diff options
Diffstat (limited to 'kubernetes/policy')
106 files changed, 1399 insertions, 1516 deletions
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index b305ef48e1..9b631c7af5 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,8 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022, 2023, 2024 Nordix Foundation +# Modifications Copyright © 2021-2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 14.0.0 +version: 14.0.5 dependencies: - name: common @@ -27,7 +28,7 @@ dependencies: - name: mariadb-galera version: ~13.x-0 repository: '@local' - condition: global.mariadbGalera.localCluster + condition: global.mariadbGalera.useInPolicy,global.mariadbGalera.localCluster - name: policy-nexus version: ~14.x-0 repository: 'file://components/policy-nexus' @@ -80,10 +81,6 @@ dependencies: version: ~14.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - - name: policy-gui - version: ~14.x-0 - repository: 'file://components/policy-gui' - condition: policy-gui.enabled - name: repositoryGenerator version: ~13.x-0 repository: '@local' @@ -96,4 +93,4 @@ dependencies: - name: postgres version: ~13.x-0 repository: '@local' - condition: global.postgres.localCluster + condition: global.postgres.useInPolicy,global.postgres.localCluster diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index 2318a592eb..4ec4725860 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -34,6 +34,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 3a38b88d56..441955f1ed 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -30,23 +30,17 @@ "useHttps": false, "fetchTimeout": 15000, "servers": [ "${KAFKA_URL}" ], -{{ if .Values.global.useStrimziKafkaPf }} "topicCommInfrastructure": "kafka", "additionalProps": { "group.id" : "${GROUP_ID}", "security.protocol": "SASL_PLAINTEXT", "sasl.mechanism": "${SASL}", "sasl.jaas.config": "${JAASLOGIN}" - } -{{ else }} - "topicCommInfrastructure": "dmaap" -{{ end }} - }], + }}], "topicSinks" : [{ "topic": "${PAP_TOPIC}", "useHttps": false, "servers": [ "${KAFKA_URL}" ], -{{ if .Values.global.useStrimziKafkaPf }} "topicCommInfrastructure": "kafka", "additionalProps": { "group.id" : "${GROUP_ID}", @@ -54,9 +48,6 @@ "sasl.mechanism": "${SASL}", "sasl.jaas.config": "${JAASLOGIN}" } -{{ else }} - "topicCommInfrastructure": "dmaap" -{{ end }} }] } } diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml index daed724cbd..3b25dc55a3 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml @@ -3,7 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2022 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,46 +30,31 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafkaPf }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: ["/bin/sh", "-cx"] -{{- if .Values.global.useStrimziKafkaPf }} args: - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done -{{ else }} - args: - - cd /config-input && for PFILE in `ls -1`; - do envsubst <${PFILE} >/config/${PFILE}; done -{{ end }} env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafkaPf }} - name: JAASLOGIN valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config - name: KAFKA_URL - value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} - name: SASL value: {{ .Values.kafkaUser.authenticationType | upper }} - name: GROUP_ID value: {{ .Values.config.kafka.consumer.groupId }} - name: PAP_TOPIC value: {{ .Values.config.app.listener.policyPdpPapTopic }} -{{ else }} - - name: KAFKA_URL - value: message-router - - name: PAP_TOPIC - value: {{ .Values.config.app.listener.policyPdpPapTopic | upper }} -{{- end }} volumeMounts: - mountPath: /config-input name: apexconfig-input @@ -78,8 +63,10 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config + {{ include "common.containerSecurityContext" . | indent 8 | trim }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: [ "/bin/sh", "-cx" ] @@ -104,9 +91,6 @@ spec: - name: REPLICAS value: "{{ .Values.replicaCount }}" volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /var/log/onap name: policy-logs - mountPath: /home/apexuser/config @@ -122,11 +106,9 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: policy-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: apexconfig-input configMap: name: {{ include "common.fullname" . }}-configmap @@ -134,4 +116,5 @@ spec: - name: apexconfig emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml index d2fab9f535..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafkaPf }} {{ include "common.kafkauser" . }} -{{ end }} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index e01cb61176..0c83a55651 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright © 2022 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +25,6 @@ global: nodePortPrefix: 302 persistence: {} - useStrimziKafkaPf: set-via-parent-chart-global-value ################################################################# # Secrets metaconfig @@ -48,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:3.1.0 +image: onap/policy-apex-pdp:3.1.3 pullPolicy: Always # flag to enable debugging - application support required @@ -93,7 +92,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) @@ -115,12 +114,20 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + #Pods Service Account serviceAccount: nameOverride: policy-apex-pdp roles: - read +dirSizes: + logDir: + sizeLimit: 500Mi + metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. @@ -145,25 +152,13 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafkaPf: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: consumer: groupId: policy-apex app: listener: policyPdpPapTopic: policy-pdp-pap -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# -# Any new property can be added in the env by setting in overrides in the format mentioned below -# All the added properties must be in "key: value" format instead of yaml. + kafkaUser: authenticationType: scram-sha-512 acls: @@ -178,7 +173,3 @@ kafkaUser: type: topic patternType: prefix operations: [Create, Describe, Read, Write] - -readinessCheck: - wait_for: - - message-router diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index 32c22cbe6c..f5c876646b 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 14.0.0 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index 4e73dc0b5b..c39a27bdeb 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. # Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,7 +32,7 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml index 9ab25fe2ac..6bb96fc1e5 100755 --- a/kubernetes/policy/components/policy-api/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml @@ -37,4 +37,4 @@ binaryData: {{- end }} {{- end }} data: -{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }}
\ No newline at end of file +{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index ccb1e1971b..f89945f90e 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -1,3 +1,23 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2024 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -7,15 +27,16 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py args: - --job-name -{{ if not .Values.global.postgres.localCluster }} - - {{ include "common.release" . }}-policy-galera-config +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config {{ else }} - - {{ include "common.release" . }}-policy-pg-config + - {{ include "common.release" . }}-policy-pg-migrator-config {{ end }} env: - name: NAMESPACE @@ -25,6 +46,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} name: {{ include "common.name" . }}-readiness resources: limits: @@ -54,9 +76,11 @@ spec: name: apiconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/api/bin/policy-api.sh"] @@ -85,9 +109,14 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/api/etc/logback.xml + subPath: logback.xml + name: apiconfig-processed - mountPath: /opt/app/policy/api/etc/mounted name: apiconfig-processed resources: {{ include "common.resources" . | nindent 12 }} @@ -101,9 +130,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: apiconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -111,4 +137,11 @@ spec: - name: apiconfig-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 530f021d85..902268f41a 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. -# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +26,9 @@ global: nodePortPrefix: 304 persistence: {} postgres: - localCluster: false + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig @@ -48,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:3.1.0 +image: onap/policy-api:3.1.3 pullPolicy: Always # flag to enable debugging - application support required @@ -77,7 +80,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 + initialDelaySeconds: 120 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -89,7 +92,7 @@ readiness: api: /policy/api/v1/healthcheck successThreshold: 1 failureThreshold: 3 - timeout: 60 + timeout: 120 service: type: ClusterIP @@ -125,6 +128,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-api diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml index 10baa90eba..a9d27d60a8 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022-2024 Nordix Foundation. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp A1PMS Participant name: policy-clamp-ac-a1pms-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -31,6 +32,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml index 34d267bc26..5bfa825e18 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml @@ -41,40 +41,28 @@ participant: useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: group.id: {{ (first .Values.kafkaUser.acls).name }} allow.auto.create.topics: false security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} topicSinks: - useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} participantSupportedElementTypes: - typeName: org.onap.policy.clamp.acm.A1PMSAutomationCompositionElement @@ -93,5 +81,3 @@ server: context-path: /onap/policy/clamp/acm/a1pmsparticipant ssl: enabled: false - - diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml index 4ed282ade4..b9eb83b3c5 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2022-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,10 +28,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafka }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - sh args: @@ -41,13 +40,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafka }} - name: SASL_JAAS_CONFIG valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config -{{- end }} volumeMounts: - mountPath: /config-input name: ac-a1pms-ppnt-config @@ -55,9 +52,11 @@ spec: name: ac-a1pms-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"] @@ -78,11 +77,16 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-a1pms-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-a1pms-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -94,9 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: ac-a1pms-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -104,4 +105,11 @@ spec: - name: ac-a1pms-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml index 92184b8e85..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafka }} {{ include "common.kafkauser" . }} -{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml index 19f522a71e..66aadf12c7 100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml @@ -1,21 +1,21 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index ac74011463..a23e732c8b 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,8 +22,6 @@ ################################################################# global: persistence: {} - #Strimzi Kafka properties - useStrimziKafka: set-via-parent-chart-global-value kafkaTopics: acRuntimeTopic: name: &acRuntimeTopic policy.clamp-runtime-acm @@ -42,7 +41,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-a1pms-ppnt:7.1.0 +image: onap/policy-clamp-ac-a1pms-ppnt:7.1.3 pullPolicy: Always componentName: &componentName policy-clamp-ac-a1pms-ppnt @@ -77,7 +76,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read # probe configuration parameters liveness: @@ -117,6 +116,17 @@ resources: cpu: "1" memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -140,7 +150,3 @@ kafkaUser: - name: *acRuntimeTopic type: topic operations: [Read, Write] - -readinessCheck: - wait_for: - - message-router
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index abdd038607..979aa4f598 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -31,6 +32,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index 6cc45cc5c6..d447360dd9 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -41,40 +41,28 @@ participant: useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: group.id: {{ (first .Values.kafkaUser.acls).name }} allow.auto.create.topics: false security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} topicSinks: - useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} participantSupportedElementTypes: - typeName: org.onap.policy.clamp.acm.HttpAutomationCompositionElement @@ -92,4 +80,3 @@ server: context-path: /onap/httpparticipant ssl: enabled: false - diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml index 8d0d22901b..dd7db7acee 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,10 +28,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafka }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - sh args: @@ -41,13 +40,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafka }} - name: SASL_JAAS_CONFIG valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config -{{- end }} volumeMounts: - mountPath: /config-input name: ac-http-ppnt-config @@ -55,9 +52,11 @@ spec: name: ac-http-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/http-participant.sh"] @@ -78,11 +77,16 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-http-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-http-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -94,9 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: ac-http-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -104,4 +105,11 @@ spec: - name: ac-http-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml index 92184b8e85..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafka }} {{ include "common.kafkauser" . }} -{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml index e676ff13d7..be2449f890 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml @@ -1,21 +1,21 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 419c2c02aa..8593a3d316 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,6 @@ global: persistence: {} #Strimzi Kafka properties - useStrimziKafka: set-via-parent-chart-global-value kafkaTopics: acRuntimeTopic: name: &acRuntimeTopic policy.clamp-runtime-acm @@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:7.1.0 +image: onap/policy-clamp-ac-http-ppnt:7.1.3 pullPolicy: Always componentName: &componentName policy-clamp-ac-http-ppnt @@ -67,7 +67,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read # probe configuration parameters liveness: @@ -107,6 +107,17 @@ resources: cpu: "1" memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -130,7 +141,3 @@ kafkaUser: - name: *acRuntimeTopic type: topic operations: [Read, Write] - -readinessCheck: - wait_for: - - message-router
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index f6aade83b7..5a1cb6e80b 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2021 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -33,6 +34,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index 761f19c5e3..14deab557b 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml @@ -43,40 +43,28 @@ participant: useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: group.id: {{ (first .Values.kafkaUser.acls).name }} allow.auto.create.topics: false security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} topicSinks: - useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} participantSupportedElementTypes: - typeName: org.onap.policy.clamp.acm.K8SMicroserviceAutomationCompositionElement diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index 8a6cf830ca..efd5a6cd53 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml @@ -33,4 +33,4 @@ data: {{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} {{ toYaml .Values.repoList | indent 4 }} {{- end }} -{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }}
\ No newline at end of file +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml index d69a85824e..a97ab22577 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,10 +28,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafka }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - sh args: @@ -41,13 +40,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafka }} - name: SASL_JAAS_CONFIG valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config -{{- end }} volumeMounts: - mountPath: /config-input name: ac-k8s-ppnt-config @@ -55,9 +52,11 @@ spec: name: ac-k8s-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"] @@ -78,11 +77,16 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-k8s-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-k8s-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -94,9 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: ac-k8s-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -104,4 +105,11 @@ spec: - name: ac-k8s-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml index 92184b8e85..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafka }} {{ include "common.kafkauser" . }} -{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml index 2439223192..02a6292df7 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml @@ -36,4 +36,3 @@ subjects: - kind: ServiceAccount name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} namespace: {{ include "common.namespace" . }} - diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 5d82c83cc5..5e43b94965 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +24,6 @@ global: nodePortPrefixExt: 304 persistence: {} #Strimzi Kafka properties - useStrimziKafka: set-via-parent-chart-global-value kafkaTopics: acRuntimeTopic: name: &acRuntimeTopic policy.clamp-runtime-acm @@ -43,7 +43,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:7.1.0 +image: onap/policy-clamp-ac-k8s-ppnt:7.1.3 pullPolicy: Always componentName: &componentName policy-clamp-ac-k8s-ppnt @@ -89,7 +89,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read flavor: small resources: @@ -109,6 +109,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -146,7 +156,3 @@ kafkaUser: - name: *acRuntimeTopic type: topic operations: [Read, Write] - -readinessCheck: - wait_for: - - message-router diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml index 281f3c86ed..863d07952f 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Kserve Participant name: policy-clamp-ac-kserve-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -31,6 +32,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local'
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml index af9d46a807..6613235050 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml @@ -48,40 +48,28 @@ participant: useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: group.id: {{ (first .Values.kafkaUser.acls).name }} allow.auto.create.topics: false security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} topicSinks: - useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} participantSupportedElementTypes: - typeName: org.onap.policy.clamp.acm.KserveAutomationCompositionElement @@ -108,5 +96,3 @@ server: context-path: /onap/policy/clamp/acm/kserveparticipant ssl: enabled: false - - diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml index f5ecd27ee1..3d1f4f8ca3 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,10 +28,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafka }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - sh args: @@ -41,13 +40,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafka }} - name: SASL_JAAS_CONFIG valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config -{{- end }} volumeMounts: - mountPath: /config-input name: ac-kserve-ppnt-config @@ -55,9 +52,11 @@ spec: name: ac-kserve-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"] @@ -78,11 +77,16 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-kserve-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-kserve-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -94,9 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: ac-kserve-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -104,4 +105,11 @@ spec: - name: ac-kserve-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml index 16a3f72049..6fc37c3d01 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml @@ -1,18 +1,16 @@ -{{/*
-# Copyright © 2023 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{ if .Values.global.useStrimziKafka }}
-{{ include "common.kafkauser" . }}
-{{ end }}
\ No newline at end of file +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml index ac5ee0b72f..073ffe9618 100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml @@ -1,38 +1,38 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2023 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
- namespace: {{ include "common.namespace" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + namespace: {{ include "common.namespace" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index a432fff142..6f9868bc0d 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,6 @@ global: persistence: {} #Strimzi Kafka properties - useStrimziKafka: set-via-parent-chart-global-value kafkaTopics: acRuntimeTopic: name: &acRuntimeTopic policy.clamp-runtime-acm @@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-kserve-ppnt:7.1.0 +image: onap/policy-clamp-ac-kserve-ppnt:7.1.3 pullPolicy: Always componentName: &componentName policy-clamp-ac-kserve-ppnt @@ -67,7 +67,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read # probe configuration parameters liveness: @@ -107,6 +107,17 @@ resources: cpu: "1" memory: "1.4Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -129,7 +140,3 @@ kafkaUser: - name: *acRuntimeTopic type: topic operations: [Read, Write] - -readinessCheck: - wait_for: - - message-router
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index 05b3f2e61e..4460c18fcd 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 14.0.0 +version: 14.0.1 dependencies: - name: common @@ -31,6 +32,3 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index f4c26e430a..729a455d07 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -59,40 +59,28 @@ participant: useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: group.id: {{ (first .Values.kafkaUser.acls).name }} allow.auto.create.topics: false security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} topicSinks: - useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} participantSupportedElementTypes: - typeName: org.onap.policy.clamp.acm.PolicyAutomationCompositionElement @@ -110,4 +98,3 @@ server: context-path: /onap/policyparticipant ssl: enabled: false - diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml index 5786fcfabd..c29dca9c7d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,10 +28,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafka }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - sh args: @@ -49,13 +48,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafka }} - name: SASL_JAAS_CONFIG valueFrom: secretKeyRef: name: {{ include "common.name" . }}-ku key: sasl.jaas.config -{{- end }} volumeMounts: - mountPath: /config-input name: ac-pf-ppnt-config @@ -63,9 +60,11 @@ spec: name: ac-pf-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/policy-participant.sh"] @@ -86,11 +85,16 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-pf-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-pf-ppnt-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -102,9 +106,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: ac-pf-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -112,4 +113,11 @@ spec: - name: ac-pf-ppnt-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml index 92184b8e85..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafka }} {{ include "common.kafkauser" . }} -{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml index e676ff13d7..be2449f890 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml @@ -1,21 +1,21 @@ -{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index c867891b78..97bebd00d2 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,6 @@ global: persistence: {} #Strimzi Kafka properties - useStrimziKafka: set-via-parent-chart-global-value kafkaTopics: acRuntimeTopic: name: &acRuntimeTopic policy.clamp-runtime-acm @@ -54,7 +54,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:7.1.0 +image: onap/policy-clamp-ac-pf-ppnt:7.1.3 pullPolicy: Always componentName: &componentName policy-clamp-ac-pf-ppnt @@ -87,7 +87,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read # probe configuration parameters liveness: @@ -128,6 +128,17 @@ resources: cpu: "1" memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName @@ -151,7 +162,3 @@ kafkaUser: - name: *acRuntimeTopic type: topic operations: [Read, Write] - -readinessCheck: - wait_for: - - message-router diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 4f929628c7..ef9a7494ec 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2021-2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 14.0.0 +version: 14.0.2 dependencies: - name: common @@ -32,7 +33,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 96cb265567..2e09397806 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,8 +25,13 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/clampacm + {{ if .Values.global.mariadbGalera.useInPolicy }} + url: jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/clampacm driverClassName: org.mariadb.jdbc.Driver + {{ else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm + driverClassName: org.postgresql.Driver + {{ end }} username: ${SQL_USER} password: ${SQL_PASSWORD} hikari: @@ -42,7 +47,11 @@ spring: implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy properties: hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect + {{ if .Values.global.mariadbGalera.useInPolicy }} + dialect: org.hibernate.dialect.MariaDBDialect + {{ else }} + dialect: org.hibernate.dialect.PostgreSQLDialect + {{ end }} format_sql: true metrics: @@ -75,40 +84,28 @@ runtime: useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: group.id: {{ (first .Values.kafkaUser.acls).name }} allow.auto.create.topics: false security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} topicSinks: - useHttps: false fetchTimeout: 15000 topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} - {{ if .Values.global.useStrimziKafka }} topicCommInfrastructure: kafka servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} additionalProps: client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${SASL_JAAS_CONFIG} - {{ else }} - topicCommInfrastructure: dmaap - servers: - - ${topicServer:message-router} - {{ end }} acmParameters: toscaElementName: {{ .Values.customNaming.toscaElementName }} toscaCompositionName: {{ .Values.customNaming.toscaCompositionName }} @@ -117,4 +114,4 @@ management: endpoints: web: exposure: - include: health, metrics, prometheus + include: health, metrics, prometheus
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index be8c35aaea..5a206b996e 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,15 +28,17 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafka }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - - /app/ready.py + - /app/ready.py args: - - --job-name - - {{ include "common.release" . }}-policy-galera-config + - --job-name +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -44,7 +47,8 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-galera-config-readiness + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-db-config-readiness resources: limits: cpu: "100m" @@ -63,7 +67,7 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: RUNTIME_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} - name: RUNTIME_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} {{- if .Values.global.useStrimziKafka }} @@ -80,9 +84,11 @@ spec: name: ac-runtime-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"] @@ -103,25 +109,39 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/policy/clamp/etc/mounted - name: ac-runtime-config-processed + - mountPath: /etc/localtime + name: localtime + readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-runtime-config-processed + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-runtime-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: - path: /etc/localtime + path: /etc/localtime + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: ac-runtime-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -129,4 +149,5 @@ spec: - name: ac-runtime-config-processed emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml index 92184b8e85..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafka }} {{ include "common.kafkauser" . }} -{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 34cceeded2..eb974d6ed2 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,8 +23,11 @@ global: nodePortPrefixExt: 304 persistence: {} + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true #Strimzi Kafka properties - useStrimziKafka: set-via-parent-chart-global-value kafkaTopics: acRuntimeTopic: name: &acRuntimeTopic policy.clamp-runtime-acm @@ -49,7 +53,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:7.1.0 +image: onap/policy-clamp-runtime-acm:7.1.3 pullPolicy: Always componentName: &componentName policy-clamp-runtime-acm @@ -85,8 +89,10 @@ db: user: policy-user password: policy_user service: - name: policy-mariadb - internalPort: 3306 + mariadbName: policy-mariadb + mariadbPort: 3306 + pgName: policy-pg-primary + pgPort: 5432 # default number of instances replicaCount: 1 @@ -97,7 +103,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 + initialDelaySeconds: 120 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -122,8 +128,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read - - serviceAccount: policy-gui-read + - serviceAccount: strimzi-kafka-read flavor: small resources: @@ -143,20 +148,26 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: *componentName roles: - read -readinessCheck: - wait_for: - - message-router - wait_for_job_container: containers: - - '{{ include "common.release" . }}-policy-galera-config' + - '{{ include "common.release" . }}-galera-migrator-config' customNaming: toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement - toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition
\ No newline at end of file + toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index 3de47d06e9..b2d1cde724 100755 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 14.0.0 +version: 14.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml index f4b8ff7182..fe08271288 100755 --- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh @@ -57,9 +59,11 @@ spec: name: distributionconfig image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: @@ -86,9 +90,14 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/distribution/etc/logback.xml + subPath: logback.xml + name: distributionconfig - mountPath: /opt/app/policy/distribution/etc/mounted name: distributionconfig resources: {{ include "common.resources" . | nindent 12 }} @@ -102,9 +111,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: distributionconfig-input configMap: name: {{ include "common.fullname" . }}-configmap @@ -112,4 +118,11 @@ spec: - name: distributionconfig emptyDir: medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index fd2fe2e5df..f93dffe1ee 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -58,7 +59,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:3.1.0 +image: onap/policy-distribution:3.1.3 pullPolicy: Always # flag to enable debugging - application support required @@ -141,6 +142,16 @@ resources: memory: "1Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-distribution diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 63c4984ac9..25060ae593 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 14.0.0 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index cf3c54aab4..dc7f788405 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -2,6 +2,7 @@ # Copyright © 2017-2018 Amdocs, Bell Canada. # Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ # JVM options -JVM_OPTIONS={{.Values.server.jvmOpts}} +JVM_OPTIONS={{ .Values.server.jvmOpts | quote }} # SYSTEM software configuration @@ -40,11 +41,21 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access -SQL_HOST={{ .Values.db.name }} -SQL_PORT=3306 -JDBC_URL=jdbc:mariadb://{{ .Values.db.name }}:3306/ +{{ if .Values.global.mariadbGalera.useInPolicy }} +SQL_HOST={{ .Values.db.mariadbName }} +SQL_PORT={{ .Values.db.mariadbPort }} +JDBC_URL=jdbc:mariadb://{{ .Values.db.mariadbName }}:{{ .Values.db.mariadbPort }}/ JDBC_OPTS= +JDBC_DRIVER=org.mariadb.jdbc.Driver MYSQL_CMD= +{{ else }} +SQL_HOST={{ .Values.db.pgName }} +SQL_PORT={{ .Values.db.pgPort }} +JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/ +JDBC_OPTS= +JDBC_DRIVER=org.postgresql.Driver +MYSQL_CMD= +{{ end }} # Liveness LIVENESS_CONTROLLERS=* @@ -56,15 +67,15 @@ PROMETHEUS=true # PDP-D DMaaP configuration channel -PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION -PDPD_CONFIGURATION_SERVERS=message-router +PDPD_CONFIGURATION_TOPIC=pdpd_configuration +PDPD_CONFIGURATION_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} PDPD_CONFIGURATION_CONSUMER_GROUP= PDPD_CONFIGURATION_CONSUMER_INSTANCE= PDPD_CONFIGURATION_PARTITION_KEY= # PAP-PDP configuration channel -POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP +POLICY_PDP_PAP_TOPIC=policy-pdp-pap POLICY_PDP_PAP_GROUP=defaultGroup POLICY_PDP_PAP_POLICYTYPES=onap.policies.controlloop.operational.common.Drools @@ -85,14 +96,22 @@ GUARD_DISABLED=false # DCAE DMaaP -DCAE_TOPIC=unauthenticated.DCAE_CL_OUTPUT -DCAE_SERVERS=message-router +DCAE_TOPIC=unauthenticated.dcae_cl_output +DCAE_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} DCAE_CONSUMER_GROUP=dcae.policy.shared # Open DMaaP -DMAAP_SERVERS=message-router +KAFKA_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} +KAFKA_ADDITIONAL_PROPS="{ + \"group.id\": \"${GROUP_ID}\", + \"security.protocol\": \"SASL_PLAINTEXT\", + \"sasl.mechanism\": \"${SASL}\", + \"sasl.jaas.config\": \"${JAASLOGIN}\" + }" + DMAAP_HTTPS="false" +KAFKA_HTTPS="false" # AAI @@ -122,4 +141,4 @@ SDNC_CONTEXT_URI=restconf/operations/ # CDS CDS_GRPC_HOST={{.Values.cds.grpc.svcName}} -CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}} +CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties new file mode 100644 index 0000000000..d4577b577a --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties @@ -0,0 +1,37 @@ +### +# ============LICENSE_START======================================================= +# ONAP +# ================================================================================ +# Copyright (C) 2024 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + +#Database properties +{{ if .Values.global.mariadbGalera.useInPolicy }} +jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver +jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} +jakarta.persistence.jdbc.user=${envd:SQL_USER} +jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} +{{ else }} +jakarta.persistence.jdbc.driver=org.postgresql.Driver +jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} +jakarta.persistence.jdbc.user=${envd:SQL_USER} +jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} +{{ end }} + +# default property values are commented out +#distributed.locking.expire.check.seconds=900 +#distributed.locking.retry.seconds=60 +#distributed.locking.max.retries=2
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties new file mode 100644 index 0000000000..26e10122da --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties @@ -0,0 +1,41 @@ +# ============LICENSE_START======================================================= +# ONAP +# ================================================================================ +# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +lifecycle.pdp.group=${envd:POLICY_PDP_PAP_GROUP:defaultGroup} +lifecycle.pdp.type=${envd:POLICY_PDP_PAP_TYPE:drools} + +# Mandatory policy types that this PDP-D must support at a minimum +lifecycle.pdp.policytypes=${envd:POLICY_PDP_PAP_POLICYTYPES} + +kafka.source.topics=${envd:POLICY_PDP_PAP_TOPIC} +kafka.sink.topics=${envd:POLICY_PDP_PAP_TOPIC} + +kafka.source.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS} +kafka.source.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC} +kafka.source.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY} +kafka.source.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET} +kafka.source.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false} +kafka.source.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS} + +kafka.sink.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS} +kafka.sink.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC} +kafka.sink.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY} +kafka.sink.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET} +kafka.sink.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false} +kafka.sink.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS} diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf index 761e8afef8..c9277b69d3 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf @@ -1,6 +1,7 @@ {{/* # Copyright 2018-2019 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2018 Amdocs, Bell Canada. +# Modifications Copyright © 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,4 +16,4 @@ # limitations under the License. */}} -POOLING_TOPIC=POOLING +POOLING_TOPIC=policy-pdp-pooling diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml index 7158c0263f..1d571df8b7 100644 --- a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2023 Nordix Foundation +# Copyright © 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,5 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml index c7322b1f94..3f45b2f6e0 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml @@ -16,4 +16,3 @@ */}} {{ include "common.service" . }} - diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index 013732e2d2..a24476cc74 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -1,6 +1,8 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property +# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,12 +27,17 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-policy-galera-config +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -39,6 +46,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-db-readiness resources: limits: @@ -51,7 +59,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.nexus.name }} env: - name: NAMESPACE @@ -59,8 +67,17 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-readiness resources: limits: @@ -70,12 +87,43 @@ spec: cpu: "3m" memory: "20Mi" {{- end }} + - command: + - sh + args: + - -c + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done + env: + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + {{- if .Values.global.useStrimziKafka }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{- end }} + volumeMounts: + - mountPath: /config-input + name: drools-config + - mountPath: /config + name: drools-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["sh","-c"] - args: ["/opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] + args: + - ls /tmp/policy-install; + /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: @@ -102,30 +150,55 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} - - mountPath: /tmp/policy-install/config/{{ base $path }} - name: drools-secret - subPath: {{ base $path }} - {{- end }} - {{- range $path, $bytes := .Files.Glob "resources/configmaps/*" }} - - mountPath: /tmp/policy-install/config/{{ base $path }} + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/etc/profile.d/base.conf + subPath: base.conf + name: drools-config-processed + - mountPath: /opt/app/policy/etc/profile.d/credentials.conf + subPath: credentials.conf + name: drools-config-processed + - mountPath: /opt/app/policy/etc/profile.d/feature-pooling-messages.conf + subPath: feature-pooling-messages.conf + name: drools-config-processed + - mountPath: /opt/app/policy/config/feature-lifecycle.properties + subPath: feature-lifecycle.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/engine-system.properties + subPath: engine-system.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/feature-distributed-locking.properties + subPath: feature-distributed-locking.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/logback.xml + subPath: logback.xml name: drools-config - subPath: {{ base $path }} - {{- end }} + - mountPath: /opt/app/policy/config/settings.xml + subPath: settings.xml + name: drools-config-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: path: /etc/localtime + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: drools-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -135,6 +208,10 @@ spec: path: {{ base $path }} mode: 0755 {{- end }} + - name: drools-config-processed + emptyDir: + medium: Memory + sizeLimit: 64Mi - name: drools-secret secret: secretName: {{ include "common.fullname" . }}-secret diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 6e86b3e64a..f22d642e95 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -1,6 +1,8 @@ # Copyright © 2017 Amdocs # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property +# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +21,10 @@ ################################################################# global: nodePortPrefix: 302 - + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig ################################################################# @@ -41,7 +46,9 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:2.1.0 +# The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes +image: onap/policy-pdpd-cl:2.1.3 + pullPolicy: Always # flag to enable debugging - application support required @@ -83,10 +90,10 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read server: - jvmOpts: -server -XshowSettings:vm + jvmOpts: "-server -XshowSettings:vm" telemetry: user: demo@people.osaaf.org @@ -100,7 +107,10 @@ nexus: offline: true db: - name: policy-mariadb + mariadbName: policy-mariadb + pgName: policy-pg-primary + mariadbPort: 3306 + pgPort: 5432 user: policy-user password: policy_user @@ -171,6 +181,16 @@ resources: memory: "1.6Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-drools-pdp @@ -197,3 +217,68 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-drools-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-drools-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: a1-p-rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: a1-p + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-cl + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-lcm-read + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-lcm-write + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: dcae_cl_rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: unauthenticated.dcae_cl_output + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: dcae_topic + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: policy-cl-mgt + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: sdnr-cl-rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: sdnr-cl + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml deleted file mode 100644 index 28972b59b0..0000000000 --- a/kubernetes/policy/components/policy-gui/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP Policy GUI -name: policy-gui -version: 14.0.0 - -dependencies: - - name: repositoryGenerator - version: ~13.x-0 - repository: '@local' - - name: serviceAccount - version: ~13.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-gui/resources/config/application.yml b/kubernetes/policy/components/policy-gui/resources/config/application.yml deleted file mode 100644 index f81a1b452a..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/application.yml +++ /dev/null @@ -1,19 +0,0 @@ -server: - port: 2443 - ssl: - enabled: false - -clamp: - url: - disable-ssl-validation: true - disable-ssl-hostname-check: true - -apex-editor: - upload-url: - upload-userid: - -management: - endpoints: - web: - exposure: - include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml b/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 0b3951726b..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml +++ /dev/null @@ -1,59 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/policy/components/policy-gui/resources/config/logback.xml b/kubernetes/policy/components/policy-gui/resources/config/logback.xml deleted file mode 100644 index c20df8329d..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/logback.xml +++ /dev/null @@ -1,118 +0,0 @@ -<!-- - ============LICENSE_START======================================================= - policy-gui - ================================================================================ - Copyright (C) 2021-2022 Nordix Foundation. - ================================================================================ - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - ============LICENSE_END========================================================= - --> - -<configuration scan="true" scanPeriod="30 seconds" debug="false"> - <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> - <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> - <level>TRACE</level> - </filter> - <encoder> - <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - </pattern> - </encoder> - </appender> - - <appender name="ERROR" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${POLICY_LOGS}/error.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> - <fileNamePattern>${POLICY_LOGS}/error.%d{yyyy-MM-dd}.%i.log.zip - </fileNamePattern> - <maxFileSize>50MB</maxFileSize> - <maxHistory>30</maxHistory> - <totalSizeCap>10GB</totalSizeCap> - </rollingPolicy> - <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> - <level>TRACE</level> - </filter> - <encoder> - <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> - </encoder> - </appender> - - <appender name="asyncError" class="ch.qos.logback.classic.AsyncAppender"> - <appender-ref ref="ERROR" /> - </appender> - - <appender name="DEBUG" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${POLICY_LOGS}/debug.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> - <fileNamePattern>${POLICY_LOGS}/debug.%d{yyyy-MM-dd}.%i.log.zip - </fileNamePattern> - <maxFileSize>50MB</maxFileSize> - <maxHistory>30</maxHistory> - <totalSizeCap>10GB</totalSizeCap> - </rollingPolicy> - <encoder> - <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern> - </encoder> - </appender> - - <appender name="asyncDebug" class="ch.qos.logback.classic.AsyncAppender"> - <appender-ref ref="DEBUG" /> - </appender> - - <appender name="NETWORK" class="ch.qos.logback.core.rolling.RollingFileAppender"> - <file>${POLICY_LOGS}/network.log</file> - <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> - <fileNamePattern>${POLICY_LOGS}/network.%d{yyyy-MM-dd}.%i.log.zip - </fileNamePattern> - <maxFileSize>50MB</maxFileSize> - <maxHistory>30</maxHistory> - <totalSizeCap>10GB</totalSizeCap> - </rollingPolicy> - <encoder> - <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern> - </encoder> - </appender> - - <appender name="asyncNetwork" class="ch.qos.logback.classic.AsyncAppender"> - <appender-ref ref="NETWORK" /> - </appender> - - <logger name="network" level="TRACE" additivity="false"> - <appender-ref ref="asyncNetwork" /> - </logger> - - <logger name="org.apache" level="TRACE" additivity="false"> - <appender-ref ref="DEBUG" /> - </logger> - - <!-- Spring related loggers --> - <logger name="org.springframework" level="TRACE" additivity="false"> - <appender-ref ref="DEBUG" /> - </logger> - - <!-- GUI related loggers --> - <logger name="org.onap.policy.gui" level="TRACE" additivity="false"> - <appender-ref ref="ERROR" /> - <appender-ref ref="DEBUG" /> - </logger> - - <!-- logback internals logging --> - <logger name="ch.qos.logback.classic" level="INFO" /> - <logger name="ch.qos.logback.core" level="INFO" /> - - <root level="TRACE"> - <appender-ref ref="asyncDebug" /> - <appender-ref ref="asyncError" /> - <appender-ref ref="asyncNetwork" /> - <appender-ref ref="STDOUT" /> - </root> -</configuration> diff --git a/kubernetes/policy/components/policy-gui/templates/NOTES.txt b/kubernetes/policy/components/policy-gui/templates/NOTES.txt deleted file mode 100644 index e44f333e11..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/NOTES.txt +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit https://127.0.0.1:8443 to use your application" - kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/policy/components/policy-gui/templates/configmap.yaml b/kubernetes/policy/components/policy-gui/templates/configmap.yaml deleted file mode 100644 index 9426b0f54f..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/configmap.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*.{xml,yaml,yml}").AsConfig . | indent 2 }} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml deleted file mode 100644 index ff1ae9472c..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ /dev/null @@ -1,127 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: POLICY_LOGS - value: {{ .Values.log.path }} - volumeMounts: - - mountPath: /config-input - name: policy-gui-config - - mountPath: /config - name: policy-gui-config-processed - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - command: - - /app/ready.py - args: - - --container-name - - policy-clamp-runtime-acm - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - # side car containers - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} - # main container - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/opt/app/policy/gui/bin/policy-gui.sh"] - env: - - name: CLAMP_URL - value: http://policy-clamp-runtime-acm:6969 - ports: {{ include "common.containerPorts" . | nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: logs - mountPath: {{ .Values.log.path }} - - mountPath: /opt/app/policy/gui/etc/application.yml - name: policy-gui-config-processed - subPath: application.yml - - mountPath: /opt/app/policy/gui/etc/logback.xml - name: policy-gui-config-processed - subPath: logback.xml - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - - name: logs - emptyDir: {} - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} - - name: policy-gui-config - configMap: - name: {{ include "common.fullname" . }}-configmap - defaultMode: 0755 - - name: policy-gui-config-processed - emptyDir: - medium: Memory - {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-gui/templates/ingress.yaml b/kubernetes/policy/components/policy-gui/templates/ingress.yaml deleted file mode 100644 index e3dd7cb0f6..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/ingress.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.ingress" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/secrets.yaml b/kubernetes/policy/components/policy-gui/templates/secrets.yaml deleted file mode 100644 index 2af7fae2d9..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/secrets.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/service.yaml b/kubernetes/policy/components/policy-gui/templates/service.yaml deleted file mode 100644 index 36406228d5..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml deleted file mode 100644 index 3338d8f724..0000000000 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ /dev/null @@ -1,130 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 304 - centralizedLoggingEnabled: true - -subChartsOnly: - enabled: true - -flavor: small - -# application image -image: onap/policy-gui:3.1.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap/policy/gui - -################################################################# -# Application configuration defaults. -################################################################# -config: - log: - logstashServiceName: log-ls - logstashPort: 5044 - dataRootDir: /dockerdata-nfs - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - -service: - type: NodePort - name: policy-gui - internalPort: 2443 - ports: - - name: http - port: 2443 - nodePort: 43 - - # see https://wiki.onap.org/display/DW/OOM+NodePort+List - -ingress: - enabled: false - service: - - baseaddr: "policy-ui" - name: "policy-gui" - port: 2443 - config: - ssl: "redirect" - -serviceMesh: - authorizationPolicy: - authorizedPrincipals: - - serviceAccount: istio-ingress - namespace: istio-ingress - - #resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: "1" - memory: "700Mi" - requests: - cpu: "0.5" - memory: "700Mi" - large: - limits: - cpu: "2" - memory: "1.4Gi" - requests: - cpu: "1" - memory: "1.4Gi" - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: policy-gui - roles: - - read diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index 8d04647a75..dcb3c3ac72 100755 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018-2020 AT&T # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 14.0.0 +version: 14.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml index c56ed8d2b9..fe183cfa24 100755 --- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,16 +25,19 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: ["sh", "-c", "chown -R 200:200 /share"] image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-init volumeMounts: - mountPath: /share name: nexus-data containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: {{ include "common.containerPorts" . | nindent 12 }} @@ -51,9 +55,6 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /sonatype-work name: nexus-data resources: @@ -72,9 +73,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: nexus-data {{- if .Values.persistence.enabled }} persistentVolumeClaim: diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml index 6aee4ca230..8d13879023 100755 --- a/kubernetes/policy/components/policy-nexus/templates/service.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml @@ -15,4 +15,4 @@ # limitations under the License. */}} -{{ include "common.service" . }}
\ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index f10d55dcee..cc75a9fe15 100755 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -1,5 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,6 +21,10 @@ global: nodePortPrefix: 302 persistence: {} + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Application configuration defaults. @@ -97,6 +103,10 @@ resources: memory: "1Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + #Pods Service Account serviceAccount: nameOverride: policy-nexus diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 697aaa1575..2122e6fb3f 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -3,6 +3,7 @@ # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 14.0.0 +version: 14.0.2 dependencies: - name: common @@ -33,7 +34,4 @@ dependencies: repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 5496d93174..58dfc9f497 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,7 +26,7 @@ spring: converters: preferred-json-mapper: gson datasource: -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" @@ -34,9 +34,6 @@ spring: hikari: maximumPoolSize: 20 jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect hibernate: ddl-auto: none naming: @@ -58,10 +55,6 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - properties: - hibernate: - dialect: org.hibernate.dialect.PostgreSQLDialect - format_sql: true {{ end }} server: @@ -73,17 +66,10 @@ server: pap: name: PapGroup - aaf: false topic: - {{ if .Values.global.useStrimziKafkaPf }} pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} notification.name: {{ .Values.config.kafka.topics.policyNotification }} heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} - {{ else }} - pdp-pap.name: {{ .Values.dmaap.topics.policyPdpPap }} - notification.name: {{ .Values.dmaap.topics.policyNotification }} - heartbeat.name: {{ .Values.dmaap.topics.policyHeartbeat }} - {{ end }} pdpParameters: heartBeatMs: 120000 updateParameters: @@ -97,77 +83,49 @@ pap: topicSources: - useHttps: false fetchTimeout: 15000 - {{ if .Values.global.useStrimziKafkaPf }} topic: {{ .Values.config.kafka.topics.policyPdpPap }} servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} topicCommInfrastructure: kafka additionalProps: group.id : {{ .Values.config.kafka.consumer.groupId }} security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${JAASLOGIN} - {{ else }} - topic: {{ .Values.dmaap.topics.policyPdpPap }} - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - {{ end }} - useHttps: false fetchTimeout: 15000 - {{ if .Values.global.useStrimziKafkaPf }} topic: {{ .Values.config.kafka.topics.policyHeartbeat }} effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }} servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} topicCommInfrastructure: kafka additionalProps: group.id : {{ .Values.config.kafka.consumer.groupId }} security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${JAASLOGIN} - {{ else }} - topic: {{ .Values.dmaap.topics.policyHeartbeat }} - effectiveTopic: {{ .Values.dmaap.topics.policyPdpPap }} - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - {{ end }} topicSinks: - useHttps: false - {{ if .Values.global.useStrimziKafkaPf }} topic: {{ .Values.config.kafka.topics.policyPdpPap }} servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} topicCommInfrastructure: kafka additionalProps: group.id : {{ .Values.config.kafka.consumer.groupId }} security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${JAASLOGIN} - {{ else }} - topic: {{ .Values.dmaap.topics.policyPdpPap }} - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - {{ end }} - useHttps: false - {{ if .Values.global.useStrimziKafkaPf }} topic: {{ .Values.config.kafka.topics.policyNotification }} servers: - - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} topicCommInfrastructure: kafka additionalProps: group.id : {{ .Values.config.kafka.consumer.groupId }} security.protocol: SASL_PLAINTEXT sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} sasl.jaas.config: ${JAASLOGIN} - {{ else }} - topic: {{ .Values.dmaap.topics.policyNotification }} - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - {{ end }} + # If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks # servers: # - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 @@ -185,13 +143,6 @@ pap: password: "${API_PASSWORD}" useHttps: false basePath: policy/api/v1/healthcheck - - clientName: distribution - hostname: policy-distribution - port: 6969 - userName: "${DISTRIBUTION_USER}" - password: "${DISTRIBUTION_PASSWORD}" - useHttps: false - basePath: healthcheck management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index 67a2270fb8..f7c400865f 100755..100644 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -2,6 +2,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,26 +30,26 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: -{{- if not .Values.global.useStrimziKafkaPf }} -{{ include "common.readinessCheck.waitFor" . | nindent 6 }} -{{- end }} - command: - - /app/ready.py + - /app/ready.py args: - - --job-name -{{ if not .Values.global.postgres.localCluster }} - - {{ include "common.release" . }}-policy-galera-config + - --job-name +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config {{ else }} - - {{ include "common.release" . }}-policy-pg-config -{{ end }} env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-db-readiness resources: limits: @@ -78,7 +80,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} -{{- if .Values.global.useStrimziKafkaPf }} +{{- if .Values.global.useStrimziKafka }} - name: JAASLOGIN valueFrom: secretKeyRef: @@ -92,9 +94,11 @@ spec: name: papconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -126,25 +130,39 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/policy/pap/etc/mounted - name: papconfig-processed + - mountPath: /etc/localtime + name: localtime + readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pap/etc/logback.xml + subPath: logback.xml + name: papconfig-processed + - name: papconfig-processed + mountPath: /opt/app/policy/pap/etc/mounted resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: - path: /etc/localtime + path: /etc/localtime + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: papconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -152,4 +170,5 @@ spec: - name: papconfig-processed emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml index d2fab9f535..6fc37c3d01 100644 --- a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml +++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml @@ -13,6 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ if .Values.global.useStrimziKafkaPf }} {{ include "common.kafkauser" . }} -{{ end }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 365028c229..4c6f5355e0 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -2,7 +2,8 @@ # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,9 +26,10 @@ global: nodePortPrefixExt: 304 persistence: {} - useStrimziKafkaPf: set-via-parent-chart-global-value postgres: - localCluster: false + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig @@ -69,7 +71,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:3.1.0 +image: onap/policy-pap:3.1.3 pullPolicy: Always # flag to enable debugging - application support required @@ -139,7 +141,7 @@ ingress: serviceMesh: authorizationPolicy: authorizedPrincipals: - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read - serviceAccount: portal-app-read flavor: small @@ -160,6 +162,16 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-pap @@ -185,8 +197,6 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafkaPf: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: topics: policyHeartbeat: policy-heartbeat @@ -198,11 +208,6 @@ config: listener: policyPdpPapTopic: policy-pdp-pap -dmaap: - topics: - policyHeartbeat: POLICY-HEARTBEAT - policyNotification: POLICY-NOTIFICATION - policyPdpPap: POLICY-PDP-PAP # If targeting a custom kafka cluster, ie useStrimziKakfa: false # uncomment below config and target your kafka bootstrap servers, # along with any other security config. @@ -232,7 +237,3 @@ kafkaUser: type: topic patternType: prefix operations: [Create, Describe, Read, Write] - -readinessCheck: - wait_for: - - message-router diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index a46d6128e8..a02171ef31 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 14.0.0 +version: 14.0.3 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json index 08dcb67182..7bf6707136 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json @@ -42,18 +42,30 @@ "applicationPath": "/opt/app/policy/pdpx/apps" }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : "false", - "fetchTimeout" : 15000, - "topicCommInfrastructure" : "dmaap" + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } }], "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : "false", - "topicCommInfrastructure" : "dmaap" - }] + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index d2e9c62edf..3df3578fd2 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties @@ -1,4 +1,22 @@ {{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2024 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + # # Properties that the embedded PDP engine uses to configure and load # @@ -49,8 +67,14 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome # # JPA Properties # +{{ if .Values.global.mariadbGalera.useInPolicy }} eclipselink.target-database=MySQL -javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver -javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/operationshistory -javax.persistence.jdbc.user=${SQL_USER} -javax.persistence.jdbc.password=${SQL_PASSWORD} +jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver +jakarta.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/operationshistory +{{ else }} +eclipselink.target-database=PostgreSQL +jakarta.persistence.jdbc.driver=org.postgresql.Driver +jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory +{{ end }} +jakarta.persistence.jdbc.user=${SQL_USER} +jakarta.persistence.jdbc.password=${SQL_PASSWORD}
\ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml index 7158c0263f..5a9baa822f 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml @@ -14,4 +14,4 @@ # limitations under the License. */}} -{{ include "common.authorizationPolicy" . }}
\ No newline at end of file +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index b475d2ce2d..828f6ec2c7 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -1,6 +1,8 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,12 +29,17 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-policy-galera-config +{{ if .Values.global.mariadbGalera.useInPolicy }} + - {{ include "common.release" . }}-policy-galera-migrator-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-migrator-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -41,6 +48,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-readiness resources: limits: @@ -53,7 +61,7 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} @@ -67,6 +75,19 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} volumeMounts: - mountPath: /config-input name: pdpxconfig @@ -74,9 +95,11 @@ spec: name: pdpxconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] @@ -97,25 +120,87 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - name: policy-guard + mountPath: /opt/app/policy/pdpx/apps/guard + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/guard/xacml.properties + subPath: xacml.properties + - name: policy-match + mountPath: /opt/app/policy/pdpx/apps/match + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/match/xacml.properties + subPath: xacml.properties + - name: policy-monitoring + mountPath: /opt/app/policy/pdpx/apps/monitoring + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/monitoring/xacml.properties + subPath: xacml.properties + - name: policy-naming + mountPath: /opt/app/policy/pdpx/apps/naming + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/naming/xacml.properties + subPath: xacml.properties + - name: policy-native + mountPath: /opt/app/policy/pdpx/apps/native + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/native/xacml.properties + subPath: xacml.properties + - name: policy-optimization + mountPath: /opt/app/policy/pdpx/apps/optimization + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/optimization/xacml.properties + subPath: xacml.properties + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pdpx/etc/logback.xml + subPath: logback.xml + name: pdpxconfig-processed + - mountPath: /opt/app/policy/pdpx/etc/mounted + name: pdpxconfig-processed - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /opt/app/policy/pdpx/etc/mounted - name: pdpxconfig-processed resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: policy-guard + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-match + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-monitoring + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-naming + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-native + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-optimization + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: localtime hostPath: - path: /etc/localtime + path: /etc/localtime - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -123,4 +208,5 @@ spec: - name: pdpxconfig-processed emptyDir: medium: Memory + sizeLimit: 64Mi {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml index 3e76c2ba36..6dabd951b9 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml @@ -18,4 +18,4 @@ # ============LICENSE_END========================================================= */}} -{{ include "common.service" . }}
\ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index b9d877fe7b..b20ab89370 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -1,5 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +23,10 @@ ################################################################# global: persistence: {} - + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Secrets metaconfig ################################################################# @@ -49,9 +54,11 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:3.1.0 +image: onap/policy-xacml-pdp:3.1.3 pullPolicy: Always +componentName: &componentName policy-xacml-pdp + # flag to enable debugging - application support required debugEnabled: false @@ -61,8 +68,10 @@ db: user: policy-user password: policy_user service: - name: policy-mariadb - internalPort: 3306 + mariadbName: policy-mariadb + mariadbPort: 3306 + pgName: policy-pg-primary + pgPort: 5432 restServer: user: healthcheck @@ -93,7 +102,7 @@ readiness: service: type: ClusterIP - name: policy-xacml-pdp + name: *componentName internalPort: 6969 ports: - name: http @@ -123,7 +132,7 @@ serviceMesh: - serviceAccount: dcae-ves-collector-read - serviceAccount: dcae-ves-mapper-read - serviceAccount: dcae-ves-openapi-manager-read - - serviceAccount: message-router-read + - serviceAccount: strimzi-kafka-read - serviceAccount: oof-read - serviceAccount: sdnc-read @@ -145,9 +154,21 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + policyDir: + sizeLimit: 100Mi + #Pods Service Account serviceAccount: - nameOverride: policy-xacml-pdp + nameOverride: *componentName roles: - read @@ -171,3 +192,24 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-xacml-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-xacml-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh index f26a80fad7..913ccc7728 100644 --- a/kubernetes/policy/resources/config/db-pg.sh +++ b/kubernetes/policy/resources/config/db-pg.sh @@ -1,7 +1,7 @@ #!/bin/sh # # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,10 +20,10 @@ export PGPASSWORD=${PG_ADMIN_PASSWORD}; -psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER ${PG_USER} WITH PASSWORD '${PG_USER_PASSWORD}'" +psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'" for db in migration pooling policyadmin policyclamp operationshistory clampacm do psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};" - psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${PG_USER};" -done + psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";" +done
\ No newline at end of file diff --git a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh index 53921ab751..15a6e3224f 100644 --- a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh +++ b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh @@ -1,6 +1,6 @@ #!/bin/sh {{/* -# Copyright (C) 2022 Nordix Foundation. +# Copyright (C) 2022, 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,8 +14,19 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB} -/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o upgrade -rc=$? -/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o report -exit $rc + +for schema in ${SQL_DB}; do + echo "Initializing $schema..." + /opt/app/policy/bin/prepare_upgrade.sh ${schema} + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o upgrade + rc=$? + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report + + if [ "$rc" != 0 ]; then + break + fi +done diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_policy_init.sh index d1cc108fec..a1d8fd89ea 100644 --- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh +++ b/kubernetes/policy/resources/config/db_migrator_policy_init.sh @@ -1,6 +1,6 @@ #!/bin/sh {{/* -# Copyright (C) 2021 Nordix Foundation. +# Copyright (C) 2021, 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,8 +14,21 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB} -/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade -rc=$? -/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report -exit $rc + +for schema in ${SQL_DB}; do + echo "Initializing $schema..." + /opt/app/policy/bin/prepare_upgrade.sh ${schema} + + /opt/app/policy/bin/db-migrator -s ${schema} -o report + + /opt/app/policy/bin/db-migrator -s ${schema} -o upgrade + rc=$? + + /opt/app/policy/bin/db-migrator -s ${schema} -o report + + if [ "$rc" != 0 ]; then + break + fi +done + +exit $rc
\ No newline at end of file diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 697c25aa36..3886a85d11 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -1,7 +1,8 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2022 Nordix Foundation. +# Modifications Copyright (C) 2022-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,7 +17,7 @@ # limitations under the License. */}} -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} apiVersion: batch/v1 kind: Job metadata: @@ -33,25 +34,15 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-galera-init spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - {{- if .Values.global.mariadbGalera.localCluster }} - {{- if .Values.global.mariadbGalera.useOperator }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local_operator ) | indent 6 | trim }} - {{ else }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} - {{- end }} - {{ else }} - {{- if .Values.global.mariadbGalera.useOperator }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global_operator ) | indent 6 | trim }} - {{ else }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} - {{- end }} - {{- end }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }} containers: - name: {{ include "common.name" . }}-galera-config image: {{ include "repositoryGenerator.image.mariadb" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /dbcmd-config/db.sh name: {{ include "common.fullname" . }}-config @@ -60,7 +51,7 @@ spec: - /bin/sh - -cx - | - {{- if include "common.onServiceMesh" . }} + {{- if include "common.requireSidecarKiller" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} /dbcmd-config/db.sh env: @@ -73,10 +64,11 @@ spec: - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} + {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - /bin/sh - "-c" @@ -89,6 +81,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -102,7 +102,7 @@ spec: path: db.sh {{ end }} -{{ if .Values.global.postgres.localCluster }} +{{ if .Values.global.postgres.useInPolicy }} --- apiVersion: batch/v1 kind: Job @@ -120,12 +120,15 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-pg-init spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }} containers: - name: {{ include "common.name" . }}-pg-config image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} volumeMounts: - mountPath: /docker-entrypoint-initdb.d/db-pg.sh name: {{ include "common.fullname" . }}-config @@ -134,7 +137,7 @@ spec: - /bin/sh - -cx - | - {{- if include "common.onServiceMesh" . }} + {{- if include "common.requireSidecarKiller" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} /docker-entrypoint-initdb.d/db-pg.sh env: @@ -149,8 +152,9 @@ spec: - name: PG_PORT value: "{{ .Values.postgres.service.internalPort }}" resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} + {{- if (include "common.requireSidecarKiller" .) }} - name: policy-service-mesh-wait-for-job-container + {{ include "common.containerSecurityContext" . | indent 8 | trim }} image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always command: @@ -165,6 +169,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -177,97 +189,104 @@ spec: - key: db-pg.sh path: db-pg.sh {{ end }} - --- -{{ if not .Values.global.postgres.localCluster }} +{{ if .Values.global.mariadbGalera.useInPolicy }} apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-galera-config + name: {{ include "common.fullname" . }}-galera-migrator-config namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-galera-config + app: {{ include "common.name" . }}-galera-migrator-config release: {{ include "common.release" . }} spec: template: metadata: labels: - app: {{ include "common.name" . }}-galera-config + app: {{ include "common.name" . }}-galera-migrator-config release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-config + name: {{ include "common.name" . }}-galera-migrator-config spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-galera-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + - name: {{ include "common.name" . }}-init-readiness + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . }}-galera-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - - name: {{ include "common.name" . }}-galera-db-migrator - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_policy_init.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_policy_init.sh - env: - - name: SQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schema }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "sql" - resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - name: {{ include "common.name" . }}-galera-db-migrator + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + - mountPath: /dbcmd-config/db_migrator_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_policy_init.sh + command: + - /bin/sh + - -cx + - | + {{- if include "common.requireSidecarKiller" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db_migrator_policy_init.sh + env: + - name: SQL_HOST + value: "{{ index .Values "mariadb-galera" "service" "name" }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "sql" + resources: {{ include "common.resources" . | nindent 12 }} + {{- if (include "common.requireSidecarKiller" .) }} + - name: policy-service-mesh-wait-for-job-container + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: {} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-db-configmap @@ -276,98 +295,106 @@ spec: - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh {{ end }} -{{ if .Values.global.postgres.localCluster }} +{{ if .Values.global.postgres.useInPolicy }} --- apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-pg-config + name: {{ include "common.fullname" . }}-pg-migrator-config namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-pg-config + app: {{ include "common.name" . }}-pg-migrator-config release: {{ include "common.release" . }} spec: template: metadata: labels: - app: {{ include "common.name" . }}-pg-config + app: {{ include "common.name" . }}-pg-migrator-config release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-pg-config + name: {{ include "common.name" . }}-pg-migrator-config spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-pg-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + - name: {{ include "common.name" . }}-init-readiness + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . }}-pg-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - - name: {{ include "common.name" . }}-pg-db-migrator - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_pg_policy_init.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_pg_policy_init.sh - env: - - name: SQL_HOST - value: "{{ .Values.postgres.service.name2 }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schema }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "postgres" - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.onServiceMesh" .) }} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - name: {{ include "common.name" . }}-pg-db-migrator + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_pg_policy_init.sh + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + command: + - /bin/sh + - -cx + - | + {{- if include "common.requireSidecarKiller" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db_migrator_pg_policy_init.sh + env: + - name: SQL_HOST + value: "{{ .Values.postgres.service.name2 }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "postgres" + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if (include "common.requireSidecarKiller" .) }} + - name: policy-service-mesh-wait-for-job-container + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: {} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-db-configmap @@ -375,4 +402,4 @@ spec: items: - key: db_migrator_pg_policy_init.sh path: db_migrator_pg_policy_init.sh -{{ end }} +{{ end }}
\ No newline at end of file diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index a787b8b626..feb29f3b0c 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.global.useStrimziKafkaPf }} + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: @@ -49,4 +49,3 @@ spec: config: retention.ms: {{ .Values.config.policyNotificationTopic.retentionMs }} segment.bytes: {{ .Values.config.policyNotificationTopic.segmentBytes }} -{{- end }} diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml index c000af1b82..d004cbe116 100644 --- a/kubernetes/policy/templates/policy-kafka-user.yaml +++ b/kubernetes/policy/templates/policy-kafka-user.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2022-2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,7 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.global.useStrimziKafka }} + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: @@ -29,17 +30,20 @@ spec: - resource: type: group name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyPdpPapTopic.name }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyHeartbeatTopic.name }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyNotificationTopic.name }} - operation: All -{{- end }} + operations: + - All diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 9d08080cf7..67f4dbd1e5 100755..100644 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright (C) 2021-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,12 +30,12 @@ global: # with '*mariadbConfig' pointer. config: &mariadbConfig mysqlDatabase: policyadmin - service: &mariadbService - name: &policy-mariadb policy-mariadb - internalPort: 3306 - nameOverride: *policy-mariadb + service: &mariadbService policy-mariadb + internalPort: 3306 + nameOverride: *mariadbService # (optional) if localCluster=false and an external secret is used set this variable #userRootSecret: <secretName> + useInPolicy: true prometheusEnabled: false postgres: localCluster: false @@ -44,16 +45,13 @@ global: name3: tcp-pgset-replica container: name: postgres - #Strimzi Kafka properties - useStrimziKafka: true - # Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml - useStrimziKafkaPf: false - kafkaBootstrap: strimzi-kafka-bootstrap + useInPolicy: false + kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user + useStrimziKafka: true kafkaTopics: acRuntimeTopic: name: policy.clamp-runtime-acm - ################################################################# # Secrets metaconfig ################################################################# @@ -61,8 +59,8 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ .Values.global.mariadbGalera.localCluster | - ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + externalSecret: '{{ or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy | ternary ( + ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) @@ -134,7 +132,7 @@ policy-apex-pdp: config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-drools-pdp: - enabled: true + enabled: false db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' @@ -163,18 +161,17 @@ policy-nexus: enabled: false config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-gui: - enabled: false - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' ################################################################# # DB configuration defaults. ################################################################# dbmigrator: - image: onap/policy-db-migrator:3.1.0 - schema: policyadmin + # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later. + image: onap/policy-db-migrator:3.1.3 + # These schemas will be required with the new version of db-migrator + # schemas: "policyadmin clampacm pooling operationshistory" + schemas: "policyadmin" policy_home: "/opt/app/policy" subChartsOnly: @@ -205,7 +202,6 @@ readiness: config: policyAppUserName: runtimeUser - useStrimziKafka: true policyPdpPapTopic: name: policy-pdp-pap partitions: 10 @@ -238,9 +234,10 @@ mariadb-galera: name: &mysqlDbName policyadmin rootUser: externalSecret: *dbRootPassSecretName - nameOverride: *policy-mariadb + nameOverride: *mariadbService # mariadb-galera.service and global.mariadbGalera.service must be equals - service: *mariadbService + service: + name: *mariadbService replicaCount: 1 mariadbOperator: galera: @@ -249,7 +246,7 @@ mariadb-galera: enabled: true mountSubPath: policy/maria/data serviceAccount: - nameOverride: *policy-mariadb + nameOverride: *mariadbService postgresImage: library/postgres:latest # application configuration override for postgres @@ -273,20 +270,12 @@ postgres: pgRootPasswordExternalSecret: *dbRootPassSecretName readinessCheck: - wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' - wait_for_global_operator: - pods: - - '{{ .Values.global.mariadbGalera.nameOverride }}-0' - wait_for_local_operator: - pods: - - '{{ index .Values "mariadb-galera" "nameOverride" }}-0' - wait_for_global: - apps: - - '{{ include "common.mariadbAppName" . }}' - wait_for_local: - apps: - - '{{ include "common.mariadbAppName" . }}' + wait_for_postgres: + services: + - '{{ .Values.global.postgres.service.name2 }}' + wait_for_mariadb: + services: + - '{{ include "common.mariadbService" . }}' restServer: policyPapUserName: policyadmin @@ -314,8 +303,12 @@ resources: memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 65533 + #Pods Service Account serviceAccount: nameOverride: policy roles: - - read + - read
\ No newline at end of file |