values.yaml

hostname: bigbang.dev

flux:
  interval: 1m
  rollback:
    cleanupOnFail: false

networkPolicies:
  controlPlaneCidr: 172.16.0.0/12

logging:
  enabled: true
  values:
    elasticsearch:
      master:
        count: 1
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: .5
          limits: {}
        heap:
          min: 1g
          max: 1g
      data:
        count: 2
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: .5
          limits: {}
        heap:
          min: 1g
          max: 1g
    kibana:
      count: 1
    bbtests:
      # TODO: Connection refused on the script test currently
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/issues/39
      enabled: false
      cypress:
        artifacts: true
        envs:
          cypress_kibana_url: "https://kibana.bigbang.dev"
        secretEnvs:
          - name: cypress_elastic_password
            valueFrom:
              secretKeyRef:
                name: "logging-ek-es-elastic-user"
                key: elastic
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          elasticsearch_host: "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc.cluster.local:9200"
          desired_version: "{{ .Values.elasticsearch.version }}"
        secretEnvs:
          - name: ELASTIC_PASSWORD
            valueFrom:
              secretKeyRef:
                name: "logging-ek-es-elastic-user"
                key: elastic

fluentbit:
  values:
    securityContext:
      privileged: true
    bbtests:
      # TODO: Connection refused on the test currently
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit/-/issues/18
      scripts:
        # Image commented out to disable the test since the BB Test Lib version being used doesn't have the enabled flag
        # image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          fluent_host: "http://{{ include \"fluent-bit.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}"
          desired_version: "{{ .Values.image.tag }}"

istio:
  enabled: true
  values:
    kiali:
      dashboard:
        auth:
          strategy: "anonymous"

jaeger:
  enabled: true
  values:
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: "https://tracing.bigbang.dev"

kiali:
  enabled: true
  values:
    cr:
      spec:
        auth:
          strategy: "anonymous"
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: 'https://kiali.bigbang.dev'

clusterAuditor:
  enabled: true
  values:
    resources:
      requests:
        cpu: 100m
        memory: .5Gi
      limits: {}

monitoring:
  enabled: true
  values:
    prometheus:
      prometheusSpec:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
    kube-state-metrics:
      resources:
        requests:
          cpu: 10m
          memory: 32Mi
        limits: {}
    prometheus-node-exporter:
      resources:
        requests:
          cpu: 100m
          memory: 30Mi
        limits: {}
    grafana:
      testFramework:
        enabled: false
      dashboards:
        default:
          k8s-deployment:
            gnetId: 741
            revision: 1
            datasource: Prometheus
      downloadDashboards:
        resources: 
          limits:
            cpu: 20m
            memory: 20Mi
          requests:
            cpu: 20m
            memory: 20Mi
      dashboardProviders:
        dashboardproviders.yaml:
          apiVersion: 1
          providers:
          - name: 'default'
            orgId: 1
            folder: ''
            type: file
            disableDeletion: false
            editable: true
            options:
              path: /var/lib/grafana/dashboards
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_alertmanager_url: 'https://alertmanager.bigbang.dev'

gatekeeper:
  enabled: true
  values:
    replicas: 1
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits: {}
    violations:
      allowedCapabilities:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to not drop capabilities
          - istio-system/lb-port-.*
      allowedDockerRegistries:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to pull from public repos
          - istio-system/lb-port-.*
      allowedSecCompProfiles:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have an undefined defined seccomp
          - istio-system/lb-port-.*
      allowedUsers:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to run as any user/group
          - istio-system/lb-port-.*
      containerRatio:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have undefined limits/requests
          - istio-system/lb-port-.*
      hostNetworking:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to mount host ports
          - istio-system/lb-port-.*
      noBigContainers:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have undefined limits/requests
          - istio-system/lb-port-.*
      noPrivilegedEscalation:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to have undefined security context
          - istio-system/lb-port-.*
      readOnlyRoot:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to mount filesystems read/write
          - istio-system/lb-port-.*
      requiredLabels:
        parameters:
          excludedResources:
          # Allows k3d load balancer pods to not have required labels
          - istio-system/svclb-.*
      requiredProbes:
        parameters:
          excludedResources:
          # Allows k3d load balancer containers to not have readiness/liveness probes
          - istio-system/lb-port-.*
    bbtests:
      # TODO: Test will need to be refactored at BB level to properly run since we can't turn everything to deny
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/issues/133
      enabled: false
      scripts:
        image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1
        additionalVolumeMounts:
          - name: "{{ .Chart.Name }}-test-config"
            mountPath: /yaml
          - name: "{{ .Chart.Name }}-kube-cache"
            mountPath: /.kube/cache
        additionalVolumes:
          - name: "{{ .Chart.Name }}-test-config"
            configMap:
              name: "{{ .Chart.Name }}-test-config"
          - name: "{{ .Chart.Name }}-kube-cache"
            emptyDir: {}

twistlock:
  enabled: true
  values:
    console:
      persistence:
        size: 256Mi
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_baseUrl: "https://twistlock.bigbang.dev"
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          twistlock_host: "https://twistlock.bigbang.dev"
          desired_version: "{{ .Values.console.image.tag }}"

# Addons are toggled based on labels in CI
addons:
  argocd:
    enabled: false
    values:
      controller:
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits: {}
      dex:
        resources:
          requests:
            cpu: 10m
            memory: 128Mi
          limits: {}
      redis-bb:
        master:
          persistence:
            size: 256Mi
        replica:
          persistence:
            size: 256Mi
      redis:
        resources:
          requests:
            cpu: 50m
            memory: 64Mi
          limits: {}
      server:
        resources:
          requests:
            cpu: 20m
            memory: 128Mi
          limits: {}
      repoServer:
        resources:
          requests:
            cpu: 50m
            memory: 128Mi
          limits: {}
      configs:
        secret:
          argocdServerAdminPassword: '$2a$10$rUDZDckdDZ2TEwk9PDs3QuqjkL58qR1IHE1Kj4MwDx.7/m5dytZJm'
      bbtests:
        # TODO: Disabled pending resolution of some "timing?" issues
        # https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd/-/issues/17
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://argocd.bigbang.dev"
            cypress_user: "admin"
            cypress_password: "Password123"

  authservice:
    enabled: false
    chains:
      minimal:
        callback_uri: "https://minimal.bigbang.dev"
    values:
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
        limits: {}
      redis:
        master:
          persistence:
            size: 256Mi
        replica:
          persistence:
            size: 256Mi

  gitlab:
    enabled: false
    sso:
      enabled: false
    flux:
      timeout: 20m
    values:
      global:
        rails:
          bootstrap:
            enabled: false
      gitlab-runner:
        resources:
          requests:
            cpu: 10m
          limits: {}
      gitlab:
        webservice:
          minReplicas: 1
          maxReplicas: 1
          helmTests:
            enabled: false
        sidekiq:
          minReplicas: 1
          maxReplicas: 1
        gitlab-shell:
          minReplicas: 1
          maxReplicas: 1
        gitaly:
          persistence:
            size: 256Mi
          resources:
            requests:
              cpu: 50m
            limits: {}
        shared-secrets:
          resources:
            requests:
              cpu: 10m
            limits: {}
        migrations:
          resources:
            requests:
              cpu: 10m
            limits: {}
        task-runner:
          persistence:
            size: 256Mi
          resources:
            requests:
              cpu: 10m
            limits: {}
      registry:
        hpa:
          minReplicas: 1
          maxReplicas: 1
      postgresql:
        persistence:
          size: 256Mi
        metrics:
          resources:
            requests:
              cpu: 10m
            limits: {}
      minio:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 50m
          limits: {}
      redis:
        master:
          persistence:
            size: 256Mi
        slave:
          persistence:
            size: 256Mi
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_baseUrl: https://gitlab.bigbang.dev
            cypress_gitlab_first_name: "test"
            cypress_gitlab_last_name: "user"
            cypress_gitlab_username: "testuser"
            cypress_gitlab_password: "12345678"
            cypress_gitlab_email: "testuser@example.com"
            cypress_gitlab_project: "my-awesome-project"
          secretEnvs:
            - name: cypress_adminpassword
              valueFrom:
                secretKeyRef:
                  name: gitlab-gitlab-initial-root-password
                  key: password
        scripts:
          image: "registry.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/bbtests:0.0.3"
          envs:
            GITLAB_USER: "testuser"
            GITLAB_PASS: "12345678"
            GITLAB_EMAIL: "testuser@example.com"
            GITLAB_PROJECT: "my-awesome-project"
            GITLAB_REPOSITORY: https://gitlab.bigbang.dev
            GITLAB_ORIGIN: https://testuser:12345678@gitlab.bigbang.dev
            GITLAB_REGISTRY: registry.bigbang.dev

  gitlabRunner:
    enabled: false
    values:
      resources:
        requests:
          memory: 64Mi
          cpu: 50m
        limits: {}
      runners:
        protected: false
      bbtests:
        # TODO: This test runs fine locally with the same values, but fails in CI
        enabled: false
        cypress:
          artifacts: true
          secretEnvs:
            - name: cypress_adminpassword
              valueFrom:
                secretKeyRef:
                  name: gitlab-gitlab-initial-root-password
                  key: password
          envs:
            cypress_baseUrl: "https://gitlab.bigbang.dev"
            cypress_gitlab_email: "gitlab@bigbang.dev"
            cypress_gitlab_user: "gitlab_user"
            cypress_gitlab_password: "gitlab_pass"
            cypress_gitlab_project: "hello-world"

  anchore:
    enabled: false
    values:
      ensureDbJobs:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      sso:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      postgresql:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
        metrics:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreAnalyzer:
        replicaCount: 1
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreApi:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreCatalog:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchorePolicyEngine:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreSimpleQueue:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEngineUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchore-feeds-db:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
        metrics:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreEnterpriseFeeds:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseFeedsUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseRbac:
        authResources:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
        managerResources:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreEnterpriseReports:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseNotifications:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEntperpiseUi:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseEngineUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      bbtests:
        enabled: true
        scripts:
          image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1
          envs:
            ANCHORE_CLI_URL: "https://anchore-api.bigbang.dev/v1"
            ANCHORE_CLI_USER: admin
          secretEnvs:
            - name: ANCHORE_CLI_PASS
              valueFrom:
                secretKeyRef:
                  name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass"
                  key: ANCHORE_ADMIN_PASSWORD

  sonarqube:
    enabled: false
    values:
      plugins:
        install: []
      resources:
        requests:
          cpu: 100m
          memory: 200Mi
        limits: {}
      persistence:
        enabled: false
        size: 5Gi
      postgresql:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      tests:
        enabled: false
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://sonarqube.bigbang.dev"
            cypress_url_setup: "https://sonarqube.bigbang.dev/setup"
            cypress_user: "admin"
            cypress_password: "new_admin_password"
      account:
        adminPassword: new_admin_password
        currentAdminPassword: admin
      curlContainerImage: registry1.dso.mil/ironbank/big-bang/base:8.4

  minioOperator:
    enabled: false

  minio:
    enabled: false
    values:
      tenants:
        pools:
        - servers: 1
          volumesPerServer: 4
          size: 256Mi
          resources:
            requests:
              cpu: 250m
              memory: 2Gi
            limits:
              cpu: 250m
              memory: 2Gi
          securityContext:
            runAsUser: 1001
            runAsGroup: 1001
            fsGroup: 1001

      bbtests:
        # TODO: Seems like a timing issue with BB CI
        # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/-/issues/7
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_url: 'http://minio.bigbang.dev/login'
          secretEnvs:
            - name: cypress_secretkey
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: secretkey
            - name: cypress_accesskey
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: accesskey
        scripts:
          image: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-09-02T09-21-27Z
          envs:
            MINIO_PORT: '80'
            MINIO_HOST: 'http://minio'
          secretEnvs:
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: secretkey
            - name: ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: accesskey

  mattermostoperator:
    enabled: false

  mattermost:
    enabled: false
    elasticsearch:
      enabled: true
    values:
      postgresql:
        persistence:
          size: 256Mi
      replicaCount: 1
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits: {}
      minio:
        tenants:
          pools:
          - servers: 1
            volumesPerServer: 4
            size: 256Mi
            resources:
              requests:
                cpu: 250m
                memory: 2Gi
              limits:
                cpu: 250m
                memory: 2Gi
            securityContext:
              runAsUser: 1001
              runAsGroup: 1001
              fsGroup: 1001
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: https://chat.bigbang.dev
            cypress_mm_email: "test@bigbang.dev"
            cypress_mm_user: "bigbang"
            cypress_mm_password: "Bigbang#123"

  nexus:
    enabled: false
    values:
      persistence:
        # Do NOT set this below 5Gi, nexus will fail to boot
        storageSize: 5Gi
      nexus:
      # https://help.sonatype.com/repomanager3/installation/system-requirements#SystemRequirements-JVMDirectMemory
        env:
          - name: install4jAddVmParams
            value: "-Xms500M -Xmx500M -XX:MaxDirectMemorySize=500M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
        resources:
          requests:
            cpu: 100m
            memory: 1500Mi
      bbtests:
        # TODO: Disabled pending resolution of "timing?" issues
        # https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus/-/issues/9
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_nexus_url: "https://nexus.bigbang.dev"
            cypress_nexus_user: "admin"
            cypress_nexus_pass_new: "new_admin_password"
          secretEnvs:
            - name: cypress_nexus_pass
              valueFrom:
                secretKeyRef:
                  name: nexus-repository-manager-secret
                  key: admin.password

  velero:
    enabled: false
    plugins:
    - aws
    values:
      serviceAccount:
        server:
          name: velero
      configuration:
        # minio uses s3 provider
        provider: aws
        backupStorageLocation:
          bucket: velero
          config: &minio-config
            region: velero
            insecureSkipTLSVerify: "true"
            s3ForcePathStyle: "true"
            s3Url: &minio-address https://minio.bigbang.dev
        volumeSnapshotLocation:
          provider: aws
          config:
            region: velero
      credentials:
        useSecret: true
        secretContents:
          cloud: |
            [default]
            aws_access_key_id = minio
            aws_secret_access_key = minio123
      bbtests:
        # TODO: Velero test is messy and times out running in BB CI
        # https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/issues/9
        enabled: false
        scripts:
          image: registry1.dso.mil/ironbank/opensource/velero/velero:v1.6.0
          additionalVolumes:
            - name: transfer-kubectl
              emptyDir: {}
            - name: &yamlVolName yaml-configs
              configMap:
                name: "{{ .Chart.Name }}-backup-restore-files-config"
          additionalVolumeMounts:
            - name: transfer-kubectl
              mountPath: /usr/local/bin/kubectl
              subPath: kubectl
            - name: *yamlVolName
              mountPath: &yamlMountPath /yaml
          envs:
            MINIO_HOST: *minio-address
            TEST_YAML_DIR: *yamlMountPath
            MINIO_USER: minio
            MINIO_PASS: minio123
          secretEnvs:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

  keycloak:
    enabled: false
    ingress:
      gateway: "public"
    values:
      replicas: 1
      resources:
        requests:
          cpu: 10m
          memory: 16Mi
        limits: {}
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://keycloak.bigbang.dev"
            cypress_username: "admin"
            cypress_password: "password"
      # Custom dev secret configuration
      secrets:
        env:
          stringData:
            CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
            KEYCLOAK_IMPORT: /opt/jboss/keycloak/realm.json
            X509_CA_BUNDLE: /etc/x509/https/cas.pem
        certauthority:
          stringData:
            cas.pem: '{{ .Files.Get "resources/dev/dod_cas.pem" }}'
        customreg:
          stringData:
            customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
        realm:
          stringData:
            realm.json: '{{ .Files.Get "resources/dev/baby-yoda.json" }}'
      extraVolumes: |-
        - name: certauthority
          secret:
            secretName: {{ include "keycloak.fullname" . }}-certauthority
        - name: customreg
          secret:
            secretName: {{ include "keycloak.fullname" . }}-customreg
        - name: realm
          secret:
            secretName: {{ include "keycloak.fullname" . }}-realm
      extraVolumeMounts: |-
        - name: certauthority
          mountPath: /etc/x509/https/cas.pem
          subPath: cas.pem
          readOnly: true
        - name: customreg
          mountPath: /opt/jboss/keycloak/customreg.yaml
          subPath: customreg.yaml
          readOnly: true
        - name: realm
          mountPath: /opt/jboss/keycloak/realm.json
          subPath: realm.json
          readOnly: true
      
      extraVolumeMountsBigBang:
        - name: tlscert
          mountPath: /etc/x509/https/tls.crt
          subPath: tls.crt
          readOnly: true
        - name: tlskey
          mountPath: /etc/x509/https/tls.key
          subPath: tls.key
          readOnly: true