kafka groupid and OPA-PDP Phase-2 changes 32/140332/13
authorDeena Mukundan <dm00536893@techmahindra.com>
Thu, 27 Feb 2025 09:29:57 +0000 (10:29 +0100)
committerDeena Mukundan <dm00536893@techmahindra.com>
Tue, 25 Mar 2025 14:01:53 +0000 (15:01 +0100)
Issue-ID: POLICY-5298
Change-Id: I0d7b404cd195c3d12c0a49015873f839e0b20043
Signed-off-by: Deena Mukundan <dm00536893@techmahindra.com>
kubernetes/policy/Chart.yaml
kubernetes/policy/components/policy-opa-pdp/Chart.yaml
kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz [deleted file]
kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml [deleted file]
kubernetes/policy/components/policy-opa-pdp/values.yaml

index 52e3bf3..f7e1e50 100644 (file)
@@ -50,7 +50,7 @@ dependencies:
     repository: 'file://components/policy-drools-pdp'
     condition: policy-drools-pdp.enabled
   - name: policy-opa-pdp
-    version: ~15.x-0
+    version: ~16.x-0
     repository: 'file://components/policy-opa-pdp'
     condition: policy-opa-pdp.enabled
   - name: policy-distribution
index 6416e50..78a804a 100644 (file)
@@ -19,7 +19,7 @@
 apiVersion: v2
 description: ONAP Policy OPA PDP (PDP-O)
 name: policy-opa-pdp
-version: 15.0.0
+version: 16.0.0
 
 dependencies:
   - name: common
@@ -31,3 +31,6 @@ dependencies:
   - name: serviceAccount
     version: ~13.x-0
     repository: '@local'
+  - name: readinessCheck
+    version: ~13.x-0
+    repository: '@local'
index e978b84..bb18a3b 100755 (executable)
   "logging": {
     "level": "debug"
   },
-  "services": [
-    {
-      "name": "opa-bundle-server",
-      "url": "http://policy-opa-pdp:8282/opa/bundles"
-    }
-  ],
-  "bundles": {
-    "opabundle": {
-      "service": "opa-bundle-server",
-      "resource": "bundle.tar.gz",
-      "polling": {
-        "min_delay_seconds": 60,
-        "max_delay_seconds": 120
-      }
-    }
-  },
   "decision_logs": {
     "console": true
   }
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
deleted file mode 100644 (file)
index fa841c0..0000000
Binary files a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz and /dev/null differ
index cc08af6..4a3f85e 100755 (executable)
@@ -27,16 +27,3 @@ metadata:
 data:
 {{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "common.fullname" . }}-configmap-policies-data
-  namespace: {{ include "common.namespace" . }}
-  labels: {{- include "common.labels" . | nindent 4 }}
-{{- with .Files.Glob "resources/policies/*" }}
-binaryData:
-{{- range $path, $bytes := . }}
-       {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
-{{- end }}
-{{- end }}
index 6c25bac..744562d 100755 (executable)
@@ -29,29 +29,7 @@ spec:
     spec:
       {{ include "common.podSecurityContext" . | indent 6 | trim }}
       initContainers:
-      - command:
-        - /bin/sh
-        args:
-          - -c
-          - |
-            echo "*** set right permissions to the different folders"
-            chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log;
-            chmod -R 755 /var/log
-            chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/;
-            chmod -R 755 /opt/*
-            tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
-        image: {{ include "repositoryGenerator.image.busybox" . }}
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
-        name: {{ include "common.name" . }}-readiness
-        volumeMounts:
-        - name: logs
-          mountPath: /var/log
-        - name: tmp-policies-data
-          mountPath: /tmp/policies
-        - name : opa-policies-data
-          mountPath: /opt/
-
+        {{ include "common.readinessCheck.waitFor" . | nindent 8 }}
       containers:
       - name: {{ include "common.name" . }}
         {{ include "common.containerSecurityContext" . | indent 10 | trim }}
@@ -65,8 +43,12 @@ spec:
           value: "{{ .Values.kafka.useSASL }}"
         - name: KAFKA_URL
           value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+        - name: POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
         - name: GROUPID
-          value: "{{ .Values.kafka.groupid }}"
+          value: "{{ .Values.groupIdPrefix }}-$(POD_UID)"
         - name: LOG_LEVEL
           value: "{{ .Values.log.loglevel }}"
         - name: PAP_TOPIC
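Review bot: `.Values.kafka.groupid` is no longer read by this template once GROUPID is built from `groupIdPrefix` and `$(POD_UID)`, yet values.yaml still ships `kafka.groupid: "policy-opa-pdp"` (visible as context in the values.yaml hunk), so operators can set a value that has no effect; either drop that key or mark it with `# unused: the consumer group is <groupIdPrefix>-<pod uid>, see deployment.yaml`. The `$(POD_UID)` reference only expands because POD_UID is declared above GROUPID in the env list (kubelet expands `$(VAR)` only for earlier entries), so a comment such as `# POD_UID must stay above GROUPID for $(POD_UID) to expand` would protect that ordering against a later reshuffle. Since each pod restart produces a fresh group id, the chart docs should also say that stale `opa-pdp-*` consumer groups accumulate on the broker until offset retention expires them. The env list continues outside the hunk.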
@@ -97,9 +79,6 @@ spec:
           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         volumeMounts:
-
-        - name: opa-policies-data
-          mountPath: /opt
         - name: opa-config
           mountPath: /app/config
         - name: opa-bundles
@@ -117,13 +96,6 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
-      - name: tmp-policies-data
-        configMap:
-          name: {{ include "common.fullname" . }}-configmap-policies-data
-          defaultMode: 0755
-      - name: opa-policies-data
-        persistentVolumeClaim:
-           claimName: {{ include "common.fullname" . }}-policies-data
       - name: opa-config
         configMap:
           name: {{ include "common.fullname" . }}-configmap-config
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
deleted file mode 100755 (executable)
index 5a1e9e3..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-#  ============LICENSE_START=======================================================
-#   Copyright (C) 2025 Deutsche Telekom Intellectual Property.
-#  ================================================================================
-#  Licensed under the Apache License, Version 2.0 (the "License");
-#  you may not use this file except in compliance with the License.
-#  You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#  See the License for the specific language governing permissions and
-#  limitations under the License.
-#
-#  SPDX-License-Identifier: Apache-2.0
-#  ============LICENSE_END=========================================================
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "common.fullname" . }}-policies-data
-  namespace: {{ include "common.namespace" . }}
-  labels: {{- include "common.labels" . | nindent 4 }}
-spec:
-  accessModes:
-    - {{ .Values.persistence.accessMode }}
-  resources:
-    requests:
-      storage: {{ .Values.persistence.logsSize }}
-  storageClassName: {{ include "common.storageClass" . }}
-  volumeMode: Filesystem
-
-{{- end }}
index 20c7e51..b7a5944 100644 (file)
@@ -43,7 +43,8 @@ secrets:
 # Application configuration defaults.
 #################################################################
 # application image
-image: onap/policy-opa-pdp:1.0.0
+image: onap/policy-opa-pdp:1.0.4
+
 pullPolicy: Always
 
 componentName: &componentName policy-opa-pdp
@@ -79,20 +80,19 @@ config:
       policyPdpPapTopic: policy-pdp-pap
 
 securityContext:
-  user_id: 0
-  group_id : 0
-  runAsNonRoot: false
+  fsGroup: 1000
+  user_id: 1000
+  group_id : 1000
+  runAsNonRoot: true
+  runAsUser: 1000
 
 
 containerSecurityContext:
-  enabled: true
-  privileged: false
-  allowPrivilegeEscalation: true
+  runAsGroup: 1000
+  runAsUser: 1000
+  runAsNonRoot: true
   readOnlyRootFilesystem: false
-  runAsNonRoot: false
-  runAsUser: 0
-  runAsGroup: 0
-
+  allowPrivilegeEscalation: true
 
 kafka:
   groupid: "policy-opa-pdp"
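Review bot: `allowPrivilegeEscalation: true` is kept in `containerSecurityContext` although the container now runs as uid/gid 1000 with `runAsNonRoot: true`; nothing in the hunk shows a need for setuid binaries, so it should be `allowPrivilegeEscalation: false` so the move to non-root cannot be undone inside the container. The hunk also drops `enabled: true` and `privileged: false` — if the `common.containerSecurityContext` helper gates rendering on `.enabled`, the security context would stop rendering entirely, which is worth confirming against the rendered manifest. `readOnlyRootFilesystem: false` remains; with the bundle directory already on its own volume, turning it on is the natural follow-up. Minor style: `group_id : 1000` has a space before the colon, `group_id: 1000` matches the rest of the file.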
@@ -133,6 +133,11 @@ readiness:
   initialDelaySeconds: 20
   periodSeconds: 10
 
+readinessCheck:
+  wait_for:
+    services:
+      - 'policy-pap'
+
 service:
   type: ClusterIP
   name: *componentName
@@ -198,6 +203,7 @@ dirSizes:
   bundleDir:
     sizeLimit: 5Gi
 
+groupIdPrefix: opa-pdp
 
 #Pods Service Account
 serviceAccount:
@@ -244,8 +250,9 @@ config:
 kafkaUser:
   authenticationType: scram-sha-512
   acls:
-    - name: policy-opa-pdp
+    - name: opa-pdp
       type: group
+      patternType: prefix
       operations: [ Create, Describe, Read, Write ]
     - name: policy-pdp-pap
       type: topic
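Review bot: The group ACL name `opa-pdp` duplicates the value of `groupIdPrefix: opa-pdp` added earlier in this file; if an operator changes the prefix, the prefix-pattern ACL silently stops matching and the PDP loses Read on its per-pod consumer group. The file already uses a YAML anchor for `componentName`, so the same mechanism keeps the two in sync: `groupIdPrefix: &groupIdPrefix opa-pdp` and `- name: *groupIdPrefix`. A comment on the entry, `# prefix match: one consumer group per pod, named <groupIdPrefix>-<pod uid>`, would record why `patternType: prefix` is required here. The acls list continues past the end of the hunk.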