Integrate cert-manager into wrapper
Review the docs and deploy using this: https://repo1.dso.mil/big-bang/product/packages/wrapper
Info from Andrew Shoell's podinfo example
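# NOTE(review): the nesting below was reconstructed from a flattened paste;
# confirm it against the wrapper chart's values.yaml before applying.
kyvernoPolicies:
  values:
    # audit-only: violations are reported, not blocked
    validationFailureAction: "audit"

istio:
  enabled: true

# monitoring:
#   enabled: true

wrapper:
  git:
    repo: "https://repo1.dso.mil/big-bang/product/packages/wrapper.git"
    path: "chart"
    tag: null
    # pinned to a feature branch, not a tag, so the deployed chart is not
    # reproducible; switch to a tag before using this outside a dev cluster
    branch: "bb-2033-remove-share-authz-policies"

packages:
  podinfo:
    enabled: true
    sourceType: "git"
    git:
      repo: "https://github.com/stefanprodan/podinfo.git"
      path: "charts/podinfo"
      # tag: null
      # tag: 6.3.4
      # branch: main
      # existingSecret: ""
      # credentials:
      #   password: ""
      #   username: ""
    flux:
      timeout: 5m
      postRenderers: []
      # dependsOn:
      #   - name: monitoring
      #     namespace: bigbang
    wrapper:
      enabled: true
    values:
      replicaCount: 3
      istio:
        hardened:
          enabled: true
    istio:
      injection: "enabled"
      hardened:
        enabled: true
        # matchLabels:
        #   app.kubernetes.io/name: podinfo
        # An AuthorizationPolicy with an empty spec has no rules and the default
        # ALLOW action, so it matches no request and denies all traffic to the
        # selected workload — hence "allow-nothing".
        customAuthorizationPolicies:
          - name: "allow-nothing-1"
            enabled: true
            spec: {}
          - name: "allow-nothing-2"
            enabled: true
            spec: {}
      hosts:
        - names:
            - "podinfo"
          gateways:
            - "public"
          destination:
            port: 9898
        - names:
            - "test-too"
          domain: "dev.test"
          gateways:
            - "public"
          destination:
            port: 9898
        - names:
            - "test-3"
          domain: "dev.bigbang.mil"
          gateways:
            - "public"
          destination:
            port: 9898
        - names:
            - "test-4"
          domains:
            - "bigbang.local"
            - "dev.bigbang.mil"
          gateways:
            - "public"
          destination:
            port: 9898
    network:
      additionalPolicies:
        # NOTE(review): both policies list Egress in policyTypes but define no
        # egress rules, which denies all egress from the selected pods. Confirm
        # that is intended, or drop Egress from policyTypes.
        - name: "policy-1"
          spec:
            podSelector:
              matchLabels:
                role: db
            policyTypes:
              - Ingress
              - Egress
            ingress:
              - from:
                  - ipBlock:
                      cidr: 172.17.0.0/16
                      except:
                        - 172.17.1.0/24
                  - namespaceSelector:
                      matchLabels:
                        project: myproject
                  - podSelector:
                      matchLabels:
                        role: frontend
                ports:
                  - protocol: TCP
                    port: 6379
        - name: "policy-2"
          spec:
            podSelector:
              matchLabels:
                role: frontend
            policyTypes:
              - Ingress
              - Egress
            ingress:
              - from:
                  - ipBlock:
                      cidr: 172.19.0.0/16
                      except:
                        - 172.19.1.0/24
                  - namespaceSelector:
                      matchLabels:
                        project: myproject
                  - podSelector:
                      matchLabels:
                        role: frontend
                ports:
                  - protocol: TCP
                    port: 9300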
renovate example
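# NOTE(review): the nesting below was reconstructed from a flattened paste;
# confirm it against the Big Bang values schema before applying.
kyvernoPolicies:
  enabled: true
  # enabled: false
  values:
    policies:
      # Both exemptions apply only to renovate-* Pods in the renovate namespace;
      # keep the match this narrow so the policies stay enforced everywhere else.
      restrict-host-path-write:
        exclude:
          any:
            - resources:
                namespaces:
                  - renovate
                kinds:
                  - Pod
                names:
                  - "renovate-*"
      require-drop-all-capabilities:
        exclude:
          any:
            - resources:
                namespaces:
                  - renovate
                kinds:
                  - Pod
                names:
                  - "renovate-*"

packages:
  renovate:
    enabled: true
    git:
      repo: "https://repo1.dso.mil/big-bang/product/packages/renovate.git"
      # tag: null
      # branch: main
    values:
      redis:
        enabled: true
      renovate:
        configIsSecret: true
        # The config mixes "double" and 'single' quoted strings; JSON5 accepts
        # both, strict JSON does not — check which file format the chart writes.
        # token / username / password are intentionally empty here; populate them
        # from the secret rather than committing values into this file.
        config: |
          {
            "repositories": ["big-bang/product/packages/renovate"],
            "platform": 'gitlab',
            "endpoint": 'https://repo1.dso.mil/api/v4',
            "token": "",
            "autodiscover": false,
            "hostRules": [{
              "hostType": "docker",
              "matchHost": "registry1.dso.mil",
              "username": "",
              "password": ""
            }]
          }
      # template expressions are quoted so the YAML parser sees a string, not a
      # flow mapping
      networkPolicies:
        enabled: "{{ $.Values.networkPolicies.enabled }}"
      istio:
        enabled: "{{ $.Values.istio.enabled }}"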
fortify example
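# NOTE(review): the nesting below was reconstructed from a flattened paste;
# confirm it against the Big Bang values schema before applying.
packages:
  fortify:
    enabled: true
    sourceType: "git"
    git:
      repo: "https://repo1.dso.mil/big-bang/product/packages/fortify.git"
      path: "chart"
      tag: null
      # branch: "55-confidential-issue"
      branch: "main"
      existingSecret: ""
    values:
      # Plaintext keystore/truststore passwords in a values file end up in VCS
      # and in the rendered release; "dsoppassword" is a dev placeholder only.
      trust_store_password: dsoppassword
      key_store_password: dsoppassword
      key_store_cert_password: dsoppassword
      # left empty: autoconfig needs a license
      fortify_autoconfig: ""
      # the license body is truncated in this excerpt; the full license
      # document belongs here
      fortify_license: |
        <License>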
Edited by Danilo Patrucco