From: Andreas Geissler Date: Fri, 5 May 2023 08:46:04 +0000 (+0000) Subject: Merge "[CPS] Parameterize topics in application" X-Git-Tag: 12.0.0~36 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=1a76edf1159156d832e62c268b54fd727f82057f;hp=6fc407db4f8cf62fcf6ce2fba332cdb9a8762bf2;p=oom.git Merge "[CPS] Parameterize topics in application" --- diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index a9ffd70f96..db276d546c 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -356,7 +356,7 @@ spec: {{ toYaml $dot.Values.ingress.tls | indent 4 }} {{- end -}} {{- if $dot.Values.ingress.config -}} -{{- if $dot.Values.ingress.config.tls -}} +{{- if $dot.Values.ingress.config.tls }} tls: - hosts: {{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index 3ba945ee8b..a3d269e4f2 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -95,7 +95,7 @@ true spec: selector: matchLabels: - app.kubernetes.io/name: ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service") + app: ("app" corresponds to a key defined in "common.labels", which is included in "common.service") If common.useAuthorizationPolicies returns false: Will not create an authorization policy @@ -115,7 +115,7 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ include "common.servicename" . }} + app: {{ include "common.servicename" . }} action: ALLOW rules: {{- if $authorizedPrincipals }} diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml index 8f28dcaa25..9b1381fa8b 100644 
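Review bot: The `matchLabels` selector in the `@@ -115,7 +115,7 @@` hunk of `_serviceMesh.tpl` now keys on `app: {{ include "common.servicename" . }}`, and nothing here checks that the pods of an including chart actually carry that label with that value. `common.labels` is not part of this diff, so this cannot be confirmed from the visible lines. An AuthorizationPolicy whose selector matches no workload is not applied, so a mismatch would silently leave the service without this ALLOW rule, and its traffic would then follow whatever mesh-wide default exists. I would add a comment above the selector, for example `# must equal the pod label emitted by common.labels; a non-matching selector means this policy is not enforced`, and check the rendered output of one chart that enables authorization policies. The template continues outside the hunk.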
--- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE PM-Mapper Helm charts name: dcae-pm-mapper version: 12.0.0 diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index f3a7ae3977..0c90e3ae87 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Nordix Foundation. # Copyright (c) 2022 Nokia. All rights reserved. # Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ========================================================================= # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -46,7 +47,7 @@ secrets: # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pm-mapper:1.9.0 +image: onap/org.onap.dcaegen2.services.pm-mapper:1.10.1 pullPolicy: Always # Log directory where logging sidecar should look for log files 
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index da48074303..9a274153f2 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -35,7 +35,7 @@ filebeatConfig: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.8.1 +image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.9.0 pullPolicy: Always # log directory where logging sidecar should look for log files diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml index 1e234242ee..58631e1452 100644 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml @@ -41,11 +41,11 @@ secrets: # Application configuration defaults. ################################################################# # application images -image: onap/dmaap/dmaap-bc:2.0.11 +image: onap/dmaap/dmaap-bc:2.0.12 pullPolicy: Always #DMaaP Bus Controller client image for provisioning at deploy time -dbcClientImage: onap/dmaap/dbc-client:2.0.11 +dbcClientImage: onap/dmaap/dbc-client:2.0.12 # application configuration dmaapMessageRouterService: &mr_name message-router diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index d2f59455bb..00576d2326 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml @@ -23,7 +23,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-node:2.1.12 +image: onap/dmaap/datarouter-node:2.1.13 pullPolicy: Always # default number of instances 
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 6af498d548..2e1a5b9b3f 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -38,7 +38,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-prov:2.1.12 +image: onap/dmaap/datarouter-prov:2.1.13 pullPolicy: Always # default number of instances diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index c68a91c689..b44991bb19 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml @@ -24,7 +24,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/dmaap-mr:1.4.3 +image: onap/dmaap/dmaap-mr:1.4.4 pullPolicy: Always #Strimzi zookeeper_tunnel config diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index c9d29ce2ca..c47bdd33f1 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022 Nordix Foundation +# Modifications Copyright © 2021, 2022, 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +27,7 @@ dependencies: - name: mariadb-galera version: ~12.x-0 repository: '@local' + condition: global.mariadb.localCluster - name: policy-nexus version: ~12.x-0 repository: 'file://components/policy-nexus' 
diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index f7f0757558..29c9246ed9 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~12.x-0 repository: '@local' + - name: readinessCheck + version: ~12.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 2fe354e2c0..3a38b88d56 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -8,7 +8,7 @@ "https": "false", "prometheus": true }, - "pdpStatusParameters":{ + "pdpStatusParameters": { "pdpGroup": "defaultGroup", "timeIntervalMs": 120000, "pdpType":"apex", 
@@ -25,18 +25,38 @@ ] }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : "false", - "fetchTimeout": 15000, - "topicCommInfrastructure" : "dmaap" + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], +{{ if .Values.global.useStrimziKafkaPf }} + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } +{{ else }} + "topicCommInfrastructure": "dmaap" +{{ end }} }], - "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : "false", - "topicCommInfrastructure" : "dmaap" - }] + "topicSinks" : [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], +{{ if .Values.global.useStrimziKafkaPf }} + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } +{{ else }} + "topicCommInfrastructure": "dmaap" +{{ end }} + }] } } diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml 
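Review bot: `"security.protocol": "SASL_PLAINTEXT"` is hard-coded in both the `topicSources` and `topicSinks` blocks of the `@@ -25,18 +25,38 @@` hunk, so the Kafka connection is authenticated with SASL but not encrypted at the Kafka layer. If the deployment relies on the service mesh for transport encryption, that assumption should be documented next to the chart value that enables this branch. Otherwise the protocol should come from chart values, so that a TLS listener (`SASL_SSL`) can be selected without editing this file. The two `additionalProps` blocks are identical and could be rendered from one named template so they cannot drift apart.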
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
similarity index 71%
rename from kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml
rename to kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
index 6213fecb31..e68c9fd8d9 100755
--- a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
@@ -22,29 +22,53 @@ */}} apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} - serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - command: - - sh +{{- if not .Values.global.useStrimziKafkaPf }} +{{ include "common.readinessCheck.waitFor" . | nindent 6 }} +{{- end }} + - command: ["/bin/sh", "-cx"] +{{- if .Values.global.useStrimziKafkaPf }} + args: + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; + cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done +{{ else }} args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done +{{ end }} env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} +{{- if .Values.global.useStrimziKafkaPf }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . 
}}-strimzi-kafka-bootstrap:9092 + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} +{{ else }} + - name: KAFKA_URL + value: message-router + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic | upper }} {{- end }} volumeMounts: - mountPath: /config-input @@ -58,8 +82,11 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["sh","-c"] - args: ["/opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json"] + command: [ "/bin/sh", "-cx" ] + args: + - id apexuser; + cat /home/apexuser/config/OnapPfConfig.json; + /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: @@ -85,12 +112,12 @@ spec: - mountPath: /home/apexuser/config name: apexconfig resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} {{- end -}} - {{- if .Values.affinity }} - affinity: + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..d2fab9f535 --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml 
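Review bot: Both containers now start their shell with `-cx`, and in the Strimzi branch of the init container (hunk `@@ -22,29 +22,53 @@`) the traced command is the `JAASLOGIN=` assignment that pipes `$JAASLOGIN` through `tr -d '"'`, so the expanded `sasl.jaas.config` secret is written to the container log. The main container (hunk `@@ -58,8 +82,11 @@`) also adds `cat /home/apexuser/config/OnapPfConfig.json` before the start script, which prints the rendered configuration to the log, including the substituted `sasl.jaas.config` and possibly the REST server credentials passed in `env`. These look like debugging aids, and pod logs are usually readable by more people and systems than the Secret objects are. I would use `command: ["/bin/sh", "-c"]` in both places and drop `id apexuser;` and the `cat` line from `args`. The pod spec continues outside the hunks.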
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafkaPf }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 3ea694fb06..1ae79801ae 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -25,6 +25,7 @@ global: nodePortPrefix: 302 persistence: {} + useStrimziKafkaPf: set-via-parent-chart-global-value ################################################################# # Secrets metaconfig @@ -47,7 +48,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.9.1 +image: onap/policy-apex-pdp:2.9.2 pullPolicy: Always # flag to enable debugging - application support required @@ -89,6 +90,11 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small 
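Review bot: The new default `useStrimziKafkaPf: set-via-parent-chart-global-value` under `global` (hunk `@@ -25,6 +25,7 @@` of the apex-pdp `values.yaml`) is a non-empty string, and the templates in this commit test it with a plain `{{ if .Values.global.useStrimziKafkaPf }}`, which treats any non-empty string as true. Rendering this chart without a parent override therefore selects the Kafka branch (KafkaUser, SASL environment) instead of failing or falling back, and a quoted `"false"` override would do the same. A real boolean default, `useStrimziKafkaPf: false`, with a comment that the parent chart's global value overrides it, keeps the toggle predictable. The `config.useStrimziKafkaPf: true` key renamed in the `@@ -139,11 +145,11 @@` hunk is not read by any template shown in this diff and may be dead.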
@@ -139,11 +145,11 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true + useStrimziKafkaPf: true kafkaBootstrap: strimzi-kafka-bootstrap kafka: consumer: - groupId: policy-group + groupId: policy-apex app: listener: policyPdpPapTopic: policy-pdp-pap @@ -158,3 +164,21 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-apex + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + - message-router diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index 269ecd5f5f..4e73dc0b5b 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -31,7 +31,8 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" 
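Review bot: The `kafkaUser.acls` added in the `@@ -158,3 +164,21 @@` hunk grant `[Create, Describe, Read, Write]` on every topic whose name starts with `policy-pdp-pap` or `policy-heartbeat` (`patternType: prefix`), which is broader than the apex-pdp configuration in this commit needs: it reads and writes a single topic, `${PAP_TOPIC}`. Whether apex-pdp uses `policy-heartbeat` at all is not visible here. If the topics are provisioned elsewhere, I would drop `Create`, use `patternType: literal` instead of a prefix, and remove the heartbeat entry unless it is needed. Failing that, a short comment on each entry naming the code path that requires it would make the grant reviewable.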
@@ -46,6 +47,27 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy +{{ else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} policy-api: name: ApiGroup diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index 580dcdde86..1d7e0498af 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -12,7 +12,11 @@ spec: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -101,4 +105,4 @@ spec: emptyDir: medium: Memory imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 2ec88ee82e..3b64507880 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -24,6 +24,8 @@ global: nodePortPrefix: 304 persistence: {} + postgres: + localCluster: false ################################################################# # Secrets metaconfig @@ -46,7 +48,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.8.1 +image: onap/policy-api:2.8.2 pullPolicy: Always # flag to enable debugging - application support required @@ -58,7 +60,9 @@ db: password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin 
@@ -95,18 +99,22 @@ service: - name: http port: 6969 - ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: cpu: 1 - memory: 4Gi + memory: 6Gi requests: - cpu: 100m + cpu: 150m memory: 1Gi large: limits: diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index ce53abaf04..0c9fe5201a 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml 
@@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-a1pms-ppnt:6.4.1 +image: onap/policy-clamp-ac-a1pms-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-a1pms-ppnt @@ -74,6 +74,11 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # probe configuration parameters liveness: initialDelaySeconds: 20 diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 6f60fec111..9f043ba930 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml 
@@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:6.4.1 +image: onap/policy-clamp-ac-http-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-http-ppnt @@ -64,6 +64,11 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # probe configuration parameters liveness: initialDelaySeconds: 20 diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 985399a893..3d0754c656 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml 
@@ -43,7 +43,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:6.4.1 +image: onap/policy-clamp-ac-k8s-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-k8s-ppnt @@ -86,6 +86,11 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + flavor: small resources: small: diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index cef5200eb6..13e9472238 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml 
@@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-kserve-ppnt:6.4.1 +image: onap/policy-clamp-ac-kserve-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-kserve-ppnt @@ -64,6 +64,11 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # probe configuration parameters liveness: initialDelaySeconds: 20 diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index 83839f80bf..708bd7dad4 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml 
@@ -54,7 +54,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:6.4.1 +image: onap/policy-clamp-ac-pf-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-pf-ppnt @@ -84,6 +84,11 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # probe configuration parameters liveness: initialDelaySeconds: 20 diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 0ec4be4726..4ec221369b 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml 
@@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:6.4.1 +image: onap/policy-clamp-runtime-acm:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-runtime-acm @@ -119,22 +119,28 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + - serviceAccount: policy-gui-read + flavor: small resources: small: limits: cpu: 1 - memory: 4Gi + memory: 6Gi requests: - cpu: 100m - memory: 1Gi + cpu: 200m + memory: 2Gi large: limits: cpu: 2 memory: 8Gi requests: - cpu: 200m - memory: 2Gi + cpu: 400m + memory: 4Gi unlimited: {} #Pods Service Account @@ -149,4 +155,4 @@ readinessCheck: wait_for_job_container: containers: - - '{{ include "common.release" . }}-policy-galera-config' \ No newline at end of file + - '{{ include "common.release" . }}-policy-galera-config' diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index e744d09920..3c71e78072 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -58,7 +58,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.9.1 +image: onap/policy-distribution:2.9.2 pullPolicy: Always # flag to enable debugging - application support required @@ -118,6 +118,11 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 7cc347c519..ddc81b6980 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -41,7 +41,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.12.1 +image: onap/policy-pdpd-cl:1.12.2 pullPolicy: Always # flag to enable debugging - application support required @@ -80,6 +80,11 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + server: jvmOpts: -server -XshowSettings:vm diff --git a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 5e48e99d7a..975f103ef9 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml @@ -29,7 +29,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.4.1 +image: onap/policy-gui:2.4.2 pullPolicy: Always # flag to enable debugging - application support required @@ -89,7 +89,13 @@ ingress: config: ssl: "redirect" -#resources: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + + #resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index a7fcdaf832..81456c58dc 100755 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -64,6 +64,10 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + ## Persist data to a persitent volume persistence: enabled: true diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index ef41d38f08..1af33688d0 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~12.x-0 repository: '@local' + - name: readinessCheck + version: ~12.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 7f6f508c03..5496d93174 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml 
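Review bot: `authorizedPrincipals: []` in the policy-nexus `serviceMesh` block does not say whether the repository is meant to be closed to every mesh caller or open to all of them. How an empty list is rendered is decided inside the shared `common.authorizationPolicy` template, which is outside this hunk, and an ALLOW policy with no rules behaves in the opposite way to one with an unrestricted rule. Please state the intent next to the value, for example `# intentionally empty: <no caller | any caller> may reach policy-nexus`, and confirm it against the rendered manifest.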
@@ -26,7 +26,8 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" @@ -41,18 +42,27 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} +{{- else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} server: port: 6969 
@@ -65,9 +75,15 @@ pap: name: PapGroup aaf: false topic: - pdp-pap.name: POLICY-PDP-PAP - notification.name: POLICY-NOTIFICATION - heartbeat.name: POLICY-HEARTBEAT + {{ if .Values.global.useStrimziKafkaPf }} + pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} + notification.name: {{ .Values.config.kafka.topics.policyNotification }} + heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} + {{ else }} + pdp-pap.name: {{ .Values.dmaap.topics.policyPdpPap }} + notification.name: {{ .Values.dmaap.topics.policyNotification }} + heartbeat.name: {{ .Values.dmaap.topics.policyHeartbeat }} + {{ end }} pdpParameters: heartBeatMs: 120000 updateParameters: 
@@ -76,34 +92,82 @@ pap: stateChangeParameters: maxRetryCount: 1 maxWaitMs: 30000 - savePdpStatisticsInDb: false + savePdpStatisticsInDb: true topicParameterGroup: topicSources: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: false - fetchTimeout: 15000 - topicCommInfrastructure: dmaap - - topic: POLICY-HEARTBEAT - effectiveTopic: POLICY-PDP-PAP - consumerGroup: policy-pap - servers: - - message-router - useHttps: false - fetchTimeout: 15000 - topicCommInfrastructure: dmaap + - useHttps: false + fetchTimeout: 15000 + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyPdpPap }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} + - useHttps: false + fetchTimeout: 15000 + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . 
}}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.dmaap.topics.policyPdpPap }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} topicSinks: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: false - topicCommInfrastructure: dmaap - - topic: POLICY-NOTIFICATION - servers: - - message-router - useHttps: false - topicCommInfrastructure: dmaap + - useHttps: false + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyPdpPap }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} + - useHttps: false + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyNotification }} + servers: + - {{ include "common.release" . 
}}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyNotification }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} # If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks # servers: # - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 @@ -128,11 +192,6 @@ pap: password: "${DISTRIBUTION_PASSWORD}" useHttps: false basePath: healthcheck - - clientName: dmaap - hostname: message-router - port: 3904 - useHttps: false - basePath: topics management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
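Review bot: All four Kafka entries added under `topicSources` and `topicSinks` set `security.protocol: SASL_PLAINTEXT`, so SCRAM authenticates the client but Kafka itself does not encrypt the broker connection. If transport encryption is expected from the service mesh, record that where the setting is made, e.g. `# SASL_PLAINTEXT: encryption in transit is provided by the mesh, not by Kafka`; otherwise the protocol should come from values rather than being fixed in the template. The same entries hard-code `-strimzi-kafka-bootstrap:9092` although values.yaml already defines `config.kafkaBootstrap`, and the comment kept at the end of the hunk still points readers at `.Values.config.kafkaBootstrap`.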
diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index 201f48776d..78907723b1 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -29,12 +29,18 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: +{{- if not .Values.global.useStrimziKafkaPf }} +{{ include "common.readinessCheck.waitFor" . | nindent 6 }} +{{- end }} - command: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config - env: +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: fieldRef: @@ -42,7 +48,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: {{ include "common.name" . }}-db-readiness - command: - sh args: @@ -65,9 +71,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} +{{- if .Values.global.useStrimziKafkaPf }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config {{- end }} volumeMounts: - mountPath: /config-input 
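Review bot: In the readiness init container the added line `{{ end }} env:` puts a template action and a YAML key on the same line, so the key only lands in the right column because the action renders to nothing. Whitespace is collapsed in this view, so the exact indentation cannot be checked here, but the construct is fragile under any re-indent. Closing the conditional on its own line with `{{- end }}` and leaving `env:` as an ordinary line, with `{{- if ... }}` and `{{- else }}` trimmed the same way, keeps the `args` list free of stray blank lines.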
@@ -81,8 +90,11 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/opt/app/policy/pap/bin/policy-pap.sh"] - args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"] + + command: [ "/bin/sh", "-cx" ] + args: + - cat /opt/app/policy/pap/etc/mounted/papParameters.yaml; + /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml new file mode 100644 index 0000000000..d2fab9f535 --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafkaPf }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 8a638f60bc..a3bdba9b88 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml 
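Review bot: The new `command`/`args` pair runs `cat /opt/app/policy/pap/etc/mounted/papParameters.yaml` under `sh -cx` before starting PAP, which writes the whole rendered configuration to the container log on every start. The template for that file carries `${SQL_PASSWORD}`, `${DISTRIBUTION_PASSWORD}` and `${JAASLOGIN}`; if the mounted copy is the one in which the init container has already substituted them (that step is outside this hunk), the database, distribution and Kafka credentials become readable to anyone with log access and are copied into any log aggregation. This looks like leftover debugging. Restoring `command: ["/opt/app/policy/pap/bin/policy-pap.sh"]` and `args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"]` removes the exposure.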
@@ -25,6 +25,9 @@ global: nodePortPrefixExt: 304 persistence: {} + useStrimziKafkaPf: set-via-parent-chart-global-value + postgres: + localCluster: false ################################################################# # Secrets metaconfig @@ -66,7 +69,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.8.1 +image: onap/policy-pap:2.8.2 pullPolicy: Always # flag to enable debugging - application support required @@ -79,7 +82,9 @@ db: password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin @@ -124,26 +129,35 @@ service: ports: - name: http-api port: 6969 + - name: debug-port + port: 5005 + protocol: TCP ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + - serviceAccount: portal-app-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: 2 + memory: 6Gi requests: - cpu: 100m - memory: 1Gi + cpu: 200m + memory: 2Gi large: limits: - cpu: 2 + cpu: 4 memory: 8Gi requests: - cpu: 200m - memory: 2Gi + cpu: 400m + memory: 4Gi unlimited: {} #Pods Service Account @@ -171,14 +185,24 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true + useStrimziKafkaPf: true kafkaBootstrap: strimzi-kafka-bootstrap kafka: + topics: + policyHeartbeat: policy-heartbeat + policyNotification: policy-notification + policyPdpPap: policy-pdp-pap consumer: - groupId: policy-group + groupId: policy-pap app: listener: policyPdpPapTopic: policy-pdp-pap + +dmaap: + topics: + policyHeartbeat: POLICY-HEARTBEAT + policyNotification: POLICY-NOTIFICATION + policyPdpPap: POLICY-PDP-PAP # If targeting a custom kafka cluster, ie useStrimziKakfa: false # uncomment below config and target your kafka bootstrap servers, # along with any other security config. 
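Review bot: The placeholder `useStrimziKafkaPf: set-via-parent-chart-global-value` under `global` is a non-empty string, and a non-empty string is truthy in a Go template `if`. Rendering policy-pap without the parent chart's override would therefore take the Kafka branch of every `{{ if .Values.global.useStrimziKafkaPf }}` in deployment.yaml, kafkauser.yaml and papParameters.yaml, which is the opposite of the parent default of `false`. A real boolean is safer: `useStrimziKafkaPf: false`. The `config.useStrimziKafkaPf: true` added later in this file is not read by any template shown in this change and can be dropped.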
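Review bot: The `debug-port` entry (5005/TCP) added to `service.ports` publishes a debugger port on the policy-pap Service in every install, not only when debugging is switched on. Port 5005 is the conventional JDWP port and JDWP has no authentication, so if the JVM is ever started with the debug agent, every identity allowed to reach the Service can attach to it; whether the agent is enabled is not visible in this hunk. Please remove the entry from the defaults, or render it only when the debugging flag this values file already declares is set.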
@@ -190,3 +214,25 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-pap + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-notification + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + - message-router diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 44ae16de1d..f20ad9ae41 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml 
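Review bot: The three topic ACLs in the new `kafkaUser` block grant `[Create, Describe, Read, Write]` with `patternType: prefix`, which is broader than the way papParameters.yaml uses the topics. There the heartbeat topic appears only under `topicSources` and the notification topic only under `topicSinks`, so `operations: [Describe, Read]` for `policy-heartbeat` and `operations: [Describe, Write]` for `policy-notification` would match the visible usage; `Create` is only needed if PAP is expected to create the topics itself. Because the topic names are fixed in `config.kafka.topics`, a literal match would also stop the grant from covering any other topic that merely starts with the same string, provided the shared `common.kafkauser` template passes `patternType` through unchanged.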
+++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.8.1 +image: onap/policy-xacml-pdp:2.8.2 pullPolicy: Always # flag to enable debugging - application support required @@ -102,22 +102,47 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: message-router-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: 2 + memory: 6Gi requests: - cpu: 100m - memory: 1Gi + cpu: 200m + memory: 2Gi large: limits: cpu: 2 memory: 8Gi requests: cpu: 200m - memory: 2Gi + memory: 4Gi unlimited: {} #Pods Service Account diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 4bf9def21e..f0e91e8350 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -16,6 +16,7 @@ # limitations under the License. */}} +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: 
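Review bot: The `authorizedPrincipals` list added for policy-xacml-pdp admits 21 service accounts, 18 of them `dcae-*`, and nothing in the hunk records which of them actually request decisions from the PDP. A policy decision point is a sensitive target, so the list is best limited to confirmed callers and grouped under short comments such as `# DCAE services that query policy decisions`, which also makes later removals safe. In the same hunk the `large` flavor keeps `cpu: 2` and `cpu: 200m`, which now equal the `small` flavor, whereas policy-pap's `large` was raised to `cpu: 4` and `cpu: 400m`.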
@@ -83,6 +84,7 @@ spec: items: - key: db.sh path: db.sh +{{ end }} {{ if .Values.global.postgres.localCluster }} --- @@ -122,13 +124,13 @@ spec: /docker-entrypoint-initdb.d/db-pg.sh env: - name: PG_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} - name: PG_HOST value: "{{ .Values.postgres.service.name2 }}" - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: PG_USER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: PG_PORT value: "{{ .Values.postgres.service.internalPort }}" resources: {{ include "common.resources" . | nindent 10 }} @@ -145,6 +147,7 @@ spec: {{ end }} --- +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: @@ -217,7 +220,7 @@ spec: items: - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh - +{{ end }} {{ if .Values.global.postgres.localCluster }} --- apiVersion: batch/v1 
@@ -272,9 +275,9 @@ spec: - name: SQL_HOST value: "{{ .Values.postgres.service.name2 }}" - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: SQL_DB value: {{ .Values.dbmigrator.schema }} - name: POLICY_HOME @@ -282,7 +285,7 @@ spec: - name: SCRIPT_DIRECTORY value: "postgres" - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} resources: {{ include "common.resources" . | nindent 10 }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index d9d9769230..a787b8b626 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.global.useStrimziKafka }} +{{- if .Values.global.useStrimziKafkaPf }} apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 7abd75d832..9027e490f0 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml 
@@ -19,6 +19,7 @@ ################################################################# global: mariadb: + localCluster: true # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig @@ -37,6 +38,8 @@ global: name: postgres #Strimzi Kafka properties useStrimziKafka: true + # Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml + useStrimziKafkaPf: false kafkaBootstrap: strimzi-kafka-bootstrap policyKafkaUser: policy-kafka-user kafkaTopics: @@ -81,19 +84,6 @@ secrets: login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName @@ -163,7 +153,7 @@ policy-gui: ################################################################# dbmigrator: - image: onap/policy-db-migrator:2.6.1 + image: onap/policy-db-migrator:2.6.2 schema: policyadmin policy_home: "/opt/app/policy" 
@@ -256,8 +246,8 @@ postgres: config: pgUserName: policy_user pgDatabase: policyadmin - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName + pgUserExternalSecret: *dbSecretName + pgRootPasswordExternalSecret: *dbRootPassSecretName readinessCheck: wait_for: diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index adf4b3e04e..f6c2694992 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -39,8 +39,8 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-backend-all-plugins:1.12.3 -backendInitImage: onap/sdc-backend-init:1.12.3 +image: onap/sdc-backend-all-plugins:1.12.4 +backendInitImage: onap/sdc-backend-init:1.12.4 pullPolicy: Always diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index c9eb535808..f58fca7a07 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml @@ -51,8 +51,8 @@ cassandra: # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.12.3 -cassandraInitImage: onap/sdc-cassandra-init:1.12.3 +image: onap/sdc-cassandra:1.12.4 +cassandraInitImage: onap/sdc-cassandra-init:1.12.4 pullPolicy: Always config: diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index 62987370d5..b548c05cf4 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml @@ -23,7 +23,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-frontend:1.12.3 +image: onap/sdc-frontend:1.12.4 pullPolicy: Always config: 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index e13d10ac3e..cd02020325 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -35,8 +35,8 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/sdc-onboard-backend:1.12.3 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.3 +image: onap/sdc-onboard-backend:1.12.4 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.4 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-admin-cockpit/values.yaml b/kubernetes/so/components/so-admin-cockpit/values.yaml index a825e16d49..de6f031435 100644 --- a/kubernetes/so/components/so-admin-cockpit/values.yaml 
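Review bot: The new so-admin-cockpit `authorizationpolicy.yaml` gives no hint of when it renders or where its rules come from; everything sits behind `common.authorizationPolicy`, whose description in `_serviceMesh.tpl` says no policy is created when `common.useAuthorizationPolicies` returns false. A one-line template comment above the include, e.g. `{{/* ALLOW policy; principals come from serviceMesh.authorizationPolicy.authorizedPrincipals in values.yaml */}}`, would help whoever audits access to the service. The file also ends without a trailing newline (`\ No newline at end of file`). Both remarks apply equally to the identical `authorizationpolicy.yaml` files added for the other so components in this commit.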
+++ b/kubernetes/so/components/so-admin-cockpit/values.yaml @@ -143,6 +143,13 @@ ingress: port: 9091 config: ssl: "none" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: portal-app-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml index eefb33989d..e6223d7f54 100755 --- a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml @@ -46,9 +46,11 @@ pnf: port: 3904 protocol: http uriPathPrefix: events - topicName: unauthenticated.PNF_READY - consumerGroup: consumerGroup - consumerId: consumerId + pnfReadyTopicName: unauthenticated.PNF_READY + pnfUpdateTopicName: unauthenticated.PNF_UPDATE + consumerGroup: so-consumer + consumerId: so-bpmn-infra-pnfready + consumerIdUpdate: so-bpmn-infra-pnfupdate topicListenerDelayInSeconds: 5 bpelURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 msb-ip: msb-iag diff --git a/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml 
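Review bot: The `istio-ingress` principal in the new so-admin-cockpit `authorizedPrincipals` list authorizes whatever the ingress gateway forwards, so for outside callers access rests on controls at the gateway and in the application rather than on this list; the context lines just above show the ingress configured with `ssl: "none"`. The list therefore narrows in-mesh callers only, which is worth stating in place, e.g. `# istio-ingress admits all gateway traffic; external callers must be authenticated upstream`. Entries without a `namespace` key presumably default to the release namespace inside `common.authorizationPolicy`, which this diff does not show. The same pattern is added in the so-cnfm-lcm, so-etsi-nfvo-ns-lcm and so-etsi-sol003-adapter values hunks.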
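Review bot: In the so-bpmn-infra override.yaml hunk the old `topicName` key is removed outright in favour of `pnfReadyTopicName` and `pnfUpdateTopicName`, so the override only works with an image that reads the new names. The `onap/so/bpmn-infra` image bump sits in a separate values.yaml hunk, and a deployment that pins the previous image would presumably start without its PNF_READY topic configured. A comment such as `# key names must match the bpmn-infra image set in values.yaml` would make the coupling visible. Both topics keep the `unauthenticated.` prefix and are written as literals, so the new PNF_UPDATE listener reads from a topic that, going by its name, does not authenticate publishers; that deserves a line in the component's documentation. The surrounding `pnf:` mapping starts outside the hunk.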
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index 2fc9646c1d..9d69bb7215 100755 --- a/kubernetes/so/components/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -57,7 +57,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/bpmn-infra:1.11.0 +image: onap/so/bpmn-infra:1.12.1 pullPolicy: Always bpmn: @@ -158,6 +158,16 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-oof-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
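Review bot: `robot-read` is placed in the default `authorizedPrincipals` of so-bpmn-infra, and by its name it appears to be the service account of the Robot test suite, so a test-only identity would be allowed to call the service in every installation that enables authorization policies. Consider leaving it out of the chart default and adding it through an override in test deployments, or at least marking it, e.g. `- serviceAccount: robot-read  # test tooling only; drop for production`. The same entry is added for so-catalog-db-adapter, so-etsi-sol003-adapter, so-etsi-sol005-adapter, so-nssmf-adapter, so-openstack-adapter, so-request-db-adapter, so-sdc-controller, so-sdnc-adapter and in kubernetes/so/values.yaml.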
+++ b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/values.yaml b/kubernetes/so/components/so-catalog-db-adapter/values.yaml index 83e23d0e84..a3c5af2dbc 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/values.yaml @@ -56,7 +56,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/catalog-db-adapter:1.11.0 +image: onap/so/catalog-db-adapter:1.12.1 pullPolicy: Always db: @@ -123,6 +123,15 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" 
diff --git a/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnf-adapter/values.yaml b/kubernetes/so/components/so-cnf-adapter/values.yaml index 509925e17b..9f75e4c037 100755 --- a/kubernetes/so/components/so-cnf-adapter/values.yaml +++ b/kubernetes/so/components/so-cnf-adapter/values.yaml @@ -145,6 +145,10 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnfm-lcm/values.yaml b/kubernetes/so/components/so-cnfm-lcm/values.yaml index 9cb7483819..4e6adc4ef7 100644 --- a/kubernetes/so/components/so-cnfm-lcm/values.yaml +++ b/kubernetes/so/components/so-cnfm-lcm/values.yaml @@ -42,7 +42,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-cnfm-as-lcm:1.12.0 +image: onap/so/so-cnfm-as-lcm:1.12.1 pullPolicy: Always aai: @@ -119,6 +119,13 @@ ingress: config: ssl: 'redirect' +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + nodeSelector: {} tolerations: [] diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml index 8790877492..be1d13ee4b 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml @@ -143,6 +143,13 @@ ingress: config: ssl: 'redirect' +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + nodeSelector: {} tolerations: [] diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml index 98edcebb29..35a42fac78 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml @@ -114,6 +114,15 @@ ingress: port: 9092 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-nfvo-ns-lcm-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml index c571029de7..9ddbb354d8 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml @@ -119,6 +119,12 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-nssmf-adapter/values.yaml b/kubernetes/so/components/so-nssmf-adapter/values.yaml index ecf9b04dc9..4429761585 100755 --- a/kubernetes/so/components/so-nssmf-adapter/values.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/values.yaml @@ -144,6 +144,12 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-oof-adapter/values.yaml b/kubernetes/so/components/so-oof-adapter/values.yaml index c8a12690d0..10f30f1c25 100755 --- a/kubernetes/so/components/so-oof-adapter/values.yaml +++ b/kubernetes/so/components/so-oof-adapter/values.yaml @@ -126,6 +126,11 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index 205bc9a342..80abf04b2c 100755 --- a/kubernetes/so/components/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml @@ -52,7 +52,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.11.0 +image: onap/so/openstack-adapter:1.12.1 pullPolicy: Always db: @@ -128,6 +128,12 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" diff --git a/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index 5e49316a36..430d776b3f 100755 --- a/kubernetes/so/components/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml @@ -52,7 +52,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/request-db-adapter:1.11.0 +image: onap/so/request-db-adapter:1.12.1 pullPolicy: Always db: @@ -119,6 +119,17 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-sol005-adapter-read + - serviceAccount: so-nssmf-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read nodeSelector: {} tolerations: [] affinity: {} 
diff --git a/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index 81ae6ae7fd..aef59cbe19 100755 --- a/kubernetes/so/components/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml @@ -53,7 +53,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdc-controller:1.12.0 +image: onap/so/sdc-controller:1.12.1 pullPolicy: Always db: @@ -133,6 +133,12 @@ livenessProbe: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-read + nodeSelector: {} tolerations: [] affinity: {} 
diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index 60c1f9b285..daf4db3a1c 100755 --- a/kubernetes/so/components/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml @@ -59,7 +59,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdnc-adapter:1.11.0 +image: onap/so/sdnc-adapter:1.12.1 pullPolicy: Always org: @@ -139,6 +139,12 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} 
diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml index 08911aae76..c16c7d733f 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml @@ -76,6 +76,11 @@ nodeSelector: {} tolerations: [] affinity: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + #Pods Service Account serviceAccount: nameOverride: so-ve-vnfm-adapter diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 68905358c3..4a361c6516 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -139,7 +139,7 @@ dbCreds: userName: so_user adminName: so_admin -image: onap/so/api-handler-infra:1.11.0 +image: onap/so/api-handler-infra:1.12.1 server: aai: 
@@ -603,6 +603,9 @@ serviceMesh: - serviceAccount: consul-read - serviceAccount: consul-server-read - serviceAccount: nbi-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: robot-read - serviceAccount: istio-ingress namespace: istio-ingress diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml index 4ae01bd82b..6dd917b554 100644 --- a/kubernetes/uui/components/uui-server/values.yaml +++ b/kubernetes/uui/components/uui-server/values.yaml @@ -48,7 +48,7 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:5.1.3 +image: onap/usecase-ui-server:5.2.1 pullPolicy: Always # application configuration diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 325e5ccde2..4bdbd1b583 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml @@ -25,7 +25,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:5.1.2 +image: onap/usecase-ui:5.2.1 pullPolicy: Always # application configuration