From 3f8b4921d8d00c52cda47ea6d4e0bf4f98839ff6 Mon Sep 17 00:00:00 2001
From: "saul.gill"
Date: Wed, 16 Jul 2025 16:03:29 +0100
Subject: [PATCH] [PMS] Updated a1pms chart to work with new a1pms images

Update image version
Update config files
Add required env variables
Make tracing configurable globally

Issue-ID: CCSDK-4127
Change-Id: I30469af678ccc9242613b7d6520a27e41aa49fc7
Signed-off-by: saul.gill
---
 .../resources/config/application.yaml | 162 ++++++++++++++++-----
 .../resources/config/logback-plain.xml | 35 +++++
 .../a1policymanagement/templates/statefulset.yaml | 43 ++++++
 kubernetes/a1policymanagement/values.yaml | 48 +++++-
 4 files changed, 252 insertions(+), 36 deletions(-)
 create mode 100644 kubernetes/a1policymanagement/resources/config/logback-plain.xml

diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml
index 789f3eb673..e9e54799ac 100644
--- a/kubernetes/a1policymanagement/resources/config/application.yaml
+++ b/kubernetes/a1policymanagement/resources/config/application.yaml
@@ -5,6 +5,7 @@
 # ================================================================================
 # Copyright (C) 2020 Nordix Foundation. All rights reserved.
 # Copyright (C) 2021 Orange. All rights reserved.
+# Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,51 +23,142 @@
 # ============LICENSE_END=========================================================
 # */}}
-spring:
- profiles:
- active: prod
- main:
- allow-bean-definition-overriding: true
- aop:
- auto: false
-management:
- endpoints:
- web:
- exposure:
- # Enabling of springboot actuator features. See springboot documentation.
- include: "loggers,logfile,health,info,metrics,threaddump,heapdump"
+app:
+ # A file containing an authorization token, which shall be inserted in each HTTP header (authorization).
+ # If the file name is empty, no authorization token is sent.
+ auth-token-file:
+ # A URL to authorization provider such as OPA. Each time an A1 Policy is accessed, a call to this
+ # authorization provider is done for access control. If this is empty, no fine grained access control is done.
+ authorization-provider:
+ # the config-file-schema-path refers to a location in the jar file. If this property is empty or missing,
+ # no schema validation will be executed.
+ config-file-schema-path: /application_configuration_schema.json
+ # Postgres database usage is enabled using the below parameter.
+ # If this is enabled, the application will use postgres database for storage.
+ # This overrides the s3(s3.bucket) or file store(vardata-directory) configuration if enabled.
+ database-enabled: {{ .Values.app.databaseEnabled | default false }}
+ # Location of the component configuration file.
+ filepath: /opt/app/policy-agent/data/application_configuration.json
+ # S3 object store usage is enabled by defining the bucket to use. This will override the vardata-directory parameter.
+ s3:
+ endpointOverride: {{ .Values.app.s3.endpointOverride | default "http://minio-service:9000" }}
+ accessKeyId: {{ .Values.app.s3.accessKeyId | default "minio" }}
+ secretAccessKey: {{ .Values.app.s3.secretAccessKey | default "miniostorage" }}
+ bucket: {{ .Values.app.s3.bucket | default "" }}
+ webclient:
+ # Configuration of usage of HTTP Proxy for the southbound accesses.
+ # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
+ # proxy-type can be either HTTP, SOCKS4 or SOCKS5
+ http.proxy-host:
+ http.proxy-port: 0
+ http.proxy-type: HTTP
+ # Configuration of the trust store used for the HTTP client (outgoing requests)
+ # The file location and the password for the truststore is only relevant if trust-store-used == true
+ # Note that the same keystore as for the server is used.
+ trust-store-used: false
+ trust-store-password: policy_agent
+ trust-store: /opt/app/policy-agent/etc/cert/truststore.jks
+ # path where the service can store data. This parameter is not relevant if S3 Object store is configured.
+ vardata-directory: {{ .Values.app.vardataDirectory | default "/var/policy-management-service" }}
+ # Options for schema validation of the policy and policy status. Options: NONE, INFO, WARN, FAIL
+ validate-policy-instance-schema: NONE
+lifecycle:
+ timeout-per-shutdown-phase: "20s"
 logging:
+ config: {{ .Values.app.logging.config }}
+ # Reactive logging filter
+ reactive-entry-exit-filter-enabled: {{ .Values.app.reactiveEntryExitFilterEnabled | default true }}
+ reactive-entry-exit-filter-exclude-paths: {{ .Values.app.reactiveEntryExitFilterExcludePaths | default "" }}
 # Configuration of logging
+ file:
+ name: /var/log/policy-agent/application.log
 level:
 ROOT: ERROR
+ org.onap.ccsdk.oran.a1policymanagementservice: INFO
 org.springframework: ERROR
 org.springframework.data: ERROR
 org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR
- org.onap.ccsdk.oran.a1policymanagementservice: INFO
- file:
- name: /var/log/policy-agent/application.log
+ org.springframework.web.servlet.DispatcherServlet: ERROR
+ pattern:
+ console: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5level] [%thread] %logger{20} - %msg%n"
+ file: "%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5level] [%thread] %logger{20} - %msg%n"
+management:
+ endpoint:
+ shutdown:
+ enabled: true
+ endpoints:
+ web:
+ exposure:
+ # Enabling of springboot actuator features. See springboot documentation.
+ include: "loggers,logfile,health,info,metrics,threaddump,heapdump,shutdown"
+ tracing:
+ enabled: {{ .Values.global.tracing.enabled | default true }}
+ propagation:
+ produce: [{{ .Values.global.tracing.propagator.produce.type }}]
+ sampling:
+ probability: {{ .Values.global.tracing.sampling.probability | default "1.0" }}
+otel:
+ exporter:
+ otlp:
+ traces:
+ endpoint: {{ .Values.global.tracing.collector.baseUrl | default "http://jaeger:4317" }}
+ protocol: {{ .Values.global.tracing.collector.protocol | default "grpc" }}
+ logs:
+ exporter: none
+ metrics:
+ exporter: none
+ sdk:
+ {{- if not .Values.global.tracing.enabled }}
+ disabled: true
+ south: false
+ instrumentation:
+ spring-webflux:
+ enabled: false
+ {{- else }}
+ disabled: {{ .Values.global.tracing.sdk.disabled | default false }}
+ south: {{ .Values.global.tracing.sdk.south | default true }}
+ instrumentation:
+ spring-webflux:
+ enabled: {{ .Values.global.tracing.north.enabled | default true }}
+ {{- end }}
+ tracing:
+ sampler:
+ jaeger_remote:
+ endpoint: {{ .Values.global.tracing.sampling.baseUrl | default "http://jaeger:14250" }}
 server:
 # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
 # See springboot documentation.
- #port: 8081
- http-port: 8081
+ port : 8081
+ shutdown: "graceful"
 ssl:
 enabled: false
- key-store-type: PKCS12
- key-store-password: ""
- key-store: ""
- key-password: ""
- key-alias: ""
-app:
- # Location of the component configuration file. The file will only be used if the Consul database is not used;
- # configuration from the Consul will override the file.
- filepath: /opt/app/policy-agent/data/application_configuration.json
- webclient:
- trust-store-used: false
- trust-store-password: ""
- trust-store: ""
- # Configuration of usage of HTTP Proxy for the southbound accesses.
- # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
- http.proxy-host:
- http.proxy-port: 0
+ # trust-store-password:
+ # trust-store:
+spring:
+ aop:
+ auto: false
+ application:
+ name: a1-pms
+ flyway:
+ # Configuration of the postgres database to be used for database migration.
+ # This is where the flyway maintains the information about the sql files loaded.
+ # These values can be passed via configmap/secret/env variable based on the installation.
+ # By default, Flyway uses location classpath:db/migration to load the sql files.
+ # This can be overridden using "flyway.locations" to have a different location.
+ baseline-on-migrate: true
+ url: "jdbc:postgresql://127.0.0.1:5432/a1pms"
+ user: a1pms
+ password: mypwd
+ main:
+ allow-bean-definition-overriding: true
+ profiles:
+ active: prod
+ r2dbc:
+ # Configuration of the postgres database to be used by the application.
+ # These values can be passed via configmap/secret/env variable based on the installation.
+ url: {{ .Values.app.r2dbc.url | default "r2dbc:postgresql://postgres-service:5432/a1pms" }}
+ username: {{ .Values.app.r2dbc.username | default "a1pms" }}
+ password: {{ .Values.app.r2dbc.password | default "mypwd" }}
+springdoc:
+ show-actuator: true
diff --git a/kubernetes/a1policymanagement/resources/config/logback-plain.xml b/kubernetes/a1policymanagement/resources/config/logback-plain.xml
new file mode 100644
index 0000000000..014a983a38
--- /dev/null
+++ b/kubernetes/a1policymanagement/resources/config/logback-plain.xml
@@ -0,0 +1,35 @@
+
+
+
+
+ %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ} [%thread] %-5level %logger - %msg [facility=%X{facility}, subject=%X{subject}, traceId=%mdc{traceId}] %n%xEx
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/kubernetes/a1policymanagement/templates/statefulset.yaml b/kubernetes/a1policymanagement/templates/statefulset.yaml
index 4458744a55..3191087723 100644
--- a/kubernetes/a1policymanagement/templates/statefulset.yaml
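Review bot: `enabled: {{ .Values.global.tracing.enabled | default true }}` under `management.tracing` can never render `false`, because Sprig's `default` treats a boolean false as empty, so the `global.tracing.enabled: false` default this patch adds to values.yaml still yields `true` here; the same pattern affects `reactive-entry-exit-filter-enabled` and the `south:` line in the else branch, while the `otel.sdk` block a few lines below already branches correctly on `{{- if not .Values.global.tracing.enabled }}`. Render the boolean directly, `enabled: {{ .Values.global.tracing.enabled }}`, or use `hasKey`/`ternary` where a default is genuinely needed. The new `spring.flyway.password: mypwd`, the `mypwd` default for `spring.r2dbc.password`, the `miniostorage` default for `app.s3.secretAccessKey` and `trust-store-password: policy_agent` are rendered in clear into this config file, whereas the chart already feeds `A1CONTROLLER_PASSWORD` from a secret via `common.secret.envFromSecretFast`; these credentials should take the same route (for example `password: ${SPRING_R2DBC_PASSWORD}` populated from a chart secret), together with the matching plaintext defaults in the values.yaml `app:` hunk. Adding `shutdown` to `management.endpoints.web.exposure.include` while also setting `management.endpoint.shutdown.enabled: true` exposes an unauthenticated remote shutdown of the service on port 8081, so unless actuator calls are authenticated elsewhere, `shutdown` should stay out of the exposed list. `spring.flyway.url` is hard-coded to `127.0.0.1:5432` while `spring.r2dbc.url` defaults to `postgres-service:5432`, so migrations presumably target a different database than the application unless the URL is overridden outside this chart.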
+++ b/kubernetes/a1policymanagement/templates/statefulset.yaml
@@ -50,6 +50,24 @@ spec:
 {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
 - name: A1CONTROLLER_PASSWORD
 {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
+ - name: LOGBACK_CONFIG_FILE
+ value: {{ .Values.app.logging.config | quote }}
+{{- if .Values.global.tracing.enabled }}
+ - name: ONAP_PROPAGATOR_PRODUCE
+ value: "[{{ .Values.global.tracing.propagator.produce.type }}]"
+ - name: ONAP_OTEL_EXPORTER_ENDPOINT
+ value: {{ .Values.global.tracing.collector.baseUrl | quote }}
+ - name: ONAP_OTEL_EXPORTER_PROTOCOL
+ value: {{ .Values.global.tracing.collector.protocol | quote }}
+ - name: ONAP_SDK_DISABLED
+ value: {{ .Values.global.tracing.sdk.disabled | quote }}
+ - name: ONAP_TRACING_SOUTHBOUND
+ value: {{ .Values.global.tracing.sdk.south | quote }}
+ - name: ONAP_TRACING_NORTHBOUND
+ value: {{ .Values.global.tracing.north.enabled | quote }}
+ - name: ONAP_OTEL_SAMPLER_JAEGER_REMOTE_ENDPOINT
+ value: {{ .Values.global.tracing.sampling.baseUrl | quote }}
+{{- end }}
 volumeMounts:
 - mountPath: /config-input
 name: {{ include "common.fullname" . }}-policy-conf-input
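Review bot: `LOGBACK_CONFIG_FILE` is set from `.Values.app.logging.config`, which this patch defines as the relative name `logback-plain.xml`, while the `@@ -96` hunk mounts that file at `/opt/app/policy-agent/logback-plain.xml` and application.yaml reuses the same relative value for `logging.config`. Unless the container's working directory is `/opt/app/policy-agent` (not visible here), the relative path will not resolve and Logback falls back to its default configuration, so either set `config: /opt/app/policy-agent/logback-plain.xml` in values.yaml or derive the mount path from the same value so the two cannot drift. The eighteen added lines are repeated verbatim in the `@@ -72` hunk; a named template included from both containers would keep the two env lists in step. The enclosing container spec starts before this hunk.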
@@ -72,6 +90,24 @@ spec:
 {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
 - name: A1CONTROLLER_PASSWORD
 {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
+ - name: LOGBACK_CONFIG_FILE
+ value: {{ .Values.app.logging.config | quote }}
+{{- if .Values.global.tracing.enabled }}
+ - name: ONAP_PROPAGATOR_PRODUCE
+ value: "[{{ .Values.global.tracing.propagator.produce.type }}]"
+ - name: ONAP_OTEL_EXPORTER_ENDPOINT
+ value: {{ .Values.global.tracing.collector.baseUrl | quote }}
+ - name: ONAP_OTEL_EXPORTER_PROTOCOL
+ value: {{ .Values.global.tracing.collector.protocol | quote }}
+ - name: ONAP_SDK_DISABLED
+ value: {{ .Values.global.tracing.sdk.disabled | quote }}
+ - name: ONAP_TRACING_SOUTHBOUND
+ value: {{ .Values.global.tracing.sdk.south | quote }}
+ - name: ONAP_TRACING_NORTHBOUND
+ value: {{ .Values.global.tracing.north.enabled | quote }}
+ - name: ONAP_OTEL_SAMPLER_JAEGER_REMOTE_ENDPOINT
+ value: {{ .Values.global.tracing.sampling.baseUrl | quote }}
+{{- end }}
 volumeMounts:
 - mountPath: /tmp/scripts
 name: {{ include "common.fullname" . }}-envsubst-scripts
@@ -96,6 +132,9 @@ spec:
 initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.liveness.periodSeconds }}
 volumeMounts:
+ - name: config
+ mountPath: /opt/app/policy-agent/logback-plain.xml
+ subPath: logback-plain.xml
 - name: config
 mountPath: /opt/app/policy-agent/data/application_configuration.json
 subPath: application_configuration.json
@@ -105,6 +144,10 @@ spec:
 - name: {{ include "common.fullname" . }}
 mountPath: "/var/policy-management-service/database"
 resources: {{ include "common.resources" . | nindent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.mainUserId }}
+ runAsGroup: {{ .Values.mainGroupId }}
+ runAsNonRoot: true
 serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
 volumes:
 - name: {{ include "common.fullname" . }}-policy-conf-input
diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml
index 9ae6b60626..5253af0a0e 100644
--- a/kubernetes/a1policymanagement/values.yaml
+++ b/kubernetes/a1policymanagement/values.yaml
@@ -21,6 +21,23 @@ global:
 nodePortPrefix: 302
 persistence: {}
+ tracing:
+ enabled: false
+ propagator:
+ produce:
+ # This can have several options included in a comma separated list W3C,B3,B3_MULTI
+ type: W3C
+ collector:
+ baseUrl: "http://jaeger:4317"
+ protocol: "grpc"
+ sampling:
+ baseUrl: "http://jaeger:14250"
+ probability: "1.0"
+ sdk:
+ south: true
+ disabled: false
+ north:
+ enabled: true
 secrets:
 - uid: controller-secret
@@ -30,9 +47,12 @@ secrets:
 password: '{{ .Values.a1controller.password }}'
 passwordPolicy: required
-image: onap/ccsdk-oran-a1policymanagementservice:1.5.0
+image: onap/ccsdk-oran-a1policymanagementservice:2.1.0
 userID: 1000 #Should match with image-defined user ID
 groupID: 999 #Should match with image-defined group ID
+mainUserId: 1000 #Should match with image-defined user ID
+mainGroupId: 101 #Should match with image-defined group ID
+
 pullPolicy: IfNotPresent
 replicaCount: 1
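Review bot: The new container `securityContext` sets `runAsUser`, `runAsGroup` and `runAsNonRoot: true` but stops there; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` would complete the restricted profile, provided the image needs neither (and `readOnlyRootFilesystem: true` if the log path `/var/log/policy-agent` and the data directory are the only writable locations, which is not visible here). values.yaml now carries two identity pairs, `userID: 1000`/`groupID: 999` and the new `mainUserId: 1000`/`mainGroupId: 101`, all four commented `Should match with image-defined ... ID`, yet the group IDs differ; the `mainUserId`/`mainGroupId` comments in the `@@ -30` values.yaml hunk should state which container each pair applies to and why, e.g. `# UID/GID of the main container (securityContext in statefulset.yaml)`. Because `runAsGroup` is now 101 while the persistent volume at `/var/policy-management-service/database` keeps whatever ownership the provisioner gives it, check that the pod's `fsGroup` (or the existing `groupID`) still grants the process write access. The enclosing container spec starts before this hunk.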
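Review bot: The new `global.tracing.sdk.south`, `sdk.disabled` and `north.enabled` keys carry no comment although they feed `otel.sdk.*` in application.yaml and the `ONAP_TRACING_SOUTHBOUND`/`ONAP_TRACING_NORTHBOUND`/`ONAP_SDK_DISABLED` env vars in statefulset.yaml; a one-line comment per key would help, e.g. `# north.enabled drives otel.sdk.instrumentation.spring-webflux.enabled (incoming requests)` and `# south: rendered as otel.sdk.south — presumably tracing of southbound calls, confirm against the image`. `collector.baseUrl` and `sampling.baseUrl` are complete OTLP and Jaeger-remote endpoints rather than base URLs, so either the comment or the key name should say so to stop users appending paths. `probability: "1.0"` is a quoted string here and passed through `| default "1.0"` in application.yaml, which is fine for Spring's relaxed binding but worth a comment noting it is intentionally a string.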
@@ -134,3 +154,29 @@ serviceAccount:
 nameOverride: a1policymanagement
 roles:
 - read
+
+app:
+ # False here will result in local file storage
+ databaseEnabled: false
+
+ r2dbc:
+ # The R2DBC URL for the Postgres database.
+ # Example: r2dbc:postgresql://:/
+ url: r2dbc:postgresql://postgres-service:5432/a1pms
+ username: a1pms
+ password: mypwd
+ # Leaving bucket blank will disable S3 object store usage.
+ s3:
+ endpointOverride: http://minio-service:9000
+ accessKeyId: minio
+ secretAccessKey: miniostorage
+ bucket:
+
+ vardataDirectory: /var/policy-management-service
+
+ logging:
+ config: logback-plain.xml
+ reactiveEntryExitFilterEnabled: true
+ reactiveEntryExitFilterExcludePaths: ""
+
+
-- 
2.16.6
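Review bot: `# Example: r2dbc:postgresql://:/` has lost its host, port and database placeholders (possibly when the patch was rendered, but as shown it is misleading); write `# Example: r2dbc:postgresql://HOST:PORT/DATABASE` so the placeholders cannot be dropped again. `bucket:` with no value is YAML null rather than the "blank" the comment above promises; `bucket: ""` states the intent explicitly and renders identically through the `| default ""` pipeline in application.yaml. The `password: mypwd` and `secretAccessKey: miniostorage` entries are working credentials committed as chart defaults and end up in a ConfigMap-rendered file; a comment such as `# Placeholder only — override from a secret in every deployment` at minimum, and preferably no default at all, would make the expectation clear. The hunk also adds two trailing blank lines at end of file, which yamllint's empty-lines rule will flag.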