Diffstat (limited to 'kubernetes/policy')
54 files changed, 759 insertions, 203 deletions
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index 677271c241..803298aadc 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml 
@@ -18,70 +18,77 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: mariadb-galera - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: policy-nexus - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled - name: policy-distribution - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - name: policy-clamp-be - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-clamp-be' condition: policy-clamp-be.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~10.x-0 + version: 
~11.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - name: policy-gui - version: ~10.x-0 + version: ~11.x-0 repository: 'file://components/policy-gui' condition: policy-gui.enabled - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' + - name: readinessCheck + version: ~11.x-0 + repository: '@local' + - name: postgres + version: ~11.x-0 + repository: '@local' + condition: global.postgres.localCluster diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index 7f22e9fd0e..92af552fac 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/serviceMonitor.yaml index dbf6a7cd6a..8284c73ed1 100644 --- a/kubernetes/policy/components/policy-apex-pdp/templates/serviceMonitor.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/serviceMonitor.yaml @@ -18,6 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if .Values.prometheus.enabled }} +{{- if .Values.global.prometheusEnabled }} {{ include "common.serviceMonitor" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 6adf0e6609..db5251913e 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.7.1 +image: onap/policy-apex-pdp:2.7.3 pullPolicy: Always # flag to enable debugging - application support required @@ -140,9 +140,6 @@ serviceAccount: roles: - read -prometheus: - enabled: true - metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index 82a0f48240..d317b9e513 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index c08b035d53..e6cf2b3571 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml 
@@ -29,6 +29,8 @@ spring: driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" + hikari: + maximumPoolSize: 20 jpa: properties: hibernate: diff --git a/kubernetes/policy/components/policy-api/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-api/templates/serviceMonitor.yaml index dbf6a7cd6a..8284c73ed1 100644 --- a/kubernetes/policy/components/policy-api/templates/serviceMonitor.yaml +++ b/kubernetes/policy/components/policy-api/templates/serviceMonitor.yaml @@ -18,6 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if .Values.prometheus.enabled }} +{{- if .Values.global.prometheusEnabled }} {{ include "common.serviceMonitor" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 89608cfb6f..0e3ada8956 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -79,7 +79,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.6.1 +image: onap/policy-api:2.6.3 pullPolicy: Always # flag to enable debugging - application support required @@ -156,9 +156,6 @@ serviceAccount: roles: - read -prometheus: - enabled: true - metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 00cbd28181..2fa60d513d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -19,18 +19,18 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local'
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index 249aaaebda..406b59c545 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -21,6 +21,20 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} +{{- if .Values.config.useStrimziKafka }} + kafka: + bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- end }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} security: enable-csrf: false diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml index 3a5b8b199f..044be0ff70 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml 
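Review bot: The Strimzi branch added to HttpParticipantParameters.yaml hard-codes `security.protocol: SASL_PLAINTEXT`, so SCRAM-SHA-512 authenticates the client but the broker connection carries no TLS: message payloads are readable on the wire and the broker's identity is not verified. If transport encryption is expected to come from elsewhere (a service mesh, for instance), a comment above the `kafka:` key should say so, e.g. `# SASL_PLAINTEXT: assumes broker traffic is encrypted outside the application`; otherwise the protocol should be a chart value so deployments can select `SASL_SSL`. The same block is added in KubernetesParticipantParameters.yaml, PolicyParticipantParameters.yaml and acRuntimeParameters.yaml.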
@@ -38,6 +38,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} +{{- end }} volumeMounts: - mountPath: /config-input name: ac-http-ppnt-config diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 8eafa463c5..5f8aa3b5a1 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -43,6 +43,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' password: '{{ .Values.certStores.trustStorePassword }}' passwordPolicy: required + - uid: policy-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate certStores: keyStorePassword: Pol1cy_0nap @@ -71,7 +78,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:6.2.1 +image: onap/policy-clamp-ac-http-ppnt:6.2.3 pullPolicy: Always # application configuration 
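Review bot: In the policy-clamp-ac-http-ppnt values.yaml `secrets:` hunk, the new `policy-kafka-user` entry takes its `sasl.jaas.config` value from `.Values.config.someConfig`, a key that none of the `config:` defaults added in this commit define, and `config.jaasConfExternalSecret` is not declared or documented there either. With `policy: generate` the chart will presumably fill in a generated value when no external secret is named, which would not be a usable JAAS login string for the `JAASLOGIN` variable wired up in deployment.yaml. I would add `jaasConfExternalSecret` to the `config:` block with a comment naming the secret that is expected to exist, and replace `someConfig` with a descriptively named value. The identical entry appears in the k8s-ppnt, pf-ppnt and runtime-acm values.yaml hunks.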
@@ -137,3 +144,29 @@ serviceAccount: nameOverride: policy-clamp-ac-http-ppnt roles: - read + +config: +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: policy-group + app: + listener: + acRuntimeTopic: policy-acruntime-participant +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. +# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index b55cb35649..2ca3762603 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' 
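Review bot: The commented example in the new `config:` block tells operators to set `eventConsumption:` when `useStrimziKafka` is false, but the `else` branch of HttpParticipantParameters.yaml renders `.Values.config.eventPublisher`, so an override written as documented would not be picked up and `toYaml` would likely render `null` under `spring:`. The comment and the template should use one key name; the comment also misspells the flag as `useStrimziKakfa`. Since the example uses `spring.kafka.security.protocol: PLAINTEXT`, a line such as `# PLAINTEXT disables authentication and encryption; use SASL_SSL outside test clusters` would keep it from being copied into production as is. The same comment block is repeated in the k8s-ppnt, pf-ppnt and runtime-acm values.yaml hunks.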
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index 0b7e2ab22d..6c14fd2207 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml @@ -21,6 +21,20 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} +{{- if .Values.config.useStrimziKafka }} + kafka: + bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- end }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} security: enable-csrf: false @@ -82,10 +96,4 @@ chart: api: enabled: false -# Sample Permitted list of helm repositories. Before deployment update the repositories where the helm charts are located. -# The Kubernetes participant accept only HTTPS Address -helm: - repos: - - - repoName: bitnami - address: https://charts.bitnami.com/bitnami +# Permitted list of helm repositories. Values are updated from values.yaml diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index 09cc8cd48f..54c595cc8f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml 
@@ -30,3 +30,8 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} +{{- if .Values.repoList }} +{{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} +{{ toYaml .Values.repoList | indent 4 }} +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} +{{- end }}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml index 14cb6d3f4e..e8650fe350 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml @@ -38,6 +38,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} +{{- end }} volumeMounts: - mountPath: /config-input name: ac-k8s-ppnt-config diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml index 73381c9e3b..2439223192 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml @@ -18,16 +18,10 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: policy-clamp-cl-k8s-ppnt - namespace: {{ include "common.namespace" . }} ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "common.namespace" . }}-policy-clamp-cl-k8s-ppnt-binding + name: {{ include "common.namespace" . }}-policy-clamp-ac-k8s-ppnt-binding namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} 
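Review bot: The block added to configmap.yaml renders `KubernetesParticipantParameters.yaml` a second time when `repoList` is set, because the unchanged `*.{xml,yaml}` glob line above the `if` already emits that file, and the trailing `*.{json,xml,sh}` glob repeats every xml file as well. The ConfigMap `data` map then contains duplicate keys, and which copy wins depends on the parser. Appending `toYaml .Values.repoList | indent 4` also only works while `AsConfig` emits the file as a block scalar whose content sits at exactly that indentation, which deserves a comment. I would move the original glob line into an `{{- else }}` branch so that no file is emitted twice.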
@@ -40,6 +34,6 @@ roleRef: name: cluster-admin subjects: - kind: ServiceAccount - name: policy-clamp-cl-k8s-ppnt + name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} namespace: {{ include "common.namespace" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index a3fb19f1bc..2cf8d2d723 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -44,6 +44,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' password: '{{ .Values.certStores.trustStorePassword }}' passwordPolicy: required + - uid: policy-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate certStores: keyStorePassword: Pol1cy_0nap @@ -72,7 +79,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:6.2.1 +image: onap/policy-clamp-ac-k8s-ppnt:6.2.3 pullPolicy: Always # flag to enable debugging - application support required 
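Review bot: The subject changed in this service.yaml hunk is bound to `cluster-admin` (the `roleRef` is visible as context; the start of the binding is in the previous hunk), so the participant's service account keeps unrestricted access to the whole cluster. The participant appears to install Helm charts from the repositories permitted in `repoList`, so a bad chart or repository entry would run with full cluster privileges. I would replace the `cluster-admin` reference with a dedicated ClusterRole, or namespaced Roles, listing only the resources the participant has to manage, and at minimum add a comment above `roleRef` explaining why cluster-wide admin is required. The `namespace:` field kept on the ClusterRoleBinding metadata has no effect on a cluster-scoped object and can be dropped.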
@@ -138,3 +145,42 @@ serviceAccount: nameOverride: policy-clamp-ac-k8s-ppnt roles: - create +# Update the config here for permitting repositories and protocols +repoList: + helm: + repos: + - + repoName: kong + address: https://charts.konghq.com + - + repoName: bitnami + address: https://charts.bitnami.com/bitnami + + protocols: + - http + - https + +config: +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: policy-group + app: + listener: + acRuntimeTopic: policy-acruntime-participant +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. +# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index ae8d03bc13..fc9d432047 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -19,18 +19,18 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local'
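Review bot: The new `repoList` default permits `http` under `protocols:`, whereas the comment removed from KubernetesParticipantParameters.yaml in this commit stated that the participant accepts only HTTPS addresses. Charts fetched over plain HTTP can be altered in transit, and the service account that installs them is bound to `cluster-admin` in service.yaml. I would ship only `- https` in the default list and leave `http` as a documented opt-in override. The two public repositories listed as defaults (`kong`, `bitnami`) are also worth a comment saying they are samples to be replaced before deployment, as the removed comment did.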
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index 0160ff45df..856b16d91d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -21,6 +21,20 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} +{{- if .Values.config.useStrimziKafka }} + kafka: + bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- end }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} security: enable-csrf: false diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml index b13e013f47..a127885cce 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml 
@@ -46,6 +46,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} +{{- end }} volumeMounts: - mountPath: /config-input name: ac-pf-ppnt-config diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index c825ab1a0c..6fefa02783 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml @@ -55,6 +55,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' password: '{{ .Values.certStores.trustStorePassword }}' passwordPolicy: required + - uid: policy-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate certStores: keyStorePassword: Pol1cy_0nap @@ -83,7 +90,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:6.2.1 +image: onap/policy-clamp-ac-pf-ppnt:6.2.3 pullPolicy: Always # flag to enable debugging - application support required 
@@ -155,3 +162,28 @@ serviceAccount: nameOverride: policy-clamp-ac-pf-ppnt roles: - read + +config: +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: policy-group + app: + listener: + acRuntimeTopic: policy-acruntime-participant +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. +# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 diff --git a/kubernetes/policy/components/policy-clamp-be/Chart.yaml b/kubernetes/policy/components/policy-clamp-be/Chart.yaml index e52eb76020..9b0cdf6a87 100644 --- a/kubernetes/policy/components/policy-clamp-be/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-be/Chart.yaml @@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP Policy Clamp Backend name: policy-clamp-be -version: 10.0.0 +version: 11.0.0 dependencies: - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml index 2016b14043..c23657c421 100644 --- a/kubernetes/policy/components/policy-clamp-be/values.yaml +++ b/kubernetes/policy/components/policy-clamp-be/values.yaml 
@@ -71,7 +71,7 @@ secrets: flavor: small # application image -image: onap/policy-clamp-backend:6.2.1 +image: onap/policy-clamp-backend:6.2.3 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 90e9293f56..42e02efb8d 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 2b52a2b892..219be24079 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml 
@@ -44,6 +44,20 @@ spring: hibernate: dialect: org.hibernate.dialect.MariaDB103Dialect format_sql: true +{{- if .Values.config.useStrimziKafka }} + kafka: + bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- end }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} security: enable-csrf: false diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index e302704201..361045af94 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml @@ -56,6 +56,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} - name: RUNTIME_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} +{{- end }} volumeMounts: - mountPath: /config-input name: ac-runtime-config diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 1b571fc502..d224aa6bc4 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml 
@@ -50,6 +50,13 @@ secrets: login: '{{ .Values.config.policyAppUserName }}' password: '{{ .Values.config.policyAppUserPassword }}' passwordPolicy: required + - uid: policy-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate certStores: keyStorePassword: Pol1cy_0nap @@ -78,7 +85,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:6.2.1 +image: onap/policy-clamp-runtime-acm:6.2.3 pullPolicy: Always # flag to enable debugging - application support required @@ -89,6 +96,30 @@ config: policyAppUserName: runtimeUser policyAppUserPassword: none +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: policy-group + app: + listener: + acRuntimeTopic: policy.policy-acruntime-participant +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. +# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + db: user: policy_user password: policy_user diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index b1758e53ba..6a5222f087 100755 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml 
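Review bot: The runtime's default `acRuntimeTopic` in this `config:` hunk is `policy.policy-acruntime-participant`, while the three participant charts in this commit default to `policy-acruntime-participant`. If these values are what the applications subscribe to (the templates that consume them are not part of this diff), runtime and participants would be on different topics and messages would not be delivered. Either the names should match or a comment should state why the runtime's name carries the `policy.` prefix.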
+++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-distribution/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-distribution/templates/serviceMonitor.yaml index dbf6a7cd6a..8284c73ed1 100644 --- a/kubernetes/policy/components/policy-distribution/templates/serviceMonitor.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/serviceMonitor.yaml @@ -18,6 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if .Values.prometheus.enabled }} +{{- if .Values.global.prometheusEnabled }} {{ include "common.serviceMonitor" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index db271a9c3f..d36f1c2275 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -67,7 +67,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.7.1 +image: onap/policy-distribution:2.7.3 pullPolicy: Always # flag to enable debugging - application support required @@ -162,9 +162,6 @@ serviceAccount: roles: - read -prometheus: - enabled: true - metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index c8cc5523a4..1c9c73d340 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -18,18 +18,18 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/serviceMonitor.yaml index 1c04296e4f..f8c450cb7e 100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/serviceMonitor.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/serviceMonitor.yaml 
@@ -18,6 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if .Values.prometheus.enabled }} +{{- if .Values.global.prometheusEnabled }} {{ include "common.serviceMonitor" . }} {{- end }} diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 344a600afe..74c743cb2b 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -41,7 +41,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.10.2 +image: onap/policy-pdpd-cl:1.10.3 pullPolicy: Always # flag to enable debugging - application support required @@ -203,9 +203,6 @@ serviceAccount: roles: - read -prometheus: - enabled: true - metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml index af1adbe3c7..fed1af9895 100644 --- a/kubernetes/policy/components/policy-gui/Chart.yaml +++ b/kubernetes/policy/components/policy-gui/Chart.yaml @@ -21,15 +21,15 @@ apiVersion: v2 description: ONAP Policy GUI name: policy-gui -version: 10.0.0 +version: 11.0.0 dependencies: - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-gui/resources/config/default.conf b/kubernetes/policy/components/policy-gui/resources/config/default.conf deleted file mode 100644 index 98417cd822..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/default.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -server { - - listen 2443 default ssl; - ssl_protocols TLSv1.2; - {{ if .Values.global.aafEnabled }} - ssl_certificate {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_pem}}; - ssl_certificate_key {{.Values.certInitializer.credsPath}}/{{.Values.certInitializer.clamp_key}}; - {{ else }} - ssl_certificate /etc/ssl/clamp.pem; - ssl_certificate_key /etc/ssl/clamp.key; - {{ end }} - - ssl_verify_client optional_no_ca; - absolute_redirect off; - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - try_files $uri $uri/ =404; - } - - location /clamp/restservices/clds/ { - proxy_pass https://policy-clamp-be:8443/restservices/clds/; - proxy_set_header X-SSL-Cert $ssl_client_escaped_cert; - } - - location = /50x.html { - root /var/lib/nginx/html; - } - error_page 500 502 503 504 /50x.html; - error_log /var/log/nginx/error.log warn; -} diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml index b67fa273de..a155715580 100644 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-gui/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021-2022 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -62,6 +62,20 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} +{{- if .Values.global.aafEnabled }} + command: ["sh","-c"] + args: ["source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh"] + env: +{{- else }} + command: ["/opt/app/policy/gui/bin/policy-gui.sh"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} +{{- end }} + - name: CLAMP_URL + value: https://policy-clamp-be:8443 ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -81,9 +95,6 @@ spec: volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - name: logs mountPath: {{ .Values.log.path }} - - mountPath: /etc/nginx/conf.d/default.conf - name: {{ include "common.fullname" . }}-config - subPath: default.conf resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -99,9 +110,6 @@ spec: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - items: - - key: default.conf - path: default.conf - name: logs emptyDir: {} {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 6ee7715678..60a6ce38c4 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml 
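Review bot: In the `aafEnabled` branch the container runs `source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh` under `sh -c`, and the `;` lets the start script run even when reading `.ci` fails (and `source` is not available in every POSIX `sh`). The GUI would then start without the `KEYSTORE`/`KEYSTORE_PASSWD` values that `.ci` exports instead of failing visibly. Writing the argument as `. {{ .Values.certInitializer.credsPath }}/.ci && exec /opt/app/policy/gui/bin/policy-gui.sh` makes a missing or unreadable credentials file fatal. `CLAMP_URL` is also fixed to `https://policy-clamp-be:8443` in the template; a key in `values.yaml` would keep it overridable. The container spec continues outside the hunk.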
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021-2022 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,36 +26,46 @@ global: # global defaults aafEnabled: true ################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required + +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap + +################################################################# # AAF part ################################################################# certInitializer: - permission_user: 1000 - permission_group: 999 - addconfig: true - keystoreFile: "org.onap.clamp.p12" - truststoreFile: "org.onap.clamp.trust.jks" - keyFile: "org.onap.clamp.keyfile" - truststoreFileONAP: "truststoreONAPall.jks" - clamp_key: "clamp.key" - clamp_pem: "clamp.pem" - clamp_ca_certs_pem: "clamp-ca-certs.pem" nameOverride: policy-gui-cert-initializer aafDeployFqi: deployer@people.osaaf.org aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: clamp - fqi: clamp@clamp.onap.org - public_fqdn: clamp.onap.org - cadi_longitude: "0.0" + fqdn: policy + fqi: policy@policy.onap.org + public_fqdn: policy.onap.org cadi_latitude: "0.0" - app_ns: org.osaaf.aaf + cadi_longitude: "0.0" credsPath: /opt/app/osaaf/local + app_ns: org.osaaf.aaf + uid: 100 + gid: 101 aaf_add_config: > - cd {{ .Values.credsPath }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; - openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; - chmod a+rx *; + echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; + echo "export TRUSTSTORE='{{ .Values.credsPath }}/org.onap.policy.trust.jks'" >> {{ .Values.credsPath }}/.ci; + echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; + echo "export TRUSTSTORE_PASSWD='${cadi_truststore_password}'" >> {{ .Values.credsPath }}/.ci; + chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); subChartsOnly: enabled: true @@ -63,7 +73,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.2.0 +image: onap/policy-gui:2.2.3 pullPolicy: Always # flag to enable debugging - application support required @@ -71,7 +81,7 @@ debugEnabled: false # log configuration log: - path: /var/log/nginx/ + path: /var/log/onap/policy/gui ################################################################# # Application configuration defaults. diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index 48497f2c8d..e8ba92a81c 100755 
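Review bot: The added `aaf_add_config` writes `KEYSTORE_PASSWD` and `TRUSTSTORE_PASSWD` into `{{ .Values.credsPath }}/.ci` inside single quotes, and the deployment later sources that file, so a password containing `'` would end the quoting and the rest of the value would be interpreted by the shell. Nothing restricts the file mode; adding `chmod 600 {{ .Values.credsPath }}/.ci;` before the `chown` would keep the passwords readable only by the owning uid (presumably the `uid: 100` the container runs as). The `chown -R` targets `$(dirname {{ .Values.credsPath }})`, the parent of the credentials directory, which is wider than the files written here. Separately, the new `certStores` block ships `Pol1cy_0nap` as the default for both store passwords, so `passwordPolicy: required` is satisfied by a published value unless the deployer overrides it; a comment such as `# lab default - override or set keyStorePasswordExternalSecret` would make that explicit.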
--- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -18,18 +18,18 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index c10d636a5d..27358908e2 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -22,18 +22,18 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 6f501b8c21..195b087ff1 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -29,6 +29,8 @@ spring: driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" + hikari: + maximumPoolSize: 20 jpa: properties: hibernate: 
@@ -38,6 +40,20 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy +{{- if .Values.config.useStrimziKafka }} + kafka: + bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 + security.protocol: SASL_PLAINTEXT + properties.sasl: + mechanism: SCRAM-SHA-512 + jaas.config: ${JAASLOGIN} +{{ else }} +{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- end }} + +{{- if .Values.config.additional }} +{{ toYaml .Values.config.additional | nindent 2 }} +{{- end }} server: port: 6969 diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index c33b80f4af..6f02f8e4c0 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -65,6 +65,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} +{{- if .Values.config.useStrimziKafka }} + - name: JAASLOGIN + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} +{{- end }} volumeMounts: - mountPath: /config-input name: papconfig diff --git a/kubernetes/policy/components/policy-pap/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-pap/templates/serviceMonitor.yaml index dbf6a7cd6a..8284c73ed1 100644 --- a/kubernetes/policy/components/policy-pap/templates/serviceMonitor.yaml +++ b/kubernetes/policy/components/policy-pap/templates/serviceMonitor.yaml 
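Review bot: The Strimzi branch sets `security.protocol: SASL_PLAINTEXT` against port 9092, so SCRAM-SHA-512 authenticates the client but the policy messages themselves cross the cluster network unencrypted. If the Strimzi cluster exposes a TLS listener, `security.protocol: SASL_SSL` with the matching port and a truststore would be the safer default. If encryption is deliberately delegated elsewhere (a service mesh, for example), a comment above the `kafka:` block such as `# transport encryption is provided by <mechanism>; SASL only authenticates` would document that decision.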
@@ -18,6 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if .Values.prometheus.enabled }} +{{- if .Values.global.prometheusEnabled }} {{ include "common.serviceMonitor" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 311653b860..2c240d2347 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -64,6 +64,13 @@ secrets: externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' password: '{{ .Values.certStores.trustStorePassword }}' passwordPolicy: required + - uid: policy-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate certStores: keyStorePassword: Pol1cy_0nap @@ -92,7 +99,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.6.1 +image: onap/policy-pap:2.6.3 pullPolicy: Always # flag to enable debugging - application support required @@ -181,9 +188,6 @@ serviceAccount: roles: - read -prometheus: - enabled: true - metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. 
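Review bot: The new `policy-kafka-user` secret takes its `sasl.jaas.config` value from `{{ .Values.config.someConfig }}`, a key that the `config:` block added to this same file does not define, and the name reads like a leftover placeholder. When `jaasConfExternalSecret` is not supplied, `JAASLOGIN` would presumably render empty and the SCRAM login would fail at runtime rather than at template time. Either name the real value key or add a comment such as `# only used when jaasConfExternalSecret is unset; normally supplied by the Strimzi KafkaUser secret`. This entry also uses `policy: generate` where the neighbouring entries use `passwordPolicy:`; it is worth confirming which key the common secret template reads.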
@@ -199,3 +203,26 @@ metrics: externalSecretNameSuffix: policy-pap-user-creds externalSecretUserKey: login externalSecretPasswordKey: password + +# application configuration +config: +# Event consumption (kafka) properties + useStrimziKafka: true + kafkaBootstrap: strimzi-kafka-bootstrap + kafka: + consumer: + groupId: poicy-group + app: + listener: + policyPdpPapTopic: policy-pdp-pap +# If targeting a custom kafka cluster, ie useStrimziKakfa: false +# uncomment below config and target your kafka bootstrap servers, +# along with any other security config. +# +# eventConsumption: +# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 +# spring.kafka.security.protocol: PLAINTEXT +# spring.kafka.consumer.group-id: policy-group +# +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index 01bb146cd9..faa9d79f42 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 10.0.0 +version: 11.0.0 dependencies: - name: common - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: certInitializer - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: repositoryGenerator - version: ~10.x-0 + version: ~11.x-0 repository: '@local' - name: serviceAccount - version: ~10.x-0 + version: ~11.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/serviceMonitor.yaml index dbf6a7cd6a..8284c73ed1 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/serviceMonitor.yaml 
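Review bot: `groupId: poicy-group` is misspelled; the parent chart's `KafkaUser` grants `Read` on the group named by `config.acRuntimeTopic.consumer.groupId` (`policy-group`), so with `authorization: simple` a consumer joining `poicy-group` would presumably be refused. It should read `groupId: policy-group`. The commented example also uses the key `eventConsumption`, while `papParameters.yaml` renders `.Values.config.eventPublisher` in its non-Strimzi branch, and the comment spells the flag `useStrimziKakfa`; aligning both avoids an override that silently does nothing.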
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/serviceMonitor.yaml @@ -18,6 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if .Values.prometheus.enabled }} +{{- if .Values.global.prometheusEnabled }} {{ include "common.serviceMonitor" . }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 308b5a78af..e7e7eebefe 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -83,7 +83,7 @@ certInitializer: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.6.2 +image: onap/policy-xacml-pdp:2.6.3 pullPolicy: Always # flag to enable debugging - application support required @@ -159,9 +159,6 @@ serviceAccount: roles: - read -prometheus: - enabled: true - metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh new file mode 100644 index 0000000000..f26a80fad7 --- /dev/null +++ b/kubernetes/policy/resources/config/db-pg.sh 
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021-2022 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+
+#psql() { /usr/bin/psql -h ${PG_HOST} -p ${PG_PORT} "$@"; };
+
+export PGPASSWORD=${PG_ADMIN_PASSWORD};
+
+psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER ${PG_USER} WITH PASSWORD '${PG_USER_PASSWORD}'"
+
+for db in migration pooling policyadmin policyclamp operationshistory clampacm
+do
+ psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};"
+ psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${PG_USER};"
+done
diff --git a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
new file mode 100644
index 0000000000..53921ab751
--- /dev/null
+++ b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
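Review bot: Both database passwords end up in the job log from `db-pg.sh`: `job.yaml` starts this script with `/bin/sh -x`, so the trace prints the expanded `export PGPASSWORD=...` line and the `CREATE USER ... WITH PASSWORD '...'` command. The password is also spliced into the SQL text unescaped, so a value containing `'` breaks the statement, and every `${...}` expansion in the script is unquoted. Turning the trace off before the credentials are touched and feeding the statement on stdin with psql variables (which are not interpolated inside `--command` strings) addresses both. Note that `:"pg_user"` quotes the identifier and therefore preserves its case, unlike the bare `${PG_USER}`.

```shell
# `sh -x` in job.yaml would otherwise echo the passwords into the pod log
set +x
export PGPASSWORD="${PG_ADMIN_PASSWORD}"

psql -h "${PG_HOST}" -p "${PG_PORT}" -U postgres -v ON_ERROR_STOP=1 \
  -v pg_user="${PG_USER}" -v pg_pass="${PG_USER_PASSWORD}" <<'SQL'
CREATE USER :"pg_user" WITH PASSWORD :'pg_pass';
SQL
# … unchanged: CREATE DATABASE / GRANT loop over the six databases …
```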
@@ -0,0 +1,21 @@
+#!/bin/sh
+{{/*
+# Copyright (C) 2022 Nordix Foundation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}
+/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o upgrade
+rc=$?
+/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o report
+exit $rc
diff --git a/kubernetes/policy/templates/configmap.yaml b/kubernetes/policy/templates/configmap.yaml
index 17558f86ea..c8b01ccb81 100755
--- a/kubernetes/policy/templates/configmap.yaml
+++ b/kubernetes/policy/templates/configmap.yaml
@@ -1,7 +1,7 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
 # Modifications Copyright © 2018, 2020 AT&T Intellectual Property
-# Modifications Copyright (C) 2021 Nordix Foundation.
+# Modifications Copyright (C) 2021-2022 Nordix Foundation.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml
index d59b5fe770..9fea669c37 100755
--- a/kubernetes/policy/templates/job.yaml
+++ b/kubernetes/policy/templates/job.yaml
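Review bot: The exit status of `prepare_upgrade.sh` in `db_migrator_pg_policy_init.sh` is discarded, because `rc` only captures the `-o upgrade` call, so the job can report success after the preparation step failed. Appending `|| exit $?` to `/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}` fails early while still running the report step after a real upgrade attempt. `${SQL_DB}` is unquoted on all three lines; `"${SQL_DB}"` avoids word splitting if the schema name ever comes from an override.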
@@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright (C) 2022 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,9 +33,9 @@ spec: spec: imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: + initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }} #This container checks that all galera instances are up before initializing it. - - name: {{ include "common.name" . }}-readiness + - name: {{ include "common.name" . }}-mariadb-readiness image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: 
@@ -71,6 +71,33 @@ spec: value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" resources: {{ include "common.resources" . }} + {{ if .Values.global.postgres.localCluster }} + - name: {{ include "common.release" . }}-policy-pg-config + image: {{ .Values.repository }}/{{ .Values.postgresImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /docker-entrypoint-initdb.d/db-pg.sh + name: {{ include "common.fullname" . }}-config + subPath: db-pg.sh + command: + - /bin/sh + args: + - -x + - /docker-entrypoint-initdb.d/db-pg.sh + env: + - name: PG_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }} + - name: PG_HOST + value: "{{ .Values.postgres.service.name2 }}" + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + - name: PG_USER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + - name: PG_PORT + value: "{{ .Values.postgres.service.internalPort }}" + resources: +{{ include "common.resources" . }} + {{ end }} containers: - name: {{ include "common.release" . }}-policy-galera-db-migrator image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} 
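Review bot: The `policy-pg-config` init container builds its image from `{{ .Values.repository }}/{{ .Values.postgresImage }}`, while the other containers in this job go through the `repositoryGenerator` helpers; neither `repository` nor `postgresImage` is set in the `values.yaml` hunks visible in this commit, so the reference may render without a registry or image name. Resolving the registry through the same helper family and defining `postgresImage` with a pinned tag would keep the image source under the chart's registry override. `PG_HOST` and `PG_PORT` read `.Values.postgres.service.name2` and `.Values.postgres.service.internalPort`, whereas the new defaults are added under `global.postgres.service` and show no `internalPort`; it is worth confirming these resolve when `localCluster` is enabled.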
@@ -95,8 +122,41 @@ spec: value: {{ .Values.dbmigrator.schema }} - name: POLICY_HOME value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "sql" resources: {{ include "common.resources" . }} + {{ if .Values.global.postgres.localCluster }} + - name: {{ include "common.release" . }}-policy-pg-db-migrator + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_pg_policy_init.sh + command: + - /bin/sh + args: + - -x + - /dbcmd-config/db_migrator_pg_policy_init.sh + env: + - name: SQL_HOST + value: "{{ .Values.postgres.service.name2 }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schema }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "postgres" + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + resources: +{{ include "common.resources" . }} + {{ end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: @@ -108,3 +168,8 @@ spec: path: db.sh - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh + - key: db-pg.sh + path: db-pg.sh + - key: db_migrator_pg_policy_init.sh + path: db_migrator_pg_policy_init.sh + diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml new file mode 100644 index 0000000000..1894d62a42 --- /dev/null 
+++ b/kubernetes/policy/templates/policy-kafka-topics.yaml 
@@ -0,0 +1,64 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.config.useStrimziKafka }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.config.acRuntimeTopic.name }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: {{ .Values.config.acRuntimeTopic.partitions }} + config: + retention.ms: {{ .Values.config.acRuntimeTopic.retentionMs }} + segment.bytes: {{ .Values.config.acRuntimeTopic.segmentBytes }} +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.config.policyPdpPapTopic.name }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: {{ .Values.config.policyPdpPapTopic.partitions }} + config: + retention.ms: {{ .Values.config.policyPdpPapTopic.retentionMs }} + segment.bytes: {{ .Values.config.policyPdpPapTopic.segmentBytes }} +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.config.policyHeartbeatTopic.name }} + labels: + strimzi.io/cluster: {{ include "common.release" . 
}}-strimzi +spec: + partitions: {{ .Values.config.policyHeartbeatTopic.partitions }} + config: + retention.ms: {{ .Values.config.policyHeartbeatTopic.retentionMs }} + segment.bytes: {{ .Values.config.policyHeartbeatTopic.segmentBytes }} +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.config.policyNotificationTopic.name }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: {{ .Values.config.policyNotificationTopic.partitions }} + config: + retention.ms: {{ .Values.config.policyNotificationTopic.retentionMs }} + segment.bytes: {{ .Values.config.policyNotificationTopic.segmentBytes }} +{{- end }} diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml new file mode 100644 index 0000000000..1bc7ab1d3a --- /dev/null +++ b/kubernetes/policy/templates/policy-kafka-user.yaml 
@@ -0,0 +1,41 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.config.useStrimziKafka }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }} + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: group + name: {{ .Values.config.acRuntimeTopic.consumer.groupId }} + operation: Read + - resource: + type: topic + name: {{ .Values.config.acRuntimeTopic.name }} + operation: Read + - resource: + type: topic + name: {{ .Values.config.acRuntimeTopic.name }} + operation: Write +{{- end }} diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 759ba56b02..d7d556a39f 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -27,6 +27,17 @@ global: service: &mariadbService name: &policy-mariadb policy-mariadb internalPort: 3306 + prometheusEnabled: false + postgres: + localCluster: false + service: + name: pgset + name2: tcp-pgset-primary + name3: tcp-pgset-replica + container: + name: postgres + kafkaBootstrap: strimzi-kafka-bootstrap + policyKafkaUser: policy-kafka-user ################################################################# # Secrets metaconfig 
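Review bot: The ACL list grants this user `Read`/`Write` only on `config.acRuntimeTopic.name`, yet `values.yaml` hands the same `KafkaUser` secret to every policy component through `jaasConfExternalSecret`, and policy-pap is configured for the `policy-pdp-pap` topic. With `authorization: simple`, access to `policyPdpPapTopic`, `policyHeartbeatTopic` and `policyNotificationTopic` would presumably be denied until matching `resource`/`operation` entries are added for them. Sharing one SCRAM credential across all components also means each of them can read and write the ac-runtime topic; per-component `KafkaUser` resources carrying only the operations each one needs would follow least privilege more closely.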
@@ -66,6 +77,19 @@ secrets: login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName 
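Review bot: `pg-root-pass` sets `policy: generate` while `pg-user-creds` directly below sets `passwordPolicy: generate`; if the common secret template only reads `passwordPolicy`, the first key is silently ignored. Using `passwordPolicy: generate` on both entries makes the intent explicit. Both entries read `.Values.postgres.config.*`, which is not defined in the hunks visible here (the new postgres defaults are added under `global.postgres`), so it is worth confirming those values resolve when `localCluster` is enabled.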
@@ -75,47 +99,71 @@ policy-api:
 db: *dbSecretsHook
 restServer:
 apiUserExternalSecret: *policyApiCredsSecret
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-pap:
 enabled: true
 db: *dbSecretsHook
 restServer:
 papUserExternalSecret: *policyPapCredsSecret
 apiUserExternalSecret: *policyApiCredsSecret
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-xacml-pdp:
 enabled: true
 db: *dbSecretsHook
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-apex-pdp:
 enabled: true
 db: *dbSecretsHook
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-drools-pdp:
 enabled: true
 db: *dbSecretsHook
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-distribution:
 enabled: true
 db: *dbSecretsHook
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-clamp-be:
 enabled: true
 db: *dbSecretsHook
 config:
 appUserExternalSecret: *policyAppCredsSecret
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-clamp-ac-k8s-ppnt:
 enabled: true
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-clamp-ac-pf-ppnt:
 enabled: true
 restServer:
 apiUserExternalSecret: *policyApiCredsSecret
 papUserExternalSecret: *policyPapCredsSecret
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-clamp-ac-http-ppnt:
 enabled: true
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-nexus:
 enabled: false
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-clamp-runtime-acm:
 enabled: true
 db: *dbSecretsHook
 config:
 appUserExternalSecret: *policyAppCredsSecret
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-gui:
 enabled: true
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 #################################################################
 # DB configuration defaults.
@@ -128,7 +176,7 @@ mariadb:
 image: mariadb:10.5.8
 dbmigrator:
- image: onap/policy-db-migrator:2.4.1
+ image: onap/policy-db-migrator:2.4.3
 schema: policyadmin
 policy_home: "/opt/app/policy"
@@ -160,6 +208,35 @@ readiness:
 config:
 policyAppUserName: runtimeUser
+ useStrimziKafka: true
+ acRuntimeTopic:
+ name: policy-acruntime-participant
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
+ policyPdpPapTopic:
+ name: policy-pdp-pap
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
+ policyHeartbeatTopic:
+ name: policy-heartbeat
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
+ policyNotificationTopic:
+ name: policy-notification
+ partitions: 10
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ consumer:
+ groupId: policy-group
 mariadb-galera:
 # mariadb-galera.config and global.mariadb.config must be equals
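Review bot: In the `@@ -75,47 +99,71 @@` hunk the same `jaasConfExternalSecret` template string is pasted into thirteen sub-chart blocks, including `policy-gui` and the disabled `policy-nexus`, so every component receives the one Kafka credential whether or not it has a Kafka client. Define the value once with an anchor, as this file already does for `*policyApiCredsSecret`, e.g. `jaasConfExternalSecret: &policyKafkaCredsSecret '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'` at first use and `jaasConfExternalSecret: *policyKafkaCredsSecret` afterwards (the anchor name is a suggestion). Then drop the key from charts that do not talk to Kafka, which keeps the secret out of pods that have no use for it. A short comment at the first occurrence saying that the name must match the KafkaUser resource's `metadata.name` would explain why the string is built this way.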
@@ -180,6 +257,31 @@ mariadb-galera:
 serviceAccount:
 nameOverride: *policy-mariadb
+postgresImage: library/postgres:latest
+# application configuration override for postgres
+postgres:
+ nameOverride: &postgresName policy-postgres
+ service:
+ name: *postgresName
+ name2: policy-pg-primary
+ name3: policy-pg-replica
+ container:
+ name:
+ primary: policy-pg-primary
+ replica: policy-pg-replica
+ persistence:
+ mountSubPath: policy/postgres/data
+ mountInitPath: policy
+ config:
+ pgUserName: policy_user
+ pgDatabase: policyadmin
+ pgUserExternalSecret: *pgUserCredsSecretName
+ pgRootPasswordExternalSecret: *pgRootPassSecretName
+
+readinessCheck:
+ wait_for:
+ - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}'
+
 restServer:
 policyPapUserName: policyadmin
 policyPapUserPassword: zb!XztG34 |
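Review bot: `postgresImage: library/postgres:latest` uses a mutable tag, so two installs of the same chart version can run different PostgreSQL builds and a replaced upstream image reaches the database pod without review. The other images in this file are pinned (`mariadb:10.5.8`, `onap/policy-db-migrator:2.4.3`); pin this one the same way, ideally by digest, e.g. `postgresImage: library/postgres:<pinned-version>`. Separately, the unchanged context line for `policyPapUserPassword` keeps a literal default password in values.yaml; it is not part of this change, but moving it to a generated or externally supplied secret, as the new `pg-*` entries do, would be consistent.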