CHANGELOG.md

@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.56.0]
+
+- [!1.56.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.56.0); List of merge requests in this release.
+
 ## [1.55.0]
 
 - [!1.55.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.55.0); List of merge requests in this release.

base/gitrepository.yaml

@@ -11,4 +11,4 @@ spec:
   interval: 10m
   url: https://repo1.dso.mil/big-bang/bigbang.git
   ref:
-    tag: 1.55.0
+    tag: 1.56.0

blog/.pages

+nav:
+  - Big Bang 2.0: big-bang-2-0

blog/big-bang-2-0.md

+# Big Bang 2.0
+
+What is Big Bang 2.0? Why are we doing it? 2.0 is the second major release since Big Bang 1.0 released in December 2020. This blog post should provide you with both the why behind what we're doing as well as what the changes involved are - and what that means for you as a user.
+
+## Why Change Things?
+
+A lot of the why behind 2.0 comes down to customer pain points. Here are a few of the top ones that tie into specific things changing in 2.0:
+1. The barrier to entry for users is too high, both from a technical/knowledge standpoint and from a cost perspective
+2. Upgrades of Big Bang are difficult, partially due to the large amount of changes in each release
+3. Adding on community packages/mission apps is too hard - there's no easy (or even documented) way to add a new community package to your deployment
+
+
+Beyond these pain points there are also changes we are making to enable future platform improvements - that necessitate a major release.
+
+## What is Changing?
+
+### Free and OpenSource Core by Default
+
+The default core packages in 1.x releases come with both licensing and closed source concerns, as well as some usability concerns in some cases. Several of the default packages will be changing in 2.0 as a result:
+    - Runtime Security: NeuVector will replace Twistlock as the default. NeuVector is opensourced and does not come with a license cost.
+    - Logging: The PLG (Promtail/Loki/Grafana) stack will become the new default stack, replacing EFK (Elasticsearch/Fluentbit/Kibana). PLG has lower resource costs for users, and does not have a license requirement for core features.
+    - Policy Enforcement: Kyverno will replace Gatekeeper as the default. Kyverno provides a better user experience for policy writing, and is more directly focused on the Kubernetes experience.
+    - Tracing: Tempo will replace Jaeger as the default. Jaeger has a dependency on Elasticsearch for persistence, and Tempo is better integrated with the PLG stack to tie traces to specific logs.
+
+These will be *small* breaking changes to user values. If you want to continue to deploy Twistlock for example, you will need to adjust your values to disable NeuVector and enable Twistlock before upgrading. It's also important to note that we will continue to support the alternative packages in all of these cases, we do not intend to lock users in to a single option.
+
+### Standardization of Naming
+
+Within Big Bang, packages have a wide variety of naming conventions and mis-matches between different locations. Some packages may have a values key that doesn't match the namespace or `HelmRelease` name. In order to improve the user experience we are standardizing the names in these areas. Package values keys will line up with the namespace and `HelmRelease`/`GitRepository` name 1:1 with case translations to accommodate different usages (`camelCase` for Helm values, `kebab-case` for Kubernetes resources). In addition, Big Bang will provide a documented style guide with any exceptions to the guide.
+
+Once again - these will be *small* breaking changes to user values and potentially has effects on any extra user scripts/tooling on top of Big Bang. Exact changes will be provided as part of a follow on blog post and in the release notes for 2.0.
+
+### Improved Package Extensibility
+
+With 2.0 we will be providing a way to deploy community/arbitrary packages as part of Big Bang, as a "first-class" experience. This will provide a way for users to effectively extend Big Bang, and still have the lifecycle of additional packages tied to the Big Bang deployment directly. Beyond this, there will also be a new `wrapper` provided that offers some features for integration of an application inside of Big Bang, strictly via Big Bang values. This includes things like configuring `VirtualService`, `ServiceMonitor`, and `NetworkPolicy` resources.
+
+For additional details on what this looks like from a user/values perspective read the [extra package deployment guide](../docs/guides/deployment-scenarios/extra-package-deployment.md). This will be provided as a new feature, and not change any existing architecture/functionality.
+
+### Upgrade Process Improvements
+
+As mentioned in our why section - upgrades for Big Bang are hard. A big piece of this is a lack of documentation surrounding what a Big Bang upgrade should look like, and how to complete one. In 2.0 we will be providing clear documentation around updates for both single packages and the entire stack as a whole.
+
+One of the challenges we are balancing is keeping end users up to date with the latest security patches as quick as they release, while avoiding the danger of updating 10, 20, 30+ packages in a single upgrade. Part of our approach to resolving this pain is releasing/encouraging smaller upgrades, more often. A piece of our solution for this is providing the Renovate tool as a Big Bang package, along with guidance around usage and templates for configuration. Renovate is a tool that provides automation of dependency updates. Within the context of Big Bang this would alert end users of new package releases and provide automatic changes to the user's GitOps config repo in the form of merge/pull requests.. The ultimate goal is that customers could update packages asynchronously from the Big Bang releases (smaller updates, more often).
+
+This again will largely look more like a new feature - although it may have implications to the current release process/cadence. We will continue to release Big Bang versions, but again we hope for these to be smaller updates due to package updates happening differently. As a result the requirements for a major/minor/patch version will be different and will be documented in the near future.
+
+### OCI HelmRepositories
+
+OCI `HelmRepository` will be offered as a deployment option instead of `GitRepository` in 2.0. Big Bang charts are currently being published as Helm OCI artifacts in `registry1.dso.mil/bigbang` and will be published for all Big Bang core, addon, and community packages. It is important to call out that there is no inherent extra scanning/security going into these artifacts today - this is largely just a "storage format" change for the way Flux sources the Helm charts. In the future Big Bang will be signing our OCI Helm charts and providing for verification of these signatures by end users - increasing confidence in our supply chain security. We also hope that will enable future improvements to the airgap process - all artifacts needed for Big Bang will be "OCI shaped", both the images and the Helm charts.
+
+This is a change in the underlying architecture of Big Bang, but it will be offered as an option in 2.0 to start with, and `GitRepository` will remain the default. We anticipate changing the default in the future but `GitRepository` will remain an option long-term to enable a variety of deployment needs.
+
+## Where can I learn more?
+
+Big Bang's 2.0 epic is a great place to start [here](https://repo1.dso.mil/groups/big-bang/-/epics/217). Beyond this we encourage users to get involved via the [BBTOC](https://repo1.dso.mil/platform-one/bbtoc).

chart/Chart.yaml

 apiVersion: v2
 name: bigbang
-version: 1.55.0
+version: 1.56.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 
 type: application

chart/templates/logging/loki/values.yaml

@@ -34,9 +34,6 @@ monitoring:
       insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
     {{- end }}
 
-istio:
-  enabled: {{ .Values.istio.enabled }}
-
 loki:
   storage:
     {{- if (eq .Values.loki.strategy "monolith") }}
@@ -69,6 +66,11 @@ loki:
     {{ include "istioAnnotation" . }}
   {{- end }}
 
+{{- if (eq .Values.loki.strategy "scalable") }}
+singleBinary:
+  replicas: 0
+{{- end }}
+
 {{- with .Values.loki.objectStorage }}
 {{- if and (eq $.Values.loki.strategy "scalable") (not (and .endpoint .region)) }}
 minio:

chart/templates/monitoring/values.yaml

@@ -447,7 +447,7 @@ prometheusOperator:
   {{- range $prometheusConfig, $default := $defaults.prometheus }}
     {{- $overlay := (dig "prometheus" $prometheusConfig dict $overlays) }}
     # Only continue if an overlay matches a default constriant and hidden "skipOverlayMerge" is not set
-    {{- if and $overlay (not $overlay.skipOverlayMerge) }}
+    {{- if and $overlay (kindIs "map" $overlay) (not $overlay.skipOverlayMerge) }}
 
       # Add any default additionalScrapeConfigs to overlay
       {{- if and (dig "additionalScrapeConfigs"  list $default) (dig "additionalScrapeConfigs"  list $overlay) }}
@@ -459,7 +459,7 @@ prometheusOperator:
   {{- range $monitoringConfig, $default := $defaults }}
     {{- $overlay := (dig $monitoringConfig dict $overlays) }}
     # Only continue if an overlay matches a default constriant and hidden "skipOverlayMerge" is not set
-    {{- if and $overlay (not $overlay.skipOverlayMerge) }}
+    {{- if and $overlay (kindIs "map" $overlay) (not $overlay.skipOverlayMerge) }}
 
       # Add any default extraSecretMounts to overlay
       {{- if and (dig "extraSecretMounts" list $default) (dig "extraSecretMounts" list $overlay) }}

chart/templates/neuvector/values.yaml

@@ -16,17 +16,20 @@ istio:
     - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
   injection: {{ ternary "enabled" "disabled" $istioInjection }}
 
-{{- if .Values.monitoring.enabled }}
 monitoring:
-  enabled: true
+  enabled: {{ .Values.monitoring.enabled }}
 
+{{- if or .Values.monitoring.enabled $istioInjection .Values.neuvector.sso.enabled }}
 controller:
+  {{- if $istioInjection }}
   podAnnotations:
-    checksum/metrics-pass: {{ sha256sum $neuvectorMetricsPass }}
+    {{ include "istioAnnotation" . }}
+  {{- end }}
+  {{- if or .Values.monitoring.enabled .Values.neuvector.sso.enabled }}
   secret:
     enabled: true
     data: 
-      # This configuration is read in at deploy time and users are created.
+      {{- if .Values.monitoring.enabled }}
       userinitcfg.yaml:
         always_reload: true
         users:
@@ -34,15 +37,36 @@ controller:
           password: {{ $neuvectorMetricsPass }}
           role: reader
           fullname: metrics
-    
+      {{- end }}
+      {{- if .Values.neuvector.sso.enabled }}
+      oidcinitcfg.yaml:
+        always_reload: true
+        enable: {{ .Values.neuvector.sso.enabled }}
+        issuer: {{ default (include "sso.url" .) (tpl (default "" .Values.neuvector.sso.issuer) .) }}
+        client_id: {{ .Values.neuvector.sso.client_id }}
+        client_secret: {{ .Values.neuvector.sso.client_secret }}
+        default_role: {{ .Values.neuvector.sso.default_role }}
+      {{- end }}
+  {{- end }}
+{{- end }}
+
 monitor:
-  install: true
+  install: {{ .Values.monitoring.enabled }}
   exporter:
-    enabled: true
+    enabled: {{ .Values.monitoring.enabled }}
+    {{- if or .Values.monitoring.enabled $istioInjection }}
+    podAnnotations:
+      {{- if .Values.monitoring.enabled }}
+      checksum/metrics-pass: {{ sha256sum $neuvectorMetricsPass }}
+      {{- end }}
+      {{- if $istioInjection }}
+      {{ include "istioAnnotation" . }}
+      {{- end }}
+    {{- end }}
     serviceMonitor:
-      enabled: true
+      enabled: {{ .Values.monitoring.enabled }}
       # conditional passes only for default istio: enabled, mTLS: SCRICT
-      {{- if and $istioInjection (eq (dig "istio" "mtls" "mode" "STRICT" .Values.neuvector.values) "STRICT") }}
+      {{- if and $istioInjection (eq (dig "istio" "mtls" "mode" "STRICT" .Values.neuvector.values) "STRICT") .Values.monitoring.enabled }}
       scheme: https
       tlsConfig:
         caFile: /etc/prom-certs/root-cert.pem
@@ -51,16 +75,33 @@ monitor:
         insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
       {{- end }}
     svc:
-      enabled: true
+      enabled: {{ .Values.monitoring.enabled }}
       type: ClusterIP
     CTRL_USERNAME: metrics
     CTRL_PASSWORD: {{ $neuvectorMetricsPass }}
+
+
+{{- if $istioInjection }}
+enforcer:
+  podAnnotations:
+    {{ include "istioAnnotation" . }}
+cve:
+  updater:
+    podAnnotations:
+      {{ include "istioAnnotation" . }}
+  scanner:
+    podAnnotations:
+      {{ include "istioAnnotation" . }}
 {{- end }}
 
 {{- if .Values.istio.enabled }}
 manager:
   env:
     ssl: false
+  {{- if $istioInjection }}
+  podAnnotations:
+    {{ include "istioAnnotation" . }}
+  {{- end }}
 {{- end }}
 
 networkPolicies:

chart/templates/package/kustomization.yaml

@@ -2,9 +2,12 @@
 {{- range $pkg, $vals := .Values.packages -}}
 {{- if and (dig "enabled" true $vals) $vals.kustomize -}}
 {{- $pkg := include "resourceName" $pkg -}}
-{{- $vals := merge $vals ($.Files.Get (printf "defaults/%s.yaml" $pkg) | fromYaml).package }}
+{{- $defaults := $.Files.Get (printf "defaults/%s.yaml" $pkg) -}}
+{{- if $defaults -}}
+{{- $vals := merge $vals ($defaults | fromYaml).package -}}
+{{- end -}}
 {{- $fluxSettings := merge (dig "flux" dict $vals) $.Values.flux -}}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
   name: {{ $pkg }}
@@ -13,37 +16,23 @@ metadata:
     app.kubernetes.io/name: {{ $pkg }}
     {{- include "commonLabels" $ | nindent 4 }}
 spec:
+  targetNamespace: {{ dig "namespace" "name" $pkg $vals }}
   path: {{ dig "git" "path" "" $vals }}
   sourceRef:
     kind: GitRepository
     name: {{ $pkg }}
     namespace: {{ dig "namespace" "name" $pkg $vals }}
-  {{- toYaml $fluxSettings | nindent 2 }}
+  interval: {{ dig "interval" "2m" $fluxSettings }}
+  timeout: {{ dig "timeout" "10m" $fluxSettings }}
+  force: {{ dig "force" false $fluxSettings }}
+  wait: {{ dig "wait" true $fluxSettings }}
+  retryInterval: {{ dig "retryInterval" "2m0s" $fluxSettings }}
+  prune: {{ dig "prune" true $fluxSettings }}
   postBuild:
     substituteFrom:
     - name: {{ $pkg }}-values
-        kind: Secret
+      kind: Secret
 
-  {{- /* Always wait on policy enforcement */ -}}
-  {{- $gatekeeperDep := $.Values.gatekeeper.enabled -}}
-  {{- $kyvernoDep := $.Values.kyvernopolicies.enabled -}}
-  {{- /* Wait on istio if sidecar is enabled */ -}}
-  {{- $istioDep := (and $.Values.istio.enabled (dig "istio" "injection" true $vals)) -}}
-  {{- if or $gatekeeperDep $kyvernoDep $istioDep }}
-  dependsOn:
-    {{- if $gatekeeperDep }}
-    - name: gatekeeper
-      namespace: {{ default "bigbang" $.Values.namespace }}
-    {{- end }}
-    {{- if $kyvernoDep }}
-    - name: kyvernopolicies
-      namespace: {{ default "bigbang" $.Values.namespace }}
-    {{- end }}
-    {{- if $istioDep }}
-    - name: istio
-      namespace: {{ default "bigbang" $.Values.namespace }}
-    {{- end -}}
-  {{- end }}
 ---
 {{ end -}}
 {{- end -}}
\ No newline at end of file

chart/templates/package/values.yaml

@@ -15,8 +15,13 @@ metadata:
     {{- include "commonLabels" $ | nindent 4 }}
 type: Opaque
 stringData:
+  {{ if and (dig "enabled" true $vals) (not $vals.kustomize) -}}
   values.yaml: |
-    {{- tpl (toYaml $vals.values) $ | nindent 4 }}
+  {{- tpl (toYaml $vals.values) $ | nindent 4 }}
+  {{ else }}
+  {{- tpl (toYaml $vals.values) $ | nindent 2 }}
+  {{ end }}
+  
 ---
 {{ end -}}
 {{- end -}}
\ No newline at end of file

chart/templates/wrapper/helmrelease.yaml

 {{- /* Used for Helm chart deployment of Big Bang wrapper.  One per package. */ -}}
 {{- range $pkg, $vals := .Values.packages -}}
-{{- if (dig "enabled" true $vals) -}}
+{{- if and (dig "enabled" true $vals) (dig "wrapper" "enabled" false $vals) -}}
 {{- $pkg = include "resourceName" $pkg -}}
 {{- $fluxSettings := merge (dig "flux" dict $vals) $.Values.flux -}}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1

chart/templates/wrapper/values.yaml

 {{- /* Used for creating values to use for Helm wrapper and package Helm charts. */ -}}
 {{- range $pkg, $vals := .Values.packages -}}
-{{- if (dig "enabled" true $vals) -}}
+{{- if and (dig "enabled" true $vals) (dig "wrapper" "enabled" false $vals) -}}
 {{- $pkg = include "resourceName" $pkg -}}
 apiVersion: v1
 kind: Secret

chart/values.yaml

@@ -147,7 +147,7 @@ istio:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
     path: "./chart"
-    tag: "1.16.2-bb.0"
+    tag: "1.17.1-bb.0"
 
   # -- Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support,
   # validated through the FIPs Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
@@ -263,7 +263,7 @@ istiooperator:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
     path: "./chart"
-    tag: "1.16.2-bb.0"
+    tag: "1.17.1-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Istio Operator Package
   flux: {}
@@ -280,7 +280,7 @@ jaeger:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git
     path: "./chart"
-    tag: "2.38.0-bb.1"
+    tag: "2.41.0-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Jaeger Package
   flux:
@@ -415,7 +415,7 @@ kyvernopolicies:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git
     path: ./chart
-    tag: "1.1.0-bb.3"
+    tag: "1.1.0-bb.4"
 
   # -- Flux reconciliation overrides specifically for the Kyverno Package
   flux: {}
@@ -432,7 +432,7 @@ kyvernoreporter:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-reporter.git
     path: ./chart
-    tag: "2.16.0-bb.0"
+    tag: "2.16.0-bb.1"
 
   # -- Flux reconciliation overrides specifically for the Kyverno Reporter Package
   flux: {}
@@ -508,7 +508,7 @@ fluentbit:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
     path: "./chart"
-    tag: "0.24.0-bb.0"
+    tag: "0.25.0-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Fluent-Bit Package
   flux: {}
@@ -545,7 +545,7 @@ loki:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki.git
     path: "./chart"
-    tag: "4.4.2-bb.2"
+    tag: "4.8.0-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Loki Package
   flux: {}
@@ -590,15 +590,28 @@ neuvector:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
     path: "./chart"
-    tag: "2.4.2-bb.3"
+    tag: "2.4.2-bb.5"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress:
     gateway: ""
 
+  sso:
+    # -- Toggle SSO for Neuvector on and off
+    enabled: true
+    
+    # -- OIDC Client ID to use for Neuvector
+    client_id: ""
+
+    # -- OIDC Client Secret to use for Neuvector
+    client_secret: ""
+
+    # -- Default role to use for Neuvector OIDC users. Supports admin, reader, or no default
+    default_role: ""
+
   # -- Flux reconciliation overrides specifically for the Neuvector Package
   flux: {}
-
+  
   # -- Values to passthrough to the Neuvector chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
   values: {}
 
@@ -615,7 +628,7 @@ tempo:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo.git
     path: "./chart"
-    tag: "1.0.0-bb.3"
+    tag: "1.0.2-bb.0"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress:
@@ -675,7 +688,7 @@ monitoring:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
     path: "./chart"
-    tag: "43.1.2-bb.3"
+    tag: "43.1.2-bb.4"
 
   # -- Flux reconciliation overrides specifically for the Monitoring Package
   flux:
@@ -736,7 +749,7 @@ twistlock:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
     path: "./chart"
-    tag: "0.11.4-bb.3"
+    tag: "0.12.0-bb.0"
 
   # -- Flux reconciliation overrides specifically for the Twistlock Package
   flux: {}
@@ -847,7 +860,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git
       path: "./chart"
-      tag: "4.5.4-bb.0"
+      tag: "4.5.8-bb.1"
 
     # -- Flux reconciliation overrides specifically for the Minio Operator Package
     flux: {}
@@ -864,7 +877,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
       path: "./chart"
-      tag: "4.5.4-bb.3"
+      tag: "4.5.8-bb.0"
 
     # -- Flux reconciliation overrides specifically for the Minio Package
     flux: {}
@@ -897,7 +910,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
       path: "./chart"
-      tag: "6.8.2-bb.0"
+      tag: "6.9.2-bb.1"
 
     # -- Flux reconciliation overrides specifically for the Gitlab Package
     flux: {}
@@ -990,7 +1003,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git
       path: "./chart"
-      tag: "0.49.1-bb.0"
+      tag: "0.49.1-bb.3"
 
     # -- Flux reconciliation overrides specifically for the Gitlab Runner Package
     flux: {}
@@ -1233,7 +1246,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git
       path: "./chart"
-      tag: "1.19.0-bb.0"
+      tag: "1.20.0-bb.0"
 
     # -- Flux reconciliation overrides specifically for the Mattermost Operator Package
     flux: {}
@@ -1337,7 +1350,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
       path: "./chart"
-      tag: "3.1.2-bb.2"
+      tag: "3.1.5-bb.0"
 
     # -- Flux reconciliation overrides specifically for the Velero Package
     flux: {}
@@ -1414,7 +1427,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git
       path: "./chart"
-      tag: "0.23.0-bb.2"
+      tag: "0.23.0-bb.3"
 
     # -- Flux reconciliation overrides specifically for the Vault Package
     flux: {}

chart/values2.0.yaml

@@ -268,6 +268,7 @@ packages:
     # -- Toggle deployment of this package
     # @default -- true
     enabled: false
+
     # -- Use a kustomize deployment rather than Helm
     kustomize: false
 

docs/assets/configs/example/dev-sso-values.yaml

@@ -185,6 +185,14 @@ twistlock:
     enabled: true
     client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock
 
+neuvector:
+  sso:
+    enabled: true
+    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-neuvector
+    client_secret: AyAixE3
+    default_role: admin
+    issuer: https://login.dso.mil/auth/realms/baby-yoda
+
 addons:
   authservice:
     enabled: true
@@ -228,6 +236,7 @@ addons:
       enabled: true
       client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost"
       client_secret: "no-secret"
+
   nexusRepositoryManager:
     # Nexus requires manual configuration in Keycloak client and cannot be tested with login.dso.mil
     # you must test with your own dev deployment.  Example: keycloak.bigbang.dev

docs/assets/scripts/developer/k3d-dev.sh

 #!/bin/bash
 
+function run() {
+  ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "$@"
+}
+
 #### Global variables - These allow the script to be run by non-bigbang devs easily
 if [[ -z "${VPC_ID}" ]]; then
   # default
@@ -320,7 +324,7 @@ ssh-keygen -f "${HOME}/.ssh/known_hosts" -R "${PublicIP}"
 
 echo "ssh init"
 # this is a do-nothing remote ssh command just to initialize ssh and make sure that the connection is working
-until ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "hostname"; do
+until run "hostname"; do
   sleep 5
   echo "Retry ssh command.."
 done
@@ -333,43 +337,43 @@ echo
 echo "starting instance config"
 
 echo "Instance will automatically terminate 8 hours from now unless you alter the root crontab"
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "sudo bash -c 'echo \"\$(date -u -d \"+8 hours\" +\"%M %H\") * * * /usr/sbin/shutdown -h now\" | crontab -'"
+run "sudo bash -c 'echo \"\$(date -u -d \"+8 hours\" +\"%M %H\") * * * /usr/sbin/shutdown -h now\" | crontab -'"
 echo
 
 echo
 echo "updating packages"
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "sudo apt-get -y update"
+run "sudo apt-get -y update"
 
 echo
 echo "installing docker"
 # install dependencies
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "sudo apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release gnupg-agent software-properties-common"
+run "sudo apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release gnupg-agent software-properties-common"
 # Add the Docker repository, we are installing from Docker and not the Ubuntu APT repo.
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} 'sudo mkdir -m 0755 -p /etc/apt/keyrings'
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg'
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null'
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "sudo apt-get update && sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
+run 'sudo mkdir -m 0755 -p /etc/apt/keyrings'
+run 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg'
+run 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null'
+run "sudo apt-get update && sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
 
 echo
 echo
 # Add your base user to the Docker group so that you do not need sudo to run docker commands
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "sudo usermod -aG docker ubuntu"
+run "sudo usermod -aG docker ubuntu"
 echo
 
 # install kubectl
 echo Installing kubectl...
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} 'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"'
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} 'sudo mv /home/ubuntu/kubectl /usr/local/bin/'
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} 'sudo chmod +x /usr/local/bin/kubectl'
+run 'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"'
+run 'sudo mv /home/ubuntu/kubectl /usr/local/bin/'
+run 'sudo chmod +x /usr/local/bin/kubectl'
 
 echo
 echo
 # install k3d on instance
 echo "Installing k3d on instance"
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | TAG=v5.4.8 bash"
+run "wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | TAG=v5.4.9 bash"
 echo
 echo "k3d version"
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "k3d version"
+run "k3d version"
 echo
 
 echo "creating k3d cluster"
@@ -388,7 +392,7 @@ k3d_command+=" --port 80:80@loadbalancer --port 443:443@loadbalancer --api-port
 if [[ "$METAL_LB" == true ]]; then
   # create docker network for k3d cluster
   echo "creating docker network for k3d cluster"
-  ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "docker network create k3d-network --driver=bridge --subnet=172.20.0.0/16 --gateway 172.20.0.1"
+  run "docker network create k3d-network --driver=bridge --subnet=172.20.0.0/16 --gateway 172.20.0.1"
   k3d_command+=" --k3s-arg \"--disable=servicelb@server:0\" --network k3d-network"
 fi
 
@@ -402,19 +406,19 @@ else
 fi
 
 # Create k3d cluster
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "${k3d_command}"
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "kubectl config use-context k3d-k3s-default"
-ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "kubectl cluster-info"
+run "${k3d_command}"
+run "kubectl config use-context k3d-k3s-default"
+run "kubectl cluster-info"
 
 # Handle MetalLB cluster resource creation
 if [[ "$METAL_LB" == true ]]; then
   echo "installing MetalLB"
-  ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "kubectl create -f https://raw.githubusercontent.com/metallb/metallb/v0.13.9/config/manifests/metallb-native.yaml"
+  run "kubectl create -f https://raw.githubusercontent.com/metallb/metallb/v0.13.9/config/manifests/metallb-native.yaml"
 	# Wait for controller to be live so that validating webhooks function when we apply the config
 	echo "waiting for MetalLB controller"
-	ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "kubectl wait --for=condition=available --timeout 120s -n metallb-system deployment controller"
+	run "kubectl wait --for=condition=available --timeout 120s -n metallb-system deployment controller"
 
-  ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} <<- 'ENDSSH'
+  run <<- 'ENDSSH'
 	#run this command on remote
 	cat << EOF > metallb-config.yaml
 	apiVersion: metallb.io/v1beta1
@@ -437,7 +441,7 @@ if [[ "$METAL_LB" == true ]]; then
 	EOF
 	ENDSSH
 
-  ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} "kubectl create -f metallb-config.yaml"
+  run "kubectl create -f metallb-config.yaml"
 fi
 
 echo "copying kubeconfig to workstation..."
@@ -449,7 +453,7 @@ else  # default is to use public ip
 fi
 
 if [[ "$METAL_LB" == true ]]; then
-  ssh -i ~/.ssh/${KeyName}.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ubuntu@${PublicIP} <<- 'ENDSSH'
+  run <<- 'ENDSSH'
   # run this command on remote
   # fix /etc/hosts for new cluster
   sudo sed -i '/bigbang.dev/d' /etc/hosts

docs/guides/deployment-scenarios/extra-package-deployment.md

@@ -57,11 +57,15 @@ The wrapper does not add anything additional to your deployment, unless you also
 ```yaml
 packages:
   podinfo:
+    enabled: true
+    wrapper:
+      enabled: true
     git:
       repo: https://github.com/stefanprodan/podinfo.git
       tag: 6.3.4
       path: charts/podinfo
 ```
+NOTE: The wrapper is an opt-in feature.  Without enabling the wrapper, the `packages` will default to deploying flux object for your chart, without any wrapper-added configuration.
 
 The package also has OCI support for sourcing the artifacts; usage will be encouraged with the move to 2.0 and "first-class" support for `HelmRepository` resources.
 
@@ -69,7 +73,7 @@ With these values added you should have a very basic deployment of `podinfo` add
 
 ### Basic Overrides
 
-There are some basic ovveride values provides to modify your Helm chart installation. An example of these values is included below:
+There are some basic override values provided to modify your Helm chart installation. These do NOT require the `wrapper`. An example of these values is included below:
 
 ```yaml
 packages:
@@ -102,6 +106,8 @@ packages:
       repo: https://github.com/stefanprodan/podinfo.git
       tag: 6.3.4
       path: charts/podinfo
+    wrapper:
+      enabled: true
     istio:
       hosts:
         - names:
@@ -127,6 +133,8 @@ packages:
       repo: https://github.com/stefanprodan/podinfo.git
       tag: 6.3.4
       path: charts/podinfo
+    wrapper:
+      enabled: true
     monitor:
       services:
         - spec:
@@ -149,6 +157,8 @@ packages:
       repo: https://github.com/stefanprodan/podinfo.git
       tag: 6.3.4
       path: charts/podinfo
+    wrapper:
+      enabled: true
     network:
       allowControlPlaneEgress: true
 ```
@@ -168,6 +178,8 @@ packages:
       repo: https://github.com/stefanprodan/podinfo.git
       tag: 6.3.4
       path: charts/podinfo
+    wrapper:
+      enabled: true
     configMaps:
       - name: config
         data:

docs/understanding-bigbang/configuration/base-config.md

 # bigbang
 
-![Version: 1.55.0](https://img.shields.io/badge/Version-1.55.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.56.0](https://img.shields.io/badge/Version-1.56.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 
@@ -65,7 +65,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istio.enabled | bool | `true` | Toggle deployment of Istio. |
 | istio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git"` |  |
 | istio.git.path | string | `"./chart"` |  |
-| istio.git.tag | string | `"1.16.2-bb.0"` |  |
+| istio.git.tag | string | `"1.17.1-bb.0"` |  |
 | istio.enterprise | bool | `false` | Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support, validated through the FIPs Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription |
 | istio.ingressGateways.public-ingressgateway.type | string | `"LoadBalancer"` |  |
 | istio.ingressGateways.public-ingressgateway.kubernetesResourceSpec | object | `{}` |  |
@@ -80,14 +80,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istiooperator.enabled | bool | `true` | Toggle deployment of Istio Operator. |
 | istiooperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git"` |  |
 | istiooperator.git.path | string | `"./chart"` |  |
-| istiooperator.git.tag | string | `"1.16.2-bb.0"` |  |
+| istiooperator.git.tag | string | `"1.17.1-bb.0"` |  |
 | istiooperator.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Operator Package |
 | istiooperator.values | object | `{}` | Values to passthrough to the istio-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git |
 | istiooperator.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | jaeger.enabled | bool | `true` | Toggle deployment of Jaeger. |
 | jaeger.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git"` |  |
 | jaeger.git.path | string | `"./chart"` |  |
-| jaeger.git.tag | string | `"2.38.0-bb.1"` |  |
+| jaeger.git.tag | string | `"2.41.0-bb.0"` |  |
 | jaeger.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Jaeger Package |
 | jaeger.ingress | object | `{"gateway":""}` | Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public". |
 | jaeger.sso.enabled | bool | `false` | Toggle SSO for Jaeger on and off |
@@ -116,21 +116,21 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
 | gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` |  |
 | gatekeeper.git.path | string | `"./chart"` |  |
-| gatekeeper.git.tag | string | `"3.11.0-bb.1"` |  |
+| gatekeeper.git.tag | string | `"3.11.0-bb.2"` |  |
 | gatekeeper.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
 | gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
 | gatekeeper.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | kyverno.enabled | bool | `false` | Toggle deployment of Kyverno. |
 | kyverno.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git"` |  |
 | kyverno.git.path | string | `"./chart"` |  |
-| kyverno.git.tag | string | `"2.6.5-bb.2"` |  |
+| kyverno.git.tag | string | `"2.6.5-bb.3"` |  |
 | kyverno.flux | object | `{}` | Flux reconciliation overrides specifically for the Kyverno Package |
 | kyverno.values | object | `{}` | Values to passthrough to the kyverno chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git |
 | kyverno.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | kyvernopolicies.enabled | bool | `false` | Toggle deployment of Kyverno policies |
 | kyvernopolicies.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git"` |  |
 | kyvernopolicies.git.path | string | `"./chart"` |  |
-| kyvernopolicies.git.tag | string | `"1.1.0-bb.2"` |  |
+| kyvernopolicies.git.tag | string | `"1.1.0-bb.3"` |  |
 | kyvernopolicies.flux | object | `{}` | Flux reconciliation overrides specifically for the Kyverno Package |
 | kyvernopolicies.values | object | `{}` | Values to passthrough to the kyverno policies chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git |
 | kyvernopolicies.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
@@ -177,7 +177,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | loki.enabled | bool | `false` | Toggle deployment of Loki. |
 | loki.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki.git"` |  |
 | loki.git.path | string | `"./chart"` |  |
-| loki.git.tag | string | `"4.4.2-bb.2"` |  |
+| loki.git.tag | string | `"4.8.0-bb.0"` |  |
 | loki.flux | object | `{}` | Flux reconciliation overrides specifically for the Loki Package |
 | loki.strategy | string | `"monolith"` | Loki architecture.  Options are monolith and scalable |
 | loki.objectStorage.endpoint | string | `""` | S3 compatible endpoint to use for connection information. examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000" |
@@ -190,8 +190,12 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | neuvector.enabled | bool | `false` | Toggle deployment of Neuvector. |
 | neuvector.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git"` |  |
 | neuvector.git.path | string | `"./chart"` |  |
-| neuvector.git.tag | string | `"2.4.2-bb.2"` |  |
+| neuvector.git.tag | string | `"2.4.2-bb.5"` |  |
 | neuvector.ingress | object | `{"gateway":""}` | Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public". |
+| neuvector.sso.enabled | bool | `true` | Toggle SSO for Neuvector on and off |
+| neuvector.sso.client_id | string | `""` | OIDC Client ID to use for Neuvector |
+| neuvector.sso.client_secret | string | `""` | OIDC Client Secret to use for Neuvector |
+| neuvector.sso.default_role | string | `""` | Default role to use for Neuvector OIDC users. Supports admin, reader, or no default |
 | neuvector.flux | object | `{}` | Flux reconciliation overrides specifically for the Neuvector Package |
 | neuvector.values | object | `{}` | Values to passthrough to the Neuvector chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git |
 | neuvector.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
@@ -215,7 +219,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
 | monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` |  |
 | monitoring.git.path | string | `"./chart"` |  |
-| monitoring.git.tag | string | `"43.1.2-bb.3"` |  |
+| monitoring.git.tag | string | `"43.1.2-bb.4"` |  |
 | monitoring.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Monitoring Package |
 | monitoring.ingress | object | `{"gateway":""}` | Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public". |
 | monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
@@ -245,7 +249,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
 | addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` |  |
 | addons.argocd.git.path | string | `"./chart"` |  |
-| addons.argocd.git.tag | string | `"5.22.1-bb.0"` |  |
+| addons.argocd.git.tag | string | `"5.22.1-bb.2"` |  |
 | addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
 | addons.argocd.ingress | object | `{"gateway":""}` | Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public". |
 | addons.argocd.redis.host | string | `""` | Hostname of a pre-existing Redis to use for ArgoCD. Entering connection info will enable external Redis and will auto-create any required secrets. |
@@ -286,7 +290,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.gitlab.hostnames.registry | string | `"registry"` |  |
 | addons.gitlab.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git"` |  |
 | addons.gitlab.git.path | string | `"./chart"` |  |
-| addons.gitlab.git.tag | string | `"6.8.2-bb.0"` |  |
+| addons.gitlab.git.tag | string | `"6.9.2-bb.1"` |  |
 | addons.gitlab.flux | object | `{}` | Flux reconciliation overrides specifically for the Gitlab Package |
 | addons.gitlab.ingress | object | `{"gateway":""}` | Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public". |
 | addons.gitlab.sso.enabled | bool | `false` | Toggle OIDC SSO for Gitlab on and off. Enabling this option will auto-create any required secrets. |
@@ -394,7 +398,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
 | addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` |  |
 | addons.mattermost.git.path | string | `"./chart"` |  |
-| addons.mattermost.git.tag | string | `"7.8.0-bb.0"` |  |
+| addons.mattermost.git.tag | string | `"7.8.1-bb.0"` |  |
 | addons.mattermost.flux | object | `{}` | Flux reconciliation overrides specifically for the Mattermost Package |
 | addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
 | addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install. |
@@ -420,7 +424,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.velero.enabled | bool | `false` | Toggle deployment of Velero. |
 | addons.velero.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git"` |  |
 | addons.velero.git.path | string | `"./chart"` |  |
-| addons.velero.git.tag | string | `"3.1.2-bb.1"` |  |
+| addons.velero.git.tag | string | `"3.1.2-bb.2"` |  |
 | addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package |
 | addons.velero.plugins | list | `[]` | Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi |
 | addons.velero.values | object | `{}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml |
@@ -452,7 +456,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.metricsServer.enabled | string | `"auto"` | Toggle deployment of metrics server Acceptable options are enabled: true, enabled: false, enabled: auto true = enabled / false = disabled / auto = automatic (Installs only if metrics API endpoint is not present) |
 | addons.metricsServer.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/metrics-server.git"` |  |
 | addons.metricsServer.git.path | string | `"./chart"` |  |
-| addons.metricsServer.git.tag | string | `"3.8.3-bb.2"` |  |
+| addons.metricsServer.git.tag | string | `"3.8.4-bb.0"` |  |
 | addons.metricsServer.flux | object | `{}` | Flux reconciliation overrides specifically for the metrics server Package |
 | addons.metricsServer.values | object | `{}` | Values to passthrough to the metrics server chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/metrics-server.git |
 | addons.metricsServer.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |

tests/images.txt

 registry:2
 registry1.dso.mil/ironbank/big-bang/base:2.0.0
-registry1.dso.mil/ironbank/big-bang/utilities:1.0.0
+registry1.dso.mil/ironbank/big-bang/utilities:1.0.1
 registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.14

tests/test-values.yaml

@@ -167,8 +167,8 @@ gatekeeper:
           - kiali/kiali-cypress-test
           - mattermost/mattermost-cypress-test
           - keycloak/keycloak-cypress-test
-          - jaeger/jaeger-operator-cypress-test
-          - monitoring/kube-prometheus-stack-cypress-test
+          - jaeger/jaeger-cypress-test
+          - monitoring/monitoring-cypress-test
           - vault/vault-cypress-test
           - logging/loki-cypress-test
           - twistlock/twistlock-cypress-test
@@ -299,8 +299,8 @@ gatekeeper:
           - kiali/kiali-cypress-test
           - mattermost/mattermost-cypress-test
           - keycloak/keycloak-cypress-test
-          - jaeger/jaeger-operator-cypress-test
-          - monitoring/kube-prometheus-stack-cypress-test
+          - jaeger/jaeger-cypress-test
+          - monitoring/monitoring-cypress-test
           - vault/vault-cypress-test
           - logging/loki-cypress-test
           - twistlock/twistlock-cypress-test