# Modifications Copyright © 2018, 2020 AT&T
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021-2025 Nordix Foundation
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: ONAP Policy
name: policy
-version: 16.0.2
+version: 16.0.8
dependencies:
- name: common
- name: serviceAccount
version: ~13.x-0
repository: '@local'
- - name: readinessCheck
- version: ~13.x-0
- repository: '@local'
- name: postgres
version: ~13.x-0
repository: '@local'
apiVersion: v2
description: ONAP Policy Design API
name: policy-api
-version: 16.0.1
+version: 16.0.3
dependencies:
- name: common
- name: serviceAccount
version: ~13.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
# ============LICENSE_START=======================================================
# Copyright (C) 2022 Bell Canada. All rights reserved.
# Modifications Copyright (C) 2022 AT&T Intellectual Property.
-# Modification (C) 2023 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023,2025 Deutsche Telekom. All rights reserved.
# Modifications Copyright © 2024-2025 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
password: "${RESTSERVER_PASSWORD}"
mvc.converters.preferred-json-mapper: gson
datasource:
- url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin
+ url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin
driverClassName: org.postgresql.Driver
username: "${SQL_USER}"
password: "${SQL_PASSWORD}"
# Copyright (C) 2018 Ericsson. All rights reserved.
# Modifications Copyright (C) 2020 Nordix Foundation.
# Modified Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# Modification (C) 2025 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- end }}
data:
{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-db-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels: {{- include "common.labels" . | nindent 4 }}
+data:
+{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }}
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2025 Nordix Foundation.
+# Modification (C) 2025 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
{{ include "common.podSecurityContext" . | indent 6 | trim }}
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
initContainers:
- - command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.release" . }}-policy-pg-migrator-config
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
+ {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }}
+ - name: {{ include "common.name" . }}-pg-config
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
- name: {{ include "common.name" . }}-readiness
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ /docker-entrypoint-initdb.d/db-pg.sh
+ env:
+ - name: PG_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ {{- if eq .Values.global.postgres.localCluster true }}
+ name: '{{ include "common.release" . }}-policy-db-root-password'
+ {{- else }}
+ name: '{{ .Values.global.postgres.userRootSecret }}'
+ {{- end }}
+ key: password
+ - name: PG_HOST
+ value: "{{ .Values.global.postgres.service.name2 }}"
+ - name: PG_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+ - name: PG_USER_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ - name: PG_PORT
+ value: "{{ .Values.global.postgres.service.port }}"
resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
requests:
- cpu: "3m"
- memory: "20Mi"
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 300m
+ memory: 128Mi
+ volumeMounts:
+ - mountPath: /docker-entrypoint-initdb.d/db-pg.sh
+ name: {{ include "common.fullname" . }}-config
+ subPath: db-pg.sh
+ - name: {{ include "common.name" . }}-pg-db-migrator
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ volumeMounts:
+ - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh
+ name: {{ include "common.fullname" . }}-config
+ subPath: db_migrator_pg_policy_init.sh
+ - mountPath: /opt/app/policy/etc/db/
+ name: {{ include "common.fullname" . }}-migration-writable
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ /dbcmd-config/db_migrator_pg_policy_init.sh
+ env:
+ - name: SQL_HOST
+ value: "{{ .Values.global.postgres.service.name2 }}"
+ - name: SQL_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+ - name: SQL_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ - name: SQL_DB
+ value: {{ .Values.dbmigrator.schemas }}
+ - name: POLICY_HOME
+ value: {{ .Values.dbmigrator.policy_home }}
+ - name: SCRIPT_DIRECTORY
+ value: "postgres"
+ - name: PGPASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+ resources: {{ include "common.resources" . | nindent 12 }}
- command:
- sh
args:
- "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done"
env:
- name: SQL_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
- name: SQL_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
- name: RESTSERVER_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 12 }}
- name: RESTSERVER_PASSWORD
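Review bot: The new `-pg-config` init container injects `PG_ADMIN_PASSWORD` from the database root-password secret into every policy-api pod, and does so on every pod start, where the deleted `-pg-init` Job used it once per install. That widens where the highest-privilege database credential is exposed. It also means `db-pg.sh` and the migrator re-run on each restart or scale-out, so both scripts must be idempotent and safe when two replicas start together; the scripts are not in this diff, so this needs confirming. If the init-container design stays, consider `- -c` instead of `- -cx` in both new containers, so shell tracing cannot put credential-bearing lines into pod logs if the wrapper command grows. Quoting the two bare env values, e.g. `value: {{ .Values.dbmigrator.schemas | quote }}`, would match the neighbouring `PG_HOST`/`PG_PORT` entries. The `initContainers` list continues past the end of this hunk.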
name: apiconfig
- mountPath: /config
name: apiconfig-processed
+ name: {{ include "common.name" . }}-update-config
image: {{ include "repositoryGenerator.image.envsubst" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
- name: {{ include "common.name" . }}-update-config
containers:
- name: {{ include "common.name" . }}
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
- {{ end -}}
+ {{- end }}
readinessProbe:
httpGet:
path: {{ .Values.readiness.api }}
- name: logs
emptyDir:
sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- {{- include "common.imagePullSecrets" . | nindent 6 }}
+ - name: {{ include "common.fullname" . }}-migration-writable
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.migration.sizeLimit }}
+ - name: {{ include "common.fullname" . }}-config
+ configMap:
+ name: {{ include "common.fullname" . }}-db-configmap
+ defaultMode: 0755
+ items:
+ - key: db-pg.sh
+ path: db-pg.sh
+ - key: db_migrator_pg_policy_init.sh
+ path: db_migrator_pg_policy_init.sh
# ============LICENSE_START=======================================================
# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright (C) 2022 Bell Canada. All rights reserved.
-# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved.
+# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved.
# Modifications Copyright © 2024-2025 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
global:
nodePortPrefix: 304
persistence: {}
+ postgres:
+ service:
+ name: policy-postgres
+ name2: policy-pg-primary
+ name3: policy-pg-replica
+ port: 5432
#################################################################
# Secrets metaconfig
#################################################################
secrets:
- - uid: db-creds
+ - uid: db-secret
type: basicAuth
externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}'
login: '{{ .Values.db.user }}'
password: '{{ .Values.restServer.password }}'
passwordPolicy: required
+#################################################################
+# DB configuration defaults.
+#################################################################
+
+dbmigrator:
+ image: onap/policy-db-migrator:4.1.0
+ schemas: "policyadmin clampacm pooling operationshistory"
+ policy_home: "/opt/app/policy"
+
+postgresImage: library/postgres:17.2
+
#################################################################
# Application configuration defaults.
#################################################################
db:
user: policy-user
password: policy_user
- service:
- pgName: policy-pg-primary
- internalPgPort: 5432
+
+readinessCheck:
+ wait_for:
+ services:
+ - '{{ .Values.global.postgres.service.name2 }}'
restServer:
user: policyadmin
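Review bot: `postgresImage: library/postgres:17.2` and `dbmigrator.image: onap/policy-db-migrator:4.1.0` are referenced by mutable tag, and after this change both run inside every policy-api pod with database credentials in their environment. Pinning them by digest, e.g. `postgresImage: library/postgres:17.2@sha256:<digest>`, would keep a re-pushed tag from changing what executes with the admin password. Separately, `readinessCheck.wait_for.services` holds the template string `'{{ .Values.global.postgres.service.name2 }}'`, which only resolves if `common.readinessCheck.waitFor` passes the list through `tpl`; that helper is outside this diff, so confirm it against the rendered manifest. `dbReadiness.retryCount`, added further down in this file, is not referenced by any template shown here.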
sizeLimit: 1Gi
logDir:
sizeLimit: 500Mi
+ migration:
+ sizeLimit: 1Gi
+
+dbReadiness:
+ retryCount: 3
#Pods Service Account
serviceAccount:
# Copyright (C) 2021, 2025 Nordix Foundation. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021-2024 Nordix Foundation
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: ONAP Policy Clamp Controlloop Runtime
name: policy-clamp-runtime-acm
-version: 16.0.0
+version: 16.0.2
dependencies:
- name: common
- name: serviceAccount
version: ~13.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
converters:
preferred-json-mapper: gson
datasource:
- url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/clampacm
+ url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/clampacm
driverClassName: org.postgresql.Driver
username: ${SQL_USER}
password: ${SQL_PASSWORD}
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spec:
{{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- - command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.release" . }}-policy-pg-migrator-config
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- name: {{ include "common.name" . }}-db-config-readiness
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
- command:
- sh
args:
# ============LICENSE_START=======================================================
# Copyright (C) 2021-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
global:
nodePortPrefixExt: 304
persistence: {}
+ postgres:
+ service:
+ name: policy-postgres
+ name2: policy-pg-primary
+ name3: policy-pg-replica
+ port: 5432
#Strimzi Kafka properties
kafkaTopics:
acRuntimeOperationTopic:
db:
user: policy-user
password: policy_user
- service:
- pgName: policy-pg-primary
- pgPort: 5432
# default number of instances
replicaCount: 1
roles:
- read
-wait_for_job_container:
- containers:
- - '{{ include "common.release" . }}-galera-migrator-config'
+readinessCheck:
+ wait_for:
+ services:
+ - policy-api
customNaming:
toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement
# Modifications Copyright © 2018, 2020 AT&T Intellectual Property
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024-2025 Nordix Foundation
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: ONAP Drools Policy Engine (PDP-D)
name: policy-drools-pdp
-version: 16.0.1
+version: 16.0.3
dependencies:
- name: common
- name: serviceAccount
version: ~13.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
# Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property.
# Modifications Copyright (C) 2021 Bell Canada. All rights reserved.
# Modifications Copyright (C) 2024-2025 Nordix Foundation.
+# Modifications Copyright (C) 2025 Deutsche Telekom. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Relational (SQL) DB access
-SQL_HOST={{ .Values.db.pgName }}
-SQL_PORT={{ .Values.db.pgPort }}
-JDBC_URL=jdbc:postgresql://{{ .Values.db.pgName }}:{{ .Values.db.pgPort }}/
+SQL_HOST={{ .Values.global.postgres.service.name2 }}
+SQL_PORT={{ .Values.global.postgres.service.port }}
+JDBC_URL=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/
JDBC_OPTS=
JDBC_DRIVER=org.postgresql.Driver
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property
# Modifications Copyright (C) 2024-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spec:
{{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- - command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.release" . }}-policy-pg-migrator-config
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- name: {{ include "common.name" . }}-db-readiness
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
{{- if not .Values.nexus.offline }}
- command:
- /app/ready.py
# Copyright © 2017, 2021 Bell Canada
# Modifications Copyright © 2018-2022 AT&T Intellectual Property
# Modifications Copyright (C) 2024-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
global:
nodePortPrefix: 302
+ postgres:
+ service:
+ name: policy-postgres
+ name2: policy-pg-primary
+ name3: policy-pg-replica
+ port: 5432
#################################################################
# Secrets metaconfig
offline: true
db:
- pgName: policy-pg-primary
- pgPort: 5432
password: policy_user
pap:
type: topic
patternType: prefix
operations: [ Create, Describe, Read, Write ]
+
+readinessCheck:
+ wait_for:
+ services:
+ - policy-api
apiVersion: v2
description: ONAP Policy OPA PDP (PDP-O)
name: policy-opa-pdp
-version: 16.0.0
+version: 16.0.1
dependencies:
- name: common
labels: {{- include "common.labels" . | nindent 4 }}
data:
{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
-
- name: opa-bundles
mountPath: /app/bundles
- name: logs
- mountPath: /var/log
+ mountPath: /var/logs
resources: {{ include "common.resources" . | nindent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
policyPdpPapTopic: policy-pdp-pap
securityContext:
- fsGroup: 1000
user_id: 1000
group_id : 1000
- runAsNonRoot: true
- runAsUser: 1000
-
-
-containerSecurityContext:
- runAsGroup: 1000
- runAsUser: 1000
- runAsNonRoot: true
- readOnlyRootFilesystem: false
- allowPrivilegeEscalation: true
kafka:
groupid: "policy-opa-pdp"
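Review bot: With `containerSecurityContext` and the `fsGroup`/`runAsNonRoot`/`runAsUser` keys deleted, the only hardening input left in this values file is `user_id`/`group_id`, so the effective security context now depends entirely on the defaults of `common.podSecurityContext` and `common.containerSecurityContext`. Removing `allowPrivilegeEscalation: true` is an improvement only if the common helper then emits `allowPrivilegeEscalation: false` and `runAsNonRoot: true`. That helper is not part of this diff, so rendering the policy-opa-pdp chart with `helm template` and checking the resulting `securityContext` blocks is worth doing before merge. As a style point, `group_id : 1000` has a stray space before the colon; `group_id: 1000` would match the line above it.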
parameters: {}
storageclassProvisioner: cinder-os
-
-
# default number of instances
replicaCount: 1
memory: "2Gi"
unlimited: {}
-
dirSizes:
emptyDir:
sizeLimit: 1Gi
# Modified Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024-2025 Nordix Foundation
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: ONAP Policy Administration (PAP)
name: policy-pap
-version: 16.0.1
+version: 16.0.3
dependencies:
- name: common
- name: serviceAccount
version: ~13.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
converters:
preferred-json-mapper: gson
datasource:
- url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin
+ url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin
driverClassName: org.postgresql.Driver
username: "${SQL_USER}"
password: "${SQL_PASSWORD}"
# Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright (C) 2022 Bell Canada. All rights reserved.
# Modifications Copyright (C) 2024-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spec:
{{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- - command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.release" . }}-policy-pg-migrator-config
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- name: {{ include "common.name" . }}-db-readiness
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
- command:
- sh
args:
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: localtime
- hostPath:
- path: /etc/localtime
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
- name: empty-dir
emptyDir:
sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
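Review bot: Replacing the `hostPath` behind the `localtime` volume with an `emptyDir` removes the host mount, but the volume keeps its name. Any existing `volumeMounts` entry that maps `localtime` onto `/etc/localtime` (not visible in this hunk) would therefore now put an empty directory over that path instead of the zone file. If the container no longer needs the host's time zone, deleting both the volume and its mount is cleaner than keeping an empty placeholder that also carries `dirSizes.emptyDir.sizeLimit`. The same substitution is made in the policy-xacml-pdp deployment further down, so the same check applies there.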
# Modifications Copyright (C) 2019-2021 AT&T Intellectual Property.
# Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved.
# Modifications Copyright © 2022-2025 Nordix Foundation
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
global:
nodePortPrefixExt: 304
persistence: {}
+ postgres:
+ service:
+ name: policy-postgres
+ name2: policy-pg-primary
+ name3: policy-pg-replica
+ port: 5432
#################################################################
# Secrets metaconfig
db:
user: policy-user
password: policy_user
- service:
- pgName: policy-pg-primary
- internalPgPort: 5432
restServer:
user: policyadmin
type: topic
patternType: prefix
operations: [Create, Describe, Read, Write]
+
+readinessCheck:
+ wait_for:
+ services:
+ - policy-api
# Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021, 2024-2025 Nordix Foundation
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: ONAP Policy XACML PDP (PDP-X)
name: policy-xacml-pdp
-version: 16.0.1
+version: 16.0.3
dependencies:
- name: common
- name: serviceAccount
version: ~13.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~13.x-0
+ repository: '@local'
{{/*
# ============LICENSE_START=======================================================
# Copyright (C) 2024-2025 Nordix Foundation. All rights reserved.
+# Modifications (C) 2025 Deutsche Telekom. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#
eclipselink.target-database=PostgreSQL
jakarta.persistence.jdbc.driver=org.postgresql.Driver
-jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.pgPort }}/operationhistory
+jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/operationshistory
jakarta.persistence.jdbc.user=${SQL_USER}
jakarta.persistence.jdbc.password=${SQL_PASSWORD}
# ============LICENSE_START=======================================================
# Copyright (C) 2020 AT&T Intellectual Property.
# Modifications Copyright (C) 2024-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
spec:
{{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers:
- - command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.release" . }}-policy-pg-migrator-config
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- name: {{ include "common.name" . }}-readiness
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
+ {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
- command:
- sh
args:
emptyDir:
sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
- name: localtime
- hostPath:
- path: /etc/localtime
+ emptyDir:
+ sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }}
- name: pdpxconfig
configMap:
name: {{ include "common.fullname" . }}-configmap
# ============LICENSE_START=======================================================
# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved.
# Modifications Copyright (C) 2024-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#################################################################
global:
persistence: {}
+ postgres:
+ service:
+ name: policy-postgres
+ name2: policy-pg-primary
+ name3: policy-pg-replica
+ port: 5432
#################################################################
# Secrets metaconfig
db:
user: policy-user
password: policy_user
- service:
- pgName: policy-pg-primary
- pgPort: 5432
restServer:
user: healthcheck
type: topic
patternType: prefix
operations: [ Create, Describe, Read, Write ]
+
+readinessCheck:
+ wait_for:
+ services:
+ - policy-api
+++ /dev/null
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018, 2020 AT&T Intellectual Property
-# Modifications Copyright (C) 2021-2022 Nordix Foundation.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-db-configmap
- namespace: {{ include "common.namespace" . }}
- labels: {{- include "common.labels" . | nindent 4 }}
-data:
-{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }}
+++ /dev/null
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada
-# Modifications Copyright © 2020 AT&T Intellectual Property
-# Modifications Copyright (C) 2022-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.fullname" . }}-pg-init
- namespace: {{ include "common.namespace" . }}
- labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "pg-init") | nindent 4 }}
- {{- if .Values.jobAnnotations }}
- annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- template:
- metadata:
- labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "pg-init") | nindent 8 }}
- name: {{ include "common.name" . }}-pg-init
- spec:
- {{ include "common.podSecurityContext" . | indent 6 | trim }}
- {{- include "common.imagePullSecrets" . | nindent 6 }}
- initContainers:
- {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }}
- containers:
- - name: {{ include "common.name" . }}-pg-config
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- volumeMounts:
- - mountPath: /docker-entrypoint-initdb.d/db-pg.sh
- name: {{ include "common.fullname" . }}-config
- subPath: db-pg.sh
- command:
- - /bin/sh
- - -cx
- - |
- {{- if include "common.requireSidecarKiller" . }}
- echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
- /docker-entrypoint-initdb.d/db-pg.sh
- env:
- - name: PG_ADMIN_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }}
- - name: PG_HOST
- value: "{{ .Values.postgres.service.name2 }}"
- - name: PG_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
- - name: PG_USER_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
- - name: PG_PORT
- value: "{{ .Values.postgres.service.internalPort }}"
- resources: {{ include "common.resources" . | nindent 10 }}
- {{- if (include "common.requireSidecarKiller" .) }}
- - name: policy-service-mesh-wait-for-job-container
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- image: {{ include "repositoryGenerator.image.quitQuit" . }}
- imagePullPolicy: Always
- command:
- - /bin/sh
- - "-c"
- args:
- - echo "waiting 10s for istio side cars to be up"; sleep 10s;
- /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-config -t 45;
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- {{ include "common.containerSecurityContext" . | indent 8 | trim }}
- resources:
- limits:
- cpu: 100m
- memory: 500Mi
- requests:
- cpu: 10m
- memory: 10Mi
- {{- end }}
- restartPolicy: Never
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
- - name: {{ include "common.fullname" . }}-config
- configMap:
- name: {{ include "common.fullname" . }}-db-configmap
- defaultMode: 0755
- items:
- - key: db-pg.sh
- path: db-pg.sh
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.fullname" . }}-pg-migrator-config
- namespace: {{ include "common.namespace" . }}
- labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "pg-migrator-config") | nindent 4 }}
- {{- if .Values.jobAnnotations }}
- annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- template:
- metadata:
- labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "pg-migrator-config") | nindent 8 }}
- name: {{ include "common.name" . }}-pg-migrator-config
- spec:
- {{ include "common.podSecurityContext" . | indent 6 | trim }}
- {{- include "common.imagePullSecrets" . | nindent 6 }}
- initContainers:
- - name: {{ include "common.name" . }}-init-readiness
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 10 | trim }}
- command:
- - /app/ready.py
- args:
- - --job-name
- - {{ include "common.fullname" . }}-pg-init
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "3m"
- memory: "20Mi"
- containers:
- - name: {{ include "common.name" . }}-pg-db-migrator
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- {{ include "common.containerSecurityContext" . | indent 10 | trim }}
- volumeMounts:
- - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh
- name: {{ include "common.fullname" . }}-config
- subPath: db_migrator_pg_policy_init.sh
- - mountPath: /opt/app/policy/etc/db/
- name: {{ include "common.fullname" . }}-migration-writable
- command:
- - /bin/sh
- - -cx
- - |
- {{- if include "common.requireSidecarKiller" . }}
- echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
- /dbcmd-config/db_migrator_pg_policy_init.sh
- env:
- - name: SQL_HOST
- value: "{{ .Values.postgres.service.name2 }}"
- - name: SQL_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
- - name: SQL_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
- - name: SQL_DB
- value: {{ .Values.dbmigrator.schemas }}
- - name: POLICY_HOME
- value: {{ .Values.dbmigrator.policy_home }}
- - name: SCRIPT_DIRECTORY
- value: "postgres"
- - name: PGPASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
- resources: {{ include "common.resources" . | nindent 12 }}
- {{- if (include "common.requireSidecarKiller" .) }}
- - name: policy-service-mesh-wait-for-job-container
- image: {{ include "repositoryGenerator.image.quitQuit" . }}
- imagePullPolicy: Always
- {{ include "common.containerSecurityContext" . | indent 10 | trim }}
- command:
- - /bin/sh
- - "-c"
- args:
- - echo "waiting 10s for istio side cars to be up"; sleep 10s;
- /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45;
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- {{- end }}
- restartPolicy: Never
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
- - name: {{ include "common.fullname" . }}-migration-writable
- emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
- configMap:
- name: {{ include "common.fullname" . }}-db-configmap
- defaultMode: 0755
- items:
- - key: db_migrator_pg_policy_init.sh
- path: db_migrator_pg_policy_init.sh
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
# Modifications Copyright (C) 2021-2025 Nordix Foundation.
-# Modifications Copyright © 2024 Deutsche Telekom
+# Modifications Copyright © 2024-2025 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# flag to enable the DB creation via pgo-operator
useOperator: false
service:
- name: pgset
- name2: tcp-pgset-primary
- name3: tcp-pgset-replica
- container:
- name: postgres
- nameOverride: "policy-postgres"
+ name: &postgresName policy-postgres
+ name2: &postgresName2 policy-pg-primary
+ name3: &postgresName3 policy-pg-replica
+ port: &postgresPort 5432
+ nameOverride: *postgresName
# (optional) if localCluster=false and an external secret is used set this variable
#userRootSecret: <secretName>
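Review bot: The anchor `&postgresName` ends up declared twice: on the added `name: &postgresName policy-postgres` line in this hunk and on the unchanged `nameOverride: &postgresName policy-postgres` line under `postgres:` in a later hunk. Parsers accept the redefinition and bind each alias to the nearest preceding definition, so the two literals can drift apart without any error; keep one definition and turn the later line into `nameOverride: *postgresName`. The new aliases are also expanded when this file is parsed, so an override file that changes only the anchored keys (presumably `global.postgres.service.*`; the nesting is not visible in this view) leaves `postgres.service.name2` and `internalPort` at their old values, and the JDBC URL can then point at a different host or port than the database service. A comment above the anchors would help: `# aliases resolve at parse time; override the global.postgres.service.* and postgres.service.* keys together`.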
kafkaBootstrap: strimzi-kafka-bootstrap:9092
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
-#################################################################
-# DB configuration defaults.
-#################################################################
-
-dbmigrator:
- image: onap/policy-db-migrator:4.1.0
- schemas: "policyadmin clampacm pooling operationshistory"
- policy_home: "/opt/app/policy"
-
subChartsOnly:
enabled: true
groupId: policy-group
someConfig: blah
-postgresImage: library/postgres:17.2
# application configuration override for postgres
postgres:
nameOverride: &postgresName policy-postgres
service:
name: *postgresName
- name2: policy-pg-primary
- name3: policy-pg-replica
- internalPort: 5432
+ name2: *postgresName2
+ name3: *postgresName3
+ internalPort: *postgresPort
container:
name:
- primary: policy-pg-primary
- replica: policy-pg-replica
+ primary: *postgresName2
+ replica: *postgresName3
persistence:
mountSubPath: policy/postgres/data
mountInitPath: policy
pgUserExternalSecret: *dbSecretName
pgRootPasswordExternalSecret: *dbRootPassSecretName
-readinessCheck:
- wait_for_postgres:
- services:
- - '{{ .Values.global.postgres.service.name2 }}'
-
restServer:
policyPapUserName: policyadmin
policyPapUserPassword: zb!XztG34
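Review bot: The unchanged context line `policyPapUserPassword: zb!XztG34` keeps a fixed credential as a chart default, and this change leaves it in place. Every installation that does not override it shares the same REST password, and the value is readable by anyone with access to the repository or the rendered values. The neighbouring `pgUserExternalSecret` and `pgRootPasswordExternalSecret` keys show the chart already takes database credentials from external secrets; the same pattern would fit here, though how `restServer` is consumed is not visible in this hunk. At minimum add a comment above the key, `# lab default only; supply this value from an external secret in any shared deployment`.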
nameOverride: policy
roles:
- read
-
-# Annotations to control the execution and deletion of the job
-# Can be used to delete a job before an Upgrade
-#
-# jobAnnotations:
-# # In case of an ArgoCD deployment this Hook deletes the job before syncing
-# argocd.argoproj.io/hook: Sync
-# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
-#
-# # In case of an Helm/Flux deployment this Hook deletes the job
-# # This is what defines this resource as a hook. Without this line, the
-# # job is considered part of the release.
-# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install"
-# "helm.sh/hook-delete-policy": "before-hook-creation"
-# "helm.sh/hook-weight": "1"