Compare revisions

Jason Krause · Jason Krause · Jason Krause · Jason Krause · Ronnie Webb · Micah Nagel
--- a/.gitignore
+++ b/.gitignore
@@ -21,7 +21,6 @@ npm-debug.log*
 patch.yaml
 notes
 ignore/*
-chart/*values.yaml

 # Visual Studio Code
 .vscode/*

--- a/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
+++ b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
@@ -27,6 +27,8 @@
    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
    DOCKER_DRIVER: overlay2
  before_script:
+    # Give docker-in-docker time to come alive
+    - i=0; while [ "$i" -lt 12 ]; do docker info &>/dev/null && break; sleep 5; i=$(( i + 1 )) ; done
    - docker network create ${CI_JOB_ID} --driver=bridge -o "com.docker.network.driver.mtu"="1450"
    - k3d cluster create ${CI_JOB_ID} --config tests/ci/k3d/config.yaml --network ${CI_JOB_ID}
    - until kubectl get deployment coredns -n kube-system -o go-template='{{.status.availableReplicas}}' | grep -v -e '<no value>'; do sleep 1s; done

--- a/.gitlab/merge_request_templates/package_owner.md
+++ b/.gitlab/merge_request_templates/package_owner.md
@@ -14,9 +14,9 @@ If possible, provide additional details that will help with the merge request.

 Known issues or expected conflicts?

-Also, include any issues closed with "Closes #ISSUENUMBER". See example:
+Also, include any issues closed with "Closes #ISSUE_NUMBER". See example:

-Closes #123
+Closes #ISSUE_NUMBER

 Add any labels for affected packages so that they are deployed in CI. See example:


--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,19 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
+## [1.14.0]
+
+* [!1.14.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.14.0); List of merge requests in this release.
+
+## [1.13.1]
+
+* [!722](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/722): Bumping Gatekeeper tag, reducing pod footprint, cleaning up constraints
+* [!730](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/730): Bumping Gatekeeper tag, properly excluding all of "kube-system" namespace from gatekeeper via upstream recommendation, removing "kube-system" exclusions from package values.
+
+## [1.13.0]
+
+[!1.13.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.13.0); List of Merge Requests in this Release
+
 ## [1.12.0]

 [!1.12.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.12.0); List of Merge Requests in this Release

--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -40,7 +40,7 @@ charter/                        @gabe.scarberry @joshwolf @megamind @micah.nagel
 ^[Istio, Istio Operator, and Authservice]
 chart/Chart.yaml                @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
 chart/values.yaml               @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
-chart/templates/authservice     @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/templates/authservice     @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher @cdevarenne
 chart/templates/istio           @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher

 ^[HAProxy]

--- a/README.md
+++ b/README.md
 # bigbang

-![Version: 1.12.0](https://img.shields.io/badge/Version-1.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.14.0](https://img.shields.io/badge/Version-1.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

@@ -63,9 +63,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istio.enabled | bool | `true` | Toggle deployment of Istio. |
 | istio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git"` |  |
 | istio.git.path | string | `"./chart"` |  |
-| istio.git.tag | string | `"1.8.4-bb.5"` |  |
+| istio.git.tag | string | `"1.8.4-bb.6"` |  |
+| istio.ingressGateways.public-ingressgateway.type | string | `"LoadBalancer"` |  |
+| istio.ingressGateways.public-ingressgateway.kubernetesResourceSpec | object | `{}` |  |
+| istio.gateways.public.ingressGateway | string | `"public-ingressgateway"` |  |
+| istio.gateways.public.hosts[0] | string | `"*.{{ .Values.hostname }}"` |  |
+| istio.gateways.public.tls.key | string | `""` |  |
+| istio.gateways.public.tls.cert | string | `""` |  |
 | istio.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Package |
-| istio.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the default certificate for exposing BigBang created applications. If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`. |
 | istio.values | object | `{}` | Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git |
 | istio.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | istiooperator.enabled | bool | `true` | Toggle deployment of Istio Operator. |
@@ -78,8 +83,9 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | jaeger.enabled | bool | `true` | Toggle deployment of Jaeger. |
 | jaeger.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git"` |  |
 | jaeger.git.path | string | `"./chart"` |  |
-| jaeger.git.tag | string | `"2.22.0-bb.1"` |  |
-| jaeger.flux | object | `{}` | Flux reconciliation overrides specifically for the Jaeger Package |
+| jaeger.git.tag | string | `"2.23.0-bb.1"` |  |
+| jaeger.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Jaeger Package |
+| jaeger.ingress.gateway | string | `""` |  |
 | jaeger.sso.enabled | bool | `false` | Toggle SSO for Jaeger on and off |
 | jaeger.sso.client_id | string | `""` | OIDC Client ID to use for Jaeger |
 | jaeger.sso.client_secret | string | `""` | OIDC Client Secret to use for Jaeger |
@@ -88,8 +94,9 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | kiali.enabled | bool | `true` | Toggle deployment of Kiali. |
 | kiali.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git"` |  |
 | kiali.git.path | string | `"./chart"` |  |
-| kiali.git.tag | string | `"1.36.0-bb.2"` |  |
+| kiali.git.tag | string | `"1.37.0-bb.0"` |  |
 | kiali.flux | object | `{}` | Flux reconciliation overrides specifically for the Kiali Package |
+| kiali.ingress.gateway | string | `""` |  |
 | kiali.sso.enabled | bool | `false` | Toggle SSO for Kiali on and off |
 | kiali.sso.client_id | string | `""` | OIDC Client ID to use for Kiali |
 | kiali.sso.client_secret | string | `""` | OIDC Client Secret to use for Kiali |
@@ -98,22 +105,23 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | clusterAuditor.enabled | bool | `true` | Toggle deployment of Cluster Auditor. |
 | clusterAuditor.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git"` |  |
 | clusterAuditor.git.path | string | `"./chart"` |  |
-| clusterAuditor.git.tag | string | `"0.3.0-bb.2"` |  |
+| clusterAuditor.git.tag | string | `"0.3.0-bb.5"` |  |
 | clusterAuditor.flux | object | `{}` | Flux reconciliation overrides specifically for the Cluster Auditor Package |
 | clusterAuditor.values | object | `{}` | Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git |
 | clusterAuditor.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
 | gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` |  |
 | gatekeeper.git.path | string | `"./chart"` |  |
-| gatekeeper.git.tag | string | `"3.4.0-bb.13"` |  |
-| gatekeeper.flux | object | `{}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
+| gatekeeper.git.tag | string | `"3.5.1-bb.8"` |  |
+| gatekeeper.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
 | gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
 | gatekeeper.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
 | logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` |  |
 | logging.git.path | string | `"./chart"` |  |
-| logging.git.tag | string | `"0.1.16-bb.0"` |  |
+| logging.git.tag | string | `"0.1.18-bb.0"` |  |
 | logging.flux | object | `{"timeout":"20m"}` | Flux reconciliation overrides specifically for the Logging (EFK) Package |
+| logging.ingress.gateway | string | `""` |  |
 | logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
 | logging.sso.client_id | string | `""` | Elasticsearch/Kibana OIDC client ID |
 | logging.sso.client_secret | string | `""` | Elasticsearch/Kibana OIDC client secret |
@@ -124,21 +132,22 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | eckoperator.enabled | bool | `true` | Toggle deployment of ECK Operator. |
 | eckoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git"` |  |
 | eckoperator.git.path | string | `"./chart"` |  |
-| eckoperator.git.tag | string | `"1.6.0-bb.0"` |  |
+| eckoperator.git.tag | string | `"1.6.0-bb.2"` |  |
 | eckoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the ECK Operator Package |
 | eckoperator.values | object | `{}` | Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git |
 | fluentbit.enabled | bool | `true` | Toggle deployment of Fluent-Bit. |
 | fluentbit.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git"` |  |
 | fluentbit.git.path | string | `"./chart"` |  |
-| fluentbit.git.tag | string | `"0.15.15-bb.0"` |  |
+| fluentbit.git.tag | string | `"0.16.1-bb.0"` |  |
 | fluentbit.flux | object | `{}` | Flux reconciliation overrides specifically for the Fluent-Bit Package |
 | fluentbit.values | object | `{}` | Values to passthrough to the fluentbit chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git |
 | fluentbit.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
 | monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` |  |
 | monitoring.git.path | string | `"./chart"` |  |
-| monitoring.git.tag | string | `"11.0.0-bb.27"` |  |
-| monitoring.flux | object | `{}` | Flux reconciliation overrides specifically for the Monitoring Package |
+| monitoring.git.tag | string | `"14.0.0-bb.3"` |  |
+| monitoring.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Monitoring Package |
+| monitoring.ingress.gateway | string | `""` |  |
 | monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
 | monitoring.sso.prometheus.client_id | string | `""` | Prometheus OIDC client ID |
 | monitoring.sso.prometheus.client_secret | string | `""` | Prometheus OIDC client secret |
@@ -154,15 +163,17 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | twistlock.enabled | bool | `true` | Toggle deployment of Twistlock. |
 | twistlock.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git"` |  |
 | twistlock.git.path | string | `"./chart"` |  |
-| twistlock.git.tag | string | `"0.0.6-bb.0"` |  |
+| twistlock.git.tag | string | `"0.0.6-bb.1"` |  |
 | twistlock.flux | object | `{}` | Flux reconciliation overrides specifically for the Twistlock Package |
+| twistlock.ingress.gateway | string | `""` |  |
 | twistlock.values | object | `{}` | Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git |
 | twistlock.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
 | addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` |  |
 | addons.argocd.git.path | string | `"./chart"` |  |
-| addons.argocd.git.tag | string | `"3.6.8-bb.4"` |  |
+| addons.argocd.git.tag | string | `"3.6.8-bb.5"` |  |
 | addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
+| addons.argocd.ingress.gateway | string | `""` |  |
 | addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
 | addons.argocd.sso.client_id | string | `""` | ArgoCD OIDC client ID |
 | addons.argocd.sso.client_secret | string | `""` | ArgoCD OIDC client secret |
@@ -173,7 +184,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.authservice.enabled | bool | `false` | Toggle deployment of Authservice. if enabling authservice, a filter needs to be provided by either enabling sso for monitoring or istio, or manually adding a filter chain in the values here: values:   chain:     minimal:       callback_uri: "https://somecallback" |
 | addons.authservice.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git"` |  |
 | addons.authservice.git.path | string | `"./chart"` |  |
-| addons.authservice.git.tag | string | `"0.4.0-bb.8"` |  |
+| addons.authservice.git.tag | string | `"0.4.0-bb.10"` |  |
 | addons.authservice.flux | object | `{}` | Flux reconciliation overrides specifically for the Authservice Package |
 | addons.authservice.values | object | `{}` | Values to passthrough to the authservice chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git |
 | addons.authservice.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
@@ -188,8 +199,9 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.minio.enabled | bool | `false` | Toggle deployment of minio. |
 | addons.minio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git"` |  |
 | addons.minio.git.path | string | `"./chart"` |  |
-| addons.minio.git.tag | string | `"2.0.9-bb.12"` |  |
+| addons.minio.git.tag | string | `"2.0.9-bb.13"` |  |
 | addons.minio.flux | object | `{}` | Flux reconciliation overrides specifically for the Minio Package |
+| addons.minio.ingress.gateway | string | `""` |  |
 | addons.minio.accesskey | string | `""` | Default access key to use for minio. |
 | addons.minio.secretkey | string | `""` | Default secret key to intstantiate with minio, you should change/delete this after installation. |
 | addons.minio.values | object | `{}` | Values to passthrough to the minio instance chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git |
@@ -201,6 +213,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.gitlab.git.path | string | `"./chart"` |  |
 | addons.gitlab.git.tag | string | `"4.10.3-bb.14"` |  |
 | addons.gitlab.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Package |
+| addons.gitlab.ingress.gateway | string | `""` |  |
 | addons.gitlab.sso.enabled | bool | `false` | Toggle OIDC SSO for Gitlab on and off. Enabling this option will auto-create any required secrets. |
 | addons.gitlab.sso.client_id | string | `""` | Gitlab OIDC client ID |
 | addons.gitlab.sso.client_secret | string | `""` | Gitlab OIDC client secret |
@@ -228,8 +241,9 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.nexus.enabled | bool | `false` | Toggle deployment of Nexus. |
 | addons.nexus.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git"` |  |
 | addons.nexus.git.path | string | `"./chart"` |  |
-| addons.nexus.git.tag | string | `"29.1.0-bb.5"` |  |
+| addons.nexus.git.tag | string | `"29.1.0-bb.7"` |  |
 | addons.nexus.license_key | string | `""` | Base64 encoded license file. |
+| addons.nexus.ingress.gateway | string | `""` |  |
 | addons.nexus.sso.enabled | bool | `false` | Toggle SAML SSO for NXRM. -- handles SAML SSO, a Client must be configured in Keycloak or IdP -- to complete setup. -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599 |
 | addons.nexus.sso.idp_data | object | `{"email":"","firstName":"","groups":"","idpMetadata":"","lastName":"","username":""}` | NXRM SAML SSO Integration data |
 | addons.nexus.sso.idp_data.username | string | `""` | IdP Field Mappings -- NXRM username attribute |
@@ -246,6 +260,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.sonarqube.git.path | string | `"./chart"` |  |
 | addons.sonarqube.git.tag | string | `"9.2.6-bb.13"` |  |
 | addons.sonarqube.flux | object | `{}` | Flux reconciliation overrides specifically for the Sonarqube Package |
+| addons.sonarqube.ingress.gateway | string | `""` |  |
 | addons.sonarqube.sso.enabled | bool | `false` | Toggle SAML SSO for SonarQube. Enabling this option will auto-create any required secrets. |
 | addons.sonarqube.sso.client_id | string | `""` | SonarQube SAML client ID |
 | addons.sonarqube.sso.label | string | `""` | SonarQube SSO login button label |
@@ -266,17 +281,19 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.haproxy.git.path | string | `"./chart"` |  |
 | addons.haproxy.git.tag | string | `"1.1.2-bb.0"` |  |
 | addons.haproxy.flux | object | `{}` | Flux reconciliation overrides specifically for the HAProxy Package |
+| addons.haproxy.ingress.gateway | string | `""` |  |
 | addons.haproxy.values | object | `{}` | Values to passthrough to the haproxy chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git |
 | addons.haproxy.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.anchore.enabled | bool | `false` | Toggle deployment of Anchore. |
 | addons.anchore.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git"` |  |
 | addons.anchore.git.path | string | `"./chart"` |  |
-| addons.anchore.git.tag | string | `"1.13.0-bb.3"` |  |
+| addons.anchore.git.tag | string | `"1.13.0-bb.4"` |  |
 | addons.anchore.flux | object | `{"upgrade":{"disableWait":true}}` | Flux reconciliation overrides specifically for the Anchore Package |
 | addons.anchore.adminPassword | string | `""` | Initial admin password used to authenticate to Anchore. |
 | addons.anchore.enterprise | object | `{"enabled":false,"licenseYaml":"FULL LICENSE\n"}` | Anchore Enterprise functionality. |
 | addons.anchore.enterprise.enabled | bool | `false` | Toggle the installation of Anchore Enterprise.  This must be accompanied by a valid license. |
 | addons.anchore.enterprise.licenseYaml | string | `"FULL LICENSE\n"` | License for Anchore Enterprise. For formatting examples see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#enabling-enterprise-services |
+| addons.anchore.ingress.gateway | string | `""` |  |
 | addons.anchore.sso.enabled | bool | `false` | Toggle OIDC SSO for Anchore on and off. Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license). |
 | addons.anchore.sso.client_id | string | `""` | Anchore OIDC client ID |
 | addons.anchore.sso.role_attribute | string | `""` | Anchore OIDC client role attribute |
@@ -302,11 +319,12 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
 | addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` |  |
 | addons.mattermost.git.path | string | `"./chart"` |  |
-| addons.mattermost.git.tag | string | `"0.1.6-bb.7"` |  |
+| addons.mattermost.git.tag | string | `"0.1.6-bb.8"` |  |
 | addons.mattermost.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Package |
 | addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
 | addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install. |
 | addons.mattermost.enterprise.license | string | `""` | License for Mattermost. This should be the entire contents of the license file from Mattermost (should be one line), example below license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN |
+| addons.mattermost.ingress.gateway | string | `""` |  |
 | addons.mattermost.sso.enabled | bool | `false` | Toggle OIDC SSO for Mattermost on and off. Enabling this option will auto-create any required secrets. |
 | addons.mattermost.sso.client_id | string | `""` | Mattermost OIDC client ID |
 | addons.mattermost.sso.client_secret | string | `""` | Mattermost OIDC client secret |
@@ -330,16 +348,15 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.velero.enabled | bool | `false` | Toggle deployment of Velero. |
 | addons.velero.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git"` |  |
 | addons.velero.git.path | string | `"./chart"` |  |
-| addons.velero.git.tag | string | `"2.21.1-bb.6"` |  |
+| addons.velero.git.tag | string | `"2.23.5-bb.0"` |  |
 | addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
-| addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure  |
+| addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi  |
 | addons.velero.values | object | `{}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
 | addons.velero.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
-| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak. |
+| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak. if you enable Keycloak you should uncomment the istio passthrough configurations above istio.ingressGateways.passthrough-ingressgateway and istio.gateways.passthrough |
 | addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` |  |
 | addons.keycloak.git.path | string | `"./chart"` |  |
-| addons.keycloak.git.tag | string | `"11.0.1-bb.0"` |  |
-| addons.keycloak.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the certificate for exposing Keycloak Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart |
+| addons.keycloak.git.tag | string | `"11.0.1-bb.1"` |  |
 | addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use for Keycloak. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
 | addons.keycloak.database.type | string | `"postgres"` | Pre-existing database type (e.g. postgres) to use for Keycloak. |
 | addons.keycloak.database.port | int | `5432` | Port of a pre-existing database to use for Keycloak. |
@@ -347,6 +364,9 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.keycloak.database.username | string | `""` | Username to connect as to external database, the user must have all privileges on the database. |
 | addons.keycloak.database.password | string | `""` | Database password for the username used to connect to the existing database. |
 | addons.keycloak.flux | object | `{}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
+| addons.keycloak.ingress.gateway | string | `"passthrough"` |  |
+| addons.keycloak.ingress.key | string | `""` | Certificate/Key pair to use as the certificate for exposing Keycloak Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart |
+| addons.keycloak.ingress.cert | string | `""` |  |
 | addons.keycloak.values | object | `{}` | Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git |

 ## Contributing

--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
  ref:
-    tag: 1.12.0
+    tag: 1.14.0
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.12.0
+version: 1.14.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

 type: application
@@ -25,4 +25,4 @@ maintainers:
  - name: Josh Wolf
    email: josh@rancherfederal.com

-icon: https://p1.dso.mil/img/Big_Bang_Color_Logo_White_text.b04263b1.png
\ No newline at end of file
+icon: https://p1.dso.mil/img/Big_Bang_Color_Logo_White_text.b04263b1.png
--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
@@ -6,6 +6,8 @@
 imagePullSecrets:
  - name: private-registry

+openshift: {{ .Values.openshift }}
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  ingressLabels:

--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -12,23 +12,33 @@ postInstall:
    image:
      pullSecrets:
      - name: private-registry
-      
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 violations:  # Try to keep this in alpha order to make it easier to find keys
+
+  {{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
  allowedDockerRegistries:
+    {{- if .Values.istio.enabled }}
    match:
-      excludedNamespaces: 
-       {{- if .Values.istio.enabled }}
+      excludedNamespaces:
        - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
-       {{- end }}
-        - kube-system # ignored as the kubernetes distro cannot be controlled
+    {{- end }}
    {{- if .Values.addons.mattermost.enabled }}
    parameters:
      exemptContainers:
        - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
    {{- end }}
+  {{- end }}
+
+  {{- if .Values.monitoring.enabled}}
+  allowedHostFilesystem:
+    match:
+      excludedNamespaces: 
+        # required for monitoring's prometheus-node-exporter to get node metrics
+        - monitoring
+  {{- end }}

  {{- if .Values.monitoring.enabled }}
  hostNetworking:
@@ -37,20 +47,19 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - monitoring # Allow node exporter to export metrics. The exporters live in pod monitoring-monitoring-prometheus-node-exporter-XXXX
  {{- end }}

+  {{- if .Values.addons.mattermost.enabled }}
  httpsOnly:
    match:
-      excludedNamespaces: 
-       {{- if .Values.addons.mattermost.enabled }}
+      excludedNamespaces:
        # mattermost currently does not useIngressTLS hence Ingress is created without TLS field by the operator.
        # Adding exemption, pending https://github.com/mattermost/mattermost-operator/issues/235
        - mattermost
-       {{- end }}
+  {{- end }}

  {{- if .Values.logging.enabled }}
  noPrivilegedContainers:
    match:
      excludedNamespaces:
-        - kube-system
        - logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
  {{- end }}

@@ -58,7 +67,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
  restrictedTaint:
    match:
      excludedNamespaces:
-        - kube-system
        - monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
  {{- end }}

@@ -69,16 +77,17 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - logging # FluentBit needs selinux option type spc_t
  {{- end }}

+  {{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}
  volumeTypes:
    match:
-      excludedNamespaces: 
+      excludedNamespaces:
       {{- if .Values.fluentbit.enabled }}
        # fluent-bit container requires certain host level access to ship logs and for keep track of state
        # https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#workflow-of-tail-kubernetes-filter
        - logging
       {{- end }}
       {{- if .Values.twistlock.enabled }}
-        # Twistlock requires /dev/log for its syslog daemon. 
+        # Twistlock requires /dev/log for its syslog daemon.
        # https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/audit/logging.html#
        - twistlock
       {{- end }}
@@ -87,5 +96,5 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        # https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-node-exporter/templates/daemonset.yaml#L150
        - monitoring
       {{- end }}
-        - kube-system #local-path_local-path-provisioner helper-pod-create-pvc
+  {{- end }}
 {{- end -}}
--- a/chart/templates/gitlab/secret-objectstore.yaml
+++ b/chart/templates/gitlab/secret-objectstore.yaml
@@ -47,5 +47,6 @@ stringData:
      secret_key = {{ .Values.addons.gitlab.objectStorage.accessSecret }}
      bucket_location = {{ .Values.addons.gitlab.objectStorage.region }}
      host_bucket = %(bucket)s.{{ regexReplaceAll "http(s*)://" .Values.addons.gitlab.objectStorage.endpoint "" }}
+      multipart_chunk_size_mb = 128
+{{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -13,6 +13,9 @@ imagePullSecrets:

 openshift: {{ .Values.openshift }}

+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
@@ -73,4 +76,4 @@ k8s:
      name: tls
      nodePort: {{ add .nodePortBase 3 }}
    {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/keycloak/values.yaml
+++ b/chart/templates/keycloak/values.yaml
@@ -10,6 +10,8 @@ imagePullSecrets:

 hostname: {{ .Values.hostname }}

+openshift: {{ .Values.openshift }}
+
 istio:
  enabled: {{ .Values.istio.enabled }}
  keycloak:
@@ -80,4 +82,4 @@ extraVolumeMountsBigBang:
    readOnly: true
 {{- end }}

-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
@@ -35,6 +35,13 @@ cr:
      {{- else }}
      strategy: token
      {{- end }}
+    external_services:
+      grafana:
+        {{- $grafanaUrls := first (dig "istio" "grafana" "hosts" list .Values.monitoring.values) }}
+        url: https://{{ tpl ($grafanaUrls | default (printf "%s.%s" "grafana" .Values.hostname)) . }}
+      tracing:
+        {{- $tracingUrls := first (dig "istio" "jaeger" "hosts" list .Values.jaeger.values) }}
+        url: https://{{ tpl ($tracingUrls | default (printf "%s.%s" "tracing" .Values.hostname)) . }}
    api:
      namespaces:
        # bigbang watches all!

--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -4,6 +4,9 @@

 {{- define "bigbang.defaults.logging" -}}
 hostname: {{ .Values.hostname }}
+
+openshift: {{ .Values.openshift }}
+
 istio:
  enabled: {{ .Values.istio.enabled }}
  kibana:

--- a/chart/templates/nexus-repository-manager/values.yaml
+++ b/chart/templates/nexus-repository-manager/values.yaml
@@ -11,6 +11,8 @@ istio:
    gateways:
    - istio-system/{{ default "public" .Values.addons.nexus.ingress.gateway }}

+openshift: {{ .Values.openshift }}
+
 monitoring:
  enabled: {{ .Values.monitoring.enabled }}


--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -5,6 +5,8 @@
 {{- define "bigbang.defaults.twistlock" -}}
 hostname: {{ .Values.hostname }}

+openshift: {{ .Values.openshift }}
+
 prometheus:
  servicemonitor:
    enabled: {{ .Values.monitoring.enabled }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -224,7 +224,7 @@ kiali:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git
    path: "./chart"
-    tag: "1.36.0-bb.3"
+    tag: "1.37.0-bb.0"

  # -- Flux reconciliation overrides specifically for the Kiali Package
  flux: {}
@@ -260,7 +260,7 @@ clusterAuditor:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
    path: "./chart"
-    tag: "0.3.0-bb.4"
+    tag: "0.3.0-bb.5"

  # -- Flux reconciliation overrides specifically for the Cluster Auditor Package
  flux: {}
@@ -281,7 +281,7 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.5.1-bb.4"
+    tag: "3.5.1-bb.8"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
  flux:
@@ -306,7 +306,7 @@ logging:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
    path: "./chart"
-    tag: "0.1.17-bb.0"
+    tag: "0.1.18-bb.0"

  # -- Flux reconciliation overrides specifically for the Logging (EFK) Package
  flux:
@@ -346,7 +346,7 @@ eckoperator:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
    path: "./chart"
-    tag: "1.6.0-bb.1"
+    tag: "1.6.0-bb.2"

  # -- Flux reconciliation overrides specifically for the ECK Operator Package
  flux: {}
@@ -360,7 +360,7 @@ fluentbit:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
    path: "./chart"
-    tag: "0.15.15-bb.0"
+    tag: "0.16.1-bb.0"

  # -- Flux reconciliation overrides specifically for the Fluent-Bit Package
  flux: {}
@@ -381,7 +381,7 @@ monitoring:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
    path: "./chart"
-    tag: "14.0.0-bb.1"
+    tag: "14.0.0-bb.3"

  # -- Flux reconciliation overrides specifically for the Monitoring Package
  flux:
@@ -442,7 +442,7 @@ twistlock:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
    path: "./chart"
-    tag: "0.0.6-bb.0"
+    tag: "0.0.6-bb.1"

  # -- Flux reconciliation overrides specifically for the Twistlock Package
  flux: {}
@@ -467,7 +467,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
      path: "./chart"
-      tag: "3.6.8-bb.4"
+      tag: "3.6.8-bb.5"

    # -- Flux reconciliation overrides specifically for the ArgoCD Package
    flux: {}
@@ -511,7 +511,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
      path: "./chart"
-      tag: "0.4.0-bb.8"
+      tag: "0.4.0-bb.10"

    # -- Flux reconciliation overrides specifically for the Authservice Package
    flux: {}
@@ -551,7 +551,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
      path: "./chart"
-      tag: "2.0.9-bb.12"
+      tag: "2.0.9-bb.13"

    # -- Flux reconciliation overrides specifically for the Minio Package
    flux: {}
@@ -675,7 +675,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git
      path: "./chart"
-      tag: "29.1.0-bb.5"
+      tag: "29.1.0-bb.7"

    # -- Base64 encoded license file.
    license_key: ""
@@ -1018,7 +1018,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
      path: "./chart"
-      tag: "2.23.3-bb.0"
+      tag: "2.23.5-bb.0"

    # -- Flux reconciliation overrides specifically for the Velero Package
    flux: {}
@@ -1046,7 +1046,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
      path: "./chart"
-      tag: "11.0.1-bb.0"
+      tag: "11.0.1-bb.1"

    database:
      # -- Hostname of a pre-existing database to use for Keycloak.

--- a/charter/GitlabLabels.md
+++ b/charter/GitlabLabels.md
@@ -41,17 +41,25 @@ Improvements on testing for individual packages or Big Bang.  Does not change th

 ### priority

-#### `priority::high`
+#### `priority::1`

-`priority::high` issues are causing runtime issues in production environments. These issues justify a patch of a release.
+`priority::1` issues are causing runtime issues in production environments. These issues justify a patch of a release.

-#### `priority:: medium`
+#### `priority::2`

-`priority:: medium` issues are defined by bugs that degrade system performance, but workarounds are available.  
+`priority::2` TBD

-#### `priority::low`
+#### `priority::3`

-`priority::low` issues are superficial and do not have any impact on the functioning of production systems
+`priority:: 3` issues are defined by bugs that degrade system performance, but workarounds are available.
+
+#### `priority::4`
+
+`priority:: 4` TBD
+
+#### `priority::5`
+
+`priority::5` issues are superficial and do not have any impact on the functioning of production systems

 ### Status

@@ -145,17 +153,25 @@ Epic is blocked by an external dependency that needs to be solved before work ca

 ### Priority

-#### `priority::low`
+#### `priority::1`

-A nice to have, but not needed to advance the product.
+Top of the backlog and should be broken down and worked on when cycles become available.

-#### `priority::medium`
+#### `priority::2`
+
+TBD
+
+#### `priority::3`

 Medium term delivery providing long term value.

-#### `priority::high`
+#### `priority::4`
+
+TBD

-Top of the backlog and should be broken down and worked on when cycles become available
+#### `priority::5`
+
+A nice to have, but not needed to advance the product.

 ### Size


--- a/docs/encryption.md
+++ b/docs/encryption.md
@@ -88,7 +88,7 @@ SOPS uses `.sops.yaml` as a configuration file for which keys to use for newly c
 1. Deploy your SOPS private key to a secret named `sops-gpg` in the cluster

   ```bash
-   gpg --export-secret-keys --armor <new key fingerprint> | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin
+   gpg --export-secret-keys --armor <new key fingerprint> | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin
   ```

 ### AWS KMS
No results found