| # Copyright © 2017 Amdocs, Bell Canada |
| # Modifications Copyright © 2018-2020 AT&T Intellectual Property |
| # Modifications Copyright (C) 2021-2024 Nordix Foundation. |
| # Modifications Copyright © 2024 Deutsche Telekom |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| ################################################################# |
| # Global configuration defaults. |
| ################################################################# |
| global: |
| mariadbGalera: |
| # flag to enable the DB creation via mariadb-operator |
| useOperator: true |
| # if useOperator set to "true", set "enableServiceAccount to "false" |
| # as the SA is created by the Operator |
| enableServiceAccount: false |
| localCluster: true |
| # '&mariadbConfig' means we "store" the values for later use in the file |
| # with '*mariadbConfig' pointer. |
| config: &mariadbConfig |
| mysqlDatabase: policyadmin |
| service: &mariadbService policy-mariadb |
| internalPort: 3306 |
| nameOverride: *mariadbService |
| # (optional) if localCluster=false and an external secret is used set this variable |
| #userRootSecret: <secretName> |
| useInPolicy: true |
| prometheusEnabled: false |
| postgres: |
| localCluster: false |
| service: |
| name: pgset |
| name2: tcp-pgset-primary |
| name3: tcp-pgset-replica |
| container: |
| name: postgres |
| useInPolicy: false |
| kafkaBootstrap: strimzi-kafka-bootstrap:9092 |
| policyKafkaUser: policy-kafka-user |
| useStrimziKafka: true |
| kafkaTopics: |
| acRuntimeTopic: |
| name: policy.clamp-runtime-acm |
| ################################################################# |
| # Secrets metaconfig |
| ################################################################# |
| secrets: |
| - uid: db-root-password |
| name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' |
| type: password |
| externalSecret: '{{ or .Values.global.postgres.useInPolicy .Values.global.mariadbGalera.useInPolicy | ternary ( |
| ( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | |
| ternary |
| "" |
| (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) |
| ) |
| ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | |
| ternary |
| .Values.global.mariadbGalera.userRootSecret |
| (include "common.mariadb.secret.rootPassSecretName" |
| (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) |
| ) |
| ) }}' |
| password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' |
| policy: generate |
| - uid: db-secret |
| name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret' |
| type: basicAuth |
| externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}' |
| login: '{{ index .Values "mariadb-galera" "db" "user" }}' |
| password: '{{ index .Values "mariadb-galera" "db" "password" }}' |
| passwordPolicy: generate |
| - uid: policy-app-user-creds |
| name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' |
| type: basicAuth |
| externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}' |
| login: '{{ .Values.config.policyAppUserName }}' |
| password: '{{ .Values.config.policyAppUserPassword }}' |
| passwordPolicy: generate |
| - uid: policy-pap-user-creds |
| name: &policyPapCredsSecret '{{ include "common.release" . }}-policy-pap-user-creds' |
| type: basicAuth |
| externalSecret: '{{ tpl (default "" .Values.restServer.policyPapUserExternalSecret) . }}' |
| login: '{{ .Values.restServer.policyPapUserName }}' |
| password: '{{ .Values.restServer.policyPapUserPassword }}' |
| passwordPolicy: required |
| - uid: policy-api-user-creds |
| name: &policyApiCredsSecret '{{ include "common.release" . }}-policy-api-user-creds' |
| type: basicAuth |
| externalSecret: '{{ tpl (default "" .Values.restServer.policyApiUserExternalSecret) . }}' |
| login: '{{ .Values.restServer.policyApiUserName }}' |
| password: '{{ .Values.restServer.policyApiUserPassword }}' |
| passwordPolicy: required |
| |
| db: &dbSecretsHook |
| credsExternalSecret: *dbSecretName |
| |
| policy-api: |
| enabled: true |
| db: *dbSecretsHook |
| restServer: |
| apiUserExternalSecret: *policyApiCredsSecret |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-pap: |
| enabled: true |
| db: *dbSecretsHook |
| restServer: |
| papUserExternalSecret: *policyPapCredsSecret |
| apiUserExternalSecret: *policyApiCredsSecret |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-xacml-pdp: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-apex-pdp: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-drools-pdp: |
| enabled: false |
| db: *dbSecretsHook |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| policy-distribution: |
| enabled: true |
| db: *dbSecretsHook |
| policy-clamp-ac-k8s-ppnt: |
| enabled: true |
| policy-clamp-ac-pf-ppnt: |
| enabled: true |
| restServer: |
| apiUserExternalSecret: *policyApiCredsSecret |
| papUserExternalSecret: *policyPapCredsSecret |
| policy-clamp-ac-http-ppnt: |
| enabled: true |
| policy-clamp-ac-a1pms-ppnt: |
| enabled: true |
| policy-clamp-ac-kserve-ppnt: |
| enabled: true |
| policy-clamp-runtime-acm: |
| enabled: true |
| db: *dbSecretsHook |
| config: |
| appUserExternalSecret: *policyAppCredsSecret |
| policy-nexus: |
| enabled: false |
| config: |
| jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' |
| |
| ################################################################# |
| # DB configuration defaults. |
| ################################################################# |
| |
| dbmigrator: |
| # New released image will allow full SASL and Postgres (drools included). Tested with snapshot. Release to come later. |
| image: onap/policy-db-migrator:3.1.3 |
| # These schemas will be required with the new version of db-migrator |
| # schemas: "policyadmin clampacm pooling operationshistory" |
| schemas: "policyadmin" |
| policy_home: "/opt/app/policy" |
| |
| subChartsOnly: |
| enabled: true |
| |
| # flag to enable debugging - application support required |
| debugEnabled: false |
| |
| # default number of instances |
| replicaCount: 1 |
| |
| nodeSelector: {} |
| |
| affinity: {} |
| |
| # probe configuration parameters |
| liveness: |
| initialDelaySeconds: 10 |
| periodSeconds: 10 |
| # necessary to disable liveness probe when setting breakpoints |
| # in debugger so K8s doesn't restart unresponsive container |
| enabled: true |
| |
| readiness: |
| initialDelaySeconds: 10 |
| periodSeconds: 10 |
| |
| |
| config: |
| policyAppUserName: runtimeUser |
| policyPdpPapTopic: |
| name: policy-pdp-pap |
| partitions: 10 |
| retentionMs: 7200000 |
| segmentBytes: 1073741824 |
| consumer: |
| groupId: policy-group |
| policyHeartbeatTopic: |
| name: policy-heartbeat |
| partitions: 10 |
| retentionMs: 7200000 |
| segmentBytes: 1073741824 |
| consumer: |
| groupId: policy-group |
| policyNotificationTopic: |
| name: policy-notification |
| partitions: 10 |
| retentionMs: 7200000 |
| segmentBytes: 1073741824 |
| consumer: |
| groupId: policy-group |
| someConfig: blah |
| |
| mariadb-galera: |
| # mariadb-galera.config and global.mariadbGalera.config must be equals |
| db: |
| user: policy-user |
| # password: |
| externalSecret: *dbSecretName |
| name: &mysqlDbName policyadmin |
| rootUser: |
| externalSecret: *dbRootPassSecretName |
| nameOverride: *mariadbService |
| # mariadb-galera.service and global.mariadbGalera.service must be equals |
| service: |
| name: *mariadbService |
| replicaCount: 1 |
| mariadbOperator: |
| galera: |
| enabled: false |
| persistence: |
| enabled: true |
| mountSubPath: policy/maria/data |
| serviceAccount: |
| nameOverride: *mariadbService |
| |
| postgresImage: library/postgres:latest |
| # application configuration override for postgres |
| postgres: |
| nameOverride: &postgresName policy-postgres |
| service: |
| name: *postgresName |
| name2: policy-pg-primary |
| name3: policy-pg-replica |
| container: |
| name: |
| primary: policy-pg-primary |
| replica: policy-pg-replica |
| persistence: |
| mountSubPath: policy/postgres/data |
| mountInitPath: policy |
| config: |
| pgUserName: policy-user |
| pgDatabase: policyadmin |
| pgUserExternalSecret: *dbSecretName |
| pgRootPasswordExternalSecret: *dbRootPassSecretName |
| |
| readinessCheck: |
| wait_for_postgres: |
| services: |
| - '{{ .Values.global.postgres.service.name2 }}' |
| wait_for_mariadb: |
| services: |
| - '{{ include "common.mariadbService" . }}' |
| |
| restServer: |
| policyPapUserName: policyadmin |
| policyPapUserPassword: zb!XztG34 |
| policyApiUserName: policyadmin |
| policyApiUserPassword: zb!XztG34 |
| |
| # Resource Limit flavor -By Default using small |
| # Segregation for Different environment (small, large, or unlimited) |
| flavor: small |
| resources: |
| small: |
| limits: |
| cpu: "1" |
| memory: "4Gi" |
| requests: |
| cpu: "100m" |
| memory: "1Gi" |
| large: |
| limits: |
| cpu: "2" |
| memory: "8Gi" |
| requests: |
| cpu: "200m" |
| memory: "2Gi" |
| unlimited: {} |
| |
| securityContext: |
| user_id: 100 |
| group_id: 65533 |
| |
| #Pods Service Account |
| serviceAccount: |
| nameOverride: policy |
| roles: |
| - read |