pegasystems · Saurabh-16 · Dec 9, 2024 · Aug 8, 2024 · Aug 8, 2024 · Aug 9, 2024
@@ -0,0 +1,31 @@
+default: secrets
+
+NAMESPACE := <YOUR_NAMESPACE>
+CLUSTERING_SERVICE_IMAGE := <CLUSTERING_SERVICE_IMAGE>
+ENC_KEYSTORE_PASSWORD := <ENC_KEYSTORE_PASSWORD>
+ENC_TRUSTSTORE_PASSWORD := <ENC_TRUSTSTORE_PASSWORD>
+HIGHLY_SECURE_CRYPTO_MODE_ENABLED := <HIGHLY_SECURE_CRYPTO_MODE_ENABLED>
+ALIAS := myalias
+
+ifeq ($(HIGHLY_SECURE_CRYPTO_MODE_ENABLED), true)
+secrets:
+	docker run --name hazelcast-helm-charts-certs -i -w /tmp \
+    		$(CLUSTERING_SERVICE_IMAGE) \
+            		/bin/sh -c " \
+            		         ./certs.sh HIGHLY_SECURE_CRYPTO_MODE_ENABLED $(ENC_KEYSTORE_PASSWORD) cluster-keystore $(ENC_TRUSTSTORE_PASSWORD) cluster-truststore $(ALIAS)" &&\
+                             docker cp hazelcast-helm-charts-certs:/tmp/cluster-keystore.jks ./ &&\
+                             docker cp hazelcast-helm-charts-certs:/tmp/cluster-truststore.jks ./ &&\
+                             docker rm -f hazelcast-helm-charts-certs &&\
+                             kubectl create secret generic hz-encryption-secrets --from-literal=HZ_SSL_KEYSTORE_PASSWORD=$(ENC_KEYSTORE_PASSWORD) --from-literal=HZ_SSL_TRUSTSTORE_PASSWORD=$(ENC_TRUSTSTORE_PASSWORD) --from-file=cluster-keystore.jks --from-file=cluster-truststore.jks --namespace=$(NAMESPACE)
+else
+secrets:
+	docker run --name hazelcast-helm-charts-certs -i -w /tmp \
+    		$(CLUSTERING_SERVICE_IMAGE) \
+            		/bin/sh -c " \
+            		         ./certs.sh SSL_MODE_ENABLED $(ENC_KEYSTORE_PASSWORD) cluster-keystore $(ENC_TRUSTSTORE_PASSWORD) cluster-truststore $(ALIAS)" && \
+            		docker cp hazelcast-helm-charts-certs:/tmp/cluster-keystore.jks ./ &&\
+            		docker cp hazelcast-helm-charts-certs:/tmp/cluster-truststore.jks ./ &&\
+                    docker rm -f hazelcast-helm-charts-certs &&\
+                    kubectl create secret generic hz-encryption-secrets --from-literal=HZ_SSL_KEYSTORE_PASSWORD=$(ENC_KEYSTORE_PASSWORD) --from-literal=HZ_SSL_TRUSTSTORE_PASSWORD=$(ENC_TRUSTSTORE_PASSWORD) --from-file=cluster-keystore.jks --from-file=cluster-truststore.jks --namespace=$(NAMESPACE)
+
+endif
@@ -42,6 +42,17 @@ Example:
 ```yaml
 action: "deploy"
 ```
+
+## NIST SP 800-53 and NIST SP 800-131
+
+Set the `highlySecureCryptoModeEnabled` flag to `true` to comply with NIST SP 800-53 and NIST SP 800-131.
+
+For example:
+```yaml
+global:
+   highlySecureCryptoModeEnabled: true
+```
+
 ## Kerberos Configuration
 
 Use the `kerberos` section to configure Kerberos authentication for Decisioning data flows that fetch data from Kafka or HBase streams. For more information on Decisioning data flows that use Kerberos, see [Data Set types](https://docs.pega.com/bundle/platform/page/platform/decision-management/data-set-types.html).
@@ -1233,20 +1244,21 @@ Pega Infinity version   | Clustering Service version    |    Description
 The values.yaml provides configuration options to define the deployment of Hazelcast. Apart from the below parameters when `hazelcast.enabled` is set to `true`, additional parameters are required for client-server deployment which have been documented
 here: [Additional Parameters](charts/hazelcast/README.md)
 
-Parameter   | Description   | Default value
----         | ---           | ---
-`hazelcast.image` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. | `YOUR_HAZELCAST_IMAGE:TAG`
-`hazelcast.clusteringServiceImage` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. | `YOUR_CLUSTERING_SERVICE_IMAGE:TAG`
-`hazelcast.enabled` |  Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: To avoid an installation failure, you must set this value to `false` for Pega platform deployments using versions before 8.6. | `true`
-`hazelcast.clusteringServiceEnabled` |  Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: Set this value to `false` for Pega platform versions below 8.8; if not set the installation will fail. | `false`
-`hazelcast.migration.initiateMigration` |  Set to `true` after creating parallel cluster (new Hazelcast) to establish the connection with platform and migrate the data; Set to `false` during a deployment that removes an older Hazelcast cluster. | `false`
-`hazelcast.migration.migrationJobImage` | Reference the `platform/clustering-service-kubectl` Docker image to create the migration job to run the migration script. | `YOUR_MIGRATION_JOB_IMAGE:TAG`
-`hazelcast.migration.embeddedToCSMigration` |  Set to `true` while migrating the data from existing embedded Hazelcast deployment to the new c/s Hazelcast deployment. | `false`
-`hazelcast.replicas` | Number of initial members to join the Hazelcast cluster. | `3`
-`hazelcast.username` | Configures the username to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the username in Hazelcast cluster and your Pega nodes so authentication occurs automatically.  | `""`
-`hazelcast.password` | Configures the password to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the password credential in Hazelcast cluster and your Pega nodes so authentication occurs automatically.  | `""`
-`hazelcast.external_secret_name` | If you configured a secret in an external secrets operator, enter the secret name. For details, see [this section](#optional-support-for-providing-credentialscertificates-using-external-secrets-operator).  | `""`
-`hazelcast.affinity` | Configures policy to assign the pods to the nodes. See the official [Kubernetes Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  | `""`
+Parameter   | Description                                                                                                                                                                                                                                                                                                  | Default value
+---         |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ---
+`hazelcast.image` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access.                                                                                                                                                             | `YOUR_HAZELCAST_IMAGE:TAG`
+`hazelcast.clusteringServiceImage` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access.                                                                                                                                                             | `YOUR_CLUSTERING_SERVICE_IMAGE:TAG`
+`hazelcast.enabled` | Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: To avoid an installation failure, you must set this value to `false` for Pega platform deployments using versions before 8.6.                                                                  | `true`
+`hazelcast.clusteringServiceEnabled` | Set to `true` if client-server deployment of Pega Platform is required; otherwise leave set to `false`. Note: Set this value to `false` for Pega platform versions below 8.8; if not set the installation will fail.                                                                                         | `false`
+`hazelcast.encryption.enabled` | Set to `true` if SSL connection is required; otherwise leave set to `false`. Note: Set this value to `false` for Pega platform versions below 24.2; if not set the installation will fail, see [this section](#optional-enabling-encryption-of-traffic-between-pega-and-clusteringservice)                   | `false`
+`hazelcast.migration.initiateMigration` | Set to `true` after creating parallel cluster (new Hazelcast) to establish the connection with platform and migrate the data; Set to `false` during a deployment that removes an older Hazelcast cluster.                                                                                                    | `false`
+`hazelcast.migration.migrationJobImage` | Reference the `platform/clustering-service-kubectl` Docker image to create the migration job to run the migration script.                                                                                                                                                                                    | `YOUR_MIGRATION_JOB_IMAGE:TAG`
+`hazelcast.migration.embeddedToCSMigration` | Set to `true` while migrating the data from existing embedded Hazelcast deployment to the new c/s Hazelcast deployment.                                                                                                                                                                                      | `false`
+`hazelcast.replicas` | Number of initial members to join the Hazelcast cluster.                                                                                                                                                                                                                                                     | `3`
+`hazelcast.username` | Configures the username to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the username in Hazelcast cluster and your Pega nodes so authentication occurs automatically.            | `""`
+`hazelcast.password` | Configures the password to be used in a client-server Hazelcast model for authentication between the nodes in the Pega deployment and the nodes in the Hazelcast cluster. This parameter configures the password credential in Hazelcast cluster and your Pega nodes so authentication occurs automatically. | `""`
+`hazelcast.external_secret_name` | If you configured a secret in an external secrets operator, enter the secret name. For details, see [this section](#optional-support-for-providing-credentialscertificates-using-external-secrets-operator).                                                                                                 | `""`
+`hazelcast.affinity` | Configures policy to assign the pods to the nodes. See the official [Kubernetes Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).                                                                                                                                    | `""`
 
 #### Example
 ```yaml
@@ -1255,6 +1267,8 @@ hazelcast:
   clusteringServiceImage: "YOUR_CLUSTERING_SERVICE_IMAGE:TAG"
   enabled: true
   clusteringServiceEnabled: false
+  encryption:
+     enabled: false
   migration:
     initiateMigration: false
     migrationJobImage: "YOUR_MIGRATION_JOB_IMAGE:TAG"
@@ -1265,6 +1279,22 @@ hazelcast:
   external_secret_name: ""
 ```
 
+### (Optional) Enabling encryption of traffic between Pega and ClusteringService
+Run the make file in `charts/pega/Makefile` when encryption or HighlySecureCryptoMode is enabled to generate the certificates and mount it to the Hazelcast and Pega pods before Helm Install.
+
+Parameter   | Description                                               
+---         |------------------------------------------------------------
+`NAMESPACE` | Namespace where Pega and Hazelcast is going to be deployed.
+`CLUSTERING_SERVICE_IMAGE` | Reference the `platform/clustering-service` Docker image that you downloaded and pushed to your Docker registry that your deployment can access. 
+`ENC_KEYSTORE_PASSWORD` | Key store password.
+`ENC_TRUSTSTORE_PASSWORD` | Trust store password.
+`HIGHLY_SECURE_CRYPTO_MODE_ENABLED` |  Enable it for complying with NIST SP 800-53 and NIST SP 800-131.
+
+#### Example
+```
+make secrets NAMESPACE=pega CLUSTERING_SERVICE_IMAGE=cloudservices-docker-dev-local.bin.pega.io/platform/clustering-service:1.3.50 ENC_KEYSTORE_PASSWORD=mystorePwd ENC_TRUSTSTORE_PASSWORD=mystorePwd HIGHLY_SECURE_CRYPTO_MODE_ENABLED=true
+```
+
 ### Enabling encryption of traffic between Ingress/LoadBalancer and Pod
 
 Using Helm version `2.2.0`, Pega supports mounting and passing TLS certificates into the container to enable TLS between loadbalancer/ingress and pods during your Pega Platform deployment. Pega supports the keystore formats such as .jks, .keystore. To mount and pass your TLS certificates, use the `tls` section under `service` to specify the keystore content, the keystore password and the specified ports for https under 'web' tier in the `values.yaml` file using the format in the following example.

@@ -59,6 +59,8 @@ imagePullPolicy: "Always"
 replicas: 3
 enabled: true
 clusteringServiceEnabled: false
+encryption:
+  enabled: false
 migration:
   enabled: false
   migrationJobImage: "YOUR_MIGRATION_JOB_IMAGE:TAG"

@@ -29,6 +29,22 @@
  {{- end -}}
 {{- end }}
 
+{{- define "isEncryptionEnabled" }}
+  {{- if .Values.encryption.enabled  -}}
+   true
+  {{- else -}}
+   false
+  {{- end -}}
+{{- end -}}
+
+{{- define "isHighlySecureCryptoModeEnabled" }}
+  {{- if and ( .Values.encryption.enabled ) ( .Values.global.highlySecureCryptoModeEnabled) -}}
+   true
+  {{- else -}}
+   false
+  {{- end -}}
+{{- end -}}
+
 {{- define "hazelcastVolumeCredentials" }}hazelcast-volume-credentials{{- end }}
 
 {{- define "hazelcastVolumeTemplate" }}

@@ -37,6 +37,10 @@ spec:
           mountPath: "/opt/hazelcast/logs"
         - name: {{ template "hazelcastVolumeCredentials" }}
           mountPath: "/opt/hazelcast/secrets"
+      {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+        - name: hz-encryption-secrets
+          mountPath: "/opt/hazelcast/certs"
+      {{- end }}
         envFrom:
         - configMapRef:
             name: {{ template "clusteringServiceEnvironmentConfig" }}
@@ -57,20 +61,34 @@ spec:
           periodSeconds: 10
           httpGet:
             path: /hazelcast/health/ready
+         {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+            port: 8080
+         {{- else }}
             port: 5701
+         {{- end }}
         livenessProbe:
           initialDelaySeconds: 30
           periodSeconds: 10
           httpGet:
             path: /hazelcast/health/ready
+        {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+            port: 8080
+        {{- else }}
             port: 5701
+        {{- end }}
       restartPolicy: Always
       volumes:
       # Volume used to mount logs folder
       - name: logs
         emptyDir: {}
       # Volume used to mount secret files.
       {{- include "hazelcastVolumeTemplate" . | indent 6 }}
+  {{- if (eq (include "isEncryptionEnabled" .) "true") }}
+      - name: hz-encryption-secrets
+        secret:
+          defaultMode: 444
+          secretName: hz-encryption-secrets
+  {{- end }}
       imagePullSecrets:
 {{- include "imagePullSecrets" . | indent 6 }}
 {{- include "podAffinity" .Values | indent 6 }}

@@ -10,6 +10,14 @@ data:
   JAVA_OPTS: {{ .Values.server.java_opts | quote }}
   SERVICE_NAME: {{ template "clusteringServiceName" . }}-service
   MIN_CLUSTER_SIZE: {{ .Values.replicas | quote }}
+{{- if (eq (include "isEncryptionEnabled" .) "true") }}
+  ENCRYPTION_ENABLED: {{ true | quote }}
+  ENCRYPTION_KEYSTORE_NAME: "cluster-keystore.jks"
+  ENCRYPTION_TRUSTSTORE_NAME: "cluster-truststore.jks"
+{{- if (eq (include "isHighlySecureCryptoModeEnabled" .) "true") }}
+  HIGHLY_SECURE_CRYPTO_MODE_ENABLED: {{ true | quote }}
+{{- end }}
+{{- end }}
 {{- if .Values.server.jmx_enabled }}
   JMX_ENABLED: {{ .Values.server.jmx_enabled | quote }}
 {{- end }}

@@ -10,7 +10,9 @@ enabled: true
 # Setting below to true will deploy the Pega Platform in client-server Hazelcast model for version 8.8 and later.
 # Note: Make sure to set this value as "false" in case of Pega platform version before "8.8". If not set this will fail the installation.
 clusteringServiceEnabled: false
-
+# Setting below to true will enforce the SSL communication between Hazelcast and Pega Infinity.
+encryption:
+  enabled: false
 # Setting related to Hazelcast migration.
 migration:
   # Set to `true` to initiate the migration job.

@@ -507,6 +507,22 @@ servicePort: use-annotation
   {{- end -}}
 {{- end -}}
 
+{{- define "isHzEncryptionEnabled" }}
+  {{- if .Values.hazelcast.encryption.enabled -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
+
+{{- define "isHzHighlySecureCryptoModeEnabled" }}
+  {{- if and .Values.hazelcast.encryption.enabled  .Values.global.highlySecureCryptoModeEnabled -}}
+    true
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
+
 {{- define "pegaCredentialVolumeTemplate" }}
 - name: {{ template "pegaVolumeCredentials" }}
   projected:
@@ -529,5 +545,13 @@ servicePort: use-annotation
 
     - secret:
         name: {{ include "pega-diagnostic-secret-name" $}}
-
+  {{- if (eq (include "isHzEncryptionEnabled" .) "true") }}
+    - secret:
+        name: hz-encryption-secrets
+        items:
+          - key: HZ_SSL_KEYSTORE_PASSWORD
+            path: HZ_SSL_KEYSTORE_PASSWORD
+          - key: HZ_SSL_TRUSTSTORE_PASSWORD
+            path: HZ_SSL_TRUSTSTORE_PASSWORD
+  {{- end}}
 {{- end}}
@@ -77,6 +77,12 @@ spec:
           # Used to specify permissions on files within the volume.
           defaultMode: 420
 {{- include "pegaCredentialVolumeTemplate" .root | indent 6 }}
+{{- if (.root.Values.hazelcast.encryption.enabled) }}
+      - name: hz-encryption-secrets
+        secret:
+          defaultMode: 444
+          secretName: hz-encryption-secrets
+{{- end }}
 {{ if or (.root.Values.global.certificates) (.root.Values.global.certificatesSecrets) }}
 {{- include "pegaImportCertificatesTemplate" .root | indent 6 }}
 {{ end }}
@@ -289,6 +295,10 @@ spec:
         - name: {{ template "pegaKerberosConfig" }}-config
           mountPath: "/opt/pega/kerberos"
 {{- end }}
+{{- if (.root.Values.hazelcast.encryption.enabled) }}
+        - name: hz-encryption-secrets
+          mountPath: "/opt/hazelcast/certs"
+{{- end }}
 
         # LivenessProbe: indicates whether the container is live, i.e. running.
         livenessProbe:

@@ -179,6 +179,18 @@ data:
 {{- end }}
   # Hostname of Hazelcast server
   HZ_SERVER_HOSTNAME: {{ template "hzServiceName" . }}-service.{{ .Release.Namespace }}.svc.cluster.local
+{{ if (eq (include "isHzEncryptionEnabled" .) "true") }}
+  HZ_SSL_ENABLED: "true"
+  HZ_SSL_PROTOCOL: "TLS"
+  HZ_SSL_KEY_STORE_NAME: "cluster-keystore.jks"
+  HZ_SSL_TRUST_STORE_NAME: "cluster-truststore.jks"
+  {{ if (eq (include "isHzHighlySecureCryptoModeEnabled" .) "true") }}
+  HIGHLY_SECURE_CRYPTO_MODE_ENABLED: "true"
+  HZ_SSL_ALGO: "PKIX"
+  {{- else }}
+  HZ_SSL_ALGO: "SunX509"
+  {{- end }}
+{{- end }}
 {{- end }}
   # enable ssl verification for jdbc driver download
   ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: "{{ .Values.global.customArtifactory.enableSSLVerification }}"