Diffstat (limited to 'kubernetes/policy/components')
30 files changed, 312 insertions, 282 deletions
diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index b457a7b100..8333f06825 100644 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 16.0.1 +version: 16.0.3 dependencies: - name: common @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index 16292b8e60..15ee20e9f6 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023,2025 Deutsche Telekom. All rights reserved. # Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -32,7 +32,7 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: - url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin driverClassName: org.postgresql.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" 
diff --git a/kubernetes/policy/components/policy-api/resources/config/db-pg.sh b/kubernetes/policy/components/policy-api/resources/config/db-pg.sh
new file mode 100644
index 0000000000..a7fc088d55
--- /dev/null
+++ b/kubernetes/policy/components/policy-api/resources/config/db-pg.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021-2024 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+
+#psql() { /usr/bin/psql -h ${PG_HOST} -p ${PG_PORT} "$@"; };
+
+export PGPASSWORD=${PG_ADMIN_PASSWORD};
+
+echo "Create user ${PG_USER} is created in Host ${PG_HOST}"
+psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'"
+
+for db in migration pooling policyadmin policyclamp operationshistory clampacm
+do
+ echo "Create DB ${db}"
+ psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};"
+ echo "Grant privileges to DB ${db} for user ${PG_USER}"
+ psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";"
+ echo "Grant privileges to SCHEMA public for user ${PG_USER}"
+ psql -h ${PG_HOST} -p ${PG_PORT} -d ${db} -U postgres --command "GRANT ALL ON SCHEMA public TO \"${PG_USER}\";"
+done
diff --git a/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh
new file mode 100644
index 0000000000..15a6e3224f
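Review bot: The `CREATE USER` statement is built by shell interpolation, so `${PG_USER_PASSWORD}` ends up inside a single-quoted SQL literal and on the psql command line. A password containing `'` breaks or alters the statement, and the value is visible in the process argument list while psql runs. Letting psql do the quoting (`:"name"` for identifiers, `:'name'` for literals) avoids both, but variable interpolation is not applied to `--command`, so the SQL has to arrive on stdin as sketched below. Separately, the script has no `set -e` and no existence checks, so a failed `CREATE` is ignored and the exit status is that of the last `GRANT`. Because the deployment in this commit runs the script as an init container, the create statements will presumably error on every pod start after the first.

```shell
export PGPASSWORD=${PG_ADMIN_PASSWORD};

# \getenv needs psql 15 or later; the quoted heredoc keeps the shell from expanding anything
psql -h "${PG_HOST}" -p "${PG_PORT}" -U postgres <<'EOF'
\getenv pg_user PG_USER
\getenv pg_user_password PG_USER_PASSWORD
CREATE USER :"pg_user" WITH PASSWORD :'pg_user_password';
EOF

# … unchanged: per-database CREATE DATABASE / GRANT loop …
```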
--- /dev/null +++ b/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh @@ -0,0 +1,32 @@ +#!/bin/sh +{{/* +# Copyright (C) 2022, 2024 Nordix Foundation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +for schema in ${SQL_DB}; do + echo "Initializing $schema..." + /opt/app/policy/bin/prepare_upgrade.sh ${schema} + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o upgrade + rc=$? + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report + + if [ "$rc" != 0 ]; then + break + fi +done diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml index 0b1873afd4..a4962b46ed 100755 --- a/kubernetes/policy/components/policy-api/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. +# Modification (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
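Review bot: A failed upgrade does not fail db_migrator_pg_policy_init.sh: when `rc` is non-zero the loop leaves through `break`, nothing follows `done`, and the script's exit status is then that of `break`, which is 0. The init container that runs it would report success and the policy-api container would start against a schema whose migration did not complete. Replace `break` with `exit "$rc"`, or add `exit "${rc:-0}"` after `done`. `${SQL_DB}` is unquoted so that it word-splits into schema names, which deserves a one-line comment such as `# SQL_DB is a space-separated schema list; left unquoted so it splits`.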
@@ -34,3 +35,12 @@ binaryData: {{- end }} data: {{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-db-configmap + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index 063bc80445..20c02befae 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2025 Nordix Foundation. +# Modification (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -28,29 +29,78 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-pg-migrator-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} + - name: {{ include "common.name" . }}-pg-config + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} - name: {{ include "common.name" . }}-readiness + command: + - /bin/sh + - -cx + - | + /docker-entrypoint-initdb.d/db-pg.sh + env: + - name: PG_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + {{- if eq .Values.global.postgres.localCluster true }} + name: '{{ include "common.release" . }}-policy-db-root-password' + {{- else }} + name: '{{ .Values.global.postgres.userRootSecret }}' + {{- end }} + key: password + - name: PG_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: PG_USER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: PG_PORT + value: "{{ .Values.global.postgres.service.port }}" resources: - limits: - cpu: "100m" - memory: "500Mi" requests: - cpu: "3m" - memory: "20Mi" + cpu: 50m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + volumeMounts: + - mountPath: /docker-entrypoint-initdb.d/db-pg.sh + name: {{ include "common.fullname" . 
}}-config + subPath: db-pg.sh + - name: {{ include "common.name" . }}-pg-db-migrator + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_pg_policy_init.sh + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + command: + - /bin/sh + - -cx + - | + /dbcmd-config/db_migrator_pg_policy_init.sh + env: + - name: SQL_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "postgres" + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} - command: - sh args: 
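Review bot: The new `-pg-config` init container takes the PostgreSQL superuser password (`PG_ADMIN_PASSWORD`, from the root-password secret) into the policy-api pod spec, so every replica and every restart of the API deployment runs with database admin credentials and repeats the user and database bootstrap. The removed readiness check waited on a `--job-name ...-policy-pg-migrator-config`, which suggests this work used to live in a separate one-shot job (inferred; the job is not in this diff). Keeping the bootstrap in a Job or Helm hook and leaving only the readiness wait here would limit where the root secret is consumed, and would also avoid several replicas running the migrator concurrently. Also, `eq .Values.global.postgres.localCluster true` tests a key that the values.yaml hunks of this chart do not define; `{{- if .Values.global.postgres.localCluster }}` gives the same result when the key is set and does not depend on how `eq` treats a missing value.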
@@ -58,9 +108,9 @@ spec: - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 12 }} - name: RESTSERVER_PASSWORD @@ -70,10 +120,17 @@ spec: name: apiconfig - mountPath: /config name: apiconfig-processed + name: {{ include "common.name" . }}-update-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + requests: + cpu: 10m + memory: 64Mi + limits: + cpu: 100m + memory: 128Mi {{ include "common.containerSecurityContext" . | indent 10 | trim }} - name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} @@ -90,7 +147,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} + {{- end }} readinessProbe: httpGet: path: {{ .Values.readiness.api }} 
@@ -140,4 +197,15 @@ spec: - name: logs emptyDir: sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - {{- include "common.imagePullSecrets" . | nindent 6 }} + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: + sizeLimit: {{ .Values.dirSizes.migration.sizeLimit }} + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-db-configmap + defaultMode: 0755 + items: + - key: db-pg.sh + path: db-pg.sh + - key: db_migrator_pg_policy_init.sh + path: db_migrator_pg_policy_init.sh diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index f65ce801f4..a9d0449f86 100644 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. -# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. # Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -25,12 +25,18 @@ global: nodePortPrefix: 304 persistence: {} + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig ################################################################# secrets: - - uid: db-creds + - uid: db-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' login: '{{ .Values.db.user }}' 
@@ -44,6 +50,17 @@ secrets: passwordPolicy: required ################################################################# +# DB configuration defaults. +################################################################# + +dbmigrator: + image: onap/policy-db-migrator:4.1.0 + schemas: "policyadmin clampacm pooling operationshistory" + policy_home: "/opt/app/policy" + +postgresImage: library/postgres:17.2 + +################################################################# # Application configuration defaults. ################################################################# # application image @@ -57,9 +74,11 @@ debugEnabled: false db: user: policy-user password: policy_user - service: - pgName: policy-pg-primary - internalPgPort: 5432 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.postgres.service.name2 }}' restServer: user: policyadmin @@ -131,6 +150,11 @@ dirSizes: sizeLimit: 1Gi logDir: sizeLimit: 500Mi + migration: + sizeLimit: 1Gi + +dbReadiness: + retryCount: 3 #Pods Service Account serviceAccount: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 5d26bfdad9..61a95ce117 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2021, 2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 16.0.0 +version: 16.0.2 dependencies: - name: common @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index a296e8c7a4..d22d73a642 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -25,7 +25,7 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/clampacm driverClassName: org.postgresql.Driver username: ${SQL_USER} password: ${SQL_PASSWORD} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index c09a3616b0..79120a3f33 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml 
@@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,28 +30,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-pg-migrator-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-db-config-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 00bd0acdbd..540b3732a5 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml 
@@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +23,12 @@ global: nodePortPrefixExt: 304 persistence: {} + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 #Strimzi Kafka properties kafkaTopics: acRuntimeOperationTopic: @@ -90,9 +96,6 @@ kafkaTopic: db: user: policy-user password: policy_user - service: - pgName: policy-pg-primary - pgPort: 5432 # default number of instances replicaCount: 1 @@ -164,9 +167,10 @@ serviceAccount: roles: - read -wait_for_job_container: - containers: - - '{{ include "common.release" . }}-galera-migrator-config' +readinessCheck: + wait_for: + services: + - policy-api customNaming: toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 05615a28c1..fc81c4c4d0 100644 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -2,7 +2,7 @@ # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024-2025 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 16.0.1 +version: 16.0.3 dependencies: - name: common @@ -31,3 +31,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index b1a7f04b58..e4bc752bf9 100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -3,6 +3,7 @@ # Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. # Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright (C) 2025 Deutsche Telekom. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -41,9 +42,9 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access -SQL_HOST={{ .Values.db.pgName }} -SQL_PORT={{ .Values.db.pgPort }} -JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/ +SQL_HOST={{ .Values.global.postgres.service.name2 }} +SQL_PORT={{ .Values.global.postgres.service.port }} +JDBC_URL=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/ JDBC_OPTS= JDBC_DRIVER=org.postgresql.Driver diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index e8c0a5edea..d7bcccf121 100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml 
@@ -2,7 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property # Modifications Copyright (C) 2024-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,28 +29,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-pg-migrator-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-db-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{- if not .Values.nexus.offline }} - command: - /app/ready.py diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index d84c26eeea..40de912ef0 100644 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -2,7 +2,7 @@ # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property # Modifications Copyright (C) 2024-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,6 +21,12 @@ ################################################################# global: nodePortPrefix: 302 + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig @@ -104,8 +110,6 @@ nexus: offline: true db: - pgName: policy-pg-primary - pgPort: 5432 password: policy_user pap: @@ -281,3 +285,8 @@ kafkaUser: type: topic patternType: prefix operations: [ Create, Describe, Read, Write ] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml index 6416e5016e..f776feae35 100644 --- a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy OPA PDP (PDP-O) name: policy-opa-pdp -version: 15.0.0 +version: 16.0.1 dependencies: - name: common @@ -31,3 +31,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json index e978b84186..bb18a3bacc 100755 --- a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json +++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json @@ -21,22 +21,6 @@ "logging": { "level": "debug" }, - "services": [ - { - "name": "opa-bundle-server", - "url": "http://policy-opa-pdp:8282/opa/bundles" - } - ], - "bundles": { - "opabundle": { - "service": "opa-bundle-server", - "resource": "bundle.tar.gz", - "polling": { - "min_delay_seconds": 60, - "max_delay_seconds": 120 - } - } - }, "decision_logs": { "console": true } 
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz Binary files differdeleted file mode 100644 index fa841c0191..0000000000 --- a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz +++ /dev/null diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml index cc08af6937..1942a59f6f 100755 --- a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml @@ -26,17 +26,3 @@ metadata: labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }} - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap-policies-data - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} -{{- with .Files.Glob "resources/policies/*" }} -binaryData: -{{- range $path, $bytes := . }} - {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml index 6c25bac01c..90ff759bb8 100755 --- a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml 
@@ -29,29 +29,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /bin/sh - args: - - -c - - | - echo "*** set right permissions to the different folders" - chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log; - chmod -R 755 /var/log - chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/; - chmod -R 755 /opt/* - tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/ - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-readiness - volumeMounts: - - name: logs - mountPath: /var/log - - name: tmp-policies-data - mountPath: /tmp/policies - - name : opa-policies-data - mountPath: /opt/ - + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} @@ -65,8 +43,12 @@ spec: value: "{{ .Values.kafka.useSASL }}" - name: KAFKA_URL value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid - name: GROUPID - value: "{{ .Values.kafka.groupid }}" + value: "{{ .Values.groupIdPrefix }}-$(POD_UID)" - name: LOG_LEVEL value: "{{ .Values.log.loglevel }}" - name: PAP_TOPIC @@ -97,15 +79,12 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - - name: opa-policies-data - mountPath: /opt - name: opa-config mountPath: /app/config - name: opa-bundles mountPath: /app/bundles - name: logs - mountPath: /var/log + mountPath: /var/logs resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: 
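Review bot: `GROUPID` is now `{{ .Values.groupIdPrefix }}-$(POD_UID)`, so each pod, and each replacement pod after a restart or rollout, joins Kafka under a new consumer-group id. If the intent is that every PDP instance receives every message, say so in a comment above `POD_UID`, e.g. `# one consumer group per pod: every replica must see all PAP messages`. Committed offsets are not carried over to a replacement pod, and old group ids stay on the broker until they expire. `.Values.kafka.groupid` is no longer read by this template, although values.yaml still defines it.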
@@ -117,13 +96,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: tmp-policies-data - configMap: - name: {{ include "common.fullname" . }}-configmap-policies-data - defaultMode: 0755 - - name: opa-policies-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-policies-data - name: opa-config configMap: name: {{ include "common.fullname" . }}-configmap-config diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml deleted file mode 100755 index 5a1e9e3450..0000000000 --- a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2025 Deutsche Telekom Intellectual Property. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} - -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "common.fullname" . }}-policies-data - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.logsSize }} - storageClassName: {{ include "common.storageClass" . }} - volumeMode: Filesystem - -{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml index 20c7e513bc..0971dc8d7f 100644 --- a/kubernetes/policy/components/policy-opa-pdp/values.yaml +++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml 
@@ -43,7 +43,8 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-opa-pdp:1.0.0 +image: onap/policy-opa-pdp:1.0.4 + pullPolicy: Always componentName: &componentName policy-opa-pdp @@ -79,20 +80,8 @@ config: policyPdpPapTopic: policy-pdp-pap securityContext: - user_id: 0 - group_id : 0 - runAsNonRoot: false - - -containerSecurityContext: - enabled: true - privileged: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: false - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 0 - + user_id: 1000 + group_id : 1000 kafka: groupid: "policy-opa-pdp" @@ -112,8 +101,6 @@ persistence: parameters: {} storageclassProvisioner: cinder-os - - # default number of instances replicaCount: 1 @@ -133,6 +120,11 @@ readiness: initialDelaySeconds: 20 periodSeconds: 10 +readinessCheck: + wait_for: + services: + - 'policy-pap' + service: type: ClusterIP name: *componentName @@ -187,7 +179,6 @@ resources: memory: "2Gi" unlimited: {} - dirSizes: emptyDir: sizeLimit: 1Gi @@ -198,6 +189,7 @@ dirSizes: bundleDir: sizeLimit: 5Gi +groupIdPrefix: opa-pdp #Pods Service Account serviceAccount: @@ -244,8 +236,9 @@ config: kafkaUser: authenticationType: scram-sha-512 acls: - - name: policy-opa-pdp + - name: opa-pdp type: group + patternType: prefix operations: [ Create, Describe, Read, Write ] - name: policy-pdp-pap type: topic diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 6f5905e8ee..5a676e94d7 100644 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml 
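Review bot: In the `securityContext` hunk of policy-opa-pdp/values.yaml the whole `containerSecurityContext` block is deleted rather than tightened, so the container-level settings now depend on whatever the shared security-context template falls back to, which this diff does not show. Moving `user_id` and `group_id` from 0 to 1000 is the right direction. I would still keep the block with the hardened values stated explicitly, for example `allowPrivilegeEscalation: false` and `runAsNonRoot: true`, so the intent is visible in this file. As a style point, `group_id : 1000` has a space before the colon; `group_id: 1000` would match the line above it.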
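Review bot: The group ACL in the `kafkaUser.acls` hunk now matches every consumer group whose name starts with `opa-pdp`, but the `kafka.groupid` value left unchanged further up in this file is still `"policy-opa-pdp"`, which that prefix does not cover. If any consumer still takes its group id from `kafka.groupid` rather than the new `groupIdPrefix`, it would lose authorization on its group. The templates that decide this are outside the visible diff, so please confirm. A prefix rule is also a wider grant than the literal one it replaces, so a comment such as `# prefix match: consumer group ids are derived from groupIdPrefix` next to `patternType: prefix` would record why it is needed.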
@@ -3,7 +3,7 @@ # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024-2025 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 16.0.1 +version: 16.0.3 dependencies: - name: common @@ -35,3 +35,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 614cff344f..7b9a0f179e 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -26,7 +26,7 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin driverClassName: org.postgresql.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index e94e82764d..5722563b47 100644 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml 
@@ -3,7 +3,7 @@ # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2024-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,28 +32,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-pg-migrator-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-db-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -151,8 +130,8 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime - hostPath: - path: /etc/localtime + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} - name: empty-dir emptyDir: sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 7f421fff5e..a7b3c5a4f2 100644..100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml 
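Review bot: The init container removed in the `initContainers` hunk blocked startup until the `policy-pg-migrator-config` job had finished, whereas the `common.readinessCheck.waitFor` include that replaces it is driven by `readinessCheck.wait_for`, which lists only the `policy-api` service for this chart. PAP therefore relies on policy-api not reporting ready before the schema migration has completed. That ordering is not visible in this diff, so please confirm it or keep a wait on the migration job alongside the service wait. The same replacement is made in policy-xacml-pdp/templates/deployment.yaml, and the pod spec continues outside the hunk.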
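Review bot: In the `volumes` hunk, swapping the `hostPath` mount of `/etc/localtime` for an `emptyDir` removes the host-filesystem dependency, but the volume keeps the name `localtime` and the `volumeMounts` entry that consumes it is outside this hunk. If the container still mounts it at `/etc/localtime`, that path becomes an empty directory instead of a zoneinfo file. Dropping both the volume and its mount would be cleaner than keeping a placeholder. policy-xacml-pdp/templates/deployment.yaml gets the same edit.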
@@ -3,7 +3,7 @@ # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. # Modifications Copyright © 2022-2025 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,6 +26,12 @@ global: nodePortPrefixExt: 304 persistence: {} + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig @@ -78,9 +84,6 @@ debugEnabled: false db: user: policy-user password: policy_user - service: - pgName: policy-pg-primary - internalPgPort: 5432 restServer: user: policyadmin @@ -237,3 +240,8 @@ kafkaUser: type: topic patternType: prefix operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index 9ec8f21457..347ca0dda2 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024-2025 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
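Review bot: The new `global.postgres.service` keys `name`, `name2` and `name3` give no hint which one a client should use, and the JDBC URLs in this change pick `name2`. A comment above each key, for example `# name2: primary (read-write) service, used in the JDBC URLs` and `# name3: replica service`, would save readers from matching values to key numbers. That wording is inferred from the `policy-pg-primary` and `policy-pg-replica` values, so adjust it as needed. The same block is added to policy-xacml-pdp/values.yaml.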
@@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 16.0.1 +version: 16.0.3 dependencies: - name: common @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index 46d6b2a842..8641165d3c 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2024-2025 Nordix Foundation. All rights reserved. +# Modifications (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -69,6 +70,6 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome # eclipselink.target-database=PostgreSQL jakarta.persistence.jdbc.driver=org.postgresql.Driver -jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory +jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/operationshistory jakarta.persistence.jdbc.user=${SQL_USER} jakarta.persistence.jdbc.password=${SQL_PASSWORD} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index 4cebd27f74..cd23866263 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml 
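Review bot: Besides switching host and port to the global values, the new `jakarta.persistence.jdbc.url` line in xacml.properties also changes the database name from `operationhistory` to `operationshistory`. Nothing else in the visible diff creates or renames that database, so if the migration still provisions the old name, the persistence unit configured here will fail to connect. Please confirm the intended name and mention the rename in the commit message so it is not read as a typo. The old line also read the port from `.Values.db.service.pgPort`, so any deployment overriding that key needs to move its override to `global.postgres.service.port`.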
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -2,7 +2,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2024-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,28 +38,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-pg-migrator-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -206,8 +185,8 @@ spec: emptyDir: sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: localtime - hostPath: - path: /etc/localtime + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 2f315838e0..ff0bea4ce6 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml 
@@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2024-2025 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +23,12 @@ ################################################################# global: persistence: {} + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig @@ -64,9 +70,6 @@ debugEnabled: false db: user: policy-user password: policy_user - service: - pgName: policy-pg-primary - pgPort: 5432 restServer: user: healthcheck @@ -229,3 +232,8 @@ kafkaUser: type: topic patternType: prefix operations: [ Create, Describe, Read, Write ] + +readinessCheck: + wait_for: + services: + - policy-api |