From be5104f21cce47c3f3c46571047d998179a679ab Mon Sep 17 00:00:00 2001 From: srinivasyanamadala Date: Fri, 20 Dec 2024 15:18:03 +0100 Subject: [PATCH] Added changes for performance and stability for opa-pdp Issue-ID: POLICY-5215 Change-Id: Iea19dfd4a46509a60d7b4a41f714fd8221ce2d0d 
Signed-off-by: srinivasyanamadala --- csit/resources/scripts/get-cluster-info.sh | 12 ++ csit/run-k8s-csit.sh | 15 +- helm/policy/Chart.yaml | 8 +- .../resources/config/OnapPfConfigSampleGroup.json | 4 +- helm/policy/components/policy-opa-pdp/Chart.yaml | 23 ++++ .../policy-opa-pdp/resources/config/config.json | 43 ++++++ .../resources/policies/policy-data.tar.gz | Bin 0 -> 30720 bytes .../policy-opa-pdp/templates/configmap.yaml | 49 +++++++ .../policy-opa-pdp/templates/deployment.yaml | 153 +++++++++++++++++++++ .../components/policy-opa-pdp/templates/pvc.yaml | 41 ++++++ .../policy-opa-pdp/templates/role-binding.yaml | 34 +++++ .../policy-opa-pdp/templates/secret.yaml | 33 +++++ .../policy-opa-pdp/templates/service-account.yaml | 25 ++++ .../policy-opa-pdp/templates/service.yaml | 40 ++++++ helm/policy/components/policy-opa-pdp/values.yaml | 117 ++++++++++++++++ .../policy-pap/resources/config/groups.json | 20 +++ 16 files changed, 612 insertions(+), 5 deletions(-) create mode 100755 helm/policy/components/policy-opa-pdp/Chart.yaml create mode 100755 helm/policy/components/policy-opa-pdp/resources/config/config.json create mode 100755 helm/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz create mode 100755 helm/policy/components/policy-opa-pdp/templates/configmap.yaml create mode 100755 helm/policy/components/policy-opa-pdp/templates/deployment.yaml create mode 100755 helm/policy/components/policy-opa-pdp/templates/pvc.yaml create mode 100755 helm/policy/components/policy-opa-pdp/templates/role-binding.yaml create mode 100755 helm/policy/components/policy-opa-pdp/templates/secret.yaml create mode 100755 helm/policy/components/policy-opa-pdp/templates/service-account.yaml create mode 100755 helm/policy/components/policy-opa-pdp/templates/service.yaml create mode 100755 helm/policy/components/policy-opa-pdp/values.yaml 
diff --git a/csit/resources/scripts/get-cluster-info.sh b/csit/resources/scripts/get-cluster-info.sh index d8e4217c..92e92ee8 100755 --- a/csit/resources/scripts/get-cluster-info.sh +++ b/csit/resources/scripts/get-cluster-info.sh @@ -1,7 +1,10 @@ #!/bin/bash # ============LICENSE_START======================================================= # Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ +# +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -32,6 +35,7 @@ export PF_PARTICIPANT_PORT=30008 export HTTP_PARTICIPANT_PORT=30009 export K8S_PARTICIPANT_PORT=30010 export SIM_PARTICIPANT_PORT=30011 +export OPA_PORT=30012 export SIMULATOR_PORT=30904 # Retrieve pod names @@ -41,6 +45,7 @@ function get_pod_names() { export API_POD=$(get_pod_name api) export DMAAP_POD=$(get_pod_name message-router) export XACML_POD=$(get_pod_name xacml) + export OPA_POD=$(get_pod_name opa-pdp) export DROOLS_POD=$(get_pod_name drools-pdp) export DIST_POD=$(get_pod_name distribution) export ACM_POD=$(get_pod_name acm-runtime) @@ -58,6 +63,7 @@ function get_svc_names() { export DMAAP_SVC=$(get_svc_name message-router) export DROOLS_SVC=$(get_svc_name drools-pdp) export XACML_SVC=$(get_svc_name policy-xacml-pdp) + export OPA_SVC=$(get_svc_name policy-opa-pdp) export DIST_SVC=$(get_svc_name policy-distribution) export ACM_SVC=$(get_svc_name policy-clamp-runtime-acm) export POLICY_PPNT_SVC=$(get_svc_name policy-clamp-ac-pf-ppnt) @@ -72,6 +78,7 @@ function expose_services() { expose_service $PAP_SVC expose_service $API_SVC expose_service $XACML_SVC + expose_service_opa_pdp $OPA_SVC expose_service $DROOLS_SVC expose_service $DIST_SVC expose_service $ACM_SVC 
@@ -93,6 +100,10 @@ function get_svc_name() { microk8s kubectl get svc --no-headers -o custom-columns=':metadata.name' | grep $1 } +function expose_service_opa_pdp() { + microk8s kubectl expose service $1 --name $1"-svc" --type NodePort --protocol TCP --port 8282 --target-port 8282 +} + function expose_service() { microk8s kubectl expose service $1 --name $1"-svc" --type NodePort --protocol TCP --port 6969 --target-port 6969 } @@ -114,6 +125,7 @@ function patch_ports() { patch_port "$DIST_SVC" $DIST_PORT patch_port "$DROOLS_SVC" $DROOLS_PORT patch_port "$XACML_SVC" $XACML_PORT + patch_port "$OPA_SVC" $OPA_PORT } function setup_message_router_svc() { diff --git a/csit/run-k8s-csit.sh b/csit/run-k8s-csit.sh index a2430623..3f6e5a44 100755 --- a/csit/run-k8s-csit.sh +++ b/csit/run-k8s-csit.sh @@ -2,7 +2,10 @@ # # ============LICENSE_START==================================================== # Copyright (C) 2022-2024 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ============================================================================= +# +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -33,6 +36,7 @@ POLICY_API_ROBOT="api-test.robot api-slas.robot" POLICY_PAP_ROBOT="pap-test.robot pap-slas.robot" POLICY_APEX_PDP_ROBOT="apex-pdp-test.robot apex-slas.robot" POLICY_XACML_PDP_ROBOT="xacml-pdp-test.robot xacml-pdp-slas.robot" +POLICY_OPA_PDP_ROBOT="opa-pdp-test.robot" POLICY_DROOLS_PDP_ROBOT="drools-pdp-test.robot" POLICY_DISTRIBUTION_ROBOT="distribution-test.robot" 
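Review bot: `expose_service_opa_pdp` at the top of the hunk duplicates `expose_service` verbatim except for the port, and like the original leaves `$1` unquoted in the `kubectl expose` call. A port parameter with a default keeps a single code path: `expose_service() { local svc=$1 port=${2:-6969}; microk8s kubectl expose service "$svc" --name "${svc}-svc" --type NodePort --protocol TCP --port "$port" --target-port "$port"; }` with the call site becoming `expose_service "$OPA_SVC" 8282`. Note that this publishes the OPA PDP REST API on a NodePort (30012 after `patch_port`), so whatever authentication the PDP enforces on 8282 is the only control on it from the node network; that is acceptable for CSIT, but a one-line comment saying so would stop the helper being copied into a production overlay.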
@@ -42,6 +46,7 @@ POLICY_CLAMP_CONTAINER="policy-clamp-runtime-acm" POLICY_APEX_CONTAINER="policy-apex-pdp" POLICY_DROOLS_CONTAINER="policy-drools-pdp" POLICY_XACML_CONTAINER="policy-xacml-pdp" +POLICY_OPA_CONTAINER="policy-opa-pdp" POLICY_DISTRIBUTION_CONTAINER="policy-distribution" POLICY_K8S_PPNT_CONTAINER="policy-clamp-ac-k8s-ppnt" POLICY_HTTP_PPNT_CONTAINER="policy-clamp-ac-http-ppnt" @@ -289,6 +294,12 @@ function set_project_config() { export SET_VALUES="--set $POLICY_XACML_CONTAINER.enabled=true" ;; + opa-pdp | policy-opa-pdp) + export ROBOT_FILE=($POLICY_OPA_PDP_ROBOT) + export READINESS_CONTAINERS=($POLICY_API_CONTAINER,$POLICY_PAP_CONTAINER,$POLICY_OPA_CONTAINER) + export SET_VALUES="--set $POLICY_OPA_CONTAINER.enabled=true" + ;; + drools-pdp | policy-drools-pdp) export ROBOT_FILE=($POLICY_DROOLS_PDP_ROBOT) export READINESS_CONTAINERS=($POLICY_DROOLS_CONTAINER) 
@@ -304,11 +315,11 @@ function set_project_config() { *) echo "Unknown project supplied. Enabling all policy charts for the deployment" export READINESS_CONTAINERS=($POLICY_APEX_CONTAINER,$POLICY_API_CONTAINER,$POLICY_PAP_CONTAINER, - $POLICY_DISTRIBUTION_CONTAINER,$POLICY_DROOLS_CONTAINER,$POLICY_XACML_CONTAINER, + $POLICY_DISTRIBUTION_CONTAINER,$POLICY_DROOLS_CONTAINER,$POLICY_XACML_CONTAINER,$POLICY_OPA_CONTAINER, $POLICY_CLAMP_CONTAINER,$POLICY_PF_PPNT_CONTAINER,$POLICY_K8S_PPNT_CONTAINER, $POLICY_HTTP_PPNT_CONTAINER,$POLICY_SIM_PPNT_CONTAINER) export SET_VALUES="--set $POLICY_APEX_CONTAINER.enabled=true --set $POLICY_XACML_CONTAINER.enabled=true - --set $POLICY_DISTRIBUTION_CONTAINER.enabled=true --set $POLICY_DROOLS_CONTAINER.enabled=true + --set $POLICY_OPA_CONTAINER.enabled=true --set $POLICY_DISTRIBUTION_CONTAINER.enabled=true --set $POLICY_DROOLS_CONTAINER.enabled=true --set $POLICY_CLAMP_CONTAINER.enabled=true --set $POLICY_PF_PPNT_CONTAINER.enabled=true --set $POLICY_K8S_PPNT_CONTAINER.enabled=true --set $POLICY_HTTP_PPNT_CONTAINER.enabled=true --set $POLICY_SIM_PPNT_CONTAINER.enabled=true" diff --git a/helm/policy/Chart.yaml b/helm/policy/Chart.yaml index 9eb39120..8caccf55 100755 --- a/helm/policy/Chart.yaml +++ b/helm/policy/Chart.yaml @@ -1,5 +1,7 @@ # Copyright © 2022-2024 Nordix Foundation # +# Modifications Copyright © 2024 Deutsche Telekom +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -15,7 +17,7 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 11.0.0 +version: 11.0.1 dependencies: - name: mariadb-galera 
@@ -54,6 +56,10 @@ dependencies: version: ~11.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled + - name: policy-opa-pdp + version: ~11.x-0 + repository: 'file://components/policy-opa-pdp' + condition: policy-opa-pdp.enabled - name: policy-xacml-pdp version: ~11.x-0 repository: 'file://components/policy-xacml-pdp' diff --git a/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json b/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json index 8d197f67..70943d68 100644 --- a/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json +++ b/helm/policy/components/policy-apex-pdp/resources/config/OnapPfConfigSampleGroup.json @@ -9,7 +9,7 @@ "prometheus": true }, "pdpStatusParameters": { - "pdpGroup": "sampleGroup", + "pdpGroup": "defaultGroup", "timeIntervalMs": 20000, "pdpType": "apex", "description": "Pdp Heartbeat", @@ -47,4 +47,4 @@ } ] } -} \ No newline at end of file +} diff --git a/helm/policy/components/policy-opa-pdp/Chart.yaml b/helm/policy/components/policy-opa-pdp/Chart.yaml new file mode 100755 index 00000000..b3c34fc6 --- /dev/null +++ b/helm/policy/components/policy-opa-pdp/Chart.yaml 
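Review bot: The `pdpGroup` change from `sampleGroup` to `defaultGroup` in the apex sample config is a functional change to another PDP's registration that the commit message ("performance and stability for opa-pdp") does not mention, and nothing else in the diff visibly depends on it. If it is needed for the new `opaGroup` in PAP's `groups.json` to coexist, say so; otherwise it belongs in its own change so it can be reverted independently. At minimum the description should carry a line such as `Also moves the apex sample PDP from sampleGroup into defaultGroup.`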
@@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy OPA PDP +name: policy-opa-pdp +version: 11.0.0 + diff --git a/helm/policy/components/policy-opa-pdp/resources/config/config.json b/helm/policy/components/policy-opa-pdp/resources/config/config.json new file mode 100755 index 00000000..f0adf0d2 --- /dev/null +++ b/helm/policy/components/policy-opa-pdp/resources/config/config.json 
@@ -0,0 +1,43 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+{
+ "logging": {
+ "level": "debug"
+ },
+ "services": [
+ {
+ "name": "opa-bundle-server",
+ "url": "http://policy-opa-pdp:8282/opa/bundles"
+ }
+ ],
+ "bundles": {
+ "opabundle": {
+ "service": "opa-bundle-server",
+ "resource": "bundle.tar.gz",
+ "polling": {
+ "min_delay_seconds": 60,
+ "max_delay_seconds": 120
+ }
+ }
+ },
+ "decision_logs": {
+ "console": true
+ }
+}
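Review bot: The `opabundle` bundle is fetched from `http://policy-opa-pdp:8282/opa/bundles` with no `signing` section on the bundle and no `credentials` on the service, so OPA activates whatever tarball that endpoint returns; over plain HTTP inside the cluster, anything that can answer on that service name or sit in the path can replace the policy set. If the bundle server is the PDP itself (the service name suggests so) this is self-referential and may be intended, but bundle signature verification (a `"signing": {"keyid": ...}` entry under the bundle plus a top-level `keys` block) is the control OPA offers and deserves at least a `TODO` comment in the Helm header. Separately, `"logging": {"level": "debug"}` combined with `"decision_logs": {"console": true}` is a shipped default that writes every decision, input document included, to stdout; note in the header that this is a CSIT setting, or default the level to `info`.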
diff --git a/helm/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz b/helm/policy/components/policy-opa-pdp/resources/policies/policy-data.tar.gz new file mode 100755 index 0000000000000000000000000000000000000000..572e96398b3597cce29283f54ee97f31f869cdf0 GIT binary patch literal 30720 zcmeHPZExE+63*A^R}cyg?Jg48k}Nw7wg+T;dyCz>+b!CD3xb4}nOKc1`9!(CT(AHA zW=Kk+Wjm5nsdtM~2x5sZ!{IaJ%y3A_8O&%-2S}?RBfLqJo zgYn^dqrf%t{~7~Gmp^I(=L1iZjvGe#k4GbY-WPfRvjX4utNAbFKk~*P|6#{`>?HS% z&;L&rfy?GB;c0e_Bfvf#RLmlY=H>PzOUt z>sNYvn=~n}(>8GV&2ah7Src4dJGh3<%f8?mKL*$PEK0(3L1Wf5#JpDetChlU)L%hc z{pGa>?d+g2HhB!R-&SjyQSwt9Jv5E9R%&eAJkmzZN8gim&5eYSSG`zCP{fnxm^hAG59`UwGmLO*c*?|bgVtp7J9)z4E+{=I|%Q2vjs z|A)RmsjdHmp*J?`|9&LCNflSCHkGsgn&x>HO;*nmx0?|M@6 zKh5rF68&35T{<@cI3^B@|3duF=>J{f>O5_i{JS;+DE~+Fzw3|On*JXTC!W#&oeO&h zL8azt7=zB=ANXBy)cRm4Hq^cd3ZwbJ$nR!-nFR)eK?Jr`^hGM9XN=COMGj_MRWVe2 zv>~RjOcRD?MSHlus8O?*S^9y6qLjMbE~D!=BnQt>NEj+?Yk&B*=(ujKumur7kXg}70{bK&ZInCmzauYUy6MYb)px%ca0zH^FAzHHv+%e-fla&6? z(wKE__luSexBp(?jm-M5z^~6=UH)C${etfX`|tUay8R#Fmay6XEdcECSJ{6wbJwT@ z(2C16Y2$>w*Bt|yJX=IbWj-|pZlj^xDi8a!yYPafdm{+~Y_4UPZT zquDP>Z_2+P53s@ib4UKD7XKNIM<)JX%Bas9>7dws`+pDwN_C%2a{-DVLEY5YA0xJI zaP;6b;UeN(MV~5X%cjCX)m>R(WVMh@X%jF5uf4wBI*WFj>=}z0iU! 
ze)Z)>Ns$e1_ebbs1qY_$W#d$wQeG!tlF%GY5eWi#yXxL3tfw|HqSwIR8H}@t;1`eo0%Ce{b)Aw3ff`2Cnac z{2}~f_Ww#5^?6g5zt9E`PR8!i&YErT|Au2fkp5pO{~&rgC7+{P3>Bgcr&EZ!Y44C&M0#4+ z5x>SQ9$av5rVywsJuVU@@V8v$j`GedYZplprb$ktgo_5nn<_{H7~l{OBwFK0P%LDy zPmY!WMXT3bobsIx^5<8I0Zh6EpE62k&TW=1_Eq>{NBKOpBo>l2!0Hn+fnl9(sr1$L;jtcfF}Jv@znXhQvZ*= ziP8TZN_ju2Qvb`z|1=X2W_Zd2-X8>Y{}GOe%q%iv)6E2_R<#oH$Y7Q5+1et53SMe* z$sJe-aZFh|sCX&WW?5C0xN^inMe?dp?L`4FX&a2SZ$eev*MQ8ntXe;jzGP8mkRM(V ze`wV@|8y=Sp~{5G=l0QUZT_==!3&Ok90Pcg{x|Et{gbxCoE`H2>iXYz)%PDX{U4b9 z{|=?RpH!j$)#TsS|GKM>u{OArKBM^@_3Nbw9&=mntyTF8me11}mayOa{_edk)&OE1 zA>DRCY9Fx^)rg2oN3%z0|NN66y}ySh=P?Ad`L7@M>ogd6xc(1Z_*{(n{>x*6>nLxZ z{JS&)4gNnw`_%qlssAVD{8vZvZ6Z_Xe|_?A8-aaspkt!fBQYG=iXrp^+g*GkMkGQs zaK;?8x^(FEYT(t!93w`tgX+HW+3`uH>&2^lJyn)dCx@#dDnaI!XQQk9G6{k=ib*`n zj(j3NMMO%4v#NSB15Mg7DH{F%?fujHR^szNmF*MxZyNh1|L925|Gk|7Z*Bj_p63t8 zxc@V9;rxgB{#*Yev@ZWH?S8?1gZ=m6qcU6jKluGW^Zl;^!Tx@a$y+!veTpYdX5>Ox zZt@y-T0j|)7jJ*Oc>Nt%xYLHqI)*~;=Mg7r842M(IEl$Pp$S1EWRb#Q8FHIugpxNb zC+{FQ$jHT;UmU2%Hk0IT69+NLUXcYIX@xd@G;5fY;i*5kx+byG6J9I z68Xstj5$dYNn8$TAcs3h&@WEb^C+Av>LIWQp*dh}p{zWInyN^~)af0a5`kT^m@VMN zG~|(zFs5(>DSQM-+57dJL7!!xDBNMKy98i|4x;Wwv}Qn2-9rg+jvWgCL==wX!bi%m zaKWzTu)N^kA=e^BY$&C-u!|>|cecgD=joag_y^?9G5gu~A^cFS)fdfE4 zN^+LL2ikHjcq9wDT*B#ncw&$WduuuH3N?Ox_xo?qDA4=`D!_T?0cSJ=#A%qNoQr(n z27SMq5|om7M;Uh17%*OVufT|t;SOezfEaGO zvB%`c2OOHXr+ET5$pf(d&lP;yjXQhyI*-YPh+2pvWnwhWQb6e;pF`iB%FRW=Vl-Qn zL%&c~6S5O8NMeu|pRgc-xl%|M#HkLk>B6n*X>EM6o&g^4={s4Oiy2kWbgXAW{(>&b zq2Ne0WMSpka~9qgoXC=*eUPc%;xifJk!~)!y`re{hb@&W23nbiPtqYS+7(D(PeIBc zJ=pM-$MP@<;?&7q3CD9eq9B>$=$2~)K}Jjlt42|yq}CHyOspQ{ODt+v0IOZ0D2nk_oWQUa3hPGHx*={n1D*cB;nPn1oXqol$?OYcUCJN6|6u(8LPWj(77mjNXlnv z$N7=|0IK~byFa*TB%GW`oYGc@15g+5vHq9Q6}m6jsHh<-f7q%l>{8{3acP{2_}}FR zK}7e7Dq{C-i531hzr5GTDYxlZZHIj?{q4$t^=b(>8#VT@*QsWR8w3mj1_6VBLBJqj j5HJWB1PlTO0fT@+z#w1{FbEg~3<3rLgMdNct0C}TkcAGB literal 0 HcmV?d00001 
diff --git a/helm/policy/components/policy-opa-pdp/templates/configmap.yaml b/helm/policy/components/policy-opa-pdp/templates/configmap.yaml new file mode 100755 index 00000000..36ad7cf4 --- /dev/null +++ b/helm/policy/components/policy-opa-pdp/templates/configmap.yaml 
@@ -0,0 +1,49 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-configmap-policies-data + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: release + heritage: Helm + {{- with .Files.Glob "resources/policies/*" }} +binaryData: + {{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-configmap-config + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: release + heritage: Helm +data: +{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }} diff --git a/helm/policy/components/policy-opa-pdp/templates/deployment.yaml b/helm/policy/components/policy-opa-pdp/templates/deployment.yaml new file mode 100755 index 00000000..100c00bb --- /dev/null 
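Review bot: Both ConfigMaps hard-code `namespace: default` (as do the other templates in this chart), so every object lands in `default` regardless of the namespace the parent chart is installed into, and the `release: release` label is a literal rather than the release name. Use `namespace: {{ .Release.Namespace }}` and `release: {{ .Release.Name }}` so a `helm install -n onap` keeps the OPA PDP with the rest of the policy framework and two releases of the chart do not collide on identical object names. The policy tarball in `binaryData` is ~30 KB now, but ConfigMaps are capped at 1 MiB; a comment next to the `.Files.Glob` stating that limit will save a surprise when more policies are added.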
+++ b/helm/policy/components/policy-opa-pdp/templates/deployment.yaml 
@@ -0,0 +1,153 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + namespace: default + labels: + app: {{ .Chart.Name }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: release + heritage: Helm +spec: + selector: + matchLabels: + app: {{ .Chart.Name }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ .Chart.Name }} + release: release + spec: + initContainers: + - command: + - /bin/sh + args: + - -c + - | + echo "*** set right permissions to the different folders" + chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log; + chmod -R 755 /var/log + chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/; + chmod -R 755 /opt/* + tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/ + image: busybox:latest + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + name: {{ 
.Chart.Name }}-readiness + volumeMounts: + - name: logs + mountPath: /var/log + - name: tmp-policies-data + mountPath: /tmp/policies + - name : opa-policies-data + mountPath: /opt/ + + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.global.image.opapdp }} + imagePullPolicy: {{ .Values.global.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + path: {{ .Values.readiness.api }} + port: {{ .Values.service.internalPort }} + httpHeaders: + - name: Authorization + value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} + scheme: HTTP + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeout }} + env: + - name: UseSASLForKAFKA + value: "{{ .Values.kafka.useSASL }}" + - name: BOOSTSTRAP_SERVER + value: "{{ .Values.kafka.brokers }}" + - name: KAFKA_USERNAME + value: "{{ .Values.kafka.username }}" + - name: KAFKA_PASSWORD + value: "{{ .Values.kafka.password }}" + - name: LOG_LEVEL + value: "{{ .Values.log.loglevel }}" + - name: GROUPID + value: "{{ .Values.kafka.groupid }}" + - name: TOPIC + value: "{{ .Values.kafka.topic }}" + volumeMounts: + - name: opa-policies-data + mountPath: /opt + - name: opa-config + mountPath: /app/config + - name: opa-bundles + mountPath: /app/bundles + - name: logs + mountPath: /var/log + resources: +{{ toYaml .Values.resources.small | indent 12 }} + {{- if 
.Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ .Chart.Name }}-read + volumes: + - name: tmp-policies-data + configMap: + name: {{ .Chart.Name }}-configmap-policies-data + defaultMode: 0755 + - name: opa-policies-data + persistentVolumeClaim: + claimName: {{ .Chart.Name }}-policies-data + - name: opa-config + configMap: + name: {{ .Chart.Name }}-configmap-config + defaultMode: 0755 + - name: opa-bundles + emptyDir: + sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }} + + imagePullSecrets: + - name: "default-docker-registry-key" diff --git a/helm/policy/components/policy-opa-pdp/templates/pvc.yaml b/helm/policy/components/policy-opa-pdp/templates/pvc.yaml new file mode 100755 index 00000000..6f0f7e1f --- /dev/null +++ b/helm/policy/components/policy-opa-pdp/templates/pvc.yaml 
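Review bot: The init container runs as `runAsUser: 1000` with `allowPrivilegeEscalation: false`, yet its script does `chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }}` (100:102 by default) on `/var/log` and `/opt/`; changing a file's owner to a different uid needs CAP_CHOWN, which an unprivileged uid does not hold, so those chowns are expected to fail with EPERM and, since the script has no `set -e`, the failure is silent and the tarball is extracted owned by 1000 instead. The main container, by contrast, has no `securityContext` at all (no `runAsNonRoot`, no capability drop), so which uid reads the extracted policies depends entirely on the image. Run the init container as the target uid/gid and drop the chown, add `set -e`, use a pod-level `fsGroup` for the volumes, and give the main container an explicit non-root context; the readiness probe also bakes `user:password` base64 into the pod spec via `httpHeaders`, readable by anyone with pod read, so an unauthenticated `/ready` or an `exec` probe reading the mounted Secret would be preferable. Both `image` references are mutable tags (`busybox:latest`, and `*-SNAPSHOT` pulled with Always), so pin them by digest in values. The `logs` emptyDir also reuses `dirSizes.bundleDir.sizeLimit`, which looks like a copy-paste.
```yaml
    spec:
      securityContext:
        fsGroup: {{ .Values.permissions.gid }}
      initContainers:
        - command:
            - /bin/sh
          args:
            - -c
            - |
              set -e
              echo "*** extracting bundled policies"
              tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/
          image: busybox:latest
          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
          securityContext:
            runAsUser: {{ .Values.permissions.uid }}
            runAsGroup: {{ .Values.permissions.gid }}
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: name, volumeMounts …
      containers:
        - name: {{ .Chart.Name }}
          image: {{ .Values.global.image.opapdp }}
          securityContext:
            runAsUser: {{ .Values.permissions.uid }}
            runAsGroup: {{ .Values.permissions.gid }}
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, probes, env, volumeMounts, resources …
```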
@@ -0,0 +1,41 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Chart.Name }}-policies-data
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: 13.0.1
+ heritage: {{ .Release.Service }}
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5G
+ storageClassName: microk8s-hostpath
+ volumeMode: Filesystem
+
+
diff --git a/helm/policy/components/policy-opa-pdp/templates/role-binding.yaml b/helm/policy/components/policy-opa-pdp/templates/role-binding.yaml
new file mode 100755
index 00000000..cc409ca9
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/role-binding.yaml
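Review bot: The claim pins `storageClassName: microk8s-hostpath`, `storage: 5G` and `ReadWriteMany` in the template, which ties the chart to the CSIT microk8s cluster and leaves the PVC Pending anywhere that class does not exist; move them to values (`global.persistence` is already declared, empty, in values.yaml) with the microk8s class as the CSIT override. The labels also disagree with the rest of the chart: `release: 13.0.1` here versus the literal `release: release` on the Deployment, Service and ConfigMaps, and `heritage: {{ .Release.Service }}` versus `heritage: Helm`. Use `release: {{ .Release.Name }}` and `namespace: {{ .Release.Namespace }}` consistently so the claim follows the release it belongs to.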
@@ -0,0 +1,34 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: RoleBinding
+metadata:
+ name: {{ .Chart.Name }}-read
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Chart.Name }}-read
+roleRef:
+ kind: Role
+ name: read
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/helm/policy/components/policy-opa-pdp/templates/secret.yaml b/helm/policy/components/policy-opa-pdp/templates/secret.yaml
new file mode 100755
index 00000000..013e474b
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/secret.yaml
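Review bot: The comment `# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.` is copied from the Kubernetes RBAC documentation and describes none of this object: it is a namespaced RoleBinding that grants the `policy-opa-pdp-read` ServiceAccount whatever the Role named `read` in `default` allows. Replace it with `# Binds this chart's ServiceAccount to the namespaced "read" Role; the Role itself is not created by this chart.` The Role is not in the diff, so the binding dangles until something else creates it (presumably a common chart, given `serviceAccount.roles: [read]` in values.yaml); state that dependency either here or in values so the next reader does not go looking for it.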
@@ -0,0 +1,33 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Chart.Name }}-restserver-creds
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+type: Opaque
+stringData:
+ login: {{ .Values.restServer.user }}
+ password: {{ .Values.restServer.password }}
diff --git a/helm/policy/components/policy-opa-pdp/templates/service-account.yaml b/helm/policy/components/policy-opa-pdp/templates/service-account.yaml
new file mode 100755
index 00000000..709e9055
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/service-account.yaml
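Review bot: `login` and `password` are rendered unquoted into `stringData`, so a password containing `: `, ` #`, or a leading `*`, `&`, `!`, `{` or `[` is either rejected or silently reinterpreted by the YAML parser; use `login: {{ .Values.restServer.user | quote }}` and `password: {{ .Values.restServer.password | quote }}`. The value comes straight from `restServer.password` in values.yaml, i.e. a default credential committed to the repository, and the `credsExternalSecret` hook declared in the values `secrets` block is not consulted by this template, so pointing an install at an external Secret has no effect unless something outside the visible chart processes that block. As with the other templates, `namespace: default` should be `{{ .Release.Namespace }}`.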
@@ -0,0 +1,25 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}-read
+ namespace: default
diff --git a/helm/policy/components/policy-opa-pdp/templates/service.yaml b/helm/policy/components/policy-opa-pdp/templates/service.yaml
new file mode 100755
index 00000000..7eef3af4
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/templates/service.yaml
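Review bot: This is the ServiceAccount the Deployment runs under, and with nothing set the kubelet mounts its API token into the OPA pod; none of the chart's templates show the PDP talking to the Kubernetes API (its configuration is Kafka brokers and an HTTP bundle server), so the token is exposed to the workload for no visible reason. Add `automountServiceAccountToken: false` under `metadata`'s sibling level on the ServiceAccount (or `automountServiceAccountToken: false` in the pod spec) unless the image is known to need the API, and use `namespace: {{ .Release.Namespace }}` rather than `default`.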
@@ -0,0 +1,40 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}
+ namespace: default
+ labels:
+ app: {{ .Chart.Name }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: release
+ heritage: Helm
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ name: {{ .Values.service.portName }}
+ selector:
+ app: {{ .Chart.Name }}
+ release: release
+
diff --git a/helm/policy/components/policy-opa-pdp/values.yaml b/helm/policy/components/policy-opa-pdp/values.yaml
new file mode 100755
index 00000000..0667987f
--- /dev/null
+++ b/helm/policy/components/policy-opa-pdp/values.yaml
@@ -0,0 +1,117 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + image: + opapdp: nexus3.onap.org:10001/onap/policy-opa-pdp:1.0.5-SNAPSHOT +log: + loglevel: "debug" + +permissions: + uid: 100 + gid: 102 + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration + +restServer: + user: policyadmin + password: zb!XztG34 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 120 + api: /ready + successThreshold: 1 + failureThreshold: 3 + timeout: 60 + +service: + type: ClusterIP + name: policy-opa-pdp + portName: http + externalPort: 8282 + internalPort: 8282 + +ingress: + enabled: false + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + unlimited: {} + +dirSizes: + bundleDir: + sizeLimit: 1000Mi + +#Pods Service Account +serviceAccount: + nameOverride: policy-opa-pdp + roles: + - read +kafka: + groupid: "policy-opa-pdp" + topic: "policy-pdp-pap" + useSASL: "false" + username: "" + password: "" + brokers: "kafka.default.svc.cluster.local:9092" + diff --git a/helm/policy/components/policy-pap/resources/config/groups.json b/helm/policy/components/policy-pap/resources/config/groups.json index 3f62ee52..2d981e7c 100644 --- a/helm/policy/components/policy-pap/resources/config/groups.json +++ b/helm/policy/components/policy-pap/resources/config/groups.json 
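Review bot: `restServer.password: zb!XztG34` is a live default credential committed in values.yaml, consumed directly by the Secret template and base64-encoded into the Deployment's readiness-probe `Authorization` header, so every install that does not override it shares the same password; prefer an empty default with a `required` check in the template, or at the very least `# CHANGEME` and a documented override path. The image `policy-opa-pdp:1.0.5-SNAPSHOT` combined with `pullPolicy: Always` is a mutable reference, so two installs of the same chart version can run different code; pin a release tag or digest. `log.loglevel: "debug"`, mirrored by `"level": "debug"` in config.json, is the shipped default and should be `info` with debug set from the CSIT overlay. Note also that `permissions.uid/gid` (100/102) is not the uid the init container runs as (1000), which is why its `chown -R` to these ids is unlikely to succeed without CAP_CHOWN.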
@@ -1,5 +1,25 @@ { "groups": [ + { + "name": "opaGroup", + "version": "1.0.0", + "description": "The group that registers policy types for opa.", + "pdpGroupState": "ACTIVE", + "pdpSubgroups": [ + { + "pdpType": "opa", + "desiredInstanceCount": 1, + "properties": {}, + "supportedPolicyTypes": [ + { + "name": "onap.policies.native.opa", + "version": "1.0.0" + } + ], + "policies": [] + } + ] + }, { "name": "defaultGroup", "version": "1.0.0", -- 2.16.6