Added Support for downloading JDBC driver from an artifactory which is secured with authentication (#411)

* Added Support for authentication either through basic authentication or API key for downloading JDBC driver

* Added support for custom artifactory ssl verification and updated docs
Heshma authored May 9, 2022
1 parent 4b256e8 commit 2757997
Showing 29 changed files with 778 additions and 3 deletions.
3 changes: 3 additions & 0 deletions charts/pega/README.md
Expand Up @@ -90,6 +90,9 @@ jdbc:

Pega requires a database driver JAR to be provided for connecting to the relational database. This JAR may either be baked into your image by extending the Pega provided Docker image, or it may be pulled in dynamically when the container is deployed. If you want to pull in the driver during deployment, you will need to specify a URL to the driver using the `jdbc.driverUri` parameter. This address must be visible and accessible from the process running inside the container.

Use the `customArtifactory.authentication.basic` section to provide access credentials or use `customArtifactory.authentication.apiKey` to provide an APIKey value and dedicated APIKey header details if you host the driver in a custom artifactory that requires Basic or APIKey Authentication.
If your artifactory domain server certificate is not issued by Certificate Authority, you must provide the server certificate using the `customArtifactory.certificate` parameter. To disable SSL verification, you can set `customArtifactory.enableSSLVerification` to `false` and leave the `CustomArtifactory.certificate` parameter blank.

The Pega Docker images use Java 11, which requires that the JDBC driver that you specify is compatible with Java 11.

### Authentication
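Review bot: the last sentence of the added paragraph names the key as `CustomArtifactory.certificate` while the chart and the sentence before it use `customArtifactory.certificate`; values keys are case-sensitive, so lowercase the `C`. "not issued by Certificate Authority" should read "not issued by a certificate authority the Pega image already trusts", which is the actual condition under which the certificate has to be supplied. It would also help to say here that `customArtifactory.enableSSLVerification` defaults to `true`, since the next sentence only explains how to turn it off.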
15 changes: 13 additions & 2 deletions charts/pega/charts/installer/templates/_pega-installer-job.tpl
Expand Up @@ -55,7 +55,12 @@ spec:
name: {{ template "pegaUpgradeConfig"}}
{{- end }}
# Used to specify permissions on files within the volume.
defaultMode: 420
defaultMode: 420
{{ if (eq (include "customArtifactorySSLVerificationEnabled" .root) "true") }}
{{- if .root.Values.global.customArtifactory.certificate }}
{{- include "pegaCustomArtifactoryCertificateTemplate" .root | indent 6 }}
{{- end }}
{{- end }}
initContainers:
{{- range $i, $val := .initContainers }}
{{ include $val $.root | indent 6 }}
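Review bot: the `{{ if (eq (include "customArtifactorySSLVerificationEnabled" .root) "true") }}` line is the only action in this block without the left-trim dash, so the rendered manifest gets a stray blank line between `defaultMode: 420` and the new volume entry; write it as `{{- if ... }}` like the nested `{{- if .root.Values.global.customArtifactory.certificate }}` beneath it. The `defaultMode: 420` context line above it shows the convention the rest of the volumes block follows.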
Expand All @@ -82,7 +87,13 @@ spec:
{{- if and .root.Values.distributionKitVolumeClaimName (not .root.Values.distributionKitURL) }}
- name: {{ template "pegaDistributionKitVolume" }}
mountPath: "/opt/pega/mount/kit"
{{- end }}
{{- end }}
{{ if (eq (include "customArtifactorySSLVerificationEnabled" .root) "true") }}
{{- if .root.Values.global.customArtifactory.certificate }}
- name: {{ template "pegaVolumeCustomArtifactoryCertificate" }}
mountPath: "/opt/pega/artifactory/cert"
{{- end }}
{{- end }}
{{- if or (eq $arg "pre-upgrade") (eq $arg "post-upgrade") (eq $arg "upgrade") }}
env:
- name: ACTION
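Review bot: same whitespace point as in the volumes hunk: `{{ if (eq (include ...) "true") }}` without `{{-` emits a blank line inside the `volumeMounts` list. More importantly, the mount path `/opt/pega/artifactory/cert` is hard-coded here and again in `_pega-deployment.tpl` but is not passed to the container through any variable, whereas `ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION` is; either export the path next to that flag or state in the README that the image expects the certificate at exactly this location.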
Expand Up @@ -70,6 +70,8 @@ data:
# Bypass loading assembly classes into database during installation
BYPASS_LOAD_ASSEMBLED_CLASSES: {{ .Values.bypassLoadAssembledClasses | quote }}
{{- end }}
# enable ssl verification for jdbc driver download
ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: {{ .Values.global.customArtifactory.enableSSLVerification | quote }}
{{- if .Values.advancedSettings }}
ADVANCED_SETTINGS: |-
{{- range .Values.advancedSettings }}
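Review bot: `.Values.global.customArtifactory.enableSSLVerification` is dereferenced directly here, whereas every helper in `_helpers.tpl` first checks `if (.Values.global.customArtifactory)`; a values file that sets `customArtifactory` to null makes this line fail the render with a nil-pointer evaluation error instead of falling back. Rendering `{{ include "customArtifactorySSLVerificationEnabled" . | quote }}` would keep a single code path, but that helper emits an empty string when the key is absent, so decide first whether "absent" should mean `"true"` (fail closed) before reusing it.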
Expand Up @@ -80,6 +80,8 @@ data:
# Bypass loading assembly classes into database during installation
BYPASS_LOAD_ASSEMBLED_CLASSES: {{ .Values.bypassLoadAssembledClasses | quote }}
{{- end }}
# Enable ssl verification for jdbc driver download
ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: {{ .Values.global.customArtifactory.enableSSLVerification | quote }}
{{- if .Values.advancedSettings }}
ADVANCED_SETTINGS: |-
{{- range .Values.advancedSettings }}
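Review bot: this line duplicates the one added to the other installer config with only the comment capitalization changed (`Enable` vs `enable`); keep the two identical. The same nil-guard concern applies: the direct `.Values.global.customArtifactory.enableSSLVerification` access is not protected the way the `customArtifactory` helpers in `_helpers.tpl` are.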
56 changes: 56 additions & 0 deletions charts/pega/templates/_helpers.tpl
Expand Up @@ -20,6 +20,34 @@
defaultMode: 420
{{- end}}

{{- define "pegaCustomArtifactoryCertificateConfig" }}
{{- $depName := printf "%s" (include "deploymentName" $) -}}
{{- $depName -}}-custom-artifactory-certificate-config
{{- end }}

{{- define "pegaVolumeCustomArtifactoryCertificate" }}pega-volume-custom-artifactory-certificate{{- end }}

{{- define "pegaCustomArtifactoryCertificateTemplate" }}
- name: {{ template "pegaVolumeCustomArtifactoryCertificate" }}
configMap:
# This name will be referred in the volume mounts kind.
name: {{ template "pegaCustomArtifactoryCertificateConfig" $ }}
# Used to specify permissions on files within the volume.
defaultMode: 420
{{- end}}

{{- define "customArtifactorySSLVerificationEnabled" }}
{{- if (.Values.global.customArtifactory) }}
{{- if (.Values.global.customArtifactory.enableSSLVerification) }}
{{- if (eq .Values.global.customArtifactory.enableSSLVerification true) -}}
true
{{- else -}}
false
{{- end }}
{{- end }}
{{- end }}
{{- end }}

{{- define "pegaVolumeConfig" }}pega-volume-config{{- end }}

{{- define "pegaVolumeCredentials" }}pega-volume-credentials{{- end }}
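Review bot: `customArtifactorySSLVerificationEnabled` emits nothing at all, rather than `false`, when `customArtifactory` or `enableSSLVerification` is absent, because the `{{- else -}} false` branch sits inside the `{{- if (.Values.global.customArtifactory.enableSSLVerification) }}` check and is reachable only for a truthy non-boolean value such as the string `"true"`. Callers compare against `"true"`, so the empty case works, but an omitted key silently turns certificate mounting off. If the intent is fail-closed, test for the key with `hasKey` and emit `true` when it is missing; do not reach for `default true`, because sprig's `default` treats an explicit `false` as empty and would flip it to `true`. Minor: `printf "%s" (include "deploymentName" $)` is a no-op wrapper, since `include` already returns a string.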
Expand Down Expand Up @@ -66,6 +94,34 @@
{{- end -}}
{{- end }}

{{- define "useBasicAuthForCustomArtifactory" }}
{{- if (.Values.global.customArtifactory) }}
{{- if (.Values.global.customArtifactory.authentication) }}
{{- if (.Values.global.customArtifactory.authentication.basic) }}
{{- if and (.Values.global.customArtifactory.authentication.basic.username) (.Values.global.customArtifactory.authentication.basic.password) -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}
{{- end }}
{{- end }}
{{- end }}

{{- define "useApiKeyForCustomArtifactory" }}
{{- if (.Values.global.customArtifactory) }}
{{- if (.Values.global.customArtifactory.authentication) }}
{{- if (.Values.global.customArtifactory.authentication.apiKey) }}
{{- if and (.Values.global.customArtifactory.authentication.apiKey.headerName) (.Values.global.customArtifactory.authentication.apiKey.value) -}}
true
{{- else -}}
false
{{- end -}}
{{- end }}
{{- end }}
{{- end -}}
{{- end }}

{{- define "tlssecretsnippet" }}
tls:
- hosts:
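Review bot: `useBasicAuthForCustomArtifactory` and `useApiKeyForCustomArtifactory` can both return `"true"` at the same time, and with the `values.yaml` in this commit they do, because `basic` and `apiKey` are both prefilled with `YOUR_ARTIFACTORY_*` placeholders; the credentials Secret then carries both sets and the placeholder strings are presented to the artifactory on every untouched deployment. Either ship the placeholders as empty strings or `fail` when both sections are populated, and document which mechanism wins. Minor: the trim markers differ between the two defines (`{{- end -}}` vs `{{- end }}` on the closing lines), so the two helpers emit different surrounding whitespace.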
14 changes: 14 additions & 0 deletions charts/pega/templates/_pega-credentials-secret.tpl
Expand Up @@ -14,6 +14,20 @@ data:
# Base64 encoded password for connecting to the Pega DB
DB_PASSWORD: {{ .Values.global.jdbc.password | b64enc }}

{{ if (eq (include "useBasicAuthForCustomArtifactory" .) "true") }}
# Base64 encoded username for basic authentication of custom artifactory
CUSTOM_ARTIFACTORY_USERNAME: {{ .Values.global.customArtifactory.authentication.basic.username | b64enc }}
# Base64 encoded password for basic authentication of custom artifactory
CUSTOM_ARTIFACTORY_PASSWORD: {{ .Values.global.customArtifactory.authentication.basic.password | b64enc }}
{{- end }}

{{ if (eq (include "useApiKeyForCustomArtifactory" .) "true") }}
# Base64 encoded dedicated apikey header name and apikey value for authentication of custom artifactory
CUSTOM_ARTIFACTORY_APIKEY_HEADER: {{ .Values.global.customArtifactory.authentication.apiKey.headerName | b64enc }}
# Base64 encoded password for basic authentication of custom artifactory
CUSTOM_ARTIFACTORY_APIKEY: {{ .Values.global.customArtifactory.authentication.apiKey.value | b64enc }}
{{- end }}

{{ if (eq (include "performDeployment" .) "true") }}
# Base64 encoded username for connecting to cassandra
CASSANDRA_USERNAME: {{ .Values.dds.username | b64enc }}
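Review bot: the comment above `CUSTOM_ARTIFACTORY_APIKEY` says "Base64 encoded password for basic authentication of custom artifactory" but the key holds the API key value; fix the copy-paste. Both new `{{ if ... }}` lines also lack the `{{-` left trim used by `{{ if (eq (include "performDeployment" .) "true") }}`'s neighbours, so the Secret's `data` block gains extra blank lines. `CUSTOM_ARTIFACTORY_APIKEY_HEADER` is only a header name and is not sensitive; it could live in the environment ConfigMap next to `ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION`, leaving only the key value in the Secret.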
@@ -0,0 +1,19 @@
{{- define "pegaCustomArtifactoryCertificatesConfigTemplate" }}
# Config map used for certificate of custom artifactory
{{ if (eq (include "customArtifactorySSLVerificationEnabled" .) "true") }}
{{- if .Values.global.customArtifactory.certificate }}
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ template "pegaCustomArtifactoryCertificateConfig" $ }}
namespace: {{ .Release.Namespace }}
data:
# cert File
{{- if .Values.global.customArtifactory.certificate }}
# import certificate
{{ .Values.global.customArtifactory.certificate | toYaml | nindent 2 -}}
{{- end }}
{{- end }}
{{- end }}
---
{{- end }}
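Review bot: under `data:`, `{{ .Values.global.customArtifactory.certificate | toYaml | nindent 2 -}}` only produces a valid ConfigMap if `certificate` is a map of file name to PEM text; the AKS and EKS tables in this same commit document it as a plain string (`certificate: "<custom artifactory SSL certificate to be verified>"`), which `toYaml` renders as a bare scalar under `data:` and the API server rejects. Either document the map form in the values files and tables, or wrap a string value under a fixed key here. The inner `{{- if .Values.global.customArtifactory.certificate }}` around the `# cert File` block repeats the outer guard two lines above and can go.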
11 changes: 11 additions & 0 deletions charts/pega/templates/_pega-deployment.tpl
Expand Up @@ -63,6 +63,11 @@ spec:
{{ if .root.Values.global.certificates }}
{{- include "pegaImportCertificatesTemplate" .root | indent 6 }}
{{ end }}
{{ if (eq (include "customArtifactorySSLVerificationEnabled" .root) "true") }}
{{- if .root.Values.global.customArtifactory.certificate }}
{{- include "pegaCustomArtifactoryCertificateTemplate" .root | indent 6 }}
{{- end }}
{{- end }}
{{- if .custom }}
{{- if .custom.volumes }}
# Additional custom volumes
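Review bot: this is the third copy of the `customArtifactorySSLVerificationEnabled` plus `customArtifactory.certificate` guard wrapped around `pegaCustomArtifactoryCertificateTemplate`; moving the guard into that define, the way `pegaCustomArtifactoryCertificatesConfigTemplate` already carries its own, would leave a single `{{- include ... }}` at each call site. `{{ if` here also lacks the left trim the neighbouring `{{- include` lines use.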
Expand Down Expand Up @@ -192,6 +197,12 @@ spec:
- name: {{ template "pegaVolumeImportCertificates" }}
mountPath: "/opt/pega/certs"
{{ end }}
{{ if (eq (include "customArtifactorySSLVerificationEnabled" .root) "true") }}
{{- if .root.Values.global.customArtifactory.certificate }}
- name: {{ template "pegaVolumeCustomArtifactoryCertificate" }}
mountPath: "/opt/pega/artifactory/cert"
{{- end }}
{{- end }}
{{- if (semverCompare ">= 1.18.0-0" (trimPrefix "v" .root.Capabilities.KubeVersion.GitVersion)) }}
# LivenessProbe: indicates whether the container is live, i.e. running.
{{- $livenessProbe := .node.livenessProbe }}
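Review bot: the mount is a ConfigMap volume with `defaultMode: 420`, so `/opt/pega/artifactory/cert` is read-only inside the container; the entrypoint has to import the file into a trust store it owns rather than write next to it, and the README should say so. As with the installer job, nothing tells the container the path, so a variable carrying it (or a fixed file name inside the directory) should accompany `ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION`.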
@@ -0,0 +1,5 @@
{{ if (eq (include "customArtifactorySSLVerificationEnabled" .) "true") }}
{{- if .Values.global.customArtifactory.certificate }}
{{- include "pegaCustomArtifactoryCertificatesConfigTemplate" . }}
{{- end }}
{{- end }}
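Review bot: this wrapper repeats the `customArtifactorySSLVerificationEnabled` and `certificate` checks that `pegaCustomArtifactoryCertificatesConfigTemplate` already performs on its own first two lines; drop one of the two copies, preferably this one, so the file is a single `{{- include }}`.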
2 changes: 2 additions & 0 deletions charts/pega/templates/pega-environment-config.yaml
Expand Up @@ -74,4 +74,6 @@ data:
# Hostname of Hazelcast server
HZ_SERVER_HOSTNAME: {{ template "hazelcastName" . }}-service.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}
# enable ssl verification for jdbc driver download
ENABLE_CUSTOM_ARTIFACTORY_SSL_VERIFICATION: "{{ .Values.global.customArtifactory.enableSSLVerification }}"
{{ end }}
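Review bot: this file interpolates the flag as `"{{ .Values.global.customArtifactory.enableSSLVerification }}"` while both installer configs use `| quote`; the two forms render an unset value differently (Go's `<no value>` text inside the manual quotes, an empty value with `quote`), so use `| quote` here as well so one values file yields the same string in every ConfigMap. The direct access without the nil guard used in `_helpers.tpl` applies here too.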
18 changes: 18 additions & 0 deletions charts/pega/values-large.yaml
Expand Up @@ -48,6 +48,24 @@ global:
dataSchema: "YOUR_DATA_SCHEMA"
customerDataSchema: ""

customArtifactory:
# If you use a secured custom artifactory to manager your JDBC driver,
# provide the authentication details below by filling in the appropriate authentication section,
# either basic or apiKey.
authentication:
# Provide the basic authentication credentials or the API key authentication details to satisfy your custom artifactory authentication mechanism.
basic:
username: "YOUR_ARTIFACTORY_USERNAME"
password: "YOUR_ARTIFACTORY_PASSWORD"
apiKey:
headerName: "YOUR_ARTIFACTORY_DEDICATED_APIKEY_HEADER"
value: "YOUR_ARTIFACTORY_API_KEY"
# Leave customArtifactory.enableSSLVerification enabled to ensure secure access to your custom artifactory;
# when customArtifactory.enableSSLVerification is false, SSL verification is skipped and establishes an insecure connection.
enableSSLVerification: true
# Provide a required domain certificate for your custom artifactory; if none is required, leave this field blank.
certificate:

docker:
# If using a custom Docker registry, supply the credentials here to pull Docker images.
registry:
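Review bot: typo in the comment: "to manager your JDBC driver" should be "to manage your JDBC driver". More importantly, shipping `YOUR_ARTIFACTORY_USERNAME`, `YOUR_ARTIFACTORY_PASSWORD`, `YOUR_ARTIFACTORY_DEDICATED_APIKEY_HEADER` and `YOUR_ARTIFACTORY_API_KEY` as live defaults makes both `useBasicAuthForCustomArtifactory` and `useApiKeyForCustomArtifactory` evaluate to `"true"` for anyone who leaves this section alone, so placeholder credentials land in the Secret and are sent to the artifactory; default the four fields to `""` and show the expected values in the comments instead. The `certificate:` key is left with no value and no hint of its shape (string or map of file name to PEM), which `pegaCustomArtifactoryCertificatesConfigTemplate` depends on.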
18 changes: 18 additions & 0 deletions charts/pega/values-minimal.yaml
Expand Up @@ -44,6 +44,24 @@ global:
dataSchema: "YOUR_DATA_SCHEMA"
customerDataSchema: ""

customArtifactory:
# If you use a secured custom artifactory to manager your JDBC driver,
# provide the authentication details below by filling in the appropriate authentication section,
# either basic or apiKey.
authentication:
# Provide the basic authentication credentials or the API key authentication details to satisfy your custom artifactory authentication mechanism.
basic:
username: "YOUR_ARTIFACTORY_USERNAME"
password: "YOUR_ARTIFACTORY_PASSWORD"
apiKey:
headerName: "YOUR_ARTIFACTORY_DEDICATED_APIKEY_HEADER"
value: "YOUR_ARTIFACTORY_API_KEY"
# Leave customArtifactory.enableSSLVerification enabled to ensure secure access to your custom artifactory;
# when customArtifactory.enableSSLVerification is false, SSL verification is skipped and establishes an insecure connection.
enableSSLVerification: true
# Provide a required domain certificate for your custom artifactory; if none is required, leave this field blank.
certificate:

docker:
# If using a custom Docker registry, supply the credentials here to pull Docker images.
registry:
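Review bot: same as values-large.yaml: "manager" should be "manage", and the `YOUR_ARTIFACTORY_*` placeholders should be empty strings so the basic and apiKey helpers do not both resolve to `"true"` out of the box.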
18 changes: 18 additions & 0 deletions charts/pega/values.yaml
Expand Up @@ -49,6 +49,24 @@ global:
dataSchema: "YOUR_DATA_SCHEMA"
customerDataSchema: ""

customArtifactory:
# If you use a secured custom artifactory to manager your JDBC driver,
# provide the authentication details below by filling in the appropriate authentication section,
# either basic or apiKey.
authentication:
# Provide the basic authentication credentials or the API key authentication details to satisfy your custom artifactory authentication mechanism.
basic:
username: "YOUR_ARTIFACTORY_USERNAME"
password: "YOUR_ARTIFACTORY_PASSWORD"
apiKey:
headerName: "YOUR_ARTIFACTORY_DEDICATED_APIKEY_HEADER"
value: "YOUR_ARTIFACTORY_API_KEY"
# Leave customArtifactory.enableSSLVerification enabled to ensure secure access to your custom artifactory;
# when customArtifactory.enableSSLVerification is false, SSL verification is skipped and establishes an insecure connection.
enableSSLVerification: true
# Provide a required domain certificate for your custom artifactory; if none is required, leave this field blank.
certificate:

docker:
# If using a custom Docker registry, supply the credentials here to pull Docker images.
registry:
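Review bot: same comment typo ("manager") and the same placeholder problem as the other two values files, and this is the file `helm inspect values pega/pega` exports for users to edit, so these defaults are the ones most deployments will inherit: blank the four `YOUR_ARTIFACTORY_*` values and show the `certificate:` shape in a comment.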
2 changes: 2 additions & 0 deletions docs/Deploying-Pega-on-AKS.md
Expand Up @@ -484,6 +484,8 @@ helm inspect values pega/pega > <local filepath>/aks-demo/pega.yaml
| Jdbc.driverUri: | Specify the database driver Pega Platform uses during the deployment. For AKS, reference the URL of the required 8.2.0. driver file that is publicly available in the referenced Maven repository. | driverUri: "https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/8.2.0.jre11/mssql-jdbc-8.2.0.jre11.jar" |
| Jdbc: username: password: | Set the security credentials for your database server to allow installation of Pega Platform into your database. | <ul><li>username: "\<name of your database user\>"</li><li> password: "\<password for your database user\>"</li></ul> |
| jdbc.rulesSchema: jdbc.dataSchema: | Set the names of both your rules and the data schema to the values that Pega Platform uses for these two schemas. | rulesSchema: "rules" dataSchema: "data" |
| customArtifactory.authentication: basic.username: basic.password: apiKey.headerName: apiKey.value: | To download a JDBC driver from your custom artifactory which is secured with Basic or APIKey Authentication. Use `customArtifactory.authentication.basic` section to provide access credentials or use `customArtifactory.authentication.apiKey` section to provide APIKey value and dedicated APIKey header details. | <ul><li>basic.username: "\<Custom artifactory basic Authentication username\>"</li><li>basic.password: "\<Custom artifactory basic Authentication password\>"</li><li>apiKey.headerName: "\<Custom artifactory dedicated APIKey Authentication header name\>"</li><li>apiKey.value: "\<Custom artifactory APIKey value for APIKey authentication\>"</li> </ul> |
| customArtifactory.certificate: | Custom artifactory SSL certificate verification is enabled by default. If your custom artifactory domain has a self-signed SSL certificate, provide the certificate. You can disable SSL certificate verification by setting `customArtifactory.enableSSLVerification` to `false`;however, this setting establishes an insecure connection. | <ul><li> certificate: "\<custom artifactory SSL certificate to be verified\>"</li></ul> |
| docker.registry.url: username: password: | Include the URL of your Docker registry along with the registry “username” and “password” credentials. | <ul><li>url: “\<URL of your registry>” </li><li>username: "\<Registry account username\>"</li><li> password: "\<Registry account password\>"</li></ul> |
| docker.pega.image: | Specify the Pega-provided `Pega` image you downloaded and pushed to your Docker registry. | Image: "\<Registry host name:Port\>/my-pega:\<Pega Platform version>" |
| tier.name: ”web” tier.ingress.domain:| Set a host name for the pega-web service of the DNS zone. | <ul><li>domain: "\<the host name for your web service tier\>" </li><li>tier.ingress.tls: set to `true` to support HTTPS in the ingress and pass the SSL certificate in the cluster using a secret. For details, see step 12 in the section, **Deploying Pega Platform using the command line**.</li></ul> |
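Review bot: missing space in "to `false`;however". The key column of the authentication row lists four sub-keys but `customArtifactory.enableSSLVerification`, which the certificate row's text turns on and off, appears in no key column at all; give it its own row or add it to the certificate row. "basic Authentication username" and the other value-column entries mix capitalization; lowercase "authentication" to match the rest of the table.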
2 changes: 2 additions & 0 deletions docs/Deploying-Pega-on-EKS.md
Expand Up @@ -514,6 +514,8 @@ Configure the parameters so the pega.yaml Helm chart matches your deployment res
| jdbc.driverUri: | Specify the database driver Pega Platform uses during the deployment.| <ul> <li>driverUri: "latest jar file available” </li> <li>For PostgreSQL databases, use the URL of the latest PostgreSQL driver file that is publicly available at <https://jdbc.postgresql.org/download.html>.</li></ul> |
| jdbc: username: password: | Set the security credentials for your database server to allow installation of Pega Platform into your database. | <ul><li>username: "\<name of your database user\>" </li><li>password: "\<password for your database user\>"</li><li>-- For RDS postgreSQL databases, previously set default <username>.</li></ul> |
| jdbc.rulesSchema: jdbc.dataSchema: | Set the names of both your rules and the data schema to the values that Pega Platform uses for these two schemas. | <ul><li>rulesSchema: "rules" </li><li>dataSchema: "data"</li></ul> |
| customArtifactory.authentication: basic.username: basic.password: apiKey.headerName: apiKey.value: | To download a JDBC driver from your custom artifactory which is secured with Basic or APIKey Authentication. Use `customArtifactory.authentication.basic` section to provide access credentials or use `customArtifactory.authentication.apiKey` section to provide APIKey value and dedicated APIKey header details. | <ul><li>basic.username: "\<Custom artifactory basic Authentication username\>"</li><li>basic.password: "\<Custom artifactory basic Authentication password\>"</li><li>apiKey.headerName: "\<Custom artifactory dedicated APIKey Authentication header name\>"</li><li>apiKey.value: "\<Custom artifactory APIKey value for APIKey authentication\>"</li> </ul> |
| customArtifactory.certificate: | Custom artifactory SSL certificate verification is enabled by default. If your custom artifactory domain has a self-signed SSL certificate, provide the certificate. You can disable SSL certificate verification by setting `customArtifactory.enableSSLVerification` to `false`;however, this setting establishes an insecure connection. | <ul><li> certificate: "\<custom artifactory SSL certificate to be verified\>"</li></ul> |
| docker.registry.url: username: password: | Map the host name of a registry to an object that contains the “username” and “password” values for that registry. For more information, search for “index.docker.io/v1” in [Engine API v1.24](https://docs.docker.com/engine/api/v1.24/). | <ul><li>url: “<https://index.docker.io/v1/>” </li><li>username: "\<DockerHub account username\>"</li><li> password: "\< DockerHub account password\>"</li></ul> |
| docker.pega.image: | Specify the Pega-provided `Pega` image that you downloaded and pushed to your Docker registry. | Image: "\<Registry host name:Port\>/my-pega:\<Pega Platform version>" |
| tier.name: ”web” tier.service.domain:| Set a host name for the pega-web service of the DNS zone. To support the use of HTTPS for ingress connectivity enable SSL/TLS termination protocols on the tier ingress and provide your ARN certificate, where `alb.ingress.kubernetes.io/certificate-arn` is the required annotation name and `<certificate-arn>` takes the form, `arn:aws:acm:<region>:<AWS account>:certificate/xxxxxxx` which you copy from the AWS console view of the load balancer configuration.| <ul><li>domain: "\<the host name for your web service tier\>" </li><li>ingress.tls.enabled: "true"</li><li>ingress.ssl_annotation: alb.ingress.kubernetes.io/certificate-arn: \<certificate-arn></li><li>Assign this host name with the DNS host name that the load balancer associates with the web tier; after the deployment is complete, you can log into Pega Platform with your host name in the URL. Your web tier host name must comply with your networking standards and be available on an external network.</li></ul> |
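Review bot: these two rows duplicate the AKS table verbatim, including the missing space in "`false`;however". The value column shows `certificate: "<custom artifactory SSL certificate to be verified>"` as a quoted string, which is not the form `pegaCustomArtifactoryCertificatesConfigTemplate` handles (it runs the value through `toYaml` under `data:`); the example should show the shape the template actually accepts.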