| # Copyright © 2017 Amdocs, Bell Canada |
| # Modifications Copyright © 2018-2020 AT&T Intellectual Property |
| # Modifications Copyright (C) 2021-2023 Nordix Foundation. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| ################################################################# |
| # Global configuration defaults. |
| ################################################################# |
| global: |
| mariadb: |
| localCluster: true |
| # '&mariadbConfig' means we "store" the values for later use in the file |
| # with '*mariadbConfig' pointer. |
| config: &mariadbConfig |
| mysqlDatabase: policyadmin |
| service: &mariadbService |
| name: &policy-mariadb policy-mariadb |
| internalPort: 3306 |
| prometheusEnabled: false |
| postgres: |
| localCluster: false |
| service: |
| name: pgset |
| name2: tcp-pgset-primary |
| name3: tcp-pgset-replica |
| container: |
| name: postgres |
| #Strimzi Kafka properties |
| useStrimziKafka: true |
| # Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml |
| useStrimziKafkaPf: false |
| kafkaBootstrap: strimzi-kafka-bootstrap |
| policyKafkaUser: policy-kafka-user |
| kafkaTopics: |
| acRuntimeTopic: |
| name: policy.clamp-runtime-acm |
| |
| ################################################################# |
| # Secrets metaconfig |
| ################################################################# |
| secrets: |
| - uid: db-root-password |
| name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' |
| type: password |
| externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}' |
| password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' |
| policy: generate |
| - uid: db-secret |
| name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret' |
| type: basicAuth |
| externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}' |
| login: '{{ index .Values "mariadb-galera" "db" "user" }}' |
| password: '{{ index .Values "mariadb-galera" "db" "password" }}' |
| passwordPolicy: generate |
| - uid: policy-app-user-creds |
| name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' |
| type: basicAuth |
| externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}' |
| login: '{{ .Values.config.policyAppUserName }}' |
| password: '{{ .Values.config.policyAppUserPassword }}' |
| passwordPolicy: generate |
| - uid: policy-pap-user-creds |
| name: &policyPapCredsSecret '{{ include "common.release" . }}-policy-pap-user-creds' |
| type: basicAuth |
| externalSecret: '{{ tpl (default "" .Values.restServer.policyPapUserExternalSecret) . }}' |
| login: '{{ .Values.restServer.policyPapUserName }}' |
| password: '{{ .Values.restServer.policyPapUserPassword }}' |
| passwordPolicy: required |
| - uid: policy-api-user-creds |
| name: &policyApiCredsSecret '{{ include "common.release" . }}-policy-api-user-creds' |
| type: basicAuth |
| externalSecret: '{{ tpl (default "" .Values.restServer.policyApiUserExternalSecret) . }}' |
| login: '{{ .Values.restServer.policyApiUserName }}' |
| password: '{{ .Values.restServer.policyApiUserPassword }}' |
| passwordPolicy: required |
| |
| db: &dbSecretsHook |
| credsExternalSecret: *dbSecretName |
| |
| policy-api: |
| enabled: true |
| db: *dbSecretsHook |
| restServer: |
| apiUserExternalSecret: *policyApiCredsSecret |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-pap: |
| enabled: true |
| db: *dbSecretsHook |
| restServer: |
| papUserExternalSecret: *policyPapCredsSecret |
| apiUserExternalSecret: *policyApiCredsSecret |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-xacml-pdp: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-apex-pdp: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-drools-pdp: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-distribution: |
| enabled: true |
| db: *dbSecretsHook |
| policy-clamp-ac-k8s-ppnt: |
| enabled: true |
| policy-clamp-ac-pf-ppnt: |
| enabled: true |
| restServer: |
| apiUserExternalSecret: *policyApiCredsSecret |
| papUserExternalSecret: *policyPapCredsSecret |
| policy-clamp-ac-http-ppnt: |
| enabled: true |
| policy-clamp-ac-a1pms-ppnt: |
| enabled: true |
| policy-clamp-ac-kserve-ppnt: |
| enabled: true |
| policy-clamp-runtime-acm: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| appUserExternalSecret: *policyAppCredsSecret |
| policy-nexus: |
| enabled: false |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-gui: |
| enabled: false |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| |
| ################################################################# |
| # DB configuration defaults. |
| ################################################################# |
| |
| dbmigrator: |
| image: onap/policy-db-migrator:2.6.2 |
| schema: policyadmin |
| policy_home: "/opt/app/policy" |
| |
| subChartsOnly: |
| enabled: true |
| |
| # flag to enable debugging - application support required |
| debugEnabled: false |
| |
| # default number of instances |
| replicaCount: 1 |
| |
| nodeSelector: {} |
| |
| affinity: {} |
| |
| # probe configuration parameters |
| liveness: |
| initialDelaySeconds: 10 |
| periodSeconds: 10 |
| # necessary to disable liveness probe when setting breakpoints |
| # in debugger so K8s doesn't restart unresponsive container |
| enabled: true |
| |
| readiness: |
| initialDelaySeconds: 10 |
| periodSeconds: 10 |
| |
| |
| config: |
| policyAppUserName: runtimeUser |
| useStrimziKafka: true |
| policyPdpPapTopic: |
| name: policy-pdp-pap |
| partitions: 10 |
| retentionMs: 7200000 |
| segmentBytes: 1073741824 |
| consumer: |
| groupId: policy-group |
| policyHeartbeatTopic: |
| name: policy-heartbeat |
| partitions: 10 |
| retentionMs: 7200000 |
| segmentBytes: 1073741824 |
| consumer: |
| groupId: policy-group |
| policyNotificationTopic: |
| name: policy-notification |
| partitions: 10 |
| retentionMs: 7200000 |
| segmentBytes: 1073741824 |
| consumer: |
| groupId: policy-group |
| someConfig: blah |
| |
| mariadb-galera: |
| # mariadb-galera.config and global.mariadb.config must be equals |
| db: |
| user: policy-user |
| # password: |
| externalSecret: *dbSecretName |
| name: &mysqlDbName policyadmin |
| rootUser: |
| externalSecret: *dbRootPassSecretName |
| nameOverride: *policy-mariadb |
| # mariadb-galera.service and global.mariadb.service must be equals |
| service: *mariadbService |
| replicaCount: 1 |
| mariadbOperator: |
| galera: |
| enabled: false |
| persistence: |
| enabled: true |
| mountSubPath: policy/maria/data |
| serviceAccount: |
| nameOverride: *policy-mariadb |
| |
| postgresImage: library/postgres:latest |
| # application configuration override for postgres |
| postgres: |
| nameOverride: &postgresName policy-postgres |
| service: |
| name: *postgresName |
| name2: policy-pg-primary |
| name3: policy-pg-replica |
| container: |
| name: |
| primary: policy-pg-primary |
| replica: policy-pg-replica |
| persistence: |
| mountSubPath: policy/postgres/data |
| mountInitPath: policy |
| config: |
| pgUserName: policy-user |
| pgDatabase: policyadmin |
| pgUserExternalSecret: *dbSecretName |
| pgRootPasswordExternalSecret: *dbRootPassSecretName |
| |
| readinessCheck: |
| wait_for: |
| - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' |
| |
| restServer: |
| policyPapUserName: policyadmin |
| policyPapUserPassword: zb!XztG34 |
| policyApiUserName: policyadmin |
| policyApiUserPassword: zb!XztG34 |
| |
| # Resource Limit flavor -By Default using small |
| # Segregation for Different environment (small, large, or unlimited) |
| flavor: small |
| resources: |
| small: |
| limits: |
| cpu: 1 |
| memory: 4Gi |
| requests: |
| cpu: 100m |
| memory: 1Gi |
| large: |
| limits: |
| cpu: 2 |
| memory: 8Gi |
| requests: |
| cpu: 200m |
| memory: 2Gi |
| unlimited: {} |
| |
| #Pods Service Account |
| serviceAccount: |
| nameOverride: policy |
| roles: |
| - read |