Merge "[SO] Set override property for CNFM in BPMN Infra"
authorAndreas Geissler <andreas-geissler@telekom.de>
Tue, 21 Mar 2023 12:39:44 +0000 (12:39 +0000)
committerGerrit Code Review <gerrit@onap.org>
Tue, 21 Mar 2023 12:39:44 +0000 (12:39 +0000)
kubernetes/a1policymanagement/Chart.yaml
kubernetes/a1policymanagement/resources/config/application.yaml
kubernetes/a1policymanagement/resources/config/application_configuration.json
kubernetes/a1policymanagement/templates/ingress.yaml [new file with mode: 0644]
kubernetes/a1policymanagement/templates/statefulset.yaml
kubernetes/a1policymanagement/values.yaml
kubernetes/nbi/Chart.yaml
kubernetes/nbi/templates/deployment.yaml
kubernetes/nbi/tests/deployment_test.yaml
kubernetes/nbi/values.yaml

index 1fa512a..c6798d1 100644 (file)
@@ -26,9 +26,6 @@ dependencies:
   - name: common
     version: ~12.x-0
     repository: '@local'
-  - name: certInitializer
-    version: ~12.x-0
-    repository: '@local'
   - name: repositoryGenerator
     version: ~12.x-0
     repository: '@local'
index 29b0b9a..789f3eb 100644 (file)
@@ -49,26 +49,23 @@ logging:
 server:
   # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
   # See springboot documentation.
-  port: 8433
+  #port: 8081
   http-port: 8081
   ssl:
-    enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}
+    enabled: false
     key-store-type: PKCS12
-    key-store-password: ${KEYSTORE_PASSWORD}
-    key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
-    key-password: ${KEYSTORE_PASSWORD}
-    key-alias: {{ .Values.certInitializer.fqi }}
+    key-store-password: ""
+    key-store: ""
+    key-password: ""
+    key-alias: ""
 app:
   # Location of the component configuration file. The file will only be used if the Consul database is not used;
   # configuration from the Consul will override the file.
   filepath: /opt/app/policy-agent/data/application_configuration.json
   webclient:
-    # Configuration of the trust store used for the HTTP client (outgoing requests)
-    # The file location and the password for the truststore is only relevant if trust-store-used == true
-    # Note that the same keystore as for the server is used.
     trust-store-used: false
-    trust-store-password: ${TRUSTSORE_PASSWORD}
-    trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+    trust-store-password: ""
+    trust-store: ""
     # Configuration of usage of HTTP Proxy for the southbound accesses.
     # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
     http.proxy-host:
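Review bot: `server.ssl.enabled` is now the literal `false` with empty keystore fields, so this chart can no longer serve TLS itself, and protection of the REST API rests entirely on whatever sits in front of the pod (presumably a service mesh or the new ingress, neither visible in this hunk). If that is the intent, record it above `ssl:`, e.g. `# TLS is terminated outside the pod; the server itself speaks plain HTTP only`. The commented-out `#port: 8081` duplicates `http-port: 8081` and is better removed than left as dead configuration. The deleted trust-store comment explained when the password and path matter; a one-line replacement such as `# trust store unused while trust-store-used is false` would keep that context next to the now-empty keys.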
index 5ee3f7d..837ce0c 100644 (file)
@@ -3,7 +3,7 @@
     "controller": [
       {
         "name": "controller1",
-        "baseUrl": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.sdncLink .Values.sdncLinkHttp }}",
+        "baseUrl": "{{ .Values.sdncLink }}",
         "userName": "${A1CONTROLLER_USER}",
         "password": "${A1CONTROLLER_PASSWORD}"
       }
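Review bot: `userName` and `password` in this controller entry are now always sent to `{{ .Values.sdncLink }}`, and the values.yaml change in this commit sets that default to `http://sdnc.onap:8282`, so the SDNC credentials travel unencrypted unless something below the application protects pod-to-pod traffic. The template no longer offers any way to select an HTTPS link, so deployments that need one must override `sdncLink` themselves. JSON cannot carry a comment, so that requirement belongs next to `sdncLink` in values.yaml, e.g. `# plain HTTP by default; override with an https:// URL when traffic is not otherwise encrypted`. The enclosing JSON object starts and ends outside the hunk.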
diff --git a/kubernetes/a1policymanagement/templates/ingress.yaml b/kubernetes/a1policymanagement/templates/ingress.yaml
new file mode 100644 (file)
index 0000000..bcc60a0
--- /dev/null
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.ingress" . }}
index 89d131e..b1d0407 100644 (file)
@@ -30,7 +30,7 @@ spec:
     spec:
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
-      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      initContainers:
       - name: {{ include "common.name" . }}-bootstrap-config
         image: {{ include "repositoryGenerator.image.envsubst" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -39,10 +39,6 @@ spec:
         args:
         - -c
         - |
-          {{- if (include "common.needTLS" .) }}
-          export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\
-            | xargs -0)
-          {{- end }}
           cd /config-input
           for PFILE in `ls -1`
           do
@@ -55,7 +51,7 @@ spec:
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
         - name: A1CONTROLLER_PASSWORD
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
-        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        volumeMounts:
         - mountPath: /config-input
           name: {{ include "common.fullname" . }}-policy-conf-input
         - mountPath: /config
@@ -97,10 +93,10 @@ spec:
           httpGet:
             path: /status
             port: {{ .Values.liveness.port }}
-            scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }}
+            scheme: HTTP
           initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
           periodSeconds: {{ .Values.liveness.periodSeconds }}
-        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        volumeMounts:
         - name: config
           mountPath: /opt/app/policy-agent/data/application_configuration.json
           subPath: application_configuration.json
@@ -111,7 +107,7 @@ spec:
           mountPath: "/var/policy-management-service/database"
         resources: {{ include "common.resources" . | nindent 10 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
-      volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
+      volumes:
         - name: {{ include "common.fullname" . }}-policy-conf-input
           configMap:
             name: {{ include "common.fullname" . }}-policy-conf
index bf49313..93f57d3 100644 (file)
@@ -30,39 +30,6 @@ secrets:
     password: '{{ .Values.a1controller.password }}'
     passwordPolicy: required
 
-#################################################################
-# AAF part
-#################################################################
-certInitializer:
-  nameOverride: a1p-cert-initializer
-  aafDeployFqi: deployer@people.osaaf.org
-  aafDeployPass: demo123456!
-  # aafDeployCredsExternalSecret: some secret
-  fqdn: a1p
-  fqi: a1p@a1p.onap.org
-  public_fqdn: a1p.onap.org
-  cadi_longitude: "0.0"
-  cadi_latitude: "0.0"
-  app_ns: org.osaaf.aaf
-  credsPath: /opt/app/osaaf/local
-  fqi_namespace: org.onap.a1p
-  aaf_add_config: |
-    echo "*** changing them into shell safe ones"
-    export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
-    export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
-    cd {{ .Values.credsPath }}
-    keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
-      -storepass "${cadi_keystore_password_p12}" \
-      -keystore {{ .Values.fqi_namespace }}.p12
-    keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \
-      -storepass "${cadi_truststore_password}" \
-      -keystore {{ .Values.fqi_namespace }}.trust.jks
-    echo "*** save the generated passwords"
-    echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
-    echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop
-    echo "*** change ownership of certificates to targeted user"
-    chown -R 1000 .
-
 image: onap/ccsdk-oran-a1policymanagementservice:1.3.2
 userID: 1000 #Should match with image-defined user ID
 groupID: 999 #Should match with image-defined group ID
@@ -72,21 +39,25 @@ replicaCount: 1
 service:
   type: NodePort
   name: a1policymanagement
-  both_tls_and_plain: true
   ports:
     - name: api
-      port: 8433
-      plain_port: 8081
+      port: 8081
       port_protocol: http
       nodePort: '94'
 
+ingress:
+  enabled: false
+  service:
+    - baseaddr: 'a1policymanagement-api'
+      name: 'a1policymanagement'
+      port: 8081
+
 # SDNC Credentials are used here
 a1controller:
   user: admin
   password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
 
-sdncLink: https://sdnc.onap:8443
-sdncLinkHttp: http://sdnc.onap:8282
+sdncLink: http://sdnc.onap:8282
 # The information about A1-Mediator/RICs can be added here.
 # The A1 policy management service supports both STD & OSC versions.
 # Alternatively, the A1 simulator from ORAN-SC can also be used. It provides STD  & OSC versions for A1 termination.
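Review bot: The `api` port of this `NodePort` service is now plain HTTP 8081 only, so whatever node port `nodePort: '94'` resolves to exposes the A1 policy API unencrypted outside the cluster; the same applies to the `service` hunk in nbi/values.yaml (port 8080, `nodePort: '74'`). With the `ingress` block added here, consider `type: ClusterIP` as the default and leave external exposure to the ingress. Separately, the context line `a1controller.password` keeps a fixed default secret in the chart, and that secret is now used against `sdncLink: http://sdnc.onap:8282`. Requiring it to be supplied through the chart's secret mechanism, instead of shipping a value, would avoid every default install sharing the same credential.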
index ee1e330..5f27787 100644 (file)
@@ -26,9 +26,6 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
-  - name: certInitializer
-    version: ~12.x-0
-    repository: '@local'
   - name: mongo
     version: ~12.x-0
     repository: '@local'
index 9bab15f..fcb9b6e 100644 (file)
@@ -25,9 +25,6 @@ spec:
   template:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
-{{- if .Values.global.aafEnabled }}
-      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
-{{- end }}
       containers:
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
@@ -35,36 +32,20 @@ spec:
           ports: {{ include "common.containerPorts" . | nindent 12 }}
           # disable liveness probe when breakpoints set in debugger
           # so K8s doesn't restart unresponsive container
-          {{- if .Values.global.aafEnabled }}
-          command:
-          - sh
-          args:
-          - -c
-          - |
-            export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
-            export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
-              -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \
-              -Dserver.ssl.key-store-type=PKCS12 \
-              -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \
-              -Dserver.ssl.key-store-password=$cadi_keystore_password_p12  \
-              -Djavax.net.ssl.trustStoreType=jks\
-              -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443"
-            exec java -XX:+UseContainerSupport $JAVA_OPTS -jar /opt/onap/app.jar
-          {{- end }}
           {{ if .Values.liveness.enabled }}
           livenessProbe:
             httpGet:
-              port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }}
+              port: {{ .Values.service.internalPort }}
               path: {{ .Values.liveness.path }}
-              scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }}
+              scheme: HTTP
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end }}
           readinessProbe:
             httpGet:
-              port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }}
+              port: {{ .Values.service.internalPort }}
               path: {{ .Values.readiness.path }}
-              scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }}
+              scheme: HTTP
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           env:
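Review bot: With the `command`/`args` block removed, nothing in this template sets the listen port any more (the old block passed `-Dserver.port=8443`), while both probes now target `.Values.service.internalPort`. This works only if the image's own default port matches the 8080 set in values.yaml, which cannot be confirmed from the hunk. A short comment above `livenessProbe:` such as `# container listens on its image default port; keep service.internalPort in sync` would record that coupling. The probes are also pinned to `scheme: HTTP`, so re-enabling TLS in the application later would need a template change, not a values override.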
@@ -91,15 +72,15 @@ spec:
             - name: ONAP_K8SCLOUDOWNER
               value: {{ .Values.config.k8sCloudOwner }}
             - name: NBI_URL
-              value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://nbi.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }}/nbi/api/v4"
+              value: "http://nbi.{{ include "common.namespace" . }}:{{ .Values.service.internalPort }}/nbi/api/v4"
             - name: SDC_HOST
-              value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://sdc-be.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}8080{{ end }}"
+              value: "http://sdc-be.{{ include "common.namespace" . }}:8080"
             - name: SDC_HEADER_ECOMPINSTANCEID
               value: {{ .Values.config.ecompInstanceId }}
             - name: SDC_HEADER_AUTHORIZATION
               value: {{ .Values.sdc_authorization }}
             - name: AAI_HOST
-              value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://aai.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}80{{ end }}"
+              value: "http://aai.{{ include "common.namespace" . }}:80"
             - name: AAI_HEADER_AUTHORIZATION
               value: {{ .Values.aai_authorization }}
             - name: SO_HOST
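Review bot: `SDC_HEADER_AUTHORIZATION` and `AAI_HEADER_AUTHORIZATION` are still injected next to `SDC_HOST` and `AAI_HOST`, which are now fixed `http://` URLs, so those authorization headers are sent in cleartext unless the network layer encrypts them. The scheme and ports (`8080`, `80`) are hard-coded in the template, so an operator cannot point NBI at a TLS endpoint without editing the chart. Reading them from values with the current URL as default, e.g. `value: {{ .Values.<new-key> | quote }}` (placeholder key), would keep the new behaviour and restore the override. Both authorization values are also rendered as plain `value:` entries and so appear in the pod spec; sourcing them from a Secret would be preferable. The `env:` list starts before and continues after this hunk.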
@@ -118,7 +99,7 @@ spec:
               value: "msb-discovery.{{ include "common.namespace" . }}"
             - name: MSB_DISCOVERY_PORT
               value: "10081"
-          volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }}
+          volumeMounts:
             - mountPath: /etc/localtime
               name: localtime
               readOnly: true
@@ -132,7 +113,7 @@ spec:
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
-      volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
+      volumes:
         - name: localtime
           hostPath:
             path: /etc/localtime
index 7c8a1b0..fe9d0d2 100644 (file)
@@ -98,7 +98,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SDC_HOST
-            value: https://sdc-be.NAMESPACE:8443
+            value: http://sdc-be.NAMESPACE:8080
       - contains:
           path: spec.template.spec.containers[0].env
           content:
@@ -113,7 +113,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: AAI_HOST
-            value: https://aai.NAMESPACE:8443
+            value: http://aai.NAMESPACE:80
       - contains:
           path: spec.template.spec.containers[0].env
           content:
index dc32367..e2b7341 100644 (file)
@@ -24,31 +24,7 @@ global:
     service: mariadb-galera
     internalPort: 3306
     nameOverride: mariadb-galera
-  aafEnabled: true
-  msbEnabled: true
-
-#################################################################
-# AAF part
-#################################################################
-certInitializer:
-  nameOverride: nbi-cert-initializer
-  aafDeployFqi: deployer@people.osaaf.org
-  aafDeployPass: demo123456!
-  # aafDeployCredsExternalSecret: some secret
-  fqdn: nbi
-  fqi: nbi@nbi.onap.org
-  public_fqdn: nbi.onap.org
-  cadi_longitude: "0.0"
-  cadi_latitude: "0.0"
-  app_ns: org.osaaf.aaf
-  credsPath: /opt/app/osaaf/local
-  aaf_add_config: >
-    echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
-    echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
-
-aafConfig:
-  permission_user: 1000
-  permission_group: 999
+  msbEnabled: false
 
 #################################################################
 # Secrets metaconfig
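Review bot: `msbEnabled` flips from `true` to `false` in the same edit that removes `aafEnabled`, which is a separate behaviour change from dropping AAF/TLS and is not explained in the hunk. The deployment template still sets `MSB_DISCOVERY_HOST` and `MSB_DISCOVERY_PORT` (context lines in the deployment.yaml hunk), so the chart keeps configuring MSB discovery while the global switch says it is off. Either keep `msbEnabled: true` here, or add a comment above it stating why it is disabled and remove the env entries if they are no longer read.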
@@ -150,12 +126,10 @@ service:
   type: NodePort
   portName: api
   name: nbi
-  internalPort: 8443
-  internalPlainPort: 8080
+  internalPort: 8080
   ports:
     - name: http
-      port: 8443
-      plain_port: 8080
+      port: 8080
       nodePort: '74'
 
 ingress:
@@ -163,8 +137,7 @@ ingress:
   service:
     - baseaddr: "nbi-api"
       name: "nbi"
-      port: 8443
-      plain_port: 8080
+      port: 8080
   config:
     ssl: "redirect"
 # Resource Limit flavor -By Default using small
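Review bot: `config.ssl: "redirect"` is left unchanged while the ingress backend port moves from 8443 to the plain 8080. What `redirect` does is defined in `common.ingress`, which is not part of this page, so it should be confirmed that it still yields HTTPS at the ingress edge with an HTTP backend and is not a leftover from the TLS backend. Once confirmed, a comment above it such as `# TLS at the ingress edge; backend is plain HTTP on 8080` would make the intended termination point explicit.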