Newer
Older
# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
# -- (experimental) Toggle sourcing from external repos.
# All this does right now is toggle GitRepositories, it is _not_ fully functional
joshwolf
committed
offline: false
# -- List of Helm repositories/credentials to pull helm charts from.
# OCI Type: Must specify username/password or existingSecret if repository requires auth. Using "private-registry" for existingSecret will reuse credentials from registryCredentials above.
# Default Type: Must specify existingSecret with auth - see https://fluxcd.io/flux/components/source/helmrepositories/#secret-reference for details on secret data required.
helmRepositories: []
# - name: "registry1"
# repository: "oci://registry1.dso.mil/bigbang"
# existingSecret: "private-registry"
# type: "oci"
# username: ""
# password: ""
# email: ""
# # This is an array/list of public keys to be used. Template will append `.pub` to the key as required by Flux
# cosignPublicKeys: []
# key1: |
# -----BEGIN PUBLIC KEY-----
# MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIE7v9J6ttQus6itUoyfMCqMjaIqm
# R8XrntaedsdEhPPchOQuFzqTyyAPGifV1SaEu8medVRi6mVICWbVwOteNg==
# -----END PUBLIC KEY-----
# -- Single set of registry credentials used to pull all images deployed by BigBang.
registryCredentials:
registry: registry1.dso.mil
username: ""
password: ""
email: ""
joshwolf
committed
# -- Multiple sets of registry credentials used to pull all images deployed by BigBang.
# Credentials will only be created when a valid combination exists, registry, username, and password (email is optional)
# - registry: registry1.dso.mil
# username: ""
# password: ""
# email: ""
# - registry: registry.dso.mil
# username: ""
# password: ""
# email: ""
# Openshift Container Platform Feature Toggle
openshift: false
# -- Git credential settings for accessing private repositories
# Order of precedence is:
# 1. existingSecret
# 2. http credentials (username/password/caFile)
# 3. ssh credentials (privateKey/publicKey/knownHosts)
git:
# -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
# -- Chart created secrets with user defined values
# -- HTTP git credentials, both username and password must be provided
# -- HTTPS certificate authority file. Required for any repo with a self signed certificate
# -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
privateKey: ""
publicKey: ""
knownHosts: ""
# -- Global SSO values used for BigBang deployments when sso is enabled
Ryan Garcia
committed
sso:
# -- Name of the identity provider. This is used by some packages as the SSO login label.
name: SSO
# -- Base URL for the identity provider. For OIDC, this is the issuer. For SAML this is the entityID.
url: https://login.dso.mil/auth/realms/baby-yoda
# -- Certificate authority for the identity provider's certificates
certificateAuthority:
# -- The certificate authority public certificate in .pem format. Populating this will create a secret in each namespace that enables SSO.
cert: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
# -- The secret name to use for the certificate authority. Can be manually populated if cert is blank.
secretName: tls-ca-sso
saml:
# -- SAML entityDescriptor (metadata) path
entityDescriptor: "{{ .Values.sso.url }}/protocol/saml/descriptor"
# -- SAML SSO Service path
service: "{{ .Values.sso.url }}/protocol/saml"
# -- Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`. Required for SSO in Nexus, Twistlock, or Sonarqube.
metadata: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
# NOTE: SAML attribute names may vary by package. Use the package values to setup attribute names
# -- OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration`
Ryan Garcia
committed
oidc:
# -- OIDC authorization path
authorization: "{{ .Values.sso.url }}/protocol/openid-connect/auth"
# -- OIDC logout / end session path
endSession: "{{ .Values.sso.url }}/protocol/openid-connect/logout"
# -- OIDC JSON Web Key Set (JWKS) path
jwksUri: "{{ .Values.sso.url }}/protocol/openid-connect/certs"
# -- OIDC token path
token: "{{ .Values.sso.url }}/protocol/openid-connect/token"
# -- OIDC user information path
userinfo: "{{ .Values.sso.url }}/protocol/openid-connect/userinfo"
# -- Literal OIDC JWKS data retrieved from JWKS Uri. Only needed if `jwsksUri` is not defined.
jwks: ""
# -- Identity provider claim names that store metadata about the authenticated user.
claims:
# -- IdP's claim name used for the user's email address.
email: email
# -- IdP's claim name used for the user's full name
name: name
# -- IdP's claim name used for the username
username: preferred_username
# -- IdP's claim name used for the user's groups or roles
groups: groups
# -- (Advanced) Flux reconciliation parameters.
# The default values provided will be sufficient for the majority of workloads.
joshwolf
committed
flux:
Ryan Garcia
committed
timeout: 10m
Ryan Garcia
committed
test:
enable: false
Ryan Garcia
committed
remediation:
Ryan Garcia
committed
remediation:
retries: 3
remediateLastFailure: true
cleanupOnFail: true
# -- Global NetworkPolicies settings
networkPolicies:
# -- Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled`
# -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster
# Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
# Used by package NetworkPolicies to allow Kube API access
controlPlaneCidr: 0.0.0.0/0
# -- Node CIDR, defaults to allowing "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" networks.
# use `kubectl get nodes -owide` and review the `INTERNAL-IP` column to derive CIDR range.
# Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
nodeCidr: ""
# -- VPC CIDR, defaults to 0.0.0.0/0
# In a production environment, it is recommended to setup a Private Endpoint for your AWS services like KMS or S3.
# Please review https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html to setup routing to AWS services that never leave the AWS network.
# Once created update `networkPolicies.vpcCidr` to match the CIDR of your VPC so Vault will be able to reach your VPCs DNS and new KMS endpoint.
vpcCidr: 0.0.0.0/0
Tawsif Siddiqui
committed
# -- Global ImagePullPolicy value for all packages
# Permitted values are: None, Always, IfNotPresent
Tawsif Siddiqui
committed
imagePullPolicy: IfNotPresent
# ----------------------------------------------------------------------------------------------------------------------
# Istio
#
# -- Toggle deployment of Istio.
mtls:
# -- STRICT = Allow only mutual TLS traffic,
# PERMISSIVE = Allow both plain text and mutual TLS traffic
mode: STRICT
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
repo: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane.git
# -- If the HelmRelease should verify the cosign signature of the HelmRepo (only relevant if Repo is OCI). Set to 'false' to disable verification.
# cosignVerify:
# -- Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support,
# validated through the FIPs Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
enterprise: false
# Ingress gateways are created based on the key name. Adding more keys will add ingress gateways.
# Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
# Besides some ports needed by Istio, only ports 80 and 443 are opened
# Ingress gateways that require more configuration can be completed using `istio.values`
ingressGateways:
public-ingressgateway:
type: "LoadBalancer" # or "NodePort"
kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
# private-ingressgateway:
# type: "LoadBalancer" # or "NodePort"
# kubernetesResourceSpec: # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
Loading
Loading full blame...