Newer
Older
{{ if $.Values.addons.gitlab.enabled }}
Gitlab is enabled.
Please follow the Gitlab online documentation for proper configuration.
This BigBang chart provides convenient enhancements to the Gitlab Package helm chart.
If you enable these features certain settings will be defaulted for you and any required secrets will be automatically created.
You should point to your cloud provider's RDS and object storage.
Gitlab will not provision storage for you. You will need to provision the database and the S3 buckets.
Here is an example of how to configure your deployment.
addons:
gitlab:
enabled: true
hostnames:
gitlab: gitlab.example.mil
registry: registry.example.mil
sso:
enabled: true
label: "Platform One SSO"
client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-gitlab"
client_secret: ""
database:
host: postgres.example.mil
port: 5432
username: gitlab
database: gitlab
password: mysecretpassword
objectstorage:
type: s3
endpoint: https://s3.us-gov-west-1.amazonaws.com
region: us-gov-west-1
accessKey: myaccesskey
accessSecret: mysecretkey
bucketPrefix: prod
{{ if $.Values.addons.gitlab.objectStorage.endpoint }}
GITLAB: You have enabled Gitlab external object storage.
Here is the list of buckets that you must provision in your s3 service:
{{- if .Values.addons.gitlab.objectStorage.bucketPrefix }}
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-registry
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-lfs
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-artifacts
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-uploads
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-packages
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-mr-diffs
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-terraform-state
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-dependency-proxy
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-pseudo
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-backup
{{ .Values.addons.gitlab.objectStorage.bucketPrefix }}-gitlab-backup-tmp
{{- else }}
gitlab-registry
gitlab-lfs
gitlab-artifacts
gitlab-uploads
gitlab-packages
gitlab-mr-diffs
gitlab-terraform-state
gitlab-dependency-proxy
gitlab-pseudo
gitlab-backup
gitlab-backup-tmp
{{- end }}
{{- end }}
{{ if $.Values.addons.gitlab.database.host }}
{{ else }}
You have enabled an internal postgres database in the BigBang configuration.
Platform One does not support this option for production deployments because your persistent data can be permanently lost.
This option should only be used for development or CI pipelines.
{{- end -}}
{{ if $.Values.addons.gitlab.objectStorage.endpoint }}
You have enabled a MinIO internal service in the BigBang configuration.
Platform One does not support this option for production deployments because your persistent data can be permanently lost.
This option should only be used for development or CI pipelines.
{{- end }}
{{- end }}
{{- if $.Values.addons.anchore.enabled }}
Anchore is enabled.
{{- if not (and $.Values.addons.anchore.database.host $.Values.addons.anchore.database.port $.Values.addons.anchore.database.username $.Values.addons.anchore.database.password $.Values.addons.anchore.database.database) }}
PLATFORM ONE ANCHORE WARNING:
You have enabled an internal postgres database (main-db) in the values configuration.
Platform One does not support this option for production deployments.
This option should only be used for development or CI pipelines.
{{- end }}
{{- if $.Values.addons.anchore.enterprise.enabled }}
{{- if not (and $.Values.addons.anchore.redis.host $.Values.addons.anchore.redis.port $.Values.addons.anchore.redis.password) }}
PLATFORM ONE ANCHORE WARNING:
You have enabled an internal redis database in the values configuration.
Platform One does not support this option for production deployments.
This option should only be used for development or CI pipelines.
{{- end }}
{{- if not (and $.Values.addons.anchore.database.host $.Values.addons.anchore.database.port $.Values.addons.anchore.database.username $.Values.addons.anchore.database.password $.Values.addons.anchore.database.feeds_database) }}
PLATFORM ONE ANCHORE WARNING:
You have enabled an internal postgres database (feeds-db) in the values configuration.
Platform One does not support this option for production deployments.
This option should only be used for development or CI pipelines.
{{- end }}
{{- end }}
{{- if and ($.Values.addons.anchore.enterprise.enabled) (not $.Values.addons.anchore.enterprise.licenseYaml) }}
PLATFORM ONE ANCHORE WARNING:
You have enabled an enterprise Anchore in the values configuration, but not provided a license.
Your deployment will fail without a license, please review your configuration and supply a license
or disable the enterprise features.
{{- end }}
{{- if and ($.Values.addons.anchore.sso.enabled) (not $.Values.addons.anchore.enterprise.enabled) }}
PLATFORM ONE ANCHORE WARNING:
You have enabled SSO in the values configuration, but not enabled enterprise Anchore.
Your SSO configuration will be ignored, the Anchore UI is only available for enterprise deployments.
{{- end }}
{{- end }}
{{- if and $.Values.eckOperator.enabled $.Values.elasticsearchKibana.enabled }}
{{- if $.Values.elasticsearchKibana.sso.enabled }}
{{- if and (not $.Values.elasticsearchKibana.license.trial) (not $.Values.elasticsearchKibana.license.keyJSON) }}
PLATFORM ONE LOGGING WARNING:
You have enabled SSO but not provided an enterprise license configuration to use. SSO is not functional without a license.
Edit the values for the eck-operator to specify a license key JSON or use the trial license for development.
{{- end }}
{{- end }}
{{- end }}
{{- if and .Values.promtail.enabled .Values.fluentbit.enabled }}
You have enabled both Promtail and Fluentbit (log forwarders). This is not a supported configuration and you may see conflicts as a result of both applications attempting to ship logs.
{{- end }}
{{- if and .Values.loki.enabled .Values.elasticsearchKibana.enabled }}
PLATFORM ONE LOGGING WARNING:
You have enabled both Loki and Elastic (log storage). This is not a supported configuration and you may see issues as a result of running both applications.
If using Elastic for other functionality, deploying both applications is acceptable.
{{- if and $.Values.loki.enabled (dig "values" "global" "createGlobalConfig" false $.Values.loki) }}
PLATFORM ONE LOKI WARNING:
You still have Loki global values set but this version of Loki has changed significantly, please review the latest production document within the Loki package repo: https://repo1.dso.mil/big-bang/product/packages/loki/-/blob/main/docs/production.md
{{- end }}
{{- if and $.Values.loki.enabled (dig "values" "gel" "enabled" false $.Values.loki) }}
PLATFORM ONE LOKI WARNING:
You still have Loki gel values set but this version of Loki has changed significantly, please review the latest grafana enterprise document within the Loki package repo: https://repo1.dso.mil/big-bang/product/packages/loki/-/blob/main/docs/grafana-enterprise.md
{{- end }}
{{- if and $.Values.jaeger.enabled .Values.tempo.enabled }}
PLATFORM ONE TRACING WARNING:
You have enabled both Jaeger and Tempo Tracing Engines. This is permitted during beta testing of Tempo.
After the beta period, only one Tracing engine will be supported at one time, with Tempo becoming the default supported engine over a direct Jaeger installation. Grafana has a built-in Tempo data source that can be used to query Tempo and visualize traces.
{{- end }}
{{- if $.Values.addons.mattermost.enabled }}
Mattermost is enabled.
{{- with .Values.addons.mattermost.database }}
{{- if not (and .username .password .host .port .database .ssl_mode) }}
PLATFORM ONE MATTERMOST WARNING:
You have enabled an internal postgres database in the values configuration.
Platform One does not support this option for production deployments.
This option should only be used for development or CI pipelines.
{{- end }}
{{- end }}
{{- with .Values.addons.mattermost.objectStorage }}
{{- if not (and .endpoint .accessKey .accessSecret .bucket) }}
PLATFORM ONE MATTERMOST WARNING:
You have enabled an internal Minio instance in the values configuration.
Platform One does not support this option for production deployments.
This option should only be used for development or CI pipelines.
{{- end }}
{{- end }}
{{- if and (.Values.addons.mattermost.enterprise.enabled) (not .Values.addons.mattermost.enterprise.license) }}
PLATFORM ONE MATTERMOST WARNING:
You have enabled enterprise Mattermost in the values configuration, but not provided a license.
Make sure to go back and edit your values or ensure you add the license through the mattermost settings page.
{{- end }}
{{- end }}
{{- if .Values.hostname }}
DEPRECATION NOTICE:
The top level yaml key "hostname" has been deprecated and replaced with "domain".
Please update your values override to use the "domain" key.
{{- end }}
{{- if .Values.addons.nexus }}
DEPRECATION NOTICE:
.Values.addons.nexus has been deprecated and will be removed in a future Big Bang release.
Please reconfigure your values overrides to use .Values.addons.nexusRepositoryManager
{{- $nexusOldValues := default dict .Values.addons.nexus -}}
{{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
{{- with .Values }}
{{- if and .sso.url (coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName .elasticsearchKibana.sso.issuer .elasticsearchKibana.sso.auth_url .elasticsearchKibana.sso.token_url .elasticsearchKibana.sso.userinfo_url .elasticsearchKibana.sso.jwkset_url .elasticsearchKibana.sso.claims_principal .elasticsearchKibana.sso.endsession_url .elasticsearchKibana.sso.claims_group .elasticsearchKibana.sso.claims_mail .grafana.sso.grafana.auth_url .grafana.sso.grafana.token_url .grafana.sso.grafana.api_url .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate) }}
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
DEPRECATION NOTICE:
The following SSO keys have been deprecated. Deprecated keys will continue to work, but will be removed in a future release. Please update your overrides.
{{- if coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName }}
sso:
{{- if coalesce .sso.oidc.host .sso.oidc.realm }}
oidc:
{{- if .sso.oidc.host }}
# "host" removed. It is now implicitly defined in "sso.url".
host: {{ .sso.oidc.host }}
{{- end }}
{{- if .sso.oidc.realm }}
# "realm" removed. It is now implicitly defined in "sso.url".
realm: {{ .sso.oidc.realm }}
{{- end }}
{{- end }}
{{- if .sso.certificate_authority }}
# "certificate_authority" was moved to "sso.certificateAuthority.cert".
certificate_authority: {{ .sso.certificate_authority | trunc 27 }}
{{- end }}
{{- if .sso.jwks }}
# "jwks" was moved to "sso.oidc.jwks". If possible, switch to using "sso.oidc.jwksUri" to dynamically retrieve metadata instead
jwks: {{ .sso.jwks }}
{{- end }}
{{- if .sso.jwks_uri }}
# "jwks_uri" was moved to "sso.oidc.jwksUri"
jwks_uri: {{ .sso.jwks_uri }}
{{- end }}
{{- if .sso.client_id }}
# "client_id" was moved to "addons.authservice.sso.client_id"
client_id: {{ .sso.client_id }}
{{- end }}
{{- if .sso.client_secret }}
# "client_secret" was moved to "addons.authservice.sso.client_secret"
client_secret: {{ .sso.client_secret }}
{{- end }}
{{- if .sso.token_url }}
# "token_url" was moved to "sso.oidc.token"
token_url: {{ .sso.token_url }}
{{- end }}
{{- if .sso.auth_url }}
# "auth_url" was moved to "sso.oidc.authorization"
auth_url: {{ .sso.auth_url }}
{{- end }}
{{- if .sso.secretName }}
# "secretName" was moved to "sso.certificateAuthority.secretName"
secretName: {{ .sso.secretName }}
{{- end }}
{{- end }}
{{- if coalesce .elasticsearchKibana.sso.issuer .elasticsearchKibana.sso.auth_url .elasticsearchKibana.sso.token_url .elasticsearchKibana.sso.userinfo_url .elasticsearchKibana.sso.jwkset_url .elasticsearchKibana.sso.claims_principal .elasticsearchKibana.sso.endsession_url .elasticsearchKibana.sso.claims_group .elasticsearchKibana.sso.claims_mail }}
elasticsearchKibana:
# "auth_url" was moved to "sso.oidc.authorization"
# "token_url" was moved to "sso.oidc.token"
# "userinfo_url" was moved to "sso.oidc.userinfo"
# "jwkset_url" was moved to "sso.oidc.jwksUrl"
# "claims_principal" was moved to "sso.oidc.claims.username"
claims_principal: {{ .elasticsearchKibana.sso.claims_principal }}
# "endsession_url" was moved to "sso.oidc.endsession"
# "claims_group" was moved to "sso.oidc.claims.groups"
# "claims_mail" was moved to "sso.oidc.claims.email"
{{- if coalesce .grafana.sso.grafana.auth_url .grafana.sso.grafana.token_url .grafana.sso.grafana.api_url }}
grafana:
{{- if .grafana.sso.grafana.auth_url }}
# "auth_url" moved to "sso.oidc.authorization"
auth_url: {{ .grafana.sso.grafana.auth_url }}
{{- if .grafana.sso.grafana.token_url }}
# "token_url" moved to "sso.oidc.token"
token_url: {{ .grafana.sso.grafana.token_url }}
{{- if .grafana.sso.grafana.api_url }}
# "api_url" moved to "sso.oidc.userinfo"
api_url: {{ .grafana.sso.grafana.api_url }}
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
{{- end }}
{{- end }}
{{- if coalesce .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert }}
twistlock:
sso:
{{- if .twistlock.sso.provider_name }}
# "provider_name" moved to "sso.name"
provider_name: {{ .twistlock.sso.provider_name }}
{{- end }}
{{- if .twistlock.sso.issuer_uri }}
# "issuer_uri" moved to "sso.url"
issuer_uri: {{ .twistlock.sso.issuer_uri }}
{{- end }}
{{- if .twistlock.sso.idp_url }}
# "idp_url" moved to "sso.saml.service"
idp_url: {{ .twistlock.sso.idp_url }}
{{- end }}
{{- if .twistlock.sso.console_url }}
# "console_url" deprecated. It will be created from "twistlock.values.istio.console.hosts" or "twistlock.<domain>"
console_url: {{ .twistlock.sso.console_url }}
{{- end }}
{{- if .twistlock.sso.cert }}
# "cert" is derived from "sso.saml.metadata"
cert: {{ .twistlock.sso.cert | trunc 27 }}
{{- end }}
{{- end }}
{{- if coalesce .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }}
addons:
{{- if .addons.argocd.sso.provider_name }}
argocd:
sso:
# "provider_name" moved to "sso.name"
provider_name: {{ .addons.argocd.sso.provider_name }}
{{- end }}
{{- if coalesce .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field -}}
gitlab:
sso:
{{- if .addons.gitlab.sso.label }}
# "label" moved to "sso.name"
label: {{ .addons.gitlab.sso.label }}
{{- end }}
{{- if .addons.gitlab.sso.issuer_uri }}
# "issuer_uri" moved to "sso.url"
issuer_uri: {{ .addons.gitlab.sso.issuer_uri }}
{{- end }}
{{- if .addons.gitlab.sso.end_session_uri }}
# "end_session_uri" moved to "sso.oidc.endSession"
end_session_uri: {{ .addons.gitlab.sso.end_session_uri }}
{{- end }}
{{- if .addons.gitlab.sso.uid_field }}
# "uid_field" moved to "sso.oidc.claims.username"
uid_field: {{ .addons.gitlab.sso.uid_field }}
{{- end }}
{{- end }}
{{- if coalesce .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint }}
mattermost:
sso:
{{- if .addons.mattermost.sso.auth_endpoint }}
# "auth_endpoint" moved to "sso.oidc.authorization"
auth_endpoint: {{ .addons.mattermost.sso.auth_endpoint }}
{{- end }}
{{- if .addons.mattermost.sso.token_endpoint }}
# "token_endpoint" moved "sso.oidc.token"
token_endpoint: {{ .addons.mattermost.sso.token_endpoint }}
{{- end }}
{{- if .addons.mattermost.sso.user_api_endpoint }}
# "user_api_endpoint" moved to "sso.oidc.userinfo"
user_api_endpoint: {{ .addons.mattermost.sso.user_api_endpoint }}
{{- end }}
{{- end }}
{{- if coalesce $nexusValues.sso.idp_data.idpMetadata }}
nexus:
sso:
{{- if $nexusValues.sso.idp_data.idpMetadata }}
# idpMetadata moved to "sso.saml.metadata"
idpMetadata: {{ $nexusValues.sso.idp_data.idpMetadata | trunc 27 }}
{{- end }}
{{- end }}
{{- if coalesce .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate }}
sonarqube:
sso:
{{- if .addons.sonarqube.sso.provider_name }}
# "provider_name" moved to "sso.name"
provider_name: {{ .addons.sonarqube.sso.provider_name }}
{{- end }}
{{- if .addons.sonarqube.sso.certificate }}
# "certificate" derived from "sso.saml.metadata"
certificate: {{ .addons.sonarqube.sso.certificate | trunc 27 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.addons.mattermostoperator }}
DEPRECATION NOTICE:
.Values.addons.mattermostoperator has been deprecated and will be removed in a future Big Bang release.
Please reconfigure your values overrides to use .Values.addons.mattermostOperator
{{- if and $.Values.addons.thanos.enabled (not (dig "values" "prometheus" "prometheusSpec" "replicas" "" $.Values.monitoring)) }}
PLATFORM ONE THANOS WARNING:
You have enabled Thanos with the default Prometheus replicas set to 1. For production deployments,
you can increase the number of replicas by adding:
monitoring:
values:
prometheus:
prometheusSpec:
{{- if (eq .Values.loki.strategy "distributed") }}
PLATFORM ONE LOKI WARNING:
BigBang does not support the Loki Distributed deployment mode. For production deployments,
please set your strategy to "scalable" or "monolithic"