[PMS] Updated a1pms chart to work with new a1pms images 83/141583/5
authorsaul.gill <saul.gill@est.tech>
Wed, 16 Jul 2025 15:03:29 +0000 (16:03 +0100)
committersaul.gill <saul.gill@est.tech>
Mon, 28 Jul 2025 15:18:21 +0000 (16:18 +0100)
Update image version
Update config files
Add required env variables
Make tracing configurable globally

Issue-ID: CCSDK-4127
Change-Id: I30469af678ccc9242613b7d6520a27e41aa49fc7
Signed-off-by: saul.gill <saul.gill@est.tech>
kubernetes/a1policymanagement/resources/config/application.yaml
kubernetes/a1policymanagement/resources/config/logback-plain.xml [new file with mode: 0644]
kubernetes/a1policymanagement/templates/statefulset.yaml
kubernetes/a1policymanagement/values.yaml

index 789f3eb..e9e5479 100644 (file)
@@ -5,6 +5,7 @@
 # ================================================================================
 # Copyright (C) 2020 Nordix Foundation. All rights reserved.
 # Copyright (C) 2021 Orange. All rights reserved.
+# Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # ============LICENSE_END=========================================================
 #
 */}}
-spring:
-  profiles:
-    active: prod
-  main:
-    allow-bean-definition-overriding: true
-  aop:
-    auto: false
-management:
-  endpoints:
-    web:
-      exposure:
-        # Enabling of springboot actuator features. See springboot documentation.
-        include: "loggers,logfile,health,info,metrics,threaddump,heapdump"
+app:
+  # A file containing an authorization token, which shall be inserted in each HTTP header (authorization).
+  # If the file name is empty, no authorization token is sent.
+  auth-token-file:
+  # A URL to authorization provider such as OPA. Each time an A1 Policy is accessed, a call to this
+  # authorization provider is done for access control. If this is empty, no fine grained access control is done.
+  authorization-provider:
+  # the config-file-schema-path refers to a location in the jar file. If this property is empty or missing,
+  # no schema validation will be executed.
+  config-file-schema-path: /application_configuration_schema.json
+  # Postgres database usage is enabled using the below parameter.
+  # If this is enabled, the application will use postgres database for storage.
+  # This overrides the s3(s3.bucket) or file store(vardata-directory) configuration if enabled.
+  database-enabled: {{ .Values.app.databaseEnabled | default false }}
+  # Location of the component configuration file.
+  filepath: /opt/app/policy-agent/data/application_configuration.json
+  # S3 object store usage is enabled by defining the bucket to use. This will override the vardata-directory parameter.
+  s3:
+    endpointOverride: {{ .Values.app.s3.endpointOverride | default "http://minio-service:9000" }}
+    accessKeyId: {{ .Values.app.s3.accessKeyId | default "minio" }}
+    secretAccessKey: {{ .Values.app.s3.secretAccessKey | default "miniostorage" }}
+    bucket: {{ .Values.app.s3.bucket | default "" }}
+  webclient:
+    # Configuration of usage of HTTP Proxy for the southbound accesses.
+    # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
+    # proxy-type can be either HTTP, SOCKS4 or SOCKS5
+    http.proxy-host:
+    http.proxy-port: 0
+    http.proxy-type: HTTP
+    # Configuration of the trust store used for the HTTP client (outgoing requests)
+    # The file location and the password for the truststore is only relevant if trust-store-used == true
+    # Note that the same keystore as for the server is used.
+    trust-store-used: false
+    trust-store-password: policy_agent
+    trust-store: /opt/app/policy-agent/etc/cert/truststore.jks
+  # path where the service can store data. This parameter is not relevant if S3 Object store is configured.
+  vardata-directory: {{ .Values.app.vardataDirectory | default "/var/policy-management-service" }}
+  # Options for schema validation of the policy and policy status. Options: NONE, INFO, WARN, FAIL
+  validate-policy-instance-schema: NONE
+lifecycle:
+  timeout-per-shutdown-phase: "20s"
 
 logging:
+  config: {{ .Values.app.logging.config }}
+  # Reactive logging filter
+  reactive-entry-exit-filter-enabled: {{ .Values.app.reactiveEntryExitFilterEnabled | default true }}
+  reactive-entry-exit-filter-exclude-paths: {{ .Values.app.reactiveEntryExitFilterExcludePaths | default "" }}
   # Configuration of logging
+  file:
+    name: /var/log/policy-agent/application.log
   level:
     ROOT: ERROR
+    org.onap.ccsdk.oran.a1policymanagementservice: INFO
     org.springframework: ERROR
     org.springframework.data: ERROR
     org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR
-    org.onap.ccsdk.oran.a1policymanagementservice: INFO
-  file:
-    name: /var/log/policy-agent/application.log
+    org.springframework.web.servlet.DispatcherServlet: ERROR
+  pattern:
+    console: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5level] [%thread] %logger{20} - %msg%n"
+    file: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5level] [%thread] %logger{20} - %msg%n"
+management:
+  endpoint:
+    shutdown:
+      enabled: true
+  endpoints:
+    web:
+      exposure:
+        # Enabling of springboot actuator features. See springboot documentation.
+        include: "loggers,logfile,health,info,metrics,threaddump,heapdump,shutdown"
+  tracing:
+    enabled: {{ .Values.global.tracing.enabled | default true }}
+    propagation:
+      produce: [{{ .Values.global.tracing.propagator.produce.type }}]
+    sampling:
+      probability: {{ .Values.global.tracing.sampling.probability | default "1.0" }}
+otel:
+  exporter:
+    otlp:
+      traces:
+        endpoint: {{ .Values.global.tracing.collector.baseUrl | default "http://jaeger:4317" }}
+        protocol: {{ .Values.global.tracing.collector.protocol | default "grpc" }}
+  logs:
+    exporter: none
+  metrics:
+    exporter: none
+  sdk:
+  {{- if not .Values.global.tracing.enabled }}
+    disabled: true
+    south: false
+  instrumentation:
+    spring-webflux:
+      enabled: false
+  {{- else }}
+    disabled: {{ .Values.global.tracing.sdk.disabled | default false }}
+    south: {{ .Values.global.tracing.sdk.south | default true }}
+  instrumentation:
+    spring-webflux:
+      enabled: {{ .Values.global.tracing.north.enabled | default true }}
+  {{- end }}
+  tracing:
+    sampler:
+      jaeger_remote:
+        endpoint: {{ .Values.global.tracing.sampling.baseUrl | default "http://jaeger:14250" }}
 server:
   # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
   # See springboot documentation.
-  #port: 8081
-  http-port: 8081
+  port : 8081
+  shutdown: "graceful"
   ssl:
     enabled: false
-    key-store-type: PKCS12
-    key-store-password: ""
-    key-store: ""
-    key-password: ""
-    key-alias: ""
-app:
-  # Location of the component configuration file. The file will only be used if the Consul database is not used;
-  # configuration from the Consul will override the file.
-  filepath: /opt/app/policy-agent/data/application_configuration.json
-  webclient:
-    trust-store-used: false
-    trust-store-password: ""
-    trust-store: ""
-    # Configuration of usage of HTTP Proxy for the southbound accesses.
-    # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
-    http.proxy-host:
-    http.proxy-port: 0
+    # trust-store-password:
+    # trust-store:
+spring:
+  aop:
+    auto: false
+  application:
+    name: a1-pms
+  flyway:
+    # Configuration of the postgres database to be used for database migration.
+    # This is where the flyway maintains the information about the sql files loaded.
+    # These values can be passed via configmap/secret/env variable based on the installation.
+    # By default, Flyway uses location classpath:db/migration to load the sql files.
+    # This can be overridden using "flyway.locations" to have a different location.
+    baseline-on-migrate: true
+    url: "jdbc:postgresql://127.0.0.1:5432/a1pms"
+    user: a1pms
+    password: mypwd
+  main:
+    allow-bean-definition-overriding: true
+  profiles:
+    active: prod
+  r2dbc:
+    # Configuration of the postgres database to be used by the application.
+    # These values can be passed via configmap/secret/env variable based on the installation.
+    url: {{ .Values.app.r2dbc.url | default "r2dbc:postgresql://postgres-service:5432/a1pms" }}
+    username: {{ .Values.app.r2dbc.username | default "a1pms" }}
+    password: {{ .Values.app.r2dbc.password | default "mypwd" }}
+springdoc:
+  show-actuator: true
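Review bot: The new `secretAccessKey`, flyway `password: mypwd`, r2dbc `password:` and `trust-store-password: policy_agent` entries put credentials into a file that is presumably rendered into the chart's ConfigMap, while the chart already feeds the controller credentials through `common.secret.envFromSecretFast` in statefulset.yaml; these should go through the same `secrets:` list (the `app:` defaults added to values.yaml carry the same plaintext values). The templated scalars here are also unquoted, so a real key or password containing `#`, `: ` or a leading YAML special breaks the rendered file, whereas the statefulset hunks apply `| quote` to the same values, e.g. `secretAccessKey: {{ .Values.app.s3.secretAccessKey | default "miniostorage" | quote }}`. Enabling `management.endpoint.shutdown` and adding `shutdown` to the actuator web exposure list publishes a remote stop of the service on the same plain-HTTP port 8081 (`ssl.enabled: false`); unless something outside this hunk authenticates actuator calls, `shutdown` (and `heapdump`, which can expose in-memory configuration) should be dropped from `include`. Separately, `spring.flyway.url` is fixed at `jdbc:postgresql://127.0.0.1:5432/a1pms` while `spring.r2dbc.url` is templated to `postgres-service`, so with `database-enabled: true` the migration would presumably target a database that is not in the pod; deriving it from the same templated value (for example `url: {{ .Values.app.r2dbc.url | replace "r2dbc:" "jdbc:" | quote }}`) would keep the two aligned.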
diff --git a/kubernetes/a1policymanagement/resources/config/logback-plain.xml b/kubernetes/a1policymanagement/resources/config/logback-plain.xml
new file mode 100644 (file)
index 0000000..014a983
--- /dev/null
@@ -0,0 +1,35 @@
+<!--
+  ~ ============LICENSE_START=======================================================
+  ~ ONAP : ccsdk oran
+  ~ ================================================================================
+  ~ Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
+  ~ ================================================================================
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~ ============LICENSE_END=======================================================
+  ~
+-->
+<configuration>
+    <appender name="console" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>
+                %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ} [%thread] %-5level %logger - %msg [facility=%X{facility}, subject=%X{subject}, traceId=%mdc{traceId}] %n%xEx
+            </pattern>
+        </encoder>
+    </appender>
+
+    <root level="${ROOT_LOG_LEVEL:-INFO}">
+        <appender-ref ref="console"/>
+    </root>
+
+    <logger name="/" level="${ROOT_LOG_LEVEL:-INFO}"/>
+</configuration>
\ No newline at end of file
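Review bot: This logback configuration defines only a console appender, so the `logging.file.name: /var/log/policy-agent/application.log` kept in application.yaml and the `logfile` actuator endpoint presumably have no file to serve once `logging.config` points at this file; either add a file appender that reads `${LOG_FILE}` or drop the unused `logging.file.name`. The `<logger name="/" level="${ROOT_LOG_LEVEL:-INFO}"/>` element is unusual — a logger named `/` matches no package, so it looks like it duplicates the root logger configured just above and can be removed if that is the intent. The file also ends without a trailing newline.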
index 4458744..3191087 100644 (file)
@@ -50,6 +50,24 @@ spec:
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
         - name: A1CONTROLLER_PASSWORD
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
+        - name: LOGBACK_CONFIG_FILE
+          value: {{ .Values.app.logging.config | quote }}
+{{- if .Values.global.tracing.enabled }}
+        - name: ONAP_PROPAGATOR_PRODUCE
+          value: "[{{ .Values.global.tracing.propagator.produce.type }}]"
+        - name: ONAP_OTEL_EXPORTER_ENDPOINT
+          value: {{ .Values.global.tracing.collector.baseUrl | quote }}
+        - name: ONAP_OTEL_EXPORTER_PROTOCOL
+          value: {{ .Values.global.tracing.collector.protocol | quote }}
+        - name: ONAP_SDK_DISABLED
+          value: {{ .Values.global.tracing.sdk.disabled | quote }}
+        - name: ONAP_TRACING_SOUTHBOUND
+          value: {{ .Values.global.tracing.sdk.south | quote }}
+        - name: ONAP_TRACING_NORTHBOUND
+          value: {{ .Values.global.tracing.north.enabled | quote }}
+        - name: ONAP_OTEL_SAMPLER_JAEGER_REMOTE_ENDPOINT
+          value: {{ .Values.global.tracing.sampling.baseUrl | quote }}
+{{- end }}
         volumeMounts:
         - mountPath: /config-input
           name: {{ include "common.fullname" . }}-policy-conf-input
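Review bot: `LOGBACK_CONFIG_FILE` is set to the bare value of `.Values.app.logging.config` (`logback-plain.xml` by default), while the file is mounted at `/opt/app/policy-agent/logback-plain.xml` in the later volumeMounts hunk; whether the relative name resolves depends on the container's working directory, which this hunk does not show, so `value: {{ printf "/opt/app/policy-agent/%s" .Values.app.logging.config | quote }}` or a value that already carries the full path would be safer. The same env block is repeated verbatim in the hunk at `@@ -72,6 +90,24 @@`; a named template (say `a1pms.tracingEnv`, included in both containers) would keep the two from drifting. The enclosing container spec starts outside the hunk.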
@@ -72,6 +90,24 @@ spec:
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
         - name: A1CONTROLLER_PASSWORD
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
+        - name: LOGBACK_CONFIG_FILE
+          value: {{ .Values.app.logging.config | quote }}
+{{- if .Values.global.tracing.enabled }}
+        - name: ONAP_PROPAGATOR_PRODUCE
+          value: "[{{ .Values.global.tracing.propagator.produce.type }}]"
+        - name: ONAP_OTEL_EXPORTER_ENDPOINT
+          value: {{ .Values.global.tracing.collector.baseUrl | quote }}
+        - name: ONAP_OTEL_EXPORTER_PROTOCOL
+          value: {{ .Values.global.tracing.collector.protocol | quote }}
+        - name: ONAP_SDK_DISABLED
+          value: {{ .Values.global.tracing.sdk.disabled | quote }}
+        - name: ONAP_TRACING_SOUTHBOUND
+          value: {{ .Values.global.tracing.sdk.south | quote }}
+        - name: ONAP_TRACING_NORTHBOUND
+          value: {{ .Values.global.tracing.north.enabled | quote }}
+        - name: ONAP_OTEL_SAMPLER_JAEGER_REMOTE_ENDPOINT
+          value: {{ .Values.global.tracing.sampling.baseUrl | quote }}
+{{- end }}
         volumeMounts:
         - mountPath: /tmp/scripts
           name: {{ include "common.fullname" . }}-envsubst-scripts
@@ -96,6 +132,9 @@ spec:
           initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
           periodSeconds: {{ .Values.liveness.periodSeconds }}
         volumeMounts:
+        - name: config
+          mountPath: /opt/app/policy-agent/logback-plain.xml
+          subPath: logback-plain.xml
         - name: config
           mountPath: /opt/app/policy-agent/data/application_configuration.json
           subPath: application_configuration.json
@@ -105,6 +144,10 @@ spec:
         - name: {{ include "common.fullname" . }}
           mountPath: "/var/policy-management-service/database"
         resources: {{ include "common.resources" . | nindent 10 }}
+        securityContext:
+          runAsUser: {{ .Values.mainUserId }}
+          runAsGroup: {{ .Values.mainGroupId }}
+          runAsNonRoot: true
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
         - name: {{ include "common.fullname" . }}-policy-conf-input
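Review bot: The new container `securityContext` sets the user, group and `runAsNonRoot` but leaves the other hardening fields at their defaults; adding `allowPrivilegeEscalation: false` and `capabilities:` / `  drop: ["ALL"]` (and `readOnlyRootFilesystem: true` if the image only writes under the mounted paths) under the same key completes the baseline. `runAsGroup` takes `.Values.mainGroupId`, which values.yaml sets to `101` while the existing `groupID` is `999` with the same "should match with image-defined group ID" comment, so one of the two is presumably stale. The env hunks earlier in this file show two containers and only this one gains a securityContext; if the other is the init container it should get the same block.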
index 9ae6b60..5253af0 100644 (file)
 global:
   nodePortPrefix: 302
   persistence: {}
+  tracing:
+    enabled: false
+    propagator:
+      produce:
+        # This can have several options included in a comma separated list W3C,B3,B3_MULTI
+        type: W3C
+    collector:
+      baseUrl: "http://jaeger:4317"
+      protocol: "grpc"
+    sampling:
+      baseUrl: "http://jaeger:14250"
+      probability: "1.0"
+    sdk:
+      south: true
+      disabled: false
+    north:
+      enabled: true
 
 secrets:
   - uid: controller-secret
@@ -30,9 +47,12 @@ secrets:
     password: '{{ .Values.a1controller.password }}'
     passwordPolicy: required
 
-image: onap/ccsdk-oran-a1policymanagementservice:1.5.0
+image: onap/ccsdk-oran-a1policymanagementservice:2.1.0
 userID: 1000 #Should match with image-defined user ID
 groupID: 999 #Should match with image-defined group ID
+mainUserId: 1000 #Should match with image-defined user ID
+mainGroupId: 101 #Should match with image-defined group ID
+
 pullPolicy: IfNotPresent
 replicaCount: 1
 
@@ -134,3 +154,29 @@ serviceAccount:
   nameOverride: a1policymanagement
   roles:
     - read
+
+app:
+  # False here will result in local file storage
+  databaseEnabled: false
+
+  r2dbc:
+    # The R2DBC URL for the Postgres database.
+    # Example: r2dbc:postgresql://<host>:<port>/<database>
+    url: r2dbc:postgresql://postgres-service:5432/a1pms
+    username: a1pms
+    password: mypwd
+  # Leaving bucket blank will disable S3 object store usage.
+  s3:
+    endpointOverride: http://minio-service:9000
+    accessKeyId: minio
+    secretAccessKey: miniostorage
+    bucket:
+
+  vardataDirectory: /var/policy-management-service
+
+  logging:
+    config: logback-plain.xml
+    reactiveEntryExitFilterEnabled: true
+    reactiveEntryExitFilterExcludePaths: ""
+
+
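Review bot: `bucket:` under `app.s3` is a bare key, which YAML reads as null rather than the empty string the comment describes; application.yaml passes it through `default ""`, which renders another bare `bucket: `, so write `bucket: ""` here to make the intent explicit. `password: mypwd` and `secretAccessKey: miniostorage` are plaintext defaults for the credentials already flagged on the application.yaml hunk and belong in the `secrets:` list above, with `passwordPolicy: required` as the controller secret uses. The hunk also adds two trailing blank lines at end of file.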