# ================================================================================
# Copyright (C) 2020 Nordix Foundation. All rights reserved.
# Copyright (C) 2021 Orange. All rights reserved.
+# Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ============LICENSE_END=========================================================
#
*/}}
-spring:
- profiles:
- active: prod
- main:
- allow-bean-definition-overriding: true
- aop:
- auto: false
-management:
- endpoints:
- web:
- exposure:
- # Enabling of springboot actuator features. See springboot documentation.
- include: "loggers,logfile,health,info,metrics,threaddump,heapdump"
+app:
+ # A file containing an authorization token, which shall be inserted in each HTTP header (authorization).
+ # If the file name is empty, no authorization token is sent.
+ auth-token-file:
+ # A URL to authorization provider such as OPA. Each time an A1 Policy is accessed, a call to this
+ # authorization provider is done for access control. If this is empty, no fine grained access control is done.
+ authorization-provider:
+ # the config-file-schema-path refers to a location in the jar file. If this property is empty or missing,
+ # no schema validation will be executed.
+ config-file-schema-path: /application_configuration_schema.json
+ # Postgres database usage is enabled using the below parameter.
+ # If this is enabled, the application will use postgres database for storage.
+ # This overrides the s3(s3.bucket) or file store(vardata-directory) configuration if enabled.
+ database-enabled: {{ .Values.app.databaseEnabled | default false }}
+ # Location of the component configuration file.
+ filepath: /opt/app/policy-agent/data/application_configuration.json
+ # S3 object store usage is enabled by defining the bucket to use. This will override the vardata-directory parameter.
+ s3:
+ endpointOverride: {{ .Values.app.s3.endpointOverride | default "http://minio-service:9000" }}
+ accessKeyId: {{ .Values.app.s3.accessKeyId | default "minio" }}
+ secretAccessKey: {{ .Values.app.s3.secretAccessKey | default "miniostorage" }}
+ bucket: {{ .Values.app.s3.bucket | default "" }}
+ webclient:
+ # Configuration of usage of HTTP Proxy for the southbound accesses.
+ # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
+ # proxy-type can be either HTTP, SOCKS4 or SOCKS5
+ http.proxy-host:
+ http.proxy-port: 0
+ http.proxy-type: HTTP
+ # Configuration of the trust store used for the HTTP client (outgoing requests)
+ # The file location and the password for the truststore is only relevant if trust-store-used == true
+ # Note that the same keystore as for the server is used.
+ trust-store-used: false
+ trust-store-password: policy_agent
+ trust-store: /opt/app/policy-agent/etc/cert/truststore.jks
+ # path where the service can store data. This parameter is not relevant if S3 Object store is configured.
+ vardata-directory: {{ .Values.app.vardataDirectory | default "/var/policy-management-service" }}
+ # Options for schema validation of the policy and policy status. Options: NONE, INFO, WARN, FAIL
+ validate-policy-instance-schema: NONE
+lifecycle:
+ timeout-per-shutdown-phase: "20s"
logging:
+ config: {{ .Values.app.logging.config }}
+ # Reactive logging filter
+ reactive-entry-exit-filter-enabled: {{ .Values.app.reactiveEntryExitFilterEnabled | default true }}
+ reactive-entry-exit-filter-exclude-paths: {{ .Values.app.reactiveEntryExitFilterExcludePaths | default "" }}
# Configuration of logging
+ file:
+ name: /var/log/policy-agent/application.log
level:
ROOT: ERROR
+ org.onap.ccsdk.oran.a1policymanagementservice: INFO
org.springframework: ERROR
org.springframework.data: ERROR
org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR
- org.onap.ccsdk.oran.a1policymanagementservice: INFO
- file:
- name: /var/log/policy-agent/application.log
+ org.springframework.web.servlet.DispatcherServlet: ERROR
+ pattern:
+ console: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5level] [%thread] %logger{20} - %msg%n"
+ file: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5level] [%thread] %logger{20} - %msg%n"
+management:
+ endpoint:
+ shutdown:
+ enabled: true
+ endpoints:
+ web:
+ exposure:
+ # Enabling of springboot actuator features. See springboot documentation.
+ include: "loggers,logfile,health,info,metrics,threaddump,heapdump,shutdown"
+ tracing:
+ enabled: {{ .Values.global.tracing.enabled | default true }}
+ propagation:
+ produce: [{{ .Values.global.tracing.propagator.produce.type }}]
+ sampling:
+ probability: {{ .Values.global.tracing.sampling.probability | default "1.0" }}
+otel:
+ exporter:
+ otlp:
+ traces:
+ endpoint: {{ .Values.global.tracing.collector.baseUrl | default "http://jaeger:4317" }}
+ protocol: {{ .Values.global.tracing.collector.protocol | default "grpc" }}
+ logs:
+ exporter: none
+ metrics:
+ exporter: none
+ sdk:
+ {{- if not .Values.global.tracing.enabled }}
+ disabled: true
+ south: false
+ instrumentation:
+ spring-webflux:
+ enabled: false
+ {{- else }}
+ disabled: {{ .Values.global.tracing.sdk.disabled | default false }}
+ south: {{ .Values.global.tracing.sdk.south | default true }}
+ instrumentation:
+ spring-webflux:
+ enabled: {{ .Values.global.tracing.north.enabled | default true }}
+ {{- end }}
+ tracing:
+ sampler:
+ jaeger_remote:
+ endpoint: {{ .Values.global.tracing.sampling.baseUrl | default "http://jaeger:14250" }}
server:
# Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
# See springboot documentation.
- #port: 8081
- http-port: 8081
+ port : 8081
+ shutdown: "graceful"
ssl:
enabled: false
- key-store-type: PKCS12
- key-store-password: ""
- key-store: ""
- key-password: ""
- key-alias: ""
-app:
- # Location of the component configuration file. The file will only be used if the Consul database is not used;
- # configuration from the Consul will override the file.
- filepath: /opt/app/policy-agent/data/application_configuration.json
- webclient:
- trust-store-used: false
- trust-store-password: ""
- trust-store: ""
- # Configuration of usage of HTTP Proxy for the southbound accesses.
- # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
- http.proxy-host:
- http.proxy-port: 0
+ # trust-store-password:
+ # trust-store:
+spring:
+ aop:
+ auto: false
+ application:
+ name: a1-pms
+ flyway:
+ # Configuration of the postgres database to be used for database migration.
+ # This is where the flyway maintains the information about the sql files loaded.
+ # These values can be passed via configmap/secret/env variable based on the installation.
+ # By default, Flyway uses location classpath:db/migration to load the sql files.
+ # This can be overridden using "flyway.locations" to have a different location.
+ baseline-on-migrate: true
+ url: "jdbc:postgresql://127.0.0.1:5432/a1pms"
+ user: a1pms
+ password: mypwd
+ main:
+ allow-bean-definition-overriding: true
+ profiles:
+ active: prod
+ r2dbc:
+ # Configuration of the postgres database to be used by the application.
+ # These values can be passed via configmap/secret/env variable based on the installation.
+ url: {{ .Values.app.r2dbc.url | default "r2dbc:postgresql://postgres-service:5432/a1pms" }}
+ username: {{ .Values.app.r2dbc.username | default "a1pms" }}
+ password: {{ .Values.app.r2dbc.password | default "mypwd" }}
+springdoc:
+ show-actuator: true
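Review bot: The S3 and database credentials rendered at lines 44, 171 and 181 end up in plain text in the generated configuration file, with `miniostorage` and `mypwd` as built-in defaults, whereas the controller password elsewhere in this chart is injected from a Secret through `common.secret.envFromSecretFast`; the same mechanism (or `${ENV_NAME}` placeholders resolved by Spring) would keep these out of the ConfigMap and the rendered manifest, and the flyway `password: mypwd` is not even templated, unlike its r2dbc counterpart at line 181. The templated scalars at lines 42–45, 60, 66, 69 and 179–181 are also inserted without `| quote`, so an override containing `: `, ` #`, a leading `*` or a boolean-looking value breaks or retypes the YAML, and an empty `reactiveEntryExitFilterExcludePaths` or an unset `app.logging.config` renders as null rather than a string; `secretAccessKey: {{ .Values.app.s3.secretAccessKey | default "miniostorage" | quote }}` is the shape to apply throughout. Minor style point: `port : 8081` at line 134 carries a space before the colon.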
--- /dev/null
+<!--
+ ~ ============LICENSE_START=======================================================
+ ~ ONAP : ccsdk oran
+ ~ ================================================================================
+ ~ Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
+ ~ ================================================================================
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ ~ ============LICENSE_END=======================================================
+ ~
+-->
+<configuration>
+ <appender name="console" class="ch.qos.logback.core.ConsoleAppender">
+ <encoder>
+ <pattern>
+ %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ} [%thread] %-5level %logger - %msg [facility=%X{facility}, subject=%X{subject}, traceId=%mdc{traceId}] %n%xEx
+ </pattern>
+ </encoder>
+ </appender>
+
+ <root level="${ROOT_LOG_LEVEL:-INFO}">
+ <appender-ref ref="console"/>
+ </root>
+
+ <logger name="/" level="${ROOT_LOG_LEVEL:-INFO}"/>
+</configuration>
\ No newline at end of file
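Review bot: `<logger name="/" level="${ROOT_LOG_LEVEL:-INFO}"/>` near the end of the file appears to be inert: logback logger names are dot-separated class or package names, so a logger literally called `/` is not used by the application and the line only repeats the level already set on the `<root>` element. If the intent was to pin the application's own package (the application.yaml in this change sets `org.onap.ccsdk.oran.a1policymanagementservice: INFO`), the name should be that package; otherwise the line can be dropped. The pattern writes `%msg` and the `facility`/`subject` MDC values verbatim, so if any of them can carry request-derived text, `%replace(%msg){'[\r\n]+', ' '}` (and the same for the MDC fields) keeps one event per line for downstream log parsing. The file also lacks a trailing newline.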
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
- name: A1CONTROLLER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
+ - name: LOGBACK_CONFIG_FILE
+ value: {{ .Values.app.logging.config | quote }}
+{{- if .Values.global.tracing.enabled }}
+ - name: ONAP_PROPAGATOR_PRODUCE
+ value: "[{{ .Values.global.tracing.propagator.produce.type }}]"
+ - name: ONAP_OTEL_EXPORTER_ENDPOINT
+ value: {{ .Values.global.tracing.collector.baseUrl | quote }}
+ - name: ONAP_OTEL_EXPORTER_PROTOCOL
+ value: {{ .Values.global.tracing.collector.protocol | quote }}
+ - name: ONAP_SDK_DISABLED
+ value: {{ .Values.global.tracing.sdk.disabled | quote }}
+ - name: ONAP_TRACING_SOUTHBOUND
+ value: {{ .Values.global.tracing.sdk.south | quote }}
+ - name: ONAP_TRACING_NORTHBOUND
+ value: {{ .Values.global.tracing.north.enabled | quote }}
+ - name: ONAP_OTEL_SAMPLER_JAEGER_REMOTE_ENDPOINT
+ value: {{ .Values.global.tracing.sampling.baseUrl | quote }}
+{{- end }}
volumeMounts:
- mountPath: /config-input
name: {{ include "common.fullname" . }}-policy-conf-input
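Review bot: `LOGBACK_CONFIG_FILE` at line 225 takes `.Values.app.logging.config`, which in this change defaults to the bare filename `logback-plain.xml`, while the file is mounted at the absolute path `/opt/app/policy-agent/logback-plain.xml`; whether the bare name resolves depends on the container's working directory, so defaulting the value to the absolute mount path (or rendering `value: "/opt/app/policy-agent/{{ .Values.app.logging.config }}"`) would be more robust. The same env block is duplicated verbatim at lines 248–265; a named template (`{{- define "a1pms.tracingEnv" }}`) included in both places would keep the two copies from drifting. The surrounding container spec starts and ends outside the hunk.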
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
- name: A1CONTROLLER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
+ - name: LOGBACK_CONFIG_FILE
+ value: {{ .Values.app.logging.config | quote }}
+{{- if .Values.global.tracing.enabled }}
+ - name: ONAP_PROPAGATOR_PRODUCE
+ value: "[{{ .Values.global.tracing.propagator.produce.type }}]"
+ - name: ONAP_OTEL_EXPORTER_ENDPOINT
+ value: {{ .Values.global.tracing.collector.baseUrl | quote }}
+ - name: ONAP_OTEL_EXPORTER_PROTOCOL
+ value: {{ .Values.global.tracing.collector.protocol | quote }}
+ - name: ONAP_SDK_DISABLED
+ value: {{ .Values.global.tracing.sdk.disabled | quote }}
+ - name: ONAP_TRACING_SOUTHBOUND
+ value: {{ .Values.global.tracing.sdk.south | quote }}
+ - name: ONAP_TRACING_NORTHBOUND
+ value: {{ .Values.global.tracing.north.enabled | quote }}
+ - name: ONAP_OTEL_SAMPLER_JAEGER_REMOTE_ENDPOINT
+ value: {{ .Values.global.tracing.sampling.baseUrl | quote }}
+{{- end }}
volumeMounts:
- mountPath: /tmp/scripts
name: {{ include "common.fullname" . }}-envsubst-scripts
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
volumeMounts:
+ - name: config
+ mountPath: /opt/app/policy-agent/logback-plain.xml
+ subPath: logback-plain.xml
- name: config
mountPath: /opt/app/policy-agent/data/application_configuration.json
subPath: application_configuration.json
- name: {{ include "common.fullname" . }}
mountPath: "/var/policy-management-service/database"
resources: {{ include "common.resources" . | nindent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.mainUserId }}
+ runAsGroup: {{ .Values.mainGroupId }}
+ runAsNonRoot: true
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: {{ include "common.fullname" . }}-policy-conf-input
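Review bot: The new `securityContext` at lines 281–284 sets the user and group but no `fsGroup`, so the persistent volume mounted at `/var/policy-management-service/database` (line 279) keeps whatever ownership it already has and may not be writable by the now non-root process; a pod-level `fsGroup: {{ .Values.mainGroupId }}` is the usual fix. The values on this page also introduce `mainGroupId: 101` next to the existing `groupID: 999`, both commented as the image-defined group, so at least one of them looks wrong and should be confirmed against the image. While adding the context, `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"] }` are cheap hardening for a non-root Java service. The enclosing container spec starts outside the hunk.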
global:
nodePortPrefix: 302
persistence: {}
+ tracing:
+ enabled: false
+ propagator:
+ produce:
+ # This can have several options included in a comma separated list W3C,B3,B3_MULTI
+ type: W3C
+ collector:
+ baseUrl: "http://jaeger:4317"
+ protocol: "grpc"
+ sampling:
+ baseUrl: "http://jaeger:14250"
+ probability: "1.0"
+ sdk:
+ south: true
+ disabled: false
+ north:
+ enabled: true
secrets:
- uid: controller-secret
password: '{{ .Values.a1controller.password }}'
passwordPolicy: required
-image: onap/ccsdk-oran-a1policymanagementservice:1.5.0
+image: onap/ccsdk-oran-a1policymanagementservice:2.1.0
userID: 1000 #Should match with image-defined user ID
groupID: 999 #Should match with image-defined group ID
+mainUserId: 1000 #Should match with image-defined user ID
+mainGroupId: 101 #Should match with image-defined group ID
+
pullPolicy: IfNotPresent
replicaCount: 1
nameOverride: a1policymanagement
roles:
- read
+
+app:
+ # False here will result in local file storage
+ databaseEnabled: false
+
+ r2dbc:
+ # The R2DBC URL for the Postgres database.
+ # Example: r2dbc:postgresql://<host>:<port>/<database>
+ url: r2dbc:postgresql://postgres-service:5432/a1pms
+ username: a1pms
+ password: mypwd
+ # Leaving bucket blank will disable S3 object store usage.
+ s3:
+ endpointOverride: http://minio-service:9000
+ accessKeyId: minio
+ secretAccessKey: miniostorage
+ bucket:
+
+ vardataDirectory: /var/policy-management-service
+
+ logging:
+ config: logback-plain.xml
+ reactiveEntryExitFilterEnabled: true
+ reactiveEntryExitFilterExcludePaths: ""
+
+