kubernetes/policy/values.yaml

# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018-2020 AT&T Intellectual Property
# Modifications Copyright (C) 2021-2024 Nordix Foundation.
# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#################################################################
# Global configuration defaults.
#################################################################
global:
  mariadbGalera:
    # flag to enable the DB creation via mariadb-operator
    useOperator: true
    # if useOperator set to "true", set "enableServiceAccount to "false"
    # as the SA is created by the Operator
    enableServiceAccount: false
    localCluster: true
    # '&mariadbConfig' means we "store" the values for  later use in the file
    # with '*mariadbConfig' pointer.
    config: &mariadbConfig
      mysqlDatabase: policyadmin
    service: &mariadbService policy-mariadb
    internalPort: 3306
    nameOverride: *mariadbService
    # (optional) if localCluster=false and an external secret is used set this variable
    #userRootSecret: <secretName>
  prometheusEnabled: false
  postgres:
    localCluster: false
    service:
      name: pgset
      name2: tcp-pgset-primary
      name3: tcp-pgset-replica
    container:
      name: postgres
  kafkaBootstrap: strimzi-kafka-bootstrap:9092
  policyKafkaUser: policy-kafka-user
  kafkaTopics:
    acRuntimeTopic:
      name: policy.clamp-runtime-acm
#################################################################
# Secrets metaconfig
#################################################################
secrets:
  - uid: db-root-password
    name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password'
    type: password
    externalSecret: '{{ .Values.global.mariadbGalera.localCluster |
      ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) |
               ternary
                  ""
                  (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)
               )
               ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) |
                 ternary
                   .Values.global.mariadbGalera.userRootSecret
                   (include "common.mariadb.secret.rootPassSecretName"
                     (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)
                   )
               ) }}'
    password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}'
    policy: generate
  - uid: db-secret
    name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret'
    type: basicAuth
    externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}'
    login: '{{ index .Values "mariadb-galera" "db" "user" }}'
    password: '{{ index .Values "mariadb-galera" "db" "password" }}'
    passwordPolicy: generate
  - uid: policy-app-user-creds
    name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds'
    type: basicAuth
    externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}'
    login: '{{ .Values.config.policyAppUserName }}'
    password: '{{ .Values.config.policyAppUserPassword }}'
    passwordPolicy: generate
  - uid: policy-pap-user-creds
    name: &policyPapCredsSecret '{{ include "common.release" . }}-policy-pap-user-creds'
    type: basicAuth
    externalSecret: '{{ tpl (default "" .Values.restServer.policyPapUserExternalSecret) . }}'
    login: '{{ .Values.restServer.policyPapUserName }}'
    password: '{{ .Values.restServer.policyPapUserPassword }}'
    passwordPolicy: required
  - uid: policy-api-user-creds
    name: &policyApiCredsSecret '{{ include "common.release" . }}-policy-api-user-creds'
    type: basicAuth
    externalSecret: '{{ tpl (default "" .Values.restServer.policyApiUserExternalSecret) . }}'
    login: '{{ .Values.restServer.policyApiUserName }}'
    password: '{{ .Values.restServer.policyApiUserPassword }}'
    passwordPolicy: required

db: &dbSecretsHook
  credsExternalSecret: *dbSecretName

policy-api:
  enabled: true
  db: *dbSecretsHook
  restServer:
    apiUserExternalSecret: *policyApiCredsSecret
  config:
    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-pap:
  enabled: true
  db: *dbSecretsHook
  restServer:
    papUserExternalSecret: *policyPapCredsSecret
    apiUserExternalSecret: *policyApiCredsSecret
  config:
    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-xacml-pdp:
  enabled: true
  db: *dbSecretsHook
  config:
    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-apex-pdp:
  enabled: true
  db: *dbSecretsHook
  config:
    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-drools-pdp:
  enabled: false
  db: *dbSecretsHook
  config:
    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'
policy-distribution:
  enabled: true
  db: *dbSecretsHook
policy-clamp-ac-k8s-ppnt:
  enabled: true
policy-clamp-ac-pf-ppnt:
  enabled: true
  restServer:
    apiUserExternalSecret: *policyApiCredsSecret
    papUserExternalSecret: *policyPapCredsSecret
policy-clamp-ac-http-ppnt:
  enabled: true
policy-clamp-ac-a1pms-ppnt:
  enabled: true
policy-clamp-ac-kserve-ppnt:
  enabled: true
policy-clamp-runtime-acm:
  enabled: true
  db: *dbSecretsHook
  config:
    appUserExternalSecret: *policyAppCredsSecret
policy-nexus:
  enabled: false
  config:
    jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}'

#################################################################
# DB configuration defaults.
#################################################################

dbmigrator:
  image: onap/policy-db-migrator:3.1.3
  schema: policyadmin
  policy_home: "/opt/app/policy"

subChartsOnly:
  enabled: true

# flag to enable debugging - application support required
debugEnabled: false

# default number of instances
replicaCount: 1

nodeSelector: {}

affinity: {}

# probe configuration parameters
liveness:
  initialDelaySeconds: 10
  periodSeconds: 10
  # necessary to disable liveness probe when setting breakpoints
  # in debugger so K8s doesn't restart unresponsive container
  enabled: true

readiness:
  initialDelaySeconds: 10
  periodSeconds: 10


config:
  policyAppUserName: runtimeUser
  policyPdpPapTopic:
    name: policy-pdp-pap
    partitions: 10
    retentionMs: 7200000
    segmentBytes: 1073741824
    consumer:
      groupId: policy-group
  policyHeartbeatTopic:
    name: policy-heartbeat
    partitions: 10
    retentionMs: 7200000
    segmentBytes: 1073741824
    consumer:
      groupId: policy-group
  policyNotificationTopic:
    name: policy-notification
    partitions: 10
    retentionMs: 7200000
    segmentBytes: 1073741824
    consumer:
      groupId: policy-group
  someConfig: blah

mariadb-galera:
  # mariadb-galera.config and global.mariadbGalera.config must be equals
  db:
    user: policy-user
    # password:
    externalSecret: *dbSecretName
    name: &mysqlDbName policyadmin
  rootUser:
    externalSecret: *dbRootPassSecretName
  nameOverride: *mariadbService
  # mariadb-galera.service and global.mariadbGalera.service must be equals
  service:
    name: *mariadbService
  replicaCount: 1
  mariadbOperator:
    galera:
      enabled: false
  persistence:
    enabled: true
    mountSubPath: policy/maria/data
  serviceAccount:
    nameOverride: *mariadbService

postgresImage: library/postgres:latest
# application configuration override for postgres
postgres:
  nameOverride: &postgresName policy-postgres
  service:
    name: *postgresName
    name2: policy-pg-primary
    name3: policy-pg-replica
  container:
    name:
      primary: policy-pg-primary
      replica: policy-pg-replica
  persistence:
    mountSubPath: policy/postgres/data
    mountInitPath: policy
  config:
    pgUserName: policy-user
    pgDatabase: policyadmin
    pgUserExternalSecret: *dbSecretName
    pgRootPasswordExternalSecret: *dbRootPassSecretName

readinessCheck:
  wait_for_postgres:
    services:
      - '{{ .Values.global.postgres.service.name2 }}'
  wait_for_mariadb:
    services:
      - '{{ include "common.mariadbService" . }}'

restServer:
  policyPapUserName: policyadmin
  policyPapUserPassword: zb!XztG34
  policyApiUserName: policyadmin
  policyApiUserPassword: zb!XztG34

# Resource Limit flavor -By Default using small
# Segregation for Different environment (small, large, or unlimited)
flavor: small
resources:
  small:
    limits:
      cpu: "1"
      memory: "4Gi"
    requests:
      cpu: "100m"
      memory: "1Gi"
  large:
    limits:
      cpu: "2"
      memory: "8Gi"
    requests:
      cpu: "200m"
      memory: "2Gi"
  unlimited: {}

securityContext:
  user_id: 100
  group_id: 65533

#Pods Service Account
serviceAccount:
  nameOverride: policy
  roles:
    - read