# Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property # Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################# # Global configuration defaults. ################################################################# global: mariadbGalera: # flag to enable the DB creation via mariadb-operator useOperator: true # if useOperator set to "true", set "enableServiceAccount to "false" # as the SA is created by the Operator enableServiceAccount: false localCluster: true # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig mysqlDatabase: policyadmin service: &mariadbService policy-mariadb internalPort: 3306 nameOverride: *mariadbService # (optional) if localCluster=false and an external secret is used set this variable #userRootSecret: prometheusEnabled: false postgres: localCluster: false service: name: pgset name2: tcp-pgset-primary name3: tcp-pgset-replica container: name: postgres kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user kafkaTopics: acRuntimeTopic: name: policy.clamp-runtime-acm ################################################################# # Secrets metaconfig ################################################################# secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password externalSecret: '{{ .Values.global.mariadbGalera.localCluster | ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) ) ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | ternary .Values.global.mariadbGalera.userRootSecret (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) ) ) }}' password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' policy: generate - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret' type: basicAuth externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}' login: '{{ index .Values "mariadb-galera" "db" "user" }}' password: '{{ index .Values "mariadb-galera" "db" "password" }}' passwordPolicy: generate - uid: policy-app-user-creds name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}' login: '{{ .Values.config.policyAppUserName }}' password: '{{ .Values.config.policyAppUserPassword }}' passwordPolicy: generate - uid: policy-pap-user-creds name: &policyPapCredsSecret '{{ include "common.release" . }}-policy-pap-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.restServer.policyPapUserExternalSecret) . }}' login: '{{ .Values.restServer.policyPapUserName }}' password: '{{ .Values.restServer.policyPapUserPassword }}' passwordPolicy: required - uid: policy-api-user-creds name: &policyApiCredsSecret '{{ include "common.release" . }}-policy-api-user-creds' type: basicAuth externalSecret: '{{ tpl (default "" .Values.restServer.policyApiUserExternalSecret) . }}' login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required db: &dbSecretsHook credsExternalSecret: *dbSecretName policy-api: enabled: true db: *dbSecretsHook restServer: apiUserExternalSecret: *policyApiCredsSecret config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-pap: enabled: true db: *dbSecretsHook restServer: papUserExternalSecret: *policyPapCredsSecret apiUserExternalSecret: *policyApiCredsSecret config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-xacml-pdp: enabled: true db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-apex-pdp: enabled: true db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-drools-pdp: enabled: false db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-distribution: enabled: true db: *dbSecretsHook policy-clamp-ac-k8s-ppnt: enabled: true policy-clamp-ac-pf-ppnt: enabled: true restServer: apiUserExternalSecret: *policyApiCredsSecret papUserExternalSecret: *policyPapCredsSecret policy-clamp-ac-http-ppnt: enabled: true policy-clamp-ac-a1pms-ppnt: enabled: true policy-clamp-ac-kserve-ppnt: enabled: true policy-clamp-runtime-acm: enabled: true db: *dbSecretsHook config: appUserExternalSecret: *policyAppCredsSecret policy-nexus: enabled: false config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-gui: enabled: false config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' ################################################################# # DB configuration defaults. ################################################################# dbmigrator: image: onap/policy-db-migrator:3.1.2 schema: policyadmin policy_home: "/opt/app/policy" subChartsOnly: enabled: true # flag to enable debugging - application support required debugEnabled: false # default number of instances replicaCount: 1 nodeSelector: {} affinity: {} # probe configuration parameters liveness: initialDelaySeconds: 10 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: initialDelaySeconds: 10 periodSeconds: 10 config: policyAppUserName: runtimeUser policyPdpPapTopic: name: policy-pdp-pap partitions: 10 retentionMs: 7200000 segmentBytes: 1073741824 consumer: groupId: policy-group policyHeartbeatTopic: name: policy-heartbeat partitions: 10 retentionMs: 7200000 segmentBytes: 1073741824 consumer: groupId: policy-group policyNotificationTopic: name: policy-notification partitions: 10 retentionMs: 7200000 segmentBytes: 1073741824 consumer: groupId: policy-group someConfig: blah mariadb-galera: # mariadb-galera.config and global.mariadbGalera.config must be equals db: user: policy-user # password: externalSecret: *dbSecretName name: &mysqlDbName policyadmin rootUser: externalSecret: *dbRootPassSecretName nameOverride: *mariadbService # mariadb-galera.service and global.mariadbGalera.service must be equals service: name: *mariadbService replicaCount: 1 mariadbOperator: galera: enabled: false persistence: enabled: true mountSubPath: policy/maria/data serviceAccount: nameOverride: *mariadbService postgresImage: library/postgres:latest # application configuration override for postgres postgres: nameOverride: &postgresName policy-postgres service: name: *postgresName name2: policy-pg-primary name3: policy-pg-replica container: name: primary: policy-pg-primary replica: policy-pg-replica persistence: mountSubPath: policy/postgres/data mountInitPath: policy config: pgUserName: policy-user pgDatabase: policyadmin pgUserExternalSecret: *dbSecretName pgRootPasswordExternalSecret: *dbRootPassSecretName readinessCheck: wait_for_postgres: services: - '{{ .Values.global.postgres.service.name2 }}' wait_for_mariadb: services: - '{{ include "common.mariadbService" . }}' restServer: policyPapUserName: policyadmin policyPapUserPassword: zb!XztG34 policyApiUserName: policyadmin policyApiUserPassword: zb!XztG34 # Resource Limit flavor -By Default using small # Segregation for Different environment (small, large, or unlimited) flavor: small resources: small: limits: cpu: "1" memory: "4Gi" requests: cpu: "100m" memory: "1Gi" large: limits: cpu: "2" memory: "8Gi" requests: cpu: "200m" memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: nameOverride: policy roles: - read