Compare revisions

Patrick Kelly · Jason Krause · Ryan Garcia · Micah Nagel · Michael Martin · Micah Nagel
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
+## [1.22.0]
+
+* [!1.22.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.22.0); List of merge requests in this release.
+
 ## [1.21.0]

 * [!1.21.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.21.0); List of merge requests in this release.

--- a/Packages.md
+++ b/Packages.md
@@ -24,7 +24,9 @@ Columns:
 | [OPA Gatekeeper](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy) | ![OPA Build](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/626) | No |No |
 | [Argocd](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd) |![Argo Build](https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd/badges/main/pipeline.svg)  |  No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/572) | [No](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/620) | No |
 | [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor) | ![Cluster Auditor Build](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor/badges/main/pipeline.svg)  | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/565) | No | No |
-
+| [Kyverno](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
+| [Promtail](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Promtail Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
+| [Loki](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Loki Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |

 ## Security
 | Package | Status | Logging | Telemetry | Tracing | Network Policies | mTLS | Behavior Detection |
@@ -33,6 +35,8 @@ Columns:
 | [Twistlock](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock) |  ![Twistlock Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/498) | [No](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/618) | No |
 | [Anchore Enterprise](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise) | ![Anchore Build](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/505) | [No](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/619) | No |
 | [Authservice](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice) | ![Authservice Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice/badges/main/pipeline.svg) | No | Yes | Yes | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/511) | No | No |
+| [Vault](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Vault Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
+

 ## Development Tools


--- a/README.md
+++ b/README.md
 # bigbang

-![Version: 1.21.0](https://img.shields.io/badge/Version-1.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.22.0](https://img.shields.io/badge/Version-1.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

@@ -14,11 +14,11 @@ Big Bang follows a [GitOps](#gitops) approach to configuration management, using

 Big Bang is intended to be used for deploying and maintaining a DoD hardened and approved set of packages into a Kubernetes cluster.  Deployment and configuration of ingress/egress, load balancing, policy auditing, logging, monitoring, etc. are handled via Big Bang.   Additional packages (e.g. ArgoCD, GitLab) can also be enabled and customized to extend Big Bang's baseline.  Once deployed, the customer can use the Kubernetes cluster to add mission specific applications.

-Additional information can be found in [Big Bang Overview](./docs/overview.md).
+Additional information can be found in [Big Bang Docs](./docs/README.md).

 ## Getting Started

-To start using Big Bang, you will need to create your own Big Bang environment tailored to your needs.  The [Big Bang customer template](https://repo1.dso.mil/platform-one/big-bang/customers/template/) is provided for you to copy into your own Git repository and begin modifications.  Follow the instructions in [Big Bang Getting Started](./docs) to customize and deploy Big Bang.
+To start using Big Bang, you will need to create your own Big Bang environment tailored to your needs.  The [Big Bang customer template](https://repo1.dso.mil/platform-one/big-bang/customers/template/) is provided for you to copy into your own Git repository and begin modifications.

 ## Maintainers

@@ -121,10 +121,17 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | gatekeeper.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
 | gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
 | gatekeeper.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
+| kyverno.enabled | bool | `false` | Toggle deployment of Kyverno. |
+| kyverno.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno"` |  |
+| kyverno.git.path | string | `"./chart"` |  |
+| kyverno.git.tag | string | `"2.1.2-bb.0"` |  |
+| kyverno.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Kyverno Package |
+| kyverno.values | object | `{}` | Values to passthrough to the kyverno chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git |
+| kyverno.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
 | logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` |  |
 | logging.git.path | string | `"./chart"` |  |
-| logging.git.tag | string | `"0.1.22-bb.0"` |  |
+| logging.git.tag | string | `"0.1.23-bb.0"` |  |
 | logging.flux | object | `{"timeout":"20m"}` | Flux reconciliation overrides specifically for the Logging (EFK) Package |
 | logging.ingress.gateway | string | `""` |  |
 | logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
@@ -143,14 +150,26 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | fluentbit.enabled | bool | `true` | Toggle deployment of Fluent-Bit. |
 | fluentbit.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git"` |  |
 | fluentbit.git.path | string | `"./chart"` |  |
-| fluentbit.git.tag | string | `"0.16.6-bb.1"` |  |
+| fluentbit.git.tag | string | `"0.19.3-bb.0"` |  |
 | fluentbit.flux | object | `{}` | Flux reconciliation overrides specifically for the Fluent-Bit Package |
 | fluentbit.values | object | `{}` | Values to passthrough to the fluentbit chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git |
 | fluentbit.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
+| promtail | object | `{"enabled":false,"flux":{},"git":{"path":"./chart","repo":"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail.git","tag":"3.8.1-bb.2"},"postRenderers":[],"values":{}}` | BETA support of promtail/loki logging stack |
+| promtail.enabled | bool | `false` | Toggle deployment of Promtail. |
+| promtail.flux | object | `{}` | Flux reconciliation overrides specifically for the Promtail Package |
+| promtail.values | object | `{}` | Values to passthrough to the promtail chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git |
+| promtail.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
+| loki.enabled | bool | `false` | Toggle deployment of Loki. |
+| loki.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki.git"` |  |
+| loki.git.path | string | `"./chart"` |  |
+| loki.git.tag | string | `"2.5.1-bb.2"` |  |
+| loki.flux | object | `{}` | Flux reconciliation overrides specifically for the Loki Package |
+| loki.values | object | `{}` | Values to passthrough to the Loki chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki.git |
+| loki.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
 | monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` |  |
 | monitoring.git.path | string | `"./chart"` |  |
-| monitoring.git.tag | string | `"14.0.0-bb.17"` |  |
+| monitoring.git.tag | string | `"14.0.0-bb.18"` |  |
 | monitoring.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Monitoring Package |
 | monitoring.ingress.gateway | string | `""` |  |
 | monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
@@ -168,7 +187,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | twistlock.enabled | bool | `true` | Toggle deployment of Twistlock. |
 | twistlock.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git"` |  |
 | twistlock.git.path | string | `"./chart"` |  |
-| twistlock.git.tag | string | `"0.0.11-bb.0"` |  |
+| twistlock.git.tag | string | `"0.0.12-bb.0"` |  |
 | twistlock.flux | object | `{}` | Flux reconciliation overrides specifically for the Twistlock Package |
 | twistlock.ingress.gateway | string | `""` |  |
 | twistlock.values | object | `{}` | Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git |
@@ -176,7 +195,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
 | addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` |  |
 | addons.argocd.git.path | string | `"./chart"` |  |
-| addons.argocd.git.tag | string | `"3.6.8-bb.10"` |  |
+| addons.argocd.git.tag | string | `"3.6.8-bb.12"` |  |
 | addons.argocd.flux | object | `{}` | Flux reconciliation overrides specifically for the ArgoCD Package |
 | addons.argocd.ingress.gateway | string | `""` |  |
 | addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
@@ -204,7 +223,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.minio.enabled | bool | `false` | Toggle deployment of minio. |
 | addons.minio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git"` |  |
 | addons.minio.git.path | string | `"./chart"` |  |
-| addons.minio.git.tag | string | `"4.2.3-bb.6"` |  |
+| addons.minio.git.tag | string | `"4.2.3-bb.8"` |  |
 | addons.minio.flux | object | `{}` | Flux reconciliation overrides specifically for the Minio Package |
 | addons.minio.ingress.gateway | string | `""` |  |
 | addons.minio.accesskey | string | `""` | Default access key to use for minio. |
@@ -247,7 +266,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.nexus.enabled | bool | `false` | Toggle deployment of Nexus. |
 | addons.nexus.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git"` |  |
 | addons.nexus.git.path | string | `"./chart"` |  |
-| addons.nexus.git.tag | string | `"34.1.0-bb.4"` |  |
+| addons.nexus.git.tag | string | `"34.1.0-bb.5"` |  |
 | addons.nexus.license_key | string | `""` | Base64 encoded license file. |
 | addons.nexus.ingress.gateway | string | `""` |  |
 | addons.nexus.sso.enabled | bool | `false` | Toggle SAML SSO for NXRM. -- handles SAML SSO, a Client must be configured in Keycloak or IdP -- to complete setup. -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599 |
@@ -265,7 +284,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.sonarqube.enabled | bool | `false` | Toggle deployment of SonarQube. |
 | addons.sonarqube.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git"` |  |
 | addons.sonarqube.git.path | string | `"./chart"` |  |
-| addons.sonarqube.git.tag | string | `"9.6.3-bb.9"` |  |
+| addons.sonarqube.git.tag | string | `"9.6.3-bb.10"` |  |
 | addons.sonarqube.flux | object | `{}` | Flux reconciliation overrides specifically for the Sonarqube Package |
 | addons.sonarqube.ingress.gateway | string | `""` |  |
 | addons.sonarqube.sso.enabled | bool | `false` | Toggle SAML SSO for SonarQube. Enabling this option will auto-create any required secrets. |
@@ -375,6 +394,14 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.keycloak.ingress.key | string | `""` | Certificate/Key pair to use as the certificate for exposing Keycloak Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart |
 | addons.keycloak.ingress.cert | string | `""` |  |
 | addons.keycloak.values | object | `{}` | Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git |
+| addons.vault.enabled | bool | `false` | Toggle deployment of Vault. |
+| addons.vault.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git"` |  |
+| addons.vault.git.path | string | `"./chart"` |  |
+| addons.vault.git.tag | string | `"0.16.1-bb.2"` |  |
+| addons.vault.flux | object | `{}` | Flux reconciliation overrides specifically for the Vault Package |
+| addons.vault.ingress.gateway | string | `""` |  |
+| addons.vault.values | object | `{}` | Values to passthrough to the vault chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git |
+| addons.vault.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |

 ## Contributing


--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
  ref:
-    tag: 1.21.0
+    tag: 1.22.0
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.21.0
+version: 1.22.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

 type: application

--- a/chart/templates/clusterauditor/values.yaml
+++ b/chart/templates/clusterauditor/values.yaml
@@ -7,6 +7,9 @@ elasticsearch:
  imagePullSecrets:
    - name: private-registry

+image:
+  imagePullPolicy: {{ .Values.imagePullPolicy }}
+
 monitoring:
  enabled: {{ .Values.monitoring.enabled }}


--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -4,17 +4,20 @@

 {{- define "bigbang.defaults.gatekeeper" -}}
 image:
+  pullPolicy: {{ .Values.imagePullPolicy }}
  pullSecrets:
  - name: private-registry
 postInstall:
  labelNamespace:
    enabled: false
    image:
+      pullPolicy: {{ .Values.imagePullPolicy }}
      pullSecrets:
      - name: private-registry
 postUpgrade:
  cleanupCRD:
    image:
+      pullPolicy: {{ .Values.imagePullPolicy }}
      pullSecrets:
      - name: private-registry

@@ -101,7 +104,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
      {{- end }}
  {{- end }}

-  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled }}
+  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled }}
  selinuxPolicy:
    parameters:
      excludedResources:
@@ -113,6 +116,10 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
      # Twistlock Defenders need selinux option type spc_t
      - twistlock/twistlock-defender
      {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # Promtail needs selinux option type spc_t
+      - logging/promtail
+      {{- end }}
  {{- end }}

  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled }}

--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -25,6 +25,8 @@ networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}

+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
 {{- if .Values.istio.ingressGateways }}
 ingressGateways:
  istio-ingressgateway:

--- a/chart/templates/istio/operator/values.yaml
+++ b/chart/templates/istio/operator/values.yaml
@@ -5,6 +5,8 @@
 {{- define "bigbang.defaults.istiooperator" -}}
 createNamespace: false

+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
 imagePullSecrets:
  - private-registry


--- a/chart/templates/jaeger/values.yaml
+++ b/chart/templates/jaeger/values.yaml
@@ -6,6 +6,9 @@
 imagePullSecrets:
  - name: private-registry

+image:
+  pullPolicy: {{ .Values.imagePullPolicy }}
+  
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
 {{- $domainName := default .Values.domain .Values.hostname }}
 hostname: {{ $domainName }}

--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
@@ -10,6 +10,9 @@ domain: {{ $domainName }}

 openshift: {{ .Values.openshift}}

+image:
+  pullPolicy: {{ .Values.imagePullPolicy }}
+
 istio:
  enabled: {{ .Values.istio.enabled }}
  kiali:
@@ -22,6 +25,8 @@ elasticsearch:
  enabled: {{ .Values.logging.enabled }}
 cr:
  spec:
+    deployment:
+      image_pull_policy: {{ .Values.imagePullPolicy }}
    server:
      web_port: "443"
    auth:

--- a/chart/templates/logging/eck-operator/values.yaml
+++ b/chart/templates/logging/eck-operator/values.yaml
@@ -8,6 +8,9 @@ license:
  keyJSON: |
    {{ .Values.logging.license.keyJSON | nindent 4 }}

+image:
+  pullPolicy: {{ .Values.imagePullPolicy }}
+
 podAnnotations:
  sidecar.istio.io/inject: "true"
  traffic.sidecar.istio.io/includeInboundPorts: "*"

--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -10,6 +10,8 @@ domain: {{ $domainName }}

 openshift: {{ .Values.openshift }}

+imagePullPolicy: {{ .Values.imagePullPolicy }}
+
 istio:
  enabled: {{ .Values.istio.enabled }}
  kibana:

--- a/chart/templates/logging/fluentbit/values.yaml
+++ b/chart/templates/logging/fluentbit/values.yaml
@@ -11,6 +11,9 @@ elasticsearch:
 imagePullSecrets:
  - name: private-registry

+image:
+  pullPolicy: {{ .Values.imagePullPolicy }}
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}

--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -48,22 +48,38 @@ istio:
    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
  injection: {{ dig "istio" "injection" "enabled" .Values.monitoring }}

-{{- if .Values.monitoring.sso.enabled }}
 alertmanager:
  alertmanagerSpec:
+    # The operator performs a strategic merge to add our imagePullPolicy definition to the default containers
+    # NOTE: This functionality is not actively maintained upstream and may not work in a future monitoring upgrade
+    containers:
+      - name: "alertmanager"
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+      - name: "config-reloader"
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+    {{- if .Values.monitoring.sso.enabled }}
    {{- $alertmanagerAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
    {{- $alertmanagerAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
    podMetadata:
      labels:
        {{ $alertmanagerAuthserviceKey }}: {{ $alertmanagerAuthserviceValue }}
+    {{- end }}
 prometheus:
  prometheusSpec:
+    # The operator performs a strategic merge to add our imagePullPolicy definition to the default containers
+    # NOTE: This functionality is not actively maintained upstream and may not work in a future monitoring upgrade
+    containers:
+      - name: "prometheus"
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+      - name: "config-reloader"
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+    {{- if .Values.monitoring.sso.enabled }}
    {{- $prometheusAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
    {{- $prometheusAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
    podMetadata:
      labels:
        {{ $prometheusAuthserviceKey }}: {{ $prometheusAuthserviceValue }}
-{{- end }}
+    {{- end }}

 anchore:
  enabled: {{ .Values.addons.anchore.enabled }}
@@ -83,8 +99,11 @@ sso:

 grafana:
  image:
+    pullPolicy: {{ .Values.imagePullPolicy }}
    pullSecrets:
    - private-registry
+  sidecar:
+    imagePullPolicy: {{ .Values.imagePullPolicy }}

  {{- if .Values.loki.enabled }}
  additionalDataSources:
@@ -127,6 +146,8 @@ grafana:
  {{- end }}

 prometheus-node-exporter:
+  image:
+    pullPolicy: {{ .Values.imagePullPolicy }}
  serviceAccount:
    imagePullSecrets:
    - name: private-registry
@@ -138,6 +159,19 @@ prometheus-node-exporter:
  {{- end }}

 kube-state-metrics:
+  image:
+    pullPolicy: {{ .Values.imagePullPolicy }}
  imagePullSecrets:
  - name: private-registry
+
+prometheusOperator:      
+  image:
+    pullPolicy: {{ .Values.imagePullPolicy }}      
+  admissionWebhooks:        
+    cleanupProxy:          
+      image:            
+        pullPolicy: {{ .Values.imagePullPolicy }}        
+    patch:           
+      image:            
+        pullPolicy: {{ .Values.imagePullPolicy }}
 {{- end -}}
--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -31,4 +31,8 @@ istio:
    gateways:
    - istio-system/{{ default "public" .Values.twistlock.ingress.gateway }}

+console:
+  image:
+    imagePullPolicy: {{ .Values.imagePullPolicy }}
+
 {{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -109,6 +109,11 @@ networkPolicies:
  # Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
  nodeCidr: ""

+# -- Global ImagePullPolicy value for all packages
+# Permitted values are: None, Always, IfNotPresent 
+imagePullPolicy: IfNotPresent
+
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Istio
 #
@@ -428,7 +433,7 @@ promtail:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail.git
    path: "./chart"
-    tag: "3.8.1-bb.1"
+    tag: "3.8.1-bb.2"

  # -- Flux reconciliation overrides specifically for the Promtail Package
  flux: {}
@@ -1020,7 +1025,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git
      path: "./chart"
-      tag: "0.2.4-bb.0"
+      tag: "0.3.0-bb.0"

    # -- Flux reconciliation overrides specifically for the Mattermost Package
    flux: {}

--- a/docs/developer/package-integration/package-integration-monitoring.md
+++ b/docs/developer/package-integration/package-integration-monitoring.md
@@ -4,8 +4,208 @@ Monitoring packages requires a way to scrape metrics, provide those to data stor

 ## Prerequisites

-TBD
+Before integrating with Prometheus, you must identify the following:
+
+- Does the application support metrics exporting for Prometheus.  If not, you will need to find a Prometheus exporter to provide this service.
+- Does the upstream Helm chart for the application (or exporter) support Prometheus natively?  If not, we'll have to create our own monitoring resources.
+   > Searching the Helm chart for `monitoring.coreos.com` will usually find any resources that support Prometheus
+- What path and port are used to scrape metrics on the application or exporter?
+- What services and/or pods are deployed that should be monitored?
+- Is there a pre-existing Grafana dashboard that can be leveraged?  If not, we will need to create one.

 ## Integration

+### Placeholder values
+
+The package requires placeholder values for whether the monitoring stack (e.g. Prometheus / Grafana) is enabled and what label to use for dashboards.  In `chart/values.yaml`, add placeholders for these:
+
+```yaml
+serviceMonitor:
+  enabled: false
+  ## Added by Big Bang
+  dashboards:
+    # Namespace to put .json ConfigMap so Grafana sidecar will find it
+    namespace: ""
+    # Label to apply to dashboard so Grafana sidecar will find it
+    label: grafana_dashboard
+```
+
+> In this case, we put the values under `serviceMonitor:` since it already exists in the upstream Helm chart. Otherwise, we would create `monitoring:` for the values
+
+### Pass down values
+
+Big Bang needs to set the placeholders above to the appropriate values.  In addition, upstream charts may already have values related to monitoring that need to be set.
+
+In `bigbang/templates/podinfo/values.yaml`, add the following to pass down the values from Big Bang to PodInfo.
+
+```yaml
+serviceMonitor:
+  enabled: {{ .Values.monitoring.enabled }}
+  dashboards:
+    namespace: monitoring
+    label: {{ dig "values" "grafana" "sidecar" "dashboards" "label" "grafana_dashboard" .Values.monitoring }}
+```
+
+### Dependency
+
+If we plan to scrape metrics from the application with the monitoring stack, we need to make sure the monitoring stack is deployed first so that CRDs are in place before we deploy our resources.  To do this, we add a `dependsOn` section in the `bigbang/templates/podinfo/helmrelease.yaml` file like this:
+
+```yaml
+spec:
+  {{- if or .Values.istio.enabled .Values.monitoring.enabled }}
+  dependsOn:
+    {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+  {{- end }}
+```
+
+> We previously had a dependency on Istio, which we leave in place in this example.
+
+### Service Monitor
+
+If the upstream Helm chart provides you with a `ServiceMonitor` and `Service` for scraping metrics, verify that there is a conditional around each one to only deploy them if monitoring is enabled (e.g. `{{- if .Values.serviceMonitor.enabled }}` or `{{- if .Values.monitoring.enabled }}`)
+
+If the upstream chart does **not** provide a `ServiceMonitor` and `Service` for scraping metrics, you will need to create one yourself using the [Prometheus instructions for running an exporter](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/running-exporters.md).
+
+> Any new resources should be placed in the `chart/templates/bigbang` folder.
+
+### RBAC
+
+If the application is using Role Based Access Control (RBAC), you may need to create rules for Prometheus to access the metrics.  Check the upstream Helm chart to make sure this is already done for you, or implement a new `ClusterRole` and `ClusterRoleBinding` into the chart following the [Prometheus RBAC documentation](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md#enable-rbac-rules-for-prometheus-pods)
+
+### Alerts
+
+Alerting rules allow you to define alert conditions based on Prometheus expression language expressions and to send notifications about firing alerts to an external service.  By creating a `PrometheusRule`, you can configure these conditions for your application.
+
+You will need to decide what aspects of the application should be monitored and alerted on to detect potential failures in the service it provides.  Some examples include:
+
+- Low disk space on a persistent volume
+- Loss of connectivity to external resources
+- Metrics cannot be scraped
+- Operator down
+- Pods in CrashLookBackOff state
+- Pods restarting too often
+- Latency too high
+- Web application returns 4xx or 5xx too often
+- No log messages for too long
+- Pod memory too close to limit
+
+All of these rules must be based on [PromQL queries](https://prometheus.io/docs/prometheus/latest/querying/basics/) using the application's metrics.
+
+Once you have identified what you want to monitor, create [Prometheus Alerting Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) and add them to a [PrometheusRule](https://prometheus-operator.dev/docs/operator/api/#prometheusrule) resource.  The rule should reside in the `chart/templates/bigbang` folder and only be deployed if monitoring is enabled.
+
+Some examples of rules can be found in the [Big Bang monitoring chart](https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring/-/tree/main/chart/templates/prometheus/rules).
+
+### Dashboards
+
+Dashboards are important for administrators to understand what is happening in your package and when action needs to be taken.
+
+1. Create a dashboard
+
+   Some packages or maintainers provide Grafana dashboards upstream, otherwise you can search [Grafana's Dashboard Repository](https://grafana.com/grafana/dashboards/) for a relevant Dashboard. If there is already a ready-made Grafana dashboard for your package provided upstream, you should use [Kpt](https://googlecontainertools.github.io/kpt/installation/) to sync it into monitoring package (for example flux provides the JSON dashboards in their upstream repo):
+
+   ```shell
+   # There isn't a dashboard for podinfo, so we use flux as an example here
+   kpt pkg get https://github.com/fluxcd/flux2.git//manifests/monitoring/grafana/dashboards@v0.9.1 chart/dashboards/
+   ```
+
+   If you need to create your own dashboard, open Grafana and use `Create > Dashboard`.  Add a panel and setup the query to pull custom data from your package or general data about your pods (e.g. container_processes).  After you have saved your dashboard in Grafana, use `Share (icon) > Export` to save the dashboard to a .json file in `chart/dashboards`.  You can leave the `Export for sharing externally` slider off.
+
+1. We will store dashboards in a ConfigMap for Grafana's sidecar to parse.  Create a ConfigMapList in `chart/templates/bigbang/dashboards.yaml` to store all of the dashboards:
+
+   ```yaml
+   {{- $pkg := "podinfo" }}
+   {{- $files := .Files.Glob "dashboards/*.json" }}
+   {{- if and .Values.serviceMonitor.enabled $files }}
+   apiVersion: v1
+   kind: ConfigMapList
+   items:
+   {{- range $path, $fileContents := $files }}
+   {{- $dashboardName := regexReplaceAll "(^.*/)(.*)\\.json$" $path "${2}" }}
+   - apiVersion: v1
+     kind: ConfigMap
+     metadata:
+       name: {{ printf "%s-%s" $pkg $dashboardName | trunc 63 | trimSuffix "-" }}
+       namespace: {{ default $.Release.Namespace $.Values.serviceMonitor.dashboards.namespace }}
+       labels:
+         {{- if $.Values.serviceMonitor.dashboards.label }}
+         {{ $.Values.serviceMonitor.dashboards.label }}: "1"
+         {{- end }}
+         app: {{ $pkg }}-grafana
+         {{- include (printf "%s.labels" $pkg) $ | nindent 6 }}
+     data:
+       {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }}
+   {{- end }}
+   {{- end }}
+   ```
+
+   > Podinfo's Helm chart already had a key for monitoring named `serviceMonitor`.  You may need to use a different key or create one named `monitoring`.
+
+1. Commit your dashboard files:
+
+   ```shell
+   git add -A
+   git commit -m "feat: Grafana dashboards"
+   git push
+   ```
+
+1. If your package is being integrated as a supported application in BigBang, you can add your Dashboards to the core monitoring package.
+
+   Create a new folder within `chart/dashboards/APP_NAME` and sync your JSON files for your dashboard(s) there, whether using KPT from a Github repo or individual files from Grafana's Dashboard Repository.
+
+   Commit your dashboard files:
+
+   ```shell
+   git add -A
+   git commit -m "feat: Adding APP_NAME Grafana Dashboards"
+   git push
+   ```
+
+   Any JSON dashboards in the `chart/dashboards` folder automatically get created and imported into the monitoring stack via the Operator.
+
 ## Validation
+
+### Setup
+
+Monitoring must be enabled in our Big Bang deployment and our application.  We do this by setting `monitoring.enabled`: `true` in `bigbang/values.yaml`.  Then, deploy Big Bang and your application to your cluster.
+
+```shell
+# This assumes you have the Big Bang repository cloned in ~/bigbang
+helm upgrade -i -n bigbang --create-namespace -f ~/bigbang/chart/values.yaml -f bigbang/values.yaml bigbang ~/bigbang/chart
+
+# Deploy your application on top of Big Bang using the same values
+helm upgrade -i -n bigbang --create-namespace -f ~/bigbang/chart/values.yaml -f bigbang/values.yaml bigbang-podinfo bigbang
+```
+
+> Don't forget to also include your Big Bang values for [TLS certificates](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/blob/master/chart/ingress-certs.yaml) and Iron Bank pull credentials.
+
+```shell
+# Wait for the cluster to deploy
+watch kubectl get gitrepo,hr,po -A
+
+# Test ingress to monitoring stack
+curl -L https://prometheus.bigbang.dev
+curl -L https://grafana.bigbang.dev
+```
+
+> If your application also has an ingress, test it (e.g. `https://podinfo.bigbang.dev`)
+
+### Target
+
+Open `https://prometheus.bigbang.dev` and navigate to `Status > Targets`.  The `State` should show `UP` if metrics are being scraped for your package.
+
+> There should be one `Endpoint` for every replica pod of your package.
+
+### Alert Rules
+
+In Prometheus, navigate to `Alerts`.  Verify that the `PrometheusRule` alerting rules show up here and are green.
+
+### Dashboards
+
+Open `https://grafana.bigbang.dev` and navigate to `Dashboards > Manage`.  Make sure your dashboards are listed.  Select each one and verify that it is working correctly.
--- a/docs/guides/prerequisites/kubernetes_preconfiguration.md
+++ b/docs/guides/prerequisites/kubernetes_preconfiguration.md
@@ -93,8 +93,11 @@ oc -n monitoring create -f NetworkAttachmentDefinition.yaml

 ### Konvoy
 * [Prerequistes can be found here](https://repo1.dso.mil/platform-one/distros/d2iq/konvoy/konvoy/-/tree/master/docs/1.5.0#prerequisites)
+* Konvoy clusters need a [Metrics API Endpoint](https://github.com/kubernetes/metrics#resource-metrics-api) available within the cluster to allow Horizontal Pod Autoscalers to correctly fetch pod/deployment metrics.
 * [Different Deployment Scenarios have been documented here](https://repo1.dso.mil/platform-one/distros/d2iq/konvoy/konvoy/-/tree/master/docs/1.4.4/install)

+
+
 ### RKE2
 * RKE2 turns PSPs on by default (see above for tips on disabling)
 * RKE2 sets selinux to enforcing by default ([see os_preconfiguration.md for selinux config](os_preconfiguration.md))

--- a/docs/guides/using_bigbang/image_pull_policy.md
+++ b/docs/guides/using_bigbang/image_pull_policy.md
 # ImagePullPolicy at Big Bang Level

-Big Bang is currently working to standardize the adoption of a global image pull policy so that customers can set a single value and have it passed to all packages. This work is not yet complete, but should allow customers easier control over their global pull policy.
+Big Bang is currently working to standardize the adoption of a global image pull policy so that customers can set a single value and have it passed to all packages.

-In the meantime we have begun to document the package overrides required in preparation for this change.
+The global image pull policy has been adopted in Big Bang for the core packages currently. In the Big Bang values.yaml file, a global parameter has been created to set the global image pull policy (`imagePullPolicy` in values) and it gets passed down to all core packages spec. The default value for this global policy is `IfNotPresent`.
+
+This work is not yet complete for addons, but should allow customers easier control over their global pull policy.
+
+We have also documented the package overrides required if you want to set a single package/pod with a different pull policy than the global.

 # ImagePullPolicy per Package

@@ -17,7 +21,7 @@ In the meantime we have begun to document the package overrides required in prep
 | Elasticsearch / Kibana | `IfNotPresent` | <pre lang="yaml">logging:<br>  values:<br>    imagePullPolicy: IfNotPresent</pre> |
 | ECK Operator | `IfNotPresent` | <pre lang="yaml">eckoperator:<br>  values:<br>    image:<br>      pullPolicy: IfNotPresent</pre> |
 | Fluentbit | `Always` | <pre lang="yaml">fluentbit:<br>  values:<br>    image:<br>      pullPolicy: IfNotPresent</pre> |
-| Monitoring | Varies | <pre lang="yaml">monitoring:<br>  values: <br>    kube-state-metrics:<br>      image:<br>        pullPolicy: IfNotPresent<br>    grafana:<br>      image:<br>        pullPolicy: IfNotPresent<br>    prometheus-node-exporter:<br>      image:<br>        pullPolicy: IfNotPresent<br>    prometheusOperator:<br>      image:<br>        pullPolicy: IfNotPresent<br>      admissionWebhooks:<br>        cleanupProxy:<br>          image:<br>            pullPolicy: IfNotPresent<br>        patch: <br>          image:<br>            pullPolicy: IfNotPresent</pre> |
+| Monitoring | Varies | <pre lang="yaml">monitoring:<br>  values: <br>    kube-state-metrics:<br>      image:<br>        pullPolicy: IfNotPresent<br>    grafana:<br>      image:<br>        pullPolicy: IfNotPresent<br>      sidecar:<br>        imagePullPolicy: IfNotPresent<br>    prometheus-node-exporter:<br>      image:<br>        pullPolicy: IfNotPresent<br>    prometheusOperator:<br>      image:<br>        pullPolicy: IfNotPresent<br>      admissionWebhooks:<br>        cleanupProxy:<br>          image:<br>            pullPolicy: IfNotPresent<br>        patch: <br>          image:<br>            pullPolicy: IfNotPresent<br>    prometheus:<br>      prometheusSpec:<br>        containers:<br>          - name: "prometheus"<br>            imagePullPolicy: IfNotPresent<br>          - name: "config-reloader"<br>            imagePullPolicy: IfNotPresent<br>    alertmanager:<br>      alertmanagerSpec:<br>        containers:<br>          - name: "alertmanager"<br>            imagePullPolicy: IfNotPresent<br>          - name: "config-reloader"<br>            imagePullPolicy: IfNotPresent</pre> |
 | Twistlock | `IfNotPresent` | <pre lang="yaml">twistlock:<br>  values:<br>    console:<br>      image:<br>        imagePullPolicy: IfNotPresent</pre>  |
 | ArgoCD | Varies | <pre lang="yaml">addons:<br>  argocd:<br>    values:<br>      global:<br>        image:<br>          imagePullPolicy: IfNotPresent<br>      controller:<br>        image:<br>          imagePullPolicy: IfNotPresent<br>      dex:<br>        image:<br>          imagePullPolicy: IfNotPresent<br>      redis-bb:<br>        image:<br>          pullPolicy: IfNotPresent<br>      server:<br>        image:<br>          imagePullPolicy: IfNotPresent<br>      repoServer:<br>        image:<br>          imagePullPolicy: IfNotPresent</pre> |
 | Authservice | `IfNotPresent` | <pre lang="yaml">addons:<br>  authservice:<br>    values:<br>      image:<br>        pullPolicy: IfNotPresent</pre> |
No results found