Commit 6bb4d74a authored by kevin.wilder

Merge branch 'release-1.8.0-cherry-pick' into 'master'

Release 1.8.0

See merge request platform-one/big-bang/bigbang!494
parents d6df22c5 37d2d6c0
1 merge request: !494 Release 1.8.0
Pipeline #275450 passed
......@@ -3,6 +3,44 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
## [1.8.0]
* [!447](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/447): Sonarqube upgrade app version 8.7.1 chart version 9.2.6-bb.8
* [!406](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/406): Authservice Support For Non Keycloak OIDC Endpoints
* [!459](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/459): Gitlab update to fix monitoring
* [!463](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/463),[!480](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/480): update codeowners
* [!462](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/462): Document GitLab package architecture in charter
* [!453](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/453): Set Global Timeout for Flux & Allow for HelmRelease Flux Settings to be Populated via Values File
* [!466](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/466): Updating name for kiali oidc secret secret
* [!465](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/465): Mattermost update app version 5.34.2 chart version 0.1.5-bb.0
* [!467](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/467): update changelog for release 1.7.0
* [!468](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/468): Modify continuous integration (CI) pipeline script execution
* [!474](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/474): Update twistlock app version 21.04.412 chart version 0.0.4-bb.0
* [!464](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/464): Documentation updates
* [!475](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/475): Anchore upgrade app version 0.9.3 chart version 1.12.13-bb.0
* [!430](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/430): Charter update for istio architecture
* [!451](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/451),[!481](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/481),[!482](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/482): Breakout secrets into individual files in Package templates
* [!417](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/417): update Kibana
* [!350](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/350): Authservice Redirect URLs dont respect virtual service name overrides
* [!485](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/485): ArgoCD upgrade app version 1.8.4 chart version 2.14.7-bb.5
* [!476](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/476): Charter documentation updates
* [!134](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/134),[!489](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/489): BETA release of Keycloak app version 13.0.0 helm chart version 11.0.0
* [!342](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/342): Upgrade elasticsearch-kibana package app version 7.10.x chart version 0.1.11-bb.0
* [!457](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/457): Add labels to authservice namespace in compliance with charter
### Upgrade Notices
* Release 1.8.0 upgrades Elasticsearch and Kibana to 7.10 versions and if the [autoRollingUpgrade](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/#autorollingupgrade) job does not complete successfully or is interfered with it could cause ECK data loss. Please leave autoRollingUpgrade enabled and read [documentation](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/blob/main/docs/troubleshooting.md) to prepare for upgrade issues.
### Known Issues
* If the following error is seen on any helm releases ```scheme "" not supported``` try updating flux to latest ib images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
```bash
kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=<Your IronBank Username> --docker-password=<Your IronBank Personal Access Token> --docker-email=<Your E-mail Address> -n flux-system
curl https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/scripts/deploy/flux.yaml | kubectl apply -f -
```
* There is a [known issue](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/329) with Velero ability to restore PersistentVolumes.
## [1.7.0]
* [!453](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/453): Global Timeout for flux and allow for HR flux settings to be populated via values
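Review bot: In the 1.8.0 Known Issues workaround, the `curl` of `scripts/deploy/flux.yaml` piped into `kubectl apply -f -` fetches from `master`, so a cluster being brought to 1.8.0 applies whatever Flux manifest is on the branch at that moment rather than the one shipped with this release. Point the URL at the release tag, or tell users to apply `flux.yaml` from their checked-out copy of the tag. The `kubectl create secret docker-registry` line also takes the Iron Bank token as a `--docker-password` argument, which leaves it in shell history; a note suggesting the value be read from a variable or prompt would help. Smaller points: "kiali oidc secret secret" repeats a word, and !453, !462 and !463 are listed under both 1.8.0 and 1.7.0.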
......@@ -23,14 +61,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
* [!462](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/462): Document GitLab package architecture in charter
* [!463](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/463): Update CODEOWNERS
## Upgrade Notice
### Upgrade Notice
This release comes with a new version of Sonarqube which requires a manual database upgrade that can be easily done through the web interface. If you see a message stating Sonarqube is under maintenance go to the following url and click update database:
```
https://sonarqube.your.url/setup
```
After a few minutes you should be able to log back in.
## Known Issues
### Known Issues
If the following error is seen on any helm releases ```scheme "" not supported``` try updating flux to latest ib images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
```bash
kubectl create -n flux-system secret docker-registry private-registry --docker-server="https://registry1.dso.mil" --docker-username='<IB_Username>' --docker-password="<CLI_TOKEN>"
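Review bot: The registry-secret workaround for `scheme "" not supported` is now documented twice with different commands. The 1.7.0 text here passes `--docker-server="https://registry1.dso.mil"`, while the new 1.8.0 entry passes `--docker-server=registry1.dso.mil` and adds `--docker-email`. Use one form in both sections, or have the 1.7.0 section refer to the 1.8.0 entry, so readers do not have to guess which one is current.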
......
# bigbang
![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 1.8.0](https://img.shields.io/badge/Version-1.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
......@@ -106,7 +106,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
| logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` | |
| logging.git.path | string | `"./chart"` | |
| logging.git.tag | string | `"0.1.8-bb.0"` | |
| logging.git.tag | string | `"0.1.11-bb.0"` | |
| logging.flux | object | `{"timeout":"20m"}` | Flux reconciliation overrides specifically for the Logging (EFK) Package |
| logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
| logging.sso.client_id | string | `""` | Elasticsearch/Kibana OIDC client ID |
......@@ -148,14 +148,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| twistlock.enabled | bool | `true` | Toggle deployment of Twistlock. |
| twistlock.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git"` | |
| twistlock.git.path | string | `"./chart"` | |
| twistlock.git.tag | string | `"0.0.3-bb.3"` | |
| twistlock.git.tag | string | `"0.0.4-bb.0"` | |
| twistlock.flux | object | `{}` | Flux reconciliation overrides specifically for the Twistlock Package |
| twistlock.values | object | `{}` | Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git |
| twistlock.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
| addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` | |
| addons.argocd.git.path | string | `"./chart"` | |
| addons.argocd.git.tag | string | `"2.14.7-bb.3"` | |
| addons.argocd.git.tag | string | `"2.14.7-bb.5"` | |
| addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
| addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
| addons.argocd.sso.client_id | string | `""` | ArgoCD OIDC client ID |
......@@ -221,7 +221,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.sonarqube.enabled | bool | `false` | Toggle deployment of SonarQube. |
| addons.sonarqube.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git"` | |
| addons.sonarqube.git.path | string | `"./chart"` | |
| addons.sonarqube.git.tag | string | `"9.2.6-bb.8"` | |
| addons.sonarqube.git.tag | string | `"9.2.6-bb.9"` | |
| addons.sonarqube.flux | object | `{}` | Flux reconciliation overrides specifically for the Sonarqube Package |
| addons.sonarqube.sso.enabled | bool | `false` | Toggle OIDC SSO for SonarQube. Enabling this option will auto-create any required secrets. |
| addons.sonarqube.sso.client_id | string | `""` | SonarQube OIDC client ID |
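Review bot: The new `addons.sonarqube.git.tag` default is `9.2.6-bb.9`, but the 1.8.0 changelog entry for !447 says "chart version 9.2.6-bb.8", which is the value being replaced here. Either the changelog line should read 9.2.6-bb.9 or the merge request that moved the tag to bb.9 is missing from the 1.8.0 list.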
......@@ -248,7 +248,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.anchore.enabled | bool | `false` | Toggle deployment of Anchore. |
| addons.anchore.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git"` | |
| addons.anchore.git.path | string | `"./chart"` | |
| addons.anchore.git.tag | string | `"1.12.7-bb.2"` | |
| addons.anchore.git.tag | string | `"1.12.13-bb.0"` | |
| addons.anchore.flux | object | `{"upgrade":{"disableWait":true}}` | Flux reconciliation overrides specifically for the Anchore Package |
| addons.anchore.adminPassword | string | `""` | Initial admin password used to authenticate to Anchore. |
| addons.anchore.enterprise | object | `{"enabled":false,"licenseYaml":"FULL LICENSE\n"}` | Anchore Enterprise functionality. |
......@@ -265,6 +265,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.anchore.database.feeds_database | string | `""` | Feeds database name to connect to on host (Note: feeds database name CANNOT contain hyphens). Only required for enterprise edition of anchore. By default, feeds database will be configured with the same username and password as the main database. For formatting examples on how to use a separate username and password for the feeds database see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#handling-dependencies |
| addons.anchore.redis.host | string | `""` | Hostname of a pre-existing Redis to use for Anchore Enterprise. Entering connection info will enable external redis and will auto-create any required secrets. Anchore only requires redis for enterprise deployments and will not provision an instance if using external |
| addons.anchore.redis.port | string | `""` | Port of a pre-existing Redis to use for Anchore Enterprise. |
| addons.anchore.redis.username | string | `""` | OPTIONAL: Username to connect to a pre-existing Redis (for password-only auth leave empty) |
| addons.anchore.redis.password | string | `""` | Password to connect to pre-existing Redis. |
| addons.anchore.values | object | `{}` | Values to passthrough to the anchore chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git |
| addons.anchore.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
......@@ -278,7 +279,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
| addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` | |
| addons.mattermost.git.path | string | `"./chart"` | |
| addons.mattermost.git.tag | string | `"0.1.4-bb.0"` | |
| addons.mattermost.git.tag | string | `"0.1.5-bb.0"` | |
| addons.mattermost.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Package |
| addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
| addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise. This must be accompanied by a valid license unless you plan to start a trial post-install. |
......@@ -310,19 +311,19 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
| addons.velero.values | object | `{"plugins":[]}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
| addons.velero.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak |
| addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` | Git repo for Keycloak Helm chart |
| addons.keycloak.git.path | string | `"./chart"` | Path to helm chart in Git repository |
| addons.keycloak.git.tag | string | `"x.x.x-bb.x"` | Git tag for Helm chart |
| addons.keycloak.ingress.key | string | `-----BEGIN PRIVATE KEY-----...` | Private certificate key for Keycloak |
| addons.keycloak.ingress.cert | string | `-----BEGIN CERTIFICATE-----...` | TLS certificate for Keycloak |
| addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
| addons.keycloak.database.type | string | `postgres` | Specifies the database type (e.g. `postgres`, `mysql`) |
| addons.keycloak.database.port | string | `""` | Port of a pre-existing database to use. |
| addons.keycloak.database.database | string | `""` | Database name to connect (Note: database name CANNOT contain hyphens). |
| addons.keycloak.database.username | string | `""` | Username for access to the external database, the user must have all privileges on the database. |
| addons.keycloak.database.password | string | `""` | Password for the username for access to the external database. |
| addons.keycloak.values | map | `{}` | Additional values to pass through to the Keycloak Helm chart |
| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak. |
| addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` | |
| addons.keycloak.git.path | string | `"./chart"` | |
| addons.keycloak.git.tag | string | `"11.0.0-bb.0"` | |
| addons.keycloak.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the certificate for exposing Keycloak |
| addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use for Keycloak. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
| addons.keycloak.database.type | string | `"postgres"` | Pre-existing database type (e.g. postgres) to use for Keycloak. |
| addons.keycloak.database.port | int | `5432` | Port of a pre-existing database to use for Keycloak. |
| addons.keycloak.database.database | string | `""` | Database name to connect to on host. |
| addons.keycloak.database.username | string | `""` | Username to connect as to external database, the user must have all privileges on the database. |
| addons.keycloak.database.password | string | `""` | Database password for the username used to connect to the existing database. |
| addons.keycloak.flux | object | `{}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
| addons.keycloak.values | object | `{}` | Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git |
## Contributing
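Review bot: The description for `addons.keycloak.flux` reads "Flux reconciliation overrides specifically for the OPA Gatekeeper Package", which looks copied from another package; it should name Keycloak. In the same block, the rewritten `addons.keycloak.database.database` description drops the earlier note that the database name cannot contain hyphens; if that restriction still applies, keep it, as the Anchore `feeds_database` row does. Also worth confirming that `addons.keycloak.database.port` is meant to be an `int` with default `5432` when the Anchore Redis port row in this table is a `string` defaulting to `""`.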
......
......@@ -11,4 +11,4 @@ spec:
interval: 10m
url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
ref:
tag: 1.7.0
tag: 1.8.0
apiVersion: v2
name: bigbang
version: 1.7.0
version: 1.8.0
description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
type: application
......
......@@ -44,5 +44,7 @@ source:
# gitlab-runner-helper image: This image does not get captured from the release deployment
# the gitlab-runner-helper image only gets pulled when a pipeline runs. So it must be listed here
- registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v13.9.0
# Explicily add Keycloak image because Keycloak is not enabled in pipelines so the imaeg does not get pulled
- registry.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/keycloak-ib:13.0.0-1.0.3
# Don't include until fortify is supported
#- registry.il2.dso.mil/platform-one/devops/pipeline-templates/pipeline-job/dotnet-fortify:20.2.0
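Review bot: The added comment above the Keycloak image has two typos, "Explicily" and "imaeg"; it should read "Explicitly add Keycloak image because Keycloak is not enabled in pipelines so the image does not get pulled". The image itself is listed from `registry.dso.mil/platform-one/...` while the neighbouring gitlab-runner-helper entry comes from `registry1.dso.mil/ironbank/...`; if that is intentional for the BETA Keycloak release, say so in the comment so the different registry is not mistaken for a typo of `registry1`.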