summaryrefslogtreecommitdiffstats
path: root/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms')
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml3
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml136
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml10
3 files changed, 147 insertions, 2 deletions
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml
index ed555b28a2..c3f5af9a90 100644
--- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml
@@ -3,6 +3,7 @@
# Copyright (c) 2021 Wipro Limited.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE SliceAnalysis MS charts
name: dcae-slice-analysis-ms
version: 12.0.0
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
index e57c781ed5..6eda4836e6 100644
--- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
@@ -3,6 +3,7 @@
# Copyright (C) 2021-2022 Wipro Limited.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
# Copyright (C) 2022 Huawei Canada Limited.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -49,7 +50,7 @@ secrets:
#################################################################
# Application Image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.1.5
+image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.2.1
pullPolicy: IfNotPresent
#################################################################
@@ -99,6 +100,13 @@ service:
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-slice-analysis-ms-read
+
credentials:
- name: PG_USERNAME
uid: *pgUserCredsSecretUid