From d29756c5a480b83881a4a7d1a58f34d6847a7fb0 Mon Sep 17 00:00:00 2001 From: Ryan Thompson <ryan.thompson.44@us.af.mil> Date: Thu, 10 Aug 2023 15:01:01 +0000 Subject: [PATCH] Big Bang Documentation Clean Up --- docs/README.md | 12 +++- docs/understanding-bigbang/README.md | 68 +++++-------------- .../concepts/git-ops-engine.md | 6 +- .../concepts/glossary.md | 8 +-- docs/understanding-bigbang/licensing-model.md | 50 +++++++------- 5 files changed, 59 insertions(+), 85 deletions(-) diff --git a/docs/README.md b/docs/README.md index 3c396aff75..8b5b53174b 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -18,10 +18,16 @@ * Big Bang by itself is not intended to be an End to End Secure Kubernetes Cluster Solution, but rather a reusable secure component/piece of a full solution. * A Secure Kubernetes Cluster Solution, will have multiple components, that can each be swappable and in some cases considered optional depending on use case and risk tolerance: Example of some potential components in a full End to End Solution: - * P1's Cloud Native Access Point to protect ingress traffic. (This can be swapped with an equivalent, or considered optional in an internet disconnected setup.) + * Ingress traffic protection + * Platform One's Cloud Native Access Point (CNAP) is one solution. + * CNAP can be swapped with an equivalent, or considered optional in an internet disconnected setup. * Hardened Host OS - * Hardened Kubernetes Distrobution and Cluster (Big Bang assumes ByoC, Bring your own Cluster) (The Big Bang team recommends consumers who are interested in a full solution, partner with vendors of Kubernetes Distributions to satisfy the prerequisite of a Hardened Kubernetes Cluster.) - * Hardened Applications running on the Cluster (Big Bang and Iron Bank helps solve this component) + * Hardened Kubernetes Cluster + * Big Bang assumes Bring your own Cluster (BYOC) + * The Big Bang team recommends consumers who are interested in a full solution, partner with Vendors of Kubernetes Distributions to satisfy the prerequisite of a Hardened Kubernetes Cluster. + * Hardened Applications running on the Cluster + * Iron Bank provides hardened containers that helps solve this component. + * Big Bang utilizes the hardened containers in Iron Bank. ## Benefits of using Big Bang diff --git a/docs/understanding-bigbang/README.md b/docs/understanding-bigbang/README.md index b4081c7a96..3c6ec68aa2 100644 --- a/docs/understanding-bigbang/README.md +++ b/docs/understanding-bigbang/README.md 
@@ -1,47 +1,10 @@ # Useful Background Contextual Information -## The purpose of this section is to help consumers of BigBang understand +Start with the [Documentation README](../README.md), which includes the following sections: -* BigBang's scope: what it is and isn't, goals and non-goals -* The value add gained by using BigBang -* What to expect in terms of prerequisites for those interested in using BigBang -* Help those who want a deep drive concrete understanding of BigBang quickly come up to speed, via pre-reading materials, that can act as a self service new user orientation to point out features and nuances that new users wouldn't know to ask about. - -## BigBang's scope: what it is and isn't, goals and non-goals - -### What BigBang is - -* BigBang is a Helm Chart that is used to deploy a DevSecOps Platform composed of IronBank hardened container images on a Kubernetes Cluster. -* See [/docs/README.md](../README.md#what-is-bigbang?) more details. - -### What BigBang isn't - -* BigBang by itself is not intended to be an End to End Secure Kubernetes Cluster Solution, but rather a reusable secure component/piece of a full solution. -* A Secure Kubernetes Cluster Solution, will have multiple components, that can each be swappable and in some cases considered optional depending on use case and risk tolerance: - Example of some potential components in a full End to End Solution: - * P1's Cloud Native Access Point to protect Ingress Traffic. (This can be swapped with an equivalent, or considered optional in an internet disconnected setup.) - * Hardened Host OS - * Hardened Kubernetes Cluster (BigBang assumes ByoC, Bring your own Cluster) (The BigBang team recommends consumers who are interested in a full solution, partner with Vendors of Kubernetes Distributions to satisfy the prerequisite of a Hardened Kubernetes Cluster.) 
- * Hardened Applications running on the Cluster (BigBang helps solve this component) - -## Value add gained by using BigBang - -* Compliant with the [DoD DevSecOps Reference Architecture Design](https://dodcio.defense.gov/Portals/0/Documents/Library/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20-%20CNCF%20Kubernetes%20w-DD1910_cleared_20211022.pdf) -* Can be used to check some but not all of the boxes needed to achieve a cATO (Continuous Authority to Operate.) -* Uses hardened IronBank Container Images. (left shifted security concern) -* GitOps adds security benefits, and BigBang leverages GitOps, and can be further extended using GitOps. - Security Benefits of GitOps: - * Prevents config drift between state of a live cluster and IaC/CaC source of truth: By avoiding giving any humans direct kubectl access, by only allowing humans to deploy via git commits, out of band changes are limited. - * Git Repo based deployments create an audit trail. - * Secure Configurations become reusable, which lowers the burden of implementing secure configurations. -* Lowers maintainability overhead involved in keeping the images of the DevSecOps Platform's up to date and maintaining a secure posture over the long term. This is achieved by pairing the GitOps pattern with the Umbrella Helm Chart Pattern. - Let's walk through an example: - * Initially a kustomization.yaml file in a git repo will tell the Flux GitOps operator (software deployment bot running in the cluster), to deploy version 1.0.0 of BigBang. BigBang could deploy 10 helm charts. And each helm chart could deploy 10 images. (So BigBang is managing 100 container images in this example.) - * After a 2 week sprint version 1.1.0 of BigBang is released. A BigBang consumer updates the kustomization.yaml file in their git repo to point to version 1.1.0 of the BigBang Helm Chart. That triggers an update of 10 helm charts to a new version of the helm chart. 
Each updated helm chart will point to newer versions of the container images managed by the helm chart. - * So when the end user edits the version of 1 kustomization.yaml file, that triggers a chain reaction that updates 100 container images. - * These upgrades are pre-tested. The BigBang team "eats our own dogfood". Our CI jobs for developing the BigBang product, run against a BigBang dogfood Cluster, and as part of our release process we upgrade our dogfood cluster, before publishing each release. (Note: We don't test upgrades that skip multiple minor versions.) - * Auto updates are also possible by setting kustomization.yaml to 1.x.x, because BigBang follows semantic versioning, flux is smart enough to read x as the most recent version number. -* DoD Software Developers get a Developer User Experience of "SSO for free". Instead of developers coding SSO support 10 times for 10 apps. The complexity of SSO support is baked into the platform, and after an Ops team correctly configures the Platform's SSO settings, SSO works for all apps hosted on the platform. The developer's user experience for enabling SSO for their app then becomes as simple as adding the label istio-injection=enabled (which transparently injects mTLS service mesh protection into their application's Kubernetes YAML manifest) and adding the label protect=keycloak to each pod, which leverages an EnvoyFilter CustomResource to auto inject an SSO Authentication Proxy in front of the data path to get to their application. +* [What is Big Bang](../README.md#what-is-big-bang) +* [What Big Bang is not](../README.md#what-big-bang-isnt) +* [Benefits of Big Bang](../README.md#benefits-of-using-big-bang) ## Acronyms 
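Review bot: This hunk deletes roughly 40 lines of substantive content from docs/understanding-bigbang/README.md and replaces them with three links into ../README.md, but the only change this patch makes to docs/README.md (the first hunk) does not add any of that material. Before merging, confirm that the following points from the removed text already exist in docs/README.md or are moved there in this patch, otherwise they are lost: the GitOps security benefits (no direct kubectl access for humans, audit trail from git history, reusable secure configuration), the umbrella-chart upgrade walk-through, the caveat that upgrades skipping multiple minor versions are not tested, the `1.x.x` semver auto-update behaviour in kustomization.yaml, and the `istio-injection=enabled` / `protect=keycloak` label workflow that gives an app mTLS and an SSO authentication proxy via the EnvoyFilter. That last item is the only place on this page that documents how a workload opts into the mesh and the SSO proxy. Also verify that the three new anchors (`#what-is-big-bang`, `#what-big-bang-isnt`, `#benefits-of-using-big-bang`) resolve: the removed link used `#what-is-bigbang?`, so the heading text in docs/README.md may not match the new slugs, and only `## Benefits of using Big Bang` is visible in this patch.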
@@ -50,6 +13,7 @@ * KMS: Key Management System / Encryption as a Service (AWS/GCP KMS, Azure Key Vault, HashiCorp Transient Secret Engine) * PGP: Pretty Good Privacy (Asymmetric Encryption Key Pair, where public key is used to encrypt, private key used to decrypt) * SOPS: "Secret Operations" CLI tool by Mozilla, leverages KMS or PGP to encrypt secrets in a Git Repo. (Flux and P1's modified ArgoCD can use SOPS to decrypt secrets stored in a Git Repo.) +* ATO: Authority to Operate * cATO: continuous Authority to Operate * AO: Authorizing Official (Government Official who determines OS and Kubernetes Cluster hardening requirements, that result in a level of acceptable remaining risk that they're willing to sign off on for a Kubernetes Cluster to receive an ATO, and a BigBang Cluster to receive a cATO) * IaC: Infrastructure as Code 
@@ -63,19 +27,21 @@ ## Additional Useful Background Contextual Information -* We are still migrating some docs from IL2 Confluence, and the BigBang Onboarding Engineering Cohort into to this repositories' /docs folder, the planned future state is for this to be a primary location for docs going forward. (Any docs hosted in other repositories, will at least have pointers hosted here.) -* There are multiple implementations of Helm Charts (Helm repositories, .tgz, and files and folders in a git repo), whenever P1 refers to a helm chart we're always referring to the files and folders in a git repo implementation, which is stored in /chart folder in a git repo. -* Additional pre-reading materials to develop a better understanding of BigBang before deploying can be found in this understanding_bigbang folder. -* If you see an issue with docs or packages, please [open an issue against the main BigBang Repo](https://repo1.dso.mil/big-bang/bigbang/-/issues), instead of the individual package repo. +* Big Bang utilizes Documents as Code stored in the main [Big Bang Repo](https://repo1.dso.mil/big-bang/bigbang/docs). For a better experience, the documentation can also be found on the [Big Bang Documentation Website](https://docs-bigbang.dso.mil). + * All locations use the same source code and will include pointers between them. +* There are multiple implementations of Helm Charts (Helm repositories, `.tgz`, and files and folders in a git repo), whenever Platform One refers to a helm chart, it always referring to the files and folders in a git repo implementation, which is stored in the `/chart` folder within a git repo. +* Additional pre-reading materials to develop a better understanding of Big Bang before deploying can be found in this `understanding_bigbang` section. +* If you see an issue with docs or packages, please [open an issue against the main Big Bang Repo](https://repo1.dso.mil/big-bang/bigbang/-/issues), instead of the individual package repo. 
## Note about Snippets of Architecture Diagrams in this folder * The intent of sharing Architecture Diagrams is to: - * Act as a starting point upon which further understanding can be built - * Improve a users understanding of how BigBang components fit together, so that if the user needs to modify components or workflows flows to fit their use case they'll have an idea of what the modification might look like - * Show potential use cases for some of BigBang's core components + * Act as a starting point upon which further understanding can be built. + * Improve a users understanding of how Big Bang components fit together. + * Provide insight on what it would take to modify components or workflows to fit specific use cases. + * Show potential use cases for some of BigBang's core components. * These Architecture Diagrams are NOT intended to: - * Reflect an accurate default configuration - * Prescriptively say you must do things this way + * Reflect an accurate default configuration. + * Prescriptively show the only possible solution of a Big Bang deployment * These Architecture Diagrams should be taken with a grain of salt: - It's difficult to make a generic diagram with high accuracy. BigBang's Helm Values are variables, some values can produce significantly different workflows. Nuances specific to the deployment environment and hardened configurations like SELinux & Istio CNI can slightly effect parts of implementation details. + It's difficult to make a generic diagram with high accuracy. Big Bang's Helm Values are variables, some values can produce significantly different workflows. Nuances specific to the deployment environment and hardened configurations like SELinux & Istio CNI can slightly effect parts of implementation details. diff --git a/docs/understanding-bigbang/concepts/git-ops-engine.md b/docs/understanding-bigbang/concepts/git-ops-engine.md index fa24b0f813..fc991c7443 100644 --- a/docs/understanding-bigbang/concepts/git-ops-engine.md 
+++ b/docs/understanding-bigbang/concepts/git-ops-engine.md @@ -6,9 +6,9 @@ Big Bang will be deployed and managed with [Flux 2](https://github.com/fluxcd/fl ### Big Bang and Flux -Big Bang is composed of several Open Source and licensed products. [Helm](https://helm.sh/), as a member of the [CNCF](https://www.cncf.io/), is the de facto standard for packaging applications for Kubernetes. As a result, several vendors support the release of their product **as helm charts** and have built their packaging and lifecycle management to expect to be the engine for driving that management. As a result, Big Bang has adopted Helm as its internal deployment framework for Big Bang packages and requires Helm to be treated as a first class citizen. +Big Bang is composed of Open Source and licensed products. [Helm](https://helm.sh/), as a member of the [CNCF](https://www.cncf.io/), is the de facto standard for packaging applications for Kubernetes. As a result, several vendors support the release of their product **as helm charts** and have built their packaging and lifecycle management to expect to be the engine for driving that management. As a result, Big Bang has adopted Helm as its internal deployment framework for Big Bang packages and requires Helm to be treated as a first class citizen. -The Flux2 Engine has native Helm support, meaning the controller deployed as part of "Flux 2" leverages the same Helm code as the CLI. +The Flux 2 Engine has native Helm support, meaning the controller deployed as part of "Flux 2" leverages the same Helm code as the CLI. ### Limitations of Argo 
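Review bot: The rewritten paragraph in docs/understanding-bigbang/concepts/git-ops-engine.md still carries the sentence `have built their packaging and lifecycle management to expect to be the engine for driving that management`, which is missing its subject; it should say `to expect Helm to be the engine`. Since the line is already being touched, fix it here, and consider dropping one of the two back-to-back `As a result` openers in the same paragraph.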
@@ -28,4 +28,4 @@ Argo requires all configuration options to be embedded into the ApplicationCR. ## Argo Is Still A Package -As defined in the list of [Big Bang Packages](../../packages.md), Big Bang comes deployed with Argo for use by Mission applications to continue to deploy and manage their applications. Similarly, even though Big Bang uses Helm internally for management of Big Bang packages, Big Bang does not advocate for Helm for use by applications run on clusters with Big Bang. +As defined in the list of [Big Bang Packages](../../packages.md), Big Bang comes deployed with Argo for use by mission applications to continue to deploy and manage their applications. Similarly, even though Big Bang uses Helm internally for management of Big Bang packages, Big Bang does not advocate for Helm for use by applications run on clusters with Big Bang. diff --git a/docs/understanding-bigbang/concepts/glossary.md b/docs/understanding-bigbang/concepts/glossary.md index abe7fb4092..acc95e9265 100644 --- a/docs/understanding-bigbang/concepts/glossary.md +++ b/docs/understanding-bigbang/concepts/glossary.md 
@@ -74,13 +74,13 @@ The diagram below shows a typical deployment of Big Bang into a Kubernetes clust 1. With everything in Git, the user can [deploy BigBang](./deployment.md) using a Kubernetes manifest. 1. The manifest holds two Flux resources, one pointing to the Git repository holding the custom environment, and one telling Flux to run Kustomize on a targeted folder within the repo. 1. The repository is reconciled first, pulling the files from Git. - 1. Next, Kustomize is run on the environment configuration + 1. Next, Kustomize is run on the environment configuration. 1. The Kustomize files use Big Bang's Git repo as a base before applying overlays and patches for the configuration. - 1. Flux uses SOPS to decrypt any secrets before deploying the manifests - 1. After completing the Kustomization process, Flux deploys two ConfigMaps, two Secrets, and flux resources for Big Bang + 1. Flux uses SOPS to decrypt any secrets before deploying the manifests. + 1. After completing the Kustomization process, Flux deploys two ConfigMaps, two Secrets, and flux resources for Big Bang. 1. Big Bang's flux resources include a Git repository holding the Helm chart and a Helm Release resource that tells Flux how to deploy the Helm chart. 1. The repository is reconciled first, pulling the Helm chart from Git. - 1. The Helm Release will check for the Helm chart and the Secrets / ConfigMaps deployed before performing a Helm install + 1. The Helm Release will check for the Helm chart and the Secrets / ConfigMaps deployed before performing a Helm install. 1. Once the Helm release deploys the Helm chart for Big Bang, each package that is enabled will have a Flux Git Repository and Helm Release resource deployed. 1. All of the package Git repositories containing Helm charts will be pulled so that Flux can reconcile dependencies. 1. Each package's Helm Release has dependencies built in. 
Flux will reconcile these dependencies and deploy the Helm chart for the package once all of the dependencies are ready. diff --git a/docs/understanding-bigbang/licensing-model.md b/docs/understanding-bigbang/licensing-model.md index d0cdb12717..449d454ed2 100644 --- a/docs/understanding-bigbang/licensing-model.md +++ b/docs/understanding-bigbang/licensing-model.md 
@@ -1,41 +1,43 @@ -# BigBang Licensing Model Overview +# Big Bang Licensing Model Overview -While BigBang is open source and free to use, the same cannot be said of its components. The licensing requirements of components requires a nuanced explanation. The intent of this document is to be a self service resource to help consumers of BigBang make an informed decision regarding licenses they may need to successfully deploy an ATO'able DevSecOps Platform using BigBang. +While Big Bang is open source and free to use, the same cannot be said of its components. The licensing requirements of components requires a nuanced explanation. The intent of this document is to be a self service resource to help consumers of Big Bang make an informed decision regarding licenses they may need to successfully deploy an ATO'able DevSecOps Platform using Big Bang. -## What Licenses Do I Need for Bigbang? +## What Licenses Do I Need for Big Bang? -There are two issues that make it difficult to figure out BigBang's license requirements: +There are two issues that make it difficult to figure out Big Bang's license requirements: -1. The modular (and in some cases swappable) componentized nature of BigBang means choices affect license requirements. OS, Kubernetes Distribution, and Application decisions need to be made before license requirements can be sorted out. +1. The modular (and in some cases swappable) componentized nature of Big Bang means choices affect license requirements. OS, Kubernetes Distribution, and Application decisions need to be made before license requirements can be sorted out. 1. Freemium applications often require a license to unlock features like HA (High Availability), advanced SSO functionality with authn, authz, and audit logging of federated users, or advanced compliance controls like FIPS 140-2 mode, compliance reporting, or audit logs. ## What Components Could Have Licenses? -1. 
OS / CSP(Cloud Service Providers) VM Images - * RHEL requires a subscription and comes with vendor support - * CSPs often offer licensed VM Images at additional per hour cost, these add features like offloading STIG/CIS OS hardening +1. OS / CSP(Cloud Service Providers) VM Images: + * RHEL requires a subscription and comes with vendor support. + * CSPs often offer licensed VM Images at additional per hour cost, these add features like offloading STIG/CIS OS hardening. * Several free Linux OS Distributions exist, including Ubuntu and free RHEL alternatives like Amazon Linux 2 and others. There are also tools like [openscap](https://www.open-scap.org/), which has ansible and bash scripts to automate STIG/CIS benchmark compliance for OS security to help automate DIY hardening of the OS. -1. Kubernetes Distributions - * RedHat OpenShift, VMware TKG, and D2IQ Konvoy each require a license, that comes with support and additional features, they each offer 30-90 day trial licenses +1. Kubernetes Distributions: + * RedHat OpenShift, VMware TKG, and D2IQ Konvoy each require a license, that comes with support and additional features, they each offer 30-90 day trial licenses. * There are free options like kubeadm, k0s, k3s, RKE2, talos-systems, and many other CNCF compliant distributions. * k0s, RKE2, and talos-systems are free options with optional paid Vendor Support. -1. BigBang's Core Applications: - * Many of the core applications are free open source software - * Twistlock is a core component that requires a license - * ElasticSearch is a core component that requires a license to unlock additional features, that could be considered required in some cases (more on this nuance below.) - * Although BigBang is free, support can be purchased. -1. BigBang's AddOn Applications: +1. Big Bang's Core Applications: + * Many of the core applications are free open source software. + * The default deployment of Big Bang does not require any licenses. 
+ * Twistlock is a core component that requires a license. + * ElasticSearch is a core component that requires a license to unlock additional features, that could be considered required in some cases (more on this nuance below). +1. Big Bang's Supported AddOn Applications: * Also include a mix of free, freemium, and licensed products. +1. Big Bang Integration Support: + * Big Bang is free, but support tiers are available for purchase through Platform One. ## Who Purchases the Licenses? -Licensing of products deployable by BigBang are not covered by the BigBang team. As a general rule of thumb the acquisition of licenses is the responsibility of the end-user's organization, and product vendors should be contacted for support of their respective products. (PartyBus is an example of an exception to the rule of thumb.) +Licensing of products deployable by Big Bang are not covered by Big Bang or Platform One. As a general rule of thumb the acquisition of licenses is the responsibility of the end-user's organization, and product vendors should be contacted for support of their respective products. (Party Bus is an example of an exception to the rule of thumb.) ## Who Decides If a Licenced Feature in a Freemium Application Is a Hard Requirement? -* The Consumer of BigBang, their security team, and their AO (Authorizing official) need to decide if licensed features constitute a hard requirement or if free tier functionality can be considered at lower impact levels or unique use cases. -* In most cases licenses will be required due to Security Controls only being available in the fully licensed version; however, users may be able to hold off on licensed versions for non-ATO'd proof of concept deployments or risk acceptance by an AO for unique scenarios. -* Even if there isn't a hard requirement for a license (like in the case of a Kubernetes Cluster), consumers of BigBang may still want to consider purchasing licenses or support contracts. 
+* The Consumer of Big Bang, their security team, and their AO (Authorizing Official) need to decide if licensed features constitute a hard requirement or if free tier functionality can be considered at lower impact levels or unique use cases. +* In most cases licenses will be required due to security controls only being available in the fully licensed version; however, users may be able to hold off on licensed versions for non-ATO'd proof of concept deployments or risk acceptance by an AO for unique scenarios. +* Even without a hard requirement for a license (like in the case of a Kubernetes Cluster), consumers of Big Bang may still want to consider purchasing licenses or support contracts. ## Table to Help Elaborate on Nuances of Application Licensing 
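Review bot: In the licensing-model.md hunk, the new bullet `* The default deployment of Big Bang does not require any licenses.` sits directly above `* Twistlock is a core component that requires a license.` in the same list, and the table further down states in bold that a Prisma Cloud license is required for an ATO'd cluster. As written the two bullets contradict each other. If the intended claim is that Twistlock (and the Elastic enterprise features) are disabled by default, say so explicitly, e.g. `The default values do not enable any component that needs a license; enabling Twistlock requires a Prisma Cloud Compute license`; otherwise drop the bullet. Also in this hunk: `Licensing of products deployable by Big Bang are not covered` should be `is not covered`, and the heading `Who Decides If a Licenced Feature` uses the British spelling while the rest of the document uses `License`/`Licensing`.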
@@ -50,7 +52,7 @@ Licensing of products deployable by BigBang are not covered by the BigBang team. | Fluentbit | Log Shipper (Core App) | Apache License 2.0 (Free/OSS) | | | ECK (Elastic Cloud on Kubernetes) (ElasticSearch and Kibana) | Log Storage and Log Dashboard (Core App) | [Elastic License](https://github.com/elastic/cloud-on-k8s/blob/master/LICENSE.txt) (Freemium) | **Enterprise features of note:** Kibana SSO, authn, authz, FIPS 140-2 mode, audit logging require an enterprise tier license. **Free tier notes:** BigBang's Authservice/Authentication Proxy could be put in front of Kibana to achieve basic SSO with all or nothing access. PartyBus uses licensed ElasticSearch <https://www.elastic.co/subscriptions> [licensing](package-architecture/elasticsearch-kibana.md#licensing) | | Cluster Auditor | Collects OPA GK events and sends them to ElasticSearch for Review (Core App) | Apache License 2.0 (Free/OSS) | | -| Twistlock / Prisma Cloud | Runtime Security, Security Dashboard, Intrusion Prevention (Core App) | Prisma Cloud Compute License (Paid Product that requiring a license) | **Prisma Cloud License is required for an ATO'd cluster.** [Considering investigating alternatives](https://repo1.dso.mil/groups/platform-one/big-bang/-/epics/74) Licenses are sold per node. Each defender on a node uses 7 credits and the credits are purchased in bundles of 100 credits. 
<https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welcome/licensing> <https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-edition-admin/install/install_kubernetes.html> [licensing](package-architecture/twistlock.md#licensing) | +| Twistlock / Prisma Cloud Compute | Runtime Security, Security Dashboard, Intrusion Prevention (Core App) | Prisma Cloud Compute License (Paid Product that requiring a license) | **Prisma Cloud License is required for an ATO'd cluster.** [Considering investigating alternatives](https://repo1.dso.mil/groups/platform-one/big-bang/-/epics/74) Licenses are sold per node. Each defender on a node uses 7 credits and the credits are purchased in bundles of 100 credits. <https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welcome/licensing> <https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-edition-admin/install/install_kubernetes.html> [licensing](package-architecture/twistlock.md#licensing) | | ArgoCD | GitOps (AddOn App) | Apache License 2.0 (Free/OSS) | | | Velero | Backup and Recovery of Persistent Volumes (AddOn App) | Apache License 2.0 (Free/OSS) | | | Keycloak | SSO (Single Sign On) and Federated Authn. (AddOn App) | Apache License 2.0 (Free/OSS) | | 
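Review bot: The reworded Twistlock row in the licensing table keeps `Prisma Cloud Compute License (Paid Product that requiring a license)`; since the row is being edited anyway, change it to `that requires a license`. The same row still links to the `20-09` Prisma Cloud Compute install guide, which is an old release; point at the current install page next to the licensing page, or drop the versioned link.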
@@ -58,8 +60,8 @@ Licensing of products deployable by BigBang are not covered by the BigBang team. | Mattermost, Mattermost Operator | Self Hosted Chat (AddOn App) | [Mattermost is comprised of Multiple Licenses](<https://mattermost.org/licensing/>) | **Enterprise features of note:** HA, Additional SSO options, prometheus metrics integration, Elasticsearch integration to optimize searching/indexing, Compliance Reporting, Audit Logs, Advanced roles and permissions. **Free tier notes:** A non-HA deployment can quickly auto heal thanks to Kubernetes, the free tier can use Gitlab or P1's Keycloak implementation for Federated SSO. (MM Plugins don't need the paid version, but the need a single node instance or the paid HA for cluster awareness to prevent duplicate triggering of functions.) PartyBus uses the Enterprise E20 licensed version. [licensing](package-architecture/mattermost.md#licensing) <https://mattermost.org/licensing/> <https://mattermost.com/pricing-self-managed/> | | Minio, Minio Operator | Self Hosted S3 API compatible object storage (AddOn App) | Affero General Public License Version 3 (Free/OSS) | Commercial Support is Available: <https://min.io/pricing> | | Nexus | Generic Artifact Repository (AddOn App) | Nexus Repository OSS: Eclipse Public License v1.0 Nexus Repository Pro: Paid Licensed product | **Enterprise features of note:** HA, SAML SSO, Auth Token Support **Free tier notes:** A non-HA deployment can quickly auto heal thanks to Kubernetes, AWS S3 blob storage. 
<https://www.sonatype.com/products/repository-oss-vs-pro-features> <https://www.sonatype.com/products/pricing> | -| Gitlab, Gitlab Runners | GitRepo, Container Registry, and CICD Software Factory (AddOn App) | Gitlab Community Edition: MIT Expat license Gitlab Enterprise Edition: (multiple tiers) | **Premium features of note:** Release Controls, Project Management **Ultimate features of note:** Unlimited Guest Users, Advanced Security Testing (Note this functionality comes from container images that may not yet be in IronBank) **Free tier notes:** Free tier is fine for Proof of Concepts, but the Release Controls in Premium tier contain security controls that would be necessary for a cATO pipeline. PartyBus has multiple instances of Gitlab, most use Premium, a few use Ultimate. PartyBus's Gitlab pipelines integrate with additional licensed apps: Twistlock, Anchore, [Fortify](https://repo1.dso.mil/big-bang/apps/third-party/fortify), [SD Elements](https://www.securitycompass.com/sdelements/), and others. (This is offered as a data point, it doesn't mean these are required for a cATO pipeline, the Consumer of BigBang's AO makes that call.) <https://about.gitlab.com/pricing/#self-managed> <https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master#editions> | -| SonarQube Community Edition | Static Code Analysis (AddOn App) | SonarQube CE: GNU Lesser GPL License v3 (Community Edition is Free/OSS) | An Enterprise Edition Exists, but is not bundled by BigBang | -| Anchore Enterprise Edition* | Vulnerability Scanner (AddOn App) | Anchore Enterprise Edition (Paid/Licensed) Anchore OpenSource Edition Apache License 2.0 (Free/OSS) | **Licensed features of note:** Proprietary Vulnerability Data Feeds for increased accuracy, NIST 800-190, Docker CIS Compliance, DoD container Policy Compliance, cATO Capable, RBAC, SSO **Free tier notes:** BigBang's values file can be set to deploy the OSS version for Proof of Concept deployments. 
PartyBus and other Platform One services use the licensed version <https://docs.anchore.com/3.0/docs/faq/#2> <https://anchore.com/pricing/> [licensing](package-architecture/anchore.md#licensing) <https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise/-/blob/main/docs/CHART.md#adding-enterprise-components> | +| Gitlab, Gitlab Runners | GitRepo, Container Registry, and CICD Software Factory (AddOn App) | Gitlab Community Edition: MIT Expat license Gitlab Enterprise Edition: (multiple tiers) | **Premium features of note:** Release Controls, Project Management **Ultimate features of note:** Unlimited Guest Users, Advanced Security Testing (Note this functionality comes from container images that may not yet be in Iron Bank) **Free tier notes:** Free tier is fine for Proof of Concepts, but the Release Controls in Premium tier contain security controls that would be necessary for a cATO pipeline. Party Bus has multiple instances of Gitlab, most use Premium, a few use Ultimate. Party Bus's Gitlab pipelines integrate with additional licensed apps: Twistlock, Anchore, [Fortify](https://repo1.dso.mil/big-bang/apps/third-party/fortify), [SD Elements](https://www.securitycompass.com/sdelements/), and others. (This is offered as a data point, it doesn't mean these are required for a cATO pipeline, the Consumer of Big Bang's AO makes that call.) 
<https://about.gitlab.com/pricing/#self-managed> <https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master#editions> | +| SonarQube Community Edition | Static Code Analysis (AddOn App) | SonarQube CE: GNU Lesser GPL License v3 (Community Edition is Free/OSS) | An Enterprise Edition Exists, but is not bundled by Big Bang | +| Anchore Enterprise Edition* | Vulnerability Scanner (AddOn App) | Anchore Enterprise Edition (Paid/Licensed) Anchore OpenSource Edition Apache License 2.0 (Free/OSS) | **Licensed features of note:** Proprietary Vulnerability Data Feeds for increased accuracy, NIST 800-190, Docker CIS Compliance, DoD container Policy Compliance, cATO Capable, RBAC, SSO **Free tier notes:** Big Bang's values file can be set to deploy the OSS version for Proof of Concept deployments. Party Bus and other Platform One services use the licensed version <https://docs.anchore.com/3.0/docs/faq/#2> <https://anchore.com/pricing/> [licensing](package-architecture/anchore.md#licensing) <https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise/-/blob/main/docs/CHART.md#adding-enterprise-components> | | Vault | Secret management (AddOn App) | Mozilla Public License 2.0 | | | Metrics Server | Scalable, efficient source of container resource metrics. (AddOn App) | Apache License 2.0 | | \ No newline at end of file -- GitLab
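Review bot: In the docs/README.md hunk (`@@ -18,10 +18,16 @@`), the new bullet `* Iron Bank provides hardened containers that helps solve this component.` has a subject-verb mismatch; `containers` is plural, so it should read `that help solve this component`. Two smaller points on the same hunk: `partner with Vendors of Kubernetes Distributions` capitalizes a common noun (the removed line had `vendors`), and `The Big Bang team recommends consumers who are interested in a full solution, partner with ...` carries over a stray comma before `partner`; `recommends that consumers ... partner with vendors` reads cleanly.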
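Review bot: In the `## Additional Useful Background Contextual Information` hunk of docs/understanding-bigbang/README.md (`@@ -63,19 +27,21 @@`), the new bullet says pre-reading materials are in `this `understanding_bigbang` section`, but the directory this file lives in is `docs/understanding-bigbang` (hyphen, per the file header); use the real path so the reference is greppable. The new repo link `https://repo1.dso.mil/big-bang/bigbang/docs` does not use GitLab's `/-/tree/<branch>/docs` form, unlike the issues link in the same hunk (`/-/issues`), so check that it resolves rather than 404ing. Grammar in the same hunk: `it always referring to` should be `it is always referring to`, `Improve a users understanding` should be `a user's`, `can slightly effect parts` should be `affect`, the bullet `Prescriptively show the only possible solution of a Big Bang deployment` is missing the trailing period the sibling bullets were just given, and `Show potential use cases for some of BigBang's core components.` still uses `BigBang` in a patch whose purpose is the `Big Bang` spelling.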
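Review bot: In the last licensing-table hunk (`@@ -58,8 +60,8 @@`), the PartyBus to `Party Bus` rename is applied to the Gitlab and Anchore rows but not to the Mattermost row in this hunk's context (`PartyBus uses the Enterprise E20 licensed version`) or the ECK row in the previous hunk (`PartyBus uses licensed ElasticSearch`), and the Mattermost row still says `P1's Keycloak` where the rest of the patch spells out `Platform One`. Make the rename complete in the same commit so a grep for either form returns everything. Separately, the file still ends without a trailing newline (`\ No newline at end of file`); add one while the last rows are being edited.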