From 68526fb7a3319e0af76919b367edbd4558411879 Mon Sep 17 00:00:00 2001 From: maracle6 <45719028+maracle6@users.noreply.github.com> Date: Tue, 12 Dec 2023 09:10:54 -0800 Subject: [PATCH 01/11] ISSUE-680 Fix OAuth Client Secret env variable --- charts/pega/templates/_pega-deployment.tpl | 2 +- ...-deployment-with-srs-auth-enabled-and-disabled_test.go | 8 ++++---- .../pega-environment-config-with-external-srs_test.go | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl index 974b1ca61..42a3f604e 100644 --- a/charts/pega/templates/_pega-deployment.tpl +++ b/charts/pega/templates/_pega-deployment.tpl @@ -188,7 +188,7 @@ spec: - name: MAX_RETRIES value: {{ include "tierClassloaderMaxRetries" (dict "failureThreshold" $livenessProbeFailureThreshold "periodSeconds" $livenessProbePeriodSeconds ) | quote }} {{- if and (.root.Values.pegasearch.externalSearchService) ((.root.Values.pegasearch.srsAuth).enabled) }} - - name: SERV_AUTH_PRIVATE_KEY + - name: SERV_AUTH_CLIENT_SECRET valueFrom: secretKeyRef: name: pega-srs-auth-secret diff --git a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go index 06507a821..a1ac354c4 100644 --- a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go +++ b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go 
@@ -93,8 +93,8 @@ func assertNoSRSAuthSettings(t *testing.T, pegaTierDeployment string) {
 UnmarshalK8SYaml(t, pegaTierDeployment, &deployment)
 for _, container := range deployment.Spec.Template.Spec.Containers {
 for _, envVar := range container.Env {
- if "SERV_AUTH_PRIVATE_KEY" == envVar.Name {
- require.Fail(t, "container '"+container.Name+"' should not have 'SERV_AUTH_PRIVATE_KEY' environment variable")
+ if "SERV_AUTH_CLIENT_SECRET" == envVar.Name {
+ require.Fail(t, "container '"+container.Name+"' should not have 'SERV_AUTH_CLIENT_SECRET' environment variable")
 }
 }
 }
@@ -106,12 +106,12 @@ func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string) {
 for _, container := range deployment.Spec.Template.Spec.Containers {
 hasPrivateKey := false
 for _, envVar := range container.Env {
- if "SERV_AUTH_PRIVATE_KEY" == envVar.Name {
+ if "SERV_AUTH_CLIENT_SECRET" == envVar.Name {
 require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
 require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
 hasPrivateKey = true
 }
 }
- require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_PRIVATE_KEY' environment variable")
+ require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_CLIENT_SECRET' environment variable")
 }
 }
diff --git a/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go b/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go
index b0c89b93a..355caf58b 100644
--- a/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go
+++ b/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go
@@ -190,7 +190,7 @@ func VerifyPegaWithoutExternalSRSEnvironmentConfig(t *testing.T, yamlContent str } func VerifyEnvConfigDataWithoutAuthVariables(t *testing.T, envConfigData map[string]string) { - authEnvironmentVariables := []string{"SERV_AUTH_URL", "SERV_AUTH_CLIENT_ID", "SERV_AUTH_SCOPES", "SERV_AUTH_PRIVATE_KEY_ALGORITHM", "SERV_AUTH_PRIVATE_KEY"} + authEnvironmentVariables := []string{"SERV_AUTH_URL", "SERV_AUTH_CLIENT_ID", "SERV_AUTH_SCOPES", "SERV_AUTH_PRIVATE_KEY_ALGORITHM", "SERV_AUTH_CLIENT_SECRET"} for _, authEnvironmentVariable := range authEnvironmentVariables { require.Emptyf(t, envConfigData[authEnvironmentVariable], "Environment variable '%s' should be empty", authEnvironmentVariable) } @@ -201,6 +201,6 @@ func VerifyEnvConfigDataWithAuthVariables(t *testing.T, envConfigData map[string require.Equal(t, "client-id", envConfigData["SERV_AUTH_CLIENT_ID"]) require.Equal(t, expectedScope, envConfigData["SERV_AUTH_SCOPES"]) require.Equal(t, expectedAlgorithm, envConfigData["SERV_AUTH_PRIVATE_KEY_ALGORITHM"]) - _, hasPrivateKey := envConfigData["SERV_AUTH_PRIVATE_KEY"] + _, hasPrivateKey := envConfigData["SERV_AUTH_CLIENT_SECRET"] require.False(t, hasPrivateKey) } From 4f1026e5baaac05189e6bbb01bd82268d767fbbc Mon Sep 17 00:00:00 2001 From: maracle6 <45719028+maracle6@users.noreply.github.com> Date: Thu, 14 Dec 2023 07:13:01 -0800 Subject: [PATCH 02/11] Add additional SERV_AUTH_CLIENT_SECRET variable --- charts/pega/templates/_pega-deployment.tpl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl index 42a3f604e..c719ab6dc 100644 --- a/charts/pega/templates/_pega-deployment.tpl +++ b/charts/pega/templates/_pega-deployment.tpl 
@@ -188,6 +188,11 @@ spec: - name: MAX_RETRIES value: {{ include "tierClassloaderMaxRetries" (dict "failureThreshold" $livenessProbeFailureThreshold "periodSeconds" $livenessProbePeriodSeconds ) | quote }} {{- if and (.root.Values.pegasearch.externalSearchService) ((.root.Values.pegasearch.srsAuth).enabled) }} + - name: SERV_AUTH_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: pega-srs-auth-secret + key: privateKey - name: SERV_AUTH_CLIENT_SECRET valueFrom: secretKeyRef: From 9302f1e5f613251a23735bf1e9c1c6c1efc5b1d9 Mon Sep 17 00:00:00 2001 From: maracle6 <45719028+maracle6@users.noreply.github.com> Date: Thu, 14 Dec 2023 07:47:55 -0800 Subject: [PATCH 03/11] Update terratest --- ...ment-with-srs-auth-enabled-and-disabled_test.go | 14 ++++++++++++-- ...ga-environment-config-with-external-srs_test.go | 6 ++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go index a1ac354c4..2047c728f 100644 --- a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go +++ b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go @@ -93,6 +93,9 @@ func assertNoSRSAuthSettings(t *testing.T, pegaTierDeployment string) { UnmarshalK8SYaml(t, pegaTierDeployment, &deployment) for _, container := range deployment.Spec.Template.Spec.Containers { for _, envVar := range container.Env { + if "SERV_AUTH_PRIVATE_KEY" == envVar.Name { + require.Fail(t, "container '"+container.Name+"' should not have 'SERV_AUTH_PRIVATE_KEY' environment variable") + } if "SERV_AUTH_CLIENT_SECRET" == envVar.Name { require.Fail(t, "container '"+container.Name+"' should not have 'SERV_AUTH_CLIENT_SECRET' environment variable") } 
@@ -105,13 +108,20 @@ func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string) {
 UnmarshalK8SYaml(t, pegaTierDeployment, &deployment)
 for _, container := range deployment.Spec.Template.Spec.Containers {
 hasPrivateKey := false
+ hasClientPrivateKey := false
 for _, envVar := range container.Env {
- if "SERV_AUTH_CLIENT_SECRET" == envVar.Name {
+ if "SERV_AUTH_PRIVATE_KEY" == envVar.Name {
 require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
 require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
 hasPrivateKey = true
 }
+ if "SERV_AUTH_CLIENT_SECRET" == envVar.Name {
+ require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
+ require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
+ hasClientPrivateKey = true
+ }
 }
- require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_CLIENT_SECRET' environment variable")
+ require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_PRIVATE_KEY' environment variable")
+ require.True(t, hasClientPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_CLIENT_SECRET' environment variable")
 }
 }
diff --git a/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go b/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go
index 355caf58b..51eec66a1 100644
--- a/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go
+++ b/terratest/src/test/pega/pega-environment-config-with-external-srs_test.go
@@ -190,7 +190,7 @@ func VerifyPegaWithoutExternalSRSEnvironmentConfig(t *testing.T, yamlContent str } func VerifyEnvConfigDataWithoutAuthVariables(t *testing.T, envConfigData map[string]string) { - authEnvironmentVariables := []string{"SERV_AUTH_URL", "SERV_AUTH_CLIENT_ID", "SERV_AUTH_SCOPES", "SERV_AUTH_PRIVATE_KEY_ALGORITHM", "SERV_AUTH_CLIENT_SECRET"} + authEnvironmentVariables := []string{"SERV_AUTH_URL", "SERV_AUTH_CLIENT_ID", "SERV_AUTH_SCOPES", "SERV_AUTH_PRIVATE_KEY_ALGORITHM", "SERV_AUTH_PRIVAYE_KEY", "SERV_AUTH_CLIENT_SECRET"} for _, authEnvironmentVariable := range authEnvironmentVariables { require.Emptyf(t, envConfigData[authEnvironmentVariable], "Environment variable '%s' should be empty", authEnvironmentVariable) } @@ -201,6 +201,8 @@ func VerifyEnvConfigDataWithAuthVariables(t *testing.T, envConfigData map[string require.Equal(t, "client-id", envConfigData["SERV_AUTH_CLIENT_ID"]) require.Equal(t, expectedScope, envConfigData["SERV_AUTH_SCOPES"]) require.Equal(t, expectedAlgorithm, envConfigData["SERV_AUTH_PRIVATE_KEY_ALGORITHM"]) - _, hasPrivateKey := envConfigData["SERV_AUTH_CLIENT_SECRET"] + _, hasPrivateKey := envConfigData["SERV_AUTH_PRIVATE_KEY"] require.False(t, hasPrivateKey) + _, hasClientPrivateKey := envConfigData["SERV_AUTH_CLIENT_SECRET"] + require.False(t, hasClientPrivateKey) } From 55271dee7c81fce4b640e7e07169cbf0ab5257b6 Mon Sep 17 00:00:00 2001 From: maracle6 <45719028+maracle6@users.noreply.github.com> Date: Mon, 18 Dec 2023 10:23:48 -0800 Subject: [PATCH 04/11] Support both privateKey and clientSecret for SRS auth --- charts/pega/README.md | 5 ++- charts/pega/templates/_helpers.tpl | 9 +++- charts/pega/templates/_pega-deployment.tpl | 4 ++ ...with-srs-auth-enabled-and-disabled_test.go | 43 +++++++++++-------- 4 files changed, 40 insertions(+), 21 deletions(-) diff --git a/charts/pega/README.md b/charts/pega/README.md index f56f6c8d5..4ea43509c 100644 --- a/charts/pega/README.md +++ b/charts/pega/README.md 
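Review bot: `"SERV_AUTH_PRIVAYE_KEY"` in the new `authEnvironmentVariables` slice is a typo, so `require.Emptyf` looks up a map key that can never exist and the assertion that `SERV_AUTH_PRIVATE_KEY` is absent from the environment ConfigMap always passes vacuously. None of the later patches in this series touch this file, so the misspelling survives to the end of the series. Change it to `"SERV_AUTH_PRIVATE_KEY"` so the check actually guards against the private key being rendered into a non-Secret ConfigMap. The closing brace of `VerifyEnvConfigDataWithoutAuthVariables` lies outside this hunk.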
@@ -830,10 +830,11 @@ To configure authorization for the connection between Pega Infinity and the Sear | Parameter | Description | Default value | |-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| | `enabled` | Set the `pegasearch.srsAuth.enabled` to 'true' to use OAuth between Infinity and SRS. | false | -| `url` | Set the `pegasearch.srsAuth.url` value to the URL of the OAuth service endpoint to get the token for SRS. | `""` | +| `url` | Set the `pegasearch.srsAuth.url` value to the URL of the OAuth token endpoint to get the token for SRS. | `""` | | `clientId` | Set the `pegasearch.srsAuth.clientId` value to the client id used in OAuth service. | `""` | | `scopes` | Set the `pegasearch.srsAuth.scopes` value to "pega.search:full", the scope set in the OAuth service required to grant access to SRS. | "pega.search:full" | -| `privateKey` | Set the `pegasearch.srsAuth,privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS. | `""` | +| `clientSecret` | Set the `pegasearch.srsAuth,privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS using basic authentication with the token endpoint. | `""` | +| `privateKey` | Set the `pegasearch.srsAuth,privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS using a JWT client assertion to authenticate with the token endpoint. | `""` | | `privateKeyAlgorithm` | Set the `pegasearch.srsAuth.privateKeyAlgorithm` value to the algorithm used to generate a private key used by the OAuth client. 
Allowed values: RS256 (default), RS384, RS512, ES256, ES384, ES512. | "RS256" | Example: diff --git a/charts/pega/templates/_helpers.tpl b/charts/pega/templates/_helpers.tpl index dfa3a714b..f817292de 100644 --- a/charts/pega/templates/_helpers.tpl +++ b/charts/pega/templates/_helpers.tpl @@ -368,10 +368,15 @@ dnsConfig: {{- define "srsAuthPrivateKey" -}} {{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) }} + {{ if not (or .Values.pegasearch.srsAuth.privateKey .Values.pegasearch.srsAuth.clientSecret) }} + {{- fail "A valid entry is required for pegasearch.srsAuth.clientSecret or pegasearch.srsAuth.privateKey, when request authentication mechanism (IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true." | quote}} + {{ else if and .Values.pegasearch.srsAuth.privateKey .Values.pegasearch.srsAuth.clientSecret }} + {{- fail "Set only one of pegasearch.srsAuth.privateKey or pegasearch.srsAuth.clientSecret" }} + {{ end }} {{- if (.Values.pegasearch.srsAuth).privateKey }} {{- .Values.pegasearch.srsAuth.privateKey | b64enc }} - {{- else }} - {{- fail "A valid entry is required for pegasearch.srsAuth.privateKey, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true." | quote}} + {{- else if .Values.pegasearch.srsAuth.clientSecret }} + {{- .Values.pegasearch.srsAuth.clientSecret | b64enc }} {{- end }} {{- end }} {{- end }} diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl index c719ab6dc..2eec0a7c6 100644 --- a/charts/pega/templates/_pega-deployment.tpl +++ b/charts/pega/templates/_pega-deployment.tpl 
@@ -188,16 +188,20 @@ spec: - name: MAX_RETRIES value: {{ include "tierClassloaderMaxRetries" (dict "failureThreshold" $livenessProbeFailureThreshold "periodSeconds" $livenessProbePeriodSeconds ) | quote }} {{- if and (.root.Values.pegasearch.externalSearchService) ((.root.Values.pegasearch.srsAuth).enabled) }} +{{- if .root.Values.pegasearch.srsAuth.privateKey }} - name: SERV_AUTH_PRIVATE_KEY valueFrom: secretKeyRef: name: pega-srs-auth-secret key: privateKey +{{- end }} +{{- if .root.Values.pegasearch.srsAuth.clientSecret }} - name: SERV_AUTH_CLIENT_SECRET valueFrom: secretKeyRef: name: pega-srs-auth-secret key: privateKey +{{- end }} {{- end }} envFrom: - configMapRef: diff --git a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go index 2047c728f..0f97baeeb 100644 --- a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go +++ b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go 
@@ -63,26 +63,28 @@ func TestPegaDeploymentWithSRSAuthDisabled(t *testing.T) { func TestPegaDeploymentWithSRSAuthEnabled(t *testing.T) { var supportedVendors = []string{"k8s", "eks", "gke", "aks"} var supportedOperations = []string{"deploy", "install-deploy"} + var supportedSrsAuthenticationKeys = []string{"privateKey", "clientSecret"} helmChartPath, err := filepath.Abs(PegaHelmChartPath) require.NoError(t, err) for _, vendor := range supportedVendors { for _, operation := range supportedOperations { - - var options = &helm.Options{ - SetValues: map[string]string{ - "global.provider": vendor, - "global.actions.execute": operation, - "pegasearch.externalSearchService": "true", - "pegasearch.srsAuth.enabled": "true", - "pegasearch.srsAuth.privateKey": SRSAuthPrivateKeyExample, - }, - } - deploymentYaml := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) - deployments := strings.Split(deploymentYaml, "---") - for _, deployment := range deployments { - assertHasSRSAuthSettings(t, deployment) + for _, key := range supportedSrsAuthenticationKeys { + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "pegasearch.externalSearchService": "true", + "pegasearch.srsAuth.enabled": "true", + "pegasearch.srsAuth." + key: SRSAuthPrivateKeyExample, + }, + } + deploymentYaml := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) + deployments := strings.Split(deploymentYaml, "---") + for _, deployment := range deployments { + assertHasSRSAuthSettings(t, deployment, key) + } } } } 
@@ -103,7 +105,7 @@ func assertNoSRSAuthSettings(t *testing.T, pegaTierDeployment string) { } } -func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string) { +func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string, authKey string) { var deployment appsv1.Deployment UnmarshalK8SYaml(t, pegaTierDeployment, &deployment) for _, container := range deployment.Spec.Template.Spec.Containers { @@ -121,7 +123,14 @@ func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string) { hasClientPrivateKey = true } } - require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_PRIVATE_KEY' environment variable") - require.True(t, hasClientPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_CLIENT_SECRET' environment variable") + if authKey == "privateKey" { + require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_PRIVATE_KEY' environment variable") + require.False(t, hasClientPrivateKey, "container '"+container.Name+"' should not have 'SERV_AUTH_CLIENT_SECRET' environment variable") + } + + if authKey == "clientSecret" { + require.True(t, hasClientPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_CLIENT_SECRET' environment variable") + require.False(t, hasPrivateKey, "container '"+container.Name+"' should not have 'SERV_AUTH_PRIVATE_KEY' environment variable") + } } } From 420f92c11acc5c6620a802aac798764a9310d2ef Mon Sep 17 00:00:00 2001 From: maracle6 <45719028+maracle6@users.noreply.github.com> Date: Mon, 18 Dec 2023 10:35:12 -0800 Subject: [PATCH 05/11] Support both privateKey and clientSecret for SRS auth --- terratest/src/test/pega/pega-srs-auth-secret_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terratest/src/test/pega/pega-srs-auth-secret_test.go b/terratest/src/test/pega/pega-srs-auth-secret_test.go index 7138e1be0..07bff85d4 100644 --- a/terratest/src/test/pega/pega-srs-auth-secret_test.go 
+++ b/terratest/src/test/pega/pega-srs-auth-secret_test.go @@ -89,8 +89,8 @@ func TestPegaSRSAuthSecretNotCreatedForMissingPrivateKey(t *testing.T) { } yamlContent, err := RenderTemplateE(t, options, helmChartPath, []string{"templates/pega-srs-auth-secret.yaml"}) - require.Contains(t, yamlContent, "A valid entry is required for pegasearch.srsAuth.privateKey, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true") - require.Contains(t, err.Error(), "A valid entry is required for pegasearch.srsAuth.privateKey, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true") + require.Contains(t, yamlContent, "A valid entry is required for pegasearch.srsAuth.clientSecret or pegasearch.srsAuth.privateKey, when request authentication mechanism (IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true.") + require.Contains(t, err.Error(), "A valid entry is required for pegasearch.srsAuth.clientSecret or pegasearch.srsAuth.privateKey, when request authentication mechanism (IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true.") } } } From d79a514b36037fc0b62c1846c78c5f84ba98e4d5 Mon Sep 17 00:00:00 2001 From: maracle6 <45719028+maracle6@users.noreply.github.com> Date: Wed, 20 Dec 2023 10:55:32 -0800 Subject: [PATCH 06/11] add authType property and support for external secrets --- charts/pega/README.md | 4 +- charts/pega/templates/_helpers.tpl | 25 ++++--- charts/pega/templates/_pega-deployment.tpl | 13 ++-- .../pega/templates/pega-srs-auth-secret.yaml | 2 +- ...with-srs-auth-enabled-and-disabled_test.go | 65 ++++++++++++------- .../test/pega/pega-srs-auth-secret_test.go | 34 +++++++++- 6 files changed, 96 insertions(+), 47 deletions(-) diff --git a/charts/pega/README.md b/charts/pega/README.md index 4ea43509c..f22bcfd69 100644 --- a/charts/pega/README.md +++ b/charts/pega/README.md 
@@ -833,8 +833,8 @@ To configure authorization for the connection between Pega Infinity and the Sear | `url` | Set the `pegasearch.srsAuth.url` value to the URL of the OAuth token endpoint to get the token for SRS. | `""` | | `clientId` | Set the `pegasearch.srsAuth.clientId` value to the client id used in OAuth service. | `""` | | `scopes` | Set the `pegasearch.srsAuth.scopes` value to "pega.search:full", the scope set in the OAuth service required to grant access to SRS. | "pega.search:full" | -| `clientSecret` | Set the `pegasearch.srsAuth,privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS using basic authentication with the token endpoint. | `""` | -| `privateKey` | Set the `pegasearch.srsAuth,privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS using a JWT client assertion to authenticate with the token endpoint. | `""` | +| `authType` | Set the `pegasearch.srsAuth.authType` value to to authentication type use when connecting to the OAuth token endpoint. Use client_secret_basic for basic authentication or private_key_jwt to use a client assertion JWT. | `""` | +| `privateKey` | Set the `pegasearch.srsAuth.privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS. | `""` | | `privateKeyAlgorithm` | Set the `pegasearch.srsAuth.privateKeyAlgorithm` value to the algorithm used to generate a private key used by the OAuth client. Allowed values: RS256 (default), RS384, RS512, ES256, ES384, ES512. | "RS256" | Example: diff --git a/charts/pega/templates/_helpers.tpl b/charts/pega/templates/_helpers.tpl index f817292de..235c7e198 100644 --- a/charts/pega/templates/_helpers.tpl +++ b/charts/pega/templates/_helpers.tpl 
@@ -368,16 +368,21 @@ dnsConfig: {{- define "srsAuthPrivateKey" -}} {{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) }} - {{ if not (or .Values.pegasearch.srsAuth.privateKey .Values.pegasearch.srsAuth.clientSecret) }} - {{- fail "A valid entry is required for pegasearch.srsAuth.clientSecret or pegasearch.srsAuth.privateKey, when request authentication mechanism (IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true." | quote}} - {{ else if and .Values.pegasearch.srsAuth.privateKey .Values.pegasearch.srsAuth.clientSecret }} - {{- fail "Set only one of pegasearch.srsAuth.privateKey or pegasearch.srsAuth.clientSecret" }} - {{ end }} - {{- if (.Values.pegasearch.srsAuth).privateKey }} - {{- .Values.pegasearch.srsAuth.privateKey | b64enc }} - {{- else if .Values.pegasearch.srsAuth.clientSecret }} - {{- .Values.pegasearch.srsAuth.clientSecret | b64enc }} - {{- end }} + {{- if (.Values.pegasearch.srsAuth).privateKey }} + {{- .Values.pegasearch.srsAuth.privateKey | b64enc }} + {{- else }} + {{- fail "A valid entry is required for pegasearch.srsAuth.privateKey or pegasearch.srsAuth.external_secret_name, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true." | quote}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "srsAuthEnvSecretFrom" }} +{{- if .Values.pegasearch.srsAuth.external_secret_name }} +name: {{ .Values.pegasearch.srsAuth.external_secret_name }} +key: SRS_OAUTH_PRIVATE_KEY +{{- else }} +name: pega-srs-auth-secret +key: privateKey {{- end }} {{- end }} diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl index 2eec0a7c6..d965c8358 100644 --- a/charts/pega/templates/_pega-deployment.tpl +++ b/charts/pega/templates/_pega-deployment.tpl 
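Review bot: `srsAuthEnvSecretFrom` hard-codes the key of an operator-supplied secret as `SRS_OAUTH_PRIVATE_KEY` regardless of `authType`, so in `client_secret_basic` mode the client secret must be stored under a key that says "private key", and neither this define nor the README row added in this series documents `external_secret_name` or the required key name. A comment on the define, `{{- /* an external secret must hold the credential (PKCS8 key or client secret, per authType) under the key SRS_OAUTH_PRIVATE_KEY */ -}}`, plus a README row for `external_secret_name`, would make that contract visible. When `external_secret_name` is set, an inline `pegasearch.srsAuth.privateKey` is silently ignored rather than rejected, which is how every external-secret case in the updated terratest matrix happens to be configured. Minor style: `external_secret_name` is snake_case while its siblings (`clientId`, `privateKey`, `authType`) are camelCase, and `| quote` after `fail` appears to have no effect since `fail` aborts rendering.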
@@ -188,19 +188,18 @@ spec: - name: MAX_RETRIES value: {{ include "tierClassloaderMaxRetries" (dict "failureThreshold" $livenessProbeFailureThreshold "periodSeconds" $livenessProbePeriodSeconds ) | quote }} {{- if and (.root.Values.pegasearch.externalSearchService) ((.root.Values.pegasearch.srsAuth).enabled) }} -{{- if .root.Values.pegasearch.srsAuth.privateKey }} +{{- if or (not .root.Values.pegasearch.srsAuth.authType) (eq .root.Values.pegasearch.srsAuth.authType "private_key_jwt") }} - name: SERV_AUTH_PRIVATE_KEY valueFrom: secretKeyRef: - name: pega-srs-auth-secret - key: privateKey -{{- end }} -{{- if .root.Values.pegasearch.srsAuth.clientSecret }} +{{- include "srsAuthEnvSecretFrom" .root | indent 14 }} +{{- else if eq .root.Values.pegasearch.srsAuth.authType "client_secret_basic" }} - name: SERV_AUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: pega-srs-auth-secret - key: privateKey +{{- include "srsAuthEnvSecretFrom" .root | indent 14 }} +{{- else }} + {{- fail "pegasearch.srsAuth.authType must be either private_key_jwt or client_secret_basic." }} {{- end }} {{- end }} envFrom: diff --git a/charts/pega/templates/pega-srs-auth-secret.yaml b/charts/pega/templates/pega-srs-auth-secret.yaml index 275638bec..2b11f9a45 100644 --- a/charts/pega/templates/pega-srs-auth-secret.yaml +++ b/charts/pega/templates/pega-srs-auth-secret.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) }} +{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not .Values.pegasearch.srsAuth.external_secret_name)}} # Secret for OAuth private key used to get an authorization token for Pega Infinity connection to Search and Reporting Service apiVersion: v1 kind: Secret diff --git a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go index 0f97baeeb..a21513659 100644 
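Review bot: An empty `pegasearch.srsAuth.authType` is treated as `private_key_jwt` by the `or (not ...) (eq ... "private_key_jwt")` guard, but the README row added in this series gives the default as `""` and never states that fallback; either default the value to `private_key_jwt` in values.yaml or document it. In `client_secret_basic` mode without an external secret, `SERV_AUTH_CLIENT_SECRET` is still sourced from the `privateKey` entry of `pega-srs-auth-secret`, which presumably means the operator supplies the client secret via `pegasearch.srsAuth.privateKey`, a value the README describes as a PKCS8 private key; a template comment such as `{{- /* client_secret_basic: the chart-managed secret's privateKey entry carries the client secret */ -}}` above that env entry, and a matching README note, would prevent misconfiguration. The `fail` on an unknown `authType` is a good addition. Style: `nindent 14` instead of `indent 14` would avoid the leading blank/trailing-space artifact produced by a define whose output starts with a newline, though the rendered YAML appears valid either way.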
--- a/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go +++ b/terratest/src/test/pega/pega-deployment-with-srs-auth-enabled-and-disabled_test.go @@ -10,7 +10,7 @@ import ( ) func TestPegaDeploymentWithSRSDisabled(t *testing.T) { - var supportedVendors = []string{"k8s", "eks", "gke", "aks"} + var supportedVendors = []string{"k8s", "eks", "gke", "aks", "pks", "openshift"} var supportedOperations = []string{"deploy", "install-deploy"} helmChartPath, err := filepath.Abs(PegaHelmChartPath) @@ -35,7 +35,7 @@ func TestPegaDeploymentWithSRSDisabled(t *testing.T) { } func TestPegaDeploymentWithSRSAuthDisabled(t *testing.T) { - var supportedVendors = []string{"k8s", "eks", "gke", "aks"} + var supportedVendors = []string{"k8s", "eks", "gke", "aks", "pks", "openshift"} var supportedOperations = []string{"deploy", "install-deploy"} helmChartPath, err := filepath.Abs(PegaHelmChartPath) 
@@ -61,29 +61,34 @@ func TestPegaDeploymentWithSRSAuthDisabled(t *testing.T) { } func TestPegaDeploymentWithSRSAuthEnabled(t *testing.T) { - var supportedVendors = []string{"k8s", "eks", "gke", "aks"} + var supportedVendors = []string{"k8s", "eks", "gke", "aks", "pks", "openshift"} var supportedOperations = []string{"deploy", "install-deploy"} - var supportedSrsAuthenticationKeys = []string{"privateKey", "clientSecret"} + var supportedSrsAuthTypes = []string{"", "private_key_jwt", "client_secret_basic"} + var supportedExternalSecrets = []string{"", "test-external-secret"} helmChartPath, err := filepath.Abs(PegaHelmChartPath) require.NoError(t, err) for _, vendor := range supportedVendors { for _, operation := range supportedOperations { - for _, key := range supportedSrsAuthenticationKeys { - var options = &helm.Options{ - SetValues: map[string]string{ - "global.provider": vendor, - "global.actions.execute": operation, - "pegasearch.externalSearchService": "true", - "pegasearch.srsAuth.enabled": "true", - "pegasearch.srsAuth." 
+ key: SRSAuthPrivateKeyExample, - }, - } - deploymentYaml := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) - deployments := strings.Split(deploymentYaml, "---") - for _, deployment := range deployments { - assertHasSRSAuthSettings(t, deployment, key) + for _, authType := range supportedSrsAuthTypes { + for _, externalSecret := range supportedExternalSecrets { + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "pegasearch.externalSearchService": "true", + "pegasearch.srsAuth.enabled": "true", + "pegasearch.srsAuth.privateKey": SRSAuthPrivateKeyExample, + "pegasearch.srsAuth.authType": authType, + "pegasearch.srsAuth.external_secret_name": externalSecret, + }, + } + deploymentYaml := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) + deployments := strings.Split(deploymentYaml, "---") + for _, deployment := range deployments { + assertHasSRSAuthSettings(t, deployment, authType, externalSecret) + } } } } @@ -105,7 +110,7 @@ func assertNoSRSAuthSettings(t *testing.T, pegaTierDeployment string) { } } -func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string, authKey string) { +func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string, authType string, externalSecret string) { var deployment appsv1.Deployment UnmarshalK8SYaml(t, pegaTierDeployment, &deployment) for _, container := range deployment.Spec.Template.Spec.Containers { 
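Review bot: The expanded matrix iterates only the three accepted `authType` values, so the new `fail "pegasearch.srsAuth.authType must be either private_key_jwt or client_secret_basic."` branch in `_pega-deployment.tpl` has no test; add a negative case that renders with e.g. `"pegasearch.srsAuth.authType": "client_secret_post"` through `RenderTemplateE` and asserts `require.Contains(t, err.Error(), "authType must be either")`. Every iteration also sets `pegasearch.srsAuth.privateKey`, including the `test-external-secret` cases, so the realistic external-secret deployment with no inline key is never rendered; a case with `privateKey` left empty and `external_secret_name` set would confirm the chart does not still demand the inline key. The function's closing lines fall outside this hunk.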
@@ -113,22 +118,32 @@ func assertHasSRSAuthSettings(t *testing.T, pegaTierDeployment string, authKey s
 hasClientPrivateKey := false
 for _, envVar := range container.Env {
 if "SERV_AUTH_PRIVATE_KEY" == envVar.Name {
- require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
- require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
+ if externalSecret == "" {
+ require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
+ require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
+ } else {
+ require.Equal(t, externalSecret, envVar.ValueFrom.SecretKeyRef.Name)
+ require.Equal(t, "SRS_OAUTH_PRIVATE_KEY", envVar.ValueFrom.SecretKeyRef.Key)
+ }
 hasPrivateKey = true
 }
 if "SERV_AUTH_CLIENT_SECRET" == envVar.Name {
- require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
- require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
+ if externalSecret == "" {
+ require.Equal(t, "pega-srs-auth-secret", envVar.ValueFrom.SecretKeyRef.Name)
+ require.Equal(t, "privateKey", envVar.ValueFrom.SecretKeyRef.Key)
+ } else {
+ require.Equal(t, externalSecret, envVar.ValueFrom.SecretKeyRef.Name)
+ require.Equal(t, "SRS_OAUTH_PRIVATE_KEY", envVar.ValueFrom.SecretKeyRef.Key)
+ }
 hasClientPrivateKey = true
 }
 }
- if authKey == "privateKey" {
+ if authType == "private_key_jwt" || authType == "" {
 require.True(t, hasPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_PRIVATE_KEY' environment variable")
 require.False(t, hasClientPrivateKey, "container '"+container.Name+"' should not have 'SERV_AUTH_CLIENT_SECRET' environment variable")
 }
- if authKey == "clientSecret" {
+ if authType == "client_secret_basic" {
 require.True(t, hasClientPrivateKey, "container '"+container.Name+"' should have 'SERV_AUTH_CLIENT_SECRET' environment variable")
 require.False(t, hasPrivateKey, "container '"+container.Name+"' should not have 'SERV_AUTH_PRIVATE_KEY' environment variable")
 }
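Review bot: The `SERV_AUTH_CLIENT_SECRET` branch asserts exactly the same secretKeyRef as the private-key branch (`privateKey` in `pega-srs-auth-secret`, or `SRS_OAUTH_PRIVATE_KEY` in the external secret), so for `client_secret_basic` the test pins the client secret to the private-key material rather than to a distinct client-secret entry. If that is the intended chart contract it belongs in the README's `external_secret_name` row; if it is not, this assertion locks the mapping in. The two identical if/else blocks could become one helper taking the env var and `externalSecret`, which would also give the mapping a single place to change, and `hasClientPrivateKey` would read better as `hasClientSecret`. assertHasSRSAuthSettings begins in the previous hunk and its tail is outside this one.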
diff --git a/terratest/src/test/pega/pega-srs-auth-secret_test.go b/terratest/src/test/pega/pega-srs-auth-secret_test.go
index 07bff85d4..9c935c506 100644
--- a/terratest/src/test/pega/pega-srs-auth-secret_test.go
+++ b/terratest/src/test/pega/pega-srs-auth-secret_test.go
@@ -89,8 +89,38 @@ func TestPegaSRSAuthSecretNotCreatedForMissingPrivateKey(t *testing.T) {
 }
 yamlContent, err := RenderTemplateE(t, options, helmChartPath, []string{"templates/pega-srs-auth-secret.yaml"})
- require.Contains(t, yamlContent, "A valid entry is required for pegasearch.srsAuth.clientSecret or pegasearch.srsAuth.privateKey, when request authentication mechanism (IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true.")
- require.Contains(t, err.Error(), "A valid entry is required for pegasearch.srsAuth.clientSecret or pegasearch.srsAuth.privateKey, when request authentication mechanism (IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true.")
+ require.Contains(t, yamlContent, "A valid entry is required for pegasearch.srsAuth.privateKey or pegasearch.srsAuth.external_secret_name, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true.")
+ require.Contains(t, err.Error(), "A valid entry is required for pegasearch.srsAuth.privateKey or pegasearch.srsAuth.external_secret_name, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true.")
+ }
+ }
+ }
+}
+
+func TestPegaSRSAuthSecretNotCreatedForDeploymentWithEnabledSRSAuthAndExternalSecret(t *testing.T) {
+ var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"}
+ var supportedOperations = []string{"install", "install-deploy"}
+ var deploymentNames = []string{"pega", "myapp-dev"}
+
+ helmChartPath, err := filepath.Abs(PegaHelmChartPath)
+ require.NoError(t, err)
+
+ for _, vendor := range supportedVendors {
+ for _, operation := range supportedOperations {
+ for _, depName := range deploymentNames {
+ fmt.Println(vendor + "-" + operation + "-" + depName)
+
+ var options = &helm.Options{
+ SetValues: map[string]string{
+ "global.deployment.name": depName,
+ "global.provider": vendor,
+ "pegasearch.externalSearchService": "true",
+ "pegasearch.srsAuth.enabled": "true",
+ "pegasearch.srsAuth.external_secret_name": "test-external-secret",
+ },
+ }
+
+ yamlContent, err := RenderTemplateE(t, options, helmChartPath, []string{"templates/pega-srs-auth-secret.yaml"})
+ VerifySRSAuthSecretIsNotCreated(t, yamlContent, err)
 }
 }
 }
From 4fcb06e1e8a848f41870fa4735c0286e24937b76 Mon Sep 17 00:00:00 2001
From: maracle6 <45719028+maracle6@users.noreply.github.com>
Date: Wed, 20 Dec 2023 13:43:07 -0800
Subject: [PATCH 07/11] external_secret_name default value
---
 charts/pega/templates/pega-srs-auth-secret.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/pega/templates/pega-srs-auth-secret.yaml b/charts/pega/templates/pega-srs-auth-secret.yaml
index 2b11f9a45..432c8f3f5 100644
--- a/charts/pega/templates/pega-srs-auth-secret.yaml
+++ b/charts/pega/templates/pega-srs-auth-secret.yaml
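Review bot: In the new `TestPegaSRSAuthSecretNotCreatedForDeploymentWithEnabledSRSAuthAndExternalSecret`, `operation` is used only in the `fmt.Println` call: the `SetValues` map never carries `"global.actions.execute": operation`, so the `supportedOperations` loop renders the identical chart twice per vendor and deployment name. Either add `"global.actions.execute": operation,` to the map, as the deployment test in this series does, or drop the loop. The `fmt.Println(vendor + "-" + operation + "-" + depName)` debug line should become `t.Log(...)` or be removed so test output stays quiet. The inner `yamlContent, err :=` shadows the `err` from `filepath.Abs`; harmless here, but the shadow analyzer will flag it.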
@@ -1,4 +1,4 @@
-{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not .Values.pegasearch.srsAuth.external_secret_name)}}
+{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not (default .Values.pegasearch.srsAuth.external_secret_name "")) }}
 # Secret for OAuth private key used to get an authorization token for Pega Infinity connection to Search and Reporting Service
 apiVersion: v1
 kind: Secret
From f0515d2e3b2894c0cc0b32fa20fa9983e4e021a0 Mon Sep 17 00:00:00 2001
From: maracle6 <45719028+maracle6@users.noreply.github.com>
Date: Wed, 20 Dec 2023 16:39:15 -0800
Subject: [PATCH 08/11] nil pointer fix
---
 charts/pega/templates/pega-srs-auth-secret.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/charts/pega/templates/pega-srs-auth-secret.yaml b/charts/pega/templates/pega-srs-auth-secret.yaml
index 432c8f3f5..1f2b322fd 100644
--- a/charts/pega/templates/pega-srs-auth-secret.yaml
+++ b/charts/pega/templates/pega-srs-auth-secret.yaml
@@ -1,4 +1,5 @@
-{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not (default .Values.pegasearch.srsAuth.external_secret_name "")) }}
+{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) }}
+{{- if not .Values.pegasearch.srsAuth.external_secret_name }}
 # Secret for OAuth private key used to get an authorization token for Pega Infinity connection to Search and Reporting Service
 apiVersion: v1
 kind: Secret
@@ -9,3 +10,4 @@ type: Opaque
 data:
 privateKey: {{ template "srsAuthPrivateKey" . }}
 {{- end }}
+{{- end }}
From b2dfdb2d0cd1191c3901079cb0b9bfe2eb602005 Mon Sep 17 00:00:00 2001
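Review bot: `default` takes the fallback as its first argument, so `(default .Values.pegasearch.srsAuth.external_secret_name "")` treats the values entry as the fallback for an always-empty second argument; the intended call is `(default "" .Values.pegasearch.srsAuth.external_secret_name)`. Even in that order the values path is still dereferenced, so the call would not prevent the nil-pointer error when `srsAuth` is absent, which is presumably why PATCH 08 and 09 in this series rework this line and PATCH 09 and 10 add `srsAuth` defaults to the values files instead. If a template-level guard is still wanted, the parenthesised form the line already uses for `.enabled`, `(not (.Values.pegasearch.srsAuth).external_secret_name)`, is the consistent spelling.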
From: maracle6 <45719028+maracle6@users.noreply.github.com>
Date: Wed, 20 Dec 2023 17:09:58 -0800
Subject: [PATCH 09/11] nil pointer fix
---
 charts/pega/templates/pega-srs-auth-secret.yaml | 4 +---
 charts/pega/values-large.yaml | 10 +++++++++-
 charts/pega/values-minimal.yaml | 10 +++++++++-
 charts/pega/values.yaml | 10 +++++++++-
 4 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/charts/pega/templates/pega-srs-auth-secret.yaml b/charts/pega/templates/pega-srs-auth-secret.yaml
index 1f2b322fd..2b11f9a45 100644
--- a/charts/pega/templates/pega-srs-auth-secret.yaml
+++ b/charts/pega/templates/pega-srs-auth-secret.yaml
@@ -1,5 +1,4 @@
-{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) }}
-{{- if not .Values.pegasearch.srsAuth.external_secret_name }}
+{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not .Values.pegasearch.srsAuth.external_secret_name)}}
 # Secret for OAuth private key used to get an authorization token for Pega Infinity connection to Search and Reporting Service
 apiVersion: v1
 kind: Secret
@@ -10,4 +9,3 @@ type: Opaque
 data:
 privateKey: {{ template "srsAuthPrivateKey" . }}
 {{- end }}
-{{- end }}
diff --git a/charts/pega/values-large.yaml b/charts/pega/values-large.yaml
index 49dcddf82..fa6aec2a6 100644
--- a/charts/pega/values-large.yaml
+++ b/charts/pega/values-large.yaml
@@ -401,11 +401,19 @@ dds:
 # Elasticsearch deployment settings.
 # Note: This Elasticsearch deployment is used for Pega search, and is not the same Elasticsearch deployment used by the EFK stack.
 # These search nodes will be deployed regardless of the Elasticsearch configuration above.
-# Refer to README document to configure `Search and Reporting Service` as a search functionality provider under this section.
 pegasearch:
 image: "pegasystems/search"
 memLimit: "3Gi"
+ # Set externalSearchService to true to use the Search and Reporting Service.
+ # Refer to the README document to configure SRS as a search functionality provider under this section.
+ externalSearchService: false
+ externalURL:
+ srsAuth:
+ enabled: false
+ privateKey: ""
+ external_secret_name: ""
+
 # Pega Installer settings
 installer:
 image: "YOUR_INSTALLER_IMAGE:TAG"
diff --git a/charts/pega/values-minimal.yaml b/charts/pega/values-minimal.yaml
index af6b8e50b..cad59c75c 100755
--- a/charts/pega/values-minimal.yaml
+++ b/charts/pega/values-minimal.yaml
@@ -204,11 +204,19 @@ dds:
 # Elasticsearch deployment settings.
 # Note: This Elasticsearch deployment is used for Pega search, and is not the same Elasticsearch deployment used by the EFK stack.
 # These search nodes will be deployed regardless of the Elasticsearch configuration above.
-# Refer to README document to configure `Search and Reporting Service` as a search functionality provider under this section.
 pegasearch:
 image: "pegasystems/search"
 memLimit: "3Gi"
+ # Set externalSearchService to true to use the Search and Reporting Service.
+ # Refer to the README document to configure SRS as a search functionality provider under this section.
+ externalSearchService: false
+ externalURL:
+ srsAuth:
+ enabled: false
+ privateKey: ""
+ external_secret_name: ""
+
 # Pega Installer settings
 installer:
 image: "YOUR_INSTALLER_IMAGE:TAG"
diff --git a/charts/pega/values.yaml b/charts/pega/values.yaml
index 83c9cdf5b..f05fc6dad 100644
--- a/charts/pega/values.yaml
+++ b/charts/pega/values.yaml
@@ -447,12 +447,20 @@ dds:
 # Elasticsearch deployment settings.
 # Note: This Elasticsearch deployment is used for Pega search, and is not the same Elasticsearch deployment used by the EFK stack.
 # These search nodes will be deployed regardless of the Elasticsearch configuration above.
-# Refer to README document to configure `Search and Reporting Service` as a search functionality provider under this section.
 pegasearch:
 image: "pegasystems/search"
 memLimit: "3Gi"
 replicas: 1
+ # Set externalSearchService to true to use the Search and Reporting Service.
+ # Refer to the README document to configure SRS as a search functionality provider under this section.
+ externalSearchService: false
+ externalURL:
+ srsAuth:
+ enabled: false
+ privateKey: ""
+ external_secret_name: ""
+
 # Pega Installer settings.
 installer:
 image: "YOUR_INSTALLER_IMAGE:TAG"
From cffb46d4c5279b1438a003d28006c450c2b8770e Mon Sep 17 00:00:00 2001
From: maracle6 <45719028+maracle6@users.noreply.github.com>
Date: Wed, 20 Dec 2023 17:18:56 -0800
Subject: [PATCH 10/11] nil pointer fix
---
 charts/pega/values-large.yaml | 1 +
 charts/pega/values-minimal.yaml | 1 +
 charts/pega/values.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/charts/pega/values-large.yaml b/charts/pega/values-large.yaml
index fa6aec2a6..86e0db1d7 100644
--- a/charts/pega/values-large.yaml
+++ b/charts/pega/values-large.yaml
@@ -411,6 +411,7 @@ pegasearch:
 externalURL:
 srsAuth:
 enabled: false
+ authType: ""
 privateKey: ""
 external_secret_name: ""
diff --git a/charts/pega/values-minimal.yaml b/charts/pega/values-minimal.yaml
index cad59c75c..99a62940c 100755
--- a/charts/pega/values-minimal.yaml
+++ b/charts/pega/values-minimal.yaml
@@ -214,6 +214,7 @@ pegasearch:
 externalURL:
 srsAuth:
 enabled: false
+ authType: ""
 privateKey: ""
 external_secret_name: ""
diff --git a/charts/pega/values.yaml b/charts/pega/values.yaml
index f05fc6dad..449e15d87 100644
--- a/charts/pega/values.yaml
+++ b/charts/pega/values.yaml
@@ -458,6 +458,7 @@ pegasearch:
 externalURL:
 srsAuth:
 enabled: false
+ authType: ""
 privateKey: ""
 external_secret_name: ""
From 1cbc38eb37a08d38d102e4eba5b1efc80a47c997 Mon Sep 17 00:00:00 2001
From: maracle6 <45719028+maracle6@users.noreply.github.com>
Date: Wed, 20 Dec 2023 22:37:55 -0800
Subject: [PATCH 11/11] Improved README and formatting
---
 charts/pega/README.md | 6 ++++--
 charts/pega/templates/_helpers.tpl | 10 +++++-----
 charts/pega/templates/pega-srs-auth-secret.yaml | 2 +-
 charts/pega/values-large.yaml | 2 ++
 charts/pega/values-minimal.yaml | 2 ++
 charts/pega/values.yaml | 2 ++
 6 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/charts/pega/README.md b/charts/pega/README.md
index f22bcfd69..f9ed061aa 100644
--- a/charts/pega/README.md
+++ b/charts/pega/README.md
@@ -833,8 +833,9 @@ To configure authorization for the connection between Pega Infinity and the Sear
 | `url` | Set the `pegasearch.srsAuth.url` value to the URL of the OAuth token endpoint to get the token for SRS. | `""` |
 | `clientId` | Set the `pegasearch.srsAuth.clientId` value to the client id used in OAuth service. | `""` |
 | `scopes` | Set the `pegasearch.srsAuth.scopes` value to "pega.search:full", the scope set in the OAuth service required to grant access to SRS. | "pega.search:full" |
-| `authType` | Set the `pegasearch.srsAuth.authType` value to to authentication type use when connecting to the OAuth token endpoint. Use client_secret_basic for basic authentication or private_key_jwt to use a client assertion JWT. | `""` |
-| `privateKey` | Set the `pegasearch.srsAuth.privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS. | `""` |
+| `authType` | Set the `pegasearch.srsAuth.authType` value to to authentication type use when connecting to the OAuth token endpoint. Use client_secret_basic for basic authentication or private_key_jwt to use a client assertion JWT. | `""` |
+| `external_secret_name`| Set the `pegasearch.srsAuth.external_secret_name` value to the secret that contains the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS. The private key should be contained in the secret key SRS_OAUTH_PRIVATE_KEY. | `""` |
+| `privateKey` | When not using an external secret, set the `pegasearch.srsAuth.privateKey` value to the OAuth private PKCS8 key (additionally encoded with base64) used to get an authorization token for the connection between Pega tiers and SRS. | `""` |
 | `privateKeyAlgorithm` | Set the `pegasearch.srsAuth.privateKeyAlgorithm` value to the algorithm used to generate a private key used by the OAuth client. Allowed values: RS256 (default), RS384, RS512, ES256, ES384, ES512. | "RS256" |
 Example:
@@ -847,6 +848,7 @@ pegasearch:
 enabled: true
 url: "https:/your-authorization-service-host/oauth2/v1/token"
 clientId: "your-client-id"
+ authType: client_secret_basic
 scopes: "pega.search:full"
 privateKey: "LS0tLS1CRUdJTiBSU0Eg..."
 privateKeyAlgorithm: "RS256"
diff --git a/charts/pega/templates/_helpers.tpl b/charts/pega/templates/_helpers.tpl
index 235c7e198..88f884b25 100644
--- a/charts/pega/templates/_helpers.tpl
+++ b/charts/pega/templates/_helpers.tpl
@@ -368,11 +368,11 @@ dnsConfig:
 {{- define "srsAuthPrivateKey" -}}
 {{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) }}
- {{- if (.Values.pegasearch.srsAuth).privateKey }}
- {{- .Values.pegasearch.srsAuth.privateKey | b64enc }}
- {{- else }}
- {{- fail "A valid entry is required for pegasearch.srsAuth.privateKey or pegasearch.srsAuth.external_secret_name, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true." | quote}}
- {{- end }}
+ {{- if (.Values.pegasearch.srsAuth).privateKey }}
+ {{- .Values.pegasearch.srsAuth.privateKey | b64enc }}
+ {{- else }}
+ {{- fail "A valid entry is required for pegasearch.srsAuth.privateKey or pegasearch.srsAuth.external_secret_name, when request authentication mechanism(IDP) is enabled between SRS and Pega Infinity i.e. pegasearch.srsAuth.enabled is true." | quote }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/pega/templates/pega-srs-auth-secret.yaml b/charts/pega/templates/pega-srs-auth-secret.yaml
index 2b11f9a45..5e5b9080a 100644
--- a/charts/pega/templates/pega-srs-auth-secret.yaml
+++ b/charts/pega/templates/pega-srs-auth-secret.yaml
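Review bot: The new `authType` row carries "value to to authentication type use when connecting" over from the removed line; `value to the authentication type to use when connecting` reads correctly. The `external_secret_name` row describes only the private key, yet the deployment test in this series expects `SERV_AUTH_CLIENT_SECRET` to be read from the same `SRS_OAUTH_PRIVATE_KEY` entry when `authType` is `client_secret_basic`, so the row should state what the external secret must contain in that mode, and that setting it stops the chart from creating `pega-srs-auth-secret` and makes `privateKey` unnecessary. The example below adds `authType: client_secret_basic` while still listing `privateKey` and `privateKeyAlgorithm`, the private_key_jwt inputs; one coherent configuration, or a second example, would avoid the mix. Pointing readers to `external_secret_name` rather than an inline `privateKey` also keeps key material out of committed values files.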
@@ -1,4 +1,4 @@
-{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not .Values.pegasearch.srsAuth.external_secret_name)}}
+{{- if and (.Values.pegasearch.externalSearchService) ((.Values.pegasearch.srsAuth).enabled) (not .Values.pegasearch.srsAuth.external_secret_name) }}
 # Secret for OAuth private key used to get an authorization token for Pega Infinity connection to Search and Reporting Service
 apiVersion: v1
 kind: Secret
diff --git a/charts/pega/values-large.yaml b/charts/pega/values-large.yaml
index 86e0db1d7..195847370 100644
--- a/charts/pega/values-large.yaml
+++ b/charts/pega/values-large.yaml
@@ -411,6 +411,8 @@ pegasearch:
 externalURL:
 srsAuth:
 enabled: false
+ url: ""
+ clientId: ""
 authType: ""
 privateKey: ""
 external_secret_name: ""
diff --git a/charts/pega/values-minimal.yaml b/charts/pega/values-minimal.yaml
index 99a62940c..ac8d5a849 100755
--- a/charts/pega/values-minimal.yaml
+++ b/charts/pega/values-minimal.yaml
@@ -214,6 +214,8 @@ pegasearch:
 externalURL:
 srsAuth:
 enabled: false
+ url: ""
+ clientId: ""
 authType: ""
 privateKey: ""
 external_secret_name: ""
diff --git a/charts/pega/values.yaml b/charts/pega/values.yaml
index 449e15d87..7ffa81d36 100644
--- a/charts/pega/values.yaml
+++ b/charts/pega/values.yaml
@@ -458,6 +458,8 @@ pegasearch:
 externalURL:
 srsAuth:
 enabled: false
+ url: ""
+ clientId: ""
 authType: ""
 privateKey: ""
 external_secret_name: ""