author | 2024-12-20 15:18:03 +0100 | |
committer | 2024-12-23 06:16:16 +0100 | |
commit | be5104f21cce47c3f3c46571047d998179a679ab (patch) | |
tree | 538ee7ffdce7494bc47fc9eec665bfa2287a990d | |
parent | 32fd1f3c1e22dbeb69e3cc150a6fb1b72ea0ed53 (diff) |
Added changes for performance and stability for opa-pdp
Issue-ID: POLICY-5215
Change-Id: Iea19dfd4a46509a60d7b4a41f714fd8221ce2d0d
Signed-off-by: srinivasyanamadala <srinivas.yanamadala@techmahindra.com>
16 files changed, 612 insertions, 5 deletions
diff --git a/csit/resources/scripts/get-cluster-info.sh b/csit/resources/scripts/get-cluster-info.sh
index d8e4217c..92e92ee8 100755
--- a/csit/resources/scripts/get-cluster-info.sh
+++ b/csit/resources/scripts/get-cluster-info.sh
@@ -1,7 +1,10 @@
 #!/bin/bash
 # ============LICENSE_START=======================================================
 # Copyright (C) 2023-2024 Nordix Foundation. All rights reserved.
+# Modifications Copyright © 2024 Deutsche Telekom
 # ================================================================================
+#
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -32,6 +35,7 @@ export PF_PARTICIPANT_PORT=30008
 export HTTP_PARTICIPANT_PORT=30009
 export K8S_PARTICIPANT_PORT=30010
 export SIM_PARTICIPANT_PORT=30011
+export OPA_PORT=30012
 export SIMULATOR_PORT=30904
 
 # Retrieve pod names
@@ -41,6 +45,7 @@ function get_pod_names() {
 export API_POD=$(get_pod_name api)
 export DMAAP_POD=$(get_pod_name message-router)
 export XACML_POD=$(get_pod_name xacml)
+ export OPA_POD=$(get_pod_name opa-pdp)
 export DROOLS_POD=$(get_pod_name drools-pdp)
 export DIST_POD=$(get_pod_name distribution)
 export ACM_POD=$(get_pod_name acm-runtime)
@@ -58,6 +63,7 @@ function get_svc_names() {
 export DMAAP_SVC=$(get_svc_name message-router)
 export DROOLS_SVC=$(get_svc_name drools-pdp)
 export XACML_SVC=$(get_svc_name policy-xacml-pdp)
+ export OPA_SVC=$(get_svc_name policy-opa-pdp)
 export DIST_SVC=$(get_svc_name policy-distribution)
 export ACM_SVC=$(get_svc_name policy-clamp-runtime-acm)
 export POLICY_PPNT_SVC=$(get_svc_name policy-clamp-ac-pf-ppnt)
@@ -72,6 +78,7 @@ function expose_services() {
 expose_service $PAP_SVC
 expose_service $API_SVC
 expose_service $XACML_SVC
+ expose_service_opa_pdp $OPA_SVC
 expose_service $DROOLS_SVC
 expose_service $DIST_SVC
 expose_service $ACM_SVC
@@ -93,6 +100,10 @@ function get_svc_name() {
 microk8s kubectl get svc --no-headers -o custom-columns=':metadata.name' | grep $1
 }
 
+function expose_service_opa_pdp() {
+ microk8s kubectl expose service $1 --name $1"-svc" --type NodePort --protocol TCP --port 8282 --target-port 8282
+}
+
 function expose_service() {
 microk8s kubectl expose service $1 --name $1"-svc" --type NodePort --protocol TCP --port 6969 --target-port 6969
 }
@@ -114,6 +125,7 @@ function patch_ports() {
 patch_port "$DIST_SVC" $DIST_PORT
 patch_port "$DROOLS_SVC" $DROOLS_PORT
 patch_port "$XACML_SVC" $XACML_PORT
+ patch_port "$OPA_SVC" $OPA_PORT
 }
 
 function setup_message_router_svc() {
diff --git a/csit/run-k8s-csit.sh b/csit/run-k8s-csit.sh
index a2430623..3f6e5a44 100755
--- a/csit/run-k8s-csit.sh
+++ b/csit/run-k8s-csit.sh
@@ -2,7 +2,10 @@
 #
 # ============LICENSE_START====================================================
 # Copyright (C) 2022-2024 Nordix Foundation.
+# Modifications Copyright © 2024 Deutsche Telekom
 # =============================================================================
+#
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -33,6 +36,7 @@ POLICY_API_ROBOT="api-test.robot api-slas.robot"
 POLICY_PAP_ROBOT="pap-test.robot pap-slas.robot"
 POLICY_APEX_PDP_ROBOT="apex-pdp-test.robot apex-slas.robot"
 POLICY_XACML_PDP_ROBOT="xacml-pdp-test.robot xacml-pdp-slas.robot"
+POLICY_OPA_PDP_ROBOT="opa-pdp-test.robot"
 POLICY_DROOLS_PDP_ROBOT="drools-pdp-test.robot"
 POLICY_DISTRIBUTION_ROBOT="distribution-test.robot"
 
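Review bot: `expose_service_opa_pdp` is a verbatim copy of `expose_service` with only the port changed, and both leave `$1` unquoted in the `kubectl expose` call, so the per-port copies will keep multiplying as PDPs are added. Give `expose_service` an optional port argument with the current value as default, `expose_service() { local port=${2:-6969}; microk8s kubectl expose service "$1" --name "$1-svc" --type NodePort --protocol TCP --port "$port" --target-port "$port"; }`, and call it as `expose_service "$OPA_SVC" 8282` in `expose_services` (that call site is in the earlier hunk of this file). The unquoted `grep $1` in `get_svc_name` just above is unchanged context but has the same quoting gap and matches by substring, which is worth a note at the call site since `policy-opa-pdp` is passed as a bare pattern.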
@@ -42,6 +46,7 @@ POLICY_CLAMP_CONTAINER="policy-clamp-runtime-acm"
 POLICY_APEX_CONTAINER="policy-apex-pdp"
 POLICY_DROOLS_CONTAINER="policy-drools-pdp"
 POLICY_XACML_CONTAINER="policy-xacml-pdp"
+POLICY_OPA_CONTAINER="policy-opa-pdp"
 POLICY_DISTRIBUTION_CONTAINER="policy-distribution"
 POLICY_K8S_PPNT_CONTAINER="policy-clamp-ac-k8s-ppnt"
 POLICY_HTTP_PPNT_CONTAINER="policy-clamp-ac-http-ppnt"
@@ -289,6 +294,12 @@ function set_project_config() {
 export SET_VALUES="--set $POLICY_XACML_CONTAINER.enabled=true"
 ;;
 
+ opa-pdp | policy-opa-pdp)
+ export ROBOT_FILE=($POLICY_OPA_PDP_ROBOT)
+ export READINESS_CONTAINERS=($POLICY_API_CONTAINER,$POLICY_PAP_CONTAINER,$POLICY_OPA_CONTAINER)
+ export SET_VALUES="--set $POLICY_OPA_CONTAINER.enabled=true"
+ ;;
+
 drools-pdp | policy-drools-pdp)
 export ROBOT_FILE=($POLICY_DROOLS_PDP_ROBOT)
 export READINESS_CONTAINERS=($POLICY_DROOLS_CONTAINER)
@@ -304,11 +315,11 @@ function set_project_config() {
 *)
 echo "Unknown project supplied. Enabling all policy charts for the deployment"
 export READINESS_CONTAINERS=($POLICY_APEX_CONTAINER,$POLICY_API_CONTAINER,$POLICY_PAP_CONTAINER,
- $POLICY_DISTRIBUTION_CONTAINER,$POLICY_DROOLS_CONTAINER,$POLICY_XACML_CONTAINER,
+ $POLICY_DISTRIBUTION_CONTAINER,$POLICY_DROOLS_CONTAINER,$POLICY_XACML_CONTAINER,$POLICY_OPA_CONTAINER,
 $POLICY_CLAMP_CONTAINER,$POLICY_PF_PPNT_CONTAINER,$POLICY_K8S_PPNT_CONTAINER,
 $POLICY_HTTP_PPNT_CONTAINER,$POLICY_SIM_PPNT_CONTAINER)
 export SET_VALUES="--set $POLICY_APEX_CONTAINER.enabled=true --set $POLICY_XACML_CONTAINER.enabled=true
- --set $POLICY_DISTRIBUTION_CONTAINER.enabled=true --set $POLICY_DROOLS_CONTAINER.enabled=true
+ --set $POLICY_OPA_CONTAINER.enabled=true --set $POLICY_DISTRIBUTION_CONTAINER.enabled=true --set $POLICY_DROOLS_CONTAINER.enabled=true
 --set $POLICY_CLAMP_CONTAINER.enabled=true --set $POLICY_PF_PPNT_CONTAINER.enabled=true --set $POLICY_K8S_PPNT_CONTAINER.enabled=true --set $POLICY_HTTP_PPNT_CONTAINER.enabled=true --set $POLICY_SIM_PPNT_CONTAINER.enabled=true"
diff --git a/helm/policy/Chart.yaml b/helm/policy/Chart.yaml
index 9eb39120..8caccf55 100755
--- a/helm/policy/Chart.yaml
+++ b/helm/policy/Chart.yaml
@@ -1,5 +1,7 @@
 # Copyright © 2022-2024 Nordix Foundation
 #
+# Modifications Copyright © 2024 Deutsche Telekom
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -15,7 +17,7 @@ apiVersion: v2
 description: ONAP Policy
 name: policy
-version: 11.0.0
+version: 11.0.1
 dependencies:
 - name: mariadb-galera
@@ -54,6 +56,10 @@ dependencies:
 version: ~11.x-0
 repository: 'file://components/policy-drools-pdp'
 condition: policy-drools-pdp.enabled
+ - name: policy-opa-pdp
+ version: ~11.x-0
+ repository: 'file://components/policy-opa-pdp'
+ condition: policy-opa-pdp.enabled
 - name: policy-xacml-pdp
 version: ~11.x-0
 repository: 'file://components/policy-xacml-pdp'
diff --git a/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json b/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json
index 8d197f67..70943d68 100644
--- a/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json
+++ b/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json
@@ -9,7 +9,7 @@
 "prometheus": true
 },
 "pdpStatusParameters": {
- "pdpGroup": "sampleGroup",
+ "pdpGroup": "defaultGroup",
 "timeIntervalMs": 20000,
 "pdpType": "apex",
 "description": "Pdp Heartbeat",
@@ -47,4 +47,4 @@
 }
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/helm/policy/components/policy-opa-pdp/Chart.yaml b/helm/policy/components/policy-opa-pdp/Chart.yaml
new file mode 100755
index 00000000..b3c34fc6
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/Chart.yaml
@@ -0,0 +1,23 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy OPA PDP
+name: policy-opa-pdp
+version: 11.0.0
+
diff --git a/helm/policy/components/policy-opa-pdp/resources/config/config.json b/helm/policy/components/policy-opa-pdp/resources/config/config.json
new file mode 100755
index 00000000..f0adf0d2
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/resources/config/config.json
@@ -0,0 +1,43 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+{
+ "logging": {
+ "level": "debug"
+ },
+ "services": [
+ {
+ "name": "opa-bundle-server",
+ "url": "http://policy-opa-pdp:8282/opa/bundles"
+ }
+ ],
+ "bundles": {
+ "opabundle": {
+ "service": "opa-bundle-server",
+ "resource": "bundle.tar.gz",
+ "polling": {
+ "min_delay_seconds": 60,
+ "max_delay_seconds": 120
+ }
+ }
+ },
+ "decision_logs": {
+ "console": true
+ }
+}
diff --git a/helm/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/helm/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
Binary files differ
new file mode 100755
index 00000000..572e9639
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
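Review bot: `"level": "debug"` and `"decision_logs": {"console": true}` are hardcoded in the OPA configuration the chart ships, while values.yaml in this same commit already exposes `log.loglevel` and deployment.yaml passes it to the container as `LOG_LEVEL`, so the two log levels can silently diverge. This file is rendered through `tpl` in the ConfigMap template, so `"level": "{{ .Values.log.loglevel }}"` would keep them in step. OPA decision logs carry each query's input and result, so with console output enabled every policy query's input document lands in pod stdout; that may be intended for CSIT, but a comment above `"decision_logs"` stating it is a test default and should be disabled or pointed at a collector for real deployments would stop it being copied as-is. The bundle service URL is plain in-cluster HTTP to the PDP's own Service with no bundle `signing` block, which is acceptable while the bundle server is the PDP itself but should be revisited if that endpoint is ever externalised.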
diff --git a/helm/policy/components/policy-opa-pdp/templates/configmap.yaml b/helm/policy/components/policy-opa-pdp/templates/configmap.yaml
new file mode 100755
index 00000000..36ad7cf4
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/configmap.yaml
@@ -0,0 +1,49 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-configmap-policies-data
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+ {{- with .Files.Glob "resources/policies/*" }}
+binaryData:
+ {{- range $path, $bytes := . }}
+ {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-configmap-config
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+data:
+{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
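Review bot: `namespace: default` and `release: release` are hardcoded in both ConfigMaps here and again in deployment.yaml, pvc.yaml, role-binding.yaml, secret.yaml, service-account.yaml and service.yaml of this chart, which pins the whole component to the default namespace and makes the `release` label useless for distinguishing installs; `namespace: {{ .Release.Namespace }}` and `release: {{ .Release.Name }}` are the conventional values and, presumably, what the sibling policy components use. The first ConfigMap embeds every file under `resources/policies/*` as `binaryData`, while the init container in deployment.yaml extracts exactly `/tmp/policies/policy-data.tar.gz`, so any other file dropped into that directory is shipped but ignored; a comment above the `{{- with .Files.Glob ... }}` line naming the expected archive would make that contract explicit.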
diff --git a/helm/policy/components/policy-opa-pdp/templates/deployment.yaml b/helm/policy/components/policy-opa-pdp/templates/deployment.yaml
new file mode 100755
index 00000000..100c00bb
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/deployment.yaml
@@ -0,0 +1,153 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Chart.Name }}
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Chart.Name }}
+ release: release
+ spec:
+ initContainers:
+ - command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ echo "*** set right permissions to the different folders"
+ chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log;
+ chmod -R 755 /var/log
+ chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/;
+ chmod -R 755 /opt/*
+ tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
+ image: busybox:latest
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ name: {{ .Chart.Name }}-readiness
+ volumeMounts:
+ - name: logs
+ mountPath: /var/log
+ - name: tmp-policies-data
+ mountPath: /tmp/policies
+ - name : opa-policies-data
+ mountPath: /opt/
+
+ containers:
+ - name: {{ .Chart.Name }}
+ image: {{ .Values.global.image.opapdp }}
+ imagePullPolicy: {{ .Values.global.pullPolicy }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.readiness.api }}
+ port: {{ .Values.service.internalPort }}
+ httpHeaders:
+ - name: Authorization
+ value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }}
+ scheme: HTTP
+ successThreshold: {{ .Values.readiness.successThreshold }}
+ failureThreshold: {{ .Values.readiness.failureThreshold }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ timeoutSeconds: {{ .Values.readiness.timeout }}
+ env:
+ - name: UseSASLForKAFKA
+ value: "{{ .Values.kafka.useSASL }}"
+ - name: BOOSTSTRAP_SERVER
+ value: "{{ .Values.kafka.brokers }}"
+ - name: KAFKA_USERNAME
+ value: "{{ .Values.kafka.username }}"
+ - name: KAFKA_PASSWORD
+ value: "{{ .Values.kafka.password }}"
+ - name: LOG_LEVEL
+ value: "{{ .Values.log.loglevel }}"
+ - name: GROUPID
+ value: "{{ .Values.kafka.groupid }}"
+ - name: TOPIC
+ value: "{{ .Values.kafka.topic }}"
+ volumeMounts:
+ - name: opa-policies-data
+ mountPath: /opt
+ - name: opa-config
+ mountPath: /app/config
+ - name: opa-bundles
+ mountPath: /app/bundles
+ - name: logs
+ mountPath: /var/log
+ resources:
+{{ toYaml .Values.resources.small | indent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ serviceAccountName: {{ .Chart.Name }}-read
+ volumes:
+ - name: tmp-policies-data
+ configMap:
+ name: {{ .Chart.Name }}-configmap-policies-data
+ defaultMode: 0755
+ - name: opa-policies-data
+ persistentVolumeClaim:
+ claimName: {{ .Chart.Name }}-policies-data
+ - name: opa-config
+ configMap:
+ name: {{ .Chart.Name }}-configmap-config
+ defaultMode: 0755
+ - name: opa-bundles
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }}
+
+ imagePullSecrets:
+ - name: "default-docker-registry-key"
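Review bot: The init container runs `chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }}` and `chmod -R 755` under `runAsUser: 1000`, but changing ownership to a different uid needs CAP_CHOWN and chmod needs ownership of the files, so these calls fail; because the `sh -c` script has no `set -e`, only the final `tar` decides the exit status and the permission setup silently does nothing. Replace the chown/chmod lines with a pod-level `securityContext.fsGroup` (honoured for the emptyDir volumes; confirm the hostpath provisioner behind the PVC applies it) and leave the init step as just the extraction. The main container has no `securityContext` at all while the init container sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the equivalent block belongs on it too, assuming the image runs as the non-root user that `permissions.uid: 100` suggests. `KAFKA_PASSWORD` and the base64 basic-auth readiness header are rendered as plain values in the pod spec even though this commit also creates the `-restserver-creds` Secret that nothing consumes; the Kafka credentials at least should come through `valueFrom.secretKeyRef`, and `BOOSTSTRAP_SERVER` deserves a comment confirming the application reads that exact spelling. Finally, `imagePullPolicy: {{ .Values.global.pullPolicy }}` on the main container lacks the `| default .Values.pullPolicy` fallback the init container has, and values.yaml defines only the non-global `pullPolicy: Always`, so unless the parent chart sets `global.pullPolicy` it renders empty and the `-SNAPSHOT` tag may not be re-pulled.
```yaml
    spec:
      # fsGroup makes mounted volumes group-writable without chown; honoured for
      # emptyDir, confirm for the hostpath-backed PVC
      securityContext:
        fsGroup: {{ .Values.permissions.gid }}
      # … unchanged: initContainers, reduced to the tar extraction …
      containers:
        - name: {{ .Chart.Name }}
          image: {{ .Values.global.image.opapdp }}
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, livenessProbe, readinessProbe …
          env:
            # … unchanged: UseSASLForKAFKA, BOOSTSTRAP_SERVER, KAFKA_USERNAME …
            - name: KAFKA_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: KAFKA_SECRET_NAME_PLACEHOLDER  # a Secret this chart must also create
                  key: password
            # … unchanged: LOG_LEVEL, GROUPID, TOPIC …
          # … unchanged: volumeMounts, resources …
```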
diff --git a/helm/policy/components/policy-opa-pdp/templates/pvc.yaml b/helm/policy/components/policy-opa-pdp/templates/pvc.yaml
new file mode 100755
index 00000000..6f0f7e1f
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/pvc.yaml
@@ -0,0 +1,41 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Chart.Name }}-policies-data
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: 13.0.1
+ heritage: {{ .Release.Service }}
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5G
+ storageClassName: microk8s-hostpath
+ volumeMode: Filesystem
+
+
diff --git a/helm/policy/components/policy-opa-pdp/templates/role-binding.yaml b/helm/policy/components/policy-opa-pdp/templates/role-binding.yaml
new file mode 100755
index 00000000..cc409ca9
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/role-binding.yaml
@@ -0,0 +1,34 @@
+{{/*
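Review bot: `storageClassName: microk8s-hostpath`, `storage: 5G` and `accessModes: - ReadWriteMany` are hardcoded, which ties the chart to a microk8s cluster and ignores the `global.persistence: {}` hook that values.yaml declares in this same commit; these should be read from values so the claim can bind elsewhere, for example `storageClassName: {{ .Values.global.persistence.storageClass | default "microk8s-hostpath" }}` with a matching key added to values.yaml. ReadWriteMany on a hostpath class also only works because every replica lands on the same node, which is worth a comment next to `accessModes` given `replicaCount` is configurable. The labels are inconsistent with the rest of the chart: `release: 13.0.1` is a literal version string where the other templates use `release: release`, and `heritage: {{ .Release.Service }}` where they use `heritage: Helm`.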
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: RoleBinding
+metadata:
+ name: {{ .Chart.Name }}-read
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Chart.Name }}-read
+roleRef:
+ kind: Role
+ name: read
+ apiGroup: rbac.authorization.k8s.io
+
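Review bot: The comment `# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.` is the Kubernetes RBAC documentation example and describes neither this object (a namespaced RoleBinding) nor its subject (the chart's own ServiceAccount), so it misstates the privilege being granted; replace it with `# Binds the chart's ServiceAccount to the "read" Role in this namespace.`. The `read` Role is not created anywhere in this commit, so it is presumably supplied by the parent policy chart; a second comment naming where it lives, and what it permits, would let a reviewer confirm the PDP gets no more than it needs. Adding `namespace: {{ .Release.Namespace }}` to the ServiceAccount subject would also make the binding explicit rather than relying on the default to the binding's own namespace.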
diff --git a/helm/policy/components/policy-opa-pdp/templates/secret.yaml b/helm/policy/components/policy-opa-pdp/templates/secret.yaml
new file mode 100755
index 00000000..013e474b
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/secret.yaml
@@ -0,0 +1,33 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Chart.Name }}-restserver-creds
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+type: Opaque
+stringData:
+ login: {{ .Values.restServer.user }}
+ password: {{ .Values.restServer.password }}
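Review bot: `login: {{ .Values.restServer.user }}` and `password: {{ .Values.restServer.password }}` are rendered unquoted under `stringData:`, so a password containing YAML-significant characters (`: `, ` #`, a leading `*`, `&` or `!`) would break or silently alter the manifest; use `login: {{ .Values.restServer.user | quote }}` and `password: {{ .Values.restServer.password | quote }}`. Nothing in the chart references this Secret — deployment.yaml builds the readiness-probe Authorization header directly from the same values — and values.yaml also declares a `secrets:` list with `credsExternalSecret` that no template in this commit consumes (presumably meant for a shared secret template in the parent chart), so one of the two mechanisms should be wired to the Deployment and the other removed or documented as unused.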
diff --git a/helm/policy/components/policy-opa-pdp/templates/service-account.yaml b/helm/policy/components/policy-opa-pdp/templates/service-account.yaml
new file mode 100755
index 00000000..709e9055
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/service-account.yaml
@@ -0,0 +1,25 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}-read
+ namespace: default
diff --git a/helm/policy/components/policy-opa-pdp/templates/service.yaml b/helm/policy/components/policy-opa-pdp/templates/service.yaml
new file mode 100755
index 00000000..7eef3af4
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/service.yaml
@@ -0,0 +1,40 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ name: {{ .Values.service.portName }}
+ selector:
+ app: {{ .Chart.Name }}
+ release: release
+
diff --git a/helm/policy/components/policy-opa-pdp/values.yaml b/helm/policy/components/policy-opa-pdp/values.yaml
new file mode 100755
index 00000000..0667987f
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/values.yaml
@@ -0,0 +1,117 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ persistence: {}
+ image:
+ opapdp: nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.5-SNAPSHOT
+log:
+ loglevel: "debug"
+
+permissions:
+ uid: 100
+ gid: 102
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: restserver-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+ login: '{{ .Values.restServer.user }}'
+ password: '{{ .Values.restServer.password }}'
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# application configuration
+
+restServer:
+ user: policyadmin
+ password: zb!XztG34
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 10
+ periodSeconds: 120
+ api: /ready
+ successThreshold: 1
+ failureThreshold: 3
+ timeout: 60
+
+service:
+ type: ClusterIP
+ name: policy-opa-pdp
+ portName: http
+ externalPort: 8282
+ internalPort: 8282
+
+ingress:
+ enabled: false
+
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 1
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+ unlimited: {}
+
+dirSizes:
+ bundleDir:
+ sizeLimit: 1000Mi
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: policy-opa-pdp
+ roles:
+ - read
+kafka:
+ groupid: "policy-opa-pdp"
+ topic: "policy-pdp-pap"
+ useSASL: "false"
+ username: ""
+ password: ""
+ brokers: "kafka.default.svc.cluster.local:9092"
+
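Review bot: `restServer.password: zb!XztG34` ships a working default credential with the chart, and together with `log.loglevel: "debug"` and the `1.0.5-SNAPSHOT` image tag these are CSIT settings rather than deployable defaults; a comment above `restServer:` stating that the values are for CSIT only and must be overridden (or supplied via `credsExternalSecret`) would keep them from being installed as-is. `permissions.uid: 100` / `gid: 102` do not match the `runAsUser: 1000` / `runAsGroup: 1000` hardcoded in deployment.yaml's init container, so one of the two should reference the other. `readiness.periodSeconds: 120` with `timeout: 60` and `failureThreshold: 3` means a pod can take up to two minutes to be marked ready and several minutes to be marked unready after failures, which may be deliberate for stability but deserves a comment given the commit's stated purpose.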
diff --git a/helm/policy/components/policy-pap/resources/config/groups.json b/helm/policy/components/policy-pap/resources/config/groups.json
index 3f62ee52..2d981e7c 100644
--- a/helm/policy/components/policy-pap/resources/config/groups.json
+++ b/helm/policy/components/policy-pap/resources/config/groups.json
@@ -1,6 +1,26 @@
 {
 "groups": [
 {
+ "name": "opaGroup",
+ "version": "1.0.0",
+ "description": "The group that registers policy types for opa.",
+ "pdpGroupState": "ACTIVE",
+ "pdpSubgroups": [
+ {
+ "pdpType": "opa",
+ "desiredInstanceCount": 1,
+ "properties": {},
+ "supportedPolicyTypes": [
+ {
+ "name": "onap.policies.native.opa",
+ "version": "1.0.0"
+ }
+ ],
+ "policies": []
+ }
+ ]
+ },
+ {
 "name": "defaultGroup",
 "version": "1.0.0",
 "description": "The default group that registers all supported policy types and pdps.", |