summaryrefslogtreecommitdiffstats
path: root/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-policy_handler-inputs.yaml
blob: 9cd37b5e2a0c64ea8b393f23a7ebc04047410839 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#============LICENSE_START========================================================
#=================================================================================
# Copyright (c) 2017-2018 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2018 Amdocs, Bell Canada
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================

{{ if .Values.componentImages.policy_handler }}
policy_handler_image: {{ include "common.repository" . }}/{{ .Values.componentImages.policy_handler }}
{{ end }}
application_config:
  policy_handler :
    # parallelize the getConfig queries to policy-engine on each policy-update notification
    thread_pool_size : 4

    # parallelize requests to policy-engine and keep them alive
    pool_connections : 20

    # retry to getConfig from policy-engine on policy-update notification
    policy_retry_count : 5
    policy_retry_sleep : 5

    # mode of operation for the policy-handler
    # either active or passive
    # in passive mode the policy-hanlder will not listen to
    #                 and will not bring the policy-updates from policy-engine
    mode_of_operation : "active"

    # config of automatic catch_up for resiliency
    catch_up :
        # interval in seconds on how often to call automatic catch_up
        # example: 1200 is 20*60 seconds that is 20 minutes
        interval : 1200

    # config of periodic reconfigure-rediscover for adaptability
    reconfigure:
        # interval in seconds on how often to call automatic reconfigure
        # example: 600 is 10*60 seconds that is 10 minutes
        interval : 600

    # policy-engine config
    # These are the url of and the auth for the external system, namely the policy-engine (PDP).
    # We obtain that info manually from PDP folks at the moment.
    # In long run we should figure out a way of bringing that info into consul record
    #    related to policy-engine itself.
    # - k8s specific routing to policy-engine by hostname "pdp"
    # - relying on dns to resolve hostname "pdp" to ip address
    # - expecing to find "pdp" as the hostname in server cert from policy-engine
    policy_engine :
        url : "https://{{ .Values.config.address.policy_pdp }}.{{include "common.namespace" . }}:8081"
        path_notifications : "/pdp/notifications"
        path_api : "/pdp/api/"
        headers :
            Accept : "application/json"
            "Content-Type" : "application/json"
            ClientAuth : "cHl0aG9uOnRlc3Q="
            Authorization : "Basic dGVzdHBkcDphbHBoYTEyMw=="
            Environment : "TEST"
        target_entity : "policy_engine"
        # optional tls_ca_mode specifies where to find the cacert.pem for tls
        #   can be one of these:
        #       "cert_directory" - use the cacert.pem stored locally in cert_directory.
        #                          this is the default if cacert.pem file is found
        #
        #       "os_ca_bundle"     - use the public ca_bundle provided by linux system.
        #                          this is the default if cacert.pem file not found
        #
        #       "do_not_verify"  - special hack to turn off the verification by cacert and hostname
        tls_ca_mode : "cert_directory"
        # optional tls_wss_ca_mode specifies the same for the tls based web-socket
        tls_wss_ca_mode : "cert_directory"
        # optional timeout_in_secs specifies the timeout for the http requests
        timeout_in_secs: 60
        # optional ws_ping_interval_in_secs specifies the ping interval for the web-socket connection
        ws_ping_interval_in_secs: 30
    # deploy_handler config
    #    changed from string "deployment_handler" in 2.3.1 to structure in 2.4.0
    deploy_handler :
        # name of deployment-handler service used by policy-handler for logging
        target_entity : "deployment_handler"
        # url of the deployment-handler service for policy-handler to direct the policy-updates to
        #   - expecting dns to resolve the hostname deployment-handler to ip address
        url : "https://deployment-handler:8443"
        # limit the size of a single data segment for policy-update messages
        #       from policy-handler to deployment-handler in megabytes
        max_msg_length_mb : 5
        query :
            # optionally specify the tenant name for the cloudify under deployment-handler
            #    if not specified the "default_tenant" is used by the deployment-handler
            cfy_tenant_name : "default_tenant"
        # optional tls_ca_mode specifies where to find the cacert.pem or skip tls verification
        #   can be one of these:
        #       "cert_directory" - use the cacert.pem stored locally in cert_directory.
        #                          this is the default if cacert.pem file is found
        #
        #       "os_ca_bundle"     - use the public ca_bundle provided by linux system.
        #                          this is the default if cacert.pem file not found
        #
        #       "do_not_verify"  - special hack to turn off the verification by cacert and hostname
        tls_ca_mode : "cert_directory"
        # optional timeout_in_secs specifies the timeout for the http requests
        timeout_in_secs: 60