-rw-r--r--archive/policy/components/policy-gui/Chart.yaml32
-rw-r--r--archive/policy/components/policy-gui/resources/config/application.yml19
-rw-r--r--archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml59
-rw-r--r--archive/policy/components/policy-gui/resources/config/logback.xml118
-rw-r--r--archive/policy/components/policy-gui/templates/NOTES.txt38
-rw-r--r--archive/policy/components/policy-gui/templates/authorizationpolicy.yaml17
-rw-r--r--archive/policy/components/policy-gui/templates/configmap.yaml34
-rw-r--r--archive/policy/components/policy-gui/templates/deployment.yaml127
-rw-r--r--archive/policy/components/policy-gui/templates/ingress.yaml21
-rw-r--r--archive/policy/components/policy-gui/templates/secrets.yaml21
-rw-r--r--archive/policy/components/policy-gui/templates/service.yaml21
-rw-r--r--archive/policy/components/policy-gui/values.yaml130
-rw-r--r--kubernetes/authentication/Chart.yaml2
-rw-r--r--kubernetes/authentication/README.md299
-rw-r--r--kubernetes/authentication/templates/_utils.tpl122
-rw-r--r--kubernetes/authentication/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/authentication/templates/requestauthentication.yaml2
-rw-r--r--kubernetes/authentication/values.yaml63
-rwxr-xr-xkubernetes/policy/Chart.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/Chart.yaml4
-rw-r--r--kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml9
-rw-r--r--kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml1
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/values.yaml10
-rwxr-xr-xkubernetes/policy/components/policy-api/Chart.yaml4
-rw-r--r--kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-api/templates/configmap.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-api/templates/deployment.yaml19
-rwxr-xr-xkubernetes/policy/components/policy-api/values.yaml16
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml19
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml42
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml12
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml4
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml1
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml19
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml42
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml12
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml19
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml1
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml12
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml19
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml32
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml76
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml12
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml1
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml19
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml42
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml12
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml4
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml20
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml15
-rwxr-xr-xkubernetes/policy/components/policy-distribution/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-distribution/templates/deployment.yaml19
-rwxr-xr-xkubernetes/policy/components/policy-distribution/values.yaml11
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/templates/service.yaml1
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml19
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/values.yaml11
-rwxr-xr-xkubernetes/policy/components/policy-nexus/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-nexus/templates/deployment.yaml4
-rwxr-xr-xkubernetes/policy/components/policy-nexus/templates/service.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-nexus/values.yaml5
-rwxr-xr-xkubernetes/policy/components/policy-pap/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-pap/templates/deployment.yaml22
-rwxr-xr-xkubernetes/policy/components/policy-pap/values.yaml12
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml68
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/templates/service.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/values.yaml15
-rwxr-xr-xkubernetes/policy/templates/job.yaml71
-rw-r--r--kubernetes/policy/templates/policy-kafka-user.yaml13
-rwxr-xr-xkubernetes/policy/values.yaml5
-rw-r--r--kubernetes/uui/Chart.yaml5
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/.helmignore21
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/Chart.yaml35
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql23
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh31
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml31
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml74
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml82
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml17
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml17
-rw-r--r--kubernetes/uui/components/uui-llm-adaptation/values.yaml126
101 files changed, 2155 insertions, 276 deletions
diff --git a/archive/policy/components/policy-gui/Chart.yaml b/archive/policy/components/policy-gui/Chart.yaml
new file mode 100644
index 0000000000..28972b59b0
--- /dev/null
+++ b/archive/policy/components/policy-gui/Chart.yaml
@@ -0,0 +1,32 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2021, 2024 Nordix Foundation
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy GUI
+name: policy-gui
+version: 14.0.0
+
+dependencies:
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
diff --git a/archive/policy/components/policy-gui/resources/config/application.yml b/archive/policy/components/policy-gui/resources/config/application.yml
new file mode 100644
index 0000000000..f81a1b452a
--- /dev/null
+++ b/archive/policy/components/policy-gui/resources/config/application.yml
@@ -0,0 +1,19 @@
+server:
+ port: 2443
+ ssl:
+ enabled: false
+
+clamp:
+ url:
+ disable-ssl-validation: true
+ disable-ssl-hostname-check: true
+
+apex-editor:
+ upload-url:
+ upload-userid:
+
+management:
+ endpoints:
+ web:
+ exposure:
+ include: health, metrics, prometheus
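Review bot: `disable-ssl-validation: true` and `disable-ssl-hostname-check: true` under `clamp.url` switch off certificate and hostname verification for the GUI's outbound calls to CLAMP, so even if that hop is TLS the peer is never authenticated; together with `server.ssl.enabled: false` the GUI itself also listens in plaintext on 2443. If this is intentional because transport security is delegated to the mesh (the chart does ship an AuthorizationPolicy template), that assumption should be written down next to the flags, e.g. `# TLS verification is disabled because in-cluster traffic is protected by the service mesh; do not reuse outside it`, and ideally the two flags should be driven from values rather than hard-coded so a non-mesh deployment can turn them back on. The `management.endpoints.web.exposure.include` list also publishes `metrics` and `prometheus` on the same unauthenticated port; if that is acceptable for the mesh case a one-line comment saying so would help the next reader. Note that `upload-url:` and `upload-userid:` are bare keys and parse as null, which is presumably the intended "unset" state — worth confirming against the application's defaults.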
diff --git a/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml b/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml
new file mode 100644
index 0000000000..0b3951726b
--- /dev/null
+++ b/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml
@@ -0,0 +1,59 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+filebeat.prospectors:
+#it is mandatory, in our case it's log
+- input_type: log
+ #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory.
+ paths:
+ - /var/log/onap/*/*/*/*.log
+ - /var/log/onap/*/*/*.log
+ - /var/log/onap/*/*.log
+ #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive
+ ignore_older: 48h
+ # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit
+ clean_inactive: 96h
+
+# Name of the registry file. If a relative path is used, it is considered relative to the
+# data path. Else full qualified file name.
+#filebeat.registry_file: ${path.data}/registry
+
+
+output.logstash:
+ #List of logstash server ip addresses with port number.
+ #But, in our case, this will be the loadbalancer IP address.
+ #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately.
+ hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"]
+ #If enable will do load balancing among availabe Logstash, automatically.
+ loadbalance: true
+
+ #The list of root certificates for server verifications.
+ #If certificate_authorities is empty or not set, the trusted
+ #certificate authorities of the host system are used.
+ #ssl.certificate_authorities: $ssl.certificate_authorities
+
+ #The path to the certificate for SSL client authentication. If the certificate is not specified,
+ #client authentication is not available.
+ #ssl.certificate: $ssl.certificate
+
+ #The client certificate key used for client authentication.
+ #ssl.key: $ssl.key
+
+ #The passphrase used to decrypt an encrypted key stored in the configured key file
+ #ssl.key_passphrase: $ssl.key_passphrase
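Review bot: The `output.logstash` section ships every log line to `{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}` with all four `ssl.*` keys commented out, so there is neither server verification nor client authentication on the log path; given the TRACE-level logging configured for this component, those logs can carry request details and should not cross the network in the clear. Either template the keys from values (e.g. `ssl.certificate_authorities: ["{{ .Values.config.log.logstashCA }}"]`) or add a comment such as `# plaintext output: relies on the service mesh for transport security` so the trust assumption is explicit. `filebeat.prospectors` appears to be the legacy spelling of the input section (newer Filebeat releases use `filebeat.inputs`); if this chart is pinned to an older Filebeat image that is fine, otherwise it may be silently ignored — worth confirming against the sidecar image version.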
diff --git a/archive/policy/components/policy-gui/resources/config/logback.xml b/archive/policy/components/policy-gui/resources/config/logback.xml
new file mode 100644
index 0000000000..c20df8329d
--- /dev/null
+++ b/archive/policy/components/policy-gui/resources/config/logback.xml
@@ -0,0 +1,118 @@
+<!--
+ ============LICENSE_START=======================================================
+ policy-gui
+ ================================================================================
+ Copyright (C) 2021-2022 Nordix Foundation.
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
+ -->
+
+<configuration scan="true" scanPeriod="30 seconds" debug="false">
+ <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>TRACE</level>
+ </filter>
+ <encoder>
+ <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n
+ </pattern>
+ </encoder>
+ </appender>
+
+ <appender name="ERROR" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${POLICY_LOGS}/error.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
+ <fileNamePattern>${POLICY_LOGS}/error.%d{yyyy-MM-dd}.%i.log.zip
+ </fileNamePattern>
+ <maxFileSize>50MB</maxFileSize>
+ <maxHistory>30</maxHistory>
+ <totalSizeCap>10GB</totalSizeCap>
+ </rollingPolicy>
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>TRACE</level>
+ </filter>
+ <encoder>
+ <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern>
+ </encoder>
+ </appender>
+
+ <appender name="asyncError" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="ERROR" />
+ </appender>
+
+ <appender name="DEBUG" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${POLICY_LOGS}/debug.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
+ <fileNamePattern>${POLICY_LOGS}/debug.%d{yyyy-MM-dd}.%i.log.zip
+ </fileNamePattern>
+ <maxFileSize>50MB</maxFileSize>
+ <maxHistory>30</maxHistory>
+ <totalSizeCap>10GB</totalSizeCap>
+ </rollingPolicy>
+ <encoder>
+ <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern>
+ </encoder>
+ </appender>
+
+ <appender name="asyncDebug" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="DEBUG" />
+ </appender>
+
+ <appender name="NETWORK" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${POLICY_LOGS}/network.log</file>
+ <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
+ <fileNamePattern>${POLICY_LOGS}/network.%d{yyyy-MM-dd}.%i.log.zip
+ </fileNamePattern>
+ <maxFileSize>50MB</maxFileSize>
+ <maxHistory>30</maxHistory>
+ <totalSizeCap>10GB</totalSizeCap>
+ </rollingPolicy>
+ <encoder>
+ <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern>
+ </encoder>
+ </appender>
+
+ <appender name="asyncNetwork" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="NETWORK" />
+ </appender>
+
+ <logger name="network" level="TRACE" additivity="false">
+ <appender-ref ref="asyncNetwork" />
+ </logger>
+
+ <logger name="org.apache" level="TRACE" additivity="false">
+ <appender-ref ref="DEBUG" />
+ </logger>
+
+ <!-- Spring related loggers -->
+ <logger name="org.springframework" level="TRACE" additivity="false">
+ <appender-ref ref="DEBUG" />
+ </logger>
+
+ <!-- GUI related loggers -->
+ <logger name="org.onap.policy.gui" level="TRACE" additivity="false">
+ <appender-ref ref="ERROR" />
+ <appender-ref ref="DEBUG" />
+ </logger>
+
+ <!-- logback internals logging -->
+ <logger name="ch.qos.logback.classic" level="INFO" />
+ <logger name="ch.qos.logback.core" level="INFO" />
+
+ <root level="TRACE">
+ <appender-ref ref="asyncDebug" />
+ <appender-ref ref="asyncError" />
+ <appender-ref ref="asyncNetwork" />
+ <appender-ref ref="STDOUT" />
+ </root>
+</configuration>
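Review bot: The `ERROR` appender carries a `ThresholdFilter` at level `TRACE`, so `error.log` accepts every event it is sent rather than only errors; since `asyncError` is attached to a `TRACE` root, `error.log` becomes a full duplicate of `debug.log` and the name is misleading for anyone triaging an incident. The filter should read `<level>ERROR</level>` (or `WARN` if warnings are wanted there). Separately, the root logger and the `org.springframework` / `org.apache` loggers are all at `TRACE`, which in a GUI that fronts the policy APIs is likely to record request and header content; if that is deliberate for the archived chart, a comment such as `<!-- TRACE by default: review before exposing outside a lab -->` above `<root level="TRACE">` would make it explicit. The three appenders each allow a 10GB `totalSizeCap` on the same log directory, which is an `emptyDir` with no `sizeLimit` in the accompanying deployment — a node-disk pressure risk that the caps do not bound by themselves.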
diff --git a/archive/policy/components/policy-gui/templates/NOTES.txt b/archive/policy/components/policy-gui/templates/NOTES.txt
new file mode 100644
index 0000000000..e44f333e11
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/NOTES.txt
@@ -0,0 +1,38 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+ http://{{ . }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit https://127.0.0.1:8443 to use your application"
+ kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }}
+{{- end }}
diff --git a/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml b/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..7158c0263f
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }} \ No newline at end of file
diff --git a/archive/policy/components/policy-gui/templates/configmap.yaml b/archive/policy/components/policy-gui/templates/configmap.yaml
new file mode 100644
index 0000000000..9426b0f54f
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/configmap.yaml
@@ -0,0 +1,34 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/*.{xml,yaml,yml}").AsConfig . | indent 2 }}
+
+{{ include "common.log.configMap" . }}
diff --git a/archive/policy/components/policy-gui/templates/deployment.yaml b/archive/policy/components/policy-gui/templates/deployment.yaml
new file mode 100644
index 0000000000..a236d5f558
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/deployment.yaml
@@ -0,0 +1,127 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021-2022 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers:
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: POLICY_LOGS
+ value: {{ .Values.log.path }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: policy-gui-config
+ - mountPath: /config
+ name: policy-gui-config-processed
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ - command:
+ - /app/ready.py
+ args:
+ - --service-name
+ - policy-clamp-runtime-acm
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "500Mi"
+ requests:
+ cpu: "3m"
+ memory: "20Mi"
+ containers:
+ # side car containers
+ {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }}
+ # main container
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/opt/app/policy/gui/bin/policy-gui.sh"]
+ env:
+ - name: CLAMP_URL
+ value: http://policy-clamp-runtime-acm:6969
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+ - name: logs
+ mountPath: {{ .Values.log.path }}
+ - mountPath: /opt/app/policy/gui/etc/application.yml
+ name: policy-gui-config-processed
+ subPath: application.yml
+ - mountPath: /opt/app/policy/gui/etc/logback.xml
+ name: policy-gui-config-processed
+ subPath: logback.xml
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: {{ include "common.fullname" . }}-config
+ configMap:
+ name: {{ include "common.fullname" . }}
+ - name: logs
+ emptyDir: {}
+ {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }}
+ - name: policy-gui-config
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap
+ defaultMode: 0755
+ - name: policy-gui-config-processed
+ emptyDir:
+ medium: Memory
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
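Review bot: The `policy-gui-config` volume sets `defaultMode: 0755` on a ConfigMap that holds only `application.yml` and `logback.xml`, making configuration files world-executable for no reason; `defaultMode: 0444` (or 0440) is sufficient since the envsubst init container only reads them and writes the processed copies to the in-memory volume. The first entry in `volumes`, `{{ include "common.fullname" . }}-config`, references a ConfigMap named `{{ include "common.fullname" . }}` that this chart does not create (the template creates `{{ include "common.fullname" . }}-configmap`) and that no container mounts; unless a ConfigMap by that name exists elsewhere, the kubelet will presumably fail to set up the pod, so the entry looks like a leftover and should be removed. `CLAMP_URL` is hard-coded to `http://policy-clamp-runtime-acm:6969`, which mirrors the disabled TLS checks in `application.yml`; it would be clearer as a value (`value: {{ .Values.config.clampUrl }}`) so the scheme and host are not buried in the template. No `securityContext` is set on the pod or the main container; if the base image already runs as a non-root user a short comment saying so would save the next reviewer from checking.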
diff --git a/archive/policy/components/policy-gui/templates/ingress.yaml b/archive/policy/components/policy-gui/templates/ingress.yaml
new file mode 100644
index 0000000000..e3dd7cb0f6
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/ingress.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.ingress" . }}
diff --git a/archive/policy/components/policy-gui/templates/secrets.yaml b/archive/policy/components/policy-gui/templates/secrets.yaml
new file mode 100644
index 0000000000..2af7fae2d9
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/archive/policy/components/policy-gui/templates/service.yaml b/archive/policy/components/policy-gui/templates/service.yaml
new file mode 100644
index 0000000000..36406228d5
--- /dev/null
+++ b/archive/policy/components/policy-gui/templates/service.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/archive/policy/components/policy-gui/values.yaml b/archive/policy/components/policy-gui/values.yaml
new file mode 100644
index 0000000000..1533f823a9
--- /dev/null
+++ b/archive/policy/components/policy-gui/values.yaml
@@ -0,0 +1,130 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021-2022 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global: # global defaults
+ nodePortPrefix: 304
+ centralizedLoggingEnabled: true
+
+subChartsOnly:
+ enabled: true
+
+flavor: small
+
+# application image
+image: onap/policy-gui:3.1.3
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# log configuration
+log:
+ path: /var/log/onap/policy/gui
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+config:
+ log:
+ logstashServiceName: log-ls
+ logstashPort: 5044
+ dataRootDir: /dockerdata-nfs
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 120
+ periodSeconds: 10
+ timeoutSeconds: 3
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 3
+
+service:
+ type: NodePort
+ name: policy-gui
+ internalPort: 2443
+ ports:
+ - name: http
+ port: 2443
+ nodePort: 43
+
+ # see https://wiki.onap.org/display/DW/OOM+NodePort+List
+
+ingress:
+ enabled: false
+ service:
+ - baseaddr: "policy-ui"
+ name: "policy-gui"
+ port: 2443
+ config:
+ ssl: "redirect"
+
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
+ #resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ #
+ # Example:
+ # Configure resource requests and limits
+ # ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # Minimum memory for development is 2 CPU cores and 4GB memory
+ # Minimum memory for production is 4 CPU cores and 8GB memory
+resources:
+ small:
+ limits:
+ cpu: "1"
+ memory: "700Mi"
+ requests:
+ cpu: "0.5"
+ memory: "700Mi"
+ large:
+ limits:
+ cpu: "2"
+ memory: "1.4Gi"
+ requests:
+ cpu: "1"
+ memory: "1.4Gi"
+ unlimited: {}
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: policy-gui
+ roles:
+ - read
diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml
index a3ac43c4e7..e8400aeb81 100644
--- a/kubernetes/authentication/Chart.yaml
+++ b/kubernetes/authentication/Chart.yaml
@@ -16,7 +16,7 @@
# limitations under the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-version: 14.0.0
+version: 14.0.1
description: ONAP Realm creation, Oauth2Proxy installation and configuration
name: authentication
sources:
diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md
index 75d8f05ebd..4907a1d9f1 100644
--- a/kubernetes/authentication/README.md
+++ b/kubernetes/authentication/README.md
@@ -1,7 +1,29 @@
-TBD: Description about settings...
+# Helm Chart for Authentication Application
+This component delivers:
-```
+- Keycloak Realm creation and import
+- (Optionally) creation of AuthenticationPolicies for Ingress to enable
+ OAuth Authentication and RoleBased access to Ingress APIs and UIs
+
+## REALM Configuration settings
+
+- In the configuration section "realmSettings" multiple REALMs can be configured
+- Each REALM configuration has the following sections:
+ - [General REALM settings](#general-realm-settings)
+ - [CLIENT definitions](#client-definitions)
+ - (optional) [CLIENT SCOPE definitions](#client-scope-definitions)
+ - (optional) [Access control definitions](#access-control-definitions)
+ - (optional) [GROUP definitions](#group-definitions)
+ - (optional) [USER definitions](#user-definitions)
+ - (optional) [IDENTITY PROVIDER definitions](#identity-provider-and-mapper-definitions)
+ - (optional) [SMTP server definitions](#smtp-server-definitions)
+
+### General REALM settings
+
+This sections sets the realm general attributes shown in Keycloak
+
+```yaml
realmSettings:
- name: <Realm ID> - unique ID for a realm (e.g. "ONAP")
displayName: <Display Name> - (optional) Keycloak Display Name (e.g. "ONAP Realm")
@@ -10,45 +32,274 @@ realmSettings:
admin: <admin theme> - (optional) Keycloak Theme for Admin UI (e.g. "base")
account: <account theme> - (optional) Keycloak Theme for Account UI (e.g. "base")
email: <email theme> - (optional) Keycloak Theme for Email UI (e.g. "base")
- groups: - (optional) Group definitions
- - name: <group name> - Group name
- path: /path> - Group URL path
- realmRoles: [ <role>,... ] - (optional) List of Realm roles
- initialUsers: - (optional) List of initial users
- - username: <user name> - Name of the User
- password: <password> - Initial Password
- email: <email> - Email Address
- firstName: <first name> - (optional) First Name
- lastName: <last name> - (optional) Last Name
- groups: - (optional) group membership
- - <group name>
+ attributes:
+ frontendUrl: "<Keycloak URL>" - External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/")
```
-```
+### CLIENT definitions
+
+In this section each realm authentication client is defined e.g. portal-bff, oauth2-proxy, grafana
+
+possible "attribute" settings (maybe more):
+ - id.token.as.detached.signature: "false"
+ - exclude.session.state.from.auth.response: "false"
+ - tls.client.certificate.bound.access.tokens: "false"
+ - saml.allow.ecp.flow: "false"
+ - saml.assertion.signature: "false"
+ - saml.force.post.binding: "false"
+ - saml.multivalued.roles: "false"
+ - saml.encrypt: "false"
+ - saml.server.signature: "false"
+ - saml.server.signature.keyinfo.ext: "false"
+ - saml.artifact.binding: "false"
+ - saml_force_name_id_format: "false"
+ - saml.client.signature: "false"
+ - saml.authnstatement: "false"
+ - saml.onetimeuse.condition: "false"
+ - oidc.ciba.grant.enabled: "false"
+ - frontchannel.logout.session.required: "true"
+ - backchannel.logout.session.required: "true"
+ - backchannel.logout.revoke.offline.tokens: "false"
+ - client_credentials.use_refresh_token: "false"
+ - acr.loa.map: "{}"
+ - require.pushed.authorization.requests: "false"
+ - oauth2.device.authorization.grant.enabled: "false"
+ - display.on.consent.screen: "false"
+ - token.response.type.bearer.lower-case: "false"
+ - use.refresh.tokens: "true"
+ - post.logout.redirect.uris: '<url>'
+
+```yaml
clients:
oauth2_proxy:
- clientId: "oauth2-proxy-onap"
- name: "Oauth2 Proxy"
- secret: 5YSOkJz99WHv8enDZPknzJuGqVSerELp
- protocol: openid-connect
- portal_app:
- clientId: "portal-app"
+ clientId: "<client ID>" - client ID
+ name: "<client name>" - (optional) client name
+ secret: <client secret> - (optional) client secret
+ clientAuthenticatorType: <type> - (optional) auth type (default: client-secret)
+ protocol: <protocol> - (optional) auth protocol (default: openid-connect)
+ description: "<description>" - (optional) client description
+ baseUrl: "<base path>" - (optional) url subpath (e.g. /application)
+ rootUrl: "<root URL>" - (optional) root url
+ adminUrl: "<admin URL>" - (optional) admin url
+ bearerOnly: "<false|true>" - (optional) bearerOnly (default: false)
+ consentRequired: "<false|true>" - (optional) consentRequired (default: false)
+ standardFlowEnabled: "<false|true>" - (optional) standardFlowEnabled (default: true)
+ implicitFlowEnabled: "<false|true>" - (optional) implicitFlowEnabled (default: false)
+ directAccessGrantsEnabled: "<false|true>" - (optional) directAccessGrantsEnabled (default: true)
+ serviceAccountsEnabled: "<false|true>" - (optional) serviceAccountsEnabled (default: false)
+ frontchannelLogout: "<false|true>" - (optional) frontend channel logout (default: true)
+ surrogateAuthRequired: "<false|true>" - (optional) surrogate Auth Required (default: false)
+ publicClient: "<false|true>" - (optional) public Client (default: false)
+ attributes: - (optional) attributes settings (see code)
+ post.logout.redirect.uris: '<url>' - example
+ protocolMappers: - (optional) protocol mappers
+ - name: "Audience for Oauth2Proxy" - examples
+ protocolMapper: "oidc-audience-mapper"
+ config:
+ included.client.audience: "oauth2-proxy-onap"
+ id.token.claim: "false"
+ access.token.claim: "true"
+ included.custom.audience: "oauth2-proxy-onap"
+ - name: "SDC-User"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ config:
+ multivalued: "false"
+ userinfo.token.claim: "true"
+ user.attribute: "sdc_user"
+ id.token.claim: "true"
+ access.token.claim: "true"
+ claim.name: "sdc_user"
+ jsonType.label: "String"
+ additionalDefaultScopes:
+ - "onap_roles"
redirectUris:
- "https://portal-$PARAM_BASE_URL/*"
- "http://localhost/*"
- protocol: openid-connect
+ webOrigins:
+ - "https://argocd-$PARAM_BASE_URL"
+ defaultClientScopes:
+ - "web-origins"
+ - "profile"
+ - "acr"
+ - "email"
+ - "roles"
+ - "groups"
```
+### CLIENT SCOPE definitions
+
+Here additional scopes besides the default scopes can be defined and set as default client scope
+
+default scopes:
+
+ - roles
+ - groups
+ - acr
+ - profile
+ - address
+ - web-origin
+ - phone
+ - email
+ - offline_access
+ - role_list
+ - microprofile-jwt
+
+```yaml
+ defaultClientScopes:
+ - "onap_roles"
+ additionalClientScopes:
+ - name: onap_roles
+ description: OpenID Connect scope for add user onap roles to the access token
+ protocolMappers:
+ - name: aud
+ protocol: openid-connect
+ protocolMapper: oidc-audience-mapper
+ consentRequired: false
+ config:
+ included.client.audience: oauth2-proxy
+ id.token.claim: 'false'
+ access.token.claim: 'true'
+ - name: client roles
+ protocol: openid-connect
+ protocolMapper: oidc-usermodel-client-role-mapper
+ consentRequired: false
+ config:
+ multivalued: 'true'
+ userinfo.token.claim: 'false'
+ id.token.claim: 'true'
+ access.token.claim: 'true'
+ claim.name: onap_roles
+ jsonType.label: String
+ usermodel.clientRoleMapping.clientId: oauth2-proxy
```
+
+### Access control definitions
+
+In this section additional roles (assignableRoles) besides the default roles can be set.
+
+default roles:
+ - user
+ - admin
+ - offline_access
+ - uma_authorization
+ - default-roles-<realm>
+
+(optional) accessRoles can be defined.
+These access roles are used in the Ingress "Auhorization Policy" to restrict the access to certain services
+The access role is assigned to a realm client (e.g. oauth2_proxy)
+
+```yaml
accessControl:
assignableRoles:
- name: onap-operator-read
description: "Allows to perform GET operations for all ONAP components"
- associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ]
-
+ associatedAccessRoles: [ "dmaap-bc-api-read", ... ]
accessRoles:
"oauth2_proxy":
- name: dmaap-bc-api-read
methodsAllowed: ["GET"]
servicePrefix: dmaap-bc-api
+```
+
+### GROUP definitions
+
+```yaml
+ groups: - (optional) Group definitions
+ - name: <group name> - Group name
+ path: /path> - Group URL path
+ roles: [ <role>,... ] - (optional) List of Realm roles
+```
+
+### USER definitions
+
+```yaml
+ initialUsers: - (optional) List of initial users
+ - username: <user name> - Name of the User
+ firstName: <first name> - (optional) First Name
+ lastName: <last name> - (optional) Last Name
+ email: <email> - (optional) Email Address
+ emailVerified : <true|false>- (optional)Email verified
+ credentials: - (optional) credentials
+ - type: password - (optional) initial password (<pwd>: encrypted password, <salt>: used salt)
+ secretData: "{\"value\":\"<pwd>\",\"salt\":\"<salt>\"}"
+ credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"
+ attributes: - (optional) additional attributes
+ sdc_user: - example attribute
+ - "cs0008"
+ realmRoles: - (optional) assigned realm roles
+ - <role name>
+ groups: - (optional) group membership
+ - <group name>
+```
+
+### Identity Provider and Mapper definitions
+
+```yaml
+ identityProviders:
+ - name: "gitlab"
+ displayName: "gitlab"
+ config:
+ userInfoUrl: "https://gitlab.devops.telekom.de/oauth/userinfo"
+ validateSignature: "true"
+ clientId: "ee4e0db734157e9cdad16733656ba285f2f813354aa7c590a8693e48ed156860"
+ tokenUrl: "https://gitlab.devops.telekom.de/oauth/token"
+ jwksUrl: "https://gitlab.devops.telekom.de/oauth/discovery/keys"
+ issuer: "https://gitlab.devops.telekom.de"
+ useJwksUrl: "true"
+ authorizationUrl: "https://gitlab.devops.telekom.de/oauth/authorize"
+ clientAuthMethod: "client_secret_post"
+ syncMode: "IMPORT"
+ clientSecret: "gloas-35267790bf6fb7c4b507aea11db46d80174cb8ef4192e77424803b595eef735e"
+ defaultScope: "openid read_user email"
+ identityProviderMappers:
+ - name: "argo-admins"
+ identityProviderAlias: "gitlab"
+ identityProviderMapper: "oidc-advanced-group-idp-mapper"
+ config:
+ claims: "[{\"key\":\"groups_direct\",\"value\":\"dt-rc\"}]"
+ syncMode: "FORCE"
+ group: "/ArgoCDAdmins"
+ - name: "ArgoCDRestricted"
+ identityProviderAlias: "gitlab"
+ identityProviderMapper: "oidc-advanced-group-idp-mapper"
+ config:
+ claims: "[{\"key\":\"groups_direct\",\"value\":\"\"}]"
+ syncMode: "FORCE"
+ group: "/ArgoCDRestricted"
+ - name: "lastName "
+ identityProviderAlias: "gitlab"
+ identityProviderMapper: "oidc-user-attribute-idp-mapper"
+ config:
+ claim: "nickname"
+ syncMode: "FORCE"
+ user.attribute: "lastName"
+```
+
+### SMTP Server definitions
+
+```yaml
+ smtpServer:
+ password: "EYcQE44+AEYcQE44A!"
+ starttls: "true"
+ auth: "true"
+ port: "587"
+ host: "mailauth.telekom.de"
+ from: "dl_t-nap_support@telekom.de"
+ fromDisplayName: "tnapsupport"
+ ssl: "false"
+ user: "tnapsupport"
+```
+
+## Ingress Authentication settings
+
+Activating the Ingress Authentication (enabled: true) will create AuthorizationPolicy resources for each defined "accessControl.accessRoles" in a REALM definition.
+
+```
+ingressAuthentication:
+ enabled: false
+ exceptions:
+ - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}'
+ - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}'
+ - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}'
+ - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}'
``` \ No newline at end of file
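Review bot: The identity-provider and SMTP examples appear to carry real credentials and operator hostnames rather than placeholders — a 64-hex `clientId`, a `gloas-`-prefixed `clientSecret`, an SMTP `password`, and `telekom.de` hosts and a support mailbox — in a README that ships with the chart; they should be replaced with `<client id>`-style placeholders like the rest of the document, and if any of them are live they need rotating independently of this commit. The mapper `name: "lastName "` also carries a trailing space that becomes part of the Keycloak mapper name when the example is copied. The fenced `ingressAuthentication` block at the end is the only one without a `yaml` language tag. This is the second README hunk; the first starts at the file header above.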
diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl
index 0cdcd7955a..806f96164a 100644
--- a/kubernetes/authentication/templates/_utils.tpl
+++ b/kubernetes/authentication/templates/_utils.tpl
@@ -45,6 +45,7 @@ enabled: true
{{ include "auth._users" $realm }}
{{ include "auth._identity" $realm }}
{{ include "auth._identityMapper" $realm }}
+{{ include "auth._smtpServer" $realm }}
{{ include "auth._attributes" (dict "dot" $dot "realm" $realm) }}
{{- end -}}
@@ -142,84 +143,60 @@ Usage:
clients:
{{- range $index, $client := $realm.clients }}
- clientId: "{{ $client.clientId }}"
+ {{- if $client.name }}
name: "{{ $client.name }}"
- description: "{{ default "" $client.description }}"
+ {{- end }}
+ {{- if $client.description }}
+ description: "{{ $client.description }}"
+ {{- end }}
{{- if $client.rootUrl }}
rootUrl: {{ tpl $client.rootUrl $dot }}
- {{- else }}
- rootUrl: ""
{{- end }}
{{- if $client.adminUrl }}
adminUrl: {{ tpl $client.adminUrl $dot }}
- {{- else }}
- adminUrl: ""
{{- end }}
{{- if $client.baseUrl }}
baseUrl: {{ tpl $client.baseUrl $dot }}
- {{- else }}
- baseUrl: ""
{{- end }}
- surrogateAuthRequired: false
+ surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }}
enabled: true
alwaysDisplayInConsole: false
- clientAuthenticatorType: "client-secret"
- secret: "{{ default "" $client.secret }}"
+ clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }}
+ {{- if $client.secret }}
+ secret: "{{ $client.secret }}"
+ {{- end }}
+ {{- if $client.redirectUris }}
redirectUris:
- {{- if $client.redirectUris }}
{{- range $index2, $url := $client.redirectUris }}
- {{ tpl $url $dot }}
{{- end }}
- {{- else }}
- - "*"
- {{- end }}
- {{- if $client.webOrigins }}
+ {{- else }}
+ redirectUris: []
+ {{- end }}
+ {{- if $client.webOrigins }}
webOrigins:
{{- range $index3, $web := $client.webOrigins }}
- - {{ $web }}
+ - {{ $web | quote }}
{{- end }}
- {{- else }}
+ {{- else }}
webOrigins: []
- {{- end }}
+ {{- end }}
notBefore: 0
- bearerOnly: false
- consentRequired: false
- standardFlowEnabled: true
- implicitFlowEnabled: false
- directAccessGrantsEnabled: true
- serviceAccountsEnabled: false
- publicClient: false
- frontchannelLogout: true
- protocol: "{{ $client.protocol }}"
+ bearerOnly: {{ default false $client.bearerOnly }}
+ consentRequired: {{ default false $client.consentRequired }}
+ standardFlowEnabled: {{ default true $client.standardFlowEnabled }}
+ implicitFlowEnabled: {{ default false $client.implicitFlowEnabled }}
+ directAccessGrantsEnabled: {{ default true $client.directAccessGrantsEnabled }}
+ serviceAccountsEnabled: {{ default false $client.serviceAccountsEnabled }}
+ publicClient: {{ default false $client.publicClient }}
+ frontchannelLogout: {{ default false $client.frontchannelLogout }}
+ protocol: "{{ default "openid-connect" $client.protocol }}"
+ {{- if $client.attributes }}
attributes:
- id.token.as.detached.signature: "false"
- saml.assertion.signature: "false"
- saml.force.post.binding: "false"
- saml.multivalued.roles: "false"
- saml.encrypt: "false"
- saml.server.signature: "false"
- saml.server.signature.keyinfo.ext: "false"
- exclude.session.state.from.auth.response: "false"
- saml.artifact.binding: "false"
- saml_force_name_id_format: "false"
- saml.client.signature: "false"
- saml.authnstatement: "false"
- saml.onetimeuse.condition: "false"
- tls-client-certificate-bound-access-tokens: "false"
- oidc.ciba.grant.enabled: "false"
- backchannel.logout.session.required: "true"
- client_credentials.use_refresh_token: "false"
- acr.loa.map: "{}"
- require.pushed.authorization.requests: "false"
- oauth2.device.authorization.grant.enabled: "false"
- display.on.consent.screen: "false"
- backchannel.logout.revoke.offline.tokens: "false"
- token.response.type.bearer.lower-case: "false"
- use.refresh.tokens: "true"
- {{- if $client.additionalAttributes }}
- {{- range $key,$value := $client.additionalAttributes }}
+ {{- range $key,$value := $client.attributes }}
{{ $key }}: {{ tpl $value $dot }}
{{- end }}
- {{- end }}
+ {{- end }}
authenticationFlowBindingOverrides: {}
fullScopeAllowed: true
nodeReRegistrationTimeout: -1
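Review bot: The `default <bool> $client.<key>` lines added for `standardFlowEnabled`, `directAccessGrantsEnabled` and the other flags cannot be overridden to `false` when the default is `true`, because Sprig's `default` treats `false` as empty and substitutes the default — a values entry `directAccessGrantsEnabled: false` still renders `true`, so the password grant cannot be switched off per client as the README in this commit promises. A key-presence test keeps the documented contract, e.g. `standardFlowEnabled: {{ hasKey $client "standardFlowEnabled" | ternary $client.standardFlowEnabled true }}`, applied to every `default true` line here and to `emailVerified` in the users hunk further down. Separately, `frontchannelLogout` now defaults to `false` while the removed line and the README both say `true`; one of the two should change. The define enclosing this range starts and ends outside the hunk.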
@@ -235,21 +212,27 @@ clients:
{{- end }}
{{- end }}
defaultClientScopes:
+ {{- if $client.defaultClientScopes }}
+ {{- range $index2, $scope := $client.defaultClientScopes }}
+ - {{ $scope }}
+ {{- end }}
+ {{- else }}
- web-origins
- - acr
- profile
+ - acr
- email
- {{- if $client.additionalDefaultScopes }}
- {{- range $index2, $scope := $client.additionalDefaultScopes }}
- - {{ $scope }}
- {{- end }}
{{- end }}
optionalClientScopes:
+ {{- if $client.optionalClientScopes }}
+ {{- range $index2, $scope := $client.optionalClientScopes }}
+ - {{ $scope }}
+ {{- end }}
+ {{- else }}
- address
- phone
- offline_access
- - groups
- microprofile-jwt
+ {{- end }}
{{- end }}
{{- end }}
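Review bot: The README in this same commit still shows `additionalDefaultScopes: - "onap_roles"` on a client, but that key is no longer read anywhere after this hunk — it was replaced by the full `defaultClientScopes` override — so an existing values file that keeps the old key silently loses the `onap_roles` scope (and, if the README's description of that scope is accurate, the role claims the ingress AuthorizationPolicies rely on). Either keep honouring `additionalDefaultScopes` as an additive list next to the override, or fail loudly: `{{- if $client.additionalDefaultScopes }}{{ fail "additionalDefaultScopes was replaced by defaultClientScopes" }}{{- end }}`. The default `optionalClientScopes` list also drops `groups` without a matching README change. The define enclosing this range starts outside the hunk.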
@@ -716,7 +699,9 @@ users:
enabled: true
totp: false
email: "{{ default "" $user.email }}"
- emailVerified: true
+ emailVerified: "{{ default true $user.emailVerified }}"
+ firstName: "{{ default "" $user.firstName }}"
+ lastName: "{{ default "" $user.lastName }}"
{{- if $user.attributes }}
attributes:
{{ toYaml $user.attributes | nindent 6 }}
@@ -800,6 +785,19 @@ identityProviderMappers:
{{- end }}
{{/*
+Renders the smtpServer section in a realm.
+Usage:
+{{ include "auth._smtpServer" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._smtpServer" -}}
+{{- $dot := default . .dot -}}
+{{- if $dot.smtpServer }}
+smtpServer:
+ {{ toYaml $dot.smtpServer | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{/*
Renders the attributes section in a realm.
Usage:
{{ include "auth._attributes" ( dict "dot" . "realm" $realm ) }}
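Review bot: The usage comment on the new `auth._smtpServer` define says it is called with `(dict "dot" .Values)`, but the only call site this commit adds passes the realm directly (`{{ include "auth._smtpServer" $realm }}`) and the README places `smtpServer` under a realm, so the comment documents a shape the code does not use; the Usage line should read `{{ include "auth._smtpServer" $realm }}`. `toYaml` also copies every key, `password` included, verbatim into the rendered realm file, which is acceptable only while that file keeps landing in the config Secret referenced by `existingConfigSecret` rather than a ConfigMap — a sentence to that effect in the define's comment would stop a later refactor from moving it.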
@@ -808,6 +806,6 @@ Usage:
{{- $dot := default . .dot -}}
{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
attributes:
- frontentUrl: {{ tpl $realm.attributes.frontendUrl $dot }}
+ frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }}
acr.loa.map: "{\"ABC\":\"5\"}"
{{- end }}
diff --git a/kubernetes/authentication/templates/authorizationpolicy.yaml b/kubernetes/authentication/templates/authorizationpolicy.yaml
index f4857bdbac..abd40725da 100644
--- a/kubernetes/authentication/templates/authorizationpolicy.yaml
+++ b/kubernetes/authentication/templates/authorizationpolicy.yaml
@@ -87,4 +87,4 @@ spec:
selector:
matchLabels:
istio: ingress
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/authentication/templates/requestauthentication.yaml b/kubernetes/authentication/templates/requestauthentication.yaml
index 036680d7cb..92bea9f48e 100644
--- a/kubernetes/authentication/templates/requestauthentication.yaml
+++ b/kubernetes/authentication/templates/requestauthentication.yaml
@@ -33,4 +33,4 @@ spec:
- issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}realms/master"
jwksUri: {{ .Values.keycloak.intURL }}realms/master/protocol/openid-connect/certs
forwardOriginalToken: true
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml
index 94e9f7031c..ba99879e87 100644
--- a/kubernetes/authentication/values.yaml
+++ b/kubernetes/authentication/values.yaml
@@ -49,8 +49,60 @@ onap-keycloak-config-cli:
secrets:
KEYCLOAK_PASSWORD: secret
existingConfigSecret: "keycloak-config-cli-config-realms"
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ readOnlyRootFilesystem: true
+ resources:
+ limits:
+ cpu: "1"
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 10Mi
onap-oauth2-proxy:
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 500Mi
+ requests:
+ cpu: 500m
+ memory: 500Mi
+
+ initContainers:
+ waitForRedis:
+ #image:
+ # repository: "dockerhub.devops.telekom.de/alpine"
+ # tag: "3.20"
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: 100m
+ memory: 300Mi
+ requests:
+ cpu: 100m
+ memory: 300Mi
+
# Oauth client configuration specifics
config:
# Create a new secret with the following command
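Review bot: The `onap-oauth2-proxy.securityContext` and `initContainers.waitForRedis.securityContext` blocks only drop capabilities, whereas the `onap-keycloak-config-cli` block just above also sets `runAsNonRoot`, `seccompProfile`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, so the hardening is uneven within one file; if the oauth2-proxy subchart accepts those fields at the same key they should be added for parity, and whether that key is rendered at pod or container level (where `capabilities` is only valid in the latter) is not visible on this page. In every drop list `CAP_NET_RAW` after `ALL` is redundant, and the Kubernetes API spells capability names without the `CAP_` prefix, so the second entry can simply go — the same list recurs in the redis hunk below. The commented-out `dockerhub.devops.telekom.de/alpine` image override is an operator-specific leftover that belongs in an override file, not the chart defaults.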
@@ -99,8 +151,19 @@ onap-oauth2-proxy:
redis:
# provision an instance of the redis sub-chart
enabled: true
+ master:
+ containerSecurityContext:
+ capabilities:
+ drop: ["ALL", "CAP_NET_RAW"]
+ replica:
+ containerSecurityContext:
+ capabilities:
+ drop: ["ALL", "CAP_NET_RAW"]
sentinel:
enabled: true
+ containerSecurityContext:
+ capabilities:
+ drop: ["ALL", "CAP_NET_RAW"]
serviceAccount:
nameOverride: keycloak-init
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml
index ca839f09cc..ee6dabc015 100755
--- a/kubernetes/policy/Chart.yaml
+++ b/kubernetes/policy/Chart.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright © 2018, 2020 AT&T
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021-2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP Policy
name: policy
-version: 14.0.1
+version: 14.0.4
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml
index c8a2862326..4ec4725860 100755
--- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml
@@ -2,7 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@
apiVersion: v2
description: ONAP Policy APEX PDP
name: policy-apex-pdp
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
index de3e6d1004..3b25dc55a3 100755
--- a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
@@ -3,7 +3,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright © 2022 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command: ["/bin/sh", "-cx"]
args:
@@ -62,8 +63,10 @@ spec:
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-update-config
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: [ "/bin/sh", "-cx" ]
@@ -104,7 +107,8 @@ spec:
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: policy-logs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: apexconfig-input
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -112,4 +116,5 @@ spec:
- name: apexconfig
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
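Review bot: `sizeLimit: 64Mi` for the memory-backed `apexconfig` volume is hard-coded while the `policy-logs` volume two hunks up reads its limit from `.Values.dirSizes.logDir.sizeLimit`; for consistency take it from values as well, e.g. `sizeLimit: {{ .Values.dirSizes.configDir.sizeLimit }}` with a matching entry under `dirSizes` in values.yaml (the `configDir` name is a suggestion, not a key the chart defines yet). A short comment noting that a `medium: Memory` emptyDir counts against the container's memory limit would help a reader size it against the `resources` block.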
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml
index 4259381afe..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml
@@ -14,4 +14,3 @@
# limitations under the License.
*/}}
{{ include "common.kafkauser" . }}
-
diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml
index 6070bb05af..0c83a55651 100755
--- a/kubernetes/policy/components/policy-apex-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml
@@ -2,7 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright © 2022 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -114,12 +114,20 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
#Pods Service Account
serviceAccount:
nameOverride: policy-apex-pdp
roles:
- read
+dirSizes:
+ logDir:
+ sizeLimit: 500Mi
+
metrics:
serviceMonitor:
# Override the labels based on the Prometheus config parameter: serviceMonitorSelector.
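Review bot: The new `securityContext.user_id: 100` / `group_id: 102` block has no comment tying it to the `common.podSecurityContext` include that deployment.yaml gains in this commit, nor to the requirement that the UID/GID match the user the policy-apex-pdp image runs as, so a reader cannot tell why these specific numbers are safe to change; a one-line comment such as `# UID/GID applied by common.podSecurityContext; must match the image's runtime user` would document the coupling. Whether `common.podSecurityContext` reads exactly these two keys is not visible on this page and is worth confirming before the comment claims it.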
diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml
index 32c22cbe6c..ef0b5eae94 100755
--- a/kubernetes/policy/components/policy-api/Chart.yaml
+++ b/kubernetes/policy/components/policy-api/Chart.yaml
@@ -2,7 +2,7 @@
# Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Design API
name: policy-api
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml
index 9ab25fe2ac..6bb96fc1e5 100755
--- a/kubernetes/policy/components/policy-api/templates/configmap.yaml
+++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml
@@ -37,4 +37,4 @@ binaryData:
{{- end }}
{{- end }}
data:
-{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} \ No newline at end of file
+{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }}
diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml
index 8de035e5d1..2f135fac5e 100755
--- a/kubernetes/policy/components/policy-api/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml
@@ -7,6 +7,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
@@ -25,6 +26,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
name: {{ include "common.name" . }}-readiness
resources:
limits:
@@ -54,9 +56,11 @@ spec:
name: apiconfig-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/api/bin/policy-api.sh"]
@@ -85,6 +89,14 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeout }}
volumeMounts:
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/api/etc/logback.xml
+ subPath: logback.xml
+ name: apiconfig-processed
- mountPath: /opt/app/policy/api/etc/mounted
name: apiconfig-processed
resources: {{ include "common.resources" . | nindent 12 }}
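Review bot: The three new mounts give the container writable `/var/log/onap`, `/tmp` and a per-file `logback.xml`, but nothing in the template records why they became necessary; the likely reason is that the `common.containerSecurityContext` include on the new side restricts the root filesystem, yet that template is outside this diff, so a maintainer pruning mounts later has no way to know one of them is load-bearing. A one-line comment above `- name: logs`, e.g. `# writable scratch and log paths required once the container runs under common.containerSecurityContext`, would capture the intent. The same uncommented mount block is added in the a1pms, http, k8s and kserve deployments (hunks ending at L1824, L2001, L2175 and L2313).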
@@ -105,4 +117,11 @@ spec:
- name: apiconfig-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
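Review bot: `sizeLimit: 64Mi` on the memory-backed `apiconfig-processed` volume is hard-coded while the two emptyDirs added right below take their limits from `.Values.dirSizes`; either parameterize it the same way or document why 64Mi is fixed. Because this volume has `medium: Memory`, anything written to it is tmpfs and is counted against the container's memory limit, which deserves a note, e.g. `sizeLimit: 64Mi  # tmpfs: counts against the container memory limit`. The new `{{ .Values.dirSizes.emptyDir.sizeLimit }}` and `{{ .Values.dirSizes.logDir.sizeLimit }}` references have no `default`, so an override that replaces the `dirSizes` map wholesale makes `helm template` fail instead of falling back; `{{ .Values.dirSizes.logDir.sizeLimit | default "500Mi" }}` (and likewise for `emptyDir`) keeps the chart renderable. The identical block appears in the a1pms, http, k8s and kserve deployments (hunks ending at L1838, L2015, L2189 and L2327).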
diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml
index 70c06ccbf9..9193366422 100755
--- a/kubernetes/policy/components/policy-api/values.yaml
+++ b/kubernetes/policy/components/policy-api/values.yaml
@@ -1,7 +1,7 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright (C) 2022 Bell Canada. All rights reserved.
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -77,7 +77,7 @@ affinity: {}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 120
periodSeconds: 10
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
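Review bot: `initialDelaySeconds` doubles from 60 to 120 with no comment on what got slower; if the new security context or the extra mounts lengthened start-up, say so above the key, e.g. `# start-up exceeds 60 s under the restricted security context (TODO record the measured value)`, otherwise the next person tuning probes will halve it again. The readiness `timeout` change in the next hunk (L1723) is the larger concern: that value feeds `timeoutSeconds` in the deployment template (L1672), so a hung `/policy/api/v1/healthcheck` now takes up to 120 s per attempt times `failureThreshold: 3` before the pod is pulled from the Service — well over six minutes of traffic routed to an unresponsive instance. A longer initial delay is the usual tool for slow start-up; the per-probe timeout should stay short unless the endpoint itself is known to be slow, in which case that too belongs in a comment.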
@@ -89,7 +89,7 @@ readiness:
api: /policy/api/v1/healthcheck
successThreshold: 1
failureThreshold: 3
- timeout: 60
+ timeout: 120
service:
type: ClusterIP
@@ -125,6 +125,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-api
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml
index e35dd3d6f0..a9d27d60a8 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2022-2024 Nordix Foundation. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp A1PMS Participant
name: policy-clamp-ac-a1pms-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
index 31aa1b746a..5bfa825e18 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
@@ -81,5 +81,3 @@ server:
context-path: /onap/policy/clamp/acm/a1pmsparticipant
ssl:
enabled: false
-
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
index d34da146a5..b9eb83b3c5 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2022-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -50,9 +52,11 @@ spec:
name: ac-a1pms-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"]
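Review bot: The `common.containerSecurityContext` include on the update-config init container uses `indent 8` (L1804) while the same include on the main container uses `indent 10` (L1808) and policy-api's equivalent init container uses `indent 10` (L1662). With `| indent N | trim` the first rendered line takes the column of the `{{ include` line itself, but every following line lands at exactly N spaces, so N must match the column of the neighbouring keys (the `name:` on the next line) or the nested fields of the rendered `securityContext` block end up at the wrong depth. This diff has lost leading whitespace, so the split may be correct for this file's layout; confirm with `helm template` that both containers render a well-formed `securityContext:` and, if the init containers really sit two columns shallower, a short comment on the include line would save the next reader the same check. The same `indent 8` / `indent 10` split appears in the http, k8s and kserve deployments (hunks ending at L1988, L2162 and L2300).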
@@ -75,6 +79,14 @@ spec:
volumeMounts:
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-a1pms-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-a1pms-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -93,4 +105,11 @@ spec:
- name: ac-a1pms-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
index 19f522a71e..66aadf12c7 100644
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
index 6bde39dd51..a23e732c8b 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2022-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -115,6 +116,17 @@ resources:
cpu: "1"
memory: "2Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml
index faa7014a79..979aa4f598 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2022, 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop Http Participant
name: policy-clamp-ac-http-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -31,4 +32,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml
index a04c37fe3d..d447360dd9 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml
@@ -80,4 +80,3 @@ server:
context-path: /onap/httpparticipant
ssl:
enabled: false
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml
index e502c1a091..dd7db7acee 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -50,9 +52,11 @@ spec:
name: ac-http-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/http-participant.sh"]
@@ -75,6 +79,14 @@ spec:
volumeMounts:
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-http-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-http-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -93,4 +105,11 @@ spec:
- name: ac-http-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml
index e676ff13d7..be2449f890 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml
index 3ef8d92191..8593a3d316 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -106,6 +107,17 @@ resources:
cpu: "1"
memory: "2Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
index aa6d08a3de..5a1cb6e80b 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2021 Nordix Foundation. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021-2022, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop K8s Participant
name: policy-clamp-ac-k8s-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
index 8a6cf830ca..efd5a6cd53 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
@@ -33,4 +33,4 @@ data:
{{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }}
{{ toYaml .Values.repoList | indent 4 }}
{{- end }}
-{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} \ No newline at end of file
+{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
index cfc2fc7fac..a97ab22577 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -50,9 +52,11 @@ spec:
name: ac-k8s-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"]
@@ -75,6 +79,14 @@ spec:
volumeMounts:
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-k8s-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-k8s-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -93,4 +105,11 @@ spec:
- name: ac-k8s-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
index 2439223192..02a6292df7 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
@@ -36,4 +36,3 @@ subjects:
- kind: ServiceAccount
name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
namespace: {{ include "common.namespace" . }}
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
index d34d0e011a..5e43b94965 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -108,6 +109,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -145,4 +156,3 @@ kafkaUser:
- name: *acRuntimeTopic
type: topic
operations: [Read, Write]
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml
index 44c80ff879..863d07952f 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2023-2024 Nordix Foundation. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp Kserve Participant
name: policy-clamp-ac-kserve-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml
index 89cf9494a3..6613235050 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml
@@ -96,5 +96,3 @@ server:
context-path: /onap/policy/clamp/acm/kserveparticipant
ssl:
enabled: false
-
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml
index 8574979cbc..3d1f4f8ca3 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -50,9 +52,11 @@ spec:
name: ac-kserve-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"]
@@ -75,6 +79,14 @@ spec:
volumeMounts:
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-kserve-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-kserve-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -93,4 +105,11 @@ spec:
- name: ac-kserve-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
index b7e7364eab..6fc37c3d01 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
@@ -1,16 +1,16 @@
-{{/*
-# Copyright © 2023 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{ include "common.kafkauser" . }}
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
index ac5ee0b72f..073ffe9618 100644
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
@@ -1,38 +1,38 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2023 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
- namespace: {{ include "common.namespace" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
+ namespace: {{ include "common.namespace" . }}
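Review bot: The file this hunk re-emits binds the `create` ServiceAccount to the built-in `cluster-admin` ClusterRole (`name: cluster-admin`), which grants a single participant component unrestricted, cluster-wide privilege; the hunk itself appears to change only line endings, since the removed and added text are identical, so the binding predates this commit, but a hardening change that adds security contexts to the same chart is the natural place to replace it with a namespaced Role and RoleBinding scoped to the verbs the create job actually needs. The file is also named service.yaml while holding an RBAC object, which hides the grant from anyone looking for role bindings; renaming it to clusterrolebinding.yaml would at least make it visible.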
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml
index 63ab8adece..6f9868bc0d 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -106,6 +107,17 @@ resources:
cpu: "1"
memory: "1.4Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
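Review bot: The new `securityContext` block introduces `user_id: 100` and `group_id: 102` with no comment on what consumes them or what they must agree with; they are presumably read by the `common.podSecurityContext` helper the deployment now includes, and the uid has to match the account the image was built to run as and the ownership of any files the process writes outside the new emptyDirs. A short comment above the block, such as `# uid/gid the pod runs as (consumed by common.podSecurityContext); must match the image's user`, would make a later image change safer. The same uncommented block is added in the pf-ppnt, runtime-acm, policy-distribution and policy-drools-pdp values hunks.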
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
index f860393f43..4460c18fcd 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2022, 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop Policy Participant
name: policy-clamp-ac-pf-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
index 1cd4ba318c..729a455d07 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
@@ -98,4 +98,3 @@ server:
context-path: /onap/policyparticipant
ssl:
enabled: false
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
index 9026309fa1..c29dca9c7d 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -58,9 +60,11 @@ spec:
name: ac-pf-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/policy-participant.sh"]
@@ -83,6 +87,14 @@ spec:
volumeMounts:
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-pf-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-pf-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -101,4 +113,11 @@ spec:
- name: ac-pf-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
index e676ff13d7..be2449f890 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
index 2112f2510a..97bebd00d2 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -127,6 +128,17 @@ resources:
cpu: "1"
memory: "2Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml
index bdd6c99c53..0dd1f34fcf 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021-2022 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop Runtime
name: policy-clamp-runtime-acm
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -33,4 +34,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
-
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
index b0ea909e55..462f2e517b 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
@@ -41,6 +43,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-galera-config-readiness
resources:
limits:
@@ -75,9 +78,11 @@ spec:
name: ac-runtime-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"]
@@ -98,6 +103,14 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-runtime-config-processed
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-runtime-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
@@ -111,6 +124,12 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: ac-runtime-config
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -118,4 +137,5 @@ spec:
- name: ac-runtime-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml
index b2389b963b..b030f940de 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -96,7 +97,7 @@ affinity: {}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 120
periodSeconds: 10
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
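Review bot: Doubling `initialDelaySeconds` to 120 for the liveness probe pushes liveness coverage out by a further minute on every restart rather than addressing the slow start it compensates for; the idiomatic fix is a `startupProbe` with a `failureThreshold * periodSeconds` budget, which holds liveness off only until the application first responds and keeps the 10s period afterwards. If the chart's common probe helper does not support a startup probe, a comment on the new value saying which startup phase needs the two minutes would help the next person who wants to lower it again.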
@@ -141,6 +142,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -153,4 +164,4 @@ wait_for_job_container:
customNaming:
toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement
- toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition \ No newline at end of file
+ toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition
diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml
index 3de47d06e9..b2d1cde724 100755
--- a/kubernetes/policy/components/policy-distribution/Chart.yaml
+++ b/kubernetes/policy/components/policy-distribution/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Distribution
name: policy-distribution
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml
index 62a3bfc98e..fe08271288 100755
--- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -57,9 +59,11 @@ spec:
name: distributionconfig
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
@@ -86,6 +90,14 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/distribution/etc/logback.xml
+ subPath: logback.xml
+ name: distributionconfig
- mountPath: /opt/app/policy/distribution/etc/mounted
name: distributionconfig
resources: {{ include "common.resources" . | nindent 12 }}
@@ -106,4 +118,11 @@ spec:
- name: distributionconfig
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml
index 042cbd29eb..f93dffe1ee 100755
--- a/kubernetes/policy/components/policy-distribution/values.yaml
+++ b/kubernetes/policy/components/policy-distribution/values.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright (C) 2023 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -141,6 +142,16 @@ resources:
memory: "1Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-distribution
diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml
index 63c4984ac9..710a04f111 100755
--- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright © 2018, 2020 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP Drools Policy Engine (PDP-D)
name: policy-drools-pdp
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml
index c7322b1f94..3f45b2f6e0 100755
--- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml
@@ -16,4 +16,3 @@
*/}}
{{ include "common.service" . }}
-
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml
index ba0e2d1a41..3f25d964e4 100755
--- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,6 +26,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
@@ -39,6 +41,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-db-readiness
resources:
limits:
@@ -69,6 +72,7 @@ spec:
value: {{ .Values.config.app.listener.policyPdpPapTopic }}
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-readiness
resources:
limits:
@@ -80,6 +84,7 @@ spec:
{{- end }}
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["sh","-c"]
@@ -107,6 +112,14 @@ spec:
- name: SQL_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
volumeMounts:
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/etc/profile.d/base.conf
+ subPath: base.conf
+ name: drools-config
{{- range $path, $bytes := .Files.Glob "resources/secrets/*" }}
- mountPath: /tmp/policy-install/config/{{ base $path }}
name: drools-secret
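Review bot: The new `empty-dir` mount over `/tmp` (with `subPath: tmp-dir`) sits above the existing secret mount at `/tmp/policy-install/config/...` shown in the context lines, so it hides whatever the image ships under `/tmp` apart from that nested mount; if the drools installer keeps scripts or templates under `/tmp/policy-install` in the image, they will no longer be visible at startup. I would check the image layout before merging, or point the scratch mount at a path the installer does not use. Nested mounts themselves work in practice because the runtime orders them by path, but that deserves a comment such as `# /tmp/policy-install/config below is a nested mount and stays visible`.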
@@ -128,6 +141,12 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: drools-config
configMap:
name: {{ include "common.fullname" . }}-configmap
diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml
index e35c08a15c..b1a26fb669 100755
--- a/kubernetes/policy/components/policy-drools-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml
@@ -1,6 +1,7 @@
# Copyright © 2017 Amdocs
# Copyright © 2017, 2021 Bell Canada
# Modifications Copyright © 2018-2022 AT&T Intellectual Property
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -171,6 +172,16 @@ resources:
memory: "1.6Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-drools-pdp
diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml
index 8d04647a75..ae8eebe50b 100755
--- a/kubernetes/policy/components/policy-nexus/Chart.yaml
+++ b/kubernetes/policy/components/policy-nexus/Chart.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright © 2018-2020 AT&T
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP Policy Nexus
name: policy-nexus
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml
index 3d03338836..fe183cfa24 100755
--- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,16 +25,19 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command: ["sh", "-c", "chown -R 200:200 /share"]
image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-init
volumeMounts:
- mountPath: /share
name: nexus-data
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports: {{ include "common.containerPorts" . | nindent 12 }}
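Review bot: The init container whose command is `chown -R 200:200 /share` now also receives `common.containerSecurityContext`, while the values.yaml hunk of this same chart introduces `user_id: 100` / `group_id: 102`; if the helper renders runAsUser/runAsGroup from those keys and drops capabilities, an unprivileged uid 100 cannot chown files to 200:200 and the init container will fail, and even if it succeeds the main container running as 100 would not own the data it just chowned to 200. Either the chown target should follow the configured ids, `- command: ["sh", "-c", "chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /share"]`, or the values should match the ownership the Nexus image expects. I cannot see what the helper emits from this page, so please verify its output for init containers before merging.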
diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml
index 6aee4ca230..8d13879023 100755
--- a/kubernetes/policy/components/policy-nexus/templates/service.yaml
+++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml
@@ -15,4 +15,4 @@
# limitations under the License.
*/}}
-{{ include "common.service" . }} \ No newline at end of file
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml
index f10d55dcee..b82785f2b8 100755
--- a/kubernetes/policy/components/policy-nexus/values.yaml
+++ b/kubernetes/policy/components/policy-nexus/values.yaml
@@ -1,5 +1,6 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -97,6 +98,10 @@ resources:
memory: "1Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
#Pods Service Account
serviceAccount:
nameOverride: policy-nexus
diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml
index 0634118a4f..1fd621beb0 100755
--- a/kubernetes/policy/components/policy-pap/Chart.yaml
+++ b/kubernetes/policy/components/policy-pap/Chart.yaml
@@ -3,6 +3,7 @@
# Modified Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,7 @@
apiVersion: v2
description: ONAP Policy Administration (PAP)
name: policy-pap
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml
index 9ca8b84a47..8f00eb049f 100755
--- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml
@@ -2,6 +2,7 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright (C) 2022 Bell Canada. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -28,6 +29,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
@@ -45,6 +47,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-db-readiness
resources:
limits:
@@ -87,9 +90,11 @@ spec:
name: papconfig-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -121,8 +126,16 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeout }}
volumeMounts:
- - mountPath: /opt/app/policy/pap/etc/mounted
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/pap/etc/logback.xml
+ subPath: logback.xml
name: papconfig-processed
+ - name: papconfig-processed
+ mountPath: /opt/app/policy/pap/etc/mounted
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -134,6 +147,12 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: papconfig
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -141,4 +160,5 @@ spec:
- name: papconfig-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
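Review bot: `sizeLimit: 64Mi` on the `medium: Memory` emptyDir is hardcoded while the two emptyDirs added a few lines above take their limits from `.Values.dirSizes`; a RAM-backed emptyDir is charged against the container's memory limit, so this number deserves to be tunable alongside the others. A values-driven form such as `sizeLimit: {{ .Values.dirSizes.configDir.sizeLimit }}` (new key, name illustrative) with a comment in values.yaml noting that it is memory-backed would keep the three limits in one place. The same hardcoded 64Mi appears in the policy-xacml-pdp deployment and on the four `db-conf` volumes in policy/templates/job.yaml.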
diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml
index 5f6fb21265..d7384a5e65 100755
--- a/kubernetes/policy/components/policy-pap/values.yaml
+++ b/kubernetes/policy/components/policy-pap/values.yaml
@@ -3,6 +3,7 @@
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved.
# Modifications Copyright © 2022 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -159,6 +160,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-pap
@@ -224,4 +235,3 @@ kafkaUser:
type: topic
patternType: prefix
operations: [Create, Describe, Read, Write]
-
diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml
index a46d6128e8..8bb17a53de 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy XACML PDP (PDP-X)
name: policy-xacml-pdp
-version: 14.0.0
+version: 14.0.2
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
index cda1aa4bae..ce11fe71e5 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
@@ -41,6 +43,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-readiness
resources:
limits:
@@ -87,9 +90,11 @@ spec:
name: pdpxconfig-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
@@ -110,6 +115,44 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
+ - name: policy-guard
+ mountPath: /opt/app/policy/pdpx/apps/guard
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/guard/xacml.properties
+ subPath: xacml.properties
+ - name: policy-match
+ mountPath: /opt/app/policy/pdpx/apps/match
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/match/xacml.properties
+ subPath: xacml.properties
+ - name: policy-monitoring
+ mountPath: /opt/app/policy/pdpx/apps/monitoring
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/monitoring/xacml.properties
+ subPath: xacml.properties
+ - name: policy-naming
+ mountPath: /opt/app/policy/pdpx/apps/naming
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/naming/xacml.properties
+ subPath: xacml.properties
+ - name: policy-native
+ mountPath: /opt/app/policy/pdpx/apps/native
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/native/xacml.properties
+ subPath: xacml.properties
+ - name: policy-optimization
+ mountPath: /opt/app/policy/pdpx/apps/optimization
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/optimization/xacml.properties
+ subPath: xacml.properties
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/pdpx/etc/logback.xml
+ subPath: logback.xml
+ name: pdpxconfig-processed
- mountPath: /opt/app/policy/pdpx/etc/mounted
name: pdpxconfig-processed
resources: {{ include "common.resources" . | nindent 12 }}
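Review bot: Each of the six `policy-*` emptyDirs is mounted over an `apps/<name>` directory of the image and the same `pdpxconfig-processed` subPath `xacml.properties` is then laid into it; an emptyDir mounted on a directory hides whatever the image ships there, so if the PDP-X image carries more than `xacml.properties` under those paths (I cannot tell from this page) those files vanish at runtime. It also means all six applications receive byte-identical properties, which may well be intended but should be stated, e.g. `# apps/* are emptyDirs so the PDP can write under them; all six get the same rendered xacml.properties`. The enclosing container definition starts before this hunk.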
@@ -123,6 +166,30 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: policy-guard
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-match
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-monitoring
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-naming
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-native
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-optimization
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: pdpxconfig
configMap:
name: {{ include "common.fullname" . }}-configmap
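Review bot: The six `policy-*` volume entries differ only in their name and could be generated from one list, which keeps the volume names and the matching mount list in the previous hunk from drifting apart when an application is added or removed. Inside a `range` the root context must be reached through `$`, hence `$.Values` below. The same list could drive the `volumeMounts` entries as well.

```yaml
      volumes:
{{- range $app := list "guard" "match" "monitoring" "naming" "native" "optimization" }}
        - name: policy-{{ $app }}
          emptyDir:
            sizeLimit: {{ $.Values.dirSizes.policyDir.sizeLimit }}
{{- end }}
        # … unchanged: empty-dir, logs and pdpxconfig volumes …
```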
@@ -130,4 +197,5 @@ spec:
- name: pdpxconfig-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml
index 3e76c2ba36..6dabd951b9 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml
@@ -18,4 +18,4 @@
# ============LICENSE_END=========================================================
*/}}
-{{ include "common.service" . }} \ No newline at end of file
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml
index ae216a27a0..18ddfdfeba 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -147,6 +148,18 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+ policyDir:
+ sizeLimit: 100Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -194,5 +207,3 @@ kafkaUser:
type: topic
patternType: prefix
operations: [ Create, Describe, Read, Write ]
-
-
diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml
index 3880d2383c..2c0ee783d5 100755
--- a/kubernetes/policy/templates/job.yaml
+++ b/kubernetes/policy/templates/job.yaml
@@ -2,6 +2,7 @@
# Copyright © 2018 Amdocs, Bell Canada
# Modifications Copyright © 2020 AT&T Intellectual Property
# Modifications Copyright (C) 2022 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -33,6 +34,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}-galera-init
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
{{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }}
@@ -40,6 +42,7 @@ spec:
- name: {{ include "common.name" . }}-galera-config
image: {{ include "repositoryGenerator.image.mariadb" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
volumeMounts:
- mountPath: /dbcmd-config/db.sh
name: {{ include "common.fullname" . }}-config
@@ -48,7 +51,7 @@ spec:
- /bin/sh
- -cx
- |
- {{- if include "common.onServiceMesh" . }}
+ {{- if include "common.requireSidecarKiller" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
/dbcmd-config/db.sh
env:
@@ -61,7 +64,7 @@ spec:
- name: MYSQL_PORT
value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}"
resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
+ {{- if (include "common.requireSidecarKiller" .) }}
- name: policy-service-mesh-wait-for-job-container
image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
@@ -77,6 +80,14 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
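Review bot: The `resources` block added to `policy-service-mesh-wait-for-job-container` is hardcoded (100m/500Mi limits, 10m/10Mi requests) and the identical eight lines are repeated in the three later sidecar-killer hunks of this file, whereas every other container here takes its resources from values through `common.resources`. Moving the numbers into values.yaml, e.g. `resources: {{ toYaml .Values.sidecarKiller.resources | nindent 10 }}` (new key, name illustrative), would let operators tune them and guarantee the four copies stay identical. The container definition this belongs to begins in the preceding hunk.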
@@ -108,6 +119,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}-pg-init
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
{{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }}
@@ -115,6 +127,7 @@ spec:
- name: {{ include "common.name" . }}-pg-config
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
volumeMounts:
- mountPath: /docker-entrypoint-initdb.d/db-pg.sh
name: {{ include "common.fullname" . }}-config
@@ -123,7 +136,7 @@ spec:
- /bin/sh
- -cx
- |
- {{- if include "common.onServiceMesh" . }}
+ {{- if include "common.requireSidecarKiller" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
/docker-entrypoint-initdb.d/db-pg.sh
env:
@@ -138,7 +151,7 @@ spec:
- name: PG_PORT
value: "{{ .Values.postgres.service.internalPort }}"
resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
+ {{- if (include "common.requireSidecarKiller" .) }}
- name: policy-service-mesh-wait-for-job-container
image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
@@ -154,6 +167,14 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
@@ -185,9 +206,11 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}-galera-config
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
- name: {{ include "common.name" . }}-init-readiness
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
@@ -210,17 +233,20 @@ spec:
memory: "20Mi"
containers:
- name: {{ include "common.name" . }}-galera-db-migrator
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
- mountPath: /dbcmd-config/db_migrator_policy_init.sh
name: {{ include "common.fullname" . }}-config
subPath: db_migrator_policy_init.sh
+ - mountPath: /opt/app/policy/etc/db
+ name: db-conf
command:
- /bin/sh
- -cx
- |
- {{- if include "common.onServiceMesh" . }}
+ {{- if include "common.requireSidecarKiller" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
/dbcmd-config/db_migrator_policy_init.sh
env:
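Review bot: The new `db-conf` volume mounted at `/opt/app/policy/etc/db` is undocumented and, being a directory mount, hides anything the db-migrator image ships under that path; presumably it exists so the migrator can write there once the container security context makes the root filesystem read-only, but that intent is not stated anywhere. A comment on the mount such as `# writable scratch dir for the migrator (memory-backed); masks the image's etc/db contents` would spare the next reader the guess. The same mount and volume are added for the pg-db-migrator further down in this file.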
@@ -237,7 +263,7 @@ spec:
- name: SCRIPT_DIRECTORY
value: "sql"
resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
+ {{- if (include "common.requireSidecarKiller" .) }}
- name: policy-service-mesh-wait-for-job-container
image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
@@ -253,6 +279,14 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
@@ -264,6 +298,10 @@ spec:
items:
- key: db_migrator_policy_init.sh
path: db_migrator_policy_init.sh
+ - name: db-conf
+ emptyDir:
+ medium: Memory
+ sizeLimit: 64Mi
{{ end }}
{{ if .Values.global.postgres.localCluster }}
---
@@ -283,9 +321,11 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}-pg-config
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
- name: {{ include "common.name" . }}-init-readiness
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
@@ -308,17 +348,20 @@ spec:
memory: "20Mi"
containers:
- name: {{ include "common.name" . }}-pg-db-migrator
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
- mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh
name: {{ include "common.fullname" . }}-config
subPath: db_migrator_pg_policy_init.sh
+ - mountPath: /opt/app/policy/etc/db
+ name: db-conf
command:
- /bin/sh
- -cx
- |
- {{- if include "common.onServiceMesh" . }}
+ {{- if include "common.requireSidecarKiller" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
/dbcmd-config/db_migrator_pg_policy_init.sh
env:
@@ -337,7 +380,7 @@ spec:
- name: PGPASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
+ {{- if (include "common.requireSidecarKiller" .) }}
- name: policy-service-mesh-wait-for-job-container
image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
@@ -353,6 +396,14 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
@@ -364,4 +415,8 @@ spec:
items:
- key: db_migrator_pg_policy_init.sh
path: db_migrator_pg_policy_init.sh
+ - name: db-conf
+ emptyDir:
+ medium: Memory
+ sizeLimit: 64Mi
{{ end }}
diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml
index ed399ed9c7..d004cbe116 100644
--- a/kubernetes/policy/templates/policy-kafka-user.yaml
+++ b/kubernetes/policy/templates/policy-kafka-user.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2022-2023 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -29,16 +30,20 @@ spec:
- resource:
type: group
name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }}
- operation: All
+ operations:
+ - All
- resource:
type: topic
name: {{ .Values.config.policyPdpPapTopic.name }}
- operation: All
+ operations:
+ - All
- resource:
type: topic
name: {{ .Values.config.policyHeartbeatTopic.name }}
- operation: All
+ operations:
+ - All
- resource:
type: topic
name: {{ .Values.config.policyNotificationTopic.name }}
- operation: All
+ operations:
+ - All
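Review bot: Replacing `operation: All` with the list form `operations:` changes the KafkaUser ACL schema, and as far as I recall only newer Strimzi operator releases accept `operations` in the KafkaUser CRD, so this is effectively a minimum-operator-version requirement that should be recorded in the chart README or a comment above the first rule, e.g. `# 'operations' (list) needs a Strimzi release whose KafkaUser CRD supports it; older operators only accept 'operation'`. The grant itself is unchanged: `All` on the consumer group and the three topics is exactly as broad as before, so nothing new is exposed, but an upgrade on an older operator would now fail validation.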
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index 68ce42d103..ccd8223284 100755
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -1,6 +1,7 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
# Modifications Copyright (C) 2021-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -296,6 +297,10 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 65533
+
#Pods Service Account
serviceAccount:
nameOverride: policy
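Review bot: The umbrella chart's new `securityContext` sets `group_id: 65533` while every component chart touched by this change (policy-nexus, policy-pap, policy-xacml-pdp) sets `group_id: 102`, and nothing explains the difference. If it is deliberate, a one-line comment next to the value, e.g. `# differs from the components' group_id 102 on purpose: <reason>`, would stop the next maintainer from "fixing" it; if it is not, the value should be aligned. I cannot tell from this page which images the umbrella jobs run, so I would not guess at the right gid.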
diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml
index 7c4a5b78ca..900a6c97e1 100644
--- a/kubernetes/uui/Chart.yaml
+++ b/kubernetes/uui/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: ONAP uui
name: uui
-version: 13.0.0
+version: 13.1.0
dependencies:
- name: common
@@ -39,3 +39,6 @@ dependencies:
- name: uui-intent-analysis
version: ~13.x-0
repository: 'file://components/uui-intent-analysis'
+ - name: uui-llm-adaptation
+ version: ~13.x-0
+ repository: 'file://components/uui-llm-adaptation'
diff --git a/kubernetes/uui/components/uui-llm-adaptation/.helmignore b/kubernetes/uui/components/uui-llm-adaptation/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml
new file mode 100644
index 0000000000..1c36c236ee
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml
@@ -0,0 +1,35 @@
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+description: ONAP uui llm adaptation
+name: uui-llm-adaptation
+version: 13.0.0
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: postgres
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
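Review bot: The header of this newly added Chart.yaml states `Copyright © 2022 Huawei Technologies` although the file is new in this change and the sibling SQL file in the same chart is attributed to CMCC 2024, so the header appears to have been copied from a neighbouring chart and should name the actual author and year. The same 2022 Huawei header is repeated in the new run.sh, configmap.yaml and deployment.yaml of this chart.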
diff --git a/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql b/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql
new file mode 100644
index 0000000000..5379c73864
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql
@@ -0,0 +1,23 @@
+--
+-- Copyright (C) 2024 CMCC, Inc. and others. All rights reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
+create table if not exists intent(
+ intent_id varchar(255) primary key,
+ intent_name varchar(255),
+ intent_generateType VARCHAR (225)
+); \ No newline at end of file
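Review bot: `intent_generateType VARCHAR (225)` looks like a typo for the 255 used on the two columns above, and the mixed `VARCHAR`/`varchar` casing together with the missing trailing newline (the diff flags `\ No newline at end of file`) suggest the file was not checked before committing. Suggest `intent_generateType varchar(255)` and a final newline. If 225 is intentional, a short comment on that column saying so would stop it being "corrected" later.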
diff --git a/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh
new file mode 100644
index 0000000000..f1dcefa168
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh
@@ -0,0 +1,31 @@
+{{/*
+#
+# Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+*/}}
+
+main_path="/home/uui"
+echo @main_path@ $main_path
+
+JAVA_PATH="$JAVA_HOME/bin/java"
+JAVA_OPTS="-Xms50m -Xmx128m"
+echo @JAVA_PATH@ $JAVA_PATH
+echo @JAVA_OPTS@ $JAVA_OPTS
+
+jar_path="$main_path/usecase-ui-llm-adaptation.jar"
+echo @jar_path@ $jar_path
+
+echo "Starting usecase-ui-llm-adaptation..."
+$JAVA_PATH $JAVA_OPTS -classpath $jar_path -jar $jar_path $SPRING_OPTS
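Review bot: On the final line `-classpath $jar_path` is ignored by the JVM once `-jar` is given (the JAR manifest becomes the only class-path source), and `$JAVA_PATH` and `$jar_path` are unquoted, so a `JAVA_HOME` containing whitespace would split the command. Suggest `"$JAVA_PATH" $JAVA_OPTS -jar "$jar_path" $SPRING_OPTS`, leaving `$JAVA_OPTS` and `$SPRING_OPTS` unquoted deliberately because they carry several words. The script has no shebang, which only works because deployment.yaml sources it via `. /uui/run.sh`; a top comment `# sourced by the container entrypoint (sh -c ". /uui/run.sh"); not directly executable` would make that dependency explicit.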
diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml
new file mode 100644
index 0000000000..3583c416de
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml
@@ -0,0 +1,31 @@
+{{/*
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-entrypoint
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }}
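Review bot: Both ConfigMaps build `metadata` by hand with only `name` and `namespace`, whereas the chart's own deployment.yaml uses `common.resourceMetadata`, so these objects lack the standard release/app labels the other ONAP charts carry and that label-based tooling selects on. Suggest `metadata: {{- include "common.resourceMetadata" . | nindent 2 }}` for the first map; for the `-entrypoint` map the suffix form `(dict "suffix" "entrypoint" "dot" .)` is the pattern the common chart uses for names, but I cannot confirm from this page that `common.resourceMetadata` accepts it, so verify before switching.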
diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml
new file mode 100644
index 0000000000..d2824d1bbb
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml
@@ -0,0 +1,74 @@
+{{/*
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
+ containers:
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.pullPolicy }}
+ command: ["sh", "-c"]
+ args:
+ - ". /uui/run.sh"
+ ports: {{ include "common.containerPorts" . | nindent 10 }}
+ env:
+ - name: POSTGRES_IP
+ value: {{ .Values.postgres.service.name2 }}
+ - name: POSTGRES_PORT
+ value: "{{ .Values.postgres.service.externalPort }}"
+ - name: POSTGRES_DB_NAME
+ value: {{ .Values.postgres.config.pgDatabase }}
+ - name: POSTGRES_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }}
+ - name: POSTGRES_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }}
+{{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.liveness.port }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+{{- end }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.readiness.port }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ resources: {{ include "common.resources" . | nindent 10 }}
+{{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
+{{- end }}
+{{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 10 }}
+{{- end }}
+ volumeMounts:
+ - mountPath: /uui/run.sh
+ name: entrypoint
+ subPath: run.sh
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: entrypoint
+ configMap:
+ name: {{ include "common.fullname" . }}-entrypoint
+ defaultMode: 0755
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
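Review bot: The templated env values for POSTGRES_IP and POSTGRES_DB_NAME are emitted unquoted while POSTGRES_PORT on the line above them is quoted; an empty or number-looking value would render as null or a non-string, which the env schema rejects, so write them as `value: "{{ .Values.postgres.service.name2 }}"` and `value: "{{ .Values.postgres.config.pgDatabase }}"`. The initContainers line only waits for the postgres service via common.readinessCheck.waitFor, not for the `-init-postgres` Job added in job.yaml, so the application can start before the schema is loaded; the usual chart pattern appends `{{ include "common.waitForJobContainer" . | indent 6 | trim }}` to this Deployment's initContainers, whereas in this commit that include sits inside the Job's own pod spec where it would wait on the Job's own container. No securityContext is set on the pod or container; unless the common templates add one, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are worth adding here if the image supports running unprivileged.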
diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml
new file mode 100644
index 0000000000..90d6d63dab
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml
@@ -0,0 +1,82 @@
+{{/*
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "common.fullname" . }}-init-postgres
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}-job
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ backoffLimit: 20
+ template:
+ metadata:
+ labels:
+ app: {{ include "common.name" . }}-job
+ release: {{ include "common.release" . }}
+ spec:
+ restartPolicy: Never
+ initContainers:
+ - command:
+ - /app/ready.py
+ args:
+ - --service-name
+ - "{{ .Values.postgres.service.name2 }}"
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "500Mi"
+ requests:
+ cpu: "3m"
+ memory: "20Mi"
+ containers:
+ - name: {{ include "common.name" . }}-job
+ image: {{ include "repositoryGenerator.image.postgres" . }}
+ imagePullPolicy: {{ .Values.pullPolicy }}
+ env:
+ - name: PGUSER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }}
+ - name: PGPASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ psql -h $(UUI_ADAPTATION_PG_PRIMARY_SERVICE_HOST) -f /aaa/init/llm-adaptation-init.sql -d {{ .Values.postgres.config.pgDatabase }}
+ volumeMounts:
+ - name: init-data
+ mountPath: /aaa/init/llm-adaptation-init.sql
+ subPath: llm-adaptation-init.sql
+ {{ include "common.waitForJobContainer" . | indent 6 | trim }}
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: init-data
+ configMap:
+ name: {{ include "common.fullname" . }}
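Review bot: The psql command resolves the host through `$(UUI_ADAPTATION_PG_PRIMARY_SERVICE_HOST)`, a Kubernetes service environment variable that is only injected if the postgres service exists when the container is started; if it is absent the reference is left unexpanded and `/bin/sh -c` treats it as a command substitution, producing `psql -h -f ...`. The Deployment in this same commit already addresses postgres by the service name from values, so using that here is consistent and not ordering-dependent: `psql -h {{ .Values.postgres.service.name2 }} -f /aaa/init/llm-adaptation-init.sql -d {{ .Values.postgres.config.pgDatabase }}`. With `backoffLimit: 20` and `restartPolicy: Never` the script is re-executed on every retry, so llm-adaptation-init.sql must be idempotent; a one-line comment above the command stating that requirement, e.g. `# re-run on every retry: the SQL must be idempotent`, would save the next maintainer a surprise.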
diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml
new file mode 100644
index 0000000000..638e02c1e5
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml
new file mode 100644
index 0000000000..33e96ef8c4
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/uui/components/uui-llm-adaptation/values.yaml b/kubernetes/uui/components/uui-llm-adaptation/values.yaml
new file mode 100644
index 0000000000..9010bca0c1
--- /dev/null
+++ b/kubernetes/uui/components/uui-llm-adaptation/values.yaml
@@ -0,0 +1,126 @@
+# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for uui llm adaptation.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+ passwordStrength: long
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: uui-llm-adaptation
+ roles:
+ - read
+
+secrets:
+ - uid: pg-root-pass
+ name: &pgRootPassSecretName '{{ include "common.release" . }}-uui-adaptation-pg-root-pass'
+ type: password
+ externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "uui-adaptation-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}'
+ password: '{{ .Values.postgres.config.pgRootpassword }}'
+ policy: generate
+ - uid: pg-user-creds
+ name: &pgUserCredsSecretName '{{ include "common.release" . }}-uui-adaptation-pg-user-creds'
+ type: basicAuth
+ externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "uui-adaptation-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}'
+ login: '{{ .Values.postgres.config.pgUserName }}'
+ password: '{{ .Values.postgres.config.pgUserPassword }}'
+ passwordPolicy: generate
+
+image: onap/usecase-ui-llm-adaptation:14.0.0
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+flavor: small
+replicaCount: 1
+nodeSelector: {}
+affinity: {}
+
+service:
+ type: ClusterIP
+ name: uui-llm-adaptation
+ ports:
+ - name: http-rest
+ port: &svc_port 8083
+
+liveness:
+ initialDelaySeconds: 120
+ port: *svc_port
+ periodSeconds: 10
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 60
+ port: *svc_port
+ periodSeconds: 10
+
+# application configuration override for postgres
+postgres:
+ nameOverride: &postgresName uui-adaptation-postgres
+ service:
+ name: *postgresName
+ name2: uui-adaptation-pg-primary
+ name3: uui-adaptation-pg-replica
+ container:
+ name:
+ primary: uui-adaptation-pg-primary
+ replica: uui-adaptation-pg-replica
+ config:
+ pgUserName: uui
+ pgDatabase: uuiadaptation
+ pgUserExternalSecret: *pgUserCredsSecretName
+ pgRootPasswordExternalSecret: *pgRootPassSecretName
+ persistence:
+ mountSubPath: uui/uuiadaptation/data
+ mountInitPath: uui
+
+readinessCheck:
+ wait_for:
+ services:
+ - '{{ .Values.postgres.service.name2 }}'
+
+wait_for_job_container:
+ containers:
+ - '{{ include "common.name" . }}-job'
+
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+#
+# Example:
+# Configure resource requests and limits
+# ref: http://kubernetes.io/docs/user-guide/compute-resources/
+# Minimum memory for development is 2 CPU cores and 4GB memory
+# Minimum memory for production is 4 CPU cores and 8GB memory
+resources:
+ small:
+ limits:
+ cpu: "2"
+ memory: "1Gi"
+ requests:
+ cpu: "1"
+ memory: "200Mi"
+ large:
+ limits:
+ cpu: "4"
+ memory: "2Gi"
+ requests:
+ cpu: "2"
+ memory: "1Gi"
+ unlimited: {}
+
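Review bot: The comment block above `resources:` is the stock helm-create text ("remove the curly braces after 'resources:'") and does not describe the structure actually used, where `flavor: small` selects one of the `small`/`large`/`unlimited` entries; replace it with something like `# Resource flavors selected by .Values.flavor (small|large|unlimited).`. `#Pods Service Account` is missing the space after `#`. `debugEnabled: false` is declared but nothing in this commit's deployment.yaml reads it; if it is unused elsewhere, drop it rather than ship a dead toggle. The credential handling itself looks sound: both postgres secrets default to `generate`, only the user name is fixed, and `serviceAccount.roles` is limited to `read`.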