{{ toYaml $dot.Values.ingress.tls | indent 4 }}
{{- end -}}
{{- if $dot.Values.ingress.config -}}
-{{- if $dot.Values.ingress.config.tls -}}
+{{- if $dot.Values.ingress.config.tls }}
tls:
- hosts:
{{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
spec:
selector:
matchLabels:
- app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service")
+ app: <app-to-match> ("app" corresponds to a key defined in "common.labels", which is included in "common.service")
If common.useAuthorizationPolicies returns false:
Will not create an authorization policy
spec:
selector:
matchLabels:
- app.kubernetes.io/name: {{ include "common.servicename" . }}
+ app: {{ include "common.servicename" . }}
action: ALLOW
rules:
{{- if $authorizedPrincipals }}
# Copyright (C) 2021 Nordix Foundation.
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG.
# ============================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# ================================= LICENSE_END ==============================
apiVersion: v2
-appVersion: "Kohn"
+appVersion: "London"
description: DCAE PM-Mapper Helm charts
name: dcae-pm-mapper
version: 12.0.0
# Copyright (C) 2021 Nordix Foundation.
# Copyright (c) 2022 Nokia. All rights reserved.
# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved.
+# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved.
# =========================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# Application Configuration Defaults.
#################################################################
# Application Image
-image: onap/org.onap.dcaegen2.services.pm-mapper:1.9.0
+image: onap/org.onap.dcaegen2.services.pm-mapper:1.10.1
pullPolicy: Always
# Log directory where logging sidecar should look for log files
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.8.1
+image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.9.0
pullPolicy: Always
# log directory where logging sidecar should look for log files
# Application configuration defaults.
#################################################################
# application images
-image: onap/dmaap/dmaap-bc:2.0.11
+image: onap/dmaap/dmaap-bc:2.0.12
pullPolicy: Always
#DMaaP Bus Controller client image for provisioning at deploy time
-dbcClientImage: onap/dmaap/dbc-client:2.0.11
+dbcClientImage: onap/dmaap/dbc-client:2.0.12
# application configuration
dmaapMessageRouterService: &mr_name message-router
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/datarouter-node:2.1.12
+image: onap/dmaap/datarouter-node:2.1.13
pullPolicy: Always
# default number of instances
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/datarouter-prov:2.1.12
+image: onap/dmaap/datarouter-prov:2.1.13
pullPolicy: Always
# default number of instances
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/dmaap-mr:1.4.3
+image: onap/dmaap/dmaap-mr:1.4.4
pullPolicy: Always
#Strimzi zookeeper_tunnel config
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018, 2020 AT&T
# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021, 2022 Nordix Foundation
+# Modifications Copyright © 2021, 2022, 2023 Nordix Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
- name: mariadb-galera
version: ~12.x-0
repository: '@local'
+ condition: global.mariadb.localCluster
- name: policy-nexus
version: ~12.x-0
repository: 'file://components/policy-nexus'
- name: serviceAccount
version: ~12.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~12.x-0
+ repository: '@local'
"https": "false",
"prometheus": true
},
- "pdpStatusParameters":{
+ "pdpStatusParameters": {
"pdpGroup": "defaultGroup",
"timeIntervalMs": 120000,
"pdpType":"apex",
]
},
"topicParameterGroup": {
- "topicSources" : [{
- "topic" : "POLICY-PDP-PAP",
- "servers" : [ "message-router" ],
- "useHttps" : "false",
- "fetchTimeout": 15000,
- "topicCommInfrastructure" : "dmaap"
+ "topicSources": [{
+ "topic": "${PAP_TOPIC}",
+ "useHttps": false,
+ "fetchTimeout": 15000,
+ "servers": [ "${KAFKA_URL}" ],
+{{ if .Values.global.useStrimziKafkaPf }}
+ "topicCommInfrastructure": "kafka",
+ "additionalProps": {
+ "group.id" : "${GROUP_ID}",
+ "security.protocol": "SASL_PLAINTEXT",
+ "sasl.mechanism": "${SASL}",
+ "sasl.jaas.config": "${JAASLOGIN}"
+ }
+{{ else }}
+ "topicCommInfrastructure": "dmaap"
+{{ end }}
}],
- "topicSinks" : [{
- "topic" : "POLICY-PDP-PAP",
- "servers" : [ "message-router" ],
- "useHttps" : "false",
- "topicCommInfrastructure" : "dmaap"
- }]
+ "topicSinks" : [{
+ "topic": "${PAP_TOPIC}",
+ "useHttps": false,
+ "servers": [ "${KAFKA_URL}" ],
+{{ if .Values.global.useStrimziKafkaPf }}
+ "topicCommInfrastructure": "kafka",
+ "additionalProps": {
+ "group.id" : "${GROUP_ID}",
+ "security.protocol": "SASL_PLAINTEXT",
+ "sasl.mechanism": "${SASL}",
+ "sasl.jaas.config": "${JAASLOGIN}"
+ }
+{{ else }}
+ "topicCommInfrastructure": "dmaap"
+{{ end }}
+ }]
}
}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
*/}}
apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
spec:
selector: {{- include "common.selectors" . | nindent 4 }}
- serviceName: {{ include "common.servicename" . }}
replicas: {{ .Values.replicaCount }}
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
- - command:
- - sh
+{{- if not .Values.global.useStrimziKafkaPf }}
+{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
+{{- end }}
+ - command: ["/bin/sh", "-cx"]
+{{- if .Values.global.useStrimziKafkaPf }}
+ args:
+ - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`;
+ cd /config-input && for PFILE in `ls -1`;
+ do envsubst <${PFILE} >/config/${PFILE}; done
+{{ else }}
args:
- - -c
- - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ - cd /config-input && for PFILE in `ls -1`;
+ do envsubst <${PFILE} >/config/${PFILE}; done
+{{ end }}
env:
- name: RESTSERVER_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
- name: RESTSERVER_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
-{{- if .Values.config.useStrimziKafka }}
+{{- if .Values.global.useStrimziKafkaPf }}
- name: JAASLOGIN
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
+ - name: KAFKA_URL
+ value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ - name: SASL
+ value: {{ .Values.kafkaUser.authenticationType | upper }}
+ - name: GROUP_ID
+ value: {{ .Values.config.kafka.consumer.groupId }}
+ - name: PAP_TOPIC
+ value: {{ .Values.config.app.listener.policyPdpPapTopic }}
+{{ else }}
+ - name: KAFKA_URL
+ value: message-router
+ - name: PAP_TOPIC
+ value: {{ .Values.config.app.listener.policyPdpPapTopic | upper }}
{{- end }}
volumeMounts:
- mountPath: /config-input
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command: ["sh","-c"]
- args: ["/opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json"]
+ command: [ "/bin/sh", "-cx" ]
+ args:
+ - id apexuser;
+ cat /home/apexuser/config/OnapPfConfig.json;
+ /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json
ports: {{ include "common.containerPorts" . | nindent 12 }}
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
- mountPath: /home/apexuser/config
name: apexconfig
resources: {{ include "common.resources" . | nindent 12 }}
- {{- if .Values.nodeSelector }}
- nodeSelector:
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
{{ toYaml .Values.nodeSelector | indent 10 }}
{{- end -}}
- {{- if .Values.affinity }}
- affinity:
+ {{- if .Values.affinity }}
+ affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ if .Values.global.useStrimziKafkaPf }}
+{{ include "common.kafkauser" . }}
+{{ end }}
global:
nodePortPrefix: 302
persistence: {}
+ useStrimziKafkaPf: set-via-parent-chart-global-value
#################################################################
# Secrets metaconfig
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-apex-pdp:2.9.1
+image: onap/policy-apex-pdp:2.9.2
pullPolicy: Always
# flag to enable debugging - application support required
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Resource Limit flavor -By Default using small
# Segregation for Different environment (Small and Large)
flavor: small
# application configuration
config:
# Event consumption (kafka) properties
- useStrimziKafka: true
+ useStrimziKafkaPf: true
kafkaBootstrap: strimzi-kafka-bootstrap
kafka:
consumer:
- groupId: policy-group
+ groupId: policy-apex
app:
listener:
policyPdpPapTopic: policy-pdp-pap
#
# Any new property can be added in the env by setting in overrides in the format mentioned below
# All the added properties must be in "key: value" format instead of yaml.
+kafkaUser:
+ authenticationType: scram-sha-512
+ acls:
+ - name: policy-apex
+ type: group
+ operations: [Create, Describe, Read, Write]
+ - name: policy-pdp-pap
+ type: topic
+ patternType: prefix
+ operations: [Create, Describe, Read, Write]
+ - name: policy-heartbeat
+ type: topic
+ patternType: prefix
+ operations: [Create, Describe, Read, Write]
+
+readinessCheck:
+ wait_for:
+ - message-router
password: "${RESTSERVER_PASSWORD}"
mvc.converters.preferred-json-mapper: gson
datasource:
- url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin
+{{ if not .Values.global.postgres.localCluster }}
+ url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin
driverClassName: org.mariadb.jdbc.Driver
username: "${SQL_USER}"
password: "${SQL_PASSWORD}"
naming:
physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy
+{{ else }}
+ url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin
+ driverClassName: org.postgresql.Driver
+ username: "${SQL_USER}"
+ password: "${SQL_PASSWORD}"
+ hikari:
+ connectionTimeout: 30000
+ idleTimeout: 600000
+ maxLifetime: 1800000
+ maximumPoolSize: 10
+ jpa:
+ hibernate:
+ ddl-auto: none
+ naming:
+ physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+ implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.PostgreSQLDialect
+ format_sql: true
+{{ end }}
policy-api:
name: ApiGroup
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
- /app/ready.py
args:
- --job-name
+{{ if not .Values.global.postgres.localCluster }}
- {{ include "common.release" . }}-policy-galera-config
+{{ else }}
+ - {{ include "common.release" . }}-policy-pg-config
+{{ end }}
env:
- name: NAMESPACE
valueFrom:
emptyDir:
medium: Memory
imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
\ No newline at end of file
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
global:
nodePortPrefix: 304
persistence: {}
+ postgres:
+ localCluster: false
#################################################################
# Secrets metaconfig
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-api:2.8.1
+image: onap/policy-api:2.8.2
pullPolicy: Always
# flag to enable debugging - application support required
password: policy_user
service:
name: policy-mariadb
+ pgName: policy-pg-primary
internalPort: 3306
+ internalPgPort: 5432
restServer:
user: policyadmin
- name: http
port: 6969
-
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: policy-pap-read
+
flavor: small
resources:
small:
limits:
cpu: 1
- memory: 4Gi
+ memory: 6Gi
requests:
- cpu: 100m
+ cpu: 150m
memory: 1Gi
large:
limits:
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-a1pms-ppnt:6.4.1
+image: onap/policy-clamp-ac-a1pms-ppnt:6.4.2
pullPolicy: Always
componentName: &componentName policy-clamp-ac-a1pms-ppnt
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# probe configuration parameters
liveness:
initialDelaySeconds: 20
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-http-ppnt:6.4.1
+image: onap/policy-clamp-ac-http-ppnt:6.4.2
pullPolicy: Always
componentName: &componentName policy-clamp-ac-http-ppnt
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# probe configuration parameters
liveness:
initialDelaySeconds: 20
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-k8s-ppnt:6.4.1
+image: onap/policy-clamp-ac-k8s-ppnt:6.4.2
pullPolicy: Always
componentName: &componentName policy-clamp-ac-k8s-ppnt
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
flavor: small
resources:
small:
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-kserve-ppnt:6.4.1
+image: onap/policy-clamp-ac-kserve-ppnt:6.4.2
pullPolicy: Always
componentName: &componentName policy-clamp-ac-kserve-ppnt
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# probe configuration parameters
liveness:
initialDelaySeconds: 20
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-ac-pf-ppnt:6.4.1
+image: onap/policy-clamp-ac-pf-ppnt:6.4.2
pullPolicy: Always
componentName: &componentName policy-clamp-ac-pf-ppnt
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# probe configuration parameters
liveness:
initialDelaySeconds: 20
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-clamp-runtime-acm:6.4.1
+image: onap/policy-clamp-runtime-acm:6.4.2
pullPolicy: Always
componentName: &componentName policy-clamp-runtime-acm
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ - serviceAccount: policy-gui-read
+
flavor: small
resources:
small:
limits:
cpu: 1
- memory: 4Gi
+ memory: 6Gi
requests:
- cpu: 100m
- memory: 1Gi
+ cpu: 200m
+ memory: 2Gi
large:
limits:
cpu: 2
memory: 8Gi
requests:
- cpu: 200m
- memory: 2Gi
+ cpu: 400m
+ memory: 4Gi
unlimited: {}
#Pods Service Account
wait_for_job_container:
containers:
- - '{{ include "common.release" . }}-policy-galera-config'
\ No newline at end of file
+ - '{{ include "common.release" . }}-policy-galera-config'
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-distribution:2.9.1
+image: onap/policy-distribution:2.9.2
pullPolicy: Always
# flag to enable debugging - application support required
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: policy-pap-read
+
flavor: small
resources:
small:
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-pdpd-cl:1.12.1
+image: onap/policy-pdpd-cl:1.12.2
pullPolicy: Always
# flag to enable debugging - application support required
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
server:
jvmOpts: -server -XshowSettings:vm
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
flavor: small
# application image
-image: onap/policy-gui:2.4.1
+image: onap/policy-gui:2.4.2
pullPolicy: Always
# flag to enable debugging - application support required
config:
ssl: "redirect"
-#resources: {}
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
+ #resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
## Persist data to a persitent volume
persistence:
enabled: true
- name: serviceAccount
version: ~12.x-0
repository: '@local'
+ - name: readinessCheck
+ version: ~12.x-0
+ repository: '@local'
converters:
preferred-json-mapper: gson
datasource:
- url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin
+{{ if not .Values.global.postgres.localCluster }}
+ url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin
driverClassName: org.mariadb.jdbc.Driver
username: "${SQL_USER}"
password: "${SQL_PASSWORD}"
naming:
physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy
- kafka:
- consumer:
- group-id: {{ .Values.config.kafka.consumer.groupId }}
-{{- if .Values.config.useStrimziKafka }}
- bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092
- security.protocol: SASL_PLAINTEXT
- properties.sasl:
- mechanism: SCRAM-SHA-512
- jaas.config: ${JAASLOGIN}
-{{ else }}
-{{ toYaml .Values.config.eventConsumption | nindent 2 }}
-{{- end }}
+{{- else }}
+ url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin
+ driverClassName: org.postgresql.Driver
+ username: "${SQL_USER}"
+ password: "${SQL_PASSWORD}"
+ hikari:
+ connectionTimeout: 30000
+ idleTimeout: 600000
+ maxLifetime: 1800000
+ maximumPoolSize: 10
+ jpa:
+ hibernate:
+ ddl-auto: none
+ naming:
+ physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+ implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.PostgreSQLDialect
+ format_sql: true
+{{ end }}
server:
port: 6969
name: PapGroup
aaf: false
topic:
- pdp-pap.name: POLICY-PDP-PAP
- notification.name: POLICY-NOTIFICATION
- heartbeat.name: POLICY-HEARTBEAT
+ {{ if .Values.global.useStrimziKafkaPf }}
+ pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }}
+ notification.name: {{ .Values.config.kafka.topics.policyNotification }}
+ heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }}
+ {{ else }}
+ pdp-pap.name: {{ .Values.dmaap.topics.policyPdpPap }}
+ notification.name: {{ .Values.dmaap.topics.policyNotification }}
+ heartbeat.name: {{ .Values.dmaap.topics.policyHeartbeat }}
+ {{ end }}
pdpParameters:
heartBeatMs: 120000
updateParameters:
stateChangeParameters:
maxRetryCount: 1
maxWaitMs: 30000
- savePdpStatisticsInDb: false
+ savePdpStatisticsInDb: true
topicParameterGroup:
topicSources:
- - topic: POLICY-PDP-PAP
- servers:
- - message-router
- useHttps: false
- fetchTimeout: 15000
- topicCommInfrastructure: dmaap
- - topic: POLICY-HEARTBEAT
- effectiveTopic: POLICY-PDP-PAP
- consumerGroup: policy-pap
- servers:
- - message-router
- useHttps: false
- fetchTimeout: 15000
- topicCommInfrastructure: dmaap
+ - useHttps: false
+ fetchTimeout: 15000
+ {{ if .Values.global.useStrimziKafkaPf }}
+ topic: {{ .Values.config.kafka.topics.policyPdpPap }}
+ servers:
+ - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ topicCommInfrastructure: kafka
+ additionalProps:
+ group.id : {{ .Values.config.kafka.consumer.groupId }}
+ security.protocol: SASL_PLAINTEXT
+ sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
+ sasl.jaas.config: ${JAASLOGIN}
+ {{ else }}
+ topic: {{ .Values.dmaap.topics.policyPdpPap }}
+ servers:
+ - ${topicServer:message-router}
+ topicCommInfrastructure: dmaap
+ {{ end }}
+ - useHttps: false
+ fetchTimeout: 15000
+ {{ if .Values.global.useStrimziKafkaPf }}
+ topic: {{ .Values.config.kafka.topics.policyHeartbeat }}
+ effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }}
+ servers:
+ - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ topicCommInfrastructure: kafka
+ additionalProps:
+ group.id : {{ .Values.config.kafka.consumer.groupId }}
+ security.protocol: SASL_PLAINTEXT
+ sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
+ sasl.jaas.config: ${JAASLOGIN}
+ {{ else }}
+ topic: {{ .Values.dmaap.topics.policyHeartbeat }}
+ effectiveTopic: {{ .Values.dmaap.topics.policyPdpPap }}
+ servers:
+ - ${topicServer:message-router}
+ topicCommInfrastructure: dmaap
+ {{ end }}
topicSinks:
- - topic: POLICY-PDP-PAP
- servers:
- - message-router
- useHttps: false
- topicCommInfrastructure: dmaap
- - topic: POLICY-NOTIFICATION
- servers:
- - message-router
- useHttps: false
- topicCommInfrastructure: dmaap
+ - useHttps: false
+ {{ if .Values.global.useStrimziKafkaPf }}
+ topic: {{ .Values.config.kafka.topics.policyPdpPap }}
+ servers:
+ - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ topicCommInfrastructure: kafka
+ additionalProps:
+ group.id : {{ .Values.config.kafka.consumer.groupId }}
+ security.protocol: SASL_PLAINTEXT
+ sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
+ sasl.jaas.config: ${JAASLOGIN}
+ {{ else }}
+ topic: {{ .Values.dmaap.topics.policyPdpPap }}
+ servers:
+ - ${topicServer:message-router}
+ topicCommInfrastructure: dmaap
+ {{ end }}
+ - useHttps: false
+ {{ if .Values.global.useStrimziKafkaPf }}
+ topic: {{ .Values.config.kafka.topics.policyNotification }}
+ servers:
+ - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ topicCommInfrastructure: kafka
+ additionalProps:
+ group.id : {{ .Values.config.kafka.consumer.groupId }}
+ security.protocol: SASL_PLAINTEXT
+ sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
+ sasl.jaas.config: ${JAASLOGIN}
+ {{ else }}
+ topic: {{ .Values.dmaap.topics.policyNotification }}
+ servers:
+ - ${topicServer:message-router}
+ topicCommInfrastructure: dmaap
+ {{ end }}
# If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks
# servers:
# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092
password: "${DISTRIBUTION_PASSWORD}"
useHttps: false
basePath: healthcheck
- - clientName: dmaap
- hostname: message-router
- port: 3904
- useHttps: false
- basePath: topics
management:
endpoints:
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
initContainers:
+{{- if not .Values.global.useStrimziKafkaPf }}
+{{ include "common.readinessCheck.waitFor" . | nindent 6 }}
+{{- end }}
- command:
- /app/ready.py
args:
- --job-name
+{{ if not .Values.global.postgres.localCluster }}
- {{ include "common.release" . }}-policy-galera-config
- env:
+{{ else }}
+ - {{ include "common.release" . }}-policy-pg-config
+{{ end }} env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-readiness
+ name: {{ include "common.name" . }}-db-readiness
- command:
- sh
args:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }}
- name: DISTRIBUTION_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }}
-{{- if .Values.config.useStrimziKafka }}
+{{- if .Values.global.useStrimziKafkaPf }}
- name: JAASLOGIN
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
{{- end }}
volumeMounts:
- mountPath: /config-input
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command: ["/opt/app/policy/pap/bin/policy-pap.sh"]
- args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"]
+
+ command: [ "/bin/sh", "-cx" ]
+ args:
+ - cat /opt/app/policy/pap/etc/mounted/papParameters.yaml;
+ /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml
ports: {{ include "common.containerPorts" . | nindent 12 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ if .Values.global.useStrimziKafkaPf }}
+{{ include "common.kafkauser" . }}
+{{ end }}
global:
nodePortPrefixExt: 304
persistence: {}
+ useStrimziKafkaPf: set-via-parent-chart-global-value
+ postgres:
+ localCluster: false
#################################################################
# Secrets metaconfig
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-pap:2.8.1
+image: onap/policy-pap:2.8.2
pullPolicy: Always
# flag to enable debugging - application support required
password: policy_user
service:
name: policy-mariadb
+ pgName: policy-pg-primary
internalPort: 3306
+ internalPgPort: 5432
restServer:
user: policyadmin
ports:
- name: http-api
port: 6969
+ - name: debug-port
+ port: 5005
+ protocol: TCP
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ - serviceAccount: portal-app-read
+
flavor: small
resources:
small:
limits:
- cpu: 1
- memory: 4Gi
+ cpu: 2
+ memory: 6Gi
requests:
- cpu: 100m
- memory: 1Gi
+ cpu: 200m
+ memory: 2Gi
large:
limits:
- cpu: 2
+ cpu: 4
memory: 8Gi
requests:
- cpu: 200m
- memory: 2Gi
+ cpu: 400m
+ memory: 4Gi
unlimited: {}
#Pods Service Account
# application configuration
config:
# Event consumption (kafka) properties
- useStrimziKafka: true
+ useStrimziKafkaPf: true
kafkaBootstrap: strimzi-kafka-bootstrap
kafka:
+ topics:
+ policyHeartbeat: policy-heartbeat
+ policyNotification: policy-notification
+ policyPdpPap: policy-pdp-pap
consumer:
- groupId: policy-group
+ groupId: policy-pap
app:
listener:
policyPdpPapTopic: policy-pdp-pap
+
+dmaap:
+ topics:
+ policyHeartbeat: POLICY-HEARTBEAT
+ policyNotification: POLICY-NOTIFICATION
+ policyPdpPap: POLICY-PDP-PAP
# If targeting a custom kafka cluster, ie useStrimziKakfa: false
# uncomment below config and target your kafka bootstrap servers,
# along with any other security config.
#
# Any new property can be added in the env by setting in overrides in the format mentioned below
# All the added properties must be in "key: value" format instead of yaml.
+kafkaUser:
+ authenticationType: scram-sha-512
+ acls:
+ - name: policy-pap
+ type: group
+ operations: [Create, Describe, Read, Write]
+ - name: policy-pdp-pap
+ type: topic
+ patternType: prefix
+ operations: [Create, Describe, Read, Write]
+ - name: policy-heartbeat
+ type: topic
+ patternType: prefix
+ operations: [Create, Describe, Read, Write]
+ - name: policy-notification
+ type: topic
+ patternType: prefix
+ operations: [Create, Describe, Read, Write]
+
+readinessCheck:
+ wait_for:
+ - message-router
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
# Application configuration defaults.
#################################################################
# application image
-image: onap/policy-xacml-pdp:2.8.1
+image: onap/policy-xacml-pdp:2.8.2
pullPolicy: Always
# flag to enable debugging - application support required
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-datafile-collector-read
+ - serviceAccount: dcae-datalake-admin-ui-read
+ - serviceAccount: dcae-datalake-des-read
+ - serviceAccount: dcae-datalake-feeder-read
+ - serviceAccount: dcae-heartbeat-read
+ - serviceAccount: dcae-hv-ves-collector-read
+ - serviceAccount: dcae-kpi-ms-read
+ - serviceAccount: dcae-pm-mapper-read
+ - serviceAccount: dcae-pmsh-read
+ - serviceAccount: dcae-prh-read
+ - serviceAccount: dcae-restconf-collector-read
+ - serviceAccount: dcae-slice-analysis-ms-read
+ - serviceAccount: dcae-snmptrap-collector-read
+ - serviceAccount: dcae-son-handler-read
+ - serviceAccount: dcae-tcagen2-read
+ - serviceAccount: dcae-ves-collector-read
+ - serviceAccount: dcae-ves-mapper-read
+ - serviceAccount: dcae-ves-openapi-manager-read
+ - serviceAccount: message-router-read
+ - serviceAccount: oof-read
+ - serviceAccount: sdnc-read
+
flavor: small
resources:
small:
limits:
- cpu: 1
- memory: 4Gi
+ cpu: 2
+ memory: 6Gi
requests:
- cpu: 100m
- memory: 1Gi
+ cpu: 200m
+ memory: 2Gi
large:
limits:
cpu: 2
memory: 8Gi
requests:
cpu: 200m
- memory: 2Gi
+ memory: 4Gi
unlimited: {}
#Pods Service Account
# limitations under the License.
*/}}
+{{ if not .Values.global.postgres.localCluster }}
apiVersion: batch/v1
kind: Job
metadata:
items:
- key: db.sh
path: db.sh
+{{ end }}
{{ if .Values.global.postgres.localCluster }}
---
/docker-entrypoint-initdb.d/db-pg.sh
env:
- name: PG_ADMIN_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }}
- name: PG_HOST
value: "{{ .Values.postgres.service.name2 }}"
- name: PG_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
- name: PG_USER_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
- name: PG_PORT
value: "{{ .Values.postgres.service.internalPort }}"
resources: {{ include "common.resources" . | nindent 10 }}
{{ end }}
---
+{{ if not .Values.global.postgres.localCluster }}
apiVersion: batch/v1
kind: Job
metadata:
items:
- key: db_migrator_policy_init.sh
path: db_migrator_policy_init.sh
-
+{{ end }}
{{ if .Values.global.postgres.localCluster }}
---
apiVersion: batch/v1
- name: SQL_HOST
value: "{{ .Values.postgres.service.name2 }}"
- name: SQL_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
- name: SQL_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
- name: SQL_DB
value: {{ .Values.dbmigrator.schema }}
- name: POLICY_HOME
- name: SCRIPT_DIRECTORY
value: "postgres"
- name: PGPASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
resources: {{ include "common.resources" . | nindent 10 }}
restartPolicy: Never
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-{{- if .Values.global.useStrimziKafka }}
+{{- if .Values.global.useStrimziKafkaPf }}
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
#################################################################
global:
mariadb:
+ localCluster: true
# '&mariadbConfig' means we "store" the values for later use in the file
# with '*mariadbConfig' pointer.
config: &mariadbConfig
name: postgres
#Strimzi Kafka properties
useStrimziKafka: true
+ # Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml
+ useStrimziKafkaPf: false
kafkaBootstrap: strimzi-kafka-bootstrap
policyKafkaUser: policy-kafka-user
kafkaTopics:
login: '{{ .Values.restServer.policyApiUserName }}'
password: '{{ .Values.restServer.policyApiUserPassword }}'
passwordPolicy: required
- - uid: pg-root-pass
- name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass'
- type: password
- externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}'
- password: '{{ .Values.postgres.config.pgRootpassword }}'
- policy: generate
- - uid: pg-user-creds
- name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds'
- type: basicAuth
- externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}'
- login: '{{ .Values.postgres.config.pgUserName }}'
- password: '{{ .Values.postgres.config.pgUserPassword }}'
- passwordPolicy: generate
db: &dbSecretsHook
credsExternalSecret: *dbSecretName
#################################################################
dbmigrator:
- image: onap/policy-db-migrator:2.6.1
+ image: onap/policy-db-migrator:2.6.2
schema: policyadmin
policy_home: "/opt/app/policy"
config:
pgUserName: policy_user
pgDatabase: policyadmin
- pgUserExternalSecret: *pgUserCredsSecretName
- pgRootPasswordExternalSecret: *pgRootPassSecretName
+ pgUserExternalSecret: *dbSecretName
+ pgRootPasswordExternalSecret: *dbRootPassSecretName
readinessCheck:
wait_for:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-backend-all-plugins:1.12.3
-backendInitImage: onap/sdc-backend-init:1.12.3
+image: onap/sdc-backend-all-plugins:1.12.4
+backendInitImage: onap/sdc-backend-init:1.12.4
pullPolicy: Always
# application image
repository: nexus3.onap.org:10001
-image: onap/sdc-cassandra:1.12.3
-cassandraInitImage: onap/sdc-cassandra-init:1.12.3
+image: onap/sdc-cassandra:1.12.4
+cassandraInitImage: onap/sdc-cassandra-init:1.12.4
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-frontend:1.12.3
+image: onap/sdc-frontend:1.12.4
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-onboard-backend:1.12.3
-onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.3
+image: onap/sdc-onboard-backend:1.12.4
+onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.4
pullPolicy: Always
# flag to enable debugging - application support required
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
port: 9091
config:
ssl: "none"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: portal-app-read
+ - serviceAccount: so-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
nodeSelector: {}
tolerations: []
affinity: {}
port: 3904
protocol: http
uriPathPrefix: events
- topicName: unauthenticated.PNF_READY
- consumerGroup: consumerGroup
- consumerId: consumerId
+ pnfReadyTopicName: unauthenticated.PNF_READY
+ pnfUpdateTopicName: unauthenticated.PNF_UPDATE
+ consumerGroup: so-consumer
+ consumerId: so-bpmn-infra-pnfready
+ consumerIdUpdate: so-bpmn-infra-pnfupdate
topicListenerDelayInSeconds: 5
bpelURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081
msb-ip: msb-iag
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/bpmn-infra:1.11.0
+image: onap/so/bpmn-infra:1.12.1
pullPolicy: Always
bpmn:
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-admin-cockpit-read
+ - serviceAccount: so-oof-adapter-read
+ - serviceAccount: so-openstack-adapter-read
+ - serviceAccount: so-read
+ - serviceAccount: so-sdc-controller-read
+ - serviceAccount: so-sdnc-adapter-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/catalog-db-adapter:1.11.0
+image: onap/so/catalog-db-adapter:1.12.1
pullPolicy: Always
db:
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-openstack-adapter-read
+ - serviceAccount: so-read
+ - serviceAccount: so-sdc-controller-read
+ - serviceAccount: so-sdnc-adapter-read
config:
openStackUserName: "vnf_user"
openStackRegion: "RegionOne"
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: so-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/so-cnfm-as-lcm:1.12.0
+image: onap/so/so-cnfm-as-lcm:1.12.1
pullPolicy: Always
aai:
config:
ssl: 'redirect'
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: so-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
nodeSelector: {}
tolerations: []
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
config:
ssl: 'redirect'
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: so-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
nodeSelector: {}
tolerations: []
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
port: 9092
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-etsi-nfvo-ns-lcm-read
+ - serviceAccount: so-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/openstack-adapter:1.11.0
+image: onap/so/openstack-adapter:1.12.1
pullPolicy: Always
db:
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-read
config:
openStackUserName: "vnf_user"
openStackRegion: "RegionOne"
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/request-db-adapter:1.11.0
+image: onap/so/request-db-adapter:1.12.1
pullPolicy: Always
db:
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-admin-cockpit-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-etsi-sol005-adapter-read
+ - serviceAccount: so-nssmf-adapter-read
+ - serviceAccount: so-openstack-adapter-read
+ - serviceAccount: so-read
+ - serviceAccount: so-sdc-controller-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/sdc-controller:1.12.0
+image: onap/so/sdc-controller:1.12.1
pullPolicy: Always
db:
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-read
+
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/sdnc-adapter:1.11.0
+image: onap/so/sdnc-adapter:1.12.1
pullPolicy: Always
org:
failureThreshold: 3
ingress:
enabled: false
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: robot-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: so-read
nodeSelector: {}
tolerations: []
affinity: {}
--- /dev/null
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
tolerations: []
affinity: {}
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: so-read
+
#Pods Service Account
serviceAccount:
nameOverride: so-ve-vnfm-adapter
userName: so_user
adminName: so_admin
-image: onap/so/api-handler-infra:1.11.0
+image: onap/so/api-handler-infra:1.12.1
server:
aai:
- serviceAccount: consul-read
- serviceAccount: consul-server-read
- serviceAccount: nbi-read
+ - serviceAccount: policy-drools-pdp-read
+ - serviceAccount: so-bpmn-infra-read
+ - serviceAccount: robot-read
- serviceAccount: istio-ingress
namespace: istio-ingress
# application image
repository: nexus3.onap.org:10001
-image: onap/usecase-ui-server:5.1.3
+image: onap/usecase-ui-server:5.2.1
pullPolicy: Always
# application configuration
flavor: small
# application image
-image: onap/usecase-ui:5.1.2
+image: onap/usecase-ui:5.2.1
pullPolicy: Always
# application configuration