blob: 5628ade48a556ffe02b0b1d0448bae2b5335f921 [file] [log] [blame]
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
# Modifications Copyright (C) 2021-2023 Nordix Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#################################################################
# Global configuration defaults.
#################################################################
global:
mariadbGalera:
# flag to enable the DB creation via mariadb-operator
useOperator: true
# if useOperator set to "true", set "enableServiceAccount to "false"
# as the SA is created by the Operator
enableServiceAccount: false
localCluster: true
# '&mariadbConfig' means we "store" the values for later use in the file
# with '*mariadbConfig' pointer.
config: &mariadbConfig
mysqlDatabase: policyadmin
service: &mariadbService
name: &policy-mariadb policy-mariadb
internalPort: 3306
nameOverride: *policy-mariadb
# (optional) if localCluster=false and an external secret is used set this variable
#userRootSecret: <secretName>
prometheusEnabled: false
postgres:
localCluster: false
service:
name: pgset
name2: tcp-pgset-primary
name3: tcp-pgset-replica
container:
name: postgres
#Strimzi Kafka properties
useStrimziKafka: true
# Temporary flag to disable strimzi for pf components - will be removed after native kafka support is added for drools and xacml
useStrimziKafkaPf: false
kafkaBootstrap: strimzi-kafka-bootstrap
policyKafkaUser: policy-kafka-user
kafkaTopics:
acRuntimeTopic:
name: policy.clamp-runtime-acm
#################################################################
# Secrets metaconfig
#################################################################
secrets:
- uid: db-root-password
name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
type: password
externalSecret: '{{ .Values.global.mariadbGalera.localCluster |
ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
ternary
""
(tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)
)
( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) |
ternary
.Values.global.mariadbGalera.userRootSecret
(include "common.mariadb.secret.rootPassSecretName"
(dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)
)
) }}'
password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}'
policy: generate
- uid: db-secret
name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret'
type: basicAuth
externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}'
login: '{{ index .Values "mariadb-galera" "db" "user" }}'
password: '{{ index .Values "mariadb-galera" "db" "password" }}'
passwordPolicy: generate
- uid: policy-app-user-creds
name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds'
type: basicAuth
externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}'
login: '{{ .Values.config.policyAppUserName }}'
password: '{{ .Values.config.policyAppUserPassword }}'
passwordPolicy: generate
- uid: policy-pap-user-creds
name: &policyPapCredsSecret '{{ include "common.release" . }}-policy-pap-user-creds'
type: basicAuth
externalSecret: '{{ tpl (default "" .Values.restServer.policyPapUserExternalSecret) . }}'
login: '{{ .Values.restServer.policyPapUserName }}'
password: '{{ .Values.restServer.policyPapUserPassword }}'
passwordPolicy: required
- uid: policy-api-user-creds
name: &policyApiCredsSecret '{{ include "common.release" . }}-policy-api-user-creds'
type: basicAuth
externalSecret: '{{ tpl (default "" .Values.restServer.policyApiUserExternalSecret) . }}'
login: '{{ .Values.restServer.policyApiUserName }}'
password: '{{ .Values.restServer.policyApiUserPassword }}'
passwordPolicy: required
db: &dbSecretsHook
credsExternalSecret: *dbSecretName
policy-api:
enabled: true
db: *dbSecretsHook
restServer:
apiUserExternalSecret: *policyApiCredsSecret
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-pap:
enabled: true
db: *dbSecretsHook
restServer:
papUserExternalSecret: *policyPapCredsSecret
apiUserExternalSecret: *policyApiCredsSecret
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-xacml-pdp:
enabled: true
db: *dbSecretsHook
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-apex-pdp:
enabled: true
db: *dbSecretsHook
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-drools-pdp:
enabled: true
db: *dbSecretsHook
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-distribution:
enabled: true
db: *dbSecretsHook
policy-clamp-ac-k8s-ppnt:
enabled: true
policy-clamp-ac-pf-ppnt:
enabled: true
restServer:
apiUserExternalSecret: *policyApiCredsSecret
papUserExternalSecret: *policyPapCredsSecret
policy-clamp-ac-http-ppnt:
enabled: true
policy-clamp-ac-a1pms-ppnt:
enabled: true
policy-clamp-ac-kserve-ppnt:
enabled: true
policy-clamp-runtime-acm:
enabled: true
db: *dbSecretsHook
config:
appUserExternalSecret: *policyAppCredsSecret
policy-nexus:
enabled: false
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-gui:
enabled: false
config:
jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
#################################################################
# DB configuration defaults.
#################################################################
dbmigrator:
image: onap/policy-db-migrator:3.0.2
schema: policyadmin
policy_home: "/opt/app/policy"
subChartsOnly:
enabled: true
# flag to enable debugging - application support required
debugEnabled: false
# default number of instances
replicaCount: 1
nodeSelector: {}
affinity: {}
# probe configuration parameters
liveness:
initialDelaySeconds: 10
periodSeconds: 10
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
initialDelaySeconds: 10
periodSeconds: 10
config:
policyAppUserName: runtimeUser
useStrimziKafka: true
policyPdpPapTopic:
name: policy-pdp-pap
partitions: 10
retentionMs: 7200000
segmentBytes: 1073741824
consumer:
groupId: policy-group
policyHeartbeatTopic:
name: policy-heartbeat
partitions: 10
retentionMs: 7200000
segmentBytes: 1073741824
consumer:
groupId: policy-group
policyNotificationTopic:
name: policy-notification
partitions: 10
retentionMs: 7200000
segmentBytes: 1073741824
consumer:
groupId: policy-group
someConfig: blah
mariadb-galera:
# mariadb-galera.config and global.mariadbGalera.config must be equals
db:
user: policy-user
# password:
externalSecret: *dbSecretName
name: &mysqlDbName policyadmin
rootUser:
externalSecret: *dbRootPassSecretName
nameOverride: *policy-mariadb
# mariadb-galera.service and global.mariadbGalera.service must be equals
service: *mariadbService
replicaCount: 1
mariadbOperator:
galera:
enabled: false
persistence:
enabled: true
mountSubPath: policy/maria/data
serviceAccount:
nameOverride: *policy-mariadb
postgresImage: library/postgres:latest
# application configuration override for postgres
postgres:
nameOverride: &postgresName policy-postgres
service:
name: *postgresName
name2: policy-pg-primary
name3: policy-pg-replica
container:
name:
primary: policy-pg-primary
replica: policy-pg-replica
persistence:
mountSubPath: policy/postgres/data
mountInitPath: policy
config:
pgUserName: policy-user
pgDatabase: policyadmin
pgUserExternalSecret: *dbSecretName
pgRootPasswordExternalSecret: *dbRootPassSecretName
readinessCheck:
wait_for:
- '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}'
restServer:
policyPapUserName: policyadmin
policyPapUserPassword: zb!XztG34
policyApiUserName: policyadmin
policyApiUserPassword: zb!XztG34
# Resource Limit flavor -By Default using small
# Segregation for Different environment (small, large, or unlimited)
flavor: small
resources:
small:
limits:
cpu: 1
memory: 4Gi
requests:
cpu: 100m
memory: 1Gi
large:
limits:
cpu: 2
memory: 8Gi
requests:
cpu: 200m
memory: 2Gi
unlimited: {}
#Pods Service Account
serviceAccount:
nameOverride: policy
roles:
- read