enabled
@@ -350,6 +356,10 @@ cassandra:
persistence:
mountSubPath: aai/cassandra
enabled: true
+ k8ssandraOperator:
+ enabled: false
+ config:
+ clusterName: aai-cassandra
readiness:
initialDelaySeconds: 10
diff --git a/kubernetes/common/cassandra/templates/backup/configmap.yaml b/kubernetes/common/cassandra/templates/backup/configmap.yaml
index 9bbc69ba04..b566b6107e 100644
--- a/kubernetes/common/cassandra/templates/backup/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/backup/configmap.yaml
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.backup.enabled }}
apiVersion: v1
kind: ConfigMap
@@ -28,3 +29,4 @@ data:
{{ tpl (.Files.Glob "resources/restore.sh").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/exec.py").AsConfig . | indent 2 }}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
index 27f3cc690d..e2f675a384 100644
--- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml
+++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
apiVersion: batch/v1beta1
kind: CronJob
metadata:
@@ -243,3 +245,4 @@ spec:
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-backup-data
{{- end -}}
+{{- end -}} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/backup/pv.yaml b/kubernetes/common/cassandra/templates/backup/pv.yaml
index 10c310077b..23e4551c10 100644
--- a/kubernetes/common/cassandra/templates/backup/pv.yaml
+++ b/kubernetes/common/cassandra/templates/backup/pv.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
{{- if eq "True" (include "common.needPV" .) -}}
---
@@ -39,3 +41,4 @@ spec:
{{- end -}}
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/backup/pvc.yaml b/kubernetes/common/cassandra/templates/backup/pvc.yaml
index 6fd53618bc..e60a1db510 100644
--- a/kubernetes/common/cassandra/templates/backup/pvc.yaml
+++ b/kubernetes/common/cassandra/templates/backup/pvc.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
---
kind: PersistentVolumeClaim
@@ -39,3 +41,4 @@ spec:
storageClassName: {{ include "common.storageClass" . }}
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml
new file mode 100644
index 0000000000..cb6ce4adc5
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/cassOp.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ include "common.k8ssandraCluster" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml
index ab08c82fef..8f2b39e1a1 100644
--- a/kubernetes/common/cassandra/templates/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.configOverrides }}
apiVersion: v1
kind: ConfigMap
@@ -25,3 +26,4 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/ingress.yaml b/kubernetes/common/cassandra/templates/ingress.yaml
new file mode 100644
index 0000000000..97d6155a09
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/ingress.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright (C) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.ingress" . }}
diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml
index a0d998cd07..8e2ad663c3 100644
--- a/kubernetes/common/cassandra/templates/pv.yaml
+++ b/kubernetes/common/cassandra/templates/pv.yaml
@@ -13,5 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
+{{- if not .Values.k8ssandraOperator.enabled }}
{{ include "common.replicaPV" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml
new file mode 100644
index 0000000000..b776caf6b6
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{/*
+# Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
+# Copyright © 2019-2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ include "common.secretFast" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml
index 8934d41c33..092c677812 100644
--- a/kubernetes/common/cassandra/templates/service.yaml
+++ b/kubernetes/common/cassandra/templates/service.yaml
@@ -14,4 +14,6 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{ include "common.headlessService" . }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml
index 5297e692d2..759586fcdb 100644
--- a/kubernetes/common/cassandra/templates/servicemonitor.yaml
+++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
+{{- end }}
{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml
index 43367ee542..2e73309bb7 100644
--- a/kubernetes/common/cassandra/templates/statefulset.yaml
+++ b/kubernetes/common/cassandra/templates/statefulset.yaml
@@ -14,6 +14,7 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
@@ -214,3 +215,4 @@ spec:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml
index 43ff171abb..13137a182b 100644
--- a/kubernetes/common/cassandra/values.yaml
+++ b/kubernetes/common/cassandra/values.yaml
@@ -22,6 +22,53 @@ global: # global defaults
backup:
mountPath: /dockerdata-nfs/backup
+k8ssandraOperator:
+ enabled: false
+ cassandraVersion: 4.0.1
+ persistence:
+ storageClassName: default
+ size: 10Gi
+ config:
+ clusterName: cassandra
+ secretName: &secretName cassandra-default-user
+ superuserName: &superusername cassandra
+ superuserPassword: &superuserpassword cassandra
+ casOptions:
+ authorizer: AllowAllAuthorizer
+ jvmOptions:
+ heapSize: 512M
+ hostNetwork: false
+ datacenters:
+ - name: dc1
+ size: 3
+ stargate:
+ tag: v1.0.76
+ size: 1
+ jvmOptions:
+ heapSize: 384Mi
+
+#################################################################
+# Secrets metaconfig
+# used to store the default superuser for k8ssandra-operator
+#################################################################
+secrets:
+ - uid: *secretName
+ type: genericKV
+ externalSecret: '{{ tpl (default "" .Values.k8ssandraOperator.config.userCredentialsExternalSecret) . }}'
+ envs:
+ - name: username
+ value: *superusername
+ - name: password
+ value: *superuserpassword
+
+ingress:
+ enabled: false
+ service:
+ - baseaddr: "reaper-dc1"
+ path: "/webui"
+ name: "cassandra-dc1-reaper-service"
+ port: 8080
+
# application image
image: cassandra:3.11.4
pullPolicy: Always
@@ -108,9 +155,6 @@ podManagementPolicy: OrderedReady
updateStrategy:
type: RollingUpdate
-ingress:
- enabled: false
-
persistence:
enabled: true
diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl
new file mode 100644
index 0000000000..f1fc75c5e5
--- /dev/null
+++ b/kubernetes/common/common/templates/_cassOp.tpl
@@ -0,0 +1,51 @@
+{{/* Cassandra Data Center. */}}
+{{- define "common.k8ssandraCluster" -}}
+{{- $global := .Values.global }}
+---
+apiVersion: k8ssandra.io/v1alpha1
+kind: K8ssandraCluster
+metadata:
+ name: {{ .Values.k8ssandraOperator.config.clusterName }}
+spec:
+ reaper:
+ containerImage:
+ registry: {{ include "repositoryGenerator.dockerHubRepository" . }}
+ heapSize: 512Mi
+ autoScheduling:
+ enabled: true
+ stargate:
+ containerImage:
+ registry: {{ include "repositoryGenerator.dockerHubRepository" . }}
+ tag: {{ .Values.k8ssandraOperator.stargate.tag }}
+ size: {{ .Values.k8ssandraOperator.stargate.size }}
+ heapSize: {{ .Values.k8ssandraOperator.stargate.jvmOptions.heapSize }}
+ cassandra:
+ serverVersion: {{ .Values.k8ssandraOperator.cassandraVersion }}
+ storageConfig:
+ cassandraDataVolumeClaimSpec:
+ storageClassName: {{ .Values.k8ssandraOperator.persistence.storageClassName }}
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.k8ssandraOperator.persistence.size }}
+ superuserSecretRef:
+ name: {{ include "common.fullname" . }}-{{ .Values.k8ssandraOperator.config.secretName }}
+ config:
+ {{ if .Values.k8ssandraOperator.config.casOptions -}}
+ cassandraYaml:
+ {{ toYaml .Values.k8ssandraOperator.config.casOptions | nindent 8 }}
+ {{- end }}
+ {{ if .Values.k8ssandraOperator.config.jvmOptions -}}
+ jvmOptions:
+ {{ toYaml .Values.k8ssandraOperator.config.jvmOptions | nindent 8 }}
+ {{- end }}
+ networking:
+ hostNetwork: {{ .Values.k8ssandraOperator.config.hostNetwork }}
+ datacenters:
+ {{- range $datacenter := .Values.k8ssandraOperator.datacenters }}
+ - metadata:
+ name: {{ $datacenter.name }}
+ size: {{ $datacenter.size }}
+ {{- end }}
+{{ end }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
index 7c6b3e9649..ee21e10109 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
@@ -125,6 +125,14 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-pm-mapper-read
+ - serviceAccount: message-router-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# Data Router Publisher Credentials
drPubscriberCreds:
username: username
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
index 06ff279207..31a24e82b9 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
@@ -67,6 +67,10 @@ service:
port: 8088
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Initial Application Configuration
applicationConfig:
FEEDER_ADDR: dl-feeder
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
index 9049e0a03c..12617e1405 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
@@ -78,6 +78,10 @@ service:
port: 1681
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
#postgres configuration
postgres:
config:
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
index 552e00cfbd..8c3fb48264 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
@@ -80,6 +80,15 @@ service:
port: 1680
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-datalake-admin-ui-read
+ - serviceAccount: dcae-datalake-des-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-datalake-des-read
+ - serviceAccount: dcae-datalake-feeder-read
+
credentials:
- name: PG_USER
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
index cc33dd144b..b7b6fe0562 100644
--- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
@@ -81,6 +81,13 @@ service:
port: 10002
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-heartbeat-read
+
credentials:
- name: HEARTBEAT_PG_USERNAME
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
index ab6d3f247c..9e123e1298 100644
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
@@ -115,6 +115,12 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# initial application configuration
applicationConfig:
logLevel: INFO
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
index ec05caaab3..a0a6fb9611 100644
--- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
@@ -76,6 +76,11 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Initial Application Configuration
applicationConfig:
trust_store_path: '/opt/app/kpims/etc/cert/trust.jks'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
index 3b47e7f70e..71a2d95eb0 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
@@ -31,6 +31,10 @@ service:
- port: 8080
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Label on DCAE microservice deployments
# (Used by healthcheck code to find deployments
# created after initial DCAE installation)
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
index 0c90e3ae87..6081d354db 100644
--- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
@@ -86,6 +86,11 @@ service:
plain_port: 8081
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Data Router Subscriber Credentials
drSubscriberCreds:
username: username
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
index f6782db6c6..90d7e16485 100644
--- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
@@ -82,6 +82,13 @@ service:
plain_port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-pmsh-read
+
# Initial Application Configuration
applicationConfig:
enable_tls: false
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
index 9a274153f2..a2cce37529 100644
--- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
@@ -73,6 +73,11 @@ service:
- port: 8100
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
aaiCreds:
user: AAI
password: AAI
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
index bed8f9cb3d..0a9203b908 100644
--- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
@@ -93,6 +93,12 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# AAF Credentials
controllerCreds:
username: access
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
index 065c19b222..6eda4836e6 100644
--- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
@@ -100,6 +100,13 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-slice-analysis-ms-read
+
credentials:
- name: PG_USERNAME
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
index 5c888db790..01d4316d46 100644
--- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
@@ -69,6 +69,10 @@ service:
nodePort: 70
useNodePortExt: true
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Initial Application Configuration
applicationConfig:
StormWatchPolicy: ''
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
index 037c5866e2..8eb55b4ed1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
@@ -94,6 +94,13 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-son-handler-read
+
# Credentials
cpsCreds:
identity: cps
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
index fcdcb525c5..191a5b1a7d 100644
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
@@ -74,6 +74,11 @@ service:
- port: 9091
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# mongoDB overrides
mongo:
nameOverride: dcae-mongo
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index 526d75077c..06eaba67fa 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -111,6 +111,12 @@ ingress:
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# application environments
applicationEnv:
CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
index ff1f7481e0..79581ad3fb 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
@@ -60,6 +60,11 @@ service:
port: 80
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# application environments
applicationEnv:
LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
index 2327ac310b..7a80433a70 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
@@ -27,6 +27,10 @@ service:
- name: &port http
port: *svc_port
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
schemaMap:
filename: "schema-map.json"
directory: "/app/mappings"
diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml
index 31ab047c7a..e8f8700616 100644
--- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml
@@ -64,6 +64,8 @@ spec:
mountPath: /home/sdc/chef-solo/environments/
- name: {{ include "common.fullname" . }}-chef-cache
mountPath: /home/sdc/chef-solo/cache
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: ENVNAME
value: {{ .Values.env.name }}
@@ -98,6 +100,9 @@ spec:
defaultMode: 0755
- name: {{ include "common.fullname" . }}-chef-cache
emptyDir: {}
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
restartPolicy: Never
diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml
index f58fca7a07..2f943d7c52 100644
--- a/kubernetes/sdc/components/sdc-cs/values.yaml
+++ b/kubernetes/sdc/components/sdc-cs/values.yaml
@@ -26,12 +26,22 @@ global:
#should be sdc-cs if this flag is enabled
localCluster: false
#The cassandra service name to connect to (default: shared cassandra service)
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: sdc-cs-dc1-service
+ #in case the older cassandra installation is used:
serviceName: cassandra
+
#Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
#to match with its own cluster replica
replicaCount: 3
clusterName: cassandra
+ #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod")
dataCenter: Pod
+ #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.* must be "3.4.5"
+ cqlVersion: "3.4.4"
#################################################################
# Application configuration defaults.
@@ -48,6 +58,10 @@ cassandra:
persistence:
mountSubPath: sdc/sdc-cs/CS
enabled: true
+ k8ssandraOperator:
+ enabled: false
+ config:
+ clusterName: sdc-cs
# application image
repository: nexus3.onap.org:10001
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
index 41996ff4cd..43a4902996 100644
--- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
@@ -65,6 +65,8 @@ spec:
volumeMounts:
- name: {{ include "common.fullname" . }}-environments
mountPath: /home/sdc/chef-solo/environments/
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: ENVNAME
value: {{ .Values.env.name }}
@@ -96,6 +98,9 @@ spec:
configMap:
name: {{ include "common.release" . }}-sdc-environments-configmap
defaultMode: 0755
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
restartPolicy: Never
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
index 9ba05b8631..b9abef8462 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
@@ -65,6 +65,9 @@ spec:
- /bin/sh
- -c
{{- end }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: CS_HOST
value: "{{ .Values.global.sdc_cassandra.serviceName }}"
@@ -78,6 +81,10 @@ spec:
valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}}
resources: {{ include "common.resources" . | nindent 10 }}
{{ include "common.waitForJobContainer" . | indent 6 | trim }}
+ volumes:
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end }}
diff --git a/kubernetes/sdc/resources/config/cqlshrc b/kubernetes/sdc/resources/config/cqlshrc
new file mode 100644
index 0000000000..cb6df94880
--- /dev/null
+++ b/kubernetes/sdc/resources/config/cqlshrc
@@ -0,0 +1,2 @@
+[cql]
+version={{.Values.global.sdc_cassandra.cqlVersion}} \ No newline at end of file
diff --git a/kubernetes/sdc/templates/configmap.yaml b/kubernetes/sdc/templates/configmap.yaml
index 712f2ecc61..dee73ba711 100644
--- a/kubernetes/sdc/templates/configmap.yaml
+++ b/kubernetes/sdc/templates/configmap.yaml
@@ -28,4 +28,17 @@ metadata:
data:
{{ tpl (.Files.Glob "resources/config/environments/*").AsConfig . | indent 2 }}
---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/cqlshrc").AsConfig . | indent 2 }}
+---
{{ include "common.log.configMap" . }}
diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index cba33628c3..955ac4b46e 100644
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml
@@ -26,20 +26,28 @@ global:
keystore_password: PyhrUCFZdXIhWyohWTUhRV5mKFpLYzMx
wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
sdc_cassandra:
- #This flag allows SDC to instantiate its own cluster, serviceName
- #should be "sdc-cs" if this flag is enabled
- localCluster: false
- #The cassandra service name to connect to (default: shared cassandra service)
- serviceName: cassandra
- #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
- #to match with its own cluster replica
- #see "cassandra: replicaCount" in file sdc-cs/values.yaml)
- replicaCount: 3
- dbCache: true
- readConsistencyLevel: ONE
- writeConsistencyLevel: ALL
- clusterName: cassandra
- dataCenter: Pod
+ #This flag allows SDC to instantiate its own cluster, serviceName
+ #should be "sdc-cs" if this flag is enabled
+ localCluster: false
+ #The cassandra service name to connect to (default: shared cassandra service)
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case the older cassandra installation is used:
+ serviceName: cassandra
+ #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
+ #to match with its own cluster replica
+ #see "cassandra: replicaCount" in file sdc-cs/values.yaml)
+ replicaCount: 3
+ dbCache: true
+ readConsistencyLevel: ONE
+ writeConsistencyLevel: ALL
+ clusterName: cassandra
+ #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod")
+ dataCenter: Pod
+ #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.* must be "3.4.5"
+ cqlVersion: "3.4.4"
+
centralizedLoggingEnabled: true
# global Kafka config passed to sdc-be chart
kafka: