Rebase and formatting

5f9c5a2c · Zachariah Dzielinski · 2a102c70 · fe61db78 · 5f9c5a2c · 5f9c5a2c
Commit 5f9c5a2c authored 4 years ago by Zachariah Dzielinski
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,10 +4,48 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

-## [Unreleased]
+## [1.0.3]
+
+* Added [Gitlab](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab)
+* Added ability to provide multiple registry credentials while maintaining current capabilities:
+
+```
+registryCredentials:
+  username: registry1user
+  password: somesecretpassword
+```
+
+or
+```
+registryCredentials:
+- registry: registry1.dso.mil
+  username: registry1user
+  password: somesecretpassword
+- registry: registry.dsop.io
+  username: registry1user
+  password: somesecretpassword
+- registry: somewhere.else.io
+  username: someuser
+  password: someothersecret
+```
+will correctly create the ImagePullSecrets for all those registries
+
+
+## [1.0.2]

 ### Changed

+* Updated istio-controlplane to [1.7.3-bb.5](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane/-/tags/1.7.3-bb.5) to allow
+for setting ingressgateway to use nodeports
+
+## [1.0.1]
+
+
+### Changed
+
+* Updated Istio Control plane to support Node Ports for ingressGateway
+* Update Istio Control plane to support SSO for Kiali and Jaeger
+* Update Authservice to refact definitions of filter chains
 * Updated documentation

 ---

--- a/Packages.md
+++ b/Packages.md
@@ -4,25 +4,28 @@

 | Package | Status |
 | ----    | ---  |
-| Istio Operator |  ![Istio Operator Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-operator/badges/main/pipeline.svg) |
-| Istio Controlplane | ![Istio Controlplane Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane/badges/main/pipeline.svg) | 
-| Monitoring | ![Monitoring Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring/badges/main/pipeline.svg) |
-| ECK Operator | ![ECK Operator Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/eck-operator/badges/main/pipeline.svg) | 
-| Elasticsearch Kibana |![EK Operator Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/elasticsearch-kibana/badges/main/pipeline.svg)  |
-| Fluentbit | ![Fluentbit Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/fluentbit/badges/main/pipeline.svg)  |
-| OPA Gatekeeper | ![OPA Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/policy/badges/main/pipeline.svg) |
-| Argocd |![Argo Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/argocd/badges/main/pipeline.svg)  |
-| Cluster Auditor | ![Cluster Auditor Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/cluster-auditor/badges/main/pipeline.svg)  |
+| [Istio Operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator) |  ![Istio Operator Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-operator/badges/main/pipeline.svg) |
+| [Istio Controlplane](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane) | ![Istio Controlplane Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane/badges/main/pipeline.svg) | 
+| [Monitoring](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring) | ![Monitoring Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring/badges/main/pipeline.svg) |
+| [ECK Operator](https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator) | ![ECK Operator Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/eck-operator/badges/main/pipeline.svg) | 
+| [Elasticsearch Kibana](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana) |![EK Operator Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/elasticsearch-kibana/badges/main/pipeline.svg)  |
+| [Fluentbit](https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit) | ![Fluentbit Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/fluentbit/badges/main/pipeline.svg)  |
+| [OPA Gatekeeper](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy) | ![OPA Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/policy/badges/main/pipeline.svg) |
+| [Argocd](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd) |![Argo Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/argocd/badges/main/pipeline.svg)  |
+| [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor) | ![Cluster Auditor Build](https://repo1.dsop.io/platform-one/big-bang/apps/core/cluster-auditor/badges/main/pipeline.svg)  |


 ## Security
 | Package | Status |
 | ----    | ---  |
-| Keycloak |  ![Keycloak Build](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/keycloak/badges/main/pipeline.svg) |
-| Twistlock |  ![Twistlock Build](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock/badges/main/pipeline.svg) |
+| [Keycloak](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) |  ![Keycloak Build](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/keycloak/badges/main/pipeline.svg) |
+| [Twistlock](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock) |  ![Twistlock Build](https://repo1.dsop.io/platform-one/big-bang/apps/security-tools/twistlock/badges/main/pipeline.svg) |
+| [Anchore Enterprise](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise) | ![Anchore Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/badges/main/pipeline.svg)
+| [Authservice](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice) | ![Authservice Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice/badges/main/pipeline.svg)

 ## Development Tools

 | Package | Status |
 | ----    | ---  |
-| Gitlab Runner |  ![Gitlab Runner Build](https://repo1.dsop.io/platform-one/big-bang/apps/developer-tools/gitlab-runner/badges/main/pipeline.svg) |
+| [Gitlab](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab)  | ![Gitlab Build](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/badges/main/pipeline.svg)    |
+| [Gitlab Runner](https://repo1.dsop.io/platform-one/big-bang/apps/developer-tools/gitlab-runner) |  ![Gitlab Runner Build](https://repo1.dsop.io/platform-one/big-bang/apps/developer-tools/gitlab-runner/badges/main/pipeline.svg) |
--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dsop.io/platform-one/big-bang/umbrella.git
  ref:
-    tag: 0.0.2
\ No newline at end of file
+    tag: 1.0.3
\ No newline at end of file
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.0.2
+version: 1.0.3
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
+Thank you for supporting PlatformOne! 
+
+{{ if $.Values.addons.gitlab.enabled }}
+Gitlab is enabled.
+Please follow the Gitlab online documentation for proper configuration. 
+Here is an example of how to configure external perstistent storage for postgres DB and object storage.
+
+addons:
+  gitlab:
+    enabled: true
+    values:
+      postgresql:
+        install: false
+      global:
+        minio:
+          enabled: false
+        psql:
+          host: postgres-postgresql-headless.postgres.svc.cluster.local
+          port: 5432
+          username: postgres
+          database: postgres
+          password:
+            secret: db-credentials
+            key: PGPASSWORD
+        registry:
+          bucket: gitlab-registry-storage
+        appConfig:
+          lfs:
+            bucket: gitlab-lfs
+            connection:
+              secret: gitlab-object-storage
+              key: rails
+          artifacts:
+            bucket: gitlab-artifacts
+            connection:
+              secret: gitlab-object-storage
+              key: rails
+          uploads:
+            bucket: gitlab-uploads
+            connection:
+              secret: gitlab-object-storage
+              key: rails
+          packages:
+            bucket: gitlab-packages
+            connection:
+              secret: gitlab-object-storage
+              key: rails
+          externalDiffs:
+            bucket: gitlab-mr-diffs
+            connection:
+              secret: gitlab-object-storage
+              key: rails
+          terraformState:
+            enabled: false
+            bucket: gitlab-terraform-state
+            connection:
+              secret: gitlab-object-storage
+              key: rails
+          backups:
+            bucket: gitlab-backup
+            tmpBucket: gitlab-backup-tmp
+      gitlab:
+        task-runner:
+          psql:
+            host: postgres-postgresql-headless.postgres.svc.cluster.local
+            port: 5432
+            username: postgres
+            database: postgres
+            password:
+              secret: db-credentials
+              key: PGPASSWORD
+          backups:
+            objectStorage:
+              config:
+                secret: gitlab-object-storage
+                key: backups
+      registry:
+        storage:
+          secret: gitlab-object-storage
+          key: registry
+
+
+{{- if $.Values.addons.gitlab.values.postgresql.install }}
+PLATFORM ONE GITLAB WARNING:
+  You have enabled an internal postgres database in the values configuration.
+  PlatformOne does not support this option for production deployments because your persistent data can be permanently lost.
+  This option should only be used for development or CI pipelines.
+{{- end -}}
+
+{{- if $.Values.addons.gitlab.values.global.minio.enabled }}
+PLATFORM ONE GITLAB WARNING: 
+  You have enabled a MinIO internal service in the values configuration.
+  PlatformOne does not support this option for production deployments because your persistent data can be permanently lost.
+  This option should only be used for development or CI pipelines.
+{{- end }}
+{{- end }}
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
 {{- define "imagePullSecret" }}
-{{- with .Values.registryCredentials }}
-{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+  {{- if .Values.registryCredentials -}}
+    {{- $credType := typeOf .Values.registryCredentials -}}
+          {{- /* If we have a list, embed that here directly. This allows for complex configuration from configmap, downward API, etc. */ -}}
+    {{- if eq $credType "[]interface {}" -}}
+    {{- include "multipleCreds" . | b64enc }}
+    {{- else if eq $credType "map[string]interface {}" }}
+      {{- /* If we have a map, treat those as key-value pairs. */ -}}
+      {{- with .Values.registryCredentials }}
+      {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+      {{- end }}
+    {{- end -}}
+  {{- end }}
 {{- end }}
+
+{{- define "multipleCreds" -}}
+{
+  "auths": {
+    {{- $length := len .Values.registryCredentials }}
+    {{- range $index, $entry := .Values.registryCredentials }}
+    "{{- $entry.registry }}": {
+      "username{{ $index }}":"{{- $entry.username }}",
+      "password":"{{- $entry.password }}",
+      "email":"{{- $entry.email }}",
+      "auth":"{{- (printf "%s:%s" $entry.username $entry.password | b64enc) }}"
+    }{{- if ne $length (add $index 1) }},{{- end }}
+    {{- end }}
+  }
+}
 {{- end }}

 {{/*

--- a/chart/templates/argocd/namespace.yaml
+++ b/chart/templates/argocd/namespace.yaml
@@ -7,7 +7,7 @@ metadata:
  name: argocd

 ---
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/clusterauditor/namespace.yaml
+++ b/chart/templates/clusterauditor/namespace.yaml
@@ -7,7 +7,7 @@ metadata:
  name: cluster-auditor

 ---
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/gatekeeper/namespace.yaml
+++ b/chart/templates/gatekeeper/namespace.yaml
@@ -10,7 +10,7 @@ metadata:
  name: gatekeeper-system

 ---
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/gitlab/gitrepository.yaml
+++ b/chart/templates/gitlab/gitrepository.yaml
+{{- if and (not .Values.offline) .Values.addons.gitlab.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: gitlab
+  namespace: {{ .Release.Namespace }}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.addons.gitlab.git.repo }}
+  ref:
+    {{- include "validRef" .Values.addons.gitlab.git | nindent 4 }}
+  {{- include "gitCreds" .Values.git | nindent 2 }}
+{{- end }}
--- a/chart/templates/gitlab/helmrelease.yaml
+++ b/chart/templates/gitlab/helmrelease.yaml
+{{- if .Values.addons.gitlab.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: gitlab
+  namespace: {{ .Release.Namespace }}
+spec:
+  releaseName: gitlab
+  targetNamespace: gitlab
+  chart:
+    spec:
+      chart: {{ .Values.addons.gitlab.git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: gitlab
+        namespace: {{ .Release.Namespace }}
+
+{{- with .Values.flux }}
+  interval: {{ .interval }}
+  test:
+    enable: false
+  install:
+    remediation:
+      retries: {{ .install.retries }}
+  upgrade:
+    remediation:
+      retries: {{ .upgrade.retries }}
+      remediateLastFailure: true
+    cleanupOnFail: true
+  rollback:
+    timeout: {{ .rollback.timeout }}
+    cleanupOnFail: {{ .rollback.cleanupOnFail }}
+  {{- end }}
+
+  valuesFrom:
+    - name: values
+      kind: Secret
+      valuesKey: "gitlab.yaml"
+
+  values:
+    hostname: {{ .Values.hostname }}
+    istio:
+      enabled: {{ .Values.istio.enabled }}
+    monitoring:
+      enabled: {{ .Values.monitoring.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+    ## values for image pull secrets
+    redis:
+      metrics:
+        image:
+          pullSecrets: 
+          - private-registry
+      image:
+        pullSecrets: 
+        - private-registry
+    registry:
+      image:
+        pullSecrets:
+        - name: private-registry
+    shared-secrets:
+      selfsign:
+        image:
+          pullSecrets:
+          - name: private-registry
+    gitlab:
+      task-runner:
+        image:
+          pullSecrets:
+          - name: private-registry
+      migrations:
+        image:
+          pullSecrets:
+          - name: private-registry
+      webservice:
+        image:
+          pullSecrets:
+          - name: private-registry 
+        workhorse:
+          pullSecrets:
+          - name: private-registry 
+      sidekiq:
+        image:
+          pullSecrets:
+          - name: private-registry
+      gitaly:
+        image:
+          pullSecrets:
+          - name: private-registry
+      gitlab-shell:
+        image:
+          pullSecrets:
+          - name: private-registry
+      gitlab-exporter:
+        image:
+          pullSecrets:
+          - name: private-registry
+    minio:
+      pullSecrets:
+      - name: private-registry
+    {{- end }}
+    global:
+      hosts:
+        domain: code.{{ .Values.hostname }}
+        gitlab:
+          name: code.{{ .Values.hostname }}
+        registry:
+          name: registry.{{ .Values.hostname }}
+{{- if ( include "imagePullSecret" . ) }}
+      ## values for image pull secrets
+      certificates:
+        image:
+          pullSecrets:
+          - name: private-registry
+      kubectl:
+        image:
+          pullSecrets:
+          - name: private-registry
+      {{ end }}
+
+  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.monitoring.enabled }}
+  dependsOn:
+  {{- if .Values.gatekeeper.enabled }}
+  - name: gatekeeper
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.istio.enabled }}
+  - name: istio
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.monitoring.enabled }}
+  - name: monitoring
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/gitlab/namespace.yaml
+++ b/chart/templates/gitlab/namespace.yaml
+{{- if .Values.addons.gitlab.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: gitlab
+  name: gitlab
+---
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: gitlab
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/istio/controlplane/namespace.yaml
+++ b/chart/templates/istio/controlplane/namespace.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: istio-system
-
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 ---
 apiVersion: v1
 kind: Secret

--- a/chart/templates/istio/operator/namespace.yaml
+++ b/chart/templates/istio/operator/namespace.yaml
@@ -6,8 +6,7 @@ metadata:
  labels:
    istio-operator-managed: Reconcile
    istio-injection: disabled
-
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 ---
 apiVersion: v1
 kind: Secret

--- a/chart/templates/logging/eck-operator/namespace.yaml
+++ b/chart/templates/logging/eck-operator/namespace.yaml
@@ -5,7 +5,7 @@ metadata:
  name: eck-operator

 ---
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/logging/elasticsearch-kibana/namespace.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
@@ -4,13 +4,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: logging
-  {{- if .Values.istio.enabled }}
-  labels:
-    istio-injection: enabled
-  {{- end}}
-
 ---
-  {{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/monitoring/namespace.yaml
+++ b/chart/templates/monitoring/namespace.yaml
@@ -3,9 +3,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
-
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
 ---
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/twistlock/namespace.yaml
+++ b/chart/templates/twistlock/namespace.yaml
@@ -3,9 +3,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: twistlock
-
-{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
 ---
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/chart/templates/values.yaml
+++ b/chart/templates/values.yaml
@@ -29,4 +29,6 @@ stringData:
 {{ toYaml .Values.twistlock.values | indent 4 }} 
  clusterauditor.yaml: |
 {{ toYaml .Values.twistlock.values | indent 4 }}
+  gitlab.yaml: |
+{{ toYaml .Values.addons.gitlab.values | indent 4 }}
 data:
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -4,13 +4,28 @@ hostname: bigbang.dev
 # TODO: All this does right now is toggle GitRepositories, it is _not_ fully functional
 offline: false

-# Registry credentials to use from pulling images from private registry, will create an appropriate imagePullSecret in all relevant namespaces
+# Regisitires can be an explicit map of registries as provided here
 registryCredentials:
  registry: registry1.dsop.io
  username: ""
  password: ""
  email: ""

+# Or a list of registires:
+# registryCredentials:
+# - registry: registry1.dsop.io
+#   username: user.name
+#   password: user-secret
+#   email: xxx@xxx.xxx
+# - registry: registry1.dso.mil
+#   username: user.name
+#   password: user-secret
+#   email: xxx@xxx.xxx
+# - registry: registry.dso.mil
+#   username: user.name
+#   password: user-secret
+#   email: xxx@xxx.xxx
+
 # Global git values
 # Order of precedence is:
 #   1. existingSecret
@@ -39,7 +54,7 @@ flux:
  upgrade:
    retries: 3
  rollback:
-    timeout: 5m
+    timeout: 10m
    cleanupOnFail: true

 # ----------------------------------------------------------------------------------------------------------------------
@@ -152,5 +167,12 @@ addons:
    git:
      repo: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git
      path: "./chart"
-      tag: "0.1.4-bb.0"
-    values: {}
\ No newline at end of file
+      tag: "0.1.6-bb.0"
+    values: {}
+
+  gitlab:
+    enabled: false
+    git:
+      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
+      path: "./chart"
+      tag: "4.2.0-bb.1"