diff --git a/.gitignore b/.gitignore index 031c4df3828ea59c611b826db642fa277e123ba9..a0610ac16e2884fcccbc5d77aebc5a190ea14c48 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,8 @@ npm-debug.log* # (used frequently in deployments) patch.yaml notes +ignore/* +chart/*values.yaml # Visual Studio Code .vscode/* diff --git a/chart/admin.bigbang.dev-certs.yaml b/chart/admin.bigbang.dev-certs.yaml deleted file mode 100644 index 9104b5a745428ffef16a1a11b6d0831a511df26a..0000000000000000000000000000000000000000 --- a/chart/admin.bigbang.dev-certs.yaml +++ /dev/null 
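Review bot: The new `chart/*values.yaml` pattern also matches `chart/values.yaml`, the file the chart's templates read through `.Values` and which is presumably tracked; ignore rules do not affect already-tracked files, so nothing breaks today, but a future `git add` after a move or regeneration of that file would be silently refused. Narrow the rule or add an exception directly below it: `!chart/values.yaml`. Note also that `chart/ingress-certs.yaml`, which carries private-key material elsewhere in this same commit, is not matched by the new pattern, so if the intent is to keep local TLS overrides out of the index a separate rule is needed.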
@@ -1,88 +0,0 @@ -istio: - ingress: - key: | - -----BEGIN PRIVATE KEY----- - MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8bJtY3qQC0udg - WInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDNeJ2JoH96d1vLAm1YmHJ3 - 1aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwiDXjwv9JyOQgOrQqFxP7B - Qab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/iiGDJ+Jvomt8opWb4mC2jZ - MK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuTNptI3x6OySjbkYlBGhjK - MpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHcDxwCJQQJrzGNNc5YMpn8 - 1rvltDOTAgMBAAECggEACINbrXM5s8r1mzvE12S9mcba/25RQyyVo3AJ2rDt7z6z - Liespr79K2cwFeh6Laqrt8vGwPBWImeY3GMxgYHIp9pec6+gaHMoV3DZbd1igmdF - gS7L9BMqgra4lo1HRpFUH8cF3yvgStTwsaiWs4bOYZmNsFc1ocgw+0EqFRnR14vw - Q6pxlNlR0wND4WwEQ+PEFuGyaZpcnDA38vwaNyIVl99pRXXojvfco7dacYyce40o - O02mtl2yME4ssCgYPcThonPaUDjF594q7J2kqVRp6mJ0J9lvsxPRZ3NC1tOfVgzI - E/YVeNx7S9r0ONTJFLfRidd+udBKBCUM7NcKygqk8QKBgQDiQc0LPe7NWzfZ5Ks2 - IeZZ1S7CX/Eyv7VW90YhOUTF9g9PmmH1v539vp9xdHlo9YaF2dXuf1GsMgpNQ4IZ - Nuz5xwvvmma3demqtOawTpHj3vHpZWOYTL0SEb5XwyPaZZIb33wxDidT8/0CpwPt - Tlq6GQ8HPYupHT6cJQcb7PgAmQKBgQDVMZ+0WucFAKeJSEj1zDZA0EzUqiFfLCpP - gko9+9yhPvl7Q6c+oOV0brx0ny+racLUsV0m8vzvvLFxHTubPa7CMKf5s7c3EPQv - 8GqovlsvgzchwxRRs0KQMhQSZw1X2UDSBDci0AwZRXrJQp3odJk+0Pq5MslfCF6s - fwWxV6C1CwKBgBSvv3ePqg3MkUayyZShdNYxz5yl+P+S15mj8h2HhuoynSPCEcLO - Sjuw+hL9ezxFdo82Y4Dy0xzTVm3KBlMX2oLb2BOIImwTs9GPyKfGB0C2WZflVT3P - hlnolWagyN5m+vzhahFyIdZjMHbVnl5ME6+AKweWcPZ9XgQYvpWnDOXBAoGBAL0I - mTEUAQ+geuzxGTBI+DoT+GwAxkJbKNEDF81KC2E2M4Qmgp63j3zjy1ok4+G7jzOE - aLJmdfwkdbl0UCvgT5qEBg0UWvoKoFn5dLlWwAeq8zGOhe/DYNv2a3G9ykkAq8cM - Uc8eZfvqbWsTFGzPJipaplWcQI1xIHEW1/ddWXPtAoGBAInFXBnVDJiZkhq1adt9 - 3S/YVoMigw6ZD4j7E5g/5QBCs2rnZex20YFuJDvf+HAD/3eohJ6n75QRSZc0sn9j - XO49WKI7Qd2XTEL6dGvxGyFRTqrC5dUd3v/wq4XjUz1bI6VTvvHvf7EPCGh1NJ8v - PcJzvO/HdugGAG1xWnN7HT4g - -----END PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - MIIFLDCCBBSgAwIBAgISA87F5ACBGZuzPeSeGr2wqcY8MA0GCSqGSIb3DQEBCwUA - MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD - 
EwJSMzAeFw0yMTA0MTQxNDIzMTRaFw0yMTA3MTMxNDIzMTRaMB4xHDAaBgNVBAMM - EyouYWRtaW4uYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK - AoIBAQC8bJtY3qQC0udgWInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDN - eJ2JoH96d1vLAm1YmHJ31aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwi - DXjwv9JyOQgOrQqFxP7BQab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/ii - GDJ+Jvomt8opWb4mC2jZMK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuT - NptI3x6OySjbkYlBGhjKMpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHc - DxwCJQQJrzGNNc5YMpn81rvltDOTAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMC - BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw - HQYDVR0OBBYEFLp8IoeSyLzb/tJ57pxDqGX4t/4nMB8GA1UdIwQYMBaAFBQusxe3 - WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0 - cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j - ci5vcmcvMB4GA1UdEQQXMBWCEyouYWRtaW4uYmlnYmFuZy5kZXYwTAYDVR0gBEUw - QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov - L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCU - ILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXjQ+rZ5AAAEAwBHMEUC - IQCOtTENOPlAwvmnqNxm9LHWo1TkNpLZqdCQWffa3zc2sAIgVpNs+pLLUmJfwq0+ - FRSQJB9FyrH7js53BSZ1WyfY6GwAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q - l2iZfiLw1wAAAXjQ+razAAAEAwBHMEUCIQDCliAyo7EV92Kmp5zeoVfeqklvPPYi - p43KG/yc6gbiBwIgHpQYiQ5MCcJHnnol3Ku35ZYJw8jcWy7aW2S9gHR3eeUwDQYJ - KoZIhvcNAQELBQADggEBACUBLIHwOvyAsXlRGxqDKBGcl8BmbelWgp+XXsf9MZd0 - hYYrPlnQL95C5R78FXmYlG24J4uHLMTvz+gYe/WRv4Cjr8It+EaoGATZ8zGa2OlY - FTfx6dLk/h2KPF9N45o5rsUtlTlTfJYGz58p30XefLwOdIrez8UtEV2fWevAWwYw - ZGLvPczwDABye0OUou+M+BoZQOI6hrcQ3IXGlf/VQKzBp1dOOxZB7bx3mOzg1CI6 - 1AebDLxybOev4Ke25jbtst6i4HG1feFXm4yL1utNsn15uBVoQVfKeLVvMO3Y2Hyi - DZvLATJX4qq0e2wDcETc8fxshOUnYhpzrbUctVBBncA= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ - MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT - DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow - 
MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT - AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs - jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp - Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB - U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 - gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel - /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R - oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E - BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p - ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE - p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE - AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu - Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 - LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf - r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B - AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH - ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 - S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL - qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p - O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw - UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== - -----END CERTIFICATE----- diff --git a/chart/ingress-certs.yaml b/chart/ingress-certs.yaml index 01b3d57c77a9be5348361796cf049df9c743d87f..3b3d902092c0b7e16d3c8a1fd24f25e926fdedac 100644 --- a/chart/ingress-certs.yaml +++ b/chart/ingress-certs.yaml 
@@ -1,123 +1,125 @@ istio: - ingress: - key: | - -----BEGIN PRIVATE KEY----- - MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh - YyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13 - gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp - iApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq - +BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba - 8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH - 1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb - qTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ - EpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE - S+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD - CIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z - XqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l - TkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B - is5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v - lpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm - DRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO - MwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7 - edXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK - RagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl - M2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA - pZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO - IWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN - kXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8 - Fz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin - 73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0 - dbfd2CfWKgXWqJNl2RCGWIoqDIU= - -----END PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - MIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA - MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD - 
EwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM - DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1 - ahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM - U7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR - /mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V - 9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs - LLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz - D+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD - VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O - BBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ - QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz - Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv - MBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw - NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j - cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL - IiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ - 69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL - RilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6 - XEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC - IHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA - A4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak - RWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx - yPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9 - 6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl - 3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6 - 9xxT5njjSqfC0xOqknR0hhhn5Pbu - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw - TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh - cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw - 
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg - RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK - AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP - R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx - sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm - NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg - Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG - /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC - AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB - Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA - FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw - AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw - Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB - gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W - PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl - ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz - CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm - lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 - avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 - yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O - yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids - hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ - HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv - MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX - nLRbwHOoq7hHwg== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ - MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT - DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow - TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh - 
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB - AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC - ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL - wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D - LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK - 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 - bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y - sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ - Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 - FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc - SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql - PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND - TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw - SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 - c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx - +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB - ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu - b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E - U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu - MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC - 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW - 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG - WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O - he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC - Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 - -----END CERTIFICATE----- + gateways: + public: + tls: + key: | + -----BEGIN PRIVATE KEY----- + MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh + YyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13 + gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp + 
iApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq + +BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba + 8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH + 1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb + qTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ + EpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE + S+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD + CIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z + XqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l + TkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B + is5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v + lpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm + DRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO + MwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7 + edXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK + RagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl + M2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA + pZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO + IWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN + kXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8 + Fz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin + 73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0 + dbfd2CfWKgXWqJNl2RCGWIoqDIU= + -----END PRIVATE KEY----- + cert: | + -----BEGIN CERTIFICATE----- + MIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA + MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD + EwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM + DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1 + ahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM + U7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR + 
/mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V + 9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs + LLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz + D+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O + BBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ + QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz + Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv + MBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw + NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j + cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL + IiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ + 69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL + RilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6 + XEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC + IHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA + A4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak + RWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx + yPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9 + 6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl + 3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6 + 9xxT5njjSqfC0xOqknR0hhhn5Pbu + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw + TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw + WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg + RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP + R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx + 
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm + NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg + Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG + /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC + AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB + Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA + FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw + AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw + Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB + gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W + PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl + ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz + CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm + lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 + avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 + yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O + yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids + hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ + HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv + MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX + nLRbwHOoq7hHwg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow + TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB + AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC + ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL + wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D + 
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK + 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 + bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y + sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ + Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 + FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc + SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql + PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND + TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw + SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 + c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx + +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB + ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu + b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E + U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu + MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC + 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW + 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG + WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O + he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC + Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 + -----END CERTIFICATE----- diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index c9b4c494c5871be2624b8eff2ab61643678f3ee6..0a49c3f570577bfe8cfff247c5b72eb3fd8dab76 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
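Review bot: The new side of `chart/ingress-certs.yaml` still commits a PEM private key in plaintext under `istio.gateways.public.tls.key`; `secret-tls.yaml` in this commit turns it into a `kubernetes.io/tls` Secret via `b64enc`, so anyone with read access to the repository holds the serving key of any gateway deployed with these values. If this is an intentional shared, throwaway development certificate, say so in a header comment such as `# Dev-only wildcard certificate for local testing; supply real TLS material through an untracked values file`; otherwise the key belongs in an untracked file or a secret store, and the `.gitignore` change in this commit does not cover this path. The embedded leaf certificate also appears to be a short-lived Let's Encrypt issuance (its validity fields decode to a roughly 90-day window in 2021), so the file needs replacing on a schedule; a comment recording the expiry date would help maintainers.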
@@ -149,13 +149,4 @@ PLATFORM ONE MATTERMOST WARNING: You have enabled enterprise Mattermost in the values configuration, but not provided a license. Make sure to go back and edit your values or ensure you add the license through the mattermost settings page. {{- end }} -{{- end }} - -{{ if $.Values.addons.keycloak.enabled }} -PLATFORM ONE KEYCLOAK WARNING: - You have enabled keycloak in the values configuration. - Core packages are automatically moved to an `admin` subdomain (e.g. prometheus.admin.bigbang.dev). - Addons are not accessible and not supported in the same cluster as Keycloak. - Keycloak is still in a BETA status. This means we don't fully recommend it for production workloads quite yet, but will be rolling out support in the near future to move it to STABLE. - Specifically, the way that multiple ingressgateways are created and specified within BigBang will make the automatic `admin` creation of core packages obsolete, and will also allow Keycloak to better function alongside other addons. -{{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/anchore/values.yaml b/chart/templates/anchore/values.yaml index 9b7c16d4616afe462cc06a24f5ee28f5f5db0f43..a877f0c02b61f53987c6cbf42270bb4ebff40f64 100644 --- a/chart/templates/anchore/values.yaml +++ b/chart/templates/anchore/values.yaml 
@@ -7,12 +7,22 @@ hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} + ui: + gateways: + - istio-system/{{ default "public" .Values.addons.anchore.ingress.gateway }} + api: + gateways: + - istio-system/{{ default "public" .Values.addons.anchore.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.anchore.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} {{- if and .Values.addons.anchore.enterprise.enabled .Values.addons.anchore.enterprise.licenseYaml }} enterpriseLicenseYaml: | diff --git a/chart/templates/argocd/values.yaml b/chart/templates/argocd/values.yaml index 77c990e22d7ef4ffd26066e2323ee85412eb1211..fa9a6fd0e35f7b0b2381d716c96d702b7e8ccdbc 100644 --- a/chart/templates/argocd/values.yaml +++ b/chart/templates/argocd/values.yaml @@ -26,6 +26,9 @@ redis-bb: istio: enabled: {{ .Values.istio.enabled }} + argocd: + gateways: + - istio-system/{{ default "public" .Values.addons.argocd.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} @@ -33,6 +36,10 @@ monitoring: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.argocd.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} {{- if .Values.addons.argocd.sso.enabled }} sso: 
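Review bot: In the anchore `ingressLabels` block (and the same three lines in the argocd, authservice, gitlab, jaeger, keycloak and kiali hunks) the fallback `$default` is built from `dig "gateways" $gateway "ingressGateway" nil .Values.istio` plus a hard-coded `"istio" nil`, so when the named gateway has no `ingressGateway` set and no `selector` override exists under `.Values.istio.values`, the rendered labels are `app: null` and `istio: null`, which is not a usable pod selector for the package's network policy and would likely fail validation or match nothing, leaving ingress traffic blocked with no clear error. Failing at render time is clearer: `{{- $default := dict "app" (required (printf "istio.gateways.%s.ingressGateway must be set" $gateway) (dig "gateways" $gateway "ingressGateway" nil .Values.istio)) }}`, and the `"istio" nil` entry should either carry the gateway pod's real `istio` label value or be dropped. It is hard to tell from this hunk whether `nil` there is deliberate; a comment on the `$default` line stating what the two labels are meant to select would settle it.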
diff --git a/chart/templates/authservice/values.yaml b/chart/templates/authservice/values.yaml index 69b225d4d521e12dca9aaadc2b4810b9ce4e09a7..6e58d8f29443c3dd9f43ff3ff57c23b49ca5a56a 100644 --- a/chart/templates/authservice/values.yaml +++ b/chart/templates/authservice/values.yaml @@ -8,6 +8,10 @@ imagePullSecrets: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.haproxy.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} global: oidc: diff --git a/chart/templates/gitlab/values.yaml b/chart/templates/gitlab/values.yaml index ccf5b72d7f0eca7249e72be62846a1a797834fc2..06c05e43113aea610fb47b95161775f4929641b4 100644 --- a/chart/templates/gitlab/values.yaml +++ b/chart/templates/gitlab/values.yaml @@ -9,14 +9,24 @@ openshift: {{ .Values.openshift }} istio: enabled: {{ .Values.istio.enabled }} + gitlab: + gateways: + - istio-system/{{ default "public" .Values.addons.gitlab.ingress.gateway }} + registry: + gateways: + - istio-system/{{ default "public" .Values.addons.gitlab.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.gitlab.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} - + {{- if .Values.addons.gitlab.database.host }} postgresql: install: false diff --git a/chart/templates/haproxy/values.yaml b/chart/templates/haproxy/values.yaml index 8a30d2d04fe4b54088c5df6df10a51c5bbbda4b0..7fa5efb750a3332fa80e68aac63cfe1b66f905bd 100644 
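Review bot: The authservice `ingressLabels` block keys its gateway off `.Values.addons.haproxy.ingress.gateway`, while every other package in this commit uses its own `ingress.gateway`; nothing in the hunk explains why haproxy's gateway is the right selector for authservice's network policy. If this is deliberate (haproxy presumably fronts the SSO flow that authservice participates in), a one-line comment above `$gateway` such as `{{- /* authservice is reached through the haproxy SSO proxy, so admit ingress from that proxy's gateway pods */ -}}` would stop the next reader treating it as a copy-paste slip. If it is not deliberate, the line should reference an authservice-specific gateway value instead.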
--- a/chart/templates/haproxy/values.yaml +++ b/chart/templates/haproxy/values.yaml @@ -5,6 +5,9 @@ {{- define "bigbang.defaults.haproxy-sso" -}} hostname: {{ .Values.hostname }} +istio: + gateway: {{ default "public" .Values.addons.haproxy.ingress.gateway }} + podLabels: protect: keycloak config: | diff --git a/chart/templates/istio/controlplane/secret-tls.yaml b/chart/templates/istio/controlplane/secret-tls.yaml index a47b7ad67f774f334fa87297229a37a14c1b79ea..35d41380cac9bdcd8ed793689b997f616e7f5341 100644 --- a/chart/templates/istio/controlplane/secret-tls.yaml +++ b/chart/templates/istio/controlplane/secret-tls.yaml @@ -1,15 +1,27 @@ -{{- if and .Values.istio.enabled (and .Values.istio.ingress.key .Values.istio.ingress.cert ) }} +{{- if .Values.istio.enabled }} + +{{/* +For backwards compatibility, get key/cert from .Values.istio.ingress +*/}} +{{- $default := .Values.istio.ingress | default dict -}} + +{{- range $name, $values := .Values.istio.gateways }} +{{- if or (and $values.tls.cert $values.tls.key) (and $default.cert $default.key) }} apiVersion: v1 kind: Secret metadata: - name: wildcard-cert + name: {{ printf "%s-cert" $name }} namespace: istio-system labels: app.kubernetes.io/name: istio-controlplane app.kubernetes.io/component: "core" - {{- include "commonLabels" . | nindent 4}} + {{- include "commonLabels" $ | nindent 4}} type: kubernetes.io/tls data: - tls.crt: {{ .Values.istio.ingress.cert | b64enc }} - tls.key: {{ .Values.istio.ingress.key | b64enc}} + tls.crt: {{ default $default.cert $values.tls.cert | b64enc }} + tls.key: {{ default $default.key $values.tls.key | b64enc }} +--- +{{- end }} +{{- end }} + {{- end }} \ No newline at end of file diff --git a/chart/templates/istio/controlplane/values.yaml b/chart/templates/istio/controlplane/values.yaml index da3a0e2aa12d2fcb43dae5fbead3d26c297b296a..d8c7f7c0c3d35bbb71da2816362675d1003dab79 100644 --- a/chart/templates/istio/controlplane/values.yaml 
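Review bot: In `secret-tls.yaml` the new `range` body dereferences `$values.tls.cert` and `$values.tls.key` directly, so a gateway entry declared without a `tls` map makes the template fail with a nil-pointer evaluation error instead of falling back to the legacy `.Values.istio.ingress` pair that the new comment promises; the sibling `controlplane/values.yaml` hunk already guards the same field with `dig "tls" "mode" "SIMPLE" $values`. The `or` condition also lets a gateway that sets only `tls.cert` be paired with the legacy key, producing a Secret whose certificate and key do not match. Resolve both by reading the fields with `dig` and falling back to the legacy pair only as a unit, as below; the Secret header and labels are unchanged.
```yaml
{{- range $name, $values := .Values.istio.gateways }}
{{- $cert := dig "tls" "cert" "" $values -}}
{{- $key := dig "tls" "key" "" $values -}}
{{- /* fall back to the legacy pair as a unit, never mixing cert and key sources */ -}}
{{- if not (and $cert $key) }}{{- $cert = $default.cert }}{{- $key = $default.key }}{{- end }}
{{- if and $cert $key }}
# … unchanged: apiVersion, kind, metadata, labels, type …
data:
  tls.crt: {{ $cert | b64enc }}
  tls.key: {{ $key | b64enc }}
```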
+++ b/chart/templates/istio/controlplane/values.yaml 
@@ -15,20 +15,62 @@ openshift: {{ .Values.openshift }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} -{{- if .Values.addons.keycloak.enabled }} -extraServers: -- port: - name: https-keycloak - protocol: TLS - number: 8443 - hosts: - - keycloak.{{ .Values.hostname }} - tls: - mode: PASSTHROUGH - -gateway: - hosts: - - "*.admin.{{ .Values.hostname }}" +{{- if .Values.istio.ingressGateways }} +ingressGateways: + istio-ingressgateway: + enabled: false {{- end }} -{{- end -}} + +{{- range $name, $values := .Values.istio.ingressGateways }} + {{ $name | nindent 2 }}: + {{- toYaml (merge (dict "k8s" $values.kubernetesResourceSpec) (fromYaml (include "istio.ingressgateway.k8s" $values))) | nindent 4 }} +{{- end }} + +{{- if .Values.istio.gateways }} +gateways: + main: null +{{- end }} +{{- range $name, $values := .Values.istio.gateways }} + {{ $name | nindent 2 }}: + selector: + app: {{ $values.ingressGateway }} + servers: + - hosts: + {{ tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }} + port: + name: https + number: 8443 + protocol: HTTPS + tls: + credentialName: {{ $name }}-cert + mode: {{ dig "tls" "mode" "SIMPLE" $values }} +{{- end }} +{{- end }} + +{{- define "istio.ingressgateway.k8s" -}} +k8s: + service: + type: {{ .type }} + {{- if .nodePortBase }} + ports: # Pulled from Istio gateway defaults (https://github.com/istio/istio/blob/master/manifests/charts/gateways/istio-ingress/values.yaml) + # Ports default to "protocol: TCP" and "targetPort = port" + # AWS ELB will by default perform health checks on the first port on this list. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + name: status-port + nodePort: {{ add .nodePortBase 0 }} + - port: 80 + targetPort: 8080 + name: http2 + nodePort: {{ add .nodePortBase 1 }} + - port: 443 + targetPort: 8443 + name: https + nodePort: {{ add .nodePortBase 2 }} + # SNI Routing port + - port: 15443 + name: tls + nodePort: {{ add .nodePortBase 3 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/jaeger/values.yaml b/chart/templates/jaeger/values.yaml index 45e4d62292b504ab54e4a7b3bb306e204e78373b..cabe3f2106ab8d71fd3234817a6f9ad012f8d4ab 100644 --- a/chart/templates/jaeger/values.yaml +++ b/chart/templates/jaeger/values.yaml @@ -9,8 +9,9 @@ hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} jaeger: - hosts: - - tracing{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.jaeger.ingress.gateway }} + monitoring: enabled: {{ .Values.monitoring.enabled }} elasticsearch: @@ -27,5 +28,9 @@ openshift: enabled: {{ .Values.openshift }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} - controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} -{{- end -}} + controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + ingressLabels: + {{- $gateway := default "public" .Values.jaeger.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/chart/templates/keycloak/values.yaml b/chart/templates/keycloak/values.yaml index 2f77fdb564d82ca42422ca996e2951102ec1a343..8a3b08b59cf307c03cdc70f73e8568991f263673 100644 --- a/chart/templates/keycloak/values.yaml +++ b/chart/templates/keycloak/values.yaml 
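Review bot: In `istio.ingressgateway.k8s` the four NodePorts are derived as `nodePortBase` through `nodePortBase + 3` with no check that the result stays inside the cluster's NodePort range (30000–32767 by default), so a base near the top of the range yields a Service the API server rejects only after the rest of the release has rendered. A render-time guard placed just inside the `if .nodePortBase` branch is more informative: `{{- if or (lt (int .nodePortBase) 30000) (gt (int .nodePortBase) 32764) }}{{ fail "nodePortBase must be within 30000-32764 so all four NodePorts fit the default range" }}{{- end }}`. Separately, the Gateway `hosts` default of `(list)` renders a server with an empty `hosts` entry, which I believe Istio's validation rejects; a `required` on that line, or a comment stating that `hosts` must be supplied per gateway, would surface the mistake earlier.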
@@ -14,11 +14,16 @@ istio: enabled: {{ .Values.istio.enabled }} keycloak: enabled: true - hosts: - - keycloak.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.addons.keycloak.ingress.gateway }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + ingressLabels: + {{- $gateway := default "passthrough" .Values.addons.keycloak.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} monitoring: enabled: {{ .Values.monitoring.enabled }} diff --git a/chart/templates/kiali/values.yaml b/chart/templates/kiali/values.yaml index 45719d32947c37fe433be8bed389244f128047bb..91aba537bb5556fa1c048a3f9a45f21bd6de264a 100644 --- a/chart/templates/kiali/values.yaml +++ b/chart/templates/kiali/values.yaml @@ -10,8 +10,9 @@ openshift: {{ .Values.openshift}} istio: enabled: {{ .Values.istio.enabled }} kiali: - hosts: - - kiali{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.kiali.ingress.gateway }} + monitoring: enabled: {{ .Values.monitoring.enabled }} elasticsearch: @@ -41,4 +42,8 @@ cr: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }} + ingressLabels: + {{- $gateway := default "public" .Values.kiali.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} {{- end -}} diff --git a/chart/templates/logging/elasticsearch-kibana/values.yaml b/chart/templates/logging/elasticsearch-kibana/values.yaml index 830316922948cacb178a6f9bb12c684b62d599ca..a4b5aa3037b4bda183ba2cbfab71bc7f483b2e65 100644 
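Review bot: The two defaults for the Keycloak gateway disagree in this hunk: the VirtualService binds to `istio-system/{{ default "public" .Values.addons.keycloak.ingress.gateway }}` while `ingressLabels` resolves `default "passthrough" .Values.addons.keycloak.ingress.gateway`, so an operator who clears `addons.keycloak.ingress.gateway` gets a VirtualService on the TLS-terminating public Gateway and a NetworkPolicy that only admits the passthrough gateway pods. Both lines should share one default, presumably `passthrough`, given the values.yaml comment that Keycloak's gateway must run `tls.mode: PASSTHROUGH`. Since Keycloak terminates its own TLS, the template could also refuse to render against a terminating gateway: `{{- if ne (dig "gateways" $gateway "tls" "mode" "" .Values.istio) "PASSTHROUGH" }}{{ fail "addons.keycloak.ingress.gateway must reference a gateway with tls.mode PASSTHROUGH" }}{{- end }}`. The enclosing `istio:` mapping and the file's outer conditionals start outside this hunk.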
--- a/chart/templates/logging/elasticsearch-kibana/values.yaml +++ b/chart/templates/logging/elasticsearch-kibana/values.yaml @@ -7,11 +7,15 @@ hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} kibana: - hosts: - - kibana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.logging.ingress.gateway }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.logging.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} {{- with .Values.logging.sso }} {{- if .enabled }} diff --git a/chart/templates/mattermost/mattermost/values.yaml b/chart/templates/mattermost/mattermost/values.yaml index d5e4d8d078317b3fcf8e4b15352bc40f0eca539a..46fba1438e19b56d71527bcfd991f958d97af9de 100644 --- a/chart/templates/mattermost/mattermost/values.yaml +++ b/chart/templates/mattermost/mattermost/values.yaml @@ -9,6 +9,9 @@ openshift: {{ .Values.openshift }} istio: enabled: {{ .Values.istio.enabled }} + chat: + gateways: + - istio-system/{{ default "public" .Values.addons.mattermost.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} @@ -25,6 +28,10 @@ sso: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.mattermost.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} global: imagePullSecrets: diff --git a/chart/templates/minio/minio/values.yaml b/chart/templates/minio/minio/values.yaml index b5aa508860f139300a3c9462bf874023a0938a2d..1ec8ad1a3d38376c1ed64ff36b26301051a3714f 100644 
--- a/chart/templates/minio/minio/values.yaml +++ b/chart/templates/minio/minio/values.yaml @@ -7,6 +7,9 @@ hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} + virtualService: # this key is non-standard and needs to be fixed in the package + gateways: + - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }} minioRootCreds: minio-root-creds-secret @@ -15,6 +18,10 @@ monitoring: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.minio.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} podAnnotations: sidecar.istio.io/inject: "true" diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml index c80d9f4fd74b1d2759a49d6562b1351339b6137d..ee8796805eab5f5f9dd7e6e33a6516e9461c3a12 100644 --- a/chart/templates/monitoring/values.yaml +++ b/chart/templates/monitoring/values.yaml @@ -10,6 +10,10 @@ flux: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.monitoring.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} minioOperator: enabled: {{ .Values.addons.minioOperator.enabled }} @@ -23,8 +27,8 @@ istio: port: 8080 namespace: authservice {{- end }} - hosts: - - prometheus{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }} alertmanager: enabled: true {{- if .Values.monitoring.sso.enabled }} 
@@ -32,12 +36,12 @@ istio: port: 8080 namespace: authservice {{- end }} - hosts: - - alertmanager{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }} grafana: enabled: true - hosts: - - grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }} anchore: enabled: {{ .Values.addons.anchore.enabled }} @@ -57,7 +61,7 @@ grafana: grafana.ini: {{- if .Values.istio.enabled }} server: - root_url: https://grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}/ + root_url: https://grafana.{{ .Values.hostname }}/ {{- end }} auth: diff --git a/chart/templates/nexus-repository-manager/values.yaml b/chart/templates/nexus-repository-manager/values.yaml index d78cb5e4e3430d292f4009dce0c63327dfadef87..d72f053c585aa936e269a7103ab3d8632db386a5 100644 --- a/chart/templates/nexus-repository-manager/values.yaml +++ b/chart/templates/nexus-repository-manager/values.yaml @@ -7,12 +7,19 @@ domain: {{ .Values.hostname }} hostname: nexus istio: enabled: {{ .Values.istio.enabled }} + nexus: + gateways: + - istio-system/{{ default "public" .Values.addons.nexus.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.nexus.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} nexus: imagePullSecrets: diff --git a/chart/templates/sonarqube/values.yaml b/chart/templates/sonarqube/values.yaml index 9b067f5ed3349ce918365b31d9bd556837fc9b31..b84328047bce51ce77247b06f51ae8990d2e7ab1 100644 --- a/chart/templates/sonarqube/values.yaml 
+++ b/chart/templates/sonarqube/values.yaml @@ -7,12 +7,19 @@ hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} + sonarqube: + gateways: + - istio-system/{{ default "public" .Values.addons.sonarqube.ingress.gateway }} monitoring: enabled: {{ .Values.monitoring.enabled }} networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.addons.sonarqube.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} image: pullSecret: private-registry diff --git a/chart/templates/twistlock/values.yaml b/chart/templates/twistlock/values.yaml index fe8f9c306f329928f084f324ca83dcaa8196e481..43f497675d371e74e52f1501a34f0d993a6ae104 100644 --- a/chart/templates/twistlock/values.yaml +++ b/chart/templates/twistlock/values.yaml @@ -14,10 +14,15 @@ imagePullSecrets: networkPolicies: enabled: {{ .Values.networkPolicies.enabled }} + ingressLabels: + {{- $gateway := default "public" .Values.twistlock.ingress.gateway }} + {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }} + {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }} istio: enabled: {{ .Values.istio.enabled }} console: - hosts: - - twistlock{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }} + gateways: + - istio-system/{{ default "public" .Values.twistlock.ingress.gateway }} + {{- end -}} diff --git a/chart/values.yaml b/chart/values.yaml index b0d1564a463c15a11fd9fb175a29e922bde271b4..45bb9abd0d72181834f66bc04d399d9f8323c85d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -110,17 +110,56 @@ istio: git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git path: "./chart" - tag: "1.8.4-bb.5" + tag: "1.8.4-bb.6" + + # Ingress gateways are created based on the key name. Adding more keys will add ingress gateways. + # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas + # Besides some ports needed by Istio, only ports 80 and 443 are opened + # Ingress gateways that require more configuration can be completed using `istio.values` + ingressGateways: + public-ingressgateway: + type: "LoadBalancer" # or "NodePort" + kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + + # private-ingressgateway: + # type: "LoadBalancer" # or "NodePort" + # kubernetesResourceSpec: # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + # serviceAnnotations: # Example for AWS internal load balancer + # service.beta.kubernetes.io/aws-load-balancer-type: nlb + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + + # passthrough-ingressgateway: + # type: "NodePort" # or "LoadBalancer" + # # Node ports are assigned starting from nodePortBase. The nodePortBase specifies the start of a range of 4 unused node ports. 
+ # # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3 + # # Node port base should be in the range from 30000 to 32764 + # nodePortBase: 32000 # Alternatively, the kubernetesResourceSpec can be used to configure all port parameters + + gateways: + public: + ingressGateway: "public-ingressgateway" + hosts: + - "*.{{ .Values.hostname }}" + tls: + key: "" + cert: "" + # private: + # ingressGateway: "private-ingressgateway" + # hosts: + # - "*.{{ .Values.hostname }}" + # tls: + # key: "" + # cert: "" + # passthrough: + # ingressGateway: "passthrough-ingressgateway" + # hosts: + # - "*.{{ .Values.hostname }}" + # tls: + # mode: "PASSTHROUGH" # -- Flux reconciliation overrides specifically for the Istio Package flux: {} - # -- Certificate/Key pair to use as the default certificate for exposing BigBang created applications. - # If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`. - ingress: - key: "" - cert: "" - # -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git values: {} @@ -159,6 +198,10 @@ jaeger: upgrade: crds: CreateReplace + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle SSO for Jaeger on and off enabled: false @@ -186,6 +229,10 @@ kiali: # -- Flux reconciliation overrides specifically for the Kiali Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle SSO for Kiali on and off enabled: false 
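Review bot: The new `istio.gateways.public.tls` block leaves `key: ""` and `cert: ""` undocumented, whereas the removed `istio.ingress` comment used to state what happens when no pair is supplied; the istio values template in this commit points the Gateway at `credentialName: <gateway>-cert`, so the operator now needs to know that a `public-cert` secret must already exist in `istio-system` when these stay empty. I would restore that note above `tls:`, e.g. `# TLS key/cert for this gateway. Leave both empty to use an existing secret named "<gateway>-cert" in istio-system.`, hedged on how the controlplane chart actually materialises the secret. It is also worth stating that `key` is a private key and belongs in an uncommitted override file, since the new multiple_ingress guide shows it inlined in values. The `nodePortBase` comment's upper bound of 32764 is correct for the four consecutive ports the template allocates.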
@@ -261,6 +308,10 @@ logging: flux: timeout: 20m + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off. # Enabling this option will auto-create any required secrets. @@ -331,6 +382,10 @@ monitoring: # -- Flux reconciliation overrides specifically for the Monitoring Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle SSO for monitoring components on and off enabled: false @@ -384,6 +439,10 @@ twistlock: # -- Flux reconciliation overrides specifically for the Twistlock Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git values: {} @@ -405,6 +464,10 @@ addons: # -- Flux reconciliation overrides specifically for the ArgoCD Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle SSO for ArgoCD on and off enabled: false @@ -485,6 +548,10 @@ addons: # -- Flux reconciliation overrides specifically for the Minio Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + # -- Default access key to use for minio. accesskey: "" 
@@ -513,6 +580,10 @@ addons: # -- Flux reconciliation overrides specifically for the Gitlab Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle OIDC SSO for Gitlab on and off. # Enabling this option will auto-create any required secrets. @@ -601,6 +672,10 @@ addons: # -- Base64 encoded license file. license_key: "" + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle SAML SSO for NXRM. # -- handles SAML SSO, a Client must be configured in Keycloak or IdP @@ -653,6 +728,10 @@ addons: # -- Flux reconciliation overrides specifically for the Sonarqube Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle SAML SSO for SonarQube. # Enabling this option will auto-create any required secrets. @@ -713,6 +792,10 @@ addons: # -- Flux reconciliation overrides specifically for the HAProxy Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + # -- Values to passthrough to the haproxy chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git values: {} @@ -745,6 +828,10 @@ addons: licenseYaml: | FULL LICENSE + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle OIDC SSO for Anchore on and off. # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license). 
@@ -839,6 +926,10 @@ addons: # license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN license: "" + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + gateway: "" + sso: # -- Toggle OIDC SSO for Mattermost on and off. # Enabling this option will auto-create any required secrets. @@ -941,18 +1032,14 @@ addons: # keycloak: # -- Toggle deployment of Keycloak. + # if you enable Keycloak you should uncomment the istio passthrough configurations above + # istio.ingressGateways.passthrough-ingressgateway and istio.gateways.passthrough enabled: false git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git path: "./chart" tag: "11.0.1-bb.0" - # -- Certificate/Key pair to use as the certificate for exposing Keycloak - # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart - ingress: - key: "" - cert: "" - database: # -- Hostname of a pre-existing database to use for Keycloak. # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. @@ -976,5 +1063,14 @@ addons: # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package flux: {} + # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". + ingress: + # the istio gateway for keycloak must have tls.mode: PASSTHROUGH + gateway: "passthrough" + # -- Certificate/Key pair to use as the certificate for exposing Keycloak + # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart + key: "" + cert: "" + # -- Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git values: {} 
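Review bot: `addons.keycloak.ingress.gateway` defaults to `"passthrough"` while the `istio.gateways.passthrough` and `istio.ingressGateways.passthrough-ingressgateway` entries it relies on ship commented out, so the default configuration references a Gateway that does not exist; the new comment on `enabled` warns about this, but nothing enforces it and the visible templates would render a VirtualService bound to a missing gateway plus a NetworkPolicy whose ingress labels resolve to null. The warning would be more useful next to the value that is read, e.g. `# Must name a gateway under istio.gateways with tls.mode: PASSTHROUGH; the passthrough gateway above is commented out by default and must be enabled with Keycloak.`. The relocated `key`/`cert` hold Keycloak's private key, so the comment should also steer operators to an uncommitted override file rather than this values.yaml.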
diff --git a/docs/configuration.md b/docs/configuration.md index e03958e0751c856e1a290b1183e457620592819d..4abcf551ce7a5c1c54daa826e64cc99a625e711b 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -101,7 +101,12 @@ Each package (e.g. `istio`, `clusterAuditor`) has configuration to control how B | `git.branch` | Branch to use for package deployment resources | string | `chart-release` or `release-vx.x.x` | | `git.commit` | SHA of specific commit to use in Git for package deployment resources | SHA | null | | `git.tag` | Git tag to use for package deployment resources | string | null | +| `ingress.gateway` | Name of Istio Gateway to use for ingress (if supported) | string | "public" | +| `sso.*` | Single sign on configuration (if supported) | | | +| `database.*` | External database connection configuration (if supported) | | | +| `objectStorage.*` | Object storage configuration (if supported) | | | | `values` | Package specific values to configure | List of key/values pairs | {} | +| `postRenderers` | See [docs/postrenderers.md](./postrenderers.md) | list | [] | ## Flux Resources diff --git a/docs/developer/development-environment.md b/docs/developer/development-environment.md index 772d9fc33351ac4bc81347ecb4d7ee4b15835ec3..6b77f92944b2a122f2fe60bd40e4c4739531c014 100644 --- a/docs/developer/development-environment.md +++ b/docs/developer/development-environment.md @@ -103,7 +103,7 @@ wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | bas k3d version ``` -- Start our dev cluster on the EC2 instance using K3D. See addendum for more secure way with only port 22 exposed using private ip and sshuttle. +- Start our dev cluster on the EC2 instance using K3D. See addendum for more secure way with only port 22 exposed using private ip and sshuttle & section to have support for multi istio ingressgateways with a K3D cluster using MetalLB. ```shell EC2_PUBLIC_IP=$( curl https://ipinfo.io/ip ) 
@@ -238,6 +238,127 @@ Then on your workstation edit the kubeconfig with the EC2 private ip. In a separ sshuttle --dns -vr ec2-user@$EC2_PUBLIC_IP 172.31.0.0/16 --ssh-cmd 'ssh -i ~/.ssh/your-ec2.pem' ``` +### Multi Ingress-gateway Support with MetalLB and K3D + +1. If you want to utilize BigBang's multi ingress-gateway support for istio, it is possible with K3D but requires some different flags at cluster creation. + +```shell +# ssh to your EC2 instance using the public IP. For Amazon Linux 2 the user is "ec2-user" +ssh -i ~/.ssh/your-ec2.pem ubuntu@$EC2_PUBLIC_IP + +# set environment variable for private IP +EC2_PRIVATE_IP=$(hostname -I | awk '{print $1}') + +# create the k3d cluster with SAN for private IP +# Create k3d cluster +k3d cluster create \ + --servers 1 \ + --agents 3 \ + --volume ~/.k3d/p1-registries.yaml:/etc/rancher/k3s/registries.yaml \ + --volume /etc/machine-id:/etc/machine-id \ + --k3s-server-arg "--disable=traefik" \ + --k3s-server-arg "--disable=metrics-server" \ + --k3s-server-arg "--disable=servicelb" \ + --k3s-server-arg "--tls-san=$EC2_PRIVATE_IP" \ + --port 80:80@loadbalancer \ + --port 443:443@loadbalancer \ + --api-port 6443 +``` + - This will create a K3D cluster just like before, except we need to ensure the built in "servicelb" add-on is disabled so we can use metallb. + +2. Find the Subnet for your k3d cluster's Docker network + +```shell +docker network inspect k3d-k3s-default | jq .[0].IPAM.Config[0] +``` + + - k3d-k3s-default is the name of the default bridge network k3d creates when creating a k3d cluster. + - We need the "Subnet": value to populate the correct addresses in the ConfigMap below. + - If my output looks like: + ```json + { + "Subnet": "172.21.0.0/16", + "Gateway": "172.21.0.1" + } + ``` + - Then the addresses I want to input for metallb would be `172.21.1.240-172.21.1.243` so that I can reserve 4 IP addresses within the subnet of the Docker Network. + +3. 
Before installing BigBang we will need to install and configure [metallb](https://metallb.universe.tf/concepts/) + +```shell +kubectl create -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/namespace.yaml +kubectl create -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/metallb.yaml +cat <<EOF | > metallb-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: metallb-system + name: config +data: + config: | + address-pools: + - name: default + protocol: layer2 + addresses: + - 172.21.1.240-172.21.1.243 +EOF +kubectl create -f metallb-config.yaml +``` + + - The commands will create a metallb install and configure it to assign LoadBalancer IPs within the range `172.18.1.240-172.18.1.243` which is within the standard Docker Bridge Network CIDR meaning that the linux network stack will have a route to this network already. + +4. Verify LoadBalancers + +```shell +kubectl get svc -n istio-system +``` + + - You should see a result like: +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istiod ClusterIP 10.43.59.25 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 151m +private-ingressgateway LoadBalancer 10.43.221.12 172.18.1.240 15021:31000/TCP,80:31001/TCP,443:31002/TCP,15443:31003/TCP 150m +public-ingressgateway LoadBalancer 10.43.35.202 172.18.1.241 15021:30000/TCP,80:30001/TCP,443:30002/TCP,15443:30003/TCP 150m +passthrough-ingressgateway LoadBalancer 10.43.173.31 172.18.1.242 15021:32000/TCP,80:32001/TCP,443:32002/TCP,15443:32003/TCP 119m +``` + + - With the key information here being the assigned `EXTERNAL-IP` sections for the ingressgateways. + +5. 
Update Hosts file on ec2 instance with IPs above + +```shell +sudo vim /etc/hosts +``` + + - Update it with similar entries: + - Applications with the following values (eg for Jaeger): + ```yaml + jaeger: + ingress: + gateway: "" #(Defaults to public-ingressgateway) + ``` + We will need to set to the EXTERNAL-IP of the public-ingressgateway + ``` + 172.18.1.241 jaeger.bigbang.dev + ``` + - Applications with the following values (eg for Logging): + ```yaml + logging: + ingress: + gateway: "private" + ``` + We will need to set to the EXTERNAL-IP of the private-ingressgateway + ``` + 172.18.1.240 kibana.bigbang.dev + ``` + - Keycloak will need to be set to the External-IP of the passthrough-ingressgateway + ``` + 172.18.1.242 keycloak.bigbang.dev + ``` + - With these DNS settings in place you will now be able to reach the external *.bigbang.dev URLs from this EC2 instance. + + - To reach outside the EC2 instance use either SSH or SSHUTTLE commands to specify a local port for Dynamic application-level port forwarding (ssh -D) and utilize Firefox's built in SOCKS proxy configuration to route DNS and web traffic through the application-level port forward from the SSH command. + ### Amazon Linux 2 Here are the configuration steps if you want to use a Fedora based instance. All other steps are similar to Ubuntu. diff --git a/docs/guides/deployment_scenarios/multiple_ingress.md b/docs/guides/deployment_scenarios/multiple_ingress.md new file mode 100644 index 0000000000000000000000000000000000000000..f8d38092d0cb230a7fff4d84814c7fbcc11190e7 --- /dev/null +++ b/docs/guides/deployment_scenarios/multiple_ingress.md 
@@ -0,0 +1,192 @@ +# Using Big Bang with Multiple Ingress Gateways + +By default, Big Bang only creates one ingress for all of the packages. Although this architecture reduces complexity, it also limits the ability to independently control network access and load balancing to groups of packages. By configuring Big Bang for multiple ingress gateways through [Istio](https://istio.io/latest/), package access and load can be better controlled. + +## Architecture + +The following diagram illustrates a typical multiple ingress architecture for Big Bang with the following characteristics: + +- A Kubernetes cluster running on a private subnet +- Some apps with exposure to the internet through a public network load balancer +- Some apps without exposure to the internet through a private (aka internal) network load balancer +- Single sign on (SSO) connected to the internet through a dedicated public network load balancer +- A service mesh ([Istio](https://istio.io/latest/)) handling TLS for all apps except SSO + +Big Bang is capable of setting up everything within the private subnet using configuration. The public load balancers would need to be configured outside of Big Bang's deployment. 
+ +```mermaid +graph LR + internet((Internet))--http: 80<br/>https: 443-->pub_nlb & kc_nlb + + subgraph "Public Subnet" + pub_nlb("Public Network Load Balancer") + kc_nlb("Keycloak Network Load Balancer") + end + + subgraph "Private Subnet" + pri_nlb("Private Network Load Balancer<br/>10.0.0.0/24")--Dynamic-->pri_igw + + subgraph "Kubernetes Cluster" + pub_nlb--status: 30000<br/>http: 30001<br/>https:30002-->pub_igw + kc_nlb--status: 30100<br/>http: 30101<br/>https:30102-->kc_igw + + pub_igw("Public Ingress Gateway<br/>Type: NodePort")--http: 8080<br/>https: 8443-->pub_gw + pri_igw("Private Ingress Gateway<br/>Type: Load Balancer")--http: 8080<br/>https: 8443-->pri_gw + kc_igw("Keycloak Ingress Gateway"<br/>Type: NodePort)--http: 8080<br/>https: 8443-->kc_gw + + pub_gw("Public Gateway<br/>TLS Terminated<br/>*.bigbang.dev")--http: 8080<br/>gitlab.bigbang.dev-->pub_vs1 + pub_gw--http: 8080<br/>chat.bigbang.dev-->pub_vs2 + pri_gw("Private Gateway<br/>TLS Terminated<br/>*.bigbang.dev")--http: 8080<br/>grafana.bigbang.dev-->pri_vs1 + pri_gw--http: 8080<br/>kibana.bigbang.dev-->pri_vs2 + kc_gw("Keycloak Gateway<br/>TLS Passthrough<br/>keycloak.bigbang.dev")--https: 8443<br/>keycloak.bigbang.dev-->kc_vs1 + + pub_vs1("Virtual Service<br/>Gitlab")--http-->pub_ser1("Service<br/>Gitlab")-->pub_pod1a("Pod") & pub_pod1b("Pod") + pub_vs2("Virtual Service<br/>Mattermost")--http-->pub_ser2("Service<br/>Mattermost")-->pub_pod2a("Pod") & pub_pod2b("Pod") + pri_vs1("Virtual Service<br/>Grafana")--http-->pri_ser1("Service<br/>Grafana")-->pri_pod1a("Pod") & pri_pod1b("Pod") + pri_vs2("Virtual Service<br/>Kibana")--http-->pri_ser2("Service<br/>Kibana")-->pri_pod2a("Pod") & pri_pod2b("Pod") + kc_vs1("Virtual Service<br/>Keycloak")--https-->kc_ser1("Service<br/>Keycloak")-->kc_pod1a("Pod") & kc_pod1b("Pod") + end + end + +``` + +### Load Balancers + +Load balancers are used to insure traffic is distributed to Istio's control plane running across the Kubernetes nodes. 
 In the diagram above, we only show one Kubernetes node for simplicity. But, most clusters are run with multiple nodes. Load balancers should be connected to all of the nodes. It is recommended that you use Layer 3/4 network load balancers in Big Bang since Istio can handle layer 7 routing and balancing.
+
+#### Public Load Balancer
+
+Public load balancers must be created independent of Big Bang. This is because the cluster is deployed in a private subnet and therefore does not have access to create resources in the public, internet-facing subnet. In order for the load balancer, in the public subnet, to communicate to the Istio's Ingress Gateway, in the private subnet, node ports must be used. Node ports will bind a port on each cluster node to a listener in the ingress gateway. The load balancer will distribute traffic on that port to the cluster nodes.
+
+> Not all deployments have a public subnet. For example, a private network that can only be accessed through a VPN would not have a public subnet and not require any public load balancers.
+
+In Big Bang, this is how you would setup an ingress gateway for Node Ports:
+
+```yaml
+istio:
+  ingressGateways:
+    public-ingressgateway: # This creates a new ingress gateway called "public-ingressgateway"
+      type: "NodePort" # Tell Big Bang this should be a node port ingress gateway rather than a load balancer type
+      nodePortBase: 30000 # Bind the following ports: Status <-> 30000; HTTP <-> 30001; HTTPS <-> 30002; SNI <-> 30003
+```
+
+The load balancer can then be setup to forward HTTP traffic to all nodes on port 30001 and HTTPS traffic on all nodes to 30002. Istio provides a ready status that can be reached via HTTP on the status port. So, the load balancer's health check can be setup for all nodes on port 30000 to the URL `/healthz/ready`. DNS entries should be created for each hostname to point to the load balancer's DNS. Package endpoints can then be accessed using the FQDN from the internet.
+
+#### Private / Internal Load Balancer
+
+Private or internal load balancers can usually be created automatically by Big Bang via Istio using service annotations. By using these annotations, a load balancer will be created for you and automatically mapped to the appropriate nodes/ports for distributing the load.
+
+Here is how you would setup Big Bang for a private load balancer on AWS. For other cloud providers, review [Kubernetes internal load balancer documentation](https://kubernetes.io/docs/concepts/services-networking/_print/#internal-load-balancer):
+
+```yaml
+istio:
+  ingressGateways:
+    private-ingressgateway: # This creates a new ingress gateway called "private-ingressgateway"
+      type: "LoadBalancer" # Tell Big Bang this should be a load balancer ingress gateway rather than a node port type
+      kubernetesResourceSpec:
+        serviceAnnotations:
+          # The following annotations tell Istio to setup an internal network load balancer through AWS
+          service.beta.kubernetes.io/aws-load-balancer-type: nlb
+          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+```
+
+After the load balancer is created, you will need to setup DNS entries (e.g. Route 53 on AWS) to point to the load balancer using the host names of the applications. You should then be able to access the package endpoints from the private network using the FQDN.
+> Private network access can be achieved through SSH on a jump box (aka bastion), VPN, or other secure gateway.
+
+### Ingress Gateways
+
+Istio's Ingress Gateways are services that sit on the edge of the Kubernetes cluster and listen for incoming traffic. In Big Bang, the Ingress Gateways are either setup as Node Port or Load Balancer services. As a Node Port type, ports on the node are bound to the service and incoming traffic is routed to the nodes on those ports. As a Load Balancer type, a load balancer is automatically created and configured to communicate to the service.
+> In some cases, automatic load balancer creating oand configuration is not supported and a Node Port service must be used.
+
+Ingress Gateways will listen for incoming traffic on their assigned ports and forward that traffic to attached Gateways on the appropriate port. For example, traffic may be received on port 30002 and forwarded to all attached Gateways on port 8443.
+
+In Big Bang, ingress gateways can be created and configured using the `istio.ingressGateways` values. By adding additional keys under this value, additional ingress gateways will be created. The following is an example of setting up three Ingress Gateways to match the architecture diagram above.
+> It is recommended that you add `-ingressgateway` on the end of the name of the key to help identify the pods created in the Kubernetes cluster.
+
+```yaml
+istio:
+  ingressGateways:
+    public-ingressgateway:
+      type: "NodePort"
+      nodePortBase: 30000 # Bind the following ports: Status (15021) <-> 30000; HTTP (8080) <-> 30001; HTTPS (8443) <-> 30002; SNI (15443) <-> 30003
+
+    private-ingressgateway:
+      type: "LoadBalancer"
+      kubernetesResourceSpec:
+        # Setup an AWS internal (private) load balancer
+        serviceAnnotations:
+          service.beta.kubernetes.io/aws-load-balancer-type: nlb
+          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+
+    passthrough-ingressgateway:
+      type: "NodePort"
+      nodePortBase: 30100 # Bind the following ports: Status (15021) <-> 30100; HTTP (8080) <-> 30101; HTTPS (8443) <-> 30102; SNI (15443) <-> 30103
+```
+
+The default values for Ingress Gateways will work for most situations. However, if you need finer control over the configuration, any of the settings in the [Kubernetes Resource Spec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec) can be added to `kubernetesResourceSpec` as a map. Some examples of additional settings include environmental variables, service selectors, affinity mapping, or additional ports.
+
+### Gateways
+
+While Ingress Gateways handle traffic using ports, Gateways manage traffic using protocol and hostname. Each Gateway must be assigned to one or more Ingress Gateways to receive traffic. Gateways are setup to listen on ports for specific protocols and hostnames. Traffic is then sent on to Virtual Services for further routing.
+
+Gateways can handle TLS encryption, including termination. If a Gateway is setup for TLS termination, it handles the full TLS handshake during HTTPS connections and decrypts messages at the Gateway before passing traffic on the backend in the clear. To perform this function, the Gateway must be provided a TLS private key and certificate. There are [other TLS modes](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode) supported by Gateways that may also be used.
+
+In Big Bang, Gateways can be created and configured using the `istio.gateways` values. By adding additional keys under this value, additional Gateways will be created. By default, HTTP traffic is always redirected to HTTPS traffic in the Gateway. The following is an example of setting up three Gateways to match the architecture diagram above.
+
+> By default Big Bang uses TLS termination on Gateways. For Keycloak, the package must manage the TLS encryption. In that case, we use TLS passthrough on the Gateway and setup the TLS keys in the package.
+
+```yaml
+  gateways:
+    public:
+      ingressGateway: "public-ingressgateway" # Connect to the 'public-ingressgateway'
+      hosts:
+        - "*.bigbang.dev" # Match all hostnames in the domain
+      tls:
+        key: "-----BEGIN PRIVATE KEY-----\nMIIE...." # TLS Private Key
+        cert: "-----BEGIN CERTIFICATE-----\nMIIF...." # TLS Certificate
+    private:
+      ingressGateway: "private-ingressgateway" # Connect to 'private-ingressgateway'
+      hosts:
+        - "*.bigbang.dev" # Match all hostnames in the domain
+      tls:
+        key: "-----BEGIN PRIVATE KEY-----\nMIIE...." # TLS Private Key
+        cert: "-----BEGIN CERTIFICATE-----\nMIIF...." # TLS Certificate
+    passthrough:
+      ingressGateway: "passthrough-ingressgateway" # Connect to 'passthrough-ingressgateway'
+      hosts:
+        - "keycloak.bigbang.dev" # Only match keycloak hostname
+      tls:
+        mode: "PASSTHROUGH" # Pass TLS encrypted traffic to application
+```
+
+Big Bang will automatically create a secret with the TLS key and cert provided for each Gateway. In some cases, it may be advantageous to create the secrets ahead of time and have Big Bang use them. In this case a TLS secret named `{name of gateway}-cert` can be prepopulated with the key and `tls.key` and `tls.cert` values can be left blank. For example, for the `private` Gateway, a `private-cert` TLS secret would be created.
+
+### Virtual Services
+
+Virtual services use full URL host and path information to route incoming traffic to a Service. Each package in Big Bang manages its own Virtual Services since the paths and ports vary for each package. However, in order to receive traffic at the Virtual Service, it must be connected to a Gateway. In Big Bang we configure this under each package. The followng is an example of this configuration that matches the architecture diagram above.
+
+```yaml
+monitoring:
+  ingress:
+    gateway: "private"
+logging:
+  ingress:
+    gateway: "private"
+addons:
+  gitlab:
+    enabled: true
+    ingress:
+      gateway: "public"
+  mattermost:
+    enabled: true
+    ingress:
+      gateway: "public"
+  keycloak:
+    enabled: true
+    ingress:
+      gateway: "passthrough"
+```
+
+### Services and Pods
+
+Once traffic passes through the Virtual Service, it is passed to a Service. The service may have several redundant pods and a load balancing scheme to manage incoming traffic. It will route the traffic to the appropriate pod based on these settings. Each package implements the service and pods differently and typically the default configuration is adequate for most deployments.
diff --git a/docs/guides/prerequisites/kubernetes_preconfiguration.md b/docs/guides/prerequisites/kubernetes_preconfiguration.md
index f77e0cc51c9410ae062c4a3f5e5eeae3441fc63a..fe7663c4b55b0a8567108d39e610b0860797ef33 100644
--- a/docs/guides/prerequisites/kubernetes_preconfiguration.md
+++ b/docs/guides/prerequisites/kubernetes_preconfiguration.md
@@ -1,35 +1,35 @@
-# Kubernetes Cluster Preconfiguration:
+# Kubernetes Cluster Preconfiguration:
-## Best Practices:
+## Best Practices:
 * A CNI (Container Network Interface) that supports Network Policies (which are basically firewalls for the Inner Cluster Network.) (Note: k3d, which is recommended for the quickstart demo, defaults to flannel, which does not support network policies.)
 * All Kubernetes Nodes and the LB associated with the kube-apiserver should all use private IPs.
-* In most case User Application Facing LBs should have Private IP Addresses and be paired with a defense in depth Ingress Protection mechanism like [P1's CNAP](https://p1.dso.mil/#/products/cnap/), a CNAP equivalent (Advanced Edge Firewall), VPN, VDI, port forwarding through a bastion, or air gap deployment.
+* In most case User Application Facing LBs should have Private IP Addresses and be paired with a defense in depth Ingress Protection mechanism like [P1's CNAP](https://p1.dso.mil/#/products/cnap/), a CNAP equivalent (Advanced Edge Firewall), VPN, VDI, port forwarding through a bastion, or air gap deployment.
 * CoreDNS in the kube-system namespace should be HA with pod anti-affinity rules
 * Master Nodes should be HA and tainted.
-* Consider using a licensed Kubernetes Distribution with a support contract.
+* Consider using a licensed Kubernetes Distribution with a support contract.
 * [A default storage class should exist](default_storageclass.md) to support dynamic provisioning of persistent volumes.
 ## Service of Type Load Balancer:
 BigBang's default configuration assumes the cluster you're deploying to supports dynamic load balancer provisioning. Specifically Istio defaults to creating a Kubernetes Service of type Load Balancer, which usually creates an endpoint exposed outside of the cluster that can direct traffic inside the cluster to the istio ingress gateway.
-How Kubernetes service of type LB works depends on implementation details, there are many ways of getting it to work, common methods are listed below:
-* CSP API Method: (Recommended option for Cloud Deployments)
+How Kubernetes service of type LB works depends on implementation details, there are many ways of getting it to work, common methods are listed below:
+* CSP API Method: (Recommended option for Cloud Deployments)
 The Kubernetes Control Plane has a --cloud-provider flag that can be set to aws, azure, etc. If the Kubernetes Master Nodes have that flag set and CSP IAM rights. The control plane will auto provision and configure CSP LBs. (Note: a Vendors Kubernetes Distro automation, may have IaC/CaC defaults that allow this to work turn key, but if you have issues when provisioning LBs, consult with the Vendor's support for the recommended way of configuring automatic LB provisioning.)
-* External LB Method: (Good for bare metal and 0 IAM rights scenarios)
+* External LB Method: (Good for bare metal and 0 IAM rights scenarios)
 You can override bigbang's helm values so istio will provision a service of type NodePort instead of type LoadBalancer. Instead of randomly generating from the port range of 30000 - 32768, the NodePorts can be pinned to convention based port numbers like 30080 & 30443. If you're in a restricted cloud env or bare metal you can ask someone to provision a CSP LB where LB:443 would map to Nodeport:30443 (of every worker node), etc.
-* No LB, Network Routing Methods: (Good options for bare metal)
- * [MetalLB](https://metallb.universe.tf/)
+* No LB, Network Routing Methods: (Good options for bare metal)
+ * [MetalLB](https://metallb.universe.tf/)
 * [kubevip](https://kube-vip.io/)
 * [kube-router](https://www.kube-router.io)
-## BigBang doesn't support PSPs (Pod Security Policies):
-* [PSP's are being removed from Kubernetes and will be gone by version 1.25.x](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/10)
+## BigBang doesn't support PSPs (Pod Security Policies):
+* [PSP's are being removed from Kubernetes and will be gone by version 1.25.x](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/10)
 * [Open Policy Agent Gatekeeper can enforce the same security controls as PSPs](https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy#pod-security-policies), and is core component of BigBang, which operates as an elevated [validating admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to audit and enforce various [constraints](https://github.com/open-policy-agent/frameworks/tree/master/constraint) on all requests sent to the kubernetes api server.
-* We recommend users disable PSPs completely given they're being removed, we have a replacement, and PSPs can prevent OPA from deploying (and if OPA is not able to deploy, nothing else gets deployed).
-* Different ways of Disabling PSPs:
+* We recommend users disable PSPs completely given they're being removed, we have a replacement, and PSPs can prevent OPA from deploying (and if OPA is not able to deploy, nothing else gets deployed).
+* Different ways of Disabling PSPs:
 * Edit the kube-apiserver's flags (methods for doing this varry per distro.)
 * ```bash
 kubectl patch psp system-unrestricted-psp -p '{"metadata": {"annotations":{"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*"}}}'
@@ -39,8 +39,8 @@ You can override bigbang's helm values so istio will provision a service of type
 ## Kubernetes Distribution Specific Notes
-* Note: P1 has forks of various [Kubernetes Distribution Vendor Repos](https://repo1.dso.mil/platform-one/distros), there's nothing special about the P1 forks.
-* We recommend you leverage the Vendors upstream docs in addition to any docs found in P1 Repos; infact, the Vendor's upstream docs are far more likely to be up to date.
+* Note: P1 has forks of various [Kubernetes Distribution Vendor Repos](https://repo1.dso.mil/platform-one/distros), there's nothing special about the P1 forks.
+* We recommend you leverage the Vendors upstream docs in addition to any docs found in P1 Repos; infact, the Vendor's upstream docs are far more likely to be up to date.
 ### VMWare Tanzu Kubernetes Grid:
 [Prerequisites section of VMware Kubernetes Distribution Docs's](https://repo1.dso.mil/platform-one/distros/vmware/tkg#prerequisites)
@@ -63,9 +63,9 @@ openshift: true
 helm install bigbang chart --set openshift=true
 ```
-2) Patch the istio-cni daemonset to allow containers to run privileged (AFTER istio-cni daemonset exists).
-Note: it was unsuccessfully attempted to apply this setting via modifications to the helm chart. Online patching succeeded.
-
+2) Patch the istio-cni daemonset to allow containers to run privileged (AFTER istio-cni daemonset exists).
+Note: it was unsuccessfully attempted to apply this setting via modifications to the helm chart. Online patching succeeded.
+
 ```
 kubectl get daemonset istio-cni-node -n kube-system -o json | jq '.spec.template.spec.containers[] += {"securityContext":{"privileged":true}}' | kubectl replace -f -
 ```
@@ -73,8 +73,8 @@ kubectl get daemonset istio-cni-node -n kube-system -o json | jq '.spec.template
 3) Modify the OpenShift cluster(s) with the following scripts based on https://istio.io/v1.7/docs/setup/platform-setup/openshift/
 ```
-# Istio Openshift configurations Post Install
-oc -n istio-system expose svc/istio-ingressgateway --port=http2
+# Istio Openshift configurations Post Install
+oc -n istio-system expose svc/public-ingressgateway --port=http2
 oc adm policy add-scc-to-user privileged -z istio-cni -n kube-system
 oc adm policy add-scc-to-group privileged system:serviceaccounts:logging
 oc adm policy add-scc-to-group anyuid system:serviceaccounts:logging
@@ -92,7 +92,7 @@ oc -n monitoring create -f NetworkAttachmentDefinition.yaml
 ```
 ### Konvoy
-* [Prerequistes can be found here](https://repo1.dso.mil/platform-one/distros/d2iq/konvoy/konvoy/-/tree/master/docs/1.5.0#prerequisites)
+* [Prerequistes can be found here](https://repo1.dso.mil/platform-one/distros/d2iq/konvoy/konvoy/-/tree/master/docs/1.5.0#prerequisites)
 * [Different Deployment Scenarios have been documented here](https://repo1.dso.mil/platform-one/distros/d2iq/konvoy/konvoy/-/tree/master/docs/1.4.4/install)
 ### RKE2
@@ -111,5 +111,5 @@ cloud-provider-config: ...
 For example, if using the aws terraform modules provided [on repo1](https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform), setting the variable: `enable_ccm = true` will ensure all the necessary resources tags.
-In the absence of an in-tree cloud provider (such as on-prem), the requirements can be met by ensuring a default storage class and automatic load balancer provisioning exist.
+In the absence of an in-tree cloud provider (such as on-prem), the requirements can be met by ensuring a default storage class and automatic load balancer provisioning exist.
diff --git a/hack/secrets/ingress-cert.yaml b/hack/secrets/ingress-cert.yaml
index 7d552e0452d3b9b3320eb6703147866f810a1e0a..976448835a237ea9eee6092493f3c20843d3da9e 100644
--- a/hack/secrets/ingress-cert.yaml
+++ b/hack/secrets/ingress-cert.yaml
@@ -4,7 +4,7 @@ data:
   tls.key: ENC[AES256_GCM,data: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,iv:2DfvK3ZcnWwP49qxnBvJzQ+H/brBagE+n7moKnr4LSI=,tag:b0h5pt9avmN9vpN6oGSkaw==,type:str]
 kind: Secret
 metadata:
-  name: wildcard-cert
+  name: public-cert
 type: kubernetes.io/tls
 sops:
   kms: []
diff --git a/scripts/hosts.sh b/scripts/hosts.sh
index ad4ff4fbdb5336bf49694c9d223b0edb5d7e729e..6e033a257cbfcb54ff5c7eaff997417ee0edc2d1 100755
--- a/scripts/hosts.sh
+++ b/scripts/hosts.sh
@@ -1,9 +1,9 @@
-#!/bin/bash
+#!/bin/bash
 set -e
-## Adds all the vs hostnames and LB IP to /etc/hosts
-## Get the LB Hostname
-INGRESS_LB_Hostname=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
+## Adds all the vs hostnames and LB IP to /etc/hosts
+## Get the LB Hostname
+INGRESS_LB_Hostname=$(kubectl get svc -n istio-system public-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
 ## Get IP address from Hostname
 INGRESS_LB_IP=$(dig $INGRESS_LB_Hostname +search +short | head -1)
diff --git a/tests/bash/01_virtualservices.sh b/tests/bash/01_virtualservices.sh
index 872ecb8cccdda81b62dfdec86056d2b298843f6b..9189a6dc042b5945c68761d7a61c7b1e4a5540ed 100755
--- a/tests/bash/01_virtualservices.sh
+++ b/tests/bash/01_virtualservices.sh
@@ -4,7 +4,7 @@ set -e
 # Populate /etc/hosts
-ip=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ip=$(kubectl -n istio-system get service public-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo "Checking "
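Review bot: The new `INGRESS_LB_Hostname=$(kubectl get svc -n istio-system public-ingressgateway ...)` line in the scripts/hosts.sh hunk is never checked for an empty result; if `public-ingressgateway` is deployed as a NodePort gateway, as the docs example in this same change shows, the service has no `.status.loadBalancer.ingress` entry, kubectl still exits 0, and `set -e` lets the script continue to `dig $INGRESS_LB_Hostname` with an empty, unquoted argument. A guard right after the assignment makes the failure explicit: `[ -n "$INGRESS_LB_Hostname" ] || { echo "public-ingressgateway has no load balancer hostname" >&2; exit 1; }`. The `ip=$(kubectl ... public-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')` line in the tests/bash/01_virtualservices.sh hunk on this same line has the same gap and would benefit from the same non-empty check. The remainder of both scripts is outside these hunks, so the downstream effect of an empty value is inferred, not visible.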
diff --git a/tests/ci/k3d/values.yaml b/tests/ci/k3d/values.yaml
index 7f159a5d75a8af14044b7d663a63a91b55678145..064ce565ab4574aa78dade98911eb5db4cb3ed93 100644
--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -413,6 +413,8 @@ addons:
   keycloak:
     enabled: false
+    ingress:
+      gateway: "public"
     values:
       replicas: 1
       resources:
diff --git a/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml b/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml
index e4517a841f75eb27e7d4a003b25d7301988a06a9..025dcf12bf0539e1d43b8d4092200a417f70117b 100644
--- a/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml
+++ b/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: wildcard-cert
+  name: public-cert
   namespace: istio-system
 type: kubernetes.io/tls
 stringData:
diff --git a/tests/ci/secrets/README.md b/tests/ci/secrets/README.md
index 24b16124ff9d924cc7df09fa3fe962e81b6e603e..a4815e613817be529f49a779f228c5bff229b779 100644
--- a/tests/ci/secrets/README.md
+++ b/tests/ci/secrets/README.md
@@ -19,7 +19,7 @@ sudo chown -R tom certs
 ## Unencrypt Cert
 ```bash
-kubectl create secret tls wildcard-cert -n istio-system --key=certs/privkey.pem --cert=certs/fullchain.pem --dry-run=client -oyaml > ingress-cert.yaml
+kubectl create secret tls public-cert -n istio-system --key=certs/privkey.pem --cert=certs/fullchain.pem --dry-run=client -oyaml > ingress-cert.yaml
 ```
 ## Recrypt Cert
diff --git a/tests/ci/secrets/ingress-cert.yaml b/tests/ci/secrets/ingress-cert.yaml
index 4ed058062d548c9d86b106f55cc8f3e1a92e6a58..660b1c1fdce7e615ae9040865f9c11d157d8d3b1 100644
--- a/tests/ci/secrets/ingress-cert.yaml
+++ b/tests/ci/secrets/ingress-cert.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: wildcard-cert
+  name: public-cert
   namespace: istio-system
 type: kubernetes.io/tls
 data:
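Review bot: The added `ingress: gateway: "public"` under `keycloak` in the tests/ci/k3d/values.yaml hunk attaches Keycloak to a TLS-terminating gateway, while the architecture doc in this same change says Keycloak must manage its own TLS and shows it on the `passthrough` gateway. Keycloak is `enabled: false` here, so nothing is affected today, but the value is a trap for whoever next enables it in CI, since the mismatch with the documented pattern is silent at deploy time. If the k3d CI values do define a passthrough gateway, `gateway: "passthrough"` would match the docs; if they deliberately only define a public gateway, a comment such as `# keycloak is disabled in CI; "public" keeps the value valid but does not match the documented passthrough setup` would record the reason. Whether a passthrough gateway exists in this values file is not visible in the hunk.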