US 642597: Add FIPS flag for pega infinity #858

Open
wants to merge 7 commits into
base: master
from
10 changes: 9 additions & 1 deletion charts/pega/templates/_helpers.tpl
Expand Up @@ -531,6 +531,14 @@ servicePort: use-annotation
{{- end -}}
{{- end -}}

{{- define "isPegaHighlySecureCryptoModeEnabled" }}
{{- if .Values.global.highlySecureCryptoModeEnabled -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}

{{- define "pegaCredentialVolumeTemplate" }}
- name: {{ template "pegaVolumeCredentials" }}
projected:
Expand Down Expand Up @@ -562,4 +570,4 @@ servicePort: use-annotation
- key: HZ_SSL_TRUSTSTORE_PASSWORD
path: HZ_SSL_TRUSTSTORE_PASSWORD
{{- end}}
{{- end}}
{{- end}}
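Review bot: The new `isPegaHighlySecureCryptoModeEnabled` helper relies on Go-template truthiness of `.Values.global.highlySecureCryptoModeEnabled`, so a quoted `highlySecureCryptoModeEnabled: "false"` in a values file is a non-empty string and turns the mode on, while an absent key silently resolves to off. Because this flag selects the deployment's crypto posture, make the comparison explicit: `{{- if eq (toString .Values.global.highlySecureCryptoModeEnabled) "true" -}}`. The default also depends on a `values.yaml` entry that is not part of this diff; a comment above the define such as `{{/* renders "true" only when global.highlySecureCryptoModeEnabled is boolean true; unset means off */}}` would document the opt-in contract. The existing `isHzHighlySecureCryptoModeEnabled` helper referenced from pega-environment-config.yaml presumably has the same shape and would want the same treatment.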
5 changes: 4 additions & 1 deletion charts/pega/templates/pega-environment-config.yaml
Expand Up @@ -185,12 +185,15 @@ data:
HZ_SSL_KEY_STORE_NAME: "cluster-keystore.jks"
HZ_SSL_TRUST_STORE_NAME: "cluster-truststore.jks"
{{ if (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }}
HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
HZ_SSL_ALGO: "PKIX"
{{- else }}
HZ_SSL_ALGO: "SunX509"
{{- end }}
{{- end }}
{{- end }}

{{ if (eq (include "isPegaHighlySecureCryptoModeEnabled" .) "true") }}
Can we cover this functionality with a Go test in the terratest module?

HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
{{- end }}
# enable ssl verification for jdbc driver download
ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: "{{ .Values.global.customArtifactory.enableSSLVerification }}"
Expand Down
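Review bot: `HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"` appears both inside the Hazelcast branch (the line after the `isHzHighlySecureCryptoModeEnabled` check) and in the new `isPegaHighlySecureCryptoModeEnabled` block; the rendered view does not show which single line this hunk deletes, but if the Hazelcast copy survives on the new side, enabling both flags emits the same ConfigMap key twice and which value wins is left to the YAML parser. If either flag is meant to turn the mode on, fold it into one guarded entry, `{{ if or (eq (include "isPegaHighlySecureCryptoModeEnabled" .) "true") (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }}`, and otherwise drop the Hazelcast-branch copy. The `data:` map this hunk edits begins above the hunk. Nothing in this diff shows what consumes the variable, so a comment above the new block naming the component that enforces the hardened/FIPS crypto mode when it sees `HIGHLY_SECURE_CRYPTO_MODE_ENABLED` would help reviewers judge the change.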
32 changes: 32 additions & 0 deletions terratest/src/test/pega/pega-environment-config_test.go
Expand Up @@ -77,6 +77,38 @@ func TestPegaEnvironmentConfigJDBCTimeouts(t *testing.T) {
VerifyEnvValue(t, yamlContent, "JDBC_TIMEOUT_PROPERTIES_RO", "socketTimeout=150;")
}

func TestPegaHighlySecureCryptoModeEnabledEnvConfigParam(t *testing.T) {
var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"}
var supportedOperations = []string{"deploy", "install-deploy"}

helmChartPath, err := filepath.Abs(PegaHelmChartPath)
require.NoError(t, err)

for _, vendor := range supportedVendors {

for _, operation := range supportedOperations {

fmt.Println(vendor + "-" + operation)

var options = &helm.Options{
SetValues: map[string]string{
"global.provider": vendor,
"global.actions.execute": operation,
"global.highlySecureCryptoModeEnabled": "false",
},
}

yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"})
VerifyEnvNotPresent(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED")

options.SetValues["global.highlySecureCryptoModeEnabled"] = "true"
yamlContent = RenderTemplate(t, options, helmChartPath, []string{"templates/pega-environment-config.yaml"})
VerifyEnvValue(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED", "true")

}
}
}

func VerifyEnvNotPresent(t *testing.T, yamlContent string, entry string) {
var envConfigMap k8score.ConfigMap
UnmarshalK8SYaml(t, yamlContent, &envConfigMap)
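Review bot: `TestPegaHighlySecureCryptoModeEnabledEnvConfigParam` only exercises explicit `"false"` and `"true"` settings, so the chart's behaviour when `global.highlySecureCryptoModeEnabled` is absent from the values file (the `values.yaml` change is not in this diff) is never asserted. Since this flag is the opt-in for hardened crypto, pin the default with a third render that omits the key: `delete(options.SetValues, "global.highlySecureCryptoModeEnabled")`, re-render with `RenderTemplate`, then `VerifyEnvNotPresent(t, yamlContent, "HIGHLY_SECURE_CRYPTO_MODE_ENABLED")`. The `fmt.Println(vendor + "-" + operation)` at the top of the loop should become `t.Log`, or better each combination wrapped in `t.Run(vendor+"-"+operation, func(t *testing.T) { ... })` so a failure names the case. `VerifyEnvNotPresent` continues past the end of the hunk, so its handling of a missing key cannot be checked here.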