summaryrefslogtreecommitdiffstats
path: root/kubernetes/dcaegen2
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/dcaegen2')
-rw-r--r--kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-policy_handler-inputs.yaml62
1 files changed, 55 insertions, 7 deletions
diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-policy_handler-inputs.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-policy_handler-inputs.yaml
index d53e8fdfde..d4ee73e303 100644
--- a/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-policy_handler-inputs.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-policy_handler-inputs.yaml
@@ -27,21 +27,33 @@ application_config:
# parallelize requests to policy-engine and keep them alive
pool_connections : 20
- # list of policyName prefixes (filters) that DCAE-Controller handles (=ignores any other policyName values)
- scope_prefixes : ["DCAE.Config_"]
-
# retry to getConfig from policy-engine on policy-update notification
policy_retry_count : 5
policy_retry_sleep : 5
+ # config of automatic catch_up for resiliency
+ catch_up :
+ # interval in seconds on how often to call automatic catch_up
+ # example: 1200 is 20*60 seconds that is 20 minutes
+ interval : 1200
+
+ # config of periodic reconfigure-rediscover for adaptability
+ reconfigure:
+ # interval in seconds on how often to call automatic reconfigure
+ # example: 600 is 10*60 seconds that is 10 minutes
+ interval : 600
+
# policy-engine config
# These are the url of and the auth for the external system, namely the policy-engine (PDP).
# We obtain that info manually from PDP folks at the moment.
# In long run we should figure out a way of bringing that info into consul record
# related to policy-engine itself.
+ # - k8s specific routing to policy-engine by hostname "pdp"
+ # - relying on dns to resolve hostname "pdp" to ip address
+ # - expecing to find "pdp" as the hostname in server cert from policy-engine
policy_engine :
- url : "http://{{ .Values.config.address.policy_pdp }}.{{include "common.namespace" . }}:8081"
- path_pdp : "/pdp/"
+ url : "https://{{ .Values.config.address.policy_pdp }}.{{include "common.namespace" . }}:8081"
+ path_notifications : "/pdp/notifications"
path_api : "/pdp/api/"
headers :
Accept : "application/json"
@@ -50,5 +62,41 @@ application_config:
Authorization : "Basic dGVzdHBkcDphbHBoYTEyMw=="
Environment : "TEST"
target_entity : "policy_engine"
- # name of deployment-handler service in consul for policy-handler to direct the policy-updates to
- deploy_handler : "deployment_handler"
+ # optional tls_ca_mode specifies where to find the cacert.pem for tls
+ # can be one of these:
+ # "cert_directory" - use the cacert.pem stored locally in cert_directory.
+ # this is the default if cacert.pem file is found
+ #
+ # "os_ca_bundle" - use the public ca_bundle provided by linux system.
+ # this is the default if cacert.pem file not found
+ #
+ # "do_not_verify" - special hack to turn off the verification by cacert and hostname
+ tls_ca_mode : "cert_directory"
+ # optional tls_wss_ca_mode specifies the same for the tls based web-socket
+ tls_wss_ca_mode : "cert_directory"
+ # deploy_handler config
+ # changed from string "deployment_handler" in 2.3.1 to structure in 2.4.0
+ deploy_handler :
+ # name of deployment-handler service used by policy-handler for logging
+ target_entity : "deployment_handler"
+ # url of the deployment-handler service for policy-handler to direct the policy-updates to
+ # - expecting dns to resolve the hostname deployment-handler to ip address
+ url : "http://deployment-handler:8188"
+ # limit the size of a single data segment for policy-update messages
+ # from policy-handler to deployment-handler in megabytes
+ max_msg_length_mb : 5
+ query :
+ # optionally specify the tenant name for the cloudify under deployment-handler
+ # if not specified the "default_tenant" is used by the deployment-handler
+ cfy_tenant_name : "default_tenant"
+ # optional tls_ca_mode specifies where to find the cacert.pem or skip tls verification
+ # can be one of these:
+ # "cert_directory" - use the cacert.pem stored locally in cert_directory.
+ # this is the default if cacert.pem file is found
+ #
+ # "os_ca_bundle" - use the public ca_bundle provided by linux system.
+ # this is the default if cacert.pem file not found
+ #
+ # "do_not_verify" - special hack to turn off the verification by cacert and hostname
+ tls_ca_mode : "cert_directory"
+