test-values.yaml

domain: bigbang.dev

sso:
  url: https://keycloak.bigbang.dev/auth/realms/baby-yoda

  # LetsEncrypt certificate authority
  certificateAuthority:
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
      TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
      cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
      WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
      ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
      MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
      h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
      0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
      A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
      T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
      B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
      B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
      KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
      OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
      jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
      qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
      rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
      HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
      hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
      ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
      3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
      NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
      ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
      TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
      jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
      oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
      4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
      mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
      emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
      -----END CERTIFICATE-----
  saml:
    # Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
    metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.bigbang.dev/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICoTCCAYkCBgF/iYn0azANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjIwMzE0MTc0NDUzWhcNMzIwMzE0MTc0NjMzWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoCX4G1TCnZlWXvCLH/z6m5y/6NMrUv1AYVVbTaQ9iUWLR+uD44v1exIHUywkgQV+cMhn+my+9ZihmRWfOJuBWV8CM5BfIh685YulKVQrcGlYWcB877SjJBZKxyXITz7GnNOJ8vvlK9tK8OncldUFrhR2BXaqw2zvG733CKlDtyujaWmd7kQge/p4okx4bV4VBLYMmsjrJ004uvMcU4DekCFlGmEh3p3FhZorMf+1xHfi5DaCD4iCYZqRgsWEb8/Zmsx0+qi56P9YWhz1j2GUfHw0At8Dq5h7hoMJtYJMvVXWxkmPNVHtaJMOHt8iiBO7/a6SkI6ddf9Jotp2i6XEvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJwSLJ0eybbeBYPvXnawqpy6JSXJ/MnnRvSGN9tXJ2+d/QXMOEPwJaAaOrvFtpUQxyPELJ8nU/Ukf7AL2zWltsCLiwtTrJkC+BpbZYkb1UsByveBS5wTPfiNkFzHeGg+MxBjiju2y04P4kEngXhQh4ZIUdi+WJjew721nJa/tjrMfnuEsMjxY/tWnzkk8xkGgaApZpGyaj1tOmVH4GR6CeBU6459m/GXmGH5TCGwT3EyfpZ189te+xV73WZR/r2nDlGuuy//w/P4JGHh4lcCwLfPcOOH30otcPAgctyX9Takk4MkVjva+b9S88sGaWPg075bxA2sysmkuqEOULjdXjU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>

flux:
  timeout: 20m
  interval: 1m
  rollback:
    timeout: 20m
    cleanupOnFail: false

networkPolicies:
  enabled: true
  #controlPlaneCidr: 172.16.0.0/12

istio:
  enabled: true
  ingressGateways:
    passthrough-ingressgateway:
      type: "LoadBalancer"
  gateways:
    passthrough:
      ingressGateway: "passthrough-ingressgateway"
      hosts:
      - "*.{{ .Values.domain }}"
      tls:
        mode: "PASSTHROUGH"
    public:
      tls:
        key: "" # Gets added via chart/ingress-certs.yaml
        cert: "" # Gets added via chart/ingress-certs.yaml
  values:
    kiali:
      dashboard:
        auth:
          strategy: "anonymous"

jaeger:
  enabled: false
  sso:
    enabled: false
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
  values:
    istio:
      jaeger:
        enabled: true
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_url: "https://tracing.bigbang.dev"
          # uncomment following variables for sso keycloak testing in bb
          # cypress_tnr_username: "cypress"
          # cypress_tnr_password: "tnr_w!G33ZyAt@C8"
          # cypress_keycloak_test_enable: "true"

kiali:
  enabled: true
  sso:
    enabled: false
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kiali
  values:
    cr:
      spec:
        auth:
          # if enabling the keycloak SSO integration test, set strategy to "openid"
          #strategy: "openid"
          strategy: "anonymous"
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_url: 'https://kiali.bigbang.dev'
          cypress_check_data: 'true'
          # uncomment these next 3 lines if enabling the keycloak SSO integration test
          #cypress_keycloak_test_enable: "true"
          #cypress_keycloak_username: "cypress"
          #cypress_keycloak_password: "tnr_w!G33ZyAt@C8"
        resources:
          requests:
            cpu: 2
            memory: 2Gi


clusterAuditor:
  enabled: false
  values:
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits: {}
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_url: 'https://grafana.bigbang.dev/d/YBgRZG6Mz/opa-violations?orgId=1'

gatekeeper:
  enabled: false
  values:
    replicas: 1
    controllerManager:
      resources:
        limits: {}
        requests:
          cpu: 100m
          memory: 256Mi

    violations:
      allowedCapabilities:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to not drop capabilities
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      allowedDockerRegistries:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to pull from public repos
          - istio-system/lb-port-.*
          # Allow argocd to deploy a test app in its cypress test
          - argocd/guestbook-ui
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      allowedHostFilesystem:
        parameters:
          excludedResources:
          - argocd/argocd-cypress-test
          - cluster-auditor/cluster-auditor-cypress-test
          - fortify/fortify-cypress-test
          - fortify/fortify-ssc-cypress-test
          - gitlab/gitlab-cypress-test
          - gitlab/gitlab-runner-cypress-test
          - gitlab-runner/gitlab-runner-cypress-test
          - harbor/harbor-cypress-test
          - jaeger/jaeger-cypress-test
          - keycloak/keycloak-cypress-test
          - kiali/kiali-cypress-test
          - kyverno-reporter/kyverno-reporter-cypress-test
          - logging/elasticsearch-kibana-cypress-test
          - logging/loki-cypress-test
          - mattermost/mattermost-cypress-test
          - minio/minio-instance-cypress-test
          - monitoring/grafana-cypress-test
          - monitoring/monitoring-cypress-test
          - neuvector/neuvector-cypress-test
          - nexus-repository-manager/nexus-repository-manager-cypress-test
          - sonarqube/sonarqube-cypress-test
          - tempo/tempo-cypress-test
          - thanos/thanos-cypress-test
          - twistlock/twistlock-cypress-test
          - vault/vault-cypress-test
          # Allow kyverno test vectors for Helm test
          - default/restrict-host-path-mount-.?
          - default/restrict-host-path-write-.?
          - default/restrict-volume-types-.?
      allowedIPs:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/restrict-external-ips-.?
      allowedSecCompProfiles:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have an undefined defined seccomp
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      allowedUsers:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to run as any user/group
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      bannedImageTags:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
          - default/not-me
      containerRatio:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have undefined limits/requests
          - istio-system/lb-port-.*
      hostNetworking:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to mount host ports
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/disallow-host-namespaces-.?
          - default/c.?
          - default/i.?
      noBigContainers:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have undefined limits/requests
          - istio-system/lb-port-.*
      noHostNamespace:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/disallow-host-namespaces-.?
      noPrivilegedContainers:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      noPrivilegedEscalation:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have undefined security context
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      noSysctls:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/restrict-sysctls-.?
      readOnlyRoot:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to mount filesystems read/write
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      requiredLabels:
        parameters:
          excludedResources:
          # Allows k3d load balancer pods to not have required labels
          - istio-system/svclb-.*
          # Allow kyverno test vectors for Helm test
          - default/require-labels-.?
      requiredProbes:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to not have readiness/liveness probes
          - istio-system/lb-port-.*
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
      restrictedTaint:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/disallow-tolerations-.?
      selinuxPolicy:
        parameters:
          excludedResources:
          # Allow kyverno test vectors for Helm test
          - default/c.?
          - default/i.?
          - default/disallow-selinux-options-.?
          - default/restrict-selinux-type-.?
          - default/not-me
      volumeTypes:
        parameters:
          excludedResources:
          - argocd/argocd-cypress-test
          - cluster-auditor/cluster-auditor-cypress-test
          - fortify/fortify-ssc-cypress-test
          - gitlab/gitlab-cypress-test
          - gitlab/gitlab-runner-cypress-test
          - gitlab-runner/gitlab-runner-cypress-test
          - harbor/harbor-cypress-test
          - jaeger/jaeger-cypress-test
          - keycloak/keycloak-cypress-test
          - kiali/kiali-cypress-test
          - kyverno-reporter/kyverno-reporter-cypress-test
          - logging/elasticsearch-kibana-cypress-test
          - logging/loki-cypress-test
          - mattermost/mattermost-cypress-test
          - minio/minio-instance-cypress-test
          - monitoring/grafana-cypress-test
          - monitoring/monitoring-cypress-test
          - neuvector/neuvector-cypress-test
          - nexus-repository-manager/nexus-repository-manager-cypress-test
          - sonarqube/sonarqube-cypress-test
          - tempo/tempo-cypress-test
          - thanos/thanos-cypress-test
          - twistlock/twistlock-cypress-test
          - vault/vault-cypress-test
          # Allow kyverno test vectors for Helm test
          - default/restrict-host-path-mount-.?
          - default/restrict-host-path-write-.?
          - default/restrict-volume-types-.?
    bbtests:
      enabled: true

kyverno:
  values:
    networkPolicies:
      externalRegistries:
        allowEgress: true
    admissionController:
      container:
        extraArgs:
          webhookTimeout: 30
        resources:
          limits:
            cpu: 1
            memory: 768Mi
          requests:
            cpu: 1
            memory: 768Mi
    bbtests:
      enabled: true

kyvernoReporter:
  values:
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_grafana_url: https://grafana.bigbang.dev
          cypress_prometheus_url: https://prometheus.bigbang.dev
          cypress_check_datasource: 'true'

kyvernoPolicies:
  values:
    bbtests:
      enabled: true
    excludeContainers:
    - not-me
    - or-me
    exclude:
      any:
      # Allows k3d load balancer to bypass policies.
      - resources:
          namespaces:
          - istio-system
          names:
          - svclb-*
      # Exclude gatekeeper test resources so Helm tests will work
      - resources:
          namespaces:
          - default
          names:
          - bad-test*
          - good-test*
    # Parameters are copied from kyverno policies for test vectors
    # Exclusions are for allowing other helm tests to function
    policies:
      clone-configs:
        parameters:
          clone:
          - name: clone-configs-1
            kind: ConfigMap
            namespace: "{{ .Release.Namespace }}"
          - name: clone-configs-2
            kind: Secret
            namespace: "{{ .Release.Namespace }}"
      disallow-annotations:
        parameters:
          disallow:
          - 'kyverno-policies-bbtest/test: disallowed'
          - kyverno-policies-bbtest/disallowed
      disallow-labels:
        parameters:
          disallow:
          - 'kyverno-policies-bbtest/test: disallowed'
          - kyverno-policies-bbtest/disallowed
      disallow-tolerations:
        parameters:
          disallow:
          - effect: NoSchedule
            key: notallowed
            value: 'false'
          - effect: '*NoSchedule'
            key: disa??owed
            value: 'true'
      require-annotations:
        parameters:
          require:
          - 'kyverno-policies-bbtest/test: required'
          - kyverno-policies-bbtest/required
      require-image-signature:
        enabled: true
        validationFailureAction: enforce
        parameters:
          require:
          - imageReferences:
            - "ghcr.io/kyverno/test-verify-image:*"
            attestors:
            - count: 1
              entries:
              - keys:
                  publicKeys: |-
                    -----BEGIN PUBLIC KEY-----
                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
                    5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
                    -----END PUBLIC KEY-----
                  # Skip Rekor Transparency log check
                  rekor:
                    ignoreTlog: true
                    url: ""
            mutateDigest: false
            verifyDigest: false 
          - imageReferences:
            - "registry1.dso.mil/ironbank/*"
            attestors:
            - count: 1
              entries:
              - keys:
                  publicKeys: |-
                    -----BEGIN PUBLIC KEY-----
                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
                    UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
                    -----END PUBLIC KEY-----
                  # Skip Rekor Transparency log check
                  rekor:
                    ignoreTlog: true
                    url: ""
            # Ironbank images are rebuilt nightly and tags are not immutable
            mutateDigest: false
            verifyDigest: false
      require-labels:
        parameters:
          require:
          - 'kyverno-policies-bbtest/test: required'
          - kyverno-policies-bbtest/required
      restrict-external-ips:
        parameters:
          allow:
          - 192.168.0.1
      restrict-external-names:
        enabled: true
        parameters:
          allow:
          - allowed
      restrict-host-path-mount:
        exclude:
          any:
          - resources:
              namespaces:
              - gitlab
              - gitlab-runner
              - kiali
              - cluster-auditor
              - mattermost
              - nexus-repository-manager
              - keycloak
              - jaeger
              - kyverno-reporter
              - monitoring
              - vault
              - logging
              - twistlock
              - sonarqube
              - logging
              - tempo
              - argocd
              - minio
              - neuvector
              - harbor
              - fortify
              - thanos
              names:
              - "*-cypress-test*"
        parameters:
          allow:
          - /tmp/allowed
      restrict-host-path-mount-pv:
        parameters:
          allow:
          - /tmp/allowed
          - /var/lib/rancher/k3s/storage/pvc-*
      restrict-host-path-write:
        exclude:
          any:
          - resources:
              namespaces:
              - gitlab
              - gitlab-runner
              - kiali
              - cluster-auditor
              - mattermost
              - nexus-repository-manager
              - keycloak
              - kyverno-reporter
              - jaeger
              - monitoring
              - vault
              - logging
              - twistlock
              - sonarqube
              - logging
              - tempo
              - argocd
              - minio
              - neuvector
              - harbor
              - fortify
              - thanos
              names:
              - "*-cypress-test*"
          - resources:
              namespaces:
              - neuvector
              names:
              - "neuvector-enforcer-*"
              - "neuvector-manager-*"
        parameters:
          allow:
          - /tmp/allowed
      restrict-host-ports:
        parameters:
          allow:
          - '63999'
          - '>= 64000 & < 65000'
          - '> 65000'
      restrict-image-registries:
        exclude:
          any:
          # ArgoCD deploys a test app as part of its Cypress test
          - resources:
              namespaces:
              - argocd
              names:
              - guestbook-ui-*
      restrict-volume-types:
        exclude:
          any:
          - resources:
              namespaces:
              - gitlab
              - gitlab-runner
              - kiali
              - cluster-auditor
              - mattermost
              - nexus-repository-manager
              - keycloak
              - kyverno-reporter
              - jaeger
              - monitoring
              - vault
              - logging
              - twistlock
              - sonarqube
              - logging
              - tempo
              - argocd
              - minio
              - neuvector
              - harbor
              - fortify
              - thanos
              names:
              - "*-cypress-test*"
      update-image-pull-policy:
        parameters:
          update:
          - to: Always
      update-image-registry:
        parameters:
          update:
          - from: replace.image.registry
            to: registry1.dso.mil
      require-drop-all-capabilities:
        exclude:
          any:
          # Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
          # is only recommended for Dev/CI environments.
          - resources:
              namespaces:
              - gitlab
              names:
              - gitlab-minio-*
      require-non-root-group:
        exclude:
          any:
          # Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
          # is only recommended for Dev/CI environments.
          - resources:
              namespaces:
              - gitlab
              - fortify
              names:
              - gitlab-minio-*
              - fortify-mysql-* # mysql breaks if you give it a different group
      require-non-root-user:
        exclude:
          any:
          # Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
          # is only recommended for Dev/CI environments.
          - resources:
              namespaces:
              - gitlab
              names:
              - gitlab-minio-*
          - resources:
              namespaces:
              - metallb-system
              names:
              - speaker-*
          - resources:
              namespaces:
              - argocd
              names:
              - guestbook*    
          - resources:
              namespaces:
              - velero
              names:
              - velero-backup-restore-test*  
      disallow-namespaces:
        parameters:
          disallow:
          - bigbang

elasticsearchKibana:
  enabled: false
  sso:
    enabled: false
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kibana
  license:
    trial: false
  values:
    elasticsearch:
      master:
        count: 1
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: .5
          limits: {}
        heap:
          min: 1g
          max: 1g
      data:
        count: 2
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: .5
          limits: {}
        heap:
          min: 1g
          max: 1g
    kibana:
      count: 1
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_expect_logs: "true"
          cypress_kibana_url: "https://kibana.bigbang.dev"

fluentbit:
  enabled: false
  values:
    securityContext:
      privileged: true
    bbtests:
      enabled: true

loki:
  strategy: scalable
  values:
    minio:
      enabled: true
    write:
      replicas: 3
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 1
          memory: 1G
        requests:
          cpu: 1
          memory: 1G
    backend:
      replicas: 3
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 500m
          memory: 1G
        requests:
          cpu: 500m
          memory: 1G
    read:
      replicas: 3
      persistence:
        size: 2Gi
      resources:
        limits:
          cpu: 400m
          memory: 500Mi
        requests:
          cpu: 400m
          memory: 500Mi
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_check_datasource: 'true'
          cypress_grafana_url: 'https://grafana.bigbang.dev'
      scripts:
        envs:
          LOKI_URL: 'http://logging-loki-write.logging.svc:3100'

tempo:
  sso:
    enabled: false
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_tempo
  values:
    istio:
      tempoQuery:
        hosts:
          - "tempo.{{ .Values.domain }}"
    tempo:
      resources:
        limits: null
        requests:
          cpu: 200m
          memory: 128Mi
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: 'https://tempo.bigbang.dev'
          cypress_tempo_datasource: 'http://tempo-tempo.tempo.svc:3100'
          cypress_check_datasource: 'true'
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          # uncomment following variables for sso keycloak testing in bb
          #cypress_tnr_username: "cypress"
          #cypress_tnr_password: "tnr_w!G33ZyAt@C8"
          #cypress_keycloak_test_enable: "true"
      scripts:
        enabled: false
        envs:
          TEMPO_METRICS_URL: 'http://tempo-tempo.tempo.svc:3100'

    persistence:
      enabled: true
      # storageClassName: local-path
      accessModes:
        - ReadWriteOnce
      size: 5Gi

    tempoQuery:
      resources:
        limits: null
        requests:
          cpu: 200m
          memory: 128Mi

promtail:
  enabled: true

monitoring:
  enabled: true
  flux:
    timeout: 20m
    install:
      disableOpenAPIValidation: true
      crds: CreateReplace
    upgrade:
      disableOpenAPIValidation: true
      crds: CreateReplace
  sso:
    enabled: false
    prometheus:
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_prometheus
    alertmanager:
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_alertmanager
  values:
    prometheus:
      prometheusSpec:
        replicas: 1
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}

    kube-state-metrics:
      resources:
        requests:
          cpu: 10m
          memory: 32Mi
        limits: {}
    prometheus-node-exporter:
      resources:
        requests:
          cpu: 100m
          memory: 30Mi
        limits: {}
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_alertmanager_url: 'https://alertmanager.bigbang.dev'
          cypress_check_istio_dashboards: 'true'
          cypress_keycloak_test_enable: 'false'
          cypress_tnr_username: "cypress"
          cypress_tnr_password: "tnr_w!G33ZyAt@C8"

grafana:
  enabled: true
  sso:
    enabled: false
    grafana:
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_grafana
      scopes: "openid Grafana"
  values:
    dashboards:
      default:
        k8s-deployment:
          gnetId: 741
          revision: 1
          datasource: Prometheus
    downloadDashboards:
      resources:
        limits:
          cpu: 20m
          memory: 20Mi
        requests:
          cpu: 20m
          memory: 20Mi
    dashboardProviders:
      dashboardproviders.yaml:
        apiVersion: 1
        providers:
        - name: 'default'
          orgId: 1
          folder: ''
          type: file
          disableDeletion: false
          editable: true
          options:
            path: /var/lib/grafana/dashboards
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_grafana_url: 'https://grafana.bigbang.dev'

neuvector:
  values:
    k3s:
      enabled: true
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: https://neuvector.bigbang.dev

twistlock:
  enabled: false
  sso:
    enabled: false
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock-saml
  values:
    console:
      persistence:
        size: 256Mi
      localVolumeUpgrade: true
    bbtests:
      enabled: true
      scripts:
        envs:
          twistlock_host: "https://twistlock.bigbang.dev"

# Addons are toggled based on labels in CI
addons:
  argocd:
    enabled: false
    sso:
      enabled: false
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
      client_secret: anything-for-dev
      groups: |
        g, Impact Level 2 Authorized, role:admin
    values:
      sso:
        rbac:
          policy.default: role:admin
      controller:
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits: {}
      dex:
        resources:
          requests:
            cpu: 10m
            memory: 128Mi
          limits: {}
      redis-bb:
        master:
          persistence:
            size: 512Mi
        replica:
          replicaCount: 0
          autoscaling:
            enabled: false
          persistence:
            size: 512Mi
      redis:
        resources:
          requests:
            cpu: 50m
            memory: 256Mi
          limits: {}
      server:
        autoscaling:
          enabled: false
        resources:
          requests:
            cpu: 20m
            memory: 128Mi
          limits: {}
      repoServer:
        autoscaling:
          enabled: false
        resources:
          requests:
            cpu: 50m
            memory: 128Mi
          limits: {}
      configs:
        secret:
          argocdServerAdminPassword: '$2a$10$rUDZDckdDZ2TEwk9PDs3QuqjkL58qR1IHE1Kj4MwDx.7/m5dytZJm'
      bbtests:
        enabled: true
        cypress:
          envs:
            cypress_url: "https://argocd.bigbang.dev"
          resources:
            requests:
              cpu: 2
              memory: 2Gi
        istio: