Compare revisions

Tawsif Siddiqui · Micah Nagel · Ryan Garcia · Ryan Garcia · Micah Nagel · Ryan Garcia
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -132,6 +132,12 @@ PLATFORM ONE LOGGING WARNING:
  After the beta period, only one logging stack will be supported at one time, with the PLG stack becoming the default supported stack.
 {{- end }}

+{{- if and $.Values.jaeger.enabled .Values.tempo.enabled }}
+PLATFORM ONE TRACING WARNING:
+  You have enabled both Jaeger and Tempo Tracing Engines.  This is permitted during beta testing of Tempo.
+  After the beta period, only one Tracing engine will be supported at one time, with Tempo becoming the default supported engine over a direct Jaeger installation. Tempo will deploy with Tempo-Query, a Jaeger frontend with Tempo as the backend.
+{{- end }}
+
 {{- if $.Values.addons.mattermost.enabled }}
 Mattermost is enabled.
 {{- with .Values.addons.mattermost.database }}

--- a/chart/templates/jaeger/values.yaml
+++ b/chart/templates/jaeger/values.yaml
@@ -17,6 +17,7 @@ domain: {{ $domainName }}
 istio:
  enabled: {{ .Values.istio.enabled }}
  jaeger:
+    enabled: {{ .Values.istio.enabled }}
    gateways:
    - istio-system/{{ default "public" .Values.jaeger.ingress.gateway }}


--- a/chart/templates/logging/fluentbit/values.yaml
+++ b/chart/templates/logging/fluentbit/values.yaml
@@ -26,6 +26,7 @@ extraVolumes:
 extraVolumeMounts:
  - mountPath: /var/log/flb-storage/
    name: flb-storage
+    readOnly: false
  - mountPath: /etc/elasticsearch/certs/
    name: elasticsearch-certs
 {{- end }}

--- a/chart/templates/tempo/values.yaml
+++ b/chart/templates/tempo/values.yaml
@@ -13,6 +13,11 @@ tempo:
  imagePullSecrets:
  - name: private-registry

+    # hostname is deprecated and replaced with domain. But if hostname exists then use it.
+{{- $domainName := default .Values.domain .Values.hostname }}
+hostname: {{ $domainName }}
+domain: {{ $domainName }}
+
 tempo:
  pullPolicy: {{ .Values.imagePullPolicy }}

@@ -21,9 +26,27 @@ tempoQuery:

 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.tempo.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}

 istio:
  enabled: {{ .Values.istio.enabled }}
+  tempoQuery:
+    # During BETA Period set TempoQuery UI to "tempo." instead of soon to be default "tracing."
+    {{- if .Values.jaeger.enabled }}
+    hosts:
+      - "tempo.{{ .Values.domain }}"
+    {{- end }}
+    gateways:
+    - istio-system/{{ default "public" .Values.tempo.ingress.gateway }}
+
+{{- if .Values.istio.enabled }}
+podAnnotations:
+  {{ include "istioAnnotation" . }}
+{{- end }}

 monitoring:
  enabled: {{ .Values.monitoring.enabled }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -244,7 +244,7 @@ istiooperator:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
    path: "./chart"
-    tag: "1.13.2-bb.0"
+    tag: "1.13.2-bb.1"

  # -- Flux reconciliation overrides specifically for the Istio Operator Package
  flux: {}
@@ -270,7 +270,7 @@ jaeger:
    upgrade:
      crds: CreateReplace

-  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

@@ -301,7 +301,7 @@ kiali:
  # -- Flux reconciliation overrides specifically for the Kiali Package
  flux: {}

-  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

@@ -424,7 +424,7 @@ logging:
  flux:
    timeout: 20m

-  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

@@ -472,7 +472,7 @@ fluentbit:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
    path: "./chart"
-    tag: "0.19.20-bb.0"
+    tag: "0.19.20-bb.1"

  # -- Flux reconciliation overrides specifically for the Fluent-Bit Package
  flux: {}
@@ -490,7 +490,7 @@ promtail:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail.git
    path: "./chart"
-    tag: "3.8.1-bb.3"
+    tag: "3.11.0-bb.0"

  # -- Flux reconciliation overrides specifically for the Promtail Package
  flux: {}
@@ -527,7 +527,11 @@ tempo:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo.git
    path: "./chart"
-    tag: "0.14.1-bb.0"
+    tag: "0.14.1-bb.1"
+  
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""

  # -- Flux reconciliation overrides specifically for the Tempo Package
  flux: {}
@@ -558,7 +562,7 @@ monitoring:
    upgrade:
      crds: CreateReplace

-  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

@@ -615,7 +619,7 @@ twistlock:
  # -- Flux reconciliation overrides specifically for the Twistlock Package
  flux: {}

-  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

@@ -640,7 +644,7 @@ addons:
    # -- Flux reconciliation overrides specifically for the ArgoCD Package
    flux: {}

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -687,7 +691,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
      path: "./chart"
-      tag: "0.4.0-bb.25"
+      tag: "0.4.0-bb.26"

    # -- Flux reconciliation overrides specifically for the Authservice Package
    flux: {}
@@ -732,7 +736,7 @@ addons:
    # -- Flux reconciliation overrides specifically for the Minio Package
    flux: {}

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -765,7 +769,7 @@ addons:
    # -- Flux reconciliation overrides specifically for the Gitlab Package
    flux: {}

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -884,7 +888,7 @@ addons:
    # -- Base64 encoded license file.
    license_key: ""

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -949,7 +953,7 @@ addons:
    # -- Flux reconciliation overrides specifically for the Sonarqube Package
    flux: {}

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -1048,7 +1052,7 @@ addons:
      licenseYaml: |
        FULL LICENSE

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -1146,7 +1150,7 @@ addons:
      # license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN
      license: ""

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

@@ -1283,7 +1287,7 @@ addons:
    # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
    flux: {}

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      # the istio gateway for keycloak must have tls.mode: PASSTHROUGH
      gateway: "passthrough"
@@ -1309,7 +1313,7 @@ addons:
    # -- Flux reconciliation overrides specifically for the Vault Package
    flux: {}

-    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""


--- a/docs/understanding_bigbang/kube-apiserver_webhooks_diagram.md
+++ b/docs/understanding_bigbang/kube-apiserver_webhooks_diagram.md
@@ -6,10 +6,10 @@
 * Kubernetes Security Best Practice (per [kube-bench](https://github.com/aquasecurity/kube-bench)) for requests to the kube-apiserver is that requests should go through the following flow of controls:
  1. mTLS Authentication via x509 certs:
     * This is baked into Kubernetes
-  2. RBAC Authorization of users and Node Authentication for worker nodes
+  1. RBAC Authorization of users and Node Authentication for worker nodes
     * `--authorization-mode=Node,RBAC` flag on kube-apiserver ensures this is set.
     * Deployed applications contain YAML manifests with rbac rules to minimize the rights of the application's service account.
-  3. Admission Controllers: These take effect after Authn and Authz have occurred and allow the functionality of the api-server to be extended to enable additional security controls and advanced features.
+  1. Admission Controllers: These take effect after Authn and Authz have occurred and allow the functionality of the api-server to be extended to enable additional security controls and advanced features.
     * There are apiserver plugins baked into Kubernetes that just need to be turned on like `--enable-admission-plugins=NodeRestriction` per kube-bench.
     * There's also webhooks that allow extending the apiserver with custom logic, this will be overviewed in the diagram below.

@@ -27,7 +27,7 @@

 #### 2. Mutating Admission Controllers

-* This improves user experience for developers. If a namespace is labeled `istio-injection=enabled`, then a developer can submit a YAML manifest where the pod only needs to reference 1 container image/the application. After the request is authenticated and authorized against the kube-apiserver, it's admission controller will see a mutating admission webhook exists and the manifest will be sent to the istiod pod in the istio-system namespace to mutate the manifest and inject an istio init container and istio envoy proxy sidecar container into the YAML manifest. This allows the developer's pod to be integrated into the service mesh with minimal configuration / effort on their part/no adjustments to their YAMLs were needed.
+* This improves user experience for developers. If a namespace is labeled `istio-injection=enabled`, then a developer can submit a YAML manifest where the pod only needs to reference 1 container image/the application. After the request is authenticated and authorized against the kube-apiserver, it's admission controller will see a mutating admission webhook exists and the manifest will be sent to the `istiod` pod in the `istio-system` namespace to mutate the manifest and inject an Istio init container and Istio envoy proxy sidecar container into the YAML manifest. This allows the developer's pod to be integrated into the service mesh with minimal configuration / effort on their part/no adjustments to their YAMLs were needed.
 * Note: It's possible to use Istio CNI Plugin to eliminate the need for Istio Init Containers.

 #### 3. Validating Admission Controllers

--- a/docs/understanding_bigbang/licensing_expectations.md
+++ b/docs/understanding_bigbang/licensing_expectations.md
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -81,6 +81,9 @@ jaeger:
    enabled: false
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
  values:
+    istio:
+      jaeger:
+        enabled: true
    bbtests:
      enabled: true
      cypress:
@@ -457,22 +460,11 @@ loki:

 tempo:
  enabled: false
-  resources:
-    limits:
-      cpu: 200m
-      memory: 128Mi
-    requests:
-      cpu: 200m
-      memory: 128Mi
-
-  persistence:
-    enabled: true
-    # storageClassName: local-path
-    accessModes:
-      - ReadWriteOnce
-    size: 5Gi
-
-  tempoQuery:
+  values:
+    istio:
+      tempoQuery:
+        hosts:
+          - "tempo.{{ .Values.domain }}"
    resources:
      limits:
        cpu: 200m
@@ -481,14 +473,30 @@ tempo:
        cpu: 200m
        memory: 128Mi

-  opentelemetryCollector:
-    resources:
-      limits:
-        cpu: 200m
-        memory: 128Mi
-      requests:
-        cpu: 200m
-        memory: 128Mi
+    persistence:
+      enabled: true
+      # storageClassName: local-path
+      accessModes:
+        - ReadWriteOnce
+      size: 5Gi
+
+    tempoQuery:
+      resources:
+        limits:
+          cpu: 200m
+          memory: 128Mi
+        requests:
+          cpu: 200m
+          memory: 128Mi
+
+    opentelemetryCollector:
+      resources:
+        limits:
+          cpu: 200m
+          memory: 128Mi
+        requests:
+          cpu: 200m
+          memory: 128Mi

 monitoring:
  enabled: true
No results found