Merge branch 'master' into fix/master/srs-support-securitycontext

.github/workflows/github-actions-stale.yml

@@ -0,0 +1,25 @@
+name: Mark stale issues and pull requests
+on:
+  schedule:
+    - cron: '0 23 * * *' # once a day at 11pm UTC time zone
+jobs:
+  stale:
+    permissions:
+      issues: write # for commenting on an issue and editing labels
+      pull-requests: write # for commenting on a PR and editing labels
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          # timing
+          days-before-stale: 60 # 60 days of inactivity
+          days-before-close: 30 # 30 more days of inactivity
+          # labels to watch for, add, and remove
+          only-labels: 'pending info' # only mark issues/PRs as stale if they have this label
+          labels-to-remove-when-unstale: 'pending info' # remove label when unstale -- should be manually added back if information is insufficient
+          # automated messages to issue/PR authors
+          stale-issue-message: 'This issue has been marked as stale because it has been open for 60 days with no activity. This issue will be automatically closed in 30 days if no further activity occurs.'
+          stale-pr-message: 'This pull request has been marked as stale because it has been open for 60 days with no activity. This pull request will be automatically closed in 30 days if no further activity occurs.'
+          close-issue-message: 'This issue was closed because it has been inactive for 30 days since being marked as stale.'
+          close-pr-message: 'This pull request was closed because it has been inactive for 30 days since being marked as stale.'

charts/addons/Chart.yaml

@@ -3,4 +3,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: addons
-version: "3.20.0"
+version: "3.23.0"

charts/backingservices/Chart.yaml

@@ -17,4 +17,4 @@ description: Helm Chart to provision the latest Search and Reporting Service (SR
 # The chart version: Pega provides this as a useful way to track changes you make to this chart.
 # As a best practice, you should increment the version number each time you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "3.20.0"
+version: "3.23.0"

charts/backingservices/charts/srs/README.md

@@ -37,7 +37,7 @@ The service deployment provisions runtime service pods along with a dependency o
         </tr>
         <tr>
             <td rowspan=4> >= 8.6 </td>
-            <td rowspan=4>1.29.1</td>
+            <td rowspan=4>1.31.2</td>
             <td rowspan=2>< 1.25</td>
             <td>Not enabled</td>
             <td>7.10.2, 7.16.3 & 7.17.9</td>
@@ -66,7 +66,7 @@ The service deployment provisions runtime service pods along with a dependency o
 
 ### If your deployment uses the internally-provisioned Elasticsearch: ###
 To migrate to Elasticsearch version 7.17.9 or 8.10.3 from the Elasticsearch version 7.10.2 or 7.16.3, perform the following steps:
-1. Update the SRS Docker image version to use v1.29.1. This version has backward compatibility with Elasticsearch versions 7.10.x and 7.16.x, so your SRS will continue to work even before you update your Elasticsearch service.
+1. Update the SRS Docker image version to use v1.31.2. This version has backward compatibility with Elasticsearch versions 7.10.x and 7.16.x, so your SRS will continue to work even before you update your Elasticsearch service.
 2. To update Elasticsearch version to 7.17.9 perform the following actions:
     * Update the Elasticsearch `dependencies.version` parameter in the [requirement.yaml](../../requirements.yaml) to 7.17.3.
 
@@ -81,7 +81,7 @@ To migrate to Elasticsearch version 7.17.9 or 8.10.3 from the Elasticsearch vers
 
 ### If your deployment connects to an externally-managed Elasticsearch service: ###
 To migrate to Elasticsearch version 7.17.9 or 8.10.3 from the Elasticsearch version 7.10.2 or 7.16.3, perform the following steps:
-1. Update the SRS Docker image version to use v1.29.1. This version has backward compatibility with Elasticsearch versions 7.10.x and 7.16.x, so your SRS will continue to work even before you update your Elasticsearch service.
+1. Update the SRS Docker image version to use v1.31.2. This version has backward compatibility with Elasticsearch versions 7.10.x and 7.16.x, so your SRS will continue to work even before you update your Elasticsearch service.
 2. To use Elasticsearch version 7.17.9, upgrade your external Elasticsearch cluster to 7.17.9 according to your organization’s best practices. For more information, see official Elasticsearch version 7.17 documentation.
 3. To use Elasticsearch version 8.10.3, upgrade your external Elasticsearch cluster to 8.10.3 according to your organization’s best practices. For more information, see official Elasticsearch version 8.10 documentation.
 4. Restart the SRS pods

charts/pega/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: pega
-version: "3.20.0"
+version: "3.23.0"
 description: Pega installation on kubernetes
 keywords:
 - pega

charts/pega/README.md

@@ -467,17 +467,31 @@ ingress:
 
 You can optionally configure the resource allocation and limits for a tier using the following parameters. The default value is used if you do not specify an alternative value. See [Managing Kubernetes Resources](https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/) for more information about how Kubernetes manages resources.
 
+Example:
+```yaml
+resources: 
+  requests:
+    memory: "12Gi"
+    cpu: 3
+    ephemeral-storage: 
+  limits:
+    memory: "12Gi"
+    cpu: 4
+    ephemeral-storage: 
+```
+
+
 Parameter                | Description                                            | Default value
 ---                      | ---                                                    | ---
 `replicas`               | Specify the number of Pods to deploy in the tier.      | `1`
-`cpuRequest`             | Initial CPU request for pods in the current tier.      | `3`
-`cpuLimit`               | CPU limit for pods in the current tier.                | `4`
-`memRequest`             | Initial memory request for pods in the current tier.   | `12Gi`
-`memLimit`               | Memory limit for pods in the current tier.             | `12Gi`
+`cpuRequest`             | Deprecated, use `resources.requests.cpu`. Initial CPU request for pods in the current tier.      | `3`
+`cpuLimit`               | Deprecated, use `resources.limits.cpu`. CPU limit for pods in the current tier.                | `4`
+`memRequest`             | Deprecated, use `resources.requests.memory`. Initial memory request for pods in the current tier.   | `12Gi`
+`memLimit`               | Deprecated, use `resources.limits.memory`. Memory limit for pods in the current tier.             | `12Gi`
 `initialHeap`            | Specify the initial heap size of the JVM.              | `8192m`
 `maxHeap`                | Specify the maximum heap size of the JVM.              | `8192m`
-`ephemeralStorageRequest`| Ephemeral storage request for the tomcat container.    | -
-`ephemeralStorageLimit`  | Ephemeral storage limit for the tomcat container.      | -
+`ephemeralStorageRequest`| Deprecated, use `resources.requests.ephemeral-storage`. Ephemeral storage request for the tomcat container.    | -
+`ephemeralStorageLimit`  | Deprecated, use `resources.limits.ephemeral-storage`. Ephemeral storage limit for the tomcat container.      | -
 
 ### JVM Arguments
 You can optionally pass in JVM arguments to Tomcat.  Depending on the parameter/attribute used, the arguments will be placed into `JAVA_OPTS` or `CATALINA_OPTS` environmental variables.
@@ -506,6 +520,25 @@ tier:
     disktype: ssd
 ```
 
+### Tolerations
+
+Pega supports configuring tolerations for workloads. Taints are applied to nodes and tolerations are applied to pods. For more information about taints and tolerations please refer official K8S [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
+
+Example:
+
+```yaml
+tier:
+- name: "my-tier"
+  nodeType: "WebUser"
+  
+  tolerations:
+  - key: "key1"
+    operator: "Equal"
+    value: "value1"
+    effect: "NoSchedule"
+  
+```
+
 ### Liveness, readiness, and startup probes
 
 Pega uses liveness, readiness, and startup probes to determine application health in your deployments. For an overview of these probes, see [Configure Liveness, Readiness and Startup Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/). Configure a probe for *liveness* to determine if a Pod has entered a broken state; configure it for *readiness* to determine if the application is available to be exposed; configure it for *startup* to determine if a pod is ready to be checked for liveness. You can configure probes independently for each tier. If not explicitly configured, default probes are used during the deployment. Set the following parameters as part of a `livenessProbe`, `readinessProbe`, or `startupProbe` configuration.

charts/pega/charts/installer/config/prlog4j2.xml

@@ -130,9 +130,6 @@
 	    <Logger name="com.pega.pegarules.engine.database.ImpExpLog" level="info">
 	    </Logger>
 
-		<Logger name="com.pega.pegarules.deploy.external.maintenance.MaintenanceDownloader" level="info">
-		</Logger>
-
 		<Logger name="com.hazelcast" additivity="false" level="info">
 			<AppenderRef ref="CLUSTER"/>
 		</Logger>

charts/pega/config/deploy/context.xml.tmpl

@@ -21,8 +21,7 @@
     minEvictableIdleTimeMillis="60000"
     />
 
-  {{ if or .Env.SET_RW .Env.JDBC_RW_URL }}
-    <Resource name="jdbc/PegaRULESLongRW"
+  <Resource name="jdbc/PegaRULESLongRW"
     auth="Container"
     type="javax.sql.DataSource"
     driverClassName="{{ .Env.JDBC_CLASS }}"
@@ -38,7 +37,6 @@
     timeBetweenEvictionRunsMillis="30000"
     minEvictableIdleTimeMillis="60000"
     />
-  {{ end }}
 
   {{ if and .Env.JDBC_RO_URL .Env.DB_RO_USERNAME .Env.DB_RO_PASSWORD }}
     <Resource name="jdbc/PegaRULESReadOnly"

charts/pega/templates/_helpers.tpl

@@ -361,6 +361,11 @@ true
 dnsConfig:
   searches:
   - {{ .Values.global.privateHostedZoneDomainName }}
+{{ if (.Values.global.serviceDNSPolicyNdots) }}
+  options:
+    - name: ndots
+      value: {{ .Values.global.serviceDNSPolicyNdots | quote }}
+  {{- end }}
 {{- end }}
 {{- end }}
 

charts/pega/templates/_pega-deployment.tpl

@@ -123,6 +123,10 @@ spec:
 {{- if .node.topologySpreadConstraints }}
       topologySpreadConstraints:
 {{ toYaml .node.topologySpreadConstraints | indent 8 }}
+{{- end }}
+{{- if .node.tolerations }}
+      tolerations:
+{{ toYaml .node.tolerations | indent 8 }}
 {{- end }}
       containers:
       # Name of the container
@@ -211,7 +215,11 @@ spec:
         - configMapRef:
             name: {{ template "pegaEnvironmentConfig" .root }}
         resources:
+{{- if .node.resources }}
+{{ toYaml .node.resources | indent 10 }}
+{{- else }}
           # Maximum CPU and Memory that the containers for {{ .name }} can use
+          # Resources are configured through deprecated settings. Use .tier[].resources instead
           limits:
           {{- if .node.cpuLimit }}
             cpu: "{{ .node.cpuLimit }}"
@@ -241,6 +249,7 @@ spec:
           {{- if .node.ephemeralStorageRequest }}
             ephemeral-storage: "{{ .node.ephemeralStorageRequest }}"
           {{- end }}
+          {{- end }}
         volumeMounts:
         # The given mountpath is mapped to volume with the specified name.  The config map files are mounted here.
         - name: {{ template "pegaVolumeConfig" }}

charts/pega/values-large.yaml

@@ -276,13 +276,29 @@ global:
       #  whenUnsatisfiable: <string>
       #  labelSelector: <object>
 
+      # Tolerations allow the scheduler to schedule pods with matching taints.
+      # For more information please refer https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
+      # If you want to apply tolerations to other tiers, please use the same configuration as described here.
+      # tolerations:
+      #  - key: "key1"
+      #    operator: "Equal"
+      #    value: "value1"
+      #    effect: "NoSchedule"
+
       # Set enabled to true to include a Pod Disruption Budget for this tier.
       # To enable this budget, specifiy either a pdb.minAvailable or pdb.maxUnavailable
       # value and comment out the other parameter.
       pdb:
         enabled: false
         minAvailable: 1
         # maxUnavailable: "50%"
+      resources:
+        requests:
+          memory: "12Gi"
+          cpu: 3
+        limits:
+          memory: "12Gi"
+          cpu: 4
 
     - name: "batch"
       # Create a background tier for batch processing.  This tier uses
@@ -319,6 +335,13 @@ global:
         enabled: false
         minAvailable: 1
         # maxUnavailable: "50%"
+      resources:
+        requests:
+          memory: "12Gi"
+          cpu: 3
+        limits:
+          memory: "12Gi"
+          cpu: 4
 
     - name: "stream"
       # Create a stream tier for queue processing.  This tier deploys
@@ -384,6 +407,13 @@ global:
         enabled: false
         minAvailable: 1
         # maxUnavailable: "50%"
+      resources:
+        requests:
+          memory: "12Gi"
+          cpu: 3
+        limits:
+          memory: "12Gi"
+          cpu: 4
 
     - name: "bix"
       # Create a background tier for BIX processing.  This tier uses
@@ -412,6 +442,13 @@ global:
         enabled: false
         minAvailable: 1
         # maxUnavailable: "50%"
+      resources:
+        requests:
+          memory: "12Gi"
+          cpu: 3
+        limits:
+          memory: "12Gi"
+          cpu: 4
 
     - name: "realtime"
       # Create a dedicated tier for real-time data grid processing.
@@ -439,6 +476,13 @@ global:
         enabled: false
         minAvailable: 1
         # maxUnavailable: "50%"
+      resources:
+        requests:
+          memory: "12Gi"
+          cpu: 3
+        limits:
+          memory: "12Gi"
+          cpu: 4
 
 # External services
 
@@ -648,8 +692,8 @@ stream:
   # so that it is easy to distinguish them from topics created by other applications.
   # Pega supports customizing the name pattern for your Externalized Kafka configuration for each deployment.
   streamNamePattern: "pega-{stream.name}"
-  # Your replicationFactor value cannot be more than the number of Kafka brokers and 3.
-  replicationFactor: "1"
+  # Your replicationFactor value cannot be more than the number of Kafka brokers. Pega recommended value is 3.
+  replicationFactor: "3"
   # To avoid exposing trustStorePassword, keyStorePassword, and jaasConfig parameters, leave the values empty and
   # configure them using an External Secrets Manager, making sure you configure the keys in the secret in the order:
   # STREAM_TRUSTSTORE_PASSWORD, STREAM_KEYSTORE_PASSWORD and STREAM_JAAS_CONFIG.

charts/pega/values-minimal.yaml

@@ -170,13 +170,16 @@ global:
 
       # Set resource consumption to minimal levels
       replicas: 1
-      cpuRequest: 200m
-      memRequest: "6Gi"
-      cpuLimit: 2
-      memLimit: "6Gi"
       javaOpts: ""
       initialHeap: "4096m"
       maxHeap: "4096m"
+      resources:
+        requests:
+          memory: "6Gi"
+          cpu: 200m
+        limits:
+          memory: "6Gi"
+          cpu: 2
       volumeClaimTemplate:
         resources:
           requests:
@@ -294,8 +297,8 @@ stream:
   # so that it is easy to distinguish them from topics created by other applications.
   # Pega supports customizing the name pattern for your Externalized Kafka configuration for each deployment.
   streamNamePattern: "pega-{stream.name}"
-  # Your replicationFactor value cannot be more than the number of Kafka brokers and 3.
-  replicationFactor: "1"
+  # Your replicationFactor value cannot be more than the number of Kafka brokers.Pega recommended value is 3.
+  replicationFactor: "3"
   # To avoid exposing trustStorePassword, keyStorePassword, and jaasConfig parameters, leave the values empty and
   # configure them using an External Secrets Manager, making sure you configure the keys in the secret in the order:
   # STREAM_TRUSTSTORE_PASSWORD, STREAM_KEYSTORE_PASSWORD and STREAM_JAAS_CONFIG.