[DCAE] Common template update for policy sidecar

Template enhanced to include policy sidecar
support for DCAE components

Issue-ID: DCAEGEN2-2689
Change-Id: Ida7eeadbcc2df2af9579fdda939d0427a7963b63
Signed-off-by: vv770d <vv770d@att.com>

diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index a6b434f..91f21ab 100644 (file)
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada

+# Copyright © 2021 AT&T

 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.


@@ -86,6 +87,10 @@
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
 {{- end -}}
 
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
 {{- end -}}
 

+{{- define "repositoryGenerator.image.dcaepolicysync" -}}
+  {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }}
+{{- end -}}
+

 {{- define "repositoryGenerator.image.envsubst" -}}
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
 {{- end -}}
 {{- define "repositoryGenerator.image.envsubst" -}}
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
 {{- end -}}

diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index 386ba9b..8a68f6d 100644 (file)
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -1,5 +1,5 @@
 # Copyright © 2020 Orange
 # Copyright © 2020 Orange

-# Copyright © 2021 Nokia
+# Copyright © 2021 Nokia, AT&T

 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.


@@ -34,6 +34,7 @@ global:
   nginxImage: bitnami/nginx:1.18-debian-10
   postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1
   readinessImage: onap/oom/readiness:3.0.1
   nginxImage: bitnami/nginx:1.18-debian-10
   postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1
   readinessImage: onap/oom/readiness:3.0.1

+  dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1

 
   # Default credentials
   # they're optional. If the target repository doesn't need them, comment them
 
   # Default credentials
   # they're optional. If the target repository doesn't need them, comment them


@@ -65,3 +66,4 @@ imageRepoMapping:
   nginxImage: dockerHubRepository
   postgresImage: dockerHubRepository
   readinessImage: repository
   nginxImage: dockerHubRepository
   postgresImage: dockerHubRepository
   readinessImage: repository

+  dcaePolicySyncImage: repository

diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
index 80b4cbc..9c9cc70 100644 (file)
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
@@ -2,6 +2,7 @@
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.

+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.

 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.


@@ -113,12 +114,21 @@ certificate information will include a server cert and key, in various
 formats.  It will also include the AAF CA cert.   If the microservice is
 a TLS client only (indicated by setting .Values.tlsServer to false), the
 certificate information includes only the AAF CA cert.
 formats.  It will also include the AAF CA cert.   If the microservice is
 a TLS client only (indicated by setting .Values.tlsServer to false), the
 certificate information includes only the AAF CA cert.

+
+Deployed POD may also include a Policy-sync sidecar container.
+The sidecar is included if .Values.policies is set.  The
+Policy-sync sidecar polls PolicyEngine (PDP) periodically based
+on .Values.policies.duration and configuration retrieved is shared with
+DCAE Microservice container by common volume. Policy can be retrieved based on
+list of policyID or filter

 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}
 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}

+{{- $policy := default "" .Values.policies -}}
+

 apiVersion: apps/v1
 kind: Deployment
 metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 apiVersion: apps/v1
 kind: Deployment
 metadata: {{- include "common.resourceMetadata" . | nindent 2 }}


@@ -236,6 +246,10 @@ spec:
         - mountPath: {{ $certDir }}
           name: tls-info
         {{- end }}
         - mountPath: {{ $certDir }}
           name: tls-info
         {{- end }}

+        {{- if $policy }}
+        - name: policy-shared
+          mountPath: /etc/policies
+        {{- end }}

       {{- if $logDir }}
       - image: {{ include "repositoryGenerator.image.logging" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
       {{- if $logDir }}
       - image: {{ include "repositoryGenerator.image.logging" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}


@@ -256,6 +270,53 @@ spec:
           name: filebeat-conf
           subPath: filebeat.yml
       {{- end }}
           name: filebeat-conf
           subPath: filebeat.yml
       {{- end }}

+      {{- if $policy }}
+      - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: policy-sync
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: POLICY_SYNC_PDP_USER
+          valueFrom:
+            secretKeyRef:
+              name: onap-policy-xacml-pdp-api-creds
+              key: login
+        - name: POLICY_SYNC_PDP_PASS
+          valueFrom:
+            secretKeyRef:
+              name: onap-policy-xacml-pdp-api-creds
+              key: password
+        - name: POLICY_SYNC_PDP_URL
+          value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 
+        - name: POLICY_SYNC_OUTFILE
+          value : "/etc/policies/policies.json"
+        - name: POLICY_SYNC_V1_DECISION_ENDPOINT
+          value : "policy/pdpx/v1/decision"
+        {{- if $policy.filter }}
+        - name: POLICY_SYNC_FILTER
+          value: {{ $policy.filter }}
+        {{- end -}}
+        {{- if $policy.policyID }}
+        - name: POLICY_SYNC_ID
+          value: {{ $policy.policyID }}
+        {{- end -}}
+        {{- if $policy.duration }}
+        - name: POLICY_SYNC_DURATION
+          value: {{ $policy.duration }}
+        {{- end }}
+        resources: {{ include "common.resources" . | nindent 2 }}
+        volumeMounts:
+        - mountPath: /etc/policies
+          name: policy-shared
+        {{- if $certDir }}
+        - mountPath: /opt/ca-certificates/
+          name: tls-info
+        {{- end }}
+      {{- end }}

       hostname: {{ include "common.name" . }}
       volumes:
       - configMap:
       hostname: {{ include "common.name" . }}
       volumes:
       - configMap:


@@ -279,6 +340,10 @@ spec:
       - emptyDir: {}
         name: tls-info
       {{- end }}
       - emptyDir: {}
         name: tls-info
       {{- end }}

+      {{- if $policy }}
+      - name: policy-shared
+        emptyDir: {}
+      {{- end }}

       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}

diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
index da6dc8f..89cf134 100644 (file)
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
@@ -1,6 +1,7 @@
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.

+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.

 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.


@@ -35,6 +36,7 @@ filebeatConfig:
 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
 
 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
 

+

 #################################################################
 # Application configuration defaults.
 #################################################################
 #################################################################
 # Application configuration defaults.
 #################################################################


@@ -84,6 +86,17 @@ service:
     - port: 9091
       name: http
 
     - port: 9091
       name: http
 

+# Policy configuraiton properties
+# if present, policy-sync side car will be deployed
+
+#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1
+#policies:
+#  duration: 300
+#  policyID: |
+#    '["onap.vfirewall.tca","abc"]'
+#  filter: |
+#    '["DCAE.Config_vfirewall_.*"]'
+

 aaiCreds:
   user: DCAE
   password: DCAE
 aaiCreds:
   user: DCAE
   password: DCAE