Merge branch 'master' into nexus-mtls

CHANGELOG.md

@@ -3,6 +3,14 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [1.34.0]
+
+- [!1.34.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.34.0); List of merge requests in this release.
+
+## [1.33.0]
+
+- [!1.33.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.33.0); List of merge requests in this release.
+
 ## [1.32.0]
 
 - [!1.32.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.32.0); List of merge requests in this release.

CONTRIBUTING.md

@@ -37,8 +37,8 @@ Per the [charter](https://repo1.dso.mil/platform-one/big-bang/charter), all Big
 Follow the steps below to get a local Kubernetes cluster for Big Bang  using [k3d](https://k3d.io/).
 
 ```bash
-# Create a local k3d cluster with the appropriate port forwards
-k3d cluster create --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disable=metrics-server" -p 80:80@loadbalancer -p 443:443@loadbalancer
+# Create a local k3d cluster with the appropriate port forwards (tested on version 5.4.1)
+k3d cluster create --k3s-arg "--no-deploy=metrics-server,traefik@server:*" -p 80:80@loadbalancer -p 443:443@loadbalancer
 ```
 
 ## Deploying Big Bang (Quick Start)

Packages.md

@@ -35,7 +35,7 @@ Columns:
 | ----    | ---  | ---|---|---|---|---|---|
 | [Keycloak](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) |  ![Keycloak Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/536) | No | No |
 | [Twistlock](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock) |  ![Twistlock Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/498) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1396) | No |
-| [Anchore Enterprise](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise) | ![Anchore Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/505) | Yes (PERMISSIVE) | No |
+| [Anchore Enterprise](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise) | ![Anchore Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/505) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1594) | No |
 | [Authservice](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice) | ![Authservice Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice/badges/main/pipeline.svg) | No | Yes | Yes | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/511) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1329) | No |
 | [Vault](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Vault Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault/badges/main/pipeline.svg) |  No | No | No | Yes | Yes (PERMISSIVE) | No |
 
@@ -62,8 +62,8 @@ Columns:
 
 | Package | Status | Logging | Telemetry | Tracing | Network Policies | mTLS | Behavior Detection |
 | ----    | ---  | ---|---|---|---|---|---|
-| [MinIO](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio)  | ![MinIO Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/badges/main/pipeline.svg)    | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/550) | Yes (PERMISSIVE) | No |
-| [MinIO Operator](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator) |  ![MinIO Operator Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/badges/main/pipeline.svg) | No | No | No | No | Yes (PERMISSIVE) |No |
+| [MinIO](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio)  | ![MinIO Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/badges/main/pipeline.svg)    | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/550) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1566) | No |
+| [MinIO Operator](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator) |  ![MinIO Operator Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/badges/main/pipeline.svg) | No | No | No | No | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1554) |No |
 
 ## Cluster Utilities
 

base/flux/kustomization.yaml

@@ -6,16 +6,16 @@ resources:
 images:
 - name: ghcr.io/fluxcd/helm-controller
   newName: registry1.dso.mil/ironbank/fluxcd/helm-controller
-  newTag: v0.17.1
+  newTag: v0.21.0
 - name: ghcr.io/fluxcd/kustomize-controller
   newName: registry1.dso.mil/ironbank/fluxcd/kustomize-controller
-  newTag: v0.21.1
+  newTag: v0.25.0
 - name: ghcr.io/fluxcd/notification-controller
   newName: registry1.dso.mil/ironbank/fluxcd/notification-controller
-  newTag: v0.22.2
+  newTag: v0.23.5
 - name: ghcr.io/fluxcd/source-controller
   newName: registry1.dso.mil/ironbank/fluxcd/source-controller
-  newTag: v0.21.2
+  newTag: v0.24.4
 
 patches:
   - target:

base/gitrepository.yaml

-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: bigbang
@@ -11,4 +11,4 @@ spec:
   interval: 10m
   url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
   ref:
-    tag: 1.32.0
+    tag: 1.34.0

chart/Chart.yaml

 apiVersion: v2
 name: bigbang
-version: 1.32.0
+version: 1.34.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 
 type: application
@@ -23,8 +23,6 @@ maintainers:
   - name: Branden Cobb
     email: cobb_branden@bah.com
   - name: Tom Runyon
-    email: tom@runyon.dev
-  - name: Josh Wolf
-    email: josh@rancherfederal.com
+    email: tom@defenseunicorns.com
 
 icon: https://p1.dso.mil/img/Big_Bang_Color_Logo_White_text.b04263b1.png

chart/templates/anchore/gitrepository.yaml

 {{- if .Values.addons.anchore.enabled  }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: anchore

chart/templates/argocd/gitrepository.yaml

 {{- if .Values.addons.argocd.enabled  }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: argocd

chart/templates/authservice/gitrepository.yaml

 {{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: authservice

chart/templates/cluster-auditor/gitrepository.yaml

 {{- if and (not .Values.offline) .Values.clusterAuditor.enabled }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: cluster-auditor

chart/templates/gatekeeper/gitrepository.yaml

 {{- if and (not .Values.offline) (or .Values.gatekeeper.enabled .Values.clusterAuditor.enabled) }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: gatekeeper

chart/templates/gatekeeper/values.yaml

@@ -32,7 +32,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - registry1.dso.mil
         - registry.dso.mil
 
-  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled }}
+  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic)}}
   allowedHostFilesystem:
     parameters:
       excludedResources:
@@ -52,6 +52,10 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       # https://github.com/grafana/helm-charts/blob/main/charts/promtail/templates/daemonset.yaml#L120
       - logging/logging-promtail-.*
       {{- end }}
+      {{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic }}
+      # Restic requires hostpath volume mount access in order to facilitate backing up cluster PV/C resources
+      - velero/restic-.*
+      {{- end }}
   {{- end }}
 
   {{- if .Values.twistlock.enabled }}
@@ -122,7 +126,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       {{- end }}
   {{- end }}
 
-  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled }}
+  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic) }}
   volumeTypes:
     parameters:
       excludedResources:
@@ -146,6 +150,10 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         # https://github.com/grafana/helm-charts/blob/main/charts/promtail/templates/daemonset.yaml#L120
         - logging/logging-promtail-.*
        {{- end }}
+       {{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic }}
+        # Restic requires hostpath volume mounts in order to facilitate backing up cluster PV/C resources
+        - velero/restic-.*
+       {{- end }}
   {{- end }}
 {{- end -}}
 

chart/templates/gitlab-runner/gitrepository.yaml

 {{- if and (not .Values.offline) .Values.addons.gitlabRunner.enabled }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: gitlab-runner

chart/templates/gitlab/gitrepository.yaml

 {{- if and (not .Values.offline) .Values.addons.gitlab.enabled }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: gitlab

chart/templates/haproxy/gitrepository.yaml

 {{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
 {{- if and .Values.istio.enabled .Values.monitoring.enabled .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: haproxy

chart/templates/istio/controlplane/gitrepository.yaml

 {{- if and (not .Values.offline) .Values.istio.enabled }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: istio-controlplane

chart/templates/istio/operator/gitrepository.yaml

 {{- if and (not .Values.offline) .Values.istiooperator.enabled }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: istio-operator

chart/templates/jaeger/gitrepository.yaml

 {{- if and (not .Values.offline) .Values.jaeger.enabled }}
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: jaeger