From abe31ba087a554fb4d628041075095383887bb9f Mon Sep 17 00:00:00 2001 From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Wed, 13 Dec 2023 14:02:50 +0100 Subject: [PATCH 1/2] =?UTF-8?q?BUG-801156=20-=20Clarified=20messaging=20fo?= =?UTF-8?q?r=20Makefile=20commands=20for=20SRS=20deploy=E2=80=A6=20(#677)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * BUG-801156 - Clarified messaging for Makefile commands for SRS deployment * [BUG-801156] Updated cluster to service --- charts/backingservices/charts/srs/README.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/charts/backingservices/charts/srs/README.md b/charts/backingservices/charts/srs/README.md index 90b0f0c61..c8602b67a 100644 --- a/charts/backingservices/charts/srs/README.md +++ b/charts/backingservices/charts/srs/README.md 
@@ -43,8 +43,8 @@ You may enable the component of [Elasticsearch](https://github.com/helm/charts/t Note: Pega does **not** actively update the elasticsearch dependency in `requirements.yaml`. To leverage SRS, you must do one of the following: -* To use the internally-provided Elasticsearch service in the SRS cluster, use the default `srs.enabled.true` parameter and set the Elasticsearch version by updating the `elasticsearch.imageTag` parameter in the [values.yaml](./values.yaml) to match the `dependencies.version` parameter in the [requirements.yaml](../../requirements.yaml). -* To use an externally-provided Elasticsearch service with SRS, use the default `srs.enabled.true` parameter, update the `srs.srsStorage.provisionInternalESCluster` parameter in the [values.yaml](./values.yaml) to `false` and then provide connection details as documented below. +* To use the internally-provided Elasticsearch service in the SRS cluster, use the default `srs.enabled.true` parameter and set the Elasticsearch version by updating the `elasticsearch.imageTag` parameter in the [values.yaml](./values.yaml) to match the `dependencies.version` parameter in the [requirements.yaml](../../requirements.yaml). This method streamlines the deployment process for development and testing environments, but it is not suitable for production environments, which require a fully external Elasticsearch cluster. Additionally, even though you deploy SRS and Elasticsearch together, Pega does not license the Elasticsearch cluster deployed using this method and does not maintain it as part of the Pega Platform support. +* To use an externally-provided Elasticsearch service with SRS, use the default `srs.enabled.true` parameter, update the `srs.srsStorage.provisionInternalESCluster` parameter in the [values.yaml](./values.yaml) to `false` and then provide connection details as documented below. This is the recommended method and is suitable for production environments. 
### Deploying SRS with Pega-provided busybox images To deploy Pega Platform with the SRS backing service, the SRS helm chart requires the use of the busybox image. For clients who want to pull this image from a registry other than Docker Hub, they must tag and push their image to another registry, and then pull it by specifying `busybox.image` and `busybox.imagePullPolicy`. @@ -61,17 +61,15 @@ To deploy Pega Platform with the SRS backing service, the SRS helm chart require | `k8sProvider` | Specify your Kubernetes provider name. Supported values are [`eks`, `aks`, `minikube`, `gke`, `openshift`, `pks`].. ### Enabling security between SRS and Elasticsearch -To configure a secure connection between the SRS cluster and Elasticsearch, add the following the settings in your backingservices configuration file to reflect your organization's connectivity setup. +Enabling a secure connection between SRS and your Elasticsearch service depends on the method you chose to deploy the Elasticsearch cluster. +To configure a secure connection between the SRS cluster and internally provisioned Elasticsearch, configure the following parameters. | Configuration | Usage | |------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `tls` | Set to `true` to enable the SRS service to authenticate to your organization's available Elasticsearch service. | -| `srsStorage.provisionInternalESCluster` | | +| `srsStorage.provisionInternalESCluster` |
  1. Set the `srsStorage.provisionInternalESCluster` parameter to `true` to provide an internally managed and secured Elasticsearch cluster.
  2. In the [requirements.yaml](../../requirements.yaml) file, set the `dependencies.version` parameter to the same version you configured for the `elasticsearch.imageTag` version in the Backing Services Helm chart [values.yaml](../../values.yaml) file.
  3. From the Backing Services Helm chart directory in your environment, run the following command to create your Elasticsearch certificates and pass them to secrets:

    `$ make es-prerequisite NAMESPACE= ELASTICSEARCH_VERSION=`

    Where `NAMESPACE` references your deployment namespace of the SRS cluster and `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use in [values.yaml](../../values.yaml) and [requirements.yaml](../../requirements.yaml).

| -To connect to external elasticsearch below configuration needs to be made. -Certificates used by external elasticsearch need to be placed in an accessible location for make command to use. -eg: If certs are placed under /home/certs. Make command will look like this: -make external-es-secrets NAMESPACE=pegabackingservices ELASTICSEARCH_VERSION=7.10.2 PATH_TO_CERTIFICATE=/home/certs/truststore.jks +To configure a secure connection between SRS and an external Elasticsearch cluster, configure the following parameters. | Configuration | Usage | |-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
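Review bot: In the added step 3 of the internal-cluster table, the command `$ make es-prerequisite NAMESPACE= ELASTICSEARCH_VERSION=` has nothing after either equals sign, so a reader who copies it runs make with empty values. If angle-bracket placeholders were intended, escape them so they survive rendering inside the table cell, or add a filled-in example like the one given for `external-es-secrets`. Also, the unchanged `tls` row still describes authenticating to "your organization's available Elasticsearch service", which no longer fits under a lead-in about the internally provisioned cluster and should be reworded for that case.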
@@ -80,7 +78,7 @@ make external-es-secrets NAMESPACE=pegabackingservices ELASTICSEARCH_VERSION=7.1 | `certificatePassword` | Enter the tls certificate password if any. Default value will be empty if not used. | | `esCredentials.username` | Enter the username for your available Elasticsearch service. This username value must match the values you set in the connection info section of esCredentials. | | `esCredentials.password` | Enter the required password for your available Elasticsearch service. This password value must match the values you set in the connection info section of esCredentials. | -| `srsStorage.provisionInternalESCluster` | | +| `srsStorage.provisionInternalESCluster` |
  1. Set the `srsStorage.provisionInternalESCluster` parameter to `false` to disable the internally provisioned Elasticsearch cluster and connect to your available external Elasticsearch service.
  2. To secure the connection between SRS and your external Elasticsearch service, you must provide the appropriate TLS certificates in an accessible location, for example, /home/certs.
  3. To pass the required certificates to the cluster using a secrets file, run the following command:

    `$ make external-es-secrets NAMESPACE= ELASTICSEARCH_VERSION= PATH_TO_CERTIFICATE=`

    Where NAMESPACE references your deployment namespace of the SRS cluster, `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use, and `PATH_TO_CERTIFICATE` points to the location where you copied the required certificates on your location machine, for example:

    `$ make external-es-secrets NAMESPACE=pegabackingservices ELASTICSEARCH_VERSION=7.10.2 PATH_TO_CERTIFICATE=/home/certs/truststore.jks`

  4. To update the SRS and External Elasticsearch certificates, use the following command:

    `$ make update-external-es-secrets NAMESPACE= PATH_TO_CERTIFICATE=`

| | `domain` | Enter the DNS entry associated with your external Elasticsearch service. | Note: Only .p12 and .jks certificates are supported. @@ -180,4 +178,4 @@ To support SRS on Kubernetes version >=1.25 you need to use Elasticsearch server ``` 5. Verify that the Elasticsearch pods status is Running. 6. Restart the old SRS pods and verify that the status of the new pods is Running. -7. Verify all pods are running and working as expected. \ No newline at end of file +7. Verify all pods are running and working as expected. From 6fc9934bc80d655d06343279f4c6503262db793b Mon Sep 17 00:00:00 2001 From: Kinga Kowalska <120555574+kingakowalska1@users.noreply.github.com> Date: Wed, 13 Dec 2023 14:21:25 +0100 Subject: [PATCH 2/2] BUG-817356 - Clarified step for configuring External Secrets Operator (#679) BUG-817356 - Helm Charts issue #603 - ESO documentation misleading --- charts/pega/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pega/README.md b/charts/pega/README.md index f56f6c8d5..37982df11 100644 --- a/charts/pega/README.md +++ b/charts/pega/README.md 
@@ -102,7 +102,7 @@ To support this option, 2) Copy both files into the pega-helm-charts/charts/pega/templates directory of your local Helm repository. 3) Update your local Helm repository to the latest version using the command: - helm repo update pega https://pegasystems.github.io/pega-helm-charts -4) Update your values.yaml file to refer to the external secret manager for DB password. +4) Update the `external_secret_name` parameter in the values.yaml file to refer to the `spec.target.name` defined in the External Secret file you created in step 1. Update the parameter for each section where you want to use the External Secrets Operator. • Pass secrets directly to your deployment using your organization's recommend practices. Pega supports the providers listed under the [Provider tab]( https://external-secrets.io/v0.8.1) as long as your implementation meets the documented guidelines for a given provider.
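Review bot: The new step 4 ends with "Update the parameter for each section where you want to use the External Secrets Operator" but does not say which sections of values.yaml accept `external_secret_name`; list them or link to where they are documented. The step also points to "the External Secret file you created in step 1", while step 2 speaks of "both files", so name which of those files carries `spec.target.name`.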
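Review bot: In the `@@ -43,8 +43,8 @@` hunk of charts/backingservices/charts/srs/README.md, the warning that the internally provided Elasticsearch is not suitable for production and is neither licensed nor maintained by Pega sits at the end of an already long bullet, where it is easy to miss. Move it to its own "Note:" line beside the existing note above the list. Both rewritten bullets also keep `srs.enabled.true`, which reads as a key path; "set `srs.enabled` to `true`" would match how the second bullet describes setting `srs.srsStorage.provisionInternalESCluster` to `false`.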
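Review bot: In the `@@ -80,7 +78,7 @@` hunk of charts/backingservices/charts/srs/README.md, step 3 says "on your location machine", which should read "on your local machine", and `NAMESPACE` in the same sentence lacks the backticks used for `ELASTICSEARCH_VERSION` and `PATH_TO_CERTIFICATE`. Step 2 gives a directory, /home/certs, as the example location, while the example command passes a file, /home/certs/truststore.jks; state that `PATH_TO_CERTIFICATE` is the path to the certificate file itself. The commands in steps 3 and 4 also show empty values after each equals sign and need visible placeholders.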