Merge branch 'master' into 'add-minio-dashboard-to-grafana'

# Conflicts:
#   chart/values.yaml

.gitlab-ci.yml

@@ -40,7 +40,7 @@ variables:
     - generic
 
 .bigbang:
-  image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.6
+  image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k8s-ci:v1.20.4-bb.3
   extends: .bigbang-dogfood
   after_script:
     - kubectl get all -A
@@ -103,7 +103,7 @@ clean install:
   variables:
     CLUSTER_NAME: "clean-${CI_COMMIT_SHORT_SHA}"
   rules:
-    - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master"'
+    - if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
       when: never
     - *chart_changes
   script:
@@ -128,6 +128,9 @@ upgrade:
   extends:
     - .k3d-ci
   rules:
+    # skip job for nightly master and "test-ci::infra" labeled pipelines
+    - if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
+      when: never
     # skip job when MR title starts with 'SKIP UPGRADE'
     - if: '$CI_MERGE_REQUEST_TITLE =~ /^SKIP UPGRADE/'
       when: never
@@ -244,13 +247,6 @@ aws/rke2/bigbang up:
     - cp ${CI_PROJECT_DIR}/rke2.yaml ~/.kube/config
     # Deploy a default storage class for aws
     - kubectl apply -f ${CI_PROJECT_DIR}/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
-    - echo "Patching default rke2 PSPs to be less restrictive so OPA Gatekeeper can successfully deploy"
-    - |
-      kubectl --kubeconfig rke2.yaml patch psp global-unrestricted-psp  -p '{"metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
-    - |
-      kubectl --kubeconfig rke2.yaml patch psp system-unrestricted-psp  -p '{ "metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
-    - |
-      kubectl --kubeconfig rke2.yaml patch psp global-restricted-psp  -p '{ "metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
 
   script:
     - *deploy_bigbang

.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml

@@ -8,7 +8,6 @@
     - privileged
     - dogfood
 
-#
 # In cluster k3s using K3D with the docker daemon as a sidecar
 #
 #   This will connect to a remote docker daemon over tls tcp (defined at installation of gitlab runners) and create
@@ -38,7 +37,6 @@
     - k3d cluster delete ${CI_JOB_ID}
     - docker network rm ${CI_JOB_ID}
 
-#
 # In cluster k3s using k3s as a sidecar
 #
 #   This will spin up k3s as a gitlab ci sidecar

.gitlab-ci/jobs/networking/aws/.gitlab-ci.yml

@@ -24,4 +24,4 @@
   script:
     - *calc_unique_cidr
     - echo "Destroying network"
-    - terraform destroy -auto-approve
\ No newline at end of file
+    - terraform destroy -auto-approve

.gitlab-ci/jobs/rke2/.gitlab-ci.yml

@@ -19,4 +19,4 @@
     - .rke2 tf
     - .terraform destroy workspace
   script:
-    - terraform destroy -input=false -auto-approve
\ No newline at end of file
+    - terraform destroy -input=false -auto-approve

.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf

@@ -31,7 +31,7 @@ EOF
 }
 
 module "rke2" {
-  source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git?ref=v1.1.7"
+  source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git?ref=v1.1.8"
 
   cluster_name          = local.name
   vpc_id                = var.vpc_id
@@ -48,6 +48,12 @@ disable:
   - rke2-ingress-nginx
 EOF
 
+  block_device_mappings = {
+    size = 100
+    encrypted = true
+    type = "gp3"
+  }
+
   enable_ccm = var.enable_ccm
   download   = var.download
 
@@ -57,7 +63,7 @@ EOF
 }
 
 module "generic_agents" {
-  source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.7"
+  source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.8"
 
   name                = "generic-agent"
   vpc_id              = var.vpc_id
@@ -76,6 +82,12 @@ module "generic_agents" {
   # TODO: These need to be set in pre-baked ami's
   pre_userdata = local.os_prep
 
+  block_device_mappings = {
+    size = 150
+    encrypted = true
+    type = "gp3"
+  }
+
   # Required data for identifying cluster to join
   cluster_data = module.rke2.cluster_data
 

.gitlab-ci/jobs/rke2/dependencies/terraform/main/variables.tf

@@ -47,11 +47,11 @@ variable "download" {
 # Server variables
 #
 variable "server_ami" {
-  # RHEL 8.3 RKE2 v1.20.5+rke2r1 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
-  default = "ami-017e342d9500ef3b2"
+  # RHEL 8.3 RKE2 v1.20.7+rke2r2 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
+  default = "ami-04fc9486a0c1633cb"
 }
 variable "server_instance_type" {
-  default = "m5a.large"
+  default = "m5a.2xlarge"
 }
 variable "servers" {
   default = 1
@@ -64,17 +64,17 @@ variable "rke2_version" {
 # Generic agent variables
 #
 variable "agent_ami" {
-  # RHEL 8.3 RKE2 v1.20.5+rke2r1 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
-  default = "ami-017e342d9500ef3b2"
+  # RHEL 8.3 RKE2 v1.20.7+rke2r2 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
+  default = "ami-04fc9486a0c1633cb"
 }
 variable "agent_instance_type" {
   default = "m5a.4xlarge"
 }
 variable "agent_asg" {
-  default = { min : 2, max : 10, desired : 2 }
+  default = { min : 3, max : 10, desired : 3 }
 }
 variable "agent_spot" {
-  default = false
+  default = true
 }
 
 variable "ci_pipeline_url" {

.gitlab-ci/templates.yml

@@ -29,4 +29,4 @@ include:
 .terraform destroy workspace:
   after_script:
     - cd ${CI_PROJECT_DIR}/${TF_ROOT}
-    - terraform workspace select default && terraform workspace delete "${TF_VAR_env}"
\ No newline at end of file
+    - terraform workspace select default && terraform workspace delete "${TF_VAR_env}"

CHANGELOG.md

@@ -3,6 +3,14 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [1.12.0]
+
+[!1.12.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.12.0); List of Merge Requests in this Release
+
+## [1.11.0]
+
+[!1.11.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.11.0); List of Merge Requests in this Release
+
 ## [1.10.0]
 
 [!1.10.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.10.0); List of Merge Requests in this Release

CODEOWNERS

@@ -16,8 +16,7 @@
 [Docs Owners]
 # Allow any one of the listed codeowners to approve merges to the documentation 
 # Does not allow the creator of the merge request to be the approver.
-/docs/                          @aaron.ruse @aaronbeger @barrywoodtetrate @brandencobb @cmcgrath @daryndecker @david.allen @dyoung @echuang @egoode @evan.rush @iahmad @jasonkrause @jay-rob @jennifer.kays @jcookehg @jdale @joshwolf @kavitha @kenna81 @kevin.wilder @kottoson @LynnStill @mark.sanchez @matthew.kaiser @mdutton @micah.nagel @michaelmartin @michaelmcleroy @msbrown47 @nick.kammerdiener @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @shouseba @thomas.burton @toladipupo @tsiddique1 @visuth.dy
-
+/docs/                          @aaron.ruse @aaronbeger @brandencobb @cmcgrath @daryndecker @david.allen @dyoung @echuang @egoode @evan.rush @iahmad @jasonkrause @jay-rob @jennifer.kays @jcookehg @jdale @joshwolf @kavitha @kenna81 @kevin.wilder @kottoson @LynnStill @mark.sanchez @matthew.kaiser @mdutton @micah.nagel @michaelmartin @michaelmcleroy @msbrown47 @nick.kammerdiener @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @shouseba @thomas.burton @toladipupo @tsiddique1 @visuth.dy @ronwebb
 
 ################################################
 # The following entries are for optional approval. 
@@ -38,16 +37,16 @@ hack/                           @toladipupo @michaelmcleroy @egoode
 ^[Charter Owners]
 charter/                        @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
 
-^[Istio and Authservice]
-chart/Chart.yaml                @kenna81 @kavitha @cmcgrath @barrywoodtetrate
-chart/values.yaml               @kenna81 @kavitha @cmcgrath @barrywoodtetrate
-chart/templates/authservice     @kenna81 @kavitha @cmcgrath 
-chart/templates/istio           @kenna81 @kavitha @cmcgrath @barrywoodtetrate
+^[Istio, Istio Operator, and Authservice]
+chart/Chart.yaml                @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/values.yaml               @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/templates/authservice     @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/templates/istio           @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
 
-# ^[HAProxy]
-# chart/Chart.yaml              @blloyd @runyontr @ryan.j.garcia
-# chart/values.yaml             @blloyd @runyontr @ryan.j.garcia
-# chart/templates/haproxy       @blloyd @runyontr @ryan.j.garcia
+^[HAProxy]
+chart/Chart.yaml              @blloyd @runyontr @ryan.j.garcia
+chart/values.yaml             @blloyd @runyontr @ryan.j.garcia
+chart/templates/haproxy       @blloyd @runyontr @ryan.j.garcia
 
 ^[Anchore]
 chart/Chart.yaml                @blake.hearn @micah.nagel @jasonkrause
@@ -64,15 +63,15 @@ chart/Chart.yaml                @echuang @egoode @toladipupo @michaelmcleroy
 chart/values.yaml               @echuang @egoode @toladipupo @michaelmcleroy
 chart/templates/clusterauditor  @echuang @egoode @toladipupo @michaelmcleroy
 
-# ^[Gatekeeper]
+^[Gatekeeper]
 chart/Chart.yaml                @echuang @egoode @toladipupo @michaelmcleroy
 chart/values.yaml               @echuang @egoode @toladipupo @michaelmcleroy   
 chart/templates/gatekeeper      @echuang @egoode @toladipupo @michaelmcleroy
 
-^[Logging]
-chart/Chart.yaml                @kavitha @ryan.j.garcia @evan.rush
-chart/values.yaml               @kavitha @ryan.j.garcia @evan.rush
-chart/templates/logging         @kavitha @ryan.j.garcia @evan.rush
+^[Jaeger]
+chart/Chart.yaml                @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/values.yaml               @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia  
+chart/templates/jaegar          @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
 
 ^[Monitoring]
 chart/Chart.yaml                @lynnstill @ryan.j.garcia @michaelmartin
@@ -99,6 +98,11 @@ chart/Chart.yaml                @megamind @kevin.wilder @michaelmcleroy
 chart/values.yaml               @megamind @kevin.wilder @michaelmcleroy
 chart/templates/keycloak        @megamind @kevin.wilder @michaelmcleroy
 
+^[Kiali]
+chart/Chart.yaml                @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/values.yaml               @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/templates/kiali           @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+
 ^[Mattermost (and operator)]
 chart/Chart.yaml                @micah.nagel @brandencobb @jasonkrause
 chart/values.yaml               @micah.nagel @brandencobb @jasonkrause
@@ -109,7 +113,27 @@ chart/Chart.yaml                @LynnStill @kevin.wilder @brandencobb
 chart/values.yaml               @LynnStill @kevin.wilder @brandencobb
 chart/templates/minio           @LynnStill @kevin.wilder @brandencobb
 
+^[Nexus]
+chart/Chart.yaml                @kavitha @kevin.wilder @ariel.shnitzer @grant.duncklee
+chart/values.yaml               @kavitha @kevin.wilder @ariel.shnitzer @grant.duncklee
+chart/templates/nexus           @kavitha @kevin.wilder @ariel.shnitzer @grant.duncklee
+
 ^[Velero]
 chart/Chart.yaml                @tunde @adam.toy @micah.nagel @jcarnes
 chart/values.yaml               @tunde @adam.toy @micah.nagel @jcarnes
 chart/templates/velero          @tunde @adam.toy @micah.nagel @jcarnes
+
+^[fluentbit]
+chart/Chart.yaml                @kavitha @ryan.j.garcia @echuang
+chart/values.yaml               @kavitha @ryan.j.garcia @echuang
+chart/templates/fluentbit       @kavitha @ryan.j.garcia @echuang
+
+^[eck-operator]
+chart/Chart.yaml                @kavitha @ryan.j.garcia @evan.rush @toladipupo
+chart/values.yaml               @kavitha @ryan.j.garcia @evan.rush @toladipupo
+chart/templates/eck-operator    @kavitha @ryan.j.garcia @evan.rush @toladipupo
+
+^[elasticsearch-kibana]
+chart/Chart.yaml                        @kavitha @ryan.j.garcia @evan.rush @ronwebb
+chart/values.yaml                       @kavitha @ryan.j.garcia @evan.rush @ronwebb
+chart/templates/elasticsearch-kibana    @kavitha @ryan.j.garcia @evan.rush @ronwebb

README.md

 # bigbang
 
-![Version: 1.10.0](https://img.shields.io/badge/Version-1.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.12.0](https://img.shields.io/badge/Version-1.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 
@@ -59,11 +59,11 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | flux | object | `{"install":{"remediation":{"retries":3}},"interval":"2m","rollback":{"cleanupOnFail":true,"timeout":"10m"},"test":{"enable":false},"timeout":"10m","upgrade":{"cleanupOnFail":true,"remediation":{"remediateLastFailure":true,"retries":3}}}` | (Advanced) Flux reconciliation parameters. The default values provided will be sufficient for the majority of workloads. |
 | networkPolicies | object | `{"controlPlaneCidr":"0.0.0.0/0","enabled":true}` | Global NetworkPolicies settings |
 | networkPolicies.enabled | bool | `true` | Toggle all package NetworkPolicies, can disable specific packages with `package.networkPolicies.enabled` |
-| networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` | Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl cluster-info` to get the value for your cluster Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP) Used by package NetworkPolicies to allow Kube API access |
+| networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` | Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints) Used by package NetworkPolicies to allow Kube API access |
 | istio.enabled | bool | `true` | Toggle deployment of Istio. |
 | istio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git"` |  |
 | istio.git.path | string | `"./chart"` |  |
-| istio.git.tag | string | `"1.8.4-bb.2"` |  |
+| istio.git.tag | string | `"1.8.4-bb.5"` |  |
 | istio.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Package |
 | istio.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the default certificate for exposing BigBang created applications. If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`. |
 | istio.values | object | `{}` | Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git |
@@ -71,14 +71,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istiooperator.enabled | bool | `true` | Toggle deployment of Istio Operator. |
 | istiooperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git"` |  |
 | istiooperator.git.path | string | `"./chart"` |  |
-| istiooperator.git.tag | string | `"1.8.4-bb.1"` |  |
+| istiooperator.git.tag | string | `"1.8.4-bb.2"` |  |
 | istiooperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Operator Package |
 | istiooperator.values | object | `{}` | Values to passthrough to the istio-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git |
 | istiooperator.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | jaeger.enabled | bool | `true` | Toggle deployment of Jaeger. |
 | jaeger.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git"` |  |
 | jaeger.git.path | string | `"./chart"` |  |
-| jaeger.git.tag | string | `"2.19.1-bb.4"` |  |
+| jaeger.git.tag | string | `"2.22.0-bb.1"` |  |
 | jaeger.flux | object | `{}` | Flux reconciliation overrides specifically for the Jaeger Package |
 | jaeger.sso.enabled | bool | `false` | Toggle SSO for Jaeger on and off |
 | jaeger.sso.client_id | string | `""` | OIDC Client ID to use for Jaeger |
@@ -88,7 +88,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | kiali.enabled | bool | `true` | Toggle deployment of Kiali. |
 | kiali.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git"` |  |
 | kiali.git.path | string | `"./chart"` |  |
-| kiali.git.tag | string | `"1.32.0-bb.1"` |  |
+| kiali.git.tag | string | `"1.36.0-bb.2"` |  |
 | kiali.flux | object | `{}` | Flux reconciliation overrides specifically for the Kiali Package |
 | kiali.sso.enabled | bool | `false` | Toggle SSO for Kiali on and off |
 | kiali.sso.client_id | string | `""` | OIDC Client ID to use for Kiali |
@@ -98,21 +98,21 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | clusterAuditor.enabled | bool | `true` | Toggle deployment of Cluster Auditor. |
 | clusterAuditor.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git"` |  |
 | clusterAuditor.git.path | string | `"./chart"` |  |
-| clusterAuditor.git.tag | string | `"0.2.0-bb.6"` |  |
+| clusterAuditor.git.tag | string | `"0.3.0-bb.2"` |  |
 | clusterAuditor.flux | object | `{}` | Flux reconciliation overrides specifically for the Cluster Auditor Package |
 | clusterAuditor.values | object | `{}` | Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git |
 | clusterAuditor.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
 | gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` |  |
 | gatekeeper.git.path | string | `"./chart"` |  |
-| gatekeeper.git.tag | string | `"3.3.0-bb.4"` |  |
+| gatekeeper.git.tag | string | `"3.4.0-bb.13"` |  |
 | gatekeeper.flux | object | `{}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
 | gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
 | gatekeeper.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
 | logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` |  |
 | logging.git.path | string | `"./chart"` |  |
-| logging.git.tag | string | `"0.1.14-bb.1"` |  |
+| logging.git.tag | string | `"0.1.16-bb.0"` |  |
 | logging.flux | object | `{"timeout":"20m"}` | Flux reconciliation overrides specifically for the Logging (EFK) Package |
 | logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
 | logging.sso.client_id | string | `""` | Elasticsearch/Kibana OIDC client ID |
@@ -124,20 +124,20 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | eckoperator.enabled | bool | `true` | Toggle deployment of ECK Operator. |
 | eckoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git"` |  |
 | eckoperator.git.path | string | `"./chart"` |  |
-| eckoperator.git.tag | string | `"1.4.0-bb.2"` |  |
+| eckoperator.git.tag | string | `"1.6.0-bb.0"` |  |
 | eckoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the ECK Operator Package |
 | eckoperator.values | object | `{}` | Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git |
 | fluentbit.enabled | bool | `true` | Toggle deployment of Fluent-Bit. |
 | fluentbit.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git"` |  |
 | fluentbit.git.path | string | `"./chart"` |  |
-| fluentbit.git.tag | string | `"0.15.8-bb.5"` |  |
+| fluentbit.git.tag | string | `"0.15.15-bb.0"` |  |
 | fluentbit.flux | object | `{}` | Flux reconciliation overrides specifically for the Fluent-Bit Package |
 | fluentbit.values | object | `{}` | Values to passthrough to the fluentbit chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git |
 | fluentbit.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
 | monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` |  |
 | monitoring.git.path | string | `"./chart"` |  |
-| monitoring.git.tag | string | `"11.0.0-bb.24"` |  |
+| monitoring.git.tag | string | `"11.0.0-bb.27"` |  |
 | monitoring.flux | object | `{}` | Flux reconciliation overrides specifically for the Monitoring Package |
 | monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
 | monitoring.sso.prometheus.client_id | string | `""` | Prometheus OIDC client ID |
@@ -161,7 +161,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
 | addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` |  |
 | addons.argocd.git.path | string | `"./chart"` |  |
-| addons.argocd.git.tag | string | `"2.14.7-bb.5"` |  |
+| addons.argocd.git.tag | string | `"3.6.8-bb.4"` |  |
 | addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
 | addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
 | addons.argocd.sso.client_id | string | `""` | ArgoCD OIDC client ID |
@@ -173,7 +173,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.authservice.enabled | bool | `false` | Toggle deployment of Authservice. if enabling authservice, a filter needs to be provided by either enabling sso for monitoring or istio, or manually adding a filter chain in the values here: values:   chain:     minimal:       callback_uri: "https://somecallback" |
 | addons.authservice.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git"` |  |
 | addons.authservice.git.path | string | `"./chart"` |  |
-| addons.authservice.git.tag | string | `"0.4.0-bb.6"` |  |
+| addons.authservice.git.tag | string | `"0.4.0-bb.8"` |  |
 | addons.authservice.flux | object | `{}` | Flux reconciliation overrides specifically for the Authservice Package |
 | addons.authservice.values | object | `{}` | Values to passthrough to the authservice chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git |
 | addons.authservice.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
@@ -199,7 +199,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.gitlab.hostnames.registry | string | `"registry.bigbang.dev"` |  |
 | addons.gitlab.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git"` |  |
 | addons.gitlab.git.path | string | `"./chart"` |  |
-| addons.gitlab.git.tag | string | `"4.10.3-bb.8"` |  |
+| addons.gitlab.git.tag | string | `"4.10.3-bb.14"` |  |
 | addons.gitlab.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Package |
 | addons.gitlab.sso.enabled | bool | `false` | Toggle OIDC SSO for Gitlab on and off. Enabling this option will auto-create any required secrets. |
 | addons.gitlab.sso.client_id | string | `""` | Gitlab OIDC client ID |
@@ -221,13 +221,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.gitlabRunner.enabled | bool | `false` | Toggle deployment of Gitlab Runner. |
 | addons.gitlabRunner.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git"` |  |
 | addons.gitlabRunner.git.path | string | `"./chart"` |  |
-| addons.gitlabRunner.git.tag | string | `"0.26.0-bb.2"` |  |
+| addons.gitlabRunner.git.tag | string | `"0.26.0-bb.3"` |  |
 | addons.gitlabRunner.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Runner Package |
 | addons.gitlabRunner.values | object | `{}` | Values to passthrough to the gitlab runner chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git |
+| addons.gitlabRunner.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.nexus.enabled | bool | `false` | Toggle deployment of Nexus. |
 | addons.nexus.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git"` |  |
 | addons.nexus.git.path | string | `"./chart"` |  |
-| addons.nexus.git.tag | string | `"29.1.0-bb.4"` |  |
+| addons.nexus.git.tag | string | `"29.1.0-bb.5"` |  |
 | addons.nexus.license_key | string | `""` | Base64 encoded license file. |
 | addons.nexus.sso.enabled | bool | `false` | Toggle SAML SSO for NXRM. -- handles SAML SSO, a Client must be configured in Keycloak or IdP -- to complete setup. -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599 |
 | addons.nexus.sso.idp_data | object | `{"email":"","firstName":"","groups":"","idpMetadata":"","lastName":"","username":""}` | NXRM SAML SSO Integration data |
@@ -270,7 +271,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.anchore.enabled | bool | `false` | Toggle deployment of Anchore. |
 | addons.anchore.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git"` |  |
 | addons.anchore.git.path | string | `"./chart"` |  |
-| addons.anchore.git.tag | string | `"1.12.16-bb.1"` |  |
+| addons.anchore.git.tag | string | `"1.13.0-bb.3"` |  |
 | addons.anchore.flux | object | `{"upgrade":{"disableWait":true}}` | Flux reconciliation overrides specifically for the Anchore Package |
 | addons.anchore.adminPassword | string | `""` | Initial admin password used to authenticate to Anchore. |
 | addons.anchore.enterprise | object | `{"enabled":false,"licenseYaml":"FULL LICENSE\n"}` | Anchore Enterprise functionality. |
@@ -294,14 +295,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.mattermostoperator.enabled | bool | `false` |  |
 | addons.mattermostoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git"` |  |
 | addons.mattermostoperator.git.path | string | `"./chart"` |  |
-| addons.mattermostoperator.git.tag | string | `"1.14.0-bb.1"` |  |
+| addons.mattermostoperator.git.tag | string | `"1.14.0-bb.2"` |  |
 | addons.mattermostoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Operator Package |
 | addons.mattermostoperator.values | object | `{}` | Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator/-/blob/main/chart/values.yaml |
 | addons.mattermostoperator.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
 | addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` |  |
 | addons.mattermost.git.path | string | `"./chart"` |  |
-| addons.mattermost.git.tag | string | `"0.1.6-bb.5"` |  |
+| addons.mattermost.git.tag | string | `"0.1.6-bb.7"` |  |
 | addons.mattermost.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Package |
 | addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
 | addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install. |
@@ -329,7 +330,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.velero.enabled | bool | `false` | Toggle deployment of Velero. |
 | addons.velero.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git"` |  |
 | addons.velero.git.path | string | `"./chart"` |  |
-| addons.velero.git.tag | string | `"2.21.1-bb.5"` |  |
+| addons.velero.git.tag | string | `"2.21.1-bb.6"` |  |
 | addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
 | addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure  |
 | addons.velero.values | object | `{}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
@@ -337,7 +338,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak. |
 | addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` |  |
 | addons.keycloak.git.path | string | `"./chart"` |  |
-| addons.keycloak.git.tag | string | `"11.0.0-bb.4"` |  |
+| addons.keycloak.git.tag | string | `"11.0.1-bb.0"` |  |
 | addons.keycloak.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the certificate for exposing Keycloak Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart |
 | addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use for Keycloak. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
 | addons.keycloak.database.type | string | `"postgres"` | Pre-existing database type (e.g. postgres) to use for Keycloak. |

base/gitrepository.yaml

@@ -11,4 +11,4 @@ spec:
   interval: 10m
   url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
   ref:
-    tag: 1.10.0
+    tag: 1.12.0

chart/Chart.yaml

 apiVersion: v2
 name: bigbang
-version: 1.10.0
+version: 1.12.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 
 type: application

chart/templates/anchore/anchore-helmrelease.yaml

@@ -19,6 +19,11 @@ spec:
 
   {{- toYaml $fluxSettingsAnchore | nindent 2 }}
 
+  {{- if .Values.addons.anchore.postRenderers }}
+  postRenderers:
+  {{ toYaml .Values.addons.anchore.postRenderers | nindent 4 }}
+  {{- end }}
+
   valuesFrom:
     - name: {{ .Release.Name }}-anchore-values
       kind: Secret

chart/templates/gatekeeper/values.yaml

@@ -3,7 +3,6 @@
 {{- end }}
 
 {{- define "bigbang.defaults.gatekeeper" -}}
-disableValidatingWebhook: true
 image:
   pullSecrets:
   - name: private-registry
@@ -13,4 +12,7 @@ postInstall:
     image:
       pullSecrets:
       - name: private-registry
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}        
 {{- end -}}

chart/templates/gitlab/values.yaml

@@ -5,11 +5,17 @@
 {{- define "bigbang.defaults.gitlab" -}}
 hostname: {{ .Values.hostname }}
 
+openshift: {{ .Values.openshift }}
+
 istio:
   enabled: {{ .Values.istio.enabled }}
 
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
   
 {{- if .Values.addons.gitlab.database.host }}
 postgresql:

chart/templates/istio/controlplane/values.yaml

@@ -13,6 +13,9 @@ imagePullSecrets:
 
 openshift: {{ .Values.openshift }}
 
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+
 {{- if .Values.addons.keycloak.enabled }}
 extraServers:
 - port:

chart/templates/istio/operator/values.yaml

@@ -7,4 +7,8 @@ createNamespace: false
 
 imagePullSecrets:
   - name: private-registry
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 {{- end -}}

chart/templates/monitoring/values.yaml

@@ -39,6 +39,9 @@ istio:
     hosts:
     - grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 
+anchore:
+  enabled: {{ .Values.addons.anchore.enabled }}
+
 global:
   imagePullSecrets:
   - name: private-registry

chart/templates/velero/values.yaml

@@ -18,7 +18,7 @@ networkPolicies:
 imagePullSecrets:
 - name: private-registry
 
-{{- if eq (len .Values.addons.velero.plugins) 0 }}{{- fail "At least one plugin in '.Values.addons.velero.plugins' required. Supported values: aws, azure" }}{{- end }}
+{{- if eq (len .Values.addons.velero.plugins) 0 }}{{- fail "At least one plugin in '.Values.addons.velero.plugins' required. Supported values: aws, azure, csi" }}{{- end }}
 initContainers:
 {{- range .Values.addons.velero.plugins }}
 {{- if eq . "aws" }}
@@ -28,7 +28,8 @@ initContainers:
     volumeMounts:
       - mountPath: /target
         name: plugins
-{{- else if eq . "azure" }}
+{{- end }}
+{{- if eq . "azure" }}
   - name: velero-plugin-for-azure
     image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure:v1.2.0
     imagePullPolicy: IfNotPresent
@@ -36,6 +37,16 @@ initContainers:
       - mountPath: /target
         name: plugins
 {{- end }}
+{{- if eq . "csi" }}
+  - name: velero-plugin-for-csi
+    image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.1.2
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+configuration:
+  features: EnableCSI
+{{- end }}
 {{- end }}
 
 {{- end -}}

chart/values.yaml

@@ -96,8 +96,8 @@ flux:
 networkPolicies:
   # -- Toggle all package NetworkPolicies, can disable specific packages with `package.networkPolicies.enabled`
   enabled: true
-  # -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl cluster-info` to get the value for your cluster
-  # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP)
+  # -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster
+  # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
   # Used by package NetworkPolicies to allow Kube API access
   controlPlaneCidr: 0.0.0.0/0
 
@@ -110,7 +110,7 @@ istio:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
     path: "./chart"
-    tag: "1.8.4-bb.2"
+    tag: "1.8.4-bb.5"
 
   # -- Flux reconciliation overrides specifically for the Istio Package
   flux: {}
@@ -133,7 +133,7 @@ istiooperator:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
     path: "./chart"
-    tag: "1.8.4-bb.1"
+    tag: "1.8.4-bb.2"
 
   # -- Flux reconciliation overrides specifically for the Istio Operator Package
   flux: {}
@@ -150,7 +150,7 @@ jaeger:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git
     path: "./chart"
-    tag: "2.21.4-bb.2"
+    tag: "2.22.0-bb.1"
 
   # -- Flux reconciliation overrides specifically for the Jaeger Package
   flux: {}
@@ -177,7 +177,7 @@ kiali:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git
     path: "./chart"
-    tag: "1.32.0-bb.2"
+    tag: "1.36.0-bb.2"
 
   # -- Flux reconciliation overrides specifically for the Kiali Package
   flux: {}
@@ -209,7 +209,7 @@ clusterAuditor:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
     path: "./chart"
-    tag: "0.3.0-bb.1"
+    tag: "0.3.0-bb.2"
 
   # -- Flux reconciliation overrides specifically for the Cluster Auditor Package
   flux: {}
@@ -230,7 +230,7 @@ gatekeeper:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
     path: "./chart"
-    tag: "3.4.0-bb.4"
+    tag: "3.4.0-bb.16"
 
   # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
   flux: {}
@@ -251,7 +251,7 @@ logging:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
     path: "./chart"
-    tag: "0.1.15-bb.0"
+    tag: "0.1.17-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Logging (EFK) Package
   flux:
@@ -301,7 +301,7 @@ fluentbit:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
     path: "./chart"
-    tag: "0.15.14-bb.0"
+    tag: "0.15.15-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Fluent-Bit Package
   flux: {}
@@ -396,7 +396,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
       path: "./chart"
-      tag: "3.6.8-bb.3"
+      tag: "3.6.8-bb.4"
 
     # -- Flux reconciliation overrides specifically for the ArgoCD Package
     flux: {}
@@ -504,7 +504,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
       path: "./chart"
-      tag: "4.10.3-bb.11"
+      tag: "4.10.3-bb.14"
 
     # -- Flux reconciliation overrides specifically for the Gitlab Package
     flux: {}
@@ -721,7 +721,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
       path: "./chart"
-      tag: "1.12.16-bb.1"
+      tag: "1.13.0-bb.3"
 
     # -- Flux reconciliation overrides specifically for the Anchore Package
     flux:
@@ -820,7 +820,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git
       path: "./chart"
-      tag: "0.1.6-bb.6"
+      tag: "0.1.6-bb.7"
 
     # -- Flux reconciliation overrides specifically for the Mattermost Package
     flux: {}
@@ -915,12 +915,12 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
       path: "./chart"
-      tag: "2.21.1-bb.5"
+      tag: "2.23.3-bb.0"
 
     # -- Flux reconciliation overrides specifically for the Velero Package
     flux: {}
 
-    # -- Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure 
+    # -- Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi 
     plugins: []
     # - aws