Merge "[AAI] Create Authorization Policies for AAI"
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 87de5a3..c40dbe0 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -41,6 +41,12 @@
#Service Name of the cassandra cluster to connect to.
#Override it to aai-cassandra if localCluster is enabled.
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: aai-cassandra-dc1-service
+ #in case the older cassandra installation is used:
serviceName: cassandra
#This should be same as shared cassandra instance or if localCluster is enabled
@@ -350,6 +356,10 @@
persistence:
mountSubPath: aai/cassandra
enabled: true
+ k8ssandraOperator:
+ enabled: false
+ config:
+ clusterName: aai-cassandra
readiness:
initialDelaySeconds: 10
diff --git a/kubernetes/common/cassandra/templates/backup/configmap.yaml b/kubernetes/common/cassandra/templates/backup/configmap.yaml
index 9bbc69b..b566b61 100644
--- a/kubernetes/common/cassandra/templates/backup/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/backup/configmap.yaml
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.backup.enabled }}
apiVersion: v1
kind: ConfigMap
@@ -28,3 +29,4 @@
{{ tpl (.Files.Glob "resources/restore.sh").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/exec.py").AsConfig . | indent 2 }}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
index 27f3cc6..e2f675a 100644
--- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml
+++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
apiVersion: batch/v1beta1
kind: CronJob
metadata:
@@ -243,3 +245,4 @@
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-backup-data
{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/backup/pv.yaml b/kubernetes/common/cassandra/templates/backup/pv.yaml
index 10c3100..23e4551 100644
--- a/kubernetes/common/cassandra/templates/backup/pv.yaml
+++ b/kubernetes/common/cassandra/templates/backup/pv.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
{{- if eq "True" (include "common.needPV" .) -}}
---
@@ -39,3 +41,4 @@
{{- end -}}
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/backup/pvc.yaml b/kubernetes/common/cassandra/templates/backup/pvc.yaml
index 6fd5361..e60a1db 100644
--- a/kubernetes/common/cassandra/templates/backup/pvc.yaml
+++ b/kubernetes/common/cassandra/templates/backup/pvc.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
{{- if .Values.backup.enabled }}
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ else }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
---
kind: PersistentVolumeClaim
@@ -39,3 +41,4 @@
storageClassName: {{ include "common.storageClass" . }}
{{- end -}}
{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml
new file mode 100644
index 0000000..cb6ce4a
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/cassOp.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright © 2018 Amdocs, AT&T, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ include "common.k8ssandraCluster" . }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml
index ab08c82..8f2b39e 100644
--- a/kubernetes/common/cassandra/templates/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.configOverrides }}
apiVersion: v1
kind: ConfigMap
@@ -25,3 +26,4 @@
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/ingress.yaml b/kubernetes/common/cassandra/templates/ingress.yaml
new file mode 100644
index 0000000..97d6155
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/ingress.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright (C) 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.ingress" . }}
diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml
index a0d998c..8e2ad66 100644
--- a/kubernetes/common/cassandra/templates/pv.yaml
+++ b/kubernetes/common/cassandra/templates/pv.yaml
@@ -13,5 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
-
+{{- if not .Values.k8ssandraOperator.enabled }}
{{ include "common.replicaPV" . }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml
new file mode 100644
index 0000000..b776caf
--- /dev/null
+++ b/kubernetes/common/cassandra/templates/secrets.yaml
@@ -0,0 +1,21 @@
+{{/*
+# Copyright © 2018 Amdocs, Bell Canada
+# Copyright © 2019 Samsung Electronics
+# Copyright © 2019-2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.k8ssandraOperator.enabled }}
+{{ include "common.secretFast" . }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml
index 8934d41..092c677 100644
--- a/kubernetes/common/cassandra/templates/service.yaml
+++ b/kubernetes/common/cassandra/templates/service.yaml
@@ -14,4 +14,6 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{ include "common.headlessService" . }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml
index 5297e69..759586f 100644
--- a/kubernetes/common/cassandra/templates/servicemonitor.yaml
+++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml
@@ -14,6 +14,8 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
+{{- end }}
{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml
index 43367ee..2e73309 100644
--- a/kubernetes/common/cassandra/templates/statefulset.yaml
+++ b/kubernetes/common/cassandra/templates/statefulset.yaml
@@ -14,6 +14,7 @@
# limitations under the License.
*/}}
+{{- if not .Values.k8ssandraOperator.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
@@ -214,3 +215,4 @@
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml
index 43ff171..13137a1 100644
--- a/kubernetes/common/cassandra/values.yaml
+++ b/kubernetes/common/cassandra/values.yaml
@@ -22,6 +22,53 @@
backup:
mountPath: /dockerdata-nfs/backup
+k8ssandraOperator:
+ enabled: false
+ cassandraVersion: 4.0.1
+ persistence:
+ storageClassName: default
+ size: 10Gi
+ config:
+ clusterName: cassandra
+ secretName: &secretName cassandra-default-user
+ superuserName: &superusername cassandra
+ superuserPassword: &superuserpassword cassandra
+ casOptions:
+ authorizer: AllowAllAuthorizer
+ jvmOptions:
+ heapSize: 512M
+ hostNetwork: false
+ datacenters:
+ - name: dc1
+ size: 3
+ stargate:
+ tag: v1.0.76
+ size: 1
+ jvmOptions:
+ heapSize: 384Mi
+
+#################################################################
+# Secrets metaconfig
+# used to store the default superuser for k8ssandra-operator
+#################################################################
+secrets:
+ - uid: *secretName
+ type: genericKV
+ externalSecret: '{{ tpl (default "" .Values.k8ssandraOperator.config.userCredentialsExternalSecret) . }}'
+ envs:
+ - name: username
+ value: *superusername
+ - name: password
+ value: *superuserpassword
+
+ingress:
+ enabled: false
+ service:
+ - baseaddr: "reaper-dc1"
+ path: "/webui"
+ name: "cassandra-dc1-reaper-service"
+ port: 8080
+
# application image
image: cassandra:3.11.4
pullPolicy: Always
@@ -108,9 +155,6 @@
updateStrategy:
type: RollingUpdate
-ingress:
- enabled: false
-
persistence:
enabled: true
diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl
new file mode 100644
index 0000000..f1fc75c
--- /dev/null
+++ b/kubernetes/common/common/templates/_cassOp.tpl
@@ -0,0 +1,51 @@
+{{/* Cassandra Data Center. */}}
+{{- define "common.k8ssandraCluster" -}}
+{{- $global := .Values.global }}
+---
+apiVersion: k8ssandra.io/v1alpha1
+kind: K8ssandraCluster
+metadata:
+ name: {{ .Values.k8ssandraOperator.config.clusterName }}
+spec:
+ reaper:
+ containerImage:
+ registry: {{ include "repositoryGenerator.dockerHubRepository" . }}
+ heapSize: 512Mi
+ autoScheduling:
+ enabled: true
+ stargate:
+ containerImage:
+ registry: {{ include "repositoryGenerator.dockerHubRepository" . }}
+ tag: {{ .Values.k8ssandraOperator.stargate.tag }}
+ size: {{ .Values.k8ssandraOperator.stargate.size }}
+ heapSize: {{ .Values.k8ssandraOperator.stargate.jvmOptions.heapSize }}
+ cassandra:
+ serverVersion: {{ .Values.k8ssandraOperator.cassandraVersion }}
+ storageConfig:
+ cassandraDataVolumeClaimSpec:
+ storageClassName: {{ .Values.k8ssandraOperator.persistence.storageClassName }}
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.k8ssandraOperator.persistence.size }}
+ superuserSecretRef:
+ name: {{ include "common.fullname" . }}-{{ .Values.k8ssandraOperator.config.secretName }}
+ config:
+ {{ if .Values.k8ssandraOperator.config.casOptions -}}
+ cassandraYaml:
+ {{ toYaml .Values.k8ssandraOperator.config.casOptions | nindent 8 }}
+ {{- end }}
+ {{ if .Values.k8ssandraOperator.config.jvmOptions -}}
+ jvmOptions:
+ {{ toYaml .Values.k8ssandraOperator.config.jvmOptions | nindent 8 }}
+ {{- end }}
+ networking:
+ hostNetwork: {{ .Values.k8ssandraOperator.config.hostNetwork }}
+ datacenters:
+ {{- range $datacenter := .Values.k8ssandraOperator.datacenters }}
+ - metadata:
+ name: {{ $datacenter.name }}
+ size: {{ $datacenter.size }}
+ {{- end }}
+{{ end }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..7158c02
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
index 7c6b3e9..ee21e10 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
@@ -125,6 +125,14 @@
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-pm-mapper-read
+ - serviceAccount: message-router-read
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# Data Router Publisher Credentials
drPubscriberCreds:
username: username
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..7158c02
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
index 06ff279..31a24e8 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml
@@ -67,6 +67,10 @@
port: 8088
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Initial Application Configuration
applicationConfig:
FEEDER_ADDR: dl-feeder
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..7158c02
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
index 9049e0a..12617e1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml
@@ -78,6 +78,10 @@
port: 1681
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
#postgres configuration
postgres:
config:
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..30d173c
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
index 552e00c..8c3fb48 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml
@@ -80,6 +80,15 @@
port: 1680
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: dcae-datalake-admin-ui-read
+ - serviceAccount: dcae-datalake-des-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-datalake-des-read
+ - serviceAccount: dcae-datalake-feeder-read
+
credentials:
- name: PG_USER
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..30d173c
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
index cc33dd1..b7b6fe0 100644
--- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml
@@ -81,6 +81,13 @@
port: 10002
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-heartbeat-read
+
credentials:
- name: HEARTBEAT_PG_USERNAME
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
index ab6d3f2..9e123e1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
@@ -115,6 +115,12 @@
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# initial application configuration
applicationConfig:
logLevel: INFO
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
index ec05caa..a0a6fb9 100644
--- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml
@@ -76,6 +76,11 @@
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Initial Application Configuration
applicationConfig:
trust_store_path: '/opt/app/kpims/etc/cert/trust.jks'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
index 3b47e7f..71a2d95 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml
@@ -31,6 +31,10 @@
- port: 8080
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Label on DCAE microservice deployments
# (Used by healthcheck code to find deployments
# created after initial DCAE installation)
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
index 0c90e3a..6081d35 100644
--- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml
@@ -86,6 +86,11 @@
plain_port: 8081
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# Data Router Subscriber Credentials
drSubscriberCreds:
username: username
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..30d173c
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
index f6782db..90d7e16 100644
--- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml
@@ -82,6 +82,13 @@
plain_port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-pmsh-read
+
# Initial Application Configuration
applicationConfig:
enable_tls: false
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
index 9a27415..a2cce37 100644
--- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
@@ -73,6 +73,11 @@
- port: 8100
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
aaiCreds:
user: AAI
password: AAI
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
index bed8f9c..0a9203b 100644
--- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml
@@ -93,6 +93,12 @@
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# AAF Credentials
controllerCreds:
username: access
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..30d173c
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
index 065c19b..6eda483 100644
--- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml
@@ -100,6 +100,13 @@
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-slice-analysis-ms-read
+
credentials:
- name: PG_USERNAME
uid: *pgUserCredsSecretUid
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
index 5c888db..01d4316 100644
--- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml
@@ -69,6 +69,10 @@
nodePort: 70
useNodePortExt: true
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
# Initial Application Configuration
applicationConfig:
StormWatchPolicy: ''
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..30d173c
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
index 037c586..8eb55b4 100644
--- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml
@@ -94,6 +94,13 @@
port: 8080
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+ authorizedPrincipalsPostgres:
+ - serviceAccount: dcae-son-handler-read
+
# Credentials
cpsCreds:
identity: cps
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
index fcdcb52..191a5b1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml
@@ -74,6 +74,11 @@
- port: 9091
name: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# mongoDB overrides
mongo:
nameOverride: dcae-mongo
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index 526d750..06eaba6 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -111,6 +111,12 @@
config:
ssl: "redirect"
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: istio-ingress
+ namespace: istio-ingress
+
# application environments
applicationEnv:
CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
index ff1f748..79581ad 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml
@@ -60,6 +60,11 @@
port: 80
port_protocol: http
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: message-router-read
+
# application environments
applicationEnv:
LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true'
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
index 2327ac3..7a80433 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml
@@ -27,6 +27,10 @@
- name: &port http
port: *svc_port
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals: []
+
schemaMap:
filename: "schema-map.json"
directory: "/app/mappings"
diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml
index 31ab047..e8f8700 100644
--- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml
@@ -64,6 +64,8 @@
mountPath: /home/sdc/chef-solo/environments/
- name: {{ include "common.fullname" . }}-chef-cache
mountPath: /home/sdc/chef-solo/cache
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: ENVNAME
value: {{ .Values.env.name }}
@@ -98,6 +100,9 @@
defaultMode: 0755
- name: {{ include "common.fullname" . }}-chef-cache
emptyDir: {}
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
restartPolicy: Never
diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml
index f58fca7..2f943d7 100644
--- a/kubernetes/sdc/components/sdc-cs/values.yaml
+++ b/kubernetes/sdc/components/sdc-cs/values.yaml
@@ -26,12 +26,22 @@
#should be sdc-cs if this flag is enabled
localCluster: false
#The cassandra service name to connect to (default: shared cassandra service)
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case of local k8ssandra-operator instance it is
+ #serviceName: sdc-cs-dc1-service
+ #in case the older cassandra installation is used:
serviceName: cassandra
+
#Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
#to match with its own cluster replica
replicaCount: 3
clusterName: cassandra
+ #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod")
dataCenter: Pod
+ #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.* must be "3.4.5"
+ cqlVersion: "3.4.4"
#################################################################
# Application configuration defaults.
@@ -48,6 +58,10 @@
persistence:
mountSubPath: sdc/sdc-cs/CS
enabled: true
+ k8ssandraOperator:
+ enabled: false
+ config:
+ clusterName: sdc-cs
# application image
repository: nexus3.onap.org:10001
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
index 41996ff..43a4902 100644
--- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml
@@ -65,6 +65,8 @@
volumeMounts:
- name: {{ include "common.fullname" . }}-environments
mountPath: /home/sdc/chef-solo/environments/
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: ENVNAME
value: {{ .Values.env.name }}
@@ -96,6 +98,9 @@
configMap:
name: {{ include "common.release" . }}-sdc-environments-configmap
defaultMode: 0755
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
restartPolicy: Never
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
index 9ba05b8..b9abef8 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml
@@ -65,6 +65,9 @@
- /bin/sh
- -c
{{- end }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ mountPath: /home/sdc/.cassandra
env:
- name: CS_HOST
value: "{{ .Values.global.sdc_cassandra.serviceName }}"
@@ -78,6 +81,10 @@
valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}}
resources: {{ include "common.resources" . | nindent 10 }}
{{ include "common.waitForJobContainer" . | indent 6 | trim }}
+ volumes:
+ - name: {{ include "common.fullname" . }}-cqlshrc
+ configMap:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
{{ end }}
diff --git a/kubernetes/sdc/resources/config/cqlshrc b/kubernetes/sdc/resources/config/cqlshrc
new file mode 100644
index 0000000..cb6df94
--- /dev/null
+++ b/kubernetes/sdc/resources/config/cqlshrc
@@ -0,0 +1,2 @@
+[cql]
+version={{.Values.global.sdc_cassandra.cqlVersion}}
\ No newline at end of file
diff --git a/kubernetes/sdc/templates/configmap.yaml b/kubernetes/sdc/templates/configmap.yaml
index 712f2ec..dee73ba 100644
--- a/kubernetes/sdc/templates/configmap.yaml
+++ b/kubernetes/sdc/templates/configmap.yaml
@@ -28,4 +28,17 @@
data:
{{ tpl (.Files.Glob "resources/config/environments/*").AsConfig . | indent 2 }}
---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.release" . }}-sdc-cqlshrc
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/cqlshrc").AsConfig . | indent 2 }}
+---
{{ include "common.log.configMap" . }}
diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index cba3362..955ac4b 100644
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml
@@ -26,20 +26,28 @@
keystore_password: PyhrUCFZdXIhWyohWTUhRV5mKFpLYzMx
wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
sdc_cassandra:
- #This flag allows SDC to instantiate its own cluster, serviceName
- #should be "sdc-cs" if this flag is enabled
- localCluster: false
- #The cassandra service name to connect to (default: shared cassandra service)
- serviceName: cassandra
- #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
- #to match with its own cluster replica
- #see "cassandra: replicaCount" in file sdc-cs/values.yaml)
- replicaCount: 3
- dbCache: true
- readConsistencyLevel: ONE
- writeConsistencyLevel: ALL
- clusterName: cassandra
- dataCenter: Pod
+ #This flag allows SDC to instantiate its own cluster, serviceName
+ #should be "sdc-cs" if this flag is enabled
+ localCluster: false
+ #The cassandra service name to connect to (default: shared cassandra service)
+ #in case of using k8ssandra-operator in the common cassandra installation
+ #the service name is:
+ #serviceName: cassandra-dc1-service
+ #in case the older cassandra installation is used:
+ serviceName: cassandra
+ #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled
+ #to match with its own cluster replica
+ #see "cassandra: replicaCount" in file sdc-cs/values.yaml)
+ replicaCount: 3
+ dbCache: true
+ readConsistencyLevel: ONE
+ writeConsistencyLevel: ALL
+ clusterName: cassandra
+ #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod")
+ dataCenter: Pod
+ #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.* must be "3.4.5"
+ cqlVersion: "3.4.4"
+
centralizedLoggingEnabled: true
# global Kafka config passed to sdc-be chart
kafka: