Diffstat (limited to 'kubernetes/policy')
-rwxr-xr-xkubernetes/policy/Chart.yaml13
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/Chart.yaml7
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json11
-rw-r--r--kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml33
-rw-r--r--kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/values.yaml33
-rwxr-xr-xkubernetes/policy/components/policy-api/Chart.yaml4
-rw-r--r--kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml3
-rw-r--r--kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-api/templates/configmap.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-api/templates/deployment.yaml51
-rwxr-xr-xkubernetes/policy/components/policy-api/values.yaml23
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml6
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml18
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml30
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml42
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml22
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml6
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml17
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml30
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml42
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml21
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml6
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml16
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml30
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml1
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml20
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml6
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml18
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml30
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml34
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml76
-rwxr-xr-xkubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml21
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml6
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml17
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml30
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml42
-rw-r--r--kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml21
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml10
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml33
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml59
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml2
-rw-r--r--kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml39
-rwxr-xr-xkubernetes/policy/components/policy-distribution/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-distribution/templates/deployment.yaml25
-rwxr-xr-xkubernetes/policy/components/policy-distribution/values.yaml13
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/Chart.yaml3
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf41
-rw-r--r--kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties37
-rw-r--r--kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties41
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf (renamed from kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf)3
-rw-r--r--kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml2
-rw-r--r--kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml (renamed from kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml)5
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/templates/service.yaml1
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml109
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-drools-pdp/values.yaml95
-rw-r--r--kubernetes/policy/components/policy-gui/Chart.yaml32
-rw-r--r--kubernetes/policy/components/policy-gui/resources/config/application.yml19
-rw-r--r--kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml59
-rw-r--r--kubernetes/policy/components/policy-gui/resources/config/logback.xml118
-rw-r--r--kubernetes/policy/components/policy-gui/templates/NOTES.txt38
-rw-r--r--kubernetes/policy/components/policy-gui/templates/configmap.yaml34
-rw-r--r--kubernetes/policy/components/policy-gui/templates/deployment.yaml127
-rw-r--r--kubernetes/policy/components/policy-gui/templates/ingress.yaml21
-rw-r--r--kubernetes/policy/components/policy-gui/templates/secrets.yaml21
-rw-r--r--kubernetes/policy/components/policy-gui/templates/service.yaml21
-rw-r--r--kubernetes/policy/components/policy-gui/values.yaml130
-rwxr-xr-xkubernetes/policy/components/policy-nexus/Chart.yaml3
-rw-r--r--kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-nexus/templates/deployment.yaml10
-rwxr-xr-xkubernetes/policy/components/policy-nexus/templates/service.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-nexus/values.yaml10
-rwxr-xr-xkubernetes/policy/components/policy-pap/Chart.yaml8
-rw-r--r--kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml63
-rw-r--r--kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml2
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-pap/templates/deployment.yaml69
-rw-r--r--kubernetes/policy/components/policy-pap/templates/kafkauser.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-pap/values.yaml33
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/Chart.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/resources/config/config.json34
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties32
-rw-r--r--kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml2
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml104
-rw-r--r--kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml16
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/templates/service.yaml2
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/components/policy-xacml-pdp/values.yaml56
-rw-r--r--kubernetes/policy/resources/config/db-pg.sh8
-rw-r--r--kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh23
-rw-r--r--kubernetes/policy/resources/config/db_migrator_policy_init.sh25
-rwxr-xr-xkubernetes/policy/templates/job.yaml357
-rw-r--r--kubernetes/policy/templates/policy-kafka-topics.yaml3
-rw-r--r--kubernetes/policy/templates/policy-kafka-user.yaml16
-rw-r--r--[-rwxr-xr-x]kubernetes/policy/values.yaml71
106 files changed, 1399 insertions, 1516 deletions
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml
index b305ef48e1..9b631c7af5 100755
--- a/kubernetes/policy/Chart.yaml
+++ b/kubernetes/policy/Chart.yaml
@@ -1,7 +1,8 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018, 2020 AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021, 2022, 2023, 2024 Nordix Foundation
+# Modifications Copyright © 2021-2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP Policy
name: policy
-version: 14.0.0
+version: 14.0.5
dependencies:
- name: common
@@ -27,7 +28,7 @@ dependencies:
- name: mariadb-galera
version: ~13.x-0
repository: '@local'
- condition: global.mariadbGalera.localCluster
+ condition: global.mariadbGalera.useInPolicy,global.mariadbGalera.localCluster
- name: policy-nexus
version: ~14.x-0
repository: 'file://components/policy-nexus'
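Review bot: The comma-separated `condition` on the mariadb-galera dependency is not a logical AND. Helm evaluates only the first path that exists and resolves to a boolean, so once `global.mariadbGalera.useInPolicy` is set, `global.mariadbGalera.localCluster` is never consulted. A deployment that sets `useInPolicy: true` together with `localCluster: false`, intending to use a shared cluster, would still get the local mariadb-galera subchart. If both flags are meant to gate the subchart, a single dedicated flag expresses that; otherwise a comment such as `# Helm uses only the first resolvable path; localCluster applies only when useInPolicy is unset` would document the behaviour. The postgres dependency in the last hunk of this file has the same pattern.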
@@ -80,10 +81,6 @@ dependencies:
version: ~14.x-0
repository: 'file://components/policy-clamp-runtime-acm'
condition: policy-clamp-runtime-acm.enabled
- - name: policy-gui
- version: ~14.x-0
- repository: 'file://components/policy-gui'
- condition: policy-gui.enabled
- name: repositoryGenerator
version: ~13.x-0
repository: '@local'
@@ -96,4 +93,4 @@ dependencies:
- name: postgres
version: ~13.x-0
repository: '@local'
- condition: global.postgres.localCluster
+ condition: global.postgres.useInPolicy,global.postgres.localCluster
diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml
index 2318a592eb..4ec4725860 100755
--- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml
@@ -2,7 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@
apiVersion: v2
description: ONAP Policy APEX PDP
name: policy-apex-pdp
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -34,6 +34,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json
index 3a38b88d56..441955f1ed 100755
--- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json
+++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json
@@ -30,23 +30,17 @@
"useHttps": false,
"fetchTimeout": 15000,
"servers": [ "${KAFKA_URL}" ],
-{{ if .Values.global.useStrimziKafkaPf }}
"topicCommInfrastructure": "kafka",
"additionalProps": {
"group.id" : "${GROUP_ID}",
"security.protocol": "SASL_PLAINTEXT",
"sasl.mechanism": "${SASL}",
"sasl.jaas.config": "${JAASLOGIN}"
- }
-{{ else }}
- "topicCommInfrastructure": "dmaap"
-{{ end }}
- }],
+ }}],
"topicSinks" : [{
"topic": "${PAP_TOPIC}",
"useHttps": false,
"servers": [ "${KAFKA_URL}" ],
-{{ if .Values.global.useStrimziKafkaPf }}
"topicCommInfrastructure": "kafka",
"additionalProps": {
"group.id" : "${GROUP_ID}",
@@ -54,9 +48,6 @@
"sasl.mechanism": "${SASL}",
"sasl.jaas.config": "${JAASLOGIN}"
}
-{{ else }}
- "topicCommInfrastructure": "dmaap"
-{{ end }}
}]
}
}
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
index daed724cbd..3b25dc55a3 100755
--- a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
@@ -3,7 +3,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright © 2022 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -30,46 +30,31 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafkaPf }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command: ["/bin/sh", "-cx"]
-{{- if .Values.global.useStrimziKafkaPf }}
args:
- JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`;
cd /config-input && for PFILE in `ls -1`;
do envsubst <${PFILE} >/config/${PFILE}; done
-{{ else }}
- args:
- - cd /config-input && for PFILE in `ls -1`;
- do envsubst <${PFILE} >/config/${PFILE}; done
-{{ end }}
env:
- name: RESTSERVER_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafkaPf }}
- name: JAASLOGIN
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
- name: KAFKA_URL
- value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
- name: SASL
value: {{ .Values.kafkaUser.authenticationType | upper }}
- name: GROUP_ID
value: {{ .Values.config.kafka.consumer.groupId }}
- name: PAP_TOPIC
value: {{ .Values.config.app.listener.policyPdpPapTopic }}
-{{ else }}
- - name: KAFKA_URL
- value: message-router
- - name: PAP_TOPIC
- value: {{ .Values.config.app.listener.policyPdpPapTopic | upper }}
-{{- end }}
volumeMounts:
- mountPath: /config-input
name: apexconfig-input
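Review bot: The init container still runs under `command: ["/bin/sh", "-cx"]`, and with the Kafka branch now unconditional its script begins with the `JAASLOGIN=...` assignment. The `-x` trace would therefore write the expanded `sasl.jaas.config` value from the `-ku` secret to the container log. Anyone able to read pod logs could then see the Kafka credential. Dropping the trace flag, `command: ["/bin/sh", "-c"]`, leaves the envsubst loop unchanged. The main container's `command: [ "/bin/sh", "-cx" ]` in the next hunk deserves the same look, though its script is outside the visible lines; the initContainers entry also continues past this hunk.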
@@ -78,8 +63,10 @@ spec:
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-update-config
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: [ "/bin/sh", "-cx" ]
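Review bot: The init container's `common.containerSecurityContext` include uses `indent 8` while the main container's uses `indent 10`, although both are container-level keys under the same pod spec. Because `trim` strips the first line's indent, the rendered YAML is probably valid either way, but the mismatch makes it unclear which value is intended. Using `indent 10` for both would match policy-api/templates/deployment.yaml. Source indentation is not visible on this page, so the rendered nesting is worth confirming with `helm template`.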
@@ -104,9 +91,6 @@ spec:
- name: REPLICAS
value: "{{ .Values.replicaCount }}"
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /var/log/onap
name: policy-logs
- mountPath: /home/apexuser/config
@@ -122,11 +106,9 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: policy-logs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: apexconfig-input
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -134,4 +116,5 @@ spec:
- name: apexconfig
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml
index d2fab9f535..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafkaPf }}
{{ include "common.kafkauser" . }}
-{{ end }}
diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml
index e01cb61176..0c83a55651 100755
--- a/kubernetes/policy/components/policy-apex-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml
@@ -2,7 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright © 2022 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,7 +25,6 @@
global:
nodePortPrefix: 302
persistence: {}
- useStrimziKafkaPf: set-via-parent-chart-global-value
#################################################################
# Secrets metaconfig
@@ -48,7 +47,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-apex-pdp:3.1.0
+image: onap/policy-apex-pdp:3.1.3
pullPolicy: Always
# flag to enable debugging - application support required
@@ -93,7 +92,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
# Resource Limit flavor -By Default using small
# Segregation for Different environment (Small and Large)
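Review bot: The `message-router-read` entry under `authorizedPrincipals` has been swapped one-for-one for `strimzi-kafka-read`, and it is not evident from this diff that the new principal needs inbound access. The list presumably names the service accounts allowed to call this service, while apex-pdp reaches Kafka as an outbound client (see `KAFKA_URL` in templates/deployment.yaml). If no workload running as `strimzi-kafka-read` calls apex-pdp, removing the entry rather than renaming it keeps the policy least-privilege. Otherwise a short comment above the entry naming the caller and the port it uses would record why it is authorized. The `authorizedPrincipals` list starts outside this hunk.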
@@ -115,12 +114,20 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
#Pods Service Account
serviceAccount:
nameOverride: policy-apex-pdp
roles:
- read
+dirSizes:
+ logDir:
+ sizeLimit: 500Mi
+
metrics:
serviceMonitor:
# Override the labels based on the Prometheus config parameter: serviceMonitorSelector.
@@ -145,25 +152,13 @@ metrics:
# application configuration
config:
# Event consumption (kafka) properties
- useStrimziKafkaPf: true
- kafkaBootstrap: strimzi-kafka-bootstrap
kafka:
consumer:
groupId: policy-apex
app:
listener:
policyPdpPapTopic: policy-pdp-pap
-# If targeting a custom kafka cluster, ie useStrimziKakfa: false
-# uncomment below config and target your kafka bootstrap servers,
-# along with any other security config.
-#
-# eventConsumption:
-# spring.kafka.bootstrap-servers: <kafka-bootstrap>:9092
-# spring.kafka.security.protocol: PLAINTEXT
-# spring.kafka.consumer.group-id: policy-group
-#
-# Any new property can be added in the env by setting in overrides in the format mentioned below
-# All the added properties must be in "key: value" format instead of yaml.
+
kafkaUser:
authenticationType: scram-sha-512
acls:
@@ -178,7 +173,3 @@ kafkaUser:
type: topic
patternType: prefix
operations: [Create, Describe, Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router
diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml
index 32c22cbe6c..f5c876646b 100755
--- a/kubernetes/policy/components/policy-api/Chart.yaml
+++ b/kubernetes/policy/components/policy-api/Chart.yaml
@@ -2,7 +2,7 @@
# Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Design API
name: policy-api
-version: 14.0.0
+version: 14.0.2
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml
index 4e73dc0b5b..c39a27bdeb 100644
--- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml
+++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2022 Bell Canada. All rights reserved.
# Modifications Copyright (C) 2022 AT&T Intellectual Property.
# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modifications Copyright © 2024 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -31,7 +32,7 @@ spring:
password: "${RESTSERVER_PASSWORD}"
mvc.converters.preferred-json-mapper: gson
datasource:
-{{ if not .Values.global.postgres.localCluster }}
+{{ if .Values.global.mariadbGalera.useInPolicy }}
url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin
driverClassName: org.mariadb.jdbc.Driver
username: "${SQL_USER}"
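Review bot: Inconsistent database flags go unnoticed here, because the datasource block now tests only `global.mariadbGalera.useInPolicy` and `global.postgres.useInPolicy` is an independent boolean. Setting both to false, or both to true, renders without error and silently picks one database. The `{{ else }}` is outside this hunk, but the init-container args in templates/deployment.yaml show the same test falling through to the `-policy-pg-migrator-config` job. A render-time guard such as `{{ if eq .Values.global.mariadbGalera.useInPolicy .Values.global.postgres.useInPolicy }}{{ fail "set exactly one of mariadbGalera.useInPolicy / postgres.useInPolicy" }}{{ end }}` would surface the misconfiguration before anything is deployed.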
diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml
index 9ab25fe2ac..6bb96fc1e5 100755
--- a/kubernetes/policy/components/policy-api/templates/configmap.yaml
+++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml
@@ -37,4 +37,4 @@ binaryData:
{{- end }}
{{- end }}
data:
-{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} \ No newline at end of file
+{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }}
diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml
index ccb1e1971b..f89945f90e 100755
--- a/kubernetes/policy/components/policy-api/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml
@@ -1,3 +1,23 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021-2024 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
apiVersion: apps/v1
kind: Deployment
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
@@ -7,15 +27,16 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
args:
- --job-name
-{{ if not .Values.global.postgres.localCluster }}
- - {{ include "common.release" . }}-policy-galera-config
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+ - {{ include "common.release" . }}-policy-galera-migrator-config
{{ else }}
- - {{ include "common.release" . }}-policy-pg-config
+ - {{ include "common.release" . }}-policy-pg-migrator-config
{{ end }}
env:
- name: NAMESPACE
@@ -25,6 +46,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
name: {{ include "common.name" . }}-readiness
resources:
limits:
@@ -54,9 +76,11 @@ spec:
name: apiconfig-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/api/bin/policy-api.sh"]
@@ -85,9 +109,14 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeout }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/api/etc/logback.xml
+ subPath: logback.xml
+ name: apiconfig-processed
- mountPath: /opt/app/policy/api/etc/mounted
name: apiconfig-processed
resources: {{ include "common.resources" . | nindent 12 }}
@@ -101,9 +130,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: apiconfig
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -111,4 +137,11 @@ spec:
- name: apiconfig-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml
index 530f021d85..902268f41a 100755
--- a/kubernetes/policy/components/policy-api/values.yaml
+++ b/kubernetes/policy/components/policy-api/values.yaml
@@ -1,7 +1,8 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright (C) 2022 Bell Canada. All rights reserved.
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
+# Modifications Copyright © 2024 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,7 +26,9 @@ global:
nodePortPrefix: 304
persistence: {}
postgres:
- localCluster: false
+ useInPolicy: false
+ mariadbGalera:
+ useInPolicy: true
#################################################################
# Secrets metaconfig
@@ -48,7 +51,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-api:3.1.0
+image: onap/policy-api:3.1.3
pullPolicy: Always
# flag to enable debugging - application support required
@@ -77,7 +80,7 @@ affinity: {}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 120
periodSeconds: 10
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
@@ -89,7 +92,7 @@ readiness:
api: /policy/api/v1/healthcheck
successThreshold: 1
failureThreshold: 3
- timeout: 60
+ timeout: 120
service:
type: ClusterIP
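Review bot: Raising `readiness.timeout` to 120 loosens steady-state failure detection, because templates/deployment.yaml renders the value as the probe's `timeoutSeconds`. A single hung health-check request can then block for two minutes, and with `failureThreshold: 3` an unresponsive policy-api may stay in the Service endpoints for several minutes. If the goal is to tolerate slow startup, `initialDelaySeconds` or a startup probe covers that without this side effect. The readiness period is outside this hunk, so the relation between timeout and period should be checked there.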
@@ -125,6 +128,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-api
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml
index 10baa90eba..a9d27d60a8 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2022-2024 Nordix Foundation. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp A1PMS Participant
name: policy-clamp-ac-a1pms-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -31,6 +32,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
index 34d267bc26..5bfa825e18 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
@@ -41,40 +41,28 @@ participant:
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
group.id: {{ (first .Values.kafkaUser.acls).name }}
allow.auto.create.topics: false
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
topicSinks:
-
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
participantSupportedElementTypes:
-
typeName: org.onap.policy.clamp.acm.A1PMSAutomationCompositionElement
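Review bot: `.Values.global.kafkaBootstrap` is interpolated into both `servers:` entries with no guard, and none of the values.yaml hunks in this view define a default for it, so it presumably comes from the parent chart's globals. If the value is missing when this subchart is rendered, the template would likely produce a truncated bootstrap address instead of failing, and the problem would only surface at runtime as a connection failure. Failing at render time is safer: `- {{ include "common.release" . }}-{{ required "global.kafkaBootstrap must be set" .Values.global.kafkaBootstrap }}`. The same two lines recur in HttpParticipantParameters.yaml and KubernetesParticipantParameters.yaml.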
@@ -93,5 +81,3 @@ server:
context-path: /onap/policy/clamp/acm/a1pmsparticipant
ssl:
enabled: false
-
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
index 4ed282ade4..b9eb83b3c5 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2022-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,10 +28,8 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafka }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- sh
args:
@@ -41,13 +40,11 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafka }}
- name: SASL_JAAS_CONFIG
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
-{{- end }}
volumeMounts:
- mountPath: /config-input
name: ac-a1pms-ppnt-config
@@ -55,9 +52,11 @@ spec:
name: ac-a1pms-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"]
@@ -78,11 +77,16 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-a1pms-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-a1pms-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
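Review bot: The new `logback.xml` mount, like the existing `/opt/app/policy/clamp/etc/mounted` mount, exposes the processed-config volume to the application container read-write. That volume presumably holds the envsubst output, including the substituted `SASL_JAAS_CONFIG` value, so adding `readOnly: true` to both mounts would keep the rendered config and logging configuration immutable at runtime, assuming the application never writes there. The removed `/etc/localtime` mount was the only one marked read-only. The `subPath: logback.xml` mount also depends on the init container writing that file into the volume, and the init container's arguments are outside this hunk. The http-ppnt and k8s-ppnt deployment.yaml hunks add the same mounts.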
@@ -94,9 +98,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: ac-a1pms-ppnt-config
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -104,4 +105,11 @@ spec:
- name: ac-a1pms-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
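Review bot: The `sizeLimit: 64Mi` on the memory-backed `ac-a1pms-ppnt-config-processed` volume is hard-coded, while the two volumes added beside it read their limits from `.Values.dirSizes`. A `medium: Memory` emptyDir is tmpfs and its usage is charged to the pod's memory, so operators tuning `resources` would benefit from seeing and adjusting this limit in the same place. Consider a third entry under `dirSizes` in values.yaml, for example `configDir: {sizeLimit: 64Mi}`, referenced as `sizeLimit: {{ .Values.dirSizes.configDir.sizeLimit }}` (the key name is only a suggestion). The http-ppnt and k8s-ppnt deployment.yaml hunks hard-code the same limit.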
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml
index 92184b8e85..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafka }}
{{ include "common.kafkauser" . }}
-{{ end }} \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
index 19f522a71e..66aadf12c7 100644
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2022 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
index ac74011463..a23e732c8b 100755
--- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2022-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,8 +22,6 @@
#################################################################
global:
persistence: {}
- #Strimzi Kafka properties
- useStrimziKafka: set-via-parent-chart-global-value
kafkaTopics:
acRuntimeTopic:
name: &acRuntimeTopic policy.clamp-runtime-acm
@@ -42,7 +41,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-a1pms-ppnt:7.1.0
+image: onap/policy-clamp-ac-a1pms-ppnt:7.1.3
pullPolicy: Always
componentName: &componentName policy-clamp-ac-a1pms-ppnt
@@ -77,7 +76,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
# probe configuration parameters
liveness:
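Review bot: The new `- serviceAccount: strimzi-kafka-read` entry grants a mesh principal inbound access to the participant, but the visible configuration only shows the participant connecting out to Kafka as a client, so it is unclear that any broker-side identity needs to call it. If no inbound caller uses that identity, the entry widens the allow-list for no benefit. Presumably `common.authorizationPolicy` turns this list into the permitted sources, which is not visible here. I would either confirm the caller and record it in a comment, e.g. `# inbound callers permitted by the mesh policy: <who uses strimzi-kafka-read and why>`, or drop the entry. The same replacement appears in the http-ppnt and k8s-ppnt values.yaml.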
@@ -117,6 +116,17 @@ resources:
cpu: "1"
memory: "2Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -140,7 +150,3 @@ kafkaUser:
- name: *acRuntimeTopic
type: topic
operations: [Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml
index abdd038607..979aa4f598 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2022, 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop Http Participant
name: policy-clamp-ac-http-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -31,6 +32,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml
index 6cc45cc5c6..d447360dd9 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml
@@ -41,40 +41,28 @@ participant:
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
group.id: {{ (first .Values.kafkaUser.acls).name }}
allow.auto.create.topics: false
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
topicSinks:
-
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
participantSupportedElementTypes:
-
typeName: org.onap.policy.clamp.acm.HttpAutomationCompositionElement
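Review bot: `security.protocol: SASL_PLAINTEXT` is now the only transport for this participant in both `topicSources` and `topicSinks`, because the dmaap branch is removed. Kafka's SASL_PLAINTEXT authenticates the client but does not encrypt the connection. Whether the service mesh wraps broker traffic in mTLS is not visible in this diff; if it does, say so next to the setting, e.g. `# transport encryption is provided by the service mesh, not by Kafka`. Otherwise consider making the protocol configurable so a deployment can select `SASL_SSL`. The same applies to the a1pms and k8s participant parameter files.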
@@ -92,4 +80,3 @@ server:
context-path: /onap/httpparticipant
ssl:
enabled: false
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml
index 8d0d22901b..dd7db7acee 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,10 +28,8 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafka }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- sh
args:
@@ -41,13 +40,11 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafka }}
- name: SASL_JAAS_CONFIG
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
-{{- end }}
volumeMounts:
- mountPath: /config-input
name: ac-http-ppnt-config
@@ -55,9 +52,11 @@ spec:
name: ac-http-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/http-participant.sh"]
@@ -78,11 +77,16 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-http-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-http-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -94,9 +98,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: ac-http-ppnt-config
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -104,4 +105,11 @@ spec:
- name: ac-http-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml
index 92184b8e85..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafka }}
{{ include "common.kafkauser" . }}
-{{ end }} \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml
index e676ff13d7..be2449f890 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml
index 419c2c02aa..8593a3d316 100644
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,6 @@
global:
persistence: {}
#Strimzi Kafka properties
- useStrimziKafka: set-via-parent-chart-global-value
kafkaTopics:
acRuntimeTopic:
name: &acRuntimeTopic policy.clamp-runtime-acm
@@ -42,7 +42,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-http-ppnt:7.1.0
+image: onap/policy-clamp-ac-http-ppnt:7.1.3
pullPolicy: Always
componentName: &componentName policy-clamp-ac-http-ppnt
@@ -67,7 +67,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
# probe configuration parameters
liveness:
@@ -107,6 +107,17 @@ resources:
cpu: "1"
memory: "2Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -130,7 +141,3 @@ kafkaUser:
- name: *acRuntimeTopic
type: topic
operations: [Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
index f6aade83b7..5a1cb6e80b 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2021 Nordix Foundation. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021-2022, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop K8s Participant
name: policy-clamp-ac-k8s-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -33,6 +34,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml
index 761f19c5e3..14deab557b 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml
@@ -43,40 +43,28 @@ participant:
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
group.id: {{ (first .Values.kafkaUser.acls).name }}
allow.auto.create.topics: false
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
topicSinks:
-
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
participantSupportedElementTypes:
-
typeName: org.onap.policy.clamp.acm.K8SMicroserviceAutomationCompositionElement
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
index 8a6cf830ca..efd5a6cd53 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml
@@ -33,4 +33,4 @@ data:
{{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }}
{{ toYaml .Values.repoList | indent 4 }}
{{- end }}
-{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} \ No newline at end of file
+{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
index d69a85824e..a97ab22577 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,10 +28,8 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafka }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- sh
args:
@@ -41,13 +40,11 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafka }}
- name: SASL_JAAS_CONFIG
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
-{{- end }}
volumeMounts:
- mountPath: /config-input
name: ac-k8s-ppnt-config
@@ -55,9 +52,11 @@ spec:
name: ac-k8s-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"]
@@ -78,11 +77,16 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-k8s-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-k8s-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -94,9 +98,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: ac-k8s-ppnt-config
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -104,4 +105,11 @@ spec:
- name: ac-k8s-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml
index 92184b8e85..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafka }}
{{ include "common.kafkauser" . }}
-{{ end }} \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
index 2439223192..02a6292df7 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml
@@ -36,4 +36,3 @@ subjects:
- kind: ServiceAccount
name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
namespace: {{ include "common.namespace" . }}
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
index 5d82c83cc5..5e43b94965 100644
--- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,7 +24,6 @@ global:
nodePortPrefixExt: 304
persistence: {}
#Strimzi Kafka properties
- useStrimziKafka: set-via-parent-chart-global-value
kafkaTopics:
acRuntimeTopic:
name: &acRuntimeTopic policy.clamp-runtime-acm
@@ -43,7 +43,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-k8s-ppnt:7.1.0
+image: onap/policy-clamp-ac-k8s-ppnt:7.1.3
pullPolicy: Always
componentName: &componentName policy-clamp-ac-k8s-ppnt
@@ -89,7 +89,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
flavor: small
resources:
@@ -109,6 +109,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
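Review bot: The new `dirSizes` block carries no comment on what happens when a limit is reached: the kubelet evicts a pod whose emptyDir usage exceeds `sizeLimit`. `logDir.sizeLimit: 500Mi` therefore has to stay above the total size the component's logback configuration allows for the `logs` volume, which needs checking because logback.xml is not part of this diff. Logs kept in an emptyDir also disappear with the pod, which matters if they are the only record of this participant's activity and are not shipped elsewhere. I would add `# emptyDir caps; the pod is evicted when usage exceeds them, keep logDir above the logback total size cap` above the block, and `# UID/GID the containers run as; must match the user in the image` above `securityContext` (presumably read by the common security-context templates). The kserve and pf participant values.yaml get the same block.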
@@ -146,7 +156,3 @@ kafkaUser:
- name: *acRuntimeTopic
type: topic
operations: [Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml
index 281f3c86ed..863d07952f 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2023-2024 Nordix Foundation. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp Kserve Participant
name: policy-clamp-ac-kserve-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -31,6 +32,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local' \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml
index af9d46a807..6613235050 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml
@@ -48,40 +48,28 @@ participant:
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
group.id: {{ (first .Values.kafkaUser.acls).name }}
allow.auto.create.topics: false
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
topicSinks:
-
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
participantSupportedElementTypes:
-
typeName: org.onap.policy.clamp.acm.KserveAutomationCompositionElement
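Review bot: `.Values.global.kafkaBootstrap` is now the only source of the broker address in both `servers:` entries, and none of this chart's values.yaml hunks defines it. A deployment that does not inherit the global would render `<release>-` as the bootstrap server and fail only at runtime. Guarding it makes the chart fail at render time: `- {{ include "common.release" . }}-{{ required "global.kafkaBootstrap must be set" .Values.global.kafkaBootstrap }}`. With the dmaap branch gone, `security.protocol: SASL_PLAINTEXT` is also unconditional; a comment such as `# no TLS at the Kafka layer; transport encryption relies on the service mesh` would record that assumption if it is the intended one. The same applies to the matching hunks in PolicyParticipantParameters.yaml and acRuntimeParameters.yaml; the `participant:` mapping starts outside the hunk.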
@@ -108,5 +96,3 @@ server:
context-path: /onap/policy/clamp/acm/kserveparticipant
ssl:
enabled: false
-
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml
index f5ecd27ee1..3d1f4f8ca3 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,10 +28,8 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafka }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- sh
args:
@@ -41,13 +40,11 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafka }}
- name: SASL_JAAS_CONFIG
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
-{{- end }}
volumeMounts:
- mountPath: /config-input
name: ac-kserve-ppnt-config
@@ -55,9 +52,11 @@ spec:
name: ac-kserve-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"]
@@ -78,11 +77,16 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-kserve-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-kserve-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
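Review bot: Both mounts of `ac-kserve-ppnt-config-processed` in the main container (`/opt/app/policy/clamp/etc/mounted` and the new `logback.xml` subPath) are writable, although on the visible lines only the `-update-config` init container needs to write that volume. The rendered files presumably carry the substituted `RESTSERVER_PASSWORD` and `SASL_JAAS_CONFIG`, so adding `readOnly: true` to both entries keeps a compromised application from altering its own configuration or logging setup; confirm first that the start script does not write there. A `subPath` that does not exist in an emptyDir is created as a directory, so the init container must have produced `logback.xml` before this mount is set up. The pf participant deployment.yaml has the same hunk; the container spec begins outside the hunk.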
@@ -94,9 +98,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: ac-kserve-ppnt-config
configMap:
name: {{ include "common.fullname" . }}-configmap
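Review bot: The pod still runs as the `…-create` service account on the `serviceAccountName` line, and templates/service.yaml in this same commit keeps the ClusterRoleBinding that ties that account to `name: cluster-admin` (its hunk rewrites the file without changing the content). The pod and container security contexts added in this file therefore harden the process but leave it with full API-server rights, including read access to every Secret in the cluster. I would have the chart define a ClusterRole or namespaced Role listing only the resources and verbs the KServe participant needs, and point `roleRef` at it instead of `name: cluster-admin`. The pod spec starts outside this hunk.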
@@ -104,4 +105,11 @@ spec:
- name: ac-kserve-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
index 16a3f72049..6fc37c3d01 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
@@ -1,18 +1,16 @@
-{{/*
-# Copyright © 2023 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{ if .Values.global.useStrimziKafka }}
-{{ include "common.kafkauser" . }}
-{{ end }} \ No newline at end of file
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
index ac5ee0b72f..073ffe9618 100644
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
@@ -1,38 +1,38 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2023 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
- namespace: {{ include "common.namespace" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
+ namespace: {{ include "common.namespace" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml
index a432fff142..6f9868bc0d 100755
--- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,6 @@
global:
persistence: {}
#Strimzi Kafka properties
- useStrimziKafka: set-via-parent-chart-global-value
kafkaTopics:
acRuntimeTopic:
name: &acRuntimeTopic policy.clamp-runtime-acm
@@ -42,7 +42,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-kserve-ppnt:7.1.0
+image: onap/policy-clamp-ac-kserve-ppnt:7.1.3
pullPolicy: Always
componentName: &componentName policy-clamp-ac-kserve-ppnt
@@ -67,7 +67,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
# probe configuration parameters
liveness:
@@ -107,6 +107,17 @@ resources:
cpu: "1"
memory: "1.4Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -129,7 +140,3 @@ kafkaUser:
- name: *acRuntimeTopic
type: topic
operations: [Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
index 05b3f2e61e..4460c18fcd 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2022, 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +20,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop Policy Participant
name: policy-clamp-ac-pf-ppnt
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
@@ -31,6 +32,3 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
index f4c26e430a..729a455d07 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml
@@ -59,40 +59,28 @@ participant:
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
group.id: {{ (first .Values.kafkaUser.acls).name }}
allow.auto.create.topics: false
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
topicSinks:
-
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
participantSupportedElementTypes:
-
typeName: org.onap.policy.clamp.acm.PolicyAutomationCompositionElement
@@ -110,4 +98,3 @@ server:
context-path: /onap/policyparticipant
ssl:
enabled: false
-
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
index 5786fcfabd..c29dca9c7d 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,10 +28,8 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafka }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- sh
args:
@@ -49,13 +48,11 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafka }}
- name: SASL_JAAS_CONFIG
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-ku
key: sasl.jaas.config
-{{- end }}
volumeMounts:
- mountPath: /config-input
name: ac-pf-ppnt-config
@@ -63,9 +60,11 @@ spec:
name: ac-pf-ppnt-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/policy-participant.sh"]
@@ -86,11 +85,16 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /opt/app/policy/clamp/etc/mounted
name: ac-pf-ppnt-config-processed
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-pf-ppnt-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -102,9 +106,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: ac-pf-ppnt-config
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -112,4 +113,11 @@ spec:
- name: ac-pf-ppnt-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml
index 92184b8e85..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafka }}
{{ include "common.kafkauser" . }}
-{{ end }} \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
index e676ff13d7..be2449f890 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml
@@ -1,21 +1,21 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
index c867891b78..97bebd00d2 100644
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,6 @@
global:
persistence: {}
#Strimzi Kafka properties
- useStrimziKafka: set-via-parent-chart-global-value
kafkaTopics:
acRuntimeTopic:
name: &acRuntimeTopic policy.clamp-runtime-acm
@@ -54,7 +54,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-pf-ppnt:7.1.0
+image: onap/policy-clamp-ac-pf-ppnt:7.1.3
pullPolicy: Always
componentName: &componentName policy-clamp-ac-pf-ppnt
@@ -87,7 +87,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
# probe configuration parameters
liveness:
@@ -128,6 +128,17 @@ resources:
cpu: "1"
memory: "2Gi"
unlimited: {}
+
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
@@ -151,7 +162,3 @@ kafkaUser:
- name: *acRuntimeTopic
type: topic
operations: [Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml
index 4f929628c7..ef9a7494ec 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml
@@ -1,7 +1,8 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved.
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021-2022 Nordix Foundation
+# Modifications Copyright © 2021-2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Clamp Controlloop Runtime
name: policy-clamp-runtime-acm
-version: 14.0.0
+version: 14.0.2
dependencies:
- name: common
@@ -32,7 +33,4 @@ dependencies:
repository: '@local'
- name: serviceAccount
version: ~13.x-0
- repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
+ repository: '@local' \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml
index 96cb265567..2e09397806 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml
@@ -1,5 +1,5 @@
# ============LICENSE_START=======================================================
-# Copyright (C) 2021-2023 Nordix Foundation.
+# Copyright (C) 2021-2024 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,8 +25,13 @@ spring:
converters:
preferred-json-mapper: gson
datasource:
- url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/clampacm
+ {{ if .Values.global.mariadbGalera.useInPolicy }}
+ url: jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/clampacm
driverClassName: org.mariadb.jdbc.Driver
+ {{ else }}
+ url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm
+ driverClassName: org.postgresql.Driver
+ {{ end }}
username: ${SQL_USER}
password: ${SQL_PASSWORD}
hikari:
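Review bot: Neither JDBC URL sets a TLS mode, so whether `${SQL_USER}`/`${SQL_PASSWORD}` and the query traffic are encrypted is left to driver defaults. Those differ: as far as I know the PostgreSQL driver defaults to `sslmode=prefer`, while MariaDB Connector/J does not use TLS unless asked. If the service mesh is what protects this hop, a comment above `datasource:` such as `# DB traffic is protected by the mesh; no TLS parameters on the JDBC URL` would make that explicit; otherwise add the mode to each URL. The `{{ else }}` branch also selects PostgreSQL whenever `global.mariadbGalera.useInPolicy` is false, without checking that a PostgreSQL instance is enabled. The `spring:` mapping starts outside the hunk.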
@@ -42,7 +47,11 @@ spring:
implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy
properties:
hibernate:
- dialect: org.hibernate.dialect.MariaDB103Dialect
+ {{ if .Values.global.mariadbGalera.useInPolicy }}
+ dialect: org.hibernate.dialect.MariaDBDialect
+ {{ else }}
+ dialect: org.hibernate.dialect.PostgreSQLDialect
+ {{ end }}
format_sql: true
metrics:
@@ -75,40 +84,28 @@ runtime:
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
group.id: {{ (first .Values.kafkaUser.acls).name }}
allow.auto.create.topics: false
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
topicSinks:
-
useHttps: false
fetchTimeout: 15000
topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }}
- {{ if .Values.global.useStrimziKafka }}
topicCommInfrastructure: kafka
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
additionalProps:
client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${SASL_JAAS_CONFIG}
- {{ else }}
- topicCommInfrastructure: dmaap
- servers:
- - ${topicServer:message-router}
- {{ end }}
acmParameters:
toscaElementName: {{ .Values.customNaming.toscaElementName }}
toscaCompositionName: {{ .Values.customNaming.toscaCompositionName }}
@@ -117,4 +114,4 @@ management:
endpoints:
web:
exposure:
- include: health, metrics, prometheus
+ include: health, metrics, prometheus
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
index be8c35aaea..5a206b996e 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
-# Copyright (C) 2021-2023 Nordix Foundation.
+# Copyright (C) 2021-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,15 +28,17 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafka }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- - /app/ready.py
+ - /app/ready.py
args:
- - --job-name
- - {{ include "common.release" . }}-policy-galera-config
+ - --job-name
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+ - {{ include "common.release" . }}-policy-galera-migrator-config
+{{ else }}
+ - {{ include "common.release" . }}-policy-pg-migrator-config
+{{ end }}
env:
- name: NAMESPACE
valueFrom:
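Review bot: The readiness init container now waits for `<release>-policy-galera-migrator-config` or `<release>-policy-pg-migrator-config`, but the `wait_for_job_container` entry changed in this chart's values.yaml becomes `'{{ include "common.release" . }}-galera-migrator-config'`. That name lacks the `policy-` segment and has no PostgreSQL counterpart. One of the two names is likely stale; if anything still consumes `wait_for_job_container`, it would wait on a job that does not exist. The migrator job template is not part of this view, so confirm the name against it and align both places.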
@@ -44,7 +47,8 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-galera-config-readiness
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ name: {{ include "common.name" . }}-db-config-readiness
resources:
limits:
cpu: "100m"
@@ -63,7 +67,7 @@ spec:
- name: SQL_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
- name: RUNTIME_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }}
- name: RUNTIME_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }}
{{- if .Values.global.useStrimziKafka }}
@@ -80,9 +84,11 @@ spec:
name: ac-runtime-config-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"]
@@ -103,25 +109,39 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - mountPath: /opt/app/policy/clamp/etc/mounted
- name: ac-runtime-config-processed
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/clamp/etc/logback.xml
+ subPath: logback.xml
+ name: ac-runtime-config-processed
+ - mountPath: /opt/app/policy/clamp/etc/mounted
+ name: ac-runtime-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: localtime
hostPath:
- path: /etc/localtime
+ path: /etc/localtime
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: ac-runtime-config
configMap:
name: {{ include "common.fullname" . }}-configmap
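Review bot: The pod still mounts the node's `/etc/localtime` through the `localtime` `hostPath` volume, while the policy-distribution deployment in this same commit removes that volume and its mount. Since the commit adds pod and container security contexts, keeping a hostPath here is inconsistent, and namespaces enforcing a Pod Security Standards profile that disallows hostPath volumes would reject the pod. The drools-pdp statefulset keeps the same volume as context. Consider dropping it here as well and setting `TZ` through the environment if the container needs a local timezone.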
@@ -129,4 +149,5 @@ spec:
- name: ac-runtime-config-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
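Review bot: `sizeLimit: 64Mi` on the memory-backed `ac-runtime-config-processed` volume is hard-coded, while the two emptyDir volumes added in the previous hunk take their limits from `.Values.dirSizes`. The same literal is used for `distributionconfig` in policy-distribution and for `drools-config-processed` in policy-drools-pdp. A memory-medium emptyDir is charged to the pod's memory, so operators may want to tune it together with the resource flavor. A values key next to the existing ones (for example `dirSizes.configDir.sizeLimit`, name is only a suggestion) would keep all three limits in one place.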
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml
index 92184b8e85..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafka }}
{{ include "common.kafkauser" . }}
-{{ end }}
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml
index 34cceeded2..eb974d6ed2 100644
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
-# Copyright (C) 2021-2023 Nordix Foundation.
+# Copyright (C) 2021-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,8 +23,11 @@
global:
nodePortPrefixExt: 304
persistence: {}
+ postgres:
+ useInPolicy: false
+ mariadbGalera:
+ useInPolicy: true
#Strimzi Kafka properties
- useStrimziKafka: set-via-parent-chart-global-value
kafkaTopics:
acRuntimeTopic:
name: &acRuntimeTopic policy.clamp-runtime-acm
@@ -49,7 +53,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-runtime-acm:7.1.0
+image: onap/policy-clamp-runtime-acm:7.1.3
pullPolicy: Always
componentName: &componentName policy-clamp-runtime-acm
@@ -85,8 +89,10 @@ db:
user: policy-user
password: policy_user
service:
- name: policy-mariadb
- internalPort: 3306
+ mariadbName: policy-mariadb
+ mariadbPort: 3306
+ pgName: policy-pg-primary
+ pgPort: 5432
# default number of instances
replicaCount: 1
@@ -97,7 +103,7 @@ affinity: {}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
+ initialDelaySeconds: 120
periodSeconds: 10
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
@@ -122,8 +128,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
- - serviceAccount: policy-gui-read
+ - serviceAccount: strimzi-kafka-read
flavor: small
resources:
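Review bot: `authorizedPrincipals` now lists only `strimzi-kafka-read`; the previous `message-router-read` and `policy-gui-read` entries are gone. Kafka clients open the connection to the broker, so it is not obvious that the broker's service account needs inbound access to this service. If nothing from Strimzi calls the REST endpoint, the entry grants access without a need. It is also worth confirming which callers of the runtime-acm API remain and whether their service accounts should be listed instead (how `common.authorizationPolicy` consumes this list is not visible here). The drools-pdp values.yaml makes the same substitution.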
@@ -143,20 +148,26 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: *componentName
roles:
- read
-readinessCheck:
- wait_for:
- - message-router
-
wait_for_job_container:
containers:
- - '{{ include "common.release" . }}-policy-galera-config'
+ - '{{ include "common.release" . }}-galera-migrator-config'
customNaming:
toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement
- toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition
\ No newline at end of file
+ toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition
diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml
index 3de47d06e9..b2d1cde724 100755
--- a/kubernetes/policy/components/policy-distribution/Chart.yaml
+++ b/kubernetes/policy/components/policy-distribution/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy Distribution
name: policy-distribution
-version: 14.0.0
+version: 14.0.1
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml
index f4b8ff7182..fe08271288 100755
--- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- sh
@@ -57,9 +59,11 @@ spec:
name: distributionconfig
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
@@ -86,9 +90,14 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/distribution/etc/logback.xml
+ subPath: logback.xml
+ name: distributionconfig
- mountPath: /opt/app/policy/distribution/etc/mounted
name: distributionconfig
resources: {{ include "common.resources" . | nindent 12 }}
@@ -102,9 +111,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: distributionconfig-input
configMap:
name: {{ include "common.fullname" . }}-configmap
@@ -112,4 +118,11 @@ spec:
- name: distributionconfig
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml
index fd2fe2e5df..f93dffe1ee 100755
--- a/kubernetes/policy/components/policy-distribution/values.yaml
+++ b/kubernetes/policy/components/policy-distribution/values.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright (C) 2023 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,7 +59,7 @@ global:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-distribution:3.1.0
+image: onap/policy-distribution:3.1.3
pullPolicy: Always
# flag to enable debugging - application support required
@@ -141,6 +142,16 @@ resources:
memory: "1Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-distribution
diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml
index 63c4984ac9..25060ae593 100755
--- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright © 2018, 2020 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP Drools Policy Engine (PDP-D)
name: policy-drools-pdp
-version: 14.0.0
+version: 14.0.2
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf
index cf3c54aab4..dc7f788405 100755..100644
--- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf
@@ -2,6 +2,7 @@
# Copyright © 2017-2018 Amdocs, Bell Canada.
# Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property.
# Modifications Copyright (C) 2021 Bell Canada. All rights reserved.
+# Modifications Copyright (C) 2024 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
# JVM options
-JVM_OPTIONS={{.Values.server.jvmOpts}}
+JVM_OPTIONS={{ .Values.server.jvmOpts | quote }}
# SYSTEM software configuration
@@ -40,11 +41,21 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}}
# Relational (SQL) DB access
-SQL_HOST={{ .Values.db.name }}
-SQL_PORT=3306
-JDBC_URL=jdbc:mariadb://{{ .Values.db.name }}:3306/
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+SQL_HOST={{ .Values.db.mariadbName }}
+SQL_PORT={{ .Values.db.mariadbPort }}
+JDBC_URL=jdbc:mariadb://{{ .Values.db.mariadbName }}:{{ .Values.db.mariadbPort }}/
JDBC_OPTS=
+JDBC_DRIVER=org.mariadb.jdbc.Driver
MYSQL_CMD=
+{{ else }}
+SQL_HOST={{ .Values.db.pgName }}
+SQL_PORT={{ .Values.db.pgPort }}
+JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/
+JDBC_OPTS=
+JDBC_DRIVER=org.postgresql.Driver
+MYSQL_CMD=
+{{ end }}
# Liveness
LIVENESS_CONTROLLERS=*
@@ -56,15 +67,15 @@ PROMETHEUS=true
# PDP-D DMaaP configuration channel
-PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION
-PDPD_CONFIGURATION_SERVERS=message-router
+PDPD_CONFIGURATION_TOPIC=pdpd_configuration
+PDPD_CONFIGURATION_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
PDPD_CONFIGURATION_CONSUMER_GROUP=
PDPD_CONFIGURATION_CONSUMER_INSTANCE=
PDPD_CONFIGURATION_PARTITION_KEY=
# PAP-PDP configuration channel
-POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP
+POLICY_PDP_PAP_TOPIC=policy-pdp-pap
POLICY_PDP_PAP_GROUP=defaultGroup
POLICY_PDP_PAP_POLICYTYPES=onap.policies.controlloop.operational.common.Drools
@@ -85,14 +96,22 @@ GUARD_DISABLED=false
# DCAE DMaaP
-DCAE_TOPIC=unauthenticated.DCAE_CL_OUTPUT
-DCAE_SERVERS=message-router
+DCAE_TOPIC=unauthenticated.dcae_cl_output
+DCAE_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
DCAE_CONSUMER_GROUP=dcae.policy.shared
# Open DMaaP
-DMAAP_SERVERS=message-router
+KAFKA_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+KAFKA_ADDITIONAL_PROPS="{
+ \"group.id\": \"${GROUP_ID}\",
+ \"security.protocol\": \"SASL_PLAINTEXT\",
+ \"sasl.mechanism\": \"${SASL}\",
+ \"sasl.jaas.config\": \"${JAASLOGIN}\"
+ }"
+
DMAAP_HTTPS="false"
+KAFKA_HTTPS="false"
# AAI
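Review bot: `KAFKA_ADDITIONAL_PROPS` hard-codes `security.protocol` to `SASL_PLAINTEXT`, so broker traffic is unencrypted unless a service mesh supplies TLS underneath. Because `sasl.mechanism` comes from `kafkaUser.authenticationType`, a `PLAIN` setting would send the password in clear text. Making the protocol a chart value (default unchanged) would allow `SASL_SSL` where no mesh is present. Separately, the substituted `${JAASLOGIN}` ends up inside a double-quoted string in a file mounted under `profile.d`. If a shell sources that file, a credential containing `$`, a backtick or a backslash would be reinterpreted, so single-quoting the JSON or keeping the JAAS config in its own variable would be more robust.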
@@ -122,4 +141,4 @@ SDNC_CONTEXT_URI=restconf/operations/
# CDS
CDS_GRPC_HOST={{.Values.cds.grpc.svcName}}
-CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}}
+CDS_GRPC_PORT={{.Values.cds.grpc.svcPort}}
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties
new file mode 100644
index 0000000000..d4577b577a
--- /dev/null
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties
@@ -0,0 +1,37 @@
+###
+# ============LICENSE_START=======================================================
+# ONAP
+# ================================================================================
+# Copyright (C) 2024 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+#Database properties
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver
+jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS}
+jakarta.persistence.jdbc.user=${envd:SQL_USER}
+jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD}
+{{ else }}
+jakarta.persistence.jdbc.driver=org.postgresql.Driver
+jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS}
+jakarta.persistence.jdbc.user=${envd:SQL_USER}
+jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD}
+{{ end }}
+
+# default property values are commented out
+#distributed.locking.expire.check.seconds=900
+#distributed.locking.retry.seconds=60
+#distributed.locking.max.retries=2
\ No newline at end of file
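Review bot: The two template branches differ only in the driver class; the URL, user and password lines are duplicated verbatim. base.conf in this commit already sets `JDBC_DRIVER` for each database, so a single `jakarta.persistence.jdbc.driver=${envd:JDBC_DRIVER}` would remove the conditional from this file, assuming `envd` resolves it the same way it resolves `JDBC_URL`. A short comment on the literal `pooling` between `JDBC_URL` and `JDBC_OPTS` (it reads as the database name) would also help the next reader.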
diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties
new file mode 100644
index 0000000000..26e10122da
--- /dev/null
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties
@@ -0,0 +1,41 @@
+# ============LICENSE_START=======================================================
+# ONAP
+# ================================================================================
+# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+lifecycle.pdp.group=${envd:POLICY_PDP_PAP_GROUP:defaultGroup}
+lifecycle.pdp.type=${envd:POLICY_PDP_PAP_TYPE:drools}
+
+# Mandatory policy types that this PDP-D must support at a minimum
+lifecycle.pdp.policytypes=${envd:POLICY_PDP_PAP_POLICYTYPES}
+
+kafka.source.topics=${envd:POLICY_PDP_PAP_TOPIC}
+kafka.sink.topics=${envd:POLICY_PDP_PAP_TOPIC}
+
+kafka.source.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS}
+kafka.source.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC}
+kafka.source.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY}
+kafka.source.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET}
+kafka.source.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false}
+kafka.source.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS}
+
+kafka.sink.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS}
+kafka.sink.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC}
+kafka.sink.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY}
+kafka.sink.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET}
+kafka.sink.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false}
+kafka.sink.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS}
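Review bot: The per-topic keys hard-code the topic name (`kafka.source.topics.policy-pdp-pap.servers` and its siblings) while the topic list itself comes from `${envd:POLICY_PDP_PAP_TOPIC}`. If that variable is ever set to something other than `policy-pdp-pap`, the servers, `additionalProps` and API credentials configured here would presumably no longer apply to the configured topic. Add a comment stating that the two must stay in sync, for example `# key segment must equal POLICY_PDP_PAP_TOPIC from base.conf`.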
diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf
index 761e8afef8..c9277b69d3 100755
--- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf
@@ -1,6 +1,7 @@
{{/*
# Copyright 2018-2019 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada.
+# Modifications Copyright © 2024 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,4 +16,4 @@
# limitations under the License.
*/}}
-POOLING_TOPIC=POOLING
+POOLING_TOPIC=policy-pdp-pooling
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml
index 7158c0263f..1d571df8b7 100644
--- a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2023 Nordix Foundation
+# Copyright © 2024 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,5 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
-{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml
index c7322b1f94..3f45b2f6e0 100755
--- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml
@@ -16,4 +16,3 @@
*/}}
{{ include "common.service" . }}
-
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml
index 013732e2d2..a24476cc74 100755..100644
--- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml
@@ -1,6 +1,8 @@
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,12 +27,17 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
args:
- --job-name
- - {{ include "common.release" . }}-policy-galera-config
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+ - {{ include "common.release" . }}-policy-galera-migrator-config
+{{ else }}
+ - {{ include "common.release" . }}-policy-pg-migrator-config
+{{ end }}
env:
- name: NAMESPACE
valueFrom:
@@ -39,6 +46,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-db-readiness
resources:
limits:
@@ -51,7 +59,7 @@ spec:
- command:
- /app/ready.py
args:
- - --container-name
+ - --service-name
- {{ .Values.nexus.name }}
env:
- name: NAMESPACE
@@ -59,8 +67,17 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ - name: KAFKA_URL
+ value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+ - name: SASL
+ value: {{ .Values.kafkaUser.authenticationType | upper }}
+ - name: GROUP_ID
+ value: {{ .Values.config.kafka.consumer.groupId }}
+ - name: PAP_TOPIC
+ value: {{ .Values.config.app.listener.policyPdpPapTopic }}
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-readiness
resources:
limits:
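Review bot: The env entries added to this readiness container (`KAFKA_URL`, `SASL`, `GROUP_ID`, `PAP_TOPIC`) render their values unquoted, e.g. `value: {{ .Values.config.kafka.consumer.groupId }}`. An env `value` must be a string, so a group id or topic that looks like a number or boolean would fail validation when applied; piping through `quote`, as in `value: {{ .Values.config.kafka.consumer.groupId | quote }}`, avoids that. The same applies to the env block of the `update-config` init container added in the next hunk. It is also unclear from the visible `--service-name` arguments whether this container reads these variables at all; the container definition continues outside the hunk.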
@@ -70,12 +87,43 @@ spec:
cpu: "3m"
memory: "20Mi"
{{- end }}
+ - command:
+ - sh
+ args:
+ - -c
+ - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done
+ env:
+ - name: KAFKA_URL
+ value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+ - name: SASL
+ value: {{ .Values.kafkaUser.authenticationType | upper }}
+ - name: GROUP_ID
+ value: {{ .Values.config.kafka.consumer.groupId }}
+ {{- if .Values.global.useStrimziKafka }}
+ - name: JAASLOGIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
+ {{- end }}
+ volumeMounts:
+ - mountPath: /config-input
+ name: drools-config
+ - mountPath: /config
+ name: drools-config-processed
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["sh","-c"]
- args: ["/opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"]
+ args:
+ - ls /tmp/policy-install;
+ /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot
ports: {{ include "common.containerPorts" . | nindent 12 }}
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
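Review bot: The `update-config` command expands `$JAASLOGIN` unquoted inside a backtick substitution, so the secret goes through word splitting and glob expansion before it is written back, and the loop iterates over parsed `ls -1` output. Quoting and a plain glob are more robust: `JAASLOGIN=$(printf '%s' "$JAASLOGIN" | tr -d '"')` and `for PFILE in *; do envsubst <"$PFILE" >"/config/$PFILE"; done`. Stripping every double quote also alters a credential that legitimately contains one, which deserves a comment explaining why it is done. In the main container, `ls /tmp/policy-install;` looks like a debugging leftover: `/tmp` is now an emptyDir subPath and the command's exit status is discarded.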
@@ -102,30 +150,55 @@ spec:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }}
- - mountPath: /tmp/policy-install/config/{{ base $path }}
- name: drools-secret
- subPath: {{ base $path }}
- {{- end }}
- {{- range $path, $bytes := .Files.Glob "resources/configmaps/*" }}
- - mountPath: /tmp/policy-install/config/{{ base $path }}
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/etc/profile.d/base.conf
+ subPath: base.conf
+ name: drools-config-processed
+ - mountPath: /opt/app/policy/etc/profile.d/credentials.conf
+ subPath: credentials.conf
+ name: drools-config-processed
+ - mountPath: /opt/app/policy/etc/profile.d/feature-pooling-messages.conf
+ subPath: feature-pooling-messages.conf
+ name: drools-config-processed
+ - mountPath: /opt/app/policy/config/feature-lifecycle.properties
+ subPath: feature-lifecycle.properties
+ name: drools-config-processed
+ - mountPath: /opt/app/policy/config/engine-system.properties
+ subPath: engine-system.properties
+ name: drools-config-processed
+ - mountPath: /opt/app/policy/config/feature-distributed-locking.properties
+ subPath: feature-distributed-locking.properties
+ name: drools-config-processed
+ - mountPath: /opt/app/policy/config/logback.xml
+ subPath: logback.xml
name: drools-config
- subPath: {{ base $path }}
- {{- end }}
+ - mountPath: /opt/app/policy/config/settings.xml
+ subPath: settings.xml
+ name: drools-config-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: localtime
hostPath:
path: /etc/localtime
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: drools-config
configMap:
name: {{ include "common.fullname" . }}-configmap
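Review bot: `credentials.conf` is now mounted from `drools-config-processed`, which the `update-config` init container fills only from `/config-input`, that is, from the `drools-config` ConfigMap. The `resources/secrets/*` mounts from `drools-secret` are removed, yet the `drools-secret` volume stays declared further down. Unless the ConfigMap copy of that file (not visible here) holds only `${...}` placeholders, this moves credential material from a Secret into a ConfigMap, which is typically readable under weaker RBAC. Please confirm where `credentials.conf` now originates and drop the unused volume if nothing mounts it any more.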
@@ -135,6 +208,10 @@ spec:
path: {{ base $path }}
mode: 0755
{{- end }}
+ - name: drools-config-processed
+ emptyDir:
+ medium: Memory
+ sizeLimit: 64Mi
- name: drools-secret
secret:
secretName: {{ include "common.fullname" . }}-secret
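Review bot: The new `drools-config-processed` volume hard-codes `sizeLimit: 64Mi`, while the `empty-dir` and `logs` volumes added earlier in this file take theirs from `.Values.dirSizes.*`. Because `medium: Memory` makes this a tmpfs, anything written there is charged to the container's memory limit, so operators sizing the `resources` flavors need to be able to see and tune the number. Keeping the processed `credentials.conf` off node disk is a sensible choice; I would only move the limit into values, e.g. `sizeLimit: {{ .Values.dirSizes.processedConfigDir.sizeLimit }}` with a matching default (the key name is a suggestion, not an existing value). The `volumes:` list starts and continues outside this hunk.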
diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml
index 6e86b3e64a..f22d642e95 100755..100644
--- a/kubernetes/policy/components/policy-drools-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml
@@ -1,6 +1,8 @@
# Copyright © 2017 Amdocs
# Copyright © 2017, 2021 Bell Canada
# Modifications Copyright © 2018-2022 AT&T Intellectual Property
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,7 +21,10 @@
#################################################################
global:
nodePortPrefix: 302
-
+ postgres:
+ useInPolicy: false
+ mariadbGalera:
+ useInPolicy: true
#################################################################
# Secrets metaconfig
#################################################################
@@ -41,7 +46,9 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-pdpd-cl:2.1.0
+# The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes
+image: onap/policy-pdpd-cl:2.1.3
+
pullPolicy: Always
# flag to enable debugging - application support required
@@ -83,10 +90,10 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
server:
- jvmOpts: -server -XshowSettings:vm
+ jvmOpts: "-server -XshowSettings:vm"
telemetry:
user: demo@people.osaaf.org
@@ -100,7 +107,10 @@ nexus:
offline: true
db:
- name: policy-mariadb
+ mariadbName: policy-mariadb
+ pgName: policy-pg-primary
+ mariadbPort: 3306
+ pgPort: 5432
user: policy-user
password: policy_user
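Review bot: The `db` block now points at two backends (`policy-mariadb` and `policy-pg-primary`) but still carries the chart-default `user: policy-user` / `password: policy_user` pair directly beneath the new keys, so a PostgreSQL deployment inherits the same well-known credential unless it is overridden. The `secrets:` metaconfig is outside this hunk, so whether an external secret normally replaces the value cannot be confirmed from here. A comment on the block such as `# override db.password (or supply an external secret) for anything other than a lab install` would make the expectation explicit. Separately, `db.name` is removed without an alias, so an existing override file that still sets it would be silently ignored.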
@@ -171,6 +181,16 @@ resources:
memory: "1.6Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-drools-pdp
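Review bot: `dirSizes.logDir.sizeLimit: 500Mi` caps the `logs` emptyDir, and the kubelet evicts a pod whose emptyDir usage goes over its limit, so the log rotation caps have to stay below this number. The drools `logback.xml` is not part of this hunk, so that cannot be checked here; the policy-gui logback removed in this same commit used `totalSizeCap` values of 10GB per appender, which suggests the usual defaults may be far larger than 500Mi. A comment next to the value, e.g. `# must stay above the combined logback totalSizeCap; the pod is evicted once the limit is exceeded`, would document the coupling. The `resources:` and `serviceAccount:` blocks continue outside the hunk.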
@@ -197,3 +217,68 @@ metrics:
chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
release: '{{ include "common.release" . }}'
heritage: '{{ .Release.Service }}'
+
+config:
+ # Event consumption (kafka) properties
+ kafka:
+ consumer:
+ groupId: policy-drools-pdp
+ app:
+ listener:
+ policyPdpPapTopic: policy-pdp-pap
+
+# Strimzi Kafka config
+kafkaUser:
+ authenticationType: scram-sha-512
+ acls:
+ - name: policy-drools-pdp
+ type: group
+ operations: [ Create, Describe, Read, Write ]
+ - name: policy-pdp-pap
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: a1-p-rsp
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: a1-p
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: appc-cl
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: appc-lcm-read
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: appc-lcm-write
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: dcae_cl_rsp
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: unauthenticated.dcae_cl_output
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: dcae_topic
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: policy-cl-mgt
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: sdnr-cl-rsp
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
+ - name: sdnr-cl
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
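Review bot: Every entry in `kafkaUser.acls` grants the same `[ Create, Describe, Read, Write ]` set, and every topic entry uses `patternType: prefix`, which is broader than a single consumer/producer needs. A prefix rule matches any topic whose name merely starts with the string, so `a1-p` already covers `a1-p-rsp` and `sdnr-cl` covers `sdnr-cl-rsp`, and any future topic that shares a prefix becomes writable as well. Which topics drools only consumes is not visible in this hunk, but those could be narrowed to something like `operations: [ Describe, Read ]`, and exact names pinned with `patternType: literal`. If `Create` is only there because topics are auto-created on first use, a comment saying so would help the next reviewer.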
diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml
deleted file mode 100644
index 28972b59b0..0000000000
--- a/kubernetes/policy/components/policy-gui/Chart.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021, 2024 Nordix Foundation
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP Policy GUI
-name: policy-gui
-version: 14.0.0
-
-dependencies:
- - name: repositoryGenerator
- version: ~13.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~13.x-0
- repository: '@local'
diff --git a/kubernetes/policy/components/policy-gui/resources/config/application.yml b/kubernetes/policy/components/policy-gui/resources/config/application.yml
deleted file mode 100644
index f81a1b452a..0000000000
--- a/kubernetes/policy/components/policy-gui/resources/config/application.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-server:
- port: 2443
- ssl:
- enabled: false
-
-clamp:
- url:
- disable-ssl-validation: true
- disable-ssl-hostname-check: true
-
-apex-editor:
- upload-url:
- upload-userid:
-
-management:
- endpoints:
- web:
- exposure:
- include: health, metrics, prometheus
diff --git a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml b/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml
deleted file mode 100644
index 0b3951726b..0000000000
--- a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-filebeat.prospectors:
-#it is mandatory, in our case it's log
-- input_type: log
- #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory.
- paths:
- - /var/log/onap/*/*/*/*.log
- - /var/log/onap/*/*/*.log
- - /var/log/onap/*/*.log
- #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive
- ignore_older: 48h
- # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit
- clean_inactive: 96h
-
-# Name of the registry file. If a relative path is used, it is considered relative to the
-# data path. Else full qualified file name.
-#filebeat.registry_file: ${path.data}/registry
-
-
-output.logstash:
- #List of logstash server ip addresses with port number.
- #But, in our case, this will be the loadbalancer IP address.
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately.
- hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"]
- #If enable will do load balancing among availabe Logstash, automatically.
- loadbalance: true
-
- #The list of root certificates for server verifications.
- #If certificate_authorities is empty or not set, the trusted
- #certificate authorities of the host system are used.
- #ssl.certificate_authorities: $ssl.certificate_authorities
-
- #The path to the certificate for SSL client authentication. If the certificate is not specified,
- #client authentication is not available.
- #ssl.certificate: $ssl.certificate
-
- #The client certificate key used for client authentication.
- #ssl.key: $ssl.key
-
- #The passphrase used to decrypt an encrypted key stored in the configured key file
- #ssl.key_passphrase: $ssl.key_passphrase
diff --git a/kubernetes/policy/components/policy-gui/resources/config/logback.xml b/kubernetes/policy/components/policy-gui/resources/config/logback.xml
deleted file mode 100644
index c20df8329d..0000000000
--- a/kubernetes/policy/components/policy-gui/resources/config/logback.xml
+++ /dev/null
@@ -1,118 +0,0 @@
-<!--
- ============LICENSE_START=======================================================
- policy-gui
- ================================================================================
- Copyright (C) 2021-2022 Nordix Foundation.
- ================================================================================
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- ============LICENSE_END=========================================================
- -->
-
-<configuration scan="true" scanPeriod="30 seconds" debug="false">
- <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
- <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
- <level>TRACE</level>
- </filter>
- <encoder>
- <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n
- </pattern>
- </encoder>
- </appender>
-
- <appender name="ERROR" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <file>${POLICY_LOGS}/error.log</file>
- <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
- <fileNamePattern>${POLICY_LOGS}/error.%d{yyyy-MM-dd}.%i.log.zip
- </fileNamePattern>
- <maxFileSize>50MB</maxFileSize>
- <maxHistory>30</maxHistory>
- <totalSizeCap>10GB</totalSizeCap>
- </rollingPolicy>
- <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
- <level>TRACE</level>
- </filter>
- <encoder>
- <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern>
- </encoder>
- </appender>
-
- <appender name="asyncError" class="ch.qos.logback.classic.AsyncAppender">
- <appender-ref ref="ERROR" />
- </appender>
-
- <appender name="DEBUG" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <file>${POLICY_LOGS}/debug.log</file>
- <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
- <fileNamePattern>${POLICY_LOGS}/debug.%d{yyyy-MM-dd}.%i.log.zip
- </fileNamePattern>
- <maxFileSize>50MB</maxFileSize>
- <maxHistory>30</maxHistory>
- <totalSizeCap>10GB</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n</pattern>
- </encoder>
- </appender>
-
- <appender name="asyncDebug" class="ch.qos.logback.classic.AsyncAppender">
- <appender-ref ref="DEBUG" />
- </appender>
-
- <appender name="NETWORK" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <file>${POLICY_LOGS}/network.log</file>
- <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
- <fileNamePattern>${POLICY_LOGS}/network.%d{yyyy-MM-dd}.%i.log.zip
- </fileNamePattern>
- <maxFileSize>50MB</maxFileSize>
- <maxHistory>30</maxHistory>
- <totalSizeCap>10GB</totalSizeCap>
- </rollingPolicy>
- <encoder>
- <pattern>[%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n</pattern>
- </encoder>
- </appender>
-
- <appender name="asyncNetwork" class="ch.qos.logback.classic.AsyncAppender">
- <appender-ref ref="NETWORK" />
- </appender>
-
- <logger name="network" level="TRACE" additivity="false">
- <appender-ref ref="asyncNetwork" />
- </logger>
-
- <logger name="org.apache" level="TRACE" additivity="false">
- <appender-ref ref="DEBUG" />
- </logger>
-
- <!-- Spring related loggers -->
- <logger name="org.springframework" level="TRACE" additivity="false">
- <appender-ref ref="DEBUG" />
- </logger>
-
- <!-- GUI related loggers -->
- <logger name="org.onap.policy.gui" level="TRACE" additivity="false">
- <appender-ref ref="ERROR" />
- <appender-ref ref="DEBUG" />
- </logger>
-
- <!-- logback internals logging -->
- <logger name="ch.qos.logback.classic" level="INFO" />
- <logger name="ch.qos.logback.core" level="INFO" />
-
- <root level="TRACE">
- <appender-ref ref="asyncDebug" />
- <appender-ref ref="asyncError" />
- <appender-ref ref="asyncNetwork" />
- <appender-ref ref="STDOUT" />
- </root>
-</configuration>
diff --git a/kubernetes/policy/components/policy-gui/templates/NOTES.txt b/kubernetes/policy/components/policy-gui/templates/NOTES.txt
deleted file mode 100644
index e44f333e11..0000000000
--- a/kubernetes/policy/components/policy-gui/templates/NOTES.txt
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
- http://{{ . }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit https://127.0.0.1:8443 to use your application"
- kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/policy/components/policy-gui/templates/configmap.yaml b/kubernetes/policy/components/policy-gui/templates/configmap.yaml
deleted file mode 100644
index 9426b0f54f..0000000000
--- a/kubernetes/policy/components/policy-gui/templates/configmap.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-configmap
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/*.{xml,yaml,yml}").AsConfig . | indent 2 }}
-
-{{ include "common.log.configMap" . }}
diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml
deleted file mode 100644
index ff1ae9472c..0000000000
--- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml
+++ /dev/null
@@ -1,127 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021-2022 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: apps/v1
-kind: Deployment
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-spec:
- selector: {{- include "common.selectors" . | nindent 4 }}
- replicas: {{ .Values.replicaCount }}
- template:
- metadata: {{- include "common.templateMetadata" . | nindent 6 }}
- spec:
- initContainers:
- - command:
- - sh
- args:
- - -c
- - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done"
- env:
- - name: POLICY_LOGS
- value: {{ .Values.log.path }}
- volumeMounts:
- - mountPath: /config-input
- name: policy-gui-config
- - mountPath: /config
- name: policy-gui-config-processed
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
- - command:
- - /app/ready.py
- args:
- - --container-name
- - policy-clamp-runtime-acm
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-readiness
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
- containers:
- # side car containers
- {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }}
- # main container
- - name: {{ include "common.name" . }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command: ["/opt/app/policy/gui/bin/policy-gui.sh"]
- env:
- - name: CLAMP_URL
- value: http://policy-clamp-runtime-acm:6969
- ports: {{ include "common.containerPorts" . | nindent 12 }}
- # disable liveness probe when breakpoints set in debugger
- # so K8s doesn't restart unresponsive container
- {{- if eq .Values.liveness.enabled true }}
- livenessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
- periodSeconds: {{ .Values.liveness.periodSeconds }}
- {{ end -}}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- volumeMounts:
- - name: logs
- mountPath: {{ .Values.log.path }}
- - mountPath: /opt/app/policy/gui/etc/application.yml
- name: policy-gui-config-processed
- subPath: application.yml
- - mountPath: /opt/app/policy/gui/etc/logback.xml
- name: policy-gui-config-processed
- subPath: logback.xml
- resources: {{ include "common.resources" . | nindent 12 }}
- {{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
- {{- end }}
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
- - name: {{ include "common.fullname" . }}-config
- configMap:
- name: {{ include "common.fullname" . }}
- - name: logs
- emptyDir: {}
- {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }}
- - name: policy-gui-config
- configMap:
- name: {{ include "common.fullname" . }}-configmap
- defaultMode: 0755
- - name: policy-gui-config-processed
- emptyDir:
- medium: Memory
- {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-gui/templates/ingress.yaml b/kubernetes/policy/components/policy-gui/templates/ingress.yaml
deleted file mode 100644
index e3dd7cb0f6..0000000000
--- a/kubernetes/policy/components/policy-gui/templates/ingress.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.ingress" . }}
diff --git a/kubernetes/policy/components/policy-gui/templates/secrets.yaml b/kubernetes/policy/components/policy-gui/templates/secrets.yaml
deleted file mode 100644
index 2af7fae2d9..0000000000
--- a/kubernetes/policy/components/policy-gui/templates/secrets.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-gui/templates/service.yaml b/kubernetes/policy/components/policy-gui/templates/service.yaml
deleted file mode 100644
index 36406228d5..0000000000
--- a/kubernetes/policy/components/policy-gui/templates/service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml
deleted file mode 100644
index 3338d8f724..0000000000
--- a/kubernetes/policy/components/policy-gui/values.yaml
+++ /dev/null
@@ -1,130 +0,0 @@
-# ============LICENSE_START=======================================================
-# Copyright (C) 2021-2022 Nordix Foundation.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global: # global defaults
- nodePortPrefix: 304
- centralizedLoggingEnabled: true
-
-subChartsOnly:
- enabled: true
-
-flavor: small
-
-# application image
-image: onap/policy-gui:3.1.0
-pullPolicy: Always
-
-# flag to enable debugging - application support required
-debugEnabled: false
-
-# log configuration
-log:
- path: /var/log/onap/policy/gui
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-config:
- log:
- logstashServiceName: log-ls
- logstashPort: 5044
- dataRootDir: /dockerdata-nfs
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 120
- periodSeconds: 10
- timeoutSeconds: 3
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 3
-
-service:
- type: NodePort
- name: policy-gui
- internalPort: 2443
- ports:
- - name: http
- port: 2443
- nodePort: 43
-
- # see https://wiki.onap.org/display/DW/OOM+NodePort+List
-
-ingress:
- enabled: false
- service:
- - baseaddr: "policy-ui"
- name: "policy-gui"
- port: 2443
- config:
- ssl: "redirect"
-
-serviceMesh:
- authorizationPolicy:
- authorizedPrincipals:
- - serviceAccount: istio-ingress
- namespace: istio-ingress
-
- #resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- #
- # Example:
- # Configure resource requests and limits
- # ref: http://kubernetes.io/docs/user-guide/compute-resources/
- # Minimum memory for development is 2 CPU cores and 4GB memory
- # Minimum memory for production is 4 CPU cores and 8GB memory
-resources:
- small:
- limits:
- cpu: "1"
- memory: "700Mi"
- requests:
- cpu: "0.5"
- memory: "700Mi"
- large:
- limits:
- cpu: "2"
- memory: "1.4Gi"
- requests:
- cpu: "1"
- memory: "1.4Gi"
- unlimited: {}
-
-#Pods Service Account
-serviceAccount:
- nameOverride: policy-gui
- roles:
- - read
diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml
index 8d04647a75..dcb3c3ac72 100755
--- a/kubernetes/policy/components/policy-nexus/Chart.yaml
+++ b/kubernetes/policy/components/policy-nexus/Chart.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright © 2018-2020 AT&T
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP Policy Nexus
name: policy-nexus
-version: 14.0.0
+version: 14.0.2
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml
index c56ed8d2b9..fe183cfa24 100755
--- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,16 +25,19 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command: ["sh", "-c", "chown -R 200:200 /share"]
image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-init
volumeMounts:
- mountPath: /share
name: nexus-data
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports: {{ include "common.containerPorts" . | nindent 12 }}
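Review bot: The init container still runs `chown -R 200:200 /share`, but it now receives `common.containerSecurityContext`, and the values.yaml hunk in this commit sets `securityContext.user_id: 100` and `group_id: 102`. What the helper renders is not visible here; if it enforces a non-root user or drops capabilities the chown will fail, and if it applies the same IDs to the main container, Nexus would run as 100:102 against data owned by 200:200. Either align the IDs (`user_id: 200`, `group_id: 200`) or drop the chown step and rely on a pod-level `fsGroup`. The container spec continues outside the hunk.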
@@ -51,9 +55,6 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- mountPath: /sonatype-work
name: nexus-data
resources:
@@ -72,9 +73,6 @@ spec:
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}}
volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- name: nexus-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml
index 6aee4ca230..8d13879023 100755
--- a/kubernetes/policy/components/policy-nexus/templates/service.yaml
+++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml
@@ -15,4 +15,4 @@
# limitations under the License.
*/}}
-{{ include "common.service" . }} \ No newline at end of file
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml
index f10d55dcee..cc75a9fe15 100755
--- a/kubernetes/policy/components/policy-nexus/values.yaml
+++ b/kubernetes/policy/components/policy-nexus/values.yaml
@@ -1,5 +1,7 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
+# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright (C) 2024 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,6 +21,10 @@
global:
nodePortPrefix: 302
persistence: {}
+ postgres:
+ useInPolicy: false
+ mariadbGalera:
+ useInPolicy: true
#################################################################
# Application configuration defaults.
@@ -97,6 +103,10 @@ resources:
memory: "1Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
#Pods Service Account
serviceAccount:
nameOverride: policy-nexus
diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml
index 697aaa1575..2122e6fb3f 100755
--- a/kubernetes/policy/components/policy-pap/Chart.yaml
+++ b/kubernetes/policy/components/policy-pap/Chart.yaml
@@ -3,6 +3,7 @@
# Modified Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,7 @@
apiVersion: v2
description: ONAP Policy Administration (PAP)
name: policy-pap
-version: 14.0.0
+version: 14.0.2
dependencies:
- name: common
@@ -33,7 +34,4 @@ dependencies:
repository: '@local'
- name: serviceAccount
version: ~13.x-0
- repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
+ repository: '@local' \ No newline at end of file
diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml
index 5496d93174..58dfc9f497 100644
--- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml
+++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml
@@ -1,6 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2022 Bell Canada. All rights reserved.
-# Modifications Copyright © 2022 Nordix Foundation
+# Modifications Copyright © 2022-2024 Nordix Foundation
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@ spring:
converters:
preferred-json-mapper: gson
datasource:
-{{ if not .Values.global.postgres.localCluster }}
+{{ if .Values.global.mariadbGalera.useInPolicy }}
url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin
driverClassName: org.mariadb.jdbc.Driver
username: "${SQL_USER}"
@@ -34,9 +34,6 @@ spring:
hikari:
maximumPoolSize: 20
jpa:
- properties:
- hibernate:
- dialect: org.hibernate.dialect.MariaDB103Dialect
hibernate:
ddl-auto: none
naming:
@@ -58,10 +55,6 @@ spring:
naming:
physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy
- properties:
- hibernate:
- dialect: org.hibernate.dialect.PostgreSQLDialect
- format_sql: true
{{ end }}
server:
@@ -73,17 +66,10 @@ server:
pap:
name: PapGroup
- aaf: false
topic:
- {{ if .Values.global.useStrimziKafkaPf }}
pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }}
notification.name: {{ .Values.config.kafka.topics.policyNotification }}
heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }}
- {{ else }}
- pdp-pap.name: {{ .Values.dmaap.topics.policyPdpPap }}
- notification.name: {{ .Values.dmaap.topics.policyNotification }}
- heartbeat.name: {{ .Values.dmaap.topics.policyHeartbeat }}
- {{ end }}
pdpParameters:
heartBeatMs: 120000
updateParameters:
@@ -97,77 +83,49 @@ pap:
topicSources:
- useHttps: false
fetchTimeout: 15000
- {{ if .Values.global.useStrimziKafkaPf }}
topic: {{ .Values.config.kafka.topics.policyPdpPap }}
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
topicCommInfrastructure: kafka
additionalProps:
group.id : {{ .Values.config.kafka.consumer.groupId }}
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${JAASLOGIN}
- {{ else }}
- topic: {{ .Values.dmaap.topics.policyPdpPap }}
- servers:
- - ${topicServer:message-router}
- topicCommInfrastructure: dmaap
- {{ end }}
- useHttps: false
fetchTimeout: 15000
- {{ if .Values.global.useStrimziKafkaPf }}
topic: {{ .Values.config.kafka.topics.policyHeartbeat }}
effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }}
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
topicCommInfrastructure: kafka
additionalProps:
group.id : {{ .Values.config.kafka.consumer.groupId }}
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${JAASLOGIN}
- {{ else }}
- topic: {{ .Values.dmaap.topics.policyHeartbeat }}
- effectiveTopic: {{ .Values.dmaap.topics.policyPdpPap }}
- servers:
- - ${topicServer:message-router}
- topicCommInfrastructure: dmaap
- {{ end }}
topicSinks:
- useHttps: false
- {{ if .Values.global.useStrimziKafkaPf }}
topic: {{ .Values.config.kafka.topics.policyPdpPap }}
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
topicCommInfrastructure: kafka
additionalProps:
group.id : {{ .Values.config.kafka.consumer.groupId }}
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${JAASLOGIN}
- {{ else }}
- topic: {{ .Values.dmaap.topics.policyPdpPap }}
- servers:
- - ${topicServer:message-router}
- topicCommInfrastructure: dmaap
- {{ end }}
- useHttps: false
- {{ if .Values.global.useStrimziKafkaPf }}
topic: {{ .Values.config.kafka.topics.policyNotification }}
servers:
- - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
topicCommInfrastructure: kafka
additionalProps:
group.id : {{ .Values.config.kafka.consumer.groupId }}
security.protocol: SASL_PLAINTEXT
sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
sasl.jaas.config: ${JAASLOGIN}
- {{ else }}
- topic: {{ .Values.dmaap.topics.policyNotification }}
- servers:
- - ${topicServer:message-router}
- topicCommInfrastructure: dmaap
- {{ end }}
+
# If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks
# servers:
# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092
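Review bot: With the dmaap branch removed, every topic source and sink is pinned to `security.protocol: SASL_PLAINTEXT`, so there is no TLS at the Kafka layer and confidentiality rests on whatever the mesh provides; the same value is added to config.json for policy-xacml-pdp. I would add a comment above the first `additionalProps`, e.g. `# SASL_PLAINTEXT: no TLS to the broker; relies on service-mesh mTLS`, or make the protocol a chart value. The bootstrap address also lost its literal `:9092`, so `global.kafkaBootstrap` must now carry the port. The trailing comment still points at `.Values.config.kafkaBootstrap`, which this commit removes from values.yaml.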
@@ -185,13 +143,6 @@ pap:
password: "${API_PASSWORD}"
useHttps: false
basePath: policy/api/v1/healthcheck
- - clientName: distribution
- hostname: policy-distribution
- port: 6969
- userName: "${DISTRIBUTION_USER}"
- password: "${DISTRIBUTION_PASSWORD}"
- useHttps: false
- basePath: healthcheck
management:
endpoints:
diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml
index 67a2270fb8..f7c400865f 100755..100644
--- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml
@@ -2,6 +2,8 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright (C) 2022 Bell Canada. All rights reserved.
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -28,26 +30,26 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
-{{- if not .Values.global.useStrimziKafkaPf }}
-{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
-{{- end }}
- command:
- - /app/ready.py
+ - /app/ready.py
args:
- - --job-name
-{{ if not .Values.global.postgres.localCluster }}
- - {{ include "common.release" . }}-policy-galera-config
+ - --job-name
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+ - {{ include "common.release" . }}-policy-galera-migrator-config
{{ else }}
- - {{ include "common.release" . }}-policy-pg-config
-{{ end }} env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
+ - {{ include "common.release" . }}-policy-pg-migrator-config
+{{ end }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-db-readiness
resources:
limits:
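Review bot: The readiness job name is chosen from `global.mariadbGalera.useInPolicy` alone, and `global.postgres.useInPolicy` (added to values.yaml in this commit) is not consulted in any hunk shown, so setting both flags true or both false silently picks one backend. Consider `{{ else if .Values.global.postgres.useInPolicy }}` for the pg job, followed by `{{ else }}{{ fail "enable exactly one of mariadbGalera/postgres useInPolicy" }}`, so a contradictory configuration stops at render time. The same single-flag test is used in papParameters.yaml, xacml.properties and the policy-xacml-pdp deployment.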
@@ -78,7 +80,7 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }}
- name: DISTRIBUTION_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }}
-{{- if .Values.global.useStrimziKafkaPf }}
+{{- if .Values.global.useStrimziKafka }}
- name: JAASLOGIN
valueFrom:
secretKeyRef:
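Review bot: `JAASLOGIN` stays behind `{{- if .Values.global.useStrimziKafka }}` although this commit makes kafkauser.yaml unconditional and papParameters.yaml always references `${JAASLOGIN}`; with the flag false the config would presumably be rendered with an empty `sasl.jaas.config`. The policy-xacml-pdp deployment in this commit injects the same variable without a condition, so dropping the `if`/`end` pair here would make the two charts agree. The context lines above still inject `DISTRIBUTION_USER` and `DISTRIBUTION_PASSWORD`, while the distribution healthcheck that used them is removed from papParameters.yaml; if nothing else reads them, that secret reference can go too. The `if` block closes outside the hunk.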
@@ -92,9 +94,11 @@ spec:
name: papconfig-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -126,25 +130,39 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeout }}
volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - mountPath: /opt/app/policy/pap/etc/mounted
- name: papconfig-processed
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/pap/etc/logback.xml
+ subPath: logback.xml
+ name: papconfig-processed
+ - name: papconfig-processed
+ mountPath: /opt/app/policy/pap/etc/mounted
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: localtime
hostPath:
- path: /etc/localtime
+ path: /etc/localtime
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: papconfig
configMap:
name: {{ include "common.fullname" . }}-configmap
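Review bot: The `localtime` hostPath volume and its mount are kept (only re-indented) while the rest of the hunk moves the pod toward a locked-down profile with security contexts and size-limited emptyDir volumes. hostPath volumes are rejected by the baseline and restricted Pod Security Standards. The policy-nexus deployment in this same commit deletes both the mount and the volume, whereas the policy-xacml-pdp deployment hunk keeps them like this one. I would remove the `/etc/localtime` mount and the `localtime` volume in both places and set the timezone through the image or a `TZ` variable if it is needed.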
@@ -152,4 +170,5 @@ spec:
- name: papconfig-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml
index d2fab9f535..6fc37c3d01 100644
--- a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml
+++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml
@@ -13,6 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{ if .Values.global.useStrimziKafkaPf }}
{{ include "common.kafkauser" . }}
-{{ end }}
diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml
index 365028c229..4c6f5355e0 100755
--- a/kubernetes/policy/components/policy-pap/values.yaml
+++ b/kubernetes/policy/components/policy-pap/values.yaml
@@ -2,7 +2,8 @@
# Copyright (C) 2019 Nordix Foundation.
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved.
-# Modifications Copyright © 2022 Nordix Foundation
+# Modifications Copyright © 2022-2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,9 +26,10 @@
global:
nodePortPrefixExt: 304
persistence: {}
- useStrimziKafkaPf: set-via-parent-chart-global-value
postgres:
- localCluster: false
+ useInPolicy: false
+ mariadbGalera:
+ useInPolicy: true
#################################################################
# Secrets metaconfig
@@ -69,7 +71,7 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-pap:3.1.0
+image: onap/policy-pap:3.1.3
pullPolicy: Always
# flag to enable debugging - application support required
@@ -139,7 +141,7 @@ ingress:
serviceMesh:
authorizationPolicy:
authorizedPrincipals:
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
- serviceAccount: portal-app-read
flavor: small
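Review bot: `strimzi-kafka-read` replaces `message-router-read` one-for-one in `authorizedPrincipals`, but PAP connects to the brokers as a client (see papParameters.yaml), so it is not evident that the Kafka service account ever calls PAP. If this list is the inbound allow-list rendered by `common.authorizationPolicy` (the helper is not visible here), the entry can probably be dropped rather than renamed. Otherwise a comment such as `# Kafka brokers call PAP for <reason>` would justify keeping it. The policy-xacml-pdp values.yaml hunk makes the same substitution.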
@@ -160,6 +162,16 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+
#Pods Service Account
serviceAccount:
nameOverride: policy-pap
@@ -185,8 +197,6 @@ metrics:
# application configuration
config:
# Event consumption (kafka) properties
- useStrimziKafkaPf: true
- kafkaBootstrap: strimzi-kafka-bootstrap
kafka:
topics:
policyHeartbeat: policy-heartbeat
@@ -198,11 +208,6 @@ config:
listener:
policyPdpPapTopic: policy-pdp-pap
-dmaap:
- topics:
- policyHeartbeat: POLICY-HEARTBEAT
- policyNotification: POLICY-NOTIFICATION
- policyPdpPap: POLICY-PDP-PAP
# If targeting a custom kafka cluster, ie useStrimziKakfa: false
# uncomment below config and target your kafka bootstrap servers,
# along with any other security config.
@@ -232,7 +237,3 @@ kafkaUser:
type: topic
patternType: prefix
operations: [Create, Describe, Read, Write]
-
-readinessCheck:
- wait_for:
- - message-router
diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml
index a46d6128e8..a02171ef31 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml
@@ -2,6 +2,7 @@
# Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
apiVersion: v2
description: ONAP Policy XACML PDP (PDP-X)
name: policy-xacml-pdp
-version: 14.0.0
+version: 14.0.3
dependencies:
- name: common
diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json
index 08dcb67182..7bf6707136 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json
+++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json
@@ -42,18 +42,30 @@
"applicationPath": "/opt/app/policy/pdpx/apps"
},
"topicParameterGroup": {
- "topicSources" : [{
- "topic" : "POLICY-PDP-PAP",
- "servers" : [ "message-router" ],
- "useHttps" : "false",
- "fetchTimeout" : 15000,
- "topicCommInfrastructure" : "dmaap"
+ "topicSources": [{
+ "topic": "${PAP_TOPIC}",
+ "useHttps": false,
+ "fetchTimeout": 15000,
+ "servers": [ "${KAFKA_URL}" ],
+ "topicCommInfrastructure": "kafka",
+ "additionalProps": {
+ "group.id": "${GROUP_ID}",
+ "security.protocol": "SASL_PLAINTEXT",
+ "sasl.mechanism": "${SASL}",
+ "sasl.jaas.config": "${JAASLOGIN}"
+ }
}],
"topicSinks" : [{
- "topic" : "POLICY-PDP-PAP",
- "servers" : [ "message-router" ],
- "useHttps" : "false",
- "topicCommInfrastructure" : "dmaap"
- }]
+ "topic": "${PAP_TOPIC}",
+ "useHttps": false,
+ "servers": [ "${KAFKA_URL}" ],
+ "topicCommInfrastructure": "kafka",
+ "additionalProps": {
+ "group.id": "${GROUP_ID}",
+ "security.protocol": "SASL_PLAINTEXT",
+ "sasl.mechanism": "${SASL}",
+ "sasl.jaas.config": "${JAASLOGIN}"
+ }
+ }]
}
}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties
index d2e9c62edf..3df3578fd2 100755..100644
--- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties
+++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties
@@ -1,4 +1,22 @@
{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
#
# Properties that the embedded PDP engine uses to configure and load
#
@@ -49,8 +67,14 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome
#
# JPA Properties
#
+{{ if .Values.global.mariadbGalera.useInPolicy }}
eclipselink.target-database=MySQL
-javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver
-javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/operationshistory
-javax.persistence.jdbc.user=${SQL_USER}
-javax.persistence.jdbc.password=${SQL_PASSWORD}
+jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver
+jakarta.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/operationshistory
+{{ else }}
+eclipselink.target-database=PostgreSQL
+jakarta.persistence.jdbc.driver=org.postgresql.Driver
+jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory
+{{ end }}
+jakarta.persistence.jdbc.user=${SQL_USER}
+jakarta.persistence.jdbc.password=${SQL_PASSWORD} \ No newline at end of file
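Review bot: The PostgreSQL URL targets database `operationhistory`, while the MariaDB branch uses `operationshistory`; unless the pg migrator really creates the database under the shorter name (not visible here), the PDP will fail to connect on PostgreSQL. If it is a typo, the path segment should be `/operationshistory` in the `jdbc:postgresql://` line as well. The file also now ends without a trailing newline, which this commit fixes in other templates.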
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml
index 7158c0263f..5a9baa822f 100644
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml
@@ -14,4 +14,4 @@
# limitations under the License.
*/}}
-{{ include "common.authorizationPolicy" . }} \ No newline at end of file
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
index b475d2ce2d..828f6ec2c7 100755..100644
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml
@@ -1,6 +1,8 @@
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,12 +29,17 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- command:
- /app/ready.py
args:
- --job-name
- - {{ include "common.release" . }}-policy-galera-config
+{{ if .Values.global.mariadbGalera.useInPolicy }}
+ - {{ include "common.release" . }}-policy-galera-migrator-config
+{{ else }}
+ - {{ include "common.release" . }}-policy-pg-migrator-config
+{{ end }}
env:
- name: NAMESPACE
valueFrom:
@@ -41,6 +48,7 @@ spec:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-readiness
resources:
limits:
@@ -53,7 +61,7 @@ spec:
- sh
args:
- -c
- - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done
env:
- name: RESTSERVER_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
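Review bot: The new command expands `$JAASLOGIN` unquoted inside `echo`, so the shell word-splits and glob-expands the secret before `tr` sees it. Deleting every double quote also changes the JAAS string itself: a password containing spaces, `;` or `=` no longer parses as one value. The quotes are presumably stripped so the value fits inside the JSON string in config.json; escaping them keeps the credential intact, e.g. `JAASLOGIN=$(printf '%s' "$JAASLOGIN" | sed 's/"/\\"/g')`. Because envsubst runs over every file in /config-input, a comment naming the file that needs the escaping would help. The env list continues outside the hunk.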
@@ -67,6 +75,19 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
- name: SQL_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+ - name: JAASLOGIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
+ - name: KAFKA_URL
+ value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+ - name: SASL
+ value: {{ .Values.kafkaUser.authenticationType | upper }}
+ - name: GROUP_ID
+ value: {{ .Values.config.kafka.consumer.groupId }}
+ - name: PAP_TOPIC
+ value: {{ .Values.config.app.listener.policyPdpPapTopic }}
volumeMounts:
- mountPath: /config-input
name: pdpxconfig
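Review bot: The four new `value:` entries are unquoted template output, and Kubernetes requires env values to be strings; a numeric-looking or boolean-looking `groupId`, or an empty value, would render as a non-string and fail validation. Pipe them through `quote`, e.g. `value: {{ .Values.config.kafka.consumer.groupId | quote }}` and `value: {{ .Values.kafkaUser.authenticationType | upper | quote }}`. `KAFKA_URL` also depends on `global.kafkaBootstrap`, which is not defined in the values.yaml hunks shown, so an unset parent value would render an incomplete address.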
@@ -74,9 +95,11 @@ spec:
name: pdpxconfig-processed
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
@@ -97,25 +120,87 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
+ - name: policy-guard
+ mountPath: /opt/app/policy/pdpx/apps/guard
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/guard/xacml.properties
+ subPath: xacml.properties
+ - name: policy-match
+ mountPath: /opt/app/policy/pdpx/apps/match
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/match/xacml.properties
+ subPath: xacml.properties
+ - name: policy-monitoring
+ mountPath: /opt/app/policy/pdpx/apps/monitoring
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/monitoring/xacml.properties
+ subPath: xacml.properties
+ - name: policy-naming
+ mountPath: /opt/app/policy/pdpx/apps/naming
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/naming/xacml.properties
+ subPath: xacml.properties
+ - name: policy-native
+ mountPath: /opt/app/policy/pdpx/apps/native
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/native/xacml.properties
+ subPath: xacml.properties
+ - name: policy-optimization
+ mountPath: /opt/app/policy/pdpx/apps/optimization
+ - name: pdpxconfig-processed
+ mountPath: /opt/app/policy/pdpx/apps/optimization/xacml.properties
+ subPath: xacml.properties
+ - name: logs
+ mountPath: /var/log/onap
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - mountPath: /opt/app/policy/pdpx/etc/logback.xml
+ subPath: logback.xml
+ name: pdpxconfig-processed
+ - mountPath: /opt/app/policy/pdpx/etc/mounted
+ name: pdpxconfig-processed
- mountPath: /etc/localtime
name: localtime
readOnly: true
- - mountPath: /opt/app/policy/pdpx/etc/mounted
- name: pdpxconfig-processed
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: policy-guard
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-match
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-monitoring
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-naming
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-native
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: policy-optimization
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }}
+ - name: empty-dir
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: localtime
hostPath:
- path: /etc/localtime
+ path: /etc/localtime
- name: pdpxconfig
configMap:
name: {{ include "common.fullname" . }}-configmap
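Review bot: All six `xacml.properties` mounts use the same `subPath` of `pdpxconfig-processed`, so the guard, match, monitoring, naming, native and optimization directories see one and the same file, which also holds the substituted `SQL_PASSWORD`. If the PDP applications write per-application state back to their `xacml.properties` (not visible here), they would overwrite each other; in that case the init container should copy the file into each `policy-*` emptyDir instead of sharing it. The six mount pairs and six volumes are also good candidates for a `range` loop over the application names.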
@@ -123,4 +208,5 @@ spec:
- name: pdpxconfig-processed
emptyDir:
medium: Memory
+ sizeLimit: 64Mi
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml
new file mode 100644
index 0000000000..1d571df8b7
--- /dev/null
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2024 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml
index 3e76c2ba36..6dabd951b9 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml
@@ -18,4 +18,4 @@
# ============LICENSE_END=========================================================
*/}}
-{{ include "common.service" . }} \ No newline at end of file
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml
index b9d877fe7b..b20ab89370 100755..100644
--- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml
@@ -1,5 +1,7 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright (C) 2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,7 +23,10 @@
#################################################################
global:
persistence: {}
-
+ postgres:
+ useInPolicy: false
+ mariadbGalera:
+ useInPolicy: true
#################################################################
# Secrets metaconfig
#################################################################
@@ -49,9 +54,11 @@ secrets:
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-xacml-pdp:3.1.0
+image: onap/policy-xacml-pdp:3.1.3
pullPolicy: Always
+componentName: &componentName policy-xacml-pdp
+
# flag to enable debugging - application support required
debugEnabled: false
@@ -61,8 +68,10 @@ db:
user: policy-user
password: policy_user
service:
- name: policy-mariadb
- internalPort: 3306
+ mariadbName: policy-mariadb
+ mariadbPort: 3306
+ pgName: policy-pg-primary
+ pgPort: 5432
restServer:
user: healthcheck
@@ -93,7 +102,7 @@ readiness:
service:
type: ClusterIP
- name: policy-xacml-pdp
+ name: *componentName
internalPort: 6969
ports:
- name: http
@@ -123,7 +132,7 @@ serviceMesh:
- serviceAccount: dcae-ves-collector-read
- serviceAccount: dcae-ves-mapper-read
- serviceAccount: dcae-ves-openapi-manager-read
- - serviceAccount: message-router-read
+ - serviceAccount: strimzi-kafka-read
- serviceAccount: oof-read
- serviceAccount: sdnc-read
@@ -145,9 +154,21 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 102
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+ policyDir:
+ sizeLimit: 100Mi
+
#Pods Service Account
serviceAccount:
- nameOverride: policy-xacml-pdp
+ nameOverride: *componentName
roles:
- read
@@ -171,3 +192,24 @@ metrics:
chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
release: '{{ include "common.release" . }}'
heritage: '{{ .Release.Service }}'
+
+config:
+ # Event consumption (kafka) properties
+ kafka:
+ consumer:
+ groupId: policy-xacml-pdp
+ app:
+ listener:
+ policyPdpPapTopic: policy-pdp-pap
+
+# Strimzi Kafka config
+kafkaUser:
+ authenticationType: scram-sha-512
+ acls:
+ - name: policy-xacml-pdp
+ type: group
+ operations: [ Create, Describe, Read, Write ]
+ - name: policy-pdp-pap
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
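Review bot: The ACLs under `kafkaUser.acls` look wider than a single-topic consumer needs. The `policy-pdp-pap` entry uses `patternType: prefix`, so it covers every topic whose name starts with that string, and both entries grant `Create` and `Write`. If xacml-pdp only joins its own consumer group and exchanges messages on the one PDP-PAP topic, `patternType: literal` on the topic and `operations: [ Describe, Read ]` on the group entry would be the least-privilege form. Whether topic `Create` is needed depends on whether the chart's KafkaTopic resources already create it. The group ACL name and `config.kafka.consumer.groupId` also repeat the string that `&componentName` now anchors, so the three can drift apart.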
diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh
index f26a80fad7..913ccc7728 100644
--- a/kubernetes/policy/resources/config/db-pg.sh
+++ b/kubernetes/policy/resources/config/db-pg.sh
@@ -1,7 +1,7 @@
#!/bin/sh
#
# ============LICENSE_START=======================================================
-# Copyright (C) 2021-2022 Nordix Foundation.
+# Copyright (C) 2021-2024 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,10 +20,10 @@
export PGPASSWORD=${PG_ADMIN_PASSWORD};
-psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER ${PG_USER} WITH PASSWORD '${PG_USER_PASSWORD}'"
+psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'"
for db in migration pooling policyadmin policyclamp operationshistory clampacm
do
psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};"
- psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${PG_USER};"
-done
+ psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";"
+done
\ No newline at end of file
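Review bot: The added `\"${PG_USER}\"` quoting only helps for role names without a double quote, and `'${PG_USER_PASSWORD}'` is still spliced into the statement unescaped. A password containing `'` therefore breaks the CREATE USER, or changes what is executed as the postgres superuser. psql can do the quoting itself through `:"name"` and `:'name'`, but not inside `--command`, so the statement has to arrive on stdin as sketched below. `-v ON_ERROR_STOP=1` also makes a failed statement fail the script. The loop's GRANT can take the same form, and the change drops the file's trailing newline.

```shell
psql -h "${PG_HOST}" -p "${PG_PORT}" -U postgres -v ON_ERROR_STOP=1 \
  -v pg_user="${PG_USER}" -v pg_pass="${PG_USER_PASSWORD}" <<'EOSQL'
CREATE USER :"pg_user" WITH PASSWORD :'pg_pass';
EOSQL
# … unchanged: for-loop creating the databases; GRANT can use :"pg_user" the same way …
```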
diff --git a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
index 53921ab751..15a6e3224f 100644
--- a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
+++ b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh
@@ -1,6 +1,6 @@
#!/bin/sh
{{/*
-# Copyright (C) 2022 Nordix Foundation.
+# Copyright (C) 2022, 2024 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,8 +14,19 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}
-/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o upgrade
-rc=$?
-/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o report
-exit $rc
+
+for schema in ${SQL_DB}; do
+ echo "Initializing $schema..."
+ /opt/app/policy/bin/prepare_upgrade.sh ${schema}
+
+ /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report
+
+ /opt/app/policy/bin/db-migrator-pg -s ${schema} -o upgrade
+ rc=$?
+
+ /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report
+
+ if [ "$rc" != 0 ]; then
+ break
+ fi
+done
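Review bot: The rewritten script ends at `done` and no longer runs `exit $rc`, so the exit status is that of the loop, whose last command is either the `if` or `break`, both 0. A failed `db-migrator-pg -o upgrade` therefore leaves the Job reporting success. Add `exit $rc` after `done`, as db_migrator_policy_init.sh does in this same commit, and set `rc=0` before the loop so an empty `SQL_DB` is well defined. Quoting `"${schema}"` in the three calls would also keep a stray glob character in the value from being expanded.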
diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_policy_init.sh
index d1cc108fec..a1d8fd89ea 100644
--- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh
+++ b/kubernetes/policy/resources/config/db_migrator_policy_init.sh
@@ -1,6 +1,6 @@
#!/bin/sh
{{/*
-# Copyright (C) 2021 Nordix Foundation.
+# Copyright (C) 2021, 2024 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,8 +14,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB}
-/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade
-rc=$?
-/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report
-exit $rc
+
+for schema in ${SQL_DB}; do
+ echo "Initializing $schema..."
+ /opt/app/policy/bin/prepare_upgrade.sh ${schema}
+
+ /opt/app/policy/bin/db-migrator -s ${schema} -o report
+
+ /opt/app/policy/bin/db-migrator -s ${schema} -o upgrade
+ rc=$?
+
+ /opt/app/policy/bin/db-migrator -s ${schema} -o report
+
+ if [ "$rc" != 0 ]; then
+ break
+ fi
+done
+
+exit $rc
\ No newline at end of file
diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml
index 697c25aa36..3886a85d11 100755
--- a/kubernetes/policy/templates/job.yaml
+++ b/kubernetes/policy/templates/job.yaml
@@ -1,7 +1,8 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada
# Modifications Copyright © 2020 AT&T Intellectual Property
-# Modifications Copyright (C) 2022 Nordix Foundation.
+# Modifications Copyright (C) 2022-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,7 +17,7 @@
# limitations under the License.
*/}}
-{{ if not .Values.global.postgres.localCluster }}
+{{ if .Values.global.mariadbGalera.useInPolicy }}
apiVersion: batch/v1
kind: Job
metadata:
@@ -33,25 +34,15 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}-galera-init
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
- {{- if .Values.global.mariadbGalera.localCluster }}
- {{- if .Values.global.mariadbGalera.useOperator }}
- {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local_operator ) | indent 6 | trim }}
- {{ else }}
- {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }}
- {{- end }}
- {{ else }}
- {{- if .Values.global.mariadbGalera.useOperator }}
- {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global_operator ) | indent 6 | trim }}
- {{ else }}
- {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }}
- {{- end }}
- {{- end }}
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }}
containers:
- name: {{ include "common.name" . }}-galera-config
image: {{ include "repositoryGenerator.image.mariadb" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
volumeMounts:
- mountPath: /dbcmd-config/db.sh
name: {{ include "common.fullname" . }}-config
@@ -60,7 +51,7 @@ spec:
- /bin/sh
- -cx
- |
- {{- if include "common.onServiceMesh" . }}
+ {{- if include "common.requireSidecarKiller" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
/dbcmd-config/db.sh
env:
@@ -73,10 +64,11 @@ spec:
- name: MYSQL_PORT
value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}"
resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
+ {{- if (include "common.requireSidecarKiller" .) }}
- name: policy-service-mesh-wait-for-job-container
image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
command:
- /bin/sh
- "-c"
@@ -89,6 +81,14 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
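Review bot: `policy-service-mesh-wait-for-job-container` now gets `common.containerSecurityContext` twice in the galera-init Job: once after `imagePullPolicy: Always` in the previous hunk, and again here after the `env` block. Assuming the helper renders a `securityContext:` key, the container mapping ends up with a duplicate key, which YAML parsers either reject or resolve silently to the last value. Keep one include per container. The pg-init Job has the same pair, in hunks `-149,8 +152,9` and `-165,6 +169,14`. The container definition starts outside this hunk.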
@@ -102,7 +102,7 @@ spec:
path: db.sh
{{ end }}
-{{ if .Values.global.postgres.localCluster }}
+{{ if .Values.global.postgres.useInPolicy }}
---
apiVersion: batch/v1
kind: Job
@@ -120,12 +120,15 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}-pg-init
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
- initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }}
+ initContainers:
+ {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }}
containers:
- name: {{ include "common.name" . }}-pg-config
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
volumeMounts:
- mountPath: /docker-entrypoint-initdb.d/db-pg.sh
name: {{ include "common.fullname" . }}-config
@@ -134,7 +137,7 @@ spec:
- /bin/sh
- -cx
- |
- {{- if include "common.onServiceMesh" . }}
+ {{- if include "common.requireSidecarKiller" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
/docker-entrypoint-initdb.d/db-pg.sh
env:
@@ -149,8 +152,9 @@ spec:
- name: PG_PORT
value: "{{ .Values.postgres.service.internalPort }}"
resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
+ {{- if (include "common.requireSidecarKiller" .) }}
- name: policy-service-mesh-wait-for-job-container
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
image: {{ include "repositoryGenerator.image.quitQuit" . }}
imagePullPolicy: Always
command:
@@ -165,6 +169,14 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
@@ -177,97 +189,104 @@ spec:
- key: db-pg.sh
path: db-pg.sh
{{ end }}
-
---
-{{ if not .Values.global.postgres.localCluster }}
+{{ if .Values.global.mariadbGalera.useInPolicy }}
apiVersion: batch/v1
kind: Job
metadata:
- name: {{ include "common.fullname" . }}-galera-config
+ name: {{ include "common.fullname" . }}-galera-migrator-config
namespace: {{ include "common.namespace" . }}
labels:
- app: {{ include "common.name" . }}-galera-config
+ app: {{ include "common.name" . }}-galera-migrator-config
release: {{ include "common.release" . }}
spec:
template:
metadata:
labels:
- app: {{ include "common.name" . }}-galera-config
+ app: {{ include "common.name" . }}-galera-migrator-config
release: {{ include "common.release" . }}
- name: {{ include "common.name" . }}-galera-config
+ name: {{ include "common.name" . }}-galera-migrator-config
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
- - name: {{ include "common.name" . }}-init-readiness
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.fullname" . }}-galera-init
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ - name: {{ include "common.name" . }}-init-readiness
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /app/ready.py
+ args:
+ - --job-name
+ - {{ include "common.fullname" . }}-galera-init
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "500Mi"
+ requests:
+ cpu: "3m"
+ memory: "20Mi"
containers:
- - name: {{ include "common.name" . }}-galera-db-migrator
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
- - mountPath: /dbcmd-config/db_migrator_policy_init.sh
- name: {{ include "common.fullname" . }}-config
- subPath: db_migrator_policy_init.sh
- command:
- - /bin/sh
- - -cx
- - |
- {{- if include "common.onServiceMesh" . }}
- echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
- /dbcmd-config/db_migrator_policy_init.sh
- env:
- - name: SQL_HOST
- value: "{{ index .Values "mariadb-galera" "service" "name" }}"
- - name: SQL_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
- - name: SQL_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
- - name: SQL_DB
- value: {{ .Values.dbmigrator.schema }}
- - name: POLICY_HOME
- value: {{ .Values.dbmigrator.policy_home }}
- - name: SCRIPT_DIRECTORY
- value: "sql"
- resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
- - name: policy-service-mesh-wait-for-job-container
- image: {{ include "repositoryGenerator.image.quitQuit" . }}
- imagePullPolicy: Always
- command:
- - /bin/sh
- - "-c"
- args:
- - echo "waiting 10s for istio side cars to be up"; sleep 10s;
- /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45;
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
+ - name: {{ include "common.name" . }}-galera-db-migrator
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: /opt/app/policy/etc/db/
+ name: {{ include "common.fullname" . }}-migration-writable
+ - mountPath: /dbcmd-config/db_migrator_policy_init.sh
+ name: {{ include "common.fullname" . }}-config
+ subPath: db_migrator_policy_init.sh
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ {{- if include "common.requireSidecarKiller" . }}
+ echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
+ /dbcmd-config/db_migrator_policy_init.sh
+ env:
+ - name: SQL_HOST
+ value: "{{ index .Values "mariadb-galera" "service" "name" }}"
+ - name: SQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+ - name: SQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ - name: SQL_DB
+ value: {{ .Values.dbmigrator.schemas }}
+ - name: POLICY_HOME
+ value: {{ .Values.dbmigrator.policy_home }}
+ - name: SCRIPT_DIRECTORY
+ value: "sql"
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if (include "common.requireSidecarKiller" .) }}
+ - name: policy-service-mesh-wait-for-job-container
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ image: {{ include "repositoryGenerator.image.quitQuit" . }}
+ imagePullPolicy: Always
+ command:
+ - /bin/sh
+ - "-c"
+ args:
+ - echo "waiting 10s for istio side cars to be up"; sleep 10s;
+ /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45;
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: {{ include "common.fullname" . }}-migration-writable
+ emptyDir: {}
- name: {{ include "common.fullname" . }}-config
configMap:
name: {{ include "common.fullname" . }}-db-configmap
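Review bot: The new `-migration-writable` volume is declared as `emptyDir: {}` with no `sizeLimit`, although this commit bounds other scratch volumes (`sizeLimit: 64Mi` in the xacml-pdp deployment, `dirSizes` in its values). An unbounded emptyDir lets a misbehaving migration fill the node's ephemeral storage, so it should read `emptyDir:` with `sizeLimit: <size from values>` beneath it. The pg migrator Job in the next hunk adds the same volume and needs the same change. The sidecar container in both migrator Jobs also still has no `resources` block, unlike the one added to the init Jobs.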
@@ -276,98 +295,106 @@ spec:
- key: db_migrator_policy_init.sh
path: db_migrator_policy_init.sh
{{ end }}
-{{ if .Values.global.postgres.localCluster }}
+{{ if .Values.global.postgres.useInPolicy }}
---
apiVersion: batch/v1
kind: Job
metadata:
- name: {{ include "common.fullname" . }}-pg-config
+ name: {{ include "common.fullname" . }}-pg-migrator-config
namespace: {{ include "common.namespace" . }}
labels:
- app: {{ include "common.name" . }}-pg-config
+ app: {{ include "common.name" . }}-pg-migrator-config
release: {{ include "common.release" . }}
spec:
template:
metadata:
labels:
- app: {{ include "common.name" . }}-pg-config
+ app: {{ include "common.name" . }}-pg-migrator-config
release: {{ include "common.release" . }}
- name: {{ include "common.name" . }}-pg-config
+ name: {{ include "common.name" . }}-pg-migrator-config
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
- - name: {{ include "common.name" . }}-init-readiness
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.fullname" . }}-pg-init
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ - name: {{ include "common.name" . }}-init-readiness
+ image: {{ include "repositoryGenerator.image.readiness" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ command:
+ - /app/ready.py
+ args:
+ - --job-name
+ - {{ include "common.fullname" . }}-pg-init
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "500Mi"
+ requests:
+ cpu: "3m"
+ memory: "20Mi"
containers:
- - name: {{ include "common.name" . }}-pg-db-migrator
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
- - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh
- name: {{ include "common.fullname" . }}-config
- subPath: db_migrator_pg_policy_init.sh
- command:
- - /bin/sh
- - -cx
- - |
- {{- if include "common.onServiceMesh" . }}
- echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
- /dbcmd-config/db_migrator_pg_policy_init.sh
- env:
- - name: SQL_HOST
- value: "{{ .Values.postgres.service.name2 }}"
- - name: SQL_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
- - name: SQL_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
- - name: SQL_DB
- value: {{ .Values.dbmigrator.schema }}
- - name: POLICY_HOME
- value: {{ .Values.dbmigrator.policy_home }}
- - name: SCRIPT_DIRECTORY
- value: "postgres"
- - name: PGPASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
- resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.onServiceMesh" .) }}
- - name: policy-service-mesh-wait-for-job-container
- image: {{ include "repositoryGenerator.image.quitQuit" . }}
- imagePullPolicy: Always
- command:
- - /bin/sh
- - "-c"
- args:
- - echo "waiting 10s for istio side cars to be up"; sleep 10s;
- /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45;
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
+ - name: {{ include "common.name" . }}-pg-db-migrator
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ volumeMounts:
+ - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh
+ name: {{ include "common.fullname" . }}-config
+ subPath: db_migrator_pg_policy_init.sh
+ - mountPath: /opt/app/policy/etc/db/
+ name: {{ include "common.fullname" . }}-migration-writable
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ {{- if include "common.requireSidecarKiller" . }}
+ echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
+ /dbcmd-config/db_migrator_pg_policy_init.sh
+ env:
+ - name: SQL_HOST
+ value: "{{ .Values.postgres.service.name2 }}"
+ - name: SQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+ - name: SQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ - name: SQL_DB
+ value: {{ .Values.dbmigrator.schemas }}
+ - name: POLICY_HOME
+ value: {{ .Values.dbmigrator.policy_home }}
+ - name: SCRIPT_DIRECTORY
+ value: "postgres"
+ - name: PGPASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if (include "common.requireSidecarKiller" .) }}
+ - name: policy-service-mesh-wait-for-job-container
+ image: {{ include "repositoryGenerator.image.quitQuit" . }}
+ imagePullPolicy: Always
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ command:
+ - /bin/sh
+ - "-c"
+ args:
+ - echo "waiting 10s for istio side cars to be up"; sleep 10s;
+ /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45;
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
{{- end }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: {{ include "common.fullname" . }}-migration-writable
+ emptyDir: {}
- name: {{ include "common.fullname" . }}-config
configMap:
name: {{ include "common.fullname" . }}-db-configmap
@@ -375,4 +402,4 @@ spec:
items:
- key: db_migrator_pg_policy_init.sh
path: db_migrator_pg_policy_init.sh
-{{ end }}
+{{ end }}
\ No newline at end of file
diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml
index a787b8b626..feb29f3b0c 100644
--- a/kubernetes/policy/templates/policy-kafka-topics.yaml
+++ b/kubernetes/policy/templates/policy-kafka-topics.yaml
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{- if .Values.global.useStrimziKafkaPf }}
+
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
@@ -49,4 +49,3 @@ spec:
config:
retention.ms: {{ .Values.config.policyNotificationTopic.retentionMs }}
segment.bytes: {{ .Values.config.policyNotificationTopic.segmentBytes }}
-{{- end }}
diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml
index c000af1b82..d004cbe116 100644
--- a/kubernetes/policy/templates/policy-kafka-user.yaml
+++ b/kubernetes/policy/templates/policy-kafka-user.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2022-2023 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{- if .Values.global.useStrimziKafka }}
+
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
@@ -29,17 +30,20 @@ spec:
- resource:
type: group
name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }}
- operation: All
+ operations:
+ - All
- resource:
type: topic
name: {{ .Values.config.policyPdpPapTopic.name }}
- operation: All
+ operations:
+ - All
- resource:
type: topic
name: {{ .Values.config.policyHeartbeatTopic.name }}
- operation: All
+ operations:
+ - All
- resource:
type: topic
name: {{ .Values.config.policyNotificationTopic.name }}
- operation: All
-{{- end }}
+ operations:
+ - All
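Review bot: Moving from `operation` to `operations` keeps `All` on the consumer group and on all three topics, so the shared policy Kafka user still holds Delete, Alter and AlterConfigs where it presumably only produces and consumes. Because the field is now a list, it can be narrowed in place, for example `operations: [ Describe, Read, Write ]` on the topics and `[ Describe, Read ]` on the group. With the `useStrimziKafka` guard removed, this KafkaUser is also rendered unconditionally, so the chart now requires the Strimzi CRDs on every install. That is worth stating in the header comment.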
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index 9d08080cf7..67f4dbd1e5 100755..100644
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -1,6 +1,7 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
-# Modifications Copyright (C) 2021-2023 Nordix Foundation.
+# Modifications Copyright (C) 2021-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -29,12 +30,12 @@ global:
# with '*mariadbConfig' pointer.
config: &mariadbConfig
mysqlDatabase: policyadmin
- service: &mariadbService
- name: &policy-mariadb policy-mariadb
- internalPort: 3306
- nameOverride: *policy-mariadb
+ service: &mariadbService policy-mariadb
+ internalPort: 3306
+ nameOverride: *mariadbService
# (optional) if localCluster=false and an external secret is used set this variable
#userRootSecret: <secretName>
+ useInPolicy: true
prometheusEnabled: false
postgres:
localCluster: false
@@ -44,16 +45,13 @@ global:
name3: tcp-pgset-replica
container:
name: postgres
- #Strimzi Kafka properties
- useStrimziKafka: true
- # Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml
- useStrimziKafkaPf: false
- kafkaBootstrap: strimzi-kafka-bootstrap
+ useInPolicy: false
+ kafkaBootstrap: strimzi-kafka-bootstrap:9092
policyKafkaUser: policy-kafka-user
+ useStrimziKafka: true
kafkaTopics:
acRuntimeTopic:
name: policy.clamp-runtime-acm
-
#################################################################
# Secrets metaconfig
#################################################################
@@ -61,8 +59,8 @@ secrets:
- uid: db-root-password
name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
type: password
- externalSecret: '{{ .Values.global.mariadbGalera.localCluster |
- ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
+ externalSecret: '{{ or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy | ternary (
+ ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
ternary
""
(tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)
@@ -134,7 +132,7 @@ policy-apex-pdp:
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-drools-pdp:
- enabled: true
+ enabled: false
db: *dbSecretsHook
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
@@ -163,18 +161,17 @@ policy-nexus:
enabled: false
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
-policy-gui:
- enabled: false
- config:
- jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
#################################################################
# DB configuration defaults.
#################################################################
dbmigrator:
- image: onap/policy-db-migrator:3.1.0
- schema: policyadmin
+ # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later.
+ image: onap/policy-db-migrator:3.1.3
+ # These schemas will be required with the new version of db-migrator
+ # schemas: "policyadmin clampacm pooling operationshistory"
+ schemas: "policyadmin"
policy_home: "/opt/app/policy"
subChartsOnly:
@@ -205,7 +202,6 @@ readiness:
config:
policyAppUserName: runtimeUser
- useStrimziKafka: true
policyPdpPapTopic:
name: policy-pdp-pap
partitions: 10
@@ -238,9 +234,10 @@ mariadb-galera:
name: &mysqlDbName policyadmin
rootUser:
externalSecret: *dbRootPassSecretName
- nameOverride: *policy-mariadb
+ nameOverride: *mariadbService
# mariadb-galera.service and global.mariadbGalera.service must be equals
- service: *mariadbService
+ service:
+ name: *mariadbService
replicaCount: 1
mariadbOperator:
galera:
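Review bot: The context comment `# mariadb-galera.service and global.mariadbGalera.service must be equals` no longer matches the values. `&mariadbService` now anchors the plain string `policy-mariadb`, while `mariadb-galera.service` became a mapping with only `name`. Reword it to say that `mariadb-galera.service.name` must equal the global service name. job.yaml still reads `index .Values "mariadb-galera" "service" "internalPort"` for `MYSQL_PORT`, and this block no longer sets `internalPort`, so it is worth confirming that the subchart default supplies it.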
@@ -249,7 +246,7 @@ mariadb-galera:
enabled: true
mountSubPath: policy/maria/data
serviceAccount:
- nameOverride: *policy-mariadb
+ nameOverride: *mariadbService
postgresImage: library/postgres:latest
# application configuration override for postgres
@@ -273,20 +270,12 @@ postgres:
pgRootPasswordExternalSecret: *dbRootPassSecretName
readinessCheck:
- wait_for:
- - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}'
- wait_for_global_operator:
- pods:
- - '{{ .Values.global.mariadbGalera.nameOverride }}-0'
- wait_for_local_operator:
- pods:
- - '{{ index .Values "mariadb-galera" "nameOverride" }}-0'
- wait_for_global:
- apps:
- - '{{ include "common.mariadbAppName" . }}'
- wait_for_local:
- apps:
- - '{{ include "common.mariadbAppName" . }}'
+ wait_for_postgres:
+ services:
+ - '{{ .Values.global.postgres.service.name2 }}'
+ wait_for_mariadb:
+ services:
+ - '{{ include "common.mariadbService" . }}'
restServer:
policyPapUserName: policyadmin
@@ -314,8 +303,12 @@ resources:
memory: "2Gi"
unlimited: {}
+securityContext:
+ user_id: 100
+ group_id: 65533
+
#Pods Service Account
serviceAccount:
nameOverride: policy
roles:
- - read
+ - read
\ No newline at end of file