US-623222: Enable HIGH_SECURE_CRYPTO_MODE for SRS (pegasystems#793)
* US-623222: Enable HIGH_SECURE_CRYPTO_MODE for SRS

* US-623222: Lint fixes

* US-623222: Lint fixes

* US-623222: Fix linting issues

* US-623222: Updated docs and parameter names

* US-623222: Addressed review comments
bhowd1 authored Aug 6, 2024
1 parent 9abaf04 commit 13d4c06
Showing 5 changed files with 29 additions and 1 deletion.
10 changes: 9 additions & 1 deletion charts/backingservices/charts/srs/README.md
Expand Up @@ -111,7 +111,9 @@ To deploy Pega Platform with the SRS backing service, the SRS helm chart require
| `srsRuntime` | Use this section to define specific resource configuration options like image, replica count, pod affinity, cpu and memory resource settings in the SRS. The default minimum required number of replicas is 2, but as a best practice, deploy 3 replicas to maintain high availability. |
| `busybox` | When provisioning an internally managed Elasticsearch cluster, you can customize the location and pull policy of the Alpine image used during the deployment process by specifying `busybox.image` and `busybox.imagePullPolicy`. |
| `elasticsearch` | Define the elasticsearch cluster configurations. The [Elasticsearch](https://github.com/helm/charts/tree/master/stable/elasticsearch/values.yaml) chart defines the values for Elasticsearch provisioning in the SRS cluster. For internally provisioned Elasticsearch the default version is set to `7.17.9`. Set the `elasticsearch.imageTag` parameter in values.yaml to `7.16.3` to use this supported version in the SRS cluster. |
| `k8sProvider` | Specify your Kubernetes provider name. Supported values are [`eks`, `aks`, `minikube`, `gke`, `openshift`, `pks`]..
| `k8sProvider` | Specify your Kubernetes provider name. Supported values are [`eks`, `aks`, `minikube`, `gke`, `openshift`, `pks`].
| `enableSecureCryptoMode` | Set to true if you require a highly secured connection that complies with NIST SP 800-53 and NIST SP 800-131. Otherwise, set to false.
| `javaOpts` | Use this parameter to configure values for Java options.

### Enabling security between SRS and Elasticsearch
Enabling a secure connection between SRS and your Elasticsearch service depends on the method you chose to deploy the Elasticsearch cluster.
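Review bot: the three new table rows (`k8sProvider`, `enableSecureCryptoMode`, `javaOpts`) omit the closing `|` that every other row in this table carries; add it so the rows render consistently. The `enableSecureCryptoMode` description also only names the standards (NIST SP 800-53 and NIST SP 800-131) and never says what the flag actually changes in the SRS connection, nor that it reaches the container as the `HIGH_SECURE_CRYPTO_MODE_ENABLED` environment variable; one sentence on what the mode enforces would let operators decide whether they need it.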
Expand Down Expand Up @@ -178,6 +180,12 @@ srs:
AuthEnabled: false
# When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
OAuthPublicKeyURL: ""

# Set to `true` if Highly secured connection complying NIST SP 800-53 and NIST SP 800-131 is required; otherwise leave set to `false`
enableSecureCryptoMode: false

# This is used to configure Java options values.
javaOpts: ""

# This section specifies the elasticsearch cluster configuration.
srsStorage:
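Review bot: the comment on `enableSecureCryptoMode` here reads "Highly secured connection complying NIST ...", which is ungrammatical and differs from the wording used for the same key in values.yaml ("Set to true if you require a highly secured connection that complies with ..."); use one sentence in both places. The `javaOpts` comment should likewise say that the string is passed through verbatim as the JVM's `JAVA_OPTS`, so readers know the expected format.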
4 changes: 4 additions & 0 deletions charts/backingservices/charts/srs/templates/_helpers.tpl
Expand Up @@ -189,6 +189,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end }}

{{- define "javaOpts" -}}
{{- .Values.srsRuntime.javaOpts }}
{{- end -}}

{{/*
Network policy: `openshift-dns` for openshift cluster, `kube-dns | core-dns` for other supported providers.
*/}}
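Review bot: the `javaOpts` helper emits `.Values.srsRuntime.javaOpts` without quoting, unlike the crypto-mode value, which is wrapped in double quotes in the deployment template. Inserted after `value:` it is parsed as a plain YAML scalar, so an option string containing `: ` or ` #` changes meaning, and the empty default renders as `value:` with nothing after it, which is null rather than an empty string. Emit `{{- .Values.srsRuntime.javaOpts | quote }}` here (or quote at the call site) so the env var is always a string.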
Expand Up @@ -103,6 +103,10 @@ spec:
value: {{ template "oAuthPublicKeyUrl" .}}
- name: PUBLIC_KEY_URL
value: ""
- name: HIGH_SECURE_CRYPTO_MODE_ENABLED
value: "{{ .Values.srsRuntime.enableSecureCryptoMode | default "false" }}"
- name: JAVA_OPTS
value: {{ template "javaOpts" .}}
resources:
{{- toYaml .Values.srsRuntime.resources | nindent 12 }}
{{- if .Values.srsStorage.tls.enabled }}
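Review bot: `JAVA_OPTS` is rendered unquoted (`value: {{ template "javaOpts" .}}`) while `HIGH_SECURE_CRYPTO_MODE_ENABLED` two lines above is quoted; switch to `value: {{ include "javaOpts" . | quote }}` (`template` cannot be piped, `include` can) so the value is always a string. For `HIGH_SECURE_CRYPTO_MODE_ENABLED`, `| default "false"` passes any non-empty value through verbatim, so a typo such as `enableSecureCryptoMode: ture` silently reaches the container as `"ture"`; `{{ .Values.srsRuntime.enableSecureCryptoMode | ternary "true" "false" }}` would instead fail rendering on a non-boolean and keep the default strictly opt-in.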
6 changes: 6 additions & 0 deletions charts/backingservices/charts/srs/values.yaml
Expand Up @@ -27,3 +27,9 @@ srsRuntime:
AuthEnabled: false
# When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
OAuthPublicKeyURL: ""

# Set to true if you require a highly secured connection that complies with NIST SP 800-53 and NIST SP 800-131. Otherwise, set to false.
enableSecureCryptoMode: false

# Use this parameter to configure values for Java options.
javaOpts: ""
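Review bot: the two new keys are added in the opposite order from `charts/backingservices/values.yaml` (there `javaOpts` precedes `enableSecureCryptoMode`); align the order so the two files stay easy to diff against each other.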
6 changes: 6 additions & 0 deletions charts/backingservices/values.yaml
Expand Up @@ -38,6 +38,12 @@ srs:
# When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
OAuthPublicKeyURL: ""

# Use this parameter to configure values for Java options.
javaOpts: ""

# Set to true if you require a highly secured connection that complies with NIST SP 800-53 and NIST SP 800-131. Otherwise, set to false.
enableSecureCryptoMode: false

# This section specifies the elasticsearch cluster configuration.
srsStorage:
# Setting srsStorage.provisionInternalESCluster to true will provision an internal elasticsearch cluster using the configuration
