US-464967 - changes for external secrets mounting for DB_PASSWORD (#409)

US-464967 - changes for external secrets

charts/pega/templates/_helpers.tpl

@@ -326,11 +326,15 @@ true
 #Override this template in a subchart if your secret values are provided by seperate secrets
 {{- define "pegaCredentialVolumeTemplate" }}
 - name: {{ template "pegaVolumeCredentials" }}
-  secret:
-    # This name will be referred in the volume mounts kind.
-    secretName: {{ template "pegaCredentialsSecret" $ }}
-    # Used to specify permissions on files within the volume.
+  projected:
     defaultMode: 420
+    sources:
+    - secret:
+        name: {{ template "pegaCredentialsSecret" $ }}
+  {{ if and (.Values.global.jdbc.external_secret_name) (not .Values.global.jdbc.password) }}
+    - secret:
+        name: {{ .Values.global.jdbc.external_secret_name }}
+  {{- end }}
 {{- end}}
 
 {{- define "generatedDNSConfigAnnotations" }}

charts/pega/templates/_pega-credentials-secret.tpl

@@ -10,9 +10,14 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation
 data:
   # Base64 encoded username for connecting to the Pega DB
+  {{ if .Values.global.jdbc.username -}}
   DB_USERNAME: {{ .Values.global.jdbc.username | b64enc }}
+  {{- end }}
+
   # Base64 encoded password for connecting to the Pega DB
+  {{ if .Values.global.jdbc.password -}}
   DB_PASSWORD: {{ .Values.global.jdbc.password | b64enc }}
+  {{- end }}
 
   {{ if (eq (include "useBasicAuthForCustomArtifactory" .) "true") }}
   # Base64 encoded username for basic authentication of custom artifactory

charts/pega/values.yaml

@@ -41,6 +41,9 @@ global:
     driverUri: "YOUR_JDBC_DRIVER_URI"
     username: "YOUR_JDBC_USERNAME"
     password: "YOUR_JDBC_PASSWORD"
+    # To avoid exposing a password, leave the jdbc.password parameter empty (no quotes), configure a JDBC password
+    # in the External Secrets Manager, and enter the external secret for the JDBC password.
+    external_secret_name: "YOUR_EXTERNAL_SECRETS_NAME"
     # CUSTOM CONNECTION PROPERTIES
     # Add a list of ; delimited connections properties. The list must end with ;
     # For example: connectionProperties=user=usr;password=pwd;

docs/Deploying-Pega-on-AKS.md

@@ -446,6 +446,16 @@ Pega added for this purpose in the [pega-helm-charts](https://github.com/pegasys
 
 Make these changes before you begin deploying Pega Platform using Helm charts.
 
+#### (Optional) Add Support for providing DB credentials using External Secrets Operator
+
+Create two files following the Kubernetes documentation for External Secrets Operator [External Secrets Operator](https://external-secrets.io/v0.5.1/) :
+  •	An external secret file that specifies what information in your secret to fetch.
+  •	A secret store to define access how to access the external and placing the required files in your Helm directory.
+
+- Copy both files into the pega-helm-charts/charts/pega/templates directory of your Helm
+- Update repo to the latest-> helm repo update pega https://pegasystems.github.io/pega-helm-charts
+- Update Pega.yaml file to refer to the external secret manager for DB password.
+
 #### Updating the pega.yaml Helm chart values
 
 To configure the parameters in the pega.yaml Helm, download the file in the charts/pega folder, edit it with a text editor, and then save it to your local system using the same filename.

docs/Deploying-Pega-on-EKS.md

@@ -478,6 +478,16 @@ Pega added for this purpose in the [pega-helm-charts](https://github.com/pegasys
 
 Make these changes before you begin deploying Pega Platform using Helm charts.
 
+#### (Optional) Add Support for providing DB credentials using External Secrets Operator
+
+Create two files following the Kubernetes documentation for External Secrets Operator [External Secrets Operator](https://external-secrets.io/v0.5.1/) :
+  •	An external secret file that specifies what information in your secret to fetch.
+  •	A secret store to define access how to access the external and placing the required files in your Helm directory.
+
+- Copy both files into the pega-helm-charts/charts/pega/templates directory of your Helm
+- Update repo to the latest-> helm repo update pega https://pegasystems.github.io/pega-helm-charts
+- Update Pega.yaml file to refer to the external secret manager for DB password.
+
 #### Updating the pega.yaml Helm chart values
 
 To configure the parameters in the pega.yaml fie, download the file in the charts/pega folder, edit it with a text editor, and then save it to your local system using the same filename.

docs/Deploying-Pega-on-GKE.md

@@ -310,6 +310,16 @@ Configure the following parameters so the pega.yaml Helm chart matches your depl
 
 3. Save the file.
 
+#### (Optional) Add Support for providing DB credentials using External Secrets Operator
+
+Create two files following the Kubernetes documentation for External Secrets Operator [External Secrets Operator](https://external-secrets.io/v0.5.1/) :
+  •	An external secret file that specifies what information in your secret to fetch.
+  •	A secret store to define access how to access the external and placing the required files in your Helm directory.
+
+- Copy both files into the pega-helm-charts/charts/pega/templates directory of your Helm
+- Update repo to the latest-> helm repo update pega https://pegasystems.github.io/pega-helm-charts
+- Update Pega.yaml file to refer to the external secret manager for DB password.
+
 ### Deploying Pega Platform using the command line
 
 A Helm installation and a Pega Platform installation are separate processes. The Helm install command uses Helm to install your deployment as directed in the Helm charts, one in the **charts\\addons** folder and one in the **charts\\pega** folder.

terratest/src/test/pega/pega-custom-upgrade_test.go

@@ -59,8 +59,8 @@ func assertUpgradeJob(t *testing.T, jobYaml string, expectedJob pegaDbJob, optio
 	var containerPort int32 = 8080
 
 	require.Equal(t, jobSpec.Volumes[0].Name, "pega-volume-credentials")
-	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Secret.SecretName, getObjName(options, "-credentials-secret"))
-	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Secret.DefaultMode, volDefaultModePointer)
+	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Projected.Sources[0].Secret.Name, getObjName(options, "-credentials-secret"))
+	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Projected.DefaultMode, volDefaultModePointer)
 	require.Equal(t, jobSpec.Volumes[1].Name, "pega-volume-installer")
 
 	require.Equal(t, jobSpec.Volumes[1].VolumeSource.ConfigMap.LocalObjectReference.Name, "pega-upgrade-config")

terratest/src/test/pega/pega-hz-deployment_test.go

@@ -55,7 +55,7 @@ func VerifyHazelcastDeployment(t *testing.T, yamlContent string) {
 			require.Equal(t, "1Gi", statefulsetSpec.Containers[0].Resources.Requests.Memory().String())
 			require.Equal(t, statefulsetSpec.Volumes[0].Name, "logs")
             require.Equal(t, statefulsetSpec.Volumes[1].Name, "pega-volume-credentials")
-            require.Equal(t, statefulsetSpec.Volumes[1].Secret.SecretName, "pega-credentials-secret")
+            require.Equal(t, statefulsetSpec.Volumes[1].Projected.Sources[0].Secret.Name, "pega-credentials-secret")
             require.Equal(t, statefulsetSpec.Containers[0].VolumeMounts[0].Name, "logs")
             require.Equal(t, statefulsetSpec.Containers[0].VolumeMounts[0].MountPath, "/opt/hazelcast/logs")
             require.Equal(t, statefulsetSpec.Containers[0].VolumeMounts[1].Name, "pega-volume-credentials")

terratest/src/test/pega/pega-installer-job_test.go

@@ -85,8 +85,8 @@ func assertJob(t *testing.T, jobYaml string, expectedJob pegaDbJob, options *hel
 	var containerPort int32 = 8080
 
 	require.Equal(t, jobSpec.Volumes[0].Name, "pega-volume-credentials")
-	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Secret.SecretName, getObjName(options, "-credentials-secret"))
-	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Secret.DefaultMode, volDefaultModePointer)
+	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Projected.Sources[0].Secret.Name, getObjName(options, "-credentials-secret"))
+	require.Equal(t, jobSpec.Volumes[0].VolumeSource.Projected.DefaultMode, volDefaultModePointer)
 	require.Equal(t, jobSpec.Volumes[1].Name, "pega-volume-installer")
         if(jobSpec.Volumes[1].VolumeSource.ConfigMap.LocalObjectReference.Name=="pega-install-config") {
             require.Equal(t, jobSpec.Volumes[1].VolumeSource.ConfigMap.LocalObjectReference.Name, "pega-install-config")

terratest/src/test/pega/pega-tier-deployment_test.go

@@ -110,8 +110,8 @@ func VerifyDeployment(t *testing.T, pod *k8score.PodSpec, expectedSpec pegaDeplo
 	require.Equal(t, expectedSpec.name, pod.Volumes[0].VolumeSource.ConfigMap.LocalObjectReference.Name)
 	require.Equal(t, volumeDefaultModePtr, pod.Volumes[0].VolumeSource.ConfigMap.DefaultMode)
 	require.Equal(t, "pega-volume-credentials", pod.Volumes[1].Name)
-	require.Equal(t, getObjName(options, "-credentials-secret"), pod.Volumes[1].VolumeSource.Secret.SecretName)
-	require.Equal(t, volumeDefaultModePtr, pod.Volumes[1].VolumeSource.Secret.DefaultMode)
+	require.Equal(t, getObjName(options, "-credentials-secret"), pod.Volumes[1].VolumeSource.Projected.Sources[0].Secret.Name)
+	require.Equal(t, volumeDefaultModePtr, pod.Volumes[1].VolumeSource.Projected.DefaultMode)
 
 	actualInitContainers := pod.InitContainers
 	count := len(actualInitContainers)
@@ -199,7 +199,7 @@ func VerifyDeployment(t *testing.T, pod *k8score.PodSpec, expectedSpec pegaDeplo
 	require.Equal(t, "/opt/pega/config", pod.Containers[0].VolumeMounts[0].MountPath)
 	require.Equal(t, "pega-volume-config", pod.Volumes[0].Name)
 	require.Equal(t, "pega-volume-credentials", pod.Volumes[1].Name)
-	require.Equal(t, getObjName(options, "-credentials-secret"), pod.Volumes[1].Secret.SecretName)
+	require.Equal(t, getObjName(options, "-credentials-secret"), pod.Volumes[1].Projected.Sources[0].Secret.Name)
 
 }