values.yaml

# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
domain: bigbang.dev

# -- (experimental) Toggle sourcing from external repos.
# All this does right now is toggle GitRepositories, it is _not_ fully functional
offline: false

# -- Single set of registry credentials used to pull all images deployed by BigBang.
registryCredentials:
  registry: registry1.dso.mil
  username: ""
  password: ""
  email: ""

# -- Multiple sets of registry credentials used to pull all images deployed by BigBang.
# Credentials will only be created when a valid combination exists, registry, username, and password (email is optional)
# Or a list of registires:
#  - registry: registry1.dso.mil
#    username: ""
#    password: ""
#    email: ""
#  - registry: registry.dso.mil
#    username: ""
#    password: ""
#    email: ""

# Openshift Container Platform Feature Toggle
openshift: false

# -- Git credential settings for accessing private repositories
# Order of precedence is:
#   1. existingSecret
#   2. http credentials (username/password/caFile)
#   3. ssh credentials (privateKey/publicKey/knownHosts)
git:
  # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
  existingSecret: ""

  # -- Chart created secrets with user defined values
  credentials:
    # -- HTTP git credentials, both username and password must be provided
    username: ""
    password: ""
    # -- HTTPS certificate authority file.  Required for any repo with a self signed certificate
    caFile: ""
    # -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
    privateKey: ""
    publicKey: ""
    knownHosts: ""

# -- Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages.
sso:
  oidc:
    # -- Domain for keycloak used for configuring SSO
    host: login.dso.mil
    # -- Keycloak realm containing clients
    realm: baby-yoda

  # -- Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages
  certificate_authority: ""

  # -- Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs
  jwks: ''

  # -- OIDC client ID used for packages authenticated through authservice
  client_id: ""

  # -- OIDC client secret used for packages authenticated through authservice
  client_secret: ""

  # -- OIDC token URL template string (to be used as default)
  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"

  # -- OIDC auth URL template string (to be used as default)
  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"

  # -- Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces
  secretName: "tls-ca-sso"

# -- (Advanced) Flux reconciliation parameters.
# The default values provided will be sufficient for the majority of workloads.
flux:
  timeout: 10m
  interval: 2m
  test:
    enable: false
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
  rollback:
    timeout: 10m
    cleanupOnFail: true

# -- Global NetworkPolicies settings
networkPolicies:
  # -- Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled`
  enabled: true
  # -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster
  # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
  # Used by package NetworkPolicies to allow Kube API access
  controlPlaneCidr: 0.0.0.0/0
  # -- Node CIDR, defaults to allowing "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" networks.
  # use `kubectl get nodes -owide` and review the `INTERNAL-IP` column to derive CIDR range.
  # Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
  nodeCidr: ""
  # -- VPC CIDR, defaults to 0.0.0.0/0
  # In a production environment, it is recommended to setup a Private Endpoint for your AWS services like KMS or S3.
  # Please review https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html to setup routing to AWS services that never leave the AWS network.
  # Once created update `networkPolicies.vpcCidr` to match the CIDR of your VPC so Vault will be able to reach your VPCs DNS and new KMS endpoint.
  vpcCidr: 0.0.0.0/0

# -- Global ImagePullPolicy value for all packages
# Permitted values are: None, Always, IfNotPresent
imagePullPolicy: IfNotPresent

# ----------------------------------------------------------------------------------------------------------------------
# Istio
#
istio:
  # -- Toggle deployment of Istio.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
    path: "./chart"
    tag: "1.14.3-bb.4"

  # -- Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support,
  # validated through the FIPs Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
  enterprise: false

  # Ingress gateways are created based on the key name.  Adding more keys will add ingress gateways.
  # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
  # Besides some ports needed by Istio, only ports 80 and 443 are opened
  # Ingress gateways that require more configuration can be completed using `istio.values`
  ingressGateways:
    public-ingressgateway:
      type: "LoadBalancer" # or "NodePort"
      kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec

    # private-ingressgateway:
    #   type: "LoadBalancer" # or "NodePort"
    #   kubernetesResourceSpec: # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
    #     serviceAnnotations: # Example for AWS internal load balancer
    #       service.beta.kubernetes.io/aws-load-balancer-type: nlb
    #       service.beta.kubernetes.io/aws-load-balancer-internal: "true"

    # passthrough-ingressgateway:
    #   type: "NodePort" # or "LoadBalancer"
    #   # Node ports are assigned starting from nodePortBase.  The nodePortBase specifies the start of a range of 4 unused node ports.
    #   # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3
    #   # Node port base should be in the range from 30000 to 32764
    #   nodePortBase: 32000  # Alternatively, the kubernetesResourceSpec can be used to configure all port parameters

  gateways:
    public:
      ingressGateway: "public-ingressgateway"
      hosts:
        - "*.{{ .Values.domain }}"
      # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
      autoHttpRedirect:
        enabled: true
      tls:
        key: ""
        cert: ""
    # private:
    #   ingressGateway: "private-ingressgateway"
    #   hosts:
    #   - "example.bigbang.dev"
    #   ports:
    #     - name: tls-2
    #       number: 1234
    #       protocol: TCP
    #     - name: tls
    #       number: 5678
    #       protocol: TCP
    #   # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
    #   autoHttpRedirect:
    #     enabled: false
    #   tls:
    #     key: ""
    #     cert: ""
    # passthrough:
    #   ingressGateway: "passthrough-ingressgateway"
    #   hosts:

    ####
    # Alternate multi-server configuration method
    ####
    # private:
    #   ingressGateway: "private-ingressgateway"
    #   servers:
    #   - hosts:
    #     - "example.bigbang.dev"
    #     port: