From 4a9f7dfda1d5bb8c6f8dce3ff6b86baf08b96eb5 Mon Sep 17 00:00:00 2001
From: Deena Mukundan <dm00536893@techmahindra.com>
Date: Fri, 17 Jan 2025 13:18:34 +0100
Subject: [PATCH] Addition of OPA-PDP Helm charts

Issue-ID: POLICY-5142
Change-Id: I810c514940048a4a32acc00eabdfa653692cb7b2
Signed-off-by: Deena Mukundan <dm00536893@techmahindra.com>
---
 kubernetes/policy/Chart.yaml                       |   6 +-
 .../policy/components/policy-opa-pdp/Chart.yaml    |  33 +++
 .../policy-opa-pdp/resources/config/config.json    |  43 ++++
 .../resources/policies/policy-data.tar.gz          | Bin 0 -> 30720 bytes
 .../templates/authorizationpolicy.yaml             |  21 ++
 .../policy-opa-pdp/templates/configmap.yaml        |  42 ++++
 .../policy-opa-pdp/templates/deployment.yaml       | 137 +++++++++++
 .../policy-opa-pdp/templates/kafkauser.yaml        |  20 ++
 .../components/policy-opa-pdp/templates/pvc.yaml   |  38 ++++
 .../policy-opa-pdp/templates/secrets.yaml          |  21 ++
 .../policy-opa-pdp/templates/service.yaml          |  21 ++
 .../policy-opa-pdp/templates/serviceMonitor.yaml   |  23 ++
 .../policy/components/policy-opa-pdp/values.yaml   | 253 +++++++++++++++++++++
 kubernetes/policy/values.yaml                      |   4 +
 14 files changed, 661 insertions(+), 1 deletion(-)
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/Chart.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
 create mode 100644 kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/service.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml
 create mode 100755 kubernetes/policy/components/policy-opa-pdp/values.yaml

diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml
index 2bf703c622..6a2e819718 100755
--- a/kubernetes/policy/Chart.yaml
+++ b/kubernetes/policy/Chart.yaml
@@ -19,7 +19,7 @@
 apiVersion: v2
 description: ONAP Policy
 name: policy
-version: 15.0.1
+version: 15.0.2
 
 dependencies:
   - name: common
@@ -53,6 +53,10 @@ dependencies:
     version: ~15.x-0
     repository: 'file://components/policy-drools-pdp'
     condition: policy-drools-pdp.enabled
+  - name: policy-opa-pdp
+    version: ~15.x-0
+    repository: 'file://components/policy-opa-pdp'
+    condition: policy-opa-pdp.enabled
   - name: policy-distribution
     version: ~15.x-0
     repository: 'file://components/policy-distribution'
diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
new file mode 100755
index 0000000000..6416e5016e
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml
@@ -0,0 +1,33 @@
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy OPA PDP (PDP-O)
+name: policy-opa-pdp
+version: 15.0.0
+
+dependencies:
+  - name: common
+    version: ~13.x-0
+    repository: '@local'
+  - name: repositoryGenerator
+    version: ~13.x-0
+    repository: '@local'
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
new file mode 100755
index 0000000000..e978b84186
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json
@@ -0,0 +1,43 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+{
+  "logging": {
+    "level": "debug"
+  },
+  "services": [
+    {
+      "name": "opa-bundle-server",
+      "url": "http://policy-opa-pdp:8282/opa/bundles"
+    }
+  ],
+  "bundles": {
+    "opabundle": {
+      "service": "opa-bundle-server",
+      "resource": "bundle.tar.gz",
+      "polling": {
+        "min_delay_seconds": 60,
+        "max_delay_seconds": 120
+      }
+    }
+  },
+  "decision_logs": {
+    "console": true
+  }
+}
diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/kubernetes/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..fa841c0191c80abdcbab3c937d96e3c5d8d49268
GIT binary patch
literal 30720
zcmeHP>u=jQ63^G_uOJj0+Fc}yCHavC+XK?>-eULec8j*(f*@feCRQs;K2feO*X#d&
zGo&6g{gCWR-93~>(O7&8hrc0bhQpCVn$xqRem?{FOh%(4_~TAS1NARf;pfO5PKMsl
zAA5u0(ZF?wo_|C}{jw#gFL+KfLXH-9izHucAF-)^d(S_0O^EWRcQoj65ukuu$lo7K
z#@=K&0r`8rH#GA98VjeEKYnxG^EByvSd{;G2>W{T{vY|ikNaPd|Iqb8{)5gr*+B3c
z-~XR10w0^Rgs0gJt^xakT!})gkk$ANKXw#Ct&MWDPpUSeCQbvIM`?ofZ?lN}gC-xS
z-Y93YIm>9i$QZWs&dDpi$vk60G>`I%m<ywk*-US@jFOPg850bRoDrFwalOrSF^j?|
zf5fqdgTLt2bDHH*5VM;QCSNpj9iKd$#d^~`nlZ2wv$<e<;0;d)-l;dXD-1r@aBPFj
z(}}8(y-MSBc9-f+G{F2p8^F9~z{U<>+5p(7C19hz0P}S;RKWgDlkib*puy#hTEKPQ
zjMlJud5zmHFSjqWhB_E3T0he`W_kk+Ex!#~qh_=wj@Pud{I+PFw?}KT*Jd2)V5n&Q
zO7HKJCgpY71}?uDF5fwCg3D_M*T8w+7hL0AaJ|c-BuHm8W=%`XYo)(hDf~wLHEOHB
zy!N1-@3qDzyFmMGv7{L#KgH2w(@JZl#>UMnZP={zN9|VHURH8H(9U;(c9|?P8cyjP
z{^;#AZPv=Sm^6bnYTll$U5jD+mG*qEmG)c*L)B*g1fQ-EF5hcmDxWvQHEv-l+iuM9
zVQ>kb?ArQlZE*HYk&b{o{{=w`(T~1D0HDzKJpaQ{&@<<MT~>WOugJfr5CF=5$N7KY
z`xE{AKN+~@{NIPXb((luwW-|yH#E<)=x&iSZePe_tnK2be1fLwGGUp0VbeGYYIo13
zGgKh<1)kOiLIW2kV%x*d1_F2KU1ha)bcfiG?{DZH&^jcrsXOrS+1LPG+Uw6^|EJjl
zO``vZm`e{v0N2ER@!ug_02uwhF0JlM*5%*55kUFx(EkwYbv6AznhZxq|93C#b&7?W
zr$G!le|z9}!BOjjrC3q>A}EaJ10%ny{bdyx3<eR{O3|04P@XXw)`uLdxUOTU_-I2+
zVV))o&5H7HbE#3Y=UMum1)^2)b-j(M;gB3WLnC3RaIEd&+j8Qnxxya6pE7MZ8+`)(
z4T_?Y$m(N$0cbCEV859EU`n$%s@;SY;KUrnD$wV!L7;o{CPZsaf$JMyD-rrXOJml9
z-7kmQ-~N04WMb@piC>?8Yx#F?_e;JT>^}%wxBo+LFgEtT#IMi4h5bh}cY|sGt+*_c
zHcr@k)iIF8;VepO^QkCs8x7@Jd${+F)5rDufx9S<qvT;TCH4_-iLWXnEk+LDzCN9S
zGg1{_i*KK$^I+o~ZXPn4<l0QCjylPDw$eORmK_F{c74?^5p3j-b8&?orV8^|Q}9ue
z`Xb_Rqh3#QU*a@O=NlcbPFQcGzRr6suo_RhS{UDmR2Fkkv${isqP05_OEdYFaw#`v
zr((H}5}H8Ns9Fj8uIc9KZ62Z;u+S9{7&5m5(y9piFHbVPd4LD_e-qc_fA(qiE8433
z`|<!A{6BXH$$nb?-^erZ|4K%EevuA}-M9Y-L7-Ii*%TL`3=-(3#{L+wWrL#!*@Ux*
z^CJ3GJ6kpt4yx+P3L~q8Y$}_875Lfe>n*crv&jxw%%En4lHv*%M0vW%0^wI*t+W)?
z;C6q6Io5DsDSm9+jCYjl<SP=2qbVXm0B@Jmt;RuS4x7{}iRwvZyb$pLj928k=TDIS
zRxXd`DV*>k#(OjVpuAezfARi@JN9M%Kg9pd`yYL3eo4EMe~<5gw3NS+|L?<{v5|lO
z(my&{mA`m;bTamkb~t#0|2G)>BhCLC4F}-=oA*CD6v7r#a~gc04~*dUx2y<m+_IdY
z{GE@kWrggXF5;X(`gpn|7ca;?jXAR{`5fJ2s1R*9y@RNm@(zhbq^ETg@f*D2!2|bd
z34zYi<04T4|K^L_DZDew+C-8BX_C_@;bK7XrV7#k1~|k6i84466h|4HlcQ8X)A}_R
zr+TM@{Pjh_02bYVPZ_15bDyQNZ5@8t&^}KsiG^ehu=<2dU|8ou9rvm%y(a$^Y+?&!
zSz=Ju@~`B8)ce1`9KZwg|70>S`hUxo?X-AJ{ymt0CjCG0^!&fEJ2LveQ#o%VR_TAa
z{SPw%L55i#@ctmE`;U+!5?Ul=cdG?bttu^K%3xja*;*rm3SMe*$sJe-k*KUBDqcyo
zS#>R1TstCBk-R8Xd)WX?+6rUshbTI38$ecDmNrkMFIkio<cAl;A6VMt59dM>s!f=D
zZXeyQ_CNbKyx!PP8o(j?e{Ammw{6)@%h%-p2k3v_6~F(Wod3qIZ|?s)mGd@YrT#Cr
z|GNHHU44wT!Kct?G@qh=y%ND=Zp*v1x_-v;X&Pb+`}OZ{-`U~}AkGoeZ5O1r5j!ac
z5pn4#+(G;2p9JY`^E2hU5vcaRn(WtcFmQkUKN<{;|G!&s9o24@f44@U!T)#twfnz`
z=NkRrk%V`XDfPd){nw4awm8r+QTve?Qnq3U{lIk>Ux^Wk5Dny*gI1Rgz1j`D`j}(H
zD0WcY*FHNw$#S)MU9XnPc17lJ-J~dxwN-9(U0)SJ@TOoAbJ>wk<fn{C72&M9pR7QW
zc1+4a|Gcw5d~Ov!f2eE^<bU_dH?@dBrT=@(0pH*L``*Od|9zDOx+?!}?S46d2K(>B
zkIJmw|G>`#n){y;z#jh|lQ)nteTtbTA-NQmo4kUX7ElM|*_)S_uf78dciQl=j-k=J
zX~ao!jD+wXWMVQ-XhM((nWc~{L+;azQ1Y7P<ShgT8M%D@iv#`GYLUEc;y@A|08a9h
z#A*70(45R!&QFL)J|_8;%}$6+3B`vfBk&VlqCN@1n3FV-#O0y}a(IIT^WtPVje==G
zJpdLVGzYBB3M<c{XVD~MMfQ$LiNGyc%x3Un8uCa<5K~A&3U&Y~XTO{>n6sP{g>TsF
zApzK7f~b8Ftq>>{-=T%bW5)&n5rvdo_>nSfT(YY;EYJ9N$h9aD7fR_p+~P^*optf>
zX}aVD{sVFsSpDRC@}m%$CNc1X-oRxbZ~*8>NzO9(fwr6r9?6W(=a9V*PYg=oZY>91
zp~tUpfBy{z1)9G=2gr9m<BVp2I1RFtb5SqcKoD5A2=M3NIC;jL2j^s!Fswbm<8QEP
zX1H9U1f?Y2QidBf28@^9D=^|@c!OCMAcpI1>@j)yh)WaiG*945@(8T|YXLv)#+|Kq
zoyX)-L@h*0nOKcs3Mf71Q<%F`ySXS>jAn~==oiXvLU!T>NeuGh6E-BUS4!!EIEy4U
zRk(FOWsFbO6Tkz0`c8J{Vn>xU9qWmZzo3h9C^;$yvas{3DGNT7oXD19e2}R+;u9I;
zk!~)!y`pL14_ig8SZGxpK1qkT99JNLGX*Jw^x(o*rsZJ~#Ho{q3XZ38ML{vg)h*8m
zf{fS<mPS#bRGcTUnK(VjmspBh0qk~-qA2?pNC*aC3FQQ~i6~n|l0>jJ^5{O2>luM5
z)(I?Yp|Ea6uUoQ&7g)$0D=(+9y%aJMztx7l72<+3QugRLPBp2Lsp^7T6d)lX?pvJO
zZLKXpUqRj>svqRO6uz8yu^s?l92y6aO9DyYiV&A6JF$W#QqHZ?Pn2+2>Oes<hBxD4
zT=B?B9PwNX{1hoatw$~9p$>~Jiq~_l@H@VtDKv%9GI-jcSp>g9iaQ~Nxq(i9<nYr@
z{DMsLe9kY<&X&uilg?Qp)jH%ZB)J18!Lu+8_*o3vhUaHBq0>A)6@*R;LTB}GQaizM
zZ$IM4kPZr34f<LC|F02L{-50H9Y_A8<8pxiKXxJi+vNZC==c?+b@|I()olh?ga7Zk
z-kSeE85{q<f8oOjrNdMNwAM1f4sw~cI6u-KK(&9c`-7K8!pVt5mUfXGfVy~#^}mX)
z(S5-|MGw*W{aR;Xmug3hOXF0=|E}H(BC1bR6Z_DXSm}@Rs}Bmf!fiS(uEV~U{&sD^
zdbNbBgBpAIRkoZN#2{c0FbEg~3<3rLgMdN6AYc$M2p9wm0tNwtfI+|@U=T0}7z7Lg
Hy(92HKtKk=

literal 0
HcmV?d00001

diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml
new file mode 100755
index 0000000000..e2b4537dc8
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml
@@ -0,0 +1,21 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
new file mode 100755
index 0000000000..cc08af6937
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml
@@ -0,0 +1,42 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-configmap-config
+  namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
+data:
+{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-configmap-policies-data
+  namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
+{{- with .Files.Glob "resources/policies/*" }}
+binaryData:
+{{- range $path, $bytes := . }}
+       {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
new file mode 100755
index 0000000000..6c25bac01c
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml
@@ -0,0 +1,137 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+  selector: {{- include "common.selectors" . | nindent 4 }}
+  replicas: {{ .Values.replicaCount }}
+  template:
+    metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+    spec:
+      {{ include "common.podSecurityContext" . | indent 6 | trim }}
+      initContainers:
+      - command:
+        - /bin/sh
+        args:
+          - -c
+          - |
+            echo "*** set right permissions to the different folders"
+            chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log;
+            chmod -R 755 /var/log
+            chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/;
+            chmod -R 755 /opt/*
+            tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
+        image: {{ include "repositoryGenerator.image.busybox" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        {{ include "common.containerSecurityContext" . | indent 8 | trim }}
+        name: {{ include "common.name" . }}-readiness
+        volumeMounts:
+        - name: logs
+          mountPath: /var/log
+        - name: tmp-policies-data
+          mountPath: /tmp/policies
+        - name : opa-policies-data
+          mountPath: /opt/
+
+      containers:
+      - name: {{ include "common.name" . }}
+        {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+        image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        ports: {{ include "common.containerPorts" . | nindent 12  }}
+        # disable liveness probe when breakpoints set in debugger
+        # so K8s doesn't restart unresponsive container
+        env:
+        - name: UseSASLForKAFKA
+          value: "{{ .Values.kafka.useSASL }}"
+        - name: KAFKA_URL
+          value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}
+        - name: GROUPID
+          value: "{{ .Values.kafka.groupid }}"
+        - name: LOG_LEVEL
+          value: "{{ .Values.log.loglevel }}"
+        - name: PAP_TOPIC
+          value: "{{ .Values.kafka.topic }}"
+        - name: API_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }}
+        - name: API_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }}
+        - name: RESTSERVER_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
+        - name: RESTSERVER_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
+        - name: JAASLOGIN
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "common.name" . }}-ku
+              key: sasl.jaas.config
+        {{- if eq .Values.liveness.enabled true }}
+        livenessProbe:
+          tcpSocket:
+            port: {{ .Values.service.internalPort }}
+          initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+          periodSeconds: {{ .Values.liveness.periodSeconds }}
+        {{ end -}}
+        readinessProbe:
+          tcpSocket:
+            port: {{ .Values.service.internalPort }}
+          initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readiness.periodSeconds }}
+        volumeMounts:
+
+        - name: opa-policies-data
+          mountPath: /opt
+        - name: opa-config
+          mountPath: /app/config
+        - name: opa-bundles
+          mountPath: /app/bundles
+        - name: logs
+          mountPath: /var/log
+        resources: {{ include "common.resources" . | nindent 12 }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end -}}
+      {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+      volumes:
+      - name: tmp-policies-data
+        configMap:
+          name: {{ include "common.fullname" . }}-configmap-policies-data
+          defaultMode: 0755
+      - name: opa-policies-data
+        persistentVolumeClaim:
+           claimName: {{ include "common.fullname" . }}-policies-data
+      - name: opa-config
+        configMap:
+          name: {{ include "common.fullname" . }}-configmap-config
+          defaultMode: 0755
+      - name: opa-bundles
+        emptyDir:
+          sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }}
+      - name: logs
+        emptyDir:
+          sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }}
+      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml
new file mode 100755
index 0000000000..faf315356c
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml
@@ -0,0 +1,20 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
new file mode 100755
index 0000000000..5a1e9e3450
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/pvc.yaml
@@ -0,0 +1,38 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "common.fullname" . }}-policies-data
+  namespace: {{ include "common.namespace" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.logsSize }}
+  storageClassName: {{ include "common.storageClass" . }}
+  volumeMode: Filesystem
+
+{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml
new file mode 100755
index 0000000000..0c47a8bd77
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml
new file mode 100755
index 0000000000..1d45a0baef
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml
@@ -0,0 +1,21 @@
+{{/*
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml
new file mode 100755
index 0000000000..96774208de
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml
@@ -0,0 +1,23 @@
+{{/*
+# ============LICENSE_START=======================================================
+#  Copyright (c) 2024 Deutsche Telekom
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{- if .Values.global.prometheusEnabled }}
+{{ include "common.serviceMonitor" . }}
+{{- end }}
diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml
new file mode 100755
index 0000000000..20c7e513bc
--- /dev/null
+++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml
@@ -0,0 +1,253 @@
+#  ============LICENSE_START=======================================================
+#   Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#  ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+  persistence: {}
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: api-creds
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}'
+    login: '{{ .Values.apiServer.user }}'
+    password: '{{ .Values.apiServer.password }}'
+    passwordPolicy: required
+  - uid: restserver-creds
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+    login: '{{ .Values.restServer.user }}'
+    password: '{{ .Values.restServer.password }}'
+    passwordPolicy: required
+
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+image: onap/policy-opa-pdp:1.0.0
+pullPolicy: Always
+
+componentName: &componentName policy-opa-pdp
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+log:
+  loglevel: "debug"
+
+
+# application configuration
+
+permissions:
+  uid: 100
+  gid: 102
+
+restServer:
+  user: healthcheck
+  password: zb!XztG34
+
+apiServer:
+  user: policyadmin
+  password: zb!XztG34
+
+config:
+  # Event consumption (kafka) properties
+  kafka:
+    consumer:
+      groupId: policy-opa-pdp
+  app:
+    listener:
+      policyPdpPapTopic: policy-pdp-pap
+
+securityContext:
+  user_id: 0
+  group_id : 0
+  runAsNonRoot: false
+
+
+containerSecurityContext:
+  enabled: true
+  privileged: false
+  allowPrivilegeEscalation: true
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+  runAsUser: 0
+  runAsGroup: 0
+
+
+kafka:
+  groupid: "policy-opa-pdp"
+  topic: "policy-pdp-pap"
+  useSASL: "true"
+  brokers: "onap-strimzi-kafka-bootstrap.onap:9092"
+
+persistence:
+  enabled: true
+  volumeReclaimPolicy: Retain
+  accessMode: ReadWriteMany
+  logsSize: 1Gi
+  mountPath: /dockerdata-nfs
+  mountSubPath: policy/opapdp
+  storageClass: "cinder-os"
+  enableDefaultStorageclass: false
+  parameters: {}
+  storageclassProvisioner: cinder-os
+
+
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+  initialDelaySeconds: 20
+  periodSeconds: 10
+  # necessary to disable liveness probe when setting breakpoints
+  # in debugger so K8s doesn't restart unresponsive container
+  enabled: true
+
+readiness:
+  initialDelaySeconds: 20
+  periodSeconds: 10
+
+service:
+  type: ClusterIP
+  name: *componentName
+  internalPort: 8282
+  ports:
+    - name: http
+      port: 8282
+
+ingress:
+  enabled: false
+
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: dcae-datafile-collector-read
+      - serviceAccount: dcae-datalake-admin-ui-read
+      - serviceAccount: dcae-datalake-des-read
+      - serviceAccount: dcae-datalake-feeder-read
+      - serviceAccount: dcae-heartbeat-read
+      - serviceAccount: dcae-hv-ves-collector-read
+      - serviceAccount: dcae-kpi-ms-read
+      - serviceAccount: dcae-pm-mapper-read
+      - serviceAccount: dcae-pmsh-read
+      - serviceAccount: dcae-prh-read
+      - serviceAccount: dcae-restconf-collector-read
+      - serviceAccount: dcae-slice-analysis-ms-read
+      - serviceAccount: dcae-snmptrap-collector-read
+      - serviceAccount: dcae-son-handler-read
+      - serviceAccount: dcae-tcagen2-read
+      - serviceAccount: dcae-ves-collector-read
+      - serviceAccount: dcae-ves-mapper-read
+      - serviceAccount: dcae-ves-openapi-manager-read
+      - serviceAccount: strimzi-kafka-read
+      - serviceAccount: oof-read
+      - serviceAccount: sdnc-read
+
+flavor: small
+resources:
+  small:
+    limits:
+      cpu: "1"
+      memory: "1Gi"
+    requests:
+      cpu: "0.5"
+      memory: "1Gi"
+  large:
+    limits:
+      cpu: "2"
+      memory: "2Gi"
+    requests:
+      cpu: "1"
+      memory: "2Gi"
+  unlimited: {}
+
+
+dirSizes:
+  emptyDir:
+    sizeLimit: 1Gi
+  logDir:
+    sizeLimit: 500Mi
+  policyDir:
+    sizeLimit: 100Mi
+  bundleDir:
+    sizeLimit: 5Gi
+
+
+#Pods Service Account
+serviceAccount:
+  nameOverride: *componentName
+  roles:
+    - read
+
+metrics:
+  serviceMonitor:
+    # Override the labels based on the Prometheus config parameter: serviceMonitorSelector.
+    # The default operator for prometheus enforces the below label.
+    labels:
+      app: '{{ include "common.name" . }}'
+      helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      app.kubernetes.io/instance: '{{ include "common.release" . }}'
+      app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+      version: '{{ .Chart.Version | replace "+" "_" }}'
+      release: prometheus
+    enabled: true
+    port: policy-opa-pdp
+    interval: 60s
+    isHttps: false
+    basicAuth:
+      enabled: true
+      externalSecretNameSuffix: policy-opa-pdp-restserver-creds
+      externalSecretUserKey: login
+      externalSecretPasswordKey: password
+    selector:
+      app: '{{ include "common.name" . }}'
+      chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+      release: '{{ include "common.release" . }}'
+      heritage: '{{ .Release.Service }}'
+
+config:
+  # Event consumption (kafka) properties
+  kafka:
+    consumer:
+      groupId: policy-opa-pdp
+  app:
+    listener:
+      policyPdpPapTopic: policy-pdp-pap
+
+# Strimzi Kafka config
+kafkaUser:
+  authenticationType: scram-sha-512
+  acls:
+    - name: policy-opa-pdp
+      type: group
+      operations: [ Create, Describe, Read, Write ]
+    - name: policy-pdp-pap
+      type: topic
+      patternType: prefix
+      operations: [ Create, Describe, Read, Write ]
diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml
index 2fd3c32878..b9087716b8 100644
--- a/kubernetes/policy/values.yaml
+++ b/kubernetes/policy/values.yaml
@@ -173,6 +173,10 @@ policy-drools-pdp:
   db: *dbSecretsHook
   config:
     jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
+policy-opa-pdp:
+  enabled: true
+  config:
+    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
 policy-distribution:
   enabled: true
   db: *dbSecretsHook
-- 
2.16.6