values.yaml

# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
hostname: bigbang.dev

# -- (experimental) Toggle sourcing from external repos.
# All this does right now is toggle GitRepositories, it is _not_ fully functional
offline: false

# -- Single set of registry credentials used to pull all images deployed by BigBang.
registryCredentials:
  registry: registry1.dso.mil
  username: ""
  password: ""
  email: ""

# -- Multiple sets of registry credentials used to pull all images deployed by BigBang.
# Credentials will only be created when a valid combination exists, registry, username, and password (email is optional)
# Or a list of registires:
#  - registry: registry1.dso.mil
#    username: ""
#    password: ""
#    email: ""
#  - registry: registry.dso.mil
#    username: ""
#    password: ""
#    email: ""

# Openshift Container Platform Feature Toggle
openshift: false

# -- Git credential settings for accessing private repositories
# Order of precedence is:
#   1. existingSecret
#   2. http credentials (username/password)
#   3. ssh credentials (privateKey/publicKey/knownHosts)
git:
  # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
  existingSecret: ""

  # -- Chart created secrets with user defined values
  credentials:
    # -- HTTP git credentials, both username and password must be provided
    username: ""
    password: ""

    # -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
    privateKey: ""
    publicKey: ""
    knownHosts: ""

# -- Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages.
sso:
  oidc:
    # -- Domain for keycloak used for configuring SSO
    host: login.dso.mil
    # -- Keycloak realm containing clients
    realm: baby-yoda

  # -- Keycloak's certificate authority (unencoded) used by authservice to support SSO for various packages
  certificate_authority: ""

  # -- Keycloak realm's json web key uri, obtained through https://<keycloak-server>/auth/realms/<realm>/.well-known/openid-configuration
  jwks: ""

  # -- OIDC client ID used for packages authenticated through authservice
  client_id: ""

  # -- OIDC client secret used for packages authenticated through authservice
  client_secret: ""

  # -- OIDC token URL template string (to be used as default)
  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
    
  # -- OIDC auth URL template string (to be used as default)
  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"

# -- (Advanced) Flux reconciliation parameters.
# The default values provided will be sufficient for the majority of workloads.
flux:
  interval: 2m
  install:
    retries: 3
  upgrade:
    retries: 3
  rollback:
    timeout: 10m
    cleanupOnFail: true

# ----------------------------------------------------------------------------------------------------------------------
# Istio
#
istio:
  # -- Toggle deployment of Istio.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
    path: "./chart"
    tag: "1.7.3-bb.9"

  # -- Certificate/Key pair to use as the default certificate for exposing BigBang created applications.
  # If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`.
  ingress:
    key: ""
    cert: ""

  sso:
    # -- Toggle SSO for kiali and jaeger on and off
    enabled: false

    kiali:
      # -- OIDC Client ID use for kiali
      client_id: ""
      # -- OIDC Client Secret to use for kiali
      client_secret: ""

    jaeger:
      # -- OIDC Client ID to use for jaeger
      client_id: ""
      # -- OIDC Client Secret to use for jaeger
      client_secret: ""

  # -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
  values: {}

istiooperator:
  # -- Toggle deployment of Istio Operator.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
    path: "./chart"
    tag: "1.7.0-bb.1"

  # -- Values to passthrough to the istio-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
  values: {}
# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Cluster Auditor
#
clusterAuditor:
  # -- Toggle deployment of Cluster Auditor.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
    path: "./chart"
    tag: "0.1.9-bb.0"

  # -- Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
  values: {}
# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# OPA Gatekeeper
#
gatekeeper:
  # -- Toggle deployment of OPA Gatekeeper.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
    tag: "3.3.0-bb.0"

  # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
  values: {}
# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Logging
#
logging:
  # -- Toggle deployment of Logging (EFK).
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
    path: "./chart"
    tag: "0.1.7-bb.0"

  sso:
    # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
    # Enabling this option will auto-create any required secrets.
    enabled: false

    # -- Elasticsearch/Kibana OIDC client ID
    client_id: ""

    # -- Elasticsearch/Kibana OIDC client secret
    client_secret: ""

  license:
    # -- Toggle trial license installation of elasticsearch.  Note that enterprise (non trial) is required for SSO to work.
    trial: false

    # -- Elasticsearch license in json format seen here: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana#enterprise-license
    keyJSON: ""

  # -- Values to passthrough to the elasticsearch-kibana chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
  values: {}

eckoperator:
  # -- Toggle deployment of ECK Operator.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
    path: "./chart"
    tag: "1.4.0-bb.1"
  values: {}

fluentbit:
  # -- Toggle deployment of Fluent-Bit.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
    path: "./chart"
    tag: "0.15.3-bb.0"
  values: {}
# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Monitoring
#
monitoring:
  # -- Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager).
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
    path: "./chart"
    tag: "11.0.0-bb.17"

  sso:
    # -- Toggle SSO for monitoring components on and off
    enabled: false
    prometheus:
      # -- Prometheus OIDC client ID
      client_id: ""

      # -- Prometheus OIDC client secret
      client_secret: ""

    alertmanager:
      # -- Alertmanager OIDC client ID
      client_id: ""

      # -- Alertmanager OIDC client secret
      client_secret: ""

    grafana:
      # -- Grafana OIDC client ID
      client_id: ""

      # -- Grafana OIDC client secret
      client_secret: ""

      # -- Grafana OIDC client scopes, comma separated
      scopes: ""
      allow_sign_up: "true"
      role_attribute_path: "Viewer"

  # -- Values to passthrough to the monitoring chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
  values: {}
# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Twistlock
#
twistlock:
  # -- Toggle deployment of Twistlock.
  enabled: true
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
    path: "./chart"
    tag: "0.0.3-bb.3"

  # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
  values: {}

#
# ----------------------------------------------------------------------------------------------------------------------
#
addons:
  argocd:
    # -- Toggle deployment of ArgoCD.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
      path: "./chart"
      tag: "2.14.7-bb.3"
    sso:
      # -- Toggle SSO for ArgoCD on and off
      enabled: false

      # -- ArgoCD OIDC client ID
      client_id: ""

      # -- ArgoCD OIDC client secret
      client_secret: ""

      # -- ArgoCD SSO login text
      provider_name: ""

      # -- ArgoCD SSO group roles, see docs for more details: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
      groups: |
        g, Impact Level 2 Authorized, role:admin

    # -- Values to passthrough to the argocd chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
    values: {}

  authservice:
    # -- Toggle deployment of Authservice.
    # if enabling authservice, a filter needs to be provided by either enabling
    # sso for monitoring or istio, or manually adding a filter chain in the values here:
    # values:
    #   chain:
    #     minimal:
    #       callback_uri: "https://somecallback"
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
      path: "./chart"
      tag: "0.1.6-bb.4"

    # -- Values to passthrough to the authservice chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
    values: {}

    # -- Additional authservice chain configurations.
    chains: {}

  # ----------------------------------------------------------------------------------------------------------------------
  # Minio Operator and Instance
  #
  minioOperator:
    # -- Toggle deployment of minio operator and instance.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git
      path: "./chart"
      tag: "2.0.9-bb.3"
    # -- Values to passthrough to the minio operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git
    values: {}

  minio:
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
      path: "./chart"
      tag: "2.0.9-bb.9"

    # -- Default access key to use for minio.
    accesskey: ""

    # -- Default secret key to intstantiate with minio, you should change/delete this after installation.
    secretkey: ""

    # -- Values to passthrough to the minio instance chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
    values: {}

  gitlab:
    # -- Toggle deployment of Gitlab.
    enabled: false

    hostnames:
      gitlab: gitlab.bigbang.dev
      registry: registry.bigbang.dev

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
      path: "./chart"
      tag: "4.8.0-bb.3"

    sso:
      # -- Toggle OIDC SSO for Gitlab on and off.
      # Enabling this option will auto-create any required secrets.
      enabled: false

      # -- Gitlab OIDC client ID
      client_id: ""

      # -- Gitlab OIDC client secret
      client_secret: ""

      # -- Gitlab SSO login button label
      label: ""

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Gitlab.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for Gitlab.
      port: 5432

      # -- Database name to connect to on host.
      database: "" # example: gitlab

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

    objectStorage:
      # -- Type of object storage to use for Gitlab, setting to s3 will assume an external, pre-existing object storage is to be used.
      # Entering connection info will enable this option and will auto-create any required secrets
      type: ""         # supported types are "s3" or "minio"

      # -- S3 compatible endpoint to use for connection information.
      # examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000"
      endpoint: ""

      # -- S3 compatible region to use for connection information.
      region: ""

      # -- Access key for connecting to object storage endpoint.
      accessKey: ""

      # -- Secret key for connecting to object storage endpoint.
      # Unencoded string data. This should be placed in the secret values and then encrypted
      accessSecret: ""

      # -- Bucket prefix to use for identifying buckets.
      # Example: "prod" will produce "prod-gitlab-bucket"
      bucketPrefix: ""

    # -- Values to passthrough to the gitlab chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
    values: {}

  gitlabRunner:
    # -- Toggle deployment of Gitlab Runner.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git
      path: "./chart"
      tag: "0.26.0-bb.0"

    # -- Values to passthrough to the gitlab runner chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git
    values: {}

  sonarqube:
    # -- Toggle deployment of SonarQube.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git
      path: "./chart"
      tag: "9.2.6-bb.7"

    sso:
      # -- Toggle OIDC SSO for SonarQube.
      # Enabling this option will auto-create any required secrets.
      enabled: false

      # -- SonarQube OIDC client ID
      client_id: ""

      # -- SonarQube SSO login button label
      label: ""

      # -- SonarQube plaintext SAML sso certificate.
      # example: MITCAYCBFyIEUjNBkqhkiG9w0BA....
      certificate: ""

      # -- SonarQube login sso attribute.
      login: login

      # -- SonarQube name sso attribute.
      name: name

      # -- SonarQube email sso attribute.
      email: email

      # -- (optional) SonarQube group sso attribute.
      group: group

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for SonarQube.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for SonarQube.
      port: 5432

      # -- Database name to connect to on host.
      database: ""

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

    # -- Values to passthrough to the sonarqube chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git
    values: {}

  haproxy:
    # -- Toggle deployment of HAProxy.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/haproxy
      path: "./chart"
      tag: 1.1.2-bb.0

    # -- Values to passthrough to the haproxy chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git
    values: {}

  anchore:
    # -- Toggle deployment of Anchore.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
      path: "./chart"
      tag: "1.12.7-bb.2"

    # -- Initial admin password used to authenticate to Anchore.
    adminPassword: ""

    # -- Anchore Enterprise functionality.
    enterprise:
      # -- Toggle the installation of Anchore Enterprise.  This must be accompanied by a valid license.
      enabled: false

      # -- License for Anchore Enterprise.
      # For formatting examples see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#enabling-enterprise-services
      licenseYaml: |
        FULL LICENSE

    sso:
      # -- Toggle OIDC SSO for Anchore on and off.
      # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
      enabled: false

      # -- Anchore OIDC client ID
      client_id: ""

      # -- Anchore OIDC client role attribute
      role_attribute: ""

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Anchore.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for Anchore.
      port: ""

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

      # -- Database name to connect to on host (Note: database name CANNOT contain hyphens).
      database: ""

      # -- Feeds database name to connect to on host (Note: feeds database name CANNOT contain hyphens).
      # Only required for enterprise edition of anchore.
      # By default, feeds database will be configured with the same username and password as the main database. For formatting examples on how to use a separate username and password for the feeds database see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#handling-dependencies
      feeds_database: ""

    redis:
      # -- Hostname of a pre-existing Redis to use for Anchore Enterprise.
      # Entering connection info will enable external redis and will auto-create any required secrets.
      # Anchore only requires redis for enterprise deployments and will not provision an instance if using external
      host: ""

      # -- Port of a pre-existing Redis to use for Anchore Enterprise.
      port: ""

      # -- Password to connect to pre-existing Redis.
      password: ""

    # -- Values to passthrough to the anchore chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
    values: {}

  # ----------------------------------------------------------------------------------------------------------------------
  # Mattermost Operator and Instance
  #
  mattermostoperator:
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git
      path: "./chart"
      tag: "1.13.0-bb.2"
    # -- Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator/-/blob/main/chart/values.yaml
    values: {}

  mattermost:
    # -- Toggle deployment of Mattermost.
    enabled: false
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git
      path: "./chart"
      tag: "0.1.3-bb.2"

    # -- Mattermost Enterprise functionality.
    enterprise:
      # -- Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install.
      enabled: false

      # -- License for Mattermost.
      # This should be the entire contents of the license file from Mattermost (should be one line), example below
      # license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN
      license: ""

    sso:
      # -- Toggle OIDC SSO for Mattermost on and off.
      # Enabling this option will auto-create any required secrets.
      enabled: false

      # -- Mattermost OIDC client ID
      client_id: ""

      # -- Mattermost OIDC client secret
      client_secret: ""

      # -- Mattermost OIDC auth endpoint
      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
      auth_endpoint: ""

      # -- Mattermost OIDC token endpoint
      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
      token_endpoint: ""

      # -- Mattermost OIDC user API endpoint
      # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values
      user_api_endpoint: ""

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Mattermost.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for Mattermost.
      port: ""

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

      # -- Database name to connect to on host.
      database: ""

      # -- SSL Mode to use when connecting to the database.
      # Allowable values for this are viewable in the postgres documentation: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS
      ssl_mode: ""

    objectStorage:
      # -- S3 compatible endpoint to use for connection information.
      # Entering connection info will enable this option and will auto-create any required secrets.
      # examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
      endpoint: ""

      # -- Access key for connecting to object storage endpoint.
      accessKey: ""

      # -- Secret key for connecting to object storage endpoint.
      # Unencoded string data. This should be placed in the secret values and then encrypted
      accessSecret: ""

      # -- Bucket name to use for Mattermost - will be auto-created.
      bucket: ""

    # -- Values to passthrough to the Mattermost chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/chart/values.yaml
    values: {}

  velero:
    # -- Toggle deployment of Velero.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
      path: "./chart"
      tag: "2.14.8-bb.0"

    # -- Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml
    values:
      # Requires at least one plugin installed. Current supported values: aws, azure
      plugins: []
      # - aws
  #
  # ----------------------------------------------------------------------------------------------------------------------