Merge branch 'master' into srs-imagepullsecrets

README.md

@@ -146,6 +146,8 @@ Digest: <encryption verification>
 Status: Downloaded pega-docker.downloads.pega.com/platform/pega:<version>
 ```
 
+All Docker images for Pega Platform releases that are in Standard Support undergo a nightly rebuild that applies the latest available updates and patches to all third-party components. To take advantage of these updates, you must redeploy your Pega Platform with the latest available images. Pega does not guarantee nightly rebuilds for Pega Platform releases in Extended Support and stops rebuilding images for Pega Platform releases that are out of Extended Support.
+
 For details about downloading and then pushing Docker images to your repository for your deployment, see [Using Pega-provided Docker images](https://docs.pega.com/bundle/platform-88/page/platform/deployment/client-managed-cloud/pega-docker-images-manage.html).
 
 From Helm chart versions `2.2.0` and above, update your Pega Platform version to the latest patch version.

charts/backingservices/Makefile

@@ -26,3 +26,15 @@ purge-es-secrets:
 
 external-es-secrets:
 	kubectl create secret generic srs-certificates --from-file=$(PATH_TO_CERTIFICATE) --namespace=$(NAMESPACE)
+
+purge-srs-secrets:
+	kubectl delete secrets srs-certificates --namespace=$(NAMESPACE) || true
+
+purge-secrets: purge-es-secrets
+	make purge-srs-secrets
+
+update-secrets: purge-secrets
+	make es-prerequisite
+
+update-external-es-secrets: purge-srs-secrets
+	make external-es-secrets

charts/backingservices/charts/srs/templates/srsservice_deployment.yaml

@@ -82,6 +82,8 @@ spec:
                   key: password
             - name: PATH_TO_TRUSTSTORE
               value: "/usr/share/{{ .Values.srsStorage.certificateName | default "elastic-certificates.p12"}}"
+            - name: PATH_TO_KEYSTORE
+              value: "{{ .Values.srsStorage.certificatePassword | default ""}}"
             {{- end}}
             - name: APPLICATION_HOST
               value: "0.0.0.0"

charts/backingservices/requirements.yaml

@@ -3,9 +3,10 @@
 # NOTE: For kubernetes version >=1.25 or Elasticsearch version 7.17.9, 
 # use 7.17.3 for the elasticsearch 'version' parameter below (for Elasticsearch version 7.17.9, you will still use 7.17.9 in the backingservices values.yaml).
 # To disable deploying Elasticsearch in SRS, set the 'srs.srsStorage.provisionInternalESCluster' parameter in backingservices values.yaml to false.
+# The dependencies.version parameter refers to the Elastcisearch Helm chart version, not Elasticsearch server version.
 dependencies:
 - name: elasticsearch
-  version: "7.10.2"
+  version: "7.17.3"
   repository: https://helm.elastic.co/
   condition: srs.srsStorage.provisionInternalESCluster
 - name: constellation

charts/backingservices/values.yaml

@@ -57,8 +57,10 @@ srs:
     tls:
       enabled: false
     # To specify a certificate used to authenticate an external Elasticsearch service (with tls.enabled: true and srsStorage.provisionInternalESCluster: false),
-    # uncomment the following line to specify the TLS certificate name for your Elasticsearch service.
+    # uncomment the following lines to specify the TLS certificate name with password for your Elasticsearch service.
+    # Default certificatePassword value will be empty if not used.
     # certificateName: "Certificate_Name"
+    # certificatePassword: "password"
     # Set srs.srsStorage.basicAuthentication.enabled: true to enable the use of basic authentication to your Elasticsearch service
     # whether is it running as an internalized or externalized service in your SRS cluster.
     basicAuthentication:
@@ -84,9 +86,10 @@ constellation:
 # based on helm charts defined at https://github.com/elastic/helm-charts/tree/master/elasticsearch and may be modified
 # as per runtime and storage requirements.
 elasticsearch:
-  # for internally provisioned elasticsearch version is set to 7.10.2. Use this imageTag configuration to update it to 7.16.3 or
-  # 7.17.9 if required. However, we strongly recommend to use version 7.17.9.
-  imageTag: 7.10.2
+  # For internally provisioned Elasticsearch server, the imageTag parameter is set by default to 7.17.9, which is the recommended Elasticsearch server version
+  # for k8s version >= 1.25.
+  # Use this parameter to change it to 7.10.2 or 7.16.3 for k8s version < 1.25 and make sure to update the Elasticsearch helm chart version in requirements.yaml.
+  imageTag: 7.17.9
   # Permit co-located instances for solitary minikube virtual machines.
   antiAffinity: "soft"
   # Shrink default JVM heap.

charts/pega/Ephemeral-web-tier-values.yaml

@@ -94,7 +94,6 @@ global:
              <env name="database/databases/PegaRULES/dataSource" value="java:comp/env/jdbc/PegaRULES"/>
              <env name="database/databases/PegaDATA/dataSource" value="java:comp/env/jdbc/PegaRULES"/>
              <env name="security/urlaccesslog" value="NORMAL" />
-             <env name="security/urlaccessmode" value="WARN" />
              <!-- Most nodes have a 'default' classification and for these nodes, no additional changes need to be made to this file.  However,
              if this is node has a non-general purpose, for example: 'Agent', then the node classification setting should be added to this file. -->
              <!--env name="initialization/nodeclassification" value="Agent" /  -->

charts/pega/README.md

@@ -102,7 +102,7 @@ To support this option,
 2) Copy both files into the pega-helm-charts/charts/pega/templates directory of your local Helm repository.
 3) Update your local Helm repository to the latest version using the command: 
    - helm repo update pega https://pegasystems.github.io/pega-helm-charts
-4) Update your values.yaml file to refer to the external secret manager for DB password.
+4) Update the `external_secret_name` parameter in the values.yaml file to refer to the `spec.target.name` defined in the External Secret file you created in step 1. Update the parameter for each section where you want to use the External Secrets Operator.
 
 •  Pass secrets directly to your deployment using your organization's recommend practices. Pega supports the providers listed under the [Provider tab]( https://external-secrets.io/v0.8.1) as long as your implementation meets the documented guidelines for a given provider.
 
@@ -270,7 +270,7 @@ Node classification is the process of separating nodes by purpose, predefining t
 
 Specify the list of Pega node types for this deployment.  For more information about valid node types, see the Pega Community article on [Node Classification].
 
-[Node types for client-managed cloud environments](https://community.pega.com/knowledgebase/articles/performance/node-classification)
+[Node types for VM-based and containerized deployments](https://docs.pega.com/bundle/platform-88/page/platform/system-administration/node-types-on-premises.html)
 
 Example:
 
@@ -451,7 +451,7 @@ Parameter       | Description                                            | Defau
 `cpuLimit`      | CPU limit for pods in the current tier.                | `4`
 `memRequest`    | Initial memory request for pods in the current tier.   | `12Gi`
 `memLimit`      | Memory limit for pods in the current tier.             | `12Gi`
-`initialHeap`   | Specify the initial heap size of the JVM.              | `4096m`
+`initialHeap`   | Specify the initial heap size of the JVM.              | `8192m`
 `maxHeap`       | Specify the maximum heap size of the JVM.              | `8192m`
 
 ### JVM Arguments
@@ -652,6 +652,23 @@ tier:
       webXML: |-
         ...
 ```
+### Pega compressed configuration files
+
+To use [Pega configuration files](https://github.com/pegasystems/pega-helm-charts/blob/master/charts/pega/README.md#pega-configuration-files) in compressed format when deploying Pega Platform, replace each file with its compressed format file by completing the following steps:
+
+1) Compress each configuration file using the following command in your local terminal:
+```
+- cat "<path_to_actual_uncompressed_file_in_local>" | gzip -c | base64 
+```
+Example for a prconfig.xml file:
+```
+cat "pega-helm-charts/charts/pega/config/deploy/prconfig.xml" | gzip -c | base64
+```
+2) Provide the file content with the output of the command for each file executed.
+3) Set the `compressedConfigurations` in values.yaml to `true`, as in the following example:
+```yaml
+  compressedConfigurations: true
+```
 
 ### Pega diagnostic user
 
@@ -1148,7 +1165,7 @@ Parameter   | Description   | Default value
 `service.tls.traefik.insecureSkipVerify` | Set to `true` to skip verifying the certificate; do this in cases where you do not need a valid root/CA certificate but want to encrypt load balancer traffic. Leave the setting to `false` to both verify the certificate and encrypt load balancer traffic. | `false`
 
 ##### Important Points to note
-- By default, Pega provides a self-signed keystore and a custom root/CA certificate in Helm chart version `2.2.0`. To use the default keystore and CA certificate, leave the parameters service.tls.keystore, service.tls.keystorepassword and service.tls.cacertificate empty.
+- By default, Pega provides a self-signed keystore and a custom root/CA certificate in Helm chart version `2.2.0`. To use the default keystore and CA certificate, leave the parameters service.tls.keystore, service.tls.keystorepassword and service.tls.cacertificate empty. The default keystore and CA certificate expire on 25/12/2025.
 - To enable SSL, you must either provide a keystore with a keystorepassword or certificate, certificatekey and cacertificate files in PEM format. If you do not provide either, the deployment implements SSL by passing a Pega-provided default self-signed keystore and a custom root/CA certificate to the Pega web nodes.
 - The CA certificate can be issued by any valid Certificate Authorities or you can also use a self-created CA certificate with proper chaining.
 - To avoid exposing your certificates, you can use external secrets to manage your certificates. Pega also supports specifying the certificate files using the certificate parameters in the Pega values.yaml. To pass the files using these parameters, you must encode the certificate files using base64 and then enter the string output into the appropriate certificate parameter.

charts/pega/charts/hazelcast/values.yaml

@@ -38,8 +38,9 @@ client:
   clusterName: "PRPC"
 # Server side settings for Hazelcast
 server:
-  java_opts: "-Xms820m -Xmx820m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/hazelcast/logs/heapdump.hprof
-  -XX:+UseParallelGC -Xlog:gc*,gc+phases=debug:file=/opt/hazelcast/logs/gc.log:time,pid,tags:filecount=5,filesize=3m"
+  java_opts: "-XX:MaxRAMPercentage=80.0 -XX:InitialRAMPercentage=80.0 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/hazelcast/logs/heapdump.hprof
+   -XX:+UseG1GC -XX:NewRatio=3 -XshowSettings:vm -XX:InitiatingHeapOccupancyPercent=45
+   -Xlog:gc*,gc+phases=debug:file=/opt/hazelcast/logs/gc.log:time,pid,tags:filecount=5,filesize=3m"
   jmx_enabled: "true"
   health_monitoring_level: "OFF"
   operation_generic_thread_count: ""

charts/pega/charts/installer/templates/_pega-installer-job.tpl

@@ -63,6 +63,9 @@ spec:
           {{- $d := dict "deploySecret" "deployDBSecret" "deployNonExtsecret" "deployNonExtDBSecret" "extSecretName" .root.Values.global.jdbc.external_secret_name "nonExtSecretName" "pega-db-secret-name" "context" .root  -}}
           {{ include "secretResolver" $d | indent 10}}
 
+          {{- $artifactoryDict := dict "deploySecret" "deployArtifactorySecret" "deployNonExtsecret" "deployNonExtArtifactorySecret" "extSecretName" .root.Values.global.customArtifactory.authentication.external_secret_name "nonExtSecretName" "pega-custom-artifactory-secret-name" "context" .root -}}
+          {{ include "secretResolver" $artifactoryDict | indent 10}}
+
           # Fix it, Below peace of code always uses secret created from hz username & password. It cannot resolve hz external secret due to helm sub chart limitations. Modify it once hazelcast deployment is isolated.
           {{- if ( eq .root.Values.upgrade.isHazelcastClientServer "true" ) }}
           - secret:

charts/pega/config/certs/pegaca.crt

@@ -1,13 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIB+DCCAZ8CFG8/fDwY/1tqXeTTzOkWL1mZ2wO3MAoGCCqGSM49BAMCMH8xCzAJ
-BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i
-cmlkZ2UxGDAWBgNVBAoMD1BlZ2FzeXN0ZW1zIEluYzEZMBcGA1UECwwQQ2xvdWRF
-bmdpbmVlcmluZzEPMA0GA1UEAwwGcGVnYWNhMB4XDTIyMDUyNDExMDYzM1oXDTIz
-MDUyNDExMDYzM1owfzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
-dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEYMBYGA1UECgwPUGVnYXN5c3RlbXMgSW5j
-MRkwFwYDVQQLDBBDbG91ZEVuZ2luZWVyaW5nMQ8wDQYDVQQDDAZwZWdhY2EwWTAT
-BgcqhkjOPQIBBggqhkjOPQMBBwNCAASk58j/K3IzPUnsQxSrQ0LgstNaefjUneFa
-ewnBu1m2mMIIy1yEq66cai/o+95w0rzeHoaAhklxN9p3l2GIHbTwMAoGCCqGSM49
-BAMCA0cAMEQCIGHZKwtq7j7Avnq+0XakpFM6HNTBqLDCsWaegh379hElAiApObu8
-eLrNeUHdLylqMQ4dG/jSz17ovhOwgBu9A72dog==
+MIIDgTCCAmmgAwIBAgIEbZW6yjANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJJ
+TjESMBAGA1UECBMJVGVsYW5nYW5hMRIwEAYDVQQHEwlIeWRlcmFiYWQxFDASBgNV
+BAoTC1BlZ2FzeXN0ZW1zMQ0wCwYDVQQLEwRQZWdhMRUwEwYDVQQDEwxQZWdhIFN5
+c3RlbXMwHhcNMjMxMjI2MTIxMDE2WhcNMjUxMjI1MTIxMDE2WjBxMQswCQYDVQQG
+EwJJTjESMBAGA1UECBMJVGVsYW5nYW5hMRIwEAYDVQQHEwlIeWRlcmFiYWQxFDAS
+BgNVBAoTC1BlZ2FzeXN0ZW1zMQ0wCwYDVQQLEwRQZWdhMRUwEwYDVQQDEwxQZWdh
+IFN5c3RlbXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsATXTQFvw
+NQtJwHPZRiCCdniD+416heVzdPT5LKLzRouiFKoq9mu449nQAzYDtYhpHhlDmgMO
+hICthhNCO2d0OWN3mJatrI9d2F8N0iJD5YH+MyaEdDZzGg/eOAVredrLxQ+jf0FY
+CtKxfPdRepdz2QfVs6O0wMDGusEH0uY9GSDnJT85sdTbbALTq+AJJGZhV9cAu3BF
+BLbx2RR4V5G9NjvkjaiZQFGrBOlvm7sRhhgDAWvZu4dMspeum/dDUkHu1nIjFuXx
+Jsg9ERUvmQWD3Xocs1wSACW41IL+OkMZ5awKSUgxpktoIXm+TZW4+uKVndGn0RSo
+TKktJuT+yD5FAgMBAAGjITAfMB0GA1UdDgQWBBRVJZ0CLMWYWSw7LuEGnLUTx3MN
+CzANBgkqhkiG9w0BAQsFAAOCAQEAKWSg7en7tHfOFlN1Ae0cZk1DHW9y8OwFpmrM
+zgGjkM03VZHPh9orF++evFKcF2EyBKK34xD5CNEUH+WUAxe+vf6+u0Z/6Ru3Zhhs
+3POKnUFoWqzioBJOXlz1xmtbhvjT1waZd2Lg0a1yhsk2fRIYk/vpIUqbWtMrporE
+nyUsR7NOeMrj5pQiu8SpX3OgtKhVhkdG46wS9SnkpPLOOGyEyQ8ou9j/gG97Mzpz
+jH4dmMoYc4YDMw0aLFIDHoINqA9fHZznGLXnkO959r9cWGDqUZH/tSyYE5Qy5D7w
+6fT429bmovOShexqCRrzLciDPqdg7X5/YWAXXuGJlM0JYO4giQ==
 -----END CERTIFICATE-----

charts/pega/config/deploy/prconfig.xml

@@ -6,7 +6,6 @@
         <env name="database/databases/PegaRULES/dataSource" value="java:comp/env/jdbc/PegaRULES"/>
         <env name="database/databases/PegaDATA/dataSource" value="java:comp/env/jdbc/PegaRULES"/>
         <env name="security/urlaccesslog" value="NORMAL" />
-        <env name="security/urlaccessmode" value="WARN" />
         <!-- Most nodes have a 'default' classification and for these nodes, no additional changes need to be made to this file.  However,
         if this is node has a non-general purpose, for example: 'Agent', then the node classification setting should be added to this file. -->
         <!--env name="initialization/nodeclassification" value="Agent" /  -->

charts/pega/config/deploy/prlog4j2.xml

@@ -160,7 +160,7 @@
         <AppenderRef ref="DATAFLOW"/>
     </Logger>
     <!-- Added for Usage Metrics -->
-    <AsyncLogger name="com.pega.pegarules.session.internal.usagemetrics" additivity="true" level="USAGE">
+    <AsyncLogger name="com.pega.pegarules.session.internal.usagemetrics" additivity="true" level="info">
         <AppenderRef ref="USAGEMETRICS"/>
     </AsyncLogger>
 </Loggers>

charts/pega/templates/_helpers.tpl

@@ -241,7 +241,7 @@ until cqlsh -u {{ $cassandraUser | quote }} -p {{ $cassandraPassword | quote }}
 {{- if .node.initialHeap }}
   value: "{{ .node.initialHeap }}"
 {{- else }}
-  value: "4096m"
+  value: "8192m"
 {{- end }}
 # Maximum JVM heap size, equivalent to -Xmx
 - name: MAX_HEAP

charts/pega/templates/_pega-pdb.tpl

@@ -10,6 +10,10 @@ kind: PodDisruptionBudget
 metadata:
   name: {{ .name }}-pdb
   namespace: {{ .root.Release.Namespace }}
+{{- if .pdb.labels }}
+  labels:
+{{ toYaml .pdb.labels | indent 4 }}
+{{- end }}
 spec:
   {{- if .pdb.minAvailable }}
   minAvailable: {{ .pdb.minAvailable }}

charts/pega/templates/_pega_hpa.tpl

@@ -10,6 +10,10 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ .name | quote}}
   namespace: {{ .root.Release.Namespace }}
+{{- if .hpa.labels }}
+  labels:
+{{ toYaml .hpa.labels | indent 4 }}
+{{- end }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

charts/pega/templates/pega-environment-config.yaml

@@ -43,6 +43,12 @@ data:
   JDBC_TIMEOUT_PROPERTIES_RO: {{ .Values.global.jdbc.readerConnectionTimeoutProperties }}
 {{- else }}
   JDBC_TIMEOUT_PROPERTIES_RO: ""
+{{- end }}
+  # compression flag to decompress the config files of Pega Installation.
+{{- if .Values.global.compressedConfigurations }}
+  IS_PEGA_CONFIG_COMPRESSED: "{{ .Values.global.compressedConfigurations }}"
+{{- else }}
+  IS_PEGA_CONFIG_COMPRESSED: "false"
 {{- end }}
   # Rules schema of the Pega installation
 {{ if (eq (include "performUpgradeAndDeployment" .) "true") }}

charts/pega/values.yaml

@@ -121,6 +121,10 @@ global:
       serviceHost: "API_SERVICE_ADDRESS"
       httpsServicePort: "SERVICE_PORT_HTTPS"
 
+  # Set the `compressedConfigurations` parameter to `true` when the configuration files under charts/pega/config/deploy are in compressed format.
+  # For more information, see the “Pega compressed configuration files” section in the Pega Helm chart documentation.
+  compressedConfigurations: false
+
   # Specify the Pega tiers to deploy
   tier:
     - name: "web"

docs/Deploying-Pega-on-EKS.md

@@ -8,6 +8,10 @@ Pega helps enterprises and agencies quickly build business apps that deliver the
 
 Create a deployment of Pega Platform on which you can implement a scalable Pega application in a EKS cluster. You can use this deployment for a Pega Platform development environment. By completing these procedures, you deploy Pega Platform on a EKS cluster with a Amazon RDS database instance and two clustered virtual machines (VMs).
 
+*The following diagram shows how Pega Infinity 8.7 can be deployed on AWS with EKS*
+![Overview of EKS Pega Deployment](media/deploying-pega-on-eks.png)
+
+
 ## Deployment process overview
 
 Use Kubernetes tools and the customized orchestration tools and Docker images to orchestrate a deployment in a EKS cluster that you create for the deployment:

docs/upgrading-pega-deployment-zero-downtime.md

@@ -113,7 +113,7 @@ To complete an upgrade with zero downtime,  configure the following settings in
 - In the installer section of the Helm chart, update the following:
 
   - Specify `installer.installerMountVolumeClaimName` persistent Volume Claim name. This is a client-managed PVC for mounting upgrade artifacts.
-  - Specify `installer.upgradeType: "Zero-downtime"` to use the zero-downtime upgrade process.
+  - Specify `installer.upgradeType: "zero-downtime"` to use the zero-downtime upgrade process.
   - Specify `installer.targetRulesSchema: "<target-rules-schema-name>"` and `installer.targetDataSchema: "<target-data-schema-name>"` for the new target and data schema name that the process creates in your existing database for the upgrade process.
   - Specify `installer.upgrade.automaticResumeEnabled` to support resuming from point of failure
 
@@ -202,4 +202,4 @@ In this document, you specify that the Helm chart always “deploys” by using
   - `action.execute: upgrade-deploy`
   - `installer.upgrade.upgradeType: custom`
   - `installer.upgrade.upgradeSteps: disable_cluster_upgrade` to run disable_cluster_upgrade
-- Resume the upgrade process by using the `helm upgrade release --namespace mypega` command. For more information, see - [Upgrading your Pega Platform deployment using the command line](https://github.com/pegasystems/pega-helm-charts/blob/master/docs/upgrading-pega-deployment-zero-downtime.md#upgrading-your-pega-platform-deployment-using-the-command-line).
+- Resume the upgrade process by using the `helm upgrade release --namespace mypega` command. For more information, see - [Upgrading your Pega Platform deployment using the command line](https://github.com/pegasystems/pega-helm-charts/blob/master/docs/upgrading-pega-deployment-zero-downtime.md#upgrading-your-pega-platform-deployment-using-the-command-line).

terratest/src/test/backingservices/srs-deployment_test.go

@@ -211,6 +211,9 @@ func VerifyDeployment(t *testing.T, pod *k8score.PodSpec, expectedSpec srsDeploy
 	require.Equal(t, "PATH_TO_TRUSTSTORE", pod.Containers[0].Env[envIndex].Name)
 	require.Equal(t, "/usr/share/elastic-certificates.p12", pod.Containers[0].Env[envIndex].Value)
 	envIndex++
+	require.Equal(t, "PATH_TO_KEYSTORE", pod.Containers[0].Env[envIndex].Name)
+	require.Equal(t, "", pod.Containers[0].Env[envIndex].Value)
+	envIndex++
 	}
 	require.Equal(t, "APPLICATION_HOST", pod.Containers[0].Env[envIndex].Name)
     require.Equal(t, "0.0.0.0", pod.Containers[0].Env[envIndex].Value)