Merge branch 'omnibang' into 'master'

Extends Big Bang using Values

Closes #1359

See merge request platform-one/big-bang/bigbang!2272

chart/templates/_helpers.tpl

@@ -83,10 +83,11 @@ Build common set of file extensions to include/exclude
 Common labels for all objects
 */}}
 {{- define "commonLabels" -}}
-app.kubernetes.io/instance: "{{ .Release.Name }}"
-app.kubernetes.io/version: "{{ .Chart.Version }}"
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | replace "+" "_" }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/part-of: "bigbang"
-app.kubernetes.io/managed-by: "flux"
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 {{- end -}}
 
 {{- define "values-secret" -}}
@@ -158,3 +159,35 @@ bigbang.dev/istioVersion: {{ .Values.istio.git.tag | trimSuffix (regexFind "-bb.
 bigbang.dev/istioVersion: {{ .Values.istio.git.branch }}
 {{- end -}}
 {{- end -}}
+
+{{- /* Helpers below this line are in support of the Big Bang extensibility feature */ -}}
+
+{{- /* Converts the string in . to a legal Kubernetes resource name */ -}}
+{{- define "resourceName" -}}
+  {{- regexReplaceAll "\\W+" . "-" | trimPrefix "-" | trunc 63 | trimSuffix "-" | kebabcase -}}
+{{- end -}}
+
+{{- /* Returns a space separated string of unique namespaces where `<package>.enabled` and key held in `.constraint` are true */ -}}
+{{- /* [Optional] Set `.constraint` to the key under <package> holding a boolean that must be true to be enabled */ -}}
+{{- /* [Optional] Set `.default` to `true` to enable a `true` result when the `constraint` key is not found */ -}}
+{{- /* To use: $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "constraint" "some.boolean" "default" true) .))) */ -}}
+{{- define "uniqueNamespaces" -}}
+  {{- $namespaces := list -}}
+  {{- range $pkg, $vals := .Values.packages -}}
+    {{- if (dig "enabled" true $vals) -}}
+      {{- $constraint := $vals -}}
+      {{- range $key := split "." (default "" $.constraint) -}}
+        {{- $constraint = (dig $key dict $constraint) -}}
+      {{- end -}}
+      {{- if (ternary $constraint (default false $.default) (kindIs "bool" $constraint)) -}}
+        {{- $namespaces = append $namespaces (dig "namespace" "name" (include "resourceName" $pkg) $vals) -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+  {{- join " " (uniq $namespaces) | trim -}}
+{{- end -}}
+
+{{- /* Prints istio version */ -}}
+{{- define "istioVersion" -}}
+{{ regexReplaceAll "-bb.+$" (coalesce .Values.istio.git.semver .Values.istio.git.tag .Values.istio.git.branch) "" }}
+{{- end -}}

chart/templates/package/gitrepository.yaml

+{{- /* Used for GitOps on a package's Helm chart */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if (dig "enabled" true $vals) -}}
+{{- $pkg = include "resourceName" $pkg -}}
+{{- $defaults := $.Files.Get (printf "defaults/%s.yaml" $pkg) -}}
+{{- if $defaults -}}
+{{- $vals := merge $vals ($defaults | fromYaml).package -}}
+{{- end -}}
+{{- $fluxSettings := merge (dig "flux" dict $vals) $.Values.flux -}}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ dig "namespace" "name" $pkg $vals }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" $ | nindent 4 }}
+spec:
+  interval: {{ default "5m" $fluxSettings.interval }}
+  url: {{ dig "git" "repo" nil $vals }}
+  ref:
+    {{- include "validRef" $vals.git | nindent 4 -}}
+  {{- include "gitCreds" $ | nindent 2 }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/package/helmrelease.yaml

+{{- /* Used for deploying a package using a Helm chart */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if and (dig "enabled" true $vals) (not $vals.kustomize) -}}
+{{- $pkg := include "resourceName" $pkg -}}
+{{- $defaults := $.Files.Get (printf "defaults/%s.yaml" $pkg) -}}
+{{- if $defaults -}}
+{{- $vals := merge $vals ($defaults | fromYaml).package -}}
+{{- end -}}
+{{- $fluxSettings := merge (dig "flux" dict $vals) $.Values.flux -}}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ dig "namespace" "name" $pkg $vals }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" $ | nindent 4 }}
+spec:
+  releaseName: {{ $pkg }}
+  chart:
+    spec:
+      chart: {{ dig "git" "path" "chart" $vals }}
+      interval: {{ default "5m" $fluxSettings.interval }}
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: GitRepository
+        name: {{ $pkg }}
+        namespace: {{ dig "namespace" "name" $pkg $vals }}
+  {{- toYaml $fluxSettings | nindent 2 }}
+  {{- if $vals.postRenderers }}
+  postRenderers:
+  {{- toYaml $vals.postRenderers | nindent 2 }}
+  {{- end }}
+  valuesFrom:
+  - name: {{ $pkg }}-values
+    kind: Secret
+
+  {{- /* Always wait on policy enforcement */ -}}
+  {{- $gatekeeperDep := $.Values.gatekeeper.enabled -}}
+  {{- $kyvernoDep := $.Values.kyvernopolicies.enabled -}}
+  {{- /* Wait on istio if sidecar is enabled */ -}}
+  {{- $istioDep := (and $.Values.istio.enabled (dig "istio" "injection" true $vals)) -}}
+  {{- if or $gatekeeperDep $kyvernoDep $istioDep }}
+  dependsOn:
+    {{- if $gatekeeperDep }}
+    - name: gatekeeper
+      namespace: {{ default "bigbang" $.Values.namespace }}
+    {{- end }}
+    {{- if $kyvernoDep }}
+    - name: kyvernopolicies
+      namespace: {{ default "bigbang" $.Values.namespace }}
+    {{- end }}
+    {{- if $istioDep }}
+    - name: istio
+      namespace: {{ default "bigbang" $.Values.namespace }}
+    {{- end -}}
+  {{- end }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/package/kustomization.yaml

+{{- /* Used for deploying a package using Kustomize */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if and (dig "enabled" true $vals) $vals.kustomize -}}
+{{- $pkg := include "resourceName" $pkg -}}
+{{- $vals := merge $vals ($.Files.Get (printf "defaults/%s.yaml" $pkg) | fromYaml).package }}
+{{- $fluxSettings := merge (dig "flux" dict $vals) $.Values.flux -}}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: Kustomization
+metadata:
+  name: {{ $pkg }}
+  namespace: {{ dig "namespace" "name" $pkg $vals }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" $ | nindent 4 }}
+spec:
+  path: {{ dig "git" "path" "" $vals }}
+  sourceRef:
+    kind: GitRepository
+    name: {{ $pkg }}
+    namespace: {{ dig "namespace" "name" $pkg $vals }}
+  {{- toYaml $fluxSettings | nindent 2 }}
+  postBuild:
+    substituteFrom:
+    - name: {{ $pkg }}-values
+        kind: Secret
+
+  {{- /* Always wait on policy enforcement */ -}}
+  {{- $gatekeeperDep := $.Values.gatekeeper.enabled -}}
+  {{- $kyvernoDep := $.Values.kyvernopolicies.enabled -}}
+  {{- /* Wait on istio if sidecar is enabled */ -}}
+  {{- $istioDep := (and $.Values.istio.enabled (dig "istio" "injection" true $vals)) -}}
+  {{- if or $gatekeeperDep $kyvernoDep $istioDep }}
+  dependsOn:
+    {{- if $gatekeeperDep }}
+    - name: gatekeeper
+      namespace: {{ default "bigbang" $.Values.namespace }}
+    {{- end }}
+    {{- if $kyvernoDep }}
+    - name: kyvernopolicies
+      namespace: {{ default "bigbang" $.Values.namespace }}
+    {{- end }}
+    {{- if $istioDep }}
+    - name: istio
+      namespace: {{ default "bigbang" $.Values.namespace }}
+    {{- end -}}
+  {{- end }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/package/namespace.yaml

+{{- /* Used for creating namespaces that package's use. */ -}}
+{{- /* If two packages reside in the same namespace, set namespace.create=false in one of them. */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if and (dig "enabled" true $vals) (dig "namespace" "create" true $vals) -}}
+{{- $pkg = include "resourceName" $pkg -}}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ dig "namespace" "name" $pkg $vals }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}
+    {{- include "commonLabels" $ | nindent 4 }}
+    {{- if $.Values.istio.enabled }}
+    istio-injection: {{ ternary "enabled" "disabled" (dig "istio" "injection" true $vals) }}
+    {{- end -}}
+    {{- if (dig "namespace" "labels" nil $vals) -}}
+    {{- toYaml $vals.namespace.labels | nindent 4 -}}
+    {{- end -}}
+  {{- if (dig "namespace" "annotations" nil $vals) }}
+  annotations:
+    {{- toYaml $vals.namespace.annotations | nindent 4 -}}
+  {{- end }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/package/values.yaml

+{{- /* Used for creating values for the package's Helm chart */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if (dig "enabled" true $vals) -}}
+{{- $pkg = include "resourceName" $pkg -}}
+{{- $defaults := $.Files.Get (printf "defaults/%s.yaml" $pkg) -}}
+{{- if $defaults -}}
+{{- $vals := merge $vals ($defaults | fromYaml).package -}}
+{{- end -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $pkg }}-values
+  namespace: {{ dig "namespace" "name" $pkg $vals }}
+  labels:
+    {{- include "commonLabels" $ | nindent 4 }}
+type: Opaque
+stringData:
+  values.yaml: |
+    {{- tpl (toYaml $vals.values) $ | nindent 4 }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/secrets/certificateauthority.yaml

+{{- /* Used for adding a trusted custom CA for SSO.  One per namespace. */ -}}
+{{- if (dig "certificate_authority" false .Values.sso) -}}
+{{- range $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "default" false "constraint" "sso.enabled") $))) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ default "sso-certificate-authority" $.Values.sso.secretName }}
+  namespace: {{ $ns }}
+  labels:
+    app.kubernetes.io/name: {{ $ns }}
+    {{- include "commonLabels" $ | nindent 4 }}
+type: Opaque
+data:
+  ca.pem: {{ $.Values.sso.certificate_authority | b64enc }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/secrets/gitcredential.yaml

+{{- /* Used for GitOps on Helm charts.  One per namespace */ -}}
+{{- if not (dig "existingSecret" nil .Values.git) -}}
+{{- with (dig "credentials" dict .Values.git) -}}
+{{- if or .username .password .caFile .privateKey .publicKey .knownHosts -}}
+{{- range $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "default" true) $))) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-credentials
+  namespace: {{ $ns }}
+  labels:
+    app.kubernetes.io/name: git-credentials
+    {{- include "commonLabels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .caFile }}
+  caFile: {{ .caFile | b64enc }}
+  {{- end -}}
+
+  {{- if and .username .password }}
+  username: {{ .username | b64enc }}
+  password: {{ .password | b64enc }}
+  {{- else if or .username .password -}}
+  {{- fail "When using http git credentials, all of these must be specified: username, and password" -}}
+  {{- end -}}
+
+  {{- if and .privateKey .publicKey .knownHosts }}
+  identity: {{ .privateKey | b64enc }}
+  identity.pub: {{ .publicKey | b64enc }}
+  known_hosts: {{ .knownHosts | b64enc }}
+  {{- else if or .privateKey .publicKey .knownHosts -}}
+  {{- fail "When using ssh git credentials, all of these must be specified: privateKey, publicKey, and knownHosts" -}}
+  {{- end }}
+---
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/secrets/imagepullsecret.yaml

+{{- /* Used for pulling images from custom registries.  One per namespace */ -}}
+{{- if .Values.registryCredentials -}}
+{{- range $ns := compact (splitList " " (include "uniqueNamespaces" (merge (dict "default" true) .))) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: {{ $ns }}
+  labels:
+    app.kubernetes.io/name: private-registry
+    {{- include "commonLabels" $ | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" $ }}
+---
+{{- end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/wrapper/gitrepository.yaml

+{{- /* Used for GitOps of the BigBang package wrapper Helm chart.  Shared by all packages */ -}}
+{{- if .Values.wrapper -}}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: {{ .Release.Name }}-wrapper
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}-wrapper
+    {{- include "commonLabels" $ | nindent 4 }}
+spec:
+  interval: {{ dig "interval" "5m" .Values.flux }}
+  url: {{ .Values.wrapper.git.repo }}
+  ref:
+    {{- include "validRef" .Values.wrapper.git | nindent 4 -}}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end -}}
\ No newline at end of file

chart/templates/wrapper/helmrelease.yaml

+{{- /* Used for Helm chart deployment of Big Bang wrapper.  One per package. */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if (dig "enabled" true $vals) -}}
+{{- $pkg = include "resourceName" $pkg -}}
+{{- $fluxSettings := merge (dig "flux" dict $vals) $.Values.flux -}}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: {{ $pkg }}-wrapper
+  namespace: {{ dig "namespace" "name" $pkg $vals }}
+  labels:
+    app.kubernetes.io/name: {{ $pkg }}-wrapper
+    {{- include "commonLabels" $ | nindent 4 }}
+spec:
+  releaseName: {{ $pkg }}-wrapper
+  chart:
+    spec:
+      chart: {{ default "wrapper" $.Values.wrapper.git.path }}
+      interval: {{ default "5m" $fluxSettings.interval }}
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: GitRepository
+        name: {{ $.Release.Name }}-wrapper
+        namespace: {{ $.Release.Namespace }}
+  {{- toYaml $fluxSettings | nindent 2 }}
+  valuesFrom:
+    - name: {{ $pkg }}-wrapper-values
+      kind: Secret
+
+  {{- /* Always wait on policy enforcement */ -}}
+  {{- $gatekeeperDep := $.Values.gatekeeper.enabled -}}
+  {{- $kyvernoDep := $.Values.kyvernopolicies.enabled -}}
+  {{- /* Wait on istio operator if creating a Virtual Service */ -}}
+  {{- $istioOpDep := and $.Values.istio.enabled (dig "istio" "hosts" false $vals) -}}
+  {{- /* Wait on monitoring if dashboard or metrics are enabled */ -}}
+  {{- $monitoringDep := $.Values.monitoring.enabled -}}
+  {{- if or $gatekeeperDep $istioOpDep $kyvernoDep $monitoringDep }}
+  dependsOn:
+    {{- if $gatekeeperDep }}
+    - name: gatekeeper
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+    {{- if $kyvernoDep }}
+    - name: kyvernopolicies
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+    {{- if $istioOpDep }}
+    - name: istio-operator
+      namespace: {{ $.Release.Namespace }}
+    {{- end }}
+    {{- if $monitoringDep }}
+    - name: monitoring
+      namespace: {{ $.Release.Namespace }}
+    {{- end -}}
+  {{- end }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/templates/wrapper/values.yaml

+{{- /* Used for creating values to use for Helm wrapper and package Helm charts. */ -}}
+{{- range $pkg, $vals := .Values.packages -}}
+{{- if (dig "enabled" true $vals) -}}
+{{- $pkg = include "resourceName" $pkg -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $pkg }}-wrapper-values
+  namespace: {{ dig "namespace" "name" $pkg $vals }}
+type: Opaque
+stringData:
+  values.yaml: |
+    {{- $defaults := ($.Files.Get (printf "defaults/%s.yaml" $pkg) | fromYaml) -}}
+    {{- $overlays := dict "bigbang" $.Values "package" $vals -}}
+    {{- $merged := merge $overlays $defaults }}
+    package:
+      name: {{ $pkg }}
+      {{- if (omit $merged.package "git" "flux" "postRenderers") }}
+      {{- tpl (toYaml (omit $merged.package "git" "flux" "postRenderers")) $ | nindent 6 }}
+      {{- end }}
+    bigbang:
+      {{- toYaml (pick $merged.bigbang "domain" "openshift") | nindent 6 -}}
+      {{- /* For every top level map, if it has the enable key, pass it through. */ -}}
+      {{- range $bbpkg, $bbvals := $merged.bigbang -}}
+      {{- if kindIs "map" $bbvals -}}
+      {{- if hasKey $bbvals "enabled" -}}
+      {{- $bbpkg | nindent 6 -}}:
+        {{- /* For network policies, we need all of its values. */ -}}
+        {{- if eq $bbpkg "networkPolicies" -}}
+        {{- toYaml $bbvals | nindent 8 -}}
+        {{- else }}
+        enabled: {{ $bbvals.enabled }}
+        {{- end -}}
+      {{- /* For addons, pass through the enable key. */ -}}
+      {{- else if eq $bbpkg "addons" -}}
+      {{- $bbpkg | nindent 6 -}}:
+        {{- range $addpkg, $addvals := $bbvals -}}
+        {{- if hasKey $addvals "enabled" -}}
+        {{- $addpkg | nindent 8 }}:
+          enabled: {{ $addvals.enabled }}
+          {{- /* For authservice, the selector values are needed. */ -}}
+          {{- if and (eq $addpkg "authservice") (or (dig "values" "selector" "key" false $addvals) (dig "values" "selector" "value" false $addvals)) }}
+          values:
+            selector:
+              {{- if (dig "values" "selector" "key" false $addvals) -}}
+              key: {{ $addvals.values.selector.key }}
+              {{- end -}}
+              {{- if (dig "values" "selector" "value" false $addvals) -}}
+              value: {{ $addvals.values.selector.key }}
+              {{- end -}}
+          {{- end -}}
+        {{- end -}}
+        {{- end -}}
+      {{- end -}}
+      {{- end -}}
+      {{- end }}
+---
+{{ end -}}
+{{- end -}}
\ No newline at end of file

chart/values2.0.yaml

+# -- Wrapper chart for integrating Big Bang into a package
+wrapper:
+  git:
+    # -- Git repo holding the wrapper helm chart
+    repo: https://repo1.dso.mil/platform-one/big-bang/apps/wrapper
+    # -- Path inside of the git repo to find the helm chart
+    path: chart
+    # -- Git tag to check out.  Takes precedence over branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
+    tag:
+    branch: main
+
+# -- Packages to deploy with Big Bang integration
+# @default - '{}'
+packages:
+  # -- Package name.  Each package will be independently wrapped for Big Bang integration.
+  # @default -- Uses `defaults/<package name>.yaml` for defaults.  See `package` Helm chart for additional values that can be set.
+  sample:
+    # -- Toggle deployment of this package
+    # @default -- true
+    enabled: false
+    # -- Use a kustomize deployment rather than Helm
+    kustomize: false
+
+    git:
+      # -- (Required) Git repo URL holding the helm chart for this package
+      repo:
+      # -- Git commit to check out.  Takes precedence over semver, tag, and branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
+      commit:
+      # -- Git semVer tag expression to check out.  Takes precedence over tag. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
+      semver:
+      # -- Git tag to check out.  Takes precedence over branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
+      tag:
+      # -- Git branch to check out.  [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference).
+      # @default -- When no other reference is specified, `master` branch is used
+      branch:
+      # -- Path inside of the git repo to find the helm chart or kustomize
+      # @default -- For Helm charts `chart`.  For Kustomize `/`.
+      path:
+
+    # -- Override flux settings for this package
+    flux: {}
+
+    # -- After deployment, patch resources.  [More info](https://fluxcd.io/flux/components/helm/helmreleases/#post-renderers)
+    postRenderers: []
+
+    # -- Package details for Istio.  See [wrapper values](https://repo1.dso.mil/platform-one/big-bang/apps/wrapper/-/blob/main/chart/values.yaml) for settings.
+    istio: {}
+
+    # -- Package details for monitoring.  See [wrapper values](https://repo1.dso.mil/platform-one/big-bang/apps/wrapper/-/blob/main/chart/values.yaml) for settings.
+    monitor: {}
+
+    # -- Package details for network policies.  See [wrapper values](https://repo1.dso.mil/platform-one/big-bang/apps/wrapper/-/blob/main/chart/values.yaml) for settings.
+    network: {}
+
+    # -- Secrets that should be created prior to package installation.  See [wrapper values](https://repo1.dso.mil/platform-one/big-bang/apps/wrapper/-/blob/main/chart/values.yaml) for settings.
+    secrets: {}
+
+    # -- ConfigMaps that should be created prior to package installation.  See [wrapper values](https://repo1.dso.mil/platform-one/big-bang/apps/wrapper/-/blob/main/chart/values.yaml) for settings.
+    configMaps: {}
+
+    # -- Values to pass through to package Helm chart
+    values: {}
\ No newline at end of file