From 5784be934ed5a34bf90079fb90dfb23b16ae0573 Mon Sep 17 00:00:00 2001 From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Tue, 19 Nov 2024 09:22:19 +0100 Subject: [PATCH 01/11] BUG-898033 - Documentation clarification for DB support (#853) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Peterson, John Sent: Friday, November 15, 2024 4:10 PM To: Kowalska, Kinga Cc: Casavant, Dave ; Chikkam, Venkata Satya Gopal ; Talbot, Adam ; Kumar, Saurabh Subject: CMC Documentation clarification for SRS & Databases. Hi Kinga, Yes, I agree with your proposed changes. Thanks! John 
From: Kowalska, Kinga Sent: Thursday, November 14, 2024 8:15 AM To: Peterson, John Cc: Casavant, Dave ; Chikkam, Venkata Satya Gopal ; Talbot, Adam ; Kumar, Saurabh Subject: RE: ExtMsg: Pega Containerized Deployment on OpenShift Hi John, For Elasticsearch: In Search and Reporting Service Helm chart I would replace the following introduction paragraph: The Pega Search and Reporting Service or SRS backing service can replace the embedded search feature of Pega Infinity Platform. To use it in your deployment, you provision and deploy it independently as an external service which provides search and reporting capabilities with a Pega Infinity environment. With: The Pega Search and Reporting Service or SRS backing service provides the search and reporting capabilities of Pega Infinity Platform. To use it in your deployment, you provision and deploy it independently as an external service in a Pega Infinity environment. If we want to stress the message, I can add a note specifically saying “Embedded Elasticsearch service is not supported for containerized deployments.”, but this will become redundant once we cycle out of Pega Platform versions that support embedded search. For databases: In JDBC Configuration I can add the following sentence with a link: Use the jdbc section of the values file to specify how to connect to the Pega database. Pega must be installed to this database before deploying on Kubernetes. For more information on supported databases and jdbc driver versions, see the Platform Support Guide. Does this work for you? Best regards, Kinga Kowalska | Principal Technical Writer | Pegasystems Inc. Email: kinga.kowalska@pega.com | pega.com 
From: Peterson, John Sent: Friday, November 1, 2024 3:28 PM To: Kowalska, Kinga Cc: Casavant, Dave ; Chikkam, Venkata Satya Gopal ; Talbot, Adam ; Kumar, Saurabh Subject: RE: ExtMsg: Pega Containerized Deployment on OpenShift Hi Kinga, We’ve never supported running embedded search on K8S deployments, so I think the language needs to be updated, is this something you can assist with? From a database support perspective, can you also update the K8S documentation to refer the Platform Support Guide? Thanks, John From: Peterson, John Sent: Friday, November 1, 2024 10:03 AM To: Panigrahy, Chinmaya ; Oleti Venkata, Nagendra ; Thota, Srinivas Maheedhar ; Chikkam, Venkata Satya Gopal Subject: RE: ExtMsg: Pega Containerized Deployment on OpenShift Hi Chinmaya, 1. Usage of existing on-premise DB : We have existing oracle database on-premise, Can we use this existing database and schemas with the containerized deployment on OpenShift ? Yes. https://github.com/pegasystems/pega-helm-charts/tree/master/charts/pega#url-and-driver-class 2. Usage of embedded Kafka on OpenShift : As we are doing POC on 23.1.2 version of Pega , can we use embedded kafka & elastic search on OpenShift ? Embedded Kafka : Yes, but it is not recommended. https://github.com/pegasystems/pega-helm-charts/blob/1936bcfcbd0257fc047dc4390a4764a2dad6a626/charts/pega/EmbeddedStream.md#embedded-stream-with-latest-helm-chart-version Embedded Search : No. https://github.com/pegasystems/pega-helm-charts/tree/1936bcfcbd0257fc047dc4390a4764a2dad6a626/charts/backingservices/charts/srs#search-and-reporting-service-helm-chart Thanks, John --- charts/pega/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pega/README.md b/charts/pega/README.md index 7286462c5..6d58fa09a 100644 --- a/charts/pega/README.md +++ b/charts/pega/README.md 
@@ -58,7 +58,7 @@ global: ## JDBC Configuration -Use the `jdbc` section of the values file to specify how to connect to the Pega database. Pega must be installed to this database before deploying on Kubernetes. +Use the `jdbc` section of the values file to specify how to connect to the Pega database. Pega must be installed to this database before deploying on Kubernetes. For more information about supported databases and jdbc driver versions, see the [Platform Support Guide](https://docs.pega.com/bundle/platform/page/platform/deployment/platform-support-guide/platform-support-guide.html) ### URL and Driver Class These required connection details will point Pega to the correct database and provide the type of driver used to connect. Examples of the correct format to use are provided below. From e2a09dabe6f347beff26e33728ed5e0fb2b682f5 Mon Sep 17 00:00:00 2001 From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Tue, 19 Nov 2024 09:34:44 +0100 Subject: [PATCH 02/11] BUG-898031 SRS Readme clarification on embedded ES (#852) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Peterson, John Sent: Friday, November 15, 2024 4:10 PM To: Kowalska, Kinga Cc: Casavant, Dave ; Chikkam, Venkata Satya Gopal ; Talbot, Adam ; Kumar, Saurabh Subject: CMC Documentation clarification for SRS & Databases. Hi Kinga, Yes, I agree with your proposed changes. Thanks! John 
From: Kowalska, Kinga Sent: Thursday, November 14, 2024 8:15 AM To: Peterson, John Cc: Casavant, Dave ; Chikkam, Venkata Satya Gopal ; Talbot, Adam ; Kumar, Saurabh Subject: RE: ExtMsg: Pega Containerized Deployment on OpenShift Hi John, For Elasticsearch: In Search and Reporting Service Helm chart I would replace the following introduction paragraph: The Pega Search and Reporting Service or SRS backing service can replace the embedded search feature of Pega Infinity Platform. To use it in your deployment, you provision and deploy it independently as an external service which provides search and reporting capabilities with a Pega Infinity environment. With: The Pega Search and Reporting Service or SRS backing service provides the search and reporting capabilities of Pega Infinity Platform. To use it in your deployment, you provision and deploy it independently as an external service in a Pega Infinity environment. If we want to stress the message, I can add a note specifically saying “Embedded Elasticsearch service is not supported for containerized deployments.”, but this will become redundant once we cycle out of Pega Platform versions that support embedded search. For databases: In JDBC Configuration I can add the following sentence with a link: Use the jdbc section of the values file to specify how to connect to the Pega database. Pega must be installed to this database before deploying on Kubernetes. For more information on supported databases and jdbc driver versions, see the Platform Support Guide. Does this work for you? Best regards, Kinga Kowalska | Principal Technical Writer | Pegasystems Inc. Email: kinga.kowalska@pega.com | pega.com 
From: Peterson, John Sent: Friday, November 1, 2024 3:28 PM To: Kowalska, Kinga Cc: Casavant, Dave ; Chikkam, Venkata Satya Gopal ; Talbot, Adam ; Kumar, Saurabh Subject: RE: ExtMsg: Pega Containerized Deployment on OpenShift Hi Kinga, We’ve never supported running embedded search on K8S deployments, so I think the language needs to be updated, is this something you can assist with? From a database support perspective, can you also update the K8S documentation to refer the Platform Support Guide? Thanks, John From: Peterson, John Sent: Friday, November 1, 2024 10:03 AM To: Panigrahy, Chinmaya ; Oleti Venkata, Nagendra ; Thota, Srinivas Maheedhar ; Chikkam, Venkata Satya Gopal Subject: RE: ExtMsg: Pega Containerized Deployment on OpenShift Hi Chinmaya, Usage of existing on-premise DB : We have existing oracle database on-premise, Can we use this existing database and schemas with the containerized deployment on OpenShift ? Yes. https://github.com/pegasystems/pega-helm-charts/tree/master/charts/pega#url-and-driver-class Usage of embedded Kafka on OpenShift : As we are doing POC on 23.1.2 version of Pega , can we use embedded kafka & elastic search on OpenShift ? Embedded Kafka : Yes, but it is not recommended. https://github.com/pegasystems/pega-helm-charts/blob/1936bcfcbd0257fc047dc4390a4764a2dad6a626/charts/pega/EmbeddedStream.md#embedded-stream-with-latest-helm-chart-version Embedded Search : No. https://github.com/pegasystems/pega-helm-charts/tree/1936bcfcbd0257fc047dc4390a4764a2dad6a626/charts/backingservices/charts/srs#search-and-reporting-service-helm-chart Thanks, John --- charts/backingservices/charts/srs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/backingservices/charts/srs/README.md b/charts/backingservices/charts/srs/README.md index 3b55f7a93..850a250ae 100644 --- a/charts/backingservices/charts/srs/README.md +++ b/charts/backingservices/charts/srs/README.md 
@@ -1,6 +1,6 @@ # Search and Reporting Service Helm chart -The Pega `Search and Reporting Service` or `SRS` backing service can replace the embedded search feature of Pega Infinity Platform. To use it in your deployment, you provision and deploy it independently as an external service which provides search and reporting capabilities with a Pega Infinity environment. +The Pega `Search and Reporting Service` or `SRS` backing service provides the search and reporting capabilities of Pega Infinity Platform. To use it in your deployment, you provision and deploy it independently as an external service in a Pega Infinity environment. ## Configuring a backing service with your pega environment From 8b45db7bbea309e3282c103cae3f28689e0717db Mon Sep 17 00:00:00 2001 From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:01:46 +0100 Subject: [PATCH 03/11] US-649313 - Update OpenSearch information (#851) * US-649313 - Update OpenSearch information * US-649313 - Update OpenSearch information * US-649313 - Update OpenSearch information * US-649313 - Update OpenSearch information * US-649313 - Update OpenSearch information --- charts/backingservices/charts/srs/README.md | 48 +++++++++++++++------ docs/Deploying-Pega-on-EKS.md | 2 +- 2 files changed, 35 insertions(+), 15 deletions(-) diff --git a/charts/backingservices/charts/srs/README.md b/charts/backingservices/charts/srs/README.md index 850a250ae..8d29e3791 100644 --- a/charts/backingservices/charts/srs/README.md +++ b/charts/backingservices/charts/srs/README.md @@ -20,9 +20,10 @@ The service deployment provisions runtime service pods along with a dependency o Pega Infinity version SRS version + Docker image Kubernetes version Authentication - Certified Elasticsearch version + Certified Elasticsearch/OpenSearch version Description 
@@ -33,35 +34,45 @@ The service deployment provisions runtime service pods along with a dependency o NA NA NA + NA SRS can be used with Pega Infinity 8.6 and later. - >= 8.6 - 1.31.8 + >= 8.6 + 1.35.0 or later + search-n-reporting-service < 1.25 Not enabled - 7.10.2, 7.16.3 & 7.17.9 + Elasticsearch 7.10.2, 7.16.3 & 7.17.9 As a best practice, use Elasticsearch version 7.17.9. Deployments without authentication are not recommended for production environments. Enabled - 7.10.2, 7.16.3, 7.17.9 & 8.10.3 + Elasticsearch 7.10.2, 7.16.3, 7.17.9 & 8.10.3 As a best practice, use Elasticsearch version 8.10.3. >= 1.25 Not enabled - 7.17.9 + Elasticsearch 7.17.9 As a best practice, use Elasticsearch version 7.17.9. Deployments without authentication are not recommended for production environments. Enabled - 7.17.9 & 8.10.3 + Elasticsearch 7.17.9 & 8.10.3 As a best practice, use Elasticsearch version 8.10.3. + + search-n-reporting-service-os + All versions + Enabled +
  • Elasticsearch 7.10 on AWS OpenSearch service
  • OpenSearch 1.3
  • OpenSearch 2.15
+ As a best practice, use OpenSearch 2.15. + + **Note:** ### If your deployment uses the internally-provisioned Elasticsearch: ### 
@@ -96,7 +107,7 @@ You may enable the component of [Elasticsearch](https://github.com/helm/charts/t Note: Pega does **not** actively update the elasticsearch dependency in `requirements.yaml`. To leverage SRS, you must do one of the following: -* To use the internally-provided Elasticsearch service in the SRS cluster, use the default `srs.enabled.true` parameter and set the Elasticsearch version by updating the `elasticsearch.imageTag` parameter in the [values.yaml](./values.yaml) to match the `dependencies.version` parameter in the [requirements.yaml](../../requirements.yaml). This method streamlines the deployment process for development and testing environments, but it is not suitable for production environments, which require a fully external Elasticsearch cluster. Additionally, even though you deploy SRS and Elasticsearch together, Pega does not license the Elasticsearch cluster deployed using this method and does not maintain it as part of the Pega Platform support. +* To use the internally-provided Elasticsearch service in the SRS cluster, use the default `srs.enabled.true` parameter and set the Elasticsearch version by updating the `elasticsearch.imageTag` parameter in the [values.yaml](./values.yaml) to match the `dependencies.version` parameter in the [requirements.yaml](../../requirements.yaml). This method streamlines the deployment process for development and testing environments, but it is not suitable for production environments, which require a fully external Elasticsearch cluster. Additionally, even though you deploy SRS and Elasticsearch together, Pega does not license the Elasticsearch cluster deployed using this method and does not maintain it as part of the Pega Platform support. Note: You cannot use OpenSearch for the internally provisioned cluster. 
* To use an externally-provided Elasticsearch service with SRS, use the default `srs.enabled.true` parameter, update the `srs.srsStorage.provisionInternalESCluster` parameter in the [values.yaml](./values.yaml) to `false` and then provide connection details as documented below. This is the recommended method and is suitable for production environments. ### Deploying SRS with Pega-provided busybox images @@ -122,7 +133,7 @@ To configure a secure connection between the SRS cluster and internally provisio | Configuration | Usage | |------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `tls` | Set to `true` to enable the SRS service to authenticate to your organization's available Elasticsearch service. | -| `srsStorage.provisionInternalESCluster` |
  1. Set the `srsStorage.provisionInternalESCluster` parameter to `true` to provide an internally managed and secured Elasticsearch cluster.
  2. In the [requirements.yaml](../../requirements.yaml) file, set the `dependencies.version` parameter to the same version you configured for the `elasticsearch.imageTag` version in the Backing Services Helm chart [values.yaml](../../values.yaml) file.
  3. From the Backing Services Helm chart directory in your environment, run the following command to create your Elasticsearch certificates and pass them to secrets:

    `$ make es-prerequisite NAMESPACE= ELASTICSEARCH_VERSION=`

    Where `NAMESPACE` references your deployment namespace of the SRS cluster and `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use in [values.yaml](../../values.yaml) and [requirements.yaml](../../requirements.yaml).

| +| `srsStorage.provisionInternalESCluster` | Note: You cannot use OpenSearch for the internally provisioned cluster.

  1. Set the `srsStorage.provisionInternalESCluster` parameter to `true` to provide an internally managed and secured Elasticsearch cluster.
  2. In the [requirements.yaml](../../requirements.yaml) file, set the `dependencies.version` parameter to the same version you configured for the `elasticsearch.imageTag` version in the Backing Services Helm chart [values.yaml](../../values.yaml) file.
  3. From the Backing Services Helm chart directory in your environment, run the following command to create your Elasticsearch certificates and pass them to secrets:

    `$ make es-prerequisite NAMESPACE= ELASTICSEARCH_VERSION=`

    Where `NAMESPACE` references your deployment namespace of the SRS cluster and `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use in [values.yaml](../../values.yaml) and [requirements.yaml](../../requirements.yaml).

| To configure a secure connection between SRS and an external Elasticsearch cluster, configure the following parameters. @@ -133,12 +144,13 @@ To configure a secure connection between SRS and an external Elasticsearch clust | `certificatePassword` | Enter the tls certificate password if any. Default value will be empty if not used. | | `certsSecret` | To specify a certificate using a secret, uncomment the certsSecret parameter and provide the secret name containing your certificate and certificate password. Use the full name of the certificate file (together with file extension, for example, “certificate.p12” or“certificate.jks”) as a key name in the secret. Use this key name to configure the “certificateName”parameter.Use a key name “password” to provide the certificate password in the secret. Defaults to "srs-certificates".| | `authSecret` | Specify the secret with your Elasticsearch credentials. Use “username” and “password” as keys for your secret.This parameter applies to both basic authentication and TLS-based authentication. Defaults to "srs-elastic-credentials".| -| `esCredentials.username` | Enter the username for your available Elasticsearch service. This username value must match the values you set in the connection info section of esCredentials. | -| `esCredentials.password` | Enter the required password for your available Elasticsearch service. This password value must match the values you set in the connection info section of esCredentials. | -| `srsStorage.provisionInternalESCluster` |
  1. Set the `srsStorage.provisionInternalESCluster` parameter to `false` to disable the internally provisioned Elasticsearch cluster and connect to your available external Elasticsearch service.
  2. To secure the connection between SRS and your external Elasticsearch service, you must provide the appropriate TLS certificates in an accessible location, for example, /home/certs.
  3. To pass the required certificates to the cluster using a secrets file, run the following command:

    `$ make external-es-secrets NAMESPACE= ELASTICSEARCH_VERSION= PATH_TO_CERTIFICATE=`

    Where NAMESPACE references your deployment namespace of the SRS cluster, `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use, and `PATH_TO_CERTIFICATE` points to the location where you copied the required certificates on your location machine, for example:

    `$ make external-es-secrets NAMESPACE=pegabackingservices ELASTICSEARCH_VERSION=7.10.2 PATH_TO_CERTIFICATE=/home/certs/truststore.jks`

  4. To update the SRS and External Elasticsearch certificates, use the following command:

    `$ make update-external-es-secrets NAMESPACE= PATH_TO_CERTIFICATE=`

| +| `esCredentials.username` | Enter the username for your available Elasticsearch service. This username value must match the values you set in the connection info section of esCredentials.
Note: This parameter will be deprecated in future releases, so as a best practice, use `authCredentials.username`. | +| `esCredentials.password` | Enter the required password for your available Elasticsearch service. This password value must match the values you set in the connection info section of esCredentials.
Note: This parameter will be deprecated in future releases, so as a best practice, use `authCredentials.password`. +| `authCredentials.username` | Enter the username for your available Elasticsearch/OpenSearch service. This username value must match the values you set in the connection info section of authCredentials. | +| `authCredentials.password` | Enter the required password for your available Elasticsearch/OpenSearch service. This password value must match the values you set in the connection info section of authCredentials. | +| `srsStorage.provisionInternalESCluster` |
  1. Set the `srsStorage.provisionInternalESCluster` parameter to `false` to disable the internally provisioned Elasticsearch cluster and connect to your available external Elasticsearch service.
  2. To secure the connection between SRS and your external Elasticsearch service, you must provide the appropriate TLS certificates in an accessible location, for example, /home/certs.
  3. To pass the required certificates to the cluster using a secrets file, run the following command:

    `$ make external-es-secrets NAMESPACE= ELASTICSEARCH_VERSION= PATH_TO_CERTIFICATE=`

    Where NAMESPACE references your deployment namespace of the SRS cluster, `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use, and `PATH_TO_CERTIFICATE` points to the location where you copied the required certificates on your location machine, for example:

    `$ make external-es-secrets NAMESPACE=pegabackingservices ELASTICSEARCH_VERSION=7.10.2 PATH_TO_CERTIFICATE=/home/certs/truststore.jks`

  4. To update the SRS and External Elasticsearch certificates, use the following command:

    `$ make update-external-es-secrets NAMESPACE= PATH_TO_CERTIFICATE=`

    Note: Only .p12 and .jks certificates are supported.

| | `domain` | Enter the DNS entry associated with your external Elasticsearch service. | -Note: Only .p12 and .jks certificates are supported. ### Enable request authentication/authorization mechanism using identity provider(IdP) between SRS and Pega Infinity @@ -214,7 +226,15 @@ srs: # Set srs.srsStorage.basicAuthentication.enabled: true to enable the use of basic authentication to your Elasticsearch service whether is it running as an internalized or externalized service in your SRS cluster. basicAuthentication: enabled: true - # To configure basic authentication or TLS-based authentication to your externally-managed Elasticsearch service in your SRS cluster, uncomment and add the parameter details: srs.srsStorage.esCredentials.username and srs.srsStorage.esCredentials.password. + # To configure basic authentication or TLS-based authentication to your externally-managed Elasticsearch/OpenSearch service in your SRS cluster, + # uncomment and add the parameter details: srs.srsStorage.authCredentials.username and srs.srsStorage.authCredentials.password + # Auth Credentials added under authCredentials field which supports both Elasticsearch and OpenSearch credentials. + # authCredentials: + # username: "username" + # password: "password" + # for your externally managed Elasticsearch cluster. + # uncomment and add the parameter details: srs.srsStorage.esCredentials.username and srs.srsStorage.esCredentials.password for your externally managed elasticsearch cluster. + # esCredentials will be deprecated in future releases, please switch to authCredentials. # esCredentials: # username: "username" # password: "password" diff --git a/docs/Deploying-Pega-on-EKS.md b/docs/Deploying-Pega-on-EKS.md index d230e5c0a..ca4be6bd0 100644 --- a/docs/Deploying-Pega-on-EKS.md +++ b/docs/Deploying-Pega-on-EKS.md 
@@ -471,7 +471,7 @@ To configure the parameters in the backingservices.yaml file, download the file | global.imageCredentials.registry: username: password: | Include the URL of your Docker registry along with the registry “username” and “password” credentials. |
  • url: “\
  • username: "\"
  • password: "\"
| | global.k8sProvider: | Specify the value of your Kubernetes provider. | k8sProvider: "eks" | | srs.deploymentName: | Specify unique name for the deployment based on org app and/or SRS applicable environment name. | deploymentName: "acme-demo-dev-srs" | -| srs.srsRuntime.srsImage: | Specify the Pega-provided SRS Docker image that you downloaded and pushed to your Docker registry. To run SRS with AWS OpenSearch Elasticsearch 7.10, use the dedicated `platform-services/search-n-reporting-service-aws` Docker image. | srs.srsRuntime.srsImage: "\my-pega-srs:\". For `` tag details, see [SRS Version compatibility matrix](../charts/backingservices/charts/srs/README.md#srs-version-compatibility-matrix). | +| srs.srsRuntime.srsImage: | Specify the Pega-provided SRS Docker image that you downloaded and pushed to your Docker registry. To run SRS with Elasticsearch, use the general `platform-services/search-n-reporting-service` Docker image. To run SRS with AWS-managed OpenSearch service, use the dedicated `platform-services/search-n-reporting-service-os` Docker image. | srs.srsRuntime.srsImage: "\my-pega-srs:\". For `` tag details, see [SRS Version compatibility matrix](../charts/backingservices/charts/srs/README.md#srs-version-compatibility-matrix). | | srs.srsRuntime.imagePullSecretNames: | Specify any pre-existing image pull secrets required to pull images from your organization's registry. (Optional) | imagePullSecretNames: [secret1, secret2] | | srs.srsStorage.provisionInternalESCluster: | Enabled by default to provision an Elasticsearch cluster. |
  • Set srs.srsStorage.provisionInternalESCluster:`true` and run `$ make es-prerequisite NAMESPACE= ELASTICSEARCH_VERSION= `
  • Set srs.srsStorage.provisionInternalESCluster:`false` if you want to use an existing, externally provisioned ElasticSearch cluster.
| From 39f5b552c6e2aacefb9631c82c7375f2c66641bc Mon Sep 17 00:00:00 2001 From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Wed, 20 Nov 2024 13:17:40 +0100 Subject: [PATCH 04/11] BUG-898240 - Add Elasticsearch 8.15.1 to github readme (#854) * BUG-898240 - Add Elasticsearch 8.15.1 to github readme * Add 8.15.1 to update instructions --- charts/backingservices/charts/srs/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/backingservices/charts/srs/README.md b/charts/backingservices/charts/srs/README.md index 8d29e3791..cfc8f6c20 100644 --- a/charts/backingservices/charts/srs/README.md +++ b/charts/backingservices/charts/srs/README.md @@ -48,8 +48,8 @@ The service deployment provisions runtime service pods along with a dependency o Enabled - Elasticsearch 7.10.2, 7.16.3, 7.17.9 & 8.10.3 - As a best practice, use Elasticsearch version 8.10.3. + Elasticsearch 7.10.2, 7.16.3, 7.17.9, 8.10.3 & 8.15.1 + As a best practice, use Elasticsearch version 8.15.1. >= 1.25 @@ -59,8 +59,8 @@ The service deployment provisions runtime service pods along with a dependency o Enabled - Elasticsearch 7.17.9 & 8.10.3 - As a best practice, use Elasticsearch version 8.10.3. + Elasticsearch 7.17.9, 8.10.3 & 8.15.1 + As a best practice, use Elasticsearch version 8.15.1. search-n-reporting-service-os 
@@ -76,25 +76,25 @@ The service deployment provisions runtime service pods along with a dependency o **Note:** ### If your deployment uses the internally-provisioned Elasticsearch: ### -To migrate to Elasticsearch version 7.17.9 or 8.10.3 from the Elasticsearch version 7.10.2 or 7.16.3, perform the following steps: +To migrate to Elasticsearch version 7.17.9, 8.10.3 or 8.15.1 from the Elasticsearch version 7.10.2 or 7.16.3, perform the following steps: 1. Update the SRS Docker image version to use v1.31.2. This version has backward compatibility with Elasticsearch versions 7.10.x and 7.16.x, so your SRS will continue to work even before you update your Elasticsearch service. 2. To update Elasticsearch version to 7.17.9 perform the following actions: * Update the Elasticsearch `dependencies.version` parameter in the [requirement.yaml](../../requirements.yaml) to 7.17.3. Note: This parameter references the Elasticsearch Helm chart version and not the Elasticsearch cluster version. * Update the elasticsearch.imageTag in the Backing Services Helm chart to 7.17.9. -3. To update Elasticsearch version to 8.10.3, perform the following actions: +3. To update Elasticsearch version to 8.10.3 or 8.15.1, perform the following actions: * Update the Elasticsearch `dependencies.version` parameter in the [requirement.yaml](../../requirements.yaml) to 8.5.1. Note: This parameter references the Elasticsearch Helm chart version and not the Elasticsearch cluster version. - * Update the elasticsearch.imageTag in the Backing Services Helm chart to 8.10.3. + * Update the elasticsearch.imageTag in the Backing Services Helm chart to 8.10.3 or 8.15.1. 4. 
Restart the SRS pods ### If your deployment connects to an externally-managed Elasticsearch service: ### -To migrate to Elasticsearch version 7.17.9 or 8.10.3 from the Elasticsearch version 7.10.2 or 7.16.3, perform the following steps: +To migrate to Elasticsearch version 7.17.9, 8.10.3 or 8.15.1 from the Elasticsearch version 7.10.2 or 7.16.3, perform the following steps: 1. Update the SRS Docker image version to use v1.31.2. This version has backward compatibility with Elasticsearch versions 7.10.x and 7.16.x, so your SRS will continue to work even before you update your Elasticsearch service. 2. To use Elasticsearch version 7.17.9, upgrade your external Elasticsearch cluster to 7.17.9 according to your organization’s best practices. For more information, see official Elasticsearch version 7.17 documentation. -3. To use Elasticsearch version 8.10.3, upgrade your external Elasticsearch cluster to 8.10.3 according to your organization’s best practices. For more information, see official Elasticsearch version 8.10 documentation. +3. To use Elasticsearch version 8.10.3 or 8.15.1, upgrade your external Elasticsearch cluster to 8.10.3 or 8.15.1 according to your organization’s best practices. For more information, see official Elasticsearch version 8.x documentation. 4. Restart the SRS pods ### SRS runtime configuration From 00aedee48f41ca2658ddf81155344c7dd022475e Mon Sep 17 00:00:00 2001 
From: Alessandro Cattapan <31108344+alemax22@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:07:30 +0100 Subject: [PATCH 05/11] Added configuration for pod labels and deployment labels in constellation and constellation messaging charts (#834) * Created keys to add custom labels to the pods and deployments, documented changes * Created Unit Tests --- .../charts/constellation-messaging/README.md | 2 + .../templates/messaging-deployment.yaml | 6 +++ .../charts/constellation/README.md | 3 ++ .../templates/clln-deployment.yaml | 6 +++ .../backingservices/constellation_test.go | 53 +++++++++++++++++++ 5 files changed, 70 insertions(+) diff --git a/charts/backingservices/charts/constellation-messaging/README.md b/charts/backingservices/charts/constellation-messaging/README.md index 88e7058c8..f2ef2bf1f 100644 --- a/charts/backingservices/charts/constellation-messaging/README.md +++ b/charts/backingservices/charts/constellation-messaging/README.md 
@@ -15,7 +15,9 @@ Complete information on the design of the service including architecture, scalab | `enabled` | Enable the Messaging Service deployment as a backing service. Set this parameter to `true` to deploy the service. | | `provider` | Enter your Kubernetes provider. Accepted values are aws, gke or k8s. | | `name` | Deprecated, use `deployment.name`. Specify the name of your messaging service. Your deployment creates resources prefixed with this string. | +| `podLabels` | Provide custom labels for Pods as metadata to be consumed by other tools and libraries. | | `deployment.name` | Specify the name of your messaging service. Your deployment creates resources prefixed with this string. | +| `deployment.labels` | Provide custom labels for the deployment as metadata to be consumed by other tools and libraries. | | `imagePullSecretNames` | Deprected, use `docker.imagePullSecretNames`. List pre-existing secrets to be used for pulling docker images. | | `affinity` | Define pod affinity so that it is restricted to run on particular node(s), or to prefer to run on particular nodes. | | `docker.imagePullSecretNames` | List pre-existing secrets to be used for pulling docker images. | diff --git a/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml b/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml index 0a4ae8b0e..90ae28957 100644 --- a/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml +++ b/charts/backingservices/charts/constellation-messaging/templates/messaging-deployment.yaml @@ -7,6 +7,9 @@ metadata: name: {{ $depName }} labels: app: {{ $depName }} + {{- if and (.Values.deployment) (.Values.deployment.labels) }} + {{ toYaml .Values.deployment.labels | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.replicas }} selector: 
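Review bot: A user-supplied label named `app` in `.Values.deployment.labels` is rendered as a second `app:` key under `metadata.labels` right after the chart's own `app: {{ $depName }}`, and nothing in the added lines filters it out; the same applies to `.Values.podLabels` in the `@@ -16,6 +19,9 @@` hunk below and to both hunks of clln-deployment.yaml. The pod-template case is the riskier one, since an overriding `app` label would presumably stop matching the Deployment selector (the selector lines lie outside the hunk). Either state the reserved key in the README rows that document `podLabels` and `deployment.labels`, e.g. `Labels must not set the key app, which the chart reserves for its own selector.`, or strip it when rendering: `{{- toYaml (omit .Values.podLabels "app") | nindent 8 }}`. Using `{{-` on the `toYaml` actions would also trim the template's own indentation, so the rendered manifest does not carry a whitespace-only line before the injected labels.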
@@ -16,6 +19,9 @@ spec: metadata: labels: app: {{ $depName }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 8 }} + {{- end }} spec: imagePullSecrets: - name: {{ include "backingservicesRegistrySecret" ( dict "root" .Values "defaultname" "constellation-messaging" ) }} diff --git a/charts/backingservices/charts/constellation/README.md b/charts/backingservices/charts/constellation/README.md index 341179bf1..30d58cfb3 100644 --- a/charts/backingservices/charts/constellation/README.md +++ b/charts/backingservices/charts/constellation/README.md @@ -45,6 +45,9 @@ The values.yaml file provides configuration options to define the values for the | `cloudProvider` | Deprecated, use `provider`. Specify the cloud provider details. Accepted values are aws. | | `provider` | Enter your Kubernetes provider. Accepted values are aws, gke or k8s. | | `awsCertificateArn` | Specify the arn for the AWS ACM certificate. | +| `podLabels` | Provide custom labels for Pods as metadata to be consumed by other tools and libraries. | +| `deployment.name` | Specify the name of constellation deployment. Your deployment creates resources prefixed with this string. | +| `deployment.labels` | Provide custom labels for the deployment as metadata to be consumed by other tools and libraries. | | `service.port` | The port of the tier to be exposed to the cluster. The default value is `3000`. | | `service.targetPort` | The target port of the container to expose. The constellation container exposes web traffic on port `3000`. | | `service.serviceType` | The [type of service](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) you wish to expose. | diff --git a/charts/backingservices/charts/constellation/templates/clln-deployment.yaml b/charts/backingservices/charts/constellation/templates/clln-deployment.yaml index 2dcb3dc41..8cf2570d6 100644 --- a/charts/backingservices/charts/constellation/templates/clln-deployment.yaml 
+++ b/charts/backingservices/charts/constellation/templates/clln-deployment.yaml @@ -6,6 +6,9 @@ metadata: name: {{ $depName }} labels: app: {{ $depName }} + {{- if and (.Values.deployment) (.Values.deployment.labels) }} + {{ toYaml .Values.deployment.labels | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.replicas }} selector: @@ -15,6 +18,9 @@ spec: metadata: labels: app: {{ $depName }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 8 }} + {{- end }} spec: {{- if .Values.customerAssetVolumeClaimName }} volumes: diff --git a/terratest/src/test/backingservices/constellation_test.go b/terratest/src/test/backingservices/constellation_test.go index 455a70d17..1ae68a1e3 100644 --- a/terratest/src/test/backingservices/constellation_test.go +++ b/terratest/src/test/backingservices/constellation_test.go @@ -4,6 +4,7 @@ import ( "testing" "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" ) func Test_shouldNotContainConstellationResourcesWhenDisabled(t *testing.T) { 
@@ -95,6 +96,58 @@ func Test_shouldNotContainConstellationMessagingWhenDisabled(t *testing.T) {
 }
 }
 
+func Test_ConstellationMessagingWithLabels(t *testing.T) {
+
+ var deploymentName string = "constellation-msg"
+
+ helmChartParser := NewHelmConfigParser(
+ NewHelmTest(t, helmChartRelativePath, map[string]string{
+ "constellation-messaging.enabled": "true",
+ "constellation-messaging.deployment.name": deploymentName,
+ "constellation-messaging.deployment.labels.key1": "value1",
+ "constellation-messaging.podLabels.podKey1": "podValue1",
+ }),
+ )
+
+ var cllnMsgDeployment appsv1.Deployment
+ helmChartParser.getResourceYAML(SearchResourceOption{
+ Name: deploymentName,
+ Kind: "Deployment",
+ }, &cllnMsgDeployment)
+
+ require.Equal(t, cllnMsgDeployment.Name, deploymentName)
+ require.Equal(t, cllnMsgDeployment.Labels["key1"], "value1")
+ require.Equal(t, cllnMsgDeployment.Spec.Template.Labels["podKey1"], "podValue1")
+ require.Equal(t, cllnMsgDeployment.Labels["app"], deploymentName)
+ require.Equal(t, cllnMsgDeployment.Spec.Template.Labels["app"], deploymentName)
+}
+
+func Test_ConstellationWithLabels(t *testing.T) {
+
+ var deploymentName string = "constellation-static"
+
+ helmChartParser := NewHelmConfigParser(
+ NewHelmTest(t, helmChartRelativePath, map[string]string{
+ "constellation.enabled": "true",
+ "constellation.deployment.name": deploymentName,
+ "constellation.deployment.labels.key1": "value1",
+ "constellation.podLabels.podKey1": "podValue1",
+ }),
+ )
+
+ var cllnDeployment appsv1.Deployment
+ helmChartParser.getResourceYAML(SearchResourceOption{
+ Name: deploymentName,
+ Kind: "Deployment",
+ }, &cllnDeployment)
+
+ require.Equal(t, cllnDeployment.Name, deploymentName)
+ require.Equal(t, cllnDeployment.Labels["key1"], "value1")
+ require.Equal(t, cllnDeployment.Spec.Template.Labels["podKey1"], "podValue1")
+ require.Equal(t, cllnDeployment.Labels["app"], deploymentName)
+ require.Equal(t, cllnDeployment.Spec.Template.Labels["app"], deploymentName)
+} + var constellationResources = []SearchResourceOption{ { Name: "constellation", From 0c8d6d5b5b396abf292f64c1dee0bedd814d4743 Mon Sep 17 00:00:00 2001 From: Evan1oconto Date: Thu, 5 Dec 2024 10:10:28 -0500 Subject: [PATCH 06/11] US-648252 added job labels to the installer template (#856) Co-authored-by: locoe --- charts/pega/charts/installer/templates/_helpers.tpl | 3 +++ charts/pega/charts/installer/templates/_pega-installer-job.tpl | 1 + 2 files changed, 4 insertions(+) diff --git a/charts/pega/charts/installer/templates/_helpers.tpl b/charts/pega/charts/installer/templates/_helpers.tpl index ca7a6926b..2765e4c17 100644 --- a/charts/pega/charts/installer/templates/_helpers.tpl +++ b/charts/pega/charts/installer/templates/_helpers.tpl @@ -204,6 +204,9 @@ currentFunctionPath=SYSIBM,SYSFUN,{{ include "resolvedDataSchema" . | upper }} {{- define "generatedInstallerPodLabels" }} {{- end }} +# Override this template to generate additional job labels that are dynamically composed during helm deployment (do not indent labels) +{{- define "generatedInstallerJobLabels" }} +{{- end }} # Compose REST Service URL for pre- and post- upgrade ZDT tasks {{- define "pegaRestURL" }} diff --git a/charts/pega/charts/installer/templates/_pega-installer-job.tpl b/charts/pega/charts/installer/templates/_pega-installer-job.tpl index 5130d667e..f2efb9808 100644 --- a/charts/pega/charts/installer/templates/_pega-installer-job.tpl +++ b/charts/pega/charts/installer/templates/_pega-installer-job.tpl @@ -23,6 +23,7 @@ metadata: {{- end }}{{- end }} labels: app: {{ .name }} + {{ include "generatedInstallerJobLabels" .root | indent 4 }} spec: backoffLimit: 0 template: From 0572b36cb53a5d0991b1610926c70838f4e772de Mon Sep 17 00:00:00 2001 
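Review bot: Every `require.Equal` in both new tests passes the actual value first and the expected value second (`require.Equal(t, cllnMsgDeployment.Labels["key1"], "value1")`), which swaps the expected/actual columns in the failure diff; write `require.Equal(t, "value1", cllnMsgDeployment.Labels["key1"])` and the same for the other nine calls. Neither test checks that the new label maps leave the selector untouched, which is the regression that matters for a Deployment; add `require.Equal(t, deploymentName, cllnMsgDeployment.Spec.Selector.MatchLabels["app"])` and its `cllnDeployment` counterpart, and consider a case where a user label collides with `app`. `var deploymentName string = "constellation-msg"` is the non-idiomatic spelling of `deploymentName := "constellation-msg"`.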
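Review bot: `{{ include "generatedInstallerJobLabels" .root | indent 4 }}` appears to sit on an already-indented line, so the first rendered line receives the literal leading whitespace plus four spaces from `indent` while any following lines receive only four; a multi-line override of the helper would then render with inconsistent indentation under `labels:`. I am inferring the leading whitespace from the collapsed diff, but if it is present the conventional form is `{{- include "generatedInstallerJobLabels" .root | nindent 4 }}`, which also removes the whitespace-only line emitted while the default empty template is in use. If the existing pod-label include above it uses the same pattern, change both together so the job and pod labels render identically.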
From: Evan1oconto Date: Thu, 5 Dec 2024 15:25:43 +0000 Subject: [PATCH 07/11] Update chart versions to 3.25.1 --- charts/addons/Chart.yaml | 2 +- charts/backingservices/Chart.yaml | 2 +- charts/pega/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/addons/Chart.yaml b/charts/addons/Chart.yaml index 1640ac510..04e8e8b3c 100644 --- a/charts/addons/Chart.yaml +++ b/charts/addons/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v1 appVersion: "1.0" description: A Helm chart for Kubernetes name: addons -version: "3.25.0" +version: "3.25.1" diff --git a/charts/backingservices/Chart.yaml b/charts/backingservices/Chart.yaml index 5d4593409..1c73ca726 100644 --- a/charts/backingservices/Chart.yaml +++ b/charts/backingservices/Chart.yaml @@ -17,4 +17,4 @@ description: Helm Chart to provision the latest Search and Reporting Service (SR # The chart version: Pega provides this as a useful way to track changes you make to this chart. # As a best practice, you should increment the version number each time you make changes to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "3.25.0" +version: "3.25.1" diff --git a/charts/pega/Chart.yaml b/charts/pega/Chart.yaml index 5dc7cecdc..441659b93 100644 --- a/charts/pega/Chart.yaml +++ b/charts/pega/Chart.yaml @@ -1,7 +1,7 @@ --- apiVersion: v1 name: pega -version: "3.25.0" +version: "3.25.1" description: Pega installation on kubernetes keywords: - pega From 9788a675f046ee721d0fec3f1041d43bfc623a39 Mon Sep 17 00:00:00 2001 
From: vnihal72 <79415342+vnihal72@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:30:32 +0530 Subject: [PATCH 08/11] US-624029 : SSL and NIST SP 800-53 and NIST SP 800-131 support for Clustering Service (#794) * US-624029 : HZ SSL and NIST SP 800-53 and NIST SP 800-131 support --------- Co-authored-by: vermn1 Co-authored-by: kumap27 Co-authored-by: Kishor Kumar Vasantala --- charts/pega/Makefile | 31 ++++ charts/pega/README.md | 58 +++++-- charts/pega/charts/hazelcast/README.md | 2 + .../charts/hazelcast/templates/_helpers.tpl | 16 ++ .../clustering-service-deployment.yaml | 18 ++ ...clustering-service-environment-config.yaml | 8 + charts/pega/charts/hazelcast/values.yaml | 4 +- charts/pega/templates/_helpers.tpl | 26 ++- charts/pega/templates/_pega-deployment.tpl | 10 ++ .../templates/pega-environment-config.yaml | 12 ++ charts/pega/values-large.yaml | 7 +- charts/pega/values-minimal.yaml | 7 +- charts/pega/values.yaml | 7 +- .../clustering-service-deployment_test.go | 43 ++++- ...stering-service-environment-config_test.go | 104 ++++++++++-- .../pega-environment-config-with-hzcs_test.go | 160 +++++++++++++----- .../test/pega/pega-tier-deployment_test.go | 79 +++++++-- 17 files changed, 497 insertions(+), 95 deletions(-) create mode 100644 charts/pega/Makefile diff --git a/charts/pega/Makefile b/charts/pega/Makefile new file mode 100644 index 000000000..69942a8dd --- /dev/null +++ b/charts/pega/Makefile 
@@ -0,0 +1,31 @@
+default: secrets
+
+NAMESPACE :=
+CLUSTERING_SERVICE_IMAGE :=
+ENC_KEYSTORE_PASSWORD :=
+ENC_TRUSTSTORE_PASSWORD :=
+HIGHLY_SECURE_CRYPTO_MODE_ENABLED :=
+ALIAS := myalias
+
+ifeq ($(HIGHLY_SECURE_CRYPTO_MODE_ENABLED), true)
+secrets:
+ docker run --name hazelcast-helm-charts-certs -i -w /tmp \
+ $(CLUSTERING_SERVICE_IMAGE) \
+ /bin/sh -c " \
+ ./certs.sh HIGHLY_SECURE_CRYPTO_MODE_ENABLED $(ENC_KEYSTORE_PASSWORD) cluster-keystore $(ENC_TRUSTSTORE_PASSWORD) cluster-truststore $(ALIAS)" &&\
+ docker cp hazelcast-helm-charts-certs:/tmp/cluster-keystore.jks ./ &&\
+ docker cp hazelcast-helm-charts-certs:/tmp/cluster-truststore.jks ./ &&\
+ docker rm -f hazelcast-helm-charts-certs &&\
+ kubectl create secret generic hz-encryption-secrets --from-literal=HZ_SSL_KEYSTORE_PASSWORD=$(ENC_KEYSTORE_PASSWORD) --from-literal=HZ_SSL_TRUSTSTORE_PASSWORD=$(ENC_TRUSTSTORE_PASSWORD) --from-file=cluster-keystore.jks --from-file=cluster-truststore.jks --namespace=$(NAMESPACE)
+else
+secrets:
+ docker run --name hazelcast-helm-charts-certs -i -w /tmp \
+ $(CLUSTERING_SERVICE_IMAGE) \
+ /bin/sh -c " \
+ ./certs.sh SSL_MODE_ENABLED $(ENC_KEYSTORE_PASSWORD) cluster-keystore $(ENC_TRUSTSTORE_PASSWORD) cluster-truststore $(ALIAS)" && \
+ docker cp hazelcast-helm-charts-certs:/tmp/cluster-keystore.jks ./ &&\
+ docker cp hazelcast-helm-charts-certs:/tmp/cluster-truststore.jks ./ &&\
+ docker rm -f hazelcast-helm-charts-certs &&\
+ kubectl create secret generic hz-encryption-secrets --from-literal=HZ_SSL_KEYSTORE_PASSWORD=$(ENC_KEYSTORE_PASSWORD) --from-literal=HZ_SSL_TRUSTSTORE_PASSWORD=$(ENC_TRUSTSTORE_PASSWORD) --from-file=cluster-keystore.jks --from-file=cluster-truststore.jks --namespace=$(NAMESPACE)
+
+endif
\ No newline at end of file
diff --git a/charts/pega/README.md b/charts/pega/README.md
index 6d58fa09a..08dd406f2 100644
--- a/charts/pega/README.md
+++ b/charts/pega/README.md
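Review bot: Both recipe lines are echoed by make before they run, so `$(ENC_KEYSTORE_PASSWORD)` and `$(ENC_TRUSTSTORE_PASSWORD)` are printed to the terminal or CI log on every invocation, and they are also visible to other local users as arguments of the `docker run` and `kubectl create secret` processes; prefix the lines with `@` at a minimum and pass the passwords to `certs.sh` through the environment rather than argv if the script allows it. `docker rm -f` only runs at the end of a successful `&&` chain, so a failed `certs.sh` or `docker cp` leaves a container named `hazelcast-helm-charts-certs` behind and the next run fails on the name clash, and the generated `.jks` files are left in the working directory in either case. The two branches differ only in the first argument to `certs.sh`, and `secrets` is not declared `.PHONY`, so a file named `secrets` would silently satisfy the target. An empty `NAMESPACE` default appears to make `--namespace=` fall back to the kubeconfig's current namespace instead of failing, which is an easy way to create the secret in the wrong place.
```makefile
.PHONY: secrets

# … unchanged: NAMESPACE / CLUSTERING_SERVICE_IMAGE / password / ALIAS defaults …
CERTS_MODE := $(if $(filter true,$(HIGHLY_SECURE_CRYPTO_MODE_ENABLED)),HIGHLY_SECURE_CRYPTO_MODE_ENABLED,SSL_MODE_ENABLED)

secrets:
	@test -n "$(NAMESPACE)" || { echo "NAMESPACE must be set" >&2; exit 1; }
	@docker run --name hazelcast-helm-charts-certs -i -w /tmp \
	  $(CLUSTERING_SERVICE_IMAGE) \
	  /bin/sh -c "./certs.sh $(CERTS_MODE) $(ENC_KEYSTORE_PASSWORD) cluster-keystore $(ENC_TRUSTSTORE_PASSWORD) cluster-truststore $(ALIAS)" \
	  && docker cp hazelcast-helm-charts-certs:/tmp/cluster-keystore.jks ./ \
	  && docker cp hazelcast-helm-charts-certs:/tmp/cluster-truststore.jks ./; \
	  status=$$?; docker rm -f hazelcast-helm-charts-certs >/dev/null 2>&1; exit $$status
	@kubectl create secret generic hz-encryption-secrets \
	  --from-literal=HZ_SSL_KEYSTORE_PASSWORD=$(ENC_KEYSTORE_PASSWORD) \
	  --from-literal=HZ_SSL_TRUSTSTORE_PASSWORD=$(ENC_TRUSTSTORE_PASSWORD) \
	  --from-file=cluster-keystore.jks --from-file=cluster-truststore.jks \
	  --namespace=$(NAMESPACE)
	@rm -f cluster-keystore.jks cluster-truststore.jks
```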
@@ -42,6 +42,17 @@ Example: ```yaml action: "deploy" ``` + +## NIST SP 800-53 and NIST SP 800-131 + +Set the `highlySecureCryptoModeEnabled` flag to `true` to comply with NIST SP 800-53 and NIST SP 800-131. + +For example: +```yaml +global: + highlySecureCryptoModeEnabled: true +``` + ## Kerberos Configuration Use the `kerberos` section to configure Kerberos authentication for Decisioning data flows that fetch data from Kafka or HBase streams. For more information on Decisioning data flows that use Kerberos, see [Data Set types](https://docs.pega.com/bundle/platform/page/platform/decision-management/data-set-types.html). 
@@ -1247,20 +1258,21 @@ Pega Infinity version | Clustering Service version | Description The values.yaml provides configuration options to define the deployment of Hazelcast. Apart from the below parameters when `hazelcast.enabled` is set to `true`, additional parameters are required for client-server deployment which have been documented here: [Additional Parameters](charts/hazelcast/README.md) -Parameter | Description | Default value ---- | --- | --- -`hazelcast.image` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. | `YOUR_HAZELCAST_IMAGE:TAG` -`hazelcast.clusteringServiceImage` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. | `YOUR_CLUSTERING_SERVICE_IMAGE:TAG` -`hazelcast.enabled` | Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: To avoid an installation failure, you must set this value to `false` for Pega platform deployments using versions before 8.6. | `true` -`hazelcast.clusteringServiceEnabled` | Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: Set this value to `false` for Pega platform versions below 8.8; if not set the installation will fail. | `false` -`hazelcast.migration.initiateMigration` | Set to `true` after creating parallel cluster (new Hazelcast) to establish the connection with platform and migrate the data; Set to `false` during a deployment that removes an older Hazelcast cluster. | `false` -`hazelcast.migration.migrationJobImage` | Reference the `platform/clustering-service-kubectl` Docker image to create the migration job to run the migration script. 
| `YOUR_MIGRATION_JOB_IMAGE:TAG` -`hazelcast.migration.embeddedToCSMigration` | Set to `true` while migrating the data from existing embedded Hazelcast deployment to the new c/s Hazelcast deployment. | `false` -`hazelcast.replicas` | Number of initial members to join the Hazelcast cluster. | `3` -`hazelcast.username` | Configures the username to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the username in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""` -`hazelcast.password` | Configures the password to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the password credential in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""` -`hazelcast.external_secret_name` | If you configured a secret in an external secrets operator, enter the secret name. For details, see [this section](#optional-support-for-providing-credentialscertificates-using-external-secrets-operator). | `""` -`hazelcast.affinity` | Configures policy to assign the pods to the nodes. See the official [Kubernetes Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). | `""` +Parameter | Description | Default value +--- |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- +`hazelcast.image` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. 
| `YOUR_HAZELCAST_IMAGE:TAG` +`hazelcast.clusteringServiceImage` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. | `YOUR_CLUSTERING_SERVICE_IMAGE:TAG` +`hazelcast.enabled` | Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: To avoid an installation failure, you must set this value to `false` for Pega platform deployments using versions before 8.6. | `true` +`hazelcast.clusteringServiceEnabled` | Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: Set this value to `false` for Pega platform versions below 8.8; if not set the installation will fail. | `false` +`hazelcast.encryption.enabled` | Set to `true` if you require SSL connection in your Clustering Service. Note: Highly secure crypto mode is only available in Pega Platform '24.2 and later. Set this value to `false` for Pega Platform release '24.1 and earlier or the installation will fail. | `false` +`hazelcast.migration.initiateMigration` | Set to `true` after creating parallel cluster (new Hazelcast) to establish the connection with platform and migrate the data; Set to `false` during a deployment that removes an older Hazelcast cluster. | `false` +`hazelcast.migration.migrationJobImage` | Reference the `platform/clustering-service-kubectl` Docker image to create the migration job to run the migration script. | `YOUR_MIGRATION_JOB_IMAGE:TAG` +`hazelcast.migration.embeddedToCSMigration` | Set to `true` while migrating the data from existing embedded Hazelcast deployment to the new c/s Hazelcast deployment. | `false` +`hazelcast.replicas` | Number of initial members to join the Hazelcast cluster. | `3` +`hazelcast.username` | Configures the username to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. 
This parameter configures the username in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""` +`hazelcast.password` | Configures the password to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the password credential in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""` +`hazelcast.external_secret_name` | If you configured a secret in an external secrets operator, enter the secret name. For details, see [this section](#optional-support-for-providing-credentialscertificates-using-external-secrets-operator). | `""` +`hazelcast.affinity` | Configures policy to assign the pods to the nodes. See the official [Kubernetes Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). | `""` #### Example ```yaml @@ -1269,6 +1281,8 @@ hazelcast: clusteringServiceImage: "YOUR_CLUSTERING_SERVICE_IMAGE:TAG" enabled: true clusteringServiceEnabled: false + encryption: + enabled: false migration: initiateMigration: false migrationJobImage: "YOUR_MIGRATION_JOB_IMAGE:TAG" 
@@ -1279,6 +1293,22 @@ hazelcast: external_secret_name: "" ``` +### (Optional) Enabling highly secure encryption of traffic between Pega Platform and the Clustering Service +Before Helm install, run the makefile in charts/pega/Makefile with the following parameters when you enable encryption or HighlySecureCryptoMode to generate the certificates and mount them to the Clustering Service and Pega Platform pods. + +Parameter | Description +--- |------------------------------------------------------------ +`NAMESPACE` | Namespace where you deploy Pega Platform and the Clustering Service. +`CLUSTERING_SERVICE_IMAGE` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. +`ENC_KEYSTORE_PASSWORD` | Keystore password. +`ENC_TRUSTSTORE_PASSWORD` | Truststore password. +`HIGHLY_SECURE_CRYPTO_MODE_ENABLED` | Set to `true` to enable the highly secure crypto mode to comply with NIST SP 800-53 and NIST SP 800-131. + +#### Example +``` +make secrets NAMESPACE=pega CLUSTERING_SERVICE_IMAGE=cloudservices-docker-dev-local.bin.pega.io/platform/clustering-service:1.3.50 ENC_KEYSTORE_PASSWORD=mystorePwd ENC_TRUSTSTORE_PASSWORD=mystorePwd HIGHLY_SECURE_CRYPTO_MODE_ENABLED=true +``` + ### Enabling encryption of traffic between Ingress/LoadBalancer and Pod Using Helm version `2.2.0`, Pega supports mounting and passing TLS certificates into the container to enable TLS between loadbalancer/ingress and pods during your Pega Platform deployment. Pega supports the keystore formats such as .jks, .keystore. To mount and pass your TLS certificates, use the `tls` section under `service` to specify the keystore content, the keystore password and the specified ports for https under 'web' tier in the `values.yaml` file using the format in the following example. diff --git a/charts/pega/charts/hazelcast/README.md b/charts/pega/charts/hazelcast/README.md index 6e9768011..599dbcb2e 100644 
--- a/charts/pega/charts/hazelcast/README.md +++ b/charts/pega/charts/hazelcast/README.md @@ -59,6 +59,8 @@ imagePullPolicy: "Always" replicas: 3 enabled: true clusteringServiceEnabled: false +encryption: + enabled: false migration: enabled: false migrationJobImage: "YOUR_MIGRATION_JOB_IMAGE:TAG" diff --git a/charts/pega/charts/hazelcast/templates/_helpers.tpl b/charts/pega/charts/hazelcast/templates/_helpers.tpl index bdc727080..944ff12ff 100644 --- a/charts/pega/charts/hazelcast/templates/_helpers.tpl +++ b/charts/pega/charts/hazelcast/templates/_helpers.tpl @@ -29,6 +29,22 @@ {{- end -}} {{- end }} +{{- define "isEncryptionEnabled" }} + {{- if .Values.encryption.enabled -}} + true + {{- else -}} + false + {{- end -}} +{{- end -}} + +{{- define "isHighlySecureCryptoModeEnabled" }} + {{- if and ( .Values.encryption.enabled ) ( .Values.global.highlySecureCryptoModeEnabled) -}} + true + {{- else -}} + false + {{- end -}} +{{- end -}} + {{- define "hazelcastVolumeCredentials" }}hazelcast-volume-credentials{{- end }} {{- define "hazelcastVolumeTemplate" }} diff --git a/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml b/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml index e8c045835..fc772f082 100644 --- a/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml +++ b/charts/pega/charts/hazelcast/templates/clustering-service-deployment.yaml @@ -37,6 +37,10 @@ spec: mountPath: "/opt/hazelcast/logs" - name: {{ template "hazelcastVolumeCredentials" }} mountPath: "/opt/hazelcast/secrets" + {{- if (eq (include "isEncryptionEnabled" .) "true") }} + - name: hz-encryption-secrets + mountPath: "/opt/hazelcast/certs" + {{- end }} envFrom: - configMapRef: name: {{ template "clusteringServiceEnvironmentConfig" }} 
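Review bot: `isHighlySecureCryptoModeEnabled` returns `false` whenever `encryption.enabled` is false even if `global.highlySecureCryptoModeEnabled` is true, so a deployment that sets the compliance flag without enabling encryption renders with no signal that the flag was ignored; `isHzHighlySecureCryptoModeEnabled` in `charts/pega/templates/_helpers.tpl` behaves the same way. Since the flag exists to satisfy NIST SP 800-53/800-131, a silent no-op is the wrong failure mode for a misconfiguration. A guard such as `{{- if and .Values.global.highlySecureCryptoModeEnabled (not .Values.encryption.enabled) }}{{ fail "global.highlySecureCryptoModeEnabled requires hazelcast.encryption.enabled=true" }}{{- end }}` at the top of the helper turns it into a render error, and the parent-chart helper should get the same guard.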
@@ -61,13 +65,21 @@ spec:
 periodSeconds: 10
 httpGet:
 path: /hazelcast/health/ready
+ {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+ port: 8080
+ {{- else }}
 port: 5701
+ {{- end }}
 livenessProbe:
 initialDelaySeconds: 30
 periodSeconds: 10
 httpGet:
 path: /hazelcast/health/ready
+ {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+ port: 8080
+ {{- else }}
 port: 5701
+ {{- end }}
 restartPolicy: Always
 volumes:
 # Volume used to mount logs folder
@@ -75,6 +87,12 @@ spec:
 emptyDir: {}
 # Volume used to mount secret files.
 {{- include "hazelcastVolumeTemplate" . | indent 6 }}
+ {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+ - name: hz-encryption-secrets
+ secret:
+ defaultMode: 444
+ secretName: hz-encryption-secrets
+ {{- end }}
 imagePullSecrets:
 {{- include "imagePullSecrets" . | indent 6 }}
 {{- include "podAffinity" .Values | indent 6 }}
diff --git a/charts/pega/charts/hazelcast/templates/clustering-service-environment-config.yaml b/charts/pega/charts/hazelcast/templates/clustering-service-environment-config.yaml
index 6c2833cb8..793429a55 100644
--- a/charts/pega/charts/hazelcast/templates/clustering-service-environment-config.yaml
+++ b/charts/pega/charts/hazelcast/templates/clustering-service-environment-config.yaml
@@ -10,6 +10,14 @@ data:
 JAVA_OPTS: {{ .Values.server.java_opts | quote }}
 SERVICE_NAME: {{ template "clusteringServiceName" . }}-service
 MIN_CLUSTER_SIZE: {{ .Values.replicas | quote }}
+{{- if (eq (include "isEncryptionEnabled" .) "true") }}
+ ENCRYPTION_ENABLED: {{ true | quote }}
+ ENCRYPTION_KEYSTORE_NAME: "cluster-keystore.jks"
+ ENCRYPTION_TRUSTSTORE_NAME: "cluster-truststore.jks"
+{{- if (eq (include "isHighlySecureCryptoModeEnabled" .) "true") }}
+ HIGHLY_SECURE_CRYPTO_MODE_ENABLED: {{ true | quote }}
+{{- end }}
+{{- end }}
 {{- if .Values.server.jmx_enabled }}
 JMX_ENABLED: {{ .Values.server.jmx_enabled | quote }}
 {{- end }}
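Review bot: `defaultMode: 444` on the new `hz-encryption-secrets` volume is read as decimal 444, which is octal 0674 (owner rw, group rwx, world r), not the read-only 0444 the digits suggest; the field takes a decimal integer, which is why the existing credentials volume in the parent chart uses `420` for 0644, so the read-only mode is `defaultMode: 292` (Kubernetes examples also write it as the octal literal `0400`/`0444`). The `_pega-deployment.tpl` hunk in this patch repeats the same `444`. On a keystore and truststore mount this grants group write and execute bits that nothing needs, so it is worth correcting before the value is copied further.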
diff --git a/charts/pega/charts/hazelcast/values.yaml b/charts/pega/charts/hazelcast/values.yaml index 812656bf8..94b0f3393 100644 --- a/charts/pega/charts/hazelcast/values.yaml +++ b/charts/pega/charts/hazelcast/values.yaml @@ -10,7 +10,9 @@ enabled: true # Setting below to true will deploy the Pega Platform in client-server Hazelcast model for version 8.8 and later. # Note: Make sure to set this value as "false" in case of Pega platform version before "8.8". If not set this will fail the installation. clusteringServiceEnabled: false - +# Set to true to enforce SSL communication between the Clustering Service and Pega Platform. +encryption: + enabled: false # Setting related to Hazelcast migration. migration: # Set to `true` to initiate the migration job. diff --git a/charts/pega/templates/_helpers.tpl b/charts/pega/templates/_helpers.tpl index eab1c75e8..24a00aa7f 100644 --- a/charts/pega/templates/_helpers.tpl +++ b/charts/pega/templates/_helpers.tpl @@ -515,6 +515,22 @@ servicePort: use-annotation {{- end -}} {{- end -}} +{{- define "isHzEncryptionEnabled" }} + {{- if .Values.hazelcast.encryption.enabled -}} + true + {{- else -}} + false + {{- end -}} +{{- end -}} + +{{- define "isHzHighlySecureCryptoModeEnabled" }} + {{- if and .Values.hazelcast.encryption.enabled .Values.global.highlySecureCryptoModeEnabled -}} + true + {{- else -}} + false + {{- end -}} +{{- end -}} + {{- define "pegaCredentialVolumeTemplate" }} - name: {{ template "pegaVolumeCredentials" }} projected: @@ -537,5 +553,13 @@ servicePort: use-annotation - secret: name: {{ include "pega-diagnostic-secret-name" $}} - + {{- if (eq (include "isHzEncryptionEnabled" .) "true") }} + - secret: + name: hz-encryption-secrets + items: + - key: HZ_SSL_KEYSTORE_PASSWORD + path: HZ_SSL_KEYSTORE_PASSWORD + - key: HZ_SSL_TRUSTSTORE_PASSWORD + path: HZ_SSL_TRUSTSTORE_PASSWORD + {{- end}} {{- end}} \ No newline at end of file 
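Review bot: The secret name `hz-encryption-secrets` is hard-coded in this projected source and again in `_pega-deployment.tpl`, in the hazelcast subchart templates and in the Makefile, while the credentials next to it in this same helper are referenced through a named template and can be supplied via `hazelcast.external_secret_name`; the keystore passwords get no equivalent override, so a team provisioning them through an external secrets operator cannot use this feature. A single `{{- define "hzEncryptionSecretName" }}hz-encryption-secrets{{- end }}` (or a value with that default) used from every template would keep the name in one place and make an override possible later. Projecting only the two password keys into the credentials volume is the right scope; keep that narrow `items:` list when the name is factored out.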
diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl index c3473d32a..468d3a0fb 100644 --- a/charts/pega/templates/_pega-deployment.tpl +++ b/charts/pega/templates/_pega-deployment.tpl @@ -77,6 +77,12 @@ spec: # Used to specify permissions on files within the volume. defaultMode: 420 {{- include "pegaCredentialVolumeTemplate" .root | indent 6 }} +{{- if (.root.Values.hazelcast.encryption.enabled) }} + - name: hz-encryption-secrets + secret: + defaultMode: 444 + secretName: hz-encryption-secrets +{{- end }} {{ if or (.root.Values.global.certificates) (.root.Values.global.certificatesSecrets) }} {{- include "pegaImportCertificatesTemplate" .root | indent 6 }} {{ end }} @@ -296,6 +302,10 @@ spec: - name: {{ template "pegaKerberosConfig" }}-config mountPath: "/opt/pega/kerberos" {{- end }} +{{- if (.root.Values.hazelcast.encryption.enabled) }} + - name: hz-encryption-secrets + mountPath: "/opt/hazelcast/certs" +{{- end }} # LivenessProbe: indicates whether the container is live, i.e. running. livenessProbe: diff --git a/charts/pega/templates/pega-environment-config.yaml b/charts/pega/templates/pega-environment-config.yaml index dc5a126c0..320bf436e 100644 --- a/charts/pega/templates/pega-environment-config.yaml +++ b/charts/pega/templates/pega-environment-config.yaml 
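Review bot: The `hz-encryption-secrets` volume is mounted with no `items:` filter, so `/opt/hazelcast/certs` receives the `HZ_SSL_KEYSTORE_PASSWORD` and `HZ_SSL_TRUSTSTORE_PASSWORD` keys as plain files alongside the two `.jks` files, even though the `_helpers.tpl` hunk already projects those passwords into the credentials volume; restricting this volume to the keystore files keeps the passwords in one place. The condition also reads `.root.Values.hazelcast.encryption.enabled` directly instead of the `isHzEncryptionEnabled` helper this patch introduces, while `pega-environment-config.yaml` uses the helper; pick one form. The `defaultMode: 444` decimal/octal mix-up raised on the hazelcast deployment hunk applies to this volume as well.
```yaml
{{- if (eq (include "isHzEncryptionEnabled" .root) "true") }}
      - name: hz-encryption-secrets
        secret:
          defaultMode: 292
          secretName: hz-encryption-secrets
          items:
            - key: cluster-keystore.jks
              path: cluster-keystore.jks
            - key: cluster-truststore.jks
              path: cluster-truststore.jks
{{- end }}
```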
@@ -179,6 +179,18 @@ data: {{- end }} # Hostname of Hazelcast server HZ_SERVER_HOSTNAME: {{ template "hzServiceName" . }}-service.{{ .Release.Namespace }}.svc.cluster.local +{{ if (eq (include "isHzEncryptionEnabled" .) "true") }} + HZ_SSL_ENABLED: "true" + HZ_SSL_PROTOCOL: "TLS" + HZ_SSL_KEY_STORE_NAME: "cluster-keystore.jks" + HZ_SSL_TRUST_STORE_NAME: "cluster-truststore.jks" + {{ if (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }} + HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true" + HZ_SSL_ALGO: "PKIX" + {{- else }} + HZ_SSL_ALGO: "SunX509" + {{- end }} +{{- end }} {{- end }} # enable ssl verification for jdbc driver download ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: "{{ .Values.global.customArtifactory.enableSSLVerification }}" diff --git a/charts/pega/values-large.yaml b/charts/pega/values-large.yaml index 230b0d96f..58e8dba73 100644 --- a/charts/pega/values-large.yaml +++ b/charts/pega/values-large.yaml @@ -28,6 +28,9 @@ global: # Feature is used for Decisioning data flows to fetch data from Kafka or HBase streams kerberos: {} + # Set to true to comply with NIST SP 800-53 and NIST SP 800-131. + highlySecureCryptoModeEnabled: false + # If a storage class to be passed to the VolumeClaimTemplates in search and stream pods, it can be specified here: storageClassName: "" # Provide JDBC connection information to the Pega relational database @@ -570,7 +573,9 @@ hazelcast: # Setting below to true will deploy Pega Platform using a client-server Hazelcast model for version 8.8 and later. clusteringServiceEnabled: false - + # Set to true to enforce SSL communication between the Clustering Service and Pega Platform. + encryption: + enabled: false # Setting related to Hazelcast migration. migration: # Set to `true` to initiate the migration job. diff --git a/charts/pega/values-minimal.yaml b/charts/pega/values-minimal.yaml index 53da1dc4a..1172dc43e 100755 --- a/charts/pega/values-minimal.yaml +++ b/charts/pega/values-minimal.yaml 
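Review bot: `HZ_SSL_ALGO` switches between `"PKIX"` and `"SunX509"` by mode, and if these names reach a JSSE `TrustManagerFactory` as they appear to, the non-highly-secure path gets the legacy SunX509 validator, which as I understand it performs only simple chain checks and cannot apply the revocation and algorithm-constraint checks the PKIX validator supports; unless a consumer of this ConfigMap depends on SunX509, using `PKIX` in both branches removes a mode-dependent weakening of trust evaluation. `HZ_SSL_PROTOCOL: "TLS"` likewise leaves the negotiated version to the runtime defaults, so it is worth confirming that the Clustering Service or Pega side pins TLSv1.2 or later when the highly secure flag is set. The two new `{{ if ... }}` openers are non-trimming while their `{{- else }}`/`{{- end }}` partners trim, which adds blank lines inside `data:`; `{{- if` matches the surrounding template.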
@@ -24,6 +24,9 @@ global: # Feature is used for Decisioning data flows to fetch data from Kafka or HBase streams kerberos: {} + # Set to true to comply with NIST SP 800-53 and NIST SP 800-131. + highlySecureCryptoModeEnabled: false + # If a storage class to be passed to the VolumeClaimTemplates in search and stream pods, it can be specified here: storageClassName: "" # Provide JDBC connection information to the Pega relational database @@ -245,7 +248,9 @@ hazelcast: # Setting below to true will deploy Pega Platform using a client-server Hazelcast model for version 8.8 and later. clusteringServiceEnabled: false - + # Set to true to enforce SSL communication between the Clustering Service and Pega Platform. + encryption: + enabled: false # Setting related to Hazelcast migration. migration: # Set to `true` to initiate the migration job. diff --git a/charts/pega/values.yaml b/charts/pega/values.yaml index bdf042f31..8b20d862e 100644 --- a/charts/pega/values.yaml +++ b/charts/pega/values.yaml @@ -28,6 +28,9 @@ global: # Feature is used for Decisioning data flows to fetch data from Kafka or HBase streams kerberos: {} + # Set to true to comply with NIST SP 800-53 and NIST SP 800-131. + highlySecureCryptoModeEnabled: false + # If a storage class to be passed to the VolumeClaimTemplates in search and stream pods, it can be specified here: storageClassName: "" # Provide JDBC connection information to the Pega relational database @@ -523,7 +526,9 @@ hazelcast: # Setting below to true will deploy Pega Platform using a client-server Hazelcast model for version 8.8 and later. clusteringServiceEnabled: false - + # Set to true to enforce SSL communication between the Clustering Service and Pega Platform. + encryption: + enabled: false # Setting related to Hazelcast migration. migration: # Set to `true` to initiate the migration job. 
diff --git a/terratest/src/test/pega/clustering-service-deployment_test.go b/terratest/src/test/pega/clustering-service-deployment_test.go index 271f92ecd..06497602d 100644 --- a/terratest/src/test/pega/clustering-service-deployment_test.go +++ b/terratest/src/test/pega/clustering-service-deployment_test.go @@ -34,13 +34,41 @@ func TestClusteringServiceDeployment(t *testing.T) { } yamlContent := RenderTemplate(t, options, helmChartPath, []string{"charts/hazelcast/templates/clustering-service-deployment.yaml"}) - VerifyClusteringServiceDeployment(t, yamlContent) + VerifyClusteringServiceDeployment(t, yamlContent, false) } } } -func VerifyClusteringServiceDeployment(t *testing.T, yamlContent string) { +func TestClusteringServiceDeploymentWithSSL(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + for _, operation := range supportedOperations { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.encryption.enabled": "true", + }, + } + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"charts/hazelcast/templates/clustering-service-deployment.yaml"}) + VerifyClusteringServiceDeployment(t, yamlContent, true) + + } + } +} + +func VerifyClusteringServiceDeployment(t *testing.T, yamlContent string, ssl bool) { var statefulsetObj appsv1beta2.StatefulSet statefulSlice := strings.Split(yamlContent, "---") for index, statefulInfo := range statefulSlice { 
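Review bot: `TestClusteringServiceDeploymentWithSSL` is a line-for-line copy of `TestClusteringServiceDeployment` that differs only in the `hazelcast.encryption.enabled` value and the `ssl` argument, so any future change to the vendor/operation matrix or the render call has to be made twice; a `[]bool{false, true}` loop inside the existing test covers both modes from one body. The enclosing `TestClusteringServiceDeployment` starts outside this hunk, so the sketch below shows the whole function with the new SSL test removed. `var options = &helm.Options{...}` in the copied body is also the non-idiomatic spelling of `options := &helm.Options{...}`.
```go
func TestClusteringServiceDeployment(t *testing.T) {
	// … unchanged: supportedVendors / supportedOperations / helmChartPath setup …
	for _, ssl := range []bool{false, true} {
		for _, vendor := range supportedVendors {
			for _, operation := range supportedOperations {
				fmt.Println(vendor + "-" + operation)
				options := &helm.Options{
					SetValues: map[string]string{
						"global.provider":                    vendor,
						"global.actions.execute":             operation,
						"hazelcast.clusteringServiceEnabled": "true",
						"hazelcast.encryption.enabled":       fmt.Sprintf("%t", ssl),
					},
				}
				yamlContent := RenderTemplate(t, options, helmChartPath, []string{"charts/hazelcast/templates/clustering-service-deployment.yaml"})
				VerifyClusteringServiceDeployment(t, yamlContent, ssl)
			}
		}
	}
}
```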
@@ -50,9 +78,16 @@ func VerifyClusteringServiceDeployment(t *testing.T, yamlContent string) { require.Equal(t, statefulsetObj.Spec.ServiceName, "clusteringservice-service") statefulsetSpec := statefulsetObj.Spec.Template.Spec require.Equal(t, "/hazelcast/health/ready", statefulsetSpec.Containers[0].LivenessProbe.HTTPGet.Path) - require.Equal(t, intstr.FromInt(5701), statefulsetSpec.Containers[0].LivenessProbe.HTTPGet.Port) require.Equal(t, "/hazelcast/health/ready", statefulsetSpec.Containers[0].ReadinessProbe.HTTPGet.Path) - require.Equal(t, intstr.FromInt(5701), statefulsetSpec.Containers[0].ReadinessProbe.HTTPGet.Port) + if ssl { + require.Equal(t, intstr.FromInt(8080), statefulsetSpec.Containers[0].ReadinessProbe.HTTPGet.Port) + require.Equal(t, intstr.FromInt(8080), statefulsetSpec.Containers[0].LivenessProbe.HTTPGet.Port) + require.Equal(t, statefulsetSpec.Containers[0].VolumeMounts[2].Name, "hz-encryption-secrets") + require.Equal(t, statefulsetSpec.Containers[0].VolumeMounts[2].MountPath, "/opt/hazelcast/certs") + } else { + require.Equal(t, intstr.FromInt(5701), statefulsetSpec.Containers[0].ReadinessProbe.HTTPGet.Port) + require.Equal(t, intstr.FromInt(5701), statefulsetSpec.Containers[0].LivenessProbe.HTTPGet.Port) + } require.Equal(t, "1", statefulsetSpec.Containers[0].Resources.Requests.Cpu().String()) require.Equal(t, "1Gi", statefulsetSpec.Containers[0].Resources.Requests.Memory().String()) require.Equal(t, statefulsetSpec.Volumes[0].Name, "logs") diff --git a/terratest/src/test/pega/clustering-service-environment-config_test.go b/terratest/src/test/pega/clustering-service-environment-config_test.go index 2468a358e..aaad09340 100644 --- a/terratest/src/test/pega/clustering-service-environment-config_test.go +++ b/terratest/src/test/pega/clustering-service-environment-config_test.go 
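Review bot: The `ssl` branch asserts the name and mount path of `VolumeMounts[2]` but not that the referenced volume is backed by a Secret or that the mount is read-only, which is what matters for key material; a template change that sourced the certs from a ConfigMap or an emptyDir would still pass. Next to the two VolumeMounts assertions add `require.True(t, statefulsetSpec.Containers[0].VolumeMounts[2].ReadOnly)` and, for the matching entry in `statefulsetSpec.Volumes` (its index is not visible in this hunk), `require.NotNil(t, statefulsetSpec.Volumes[<certs volume index>].VolumeSource.Secret)`. The same gap exists in the hazelcastSSL branch of VerifyDeployment in pega-tier-deployment_test.go, where the volume is already located at `pod.Volumes[2]`. Whether the template sets ReadOnly on this mount is not visible in the diff; if it does not, that is worth changing in the chart as well. VerifyClusteringServiceDeployment begins in the previous hunk.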
@@ -10,37 +10,97 @@ import ( "testing" ) -func TestClusteringServiceEnvironmentConfig(t *testing.T){ - var supportedVendors = []string{"k8s","openshift","eks","gke","aks","pks"} - var supportedOperations = []string{"deploy","install-deploy"} +func TestClusteringServiceEnvironmentConfig(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} helmChartPath, err := filepath.Abs(PegaHelmChartPath) require.NoError(t, err) - for _,vendor := range supportedVendors{ + for _, vendor := range supportedVendors { - for _,operation := range supportedOperations{ + for _, operation := range supportedOperations { fmt.Println(vendor + "-" + operation) var options = &helm.Options{ SetValues: map[string]string{ - "global.provider": vendor, - "global.actions.execute": operation, + "global.provider": vendor, + "global.actions.execute": operation, "hazelcast.clusteringServiceEnabled": "true", }, } yamlContent := RenderTemplate(t, options, helmChartPath, []string{"charts/hazelcast/templates/clustering-service-environment-config.yaml"}) - VerifyClusteringServiceEnvironmentConfig(t,yamlContent, options) + VerifyClusteringServiceEnvironmentConfig(t, yamlContent, options, false, false) } } +} + +func TestClusteringServiceEnvironmentConfigWithSSL(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + for _, operation := range supportedOperations { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.encryption.enabled": "true", + }, + } + + yamlContent := 
RenderTemplate(t, options, helmChartPath, []string{"charts/hazelcast/templates/clustering-service-environment-config.yaml"}) + VerifyClusteringServiceEnvironmentConfig(t, yamlContent, options, true, false) + + } + } } -func VerifyClusteringServiceEnvironmentConfig(t *testing.T, yamlContent string, options *helm.Options) { +func TestClusteringServiceEnvironmentConfigWithHighlySecureCryptoModeEnabled(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + for _, operation := range supportedOperations { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.encryption.enabled": "true", + "global.highlySecureCryptoModeEnabled": "true", + }, + } + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"charts/hazelcast/templates/clustering-service-environment-config.yaml"}) + VerifyClusteringServiceEnvironmentConfig(t, yamlContent, options, true, true) + + } + } + +} + +func VerifyClusteringServiceEnvironmentConfig(t *testing.T, yamlContent string, options *helm.Options, + ssl bool, highlySecureCryptoModeEnabled bool) { var clusteringServiceEnvConfigMap k8score.ConfigMap statefulSlice := strings.Split(yamlContent, "---") 
@@ -52,15 +112,23 @@ func VerifyClusteringServiceEnvironmentConfig(t *testing.T, yamlContent string, require.Equal(t, clusteringServiceEnvConfigData["JAVA_OPTS"], "-XX:MaxRAMPercentage=80.0 -XX:InitialRAMPercentage=80.0 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/hazelcast/logs/heapdump.hprof -XX:+UseG1GC -XX:NewRatio=3 -XshowSettings:vm -XX:InitiatingHeapOccupancyPercent=45 -Xlog:gc*,gc+phases=debug:file=/opt/hazelcast/logs/gc.log:time,pid,tags:filecount=5,filesize=3m") require.Equal(t, clusteringServiceEnvConfigData["SERVICE_NAME"], "clusteringservice-service") require.Equal(t, clusteringServiceEnvConfigData["MIN_CLUSTER_SIZE"], "3") - require.Equal(t, clusteringServiceEnvConfigData["JMX_ENABLED"], "true") - require.Equal(t, clusteringServiceEnvConfigData["HEALTH_MONITORING_LEVEL"], "OFF") - require.Equal(t, clusteringServiceEnvConfigData["GROUP_NAME"], "prpchz") - require.Equal(t, clusteringServiceEnvConfigData["GRACEFUL_SHUTDOWN_MAX_WAIT_SECONDS"], "600") - require.Equal(t, clusteringServiceEnvConfigData["LOGGING_LEVEL"], "info") - require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTICS_ENABLED"], "true") - require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTICS_METRIC_LEVEL"], "info") - require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTICS_FILE_COUNT"], "3") - require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTIC_LOG_FILE_SIZE_MB"], "50") + require.Equal(t, clusteringServiceEnvConfigData["JMX_ENABLED"], "true") + require.Equal(t, clusteringServiceEnvConfigData["HEALTH_MONITORING_LEVEL"], "OFF") + require.Equal(t, clusteringServiceEnvConfigData["GROUP_NAME"], "prpchz") + require.Equal(t, clusteringServiceEnvConfigData["GRACEFUL_SHUTDOWN_MAX_WAIT_SECONDS"], "600") + require.Equal(t, clusteringServiceEnvConfigData["LOGGING_LEVEL"], "info") + require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTICS_ENABLED"], "true") + require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTICS_METRIC_LEVEL"], "info") + require.Equal(t, 
clusteringServiceEnvConfigData["DIAGNOSTICS_FILE_COUNT"], "3") + require.Equal(t, clusteringServiceEnvConfigData["DIAGNOSTIC_LOG_FILE_SIZE_MB"], "50") + if ssl { + require.Equal(t, clusteringServiceEnvConfigData["ENCRYPTION_ENABLED"], "true") + require.Equal(t, clusteringServiceEnvConfigData["ENCRYPTION_KEYSTORE_NAME"], "cluster-keystore.jks") + require.Equal(t, clusteringServiceEnvConfigData["ENCRYPTION_TRUSTSTORE_NAME"], "cluster-truststore.jks") + if highlySecureCryptoModeEnabled { + require.Equal(t, clusteringServiceEnvConfigData["HIGHLY_SECURE_CRYPTO_MODE_ENABLED"], "true") + } + } } } diff --git a/terratest/src/test/pega/pega-environment-config-with-hzcs_test.go b/terratest/src/test/pega/pega-environment-config-with-hzcs_test.go index d92dbc60f..11f5ff7b6 100644 --- a/terratest/src/test/pega/pega-environment-config-with-hzcs_test.go +++ b/terratest/src/test/pega/pega-environment-config-with-hzcs_test.go 
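Review bot: Only the positive cases are pinned: when `ssl` is false nothing asserts that `ENCRYPTION_ENABLED` is absent or "false", and when `ssl` is true but `highlySecureCryptoModeEnabled` is false nothing asserts that `HIGHLY_SECURE_CRYPTO_MODE_ENABLED` is not "true", so a template regression that switched either on unconditionally would pass the default test. Add an else branch to the outer if, `} else { require.NotEqual(t, "true", clusteringServiceEnvConfigData["ENCRYPTION_ENABLED"]) }`, and to the inner one, `} else { require.NotEqual(t, "true", clusteringServiceEnvConfigData["HIGHLY_SECURE_CRYPTO_MODE_ENABLED"]) }`. The same applies to `HZ_SSL_ENABLED` in VerifyClusteringServiceEnvironmentConfigForClient in pega-environment-config-with-hzcs_test.go and to the `hz-encryption-secrets` volume in VerifyDeployment in pega-tier-deployment_test.go, which is asserted present for hazelcastSSL but never asserted absent otherwise. The re-indentation of the nine unchanged `require.Equal` lines above the new block also makes the hunk harder to review than it needs to be. VerifyClusteringServiceEnvironmentConfig begins in the previous hunk.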
@@ -10,79 +10,140 @@ import ( "testing" ) -func TestPegaHazelcastEnvironmentConfigForClient(t *testing.T){ - var supportedVendors = []string{"k8s","openshift","eks","gke","aks","pks"} - var supportedOperations = []string{"deploy","install-deploy"} +func TestPegaHazelcastEnvironmentConfigForClient(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} helmChartPath, err := filepath.Abs(PegaHelmChartPath) require.NoError(t, err) + for _, vendor := range supportedVendors { - for _,vendor := range supportedVendors{ + for _, operation := range supportedOperations { - for _,operation := range supportedOperations{ + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.enabled": "true", + "hazelcast.migration.embeddedToCSMigration": "false", + }, + } + + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"}) + VerifyPegaHazelcastEnvironmentConfigForClient(t, yamlContent, options) + + } + } + + for _, vendor := range supportedVendors { + + for _, operation := range supportedOperations { fmt.Println(vendor + "-" + operation) var options = &helm.Options{ SetValues: map[string]string{ - "global.provider": vendor, - "global.actions.execute": operation, - "hazelcast.enabled": "true", + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.enabled": "false", + "hazelcast.clusteringServiceEnabled": "true", "hazelcast.migration.embeddedToCSMigration": "false", }, } yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"}) - VerifyPegaHazelcastEnvironmentConfigForClient(t,yamlContent, options) + VerifyClusteringServiceEnvironmentConfigForClient(t, yamlContent, options, false, false) } } - for _,vendor := range 
supportedVendors{ + for _, vendor := range supportedVendors { - for _,operation := range supportedOperations{ + for _, operation := range supportedOperations { - fmt.Println(vendor + "-" + operation) + fmt.Println(vendor + "-" + operation) - var options = &helm.Options{ - SetValues: map[string]string{ - "global.provider": vendor, - "global.actions.execute": operation, - "hazelcast.enabled": "false", - "hazelcast.clusteringServiceEnabled": "true", - "hazelcast.migration.embeddedToCSMigration": "false", - }, - } + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.enabled": "false", + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.migration.embeddedToCSMigration": "false", + }, + } - yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"}) - VerifyClusteringServiceEnvironmentConfigForClient(t,yamlContent, options) + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"}) + VerifyClusteringServiceEnvironmentConfigForClient(t, yamlContent, options, false, false) - } - } + } + } - for _,vendor := range supportedVendors{ +} - for _,operation := range supportedOperations{ +func TestPegaHazelcastEnvironmentConfigForClientWithSSL(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} - fmt.Println(vendor + "-" + operation) + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) - var options = &helm.Options{ - SetValues: map[string]string{ - "global.provider": vendor, - "global.actions.execute": operation, - "hazelcast.enabled": "false", - "hazelcast.clusteringServiceEnabled": "true", - "hazelcast.migration.embeddedToCSMigration": "false", - }, - } + for _, vendor := range supportedVendors { - yamlContent := RenderTemplate(t, options, 
helmChartPath, []string{"templates/pega-environment-config.yaml"}) - VerifyClusteringServiceEnvironmentConfigForClient(t,yamlContent, options) + for _, operation := range supportedOperations { - } - } + fmt.Println(vendor + "-" + operation) + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.enabled": "false", + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.encryption.enabled": "true", + "global.highlySecureCryptoModeEnabled": "false", + }, + } + + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"}) + VerifyClusteringServiceEnvironmentConfigForClient(t, yamlContent, options, true, false) + + } + } +} + +func TestPegaHazelcastEnvironmentConfigForClientWithHighlySecureCryptoModeEnabled(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + for _, operation := range supportedOperations { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "hazelcast.enabled": "false", + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.encryption.enabled": "true", + "global.highlySecureCryptoModeEnabled": "true", + }, + } + + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"}) + VerifyClusteringServiceEnvironmentConfigForClient(t, yamlContent, options, true, true) + + } + } } func VerifyPegaHazelcastEnvironmentConfigForClient(t *testing.T, yamlContent string, options *helm.Options) { 
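Review bot: TestPegaHazelcastEnvironmentConfigForClient now contains two consecutive loops with identical SetValues (`hazelcast.enabled` false, `hazelcast.clusteringServiceEnabled` true, `hazelcast.migration.embeddedToCSMigration` false) that render the same template and both call `VerifyClusteringServiceEnvironmentConfigForClient(t, yamlContent, options, false, false)`, so the second loop only doubles the test's runtime. The duplication appears to predate this commit, but since the commit re-indents both loops, deleting one of them here would be cheap. Independently, TestPegaHazelcastEnvironmentConfigForClientWithSSL and the highly-secure variant differ only in the value of `global.highlySecureCryptoModeEnabled` and the booleans passed to the verifier, which the helper pattern suggested for clustering-service-deployment_test.go would also collapse.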
@@ -101,7 +162,8 @@ func VerifyPegaHazelcastEnvironmentConfigForClient(t *testing.T, yamlContent str } } -func VerifyClusteringServiceEnvironmentConfigForClient(t *testing.T, yamlContent string, options *helm.Options) { +func VerifyClusteringServiceEnvironmentConfigForClient(t *testing.T, yamlContent string, options *helm.Options, + ssl bool, highlySecureCryptoModeEnabled bool) { var envConfigMap k8score.ConfigMap statefulSlice := strings.Split(yamlContent, "---") @@ -113,6 +175,18 @@ func VerifyClusteringServiceEnvironmentConfigForClient(t *testing.T, yamlContent require.Equal(t, envConfigData["HZ_CLIENT_MODE"], "true") require.Equal(t, envConfigData["HZ_CLUSTER_NAME"], "prpchz") require.Equal(t, envConfigData["HZ_SERVER_HOSTNAME"], "clusteringservice-service.default.svc.cluster.local") + if ssl { + require.Equal(t, envConfigData["HZ_SSL_ENABLED"], "true") + require.Equal(t, envConfigData["HZ_SSL_PROTOCOL"], "TLS") + require.Equal(t, envConfigData["HZ_SSL_KEY_STORE_NAME"], "cluster-keystore.jks") + require.Equal(t, envConfigData["HZ_SSL_TRUST_STORE_NAME"], "cluster-truststore.jks") + if highlySecureCryptoModeEnabled { + require.Equal(t, envConfigData["HIGHLY_SECURE_CRYPTO_MODE_ENABLED"], "true") + require.Equal(t, envConfigData["HZ_SSL_ALGO"], "PKIX") + } else { + require.Equal(t, envConfigData["HZ_SSL_ALGO"], "SunX509") + } + } } } -} \ No newline at end of file +} diff --git a/terratest/src/test/pega/pega-tier-deployment_test.go b/terratest/src/test/pega/pega-tier-deployment_test.go index b24e2d629..433592c39 100644 --- a/terratest/src/test/pega/pega-tier-deployment_test.go +++ b/terratest/src/test/pega/pega-tier-deployment_test.go 
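Review bot: The `else` branch pins `HZ_SSL_ALGO` to `SunX509` and the highly-secure branch to `PKIX` without saying why, so a reader cannot tell whether keeping SunX509 in the default mode is deliberate or an oversight. A one-line comment above the `if highlySecureCryptoModeEnabled`, e.g. `// Highly secure mode presumably switches the JSSE key/trust manager algorithm from the legacy SunX509 to the standard PKIX implementation; confirm against the template before relying on this.`, would record the contract where the assertion lives. The `"TLS"` value for `HZ_SSL_PROTOCOL` would likewise benefit from a note on which TLS versions the clustering service accepts, if the template fixes that. VerifyClusteringServiceEnvironmentConfigForClient begins in the preceding hunk.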
@@ -54,6 +54,46 @@ func TestPegaTierDeployment(t *testing.T) { } } +func TestPegaTierDeploymentWithHazelcastSSL(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy", "install-deploy", "upgrade-deploy"} + var deploymentNames = []string{"pega", "myapp-dev"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + for _, operation := range supportedOperations { + + for _, depName := range deploymentNames { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "global.deployment.name": depName, + "installer.upgrade.upgradeType": "zero-downtime", + "global.storageClassName": "storage-class", + "hazelcast.clusteringServiceEnabled": "true", + "hazelcast.encryption.enabled": "true", + }, + } + + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) + yamlSplit := strings.Split(yamlContent, "---") + assertWeb(t, yamlSplit[1], options) + assertBatch(t, yamlSplit[2], options) + //assertStream(t, yamlSplit[3], options) + //assertStreamWithSorageClass(t, yamlSplit[3], options) + + } + } + } +} + /*func assertStreamWithSorageClass(t *testing.T, streamYaml string, options *helm.Options) { var statefulsetObj appsv1beta2.StatefulSet UnmarshalK8SYaml(t, streamYaml, &statefulsetObj) 
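Review bot: TestPegaTierDeploymentWithHazelcastSSL sets `hazelcast.encryption.enabled` to true but verifies the web and batch deployments through `assertWeb` and `assertBatch`, which in the next hunk forward `hazelcastSSL=false`, so the `hz-encryption-secrets` volume and `/opt/hazelcast/certs` mount that VerifyDeployment checks in its hazelcastSSL branch are never asserted and this test proves nothing beyond TestPegaTierDeployment. The two calls should be `assertWebWithHZSSL(t, yamlSplit[1], options, true)` and `assertBatchWithHZSSL(t, yamlSplit[2], options, true)`. The trace line `fmt.Println(vendor + "-" + operation)` also omits `depName`, so the two deployment-name iterations are indistinguishable in the output.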
@@ -180,25 +220,36 @@ func TestPegaTierDeploymentWithFSGroup(t *testing.T) { VerifyPegaStatefulSet(t, &statefulsetObj, pegaDeployment{getObjName(options, "-stream"), initContainers, "Stream", "900"}, options) }*/ -func assertBatch(t *testing.T, batchYaml string, options *helm.Options) { +func assertBatchWithHZSSL(t *testing.T, batchYaml string, options *helm.Options, hazelcastSSL bool) { var deploymentObj appsv1.Deployment UnmarshalK8SYaml(t, batchYaml, &deploymentObj) require.Equal(t, deploymentObj.ObjectMeta.Name, getObjName(options, "-batch")) VerifyPegaDeployment(t, &deploymentObj, - pegaDeployment{getObjName(options, "-batch"), initContainers, "BackgroundProcessing,Search,Batch,RealTime,Custom1,Custom2,Custom3,Custom4,Custom5,BIX", ""}, - options) + pegaDeployment{getObjName(options, "-batch"), initContainers, + "BackgroundProcessing,Search,Batch,RealTime,Custom1,Custom2,Custom3,Custom4,Custom5,BIX", ""}, + options, hazelcastSSL) } -func assertWeb(t *testing.T, webYaml string, options *helm.Options) { +func assertBatch(t *testing.T, batchYaml string, options *helm.Options) { + assertBatchWithHZSSL(t, batchYaml, options, false) +} + +func assertWebWithHZSSL(t *testing.T, webYaml string, options *helm.Options, hazelcastSSL bool) { var deploymentObj appsv1.Deployment UnmarshalK8SYaml(t, webYaml, &deploymentObj) require.Equal(t, deploymentObj.ObjectMeta.Name, getObjName(options, "-web")) - VerifyPegaDeployment(t, &deploymentObj, pegaDeployment{getObjName(options, "-web"), initContainers, "WebUser", "900"}, options) + VerifyPegaDeployment(t, &deploymentObj, pegaDeployment{getObjName(options, "-web"), + initContainers, "WebUser", "900"}, options, hazelcastSSL) +} + +func assertWeb(t *testing.T, webYaml string, options *helm.Options) { + assertWebWithHZSSL(t, webYaml, options, false) } // VerifyPegaStatefulSet - Performs specific Pega statefulset assertions with the values as provided in default values.yaml -func VerifyPegaStatefulSet(t *testing.T, statefulsetObj 
*appsv1beta2.StatefulSet, expectedStatefulset pegaDeployment, options *helm.Options) { +func VerifyPegaStatefulSet(t *testing.T, statefulsetObj *appsv1beta2.StatefulSet, + expectedStatefulset pegaDeployment, options *helm.Options, hazelcastSSL bool) { require.Equal(t, getObjName(options, "-stream"), statefulsetObj.Spec.VolumeClaimTemplates[0].Name) require.Equal(t, k8score.PersistentVolumeAccessMode("ReadWriteOnce"), statefulsetObj.Spec.VolumeClaimTemplates[0].Spec.AccessModes[0]) require.Equal(t, getObjName(options, "-stream"), statefulsetObj.Spec.ServiceName) @@ -207,11 +258,12 @@ func VerifyPegaStatefulSet(t *testing.T, statefulsetObj *appsv1beta2.StatefulSet require.Equal(t, "/opt/pega/kafkadata", statefulsetSpec.Containers[0].VolumeMounts[1].MountPath) require.Equal(t, "pega-volume-credentials", statefulsetSpec.Containers[0].VolumeMounts[2].Name) require.Equal(t, "/opt/pega/secrets", statefulsetSpec.Containers[0].VolumeMounts[2].MountPath) - VerifyDeployment(t, &statefulsetSpec, expectedStatefulset, options) + VerifyDeployment(t, &statefulsetSpec, expectedStatefulset, options, hazelcastSSL) } // VerifyPegaDeployment - Performs specific Pega deployment assertions with the values as provided in default values.yaml -func VerifyPegaDeployment(t *testing.T, deploymentObj *appsv1.Deployment, expectedDeployment pegaDeployment, options *helm.Options) { +func VerifyPegaDeployment(t *testing.T, deploymentObj *appsv1.Deployment, + expectedDeployment pegaDeployment, options *helm.Options, hazelcastSSL bool) { require.Equal(t, int32(1), *deploymentObj.Spec.Replicas) require.Equal(t, int32(2147483647), *deploymentObj.Spec.ProgressDeadlineSeconds) require.Equal(t, expectedDeployment.name, deploymentObj.Spec.Selector.MatchLabels["app"]) 
@@ -222,11 +274,12 @@ func VerifyPegaDeployment(t *testing.T, deploymentObj *appsv1.Deployment, expect require.NotEmpty(t, deploymentObj.Spec.Template.Annotations["config-check"]) require.NotEmpty(t, deploymentObj.Spec.Template.Annotations["config-tier-check"]) deploymentSpec := deploymentObj.Spec.Template.Spec - VerifyDeployment(t, &deploymentSpec, expectedDeployment, options) + VerifyDeployment(t, &deploymentSpec, expectedDeployment, options, hazelcastSSL) } // VerifyDeployment - Performs common pega deployment/statefulset assertions with the values as provided in default values.yaml -func VerifyDeployment(t *testing.T, pod *k8score.PodSpec, expectedSpec pegaDeployment, options *helm.Options) { +func VerifyDeployment(t *testing.T, pod *k8score.PodSpec, expectedSpec pegaDeployment, options *helm.Options, + hazelcastSSL bool) { require.Equal(t, "pega-volume-config", pod.Volumes[0].Name) require.Equal(t, expectedSpec.name, pod.Volumes[0].VolumeSource.ConfigMap.LocalObjectReference.Name) require.Equal(t, volumeDefaultModePtr, pod.Volumes[0].VolumeSource.ConfigMap.DefaultMode) @@ -330,7 +383,11 @@ func VerifyDeployment(t *testing.T, pod *k8score.PodSpec, expectedSpec pegaDeplo require.Equal(t, "/opt/pega/config", pod.Containers[0].VolumeMounts[0].MountPath) require.Equal(t, "pega-volume-config", pod.Volumes[0].Name) require.Equal(t, "pega-volume-credentials", pod.Volumes[1].Name) - + if hazelcastSSL { + require.Equal(t, "hz-encryption-secrets", pod.Volumes[2].Name) + require.Equal(t, "hz-encryption-secrets", pod.Containers[0].VolumeMounts[1].Name) + require.Equal(t, "/opt/hazelcast/certs", pod.Containers[0].VolumeMounts[1].MountPath) + } } type pegaDeployment struct { From b2acdb47cfa2dcce3067ae5bc18f9b0b1c4a4e66 Mon Sep 17 00:00:00 2001 
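Review bot: The hazelcastSSL branch in VerifyDeployment pins the cert volume to `pod.Volumes[2]` and its mount to `pod.Containers[0].VolumeMounts[1]`, a positional ordering of template output that the chart does not promise and that will break as soon as another conditional volume or mount is added in front of it; the same index-based check is used for `VolumeMounts[2]` in VerifyClusteringServiceDeployment. Looking the mount up by name keeps the assertion about what matters (the mount exists and lands on `/opt/hazelcast/certs`) and the volume can be found the same way. VerifyDeployment's signature is in the earlier hunk of this file and its body continues outside the hunk.
```go
// volumeMountByName returns the mount named name from mounts, failing the test if it is absent.
func volumeMountByName(t *testing.T, mounts []k8score.VolumeMount, name string) k8score.VolumeMount {
	for _, m := range mounts {
		if m.Name == name {
			return m
		}
	}
	require.FailNow(t, "volume mount not found", name)
	return k8score.VolumeMount{}
}

// … unchanged: VerifyDeployment assertions up to pega-volume-credentials …
	if hazelcastSSL {
		require.Equal(t, "hz-encryption-secrets", pod.Volumes[2].Name)
		certs := volumeMountByName(t, pod.Containers[0].VolumeMounts, "hz-encryption-secrets")
		require.Equal(t, "/opt/hazelcast/certs", certs.MountPath)
	}
```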
From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Wed, 11 Dec 2024 16:49:16 +0100 Subject: [PATCH 09/11] US-654940 - Remove docs-previous links from github readmes (#857) * US-654940 - Remove docs-previous links from github readmes Many links to Pega Community forward the user to the docs-previous page that is being decommissioned. * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes * US-654940 - Remove docs-previous links from github readmes --- README.md | 12 +++++------ .../charts/constellation-messaging/README.md | 2 +- .../charts/constellation/README.md | 7 ++----- charts/pega/README.md | 20 +++++++++---------- docs/Deploying-Pega-on-AKS.md | 2 +- docs/Deploying-Pega-on-EKS.md | 2 +- docs/Deploying-Pega-on-GKE.md | 2 +- docs/Deploying-Pega-on-PKS.md | 2 +- docs/Deploying-Pega-on-openshift.md | 2 +- .../building-your-own-Pega-installer-image.md | 7 +++---- docs/patching-pega-deployment.md | 9 +++++---- ...upgrading-pega-deployment-zero-downtime.md | 2 +- 12 files changed, 32 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 4896ac052..7b22c6007 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Pega deployment on Kubernetes -This project provides Helm charts and basic examples for deploying Pega on Kubernetes. You will also need to download the required [installation kit](https://community.pega.com/knowledgebase/products/platform/deploy) from the Pega Community which includes rules and data to preload into your relational database. Deploying Pega on Kubernetes requires Pega Infinity 8.3 or later. +This project provides Helm charts and basic examples for deploying Pega on Kubernetes. You will also need to download the required [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html) which include rules and data to preload into your relational database. Deploying Pega on Kubernetes requires Pega Infinity 8.3 or later. [![Build Status](https://github.com/pegasystems/pega-helm-charts/actions/workflows/github-actions-build.yml/badge.svg)](https://github.com/pegasystems/pega-helm-charts/actions/workflows/github-actions-build.yml) [![GitHub release](https://img.shields.io/github/release/pegasystems/pega-helm-charts.svg)](https://github.com/pegasystems/pega-helm-charts/releases) 
@@ -79,7 +79,7 @@ $ helm inspect values pega/backingservices > backingservices.yaml * [Instructions to configure the Pega addons](charts/addons/README.md) * [Instructions to configure the Pega backingservices](charts/backingservices/README.md) -When making customizations for your environment, check the [Pega Platform Support Guide Resources](https://community.pega.com/knowledgebase/articles/pega-platform-support-guide-resources) to verify that those changes are supported by your Pega Platform version. +When making customizations for your environment, check the [Pega Platform Support Guide](https://docs.pega.com/bundle/platform/page/platform/deployment/platform-support-guide/platform-support-guide.html) to verify that those changes are supported by your Pega Platform version. 5. Create namespaces for your Pega deployment, backingservices and the addons (if applicable for your environment). 
@@ -101,7 +101,7 @@ $ helm install backingservices pega/backingservices --namespace pegabackingservi $ helm install addons pega/addons --namespace pegaaddons --values addons.yaml ``` -8. With addons and backservices deployed, you are ready to deploy Pega Infinity using the pega chart. Before installing using the chart, it is a good idea to review the detailed [deployment guide](https://community.pega.com/knowledgebase/articles/deploying-pega-platform-using-kubernetes) to understand how Pega deploys as a distributed system. Running a Helm installation using the pega chart installs a Pega Infinity instance into a specified namespace. After you edit the chart with your configuration requirements, run the following command to install the pega chart. +8. With addons and backservices deployed, you are ready to deploy Pega Infinity using the pega chart. Before installing using the chart, it is a good idea to review [Containerized deployments in Kubernetes environments](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/containerized-deployments-kubernetes.html) to understand how Pega deploys as a distributed system. Running a Helm installation using the pega chart installs a Pega Infinity instance into a specified namespace. After you edit the chart with your configuration requirements, run the following command to install the pega chart. ```bash $ helm install mypega pega/pega --namespace mypega --values pega.yaml 
@@ -131,7 +131,7 @@ To upgrade your strategic application, use the latest Upgrade Guide available fo ## Patches -To apply a Pega Platform patch with zero downtime to your existing Pega platform software, you must download the latest installer Docker images from Pega Digital Software Delivery and change several options in your Pega Helm chart. For details and helpful resources explaining the Pega Platform patch process, including the Pega Infinity patch policy, see [Applying the latest patch](https://community.pega.com/knowledgebase/articles/keeping-current-pega/86/applying-latest-patch). For step-by-step guidance to apply a Pega Platform patch, see the Pega-provided runbook, [Patching Pega Platform in your deployment](/docs/patching-pega-deployment.md). +To apply a Pega Platform patch with zero downtime to your existing Pega platform software, you must download the latest installer Docker images from Pega Digital Software Delivery and change several options in your Pega Helm chart. For details and helpful resources explaining the Pega Platform patch process, including the Pega Infinity patch policy, see [Pega software maintenance program](https://docs.pega.com/bundle/keeping-current/page/keeping-current/kc/pega-software-maintenance.html). For step-by-step guidance to apply a Pega Platform patch, see the Pega-provided runbook, [Patching Pega Platform in your deployment](/docs/patching-pega-deployment.md). # Downloading Docker images for your deployment 
@@ -148,7 +148,7 @@ Status: Downloaded pega-docker.downloads.pega.com/platform/pega: All Docker images for Pega Platform releases that are in Standard Support undergo a nightly rebuild that applies the latest available updates and patches to all third-party components. To take advantage of these updates, you must redeploy your Pega Platform with the latest available images. Pega does not guarantee nightly rebuilds for Pega Platform releases in Extended Support and stops rebuilding images for Pega Platform releases that are out of Extended Support. -For details about downloading and then pushing Docker images to your repository for your deployment, see [Using Pega-provided Docker images](https://docs.pega.com/bundle/platform-88/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html). +For details about downloading and then pushing Docker images to your repository for your deployment, see [Using Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html). From Helm chart versions `2.2.0` and above, update your Pega Platform version to the latest patch version. 
@@ -196,7 +196,7 @@ New versions of this Helm Chart may be released at any time. Versions are define ## Helm charts and Docker images compatibility -Both Helm charts and Docker images undergo frequent updates; new Helm chart releases may appear at any time, and the latest patch versions of the Docker images are rebuilt nightly as part of software maintenance (for more information, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform-88/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html)). This might result in incompatibility issues during the install and upgrade process. To ensure that Helm charts and Docker images are compatible, do one of the following actions: +Both Helm charts and Docker images undergo frequent updates; new Helm chart releases may appear at any time, and the latest patch versions of the Docker images are rebuilt nightly as part of software maintenance (for more information, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html)). This might result in incompatibility issues during the install and upgrade process. To ensure that Helm charts and Docker images are compatible, do one of the following actions: * If you update your Helm charts to the latest version to take advantage of new features, update your Docker images to the latest version as well (latest build of the latest patch). * If you upgrade your Pega Platform to a later version, use the latest Docker image build and latest Helm chart version. diff --git a/charts/backingservices/charts/constellation-messaging/README.md b/charts/backingservices/charts/constellation-messaging/README.md index f2ef2bf1f..1ffb6fa18 100644 --- a/charts/backingservices/charts/constellation-messaging/README.md +++ b/charts/backingservices/charts/constellation-messaging/README.md 
@@ -6,7 +6,7 @@ Once the service routing (with TLS) is set up, configure the Pega Infinity Const Only a single Messaging Service deployment is necessary to support an entire organization. Do not install the service in every namespace or for every application or project. -Complete information on the design of the service including architecture, scalability, reliability, operations and troubleshooting is available at [https://documents.constellation.pega.io/messaging/introduction.html](https://documents.constellation.pega.io/messaging/introduction.html). +Complete information on the design of the service including architecture, scalability, reliability, operations and troubleshooting is available at [Constellation service deployment](https://docs.pega.com/bundle/platform/page/platform/deployment/constellation/constellation-overview.html). ## Configuration settings diff --git a/charts/backingservices/charts/constellation/README.md b/charts/backingservices/charts/constellation/README.md index 30d58cfb3..2d984849e 100644 --- a/charts/backingservices/charts/constellation/README.md +++ b/charts/backingservices/charts/constellation/README.md @@ -1,9 +1,6 @@ # Constellation UI setup -Please refer to - > https://documents.constellation.pega.io/static/88/introduction.html - -for instructions related to the pegastatic content delivery setup. Once that is complete please proceed with the instructions below for the constellation appstatic service setup. +Please refer to [Constellation service deployment](https://docs.pega.com/bundle/platform/page/platform/deployment/constellation/constellation-overview.html) for instructions related to the pegastatic content delivery setup. Once that is complete please proceed with the instructions below for the constellation appstatic service setup. ## ConstellationUI helm chart 
@@ -30,7 +27,7 @@ Digest: Status: Downloaded pega-docker.downloads.pega.com/constellation-appstatic-service/docker-image:xxxxxxx ``` -For details about downloading and then pushing Docker images to your repository for your deployment, see [Using Pega-provided Docker images](https://docs.pega.com/client-managed-cloud/87/pega-provided-docker-images). +For details about downloading and then pushing Docker images to your repository for your deployment, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html). #### Constellationui runtime configuration diff --git a/charts/pega/README.md b/charts/pega/README.md index 08dd406f2..624d49c94 100644 --- a/charts/pega/README.md +++ b/charts/pega/README.md @@ -260,7 +260,7 @@ Pega supports deployments using a multi-tier architecture model that separates a Three values.yaml files are provided to showcase real world deployment examples. These examples can be used as a starting point for customization and are not expected to deployed as-is. -For more information about the architecture for how Pega Platform runs in a Pega cluster, see [How Pega Platform and applications are deployed on Kubernetes](https://community.pega.com/knowledgebase/articles/cloud-choice/how-pega-platform-and-applications-are-deployed-kubernetes). +For more information about the architecture for how Pega Platform runs in a Pega cluster, see [Containerized deployments in Kubernetes environments](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/containerized-deployments-kubernetes.html). #### Standard deployment using two tiers 
@@ -302,11 +302,9 @@ name: "mycrm-prod-web" ### nodeType (*Required*) Node classification is the process of separating nodes by purpose, predefining their behavior by assigning node types. When you associate a work resource with a specific node type,you optimize work performance in your Pega application. For more information, see -[Node classification](https://community.pega.com/sites/default/files/help_v83/procomhelpmain.htm#engine/node-classification/eng-node-classification-con.htm). +[Classifying nodes](https://docs.pega.com/bundle/platform/page/platform/system-administration/node-classifying-overview.html). -Specify the list of Pega node types for this deployment. For more information about valid node types, see the Pega Community article on [Node Classification]. - -[Node types for VM-based and containerized deployments](https://docs.pega.com/bundle/platform-88/page/platform/system-administration/node-types-on-premises.html) +Specify the list of Pega node types for this deployment. For more information about valid node types, see [Node types for VM-based and containerized deployments](https://docs.pega.com/bundle/platform/page/platform/system-administration/node-types-on-premises.html) Example: 
@@ -944,7 +942,7 @@ Use the `pegasearch` section to configure the source Elasticsearch service that Use the chart ['backingservices'](../backingservices) to deploy the Search and Reporting Service (SRS), a Pega Platform backing service enabling the latest generation of search and reporting capabilities for your Pega applications. SRS is independent from Pega Platform and replaces the previous implementation of Elasticsearch, the legacy client-server Elasticsearch plug-in. -To use SRS, follow the deployment instructions provided at ['backingservices'](../backingservices) before you configure and deploy the Pega Helm chart. For more information, see [External Elasticsearch in your deployment](https://docs.pega.com/bundle/platform-88/page/platform/deployment/externalization-of-services/externalize-search-in-your-deployment.html). +To use SRS, follow the deployment instructions provided at ['backingservices'](../backingservices) before you configure and deploy the Pega Helm chart. For more information, see [External Elasticsearch in your deployment](https://docs.pega.com/bundle/platform/page/platform/deployment/externalization-of-services/externalize-search-in-your-deployment.html). Configure the customerDeploymentId parameter in the global section of the values.yaml to provide data isolation in SRS. The customerDeploymentId is used as a prefix for all indexes created in ElasticSearch, and must be the value of the 'guid' claim if OAuth is used for authorization between Pega and SRS. This parameter defaults to the name of the namespace when left empty. 
@@ -998,7 +996,7 @@ Use the following configuration to provision the legacy client-server Elasticsea Parameter | Description | Default value --- | --- | --- -`image` | Set the `pegasearch.image` parameter to a registry that can access the Pega-provided `platform/search` Docker image. Download the image from the Pega repository, tag it, and push it to your local registry. As a best practice, use the latest available image for your Pega Platform version, based on the build date specified in the tag. For example, the image tagged "8.5.6-20230829" was built on August 29, 2023. For more information, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform-88/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html).| `platform/search:8.5.x-XXXXXXXX` +`image` | Set the `pegasearch.image` parameter to a registry that can access the Pega-provided `platform/search` Docker image. Download the image from the Pega repository, tag it, and push it to your local registry. As a best practice, use the latest available image for your Pega Platform version, based on the build date specified in the tag. For example, the image tagged "8.5.6-20230829" was built on August 29, 2023. For more information, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html).| `platform/search:8.5.x-XXXXXXXX` `imagePullPolicy` | Optionally specify an imagePullPolicy for the search container. | `""` `replicas` | Specify the desired replica count. | `1` `minimumMasterNodes` | To prevent data loss, you must configure the minimumMasterNodes setting so that each master-eligible node is set to the minimum number of master-eligible nodes that must be visible in order to form a cluster. Configure this value using the formula (n/2) + 1 where n is replica count or desired capacity. 
For more information, see the Elasticsearch [important setting documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html) for more information. | `1` @@ -1073,7 +1071,7 @@ stream: ## Pega database installation and upgrades -Pega requires a relational database that stores the rules, data, and work objects used and generated by Pega Platform. The [Pega Platform deployment guide](https://community.pega.com/knowledgebase/products/platform/deploy) provides detailed information about the requirements and instructions for installations and upgrades. Follow the instructions for Tomcat and your environment's database server. +Pega requires a relational database that stores the rules, data, and work objects used and generated by Pega Platform. For more detailed information about the requirements and instructions for installations and upgrades, see [Containerized deployments in Kubernetes environments](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/containerized-deployments-kubernetes.html). Follow the instructions for Tomcat and your environment's database server. The Helm charts also support an automated install or upgrade with a Kubernetes Job. The Job utilizes an installation Docker image and can be activated with the `action` parameter in the Pega Helm chart. 
@@ -1097,11 +1095,11 @@ installer: The Pega Helm charts support zero-downtime patch and upgrades processes which synchronize the required process steps to minimize downtime. With these zero-downtime processes, you and your customers can continue to access and use their applications in your environment with minimal disruption while you patch or upgrade your system. -To **upgrade Pega Platform software** deployed in a Kubernetes environment in zero-downtime, you must download the latest Pega-provided images for the version to which you are upgrading from [Pega Digital Software Delivery](https://community.pega.com/digital-delivery) and use the Helm chart with versions 1.6.0 or later to complete the upgrade. To learn about how the upgrade process works and its requirements and the steps you must complete, see the Pega-provided runbook, [Upgrading Pega Platform in your deployment with zero-downtime](/docs/upgrading-pega-deployment-zero-downtime.md). With earlier versions of the Pega Helm charts, you must use the Pega Platform upgrade guides. To obtain the latest upgrade guide, see [Stay current with Pega](https://community.pega.com/upgrade). - +To **upgrade Pega Platform software** deployed in a Kubernetes environment in zero-downtime, you must download the latest Pega-provided images for the version to which you are upgrading from [Pega Digital Software Delivery](https://community.pega.com/digital-delivery) and use the Helm chart with versions 1.6.0 or later to complete the upgrade. To learn about how the upgrade process works and its requirements and the steps you must complete, see the Pega-provided runbook, [Upgrading Pega Platform in your deployment with zero-downtime](/docs/upgrading-pega-deployment-zero-downtime.md). + To complete your Pega Infinity upgrade, after you upgrade your Pega Platform software using the Pega Helm charts and Docker images, you must use the latest Pega application software Upgrade Guide, which is separate from Pega Platform software. 
You can locate the appropriate upgrade guide for your installed application from the page, [All Products](https://community.pega.com/knowledgebase/products). -To **apply a Pega Platform patch** with zero-downtime to your existing Pega platform software, you use the same "zero-downtime" parameters that you use for upgrades and use the Pega-provided `platform/installer` Docker image that you downloaded for your patch version. For step-by-step guidance to apply a Pega Platform patch, see the Pega-provided runbook, [Patching Pega Platform in your deployment](/docs/patching-pega-deployment.md). The patch process applies only changes observed between the patch and your currently running version and then separately upgrades the data. For details about Pega patches, see [Pega software maintenance and extended support policy](https://community.pega.com/knowledgebase/articles/keeping-current-pega/85/pega-software-maintenance-and-extended-support-policy). +To **apply a Pega Platform patch** with zero-downtime to your existing Pega platform software, you use the same "zero-downtime" parameters that you use for upgrades and use the Pega-provided `platform/installer` Docker image that you downloaded for your patch version. For step-by-step guidance to apply a Pega Platform patch, see the Pega-provided runbook, [Patching Pega Platform in your deployment](/docs/patching-pega-deployment.md). The patch process applies only changes observed between the patch and your currently running version and then separately upgrades the data. For details about Pega patches, see [Pega software maintenance program](https://docs.pega.com/bundle/keeping-current/page/keeping-current/kc/pega-software-maintenance.html). Use the `installer` section of the values file with the appropriate parameters to install, upgrade, or apply a patch to your Pega Platform software: diff --git a/docs/Deploying-Pega-on-AKS.md b/docs/Deploying-Pega-on-AKS.md index c20377d83..b986ad319 100644 
--- a/docs/Deploying-Pega-on-AKS.md +++ b/docs/Deploying-Pega-on-AKS.md @@ -23,7 +23,7 @@ Use Kubernetes tools and the customized orchestration tools and Docker images to 4. Configure your network connections in the DNS management zone of your choice so you can log in to Pega Platform - [Logging in to Pega Platform – 10 minutes](#logging-in-to-pega-platform--10-minutes). -To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://community.pega.com/knowledgebase/articles/client-managed-cloud/cloud/understanding-pega-deployment-architecture). +To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-kubernetes-architecture.html). ## Assumptions and prerequisites diff --git a/docs/Deploying-Pega-on-EKS.md b/docs/Deploying-Pega-on-EKS.md index ca4be6bd0..93215d548 100644 --- a/docs/Deploying-Pega-on-EKS.md +++ b/docs/Deploying-Pega-on-EKS.md @@ -29,7 +29,7 @@ Use Kubernetes tools and the customized orchestration tools and Docker images to 4. Configure your network connections in the DNS management zone of your choice so you can log in to Pega Platform - [Logging in to Pega Platform – 10 minutes](#logging-in-to-pega-platform--10-minutes). -To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://community.pega.com/knowledgebase/articles/client-managed-cloud/cloud/understanding-pega-deployment-architecture). +To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-kubernetes-architecture.html). ## Assumptions and prerequisites 
diff --git a/docs/Deploying-Pega-on-GKE.md b/docs/Deploying-Pega-on-GKE.md index a7500faf5..38f2056d0 100644 --- a/docs/Deploying-Pega-on-GKE.md +++ b/docs/Deploying-Pega-on-GKE.md @@ -18,7 +18,7 @@ Use Kubernetes tools and the customized orchestration tools and Docker images to 4. Configure your network connections in the DNS management zone of your choice so you can log in to Pega Platform - [Logging in to Pega Platform – 10 minutes](#logging-in-to-pega-platform--10-minutes). -To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://community.pega.com/knowledgebase/articles/client-managed-cloud/cloud/understanding-pega-deployment-architecture). +To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-kubernetes-architecture.html). ## Assumptions and prerequisites diff --git a/docs/Deploying-Pega-on-PKS.md b/docs/Deploying-Pega-on-PKS.md index 244a34572..71b8bd7e2 100644 --- a/docs/Deploying-Pega-on-PKS.md +++ b/docs/Deploying-Pega-on-PKS.md 
@@ -25,7 +25,7 @@ Use Kubernetes tools and the customized orchestration tools and Docker images to 4. Configure your network connections in the DNS management zone of your choice so you can log in to Pega Platform - [Logging in to Pega Platform – 10 minutes](#logging-in-to-pega-platform--10-minutes). -To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://community.pega.com/knowledgebase/articles/client-managed-cloud/cloud/understanding-pega-deployment-architecture). +To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-kubernetes-architecture.html). ## Assumptions and prerequisites diff --git a/docs/Deploying-Pega-on-openshift.md b/docs/Deploying-Pega-on-openshift.md index 421c25569..0fb47a503 100644 --- a/docs/Deploying-Pega-on-openshift.md +++ b/docs/Deploying-Pega-on-openshift.md @@ -27,7 +27,7 @@ Use Kubernetes tools and the customized orchestration tools and Docker images to 4. Configure your network connections in the DNS management zone of your choice so you can log in to Pega Platform - [Logging in to Pega Platform – 10 minutes](#logging-in-to-pega-platform--10-minutes). -To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://community.pega.com/knowledgebase/articles/client-managed-cloud/cloud/understanding-pega-deployment-architecture). +To understand how Pega maps Kubernetes objects with Pega applications and services, see [Understanding the Pega deployment architecture](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-kubernetes-architecture.html). ## Assumptions and prerequisites 
diff --git a/docs/building-your-own-Pega-installer-image.md b/docs/building-your-own-Pega-installer-image.md index 3a99c8f95..8a08b0fbd 100644 --- a/docs/building-your-own-Pega-installer-image.md +++ b/docs/building-your-own-Pega-installer-image.md 
@@ -3,18 +3,17 @@ Building a Pega Platform installer docker image These instructions require the Pega Platform distribution image to install the Pega Platform onto your database. -Clients with appropriate licenses can download a distribution image from Pega. For additional instructions, see [Pega Digital Software Delivery User Guide](https://community.pega.com/knowledgebase/documents/pega-digital-software-delivery-user-guide). +Clients with appropriate licenses can download a distribution image from Pega. For additional instructions, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html). ## Downloading a Pega Platform distribution to your local system -These instructions require the Pega Platform distribution image to install the Pega Platform onto your database. To obtain a copy, you must download an image from Pega. For detailed instructions, see [Pega Digital Software Delivery User Guide](https://community.pega.com/knowledgebase/documents/pega-digital-software-delivery-user-guide). +These instructions require the Pega Platform distribution image to install the Pega Platform onto your database. To obtain a copy, you must download an image from Pega. For detailed instructions, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html). ### Requesting access to a Pega Platform distribution 1. In the browser of your choice, navigate to the Pega [Digital Software Delivery](https://community.pega.com/digital-delivery) site. -2. Log into the [Pega Community](https://community.pega.com/knowledgebase/articles/pega-cloud/pega-cloud-services-patch-process-releases-83x-and-later) - site with the credentials your Pega representative provided. +2. Log into the site with the credentials your Pega representative provided. 3. 
In the **Download and Upgrade Licensed Software** area, click **New request**. diff --git a/docs/patching-pega-deployment.md b/docs/patching-pega-deployment.md index ce0fc6244..e4406a6fb 100644 --- a/docs/patching-pega-deployment.md +++ b/docs/patching-pega-deployment.md 
@@ -4,15 +4,16 @@ After you deploy Pega Platform™ on your kubernetes environment, the Pega-prov Useful links to Pega software patching information: -- [Pega software maintenance and extended support policy](https://community.pega.com/knowledgebase/articles/keeping-current-pega/85/pega-software-maintenance-and-extended-support-policy) +- [Pega software maintenance program](https://docs.pega.com/bundle/keeping-current/page/keeping-current/kc/pega-software-maintenance.html) +- [Pega Extended Support program](https://docs.pega.com/bundle/keeping-current/page/keeping-current/kc/extended-support-policy.html) - [Pega Infinity patch calendar](https://community.pega.com/knowledgebase/articles/keeping-current-pega/pega-infinity-patch-calendar) -- [Pega Infinity patch frequently asked questions](https://community.pega.com/knowledgebase/articles/keeping-current-pega/85/pega-infinity-patch-frequently-asked-questions) +- [Pega software maintenance policies frequently asked questions](https://docs.pega.com/bundle/keeping-current/page/keeping-current/kc/pega-software-maintenance-faqs.html) ## Kubernetes-based patching process overview -Pega supports client-managed cloud clients applying patches for releases 8.4 and later using a zero-downtime patch process to apply the latest cumulative bundle of bug and security fixes since the last minor release. For the latest Pega Community articles, see [About client managed cloud](https://community.pega.com/knowledgebase/articles/client-managed-cloud/85/about-client-managed-cloud). +Pega supports client-managed cloud clients applying patches for releases 8.4 and later using a zero-downtime patch process to apply the latest cumulative bundle of bug and security fixes since the last minor release. For more information, see [Containerized deployments in Kubernetes environments](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/containerized-deployments-kubernetes.html). 
-The Pega zero-downtime patch process uses the zero-downtime patch process so you and your customers can continue working in your application while you patch your system. Pega zero-downtime patch scripts use a temporary data schema and the patch migration script moves the rules between the appropriate schema and then performs the required rolling reboot of your deployment cluster. For a detailed overview of the process, see [Applying a patch without downtime](https://community.pega.com/knowledgebase/articles/keeping-current-pega/86/applying-patch-without-downtime). +The Pega zero-downtime patch process uses the zero-downtime patch process so you and your customers can continue working in your application while you patch your system. Pega zero-downtime patch scripts use a temporary data schema and the patch migration script moves the rules between the appropriate schema and then performs the required rolling reboot of your deployment cluster. ## Client-required steps Client-managed cloud clients use the same Pega Kubernetes tools and Helm charts in the same Pega repository that you used to install Pega Platform in a supported Kubernetes environment. The client-managed cloud patch process includes the following tasks: diff --git a/docs/upgrading-pega-deployment-zero-downtime.md b/docs/upgrading-pega-deployment-zero-downtime.md index 1b496d3b3..54ec64270 100644 --- a/docs/upgrading-pega-deployment-zero-downtime.md +++ b/docs/upgrading-pega-deployment-zero-downtime.md 
@@ -2,7 +2,7 @@ After you deploy Pega Platform™ on your kubernetes environment, you can use a Pega-provided Docker image-based process to upgrade your Pega software with zero-downtime. The following procedures are written for any level of user, from a system administrator to a development engineer who wants to use helm charts and Pega Docker images to upgrade the Pega software you have deployed in any supported kubernetes environment. -For the latest Pega Community articles about Pega-provided docker images, see [About client managed cloud](https://community.pega.com/knowledgebase/articles/client-managed-cloud/86/about-client-managed-cloud). +For more information, see [Pega-provided Docker images](https://docs.pega.com/bundle/platform/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html). ## Kubernetes-based zero-downtime upgrade process overview From c968618ac8931931278f33fa42ceb4e695d6b208 Mon Sep 17 00:00:00 2001 From: Davis Walsh Date: Thu, 19 Dec 2024 16:04:33 -0500 Subject: [PATCH 10/11] update helm, yamllint, go, and ubuntu versions used in builds (#859) --- .github/workflows/github-actions-build.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/github-actions-build.yml b/.github/workflows/github-actions-build.yml index 7d2c7d6ef..e9e211857 100644 --- a/.github/workflows/github-actions-build.yml +++ b/.github/workflows/github-actions-build.yml @@ -2,9 +2,9 @@ name: Pega Chart Build env: HELM_URL: https://get.helm.sh - HELM_TGZ: helm-v3.14.3-linux-amd64.tar.gz - YAMLLINT_VERSION: 1.34.0 - GO_VERSION: 1.21.6 + HELM_TGZ: helm-v3.16.3-linux-amd64.tar.gz + YAMLLINT_VERSION: 1.35.1 + GO_VERSION: 1.23.4 on: @@ -23,7 +23,7 @@ concurrency: jobs: run-supplemental-validation-job: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Check out repository code uses: actions/checkout@v3 
@@ -31,7 +31,7 @@ jobs: run : | sh validate_supplementals.sh run-lint-job: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Check out repository code uses: actions/checkout@v3 @@ -72,7 +72,7 @@ jobs: sh validatexml.sh run-remark-job: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Check out repository code uses: actions/checkout@v3 @@ -91,7 +91,7 @@ jobs: remark -i .remark_ignore -f -u validate-links . run-go-tests-job: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Check out repository code uses: actions/checkout@v3 @@ -144,7 +144,7 @@ jobs: go test ./backingservices | grep "FAIL" -A 8 || true ; test ${PIPESTATUS[0]} -eq 0 run-deploy-job: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [run-lint-job, run-remark-job, run-go-tests-job] if: ( github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v') ) && success() steps: From d05ffbb7c14d5f2e9907380a05ed0c1c477e943c Mon Sep 17 00:00:00 2001 From: GaneshKatta95 Date: Thu, 26 Dec 2024 11:42:01 +0530 Subject: [PATCH 11/11] US 642597: Add FIPS flag for pega infinity (#858) * Defined a new variable isPegaHighlySecureCryptoModeEnabled which is independent on hazlecast encryption * Update HIGHLY_SECURE_CRYPTO_MODE_ENABLED env param based on isPegaHighlySecureCryptoModeEnable Co-authored-by: Saurabh --- charts/pega/templates/_helpers.tpl | 10 +++++- .../templates/pega-environment-config.yaml | 5 ++- .../test/pega/pega-environment-config_test.go | 32 +++++++++++++++++++ 3 files changed, 45 insertions(+), 2 deletions(-) diff --git a/charts/pega/templates/_helpers.tpl b/charts/pega/templates/_helpers.tpl index 24a00aa7f..4b89c8f9f 100644 --- a/charts/pega/templates/_helpers.tpl +++ b/charts/pega/templates/_helpers.tpl 
@@ -531,6 +531,14 @@ servicePort: use-annotation
 {{- end -}}
 {{- end -}}
 
+{{- define "isPegaHighlySecureCryptoModeEnabled" }}
+ {{- if .Values.global.highlySecureCryptoModeEnabled -}}
+ true
+ {{- else -}}
+ false
+ {{- end -}}
+{{- end -}}
+
 {{- define "pegaCredentialVolumeTemplate" }}
 - name: {{ template "pegaVolumeCredentials" }}
 projected:
@@ -562,4 +570,4 @@ servicePort: use-annotation
 - key: HZ_SSL_TRUSTSTORE_PASSWORD
 path: HZ_SSL_TRUSTSTORE_PASSWORD
 {{- end}}
-{{- end}}
\ No newline at end of file
+{{- end}}
diff --git a/charts/pega/templates/pega-environment-config.yaml b/charts/pega/templates/pega-environment-config.yaml
index 320bf436e..16467f2e1 100644
--- a/charts/pega/templates/pega-environment-config.yaml
+++ b/charts/pega/templates/pega-environment-config.yaml
@@ -185,12 +185,15 @@ data:
 HZ_SSL_KEY_STORE_NAME: "cluster-keystore.jks"
 HZ_SSL_TRUST_STORE_NAME: "cluster-truststore.jks"
 {{ if (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }}
- HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
 HZ_SSL_ALGO: "PKIX"
 {{- else }}
 HZ_SSL_ALGO: "SunX509"
 {{- end }}
 {{- end }}
+{{- end }}
+
+{{ if (eq (include "isPegaHighlySecureCryptoModeEnabled" .) "true") }}
+ HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
+{{- end }}
 # enable ssl verification for jdbc driver download
 ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: "{{ .Values.global.customArtifactory.enableSSLVerification }}"
diff --git a/terratest/src/test/pega/pega-environment-config_test.go b/terratest/src/test/pega/pega-environment-config_test.go
index 9d5b41890..83395d809 100644
--- a/terratest/src/test/pega/pega-environment-config_test.go
+++ b/terratest/src/test/pega/pega-environment-config_test.go
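Review bot: `{{- if .Values.global.highlySecureCryptoModeEnabled -}}` in the new `isPegaHighlySecureCryptoModeEnabled` helper tests Go-template truthiness, so a quoted value such as `highlySecureCryptoModeEnabled: "false"` in a values file is a non-empty string and renders as `true`, switching the strict-crypto mode on by accident. The added test would not catch this, because values passed through `SetValues` are, as far as I know, coerced to a boolean before the template sees them. Consider normalising the comparison, e.g. `{{- if eq (toString .Values.global.highlySecureCryptoModeEnabled) "true" -}}`, and add a short comment above the define stating that this flag drives `HIGHLY_SECURE_CRYPTO_MODE_ENABLED` independently of the Hazelcast TLS settings.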
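Review bot: `HIGHLY_SECURE_CRYPTO_MODE_ENABLED` is no longer emitted for deployments that only enable the Hazelcast highly-secure mode: the removed line set it under `isHzHighlySecureCryptoModeEnabled`, while the added block keys it solely on `isPegaHighlySecureCryptoModeEnabled`. Unless `isHzHighlySecureCryptoModeEnabled` itself reads `global.highlySecureCryptoModeEnabled` (its definition is outside this diff), upgrading to this chart silently drops the strict-crypto env var from existing clusters, which is a quiet security downgrade rather than a no-op refactor. The diffstat shows no change to values.yaml or the chart README, so the new `global.highlySecureCryptoModeEnabled` key is also undeclared and undocumented. If the decoupling is intended, document the key and the upgrade impact; otherwise keep the old trigger alive with `{{ if or (eq (include "isPegaHighlySecureCryptoModeEnabled" .) "true") (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }}`.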
@@ -77,6 +77,38 @@ func TestPegaEnvironmentConfigJDBCTimeouts(t *testing.T) {
 VerifyEnvValue(t, yamlContent, "JDBC_TIMEOUT_PROPERTIES_RO", "socketTimeout=150;")
 }
 
+func TestPegaHighlySecureCryptoModeEnabledEnvConfigParam(t *testing.T) {
+ var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"}
+ var supportedOperations = []string{"deploy", "install-deploy"}
+
+ helmChartPath, err := filepath.Abs(PegaHelmChartPath)
+ require.NoError(t, err)
+
+ for _, vendor := range supportedVendors {
+
+ for _, operation := range supportedOperations {
+
+ fmt.Println(vendor + "-" + operation)
+
+ var options = &helm.Options{
+ SetValues: map[string]string{
+ "global.provider": vendor,
+ "global.actions.execute": operation,
+ "global.highlySecureCryptoModeEnabled": "false",
+ },
+ }
+
+ yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"})
+ VerifyEnvNotPresent(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED")
+
+ options.SetValues["global.highlySecureCryptoModeEnabled"] = "true"
+ yamlContent = RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"})
+ VerifyEnvValue(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED", "true")
+
+ }
+ }
+}
+
 func VerifyEnvNotPresent(t *testing.T, yamlContent string, entry string) {
 var envConfigMap k8score.ConfigMap
 UnmarshalK8SYaml(t, yamlContent, &envConfigMap)
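Review bot: `fmt.Println(vendor + "-" + operation)` in `TestPegaHighlySecureCryptoModeEnabledEnvConfigParam` only writes to stdout, so a failing vendor/operation combination is never named in the test report; wrap the loop body in `t.Run(vendor+"-"+operation, func(t *testing.T) { … })` and drop the print. `var options = &helm.Options{` is better written `options := &helm.Options{` for a local. The test also pins only the `global.highlySecureCryptoModeEnabled` true/false pair; a case that enables only the Hazelcast highly-secure mode would record whether `HIGHLY_SECURE_CRYPTO_MODE_ENABLED` is meant to stay absent there, which this hunk leaves unasserted.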