apiVersion: v2
description: ONAP Policy
name: policy
-version: 15.0.1
+version: 15.0.2
dependencies:
- name: common
version: ~15.x-0
repository: 'file://components/policy-drools-pdp'
condition: policy-drools-pdp.enabled
+ - name: policy-opa-pdp
+ version: ~15.x-0
+ repository: 'file://components/policy-opa-pdp'
+ condition: policy-opa-pdp.enabled
- name: policy-distribution
version: ~15.x-0
repository: 'file://components/policy-distribution'
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy OPA PDP (PDP-O)
+name: policy-opa-pdp
+version: 15.0.0
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+{
+ "logging": {
+ "level": "debug"
+ },
+ "services": [
+ {
+ "name": "opa-bundle-server",
+ "url": "http://policy-opa-pdp:8282/opa/bundles"
+ }
+ ],
+ "bundles": {
+ "opabundle": {
+ "service": "opa-bundle-server",
+ "resource": "bundle.tar.gz",
+ "polling": {
+ "min_delay_seconds": 60,
+ "max_delay_seconds": 120
+ }
+ }
+ },
+ "decision_logs": {
+ "console": true
+ }
+}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap-config
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+data:
+{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap-policies-data
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+{{- with .Files.Glob "resources/policies/*" }}
+binaryData:
+{{- range $path, $bytes := . }}
+ {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
+{{- end }}
+{{- end }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
+ initContainers:
+ - command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ echo "*** set right permissions to the different folders"
+ chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log;
+ chmod -R 755 /var/log
+ chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/;
+ chmod -R 755 /opt/*
+ tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
+ image: {{ include "repositoryGenerator.image.busybox" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+ name: {{ include "common.name" . }}-readiness
+ volumeMounts:
+ - name: logs
+ mountPath: /var/log
+ - name: tmp-policies-data
+ mountPath: /tmp/policies
+ - name : opa-policies-data
+ mountPath: /opt/
+
+ containers:
+ - name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ env:
+ - name: UseSASLForKAFKA
+ value: "{{ .Values.kafka.useSASL }}"
+ - name: KAFKA_URL
+ value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+ - name: GROUPID
+ value: "{{ .Values.kafka.groupid }}"
+ - name: LOG_LEVEL
+ value: "{{ .Values.log.loglevel }}"
+ - name: PAP_TOPIC
+ value: "{{ .Values.kafka.topic }}"
+ - name: API_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }}
+ - name: API_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }}
+ - name: RESTSERVER_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
+ - name: RESTSERVER_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
+ - name: JAASLOGIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+
+ - name: opa-policies-data
+ mountPath: /opt
+ - name: opa-config
+ mountPath: /app/config
+ - name: opa-bundles
+ mountPath: /app/bundles
+ - name: logs
+ mountPath: /var/log
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: tmp-policies-data
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap-policies-data
+ defaultMode: 0755
+ - name: opa-policies-data
+ persistentVolumeClaim:
+ claimName: {{ include "common.fullname" . }}-policies-data
+ - name: opa-config
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap-config
+ defaultMode: 0755
+ - name: opa-bundles
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }}
+ - name: logs
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+{{ include "common.kafkauser" . }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "common.fullname" . }}-policies-data
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.logsSize }}
+ storageClassName: {{ include "common.storageClass" . }}
+ volumeMode: Filesystem
+
+{{- end }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.secretFast" . }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
--- /dev/null
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (c) 2024 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{- if .Values.global.prometheusEnabled }}
+{{ include "common.serviceMonitor" . }}
+{{- end }}
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ persistence: {}
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: api-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}'
+ login: '{{ .Values.apiServer.user }}'
+ password: '{{ .Values.apiServer.password }}'
+ passwordPolicy: required
+ - uid: restserver-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+ login: '{{ .Values.restServer.user }}'
+ password: '{{ .Values.restServer.password }}'
+ passwordPolicy: required
+
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+image: onap/policy-opa-pdp:1.0.0
+pullPolicy: Always
+
+componentName: &componentName policy-opa-pdp
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+log:
+ loglevel: "debug"
+
+
+# application configuration
+
+permissions:
+ uid: 100
+ gid: 102
+
+restServer:
+ user: healthcheck
+ password: zb!XztG34
+
+apiServer:
+ user: policyadmin
+ password: zb!XztG34
+
+config:
+ # Event consumption (kafka) properties
+ kafka:
+ consumer:
+ groupId: policy-opa-pdp
+ app:
+ listener:
+ policyPdpPapTopic: policy-pdp-pap
+
+securityContext:
+ user_id: 0
+ group_id : 0
+ runAsNonRoot: false
+
+
+containerSecurityContext:
+ enabled: true
+ privileged: false
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+
+
+kafka:
+ groupid: "policy-opa-pdp"
+ topic: "policy-pdp-pap"
+ useSASL: "true"
+ brokers: "onap-strimzi-kafka-bootstrap.onap:9092"
+
+persistence:
+ enabled: true
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteMany
+ logsSize: 1Gi
+ mountPath: /dockerdata-nfs
+ mountSubPath: policy/opapdp
+ storageClass: "cinder-os"
+ enableDefaultStorageclass: false
+ parameters: {}
+ storageclassProvisioner: cinder-os
+
+
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 20
+ periodSeconds: 10
+
+service:
+ type: ClusterIP
+ name: *componentName
+ internalPort: 8282
+ ports:
+ - name: http
+ port: 8282
+
+ingress:
+ enabled: false
+
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-datafile-collector-read
+ - serviceAccount: dcae-datalake-admin-ui-read
+ - serviceAccount: dcae-datalake-des-read
+ - serviceAccount: dcae-datalake-feeder-read
+ - serviceAccount: dcae-heartbeat-read
+ - serviceAccount: dcae-hv-ves-collector-read
+ - serviceAccount: dcae-kpi-ms-read
+ - serviceAccount: dcae-pm-mapper-read
+ - serviceAccount: dcae-pmsh-read
+ - serviceAccount: dcae-prh-read
+ - serviceAccount: dcae-restconf-collector-read
+ - serviceAccount: dcae-slice-analysis-ms-read
+ - serviceAccount: dcae-snmptrap-collector-read
+ - serviceAccount: dcae-son-handler-read
+ - serviceAccount: dcae-tcagen2-read
+ - serviceAccount: dcae-ves-collector-read
+ - serviceAccount: dcae-ves-mapper-read
+ - serviceAccount: dcae-ves-openapi-manager-read
+ - serviceAccount: strimzi-kafka-read
+ - serviceAccount: oof-read
+ - serviceAccount: sdnc-read
+
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: "1"
+ memory: "1Gi"
+ requests:
+ cpu: "0.5"
+ memory: "1Gi"
+ large:
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ requests:
+ cpu: "1"
+ memory: "2Gi"
+ unlimited: {}
+
+
+dirSizes:
+ emptyDir:
+ sizeLimit: 1Gi
+ logDir:
+ sizeLimit: 500Mi
+ policyDir:
+ sizeLimit: 100Mi
+ bundleDir:
+ sizeLimit: 5Gi
+
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: *componentName
+ roles:
+ - read
+
+metrics:
+ serviceMonitor:
+ # Override the labels based on the Prometheus config parameter: serviceMonitorSelector.
+ # The default operator for prometheus enforces the below label.
+ labels:
+ app: '{{ include "common.name" . }}'
+ helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+ app.kubernetes.io/instance: '{{ include "common.release" . }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ version: '{{ .Chart.Version | replace "+" "_" }}'
+ release: prometheus
+ enabled: true
+ port: policy-opa-pdp
+ interval: 60s
+ isHttps: false
+ basicAuth:
+ enabled: true
+ externalSecretNameSuffix: policy-opa-pdp-restserver-creds
+ externalSecretUserKey: login
+ externalSecretPasswordKey: password
+ selector:
+ app: '{{ include "common.name" . }}'
+ chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+ release: '{{ include "common.release" . }}'
+ heritage: '{{ .Release.Service }}'
+
+config:
+ # Event consumption (kafka) properties
+ kafka:
+ consumer:
+ groupId: policy-opa-pdp
+ app:
+ listener:
+ policyPdpPapTopic: policy-pdp-pap
+
+# Strimzi Kafka config
+kafkaUser:
+ authenticationType: scram-sha-512
+ acls:
+ - name: policy-opa-pdp
+ type: group
+ operations: [ Create, Describe, Read, Write ]
+ - name: policy-pdp-pap
+ type: topic
+ patternType: prefix
+ operations: [ Create, Describe, Read, Write ]
db: *dbSecretsHook
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
+policy-opa-pdp:
+ enabled: true
+ config:
+ jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-distribution:
enabled: true
db: *dbSecretsHook
Code Review / oom.git / commitdiff