Compare revisions

Thomas Runyon · evan.rush · Eric Goode · Eric Goode · runyontr · Thomas Runyon
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.6.2]
+
+* [!455](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/455): gatekeeper values not hardcoded
+
 ## [1.6.1]

 * [#19](https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane/-/issues/19): istio-cni image hub reverted to dsop.io domain

--- a/README.md
+++ b/README.md
 # bigbang

-![Version: 1.6.1](https://img.shields.io/badge/Version-1.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.6.2](https://img.shields.io/badge/Version-1.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.


--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
  ref:
-    tag: 1.6.1
+    tag: 1.6.2
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.6.1
+version: 1.6.2
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

 type: application

--- a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
+++ b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
@@ -49,11 +49,4 @@ spec:
    - name: {{ .Release.Name }}-gatekeeper-values
      kind: Secret
      valuesKey: "overlays"
-
-  values:
-    disableValidatingWebhook: true
-    createNamespace: false
-    image:
-      pullSecrets:
-      - name: private-registry
 {{- end }}
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -3,4 +3,9 @@
 {{- end }}

 {{- define "bigbang.defaults.gatekeeper" -}}
+disableValidatingWebhook: true
+createNamespace: false
+image:
+  pullSecrets:
+  - name: private-registry
 {{- end -}}
--- a/docs/k8s-storage/README.md
+++ b/docs/k8s-storage/README.md
+## Kubernetes Storage Options
+
+Use this data to assist in your CSI decision. However, when using a cloud provider we suggest you use their Kubernetes CSI.
+
+## Feature Matrix
+
+| Product | BB Compatible  | FOSS | In Ironbank  | RWX/RWM Support | Airgap Compatible | Cloud Agnostic |
+| --------- | --------- | --------- | --------- | --------- | --------- | --------- |
+Amazon EBS CSI    | **X** |  N/A  |  | **X** | AWS Dependent | No | 
+Azure Disk CSI    | Not Tested  |  N/A  |  | **X** | Azure Dependent | No | 
+Longhorn v1.1.0   | **X** | **X** |  | **X** | **X** - [Docs](https://longhorn.io/docs/1.1.0/advanced-resources/deploy/airgap/) | Yes, uses host storage | 
+OpenEBS (jiva)    | **X** | **X** |  | **X** **[Alpha](https://docs.openebs.io/docs/next/rwm.html)** | Manual Work Required | Yes, uses host storage |  
+Rook-Ceph         | **X** | **X** |  | **X** | Manual Work Required | Yes, uses host storage | 
+Portworx          | **X** |       |  | **X** | **X** - [Docs](https://docs.portworx.com/portworx-install-with-kubernetes/operate-and-maintain-on-kubernetes/pxcentral-onprem/install/px-central/) | Yes, uses host storage |
+
+## Benchmark Results
+
+Benchmarks were tested on AWS with GP2 ebs volumes using using FIO, see [example](./benchmark.yaml)
+
+| Product | Random Read/Write IOPS | Average Latency (usec) | Sequential Read/Write | Mixed Random Read/Write IOPS |
+| --------- | --------- | --------- | --------- | --------- |
+Amazon EBS CSI  | 2997/2996. BW: 128MiB/s / 128MiB/s | 1331.61 | 129MiB/s / 131MiB/s | 7203/2390
+Azure Disk CSI  |  |  |  | 
+Longhorn v1.1.0 | 6155/1551 BW: 230MiB/s / 96.3MiB/s | 1042.53 | 319MiB/s / 130MiB/s | 3804/1267
+OpenEBS (jiva) | 2183/770. BW: 76.8MiB/s / 45.8MiB/s | 2059.55 | 132MiB/s / 98.2MiB/s | 1590/533
+Rook-Ceph | 10.7k/3205. BW: 503MiB/s / 148MiB/s | 548.36/s | 496MiB/s / 154MiB/s | 6664/2228
+Portworx  2.6 | 3016/19.3k. BW: 74.5MiB/s / 85.1MiB/s | 1337.31 |  113MiB/s / 124MiB/s | 35.1k/11.1k
+
+## Amazon EBS CSI
+
+[Website/Docs](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html)
+
+### REQUIREMENTS
+
+- Must be using AWS
+### Notes
+
+- Super easy use, apply CSI and you done!
+
+## Azure Disk CSI
+
+[Website/Docs](https://docs.microsoft.com/en-us/azure/aks/azure-disk-csi)
+
+### REQUIREMENTS
+
+- Must be using Azure
+### Notes
+
+- Super easy use, apply CSI and you done!
+
+## Longhorn
+
+[Website/Docs](https://longhorn.io/)
+
+### REQUIREMENTS
+
+- RWX requires `nfs-common` to be installed on the nodes. [Longhorn RWX Docs](https://longhorn.io/docs/1.1.0/advanced-resources/rwx-workloads/)
+
+### Notes
+
+- 100% open source
+- Easiest to install
+- Documented airgap install process
+- GUI provides data and observability; replica status, cluster health status, backup status, and backup initiation/recovery.
+- Native backup to S3 or NFS
+
+## OpenEBS
+
+[Website/Docs](https://openebs.io/)
+
+### REQUIREMENTS
+
+- Blank, un-partitioned attached disk(s)
+- RWX is in Alpha and requires work. [OpenEBS RWX Docs](https://docs.openebs.io/docs/next/rwm.html)
+
+### Notes
+
+
+
+## Rook-Ceph
+
+[Website/Docs](https://rook.io/)
+
+### REQUIREMENTS
+
+- Blank, un-partitioned attached disk(s)
+
+### Notes
+
+- 100% open source
+- Very Fast
+
+## Portworx
+
+[Website/Docs](https://docs.portworx.com/portworx-install-with-kubernetes/)
+
+### REQUIREMENTS
+
+- Blank, un-partitioned attached disk(s)
+
+### Notes
+
+- Portworx Essentials is free **up to** 5nodes, 5TB Storage, 500 volumes
+- Portworx Enterprise and PX-Backup require paid licenses 
+- Best Mixed IOPS, average read/write performance
+- Install is very picky about the container runtime hostpath
+- Tested on Konvoy 1.6.1 due to Portworx issues when using RKE2
--- a/docs/k8s-storage/benchmark.yaml
+++ b/docs/k8s-storage/benchmark.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: benchmark
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: dbench
+  namespace: benchmark  
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: dbench
+  namespace: benchmark    
+spec:
+  template:
+    spec:
+      containers:
+      - name: dbench
+        image: sotoaster/dbench:latest
+        imagePullPolicy: IfNotPresent
+        env:
+          - name: DBENCH_MOUNTPOINT
+            value: /data
+          - name: FIO_SIZE
+            value: 25G
+        volumeMounts:
+        - name: dbench-pv
+          mountPath: /data
+      restartPolicy: Never
+      volumes:
+      - name: dbench-pv
+        persistentVolumeClaim:
+          claimName: dbench
+  backoffLimit: 4
\ No newline at end of file
--- a/docs/k8s-storage/rwx_test.yaml
+++ b/docs/k8s-storage/rwx_test.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rwx-test
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rwx-test
+  labels:
+    app: rwx-test
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: rwx-test
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: rwx-test
+    spec:
+      containers:
+        - image: ubuntu:xenial
+          imagePullPolicy: Always
+          command: ["/bin/sh", "-c"]
+          args:
+            - sleep 30; touch /mnt/rwx-test/test.log; while true; do date >> /mnt/rwx-test/test.log; sleep 1; done;
+          name: rwx-test
+          stdin: true
+          tty: true
+          livenessProbe:
+            exec:
+              command:
+                - timeout
+                - "10"
+                - ls
+                - /mnt/rwx-test
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 10
+          volumeMounts:
+            - mountPath: /mnt/rwx-test
+              name: rwx-test
+      restartPolicy: Always
+      volumes:
+        - name: rwx-test
+          persistentVolumeClaim:
+            claimName: rwx-test
--- a/scripts/latest.sh
+++ b/scripts/latest.sh
+#!/bin/bash
+
+# This script looks at all the deployed images from iron bank and identifies if the 
+# currently deployed version is the latest in IronBank.  Could be used as part of CI
+# or as general awareness for development
+
+# Needs crane( https://github.com/google/go-containerregistry/tree/main/cmd/crane )
+# to be configured before hand via
+
+# crane auth login -p ${REGISTRY1_CREDENTIALS} -u ${REGISTRY1_USER} registry1.dso.mil
+
+images=`kubectl get pods -A -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c | grep "registry1" | awk '{ print $2 }'`
+
+
+for i in $images
+do
+    image=`echo "$i" | awk '{split($0,a,":"); print a[1] }'`
+    tag=`echo "$i" | awk '{split($0,a,":"); print a[2] }'`
+
+    upstream_tag=`crane ls $image | grep -v "latest" | sort -r | head -n1`
+    
+    if [[ "$tag" != "$upstream_tag" ]]
+    then
+        echo "Update for $image:  $tag ---->  $upstream_tag"
+    fi
+done
\ No newline at end of file
No results found