US 642597: Add FIPS flag for pega infinity (#858)

* Defined a new variable isPegaHighlySecureCryptoModeEnabled which is independent on hazlecast encryption * Update HIGHLY_SECURE_CRYPTO_MODE_ENABLED env param based on isPegaHighlySecureCryptoModeEnable Co-authored-by: Saurabh <Saurabh-16@users.noreply.github.com>
pegasystems · Dec 26, 2024 · d05ffbb · d05ffbb
1 parent c968618
commit d05ffbb
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 2 deletions.
diff --git a/charts/pega/templates/_helpers.tpl b/charts/pega/templates/_helpers.tpl
@@ -531,6 +531,14 @@ servicePort: use-annotation
   {{- end -}}
 {{- end -}}
 
+{{- define "isPegaHighlySecureCryptoModeEnabled" }}
+  {{- if .Values.global.highlySecureCryptoModeEnabled -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
+
 {{- define "pegaCredentialVolumeTemplate" }}
 - name: {{ template "pegaVolumeCredentials" }}
   projected:
@@ -562,4 +570,4 @@ servicePort: use-annotation
           - key: HZ_SSL_TRUSTSTORE_PASSWORD
             path: HZ_SSL_TRUSTSTORE_PASSWORD
   {{- end}}
-{{- end}}
+{{- end}}
diff --git a/charts/pega/templates/pega-environment-config.yaml b/charts/pega/templates/pega-environment-config.yaml
@@ -185,12 +185,15 @@ data:
   HZ_SSL_KEY_STORE_NAME: "cluster-keystore.jks"
   HZ_SSL_TRUST_STORE_NAME: "cluster-truststore.jks"
   {{ if (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }}
-  HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
   HZ_SSL_ALGO: "PKIX"
   {{- else }}
   HZ_SSL_ALGO: "SunX509"
   {{- end }}
 {{- end }}
+{{- end }}
+
+{{ if (eq (include "isPegaHighlySecureCryptoModeEnabled" .) "true") }}
+  HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
 {{- end }}
   # enable ssl verification for jdbc driver download
   ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: "{{ .Values.global.customArtifactory.enableSSLVerification }}"

diff --git a/terratest/src/test/pega/pega-environment-config_test.go b/terratest/src/test/pega/pega-environment-config_test.go
@@ -77,6 +77,38 @@ func TestPegaEnvironmentConfigJDBCTimeouts(t *testing.T) {
 	VerifyEnvValue(t, yamlContent, "JDBC_TIMEOUT_PROPERTIES_RO", "socketTimeout=150;")
 }
 
+func TestPegaHighlySecureCryptoModeEnabledEnvConfigParam(t *testing.T) {
+	var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"}
+	var supportedOperations = []string{"deploy", "install-deploy"}
+
+	helmChartPath, err := filepath.Abs(PegaHelmChartPath)
+	require.NoError(t, err)
+
+	for _, vendor := range supportedVendors {
+
+		for _, operation := range supportedOperations {
+
+			fmt.Println(vendor + "-" + operation)
+
+			var options = &helm.Options{
+				SetValues: map[string]string{
+					"global.provider":                      vendor,
+					"global.actions.execute":               operation,
+					"global.highlySecureCryptoModeEnabled": "false",
+				},
+			}
+
+			yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"})
+			VerifyEnvNotPresent(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED")
+
+			options.SetValues["global.highlySecureCryptoModeEnabled"] = "true"
+			yamlContent = RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"})
+			VerifyEnvValue(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED", "true")
+
+		}
+	}
+}
+
 func VerifyEnvNotPresent(t *testing.T, yamlContent string, entry string) {
 	var envConfigMap k8score.ConfigMap
 	UnmarshalK8SYaml(t, yamlContent, &envConfigMap)