Merge pull request #1162 from santhosh-tg/helmchart

Add helm chart

helm/learner/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*_test.rego
\ No newline at end of file

helm/learner/Chart.lock

+dependencies:
+- name: common_opa_policies
+  repository: https://keshavprasadms.github.io/sunbird-helmchart-templates
+  version: 0.1.0
+- name: learner_opa_policies
+  repository: https://keshavprasadms.github.io/sunbird-lms-service
+  version: 0.1.0
+digest: sha256:1d739f27fd24f4b32e2b3c2438886d369107bd65c85b99ef9151a0b6ae51b63a
+generated: "2023-02-19T08:47:55.332813+05:30"

helm/learner/Chart.yaml

+apiVersion: v2
+name: learner
+description: A helm chart for learner service
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "5.0.0"
+
+dependencies:
+  - name: common_opa_policies
+    repository: https://keshavprasadms.github.io/sunbird-helmchart-templates
+    version: 0.1.0
+  - name: learner_opa_policies
+    repository: https://keshavprasadms.github.io/sunbird-lms-service
+    version: 0.1.0
\ No newline at end of file

helm/learner/learner_sample_values.yaml

+## This section has mandatory variables
+## You must provide a value for these
+## If you don't provide a value for these variables, the chart installation will not proceed
+
+## The domain name or Public IP address
+## The domain name should start with http or https
+## For example https://example.com
+domain: "https://abc.com"
+
+## Can be one of - azure, aws, gcloud
+cloud_service_provider: "aws"
+
+## Public storage bucket details
+cloud_public_storage_accountname: "public"
+cloud_public_storage_secret: "publicsecret"
+
+## Private storage bucket details
+cloud_private_storage_accountname: "private"
+cloud_private_storage_secret: "privatesecret"
+
+
+## This section has optional variables
+## It is strongly recommended to provide a value for these
+## If you don't provide a value for these variables, they will default to empty values
+## If these variables are empty, some features on the application might not work as expected 
+google_captcha_mobile_private_key: ""
+google_captcha_private_key: ""
+sunbird_mail_server_from_email: ""
+sunbird_mail_server_host: ""
+sunbird_mail_server_password: ""
+sunbird_mail_server_port: ""
+sunbird_mail_server_username: ""
+sunbird_msg_91_auth: ""
+sunbird_msg_sender: ""
+sunbird_url_shortner_access_token: ""
+
+
+## The merge domain name or Public IP address
+## The merge domain name should start with http or https
+## For example https://merge.example.com
+merge_domain: "https://merge.example.com"
+
+## This section has optional variables
+## If you provide a value to the variable, then that will have the highest precedence
+## If you don't provide a value, then it's fetched from kubernetes secret or subchart template
+## If the value is empty or nil, installation will be halted
+ekstep_authorization: "EKSTEP_AUTHORIZATION_KEY"
+sunbird_authorization: "SUNBIRD_AUTHORIZATION_KEY"
+sunbird_keycloak_user_federation_provider_id: "SUNBIRD_KEYCLOAK_USER_FEDERATION_PROVIDER_ID"
+sunbird_pg_user: "SUNBIRD_PG_USER"
+sunbird_pg_password: "SUNBIRD_PG_PASSWORD"
+sunbird_sso_client_secret: "SUNBIRD_SSO_CLIENT_SECRET"
+sunbird_sso_publickey: "SUNBIRD_SSO_PUBLICKEY"
+
+# Subchart variables and values
+global:
+  keycloak_sunbird_realm_kid: "ABCDEFGHIKLMN"
+  keycloak_sunbird_realm_public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHJ4vh0HbIGsqDBDHBLIXJtla+a00jGd7UYHFOPpp7+Pcieu6ujYf/kvh2i66aYB9P2lZjaGVoy1bYhI8+ny33r616AvfwP8H2kujboFRxEGdIkrVgmx+YcWU6SjmpcE9nvRpo2HqxiCggk6HB/yM8VQBSh5v8Gk13JaK6qAH737ybtIBW/0CEN2aF64JpPmcri8fFdl+xeycYOq+ueSZ7NXRyOL4CLSk+M5StHn4mz14m/RqNtdIgaTc42F74+pgWt0o4T9kkMbjZI7ujjZN+eJBBdjdRUl/gYLDGbG1gF+gCndicd2InpSFFfTugmSc3jsAGjZ4jiSv1uxm+QihwIDAQAB"
+  user_access_private_keys:
+    accessv1_key1: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5GDQK2PSrnojv
+      g3vYBuJuHslvgv+IdqtnFhMEwQrfJJd4PNkxATR69/OO2OO4xd8tC+bQYkPcImO0
+      Y3ynvsVwbJ2che2dS6RvsZh5Es7dpcf7UVp9AQb4QPTvGDYagrekf3cpdy3CoeZm
+      lb1jOmJKP6YS4PIqmeO4dfsz0p2rNraeg42Dpgt6wcievSvyXIf6QqDwCpp/HnK4
+      Kso2yL9XSUE87Khhb6itbAos9TnRpraVZYho2WuDTXQYfYZHEr8EzX1mS8dQhJTr
+      N6Nl7PVteVfxFqQR41a1WB/w5Lx3iYawhmuI1eSuAmZT3PoeRTXFalJlyNJb74je
+      DgOYCYiTAgMBAAECggEAM4DkmlAcZNTMTblMcKQZxYKTko/lAtfigeDGkgAVQlow
+      O6jS1qv7KmxsPUdktjl5DFPPehSdxVdcXwl/2j1fOxU+Fhu+LpKpwtqsDqSJI2vJ
+      5ciRYU8z3UhV32HhTCcran59bfBXr1zVe54XANFyIC7tyzsEp44Cq4VIzPbCIK2z
+      oSYul4ydJmuJ6THsDNdWSWGyE/1iNGD94JnlIuQZ+0r/GXRf9BDLnNPKVfj2lcO5
+      OuNTZE5jkrgSC+TXoHV7m32V/4XQRpJZ2aAr2LrBCW4iy+3/IbgFmKr6HfQIoHWY
+      K9Vgk8wdcBnfcTdoCHVE42fzHqIom/R8STRFVNHswQKBgQDdy3AcFhW9TFRw0Sa+
+      JOG2qXgKLQWyKxaH5jfdGsQw0nUT08fgTlDCxcC64ByIzmc02l4kB23a6XzViR4v
+      /K3519A5iKfC1alfMFcDokDjPRkdiZ5hHaPfWBrLp+KL0GtoAogR6qyE9i47XFqQ
+      VC/zAPoRoBjwFFO6RGkTkuwcCQKBgQDVo9N9I7vtG2G2+LcXoCxUFcZw8ogpYmrT
+      m1DKAMQxid5rc/0P1OSdudtjYMpdXPKXeyztHhFxBwlvZG5kiPz/yRO0jHJTQbZP
+      yP/hZOf2Dcwmf0RyIFbynBD8Vkla/ChjDbZM6Sv+6GkXU4DvjAQdh1Um5923EZML
+      OKkraggeuwKBgQDVXivI6ToatL6bFaomzAZUGi4/49YR87+mF0RwsZpBuYUmANvN
+      Hqo05dcmMAljVuUUhGqCUJ9PNMWCC3n+AiBANWy8nIl/NtrMlw1ukn3H3fQ2ZTj3
+      BnOqnfCRMT4Q8P0SvzS1v8Qd2VLailsZc9P4+1yW7iRvea6eh8dqLDJ2OQKBgCbO
+      Gxwf4YKv9o/FnXwtG+AqFGFvrEvYFI9bJtGKUhitcjkSWGUHxn7fw3nJmvhaabYa
+      KY7oZ0KghJY3J9YbC9lqLKoe2KVGylazq8bFDV0kJHDZrRUNyr1Gm8853RkptCxJ
+      0VMnB1bF4FDcWg8o35Z9fnoSo7Mc/hiLsi6wk8kBAoGAVaojV+zrC07VDcLKNtsh
+      R+87iJCNldFV1X2rfPYFMLDWyLubd0g1v8ulYlk3KRv2MNYftaNHT4PXNSZuhfJy
+      mg13rZDoFKFB5DRpfv6ybZIaGxrZ9R+2lV2pFCgFuTExtAufN/JeXM6hNzdAzRgK
+      dhMts6drDP0QTO0yK99dPa4=
+      -----END PRIVATE KEY-----
+    accessv1_key2: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDoxlV1cR2IXQtj
+      3kEpgnTySHWncmdtBOeNKVBQetZ14CSqVadLHsK+sZgeRm0zY6GURn6IxWaxUbhG
+      sHhc6WKKOhKFOOgjv38E7eDq6llnH2hOA8Lypu63Ijdbc2ifYCpuyfwRT9vEpbFo
+      vE1SqSZmplkOh1+zFjzf2TypZcdLLRABkGd/0ZelOG9qx7bM2th8nOcH/uVsFO5R
+      YELvRkEUUegNvIUq6MtVRH4A1hE3a5EYtPQD9KV8VcyMVET883MgL5tSI8Mhu2nL
+      mNY6Q7Stnp6VemuCCe5hd9SRnfr0ytV0K9JaA4zAS4isEHwcP97oyhNs6IhL64iw
+      7FQwshxnAgMBAAECggEBAIq/bcELI6dcjqWAnSa49CxWtIqSzsNU4RBrR8ww7BRm
+      /nPpikZkl4BDK4EgSYcQJAfV3SZ5Q7T+GPFJzvTSyEHMS63NNdHZG0U85YwhFBk7
+      x1h5NYKdrjzK0GRabkpRb/mJvA41o7GbchwT4aMb4B/fl8XpO0nsP2zOeDIg0KIl
+      nxiZToaZocwJh4IkfYMnOhSp617ZBbLb25cdRAIEQaGLRuoqibfmB+cBMmQUGFNB
+      O9/efJLVTAWk5NvmOWMZ2Wgs6cjIWZPVDXXbAzz+XWQqi4+6He3NGaJ+vq2NdXGc
+      hw3V8BwJGsh9/3usoc2lS9QXDkX771N7WFzmOw3u/EECgYEA9P+cUJNTsvuy0RJC
+      ZhewTidY15WkwxBPoUqmTOnfFEMw/DO4jC6JWXFb45lANuooFiQwb8svM6Y+o6hP
+      NkPaxt426fEU0F4beBid1vUrOk/4a6SRFUdwPzDaDUwc2+Wwo0QxNlXG6mKPtC12
+      dnOtF139edQ24uNdi6oegR2qsu0CgYEA8zo0bEZ0gZdBcMNJtVEoQHAv4DSDGieL
+      HghLKaqLsVBWFDysV4w7y8Tqy8GPRUG4MCKIa1zhjY0AY92afdvwYStVhyNj+BWT
+      qvTTTYsFvvnUO0MUV5ewwX1QcPLns27SGteN/p5PrEOsJ5R9NDLUJWCGOk3QYscd
+      dI7cWNcXfiMCgYBpDt8x8is3GhWw75qHeusAaIEBWUsg1nK/IGq1mqgtYS61R1yA
+      yEffkeusaoANzFVKQVR/6+oexNAhj7//7hL3qjx0Dww02dX/ptawYcuaosZNKnGI
+      ZWztu/4VK6lIZnNbX5eWzCuTQJaM1d3xp2L3HTffsS+kFYl8pYOVLGqRdQKBgEH0
+      F4EAvdjiFfmoytTi0+JdSW4nbyFpdZzILPF4cHa9TQohxa3btd80X2Ku8tWZ04Mh
+      6hIK1pKWmHN8BMd6Gz2ODZweaZ4845To3F9bgkxd3EHRl7OEy4Y8H9Lw2wlZ1Jk4
+      uCVB8mLI2ubEqgq8ebBE80DeFtKiIYeYsYFZmeI3AoGBAKUWA7KqJ+Gw5QIbJ680
+      bZqKZliuCzI4HkXeNNFYv9+8ec+P6prbfP6WlAsjLsPVJj5gV1A/55syhvPzfSXw
+      GAcMqQqWTYIyoLJ+idyitJVuFmXi/eAaNDIh001Itz8R6uPWIR/KqIJUagc8ZzcS
+      S/euzu2m6qX8poTQAo+NoUp2
+      -----END PRIVATE KEY----  
+  user_access_public_keys:
+    accessv1_key1: |
+      -----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuRg0Ctj0q56I74N72Abi
+      bh7Jb4L/iHarZxYTBMEK3ySXeDzZMQE0evfzjtjjuMXfLQvm0GJD3CJjtGN8p77F
+      cGydnIXtnUukb7GYeRLO3aXH+1FafQEG+ED07xg2GoK3pH93KXctwqHmZpW9Yzpi
+      Sj+mEuDyKpnjuHX7M9Kdqza2noONg6YLesHInr0r8lyH+kKg8Aqafx5yuCrKNsi/
+      V0lBPOyoYW+orWwKLPU50aa2lWWIaNlrg010GH2GRxK/BM19ZkvHUISU6zejZez1
+      bXlX8RakEeNWtVgf8OS8d4mGsIZriNXkrgJmU9z6HkU1xWpSZcjSW++I3g4DmAmI
+      kwIDAQAB
+      -----END PUBLIC KEY-----
+    accessv1_key2: |
+      -----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MZVdXEdiF0LY95BKYJ0
+      8kh1p3JnbQTnjSlQUHrWdeAkqlWnSx7CvrGYHkZtM2OhlEZ+iMVmsVG4RrB4XOli
+      ijoShTjoI79/BO3g6upZZx9oTgPC8qbutyI3W3Non2Aqbsn8EU/bxKWxaLxNUqkm
+      ZqZZDodfsxY839k8qWXHSy0QAZBnf9GXpThvase2zNrYfJznB/7lbBTuUWBC70ZB
+      FFHoDbyFKujLVUR+ANYRN2uRGLT0A/SlfFXMjFRE/PNzIC+bUiPDIbtpy5jWOkO0
+      rZ6elXprggnuYXfUkZ369MrVdCvSWgOMwEuIrBB8HD/e6MoTbOiIS+uIsOxUMLIc
+      ZwIDAQAB
+      -----END PUBLIC KEY-----  

helm/learner/templates/deployment.yaml

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+     rollingUpdate:
+        maxSurge: {{ .Values.strategy.maxSurge }}
+        maxUnavailable: {{ .Values.strategy.maxUnavailable }}
+  selector:
+    matchLabels:
+      app: {{ .Chart.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Chart.Name }}
+    spec:
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+      - name: {{ .Values.imagePullSecrets }}
+{{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: Always
+        env:
+        - name: JAVA_OPTIONS
+          value: {{ .Values.javaOptions }}
+        - name: _JAVA_OPTIONS
+          value: -Dlog4j2.formatMsgNoLookups=true
+        envFrom:
+        - configMapRef:
+            name: {{ .Chart.Name }}-config
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        ports:
+        - containerPort: {{ .Values.port }}
+        livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 10 }}
+        readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 10 }}
+        volumeMounts:
+        - name: {{ .Chart.Name }}-logback-config
+          mountPath: /home/sunbird/learner/learning-service-1.0-SNAPSHOT/config
+        - mountPath: {{ .Values.accesstoken.publickey.basepath }}
+          name: {{ .Values.external_configmaps.access_public_keys.name }}
+{{- if .Values.opa_sidecar }}
+      - args:
+        - envoy
+        - --config-path
+        - /config/envoy-config.yaml
+        env:
+        - name: ENVOY_UID
+          value: "1111"
+        image: envoyproxy/envoy:v1.20.0
+        imagePullPolicy: IfNotPresent
+        name: envoy
+        livenessProbe:
+{{ toYaml .Values.envoy_livenessProbe | indent 10 }}
+        readinessProbe:
+{{ toYaml .Values.envoy_readinessProbe | indent 10 }}
+        resources:
+{{ toYaml .Values.envoy_resources | indent 10 }}
+        volumeMounts:
+        - mountPath: /config
+          name: {{ .Chart.Name }}-envoy-config
+          readOnly: true
+      - args:
+        - run
+        - --server
+        - /policies
+        - --addr=localhost:8181
+        - --diagnostic-addr=0.0.0.0:8282
+        - --set=plugins.envoy_ext_authz_grpc.addr=:9191
+        - --set=plugins.envoy_ext_authz_grpc.path=main/allow
+        - --set=decision_logs.plugin=print_decision_logs_on_failure
+        - --set=plugins.print_decision_logs_on_failure.stdout=true
+        - --log-level=error
+        - --ignore=.*
+        image: sunbird/opa:0.34.2-envoy
+        imagePullPolicy: IfNotPresent
+        name: opa
+        livenessProbe:
+{{ toYaml .Values.opa_livenessProbe | indent 10 }}
+        readinessProbe:
+{{ toYaml .Values.opa_readinessProbe | indent 10 }}
+        resources:
+{{ toYaml .Values.opa_resources | indent 10 }}
+        volumeMounts:
+        - mountPath: /policies
+          name: opa-policies
+          readOnly: true
+      initContainers:
+      - args:
+        - -p
+        - "9999"
+        - -u
+        - "1111"
+        - -w
+        - "8282,10000"
+        image: openpolicyagent/proxy_init:v5
+        imagePullPolicy: IfNotPresent
+        name: proxy-init
+        resources:
+{{ toYaml .Values.initcontainer_resources | indent 10 }}
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+          runAsNonRoot: false
+          runAsUser: 0
+{{- end }}
+      volumes:
+      - name: {{ .Chart.Name }}-logback-config
+        configMap:
+          name: {{ .Chart.Name }}-logback-config
+      - name: {{ .Values.external_configmaps.access_public_keys.name }}
+        secret:
+          secretName: {{ .Values.external_configmaps.access_public_keys.name }}
+{{- if .Values.opa_sidecar }}
+      - name: {{ .Chart.Name }}-envoy-config
+        configMap:
+          name: {{ .Chart.Name }}-envoy-config
+      - name: opa-policies
+        projected:
+          sources:
+          - configMap:
+              name: {{ .Values.external_configmaps.common_opa_policies_keys.name }}
+          - configMap:
+              name: {{ .Values.external_configmaps.common_opa_policies.name }}
+          - configMap:
+              name: {{ .Chart.Name }}-opa-policies
+{{- end }}
\ No newline at end of file

helm/learner/templates/envoy-config.yaml

+---
+{{- if .Values.opa_sidecar }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Chart.Name }}-envoy-config
+  namespace: {{ .Release.Namespace }}
+data:
+  envoy-config.yaml: |
+    static_resources:
+      listeners:
+      - name: listener_0
+        address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 9999
+        per_connection_buffer_limit_bytes: 62914560
+        filter_chains:
+        - filters:
+          - name: envoy.http_connection_manager
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              codec_type: auto
+              stat_prefix: ingress_http
+              access_log:
+              - name: envoy.access_loggers.stdout
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+                  log_format:
+                    text_format: "%DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT% - - [%START_TIME(%d/%b/%Y:%H:%M:%S %z)%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(X-DEVICE-ID)%\" \"%REQ(X-CHANNEL-ID)%\" \"%REQ(X-APP-ID)%\" \"%REQ(X-APP-VER)%\" \"%REQ(X-SESSION-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n"
+              route_config:
+                name: local_route
+                virtual_hosts:
+                - name: backend
+                  domains:
+                  - "*"
+                  routes:
+                  - match:
+                      prefix: "/opa/metrics"
+                    route:
+                      prefix_rewrite: "/metrics"
+                      cluster: opa
+                    typed_per_filter_config:
+                      envoy.filters.http.ext_authz:
+                        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                        disabled: true
+                  - match:
+                      prefix: "{{ .Values.livenessProbe.httpGet.path }}"
+                    route:
+                      cluster: service
+                    typed_per_filter_config:
+                      envoy.filters.http.ext_authz:
+                        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                        disabled: true
+                  - match:
+                      prefix: "{{ .Values.readinessProbe.httpGet.path }}"
+                    route:
+                      cluster: service
+                    typed_per_filter_config:
+                      envoy.filters.http.ext_authz:
+                        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                        disabled: true
+                  - match:
+                      prefix: "/"
+                    route:
+                      cluster: service
+                      timeout: 60s
+              http_filters:
+              - name: envoy.filters.http.ext_authz
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                  transport_api_version: V3
+                  with_request_body:
+                    max_request_bytes: 62914560
+                    allow_partial_message: true
+                  failure_mode_allow: true
+                  grpc_service:
+                    google_grpc:
+                      target_uri: 127.0.0.1:9191
+                      stat_prefix: ext_authz
+                    timeout: 5s
+              - name: envoy.filters.http.router
+      clusters:
+      - name: service
+        connect_timeout: 5s
+        per_connection_buffer_limit_bytes: 62914560
+        type: static
+        load_assignment:
+          cluster_name: service
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: {{ .Values.targetPort }}
+      - name: opa
+        connect_timeout: 5s
+        type: static
+        load_assignment:
+          cluster_name: opa
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 8181
+    admin:
+      access_log_path: "/dev/stdout"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 10000
+{{ end }}
\ No newline at end of file

helm/learner/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Chart.Name }}-service
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Chart.Name }}
+spec:
+  ports:
+  - name: http-{{ .Chart.Name }}
+    protocol: TCP
+    port: {{ .Values.targetPort }}
+{{- if .Values.opa_sidecar }}
+  - name: opa-metrics
+    port: 8181
+    protocol: TCP
+    targetPort: 8181
+  - name: envoy-metrics
+    port: 10000
+    protocol: TCP
+    targetPort: 10000
+{{- end }}
+  selector:
+    app: {{ .Chart.Name }}
\ No newline at end of file

helm/learner/values.yaml

+## This section has mandatory variables
+## You must provide a value for these
+## If you don't provide a value for these variables, the chart installation will not proceed
+
+## The domain name or Public IP address
+## The domain name should start with http or https
+## For example https://example.com
+domain: ""
+
+## Can be one of - azure, aws, gcloud
+cloud_service_provider: ""
+
+## Public storage bucket details
+cloud_public_storage_accountname: ""
+cloud_public_storage_secret: ""
+
+## Private storage bucket details
+cloud_private_storage_accountname: ""
+cloud_private_storage_secret: ""
+
+
+## This section has optional variables
+## It is strongly recommended to provide a value for these
+## If you don't provide a value for these variables, they will default to empty values
+## If these variables are empty, some features on the application might not work as expected 
+google_captcha_mobile_private_key: ""
+google_captcha_private_key: ""
+sunbird_mail_server_from_email: ""
+sunbird_mail_server_host: ""
+sunbird_mail_server_password: ""
+sunbird_mail_server_port: ""
+sunbird_mail_server_username: ""
+sunbird_msg_91_auth: ""
+sunbird_msg_sender: ""
+sunbird_url_shortner_access_token: ""
+
+
+## The merge domain name or Public IP address
+## The merge domain name should start with http or https
+## For example https://merge.example.com
+merge_domain: ""
+
+
+## This section has optional variables
+## If you provide a value to the variable, then that will have the highest precedence
+## If you don't provide a value, then it's auto generated
+
+
+## This section has optional variables
+## If you provide a value to the variable, then that will have the highest precedence
+## If you don't provide a value, then it's fetched from kubernetes secret or subchart template
+## If the value is empty or nil, installation will be halted
+ekstep_authorization: ""
+sunbird_authorization: ""
+sunbird_keycloak_user_federation_provider_id: ""
+sunbird_pg_user: ""
+sunbird_pg_password: ""
+sunbird_sso_publickey: ""
+sunbird_sso_client_secret: ""
+
+## This section has variables with default values
+## These are standard defaults that work well
+## You can override these if you have a use case for it
+ENV_NAME: dev
+PORTAL_SERVICE_PORT: http://player.ed.svc.cluster.local:3000
+SUNBIRD_KAFKA_URL: http://kafka.lern.svc.cluster.local:9092
+accesstoken:
+  publickey:
+    basepath: /keys/
+actor_hostname: actor-service
+api_actor_provider: local
+background_actor_provider: local
+bind_hostname: 0.0.0.0
+ekstep_api_base_url: http://learning.knowlg.svc.cluster.local:8080/learning-service
+feed_limit: 30
+form_api_endpoint: /plugin/v1/form/read
+isMultiDCEnabled: false
+kafka_urls: http://kafka.lern.svc.cluster.local:9092
+learner_in_memory_cache_ttl: 600
+notification_service_base_url: http://notification-service.lern.svc.cluster.local:9000
+org_index_alias: org_alias
+quartz_shadow_user_migration_timer: 0 0 1 1/1 * ? *
+sunbird_analytics_api_base_url: http://analytics-service.obsrv.svc.cluster.local:9000
+sunbird_api_base_url: http://knowledge-mw-service.knowlg.svc.cluster.local:5000
+sunbird_api_mgr_base_url: http://knowledge-mw-service.knowlg.svc.cluster.local:5000
+sunbird_app_name: sunbird
+sunbird_cache_enable: true
+sunbird_cassandra_consistency_level: local_quorum
+sunbird_cassandra_host: http://cassandra.lern.svc.cluster.local
+sunbird_cassandra_password: passwod
+sunbird_cassandra_port: 9042
+sunbird_cassandra_username: admin
+sunbird_cert_service_base_url: http://cert-service.lern.svc.cluster.local:9000
+## Storage bucket name where the contents are stores
+sunbird_content_azure_storage_container: contents
+sunbird_course_batch_notification_enabled: true
+sunbird_course_batch_notification_signature: sunbird
+sunbird_cs_base_url: http://knowledge-mw-service.knowlg.svc.cluster.local:5000
+sunbird_cs_search_path: /v1/content/search
+sunbird_default_channel: sunbird
+sunbird_email_max_recipients_limit: 100
+sunbird_encryption_key: encryptionkey
+sunbird_encryption_mode: local
+sunbird_env_logo_url: ""
+sunbird_environment: dev
+sunbird_es_host: http://elasticsearch.lern.svc.cluster.local
+sunbird_es_port: 9300
+sunbird_fuzzy_search_threshold: 0.5
+sunbird_gzip_enable: true
+sunbird_gzip_size_threshold: 262144
+sunbird_health_check_enable: false
+sunbird_installation: sunbird
+sunbird_installation_display_name: sunbirddev
+sunbird_installation_display_name_for_sms: sunbird
+sunbird_installation_email: info@sunbird.org
+sunbird_instance: sunbird
+sunbird_keycloak_required_action_link_expiration_seconds: "2592000"
+sunbird_mw_system_host: learner-service
+sunbird_mw_system_port: 8088
+sunbird_open_saber_bridge_enable: false
+sunbird_otp_allowed_attempt: 2
+sunbird_otp_expiration: 1800
+sunbird_otp_length: 6
+sunbird_pg_db: quartz
+sunbird_pg_host: postgresql.lern.svc.cluster.local
+sunbird_pg_port: 5432
+sunbird_quartz_mode: cluster
+sunbird_redis_host: redis.lern.svc.cluster.local
+sunbird_redis_port: 6379
+sunbird_registry_service_baseurl: http://registry-service.registry.svc.cluster.local:8081/
+sunbird_remote_bg_req_router_path: akka.tcp://SunbirdMWSystem@actor-service:8088/user/BackgroundRequestRouter
+sunbird_remote_req_router_path: akka.tcp://SunbirdMWSystem@actor-service:8088/user/RequestRouter
+sunbird_reset_pass_msg: 'You have requested to reset password. Click on the link to set a password: {0}'
+sunbird_search_service_api_base_url: http://search-service.knowlg.svc.cluster.local:9000
+sunbird_sso_lb_ip: http://keycloak.lern.svc.cluster.local:8080
+sunbird_telemetry_base_url: http://telemetry-service.obsrv.svc.cluster.local:9001
+sunbird_time_zone: Asia/Kolkata
+sunbird_url_shortner_enable: false
+sunbird_user_bulk_upload_size: 1001
+sunbird_user_cert_kafka_topic: cert
+sunbird_user_profile_field_default_visibility: private
+telemetry_pdata_id: learner
+telemetry_pdata_pid: learner-service
+telemetry_queue_threshold_value: 100
+user_index_alias: user_alias
+
+
+## Variables that can be deprecated
+## Need a review with the team
+sunbird_sso_username: ""
+sunbird_sso_password: ""
+
+## Helper variables which are used to construct other variables
+keycloak_auth_endpoint: "/auth/"
+sunbird_encryption_key_length: 10
+external_secrets:
+  kong:
+    name: kong-api-tokens
+    key: learner-api-token
+  keycloak_federation:
+    name: keycloak-federation
+    key: cassandra-storage-provider
+  keycloak_client_secret:
+    name: keycloak-clients
+    key: lms
+  keycloak_realm_public_key:
+    name: keycloak-realms
+    key: sunbird
+  postgresql_user:
+    name: postgresql
+    key: postgres-user
+  postgresql_password:
+    name: postgresql
+    key: postgresql-password
+
+external_configmaps:
+  common_opa_policies:
+    name: common-opa-policies
+  common_opa_policies_keys:
+    name: common-opa-policies-public-keys
+  access_public_keys:
+    name: user-access-keys-public
+
+
+## This section has other kubernetes variables
+## These are standard defaults that work well
+## You can override these if you have a use case for it
+image:
+  registry: docker.io
+  repository: keshavprasad/learner
+  tag: release-5.0.0
+
+replicaCount: 1
+
+strategy:
+  maxSurge: 25%
+  maxUnavailable: 25%
+
+imagePullSecrets: ""
+
+javaOptions: -Xmx600m
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 100M
+  limits:
+    cpu: 1
+    memory: 1G
+
+port: 9000
+
+targetPort: 9000
+
+livenessProbe:
+  failureThreshold: 2
+  httpGet:
+      path: /service/health
+      port: 9000
+  initialDelaySeconds: 15
+  periodSeconds: 15
+  timeoutSeconds: 5
+
+readinessProbe:
+  failureThreshold: 2
+  httpGet:
+      path: /service/health
+      port: 9000
+  initialDelaySeconds: 15
+  periodSeconds: 15
+  timeoutSeconds: 5
+
+opa_sidecar: true
+
+envoy_livenessProbe:
+  failureThreshold: 2
+  httpGet:
+      path: /ready
+      port: 10000
+      scheme: HTTP
+  initialDelaySeconds: 5
+  periodSeconds: 15
+  timeoutSeconds: 5
+
+envoy_readinessProbe:
+  failureThreshold: 2
+  httpGet:
+      path: /ready
+      port: 10000
+      scheme: HTTP
+  initialDelaySeconds: 5
+  periodSeconds: 15
+  timeoutSeconds: 5
+
+opa_livenessProbe:
+  failureThreshold: 2
+  httpGet:
+      path: /health?plugins
+      port: 8282
+      scheme: HTTP
+  initialDelaySeconds: 5
+  periodSeconds: 15
+  timeoutSeconds: 5
+
+opa_readinessProbe:
+  failureThreshold: 2
+  httpGet:
+      path: /health?bundle=true
+      port: 8282
+      scheme: HTTP
+  initialDelaySeconds: 5
+  periodSeconds: 15
+  timeoutSeconds: 5
+
+envoy_resources:
+  requests:
+    cpu: 100m
+    memory: 100M
+  limits:
+    cpu: 1
+    memory: 1G
+
+opa_resources:
+  requests:
+    cpu: 100m
+    memory: 100M
+  limits:
+    cpu: 1
+    memory: 1G
+
+initcontainer_resources:
+  requests:
+    cpu: 100m
+    memory: 100M
+  limits:
+    cpu: 100m
+    memory: 100M
+
+
+## List of variables that are accepted by the service but not being referenced in configmap
+## The value for these variables will be constructed using other variables, so you cannot pass a value to these
+## If you want to provide values to them and override, you will need to change the configmap to reference these vars
+## This list is shown here only for reference
+
+# Refers to domain/auth
+# sunbird_sso_url: ""
+# sunbird_subdomain_keycloak_base_url: ""
+
+# Refers to domain
+# sunbird_web_url: ""
+
+## Refers to cloud_service_provider
+# sunbird_cloud_service_provider: ""
+
+## Refers to public storage bucket details
+# sunbird_account_name: ""
+# sunbird_account_key: ""
+
+## Refers to private storage bucket details
+# sunbird_analytics_blob_account_name: ""
+# sunbird_analytics_blob_account_key: ""
+
+## Uses the keycloak lms client from sunbird realm
+#sunbird_sso_client_id: lms
+#sunbird_sso_realm: sunbird
\ No newline at end of file

helm/learner_opa_policies/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*_test.rego
\ No newline at end of file

helm/learner_opa_policies/Chart.yaml

+apiVersion: v2
+name: learner_opa_policies
+description: A helm chart for learner opa policies
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "5.0.0"
\ No newline at end of file

helm/learner_opa_policies/service-policies/policies.rego

+package policies
+
+import data.common as super
+import future.keywords.in
+import input.attributes.request.http as http_request
+
+urls_to_action_mapping := {
+  "/v1/user/tnc/accept": "acceptTermsAndCondition",
+  "/v1/user/update": "updateUser",
+  "/v1/user/assign/role": "assignRole",
+  "/v2/user/assign/role": "assignRoleV2",
+  "/v1/user/read": "getUserProfile",
+  "/v2/user/read": "getUserProfileV2",
+  "/v3/user/read": "getUserProfileV3",
+  "/v4/user/read": "getUserProfileV4",
+  "/v5/user/read": "getUserProfileV5",
+  "/v1/user/feed": "userFeed",
+  "/v1/user/feed/create": "userFeedCreate",
+  "/v1/user/feed/delete": "userFeedDelete",
+  "/v1/user/feed/update": "userFeedUpdate",
+  "/v2/user/update": "updateUserV2",
+  "/v3/user/update": "updateUserV3",
+  "/v1/user/declarations": "updateUserDeclarations",
+  "/v1/manageduser/create": "managedUserV1Create",
+  "/v1/user/managed": "searchManagedUser",
+  "/v1/user/consent/read": "readUserConsent",
+  "/v1/user/consent/update": "updateUserConsent",
+  "/v2/org/preferences/read": "readTenantPreferences",
+  "/v2/org/preferences/create": "createTenantPreferences",
+  "/v2/org/preferences/update": "updateTenantPreferences"
+}
+
+# Tnc API policy updates to handle different scenarios as explained below
+# When some or all payloads are missing:
+# 1. Missing userid and tnc type
+# 2. Missing tnc type
+# 3. Missing userid and tnc type not as orgAdminTnc / reportViewerTnc
+# 4. Missing userid but tnc type as orgAdminTnc / reportViewerTnc
+# When all payloads are present:
+# 5. Both userid, tnc type present and tnc type not as orgAdminTnc / reportViewerTnc
+# 6. Both userid, tnc type present and tnc type as orgAdminTnc / reportViewerTnc
+# Issue identified as part of -
+# - https://project-sunbird.atlassian.net/browse/SB-29723
+# - https://project-sunbird.atlassian.net/browse/SB-29996
+
+# Point #1
+acceptTermsAndCondition {
+  super.public_role_check
+  not input.parsed_body.request.userId
+  not input.parsed_body.request.tncType
+}
+
+# Point #2
+acceptTermsAndCondition {
+  super.public_role_check
+  input.parsed_body.request.userId == super.userid
+  not input.parsed_body.request.tncType
+}
+
+# Point #3
+acceptTermsAndCondition {
+  super.public_role_check
+  not input.parsed_body.request.userId
+  not input.parsed_body.request.tncType in ["orgAdminTnc", "reportViewerTnc"]
+}
+
+# Point #4 - As orgAdminTnc
+acceptTermsAndCondition {
+  acls := ["acceptTnc"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+  not input.parsed_body.request.userId
+  "orgAdminTnc" == input.parsed_body.request.tncType
+}
+
+# Point #4 - As reportViewerTnc
+acceptTermsAndCondition {
+  acls := ["acceptTnc"]
+  roles := ["REPORT_VIEWER", "REPORT_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+  not input.parsed_body.request.userId
+  "reportViewerTnc" == input.parsed_body.request.tncType
+}
+
+# Point #5
+acceptTermsAndCondition {
+  super.public_role_check
+  input.parsed_body.request.userId == super.userid
+  not input.parsed_body.request.tncType in ["orgAdminTnc", "reportViewerTnc"]
+}
+
+# Point #6 - As orgAdminTnc
+acceptTermsAndCondition {
+  acls := ["acceptTnc"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+  input.parsed_body.request.userId == super.userid
+  "orgAdminTnc" == input.parsed_body.request.tncType
+}
+
+# Point #6 - As reportViewerTnc
+acceptTermsAndCondition {
+  acls := ["acceptTnc"]
+  roles := ["REPORT_VIEWER", "REPORT_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+  input.parsed_body.request.userId == super.userid
+  "reportViewerTnc" == input.parsed_body.request.tncType
+}
+
+updateUser {
+  super.public_role_check
+  input.parsed_body.request.userId == super.userid
+}
+
+assignRole {
+  acls := ["assignRole"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  # Org check will do an implicit role check so there is no need to invoke super.role_check(roles)
+  token_organisationids := super.org_check(roles)
+  input.parsed_body.request.organisationId in token_organisationids
+}
+
+assignRoleV2 {
+  acls := ["assignRole"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  # Org check will do an implicit role check so there is no need to invoke super.role_check(roles)
+  token_orgs := super.org_check(roles)
+
+  # In the below code, we use sets and compare them
+  # This can be done using arrays also
+  # Take a look at the audience check (commented out) in common.rego which uses the array logic
+
+  payload_orgs := {ids | ids := input.parsed_body.request.roles[_].scope[_].organisationId}
+  matching_orgs := {orgs | some i; payload_orgs[i] in token_orgs; orgs := i}
+  payload_orgs == matching_orgs
+}
+
+# https://project-sunbird.atlassian.net/browse/SB-30186
+# Allow the request to go through if the organisationId is an array type in order to receive a 400 Bad Request error from backend
+assignRoleV2 {
+  acls := ["assignRole"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  type_name(input.parsed_body.request.roles[_].scope[_].organisationId) == "array"
+}
+
+getUserProfile {
+  super.public_role_check
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+getUserProfileV2 {
+  super.public_role_check
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+getUserProfileV3 {
+  super.public_role_check
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+getUserProfileV4 {
+  super.public_role_check
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+getUserProfileV5 {
+  super.public_role_check
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+# Org admin is allowed to retrive any user info using the /v5/user/read endpoint
+getUserProfileV5 {
+  acls := ["getUserProfileV5"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+}
+
+# Allow the API call when using ?withTokens=true as query param - https://project-sunbird.atlassian.net/browse/SB-29676
+getUserProfileV5 {
+  super.public_role_check
+  contains(http_request.path, "?withTokens=true")
+}
+
+userFeed {
+  super.public_role_check
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+# https://project-sunbird.atlassian.net/browse/SB-29951
+# Temporary fix as all feed url's begin with /v1/user/feed
+# Having only the userFeed (/v1/user/feed/:userid) block is causing issues for other similar routes like /v1/user/feed/create, /v1/user/feed/delete and /v1/user/feed/update
+# Adding the other url blocks below and making them a pass through to avoid rejecting the API incorrectly
+
+userFeedCreate {
+  true
+}
+
+userFeedDelete {
+  true
+}
+
+userFeedUpdate {
+  true
+}
+
+updateUserV2 {
+  super.public_role_check
+  input.parsed_body.request.userId == super.userid
+}
+
+# Org admin is allowed to update any user info using the /v2/user/update endpoint
+updateUserV2 {
+  acls := ["updateUserV2"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+}
+
+updateUserV3 {
+  super.public_role_check
+  input.parsed_body.request.userId == super.userid
+}
+
+updateUserDeclarations {
+  super.public_role_check
+  payload_userids := {ids | ids := input.parsed_body.request.declarations[_].userId}
+  count(payload_userids) == 1
+  payload_userids[super.userid] == super.userid
+}
+
+# If for token exists, check request.managedBy matches for_token_parentid
+managedUserV1Create {
+  super.public_role_check
+  input.parsed_body.request.managedBy == super.for_token_parentid
+}
+
+# If for token doesn't exist, check request.managedBy matches userid
+managedUserV1Create {
+  super.public_role_check
+  input.parsed_body.request.managedBy == super.userid
+}
+
+# If for token exists, check userid in url matches for token parent id
+searchManagedUser {
+  super.public_role_check
+  super.for_token_exists
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.for_token_parentid
+}
+
+# If for token doesn't exist, check userid in url matches the x-authenticated-user-token userid
+searchManagedUser {
+  super.public_role_check
+  not super.for_token_exists
+  user_id := split(http_request.path, "/")[4]
+  split(user_id, "?")[0] == super.userid
+}
+
+readUserConsent {
+  super.public_role_check
+  input.parsed_body.request.consent.filters.userId == super.userid
+}
+
+# Org admin is allowed to read any user's consent using the /v1/user/consent/read endpoint
+readUserConsent {
+  acls := ["readUserConsent"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+}
+
+updateUserConsent {
+  super.public_role_check
+  input.parsed_body.request.consent.userId == super.userid
+}
+
+readTenantPreferences {
+  super.public_role_check
+}
+
+createTenantPreferences {
+  acls := ["createTenantPreferences"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+}
+
+updateTenantPreferences {
+  acls := ["updateTenantPreferences"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+}
\ No newline at end of file

helm/learner_opa_policies/templates/configmap.yaml

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Chart.Name | replace "_" "-" }}
+  namespace: {{ .Release.Namespace }}
+data:
+{{ (.Files.Glob "service-policies/*").AsConfig | indent 2 }}
\ No newline at end of file

helm/learner_opa_policies/values.yaml

+## Learner service opa policies chart
\ No newline at end of file