Newer
Older
url: https://keycloak.bigbang.dev/auth/realms/baby-yoda
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# LetsEncrypt certificate authority
certificateAuthority:
cert: |
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
saml:
# Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.bigbang.dev/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICoTCCAYkCBgF/iYn0azANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjIwMzE0MTc0NDUzWhcNMzIwMzE0MTc0NjMzWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoCX4G1TCnZlWXvCLH/z6m5y/6NMrUv1AYVVbTaQ9iUWLR+uD44v1exIHUywkgQV+cMhn+my+9ZihmRWfOJuBWV8CM5BfIh685YulKVQrcGlYWcB877SjJBZKxyXITz7GnNOJ8vvlK9tK8OncldUFrhR2BXaqw2zvG733CKlDtyujaWmd7kQge/p4okx4bV4VBLYMmsjrJ004uvMcU4DekCFlGmEh3p3FhZorMf+1xHfi5DaCD4iCYZqRgsWEb8/Zmsx0+qi56P9YWhz1j2GUfHw0At8Dq5h7hoMJtYJMvVXWxkmPNVHtaJMOHt8iiBO7/a6SkI6ddf9Jotp2i6XEvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJwSLJ0eybbeBYPvXnawqpy6JSXJ/MnnRvSGN9tXJ2+d/QXMOEPwJaAaOrvFtpUQxyPELJ8nU/Ukf7AL2zWltsCLiwtTrJkC+BpbZYkb1UsByveBS5wTPfiNkFzHeGg+MxBjiju2y04P4kEngXhQh4ZIUdi+WJjew721nJa/tjrMfnuEsMjxY/tWnzkk8xkGgaApZpGyaj1tOmVH4GR6CeBU6459m/GXmGH5TCGwT3EyfpZ189te+xV73WZR/r2nDlGuuy//w/P4JGHh4lcCwLfPcOOH30otcPAgctyX9Takk4MkVjva+b9S88sGaWPg075bxA2sysmkuqEOULjdXjU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>
ingressGateways:
passthrough-ingressgateway:
type: "LoadBalancer"
gateways:
passthrough:
ingressGateway: "passthrough-ingressgateway"
hosts:
- "*.{{ .Values.domain }}"
tls:
mode: "PASSTHROUGH"
public:
tls:
key: "" # Gets added via chart/ingress-certs.yaml
cert: "" # Gets added via chart/ingress-certs.yaml
values:
kiali:
dashboard:
auth:
strategy: "anonymous"
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
istio:
jaeger:
enabled: true
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://tracing.bigbang.dev"
# uncomment following variables for sso keycloak testing in bb
# cypress_tnr_username: "cypress"
# cypress_tnr_password: "tnr_w!G33ZyAt@C8"
# cypress_keycloak_test_enable: "true"
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kiali
# if enabling the keycloak SSO integration test, set strategy to "openid"
#strategy: "openid"
bbtests:
enabled: true
cypress:
envs:
cypress_url: 'https://kiali.bigbang.dev'
# uncomment these next 3 lines if enabling the keycloak SSO integration test
#cypress_keycloak_test_enable: "true"
#cypress_keycloak_username: "cypress"
#cypress_keycloak_password: "tnr_w!G33ZyAt@C8"
cpu: 3
memory: 4Gi
cpu: 3
memory: 4Gi
Josh Wolf
committed
values:
resources:
requests:
cpu: 100m
Josh Wolf
committed
limits: {}
bbtests:
enabled: true
cypress:
envs:
cypress_grafana_url: 'https://grafana.bigbang.dev'
cypress_prometheus_url: 'https://prometheus.bigbang.dev'
cypress_url: 'https://grafana.bigbang.dev/d/YBgRZG6Mz/opa-violations?orgId=1'
controllerManager:
resources:
limits: {}
requests:
cpu: 100m
memory: 256Mi
allowedCapabilities:
parameters:
excludedResources:
# Allows k3d load balancer containers to not drop capabilities
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
parameters:
excludedResources:
# Allows k3d load balancer containers to pull from public repos
- istio-system/lb-port-.*
# Allow argocd to deploy a test app in its cypress test
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedHostFilesystem:
parameters:
excludedResources:
- cluster-auditor/cluster-auditor-cypress-test
- fortify/fortify-cypress-test
- fortify/fortify-ssc-cypress-test
- gitlab/gitlab-cypress-test
- gitlab/gitlab-runner-cypress-test
- gitlab-runner/gitlab-runner-cypress-test
- harbor/harbor-cypress-test
- jaeger/jaeger-cypress-test
- keycloak/keycloak-cypress-test
- kyverno-reporter/kyverno-reporter-cypress-test
- logging/elasticsearch-kibana-cypress-test
- logging/loki-cypress-test
- mattermost/mattermost-cypress-test
- minio/minio-instance-cypress-test
- monitoring/grafana-cypress-test
- monitoring/monitoring-cypress-test
- neuvector/neuvector-cypress-test
- nexus-repository-manager/nexus-repository-manager-cypress-test
- sonarqube/sonarqube-cypress-test
- tempo/tempo-cypress-test
- thanos/thanos-cypress-test
- twistlock/twistlock-cypress-test
- vault/vault-cypress-test
# Allow kyverno test vectors for Helm test
- default/restrict-host-path-mount-.?
- default/restrict-host-path-write-.?
- default/restrict-volume-types-.?
allowedIPs:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/restrict-external-ips-.?
allowedSecCompProfiles:
parameters:
excludedResources:
# Allows k3d load balancer containers to have an undefined defined seccomp
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedUsers:
parameters:
excludedResources:
# Allows k3d load balancer containers to run as any user/group
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
bannedImageTags:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
containerRatio:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined limits/requests
- istio-system/lb-port-.*
parameters:
excludedResources:
# Allows k3d load balancer containers to mount host ports
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noBigContainers:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined limits/requests
- istio-system/lb-port-.*
noHostNamespace:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/disallow-host-namespaces-.?
noPrivilegedContainers:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noPrivilegedEscalation:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined security context
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noSysctls:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/restrict-sysctls-.?
readOnlyRoot:
parameters:
excludedResources:
# Allows k3d load balancer containers to mount filesystems read/write
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
requiredLabels:
parameters:
excludedResources:
# Allows k3d load balancer pods to not have required labels
- istio-system/svclb-.*
# Allow kyverno test vectors for Helm test
- default/require-labels-.?
requiredProbes:
parameters:
excludedResources:
# Allows k3d load balancer containers to not have readiness/liveness probes
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
restrictedTaint:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/disallow-tolerations-.?
selinuxPolicy:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
- default/disallow-selinux-options-.?
- default/restrict-selinux-type-.?
volumeTypes:
parameters:
excludedResources:
- cluster-auditor/cluster-auditor-cypress-test
- gitlab/gitlab-cypress-test
- gitlab/gitlab-runner-cypress-test
- gitlab-runner/gitlab-runner-cypress-test
- harbor/harbor-cypress-test
- jaeger/jaeger-cypress-test
- keycloak/keycloak-cypress-test
- kyverno-reporter/kyverno-reporter-cypress-test
- logging/elasticsearch-kibana-cypress-test
- logging/loki-cypress-test
- mattermost/mattermost-cypress-test
- minio/minio-instance-cypress-test
- monitoring/grafana-cypress-test
- monitoring/monitoring-cypress-test
- neuvector/neuvector-cypress-test
- nexus-repository-manager/nexus-repository-manager-cypress-test
- sonarqube/sonarqube-cypress-test
- tempo/tempo-cypress-test
- thanos/thanos-cypress-test
- twistlock/twistlock-cypress-test
- vault/vault-cypress-test
# Allow kyverno test vectors for Helm test
- default/restrict-host-path-mount-.?
- default/restrict-host-path-write-.?
- default/restrict-volume-types-.?
networkPolicies:
externalRegistries:
allowEgress: true
admissionController:
container:
extraArgs:
webhookTimeout: 30
resources:
limits:
cpu: 1
memory: 768Mi
requests:
cpu: 1
memory: 768Mi
cypress:
envs:
cypress_grafana_url: https://grafana.bigbang.dev
cypress_prometheus_url: https://prometheus.bigbang.dev
resources:
requests:
cpu: 2
memory: 3Gi
limits:
cpu: 2
memory: 3Gi
values:
bbtests:
enabled: true
excludeContainers:
- not-me
- or-me
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
exclude:
any:
# Allows k3d load balancer to bypass policies.
- resources:
namespaces:
- istio-system
names:
- svclb-*
# Exclude gatekeeper test resources so Helm tests will work
- resources:
namespaces:
- default
names:
- bad-test*
- good-test*
# Parameters are copied from kyverno policies for test vectors
# Exclusions are for allowing other helm tests to function
policies:
clone-configs:
parameters:
clone:
- name: clone-configs-1
kind: ConfigMap
namespace: "{{ .Release.Namespace }}"
- name: clone-configs-2
kind: Secret
namespace: "{{ .Release.Namespace }}"
disallow-annotations:
parameters:
disallow:
- 'kyverno-policies-bbtest/test: disallowed'
- kyverno-policies-bbtest/disallowed
disallow-labels:
parameters:
disallow:
- 'kyverno-policies-bbtest/test: disallowed'
- kyverno-policies-bbtest/disallowed
disallow-tolerations:
parameters:
disallow:
- effect: NoSchedule
key: notallowed
value: 'false'
- effect: '*NoSchedule'
key: disa??owed
value: 'true'
require-annotations:
parameters:
require:
- 'kyverno-policies-bbtest/test: required'
- kyverno-policies-bbtest/required
require-image-signature:
# set to Audit for now -- having signature issues with registry1.dso.mil/ironbank/bitnami/redis:7.0.0-debian-10-r3
validationFailureAction: Audit
parameters:
require:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image:*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
# Skip Rekor Transparency log check
rekor:
ignoreTlog: true
url: ""
mutateDigest: false
verifyDigest: false
- imageReferences:
- "registry1.dso.mil/ironbank/*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----
# Skip Rekor Transparency log check
rekor:
ignoreTlog: true
url: ""
# Ironbank images are rebuilt nightly and tags are not immutable
mutateDigest: false
verifyDigest: false
require-labels:
parameters:
require:
- 'kyverno-policies-bbtest/test: required'
- kyverno-policies-bbtest/required
restrict-external-ips:
parameters:
allow:
- 192.168.0.1
restrict-external-names:
enabled: true
parameters:
allow:
- allowed
restrict-host-path-mount:
exclude:
any:
- resources:
namespaces:
- gitlab
- mattermost
- nexus-repository-manager
- vault
- tempo
names:
- "*-cypress-test*"
parameters:
allow:
- /tmp/allowed
restrict-host-path-mount-pv:
parameters:
allow:
- /tmp/allowed
- /var/lib/rancher/k3s/storage/pvc-*
restrict-host-path-write:
exclude:
any:
- resources:
namespaces:
- gitlab
- mattermost
- nexus-repository-manager
- vault
- tempo
names:
- "*-cypress-test*"
- resources:
namespaces:
- neuvector
names:
- "neuvector-enforcer-*"
- "neuvector-manager-*"
parameters:
allow:
- /tmp/allowed
restrict-host-ports:
parameters:
allow:
- '63999'
- '>= 64000 & < 65000'
- '> 65000'
restrict-image-registries:
exclude:
any:
# ArgoCD deploys a test app as part of its Cypress test
- resources:
namespaces:
- argocd
names:
restrict-volume-types:
exclude:
any:
- resources:
namespaces:
- gitlab
- mattermost
- nexus-repository-manager
- vault
- tempo
names:
- "*-cypress-test*"
update-image-pull-policy:
parameters:
update:
- to: Always
update-image-registry:
parameters:
update:
- from: replace.image.registry
to: registry1.dso.mil
require-drop-all-capabilities:
exclude:
any:
# Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
# is only recommended for Dev/CI environments.
- resources:
namespaces:
- gitlab
names:
- gitlab-minio-*
require-non-root-group:
exclude:
any:
# Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
# is only recommended for Dev/CI environments.
- resources:
namespaces:
- gitlab
- resources:
namespaces:
- fortify
names:
- fortify-mysql-* # mysql breaks if you give it a different group
- resources:
namespaces:
- metallb-system
names:
- speaker-*
- controller-*
- resources:
namespaces:
- velero
names:
- velero-backup-restore-test*
require-non-root-user:
exclude:
any:
# Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
# is only recommended for Dev/CI environments.
- resources:
namespaces:
- gitlab
- resources:
namespaces:
- metallb-system
names:
- speaker-*
- resources:
namespaces:
- argocd
names:
- guestbook*
- resources:
namespaces:
- velero
names:
- velero-backup-restore-test*
- resources:
namespaces:
- twistlock
names:
- volume-upgrade-job*
disallow-namespaces:
parameters:
disallow:
- bigbang
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kibana
istio:
hardened:
enabled: true
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
elasticsearch:
master:
count: 1
persistence:
size: 256Mi
resources:
requests:
cpu: .5
limits: {}
heap:
min: 1g
max: 1g
data:
count: 2
persistence:
size: 256Mi
resources:
requests:
cpu: .5
limits: {}
heap:
min: 1g
max: 1g
kibana:
count: 1
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_kibana_url: "https://kibana.bigbang.dev"
fluentbit:
values:
securityContext:
privileged: true
bbtests:
enabled: true
minio:
enabled: true
write:
persistence:
size: 2Gi
resources:
limits:
persistence:
size: 2Gi
resources:
limits:
persistence:
size: 2Gi
resources:
limits:
bbtests:
enabled: true
cypress:
envs:
cypress_check_datasource: 'true'
cypress_grafana_url: 'https://grafana.bigbang.dev'
scripts:
envs:
LOKI_URL: 'http://logging-loki-write.logging.svc:3100'
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_tempo
values:
istio:
tempoQuery:
hosts:
- "tempo.{{ .Values.domain }}"
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: 'https://tempo.bigbang.dev'
cypress_tempo_datasource: 'http://tempo-tempo.tempo.svc:3100'
cypress_check_datasource: 'true'
cypress_grafana_url: 'https://grafana.bigbang.dev'
# uncomment following variables for sso keycloak testing in bb
#cypress_tnr_username: "cypress"
#cypress_tnr_password: "tnr_w!G33ZyAt@C8"
#cypress_keycloak_test_enable: "true"
envs:
TEMPO_METRICS_URL: 'http://tempo-tempo.tempo.svc:3100'
persistence:
enabled: true
# storageClassName: local-path
accessModes:
- ReadWriteOnce
size: 5Gi
tempoQuery:
resources:
requests:
cpu: 200m
memory: 128Mi
values:
istio:
hardened:
enabled: true
flux:
timeout: 20m
install:
disableOpenAPIValidation: true
crds: CreateReplace
upgrade:
disableOpenAPIValidation: true
crds: CreateReplace
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_prometheus
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_alertmanager
values:
prometheus:
prometheusSpec:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
kube-state-metrics:
resources:
requests:
cpu: 10m
memory: 32Mi
limits: {}
prometheus-node-exporter:
resources:
requests:
cpu: 100m
memory: 30Mi
limits: {}
bbtests:
enabled: true
cypress:
envs:
cypress_prometheus_url: 'https://prometheus.bigbang.dev'
cypress_grafana_url: 'https://grafana.bigbang.dev'
cypress_alertmanager_url: 'https://alertmanager.bigbang.dev'
cypress_check_istio_dashboards: 'true'
cypress_keycloak_test_enable: 'false'
cypress_tnr_username: "cypress"
cypress_tnr_password: "tnr_w!G33ZyAt@C8"
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
grafana:
enabled: true
sso:
enabled: false
grafana:
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_grafana
scopes: "openid Grafana"
values:
dashboards:
default:
k8s-deployment:
gnetId: 741
revision: 1
datasource: Prometheus
downloadDashboards:
resources:
limits:
cpu: 20m
memory: 20Mi
requests:
cpu: 20m
memory: 20Mi
dashboardProviders:
dashboardproviders.yaml:
apiVersion: 1
providers:
- name: 'default'
orgId: 1
folder: ''
type: file
disableDeletion: false
editable: true
options:
path: /var/lib/grafana/dashboards
bbtests:
enabled: true
cypress:
envs:
cypress_grafana_url: 'https://grafana.bigbang.dev'
neuvector:
values:
k3s:
enabled: true
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: https://neuvector.bigbang.dev
resources:
requests:
cpu: "2"
memory: "1500M"
limits:
cpu: "2"
memory: "1500M"
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock-saml
values:
console:
persistence:
localVolumeUpgrade: true
bbtests:
enabled: true
scripts:
envs:
twistlock_host: "https://twistlock.bigbang.dev"
Josh Wolf
committed
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
client_secret: anything-for-dev
groups: |
g, Impact Level 2 Authorized, role:admin
Josh Wolf
committed
values:
sso:
rbac:
policy.default: role:admin
Josh Wolf
committed
controller:
resources:
requests: