Compare revisions

eb7e8e0b · cb59edf8 · 3b07eaae · da865cbb · be675cda · bc8cbc3a
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -32,16 +32,16 @@ include:
 #  - Smoke tests are executed for all pipelines except scheduled nightly runs.
 #  -
 stages:
-  - smoke tests
-  - network up
-  - cluster up
-  - bigbang up
-  - test
-  - bigbang down
-  - cluster down
-  - network down
-  - package
-  - release
+  - 🔥 smoke tests
+  - 🔌 network up
+  - ⚓ cluster up
+  - 🌌 bigbang up
+  - 🤞 test
+  - 💣 bigbang down
+  - 💣 cluster down
+  - 💣 network down
+  - 📦 package
+  - 🚀 release

 variables:
  RELEASE_BUCKET: umbrella-bigbang-releases
@@ -64,9 +64,16 @@ pre vars:
    reports:
      dotenv: variables.env
  script:
-  # Create the TF_VAR_env variable
-  - echo "TF_VAR_env=$(echo $CI_COMMIT_REF_SLUG | cut -c 1-7)-$(echo $CI_COMMIT_SHA | cut -c 1-7)" >> variables.env
-  - cat variables.env
+    # Create the TF_VAR_env variable
+    - echo "TF_VAR_env=$(echo $CI_COMMIT_REF_SLUG | cut -c 1-7)-$(echo $CI_COMMIT_SHA | cut -c 1-7)" >> variables.env
+    - cat variables.env
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - stuck_or_timeout_failure
+      - runner_system_failure
+

 #-----------------------------------------------------------------------------------------------------------------------

@@ -102,14 +109,21 @@ pre vars:
      echo "Executing ${test_script}..."
      ./${test_script} && export EXIT_CODE=$? || export EXIT_CODE=$?
      if [[ ${EXIT_CODE} -ne 0 ]]; then
-        echo "${test_script} failed, see log output above and cluster debug."
-        exit ${EXIT_CODE}
+        if [[ ${EXIT_CODE} -ne 123 ]]; then
+          echo -e "\e[31m❌ ${test_script} failed, see log output above and cluster debug.\e[0m"
+          exit ${EXIT_CODE}
+        fi
+        # 123 error codes are allowed to continue
+        echo -e "\e[31m⚠️ ${test_script} failed but was allowed to continue, see log output above and cluster debug.\e[0m"
+        EXIT_FLAG=1
      fi
      echo -e "\e[0Ksection_end:`date +%s`:${test_script##*/}\r\e[0K"
    done
-
+    if [[ -n "$EXIT_FLAG" ]]; then
+      echo -e "\e[31m⚠️ WARNING: One or more BB tests failed but were allowed to continue. See output of scripts above for details.\e[0m"
+    fi
 clean install:
-  stage: smoke tests
+  stage: 🔥 smoke tests
  extends:
    - .k3d-ci
  variables:
@@ -128,6 +142,10 @@ clean install:
    - echo $images | jq -r '.images[].repoTags[0] | select(. != null)' | tee images.txt
    - echo -e "\e[0Ksection_end:`date +%s`:images_used\r\e[0K"
    - *test_bigbang
+    - |
+      if [[ $EXIT_FLAG -eq 1 ]]; then
+        exit 123
+      fi
  artifacts:
    paths:
      - images.txt
@@ -136,9 +154,15 @@ clean install:
    when: always
  allow_failure:
    exit_codes: 123
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - stuck_or_timeout_failure
+      - runner_system_failure

 upgrade:
-  stage: smoke tests
+  stage: 🔥 smoke tests
  dependencies:
    - pre vars
  extends:
@@ -156,19 +180,23 @@ upgrade:
  variables:
    CLUSTER_NAME: "upgrade-${CI_COMMIT_SHORT_SHA}"
  script:
-    - echo "Install Big Bang from ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}"
+    - echo "🌌 Install Big Bang from ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}"
    - echo -e "\e[0Ksection_start:`date +%s`:git_master[collapsed=true]\r\e[0K\e[33;1mGit Fetch Master\e[37m"  
    - git fetch && git checkout ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}
    - echo -e "\e[0Ksection_end:`date +%s`:git_master\r\e[0K"
    - *deploy_bigbang
    - *test_bigbang
-    - echo "Upgrade Big Bang from ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
+    - echo "🌌 Upgrade Big Bang from ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
    - echo -e "\e[0Ksection_start:`date +%s`:git_upgrade[collapsed=true]\r\e[0K\e[33;1mGit Upgrade\e[37m"    
    - git reset --hard && git clean -fd
    - git checkout ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}
    - echo -e "\e[0Ksection_end:`date +%s`:git_upgrade\r\e[0K"
    - *deploy_bigbang
    - *test_bigbang
+    - |
+      if [[ $EXIT_FLAG -eq 1 ]]; then
+        exit 123
+      fi
  artifacts:
    paths:
      - "test-artifacts/"
@@ -176,6 +204,12 @@ upgrade:
    when: always
  allow_failure:
    exit_codes: 123
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - stuck_or_timeout_failure
+      - runner_system_failure

 #-----------------------------------------------------------------------------------------------------------------------
 # Rules for execution of AWS based K3S cluster deployment:  Infrastructure jobs
@@ -183,7 +217,7 @@ upgrade:

 # Abstract for job manually triggering infrastructure builds
 .infra fork:
-  stage: network up
+  stage: 🔌 network up
  rules:
    # Run on scheduled jobs OR when `test-ci` label is assigned
    - if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
@@ -230,7 +264,7 @@ aws/network down:
    - .bigbang-gitlab-runner-tags
    - .infra cleanup
    - .network down
-  stage: network down
+  stage: 💣 network down
  environment:
    name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
    action: stop
@@ -249,7 +283,7 @@ aws/network down:

 # Create RKE2 cluster on AWS
 aws/rke2/cluster up:
-  stage: cluster up
+  stage: ⚓ cluster up
  extends:
    - .bigbang-gitlab-runner-tags
    - .infra create
@@ -269,7 +303,7 @@ aws/rke2/cluster up:

 # Install BigBang on RKE2 cluster on AWS
 aws/rke2/bigbang up:
-  stage: bigbang up
+  stage: 🌌 bigbang up
  extends:
    - .bigbang-gitlab-runner-tags
    - .infra create
@@ -282,7 +316,6 @@ aws/rke2/bigbang up:
    - cp ${CI_PROJECT_DIR}/rke2.yaml ~/.kube/config
    # Deploy a default storage class for aws
    - kubectl apply -f ${CI_PROJECT_DIR}/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
-
  script:
    - *deploy_bigbang
  environment:
@@ -296,7 +329,7 @@ aws/rke2/bigbang up:

 # Run tests on BigBang on RKE2 cluster on AWS
 aws/rke2/bigbang test:
-  stage: test
+  stage: 🤞 test
  extends:
    - .bigbang-gitlab-runner-tags
    - .infra create
@@ -313,9 +346,12 @@ aws/rke2/bigbang test:
    ## putting it here now for a quick way to install dig
    - echo -e "\e[0Ksection_start:`date +%s`:host_setup[collapsed=true]\r\e[0K\e[33;1mHost Setup\e[37m"
    - yum install bind-utils -y
-    - ./scripts/hosts.sh
    - echo -e "\e[0Ksection_end:`date +%s`:host_setup\r\e[0K"
    - *test_bigbang
+    - |
+      if [[ $EXIT_FLAG -eq 1 ]]; then
+        exit 123
+      fi
  environment:
    name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
  allow_failure:
@@ -334,7 +370,7 @@ aws/rke2/bigbang test:

 # Uninstall BigBang on RKE2 cluster on AWS
 aws/rke2/bigbang down:
-  stage: bigbang down
+  stage: 💣 bigbang down
  extends:
    - .bigbang-gitlab-runner-tags
    - .infra cleanup
@@ -352,10 +388,16 @@ aws/rke2/bigbang down:
    - sleep 180
  environment:
    name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - stuck_or_timeout_failure
+      - runner_system_failure

 # Destroy RKE2 cluster on AWS
 aws/rke2/cluster down:
-  stage: cluster down
+  stage: 💣 cluster down
  extends:
    - .bigbang-gitlab-runner-tags
    - .infra cleanup
@@ -380,7 +422,7 @@ aws/rke2/cluster down:
 #

 package:
-  stage: package
+  stage: 📦 package
  image: registry.dso.mil/platform-one/big-bang/bigbang/synker:0.0.3
  extends:
    - .bigbang-gitlab-runner-tags
@@ -391,10 +433,11 @@ package:
    # Set up auth
    - mkdir -p /root/.docker
    - |
-      jq -n '{"auths": {"registry.dso.mil": {"auth": $bb_registry_auth}, "registry1.dso.mil": {"auth": $registry1_auth}, "registry.il2.dso.mil": {"auth": $il2_registry_auth} } }' \
+      jq -n '{"auths": {"registry.dso.mil": {"auth": $bb_registry_auth}, "registry1.dso.mil": {"auth": $registry1_auth}, "registry.il2.dso.mil": {"auth": $il2_registry_auth}, "docker.io": {"auth": $bb_docker_auth} } }' \
        --arg bb_registry_auth ${BB_REGISTRY_AUTH} \
        --arg registry1_auth ${REGISTRY1_AUTH} \
-        --arg il2_registry_auth ${IL2_REGISTRY_AUTH} > /root/.docker/config.json
+        --arg il2_registry_auth ${IL2_REGISTRY_AUTH} \
+        --arg bb_docker_auth ${DOCKER_AUTH} > /root/.docker/config.json
  script:
    - echo -e "\e[0Ksection_start:`date +%s`:synker_pull[collapsed=true]\r\e[0K\e[33;1mSynker Pull\e[37m"
    - cp ./scripts/package/synker.yaml ./synker.yaml
@@ -413,11 +456,8 @@ package:
    - crane pull registry:2 registry.tar
    - mv registry.tar /var/lib/registry/
    - echo -e "\e[0Ksection_start:`date +%s`:package_synker[collapsed=true]\r\e[0K\e[33;1mPackage Images\e[37m"
-    - tar -C /var/lib/registry -czvf $IMAGE_PKG .
-    - echo -e "\e[0Ksection_end:`date +%s`:package_synker\r\e[0K"
-    - echo -e "\e[0Ksection_start:`date +%s`:unpack_images[collapsed=true]\r\e[0K\e[33;1mUnpack Images\e[37m"
    - tar -czvf $IMAGE_PKG /var/lib/registry
-    - echo -e "\e[0Ksection_end:`date +%s`:unpack_images\r\e[0K"
+    - echo -e "\e[0Ksection_end:`date +%s`:package_synker\r\e[0K"
    # Package dependent repos
    - echo -e "\e[0Ksection_start:`date +%s`:package_repos[collapsed=true]\r\e[0K\e[33;1mPackage Repos\e[37m"
    - ./scripts/package/gits.sh
@@ -434,9 +474,15 @@ package:
        aws s3 sync --quiet release/ s3://umbrella-bigbang-releases/umbrella/${CI_COMMIT_TAG}
      fi
  after_script: []
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - stuck_or_timeout_failure
+      - runner_system_failure

 release:
-  stage: release
+  stage: 🚀 release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  extends:
    - .bigbang-gitlab-runner-tags
@@ -463,5 +509,11 @@ release:
          --assets-link "{\"name\":\"${IMAGE_PKG}\",\"url\":\"${RELEASE_ENDPOINT}/${IMAGE_PKG}\"}" \
          --assets-link "{\"name\":\"${REPOS_PKG}\",\"url\":\"${RELEASE_ENDPOINT}/${REPOS_PKG}\"}"
      fi
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - stuck_or_timeout_failure
+      - runner_system_failure

 #-----------------------------------------------------------------------------------------------------------------------
--- a/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
+++ b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
@@ -39,6 +39,9 @@
  after_script:
    - echo -e "\e[0Ksection_start:`date +%s`:k3d_down[collapsed=true]\r\e[0K\e[33;1mK3D Cluster Delete\e[37m"  
    - kubectl get all -A
+    - echo -e "\e[0Ksection_start:`date +%s`:show_event_log[collapsed=true]\r\e[0K\e[33;1mCluster event log:\e[37m"
+    - kubectl get events -A
+    - echo -e "\e[0Ksection_end:`date +%s`:show_event_log\r\e[0K"
    - kubectl get gitrepository,helmrelease,kustomizations -A
    - k3d cluster delete ${CI_JOB_ID}
    - docker network rm ${CI_JOB_ID}

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,14 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
+## [1.19.0]
+
+* [!1.19.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.19.0); List of merge requests in this release.
+
+## [1.18.0]
+
+* [!1.18.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.18.0); List of merge requests in this release.
+
 ## [1.17.0]

 * [!1.17.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.17.0); List of merge requests in this release.

--- a/CODEOWNERS
+++ b/CODEOWNERS
 [Project Managers]
 # protect individual files in the root directory such as the CODEOWNERS file
-/*                              @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/*                              @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
 # Recursive protection for directories
-/.gitlab-ci/                    @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/.gitlab/                       @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/base/                          @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/chart/                         @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/charter/                       @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/hack/                          @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/scripts/                       @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/tests/                         @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
-/docs/                          @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/.gitlab-ci/                    @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/.gitlab/                       @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/base/                          @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/chart/                         @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/charter/                       @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/hack/                          @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/scripts/                       @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/tests/                         @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+/docs/                          @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 


 [Docs Owners]
@@ -35,7 +35,7 @@ scripts/                        @toladipupo @michaelmcleroy @egoode
 hack/                           @toladipupo @michaelmcleroy @egoode

 ^[Charter Owners]
-charter/                        @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
+charter/                        @gabe @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 

 ^[Istio, Istio Operator, and Authservice]
 chart/Chart.yaml                @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @stas
@@ -79,9 +79,9 @@ chart/values.yaml               @lynnstill @ryan.j.garcia @michaelmartin
 chart/templates/monitoring      @lynnstill @ryan.j.garcia @michaelmartin

 ^[Twistlock]
-chart/Chart.yaml                @thomas.burton @ryan.j.garcia @runyontr @joshwolf
-chart/values.yaml               @thomas.burton @ryan.j.garcia @runyontr @joshwolf
-chart/templates/twistlock       @thomas.burton @ryan.j.garcia @runyontr @joshwolf
+chart/Chart.yaml                @thomas.burton @ryan.j.garcia @runyontr @micah.nagel
+chart/values.yaml               @thomas.burton @ryan.j.garcia @runyontr @micah.nagel
+chart/templates/twistlock       @thomas.burton @ryan.j.garcia @runyontr @micah.nagel

 ^[Sonarqube]
 chart/Chart.yaml                @kevin.wilder @lynnstill @brandencobb

--- a/README.md
+++ b/README.md
 # bigbang

-![Version: 1.17.0](https://img.shields.io/badge/Version-1.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.19.0](https://img.shields.io/badge/Version-1.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

@@ -66,11 +66,12 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istio.enabled | bool | `true` | Toggle deployment of Istio. |
 | istio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git"` |  |
 | istio.git.path | string | `"./chart"` |  |
-| istio.git.tag | string | `"1.10.4-bb.3"` |  |
+| istio.git.tag | string | `"1.11.2-bb.1"` |  |
 | istio.ingressGateways.public-ingressgateway.type | string | `"LoadBalancer"` |  |
 | istio.ingressGateways.public-ingressgateway.kubernetesResourceSpec | object | `{}` |  |
 | istio.gateways.public.ingressGateway | string | `"public-ingressgateway"` |  |
 | istio.gateways.public.hosts[0] | string | `"*.{{ .Values.domain }}"` |  |
+| istio.gateways.public.autoHttpRedirect | object | `{"enabled":true}` | Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect. |
 | istio.gateways.public.tls.key | string | `""` |  |
 | istio.gateways.public.tls.cert | string | `""` |  |
 | istio.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Package |
@@ -79,14 +80,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istiooperator.enabled | bool | `true` | Toggle deployment of Istio Operator. |
 | istiooperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git"` |  |
 | istiooperator.git.path | string | `"./chart"` |  |
-| istiooperator.git.tag | string | `"1.10.4-bb.1"` |  |
+| istiooperator.git.tag | string | `"1.11.2-bb.0"` |  |
 | istiooperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Operator Package |
 | istiooperator.values | object | `{}` | Values to passthrough to the istio-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git |
 | istiooperator.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | jaeger.enabled | bool | `true` | Toggle deployment of Jaeger. |
 | jaeger.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git"` |  |
 | jaeger.git.path | string | `"./chart"` |  |
-| jaeger.git.tag | string | `"2.23.0-bb.2"` |  |
+| jaeger.git.tag | string | `"2.23.0-bb.4"` |  |
 | jaeger.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Jaeger Package |
 | jaeger.ingress.gateway | string | `""` |  |
 | jaeger.sso.enabled | bool | `false` | Toggle SSO for Jaeger on and off |
@@ -97,7 +98,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | kiali.enabled | bool | `true` | Toggle deployment of Kiali. |
 | kiali.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git"` |  |
 | kiali.git.path | string | `"./chart"` |  |
-| kiali.git.tag | string | `"1.39.0-bb.2"` |  |
+| kiali.git.tag | string | `"1.40.1-bb.0"` |  |
 | kiali.flux | object | `{}` | Flux reconciliation overrides specifically for the Kiali Package |
 | kiali.ingress.gateway | string | `""` |  |
 | kiali.sso.enabled | bool | `false` | Toggle SSO for Kiali on and off |
@@ -115,14 +116,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
 | gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` |  |
 | gatekeeper.git.path | string | `"./chart"` |  |
-| gatekeeper.git.tag | string | `"3.5.2-bb.1"` |  |
+| gatekeeper.git.tag | string | `"3.6.0-bb.2"` |  |
 | gatekeeper.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
 | gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
 | gatekeeper.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
 | logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` |  |
 | logging.git.path | string | `"./chart"` |  |
-| logging.git.tag | string | `"0.1.21-bb.0"` |  |
+| logging.git.tag | string | `"0.1.21-bb.2"` |  |
 | logging.flux | object | `{"timeout":"20m"}` | Flux reconciliation overrides specifically for the Logging (EFK) Package |
 | logging.ingress.gateway | string | `""` |  |
 | logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
@@ -135,7 +136,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | eckoperator.enabled | bool | `true` | Toggle deployment of ECK Operator. |
 | eckoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git"` |  |
 | eckoperator.git.path | string | `"./chart"` |  |
-| eckoperator.git.tag | string | `"1.6.0-bb.2"` |  |
+| eckoperator.git.tag | string | `"1.7.1-bb.0"` |  |
 | eckoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the ECK Operator Package |
 | eckoperator.values | object | `{}` | Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git |
 | fluentbit.enabled | bool | `true` | Toggle deployment of Fluent-Bit. |
@@ -148,7 +149,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
 | monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` |  |
 | monitoring.git.path | string | `"./chart"` |  |
-| monitoring.git.tag | string | `"14.0.0-bb.10"` |  |
+| monitoring.git.tag | string | `"14.0.0-bb.11"` |  |
 | monitoring.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Monitoring Package |
 | monitoring.ingress.gateway | string | `""` |  |
 | monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
@@ -166,7 +167,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | twistlock.enabled | bool | `true` | Toggle deployment of Twistlock. |
 | twistlock.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git"` |  |
 | twistlock.git.path | string | `"./chart"` |  |
-| twistlock.git.tag | string | `"0.0.9-bb.0"` |  |
+| twistlock.git.tag | string | `"0.0.9-bb.1"` |  |
 | twistlock.flux | object | `{}` | Flux reconciliation overrides specifically for the Twistlock Package |
 | twistlock.ingress.gateway | string | `""` |  |
 | twistlock.values | object | `{}` | Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git |
@@ -174,7 +175,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
 | addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` |  |
 | addons.argocd.git.path | string | `"./chart"` |  |
-| addons.argocd.git.tag | string | `"3.6.8-bb.8"` |  |
+| addons.argocd.git.tag | string | `"3.6.8-bb.10"` |  |
 | addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
 | addons.argocd.ingress.gateway | string | `""` |  |
 | addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
@@ -195,26 +196,26 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.minioOperator.enabled | bool | `false` | Toggle deployment of minio operator and instance. |
 | addons.minioOperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git"` |  |
 | addons.minioOperator.git.path | string | `"./chart"` |  |
-| addons.minioOperator.git.tag | string | `"4.1.2-bb.3"` |  |
+| addons.minioOperator.git.tag | string | `"4.2.3-bb.2"` |  |
 | addons.minioOperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Minio Operator Package |
 | addons.minioOperator.values | object | `{}` | Values to passthrough to the minio operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git |
 | addons.minioOperator.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.minio.enabled | bool | `false` | Toggle deployment of minio. |
 | addons.minio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git"` |  |
 | addons.minio.git.path | string | `"./chart"` |  |
-| addons.minio.git.tag | string | `"4.1.2-bb.6"` |  |
+| addons.minio.git.tag | string | `"4.2.3-bb.5"` |  |
 | addons.minio.flux | object | `{}` | Flux reconciliation overrides specifically for the Minio Package |
 | addons.minio.ingress.gateway | string | `""` |  |
 | addons.minio.accesskey | string | `""` | Default access key to use for minio. |
 | addons.minio.secretkey | string | `""` | Default secret key to intstantiate with minio, you should change/delete this after installation. |
 | addons.minio.values | object | `{}` | Values to passthrough to the minio instance chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git |
 | addons.minio.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
-| addons.gitlab.enabled | bool | `false` | Toggle deployment of Gitlab. |
+| addons.gitlab.enabled | bool | `false` | Toggle deployment of Gitlab |
 | addons.gitlab.hostnames.gitlab | string | `"gitlab"` |  |
 | addons.gitlab.hostnames.registry | string | `"registry"` |  |
 | addons.gitlab.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git"` |  |
 | addons.gitlab.git.path | string | `"./chart"` |  |
-| addons.gitlab.git.tag | string | `"4.12.9-bb.6"` |  |
+| addons.gitlab.git.tag | string | `"5.3.1-bb.2"` |  |
 | addons.gitlab.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Package |
 | addons.gitlab.ingress.gateway | string | `""` |  |
 | addons.gitlab.sso.enabled | bool | `false` | Toggle OIDC SSO for Gitlab on and off. Enabling this option will auto-create any required secrets. |
@@ -234,17 +235,17 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.gitlab.objectStorage.bucketPrefix | string | `""` | Bucket prefix to use for identifying buckets. Example: "prod" will produce "prod-gitlab-bucket" |
 | addons.gitlab.values | object | `{}` | Values to passthrough to the gitlab chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git |
 | addons.gitlab.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
-| addons.gitlabRunner.enabled | bool | `false` | Toggle deployment of Gitlab Runner. |
+| addons.gitlabRunner.enabled | bool | `false` | Toggle deployment of Gitlab Runner |
 | addons.gitlabRunner.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git"` |  |
 | addons.gitlabRunner.git.path | string | `"./chart"` |  |
-| addons.gitlabRunner.git.tag | string | `"0.29.0-bb.1"` |  |
+| addons.gitlabRunner.git.tag | string | `"0.33.1-bb.2"` |  |
 | addons.gitlabRunner.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Runner Package |
 | addons.gitlabRunner.values | object | `{}` | Values to passthrough to the gitlab runner chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git |
 | addons.gitlabRunner.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.nexus.enabled | bool | `false` | Toggle deployment of Nexus. |
 | addons.nexus.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git"` |  |
 | addons.nexus.git.path | string | `"./chart"` |  |
-| addons.nexus.git.tag | string | `"34.0.0-bb.0"` |  |
+| addons.nexus.git.tag | string | `"34.1.0-bb.2"` |  |
 | addons.nexus.license_key | string | `""` | Base64 encoded license file. |
 | addons.nexus.ingress.gateway | string | `""` |  |
 | addons.nexus.sso.enabled | bool | `false` | Toggle SAML SSO for NXRM. -- handles SAML SSO, a Client must be configured in Keycloak or IdP -- to complete setup. -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599 |
@@ -262,7 +263,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.sonarqube.enabled | bool | `false` | Toggle deployment of SonarQube. |
 | addons.sonarqube.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git"` |  |
 | addons.sonarqube.git.path | string | `"./chart"` |  |
-| addons.sonarqube.git.tag | string | `"9.6.3-bb.2"` |  |
+| addons.sonarqube.git.tag | string | `"9.6.3-bb.8"` |  |
 | addons.sonarqube.flux | object | `{}` | Flux reconciliation overrides specifically for the Sonarqube Package |
 | addons.sonarqube.ingress.gateway | string | `""` |  |
 | addons.sonarqube.sso.enabled | bool | `false` | Toggle SAML SSO for SonarQube. Enabling this option will auto-create any required secrets. |
@@ -291,7 +292,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.anchore.enabled | bool | `false` | Toggle deployment of Anchore. |
 | addons.anchore.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git"` |  |
 | addons.anchore.git.path | string | `"./chart"` |  |
-| addons.anchore.git.tag | string | `"1.13.0-bb.10"` |  |
+| addons.anchore.git.tag | string | `"1.14.7-bb.1"` |  |
 | addons.anchore.flux | object | `{"upgrade":{"disableWait":true}}` | Flux reconciliation overrides specifically for the Anchore Package |
 | addons.anchore.adminPassword | string | `""` | Initial admin password used to authenticate to Anchore. |
 | addons.anchore.enterprise | object | `{"enabled":false,"licenseYaml":"FULL LICENSE\n"}` | Anchore Enterprise functionality. |
@@ -316,14 +317,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.mattermostoperator.enabled | bool | `false` |  |
 | addons.mattermostoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git"` |  |
 | addons.mattermostoperator.git.path | string | `"./chart"` |  |
-| addons.mattermostoperator.git.tag | string | `"1.14.0-bb.4"` |  |
+| addons.mattermostoperator.git.tag | string | `"1.15.0-bb.0"` |  |
 | addons.mattermostoperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Operator Package |
 | addons.mattermostoperator.values | object | `{}` | Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator/-/blob/main/chart/values.yaml |
 | addons.mattermostoperator.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
 | addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` |  |
 | addons.mattermost.git.path | string | `"./chart"` |  |
-| addons.mattermost.git.tag | string | `"0.2.0-bb.1"` |  |
+| addons.mattermost.git.tag | string | `"0.2.2-bb.0"` |  |
 | addons.mattermost.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Package |
 | addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
 | addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install. |
@@ -352,15 +353,15 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.velero.enabled | bool | `false` | Toggle deployment of Velero. |
 | addons.velero.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git"` |  |
 | addons.velero.git.path | string | `"./chart"` |  |
-| addons.velero.git.tag | string | `"2.23.6-bb.1"` |  |
+| addons.velero.git.tag | string | `"2.23.6-bb.2"` |  |
 | addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
-| addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi  |
+| addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi |
 | addons.velero.values | object | `{}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
 | addons.velero.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak. if you enable Keycloak you should uncomment the istio passthrough configurations above istio.ingressGateways.passthrough-ingressgateway and istio.gateways.passthrough |
 | addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` |  |
 | addons.keycloak.git.path | string | `"./chart"` |  |
-| addons.keycloak.git.tag | string | `"11.0.1-bb.6"` |  |
+| addons.keycloak.git.tag | string | `"11.0.1-bb.8"` |  |
 | addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use for Keycloak. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. |
 | addons.keycloak.database.type | string | `"postgres"` | Pre-existing database type (e.g. postgres) to use for Keycloak. |
 | addons.keycloak.database.port | int | `5432` | Port of a pre-existing database to use for Keycloak. |

--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
  ref:
-    tag: 1.17.0
+    tag: 1.19.0
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.17.0
+version: 1.19.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

 type: application

--- a/chart/dev-sso-values.yaml
+++ b/chart/dev-sso-values.yaml
 # Enables and configures sso for all packages using the test bigbang.dev clients:

 sso:
+  # Entrust certificate authority for login.dso.mil
+  # do not use this CA with a Keycloak deployed with a different certificate authority
+  # For example *.bigbang.dev because that certificate is issued by a different CA
  certificate_authority: |
    -----BEGIN CERTIFICATE-----
    MIIH0zCCBrugAwIBAgIQHeg1retyhPnWuzryBJeBvTANBgkqhkiG9w0BAQsFADCB
@@ -102,6 +105,51 @@ sso:
    VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
    -----END CERTIFICATE-----

+  # # LetsEncrypt certificate authority for keycloak.bigbang.dev
+  # # Use this CA if you deployed Keycloak with *.bigbang.dev certificate using chart/keycloak-dev-values.yaml
+  # certificate_authority: |
+  #   -----BEGIN CERTIFICATE-----
+  #   MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+  #   TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+  #   cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+  #   WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+  #   ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+  #   MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+  #   h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+  #   0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+  #   A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+  #   T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+  #   B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+  #   B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+  #   KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+  #   OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+  #   jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+  #   qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+  #   rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+  #   HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+  #   hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+  #   ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+  #   3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+  #   NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+  #   ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+  #   TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+  #   jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+  #   oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+  #   4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+  #   mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+  #   emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+  #   -----END CERTIFICATE-----
+
+  
+  # The JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (JWT) issued by the IDP
+  # The jwks is public and does not require a secret
+  # The jwks is used by Istio authservice
+  # Must be updated for every new deployment of Keycloak. Example of where to get the jwks:
+  # https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/certs
+  # must be single quoted and double quotes must be escaped like this \"xxxx\"
+  # This jwks is from login.bigbang.dev
+  jwks: '{\"keys\":[{\"kid\":\"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw\",\"e\":\"AQAB\",\"x5c\":[\"MIICoTCCAYkCBgFyLIEqUjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjAwNTE5MTAzNDIyWhcNMzAwNTE5MTAzNjAyWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCGIwvWSPD6zDbkGBpkjUDJ+BwJEE8ko8T7DC22prs03Gm2v/lEIEa4leoPKjenW+NxtvwqN0qdcjuRZ6vxvY/P9E/Wb9Bw+so7FKW6TsZkXwBGxzoU8ZvNiCLyjxwFVKxqaXodnOk3dmcfgMVnbuJ8z5SX8/IzFnZrB6iEhqLNen6uAXtGqlq/k1dTCZxLIfws/3Y1Ui4WUPcdhMMaixVt8D+78fblnhcIYpb+8sNM2uXw9wDceoigP681q/Kx3ECr8o3DuIstzQouyMVhJ0kv/ngftC5uwZHQDIissu6sluoC2+20YkrfyTldhYojBga27qKInCNJvtS2idV0+HxXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIVkoDYkM6ryBcuchdAL5OmyKbmmY4WDrMlatfa3uniK5jvFXrmVaJ3rcu0apdY/NhBeLSOLFVlC5w1QroGUhWm0EjAA4zyuU63Pk0sro0vyHrxztBrGPQrGXI3kjXEssaehZZvYP4b9VtYpus6oGP6bTmaDw94Zu+WrDsWdFs+27VEYwBuU0D6E+ENDGlfR+9ADEW53t6H2M3H0VsOtbArEutYgb4gmQcOIBygC7L1tGJ4IqbnhTYLh9DMKNklU+tq8TMHacps9FxELpeAib3O0J0E5zYXdraQobCCe+ao1Y7sA/wqcGQBCVuoFgty7Y37nNL7LMvygcafgqVDqw5U=\"],\"x5t\":\"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8\",\"x5t#S256\":\"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco\"}]}'
+
 kiali:
  sso:
    enabled: true
@@ -182,3 +230,52 @@ addons:
      enabled: true
      client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost"
      client_secret: "no-secret"
+  nexus:
+    # Nexus requires manual configuration in Keycloak client and cannot be tested with login.dso.mil
+    # you must test with your own dev deployment.  Example: keycloak.bigbang.dev
+    # See more info in Nexus Package docs /docs/keycloak.md
+    # Nexus SSO is behind a paywall. You must have a valid license to enable SSO
+    # -- Base64 encoded license file.
+    # cat ~/Downloads/sonatype-license-YYYY-MM-ddTnnnnnnZ.lic | base64 -w 0 ; echo
+    license_key: "enter-single-line-base64-encoded-string-here"
+    sso:
+      # -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599
+      enabled: true
+      idp_data:
+        entityId: "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata"
+        # -- IdP Field Mappings
+        # -- NXRM username attribute
+        username: "username"
+        firstName: "firstName"
+        lastName: "lastName"
+        email: "email"
+        groups: "groups"
+        # -- IDP SAML Metadata XML as a single line string in single quotes
+        # -- this information is public and does not require a secret
+        # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo
+        idpMetadata: 'enter-single-quoted-single-line-string-here'
+      role:
+        # id is the name of the Keycloak group (case sensitive)
+        - id: "Nexus"
+          name: "Keycloak Nexus Group"
+          description: "unprivilaged users"
+          privileges: []
+          roles: []
+        - id: "Nexus-Admin"
+          name: "Keycloak Nexus Admin Group"
+          description: "keycloak users as admins"
+          privileges:
+            - "nx-all"
+          roles:
+            - "nx-admin"
+    # NexusNotes: |
+    #   Login to Nexus Admin UI and then get the x509 certificate from this path
+    #     https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata
+    #   copy and paste the nexus single line certificate into a text file and save it
+    #     vi nexus-x509.txt
+    #     -----BEGIN CERTIFICATE-----
+    #     put-single-line-nexus-x509-certificate-here
+    #     -----END CERTIFICATE-----
+    #   make a valid pem file with proper wrapping at 64 characters per line
+    #     fold -w 64 nexus-x509.txt > nexus.pem
+    #   In Keycloak go to the nexus client and on the Keys tab import the nexus.pem file in two places
--- a/chart/templates/argocd/namespace.yaml
+++ b/chart/templates/argocd/namespace.yaml
@@ -6,6 +6,6 @@ metadata:
    app.kubernetes.io/name: argocd
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: disabled
+    istio-injection: {{ dig "istio" "injection" "enabled" .Values.addons.argocd }}
  name: argocd
 {{- end }}
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -75,6 +75,9 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - mattermost/mattermost
  {{- end }}

+  imageDigest:
+    enabled: false
+
  namespacesHaveIstio:
    enabled: {{ .Values.istio.enabled }}


--- a/chart/templates/haproxy/gitrepository.yaml
+++ b/chart/templates/haproxy/gitrepository.yaml
-{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled }}
+{{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
+{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:
@@ -15,4 +16,4 @@ spec:
    {{- include "validRef" .Values.addons.haproxy.git | nindent 4 }}
  {{ include "gitIgnore" . }}
  {{- include "gitCreds" . | nindent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/haproxy/haproxy-authservice.yaml
+++ b/chart/templates/haproxy/haproxy-authservice.yaml
 {{- $fluxSettingsHaProxy := merge .Values.addons.haproxy.flux .Values.flux -}}
-{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled }}
+{{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
+{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
@@ -46,4 +47,4 @@ spec:
      namespace: {{ .Release.Namespace }}
    {{- end }}

-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/haproxy/values.yaml
+++ b/chart/templates/haproxy/values.yaml
-{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled }}
+{{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
+{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.haproxy "name" "haproxy-sso" "defaults" (include "bigbang.defaults.haproxy-sso" .)) }}
 {{- end }}


--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -47,6 +47,8 @@ gateways:
  {{ $name | nindent 2 }}:
    selector:
      app: {{ $values.ingressGateway }}
+    autoHttpRedirect:
+      enabled: {{ dig "autoHttpRedirect" "enabled" "true" $values }}
    servers:
    - hosts:
      {{ tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}

--- a/chart/templates/jaeger/values.yaml
+++ b/chart/templates/jaeger/values.yaml
@@ -21,6 +21,10 @@ monitoring:
  enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:
  enabled: {{ .Values.logging.enabled }}
+
+sso:
+  enabled: {{ .Values.jaeger.sso.enabled }}
+
 {{- if .Values.jaeger.sso.enabled }}
 jaeger:
  spec:
@@ -42,4 +46,4 @@ networkPolicies:
    {{- $gateway := default "public" .Values.jaeger.ingress.gateway }}
    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
--- a/chart/templates/monitoring/monitoring-helmrelease.yaml
+++ b/chart/templates/monitoring/monitoring-helmrelease.yaml
@@ -38,7 +38,7 @@ spec:
      valuesKey: "overlays"

  # TODO: DRY this up
-  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled }}
+  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.monitoring.sso.enabled }}
  dependsOn:
  {{- if .Values.istio.enabled }}
    - name: istio
@@ -48,5 +48,9 @@ spec:
    - name: gatekeeper
      namespace: {{ .Release.Namespace }}
  {{- end }}
+  {{- if .Values.monitoring.sso.enabled }}
+    - name: authservice
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
  {{- end }}
 {{- end }}
--- a/chart/templates/monitoring/namespace.yaml
+++ b/chart/templates/monitoring/namespace.yaml
@@ -7,5 +7,5 @@ metadata:
    app.kubernetes.io/name: monitoring
    app.kubernetes.io/component: "core"
    {{- include "commonLabels" . | nindent 4}}
-    istio-injection: disabled
-{{- end }}
\ No newline at end of file
+    istio-injection: {{ dig "istio" "injection" "enabled" .Values.monitoring }}
+{{- end }}
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -22,10 +22,11 @@ minioOperator:
  enabled: {{ .Values.addons.minioOperator.enabled }}
  
 istio:
+  {{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
  enabled: {{ .Values.istio.enabled }}
  prometheus:
    enabled: true
-    {{- if .Values.monitoring.sso.enabled }}
+    {{- if and .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
    service: authservice-haproxy-sso
    port: 8080
    namespace: authservice
@@ -34,7 +35,7 @@ istio:
    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
  alertmanager:
    enabled: true
-    {{- if .Values.monitoring.sso.enabled }}
+    {{- if and .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}
    service: authservice-haproxy-sso
    port: 8080
    namespace: authservice
@@ -45,10 +46,31 @@ istio:
    enabled: true
    gateways:
    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
+  injection: {{ dig "istio" "injection" "enabled" .Values.monitoring }}
+
+{{- if .Values.monitoring.sso.enabled }}
+alertmanager:
+  alertmanagerSpec:
+    {{- $alertmanagerAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
+    {{- $alertmanagerAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
+    podMetadata:
+      labels:
+        {{ $alertmanagerAuthserviceKey }}: {{ $alertmanagerAuthserviceValue }}
+prometheus:
+  prometheusSpec:
+    {{- $prometheusAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
+    {{- $prometheusAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
+    podMetadata:
+      labels:
+        {{ $prometheusAuthserviceKey }}: {{ $prometheusAuthserviceValue }}
+{{- end }}

 anchore:
  enabled: {{ .Values.addons.anchore.enabled }}

+kiali:
+  enabled: {{ .Values.kiali.enabled }}
+
 global:
  imagePullSecrets:
  - name: private-registry

--- a/chart/templates/nexus-repository-manager/secret-ca.yaml
+++ b/chart/templates/nexus-repository-manager/secret-ca.yaml
@@ -3,8 +3,8 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{.Values.sso.secretName}}
-  namespace: anchore
+  namespace: nexus-repository-manager
 type: Opaque
 data:
  ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/nexus-repository-manager/values.yaml
+++ b/chart/templates/nexus-repository-manager/values.yaml
@@ -27,6 +27,12 @@ networkPolicies:
 nexus:
  imagePullSecrets:
    - name: private-registry
+  {{- if .Values.addons.nexus.license_key }}
+  properties:
+    override: true
+    data: 
+      nexus.licenseFile: /nexus-data/sonatype-license.lic
+  {{- end }}

 license_key: "{{ .Values.addons.nexus.license_key }}"

@@ -34,12 +40,16 @@ license_key: "{{ .Values.addons.nexus.license_key }}"
 sso:
  enabled: {{ .Values.addons.nexus.sso.enabled }}
  idp_data:
+    {{- if .Values.addons.nexus.sso.idp_data.entityId }}
+    entityId: {{ .Values.addons.nexus.sso.idp_data.entityId }}
+    {{- else }}
    entityId: "https://nexus.{{ $domainName }}/service/rest/v1/security/saml/metadata"
-    usernameAttribute: "{{ .Values.addons.nexus.sso.idp_data.username }}"
-    firstNameAttribute: "{{ .Values.addons.nexus.sso.idp_data.firstName }}"
-    lastNameAttribute: "{{ .Values.addons.nexus.sso.idp_data.lastName }}"
-    emailAttribute: "{{ .Values.addons.nexus.sso.idp_data.email }}"
-    groupsAttribute: "{{ .Values.addons.nexus.sso.idp_data.groups }}"
+    {{- end }}
+    usernameAttribute: "{{ default "username" .Values.addons.nexus.sso.idp_data.username }}"
+    firstNameAttribute: "{{ default "firstName" .Values.addons.nexus.sso.idp_data.firstName }}"
+    lastNameAttribute: "{{ default "lastName" .Values.addons.nexus.sso.idp_data.lastName }}"
+    emailAttribute: "{{ default "email" .Values.addons.nexus.sso.idp_data.email }}"
+    groupsAttribute: "{{ default "groups" .Values.addons.nexus.sso.idp_data.groups }}"
    validateResponseSignature: "true"
    validateAssertionSignature: "true"
    idpMetadata: '{{ .Values.addons.nexus.sso.idp_data.idpMetadata }}'
@@ -48,12 +58,21 @@ sso:
    - "NexusAuthorizingRealm"
    - "SamlRealm"
  role:
-    id: "keycloak"
-    name: "keycloak"
-    description: "all keycloak users as admins"
-    privileges:
-      - "nx-all"
-    roles:
-      - "nx-admin"
+    {{- range .Values.addons.nexus.sso.role }}
+    - id: {{ .id | quote }}
+      name: {{ .name | quote }}
+      description: {{ .description | quote }}
+      privileges: 
+        {{- range .privileges }}
+        - {{ . | quote }}
+        {{- else }} []
+        {{- end }}
+      roles: 
+        {{- range .roles }}
+        - {{ . | quote }}
+        {{- else }} []
+        {{- end }}
+    {{- end }}
+
 {{- end }}
 {{- end -}}
No results found