From: saul.gill Date: Wed, 26 Apr 2023 15:16:05 +0000 (+0100) Subject: [POLICY] Update docker images to latest versions X-Git-Tag: 12.0.0~37^2 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=ef208b0677fca2b5982c5a822c0aec188ffe72d8 [POLICY] Update docker images to latest versions The image versions in policy values.yaml files have been updated Added native configurable support in pap and api for strimzi Added configurable support in api and pap for postgres *** This commit is generated by a PF release script *** Issue-ID: POLICY-4648 Change-Id: Ia91ea4a8babc850d0854e299eb80541c1d38285d Signed-off-by: saul.gill --- diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index c9d29ce2ca..c47bdd33f1 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022 Nordix Foundation +# Modifications Copyright © 2021, 2022, 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +27,7 @@ dependencies: - name: mariadb-galera version: ~12.x-0 repository: '@local' + condition: global.mariadb.localCluster - name: policy-nexus version: ~12.x-0 repository: 'file://components/policy-nexus' diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index f7f0757558..29c9246ed9 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~12.x-0 repository: '@local' + - name: readinessCheck + version: ~12.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 2fe354e2c0..3a38b88d56 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -8,7 +8,7 @@ "https": "false", "prometheus": true }, - "pdpStatusParameters":{ + "pdpStatusParameters": { "pdpGroup": "defaultGroup", "timeIntervalMs": 120000, "pdpType":"apex", @@ -25,18 +25,38 @@ ] }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : "false", - "fetchTimeout": 15000, - "topicCommInfrastructure" : "dmaap" + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], +{{ if .Values.global.useStrimziKafkaPf }} + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } +{{ else }} + "topicCommInfrastructure": "dmaap" +{{ end }} }], - "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : "false", - "topicCommInfrastructure" : "dmaap" - }] + "topicSinks" : [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], +{{ if .Values.global.useStrimziKafkaPf }} + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } +{{ else }} + "topicCommInfrastructure": "dmaap" +{{ end }} + }] } } diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml similarity index 71% rename from kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml rename to kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml index 6213fecb31..e68c9fd8d9 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml @@ -22,29 +22,53 @@ */}} apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} - serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - command: - - sh +{{- if not .Values.global.useStrimziKafkaPf }} +{{ include "common.readinessCheck.waitFor" . | nindent 6 }} +{{- end }} + - command: ["/bin/sh", "-cx"] +{{- if .Values.global.useStrimziKafkaPf }} + args: + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; + cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done +{{ else }} args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done +{{ end }} env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} +{{- if .Values.global.useStrimziKafkaPf }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} +{{ else }} + - name: KAFKA_URL + value: message-router + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic | upper }} {{- end }} volumeMounts: - mountPath: /config-input @@ -58,8 +82,11 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["sh","-c"] - args: ["/opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json"] + command: [ "/bin/sh", "-cx" ] + args: + - id apexuser; + cat /home/apexuser/config/OnapPfConfig.json; + /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: @@ -85,12 +112,12 @@ spec: - mountPath: /home/apexuser/config name: apexconfig resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} {{- end -}} - {{- if .Values.affinity }} - affinity: + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..d2fab9f535 --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafkaPf }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index 3ea694fb06..46eaca22e1 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -25,6 +25,7 @@ global: nodePortPrefix: 302 persistence: {} + useStrimziKafkaPf: set-via-parent-chart-global-value ################################################################# # Secrets metaconfig @@ -47,7 +48,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.9.1 +image: onap/policy-apex-pdp:2.9.2 pullPolicy: Always # flag to enable debugging - application support required @@ -139,11 +140,11 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true + useStrimziKafkaPf: true kafkaBootstrap: strimzi-kafka-bootstrap kafka: consumer: - groupId: policy-group + groupId: policy-apex app: listener: policyPdpPapTopic: policy-pdp-pap @@ -158,3 +159,21 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-apex + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + - message-router diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index 269ecd5f5f..4e73dc0b5b 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -31,7 +31,8 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" @@ -46,6 +47,27 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy +{{ else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} policy-api: name: ApiGroup diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index 580dcdde86..1d7e0498af 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml @@ -12,7 +12,11 @@ spec: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -101,4 +105,4 @@ spec: emptyDir: medium: Memory imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 2ec88ee82e..ab8c31ff20 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml @@ -24,6 +24,8 @@ global: nodePortPrefix: 304 persistence: {} + postgres: + localCluster: false ################################################################# # Secrets metaconfig @@ -46,7 +48,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.8.1 +image: onap/policy-api:2.8.2 pullPolicy: Always # flag to enable debugging - application support required @@ -58,7 +60,9 @@ db: password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin @@ -104,9 +108,9 @@ resources: small: limits: cpu: 1 - memory: 4Gi + memory: 6Gi requests: - cpu: 100m + cpu: 150m memory: 1Gi large: limits: diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml index ce53abaf04..47b0955f01 100755 --- a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml @@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-a1pms-ppnt:6.4.1 +image: onap/policy-clamp-ac-a1pms-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-a1pms-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 6f60fec111..808c60ef86 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:6.4.1 +image: onap/policy-clamp-ac-http-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-http-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 985399a893..99f6206b20 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -43,7 +43,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:6.4.1 +image: onap/policy-clamp-ac-k8s-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-k8s-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml index cef5200eb6..28718505df 100755 --- a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml @@ -42,7 +42,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-kserve-ppnt:6.4.1 +image: onap/policy-clamp-ac-kserve-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-kserve-ppnt diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index 83839f80bf..c2c43c7313 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml @@ -54,7 +54,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:6.4.1 +image: onap/policy-clamp-ac-pf-ppnt:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-ac-pf-ppnt diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 0ec4be4726..fef8598ef7 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-runtime-acm:6.4.1 +image: onap/policy-clamp-runtime-acm:6.4.2 pullPolicy: Always componentName: &componentName policy-clamp-runtime-acm @@ -124,17 +124,17 @@ resources: small: limits: cpu: 1 - memory: 4Gi + memory: 6Gi requests: - cpu: 100m - memory: 1Gi + cpu: 200m + memory: 2Gi large: limits: cpu: 2 memory: 8Gi requests: - cpu: 200m - memory: 2Gi + cpu: 400m + memory: 4Gi unlimited: {} #Pods Service Account @@ -149,4 +149,4 @@ readinessCheck: wait_for_job_container: containers: - - '{{ include "common.release" . }}-policy-galera-config' \ No newline at end of file + - '{{ include "common.release" . }}-policy-galera-config' diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index e744d09920..e367dd0e15 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -58,7 +58,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.9.1 +image: onap/policy-distribution:2.9.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 7cc347c519..6b6c576e6a 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -41,7 +41,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.12.1 +image: onap/policy-pdpd-cl:1.12.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 5e48e99d7a..330161e316 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml @@ -29,7 +29,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.4.1 +image: onap/policy-gui:2.4.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index ef41d38f08..1af33688d0 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -34,3 +34,6 @@ dependencies: - name: serviceAccount version: ~12.x-0 repository: '@local' + - name: readinessCheck + version: ~12.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 7f6f508c03..5496d93174 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -26,7 +26,8 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" @@ -41,18 +42,27 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} +{{- else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} server: port: 6969 @@ -65,9 +75,15 @@ pap: name: PapGroup aaf: false topic: - pdp-pap.name: POLICY-PDP-PAP - notification.name: POLICY-NOTIFICATION - heartbeat.name: POLICY-HEARTBEAT + {{ if .Values.global.useStrimziKafkaPf }} + pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} + notification.name: {{ .Values.config.kafka.topics.policyNotification }} + heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} + {{ else }} + pdp-pap.name: {{ .Values.dmaap.topics.policyPdpPap }} + notification.name: {{ .Values.dmaap.topics.policyNotification }} + heartbeat.name: {{ .Values.dmaap.topics.policyHeartbeat }} + {{ end }} pdpParameters: heartBeatMs: 120000 updateParameters: @@ -76,34 +92,82 @@ pap: stateChangeParameters: maxRetryCount: 1 maxWaitMs: 30000 - savePdpStatisticsInDb: false + savePdpStatisticsInDb: true topicParameterGroup: topicSources: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: false - fetchTimeout: 15000 - topicCommInfrastructure: dmaap - - topic: POLICY-HEARTBEAT - effectiveTopic: POLICY-PDP-PAP - consumerGroup: policy-pap - servers: - - message-router - useHttps: false - fetchTimeout: 15000 - topicCommInfrastructure: dmaap + - useHttps: false + fetchTimeout: 15000 + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyPdpPap }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} + - useHttps: false + fetchTimeout: 15000 + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.dmaap.topics.policyPdpPap }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} topicSinks: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: false - topicCommInfrastructure: dmaap - - topic: POLICY-NOTIFICATION - servers: - - message-router - useHttps: false - topicCommInfrastructure: dmaap + - useHttps: false + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyPdpPap }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} + - useHttps: false + {{ if .Values.global.useStrimziKafkaPf }} + topic: {{ .Values.config.kafka.topics.policyNotification }} + servers: + - {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + {{ else }} + topic: {{ .Values.dmaap.topics.policyNotification }} + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + {{ end }} # If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks # servers: # - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 @@ -128,11 +192,6 @@ pap: password: "${DISTRIBUTION_PASSWORD}" useHttps: false basePath: healthcheck - - clientName: dmaap - hostname: message-router - port: 3904 - useHttps: false - basePath: topics management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index 201f48776d..78907723b1 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -29,12 +29,18 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: +{{- if not .Values.global.useStrimziKafkaPf }} +{{ include "common.readinessCheck.waitFor" . | nindent 6 }} +{{- end }} - command: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config - env: +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: fieldRef: @@ -42,7 +48,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: {{ include "common.name" . }}-db-readiness - command: - sh args: @@ -65,9 +71,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} +{{- if .Values.global.useStrimziKafkaPf }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config {{- end }} volumeMounts: - mountPath: /config-input @@ -81,8 +90,11 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/opt/app/policy/pap/bin/policy-pap.sh"] - args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"] + + command: [ "/bin/sh", "-cx" ] + args: + - cat /opt/app/policy/pap/etc/mounted/papParameters.yaml; + /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml new file mode 100644 index 0000000000..d2fab9f535 --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafkaPf }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 8a638f60bc..6674effd62 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -25,6 +25,9 @@ global: nodePortPrefixExt: 304 persistence: {} + useStrimziKafkaPf: set-via-parent-chart-global-value + postgres: + localCluster: false ################################################################# # Secrets metaconfig @@ -66,7 +69,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.8.1 +image: onap/policy-pap:2.8.2 pullPolicy: Always # flag to enable debugging - application support required @@ -79,7 +82,9 @@ db: password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin @@ -124,6 +129,9 @@ service: ports: - name: http-api port: 6969 + - name: debug-port + port: 5005 + protocol: TCP ingress: enabled: false @@ -132,18 +140,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: 2 + memory: 6Gi requests: - cpu: 100m - memory: 1Gi + cpu: 200m + memory: 2Gi large: limits: - cpu: 2 + cpu: 4 memory: 8Gi requests: - cpu: 200m - memory: 2Gi + cpu: 400m + memory: 4Gi unlimited: {} #Pods Service Account @@ -171,14 +179,24 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true + useStrimziKafkaPf: true kafkaBootstrap: strimzi-kafka-bootstrap kafka: + topics: + policyHeartbeat: policy-heartbeat + policyNotification: policy-notification + policyPdpPap: policy-pdp-pap consumer: - groupId: policy-group + groupId: policy-pap app: listener: policyPdpPapTopic: policy-pdp-pap + +dmaap: + topics: + policyHeartbeat: POLICY-HEARTBEAT + policyNotification: POLICY-NOTIFICATION + policyPdpPap: POLICY-PDP-PAP # If targeting a custom kafka cluster, ie useStrimziKakfa: false # uncomment below config and target your kafka bootstrap servers, # along with any other security config. @@ -190,3 +208,25 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-pap + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-notification + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + - message-router diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 44ae16de1d..e589c4b315 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -49,7 +49,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.8.1 +image: onap/policy-xacml-pdp:2.8.2 pullPolicy: Always # flag to enable debugging - application support required @@ -106,18 +106,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: 2 + memory: 6Gi requests: - cpu: 100m - memory: 1Gi + cpu: 200m + memory: 2Gi large: limits: cpu: 2 memory: 8Gi requests: cpu: 200m - memory: 2Gi + memory: 4Gi unlimited: {} #Pods Service Account diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 4bf9def21e..f0e91e8350 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -16,6 +16,7 @@ # limitations under the License. */}} +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: @@ -83,6 +84,7 @@ spec: items: - key: db.sh path: db.sh +{{ end }} {{ if .Values.global.postgres.localCluster }} --- @@ -122,13 +124,13 @@ spec: /docker-entrypoint-initdb.d/db-pg.sh env: - name: PG_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} - name: PG_HOST value: "{{ .Values.postgres.service.name2 }}" - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: PG_USER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: PG_PORT value: "{{ .Values.postgres.service.internalPort }}" resources: {{ include "common.resources" . | nindent 10 }} @@ -145,6 +147,7 @@ spec: {{ end }} --- +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: @@ -217,7 +220,7 @@ spec: items: - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh - +{{ end }} {{ if .Values.global.postgres.localCluster }} --- apiVersion: batch/v1 @@ -272,9 +275,9 @@ spec: - name: SQL_HOST value: "{{ .Values.postgres.service.name2 }}" - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: SQL_DB value: {{ .Values.dbmigrator.schema }} - name: POLICY_HOME @@ -282,7 +285,7 @@ spec: - name: SCRIPT_DIRECTORY value: "postgres" - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} resources: {{ include "common.resources" . | nindent 10 }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index d9d9769230..a787b8b626 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.global.useStrimziKafka }} +{{- if .Values.global.useStrimziKafkaPf }} apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 7abd75d832..9027e490f0 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -19,6 +19,7 @@ ################################################################# global: mariadb: + localCluster: true # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig @@ -37,6 +38,8 @@ global: name: postgres #Strimzi Kafka properties useStrimziKafka: true + # Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml + useStrimziKafkaPf: false kafkaBootstrap: strimzi-kafka-bootstrap policyKafkaUser: policy-kafka-user kafkaTopics: @@ -81,19 +84,6 @@ secrets: login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName @@ -163,7 +153,7 @@ policy-gui: ################################################################# dbmigrator: - image: onap/policy-db-migrator:2.6.1 + image: onap/policy-db-migrator:2.6.2 schema: policyadmin policy_home: "/opt/app/policy" @@ -256,8 +246,8 @@ postgres: config: pgUserName: policy_user pgDatabase: policyadmin - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName + pgUserExternalSecret: *dbSecretName + pgRootPasswordExternalSecret: *dbRootPassSecretName readinessCheck: wait_for: