diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d0c4a85948f5847a9145b8a8e6cffbaa90e7743f..20cbb2bdbfe8f686ac26f00206224f215421ef28 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -40,7 +40,7 @@ variables:
- generic
.bigbang:
- image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.6
+ image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k8s-ci:v1.20.4-bb.3
extends: .bigbang-dogfood
after_script:
- kubectl get all -A
@@ -103,7 +103,7 @@ clean install:
variables:
CLUSTER_NAME: "clean-${CI_COMMIT_SHORT_SHA}"
rules:
- - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master"'
+ - if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
when: never
- *chart_changes
script:
@@ -128,6 +128,9 @@ upgrade:
extends:
- .k3d-ci
rules:
+ # skip job for nightly master and "test-ci::infra" labeled pipelines
+ - if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
+ when: never
# skip job when MR title starts with 'SKIP UPGRADE'
- if: '$CI_MERGE_REQUEST_TITLE =~ /^SKIP UPGRADE/'
when: never
@@ -244,13 +247,6 @@ aws/rke2/bigbang up:
- cp ${CI_PROJECT_DIR}/rke2.yaml ~/.kube/config
# Deploy a default storage class for aws
- kubectl apply -f ${CI_PROJECT_DIR}/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
- - echo "Patching default rke2 PSPs to be less restrictive so OPA Gatekeeper can successfully deploy"
- - |
- kubectl --kubeconfig rke2.yaml patch psp global-unrestricted-psp -p '{"metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
- - |
- kubectl --kubeconfig rke2.yaml patch psp system-unrestricted-psp -p '{ "metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
- - |
- kubectl --kubeconfig rke2.yaml patch psp global-restricted-psp -p '{ "metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
script:
- *deploy_bigbang
diff --git a/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
index 2248a11e6e11a08c06dd94649548782db8ebe0bb..d0c9c92b6e39fa9e41a3c67623325b27ef269372 100644
--- a/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
+++ b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
@@ -8,7 +8,6 @@
- privileged
- dogfood
-#
# In cluster k3s using K3D with the docker daemon as a sidecar
#
# This will connect to a remote docker daemon over tls tcp (defined at installation of gitlab runners) and create
@@ -38,7 +37,6 @@
- k3d cluster delete ${CI_JOB_ID}
- docker network rm ${CI_JOB_ID}
-#
# In cluster k3s using k3s as a sidecar
#
# This will spin up k3s as a gitlab ci sidecar
diff --git a/.gitlab-ci/jobs/networking/aws/.gitlab-ci.yml b/.gitlab-ci/jobs/networking/aws/.gitlab-ci.yml
index 395a62aa44a32b6a28049ef7ba10a36326f65a4d..d84b0c8bd0939e02dec20713ffac6ab20980ab7d 100644
--- a/.gitlab-ci/jobs/networking/aws/.gitlab-ci.yml
+++ b/.gitlab-ci/jobs/networking/aws/.gitlab-ci.yml
@@ -24,4 +24,4 @@
script:
- *calc_unique_cidr
- echo "Destroying network"
- - terraform destroy -auto-approve
\ No newline at end of file
+ - terraform destroy -auto-approve
diff --git a/.gitlab-ci/jobs/rke2/.gitlab-ci.yml b/.gitlab-ci/jobs/rke2/.gitlab-ci.yml
index d5d6938fe568fd5ab93c875751a7b56b296c9748..5824f777ab469afb4e243a06f4823979374bd483 100644
--- a/.gitlab-ci/jobs/rke2/.gitlab-ci.yml
+++ b/.gitlab-ci/jobs/rke2/.gitlab-ci.yml
@@ -19,4 +19,4 @@
- .rke2 tf
- .terraform destroy workspace
script:
- - terraform destroy -input=false -auto-approve
\ No newline at end of file
+ - terraform destroy -input=false -auto-approve
diff --git a/.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf b/.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf
index 6f0a34008db8a3e8ef0f4be73fc213657fc3573e..a1613bce7ebf8ba4ed010623209ab82edd2174d6 100644
--- a/.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf
+++ b/.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf
@@ -31,7 +31,7 @@ EOF
}
module "rke2" {
- source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git?ref=v1.1.7"
+ source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git?ref=v1.1.8"
cluster_name = local.name
vpc_id = var.vpc_id
@@ -48,6 +48,12 @@ disable:
- rke2-ingress-nginx
EOF
+ block_device_mappings = {
+ size = 100
+ encrypted = true
+ type = "gp3"
+ }
+
enable_ccm = var.enable_ccm
download = var.download
@@ -57,7 +63,7 @@ EOF
}
module "generic_agents" {
- source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.7"
+ source = "git::https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.8"
name = "generic-agent"
vpc_id = var.vpc_id
@@ -76,6 +82,12 @@ module "generic_agents" {
# TODO: These need to be set in pre-baked ami's
pre_userdata = local.os_prep
+ block_device_mappings = {
+ size = 150
+ encrypted = true
+ type = "gp3"
+ }
+
# Required data for identifying cluster to join
cluster_data = module.rke2.cluster_data
diff --git a/.gitlab-ci/jobs/rke2/dependencies/terraform/main/variables.tf b/.gitlab-ci/jobs/rke2/dependencies/terraform/main/variables.tf
index 94cb62544594ccba3bd3b58602a224b63b9a48b4..7911c9ae0eb2f4c07a97f6e012f48ba1512e8f4b 100644
--- a/.gitlab-ci/jobs/rke2/dependencies/terraform/main/variables.tf
+++ b/.gitlab-ci/jobs/rke2/dependencies/terraform/main/variables.tf
@@ -47,11 +47,11 @@ variable "download" {
# Server variables
#
variable "server_ami" {
- # RHEL 8.3 RKE2 v1.20.5+rke2r1 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
- default = "ami-017e342d9500ef3b2"
+ # RHEL 8.3 RKE2 v1.20.7+rke2r2 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
+ default = "ami-04fc9486a0c1633cb"
}
variable "server_instance_type" {
- default = "m5a.large"
+ default = "m5a.2xlarge"
}
variable "servers" {
default = 1
@@ -64,17 +64,17 @@ variable "rke2_version" {
# Generic agent variables
#
variable "agent_ami" {
- # RHEL 8.3 RKE2 v1.20.5+rke2r1 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
- default = "ami-017e342d9500ef3b2"
+ # RHEL 8.3 RKE2 v1.20.7+rke2r2 STIG: https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-image-builder
+ default = "ami-04fc9486a0c1633cb"
}
variable "agent_instance_type" {
default = "m5a.4xlarge"
}
variable "agent_asg" {
- default = { min : 2, max : 10, desired : 2 }
+ default = { min : 3, max : 10, desired : 3 }
}
variable "agent_spot" {
- default = false
+ default = true
}
variable "ci_pipeline_url" {
diff --git a/.gitlab-ci/templates.yml b/.gitlab-ci/templates.yml
index 927ae6f78c8ffa1e8f5678b135bfc2151fe850de..e54cfb5d3ec311cbc6476d94bd329034d5e4f455 100644
--- a/.gitlab-ci/templates.yml
+++ b/.gitlab-ci/templates.yml
@@ -29,4 +29,4 @@ include:
.terraform destroy workspace:
after_script:
- cd ${CI_PROJECT_DIR}/${TF_ROOT}
- - terraform workspace select default && terraform workspace delete "${TF_VAR_env}"
\ No newline at end of file
+ - terraform workspace select default && terraform workspace delete "${TF_VAR_env}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07e7d17343cf6cf9cec35f6e9a7b0db200782622..612b3c983cdd4da4eea921f4e7c957e2de373e77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,14 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
+## [1.12.0]
+
+[!1.12.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.12.0); List of Merge Requests in this Release
+
+## [1.11.0]
+
+[!1.11.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.11.0); List of Merge Requests in this Release
+
## [1.10.0]
[!1.10.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.10.0); List of Merge Requests in this Release
diff --git a/CODEOWNERS b/CODEOWNERS
index 151918087e2e278bafc80f71649effdaed468a4d..0ee1aa591a585895fa8ccf5d83fbe451352babcb 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -16,8 +16,7 @@
[Docs Owners]
# Allow any one of the listed codeowners to approve merges to the documentation
# Does not allow the creator of the merge request to be the approver.
-/docs/ @aaron.ruse @aaronbeger @barrywoodtetrate @brandencobb @cmcgrath @daryndecker @david.allen @dyoung @echuang @egoode @evan.rush @iahmad @jasonkrause @jay-rob @jennifer.kays @jcookehg @jdale @joshwolf @kavitha @kenna81 @kevin.wilder @kottoson @LynnStill @mark.sanchez @matthew.kaiser @mdutton @micah.nagel @michaelmartin @michaelmcleroy @msbrown47 @nick.kammerdiener @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @shouseba @thomas.burton @toladipupo @tsiddique1 @visuth.dy
-
+/docs/ @aaron.ruse @aaronbeger @brandencobb @cmcgrath @daryndecker @david.allen @dyoung @echuang @egoode @evan.rush @iahmad @jasonkrause @jay-rob @jennifer.kays @jcookehg @jdale @joshwolf @kavitha @kenna81 @kevin.wilder @kottoson @LynnStill @mark.sanchez @matthew.kaiser @mdutton @micah.nagel @michaelmartin @michaelmcleroy @msbrown47 @nick.kammerdiener @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @shouseba @thomas.burton @toladipupo @tsiddique1 @visuth.dy @ronwebb
################################################
# The following entries are for optional approval.
@@ -38,16 +37,16 @@ hack/ @toladipupo @michaelmcleroy @egoode
^[Charter Owners]
charter/ @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia
-^[Istio and Authservice]
-chart/Chart.yaml @kenna81 @kavitha @cmcgrath @barrywoodtetrate
-chart/values.yaml @kenna81 @kavitha @cmcgrath @barrywoodtetrate
-chart/templates/authservice @kenna81 @kavitha @cmcgrath
-chart/templates/istio @kenna81 @kavitha @cmcgrath @barrywoodtetrate
+^[Istio, Istio Operator, and Authservice]
+chart/Chart.yaml @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/values.yaml @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/templates/authservice @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/templates/istio @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
-# ^[HAProxy]
-# chart/Chart.yaml @blloyd @runyontr @ryan.j.garcia
-# chart/values.yaml @blloyd @runyontr @ryan.j.garcia
-# chart/templates/haproxy @blloyd @runyontr @ryan.j.garcia
+^[HAProxy]
+chart/Chart.yaml @blloyd @runyontr @ryan.j.garcia
+chart/values.yaml @blloyd @runyontr @ryan.j.garcia
+chart/templates/haproxy @blloyd @runyontr @ryan.j.garcia
^[Anchore]
chart/Chart.yaml @blake.hearn @micah.nagel @jasonkrause
@@ -64,15 +63,15 @@ chart/Chart.yaml @echuang @egoode @toladipupo @michaelmcleroy
chart/values.yaml @echuang @egoode @toladipupo @michaelmcleroy
chart/templates/clusterauditor @echuang @egoode @toladipupo @michaelmcleroy
-# ^[Gatekeeper]
+^[Gatekeeper]
chart/Chart.yaml @echuang @egoode @toladipupo @michaelmcleroy
chart/values.yaml @echuang @egoode @toladipupo @michaelmcleroy
chart/templates/gatekeeper @echuang @egoode @toladipupo @michaelmcleroy
-^[Logging]
-chart/Chart.yaml @kavitha @ryan.j.garcia @evan.rush
-chart/values.yaml @kavitha @ryan.j.garcia @evan.rush
-chart/templates/logging @kavitha @ryan.j.garcia @evan.rush
+^[Jaeger]
+chart/Chart.yaml @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/values.yaml @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/templates/jaegar @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
^[Monitoring]
chart/Chart.yaml @lynnstill @ryan.j.garcia @michaelmartin
@@ -99,6 +98,11 @@ chart/Chart.yaml @megamind @kevin.wilder @michaelmcleroy
chart/values.yaml @megamind @kevin.wilder @michaelmcleroy
chart/templates/keycloak @megamind @kevin.wilder @michaelmcleroy
+^[Kiali]
+chart/Chart.yaml @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/values.yaml @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+chart/templates/kiali @runyontr @joshwolf @michaelmcleroy @micah.nagel @ryan.j.garcia
+
^[Mattermost (and operator)]
chart/Chart.yaml @micah.nagel @brandencobb @jasonkrause
chart/values.yaml @micah.nagel @brandencobb @jasonkrause
@@ -109,7 +113,27 @@ chart/Chart.yaml @LynnStill @kevin.wilder @brandencobb
chart/values.yaml @LynnStill @kevin.wilder @brandencobb
chart/templates/minio @LynnStill @kevin.wilder @brandencobb
+^[Nexus]
+chart/Chart.yaml @kavitha @kevin.wilder @ariel.shnitzer @grant.duncklee
+chart/values.yaml @kavitha @kevin.wilder @ariel.shnitzer @grant.duncklee
+chart/templates/nexus @kavitha @kevin.wilder @ariel.shnitzer @grant.duncklee
+
^[Velero]
chart/Chart.yaml @tunde @adam.toy @micah.nagel @jcarnes
chart/values.yaml @tunde @adam.toy @micah.nagel @jcarnes
chart/templates/velero @tunde @adam.toy @micah.nagel @jcarnes
+
+^[fluentbit]
+chart/Chart.yaml @kavitha @ryan.j.garcia @echuang
+chart/values.yaml @kavitha @ryan.j.garcia @echuang
+chart/templates/fluentbit @kavitha @ryan.j.garcia @echuang
+
+^[eck-operator]
+chart/Chart.yaml @kavitha @ryan.j.garcia @evan.rush @toladipupo
+chart/values.yaml @kavitha @ryan.j.garcia @evan.rush @toladipupo
+chart/templates/eck-operator @kavitha @ryan.j.garcia @evan.rush @toladipupo
+
+^[elasticsearch-kibana]
+chart/Chart.yaml @kavitha @ryan.j.garcia @evan.rush @ronwebb
+chart/values.yaml @kavitha @ryan.j.garcia @evan.rush @ronwebb
+chart/templates/elasticsearch-kibana @kavitha @ryan.j.garcia @evan.rush @ronwebb
diff --git a/README.md b/README.md
index 7503d26bbe15f470ba5d6e0119e267ed6dcefcdc..dddc1f7f6ab1060707ee42f1fed403b8fc414e09 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# bigbang
- 
+ 
Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
@@ -59,11 +59,11 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| flux | object | `{"install":{"remediation":{"retries":3}},"interval":"2m","rollback":{"cleanupOnFail":true,"timeout":"10m"},"test":{"enable":false},"timeout":"10m","upgrade":{"cleanupOnFail":true,"remediation":{"remediateLastFailure":true,"retries":3}}}` | (Advanced) Flux reconciliation parameters. The default values provided will be sufficient for the majority of workloads. |
| networkPolicies | object | `{"controlPlaneCidr":"0.0.0.0/0","enabled":true}` | Global NetworkPolicies settings |
| networkPolicies.enabled | bool | `true` | Toggle all package NetworkPolicies, can disable specific packages with `package.networkPolicies.enabled` |
-| networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` | Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl cluster-info` to get the value for your cluster Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP) Used by package NetworkPolicies to allow Kube API access |
+| networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` | Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints) Used by package NetworkPolicies to allow Kube API access |
| istio.enabled | bool | `true` | Toggle deployment of Istio. |
| istio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git"` | |
| istio.git.path | string | `"./chart"` | |
-| istio.git.tag | string | `"1.8.4-bb.2"` | |
+| istio.git.tag | string | `"1.8.4-bb.5"` | |
| istio.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Package |
| istio.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the default certificate for exposing BigBang created applications. If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`. |
| istio.values | object | `{}` | Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git |
@@ -71,14 +71,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| istiooperator.enabled | bool | `true` | Toggle deployment of Istio Operator. |
| istiooperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git"` | |
| istiooperator.git.path | string | `"./chart"` | |
-| istiooperator.git.tag | string | `"1.8.4-bb.1"` | |
+| istiooperator.git.tag | string | `"1.8.4-bb.2"` | |
| istiooperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Operator Package |
| istiooperator.values | object | `{}` | Values to passthrough to the istio-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git |
| istiooperator.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| jaeger.enabled | bool | `true` | Toggle deployment of Jaeger. |
| jaeger.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git"` | |
| jaeger.git.path | string | `"./chart"` | |
-| jaeger.git.tag | string | `"2.19.1-bb.4"` | |
+| jaeger.git.tag | string | `"2.22.0-bb.1"` | |
| jaeger.flux | object | `{}` | Flux reconciliation overrides specifically for the Jaeger Package |
| jaeger.sso.enabled | bool | `false` | Toggle SSO for Jaeger on and off |
| jaeger.sso.client_id | string | `""` | OIDC Client ID to use for Jaeger |
@@ -88,7 +88,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| kiali.enabled | bool | `true` | Toggle deployment of Kiali. |
| kiali.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git"` | |
| kiali.git.path | string | `"./chart"` | |
-| kiali.git.tag | string | `"1.32.0-bb.1"` | |
+| kiali.git.tag | string | `"1.36.0-bb.2"` | |
| kiali.flux | object | `{}` | Flux reconciliation overrides specifically for the Kiali Package |
| kiali.sso.enabled | bool | `false` | Toggle SSO for Kiali on and off |
| kiali.sso.client_id | string | `""` | OIDC Client ID to use for Kiali |
@@ -98,21 +98,21 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| clusterAuditor.enabled | bool | `true` | Toggle deployment of Cluster Auditor. |
| clusterAuditor.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git"` | |
| clusterAuditor.git.path | string | `"./chart"` | |
-| clusterAuditor.git.tag | string | `"0.2.0-bb.6"` | |
+| clusterAuditor.git.tag | string | `"0.3.0-bb.2"` | |
| clusterAuditor.flux | object | `{}` | Flux reconciliation overrides specifically for the Cluster Auditor Package |
| clusterAuditor.values | object | `{}` | Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git |
| clusterAuditor.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
| gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` | |
| gatekeeper.git.path | string | `"./chart"` | |
-| gatekeeper.git.tag | string | `"3.3.0-bb.4"` | |
+| gatekeeper.git.tag | string | `"3.4.0-bb.13"` | |
| gatekeeper.flux | object | `{}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
| gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
| gatekeeper.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
| logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` | |
| logging.git.path | string | `"./chart"` | |
-| logging.git.tag | string | `"0.1.14-bb.1"` | |
+| logging.git.tag | string | `"0.1.16-bb.0"` | |
| logging.flux | object | `{"timeout":"20m"}` | Flux reconciliation overrides specifically for the Logging (EFK) Package |
| logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
| logging.sso.client_id | string | `""` | Elasticsearch/Kibana OIDC client ID |
@@ -124,20 +124,20 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| eckoperator.enabled | bool | `true` | Toggle deployment of ECK Operator. |
| eckoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git"` | |
| eckoperator.git.path | string | `"./chart"` | |
-| eckoperator.git.tag | string | `"1.4.0-bb.2"` | |
+| eckoperator.git.tag | string | `"1.6.0-bb.0"` | |
| eckoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the ECK Operator Package |
| eckoperator.values | object | `{}` | Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git |
| fluentbit.enabled | bool | `true` | Toggle deployment of Fluent-Bit. |
| fluentbit.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git"` | |
| fluentbit.git.path | string | `"./chart"` | |
-| fluentbit.git.tag | string | `"0.15.8-bb.5"` | |
+| fluentbit.git.tag | string | `"0.15.15-bb.0"` | |
| fluentbit.flux | object | `{}` | Flux reconciliation overrides specifically for the Fluent-Bit Package |
| fluentbit.values | object | `{}` | Values to passthrough to the fluentbit chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git |
| fluentbit.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
| monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` | |
| monitoring.git.path | string | `"./chart"` | |
-| monitoring.git.tag | string | `"11.0.0-bb.24"` | |
+| monitoring.git.tag | string | `"11.0.0-bb.27"` | |
| monitoring.flux | object | `{}` | Flux reconciliation overrides specifically for the Monitoring Package |
| monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
| monitoring.sso.prometheus.client_id | string | `""` | Prometheus OIDC client ID |
@@ -161,7 +161,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
| addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` | |
| addons.argocd.git.path | string | `"./chart"` | |
-| addons.argocd.git.tag | string | `"2.14.7-bb.5"` | |
+| addons.argocd.git.tag | string | `"3.6.8-bb.4"` | |
| addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
| addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
| addons.argocd.sso.client_id | string | `""` | ArgoCD OIDC client ID |
@@ -173,7 +173,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.authservice.enabled | bool | `false` | Toggle deployment of Authservice. if enabling authservice, a filter needs to be provided by either enabling sso for monitoring or istio, or manually adding a filter chain in the values here: values: chain: minimal: callback_uri: "https://somecallback" |
| addons.authservice.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git"` | |
| addons.authservice.git.path | string | `"./chart"` | |
-| addons.authservice.git.tag | string | `"0.4.0-bb.6"` | |
+| addons.authservice.git.tag | string | `"0.4.0-bb.8"` | |
| addons.authservice.flux | object | `{}` | Flux reconciliation overrides specifically for the Authservice Package |
| addons.authservice.values | object | `{}` | Values to passthrough to the authservice chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git |
| addons.authservice.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
@@ -199,7 +199,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.gitlab.hostnames.registry | string | `"registry.bigbang.dev"` | |
| addons.gitlab.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git"` | |
| addons.gitlab.git.path | string | `"./chart"` | |
-| addons.gitlab.git.tag | string | `"4.10.3-bb.8"` | |
+| addons.gitlab.git.tag | string | `"4.10.3-bb.14"` | |
| addons.gitlab.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Package |
| addons.gitlab.sso.enabled | bool | `false` | Toggle OIDC SSO for Gitlab on and off. Enabling this option will auto-create any required secrets. |
| addons.gitlab.sso.client_id | string | `""` | Gitlab OIDC client ID |
@@ -221,13 +221,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.gitlabRunner.enabled | bool | `false` | Toggle deployment of Gitlab Runner. |
| addons.gitlabRunner.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git"` | |
| addons.gitlabRunner.git.path | string | `"./chart"` | |
-| addons.gitlabRunner.git.tag | string | `"0.26.0-bb.2"` | |
+| addons.gitlabRunner.git.tag | string | `"0.26.0-bb.3"` | |
| addons.gitlabRunner.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Runner Package |
| addons.gitlabRunner.values | object | `{}` | Values to passthrough to the gitlab runner chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git |
+| addons.gitlabRunner.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| addons.nexus.enabled | bool | `false` | Toggle deployment of Nexus. |
| addons.nexus.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git"` | |
| addons.nexus.git.path | string | `"./chart"` | |
-| addons.nexus.git.tag | string | `"29.1.0-bb.4"` | |
+| addons.nexus.git.tag | string | `"29.1.0-bb.5"` | |
| addons.nexus.license_key | string | `""` | Base64 encoded license file. |
| addons.nexus.sso.enabled | bool | `false` | Toggle SAML SSO for NXRM. -- handles SAML SSO, a Client must be configured in Keycloak or IdP -- to complete setup. -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599 |
| addons.nexus.sso.idp_data | object | `{"email":"","firstName":"","groups":"","idpMetadata":"","lastName":"","username":""}` | NXRM SAML SSO Integration data |
@@ -270,7 +271,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.anchore.enabled | bool | `false` | Toggle deployment of Anchore. |
| addons.anchore.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git"` | |
| addons.anchore.git.path | string | `"./chart"` | |
-| addons.anchore.git.tag | string | `"1.12.16-bb.1"` | |
+| addons.anchore.git.tag | string | `"1.13.0-bb.3"` | |
| addons.anchore.flux | object | `{"upgrade":{"disableWait":true}}` | Flux reconciliation overrides specifically for the Anchore Package |
| addons.anchore.adminPassword | string | `""` | Initial admin password used to authenticate to Anchore. |
| addons.anchore.enterprise | object | `{"enabled":false,"licenseYaml":"FULL LICENSE\n"}` | Anchore Enterprise functionality. |
@@ -294,14 +295,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.mattermostoperator.enabled | bool | `false` | |
| addons.mattermostoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git"` | |
| addons.mattermostoperator.git.path | string | `"./chart"` | |
-| addons.mattermostoperator.git.tag | string | `"1.14.0-bb.1"` | |
+| addons.mattermostoperator.git.tag | string | `"1.14.0-bb.2"` | |
| addons.mattermostoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Operator Package |
| addons.mattermostoperator.values | object | `{}` | Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator/-/blob/main/chart/values.yaml |
| addons.mattermostoperator.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
| addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
| addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` | |
| addons.mattermost.git.path | string | `"./chart"` | |
-| addons.mattermost.git.tag | string | `"0.1.6-bb.5"` | |
+| addons.mattermost.git.tag | string | `"0.1.6-bb.7"` | |
| addons.mattermost.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Package |
| addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
| addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise. This must be accompanied by a valid license unless you plan to start a trial post-install. |
@@ -329,7 +330,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.velero.enabled | bool | `false` | Toggle deployment of Velero. |
| addons.velero.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git"` | |
| addons.velero.git.path | string | `"./chart"` | |
-| addons.velero.git.tag | string | `"2.21.1-bb.5"` | |
+| addons.velero.git.tag | string | `"2.21.1-bb.6"` | |
| addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
| addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure |
| addons.velero.values | object | `{}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
@@ -337,7 +338,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak. |
| addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` | |
| addons.keycloak.git.path | string | `"./chart"` | |
-| addons.keycloak.git.tag | string | `"11.0.0-bb.4"` | |
+| addons.keycloak.git.tag | string | `"11.0.1-bb.0"` | |
| addons.keycloak.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the certificate for exposing Keycloak Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart |
| addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use for Keycloak. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
| addons.keycloak.database.type | string | `"postgres"` | Pre-existing database type (e.g. postgres) to use for Keycloak. |
diff --git a/base/gitrepository.yaml b/base/gitrepository.yaml
index 0b5f91ecf7bc790c09b369a07446552cceebf8c0..3fe4f1b93e1bd28d76ffcaa33726bd76a5c1bfbb 100644
--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
interval: 10m
url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
ref:
- tag: 1.10.0
+ tag: 1.12.0
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 8fef3b2c730f2519c0202468e5b4b519a96e1e8c..9f98165f2139aa332910c2eb31dbef9d5e01ef90 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: bigbang
-version: 1.10.0
+version: 1.12.0
description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
type: application
diff --git a/chart/templates/anchore/anchore-helmrelease.yaml b/chart/templates/anchore/anchore-helmrelease.yaml
index 45787c8229128f04954190d70255a087d5a12b28..fa0e66415b822472fbe9c68a045ed989ce0e38ca 100644
--- a/chart/templates/anchore/anchore-helmrelease.yaml
+++ b/chart/templates/anchore/anchore-helmrelease.yaml
@@ -19,6 +19,11 @@ spec:
{{- toYaml $fluxSettingsAnchore | nindent 2 }}
+ {{- if .Values.addons.anchore.postRenderers }}
+ postRenderers:
+ {{ toYaml .Values.addons.anchore.postRenderers | nindent 4 }}
+ {{- end }}
+
valuesFrom:
- name: {{ .Release.Name }}-anchore-values
kind: Secret
diff --git a/chart/templates/gatekeeper/values.yaml b/chart/templates/gatekeeper/values.yaml
index 5401c2413cd06491fcfa5aba3d11c81f434f0e98..693669ace65c7aa7427cc222948ee44d6f145aed 100644
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -3,7 +3,6 @@
{{- end }}
{{- define "bigbang.defaults.gatekeeper" -}}
-disableValidatingWebhook: true
image:
pullSecrets:
- name: private-registry
@@ -13,4 +12,7 @@ postInstall:
image:
pullSecrets:
- name: private-registry
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
{{- end -}}
diff --git a/chart/templates/gitlab/values.yaml b/chart/templates/gitlab/values.yaml
index 89a7afdfc749bce4d32e43cf3e74e5c7ffff5878..ccf5b72d7f0eca7249e72be62846a1a797834fc2 100644
--- a/chart/templates/gitlab/values.yaml
+++ b/chart/templates/gitlab/values.yaml
@@ -5,11 +5,17 @@
{{- define "bigbang.defaults.gitlab" -}}
hostname: {{ .Values.hostname }}
+openshift: {{ .Values.openshift }}
+
istio:
enabled: {{ .Values.istio.enabled }}
+monitoring:
+ enabled: {{ .Values.monitoring.enabled }}
+
networkPolicies:
enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
{{- if .Values.addons.gitlab.database.host }}
postgresql:
diff --git a/chart/templates/istio/controlplane/values.yaml b/chart/templates/istio/controlplane/values.yaml
index bafd8ec1aa107a91cee5113273fb90aebc15377d..da3a0e2aa12d2fcb43dae5fbead3d26c297b296a 100644
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -13,6 +13,9 @@ imagePullSecrets:
openshift: {{ .Values.openshift }}
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+
{{- if .Values.addons.keycloak.enabled }}
extraServers:
- port:
diff --git a/chart/templates/istio/operator/values.yaml b/chart/templates/istio/operator/values.yaml
index 0e9eefc2d50839c90923e2fbd2454a08d3620f30..846c7510c73604c05dd68cae3736e0808259f08d 100644
--- a/chart/templates/istio/operator/values.yaml
+++ b/chart/templates/istio/operator/values.yaml
@@ -7,4 +7,8 @@ createNamespace: false
imagePullSecrets:
- name: private-registry
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
{{- end -}}
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index 51f733ddc8ecb2b7a5e74b3921ea50a643bd9040..c80d9f4fd74b1d2759a49d6562b1351339b6137d 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -39,6 +39,9 @@ istio:
hosts:
- grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+anchore:
+ enabled: {{ .Values.addons.anchore.enabled }}
+
global:
imagePullSecrets:
- name: private-registry
diff --git a/chart/templates/velero/values.yaml b/chart/templates/velero/values.yaml
index 4ccb38c016c651578e42182f3e441f4b305d960c..fcacf48090f2abe2d25c36a7eac61dc1e42f9b8b 100644
--- a/chart/templates/velero/values.yaml
+++ b/chart/templates/velero/values.yaml
@@ -18,7 +18,7 @@ networkPolicies:
imagePullSecrets:
- name: private-registry
-{{- if eq (len .Values.addons.velero.plugins) 0 }}{{- fail "At least one plugin in '.Values.addons.velero.plugins' required. Supported values: aws, azure" }}{{- end }}
+{{- if eq (len .Values.addons.velero.plugins) 0 }}{{- fail "At least one plugin in '.Values.addons.velero.plugins' required. Supported values: aws, azure, csi" }}{{- end }}
initContainers:
{{- range .Values.addons.velero.plugins }}
{{- if eq . "aws" }}
@@ -28,7 +28,8 @@ initContainers:
volumeMounts:
- mountPath: /target
name: plugins
-{{- else if eq . "azure" }}
+{{- end }}
+{{- if eq . "azure" }}
- name: velero-plugin-for-azure
image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure:v1.2.0
imagePullPolicy: IfNotPresent
@@ -36,6 +37,16 @@ initContainers:
- mountPath: /target
name: plugins
{{- end }}
+{{- if eq . "csi" }}
+ - name: velero-plugin-for-csi
+ image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.1.2
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+configuration:
+ features: EnableCSI
+{{- end }}
{{- end }}
{{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
index e99e0ed543f8a6cfad8f99c8261c51f7fd55a09e..0a9daf89fa6152cdee8e59105b15bfe2833ddcfe 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -96,8 +96,8 @@ flux:
networkPolicies:
# -- Toggle all package NetworkPolicies, can disable specific packages with `package.networkPolicies.enabled`
enabled: true
- # -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl cluster-info` to get the value for your cluster
- # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP)
+ # -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster
+ # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
# Used by package NetworkPolicies to allow Kube API access
controlPlaneCidr: 0.0.0.0/0
@@ -110,7 +110,7 @@ istio:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
path: "./chart"
- tag: "1.8.4-bb.2"
+ tag: "1.8.4-bb.5"
# -- Flux reconciliation overrides specifically for the Istio Package
flux: {}
@@ -133,7 +133,7 @@ istiooperator:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
path: "./chart"
- tag: "1.8.4-bb.1"
+ tag: "1.8.4-bb.2"
# -- Flux reconciliation overrides specifically for the Istio Operator Package
flux: {}
@@ -150,7 +150,7 @@ jaeger:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git
path: "./chart"
- tag: "2.21.4-bb.2"
+ tag: "2.22.0-bb.1"
# -- Flux reconciliation overrides specifically for the Jaeger Package
flux: {}
@@ -177,7 +177,7 @@ kiali:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git
path: "./chart"
- tag: "1.32.0-bb.2"
+ tag: "1.36.0-bb.2"
# -- Flux reconciliation overrides specifically for the Kiali Package
flux: {}
@@ -209,7 +209,7 @@ clusterAuditor:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
path: "./chart"
- tag: "0.3.0-bb.1"
+ tag: "0.3.0-bb.2"
# -- Flux reconciliation overrides specifically for the Cluster Auditor Package
flux: {}
@@ -230,7 +230,7 @@ gatekeeper:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
path: "./chart"
- tag: "3.4.0-bb.4"
+ tag: "3.4.0-bb.16"
# -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
flux: {}
@@ -251,7 +251,7 @@ logging:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
path: "./chart"
- tag: "0.1.15-bb.0"
+ tag: "0.1.17-bb.0"
# -- Flux reconciliation overrides specifically for the Logging (EFK) Package
flux:
@@ -301,7 +301,7 @@ fluentbit:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
path: "./chart"
- tag: "0.15.14-bb.0"
+ tag: "0.15.15-bb.0"
# -- Flux reconciliation overrides specifically for the Fluent-Bit Package
flux: {}
@@ -396,7 +396,7 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
path: "./chart"
- tag: "3.6.8-bb.3"
+ tag: "3.6.8-bb.4"
# -- Flux reconciliation overrides specifically for the ArgoCD Package
flux: {}
@@ -504,7 +504,7 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
path: "./chart"
- tag: "4.10.3-bb.11"
+ tag: "4.10.3-bb.14"
# -- Flux reconciliation overrides specifically for the Gitlab Package
flux: {}
@@ -721,7 +721,7 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
path: "./chart"
- tag: "1.12.16-bb.1"
+ tag: "1.13.0-bb.3"
# -- Flux reconciliation overrides specifically for the Anchore Package
flux:
@@ -820,7 +820,7 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git
path: "./chart"
- tag: "0.1.6-bb.6"
+ tag: "0.1.6-bb.7"
# -- Flux reconciliation overrides specifically for the Mattermost Package
flux: {}
@@ -915,12 +915,12 @@ addons:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
path: "./chart"
- tag: "2.21.1-bb.5"
+ tag: "2.23.3-bb.0"
# -- Flux reconciliation overrides specifically for the Velero Package
flux: {}
- # -- Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure
+ # -- Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi
plugins: []
# - aws
diff --git a/docs/developer/development-environment.md b/docs/developer/development-environment.md
index dbc11fceb3905e1be1fa4a69411d192dcf644894..c3800ee52b7e23020c92d0c9cee5349651716b2e 100644
--- a/docs/developer/development-environment.md
+++ b/docs/developer/development-environment.md
@@ -4,7 +4,7 @@ BigBang developers use [k3d](https://k3d.io/), a lightweight wrapper to run [k3s
It is not recommend to run k3d with BigBang on your local computer. BigBang can be quite resource-intensive and it requires a huge download bandwidth for the images. It is best to use a remote k3d cluster running on an AWS EC2 instance. If you do insist on running k3d locally you should disable certain packages before deploying. You can do this in the values.yaml file by setting the package deploy to false. One of the packages that is most resource-intensive is the logging package. And you should create a local image registry cache to minimize the amount of image downloading. A script that shows how to create a local image cache is in the [BigBang Quick Start](https://repo1.dso.mil/platform-one/quick-start/big-bang/-/blob/master/init.sh)
-There are 2 methods to create a remote k3d cluster. Manually or with IaC/CaC code. For new bigbang developers the manual way is recommended so that you understand how it works. The manual steps are in this page. Here is the automated [IaC/CaC](https://repo1.dso.mil/platform-one/big-bang/terraform-modules/k3d-dev-env/-/tree/dev) code and instructions. This code has not been maintained and might not work. It would be a good idea to get a live demonstration by someone who already knows how to do it. You can also watch the [first half of this T3](https://confluence.il2.dso.mil/download/attachments/10161790/T3%20Eric%20and%20Zack.mp4) showing a Big Bang deployment or start this T3 around 17:45 to get a better handle on how BigBang works. We strive to make the documentation as good as possible but it is hard to keep it up-to-date and there are still pitfalls and gotchas.
+This page contains the manual steps to create your k3d dev environment. Various persons have automated parts of these steps with scripts and terraform but we recommened that you do it manually so that you understand how it works. Automation is left to each person. It might be helpful to get a live demonstration by someone who already knows how to do it until a good video tutorial is created. We strive to make the documentation as good as possible but it is hard to keep it up-to-date and there are still pitfalls and gotchas.
## Prerequisites
@@ -182,6 +182,20 @@ kubectl cluster-info
kubectl get nodes
```
+**STEP 4:**:
+Start deploying to your k3d cluster. The scope of this documentation is limited to creating your dev environment. How to deploy BigBang is intentionally NOT included here. Those steps are left to other documents. You will need to install flux in your cluster before deploying BigBang.
+```
+# git clone the bigbang repo somewhere on your workstation
+git clone https://repo1.dso.mil/platform-one/big-bang/bigbang.git
+# run the script to install flux in your cluster using your registry1.dso.mil image pull credentials
+cd ./bigbang
+./scripts/install_flux.sh -u your-user-name -p your-pull-secret
+```
+Or, alternatively install flux from the internet upstream
+```
+flux install
+```
+
## Addendum
### More secure method with sshuttle
diff --git a/docs/guides/README.md b/docs/guides/README.md
index ed2472135df444ed4b0f3c94a7891346adedfa7e..06fa81557102d2ff1ffb5c7ea8e1097a15514f48 100644
--- a/docs/guides/README.md
+++ b/docs/guides/README.md
@@ -7,3 +7,7 @@ Beginner friendly how to guides are intended to be added to these subfolders ove
## prerequisites
Beginner friendly comprehensive explanations of prerequisites that are generically applicable to multiple scenarios
+
+## using_bigbang
+
+Beginner friendly information on how to use Big Bang, intended to encompass how to navigate and work with BB packages
diff --git a/docs/guides/using_bigbang/default_credentials.md b/docs/guides/using_bigbang/default_credentials.md
new file mode 100644
index 0000000000000000000000000000000000000000..a38c0fd6c665e345eca92b8574cc7228a65c7d75
--- /dev/null
+++ b/docs/guides/using_bigbang/default_credentials.md
@@ -0,0 +1,30 @@
+# Credentials for Big Bang Packages
+
+This document includes details on credentials to access each package in a default install (without SSO). It is safe to assume that any packages not listed in the two categories below either have no need for authentication or use different methods (ex: velero require kubectl access).
+
+## Packages with no built in authentication
+
+Although the below applications have no built in authentication, Big Bang's helm values can be configured to deploy authservice in front of these endpoints. Authservice is an Authentication Proxy that can integrate with SSO providers like Keycloak.
+
+- Jaeger
+- Monitoring (Prometheus)
+- Monitoring (Alertmanager)
+
+## Packages with built in authentication
+
+The applications in the table below provide both SSO and built in auth. The table gives default credentials and ways to access and/or override those.
+
+| Package (Application) | Default Username | Default Password | Additional Notes |
+| --------------------- | ---------------- | ---------------- | ---------------- |
+| Kiali | N/A | (randomly generated) | Use `kubectl get secret -n kiali \| grep kiali-service-account-token \| awk '{print $1}' \| xargs kubectl get secret -n kiali -o go-template='{{.data.token \| base64decode}}'` to get the token |
+| Logging (Kibana) | `elastic` | (randomly generated) | Use `kubectl get secrets -n logging logging-ek-es-elastic-user -o go-template='{{.data.elastic \| base64decode}}'` to get the password |
+| Monitoring (Grafana) | `admin` | `prom-operator` | Default password can be overridden with Helm values `monitoring.values.grafana.adminPassword` |
+| Twistlock | N/A | N/A | Prompted to setup an admin account when you first hit the virtual service, no default user |
+| ArgoCD | `admin` | (randomly generated) | Use `kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password \| base64decode}}'` to get the password |
+| Minio | `minio` | `minio123` | Access and secret key can be overridden with Helm values `addons.minio.accesskey` and `addons.minio.secretkey` respectively |
+| Gitlab | `root` | (randomly generated) | Use `kubectl -n gitlab get secret gitlab-gitlab-initial-root-password -o go-template='{{.data.password \| base64decode}}'` to get the password |
+| Nexus | `admin` | (randomly generated) | Use `kubectl get secret -n nexus-repository-manager nexus-repository-manager-secret -o go-template='{{index .data "admin.password" \| base64decode}}'` to get the password |
+| Sonarqube | `admin` | `admin` | Default password can be overridden with Helm values `addons.sonarqube.values.account.adminPassword` |
+| Anchore | `admin` | (randomly generated) | Use `kubectl get secrets -n anchore anchore-anchore-engine-admin-pass -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD \| base64decode}}'` to get the password, or override with Helm values `addons.anchore.values.anchoreGlobal.defaultAdminPassword` |
+| Mattermost | N/A | N/A | Prompted to setup an account when you first hit the virtual service - this user becomes admin, no default user |
+| Keycloak | `admin` | `password` | Default username and password can be overridden with Helm values `addons.keycloak.values.secrets.credentials.stringData.adminuser` and `addons.keycloak.values.secrets.credentials.stringData.password` respectively |
diff --git a/docs/understanding_bigbang/licensing_expectations.md b/docs/understanding_bigbang/licensing_expectations.md
index 446acbc6e664a07fa86aedd44a7dee2069f66a48..9937d3faac73cd61885b7c8f7c3b4d0664326a2f 100644
--- a/docs/understanding_bigbang/licensing_expectations.md
+++ b/docs/understanding_bigbang/licensing_expectations.md
@@ -21,7 +21,7 @@ There are 2 issues that make it difficult to figure out BigBang's license requir
* Many of the core applications are free open source software
* Twistlock is a core component that requires a license
* ElasticSearch is a core component that requires a license to unlock additional features, that could be considered required in some cases (more on this nuance below.)
- * Although BigBang is free, support can be purchased (more on that below)
+ * Although BigBang is free, support can be purchased.
4. BigBang's AddOn Applications:
* Also include a mix of free, freemium, and licensed products.
@@ -41,7 +41,7 @@ Licensing of products deployable by BigBang are not covered by the BigBang team.
|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| FluxCD | GitOps<br>(Prerequisite App) | Apache License 2.0<br>(Free/OSS) | |
| Open Policy Agent Gatekeeper | Policy Enforcement<br>(Core App) | Apache License 2.0<br>(Free/OSS) | * [Styra](https://www.openpolicyagent.org/support) is the original creator of OPA and can offer commercial support. |
-| Istio Controlplane, Istio Operator,<br>and Kiali | Service Mesh, Operator, and<br>Service Mesh Dashboard<br>(Core App) | Apache License 2.0<br>(Free/OSS) | * [Tetrate](https://www.tetrate.io/) is an Istio Vendor that can be offer commercial support. |
+| Istio Controlplane, Istio Operator,<br>and Kiali | Service Mesh, Operator, and<br>Service Mesh Dashboard<br>(Core App) | Apache License 2.0<br>(Free/OSS) | * [Tetrate](https://www.tetrate.io/) is an Istio Vendor that can offer commercial support. |
| Jaeger | APM (Application Performance Monitoring)<br>/ Tracing<br>(Core App) | Apache License 2.0<br>(Free/OSS) | |
| Prometheus Operator Stack <br>(Prometheus, Grafana, AlertManager, etc.) | Metrics, Metrics Dashboard, and Alerts<br>(Core App) | Apache License 2.0<br>[Future versions will move to GNU Affero GPL v3](https://grafana.com/blog/2021/04/20/grafana-loki-tempo-relicensing-to-agplv3/)<br>(Free/OSS) | |
| Fluentbit | Log Shipper<br>(Core App) | Apache License 2.0<br>(Free/OSS) | |
diff --git a/scripts/deploy/01_deploy_bigbang.sh b/scripts/deploy/01_deploy_bigbang.sh
index aa124ba052a8a7e6ca2e24215ec5c100b5157204..5c24a9a7c2b4407ce26a93e936d76e502a2f1a0c 100755
--- a/scripts/deploy/01_deploy_bigbang.sh
+++ b/scripts/deploy/01_deploy_bigbang.sh
@@ -4,8 +4,8 @@ set -ex
CI_VALUES_FILE="tests/ci/k3d/values.yaml"
-if [[ "${CI_COMMIT_BRANCH}" == "${CI_DEFAULT_BRANCH}" ]] || [[ ! -z "$CI_COMMIT_TAG" ]]; then
- echo "On default branch or tag, enabling all addons"
+if [[ "${CI_COMMIT_BRANCH}" == "${CI_DEFAULT_BRANCH}" ]] || [[ ! -z "$CI_COMMIT_TAG" ]] || [[ $CI_MERGE_REQUEST_LABELS =~ "all-packages" ]]; then
+ echo "all-packages label enabled, or on default branch or tag, enabling all addons"
yq e ".addons.*.enabled = "true"" $CI_VALUES_FILE > tmpfile && mv tmpfile $CI_VALUES_FILE
yq e ".addons.keycloak.enabled = "false"" $CI_VALUES_FILE > tmpfile && mv tmpfile $CI_VALUES_FILE
else
@@ -23,6 +23,12 @@ if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]
yq eval-all 'select(fileIndex == 0) * select(filename == "tests/ci/keycloak-certs/keycloak-passthrough-values.yaml")' $CI_VALUES_FILE tests/ci/keycloak-certs/keycloak-passthrough-values.yaml > tmpfile && mv tmpfile $CI_VALUES_FILE
fi
+# Set controlPlaneCidr for ci-infra jobs which are RKE2
+if [[ "$CI_PIPELINE_SOURCE" == "schedule" ]] && [[ "$CI_COMMIT_BRANCH" == "master" ]] || [[ "$CI_MERGE_REQUEST_LABELS" = *"test-ci::infra"* ]]; then
+ echo "Updating networkPolicies.controlPlaneCidr since Environment is RKE2"
+ yq e '.networkPolicies.controlPlaneCidr = "10.0.0.0/8"' $CI_VALUES_FILE > tmpfile && mv tmpfile $CI_VALUES_FILE
+fi
+
# deploy BigBang using dev sized scaling
echo "Installing BigBang with the following configurations:"
cat $CI_VALUES_FILE
@@ -37,19 +43,27 @@ helm upgrade -i bigbang chart -n bigbang --create-namespace \
# otherwise use *.bigbang.dev
if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
# apply secrets kustomization pointing to current branch
- echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
- if [ -z "$CI_COMMIT_TAG" ]; then
+ if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
+ echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
+ kubectl apply -f tests/ci/keycloak.yaml
+ elif [ -z "$CI_COMMIT_TAG" ]; then
+ echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
cat tests/ci/keycloak.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
else
+ echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
# NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
cat tests/ci/keycloak.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
fi
else
- # apply secrets kustomization pointing to current branch
- echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
- if [ -z "$CI_COMMIT_TAG" ]; then
+ # apply secrets kustomization pointing to current branch or master if an upgrade job
+ if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
+ echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
+ kubectl apply -f tests/ci/shared-secrets.yaml
+ elif [ -z "$CI_COMMIT_TAG" ]; then
+ echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
else
+ echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
# NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
fi
diff --git a/scripts/package/synker.yaml b/scripts/package/synker.yaml
index b7bbc803a1dc4e006b433de7fc26ecee1fc4be31..b3aef79d8a38c51307f1114730e818d4fcd1c4ea 100644
--- a/scripts/package/synker.yaml
+++ b/scripts/package/synker.yaml
@@ -29,9 +29,11 @@ source:
- registry:2
- registry1.dso.mil/ironbank/twistlock/defender/defender:20.12.531
- - registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3
- - registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3
+ - registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0
+ - registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0
+ - registry1.dso.mil/ironbank/big-bang/base:8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:13.9.0
+ - registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.2
# Images used by pipeline-templates
# NOTE: These are __not__ fully inclusive yet, see this issue for updates: https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/145
- registry.il2.dso.mil/platform-one/devops/pipeline-templates/pipeline-job/sonar-scanner-dotnet31:4.10
diff --git a/tests/ci/k3d/values.yaml b/tests/ci/k3d/values.yaml
index 3248ff7fb5e3690b2461b43177066b920a4fbd35..7f159a5d75a8af14044b7d663a63a91b55678145 100644
--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -363,7 +363,8 @@ addons:
enabled: false
values:
persistence:
- storageSize: 3Gi
+ # Do NOT set this below 4Gi, nexus will fail to boot
+ storageSize: 10Gi
nexus:
# https://help.sonatype.com/repomanager3/installation/system-requirements#SystemRequirements-JVMDirectMemory
env: