diff --git a/.gitignore b/.gitignore
index 98fcbf979ab4abee083a94f0a743d7251de97dea..287cd8bb7fe85be73d0a5bf46e4c1a53fa723488 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,9 +8,15 @@ certs/
*rke2.yaml
*tfstate*
+*terraform.lock*
# dependencies
/node_modules
# debug
-npm-debug.log*
\ No newline at end of file
+npm-debug.log*
+
+# ignore developer specific files
+# (used frequently in deployments)
+patch.yaml
+notes
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 29cdb054ea5d093b8530d39fcb71b054aa830a0e..61876ed1f4335b63dbb5e49cc7fea669cf243b45 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,7 +8,7 @@ workflow:
# run pipeline on commits to default branch
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# skip pipeline for branches that start with "docs"
- - if: '$CI_COMMIT_REF_NAME =~ /^docs/'
+ - if: '$CI_COMMIT_REF_NAME =~ /^doc*/i'
when: never
# include templates
@@ -39,7 +39,7 @@ variables:
- dogfood
.bigbang:
- image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1
+ image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1
extends: .bigbang-dogfood
after_script:
- kubectl get all -A
@@ -50,7 +50,7 @@ variables:
#
changelog:
- image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
+ image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
stage: .pre
extends:
- .bigbang-dogfood
@@ -62,7 +62,7 @@ changelog:
- ./scripts/lint_changelog.sh
version:
- image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
+ image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
stage: .pre
extends:
- .bigbang-dogfood
@@ -75,7 +75,7 @@ version:
- ./scripts/lint_version.sh
commits:
- image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
+ image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
stage: .pre
extends:
- .bigbang-dogfood
@@ -87,7 +87,7 @@ commits:
- ./scripts/lint_commits.sh
pre vars:
- image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
+ image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
stage: .pre
extends:
- .bigbang-dogfood
@@ -184,8 +184,8 @@ upgrade:
# skip job when branch name starts with "hotfix" or "patch"
- if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ /^(hotfix|patch)/'
when: never
- # run job on merge requests when manually activated
- - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ # run infrastructure pipelines only on merges into master, and run regardless of failure
+ - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
allow_failure: false
when: manual
@@ -195,17 +195,17 @@ upgrade:
# skip job when branch name starts with "hotfix" or "patch"
- if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ /^(hotfix|patch)/'
when: never
- # run pipeline on commits to default branch
- - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-
+ # run infrastructure pipelines only on merges into master
+ - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
+
# Abstract for jobs responsible for cleaning up infrastructure
.infra cleanup:
rules:
# skip job when branch name starts with "hotfix" or "patch"
- if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ /^(hotfix|patch)/'
when: never
- # run job on merge requests regardless of failure
- - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+ # run infrastructure pipelines only on merges into master, and run regardless of failure
+ - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
allow_failure: true
when: always
@@ -340,7 +340,7 @@ aws/rke2/cluster down:
package:
stage: package
- image: registry.dsop.io/platform-one/big-bang/umbrella/synker:0.0.1
+ image: registry.dso.mil/platform-one/big-bang/bigbang/synker:0.0.1
extends:
- .bigbang-dogfood
rules:
diff --git a/.gitlab-ci/jobs/networking/aws/dependencies/terraform/main/main.tf b/.gitlab-ci/jobs/networking/aws/dependencies/terraform/main/main.tf
index d576adf87465a210089aa01f222572b9c495ef6c..108c9153013e49d56e4a49235c7b250d8f5f0bce 100644
--- a/.gitlab-ci/jobs/networking/aws/dependencies/terraform/main/main.tf
+++ b/.gitlab-ci/jobs/networking/aws/dependencies/terraform/main/main.tf
@@ -130,7 +130,7 @@ resource "aws_security_group" "endpoints" {
# Attaches the management vpc (the hub) to the created vpc (the spokes).
#
module "spoke" {
- source = "git::https://repo1.dsop.io/platform-one/big-bang/terraform-modules/spoke-tgw-attachments.git"
+ source = "git::https://repo1.dso.mil/platform-one/big-bang/terraform-modules/spoke-tgw-attachments.git"
name = local.name
hub_vpc_id = var.hub_vpc_id
diff --git a/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml b/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
index 0ace3effbac55bdf6623c44f29a6268cfb14b50b..93fef6bec30f5177e287c9ffc5095b4454544ba8 100644
--- a/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
+++ b/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
@@ -11,4 +11,4 @@ reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
- debug
-volumeBindingMode: Immediate
\ No newline at end of file
+volumeBindingMode: WaitForFirstConsumer
\ No newline at end of file
diff --git a/.gitlab-ci/templates.yml b/.gitlab-ci/templates.yml
index 0904d75f4ea45f458532dfa1d7cf45276051aa90..927ae6f78c8ffa1e8f5678b135bfc2151fe850de 100644
--- a/.gitlab-ci/templates.yml
+++ b/.gitlab-ci/templates.yml
@@ -10,7 +10,7 @@ include:
.terraformer:
image:
- name: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/terraform:0.13.5
+ name: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/terraform:0.13.5
entrypoint:
- /usr/bin/env
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
diff --git a/.gitlab/issue_templates/bug.md b/.gitlab/issue_templates/bug.md
new file mode 100644
index 0000000000000000000000000000000000000000..fe2c2e75b529926308ad510a8b9f6cf74117eec1
--- /dev/null
+++ b/.gitlab/issue_templates/bug.md
@@ -0,0 +1,21 @@
+# Bug
+
+## Description
+
+Describe the problem, what were you doing when you noticed the bug?
+
+Provide any steps possible used to reproduce the error (ideally in an isolated fashion).
+
+## BigBang Version
+
+What version of BigBang were you running?
+
+This can be retrieved multiple ways:
+
+```bash
+# via helm
+helm ls -n bigbang
+
+# via the deployed umbrella git tag
+kubectl get gitrepository -n bigbang
+```
\ No newline at end of file
diff --git a/.gitlab/issue_templates/feature_request.md b/.gitlab/issue_templates/feature_request.md
new file mode 100644
index 0000000000000000000000000000000000000000..0a4c3e3fd31ff1fa96a8def97782a9753a8064d6
--- /dev/null
+++ b/.gitlab/issue_templates/feature_request.md
@@ -0,0 +1,13 @@
+# Feature Request
+
+## Why
+
+What is the use case for the feature you are requesting? What are you trying to solve?
+
+The more detail here the better!
+
+## Proposed Solution
+
+If possible, provide details on the proposed solution.
+
+If your proposed solution _changes_ the existing behavior of a feature, please outline why your approach is recommended/better.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 901aa05aa8697fa8de01e53e9ec406ddf36bc727..5a8f26701f5a1b1cd04661010eec9dcca4cc3aaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,10 +4,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
---
-## [1.0.7]
+
+## [1.0.8]
* Added support for deployment of Minio operator and instance deployment of minio.
+## [1.0.7]
+
+* Added Kubernetes labels to all objects created by umbrella
+* Add OIDC integration for Grafana
+* Allow creation of wildcard cert for istio ingress to be passed to BigBang chart
## [1.0.6]
@@ -106,7 +112,7 @@ for setting ingressgateway to use nodeports
### Changed
-* Update Monitoring to [11.0.0-bb.2](https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring/-/tags/11.0.0-bb.2)
+* Update Monitoring to [11.0.0-bb.2](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring/-/tags/11.0.0-bb.2)
---
@@ -118,11 +124,11 @@ for setting ingressgateway to use nodeports
### Changed
-* Updated Argo to [2.9.5-bb.1](https://repo1.dsop.io/platform-one/big-bang/apps/core/argocd/-/merge_requests/10) for Iron Bank images
-* Updated Authservice to [0.1.3-bb.0](https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice/-/blob/master/CHANGELOG.md#013-bb0) for authservice secret generation: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice/-/blob/master/CHANGELOG.md#013-bb0
-* Updated ECK-Operator to [1.3.1-bb.1](https://repo1.dsop.io/platform-one/big-bang/apps/core/eck-operator/-/tags/1.3.0-bb.1)
-* Updated Twistlock to [0.0.2-bb.0](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock/-/tags/0.0.2-bb.0) to add istio.enabled flag
-* Updated Elasticsearch Kibana to [0.1.2-bb.0](https://repo1.dsop.io/platform-one/big-bang/apps/core/elasticsearch-kibana/-/tags/0.1.2-bb.0) and Pass istio.enabled to Elasticsearch Kibana
+* Updated Argo to [2.9.5-bb.1](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd/-/merge_requests/10) for Iron Bank images
+* Updated Authservice to [0.1.3-bb.0](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice/-/blob/master/CHANGELOG.md#013-bb0) for authservice secret generation: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice/-/blob/master/CHANGELOG.md#013-bb0
+* Updated ECK-Operator to [1.3.1-bb.1](https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator/-/tags/1.3.0-bb.1)
+* Updated Twistlock to [0.0.2-bb.0](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/tags/0.0.2-bb.0) to add istio.enabled flag
+* Updated Elasticsearch Kibana to [0.1.2-bb.0](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/tags/0.1.2-bb.0) and Pass istio.enabled to Elasticsearch Kibana
---
diff --git a/CODEOWNERS b/CODEOWNERS
index cd29a59f46a8a571aee566c17afe69a962acc7c3..ad659a798eaa16bac1904a702a4fb163d9614058 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,65 +1,68 @@
* @runyontr @joshwolf @megamind
-# [Chart Values]
+# ^[Chart Values]
# chart/values.yaml
# chart/Chart.yaml
-[Docs Owners]
+^[Docs Owners]
docs/ @michaelmcleroy @egoode
-[Kustomize Base Owners]
+^[Kustomize Base Owners]
base/ @michaelmcleroy
-[CI Owners]
+^[CI Owners]
.gitlab-ci/ @zdzielinksi @iahmad @toladipupo
tests/ @zdzielinksi @iahmad @toladipupo
-[Hack Owners]
+^[Hack Owners]
scripts/ @zdzielinksi @iahmad @toladipupo @michaelmcleroy @egoode
hack/ @zdzielinksi @iahmad @toladipupo @michaelmcleroy @egoode
-[Istio and Authservice]
+^[Charter Owners]
+charter/ @runyontr @joshwolf
+
+^[Istio and Authservice]
chart/Chart.yaml @kenna81 @kavitha @cmcgrath
chart/values.yaml @kenna81 @kavitha @cmcgrath
chart/templates/authservice @kenna81 @kavitha @cmcgrath
chart/templates/istio @kenna81 @kavitha @cmcgrath
-[Anchore]
+^[Anchore]
chart/Chart.yaml
# chart/values.yaml
# chart/templates/argocd
-[ArgoCD]
+^[ArgoCD]
chart/Chart.yaml @matthew.kaiser
chart/values.yaml @matthew.kaiser
chart/templates/argocd @matthew.kaiser
-# [Cluster Auditor]
+# ^[Cluster Auditor]
# chart/Chart.yaml
# chart/values.yaml
# chart/templates/clusterauditor
-# [Gatekeeper]
+# ^[Gatekeeper]
# chart/Chart.yaml
# chart/values.yaml
# chart/templates/gatekeeper
-[Logging]
+^[Logging]
chart/Chart.yaml @kavitha @ryan.j.garcia
chart/values.yaml @kavitha @ryan.j.garcia
chart/templates/logging @kavitha @ryan.j.garcia
-[Monitoring]
+^[Monitoring]
chart/Chart.yaml @lynnstill @ryan.j.garcia
chart/values.yaml @lynnstill @ryan.j.garcia
chart/templates/monitoring @lynnstill @ryan.j.garcia
-[Twistlock]
+^[Twistlock]
chart/Chart.yaml @thomas.burton
chart/values.yaml @thomas.burton
chart/templates/twistlock @thomas.burton
-[Gitlab]
+^[Gitlab]
chart/Chart.yaml @egoode @kevin.wilder
chart/values.yaml @egoode @kevin.wilder
chart/templates/gitlab @egoode @kevin.wilder
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e79eb1445bfbdc93ee4cae62ddafe052e68c4436..cf785ab3f2788677c07f7f1c497301f9a59cd9ae 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -72,7 +72,7 @@ Here is a quick tip to squash all commits for a branch named `test`:
```
git checkout test
-git reset $(git merge-base master $(git rev-parse --abbrev-ref HEAD))
+git reset $(git merge-base origin/master $(git rev-parse --abbrev-ref HEAD))
git add -A
git commit -m "feat: example conventional commit"
git push --force
@@ -80,10 +80,10 @@ git push --force
## Iron Bank Images
-Per the [charter](https://repo1.dsop.io/platform-one/big-bang/charter), all Big Bang packages will leverage container images from [IronBank](https://ironbank.dsop.io/). In order to pull these images, ImagePullSecrets must be provided to BigBang. To obtain access to these images, follow the guides below. These steps should NOT be used for production since the API keys for a user are only valid when the user is logged into [Registry1](https://registry1.dsop.io)
+Per the [charter](https://repo1.dso.mil/platform-one/big-bang/charter), all Big Bang packages will leverage container images from [IronBank](https://ironbank.dso.mil/). In order to pull these images, ImagePullSecrets must be provided to BigBang. To obtain access to these images, follow the guides below. These steps should NOT be used for production since the API keys for a user are only valid when the user is logged into [Registry1](https://registry1.dso.mil)
-1) Register for a free Ironbank account [Here](https://sso-info.il2.dsop.io/new_account.html)
-1) Log into the [Iron Bank Registry](https://registry1.dsop.io), in the top right click your *Username* and then *User Profile* to get access to your *CLI secret*/API keys.
+1) Register for a free Ironbank account [Here](https://sso-info.il2.dso.mil/new_account.html)
+1) Log into the [Iron Bank Registry](https://registry1.dso.mil), in the top right click your *Username* and then *User Profile* to get access to your *CLI secret*/API keys.
1) When installing BigBang, set the Helm Values `registryCredentials.username` and `registryCredentials.password` to match your Registry1 username and API token
## Local Kubernetes cluster
@@ -99,7 +99,7 @@ k3d cluster create --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disa
For development, it is quicker to test changes without having to push to Git. To do this, we can bypass Flux2 and deploy Big Bang directly with its Helm chart.
-Start by creating `myvalues.yaml` to configure your local Big Bang. Big Bang's template repository contains a starter [development values.yaml](https://repo1.dsop.io/platform-one/big-bang/customers/template/-/blob/main/dev/configmap.yaml).
+Start by creating `myvalues.yaml` to configure your local Big Bang. Big Bang's template repository contains a starter [development values.yaml](https://repo1.dso.mil/platform-one/big-bang/customers/template/-/blob/main/dev/configmap.yaml).
Configure `myvalues.yaml` to suit your needs.
@@ -121,7 +121,7 @@ For more extensive development, use the [Development Guide](docs/c_development.m
## Testing Big Bang Development Changes
-Development changes should be tested using a full GitOps environment. The [Big Bang environment template](https://repo1.dsop.io/platform-one/big-bang/customers/template/) should be replicated, either on a branch or new repository, to start your deployment. Follow the instructions in the [template's readme](https://repo1.dsop.io/platform-one/big-bang/customers/template/-/tree/main/README.md) and in the [Big Bang docs](./docs) for configuration.
+Development changes should be tested using a full GitOps environment. The [Big Bang environment template](https://repo1.dso.mil/platform-one/big-bang/customers/template/) should be replicated, either on a branch or new repository, to start your deployment. Follow the instructions in the [template's readme](https://repo1.dso.mil/platform-one/big-bang/customers/template/-/tree/main/README.md) and in the [Big Bang docs](./docs) for configuration.
Follow the [Big Bang documentation](./docs) for testing a full deployment of Big Bang.
@@ -173,7 +173,7 @@ This stage is ran on every commit, and is a requirement for merging.
Ultimately, BigBang is designed to deploy production ready workloads on real infrastructure. While local and ephemeral clusters are excellent for fast feedback during development, changes must ultimately be tested on real clusters on real infrastructure.
-As part of BigBang's [charter](https://repo1.dsop.io/platform-one/big-bang/charter), it is expected work on any CNCF conformant kubernetes cluster, on multiple clouds, and on premise environments. By very definition, this means infrastructure testing is _slow_. To strive for a pipeline with a happy medium of providing fast feedback while still exhaustively testing against environments that closely mirror production, __infrastructure testing only occurs on manual actions on merge request commits.__
+As part of BigBang's [charter](https://repo1.dso.mil/platform-one/big-bang/charter), it is expected work on any CNCF conformant kubernetes cluster, on multiple clouds, and on premise environments. By very definition, this means infrastructure testing is _slow_. To strive for a pipeline with a happy medium of providing fast feedback while still exhaustively testing against environments that closely mirror production, __infrastructure testing only occurs on manual actions on merge request commits.__
When you are comfortable your branch is ready to be merged, opening up an merge request will trigger the creation of a suite of infrastructure testing jobs which will require a manual action from a project maintainer (assuming previous linting and smoke tests have passed). Once the commit(s) are validated against the infrastructure tests, your changes are ready to be merged!
@@ -191,7 +191,7 @@ For each cloud, a BigBang owned network will be created that conform with the ap
Several types of clusters are created within the previously provisioned network(s), and follow the vendors recommended iac approach.
-For example, an `rke2` cluster is created that leverages the upstream [terraform modules](https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform), and an `eks` cluster is created with the upstream [terraform modules](https://docs.microsoft.com/en-us/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks).
+For example, an `rke2` cluster is created that leverages the upstream [terraform modules](https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform), and an `eks` cluster is created with the upstream [terraform modules](https://docs.microsoft.com/en-us/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks).
It is a hard requriement at this stage that every cluster outputs an admin scoped `kubeconfig` as a gitlab ci artifact. This artifact will be leveraged in the following stages for interacting with the created cluster.
diff --git a/Packages.md b/Packages.md
index aec07a16b5df99b5eef937649efc770fb75d45cf..eed0978b74976abb9b735d3bd87350cc6eebedb8 100644
--- a/Packages.md
+++ b/Packages.md
@@ -4,22 +4,22 @@
| Package | Status |
| ---- | --- |
-| [Istio Operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) |  |
-| [Istio Controlplane](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane) |  |
-| [Monitoring](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring) |  |
-| [ECK Operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator) |  |
-| [Elasticsearch Kibana](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana) | |
-| [Fluentbit](https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit) |  |
-| [OPA Gatekeeper](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy) |  |
-| [Argocd](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd) | |
-| [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor) |  |
+| [Istio Operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) |  |
+| [Istio Controlplane](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane) |  |
+| [Monitoring](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring) |  |
+| [ECK Operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator) |  |
+| [Elasticsearch Kibana](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana) | |
+| [Fluentbit](https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit) |  |
+| [OPA Gatekeeper](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy) |  |
+| [Argocd](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd) | |
+| [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor) |  |
## Security
| Package | Status |
| ---- | --- |
-| [Keycloak](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) |  |
-| [Twistlock](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock) |  |
+| [Keycloak](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) |  |
+| [Twistlock](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock) |  |
| [Anchore Enterprise](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise) | 
| [Authservice](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice) | 
@@ -28,4 +28,4 @@
| Package | Status |
| ---- | --- |
| [Gitlab](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab) |  |
-| [Gitlab Runner](https://repo1.dsop.io/platform-one/big-bang/apps/developer-tools/gitlab-runner) |  |
+| [Gitlab Runner](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner) |  |
diff --git a/README.md b/README.md
index 363f8d9cc688c9954b9bf3e2ccf4585fb0676e51..9c606b4ecfdc68757d6f1b5fee415585adb286d0 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ Additional information can be found in [Big Bang Overview](./docs/1_overview.md)
## Getting Started
-To start using Big Bang, you will need to create your own Big Bang environment tailored to your needs. The [Big Bang customer template](https://repo1.dsop.io/platform-one/big-bang/customers/template/) is provided for you to copy into your own Git repository and begin modifications. Follow the instructions in [Big Bang Getting Started](./docs/2_getting_started.md) to customize and deploy Big Bang.
+To start using Big Bang, you will need to create your own Big Bang environment tailored to your needs. The [Big Bang customer template](https://repo1.dso.mil/platform-one/big-bang/customers/template/) is provided for you to copy into your own Git repository and begin modifications. Follow the instructions in [Big Bang Getting Started](./docs/2_getting_started.md) to customize and deploy Big Bang.
### Contributing
diff --git a/base/gitrepository.yaml b/base/gitrepository.yaml
index 9e20f13852b766b6ce6552e87c1de9ba494826a1..30a8b8ca92b845835b7665ce5951c8f71cef3d1e 100644
--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -9,6 +9,6 @@ spec:
/**/*.txt
/**/*.sh
interval: 10m
- url: https://repo1.dsop.io/platform-one/big-bang/umbrella.git
+ url: https://repo1.dso.mil/platform-one/big-bang/umbrella.git
ref:
- tag: 1.0.5
\ No newline at end of file
+ tag: 1.0.7
\ No newline at end of file
diff --git a/chart/ingress-certs.yaml b/chart/ingress-certs.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..607501b0c0af45796a2c0df5c0d5f0cf294aa80f
--- /dev/null
+++ b/chart/ingress-certs.yaml
@@ -0,0 +1,90 @@
+istio:
+ ingress:
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC/D0ec03HNoIEK
+ y1b58HynHMpf/ozsUmnQ5PRBlxMuf7kwMICaBpAwIiyKf8a34sBg3xv1KXe5hUlf
+ 0aOXhK3LRg3VMhRw0Q8bLwc3qaUViqqa3niYqsOjg3bTiTM/oQZDyN09oFJTvG2T
+ +bcpX6IdIu3elsXQL7iETtl6e3MKF+NrLh/nDXGh89suBxFmkKqlYi8OYgxa0smK
+ rRQdapRaCfdYwfhYUmpzP64YIkjBnjlHa+QM901iSC/p21Iog3iGM1VyeGKCjd3a
+ g9mm+es0MXVtvTR9nPJtVgfDN8izmdbEkKYcxsGuy9EWFkqzNpSRmIBAFmRE0RZa
+ khStc/5jAgMBAAECggEAXJb7DXUq4Yu2/ZQtQlLZFeNN79dcU+pcfW93L5IXKaGc
+ DU50BDDKD4mALF5f3x10PX3h/p1p9+4v8M+XiAY0cx4v9fGfFk06FOJljQQZjKb2
+ prbJmrKmvMco/rquq1dNwevFy+e1/f6C3ANYUCSYW6ZhwE0w8AMwWG4d1s2cona6
+ y+2dCBDmPPeZMAi6fV52G5YRULGkkfZTc9OJnx4Mivtuf8sjahNLnaLgL+kscf0s
+ amWpMqQ++EpXSj/bb1pNxqtQmm9bn9gxX8WWwUCVrZTpV4gmaoekhAU1H0CDglmH
+ 7ByeMYlVYZ40SPhTzWTqQJGQg/seSJBOHTm59vLygQKBgQDhEHpQ5QofK902RrH6
+ Nuoui8WUS4w8y3X+jJ/6WC7Wlp94H29+ag7Z9BOMw7ReKlICCwUYLpKO9oeTHKT/
+ LmIDq03Leduj34K5t/BHcMfwpGMabPRDgWM5r0rJUNxIGtqTpJmOEOHCB+yXRiTO
+ GJtuDmmL8Vkrh0S6xck7D2tHrwKBgQDZUkBwjtylRoRYflZspGwp3e5ECmNf2GYp
+ 9ZypaycDNDK06av0Jk+DNKQ3XFmRpID56lyUN4fPV/ICphPYE+C88J5rXAvdmG/7
+ 1UTZN68FaObNrwH2H1H5pdlCiaezIPXcjOfr9Fyf3q+W3mo54bnIc3uuXNTu8QSA
+ W1S4uahtjQKBgQDg9hp872M9oxebH/DYHLnZSqZ0Q0tqnShVBnUFw80Vezrs0+ca
+ 4aH0o25DHn8UPJL6Lc+qyyp9Mdhz6IbX9qHL7xd0klpDo67EOiI3FnkThQz2Jf/F
+ 1fe7egZz0ZpNjGH8f+NoyGEQE+Gdl2REiP4bdNZ1JgmuY6gEVJx+pzvhSwKBgQCU
+ ZDOYKBTFzibkfi/pM0SgOehOEYHVml/4WrvEe2RCLcxJ+BzwM5CrmLBhFPAcIOXo
+ wHzCwEA99mFMKbb3Hmug1/R0fn+jqkkc/n1qjTk3Sm//FncSZkSFYRe+9VvLVsBK
+ /vQGC++LQnVHYUvLhjRjiWd0ofLLzUszkimBkVROqQKBgQDbF8zopHsx9esG56wa
+ swAacYfmfqS6d2WOGdMVX4lLBm6i8AXjsUPDM7uCPgFYNME8nabnCUUUUp/ay9K9
+ y0MSGIBODQBuG3oQh50WFrMS9DS81CeN6Pw0OfyJbcVipfzR91enLVrtu2VHR6k/
+ yaBUIExh8TljUL3lXmmsogyTtA==
+ -----END PRIVATE KEY-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFbjCCBFagAwIBAgISAw26hxsmWVkOG9m/gVhtkSG5MA0GCSqGSIb3DQEBCwUA
+ MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+ EwJSMzAeFw0yMTAxMTYwMDQwNDNaFw0yMTA0MTYwMDQwNDNaMBwxGjAYBgNVBAMM
+ ESouZGV2LmJpZ2JhbmcuZGV2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+ AQEAvw9HnNNxzaCBCstW+fB8pxzKX/6M7FJp0OT0QZcTLn+5MDCAmgaQMCIsin/G
+ t+LAYN8b9Sl3uYVJX9Gjl4Sty0YN1TIUcNEPGy8HN6mlFYqqmt54mKrDo4N204kz
+ P6EGQ8jdPaBSU7xtk/m3KV+iHSLt3pbF0C+4hE7ZentzChfjay4f5w1xofPbLgcR
+ ZpCqpWIvDmIMWtLJiq0UHWqUWgn3WMH4WFJqcz+uGCJIwZ45R2vkDPdNYkgv6dtS
+ KIN4hjNVcnhigo3d2oPZpvnrNDF1bb00fZzybVYHwzfIs5nWxJCmHMbBrsvRFhZK
+ szaUkZiAQBZkRNEWWpIUrXP+YwIDAQABo4ICkjCCAo4wDgYDVR0PAQH/BAQDAgWg
+ MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
+ A1UdDgQWBBTrbZ6+wAuQ0OIBbN8V8hXbLkufuDAfBgNVHSMEGDAWgBQULrMXt1hW
+ y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
+ Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
+ b3JnLzBjBgNVHREEXDBagg0qLmJpZ2JhbmcuZGV2ghUqLmRlZmF1bHQuYmlnYmFu
+ Zy5kZXaCESouZGV2LmJpZ2JhbmcuZGV2ghIqLnRlc3QuYmlnYmFuZy5kZXaCC2Jp
+ Z2JhbmcuZGV2MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgw
+ JgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYB
+ BAHWeQIEAgSB9ASB8QDvAHYARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2
+ gagAAAF3CNoNOwAABAMARzBFAiBCxBHYF5SXNE+UcCZRftFb+5XE+Onj8HtC4atE
+ kNm6qQIhANFpOLxz2e3JwrwHKdadcBDwc+Q2xLPYKJHpyQUVMJboAHUA9lyUL9F3
+ MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF3CNoNGgAABAMARjBEAiADpTYm
+ 547TFUjhV83thTmZWJWsYZRzsZMeo7EamHedBgIgf92OPEoJGOGTmMUHR5nmEIgv
+ OU/BA5PVyEYOrHL42mYwDQYJKoZIhvcNAQELBQADggEBAAqLJb4kCmqtYUeWIFJH
+ gpqpYN2twKos3CxVSJoWz3keU40t21/IrqziZkFffoGOTtuBzaX8xsPPz1Vpp+4G
+ WKHVZLb46ykDFPGL9+GaoUKOscxqdWHyN1abH5QFq7lYlH6AyJJ7qIj7RYIJRYIr
+ XuDGFpw7pxzM/laud/mZP9rztG3xbcFxxuYxCTqB53PUnMF1VfXAgsGz9l8Z91VU
+ KQQxckFwe2xunlB6HqUg3ahJOHNdDLuFPz6WS35Eyl+xf2gXFW1jYpxOJRpzsxp9
+ aVIrak3GIa7QgCav++5tue++YM2TqrWqq9GM1ixPG7HRCIbGYh31Hs462qlLOIAn
+ PKE=
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
+ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+ DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
+ MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
+ AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
+ jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
+ Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
+ U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
+ gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
+ /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
+ oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+ BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
+ ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
+ p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
+ AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
+ Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
+ LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
+ r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
+ AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
+ ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
+ S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
+ qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
+ O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
+ UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+ -----END CERTIFICATE-----
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 7d880f70c297d911f473022ea70648bbb5126124..59c1ea69e50069ab656623b3f4975b22be52b605 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -71,4 +71,14 @@ Build common set of file extensions to include/exclude
/**/*.md
/**/*.txt
/**/*.sh
+{{- end -}}
+
+{{/*
+Common labels for all objects
+*/}}
+{{- define "commonLabels" -}}
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/version: "{{ .Chart.Version }}"
+app.kubernetes.io/part-of: "bigbang"
+app.kubernetes.io/managed-by: "flux"
{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/argocd/argocd-helmrelease.yaml b/chart/templates/argocd/argocd-helmrelease.yaml
index 629c66baa7580e7933256d282910615d35d6f2d2..300e50f3d71f412cd7d550c4d185319a8bdf8ba7 100644
--- a/chart/templates/argocd/argocd-helmrelease.yaml
+++ b/chart/templates/argocd/argocd-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: argocd
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: argocd
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: argocd
chart:
@@ -31,7 +35,6 @@ spec:
timeout: {{ .rollback.timeout }}
cleanupOnFail: {{ .rollback.cleanupOnFail }}
{{- end }}
-
valuesFrom:
- name: values
kind: Secret
@@ -39,7 +42,17 @@ spec:
values:
hostname: {{ .Values.hostname }}
createNamespace: false
- imagePullSecrets:
+ global:
+ imagePullSecrets:
+ - name: private-registry
+ controller:
+ imagePullSecrets:
+ - name: private-registry
+ dex:
+ imagePullSecrets:
+ - name: private-registry
+ redis:
+ imagePullSecrets:
- name: private-registry
server:
config:
diff --git a/chart/templates/argocd/gitrepository.yaml b/chart/templates/argocd/gitrepository.yaml
index f598d536e8899cb89f8957d5f2e586c09c3645ad..35b2b9ce53c7da857decb1b1e0e82463c7631cd4 100644
--- a/chart/templates/argocd/gitrepository.yaml
+++ b/chart/templates/argocd/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: argocd
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: argocd
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.addons.argocd.git.repo }}
diff --git a/chart/templates/argocd/namespace.yaml b/chart/templates/argocd/namespace.yaml
index 5c5537b0284c6efb044b2794bef08eb09880968c..728766b1cc7420480bb974a2d29c2ef09833523e 100644
--- a/chart/templates/argocd/namespace.yaml
+++ b/chart/templates/argocd/namespace.yaml
@@ -3,7 +3,9 @@ apiVersion: v1
kind: Namespace
metadata:
labels:
- app: {{ .Release.Name }}-argocd
+ app.kubernetes.io/name: authservice
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
name: argocd
---
diff --git a/chart/templates/authservice/authservice-helmrelease.yaml b/chart/templates/authservice/authservice-helmrelease.yaml
index 1d86682814310aacf132e7558793381c9652dd11..feb288e7372511fbaf0c554115a4c6e7ad174720 100644
--- a/chart/templates/authservice/authservice-helmrelease.yaml
+++ b/chart/templates/authservice/authservice-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: authservice
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: authservice
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: authservice
chart:
@@ -38,7 +42,7 @@ spec:
valuesKey: "authservice.yaml"
values:
imagePullSecrets:
- - name: private-registry
+ - name: private-registry
global:
oidc:
host: {{ .Values.sso.oidc.host }}
diff --git a/chart/templates/authservice/gitrepository.yaml b/chart/templates/authservice/gitrepository.yaml
index d305260f1cadeb5480c1fa2af92b27849447402b..2f7ddc128c676b63393909eedbaa2b67602486f6 100644
--- a/chart/templates/authservice/gitrepository.yaml
+++ b/chart/templates/authservice/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: authservice
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: authservice
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.addons.authservice.git.repo }}
diff --git a/chart/templates/clusterauditor/clusterauditor-helmrelease.yaml b/chart/templates/clusterauditor/clusterauditor-helmrelease.yaml
index f10790a78a7e5c309f1629fe7fdeb335fab47e03..04b9724c19e3b0722a93766caf85d72ca48be661 100644
--- a/chart/templates/clusterauditor/clusterauditor-helmrelease.yaml
+++ b/chart/templates/clusterauditor/clusterauditor-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: cluster-auditor
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: cluster-auditor
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: logging
chart:
@@ -38,8 +42,9 @@ spec:
valuesKey: "clusterauditor.yaml"
values:
- #conversion from umbrella values to package values
- imagePullSecrets: [ private-registry ]
+ elasticsearch:
+ imagePullSecrets:
+ - name: private-registry
dependsOn:
- name: ek
diff --git a/chart/templates/clusterauditor/gitrepository.yaml b/chart/templates/clusterauditor/gitrepository.yaml
index 4fb205224848ba8e01a528a2cea4e32e4f4b8f69..8e90e32f25b38c802bb0a945f75f05a70844ecf4 100644
--- a/chart/templates/clusterauditor/gitrepository.yaml
+++ b/chart/templates/clusterauditor/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: cluster-auditor
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: cluster-auditor
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.clusterAuditor.git.repo }}
diff --git a/chart/templates/clusterauditor/namespace.yaml b/chart/templates/clusterauditor/namespace.yaml
deleted file mode 100644
index 5fbb31f86282a5556e059e54c4b339e27c41fce9..0000000000000000000000000000000000000000
--- a/chart/templates/clusterauditor/namespace.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.gatekeeper.enabled }}
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- app: {{ .Release.Name }}-cluster-auditor
- name: cluster-auditor
-
----
-{{- if ( include "imagePullSecret" . ) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: private-registry
- namespace: cluster-auditor
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: {{ template "imagePullSecret" . }}
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
index c0b6fe44ecaa456ec4c79c32db0ef84221d2d610..b6949f8a76e6d2220604197f3f6e14e92bd0f0c0 100644
--- a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
+++ b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: gatekeeper
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: gatekeeper
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: gatekeeper-system
chart:
@@ -39,10 +43,10 @@ spec:
values:
image:
- repository: registry1.dsop.io/ironbank/opensource/openpolicyagent/gatekeeper
+ repository: registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper
release: v3.1.2
disableValidatingWebhook: true
createNamespace: false
imagePullSecrets:
- - name: private-registry
+ - name: private-registry
{{- end }}
\ No newline at end of file
diff --git a/chart/templates/gatekeeper/gitrepository.yaml b/chart/templates/gatekeeper/gitrepository.yaml
index cdea27f0beaf794ea52335b416df59756b032f64..f08f226ecd59b064c47e1abc02520fb208b8ad90 100644
--- a/chart/templates/gatekeeper/gitrepository.yaml
+++ b/chart/templates/gatekeeper/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: gatekeeper
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: gatekeeper
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.gatekeeper.git.repo }}
diff --git a/chart/templates/gatekeeper/namespace.yaml b/chart/templates/gatekeeper/namespace.yaml
index 0be0ac6710e53c2245c128557c858ee9b04ff3de..e4e924baf3537e2842db9ad31a7c21abc413b57f 100644
--- a/chart/templates/gatekeeper/namespace.yaml
+++ b/chart/templates/gatekeeper/namespace.yaml
@@ -4,9 +4,11 @@ kind: Namespace
metadata:
labels:
admission.gatekeeper.sh/ignore: no-self-managing
- app: {{ .Release.Name }}-gatekeeper
control-plane: controller-manager
gatekeeper.sh/system: "yes"
+ app.kubernetes.io/name: gatekeeper
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
name: gatekeeper-system
---
@@ -16,6 +18,10 @@ kind: Secret
metadata:
name: private-registry
namespace: gatekeeper-system
+ labels:
+ app.kubernetes.io/name: gatekeeper
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/gitlab/gitrepository.yaml b/chart/templates/gitlab/gitrepository.yaml
index b8ce163c1813241247a1107e3d1b227e882f401e..92ac86a63c06c2dc77bb3d250f922a35c707933b 100644
--- a/chart/templates/gitlab/gitrepository.yaml
+++ b/chart/templates/gitlab/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: gitlab
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: gitlab
+ app.kubernetes.io/component: "developer-tools"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.addons.gitlab.git.repo }}
diff --git a/chart/templates/gitlab/helmrelease.yaml b/chart/templates/gitlab/helmrelease.yaml
index 5cb2f2c4659a372b5aa283d56c713f2d63eb65ed..75d2b8a218bdc3d19bff1206a908795ea2187e41 100644
--- a/chart/templates/gitlab/helmrelease.yaml
+++ b/chart/templates/gitlab/helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: gitlab
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: gitlab
+ app.kubernetes.io/component: "developer-tools"
+ {{- include "commonLabels" . | nindent 4}}
spec:
releaseName: gitlab
targetNamespace: gitlab
diff --git a/chart/templates/gitlab/namespace.yaml b/chart/templates/gitlab/namespace.yaml
index 306742c3312a36593ceaf06042f543a21e6c9415..f521cc953dacf0300b8cd2193b190fa56c4ceb5b 100644
--- a/chart/templates/gitlab/namespace.yaml
+++ b/chart/templates/gitlab/namespace.yaml
@@ -3,7 +3,9 @@ apiVersion: v1
kind: Namespace
metadata:
labels:
- app: gitlab
+ app.kubernetes.io/name: gitlab
+ app.kubernetes.io/component: "developer-tools"
+ {{- include "commonLabels" . | nindent 4}}
name: gitlab
---
{{- if ( include "imagePullSecret" . ) }}
@@ -12,6 +14,10 @@ kind: Secret
metadata:
name: private-registry
namespace: gitlab
+ labels:
+ app.kubernetes.io/name: gitlab
+ app.kubernetes.io/component: "developer-tools"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/istio/controlplane/gitrepository.yaml b/chart/templates/istio/controlplane/gitrepository.yaml
index 676c4cd4d81b165e6e6d895f96662d9ad1e36cf6..846863a2ed57b820c8d4928f95449726cd3ca38b 100644
--- a/chart/templates/istio/controlplane/gitrepository.yaml
+++ b/chart/templates/istio/controlplane/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: istio-controlplane
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: istio-controlplane
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.istio.git.repo }}
diff --git a/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml b/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml
index 1488bae59ab01ad7a4e8891582381ded472494a4..9c28d6af50f81be0f253c9f157083da082341aa8 100644
--- a/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml
+++ b/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: istio
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: istio-controlplane
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: istio-system
chart:
diff --git a/chart/templates/istio/controlplane/namespace.yaml b/chart/templates/istio/controlplane/namespace.yaml
index e85b31d6f16a59d8a19020e5129f1163f893772e..451102e7ed75a3f3a6f924882ad6018163d1a6bf 100644
--- a/chart/templates/istio/controlplane/namespace.yaml
+++ b/chart/templates/istio/controlplane/namespace.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
kind: Namespace
metadata:
name: istio-system
+ labels:
+ app.kubernetes.io/name: istio-controlplane
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
{{- if ( include "imagePullSecret" . ) }}
---
apiVersion: v1
@@ -10,8 +14,28 @@ kind: Secret
metadata:
name: private-registry
namespace: istio-system
+ labels:
+ app.kubernetes.io/name: istio-controlplane
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
{{- end }}
+---
+{{- if and .Values.istio.ingress.key .Values.istio.ingress.cert }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: wildcard-cert
+ namespace: istio-system
+ labels:
+ app.kubernetes.io/name: istio-controlplane
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.istio.ingress.cert | b64enc }}
+ tls.key: {{ .Values.istio.ingress.key | b64enc}}
+{{- end }}
{{- end }}
\ No newline at end of file
diff --git a/chart/templates/istio/operator/gitrepository.yaml b/chart/templates/istio/operator/gitrepository.yaml
index 191ec1c2c7dffb3feb6027d3b1e556a060d2c3df..f7b7bbc59897be7f1dbe2a1b6617f5f186f084c9 100644
--- a/chart/templates/istio/operator/gitrepository.yaml
+++ b/chart/templates/istio/operator/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: istio-operator
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: istio-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.istiooperator.git.repo }}
diff --git a/chart/templates/istio/operator/istio-operator-helmrelease.yaml b/chart/templates/istio/operator/istio-operator-helmrelease.yaml
index a6d78e8a8a5d8fa74ae71112060efaf7e559cbe9..fa147fdf1363a9d7d21287813241cc03344e5faa 100644
--- a/chart/templates/istio/operator/istio-operator-helmrelease.yaml
+++ b/chart/templates/istio/operator/istio-operator-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: istio-operator
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: istio-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: istio-operator
chart:
@@ -38,7 +42,7 @@ spec:
valuesKey: "istiooperator.yaml"
values:
- hub: registry1.dsop.io/ironbank/opensource/istio
+ hub: registry1.dso.mil/ironbank/opensource/istio
tag: 1.7.3
createNamespace: false
diff --git a/chart/templates/istio/operator/namespace.yaml b/chart/templates/istio/operator/namespace.yaml
index cc80d914aa650fa88f2aa17bb6ec833a1459edac..3cc5860a38515d9711412613529770277aa6361f 100644
--- a/chart/templates/istio/operator/namespace.yaml
+++ b/chart/templates/istio/operator/namespace.yaml
@@ -6,6 +6,9 @@ metadata:
labels:
istio-operator-managed: Reconcile
istio-injection: disabled
+ app.kubernetes.io/name: istio-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
{{- if ( include "imagePullSecret" . ) }}
---
apiVersion: v1
@@ -13,6 +16,10 @@ kind: Secret
metadata:
name: private-registry
namespace: istio-operator
+ labels:
+ app.kubernetes.io/name: istio-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml b/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
index bf28ac3acf802f4772aadc9c9ca7bb82179ab50d..649b48246aa5566a0ca2c14196da3e362a1679e9 100644
--- a/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
+++ b/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: eck-operator
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: eck-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: eck-operator
chart:
diff --git a/chart/templates/logging/eck-operator/gitrepository.yaml b/chart/templates/logging/eck-operator/gitrepository.yaml
index 06430d16484adc62598a6400b512bcdb9fb08d6e..6ce19f0582985122d70afde82b931c02f42d2f29 100644
--- a/chart/templates/logging/eck-operator/gitrepository.yaml
+++ b/chart/templates/logging/eck-operator/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: eck-operator
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: eck-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.eckoperator.git.repo }}
diff --git a/chart/templates/logging/eck-operator/namespace.yaml b/chart/templates/logging/eck-operator/namespace.yaml
index c6d1fdca189cdc6918401fe0adce4988ab9e11d1..fffec18f0a2125e3da9b5f663dbd2e55e608e542 100644
--- a/chart/templates/logging/eck-operator/namespace.yaml
+++ b/chart/templates/logging/eck-operator/namespace.yaml
@@ -3,7 +3,10 @@ apiVersion: v1
kind: Namespace
metadata:
name: eck-operator
-
+ labels:
+ app.kubernetes.io/name: eck-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
---
{{- if ( include "imagePullSecret" . ) }}
apiVersion: v1
@@ -11,6 +14,10 @@ kind: Secret
metadata:
name: private-registry
namespace: eck-operator
+ labels:
+ app.kubernetes.io/name: eck-operator
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
index b67dda2c192fe23febc5ddd8d40289e399f0ee68..e735bc26f1decddfa0542d923087252b70cbdd3c 100644
--- a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: ek
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: logging
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: logging
chart:
@@ -44,11 +48,11 @@ spec:
kibana:
version: 7.9.2
imagePullSecrets:
- - name: private-registry
+ - name: private-registry
elasticsearch:
version: 7.9.2
imagePullSecrets:
- - name: private-registry
+ - name: private-registry
{{/* ECK and Logging _always_ depend on .Values.logging being enabled, so can assume they exist here */}}
dependsOn:
diff --git a/chart/templates/logging/elasticsearch-kibana/gitrepository.yaml b/chart/templates/logging/elasticsearch-kibana/gitrepository.yaml
index c9c1902ca7ba21ff6d240bbaaa21e836e9ede61b..562ba653d6b2d6d313a90468337ef82b34ed5cb2 100644
--- a/chart/templates/logging/elasticsearch-kibana/gitrepository.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: elasticsearch-kibana
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: logging
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.logging.git.repo }}
diff --git a/chart/templates/logging/elasticsearch-kibana/namespace.yaml b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
index 99fecb889d41cfce04d2fc76aad2a580570b2310..c75283668b8519d69778e5ff60e9fe2557f3adf5 100644
--- a/chart/templates/logging/elasticsearch-kibana/namespace.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
@@ -4,6 +4,10 @@ apiVersion: v1
kind: Namespace
metadata:
name: logging
+ labels:
+ app.kubernetes.io/name: logging
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
---
{{- if ( include "imagePullSecret" . ) }}
apiVersion: v1
@@ -11,6 +15,10 @@ kind: Secret
metadata:
name: private-registry
namespace: logging
+ labels:
+ app.kubernetes.io/name: logging
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/logging/fluentbit/fluentbit-helmrelease.yaml b/chart/templates/logging/fluentbit/fluentbit-helmrelease.yaml
index 70d1e983dcdc00bef6a269098ea1ecc518e8123c..60dcbc10ef2d8b2e55a2fad66b01ff4848dff507 100644
--- a/chart/templates/logging/fluentbit/fluentbit-helmrelease.yaml
+++ b/chart/templates/logging/fluentbit/fluentbit-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: fluent-bit
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: logging
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: logging
chart:
diff --git a/chart/templates/logging/fluentbit/gitrepository.yaml b/chart/templates/logging/fluentbit/gitrepository.yaml
index 7a5c0b29444b837a161a9a00f110f4e7a702fe6d..327d8c320334e78363007b5a451d5e5c18c5d578 100644
--- a/chart/templates/logging/fluentbit/gitrepository.yaml
+++ b/chart/templates/logging/fluentbit/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: fluentbit
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: logging
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.fluentbit.git.repo }}
diff --git a/chart/templates/monitoring/gitrepository.yaml b/chart/templates/monitoring/gitrepository.yaml
index 499084c2897ba13788a3813dcd43a2ad091e4408..8a667a26811b7cfa85183df1bdf86319bba34c17 100644
--- a/chart/templates/monitoring/gitrepository.yaml
+++ b/chart/templates/monitoring/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: monitoring
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: monitoring
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.monitoring.git.repo }}
diff --git a/chart/templates/monitoring/monitoring-helmrelease.yaml b/chart/templates/monitoring/monitoring-helmrelease.yaml
index 946a2f7ebe8373bcd5b7063d1b5259d003a5dd69..11eb3f117a6454cb2a5d6bd07f4b32e7b395158c 100644
--- a/chart/templates/monitoring/monitoring-helmrelease.yaml
+++ b/chart/templates/monitoring/monitoring-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: monitoring
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: monitoring
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: monitoring
chart:
@@ -45,11 +49,29 @@ spec:
enabled: {{ .Values.monitoring.sso.enabled }}
global:
imagePullSecrets:
- - name: private-registry
+ - name: private-registry
grafana:
image:
pullSecrets:
- private-registry
+ grafana.ini:
+{{- if .Values.istio.enabled }}
+ server:
+ root_url: https://grafana.{{ .Values.hostname }}/
+{{- end }}
+ auth:
+ signout_redirect_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout
+ auth.generic_oauth:
+ enabled: {{ .Values.monitoring.sso.enabled }}
+ client_id: {{ .Values.monitoring.sso.grafana.client_id }}
+ client_secret: {{ .Values.monitoring.sso.grafana.client_secret }}
+ scopes: {{ .Values.monitoring.sso.grafana.scopes | default "openid profile email" }}
+ auth_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth
+ token_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token
+ api_url: https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/userinfo
+ allow_sign_up: {{ .Values.monitoring.sso.grafana.allow_sign_up | default "True" }}
+ role_attribute_path: {{ .Values.monitoring.sso.grafana.role_attribute_path | default "Viewer" }}
+
prometheus-node-exporter:
serviceAccount:
imagePullSecrets:
@@ -82,4 +104,4 @@ spec:
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/chart/templates/monitoring/namespace.yaml b/chart/templates/monitoring/namespace.yaml
index b0e2c0707489c4bfb4fb6591dbac3b795c29109d..e4a13b500c9e1cfb5c99753e5ed350d9bc93d24b 100644
--- a/chart/templates/monitoring/namespace.yaml
+++ b/chart/templates/monitoring/namespace.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
kind: Namespace
metadata:
name: monitoring
+ labels:
+ app.kubernetes.io/name: monitoring
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
---
{{- if ( include "imagePullSecret" . ) }}
apiVersion: v1
@@ -10,6 +14,10 @@ kind: Secret
metadata:
name: private-registry
namespace: monitoring
+ labels:
+ app.kubernetes.io/name: monitoring
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/twistlock/gitrepository.yaml b/chart/templates/twistlock/gitrepository.yaml
index 85893fbea7aaac6961335e9b8756d5a65da6c899..f7f285a902bddb124bda7db5740cd3ff7c8fd78b 100644
--- a/chart/templates/twistlock/gitrepository.yaml
+++ b/chart/templates/twistlock/gitrepository.yaml
@@ -4,6 +4,10 @@ kind: GitRepository
metadata:
name: twistlock
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: twistlock
+ app.kubernetes.io/component: "security"
+ {{- include "commonLabels" . | nindent 4}}
spec:
interval: {{ .Values.flux.interval }}
url: {{ .Values.twistlock.git.repo }}
diff --git a/chart/templates/twistlock/namespace.yaml b/chart/templates/twistlock/namespace.yaml
index 2757133a64ad63f39a4f00e23bf40caededd5c71..ea488c39ca474ed02a9aa65888a7c23f126dc5d6 100644
--- a/chart/templates/twistlock/namespace.yaml
+++ b/chart/templates/twistlock/namespace.yaml
@@ -3,6 +3,10 @@ apiVersion: v1
kind: Namespace
metadata:
name: twistlock
+ labels:
+ app.kubernetes.io/name: twistlock
+ app.kubernetes.io/component: "security"
+ {{- include "commonLabels" . | nindent 4}}
---
{{- if ( include "imagePullSecret" . ) }}
apiVersion: v1
@@ -10,6 +14,10 @@ kind: Secret
metadata:
name: private-registry
namespace: twistlock
+ labels:
+ app.kubernetes.io/name: twistlock
+ app.kubernetes.io/component: "security"
+ {{- include "commonLabels" . | nindent 4}}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecret" . }}
diff --git a/chart/templates/twistlock/twistlock-helmrelease.yaml b/chart/templates/twistlock/twistlock-helmrelease.yaml
index 722a9f47a5bfc1e4ee74cdc215885db03ab4ac55..f2298ee25b2426a4933dc5f669bbda25ff17eb98 100644
--- a/chart/templates/twistlock/twistlock-helmrelease.yaml
+++ b/chart/templates/twistlock/twistlock-helmrelease.yaml
@@ -4,6 +4,10 @@ kind: HelmRelease
metadata:
name: twistlock
namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: twistlock
+ app.kubernetes.io/component: "security"
+ {{- include "commonLabels" . | nindent 4}}
spec:
targetNamespace: twistlock
chart:
diff --git a/chart/values.yaml b/chart/values.yaml
index ffa4b8ea060d828270bd55458bfe7bc6c5419521..0f77edf76fafbf21704cfa37c1502cc3b06fdf35 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -6,14 +6,14 @@ offline: false
# Regisitires can be an explicit map of registries as provided here
registryCredentials:
- registry: registry1.dsop.io
+ registry: registry1.dso.mil
username: ""
password: ""
email: ""
# Or a list of registires:
# registryCredentials:
-# - registry: registry1.dsop.io
+# - registry: registry.dso.mil
# username: user.name
# password: user-secret
# email: xxx@xxx.xxx
@@ -21,7 +21,7 @@ registryCredentials:
# username: user.name
# password: user-secret
# email: xxx@xxx.xxx
-# - registry: registry.dso.mil
+# - registry: registry.example.com
# username: user.name
# password: user-secret
# email: xxx@xxx.xxx
@@ -73,9 +73,12 @@ flux:
istio:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
path: "./chart"
- tag: "1.7.3-bb.6"
+ tag: "1.7.3-bb.7"
+ ingress:
+ key: ""
+ cert: ""
sso:
enabled: false
kiali:
@@ -89,9 +92,9 @@ istio:
istiooperator:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-operator.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
path: "./chart"
- tag: "1.7.0-bb.0"
+ tag: "1.7.0-bb.1"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -101,9 +104,9 @@ istiooperator:
clusterAuditor:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/cluster-auditor.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
path: "./chart"
- tag: "0.1.7-bb.0"
+ tag: "0.1.8-bb.1"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -113,9 +116,9 @@ clusterAuditor:
gatekeeper:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/policy.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
path: "./chart"
- tag: "3.1.2-bb.2"
+ tag: "3.1.2-bb.3"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -125,25 +128,25 @@ gatekeeper:
logging:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/elasticsearch-kibana.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
path: "./chart"
- tag: "0.1.2-bb.0"
+ tag: "0.1.3-bb.1"
values: {}
eckoperator:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/eck-operator.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
path: "./chart"
- tag: "1.3.0-bb.2"
+ tag: "1.3.0-bb.3"
values: {}
fluentbit:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/fluentbit.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
path: "./chart"
- tag: "0.1.0-bb.0"
+ tag: "0.1.0-bb.1"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -153,9 +156,9 @@ fluentbit:
monitoring:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
path: "./chart"
- tag: "11.0.0-bb.6"
+ tag: "11.0.0-bb.10"
sso:
enabled: false
prometheus:
@@ -167,6 +170,9 @@ monitoring:
grafana:
client_id: grafana
client_secret: "change_me"
+ scopes: ""
+ allow_sign_up: "true"
+ role_attribute_path: "Viewer"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -176,9 +182,9 @@ monitoring:
twistlock:
enabled: true
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
path: "./chart"
- tag: "0.0.2-bb.0"
+ tag: "0.0.2-bb.1"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -206,9 +212,9 @@ addons:
argocd:
enabled: false
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/argocd.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
path: "./chart"
- tag: "2.9.5-bb.2"
+ tag: "2.9.5-bb.4"
values: {}
authservice:
@@ -220,9 +226,9 @@ addons:
# callback_uri: "https://somecallback"
enabled: false
git:
- repo: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice.git
path: "./chart"
- tag: "0.1.6-bb.0"
+ tag: "0.1.6-bb.1"
# Dont put chain configuraitons in this section
values: {}
# Put additional chain configuration in this section
@@ -236,9 +242,9 @@ addons:
tag: "4.2.0-bb.1"
haproxy:
+ enabled: false
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git
path: "./chart"
tag: 1.1.2-bb.0
values: {}
-
diff --git a/charter/BigBang.md b/charter/BigBang.md
new file mode 100644
index 0000000000000000000000000000000000000000..1f1c22c3eba4d48fe2d93ea928318845b384212b
--- /dev/null
+++ b/charter/BigBang.md
@@ -0,0 +1,3 @@
+# Big Bang
+
+The end consumable of the Big Bang team is a single consumable that allows the installation of all supported [Big Bang Packages](BigBangPackages.md).
diff --git a/charter/BigBangPackages.md b/charter/BigBangPackages.md
new file mode 100644
index 0000000000000000000000000000000000000000..ae95477f39cea17708347404780e55996cca0b0d
--- /dev/null
+++ b/charter/BigBangPackages.md
@@ -0,0 +1,606 @@
+# Big Bang Packages
+
+Each Big Bang Package is present in the [Big Bang Package](https://repo1.dso.mil/platform-one/big-bang/apps) repository and broken up into several sub-groupings.
+
+Each package has _at least_ two `CODEOWNERS`. Responsibilities are outlined [here](ApplicationOwners.md).
+
+[[_TOC_]]
+
+## Dependencies
+
+```mermaid
+graph TB
+ subgraph "Core"
+ subgraph "Logging"
+ LoggingElastic(Elasticsearch)
+ LoggingKibana(Kibana)
+ LoggingECK(ECK)
+ LoggingElastic --> LoggingECK
+ LoggingKibana --> LoggingECK
+ LoggingKibana --> LoggingElastic
+ Fluentd --> LoggingElastic
+ end
+ subgraph "Monitoring"
+ Grafana --> Prometheus
+ Thanos
+ end
+ ServiceMesh
+ ArgoCD
+
+ ClusterAuditor --> LoggingECK
+ ClusterAuditor --> OPA(Policy Enforcement)
+ end
+
+ subgraph "Package Utilities"
+ Postgres
+ MinIO(S3 Compatible Storage)
+ Redis
+ MySQL
+ MongoDB
+ end
+
+ subgraph "Security"
+ Keycloak --> Postgres
+ Anchore(Anchore Enterprise) --> Postgres
+ Twistlock
+ end
+
+ subgraph "Developer Tools"
+ GitLab --> GitLabRunners(GitLab Runners)
+ GitLab --> MinIO
+ GitLab --> Redis
+ GitLab --> Postgres
+ Sonarqube --> Postgres
+ end
+
+ subgraph "Collaboration Tools"
+ Jira --> Postgres
+ Confluence --> Postgres
+ MatterMost --> MinIO
+ end
+
+```
+
+
+## Core
+
+Core packages are supported Big Bang packages that have to be enabled and are located at [Big Bang Core](https://repo1.dso.mil/platform-one/big-bang/apps/core). Core packages are platform/admin level packages that are leveraged by other packages.
+
+```mermaid
+graph TB
+ subgraph "Core"
+ subgraph "Logging"
+ LoggingElastic(Elasticsearch)
+ LoggingKibana(Kibana)
+ LoggingECK(ECK)
+ LoggingElastic --> LoggingECK
+ LoggingKibana --> LoggingECK
+ LoggingKibana --> LoggingElastic
+ Fluentd --> LoggingElastic
+ end
+ subgraph "Monitoring"
+ Grafana --> Prometheus
+ Thanos
+ end
+ ServiceMesh
+ ArgoCD
+ Twistlock
+
+ ClusterAuditor --> LoggingECK
+ ClusterAuditor --> OPA(Policy Enforcement)
+ end
+```
+
+### ArgoCD
+
+Product:
+
+* [ArgoCD](https://argoproj.github.io/argo-cd/)
+
+Repository:
+
+* [ArgoCD Repo](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd)
+
+Dependency: None
+
+Owners:
+
+* @joshwolf - Rancher Federal
+* @karchaf
+
+Understudy:
+
+* @kavitha
+
+### Service Mesh
+
+Current implementation of Service Mesh is provided by Istio. Service Mesh should be the first Package deployed to ensure other applications are operating with visibility and security.
+
+Product:
+
+* [Istio](https://istio.io/)
+
+Repository:
+
+* [Istio-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator)
+* [Istio-controlplane](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane)
+
+Dependency: None
+
+Owners:
+
+* @runyontr - Runyon Solutions
+
+Understudy:
+
+* Chris McGrath
+* @kavitha
+* @kenna81
+
+### Logging
+
+The logging package is responsible for deploying Elasticsearch, Kibana, and Fluentd. It is also responsible for configuring the logging pipelines to aggregate all running containers logs for viewing by both Cluster Owners and Application Operators.
+
+The logging capability is comprised of:
+
+* Elastic Cloud on Kubernetes (ECK) Operator
+* Elasticsearch
+* Kibana
+* Fluentd
+* Logging Operator
+
+Repository:
+* [Elasticsearch-kibana](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana)
+* [Fluentbit](https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit)
+* [Eck-operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator)
+
+Dependencies:
+
+* RWO StorageClass
+
+Owners:
+
+* @kavitha
+* @ryan.j.garcia
+
+Understudy:
+
+* @evan.rush
+
+### Policy Enforcement
+
+The Policy Enforcement Package installs the Open Policy Agent Gatekeeper [Operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/).
+
+Product:
+
+* [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)
+* [Open Policy Agent](https://www.openpolicyagent.org/)
+
+Repository:
+
+* [Policy Repo](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy)
+
+Dependencies: None
+
+Owners:
+
+* @runyontr - Runyon Solutions
+* @karchaf - Cloud Fit Software
+
+Understudy
+
+* @agudem
+* @kavitha
+
+### Monitoring
+
+Monitoring is provided by Prometheus, Grafana and Thanos.
+
+Product:
+
+* [Prometheus](https://prometheus.io/)
+* [Grafana](https://grafana.com/)
+* [Thanos](https://thanos.io/)
+
+Repository:
+
+* [Monitoring Repo](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring)
+
+Dependencies: None
+
+Owners:
+
+* @lynnStill
+* @ryan.j.garcia
+
+### Cluster Auditor
+
+Cluster Auditor is an internal tool that provides compliance information to Cluster Owners and Application Developers for insight into Reference DevSecOps compliance
+
+Product:
+
+Repository: [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor)
+
+Dependencies:
+
+* [Logging](#Logging)
+* [OPA Gatekeer](#policy-enforcement)
+
+Owners:
+
+* @runyontr - Runyon Solutions
+* @thomas.burton - iSenpai
+
+Understudy:
+
+* @agill17
+* @kenna81
+
+Repository:
+* [Cluster Auditor Repo](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor)
+
+### Twistlock
+
+Twistlock provides runtime vulnerability detection
+
+Product:
+
+* [Twistlock](https://www.twistlock.com/labs-/)
+
+Repository: [Twistlock Repo](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock)
+
+Dependencies:
+
+* RWO StorageClass
+
+Owners:
+
+* @runyontr - Runyon Solutions
+* @thomas.burton - iSenpai
+
+## Addons
+Addons are supported Big Bang packages that come disabled by default.
+
+### Security Tools
+
+Security Tools are hosted here: [Security Tools](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools)
+
+```mermaid
+graph TB
+
+ subgraph "Package Utilities"
+ Postgres
+ end
+
+ subgraph "Security"
+ Keycloak --> Postgres
+ Anchore(Anchore Enterprise) --> Postgres
+ end
+```
+
+#### Keycloak
+
+Keycloak provides SSO to applications.
+
+Product:
+
+* [Keycloak](https://www.keycloak.org/)
+* [Postgres](https://www.postgresql.org/)
+
+Repository: [Keycloak](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak)
+
+Dependencies:
+
+* Postgres
+
+Owners:
+
+* @megamind
+* @joshwolf
+
+Understudy:
+
+* @agudem
+* @kenna81
+
+#### Anchore Enterprise
+
+Product:
+
+* [Anchore Enterprise](https://anchore.com/enterprise/)
+
+Repository: [Anchore Enterprise Repo](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise)
+
+Dependencies:
+
+* postgres
+
+Owners:
+
+* @thomas.burton - iSenpai
+* @james.peterson - Anchore
+
+### Developer Tools
+
+Developer Tools are hosted here: [Developer Tools](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools)
+
+```mermaid
+graph TB
+
+ subgraph "Application Utilities"
+ Postgres
+ MinIO(S3 Compatible Storage)
+ Redis
+ end
+
+
+ subgraph "Package Tools"
+ GitLab --> GitLabRunners(GitLab Runners)
+ GitLab --> MinIO
+ GitLab --> Redis
+ GitLab --> Postgres
+ Sonarqube --> Postgres
+ end
+```
+
+#### GitLab
+
+GitLab is a product for providing DevOps including planning, code hosting, and CICD
+
+Product:
+
+* [GitLab](https://docs.gitlab.com/)
+
+Repository:
+
+* [GitLab Repo](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab)
+
+Dependencies:
+
+* postgres
+* S3 compatible object store (ex: [Minio](#minio))
+* Redis
+* RWO StorageClass
+
+Owners:
+
+* @ryan.j.garcia
+* @LynnStill
+
+#### GitLab Runners
+
+GitLab Runners are pods that run jobs for GitLab CI/CD
+
+Product:
+
+* [GitLab Runners](https://docs.gitlab.com/runner/)
+
+Repository:
+
+* [GitLab Runners Repo](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner)
+
+Dependencies:
+
+* [GitLab](#gitlab)
+
+Owners:
+
+* @ryan.j.garcia
+* @LynnStill
+
+Understudies
+* @kevin.wilder
+
+#### Sonarqube
+
+Sonarqube provides code reviews for code quality and security
+
+Product:
+
+* [Sonarqube](https://www.sonarqube.org/)
+
+Repository:
+
+* [Sonarqube Repo](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube)
+
+Dependencies:
+
+* postgres
+* RWO StorageClass
+
+Owners:
+
+* @kevin.wilder
+* @LynnStill
+
+#### Fortify
+
+Fortify provides code
+
+Product:
+
+*
+
+Repository:
+
+* [Fortify Repo](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/fortify)
+
+Dependencies:
+
+Owners:
+
+* @kevin.wilder
+* @LynnStill
+
+### Collaboration Tools
+
+Collaboration tools are hosted here: [Collaboration Tools](https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools)
+
+```mermaid
+graph TB
+ subgraph "Package Utilities"
+ Postgres
+ MinIO(S3 Compatible Storage)
+ end
+
+ subgraph "Collaboration Tools"
+ Jira --> Postgres
+ Confluence --> Postgres
+ MatterMost --> MinIO
+ end
+
+```
+
+#### Confluence
+
+Confluence provides a centralized workspace for collaborating on documentation
+
+Product:
+
+* [Confluence](https://www.atlassian.com/software/confluence)
+
+Repository:
+
+* [Confluence Repo](https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/confluence)
+
+Dependencies:
+
+* Postgres
+* RWM StorageClass (if HA)
+
+Owners:
+
+* @matt.kaiser
+* @branden.cobb
+
+
+#### Jira
+
+Development tool for planning and tracking team tasks
+
+Product:
+
+* [Jira](https://www.atlassian.com/software/jira)
+
+Repository:
+
+* [Jira Repo](https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/jira)
+
+Dependencies:
+
+* Postgres
+* RWM StorageClass (if HA)
+
+Owners:
+
+* @matt.kaiser
+* @branden.cobb
+
+#### Mattermost
+
+Mattermost is an open sourced messaging platform.
+
+Product:
+
+* [Mattermost](https://mattermost.com/)
+
+Repository:
+
+* [Mattermost Repo](https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost)ß
+
+Dependencies:
+
+* S3 compatible object store (ex: [Minio](#minio))
+
+Owners:
+
+* @ryan.j.garcia
+* @kevin.wilder
+
+### Package Utilities
+
+Application utilities are deployments of utilities used by one or more packages. They are usually not user facing, and are dependencies of user facing packages.
+
+A clear an obvious example of this is PostgreSQL.
+
+```mermaid
+graph TB
+ subgraph "Package Utilities"
+ Postgres
+ MinIO(S3 Compatible Storage)
+ Redis
+ MySQL
+ MongoDB
+ end
+
+```
+
+#### PostgreSQL
+
+Product:
+
+* [PostgreSQL](https://www.postgresql.org/)
+
+Repository:
+
+* TBD
+
+Owners:
+
+* TBD
+* TBD
+
+#### Minio
+
+Minio provides S3 compatible object storage
+
+Product:
+
+* [MinIO](https://min.io/)
+
+Repository: TBD
+
+Dependencies: None
+
+Owners:
+
+* @kevin.wilder - Dark Wolf Solutions
+* @branden.cobb
+
+#### MySQL
+
+Product:
+
+* [MySQL](https://www.mysql.com/)
+
+Repository:
+
+* TBD
+
+Owners:
+
+* TBD
+* TBD
+
+#### MongoDB
+
+Product:
+
+* [MongoDB](https://www.mongodb.com/)
+
+Repository:
+
+* TBD
+
+Owners:
+
+* TBD
+* TBD
+
+### Sandbox
+
+The [Sandbox](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox) is an area for packages that are currently being or will be worked that do not yet meet the requirements of a supported package. Due to the fluidity of sandbox apps, they are not tracked in the charter.
+
+Note, this is _not_ a place where packages go to die. If a package is abandoned for whatever reason it will be archived.
+
+To graduate from a sandbox package, it must meet the requirements outlined in this charter.
diff --git a/charter/DevCIWorkflow.md b/charter/DevCIWorkflow.md
new file mode 100644
index 0000000000000000000000000000000000000000..4aee57928e28ded5e72b7ed1aa3d25ba905502b4
--- /dev/null
+++ b/charter/DevCIWorkflow.md
@@ -0,0 +1,9 @@
+# Big Bang Developer / CI Workflow
+
+This diagram overviews the BigBang workflow that Developers will use in the processes of feature development, merge request submission, and subsequent release merges.
+
+This diagram also overviews the specific CI pipelines that currently exist to assist and accelerate these general processes.
+
+
+
+[Link to draw.io diagram file](diagrams/dev_ci_workflow.drawio). This diagram file should be modified on draw.io and exported into this repository when the developer / ci workflow changes. It is provided here for ease of use.
diff --git a/charter/GitOpsEngine.md b/charter/GitOpsEngine.md
new file mode 100644
index 0000000000000000000000000000000000000000..14e82810561e89fa6435df516dad48e6d66c0158
--- /dev/null
+++ b/charter/GitOpsEngine.md
@@ -0,0 +1,31 @@
+# Big Bang GitOps Engines
+
+## Management of Big Bang
+
+Big Bang will be deployed and managed with [Flux 2](https://github.com/fluxcd/flux2) and provide [Argo](https://github.com/argoproj/argo-cd/) for application developers to use for managing custom applications built on a Big Bang cluster. Big Bang will **not** advocate for use of Flux by mission app owners.
+
+### Big Bang and Flux
+
+Big Bang is composed of several Open Source and licensed products. [Helm](https://helm.sh/), as a member of the [CNCF](https://www.cncf.io/), is the de facto standard for packaging applications for Kubernetes. As a result, several vendors support the release of their product **as helm charts** and have built their packaging and lifecycle management to expect to be the engine for driving that management. As a result, Big Bang has adopted Helm as its internal deployment framework for BigBang packages and requires Helm to be treated as a first class citizen.
+
+The Flux2 Engine has native Helm support, meaning the controller deployed as part of "Flux 2" leverages the same Helm code as the CLI.
+
+### Limitations of Argo
+
+#### Helm Support
+
+Argo, has taken the ownership of rendering and managing the lifecycle of applications that does not work exactly as expected by helm. As a result, there are several vendor Helm Charts that **do not deploy successfully** with Argo because of how Argo shims Helm Hooks to Argo specific sync phases.
+
+* GitLab initial secret creation is performed via a [subchart]([https://gitlab.com/gitlab-org/charts/gitlab/-/tree/master/charts/shared-secrets](https://gitlab.com/gitlab-org/charts/gitlab/-/tree/master/charts/shared-secrets))
+* Kube Prometheus Stack - [prometheusrule admission webhook]([https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusrules-admission-webhooks](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusrules-admission-webhooks)) is created via a helm `install` hook
+* Confluent - A deletion hook is part of a subchart gets run at different point in the lifecycle
+
+As new features of Helm get developed and leveraged by the community, we would need to lean on the time and availability of the Argo developers to re-implement the capabilities.
+
+#### App of App Pattern and Secrets
+
+Argo requires all configuration options to be embedded into the ApplicationCR. Because of this, sensitive values that need to be passed into "inner" packages are forced to reside in the Custom Resource rather than referenced as a Secret.
+
+## Argo Is Still A Package
+
+As defined in the list of [Big Bang Packages](BigBangPackages.md), Big Bang comes deployed with Argo for use by Mission applications to continue to deploy and manage their applications. Similarly, even though Big Bang uses Helm internally for management of Big Bang packages, Big Bang does not advocate for Helm for use by applications run on clusters with Big Bang.
diff --git a/charter/Glossary.md b/charter/Glossary.md
new file mode 100644
index 0000000000000000000000000000000000000000..d1079009532d012b0435010ecd954780e38b9b3a
--- /dev/null
+++ b/charter/Glossary.md
@@ -0,0 +1,5 @@
+# Glossary
+
+**Big Bang Application**: Is an application deployable onto Kubernetes using manifests inside the Big Bang Application Repository that meets all the requirements of [Application Requirements](ApplicationRequirements.md).
+
+**Release**: A release is any change to the manifests that would be installed when referencing this application. It includes a change in Image tag, as well as modifications to the structure of any manifests that define the application deployment.
diff --git a/charter/NewPackageRequests.md b/charter/NewPackageRequests.md
new file mode 100644
index 0000000000000000000000000000000000000000..0f43ec6fe54e9bbe72f56079a6bf945a4387989a
--- /dev/null
+++ b/charter/NewPackageRequests.md
@@ -0,0 +1,16 @@
+# New Big Bang Packages
+
+This is the process for adding an package into Big Bang
+
+## Incubation
+
+To get into an incubation stage, an package needs the following:
+
+* Written support by **two** Big Bang Customers identifying capability gap in BigBang
+* Nomination of **two** developers from different companies, who have contributed to other big bang packages, as Package Owners.
+* Architecture Review approved by a majority of the present Big Bang Package Owners.
+* Sign-off by Government
+
+## Full Membership
+
+Once the package adheres to all [Package Requirements](Package Requirements.md), a final review of implementation details will be presented to the Big Bang Admins.
diff --git a/charter/PackageOwner.md b/charter/PackageOwner.md
new file mode 100644
index 0000000000000000000000000000000000000000..e16ff13223750649dc5f53afe77b144fa51334d7
--- /dev/null
+++ b/charter/PackageOwner.md
@@ -0,0 +1,22 @@
+# Package Owners
+
+Package owners will be responsible for the following:
+
+* Cutting Releases
+* Implementing Package requirements outlined by [Package Requirements](PackageRequirements.md)
+* Reviewing Merge Requests into the Package Repository
+* Reviewing Merge Request CI/CD pipeline execution results to ensure that there are no regressions in conformance tests nor package cypress tests.
+
+Package Owners will be identified by the use of [CODEOWNERS](https://docs.gitlab.com/ee/user/project/code_owners.html) files in the repository.
+
+There must be at least 2 (two) Package owners for each application and they shall be from different companies.
+
+## Package Shadows
+
+There can also be defined, for each package, shadows that are tracking ownership for each package. These shadows are responsible for filling in for the primary package
+owners as needed. This could be the result of a package owner being on leave, or transitioning off of the team. The shadows will maintain situational awareness on all
+Merge Requests and be ready and able to participate in resolving production issues. Shadows will be listed in the CODEOWNERS file like Package Owners.
+
+## New Package Owners
+
+A majority of Package Owners can approve the addition of a new member to the CODEOWNERs file, as long as one company does not control more than half the owners.
diff --git a/charter/PackageRequirements.md b/charter/PackageRequirements.md
new file mode 100644
index 0000000000000000000000000000000000000000..b67550c31b4d8e257b15236cc39336f88eb3c106
--- /dev/null
+++ b/charter/PackageRequirements.md
@@ -0,0 +1,121 @@
+# Package Requirements
+
+All Big Bang Packages shall adhere to the following requirements. Where possible, each package shall validate these requirements in their CI/CD processes
+
+[[_TOC_]]
+
+## PR-X. Kubernetes Cluster Requirements
+
+Each package will work with any cluster under the following criteria.
+
+* Kubernetes Versions "Latest -2". Current latest is 1.20, so also supports 1.19 and 1.18.
+* [Cloud Native Computing Federation Kubernetes Certified Distribution](https://www.cncf.io/certification/software-conformance/).
+* Default Storage Class with RWO
+
+## PR-X. Iron Bank Images
+
+Every Big Bang Package shall be configured to use exclusively Iron Bank approved images.
+
+## PR-X. Packages are Helm Charts
+
+All packages that the Big Bang product consume are helm charts. This decision is explored in depth in the ADR [here](http://about:blank). The quick summary is that helm provides the best tools for the problem statement that Big Bang is built to address: an opinionated yet configurable deployment of the Platform One baseline.
+
+### Helm Chart Types
+
+Baselining off of the assumption that all packages are helm charts, we can identify _two_ different types of packages:
+
+#### Upstream Helm Charts
+
+Many of the tools and applications that BigBang deploys have actively maintained helm charts, rather than re-inventing the wheel, it is encouraged to leverage charts maintained by vendors or the community.
+
+The unfortunate downside to helm is the lack of chart customization _without_ forking from upstream. While there are several options out there (post-rendering, etc...) that are slowly becoming more widespread, the unfortunate reality is upstream charts that BigBang consumes must be forked into repo1 and the appropriate changes must be made.
+
+Forked upstream helm charts will be configured with the appropriate BigBang _additions_, and in rare cases, _modifications_. They will be versioned in accordance with BigBangs [package versioning scheme](#pr-x.-package-versioning-scheme).
+
+#### Custom Helm Charts
+
+In the case where an accepted upstream helm chart does not exist, BigBang will create and maintain it's own custom helm chart for the package in question. The helm chart will be in conformance with the [Package Standards](#pr-x.-package-standards).
+
+## PR-X. Package Versioning Scheme
+
+Big Bang packages follow a standard semantic versioning scheme for both the package tag and the chart version. The package tag will always be in line with the chart version (not the `appVersion`). To distinguish between BigBang specific changes within the semantic version of the upstream chart, a suffix of `-bb.#` will be added to _all_ charts and tags.
+
+For example, for the upstream [`istio-operator`](https://github.com/istio/istio/tree/1.7.3/manifests/charts/istio-operator) pinned at version `1.7.3`, the big bang version (with the modified `values.yaml` for an Iron Bank image) will be tagged `1.7.3-bb.0`. If in the same `istio-operator` release, BigBang requires chart modifications (such as to support `imagePullSecrets`), then the new version becomes `1.7.3-bb.1`.
+
+For another example in using the [`kube-prometheus-stack`](https://github.com/prometheus-community/helm-charts/tree/kube-prometheus-stack-12.2.2/charts/kube-prometheus-stack), the upstream is versioned at `12.2.2`, meaning BigBang's initial fork will be `12.2.2-bb.0`. Future additions, such as adding `VirtualServices` for the ingresses, bumps to the `-bb.#` will happen in sequence every time BigBang updates the chart within the same version.
+
+## PR-X. Package Standards
+
+The common components that each package will have are defined in the following folder layout:
+
+```bash
+├── CODEOWNERS # GitLab Code Owners for Package Owners/Understudies.
+├── README.md # top level summary of package
+├── docs/ # detailed documentation folder describing package consumption details and assumptions
+├── tests/
+ ├── cypress # folder containing e2e tests using the cypress test framework
+├── chart/ # Folder containing helm chart
+```
+
+## PR-X. CI/CD pipeline is required for each Big Bang Package
+
+Each package shall contain a .gitlab-ci.yml file at the top of the package repo. This file shall reference the pipeline CI/CD infrastructure
+files and include the following contents:
+
+```bash
+include:
+ - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
+ ref: master
+ file: '/templates/package-tests.yaml'
+```
+
+## PR-X. Dependencies must be Big Bang Package
+
+If a Package has a dependency on another Package to function, the dependency shall also be a Big Bang Package
+
+## PR-X. Dependency Matrix
+
+Each Package will clearly articulate in documentation any dependent Big Bang Package and versions.
+
+## PR-X Kubernetes Component Requirements
+
+These requirements for the kubernetes components come from the Kubernetes STIG, Kubesec.io and other best practices
+
+* Resource Limits and Requests set for cpu and memory and they are [Guaranteed QoS](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed)
+* Containers are not run in privileged mode
+* Read Only Root File System is set to true
+* Containers are not run as root
+* runAsUser > 1000
+* Each deployment/daemonset/statefulset should use its own service account with least privilege permission set
+* HostPath volumes are not allowed
+* All resources contain the [Kubernetes Common Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/)
+* All containers contain health and liveness checks
+
+## Branching
+
+Each package will have a default branch of `main`. Immutable tags will be used to identify releases and will follow a semver versioning scheme. For more information, see the [versioning](#pr-x.-package-versioning-scheme) section.
+
+## Package Standards
+
+* Helm Packages contain one kubernetes object definition
+* Helm charts should have the flexibility to enable istio and defaults to disable
+
+```yaml
+ istio:
+ enabled: false
+```
+
+* Helm charts should have the flexibility to enable service monitors and defaults to disable
+
+```yaml
+ monitoring:
+ enabled: false
+```
+
+* Helm charts should have the flexibility to enable keycloak and defaults to disable
+* Helm dependency manage charts dependencies in Chart.yaml and the dependency chart can be enabled or disabled using condition.
+* All Chart names are lower case letters and numbers, separated with dashes. No dots, uppercase or underscores.
+* Helm Chart values variable names should begin with a lowercase letter and words should be separated with Camel case
+* Helm chart dependency version,use version ranges instead of pinning to an exact version.
+ version: ~1.2.3
+* There should be a Helm values file located at `tests/test-values.yaml` used for pipeline testing.
diff --git a/charter/README.md b/charter/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..b0092e5c6abf89bf92f5126d22f2c5609cbe8c5d
--- /dev/null
+++ b/charter/README.md
@@ -0,0 +1,26 @@
+# Big Bang
+
+## Scope
+
+Big Bang's scope is to provide publicly available installation manifests for:
+
+* a specific set of packages that adhere to the [DevSecOps Reference Architecture](https://software.af.mil/dsop/documents/#documents). The set of packages are listed here: [Big Bang Application List](BigBangPackages.md)
+* packages that facilitate development of applications that adhere to the DevSecOps Reference Architecture
+
+Big Bang also builds tooling around the testing and validation of Big Bang packages. These tools are provided as is, without support.
+
+## Big Bang Packages
+
+A Big Bang Package (BBP) is manifests that adhere to the requirements outlined in [Application Requirements](PackageRequirements.md).
+
+Each BBP has a set of Owners whose responsibility is outlined in [Package Owners](PackageOwner.md).
+
+Each BBP follows its own release cycle adhering to at least the requirements outlined in [Release Process](ReleaseProcess.md).
+
+## Change to the Charter
+
+All changes to the charter must be requested via Merge Request into the master branch.
+
+## Bi-weekly Meetings
+
+The Big Bang project will have a bi-weekly meeting to discuss global issues that are occurring across applications. Meeting minutes/notes will be kept and posted in a separate repository, and all meetings will be recorded and hosted for public availability. All policy decisions can be talked about during these meetings, but nothing is final until merged into this repository, following the requirements for updating the charter.
diff --git a/charter/ReleaseProcess.md b/charter/ReleaseProcess.md
new file mode 100644
index 0000000000000000000000000000000000000000..b4b301a23e06211059b9f47b6d1bf1924c5b5453
--- /dev/null
+++ b/charter/ReleaseProcess.md
@@ -0,0 +1,7 @@
+# Release Process
+
+Big Bang Applications shall implement a following release process adhering to the following requirements
+
+* Each Application shall maintain a long running release branch for all application version "N-2", meaning current upstream release and the previous two releases.
+* The release process shall be automated by merging into this release branch
+* The release process shall validate the application against all **supported** dependency releases using the automated [Testing Framework](Testing.md)
diff --git a/charter/Scratch.md b/charter/Scratch.md
new file mode 100644
index 0000000000000000000000000000000000000000..f6aea654f9b79f0d845fd56b2ad47c24198ea92d
--- /dev/null
+++ b/charter/Scratch.md
@@ -0,0 +1,84 @@
+#
+Comments from meetings
+
+## Apps
+
+* Should any product need to be licenced (e.g. why Anchore Enterprise and not Anchore)
+* Should everything used by apps be internal? E.g. Postgres requried for Keycloak
+* Which of Anchore vs Anchore Enterprise
+
+* Consistent Interface. Only "supported" BigBang configuration
+
+
+
+
+
+Testing stuff
+
+
+
+
+
+## Kubernetes Tools E2E Testing Frameworks:
+
+### Each Applications E2E tests
+
+Is there a way to get each applicatoin to run its own e2e tests against the deployed version?
+
+e.g. for Argo:
+https://github.com/argoproj/argo-cd/blob/master/.github/workflows/ci-build.yaml
+
+
+
+
+### Istio
+
+Istio uses Prow: https://github.com/istio/test-infra
+
+### KUTTL
+
+KUTTL allows for the verification of Kubernetes objects (and status) based on application of various kubernetes yaml objects.
+This easily allows for testing the health of all the objects (per status fields), but doesn't provide integration tests unless we
+build all the integration tests into CRDs or into Kubernetes Jobs:
+
+
+
+APP
+* manfiests/linting
+* k3d healthy"
+* smoke tests
+
+
+
+
+Integration Tests
+*
+
+
+
+Single release of all app versions in single place. Tested by BB
+
+Customer extensions need to be tested in their own moc environment
+
+
+
+Common Integration:
+* "App of Apps"
+
+
+
+
+Mock Integration environments
+* sample implementation of customer
+
+
+
+# Keycloak
+
+Table discussion
+
+
+
+API:*
+* can't change image tags
+* can change repo to allow for airgapped repos
\ No newline at end of file
diff --git a/charter/SprintPlanning.md b/charter/SprintPlanning.md
new file mode 100644
index 0000000000000000000000000000000000000000..84771f5e4046eeb2821f1954f097c10fc67be8b0
--- /dev/null
+++ b/charter/SprintPlanning.md
@@ -0,0 +1,49 @@
+# Product Team
+
+Responsible for building the COMMON Big Bang product.
+
+## Product Team Sprint Planning
+
+### Normal Rhythm
+
+* One week sprints ( Tuesday noon to Tuesday noon )
+* Continue to improve planning every week
+* All team members who have capacity to work on the PRODUCT backlog should attend the planning session
+
+### Work Breakdown
+
+* The Big Bang PRODUCT work will be continuously updated within Jira by the BB PMs, Anchors, and Epic Leads
+* The pre-planning activity will execute the following planning steps:
+
+1. Review current team objectives
+1. (Re-)prioritize work at the Epic level
+1. Assess ( ballpark ) amount of the work the team can accomplish within the next week
+
+* The planning activity will execute the following planning steps per planning "team":
+
+1. Review/update the currently OPEN and prioritized Epics provided by the pre-planning activity
+1. Decompose the Epic work into stories by writing new or updating existing stories in Jira to accomplish the Epic objectives
+1. Identify and capture any intra-story dependencies in Jira
+1. Prioritize the stories to be accomplished
+1. Add stories to the sprint backlog roughly equivalent to the team's capacity
+
+### Sprint Execution
+
+* Daily PRODUCT team standup -
+Should discuss EPIC level issues ( dependencies, issues,etc) and be less than 15 minutes
+* Daily EPIC team scrums - team members brief based on Jira Story or Task
+
+1. Review accomplishments in the last 24 hours
+1. Planned work in the next 24 hours
+1. Any blockers or helps required
+1. Individual Stories will be accepted
+1. Sprint retro ( bi-weekly to start on Thursday to inform Tues planning)
+1. Sprint DEMO - working software
+1. [FUTURE] Team capacity planning
+
+### Core Concepts
+
+* Succeed or fail as a team
+* Work pairing is highly encouraged
+* Collaboration/Communication will be key to team success
+* Look for ways to improve the PRODUCT and the process
diff --git a/charter/Support.md b/charter/Support.md
new file mode 100644
index 0000000000000000000000000000000000000000..9027d8d0daa01a255494eb0db1146e67ff36a379
--- /dev/null
+++ b/charter/Support.md
@@ -0,0 +1,3 @@
+# Support
+
+Big Bang will provide support for all Big Bang Applications. This document outlines the support model from the Big Bang team:
diff --git a/charter/TeamRhythm.md b/charter/TeamRhythm.md
new file mode 100644
index 0000000000000000000000000000000000000000..2b3e552497fddb493e2c49d84ad6a4436084c690
--- /dev/null
+++ b/charter/TeamRhythm.md
@@ -0,0 +1,26 @@
+# Team Rhythm
+
+## Internal Team meetings
+
+|Title| Purpose |Attendees | Frequency|Days|
+|:---|:----- |:----------|:--------------|:-------------------|
+|PM Tagup|Discuss Cross team issues and priorities for the week|Integration PM & Product PM|Weekly|M|
+|Team Tagup|Discuss overall team issues|BB Team|Weekly|T|
+|Sprint Planning|Plan sprint work|Epic Teams|Weekly|T|
+|T3|Team technical collab|BB Team|Weekly|R|
+|Charter Review|Charter pull request review|BB Team|Weekly|R|
+|JETT Tagup|PM & Anchor tagup & alignment|JETT|Daily|M-F|
+|Integration Standup|Discuss priorities & issues|Integration Team|Daily|M-F|
+|Product Standup|Discuss priorities & issues|Product Team|Daily|M-F|
+|Product Epic Teams Scrum|Previous Planned Issues|Product Epic Scrum Teams|Daily|M-F|
+|Integration Epic Teams Scrum|Previous Planned Issues|Integration Epic Scrum Teams|Daily|M-F|
+
+## External Team meetings
+
+|Title| Purpose |Attendees | Frequency|Days|
+|:---|:----- |:----------|:--------------|:-------------------|
+| P1 PM Tagup|Agenda driven P1 PM mtg|P1 PMs|Weekly|M|
+| P1 PM Tagup|Non-Agenda driven P1 PM mtg|P1 PMs|Weekly|F|
+| CSO/P1 Leads|Discuss xyz|P1 PMs|Bi-Weekly|F-A|
+| CSO/P1/C1/Other Leads|Discuss xyz|P1 PMs|Bi-Weekly|F-B|
+| P1 Daily|Discuss BB Current SOA|Daily crowd|Bi-Weekly|M-W2|
diff --git a/charter/Teams.md b/charter/Teams.md
new file mode 100644
index 0000000000000000000000000000000000000000..71ea30a73cf8bdf17f1b3ad386adade1d0056d50
--- /dev/null
+++ b/charter/Teams.md
@@ -0,0 +1,65 @@
+# Teams
+
+[[_TOC_]]
+
+## Engineering
+
+Big Bang consists of two primary missions: Product Development and Integration
+
+## Product Development
+
+Product development consists of improving Big Bang Applications used by all customers:
+
+* Upgrading application versions
+* Improving reliability
+* Adding configuration options used by multiple customers
+* Improving interface for customer consumption
+
+## Integration
+
+Integration consists of facilitating user adoption of Big Bang by providing:
+
+* On the ground debugging of production issues
+* Creation of Environment Bootstrap pipelines to test changes in versions of Big Bang Umbrella
+
+## Communication
+
+Execution in these two engineering efforts requires tight collaboration and feedback loop with each other and external teams as defined in the diagram below:
+
+
+
+### Product and Integration
+
+#### Product to Integration
+
+* Change logs
+* Tier 2/3 support for application specific issues in customer production environments
+
+#### Integration to Product
+
+* Bugs from customers that need to be solved in Big Bang Applications
+* Common "extensions" of Big Bang Umbrella that should be added to provide consistency across customers
+* Mock environments for Umbrella testing
+
+### Integration and Customers
+
+#### Integration To Customers
+
+* Changelog of new versions of Big Bang Umbrella
+* Building
+
+#### Customers to Integration
+
+* Bugs
+* Environment specifics that can go back into Mock Environments as defined in [Testing](testing.md)
+
+### Product and Iron Bank
+
+#### Product to Iron Bank
+
+* Requests for new/updated Iron Bank Images
+* pipelines for testing Iron Bank Image functionality
+
+#### Iron Bank to Product
+
+* Approval of Iron Bank Images
diff --git a/charter/Testing.md b/charter/Testing.md
new file mode 100644
index 0000000000000000000000000000000000000000..26dc6fad048941faba90347aea65ad75a87b6eb7
--- /dev/null
+++ b/charter/Testing.md
@@ -0,0 +1,78 @@
+# Testing
+
+There are multiple phases of testing for an application to get into a customer environment
+
+## Types of Changes
+
+* New Iron Bank Image
+* Changes to Manifests for deployments
+* Newly supported configurations of application
+
+## Testing Platform
+
+Big Bang Applications will leverage GitLab Runners to execute these common BigBang Pipelines. Each Big Bang application is required to use the Big Bang Pipelines, whose functionality is outlined here.
+
+A detailed description of the pipelines and how to execute the testing process on a local system is described in the README.md in <https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates>.
+
+## Application Testing
+
+When a Big Bang application developer submits changes to a particular Big Bang application, the application needs to be tested to ensure functionality, as well as compliance with core [Application Requirements](ApplicationRequirements.md).
+
+A core feature of all testing capabilities is its ability to be run locally by developers using their own environment, or by other teams looking to test proposed changes to the application (e.g. IronBank as part of container creation). The GitLab pipelines will be simple wrappers around these common testing and deployment tools.
+
+### Linting
+
+Initial phases of the applications tests will focus on compliance with approved formatting and rendering policies for BigBang.
+
+### Smoke Deployments
+
+The next phase of testing for each application will be to stand up healthy on a lightweight Kubernetes cluster. The GitLab Runners will standup a ephemeral Kubernetes cluster for use for the deployment, deploy the application and its dependencies and ensure the application comes up "Healthy". The testing configuration will allow for a configuration of the application and the ability to define and test functionality.
+
+Each "Test" scenario will contain the following information:
+
+1. The Kubernetes cluster to stand up. Initial implementations will only allow customization of a k3d cluster.
+2. Application configuration files. Once a repository format/tool is decided, this may look like a Helm values file, or a set of Kustomization overlays on a base deployment.
+3. A smoke test configuration file. Format TBD based on tool decided. Look at Locust.io, Selenium, Citrus
+
+The Smoke tests will be run internal on the Kubernetes cluster via a Job. The testing framework will inject a configuration object provided in the repo as a configmap for the job and run the job, ensure its successful, and provide the logs back to the user CI/CD pipeline for review.
+
+## Umbrella Testing
+
+The end consumable is the [Umbrella Application](Umbrella.md). As new versions of Big Bang Applications become available, those changes need to be integrated into the Umbrella and tested. Each Merge Request into the Umbrella Repo requires passing of an [Upgrade Tests](#upgrade-tests) and the [End to End Tests](#end-to-end-tests) for all mock environments.
+
+### Environments
+
+The Umbrella application will be tested for functionality with customer focused kubernetes environments. As the Integration team works with customers to adopt Big Bang, the team will provide feedback to Umbrella Test Environments to provide representative environments to perform full End to End regression tests. A representative environment for the e2e tests is Mock Fences, which attempts to mirror the Fences environment owned by GBSD.
+
+Each Environment will contain the Infrastructure as Code (IaC) to deploy the base infrastructure that Big Bang will be deployed onto. These tests will not validate that upgrades to IaC are successful.
+
+### Upgrade Tests
+
+The Umbrella application is responsible for not only deploying fresh environments, but managing the upgrades to existing environments. As a result, a key component of testing is to validate that upgrades are successful. The Umbrella test script will stand up the applications with the latest current release and then apply an upgrade to the changes in the Merge Request and ensure there is a safe process for upgrading. If there are custom scripts needed to perform the upgrade, the umbrella application will have those configured as part of the application definition.
+
+### End to End Tests
+
+The GitLab job will then identify each set of smoke tests defined in each application and execute those tests on the upgraded mock environment to assure proper functionality of each application.
+
+## Single Sign On (SSO)
+
+Part of testing shall provide tests for Single Sign On verification that applications are able to be configured to use Keycloak. For each application that has an SSO option, Keycloak will be deployed into the ephemeral cluster and the application will be configured to use the deployment for SSO. The application will be required to have smoke tests that validate the ability to log into Keycloak.
+
+## Testing Infrastructure
+
+### Application Testing Infrastructure
+
+The GitLab runners used for testing BigBang Applications will stand up dynamic [K3d](https://k3d.io/) or [Kind](https://kind.sigs.k8s.io/docs/) clusters. To do this dynamically in Kubernetes, the pods need access to the host. As a result, Big Bang with deploy and managed a separate Kubernetes cluster that GitLab will use to deploy ephemeral Kubernetes clusters for testing.
+
+This cluster will remain separate from the environment running GitLab since the use of privileged containers could pose a security risk to adjacent pods on the nodes.
+
+### Umbrella Testing Infrastructure
+
+The GitLab Runners used for Umbrella testing will be provided appropriate service account credentials to provision mock environments. For AWS environments, the environment will reside in the same project as GitLab. For other cloud providers, a dedicated project will be provisioned to be used exclusively by BigBang Umbrella testing. As a result, there must be the ability to have concurrent environments in the same cloud project.
+
+#### Umbrella Clusters
+
+Clusters for testing the Umbrella app will be provisioned from vendors that allow for creation of dev and test clusters without licencing limitations. Vendors will be required to provide
+
+1. A repository inside <https://repo1.dso.mil/platform-one/distros> to maintain code
+2. A GitLab pipeline task that provisions their distribution: [Vendor Distribution Integration](VendorDistroIntegration.md)
diff --git a/charter/VendorDistroIntegration.md b/charter/VendorDistroIntegration.md
new file mode 100644
index 0000000000000000000000000000000000000000..91b63c63f95d24b612ddc9a7cd83d5be75aac08b
--- /dev/null
+++ b/charter/VendorDistroIntegration.md
@@ -0,0 +1,25 @@
+# Testing Vendor Distributions in our Pipeline
+
+## Overview
+
+Vendor distributions are tested within the umbrella project's ci [pipelines][0]. These pipelines include jobs from the [umbrella-templates][1] repository.
+
+The main thing to take into account is your cluster should have:
+
+* Single stage for spinning up
+* Single stage for spinning down
+* Within each job you're allowed whatever tools/resources needed just store them in the `jobs/<your-job>/dependencies` folder
+* We provision a VPC and subnets inside a separate job, you can access this information via `terraform remote_state`
+* We expect you to export the `kubeconfig` file to connect to your cluster as a `GitLab artifact`
+
+Vendors can ignore the `smoke tests` as they are run against a k3d cluster. All other stages are important for vendors to understand. We have also made the assumption that `terraform` is the base tool that all vendors will use to deploy their clusters in our pipelines.
+
+### Working Example
+
+A working example for rke2 can be found [here][2] (Note this link is pinned to a specific commit to show you exactly where in the code it is being implemented, look at the code to get a gist then view `master` branch to make sure nothing has changed).
+
+You can find more information about specific jobs in each jobs specific README.md inside [umbrella-templates][1]
+
+[0]: https://repo1.dso.mil/platform-one/big-bang/umbrella/-/pipelines
+[1]: https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/umbrella-templates
+[2]: https://repo1.dso.mil/platform-one/big-bang/umbrella/-/blob/a1b7926ce05127a57661fe5ff72c6d7a23db0470/.gitlab-ci.yml#L148
diff --git a/charter/diagrams/dev_ci_workflow.drawio b/charter/diagrams/dev_ci_workflow.drawio
new file mode 100644
index 0000000000000000000000000000000000000000..baf7a1532161283a3eb561be6a2a616f1901745f
--- /dev/null
+++ b/charter/diagrams/dev_ci_workflow.drawio
@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2021-01-06T06:20:42.230Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" etag="kpGPMNrXRMedev0xIThy" version="14.1.8" type="device"><diagram id="7sAzJ7kZBJ19-CyqRDUJ" name="Page-1">7V1bd6M4Ev41Pmf2ITmYW8hjx+lLdic7vZ3u6Zl5mSODsNXBiEEiifvXry6Iq4zptB2wneQkBiFA6KsqfVWU5Ik1Wz29T0GyvMUBjCamETxNrOuJaZpT22MfvGQtS7zpVBYsUhTIokrBHfoO80IjL81QAEmtIsU4oiipF/o4jqFPa2UgTfFjvVqIo/pdE7CArYI7H0Tt0q8ooMv8KRyjLP8A0WKp7jw18iNz4N8vUpzF+f0mpvXW5b/y8Aqoa+X1yRIE+LFSZL2dWLMUYyq3Vk8zGPG+Vd0mz3u34WjR7hTGtM8JT9a3L8b11X8TZ3rx+Ol/5Pe/V/GZAovQteoQGLD+yXdxSpd4gWMQvS1Lr8RDQ35Zg+2VdX7FOGGFU1b4DVK6zsEGGcWsaElXUX6UtThd/5GfL3b+5Dvnjtq9fqoevF7ne+1HVs3HWern7f/VPSMk8J0E+jDxvyw//GexPlOSBdIFpB31HFmP90HlBnmHvod4BVl7WIUURoCih7oMgVwUF0W9Eg62kSOiR6er1Q8gyvI7XcMHGOEEpi3Y6qA8LhGFdwkQnfLINLcOQIiiaIYjnIpzrdDhv6yc0BTfw8oRV/zwM3BMK+XypwuSB5hS+NTZieqom2vIulAxuf9Y6uNUadGyoovqvJ/pd71W2KehFWZbK7T9cTkqrTBbWvEOApqlkBVepSD2l0ekHK49OuVwT0M5rLZy/DX7+7s3+3f6h3mTvQ/j35Kn9+6ZczEq7bBa2nELCOUDxvEpx+WQI4e29+1W7xO4AjFFvqCwqxWibKNNukoMpj+MQeBAL7B1GHjm3BIY7KCvLfOZfW3uzRCZp2GInJ6jtDkqO+T00oQ2hAeoCdYLaoK2r91efR0fQ187L9jX2uHesg7J6pAlSPgVIxTfdyGy1TGe7pzl5Kd+xCimJeCmVwfcaQ7V0lzmZzWwLJrxE/CeiOun8NwKvLriyw8renycV3zq+Aw27GtJiH0xLD4lJH/WENHjEwCyLMa/3YKllV7XHRVHU+2uEIe7kjjMFHF4w6BYE0QmfFB9x/7/DlMUIp+1EHeRime4k54PfV9HKuaeYzudKvV8UuH0JXC7cBv1Vs07Eavm9aUbg4Uc9VZt4JjXMFZNA5beqg1GETrbXbFqswgCZqmMm5hQwK9wcDbLbfLi4W3W5YnYrMu+TMweFVNWLw5e8VH4DPZyVz+mDOzJDDOmaMDSjynjimaqdlfGlC/JIgUBnJhuxB7kap6yrQXf+mWG4wBxbsyGGt7Eu3uUJDD41wEOO549umHnRF4/9o/MeaPSlELGSk1ZoZjJphA7IjxGdmUjU+qzy5g0gF6o1QnX9+A83I1O2E0qZmt0wn3RmPQgQZefkG3zQGXbbMs2+NaW7Rgfl4C7Qwu4fSJpisqF2KoY1si4rDkmLjvdgs+OuKwOLD2XHVdWqdlOUrliSEQ8f+5mBRaQHCBRnRpGw2gZQzPVoZXixYyWJkHlIIzWwG/yB3HAdWDpjdZg0azOduuM1ieY4OOwWTqi9aLJvfbA6Q+D6ITVWyesUemE1daJWxBngJ84izKZ9duMTn2GhB6ksjSniQwfinIGibA/J6VL2/ydv7Xrl9HleQ089pzR5ZwIDbP7JqGYo2JhQ8MziOvYGyt3XAEwu50w9BH493yK7eGNKM0wl9c3t3h/A8rxhbm6Rp6tDqM92NQqvakaGJ59k+O+WOkt1WBYdTW7Yqg+wQgCcoiGqpmv+KKGSq8JA+eWDKIJZl9NGCx3savZtUUEInbX/NKHpQrN6dAjGLPbTrhyuknCkw6l211YH+MjSlj/xzzK3vTNVQlrSPXcFk7KBUxS7ENCtmNVrlXyW0b5zfPyOuCLCPCLie0GunAaOPBCh+6le2GBHc32arr4I0C3PbVOh+7tJx2w44MxDKGrV9Lg4nJu7CpUM75ITdtveYVxe8TtuVO+94aj26Z1KrUbqdRuA4f81uxvjhb8P4j5h68CogbP0jDuraAFJOsX2oi11fo3xhyqGhh5EYjQIma7Puttdg/rivcy8kH0Jj9AOcXRysVm0HcxXDZcXPeiJ4IXe0OwTUc6ELy62oCcEaZ4NeGrbOWHcvYm0m9AHIjHiXiNIg1HXtXPUtGfbGvJBEPzrvv4pMBTL8+UFOiGVUcjBYXC714MdMuU8FcXImE2zeICRsKTZ8E8yrENYBLh9UpCKGtQSCgSOi4QFjIjJOUBpAhnfNqaj2OSrYSg5NJ0CrhPpw227PZN5CqWNNg98BuSTyoA1sx2osKLzFtKMEEUp4grrZQF4ceQxsFz5qGdL76fAMCXnrMdX51iX+4N3g2v6TfBi/J8owacsrgAMld0VfpEXxLbOaaUjTVDwOvW4bV1KU2XGnidi3NnXwC3HaJryDpuheJ8OrBEucj5JmKUlkmycsjlpYiP7rpFSkAx11gkiRMoLDzPp8VJZUpFAtMQp/Xx/Ruen7OPygzmtHC6UxhChoQPSZU0AL5Hl7BWdZ6vklUyCdYKWRHwFobyUVSD2QYDGREcn2926MuSr0j0MYgIlr2IAkBheXV5XX47JjkFacHxAxMj8fgTNQm70nuyK8oGP8qbhAAJPEP5lOviojGm5ydgHs2GH+pq/FDT1g1/+6O/nTPuSyFkYjBnjqEEk7XVNBaIRmBeVjrzI6TsptQ/IaQgYW5okiIpVEVWulSh8vo5cwILKT1cb95IkZREmtToE8Nclgi15X8xfKwoAW8FybjSSJUqDfVJiFljFL7U0WudmS7o2e7FrD0FOn9Py+GZi8S5oC4QrCtD4EvLI4QDxPwZMTMcwt4x1owlgyYJ9PnyD/Wzjh5mu2FNLnQw68j0/qIhukmJEQZBHeRXaLeGSYy6BpeJmdtUeH+rrB7UMmMbMai+VOtatHD75G1ZbySZAMPMR/rx95h9u1wvgsao+lwXOETs4c/ukKD/H1N4VixZ9AHj+xZEh7vQbTNVaQSrQB/fOmxdS59vn9syKl1pE4OvNx9ZwS1MF3LGxD8ZJO0wyuFqiGeMTkOMTQaLSIOVMINVhBGWwmCpKICKC3DKBoFwrIqaIY4i/q0ntQgAoYzZgTQg3JO74Q4/8/EnPDqifD/Wu9JRk/GO4nJIhk+/QZ9ytlgGEWS9oPzCCVkVxTzaUIZlwAry6kfPEW2NQJk6ur+L2IFeoNpareJLy6mKL13DB1ZltvYjWHl/XR5XhUnlBAkwB/cRp1wKRcQgLL5UQUbEYOk/kGwuhUdalVVuVVJpVaSUCOEoIm0Zk9No0ghDpRAEayVH4iLnlTYnG1+4P1+4CBMYHoq2rp1y77MYfM7MTSYPMyEJI/HVPUsUBDBuidoOxOvMqtsvr28MYW/Lqx/h+l56XtmXD1uDLXPX2e6T+KaHZt6fNfjwbg680O2LqcfOZ6DkpzamiTWTnK1mcFTq5y6miXU+Z1WdjpYtNzP0RqBOfchNmUT7AwTnreTPDZLCKTDjH5Ji8zcarPo/Gf8uvqsiKK4KBI8WnAhWrsWZ9uel4MTA99k5aX41P6N5PorQmSLKTqrsGigSL16wCAYU8kxAtp2JD6aXJf3O813yDMNzXe4i+wQrLnPxnCSVfmhlL74SLMndR8CwTmQIUT2/nWENtjx6Z7tfs4Z/YrLS8EOL4u2vMzR2H2YbAbrHt3R+p23c/jVg5riMaDth7BYwDs/+hKt6i4PiuyTKCNMbnsbyALpWaj+U1ROtqXuuErC3aYm9k8Q9/SvLtn/TJtgbh7IOfl2prsLXMn9bJspJPCuJbs1o4WvMr3PJupelpPaPuWF7FhXlOL2KSBEWNvcoImy3/Dp6GVdhj7pkFhryGv8H</diagram></mxfile>
\ No newline at end of file
diff --git a/charter/imgs/communication.png b/charter/imgs/communication.png
new file mode 100644
index 0000000000000000000000000000000000000000..a35665240a85583cd3b886ab6008e430837b77ff
Binary files /dev/null and b/charter/imgs/communication.png differ
diff --git a/charter/imgs/dev_ci_workflow.png b/charter/imgs/dev_ci_workflow.png
new file mode 100644
index 0000000000000000000000000000000000000000..174d32fb6cab8e094df8757afe6173d8b772d30f
Binary files /dev/null and b/charter/imgs/dev_ci_workflow.png differ
diff --git a/charter/imgs/product_epic_overlay.png b/charter/imgs/product_epic_overlay.png
new file mode 100644
index 0000000000000000000000000000000000000000..2f161d9a40c900e7f77615b32819feb6cc87be1a
Binary files /dev/null and b/charter/imgs/product_epic_overlay.png differ
diff --git a/docs/1_overview.md b/docs/1_overview.md
index 1f7a9d9d30c494dc75c92fea93eb338238717771..128926942e18c4a3b3675de6a46a08eb3e239a74 100644
--- a/docs/1_overview.md
+++ b/docs/1_overview.md
@@ -27,7 +27,7 @@ Big Bang is a declarative, continuous delivery tool for core DoD hardened and ap
### Big Bang Components
-Big Bang is made of several components that operate together. These include a [base Kustomize](../base/), a [Helm chart](../chart), [packages](../chart/templates), and an [environment](https://repo1.dsop.io/platform-one/big-bang/customers/bigbang). The environment and base Kustomize are used together to deploy the Big Bang configuration and Helm chart. The Helm chart is then used to facilitate deployment of the packages.
+Big Bang is made of several components that operate together. These include a [base Kustomize](../base/), a [Helm chart](../chart), [packages](../chart/templates), and an [environment](https://repo1.dso.mil/platform-one/big-bang/customers/bigbang). The environment and base Kustomize are used together to deploy the Big Bang configuration and Helm chart. The Helm chart is then used to facilitate deployment of the packages.
### Flux v2
@@ -57,19 +57,19 @@ The following packages are included in a default deployment of Big Bang:
|Name|Description|Helm Chart Repo|
|--|--|--|
-|[Istio](https://istio.io/)|[Service Mesh](https://www.redhat.com/en/topics/microservices/what-is-a-service-mesh)|[Link](https://repo1.dsop.io/platform-one/big-bang/apps/core/servicemesh.git)|
-|Cluster Auditor| |[Link](https://repo1.dsop.io/platform-one/big-bang/apps/core/cluster-auditor.git)|
-|[Open Policy Agent Gatekeeper](https://github.com/open-policy-agent/gatekeeper)| Policy Management | [Link](https://repo1.dsop.io/platform-one/big-bang/apps/core/policy.git)|
-|[Elastic Cloud on Kubernetes (ECK)](https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html)| Logging; Incl. Elasticsearch & Kibana |[Link](https://repo1.dsop.io/platform-one/big-bang/apps/core/elasticsearch-kibana.git)|
-|[Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/)| Monitoring |[Link](https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring.git)|
-|[Twistlock](https://www.paloaltonetworks.com/prisma/cloud)| Security Scanning |[Link](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock.git)|
+|[Istio](https://istio.io/)|[Service Mesh](https://www.redhat.com/en/topics/microservices/what-is-a-service-mesh)|[Link](https://repo1.dso.mil/platform-one/big-bang/apps/core/servicemesh.git)|
+|Cluster Auditor| |[Link](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git)|
+|[Open Policy Agent Gatekeeper](https://github.com/open-policy-agent/gatekeeper)| Policy Management | [Link](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git)|
+|[Elastic Cloud on Kubernetes (ECK)](https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html)| Logging; Incl. Elasticsearch & Kibana |[Link](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git)|
+|[Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/)| Monitoring |[Link](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git)|
+|[Twistlock](https://www.paloaltonetworks.com/prisma/cloud)| Security Scanning |[Link](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git)|
In addition, the following packages can be added onto the default deployment:
|Name|Description|Helm Chart Repo|
|--|--|--|
-|[Argo CD](https://argoproj.github.io/argo-cd/)| Continuous Delivery |[Link](https://repo1.dsop.io/platform-one/big-bang/apps/core/argocd.git)|
-|Auth Service|Single Sign On|[Link](https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git)
+|[Argo CD](https://argoproj.github.io/argo-cd/)| Continuous Delivery |[Link](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git)|
+|Auth Service|Single Sign On|[Link](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice.git)
---
diff --git a/docs/2_getting_started.md b/docs/2_getting_started.md
index 47bd4d13ed92def8994ca1a857541038d291bb6b..268c8a45103966a973d876045e1261d9dca92413 100644
--- a/docs/2_getting_started.md
+++ b/docs/2_getting_started.md
@@ -31,7 +31,7 @@ Table of Contents
[Flux v2](https://toolkit.fluxcd.io/) must be installed into the Kubernetes cluster before deploying Big Bang. There are three options for doing this:
-1. (Recommended) Deploy officially through [Iron Bank](registry1.dsop.io)
+1. (Recommended) Deploy officially through [Iron Bank](registry1.dso.mil)
```bash
# The script will do the following:
@@ -42,10 +42,10 @@ Table of Contents
hack/flux-install.sh
```
-1. Deploy unofficially through [Big Bang's Repo](https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/fluxv2/container_registry)
+1. Deploy unofficially through [Big Bang's Repo](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/fluxv2/container_registry)
```bash
- flux install --registry registry.dsop.io/platform-one/big-bang/apps/sandbox/fluxv2
+ flux install --registry registry.dso.mil/platform-one/big-bang/apps/sandbox/fluxv2
```
1. Deploy for development through [DockerHub](https://hub.docker.com/search?q=fluxcd)
@@ -56,7 +56,7 @@ Table of Contents
## Configuration Template
-A [template for configuring multi-cluster environments](https://repo1.dsop.io/platform-one/big-bang/customers/template/) is provided to assist with getting Big Bang setup correctly. You should make a copy of the `./bigbang` folder from the [customer Big Bang repository](https://repo1.dsop.io/platform-one/big-bang/customers/template) and place it into a Git repository under your control.
+A [template for configuring multi-cluster environments](https://repo1.dso.mil/platform-one/big-bang/customers/template/) is provided to assist with getting Big Bang setup correctly. You should make a copy of the `./bigbang` folder from the [customer Big Bang repository](https://repo1.dso.mil/platform-one/big-bang/customers/template) and place it into a Git repository under your control.
### Overview
@@ -68,7 +68,7 @@ The template is setup to allow you to customize the Big Bang deployment for your
- Reference to SOPS private key - See the [encryption help](3_encryption.md) for more information.
- Iron Bank pull credentials
-The [Configuration Template help](https://repo1.dsop.io/platform-one/big-bang/customers/template/-/blob/main/README.md) contains details on how to setup these items.
+The [Configuration Template help](https://repo1.dso.mil/platform-one/big-bang/customers/template/-/blob/main/README.md) contains details on how to setup these items.
If there is additional configuration you want, refer to the [configuration help](4_configuration.md) for details.
diff --git a/docs/3_encryption.md b/docs/3_encryption.md
index 792a92d65f0055d766f31030f151b94fb0f17729..d21fa4b85cdbe5b326d7a59464efab1464474263 100644
--- a/docs/3_encryption.md
+++ b/docs/3_encryption.md
@@ -107,7 +107,7 @@ TBD - [This article](https://blog.doit-intl.com/injecting-secrets-from-aws-gcp-o
## Configure Big Bang
-Big Bang needs to know how to retrieve the private key so it can deploy the encrypted secrets from Git. Decryption configuration is placed in the top-level manifest (e.g. `dev.yaml`, `prod.yaml`) from the [Big Bang template](https://repo1.dsop.io/platform-one/big-bang/customers/template). By default, the `Kustomization` resource uses a Secret named `sops-gpg` for the private key as shown here:
+Big Bang needs to know how to retrieve the private key so it can deploy the encrypted secrets from Git. Decryption configuration is placed in the top-level manifest (e.g. `dev.yaml`, `prod.yaml`) from the [Big Bang template](https://repo1.dso.mil/platform-one/big-bang/customers/template). By default, the `Kustomization` resource uses a Secret named `sops-gpg` for the private key as shown here:
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
diff --git a/docs/4_configuration.md b/docs/4_configuration.md
index 2f4ac3ea3666a3fb59a7cb7ace7e40f5e9eef6ab..f589a748731559633b9090c09886d26f56cbc224 100644
--- a/docs/4_configuration.md
+++ b/docs/4_configuration.md
@@ -19,7 +19,7 @@ Table of Contents
## Overview
-Configuration of Big Bang is achieved by overriding default values set in the package or Big Bang using the [environment template](https://repo1.dsop.io/platform-one/big-bang/customers/template). The template has a 4 potential locations for setting values: `base/secrets.enc.yaml`, `base/configmap.yaml`, `<env>/secrets.enc.yaml`, and `<env>/configmap.yaml`. Overrides proceed as follows, with `<env>/configmap.yaml` having the highest precedence.
+Configuration of Big Bang is achieved by overriding default values set in the package or Big Bang using the [environment template](https://repo1.dso.mil/platform-one/big-bang/customers/template). The template has a 4 potential locations for setting values: `base/secrets.enc.yaml`, `base/configmap.yaml`, `<env>/secrets.enc.yaml`, and `<env>/configmap.yaml`. Overrides proceed as follows, with `<env>/configmap.yaml` having the highest precedence.
```mermaid
graph TD
@@ -31,7 +31,7 @@ graph TD
-->env-c[`<env>/configmap.yaml` values]
```
-In all four cases, Big Bang reads a single key named `values.yaml` that contains the data to override. See the [Big Bang environment template](https://repo1.dsop.io/platform-one/big-bang/customers/template) for examples on how to use these files to override values.
+In all four cases, Big Bang reads a single key named `values.yaml` that contains the data to override. See the [Big Bang environment template](https://repo1.dso.mil/platform-one/big-bang/customers/template) for examples on how to use these files to override values.
## Pre-configuration
@@ -54,7 +54,7 @@ At a minimum, the following items must be configured for a default Big Bang depl
- [SOPS private key reference](3_encryption.md).
- [Registry pull credentials](#registry-pull-credentials)
-The Big Bang [Environment Template](https://repo1.dsop.io/platform-one/big-bang/customers/template) has placeholders for all of the above.
+The Big Bang [Environment Template](https://repo1.dso.mil/platform-one/big-bang/customers/template) has placeholders for all of the above.
## Big Bang Globals
@@ -72,7 +72,7 @@ Registry credentials are used to pull images for Big Bang. By default, it point
| Key | Description | Type | Default |
|--|--|--|--|
-| `registry` | Container registry location | Domain Name | `registry1.dsop.io`
+| `registry` | Container registry location | Domain Name | `registry1.dso.mil`
| `username`* | Container registry username | String | "" |
| `password`* | User's password | String | "" |
| `email` | User's email | Email | "" |
@@ -97,7 +97,7 @@ Each package (e.g. `istio`, `clusterAuditor`) has configuration to control how B
| Key | Description | Type | Default |
|--|--|--|--|
| `enabled` | Determines if the package will get deployed or skipped | Boolean | `true` (unless its an `addon`) |
-| `git.repo` | Location of the Git repo holding the package deployment resources | URL | `https://repo1.dsop.io/platform-one/big-bang/apps/...`
+| `git.repo` | Location of the Git repo holding the package deployment resources | URL | `https://repo1.dso.mil/platform-one/big-bang/apps/...`
| `git.branch` | Branch to use for package deployment resources | string | `chart-release` or `release-vx.x.x` |
| `git.commit` | SHA of specific commit to use in Git for package deployment resources | SHA | null |
| `git.tag` | Git tag to use for package deployment resources | string | null |
@@ -124,7 +124,7 @@ In your `kustomization.yaml` under your environment, here is an example of how t
```yaml
bases:
-- https://repo1.dsop.io/platform-one/big-bang/umbrella.git/base/?ref=v1.2.*
+- https://repo1.dso.mil/platform-one/big-bang/umbrella.git/base/?ref=v1.2.*
patchesStrategicMerge:
- |-
apiVersion: source.toolkit.fluxcd.io/v1beta1
@@ -151,7 +151,7 @@ metadata:
namespace: bigbang
spec:
interval: 1m
- url: https://repo1.dsop.io/platform-one/big-bang/customers/template.git
+ url: https://repo1.dso.mil/platform-one/big-bang/customers/template.git
ref:
branch: main
---
diff --git a/docs/5_deployment.md b/docs/5_deployment.md
index bd61f0343f8b713fa193030db10c11ffd630ecc4..87fd8366e4dad084c43e895ab0d9764915ea0170 100644
--- a/docs/5_deployment.md
+++ b/docs/5_deployment.md
@@ -74,7 +74,7 @@ The following commands will help you monitor the progress of the Big Bang deploy
# `environment-repo`: STATUS should be True
NAMESPACE NAME URL READY STATUS AGE
- bigbang environment-repo https://repo1.dsop.io/platform-one/big-bang/customers/template.git True Fetched revision: main/185e252f4452d897531ab0314adc7a189562be31 2m7s
+ bigbang environment-repo https://repo1.dso.mil/platform-one/big-bang/customers/template.git True Fetched revision: main/185e252f4452d897531ab0314adc7a189562be31 2m7s
```
1. Verify the environment Kustomization properly worked
@@ -116,7 +116,7 @@ The following commands will help you monitor the progress of the Big Bang deploy
# 'bigbang' READY should be True
NAME URL READY STATUS AGE
- bigbang https://repo1.dsop.io/platform-one/big-bang/umbrella.git True Fetched revision: master/8a4a1ddd0c9edf316f5362680cf2921baf0c3451 25m
+ bigbang https://repo1.dso.mil/platform-one/big-bang/umbrella.git True Fetched revision: master/8a4a1ddd0c9edf316f5362680cf2921baf0c3451 25m
```
1. Verify the Big Bang Helm Chart was deployed
@@ -137,14 +137,14 @@ The following commands will help you monitor the progress of the Big Bang deploy
# The Git repository holding the Helm charts for each package can be seen in the URL column.
# The STATUS column shows the branch and tag of the revision being used.
NAMESPACE NAME URL READY STATUS AGE
- bigbang bigbang https://repo1.dsop.io/platform-one/big-bang/umbrella.git True Fetched revision: master/3a44686520152e576a8c2c6f264876efff497c4b 8m25s
- bigbang logging https://repo1.dsop.io/platform-one/big-bang/apps/core/logging.git True Fetched revision: release-v0.2.x/9cfe1e14c12098464ee89eb877614f781cd78fb7 8m23s
- bigbang certmanager https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/cert-manager.git True Fetched revision: release-v1.0.x/1247135baf145dcfad4a4a02ef679c48fb76d9fb 8m23s
- bigbang istio https://repo1.dsop.io/platform-one/big-bang/apps/core/servicemesh.git True Fetched revision: chart-release/2b02a51b7950ce21bac26403fa25d09e7e3f86c3 8m23s
- bigbang twistlock https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock.git True Fetched revision: chart-release/faf038197291915713e0f213a4e35991e72f73f6 8m23s
- bigbang gatekeeper https://repo1.dsop.io/platform-one/big-bang/apps/core/policy.git True Fetched revision: chart-release/1a5f32c8e7f672c3b5937b604e5f38eaa08ce246 8m23s
- bigbang monitoring https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring.git True Fetched revision: release-v0.2.x/ca60bedcc106b95beb0bf9ccdc6e0e759e6fd6bf 8m23s
- bigbang cluster-auditor https://repo1.dsop.io/platform-one/big-bang/apps/core/cluster-auditor.git True Fetched revision: chart-release/598c35670db0cbdb3a48063b2d558965afe73185 8m23s
+ bigbang bigbang https://repo1.dso.mil/platform-one/big-bang/umbrella.git True Fetched revision: master/3a44686520152e576a8c2c6f264876efff497c4b 8m25s
+ bigbang logging https://repo1.dso.mil/platform-one/big-bang/apps/core/logging.git True Fetched revision: release-v0.2.x/9cfe1e14c12098464ee89eb877614f781cd78fb7 8m23s
+ bigbang certmanager https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/cert-manager.git True Fetched revision: release-v1.0.x/1247135baf145dcfad4a4a02ef679c48fb76d9fb 8m23s
+ bigbang istio https://repo1.dso.mil/platform-one/big-bang/apps/core/servicemesh.git True Fetched revision: chart-release/2b02a51b7950ce21bac26403fa25d09e7e3f86c3 8m23s
+ bigbang twistlock https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git True Fetched revision: chart-release/faf038197291915713e0f213a4e35991e72f73f6 8m23s
+ bigbang gatekeeper https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git True Fetched revision: chart-release/1a5f32c8e7f672c3b5937b604e5f38eaa08ce246 8m23s
+ bigbang monitoring https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git True Fetched revision: release-v0.2.x/ca60bedcc106b95beb0bf9ccdc6e0e759e6fd6bf 8m23s
+ bigbang cluster-auditor https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git True Fetched revision: chart-release/598c35670db0cbdb3a48063b2d558965afe73185 8m23s
```
1. Verify the packages get deployed
diff --git a/docs/b_troubleshooting.md b/docs/b_troubleshooting.md
index c691dd96794cc550fc385ff84c8945cbacaa5d97..33be236c9c75fe6cc020e69aa262b567ad156a0e 100644
--- a/docs/b_troubleshooting.md
+++ b/docs/b_troubleshooting.md
@@ -17,7 +17,7 @@ Big Bang is configured to retry failed package installations and upgrades. Befo
| Symptom | Cause | Resolution |
|--|--|--|
-| Despite entering correct credentials, get `anauthorized: authentication required` from Iron Bank | Using a non-robot account with an expired token | Login with the non-robot account manually at `registry1.dsop.io`, then retry. For production, contact the Iron Bank team to obtain a robot account and update pull credentials to use it in your environment |
+| Despite entering correct credentials, get `anauthorized: authentication required` from Iron Bank | Using a non-robot account with an expired token | Login with the non-robot account manually at `registry1.dso.mil`, then retry. For production, contact the Iron Bank team to obtain a robot account and update pull credentials to use it in your environment |
## Flux install
diff --git a/docs/c_development.md b/docs/c_development.md
index 61726b383cea0b7cfa8c9a69439cc4dbff43f0a2..bb4925cce7409c270c6ee6cd4a0f62092d98b219 100644
--- a/docs/c_development.md
+++ b/docs/c_development.md
@@ -8,62 +8,151 @@ Included here is a setup that will allow you to checkout and begin development u
#### Access
+ [AWS GovCloud (US) EC2](https://console.amazonaws-us-gov.com/ec2)
-+ [Umbrella repository](https://repo1.dsop.io/platform-one/big-bang/umbrella)
-+ [Iron Bank registry](https://registry1.dsop.io/)
++ [Umbrella repository](https://repo1.dso.mil/platform-one/big-bang/umbrella)
++ [Iron Bank registry](https://registry1.dso.mil/)
+
+- [AWS GovCloud (US) EC2](https://console.amazonaws-us-gov.com/ec2)
+- [Umbrella repository](https://repo1.dsop.io/platform-one/big-bang/umbrella)
+- [Iron Bank registry](https://registry1.dsop.io/)
#### Utilities
-+ kubectl installed on local machine. This will also need to be installed on the remote if you wish to verify the K3D cluster using `kubectl cluster-info`
-```Bash
+
+- kubectl installed on local machine. This will also need to be installed on the remote if you wish to verify the K3D cluster using `kubectl cluster-info`
+
+```bash
# Install kubectl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update && sudo apt-get install -y kubectl
kubectl version --client
```
-+ yq installed on local machine
-```Bash
+
+- yq installed on local machine
+
+```bash
# Install yq
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
sudo add-apt-repository ppa:rmescandon/yq -y
sudo apt update && sudo apt install yq -y
yq --version
```
-+ Flux CLI installed on your local machine
-```Bash
+
+- Flux CLI installed on your local machine
+
+```bash
curl -s https://toolkit.fluxcd.io/install.sh | sudo bash
flux --version
```
+- AWS CLI
+
+```bash
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+aws --version
+```
+
### Manual Creation of a Development Environment
This section will cover the creation of an environment manually. This is a good place to start because it creates an understanding of everything that the automated method does for you.
Step 1: Create an Ubuntu EC2 instance with the following attributes:
- (see addendum for using Amazon Linux2)
-+ Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
-+ t2.xlarge
-+ IAM Role: InstanceOpsRole (This will add support for sops encryption with KMS)
-+ User Data (as Text):
+
```bash
+
+# Note: There is an issue with aws configure import, configuration is manual.
+# https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/import.html
+# https://github.com/aws/aws-cli/issues/1201#issuecomment-642131086
+# https://console.amazonaws-us-gov.com/iam/home?region=us-gov-west-1#/security_credentials
+
+# aws configure
+# aws_access_key_id - The AWS access key part of your credentials
+# aws_secret_access_key - The AWS secret access key part of your credentials
+# region - us-gov-west-1
+# output - JSON
+
+# Verify configuration
+aws configure list
+
+# Set variables
+AWSUSERNAME=$( aws sts get-caller-identity --query Arn --output text | cut -f 2 -d '/' )
+
+# Disable local pager
+export AWS_PAGER=""
+
+# Recreate key pair
+rm -f $AWSUSERNAME.pem
+aws ec2 delete-key-pair --key-name $AWSUSERNAME
+aws ec2 create-key-pair --key-name $AWSUSERNAME --query 'KeyMaterial' --output text > $AWSUSERNAME.pem
+chmod 400 $AWSUSERNAME.pem
+
+# Verify private key
+openssl rsa -noout -inform PEM -in $AWSUSERNAME.pem
+aws ec2 describe-key-pairs --key-name $AWSUSERNAME
+
+# Get InstanceId
+AWSINSTANCEID=$( aws ec2 describe-instances \
+ --output text \
+ --query "Reservations[].Instances[].InstanceId" \
+ --filters "Name=tag:Owner,Values=$AWSUSERNAME" "Name=tag:env,Values=bigbangdev" )
+
+# Terminate existing instance
+aws ec2 terminate-instances --instance-ids $AWSINSTANCEID
+
+# Delete old Security Group
+aws ec2 delete-security-group --group-name=$AWSUSERNAME
+
+# Get current datetime
+DATETIME=$( date +%Y%m%d%H%M%S )
+
+# Create new Security Group
+# A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
+aws ec2 create-security-group \
+ --group-name $AWSUSERNAME \
+ --description "Created by $AWSUSERNAME at $DATETIME" \
+
+# Get public IP
+YOURLOCALPUBLICIP=$( curl https://checkip.amazonaws.com )
+
+# Add rule to security group
+aws ec2 authorize-security-group-ingress \
+ --group-name $AWSUSERNAME \
+ --protocol tcp \
+ --port 0-65535 \
+ --cidr $YOURLOCALPUBLICIP/32
+
+# Create userdata.txt
+# https://aws.amazon.com/premiumsupport/knowledge-center/execute-user-data-ec2/
+cat << EOF > userdata.txt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==MYBOUNDARY=="
-
+
--==MYBOUNDARY==
Content-Type: text/x-shellscript; charset="us-ascii"
#!/bin/bash
- # Set the vm.max_map_count to 262144.
+ # Set the vm.max_map_count to 262144.
# Required for Elastic to run correctly without OOM errors.
sysctl -w vm.max_map_count=262144
+EOF
+
+# Create new instance
+aws ec2 run-instances \
+ --image-id ami-84556de5 \
+ --count 1 \
+ --instance-type t2.xlarge \
+ --key-name $AWSUSERNAME \
+ --tag-specifications "ResourceType=instance,Tags=[{Key=Owner,Value=$AWSUSERNAME},{Key=env,Value=bigbangdev}]" \
+ --block-device-mappings 'DeviceName=/dev/sda1,Ebs={VolumeSize=50}' \
+ --iam-instance-profile Name="InstanceOpsRole" \
+ --security-groups $AWSUSERNAME \
+ --user-data file://userdata.txt
```
-+ 50 Gigs of disk space
-+ Tags: ```Owner: <IAM User>```
-+ Security Group: All TCP, My IP
-+ If you have created an existing key pair that you still have access to, select it. If not, create a new key pair.
Step 2: SSH into your new EC2 instance and configure it with the following:
-+ Install Docker CE
+- Install Docker CE
```bash
# Remove any old Docker items
@@ -89,14 +178,14 @@ sudo usermod -aG docker $USER
logout
```
-+ Install K3D on the EC2 instance
+- Install K3D on the EC2 instance
```bash
wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | bash
k3d version
```
-+ We can now spin up our dev cluster on the EC2 instance using K3D
+- We can now spin up our dev cluster on the EC2 instance using K3D
```bash
YOURPUBLICEC2IP=$( curl https://ipinfo.io/ip )
@@ -104,7 +193,7 @@ echo $YOURPUBLICEC2IP
k3d cluster create -s 1 -a 3 --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disable=metrics-server" --k3s-server-arg "--tls-san=$YOURPUBLICEC2IP" -p 80:80@loadbalancer -p 443:443@loadbalancer
```
-+ ___Optionally___ you can set your image pull secret on the cluster so that you don't have to put your credentials in the code or in the command line in later steps
+- **_Optionally_** you can set your image pull secret on the cluster so that you don't have to put your credentials in the code or in the command line in later steps
```bash
# Create the directory for the k3s registry config.
@@ -113,7 +202,7 @@ mkdir ~/.k3d/
# Create the config file. Use your registry1 credentials. Copy your user name and token secret from your Harbor profile.
cat << EOF > ~/.k3d/p1-registries.yaml
configs:
- "registry1.dsop.io":
+ "registry1.dso.mil":
auth:
username: "user.name"
password: "place_token_secret_here"
@@ -124,29 +213,32 @@ k3d cluster create --servers 1 --agents 3 -v ~/.k3d/p1-registries.yaml:/etc/ranc
```
Here is a break down of what we are doing with this command:
-+ `-s 1` Creating 1 master/server
-+ `-a 3` Creating 3 agent nodes
-+ `--k3s-server-arg "--disable=traefik"` Disable the default Traefik Ingress
-+ `--k3s-server-arg "--disable=metrics-server"` Disable default metrics
-+ `--k3s-server-arg "--tls-san=<your public ec2 ip>"` This adds the public IP to the kubeapi certificate so that you can access it remotely.
-+ `-p 80:80@loadbalancer` Exposes the cluster on the host on port 80
-+ `-p 443:443@loadbalancer` Exposes the cluster on the host on port 443
+
+- `-s 1` Creating 1 master/server
+- `-a 3` Creating 3 agent nodes
+- `--k3s-server-arg "--disable=traefik"` Disable the default Traefik Ingress
+- `--k3s-server-arg "--disable=metrics-server"` Disable default metrics
+- `--k3s-server-arg "--tls-san=<your public ec2 ip>"` This adds the public IP to the kubeapi certificate so that you can access it remotely.
+- `-p 80:80@loadbalancer` Exposes the cluster on the host on port 80
+- `-p 443:443@loadbalancer` Exposes the cluster on the host on port 443
optional:
`-v ~/.k3d/p1-registries.yaml:/etc/rancher/k3s/registries.yaml` volume mount image pull secret config for k3d cluster
`--api-port 0.0.0.0:38787` Chooses a port for the API server instead of being assigned a random one. You can set this to any port number that you want.
-+ Once your cluster is up, you can copy the kubeconfig from the EC2 instance to your workstation and update the IP Address. If you do not have an existing configuration to preserve on your local workstation, you can delete and recreate the configuration file.
+- Once your cluster is up, you can copy the kubeconfig from the EC2 instance to your workstation and update the IP Address. If you do not have an existing configuration to preserve on your local workstation, you can delete and recreate the configuration file.
Copy the contents of the remote configuation file.
+
```bash
cat ~/.kube/config
```
-+ Move to your workstation and setup namespace
+- Move to your workstation and setup namespace
Update the configuration file on your local workstation.
-```Bash
+
+```bash
# Remove existing configuation if defined.
rm ~/.kube/config
@@ -160,7 +252,8 @@ chmod go-r ~/.kube/config
# Open vi to edit configuation
vi ~/.kube/config
```
-Paste the contents into the new file, and update the `server` URL to the public IP address (```$YOURPUBLICEC2IP```).
+
+Paste the contents into the new file, and update the `server` URL to the public IP address (`$YOURPUBLICEC2IP`).
```bash
# Test to see if you can connect to your cluster
@@ -171,11 +264,13 @@ kubectl get nodes
mkdir -pv ~/repos/
cd ~/repos
-git clone https://repo1.dsop.io/platform-one/big-bang/umbrella.git
+git clone https://repo1.dso.mil/platform-one/big-bang/umbrella.git
cd ~/repos/umbrella
```
+
From the base of the project
-```Bash
+
+```bash
# Flux - Install the toolkit components
flux install
@@ -183,11 +278,11 @@ flux install
kubectl create ns bigbang
```
-+ Customize your Helm values
+- Customize your Helm values
```bash
# You will be overriding values in `chart/values.yaml` for development
-# You can use the [Big Bang template's dev ConfigMap](https://repo1.dsop.io/platform-one/big-bang/customers/bigbang/-/blob/template/bigbang/dev/configmap.yaml) to start. This will minimize the resources for deploying BigBang.
+# You can use the [Big Bang template's dev ConfigMap](https://repo1.dso.mil/platform-one/big-bang/customers/bigbang/-/blob/template/bigbang/dev/configmap.yaml) to start. This will minimize the resources for deploying BigBang.
# For convenience, it is also copied here
cat << EOF > my-values.yaml
@@ -243,7 +338,7 @@ EOF
# Examples included enabling add-ons, disabling unneeded features, etc.
```
-+ Deploy secrets
+- Deploy secrets
```bash
# These are all OPTIONAL. Deploy them if you need them
@@ -261,13 +356,14 @@ sops -d ./hack/secrets/ingress-cert.yaml | kubectl apply -f -
kubectl apply -f tests/ci/shared-secrets.yaml
```
-+ Install BigBang using Iron Bank (Harbor) credentials.
+- Install BigBang using Iron Bank (Harbor) credentials.
+
```bash
# Helm install BigBang
helm upgrade -i bigbang chart -n bigbang --create-namespace --set registryCredentials.username='<your user>' --set registryCredentials.password=<your cli key> -f my-values.yaml
```
-+ You can now modify your local `/etc/hosts` file to allow for local name resolution. On Windows, this file is located at `$env:windir\System32\drivers\etc\hosts`
+- You can now modify your local `/etc/hosts` file to allow for local name resolution. On Windows, this file is located at `$env:windir\System32\drivers\etc\hosts`
```HOSTS
<X.X.X.X> kibana.bigbang.dev
@@ -276,7 +372,8 @@ helm upgrade -i bigbang chart -n bigbang --create-namespace --set registryCreden
<X.X.X.X> graphana.bigbang.dev
```
-+ You can watch your install take place with
+- You can watch your install take place with
+
```bash
# macOS does not include watch
# recommend install with brew
diff --git a/hack/flux-install.sh b/hack/flux-install.sh
index f2e0c5c1e778d4d76d8fc4fb3c925de014446c8a..f5b7509f69b1f9209f515eb190003ed9588d3f21 100755
--- a/hack/flux-install.sh
+++ b/hack/flux-install.sh
@@ -5,7 +5,7 @@
# After Flux2 is installed, the secret will be removed from the cluster
# Constants
-reg=registry1.dsop.io
+reg=registry1.dso.mil
repo=ironbank/fluxcd
fluxver="v0.2.4"
ns=flux-system
diff --git a/scripts/deploy/01_deploy_bigbang.sh b/scripts/deploy/01_deploy_bigbang.sh
index fc84dec4e6292fa55f82f6f0b04546bd8d6696c4..1f94df3c6a1ed116c5cbda61c335aff25097da75 100755
--- a/scripts/deploy/01_deploy_bigbang.sh
+++ b/scripts/deploy/01_deploy_bigbang.sh
@@ -7,32 +7,33 @@ echo "Installing Flux"
flux --version
flux check --pre
-# Install flux in the cluster
+# create flux namespace
kubectl create ns flux-system || true
-# TODO When changing the flux images to .mil this will need to chagne
+# delete flux private-registry secret
+kubectl delete secret private-registry -n flux-system || true
+
+# create flux private-registry secret
kubectl create secret docker-registry private-registry -n flux-system \
- --docker-server=registry1.dsop.io \
+ --docker-server=registry1.dso.mil \
--docker-username='robot$bigbang' \
--docker-password=${REGISTRY1_PASSWORD} \
--docker-email=bigbang@bigbang.dev || true
+
+# install flux
kubectl apply -f ./scripts/deploy/flux.yaml
-# Wait for flux
-kubectl wait --for=condition=available --timeout 300s -n "flux-system" "deployment/helm-controller"
-kubectl wait --for=condition=available --timeout 300s -n "flux-system" "deployment/source-controller"
+# wait for flux
flux check
-# Deploy BigBang using dev sized scaling
+# deploy BigBang using dev sized scaling
echo "Installing BigBang"
helm upgrade -i bigbang chart -n bigbang --create-namespace \
--set registryCredentials[0].username='robot$bigbang' --set registryCredentials[0].password=${REGISTRY1_PASSWORD} \
---set registryCredentials[0].registry=registry1.dsop.io \
---set registryCredentials[1].username='robot$bigbang' --set registryCredentials[1].password=${REGISTRY1_PASSWORD} \
---set registryCredentials[1].registry=registry1.dso.mil \
+--set registryCredentials[0].registry=registry1.dso.mil \
-f tests/ci/k3d/values.yaml
-## Apply secrets kustomization pointing to current branch
+# apply secrets kustomization pointing to current branch
echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
if [[ -z "${CI_COMMIT_TAG}" ]]; then
cat tests/ci/shared-secrets.yaml | sed 's|master|'$CI_COMMIT_REF_NAME'|g' | kubectl apply -f -
diff --git a/scripts/deploy/02_wait_for_helmrealeases.sh b/scripts/deploy/02_wait_for_helmrealeases.sh
index e619ad73bc015b1309d283931edf078c0a1db773..2849f2d996b8177202757ecc84f63119972eb87b 100755
--- a/scripts/deploy/02_wait_for_helmrealeases.sh
+++ b/scripts/deploy/02_wait_for_helmrealeases.sh
@@ -1,10 +1,10 @@
#!/usr/bin/env bash
-set -e
+set -ex
## This is an array to instantiate the order of wait conditions
-ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab minio-operator minio"
+ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab haproxy-sso minio-operator minio"
## This the actual deployed helmrelease objects in the cluster
DEPLOYED_HELMRELEASES=$(kubectl get hr --no-headers -n bigbang | awk '{ print $1}')
@@ -31,7 +31,7 @@ function array_contains() {
## $1: package name
function wait_on() {
echo "Waiting on package $1"
- kubectl wait --for=condition=Ready --timeout 500s helmrelease -n bigbang $1;
+ kubectl wait --for=condition=Ready --timeout 600s helmrelease -n bigbang $1;
}
for package in $ORDERED_HELMRELEASES;
diff --git a/scripts/deploy/flux.yaml b/scripts/deploy/flux.yaml
index 023ff79ce7099695e49b01c8f6d7e9d4249770c0..ba81d20aab8a0b218d5301bfb471e2f05ff5c9b0 100644
--- a/scripts/deploy/flux.yaml
+++ b/scripts/deploy/flux.yaml
@@ -942,7 +942,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: registry1.dsop.io/ironbank/fluxcd/source-controller:v0.4.0
+ image: registry1.dso.mil/ironbank/fluxcd/source-controller:v0.4.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -1290,7 +1290,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: registry1.dsop.io/ironbank/fluxcd/kustomize-controller:v0.4.0
+ image: registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v0.4.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -1774,7 +1774,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: registry1.dsop.io/ironbank/fluxcd/helm-controller:v0.4.0
+ image: registry1.dso.mil/ironbank/fluxcd/helm-controller:v0.4.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -2350,7 +2350,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: registry1.dsop.io/ironbank/fluxcd/notification-controller:v0.4.0
+ image: registry1.dso.mil/ironbank/fluxcd/notification-controller:v0.4.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
diff --git a/scripts/package/synker.Dockerfile b/scripts/package/synker.Dockerfile
index bb1a151196a3de7a48028bf45c9fc2217a156cf5..fa6294ef626842f9f5a311de2fa30a04acfc7d30 100644
--- a/scripts/package/synker.Dockerfile
+++ b/scripts/package/synker.Dockerfile
@@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
&& apt-get clean
# Clone the latest release of p8kr and built the binrary statically
-RUN git clone https://repo1.dsop.io/platform-one/hagrid/sync.git synker && \
+RUN git clone https://repo1.dso.mil/platform-one/hagrid/sync.git synker && \
cd synker && \
make binary-local-static DISABLE_CGO=1
diff --git a/scripts/package/synker.yaml b/scripts/package/synker.yaml
index c76a0622d4095b9a874b7ef8ee4d86206331a867..4e5aee894da0000dcc90f7a65faa75af091cc062 100644
--- a/scripts/package/synker.yaml
+++ b/scripts/package/synker.yaml
@@ -29,4 +29,4 @@ destination:
source:
authFile: /root/.docker/config.json
images:
- - registry.dsop.io/platform-one/big-bang/apps/security-tools/twistlock/defender:20.04.163
+ - registry.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/defender:20.04.163
diff --git a/tests/ci/shared-secrets.yaml b/tests/ci/shared-secrets.yaml
index f66695b22a9cef69c7b354b9f3e8798e6382da5a..1870a2b6da1fbc6ac914dcd3d330e1792dd215b2 100644
--- a/tests/ci/shared-secrets.yaml
+++ b/tests/ci/shared-secrets.yaml
@@ -20,7 +20,7 @@ spec:
interval: 1m0s
# NOTE: We could use the same "bigbang" repository, but secrets are usually committed to a consumer owned repo,
# so we are demonstrating that here with a new `GitRepository` resource pointed to the same repo
- url: https://repo1.dsop.io/platform-one/big-bang/umbrella.git
+ url: https://repo1.dso.mil/platform-one/big-bang/umbrella.git
ref:
branch: master
---
diff --git a/tests/registries.yaml.template b/tests/registries.yaml.template
index 0af845d0ce58de04b59958729ff68bb63845b921..e5e8fbf6ee954ba27f5798785d8b4b1830b9cece 100644
--- a/tests/registries.yaml.template
+++ b/tests/registries.yaml.template
@@ -1,5 +1,5 @@
configs:
- "registry1.dsop.io":
+ "registry1.dso.mil":
auth:
username: robot${DOLLAR}bigbang
password: ${REGISTRY1_PASSWORD}