Diffstat (limited to 'kubernetes/dcaegen2-services')
3 files changed, 163 insertions, 8 deletions
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index c03be83264..9c9cc7074d 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,6 +18,56 @@ # ============LICENSE_END========================================================= */}} {{/* +For internal use only! + +dcaegen2-services-common._ms-specific-env-vars: +This template generates a list of microservice-specific environment variables +as specified in .Values.applicationEnv. The +dcaegen2-services-common.microServiceDeployment uses this template +to add the microservice-specific environment variables to the microservice's container. +These environment variables are in addition to a standard set of environment variables +provided to all microservices. + +The template expects a single argument, pointing to the caller's global context. + +Microservice-specific environment variables can be specified in two ways: + 1. As literal string values. + 2. As values that are sourced from a secret, identified by the secret's + uid and the key within the secret that provides the value. + +The following example shows an example of each type. The example assumes +that a secret has been created using the OOM common secret mechanism, with +a secret uid "example-secret" and a key called "password". + +applicationEnv: + APPLICATION_PASSWORD: + secretUid: example-secret + key: password + APPLICATION_EXAMPLE: "An example value" + +The example would set two environment variables on the microservice's container, +one called "APPLICATION_PASSWORD" with the value set from the "password" key in +the secret with uid "example-secret", and one called "APPLICATION_EXAMPLE" set to +the the literal string "An example value". +*/}} +{{- define "dcaegen2-services-common._ms-specific-env-vars" -}} + {{- $global := . 
}} + {{- if .Values.applicationEnv }} + {{- range $envName, $envValue := .Values.applicationEnv }} + {{- if kindIs "string" $envValue }} +- name: {{ $envName }} + value: {{ $envValue | quote }} + {{- else }} + {{ if or (not $envValue.secretUid) (not $envValue.key) }} + {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} + {{- end }} +- name: {{ $envName }} + {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }} + {{- end -}} + {{- end }} + {{- end }} +{{- end -}} +{{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. @@ -63,12 +114,21 @@ certificate information will include a server cert and key, in various formats. It will also include the AAF CA cert. If the microservice is a TLS client only (indicated by setting .Values.tlsServer to false), the certificate information includes only the AAF CA cert. + +Deployed POD may also include a Policy-sync sidecar container. +The sidecar is included if .Values.policies is set. The +Policy-sync sidecar polls PolicyEngine (PDP) periodically based +on .Values.policies.duration and configuration retrieved is shared with +DCAE Microservice container by common volume. Policy can be retrieved based on +list of policyID or filter */}} {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $logDir := default "" .Values.logDirectory -}} {{- $certDir := default "" .Values.certDirectory . -}} {{- $tlsServer := default "" .Values.tlsServer -}} +{{- $policy := default "" .Values.policies -}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} 
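Review bot: In `dcaegen2-services-common._ms-specific-env-vars`, any `applicationEnv` entry that is neither a string nor a map (for example an unquoted number or boolean) now falls into the `else` branch, where `$envValue.secretUid` is evaluated on a scalar. That will most likely abort rendering with a generic template error instead of the intended `fail` message, whereas the removed code rendered such values through `quote`. Treating every non-map value as a literal keeps the old behaviour: `{{- if not (kindIs "map" $envValue) }}` in place of `{{- if kindIs "string" $envValue }}`. The `fail` text would also read more accurately as "must contain both secretUid and key", since the guard trips when either one is missing.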
@@ -150,12 +210,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP - {{- if .Values.applicationEnv }} - {{- range $envName, $envValue := .Values.applicationEnv }} - - name: {{ $envName }} - value: {{ $envValue | quote }} - {{- end }} - {{- end }} + {{- include "dcaegen2-services-common._ms-specific-env-vars" . | nindent 8 }} {{- if .Values.service }} ports: {{ include "common.containerPorts" . | nindent 10 }} {{- end }} @@ -180,8 +235,9 @@ spec: {{- end }} {{- end }} resources: {{ include "common.resources" . | nindent 2 }} - {{- if or $logDir $certDir }} volumeMounts: + - mountPath: /app-config + name: app-config {{- if $logDir }} - mountPath: {{ $logDir}} name: component-log @@ -190,6 +246,9 @@ spec: - mountPath: {{ $certDir }} name: tls-info {{- end }} + {{- if $policy }} + - name: policy-shared + mountPath: /etc/policies {{- end }} {{- if $logDir }} - image: {{ include "repositoryGenerator.image.logging" . }} 
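Review bot: The `policy-shared` mount added to the microservice container at `/etc/policies` is writable, although per the description in this commit only the policy-sync sidecar produces the file and the microservice consumes it. Adding `readOnly: true` under that `mountPath` keeps the application container from altering the policy data it is meant to read. The enclosing container spec starts and ends outside this hunk, so confirm that nothing in the microservice writes to that path before restricting it.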
@@ -211,6 +270,53 @@ spec: name: filebeat-conf subPath: filebeat.yml {{- end }} + {{- if $policy }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: policy-sync + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: POLICY_SYNC_PDP_USER + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: login + - name: POLICY_SYNC_PDP_PASS + valueFrom: + secretKeyRef: + name: onap-policy-xacml-pdp-api-creds + key: password + - name: POLICY_SYNC_PDP_URL + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + - name: POLICY_SYNC_OUTFILE + value : "/etc/policies/policies.json" + - name: POLICY_SYNC_V1_DECISION_ENDPOINT + value : "policy/pdpx/v1/decision" + {{- if $policy.filter }} + - name: POLICY_SYNC_FILTER + value: {{ $policy.filter }} + {{- end -}} + {{- if $policy.policyID }} + - name: POLICY_SYNC_ID + value: {{ $policy.policyID }} + {{- end -}} + {{- if $policy.duration }} + - name: POLICY_SYNC_DURATION + value: {{ $policy.duration }} + {{- end }} + resources: {{ include "common.resources" . | nindent 2 }} + volumeMounts: + - mountPath: /etc/policies + name: policy-shared + {{- if $certDir }} + - mountPath: /opt/ca-certificates/ + name: tls-info + {{- end }} + {{- end }} hostname: {{ include "common.name" . }} volumes: - configMap: @@ -234,6 +340,10 @@ spec: - emptyDir: {} name: tls-info {{- end }} + {{- if $policy }} + - name: policy-shared + emptyDir: {} + {{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index 19144b4ea5..cec332218d 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml 
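Review bot: The `POLICY_SYNC_FILTER`, `POLICY_SYNC_ID` and `POLICY_SYNC_DURATION` values in the policy-sync container are rendered unquoted, so a numeric `duration` such as the `300` shown in the tcagen2 example becomes a YAML integer, which Kubernetes rejects for an env `value` field that must be a string. Use `value: {{ $policy.duration | quote }}`, and consider the same for `filter` and `policyID`, with the values example adjusted so it no longer relies on embedded single quotes. Separately, the secret name `onap-policy-xacml-pdp-api-creds` is hard-coded in both `secretKeyRef` entries. It presumably only resolves when the release is named `onap`, so deriving it from the release name or a value would avoid a pod that cannot start under another release name. Note also that `POLICY_SYNC_PDP_URL` falls back to plain `http` when `common.needTLS` is false, in which case the PDP login and password are sent unencrypted inside the cluster.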
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -39,7 +39,7 @@ consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1. # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.6.0 +image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.8.0 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -111,6 +111,38 @@ applicationConfig: security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass streams_publishes: + ves-3gpp-fault-supervision: + type: kafka + aaf_credentials: + username: ${AAF_USER} + password: ${AAF_PASSWORD} + kafka_info: + bootstrap_servers: message-router-kafka:9092 + topic_name: SEC_3GPP_FAULTSUPERVISION_OUTPUT + ves-3gpp-provisioning: + type: kafka + aaf_credentials: + username: ${AAF_USER} + password: ${AAF_PASSWORD} + kafka_info: + bootstrap_servers: message-router-kafka:9092 + topic_name: SEC_3GPP_PROVISIONING_OUTPUT + ves-3gpp-heartbeat: + type: kafka + aaf_credentials: + username: ${AAF_USER} + password: ${AAF_PASSWORD} + kafka_info: + bootstrap_servers: message-router-kafka:9092 + topic_name: SEC_3GPP_HEARTBEAT_OUTPUT + ves-3gpp-performance-assurance: + type: kafka + aaf_credentials: + username: ${AAF_USER} + password: ${AAF_PASSWORD} + kafka_info: + bootstrap_servers: message-router-kafka:9092 + topic_name: SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT perf3gpp: type: kafka aaf_credentials: diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index da6dc8f1fc..89cf13447a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml 
@@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +36,7 @@ filebeatConfig: tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 + ################################################################# # Application configuration defaults. ################################################################# @@ -84,6 +86,17 @@ service: - port: 9091 name: http +# Policy configuraiton properties +# if present, policy-sync side car will be deployed + +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#policies: +# duration: 300 +# policyID: | +# '["onap.vfirewall.tca","abc"]' +# filter: | +# '["DCAE.Config_vfirewall_.*"]' + aaiCreds: user: DCAE password: DCAE |
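Review bot: The commented-out policy example does not say that `dcaePolicySyncImage` and `policies` must be enabled together. The deployment template in this commit gates the sidecar only on `.Values.policies` and then builds the image reference from `.Values.dcaePolicySyncImage`, so uncommenting `policies` alone would render an image with an empty name. A comment such as `# Policy configuration properties: set both dcaePolicySyncImage and policies to deploy the policy-sync sidecar` would make that explicit and also fix the "configuraiton" typo. The block scalars (`|`) in the example carry a trailing newline and literal single quotes into the value, which is worth documenting or simplifying to a plain quoted string.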