Diffstat (limited to 'kubernetes/policy')
74 files changed, 1004 insertions, 1090 deletions
diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index 2bf703c622..7a4ac1f377 100755..100644 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,8 +1,8 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2021-2025 Nordix Foundation +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,66 +19,66 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 15.0.1 +version: 16.0.8 dependencies: - name: common version: ~13.x-0 repository: '@local' - - name: mariadb-galera - version: ~13.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - name: policy-nexus version: ~15.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled + - name: policy-opa-pdp + version: ~16.x-0 + repository: 'file://components/policy-opa-pdp' + condition: policy-opa-pdp.enabled - name: policy-distribution - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled - name: policy-clamp-ac-a1pms-ppnt - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-a1pms-ppnt' condition: policy-clamp-ac-a1pms-ppnt.enabled - name: policy-clamp-ac-kserve-ppnt - version: ~15.x-0 + version: ~16.x-0 
repository: 'file://components/policy-clamp-ac-kserve-ppnt' condition: policy-clamp-ac-kserve-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~15.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - name: repositoryGenerator @@ -87,9 +87,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' - - name: readinessCheck - version: ~13.x-0 - repository: '@local' - name: postgres version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index 3cd9ef8e59..b406c2032f 100755..100644 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -1,8 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021,2024 Nordix Foundation -# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 15.0.0 +version: 16.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml index 5e2caa989f..c67a3284f1 100755 
--- a/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 Nordix Foundation. # Modifications Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2025 Deutsche Telekom. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,11 +26,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 9cf89b4c79..1157fc6d51 100755..100644 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022, 2025 Nordix Foundation # Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -47,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:4.0.1 +image: onap/policy-apex-pdp:4.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -133,6 +133,11 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: policy-apex-pdp diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index 6c3351a5df..8333f06825 100755..100644 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -1,8 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation -# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 15.0.1 +version: 16.0.3 dependencies: - name: common 
@@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index 3e357a66e7..15ee20e9f6 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -1,8 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. -# Modification (C) 2023 Deutsche Telekom. All rights reserved. -# Modifications Copyright © 2024 Nordix Foundation. +# Modification (C) 2023,2025 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -32,21 +32,7 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: -{{ if .Values.global.mariadbGalera.useInPolicy }} - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin - driverClassName: org.mariadb.jdbc.Driver - username: "${SQL_USER}" - password: "${SQL_PASSWORD}" - hikari: - maximumPoolSize: 20 - jpa: - hibernate: - ddl-auto: none - naming: - physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl - implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{ else }} - url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin driverClassName: org.postgresql.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" @@ -61,21 +47,11 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{ end }} policy-api: name: ApiGroup aaf: false -database: - name: PolicyProviderParameterGroup - implementation: org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl - driver: org.mariadb.jdbc.Driver - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin - user: "${SQL_USER}" - password: "${SQL_PASSWORD}" - persistenceUnit: PolicyDb - policy-preload: policyTypes: - policytypes/onap.policies.monitoring.tcagen2.yaml 
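Review bot: The new PostgreSQL URL in the first hunk, `jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin`, sets no `sslmode`, so whether `SQL_USER`/`SQL_PASSWORD` and the policy data are encrypted on the wire is left to the driver default and the server configuration. If the deployment does not rely on a service mesh for mTLS between policy-api and the database, I would make the requirement explicit, for example by appending `?sslmode=verify-full` or exposing the mode as a chart value. At minimum add a comment above `datasource:` such as `# transport security for this connection is provided by <mesh / sslmode> - do not deploy without it`. The `spring:` mapping starts outside the hunk.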
@@ -106,6 +82,7 @@ policy-preload: - policytypes/onap.policies.Match.yaml - policytypes/onap.policies.native.Drools.yaml - policytypes/onap.policies.native.Xacml.yaml + - policytypes/onap.policies.native.ToscaXacml.yaml - policytypes/onap.policies.native.Apex.yaml - policytypes/onap.policies.controlloop.operational.Common.yaml - policytypes/onap.policies.controlloop.operational.common.Apex.yaml diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/components/policy-api/resources/config/db-pg.sh index a7fc088d55..a7fc088d55 100644 --- a/kubernetes/policy/resources/config/db-pg.sh +++ b/kubernetes/policy/components/policy-api/resources/config/db-pg.sh diff --git a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh index 15a6e3224f..15a6e3224f 100644 --- a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh +++ b/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml index 6bb96fc1e5..a4962b46ed 100755 --- a/kubernetes/policy/components/policy-api/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. +# Modification (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -25,11 +26,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} @@ -38,3 +35,12 @@ binaryData: {{- end }} data: {{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-db-configmap + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index f89945f90e..20c02befae 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. +# Modification (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -28,33 +29,78 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - command: - - /app/ready.py - args: - - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} + - name: {{ include "common.name" . }}-pg-config + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} - name: {{ include "common.name" . }}-readiness + command: + - /bin/sh + - -cx + - | + /docker-entrypoint-initdb.d/db-pg.sh + env: + - name: PG_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + {{- if eq .Values.global.postgres.localCluster true }} + name: '{{ include "common.release" . }}-policy-db-root-password' + {{- else }} + name: '{{ .Values.global.postgres.userRootSecret }}' + {{- end }} + key: password + - name: PG_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: PG_USER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-secret" "key" "password") | indent 12 }} + - name: PG_PORT + value: "{{ .Values.global.postgres.service.port }}" resources: - limits: - cpu: "100m" - memory: "500Mi" requests: - cpu: "3m" - memory: "20Mi" + cpu: 50m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + volumeMounts: + - mountPath: /docker-entrypoint-initdb.d/db-pg.sh + name: {{ include "common.fullname" . }}-config + subPath: db-pg.sh + - name: {{ include "common.name" . }}-pg-db-migrator + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh + name: {{ include "common.fullname" . }}-config + subPath: db_migrator_pg_policy_init.sh + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + command: + - /bin/sh + - -cx + - | + /dbcmd-config/db_migrator_pg_policy_init.sh + env: + - name: SQL_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "postgres" + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} - command: - sh args: 
@@ -62,9 +108,9 @@ spec: - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 12 }} - name: RESTSERVER_PASSWORD @@ -74,10 +120,17 @@ spec: name: apiconfig - mountPath: /config name: apiconfig-processed + name: {{ include "common.name" . }}-update-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + requests: + cpu: 10m + memory: 64Mi + limits: + cpu: 100m + memory: 128Mi {{ include "common.containerSecurityContext" . | indent 10 | trim }} - name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} {{ include "common.containerSecurityContext" . | indent 10 | trim }} @@ -94,7 +147,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} + {{- end }} readinessProbe: httpGet: path: {{ .Values.readiness.api }} 
@@ -144,4 +197,15 @@ spec: - name: logs emptyDir: sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - {{- include "common.imagePullSecrets" . | nindent 6 }} + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: + sizeLimit: {{ .Values.dirSizes.migration.sizeLimit }} + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-db-configmap + defaultMode: 0755 + items: + - key: db-pg.sh + path: db-pg.sh + - key: db_migrator_pg_policy_init.sh + path: db_migrator_pg_policy_init.sh diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 3e86ed1894..a9d0449f86 100755..100644 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -1,8 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. -# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. -# Modifications Copyright © 2024 Nordix Foundation. +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,15 +26,17 @@ global: nodePortPrefix: 304 persistence: {} postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig ################################################################# secrets: - - uid: db-creds + - uid: db-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' login: '{{ .Values.db.user }}' @@ -48,10 +50,21 @@ secrets: passwordPolicy: required ################################################################# +# DB configuration defaults. +################################################################# + +dbmigrator: + image: onap/policy-db-migrator:4.1.0 + schemas: "policyadmin clampacm pooling operationshistory" + policy_home: "/opt/app/policy" + +postgresImage: library/postgres:17.2 + +################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:4.0.1 +image: onap/policy-api:4.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -61,11 +74,11 @@ debugEnabled: false db: user: policy-user password: policy_user - service: - name: policy-mariadb - pgName: policy-pg-primary - internalPort: 3306 - internalPgPort: 5432 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.postgres.service.name2 }}' restServer: user: policyadmin @@ -137,6 +150,11 @@ dirSizes: sizeLimit: 1Gi logDir: sizeLimit: 500Mi + migration: + sizeLimit: 1Gi + +dbReadiness: + retryCount: 3 #Pods Service Account serviceAccount: 
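Review bot: `postgresImage: library/postgres:17.2` and `dbmigrator.image: onap/policy-db-migrator:4.1.0` in the second hunk are pinned by tag only, and the init containers that run them are handed the database admin and user passwords while `pullPolicy: Always` re-resolves the tag on every pod start. A tag that is re-pushed in the configured registry or mirror would therefore execute with those credentials; pinning by digest closes that gap, e.g. `postgresImage: library/postgres:17.2@sha256:<digest>` (placeholder, take the value from the registry you deploy from). If tag pinning is the chart-wide convention, a comment here stating that the repository resolved through `repositoryGenerator` is a trusted, controlled mirror would at least record the assumption.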
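Review bot: The third hunk keeps `password: policy_user` as the shipped default under `db:`, and after this change that value presumably backs the `db-secret` entry (its `password:` line lies outside the first hunk) that the new PostgreSQL init containers use to provision and migrate the database. An install that does not set `db.credsExternalSecret` then ends up with a publicly known database password. I would add a comment above `db:` along the lines of `# lab defaults only - set db.credsExternalSecret or override password for any shared deployment`, or drop the default if the secret template can generate one.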
@@ -149,9 +167,15 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true - port: policy-api + port: http + path: /policy/api/v1/metrics interval: 60s isHttps: false basicAuth: @@ -159,8 +183,9 @@ metrics: externalSecretNameSuffix: policy-api-user-creds externalSecretUserKey: login externalSecretPasswordKey: password + selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml index a89c614c4f..73015fab2f 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022-2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2022-2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp A1PMS Participant name: policy-clamp-ac-a1pms-ppnt -version: 15.0.0 +version: 16.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml index 4a0c2aaef4..7ef735bf59 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml @@ -23,11 +23,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{- if .Values.a1pmsconfig }} {{ tpl (.Files.Glob "resources/config/A1pmsParticipantParameters.yaml").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index b882829ae3..cee5eb8e92 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2022-2024 Nordix Foundation. +# Copyright (C) 2022-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -43,7 +43,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-a1pms-ppnt:8.0.1 +image: onap/policy-clamp-ac-a1pms-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-a1pms-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 1c3abbbc97..7ec0175f9f 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Copyright (C) 2021-2022, 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 15.0.0 +version: 16.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml index 09cc8cd48f..ff1bc31c3a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml 
@@ -23,10 +23,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index e7d317e9af..a422386ffc 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2023 Nordix Foundation. +# Copyright (C) 2021-2023, 2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -44,7 +44,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:8.0.1 +image: onap/policy-clamp-ac-http-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-http-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index 09dadf2806..b746cf80da 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022, 2024 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 15.0.0 +version: 16.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index efd5a6cd53..b17f167286 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml @@ -23,11 +23,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{- if .Values.repoList }} {{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml index 02a6292df7..b32deab311 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml 
@@ -23,11 +23,7 @@ kind: ClusterRoleBinding metadata: name: {{ include "common.namespace" . }}-policy-clamp-ac-k8s-ppnt-binding namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index ea00a34dad..c9f3f9bdc3 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -45,7 +45,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:8.0.1 +image: onap/policy-clamp-ac-k8s-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-k8s-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml index 2982043dab..3b0094fce4 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml 
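Review bot: `kind: ClusterRoleBinding` is cluster-scoped, so the `namespace:` line kept under `metadata` in this hunk has no effect and can make the grant look confined to the release namespace. I would drop that line, or add a comment above `roleRef` such as `# cluster-scoped: the subjects receive the referenced ClusterRole in every namespace`. The binding also lives in `templates/service.yaml`, a file name under which an RBAC grant is easy to miss in review. The `roleRef` block continues outside the hunk, so the role being bound cannot be checked from here. The kserve participant's `service.yaml` hunk further down has the same pattern.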
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2023-2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Kserve Participant name: policy-clamp-ac-kserve-ppnt -version: 15.0.0 +version: 16.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml index d3e2833904..ae4d6ec973 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml @@ -23,10 +23,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml index 073ffe9618..4092d0ad5c 100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml 
@@ -23,11 +23,7 @@ kind: ClusterRoleBinding metadata: name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index 2221ce83ba..61cc461b41 100755..100644 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2023 Nordix Foundation. +# Copyright (C) 2023, 2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -44,7 +44,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-kserve-ppnt:8.0.1 +image: onap/policy-clamp-ac-kserve-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-kserve-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index 49d7522eaf..9aa9e6c989 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022, 2024 Nordix Foundation. +# Copyright (C) 2021-2022, 2024-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -20,7 +20,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 15.0.0 +version: 16.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml index 09cc8cd48f..ff1bc31c3a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml @@ -23,10 +23,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index e7fbbb1f84..2bdbaa456a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -56,7 +56,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:8.0.1 +image: onap/policy-clamp-ac-pf-ppnt:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-ac-pf-ppnt diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 8b22acd09c..61a95ce117 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,8 +1,8 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2025 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 15.0.0 +version: 16.0.2 dependencies: - name: common 
@@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index f1785acb0f..d22d73a642 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,13 +25,8 @@ spring: converters: preferred-json-mapper: gson datasource: - {{ if .Values.global.mariadbGalera.useInPolicy }} - url: jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/clampacm - driverClassName: org.mariadb.jdbc.Driver - {{ else }} - url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/clampacm driverClassName: org.postgresql.Driver - {{ end }} username: ${SQL_USER} password: ${SQL_PASSWORD} hikari: @@ -47,11 +42,7 @@ spring: implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy properties: hibernate: - {{ if .Values.global.mariadbGalera.useInPolicy }} - dialect: org.hibernate.dialect.MariaDBDialect - {{ else }} dialect: org.hibernate.dialect.PostgreSQLDialect - {{ end }} format_sql: true metrics: 
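Review bot: The new `url: jdbc:postgresql://…/clampacm` line in the datasource hunk sets no TLS parameter, so whether the Postgres connection is encrypted and the server verified is left to the driver default and to whatever the cluster network provides. If the deployment does not rely on mesh-level mTLS, consider appending `?sslmode=verify-full` (with the CA made available to the pod), or add a comment stating where transport protection comes from. The same applies to the drools-pdp `base.conf` hunk later in this diff, where `JDBC_URL` is built the same way and `JDBC_OPTS=` stays empty. The `spring:` mapping starts above the hunk.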
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml index 66c096d439..397ae817dd 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml @@ -23,11 +23,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index 5a206b996e..79120a3f33 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Copyright (C) 2021-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -30,32 +30,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-db-config-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 9f78b29dae..540b3732a5 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Copyright (C) 2021-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
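Review bot: The removed init container set `common.containerSecurityContext` and explicit CPU/memory limits inline, while the replacement `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` moves both into the common chart; please confirm the helper still renders a security context and resource limits, since its definition is not part of this diff. The wait condition also changes: the old container blocked on the `…-policy-pg-migrator-config` job, whereas the values hunk for this chart configures `wait_for: services: - policy-api`, so the pod no longer waits on the migration job directly. If policy-api readiness is meant to imply a migrated schema, a comment saying so next to `readinessCheck:` in values.yaml would help. The drools-pdp `statefulset.yaml` hunk makes the same swap.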
@@ -24,9 +24,11 @@ global: nodePortPrefixExt: 304 persistence: {} postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 #Strimzi Kafka properties kafkaTopics: acRuntimeOperationTopic: @@ -55,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:8.0.1 +image: onap/policy-clamp-runtime-acm:8.1.0 pullPolicy: Always componentName: &componentName policy-clamp-runtime-acm @@ -94,11 +96,6 @@ kafkaTopic: db: user: policy-user password: policy_user - service: - mariadbName: policy-mariadb - mariadbPort: 3306 - pgName: policy-pg-primary - pgPort: 5432 # default number of instances replicaCount: 1 @@ -170,9 +167,10 @@ serviceAccount: roles: - read -wait_for_job_container: - containers: - - '{{ include "common.release" . }}-galera-migrator-config' +readinessCheck: + wait_for: + services: + - policy-api customNaming: toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index 3ac1d031a3..339ffad2c8 100755..100644 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
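Review bot: The new `global.postgres.service` keys `name`, `name2` and `name3` do not say which endpoint each one is, although templates in this change already depend on `name2` for the JDBC host. Comments would help, for example `# name2: primary endpoint used in JDBC URLs` and `# name3: replica endpoint`, if that is what the values `policy-pg-primary` and `policy-pg-replica` mean. The same block is repeated in the drools-pdp values.yaml hunk, so the defaults can drift between subcharts unless the parent chart's globals are the single source.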
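Review bot: The `db:` block trimmed by the `@@ -94,11 +96,6 @@` hunk still ships `password: policy_user` as a chart default, so an install that does not override it runs the database account with a password anyone can read in the repository. Since the block is being edited anyway, consider leaving the default empty and requiring an operator-supplied secret, or at least add `# lab default only; override via an external secret` above it. How the `secrets:` section earlier in the file consumes this value is outside the hunk. The drools-pdp values.yaml hunk keeps the same default.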
@@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 15.0.0 +version: 16.0.1 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-distribution/templates/configmap.yaml b/kubernetes/policy/components/policy-distribution/templates/configmap.yaml index 5e2caa989f..050697925a 100755 --- a/kubernetes/policy/components/policy-distribution/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/configmap.yaml @@ -25,11 +25,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index f393250045..f72d017dc1 100755..100644 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. -# Modifications Copyright (C) 2023 Nordix Foundation +# Modifications Copyright (C) 2023, 2025 Nordix Foundation # Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -59,7 +59,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:4.0.1 +image: onap/policy-distribution:4.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -163,6 +163,11 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: policy-distribution @@ -173,8 +178,9 @@ metrics: externalSecretNameSuffix: policy-distribution-restserver-creds externalSecretUserKey: login externalSecretPasswordKey: password + selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 37ab25cf88..fc81c4c4d0 100755..100644 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml 
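Review bot: The rewritten `selector` in the `@@ -173,8 +178,9 @@` hunk matches on `helm.sh/chart`, whose value embeds the chart version, so metric scraping depends on the target carrying exactly the same version-bearing label. If the labels emitted by the common chart ever differ (for instance in how `+` is replaced), the monitor selects nothing and metrics stop without an error, which is a silent loss of monitoring coverage. Matching on `app` and `app.kubernetes.io/instance` alone would be less brittle. The drools-pdp values.yaml hunk changes its selector the same way.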
@@ -1,8 +1,8 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 15.0.0 +version: 16.0.3 dependencies: - name: common @@ -31,3 +31,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index 64e8188f2b..e4bc752bf9 100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -2,7 +2,8 @@ # Copyright © 2017-2018 Amdocs, Bell Canada. # Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. -# Modifications Copyright (C) 2024 Nordix Foundation. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright (C) 2025 Deutsche Telekom. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -41,21 +42,11 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access -{{ if .Values.global.mariadbGalera.useInPolicy }} -SQL_HOST={{ .Values.db.mariadbName }} -SQL_PORT={{ .Values.db.mariadbPort }} -JDBC_URL=jdbc:mariadb://{{ .Values.db.mariadbName }}:{{ .Values.db.mariadbPort }}/ -JDBC_OPTS= -JDBC_DRIVER=org.mariadb.jdbc.Driver -MYSQL_CMD= -{{ else }} -SQL_HOST={{ .Values.db.pgName }} -SQL_PORT={{ .Values.db.pgPort }} -JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/ +SQL_HOST={{ .Values.global.postgres.service.name2 }} +SQL_PORT={{ .Values.global.postgres.service.port }} +JDBC_URL=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/ JDBC_OPTS= JDBC_DRIVER=org.postgresql.Driver -MYSQL_CMD= -{{ end }} # Liveness LIVENESS_CONTROLLERS=* diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties index d4577b577a..d30d93378f 100644 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties @@ -2,7 +2,7 @@ # ============LICENSE_START======================================================= # ONAP # ================================================================================ -# Copyright (C) 2024 Nordix Foundation. +# Copyright (C) 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,19 +19,12 @@ ### #Database properties -{{ if .Values.global.mariadbGalera.useInPolicy }} -jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver -jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} -jakarta.persistence.jdbc.user=${envd:SQL_USER} -jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} -{{ else }} jakarta.persistence.jdbc.driver=org.postgresql.Driver jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} jakarta.persistence.jdbc.user=${envd:SQL_USER} jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} -{{ end }} # default property values are commented out #distributed.locking.expire.check.seconds=900 #distributed.locking.retry.seconds=60 -#distributed.locking.max.retries=2
\ No newline at end of file +#distributed.locking.max.retries=2 diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml index f5661429a1..7e6e2b8fa1 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml @@ -20,11 +20,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/configmaps/*{.zip,store}" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml index f986994210..e42263cc62 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml @@ -22,11 +22,7 @@ kind: Secret metadata: name: {{ include "common.fullname" . }}-secret namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index a24476cc74..d7bcccf121 100644 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml 
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -1,8 +1,8 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property -# Modifications Copyright (C) 2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,32 +29,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-db-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{- if not .Values.nexus.offline }} - command: - /app/ready.py diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 8fbd6c6446..40de912ef0 100644 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml 
@@ -1,8 +1,8 @@ # Copyright © 2017 Amdocs # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property -# Modifications Copyright (C) 2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,9 +22,12 @@ global: nodePortPrefix: 302 postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 + ################################################################# # Secrets metaconfig ################################################################# @@ -47,7 +50,7 @@ secrets: ################################################################# # application image # The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes -image: onap/policy-pdpd-cl:3.0.1 +image: onap/policy-pdpd-cl:3.1.0 pullPolicy: Always @@ -107,11 +110,6 @@ nexus: offline: true db: - mariadbName: policy-mariadb - pgName: policy-pg-primary - mariadbPort: 3306 - pgPort: 5432 - user: policy-user password: policy_user pap: @@ -202,6 +200,11 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: policy-drools-pdp-9696 
@@ -214,9 +217,9 @@ metrics: externalSecretPasswordKey: password selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' config: # Event consumption (kafka) properties @@ -282,3 +285,8 @@ kafkaUser: type: topic patternType: prefix operations: [ Create, Describe, Read, Write ] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index eb6c92e75b..59e01d82ea 100755..100644 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -19,7 +19,7 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 15.0.0 +version: 15.0.2 dependencies: - name: common diff --git a/kubernetes/policy/components/policy-nexus/templates/pv.yaml b/kubernetes/policy/components/policy-nexus/templates/pv.yaml index 62e66f1602..1bafeb5d6c 100755 --- a/kubernetes/policy/components/policy-nexus/templates/pv.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/pv.yaml @@ -22,12 +22,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} + labels: {{- include "common.labels" . | nindent 4 }} spec: capacity: storage: {{ .Values.persistence.size }} 
diff --git a/kubernetes/policy/components/policy-nexus/templates/pvc.yaml b/kubernetes/policy/components/policy-nexus/templates/pvc.yaml index 1cadcc51d5..e5a06e2f64 100755 --- a/kubernetes/policy/components/policy-nexus/templates/pvc.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/pvc.yaml @@ -21,11 +21,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.persistence.annotations }} annotations: {{ toYaml .Values.persistence.annotations | indent 4 }} diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index cc75a9fe15..cc75a9fe15 100755..100644 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml new file mode 100644 index 0000000000..f776feae35 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml 
@@ -0,0 +1,36 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy OPA PDP (PDP-O) +name: policy-opa-pdp +version: 16.0.1 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json new file mode 100755 index 0000000000..bb18a3bacc --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json 
@@ -0,0 +1,27 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +{ + "logging": { + "level": "debug" + }, + "decision_logs": { + "console": true + } +} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml new file mode 100755 index 0000000000..e2b4537dc8 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml 
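Review bot: The defaults in this new config.json are `"level": "debug"` and `"decision_logs": {"console": true}`, so every policy decision is written to the container's stdout at the most verbose level. OPA decision-log entries normally carry the query input and result, which can include subject or resource attributes that should not reach a shared log pipeline unmasked. Because configmap.yaml renders this file through `tpl`, the level could come from values with a non-debug default, e.g. `"level": "{{ .Values.log.loglevel }}"`. The `{{/* ... */}}` header should also say whether console decision logging is intended outside of test deployments.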
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml new file mode 100755 index 0000000000..1942a59f6f --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml 
@@ -0,0 +1,28 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap-config + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml new file mode 100755 index 0000000000..90ff759bb8 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml 
@@ -0,0 +1,109 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + env: + - name: UseSASLForKAFKA + value: "{{ .Values.kafka.useSASL }}" + - name: KAFKA_URL + value: {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: GROUPID + value: "{{ .Values.groupIdPrefix }}-$(POD_UID)" + - name: LOG_LEVEL + value: "{{ .Values.log.loglevel }}" + - name: PAP_TOPIC + value: "{{ .Values.kafka.topic }}" + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: opa-config + mountPath: /app/config + - name: opa-bundles + mountPath: /app/bundles + - name: logs + mountPath: /var/logs + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} + volumes: + - name: opa-config + configMap: + name: {{ include "common.fullname" . }}-configmap-config + defaultMode: 0755 + - name: opa-bundles + emptyDir: + sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml new file mode 100755 index 0000000000..faf315356c --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml @@ -0,0 +1,20 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml new file mode 100755 index 0000000000..0c47a8bd77 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml 
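Review bot: The `opa-config` volume mounts the ConfigMap with `defaultMode: 0755`, which makes every rendered config file executable. The ConfigMap only globs `*.{sql,json,properties,xml}`, so read-only is enough, e.g. `defaultMode: 0444`. Separately, `JAASLOGIN` is read unconditionally from the `-ku` secret while `UseSASLForKAFKA` is configurable, so a deployment with `kafka.useSASL` set to false would presumably still fail to start when that secret is absent. Adding `optional: true` to the `secretKeyRef`, or wrapping the entry in the same condition, avoids that. The comment about disabling the liveness probe sits above `env:` rather than above the `livenessProbe` block it describes.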
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml new file mode 100755 index 0000000000..1d45a0baef --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml index 32ccbf18d4..96774208de 100644..100755 --- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh +++ b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml 
@@ -1,34 +1,23 @@ -#!/bin/sh {{/* -# Copyright (C) 2021, 2024 Nordix Foundation. -# +# ============LICENSE_START======================================================= +# Copyright (c) 2024 Deutsche Telekom +# ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at -# + # http://www.apache.org/licenses/LICENSE-2.0 -# + # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= */}} -for schema in ${SQL_DB}; do - echo "Initializing $schema..." - /opt/app/policy/bin/prepare_upgrade.sh ${schema} - - /opt/app/policy/bin/db-migrator -s ${schema} -o report - - /opt/app/policy/bin/db-migrator -s ${schema} -o upgrade - rc=$? - - /opt/app/policy/bin/db-migrator -s ${schema} -o report - - if [ "$rc" != 0 ]; then - break - fi -done - -exit $rc +{{- if .Values.global.prometheusEnabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml new file mode 100644 index 0000000000..0971dc8d7f --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml 
@@ -0,0 +1,246 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: api-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}' + login: '{{ .Values.apiServer.user }}' + password: '{{ .Values.apiServer.password }}' + passwordPolicy: required + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-opa-pdp:1.0.4 + +pullPolicy: Always + +componentName: &componentName policy-opa-pdp + +# flag to enable debugging - application support required +debugEnabled: false + +log: + loglevel: "debug" + + +# application configuration + +permissions: + uid: 100 + gid: 102 + +restServer: + user: healthcheck + password: zb!XztG34 + +apiServer: + user: policyadmin + password: zb!XztG34 + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-opa-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +securityContext: + user_id: 1000 + group_id : 1000 + +kafka: + groupid: "policy-opa-pdp" + topic: "policy-pdp-pap" + useSASL: "true" + brokers: "onap-strimzi-kafka-bootstrap.onap:9092" + +persistence: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteMany + logsSize: 1Gi + mountPath: /dockerdata-nfs + mountSubPath: policy/opapdp + storageClass: "cinder-os" + enableDefaultStorageclass: false + parameters: {} + storageclassProvisioner: cinder-os + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + +readinessCheck: + wait_for: + services: + - 'policy-pap' + +service: + type: ClusterIP + name: *componentName + internalPort: 8282 + ports: + - name: http + port: 8282 + +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - 
serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: strimzi-kafka-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + policyDir: + sizeLimit: 100Mi + bundleDir: + sizeLimit: 5Gi + +groupIdPrefix: opa-pdp + +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - read + +metrics: + serviceMonitor: + # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. + # The default operator for prometheus enforces the below label. + labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' + release: prometheus + enabled: true + port: policy-opa-pdp + interval: 60s + isHttps: false + basicAuth: + enabled: true + externalSecretNameSuffix: policy-opa-pdp-restserver-creds + externalSecretUserKey: login + externalSecretPasswordKey: password + selector: + app: '{{ include "common.name" . 
}}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-opa-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: opa-pdp + type: group + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 29f9ed3e72..5a676e94d7 100755..100644 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -2,8 +2,8 @@ # Copyright (C) 2019 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,7 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 15.0.0 +version: 16.0.3 dependencies: - name: common @@ -35,3 +35,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 58dfc9f497..7b9a0f179e 100644 
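Review bot: `restServer.password` and `apiServer.password` are committed as the same literal default, so every installation that does not override them shares one known credential for both accounts. `passwordPolicy: required` is then satisfied by the chart default rather than by the deployer. Leaving both `password` keys unset here, with a comment such as `# supply via credsExternalSecret or a per-deployment override`, would make the `required` policy meaningful. `log.loglevel` also defaults to `"debug"`. In the same file the top-level `config:` mapping appears twice (most parsers silently keep the last), and `metrics.serviceMonitor.selector` still uses the `chart`/`release`/`heritage` labels that this commit replaces with `helm.sh/chart`, `app.kubernetes.io/instance` and `app.kubernetes.io/managed-by` for policy-drools-pdp, so the monitor may not match the service.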
--- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022-2024 Nordix Foundation +# Modifications Copyright © 2022-2025 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,21 +26,7 @@ spring: converters: preferred-json-mapper: gson datasource: -{{ if .Values.global.mariadbGalera.useInPolicy }} - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin - driverClassName: org.mariadb.jdbc.Driver - username: "${SQL_USER}" - password: "${SQL_PASSWORD}" - hikari: - maximumPoolSize: 20 - jpa: - hibernate: - ddl-auto: none - naming: - physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl - implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{- else }} - url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin driverClassName: org.postgresql.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" @@ -55,7 +41,6 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{ end }} server: port: 6969 
@@ -71,13 +56,13 @@ pap: notification.name: {{ .Values.config.kafka.topics.policyNotification }} heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} pdpParameters: - heartBeatMs: 120000 + heartBeatMs: 12000000 updateParameters: - maxRetryCount: 1 - maxWaitMs: 30000 + maxRetryCount: 3 + maxWaitMs: 36000000 stateChangeParameters: - maxRetryCount: 1 - maxWaitMs: 30000 + maxRetryCount: 3 + maxWaitMs: 36000000 savePdpStatisticsInDb: true topicParameterGroup: topicSources: diff --git a/kubernetes/policy/components/policy-pap/templates/configmap.yaml b/kubernetes/policy/components/policy-pap/templates/configmap.yaml index ee03f70b00..c84fcf0533 100755 --- a/kubernetes/policy/components/policy-pap/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-pap/templates/configmap.yaml @@ -24,11 +24,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index f7c400865f..5722563b47 100644 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml 
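Review bot: The new timer values look as if they may have gained extra zeros: `heartBeatMs: 12000000` is 200 minutes (was 2 minutes) and both `maxWaitMs: 36000000` entries are 10 hours (was 30 seconds). If PAP uses them as the names suggest, a PDP that stops reporting or never acknowledges an update would go unnoticed for hours, and the deployed policy state could be stale without any signal. If the values are intentional, a comment stating the reason belongs beside them, e.g. `# 200 min: <reason>`. Otherwise, keeping `maxRetryCount: 3` with the previous `heartBeatMs: 120000` and `maxWaitMs: 30000` preserves the retry change without the long window. The `pap:` mapping starts before this hunk.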
@@ -2,8 +2,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright (C) 2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,32 +32,7 @@ spec: spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-db-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -155,8 +130,8 @@ spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime - hostPath: - path: /etc/localtime + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} - name: empty-dir emptyDir: sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} 
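Review bot: Nothing in the `@@ -32,32 +32,7 @@` hunk records why PAP may now start without waiting for the schema migration: the removed init container blocked on the `-policy-pg-migrator-config` job, while `common.readinessCheck.waitFor` is driven by `readinessCheck.wait_for.services: [policy-api]` from values.yaml. If policy-api now owns the migration and only becomes ready afterwards, say so in a comment next to `wait_for`; if not, PAP can reach a database whose schema is not yet in place. The spec continues outside the hunk, so the remaining init containers were not reviewed. The policy-xacml-pdp deployment makes the same substitution.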
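Review bot: In the `@@ -155,8 +130,8 @@` hunk the `localtime` volume becomes an `emptyDir`, which removes the hostPath dependency but leaves a volume whose name no longer matches what it holds. The volumeMounts are outside this hunk; if a container still mounts `localtime` at `/etc/localtime`, it will see an empty directory where the zoneinfo file used to be. Removing the volume together with its mount would be cleaner than keeping an empty placeholder, and it avoids a second `emptyDir` drawing on the same `dirSizes.emptyDir.sizeLimit`. The policy-xacml-pdp deployment has the same change.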
diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 2a5d938a01..a7b3c5a4f2 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -2,8 +2,8 @@ # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022-2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2022-2025 Nordix Foundation +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,9 +27,11 @@ global: nodePortPrefixExt: 304 persistence: {} postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig @@ -71,7 +73,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:4.0.1 +image: onap/policy-pap:4.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -82,11 +84,6 @@ debugEnabled: false db: user: policy-user password: policy_user - service: - name: policy-mariadb - pgName: policy-pg-primary - internalPort: 3306 - internalPgPort: 5432 restServer: user: policyadmin @@ -133,7 +130,7 @@ service: port: 6969 - name: debug-port port: 5005 - protocol: TCP + protocol: tcp ingress: enabled: false 
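Review bot: `protocol: tcp` on `debug-port` in the `@@ -133,7 +130,7 @@` hunk is only safe if the common service template uses `protocol` as a port-name prefix rather than copying it into the Service spec. Kubernetes accepts `TCP`, `UDP` or `SCTP` for a port's `protocol`, so a verbatim lower-case value would be rejected at install time. The template is not part of this diff; rendering the chart with `helm template` would confirm it, and a short comment such as `# used as port-name prefix, not as the Service protocol` would prevent the next reader from reverting it.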
@@ -148,17 +145,17 @@ flavor: small resources: small: limits: - cpu: "1" + cpu: "3" memory: "1Gi" requests: - cpu: "0.5" + cpu: "1" memory: "1Gi" large: limits: - cpu: "2" + cpu: "4" memory: "2Gi" requests: - cpu: "1" + cpu: "2" memory: "2Gi" unlimited: {} @@ -183,9 +180,15 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: http-api + path: /policy/pap/v1/metrics interval: 60s isHttps: false basicAuth: @@ -237,3 +240,8 @@ kafkaUser: type: topic patternType: prefix operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index f4046126dd..347ca0dda2 100755..100644 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -1,8 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2024 Nordix Foundation -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright © 2021, 2024-2025 Nordix Foundation +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
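Review bot: The `metrics` hunk adds an explicit `path: /policy/pap/v1/metrics` but keeps `isHttps: false` next to `basicAuth`, so the scrape credentials travel over plain HTTP unless a service mesh encrypts that hop. Since the endpoint definition is being touched anyway, either set `isHttps: true` where the application serves TLS or add a comment stating that mesh mTLS is the assumed protection. The `serviceMonitor` block continues past the hunk, so the credential source was not reviewed. The matching hunk in policy-xacml-pdp's values.yaml (`path: /metrics`) has the same combination.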
@@ -22,7 +22,7 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 15.0.0 +version: 16.0.3 dependencies: - name: common @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~13.x-0 repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties index 478cf84ca5..8641165d3c 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2024 Nordix Foundation. All rights reserved. +# Copyright (C) 2024-2025 Nordix Foundation. All rights reserved. +# Modifications (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -67,14 +68,8 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome # # JPA Properties # -{{ if .Values.global.mariadbGalera.useInPolicy }} -eclipselink.target-database=MySQL -jakarta.persistence.jdbc.driver=org.mariadb.jdbc.Driver -jakarta.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.mariadbName }}:{{ .Values.db.service.mariadbPort }}/operationshistory -{{ else }} eclipselink.target-database=PostgreSQL jakarta.persistence.jdbc.driver=org.postgresql.Driver -jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory -{{ end }} +jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/operationshistory jakarta.persistence.jdbc.user=${SQL_USER} jakarta.persistence.jdbc.password=${SQL_PASSWORD} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/autoscaling.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/autoscaling.yaml 
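Review bot: The PostgreSQL URL now targets the database `operationshistory`, whereas the removed PostgreSQL branch used `operationhistory`; only the removed MariaDB branch used the name with the extra `s`. On an existing PostgreSQL-backed install the PDP would therefore connect to a database that may not exist after upgrade, and whatever now creates the databases is not visible in this diff. If the rename is deliberate, it should be called out in the commit message or release notes together with the migration step; otherwise keep the old name in `jakarta.persistence.jdbc.url`.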
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml index 3b1a12399e..f93d6a8d46 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml @@ -24,11 +24,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index 828f6ec2c7..cd23866263 100644 
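Review bot: In the new `autoscaling.yaml`, `metrics:` is emitted even when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set, leaving an empty list. An `autoscaling/v2` HorizontalPodAutoscaler without metrics falls back to the API default of 80% average CPU utilisation, so a values override that clears both targets silently changes behaviour instead of failing. Guarding the template with `{{- if not (or .Values.autoscaling.targetCPUUtilizationPercentage .Values.autoscaling.targetMemoryUtilizationPercentage) }}{{ fail "autoscaling needs at least one target" }}{{- end }}` makes the requirement explicit. Utilisation targets also depend on the container declaring resource requests, which is decided by the selected flavor outside this file.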
--- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -1,8 +1,8 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. -# Modifications Copyright (C) 2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -25,38 +25,20 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{ end }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name -{{ if .Values.global.mariadbGalera.useInPolicy }} - - {{ include "common.release" . }}-policy-galera-migrator-config -{{ else }} - - {{ include "common.release" . }}-policy-pg-migrator-config -{{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - name: {{ include "common.name" . }}-readiness - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -82,10 +64,14 @@ spec: key: sasl.jaas.config - name: KAFKA_URL value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid - name: SASL value: {{ .Values.kafkaUser.authenticationType | upper }} - name: GROUP_ID - value: {{ .Values.config.kafka.consumer.groupId }} + value: {{ .Values.groupIdPrefix }}-$(POD_UID) - name: PAP_TOPIC value: {{ .Values.config.app.listener.policyPdpPapTopic }} volumeMounts: 
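Review bot: The `strategy` block in the `@@ -25,38 +25,20 @@` hunk always renders `rollingUpdate`, which the API rejects when `updateStrategy.type` is overridden to `Recreate`. Wrapping the three `rollingUpdate` lines in `{{- if eq .Values.updateStrategy.type "RollingUpdate" }}` … `{{- end }}` keeps both strategies usable. The `{{ end }}` that closes the `replicas` guard should also be `{{- end }}` so it does not leave a whitespace-only line in the rendered spec.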
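Review bot: `GROUP_ID` in the `@@ -82,10 +64,14 @@` hunk is now `{{ .Values.groupIdPrefix }}-$(POD_UID)`, and a pod's UID changes every time the pod is recreated, so each restart or rollout joins Kafka under a consumer group that has never committed an offset. Whether messages published while the pod was away are replayed or skipped then depends on the consumer's offset-reset setting, which is not visible here, and abandoned groups accumulate on the broker until they expire. That trade-off deserves a comment beside `groupIdPrefix` in values.yaml, for example `# each pod uses its own consumer group so every replica receives all PAP messages`. Quoting the value, `value: "{{ .Values.groupIdPrefix }}-$(POD_UID)"`, would also protect it from YAML retyping if the prefix is overridden.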
@@ -199,8 +185,8 @@ spec: emptyDir: sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: localtime - hostPath: - path: /etc/localtime + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index bdad532b40..ff0bea4ce6 100644 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright (C) 2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,9 +24,12 @@ global: persistence: {} postgres: - useInPolicy: false - mariadbGalera: - useInPolicy: true + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 + ################################################################# # Secrets metaconfig ################################################################# @@ -54,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:4.0.1 +image: onap/policy-xacml-pdp:4.1.0 pullPolicy: Always componentName: &componentName policy-xacml-pdp 
@@ -67,11 +70,6 @@ debugEnabled: false db: user: policy-user password: policy_user - service: - mariadbName: policy-mariadb - mariadbPort: 3306 - pgName: policy-pg-primary - pgPort: 5432 restServer: user: healthcheck @@ -83,6 +81,12 @@ apiServer: # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 nodeSelector: {} @@ -100,6 +104,12 @@ readiness: initialDelaySeconds: 20 periodSeconds: 10 +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + service: type: ClusterIP name: *componentName @@ -158,6 +168,8 @@ securityContext: user_id: 100 group_id: 102 +groupIdPrefix: policy-xacml-pdp + dirSizes: emptyDir: sizeLimit: 1Gi @@ -177,9 +189,15 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true - port: policy-xacml-pdp + port: http + path: /metrics interval: 60s isHttps: false basicAuth: 
@@ -189,9 +207,9 @@ metrics: externalSecretPasswordKey: password selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' config: # Event consumption (kafka) properties @@ -208,8 +226,14 @@ kafkaUser: acls: - name: policy-xacml-pdp type: group + patternType: prefix operations: [ Create, Describe, Read, Write ] - name: policy-pdp-pap type: topic patternType: prefix operations: [ Create, Describe, Read, Write ] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh deleted file mode 100755 index d793a024df..0000000000 --- a/kubernetes/policy/resources/config/db.sh +++ /dev/null 
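Review bot: The group ACL in the `kafkaUser` hunk becomes a prefix match on the literal `policy-xacml-pdp`, which is wider than the per-pod group ids need and is not tied to `groupIdPrefix`. A prefix rule without the separator also covers any other group whose name merely starts with those characters, and an override of `groupIdPrefix` would leave the pods with group ids the ACL no longer authorises. Using `name: policy-xacml-pdp-` keeps the grant to the generated ids, and a comment such as `# must equal groupIdPrefix followed by "-"` documents the coupling. If `Create` and `Write` are not required on the group resource, narrowing `operations` to what the consumer uses would tighten this further.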
@@ -1,47 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2017 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018, 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -mysqlcmd() { mysql -h ${MYSQL_HOST} -P ${MYSQL_PORT} "$@"; }; - -i=5 -RESULT_VARIABLE=0 -echo "Check if user ${MYSQL_USER} is created in DB ${MYSQL_HOST}" -while [ $i -gt 0 ] && [ "$RESULT_VARIABLE" != 1 ] -do - i=$(( i-1 )) - RESULT_VARIABLE="$(mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" -se "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${MYSQL_USER}')")" - if [ "$RESULT_VARIABLE" = 1 ]; then - echo "User ${MYSQL_USER} exists" - else - echo "User ${MYSQL_USER} does not exist" - sleep 10 - fi -done -if [ "$RESULT_VARIABLE" != 1 ]; then - exit 1 -fi -for db in migration pooling policyadmin policyclamp operationshistory clampacm -do - echo "Create DB ${db}" - mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" - echo "Grand access for user ${MYSQL_USER}" - mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" -done -echo "Flush privileges" -mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" diff --git a/kubernetes/policy/templates/configmap.yaml b/kubernetes/policy/templates/configmap.yaml deleted file mode 100755 index c8b01ccb81..0000000000 
--- a/kubernetes/policy/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2022 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-db-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml deleted file mode 100755 index ad5b8fbf5a..0000000000 --- a/kubernetes/policy/templates/job.yaml +++ /dev/null 
@@ -1,405 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2022-2024 Nordix Foundation. -# Modifications Copyright © 2024 Deutsche Telekom -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ if .Values.global.mariadbGalera.useInPolicy }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-galera-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-galera-init - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-galera-init - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-init - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim }} - {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }} - containers: - - name: {{ include "common.name" . }}-galera-config - image: {{ include "repositoryGenerator.image.mariadb" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - volumeMounts: - - mountPath: /dbcmd-config/db.sh - name: {{ include "common.fullname" . 
}}-config - subPath: db.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db.sh - env: - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 10 }} - - name: MYSQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: MYSQL_PORT - value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" - resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-config -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - resources: - limits: - cpu: 100m - memory: 500Mi - requests: - cpu: 10m - memory: 10Mi - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db.sh - path: db.sh -{{ end }} - -{{ if .Values.global.postgres.useInPolicy }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-pg-init - namespace: {{ include "common.namespace" . 
}} - labels: - app: {{ include "common.name" . }}-pg-init - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-pg-init - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-pg-init - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim }} - {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }} - containers: - - name: {{ include "common.name" . }}-pg-config - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - volumeMounts: - - mountPath: /docker-entrypoint-initdb.d/db-pg.sh - name: {{ include "common.fullname" . }}-config - subPath: db-pg.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /docker-entrypoint-initdb.d/db-pg.sh - env: - - name: PG_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} - - name: PG_HOST - value: "{{ .Values.postgres.service.name2 }}" - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - - name: PG_USER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - - name: PG_PORT - value: "{{ .Values.postgres.service.internalPort }}" - resources: {{ include "common.resources" . | nindent 10 }} - {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-config -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.containerSecurityContext" . | indent 8 | trim }} - resources: - limits: - cpu: 100m - memory: 500Mi - requests: - cpu: 10m - memory: 10Mi - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db-pg.sh - path: db-pg.sh -{{ end }} ---- -{{ if .Values.global.mariadbGalera.useInPolicy }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-galera-migrator-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-galera-migrator-config - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-galera-migrator-config - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-migrator-config - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim }} - {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: - - name: {{ include "common.name" . }}-init-readiness - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . 
}}-galera-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - - name: {{ include "common.name" . }}-galera-db-migrator - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/policy/etc/db/ - name: {{ include "common.fullname" . }}-migration-writable - - mountPath: /dbcmd-config/db_migrator_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_policy_init.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_policy_init.sh - env: - - name: SQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schemas }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "sql" - resources: {{ include "common.resources" . | nindent 12 }} - {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - image: {{ include "repositoryGenerator.image.quitQuit" . 
}} - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-migration-writable - emptyDir: {} - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db_migrator_policy_init.sh - path: db_migrator_policy_init.sh -{{ end }} -{{ if .Values.global.postgres.useInPolicy }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-pg-migrator-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-pg-migrator-config - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-pg-migrator-config - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-pg-migrator-config - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim }} - {{- include "common.imagePullSecrets" . | nindent 6 }} - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . 
}}-pg-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: "100m" - memory: "500Mi" - requests: - cpu: "3m" - memory: "20Mi" - containers: - - name: {{ include "common.name" . }}-pg-db-migrator - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{ include "common.containerSecurityContext" . | indent 10 | trim }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_pg_policy_init.sh - - mountPath: /opt/app/policy/etc/db/ - name: {{ include "common.fullname" . }}-migration-writable - command: - - /bin/sh - - -cx - - | - {{- if include "common.requireSidecarKiller" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_pg_policy_init.sh - env: - - name: SQL_HOST - value: "{{ .Values.postgres.service.name2 }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schemas }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "postgres" - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if (include "common.requireSidecarKiller" .) }} - - name: policy-service-mesh-wait-for-job-container - image: {{ include "repositoryGenerator.image.quitQuit" . }} - imagePullPolicy: Always - {{ include "common.containerSecurityContext" . 
| indent 10 | trim }} - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-migration-writable - emptyDir: {} - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db_migrator_pg_policy_init.sh - path: db_migrator_pg_policy_init.sh -{{ end }} diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index feb29f3b0c..c76b181e18 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml @@ -18,7 +18,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: name: {{ .Values.config.policyPdpPapTopic.name }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: partitions: {{ .Values.config.policyPdpPapTopic.partitions }} @@ -30,7 +30,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: name: {{ .Values.config.policyHeartbeatTopic.name }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: partitions: {{ .Values.config.policyHeartbeatTopic.partitions }} 
@@ -42,7 +42,7 @@ apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaTopic
 metadata:
 name: {{ .Values.config.policyNotificationTopic.name }}
- labels:
+ labels: {{- include "common.labels" . | nindent 4 }}
 strimzi.io/cluster: {{ include "common.release" . }}-strimzi
 spec:
 partitions: {{ .Values.config.policyNotificationTopic.partitions }}
diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml
index d004cbe116..86ee725c42 100644
--- a/kubernetes/policy/templates/policy-kafka-user.yaml
+++ b/kubernetes/policy/templates/policy-kafka-user.yaml
@@ -19,7 +19,7 @@ apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaUser
 metadata:
 name: {{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}
- labels:
+ labels: {{- include "common.labels" . | nindent 4 }}
 strimzi.io/cluster: {{ include "common.release" . }}-strimzi
 spec:
 authentication:
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index fbaeda2a9e..32d374f118 100644
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -1,7 +1,7 @@
 # Copyright © 2017 Amdocs, Bell Canada
 # Modifications Copyright © 2018-2020 AT&T Intellectual Property
-# Modifications Copyright (C) 2021-2024 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright (C) 2021-2025 Nordix Foundation.
+# Modifications Copyright © 2024-2025 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,36 +19,17 @@
 # Global configuration defaults.
 #################################################################
 global:
- mariadbGalera:
- useInPolicy: false
- localCluster: true
- # flag to enable the DB creation via mariadb-operator
- useOperator: false
- # if useOperator set to "true", set "enableServiceAccount to "false"
- # as the SA is created by the Operator
- enableServiceAccount: true
- # '&mariadbConfig' means we "store" the values for later use in the file
- # with '*mariadbConfig' pointer.
- config: &mariadbConfig
- mysqlDatabase: policyadmin
- service: &mariadbService policy-mariadb
- internalPort: 3306
- nameOverride: *mariadbService
- # (optional) if localCluster=false and an external secret is used set this variable
- #userRootSecret: <secretName>
 prometheusEnabled: false
 postgres:
- useInPolicy: true
 localCluster: true
 # flag to enable the DB creation via pgo-operator
 useOperator: false
 service:
- name: pgset
- name2: tcp-pgset-primary
- name3: tcp-pgset-replica
- container:
- name: postgres
- nameOverride: "policy-postgres"
+ name: &postgresName policy-postgres
+ name2: &postgresName2 policy-pg-primary
+ name3: &postgresName3 policy-pg-replica
+ port: &postgresPort 5432
+ nameOverride: *postgresName
 # (optional) if localCluster=false and an external secret is used set this variable
 #userRootSecret: <secretName>
 kafkaBootstrap: strimzi-kafka-bootstrap:9092
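Review bot: The anchor `&postgresName` added on `global.postgres.service.name` is defined a second time further down in this file, where the unchanged line `nameOverride: &postgresName policy-postgres` under `postgres:` still carries it (hunk at -262,43). Both definitions currently hold `policy-postgres`, but an alias binds to the most recent anchor above it, so a later edit to one of them would silently split the values; I would change the lower line to `nameOverride: *postgresName`. Aliases are also expanded when values.yaml is parsed, so overriding `global.postgres.service.name2` or `port` from an override file does not change `postgres.service.name2` or `internalPort`; a comment such as `# anchors are parse-time copies: override postgres.service.* together with global.postgres.service.*` would make that explicit. The service names change from `pgset`/`tcp-pgset-primary` to `policy-postgres`/`policy-pg-primary` and the `useInPolicy` flags disappear, so any subchart template still reading the old values should be checked; those templates are not visible here.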
@@ -66,20 +47,7 @@ secrets:
 - uid: db-root-password
 name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
 type: password
- externalSecret: '{{ .Values.global.mariadbGalera.useInPolicy | ternary
- ( .Values.global.mariadbGalera.localCluster | ternary
- ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret") | ternary
- ""
- (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)
- )
- ( not (empty (default "" .Values.global.mariadbGalera.userRootSecret)) | ternary
- .Values.global.mariadbGalera.userRootSecret
- (include "common.mariadb.secret.rootPassSecretName"
- (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)
- )
- )
- )
- ( .Values.global.postgres.localCluster | ternary
+ externalSecret: '{{ .Values.global.postgres.localCluster | ternary
 ( hasSuffix "policy-db-root-password" (index .Values "postgres" "config" "pgRootPasswordExternalSecret") | ternary
 ""
 (tpl (default "" (index .Values "postgres" "config" "pgRootPasswordExternalSecret")) .)
@@ -90,33 +58,18 @@ secrets:
 (dict "dot" . "chartName" .Values.global.postgres.nameOverride)
 )
 )
- )
 }}'
- password: '{{ .Values.global.mariadbGalera.useInPolicy | ternary
- (index .Values "mariadb-galera" "rootUser" "password")
- (index .Values "postgres" "config" "pgRootPassword") }}'
+ password: '{{ (index .Values "postgres" "config" "pgRootPassword") }}'
 policy: generate
 - uid: db-secret
 name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret'
 type: basicAuth
- externalSecret: '{{ .Values.global.mariadbGalera.useInPolicy | ternary
- ( hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret") | ternary
- ""
- (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .)
- )
- ( hasSuffix "policy-db-secret" (index .Values "postgres" "config" "pgUserExternalSecret") | ternary
- ""
- (tpl (default "" (index .Values "postgres" "config" "pgUserExternalSecret")) .)
- )
+ externalSecret: '{{ hasSuffix "policy-db-secret" (index .Values "postgres" "config" "pgUserExternalSecret") | ternary
+ ""
+ (tpl (default "" (index .Values "postgres" "config" "pgUserExternalSecret")) .)
 }}'
- login: '{{ .Values.global.mariadbGalera.useInPolicy | ternary
- (index .Values "mariadb-galera" "db" "user")
- (index .Values "postgres" "config" "pgUserName")
- }}'
- password: '{{ .Values.global.mariadbGalera.useInPolicy | ternary
- (index .Values "mariadb-galera" "db" "password")
- (index .Values "postgres" "config" "pgUserPassword")
- }}'
+ login: '{{ (index .Values "postgres" "config" "pgUserName") }}'
+ password: '{{ (index .Values "postgres" "config" "pgUserPassword") }}'
 passwordPolicy: generate
 - uid: policy-app-user-creds
 name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds'
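Review bot: The `db-root-password` entry ends with `policy: generate` while the `db-secret` entry below it ends with `passwordPolicy: generate`, and this hunk rewrites the `password:` line directly above the former without aligning the key. If the common secret helper reads only `passwordPolicy` (its source is not shown here), the `policy:` key is ignored and the root password follows whatever the helper's default is, so I would write `passwordPolicy: generate` there or add a comment saying why the key differs. Separately, `restServer.policyPapUserPassword` further down in this file (context of the hunk at -309,14) still appears as a literal default; it is untouched by this commit, but moving it to the same `secrets:` mechanism with a generated value would keep a known credential out of default installs.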
@@ -173,6 +126,10 @@ policy-drools-pdp:
 db: *dbSecretsHook
 config:
 jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
+policy-opa-pdp:
+ enabled: true
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-distribution:
 enabled: true
 db: *dbSecretsHook
@@ -199,18 +156,6 @@ policy-nexus:
 config:
 jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
-#################################################################
-# DB configuration defaults.
-#################################################################
-
-dbmigrator:
- # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later.
- image: onap/policy-db-migrator:4.0.1
- # These schemas will be required with the new version of db-migrator
- # schemas: "policyadmin clampacm pooling operationshistory"
- schemas: "policyadmin"
- policy_home: "/opt/app/policy"
-
 subChartsOnly:
 enabled: true
@@ -220,9 +165,9 @@ debugEnabled: false
 # default number of instances
 replicaCount: 1
-nodeSelector: {}
+nodeSelector: { }
-affinity: {}
+affinity: { }
 # probe configuration parameters
 liveness:
@@ -236,7 +181,6 @@ readiness:
 initialDelaySeconds: 10
 periodSeconds: 10
-
 config:
 policyAppUserName: runtimeUser
 policyPdpPapTopic:
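Review bot: `policy-opa-pdp` is added with `enabled: true` and the same `jaasConfExternalSecret` as its neighbours (first hunk, -173,6), so an upgrade deploys a new PDP by default and it authenticates to Kafka with the shared `global.policyKafkaUser` credential. If that is intended, a comment on the block should say so; otherwise `enabled: false` as the default keeps the component opt-in until operators have reviewed it. Whether the shared KafkaUser's ACLs are wider than this PDP needs cannot be judged from here, since only the metadata of policy-kafka-user.yaml is visible, but a dedicated user limited to its own topics would contain a compromise of one PDP. Unlike `policy-drools-pdp` and `policy-distribution` the entry has no `db: *dbSecretsHook`; if that is because the component does not use the policy database, a one-line comment would stop someone adding the hook later by analogy.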
@@ -262,43 +206,18 @@ config: groupId: policy-group someConfig: blah -mariadb-galera: - # mariadb-galera.config and global.mariadbGalera.config must be equals - db: - user: policy-user - # password: - externalSecret: *dbSecretName - name: &mysqlDbName policyadmin - rootUser: - externalSecret: *dbRootPassSecretName - nameOverride: *mariadbService - # mariadb-galera.service and global.mariadbGalera.service must be equals - service: - name: *mariadbService - replicaCount: 1 - mariadbOperator: - galera: - enabled: false - persistence: - enabled: true - mountSubPath: policy/maria/data - size: 3Gi - serviceAccount: - nameOverride: *mariadbService - -postgresImage: library/postgres:17.2 # application configuration override for postgres postgres: nameOverride: &postgresName policy-postgres service: name: *postgresName - name2: policy-pg-primary - name3: policy-pg-replica - internalPort: 5432 + name2: *postgresName2 + name3: *postgresName3 + internalPort: *postgresPort container: name: - primary: policy-pg-primary - replica: policy-pg-replica + primary: *postgresName2 + replica: *postgresName3 persistence: mountSubPath: policy/postgres/data mountInitPath: policy @@ -309,14 +228,6 @@ postgres: pgUserExternalSecret: *dbSecretName pgRootPasswordExternalSecret: *dbRootPassSecretName -readinessCheck: - wait_for_postgres: - services: - - '{{ .Values.global.postgres.service.name2 }}' - wait_for_mariadb: - services: - - '{{ include "common.mariadbService" . }}' - restServer: policyPapUserName: policyadmin policyPapUserPassword: zb!XztG34 @@ -341,7 +252,7 @@ resources: requests: cpu: "200m" memory: "2Gi" - unlimited: {} + unlimited: { } securityContext: user_id: 100 |