Compare revisions

48a9800c · 23d0f3a1 · 6e2c4a01 · 21a5eee1 · 9164186e · 563bdd3b
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -40,7 +40,7 @@ variables:
    - generic

 .bigbang:
-  image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1
+  image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.6
  extends: .bigbang-dogfood
  after_script:
    - kubectl get all -A

--- a/.gitlab-ci/README.md.gotmpl
+++ b/.gitlab-ci/README.md.gotmpl
@@ -7,6 +7,8 @@

 {{ template "chart.homepageLine" . }}

+> _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/).  Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/bigbang_
+
 Big Bang follows a [GitOps](#gitops) approach to configuration management, using [Flux v2](#flux-v2) to reconcile Git with the cluster.  Environments (e.g. dev, prod) and packages (e.g. istio) can be fully configured to suit the deployment needs.

 ## Usage

--- a/.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf
+++ b/.gitlab-ci/jobs/rke2/dependencies/terraform/main/main.tf
@@ -7,7 +7,12 @@ locals {
 aws configure set default.region $(curl -s http://169.254.169.254/latest/meta-data/placement/region)

 # Tune vm sysctl for elasticsearch
-sysctl -w vm.max_map_count=262144
+sysctl -w vm.max_map_count=524288
+
+# SonarQube host pre-requisites
+sysctl -w fs.file-max=131072
+ulimit -n 131072
+ulimit -u 8192

 # Preload kernel modules required by istio-init, required for selinux enforcing instances using istio-init
 modprobe xt_REDIRECT

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,100 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
+## [1.5.0]
+
+### Upgrade Notice
+
+This update includes several additions to fluent-bit which are recommended for production environments to increase reliability of log ingestion to the ECK stack.
+
+This is mainly accomplished within fluent-bit by introducing a [filesystem storage buffer](https://docs.fluentbit.io/manual/administration/buffering-and-storage#filesystem-buffering-to-the-rescue) interacting with a new `hostPath` volume in fluent-bit containers.
+By default, this is mounted to nodes at `/var/log/flb-storage/`, however it can be updated in the package's values in 3 places:
+```yaml
+storage_buffer:
+  path: /var/log/flb-storage/
+
+extraVolumes:
+  - hostPath:
+      path: /var/log/flb-storage/
+      type: DirectoryOrCreate
+    name: flb-storage
+
+extraVolumeMounts:
+  - mountPath: /var/log/flb-storage/
+    name: flb-storage
+```
+
+* [!386](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/386): Updated Fluentbit to 1.7.2 which fixes #335.
+* [!356](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/356): Enabled flux monitoring via Prometheus/Grafana in Monitoring package.
+* [!380](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/380): Fixed `eckoperator.enabled` conditional.
+* Added and Documented Affinity support.
+  * [!379](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/379) Twistlock
+  * [!393](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/393) Cluster Auditor
+
+## [1.4.0]
+
+### Upgrade Notice
+
+This update includes updated `EnvoyFilters` for `authservice` to fix #65 and is a component of a future upgrade to istio 1.8 (#191).
+
+__After upgrading BigBang to this version, you must follow the steps below to ensure apps protected by `authservice` are still protected.__
+
+In order to ensure sso for all services protected by `authservice` remain functional (`kiali`, `jaeger`, `prometheus`, and `alertmanager`), the `istio-proxy` sidecar attached to the `haproxy` infront of the services must be updated to `1.7.7`.
+
+The easiest way to do this is to cycle the pod:
+
+```bash
+kubectl delete po -n authservice -l app.kubernetes.io/instance=authservice-haproxy-sso
+```
+
+> __Note__: these 4 services (`kiali`, `jaeger`, `prometheus`, and `alertmanager`) will be unavailable for ~10s while the pod cycles. In the future we aim to provide an HA implementation of authservice's haproxy so the above operations can happen without downtime.
+
+* [!300](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/300): Velero Addon Addition
+* [!308](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/308): BigBang values migrated to Secret objects parsed by `HelmRelease` objects within chart. (also fixes #221)
+* [!357](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/357): Updated Anchore (Engine 0.9.3, Enterprise 3.0.2).
+* [!333](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/333): Updated Mattermost (Operator: 1.13.0, Instance: 5.32.1).
+* [!346](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/346): Redis Integration with Anchore Enterprise Package.
+* [!318](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/318): Redis Integration with ArgoCD Package.
+
+## [1.3.0]
+
+* [!322](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/322): Updated anchore to 0.9.2, enterprise 3.0.1, this also fixes #135
+* [!309](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/309): Add support for Gitlab CAC signed commits and custom CAs
+* [!311](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/311): Update minio to `RELEASE.2020-11-19T23-48-16Z` and expose more user configuration options
+* [!220](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/220): Added consolidatedflux installation (without `flux` cli)
+* [!319](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/319): Updated gitlab-runner to `13.9.0` IronBank image (note this uses a different chart schema than previous versions, see [here](https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration) for more information)
+* [!340](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/340): Package `bigbang` repo in `repositories.tar.gz` release artifact
+  
+
+In addition, [Big Bang Pre-requisites](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/blob/1.4.0/docs/d_prerequisites.md) has been added as a location to store all (known) pre-requisites for running BigBang on various distributions.  Over time, more distributions will be added as they are tested, community (and vendor) contributions are welcomed!
+
+## [1.2.0]
+
+* [!270](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/270): upgrade to flux 0.7.x, this requires updating flux and fixes #13
+* [!250](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/250): Filename spelling correction in scripts directory
+* [!259](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/259), [!265](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/265), [!274](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/274): documentation updates
+* [!263](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/263), [!271](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/271): Update codeowners
+* [!263](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/263): add missing enterprise Anchore images to airgap bundle
+* [!237](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/237): add gitlab-runner to test values
+* [!266](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/266): update fluentbit package version
+* [!269](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/269): Update charter/PackageOwner.md
+* [!256](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/256): update developer documentation
+* [!272](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/272): Remove CI jobs that check for things no longer required as part of the developer workflow
+* [!264](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/264), [!238](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/238): Update BigBang repo url references from "umbrella" to "bigbang"
+* [!249](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/249): image for gatekeeper is set in the chart and should not be hardcoded in the HelmRelease
+* [!202](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/202): add initial support for openshift (ocp)
+* [!272](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/272): upgrade argocd helm chart to 2.14.7-bb.0
+* [!232](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/232): Twistlock IB image and VirtualServcie customization
+* [!210](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/210): only run cluster tests when chart contents have changed
+* [!279](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/279): remove hardcoded ArgoCD server url config, allow users to set their own sso url
+* [!215](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/215): add sample sso values
+* [!286](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/286): add Ironbank defender image to synker config
+* [!287](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/287): add gitlab runner images to synker config
+* [!288](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/288): split minio into minio operator and minio and move to addons
+* [!255](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/255): Integrate Mattermost Operator as an addon
+* [!273](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/273): Integrate Mattermost as an addon
+* [!291](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/291): enable MinIO in CI tests
+* [!290](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/290): upgrade Mattermost chart version. Uses latest IronBank image

 ## [1.1.0]


--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -10,12 +10,13 @@
 /hack/                 @runyontr @joshwolf @megamind @phillip.record
 /scripts/              @runyontr @joshwolf @megamind @phillip.record
 /tests/                @runyontr @joshwolf @megamind @phillip.record
+/docs/                 @runyontr @joshwolf @megamind @phillip.record


 [Docs Owners]
 # Allow any one of the listed codeowners to approve merges to the documentation 
 # Does not allow the creator of the merge request to be the approveer.
-/docs/                @michaelmcleroy @egoode @aaronbeger @aaron.ruse @branden.cobb @shouseba @chadningle @chuck.laverde @daryndecker @dyoung @egnoriega @egoode @iahmad @jcookehg   
+/docs/                @michaelmcleroy @egoode @aaronbeger @aaron.ruse @branden.cobb @shouseba @chuck.laverde @daryndecker @dyoung @egnoriega @egoode @iahmad @jcookehg   
                      @jasonkrause @jpower_rfed @jkayse @jdale @joshwolf @karchaf @kavitha @kenna81 @kevin.wilder @killian.byrne @mgauto @msbrown47 @mdutton @matthew.kaiser 
                      @michaelmcleroy @nick_tetrate @racosta @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @seanthomaswilliams1 @thomas.burton @Ozzie100 @tsiddique1 
                      @toladipupo @visuth.dy @zdzielinski @micah.nagel @LynnStill @cmcgrath
@@ -46,6 +47,11 @@ chart/values.yaml               @kenna81 @kavitha @cmcgrath @nick_tetrate
 chart/templates/authservice     @kenna81 @kavitha @cmcgrath 
 chart/templates/istio           @kenna81 @kavitha @cmcgrath @nick_tetrate

+# ^[HAProxy]
+# chart/Chart.yaml              @?
+# chart/values.yaml             @?
+# chart/templates/haproxy       @?
+
 ^[Anchore]
 chart/Chart.yaml                @blake.hearn @micah.nagel @jasonkrause
 chart/values.yaml               @blake.hearn @micah.nagel @jasonkrause
@@ -77,19 +83,37 @@ chart/values.yaml               @lynnstill @ryan.j.garcia
 chart/templates/monitoring      @lynnstill @ryan.j.garcia

 ^[Twistlock]
-chart/Chart.yaml                @thomas.burton
-chart/values.yaml               @thomas.burton
-chart/templates/twistlock       @thomas.burton
+chart/Chart.yaml                @thomas.burton @ryan.j.garcia @runyontr @joshwolf
+chart/values.yaml               @thomas.burton @ryan.j.garcia @runyontr @joshwolf
+chart/templates/twistlock       @thomas.burton @ryan.j.garcia @runyontr @joshwolf
+
+^[Sonarqube]
+chart/Chart.yaml                @kevin.wilder @lynnstill @branden.cobb
+chart/values.yaml               @kevin.wilder @lynnstill @branden.cobb
+chart/templates/sonarqube       @kevin.wilder @lynnstill @branden.cobb

-^[Gitlab]
-chart/Chart.yaml                @egoode @kevin.wilder
-chart/values.yaml               @egoode @kevin.wilder
-chart/templates/gitlab          @egoode @kevin.wilder
+^[Gitlab and Gitlab Runners]
+chart/Chart.yaml                @lynnstill @ryan.j.garcia @kevin.wilder
+chart/values.yaml               @lynnstill @ryan.j.garcia @kevin.wilder
+chart/templates/gitlab          @lynnstill @ryan.j.garcia @kevin.wilder

 ^[KeyCloak]
 chart/Chart.yaml                @megamind
 chart/values.yaml               @megamind
 chart/templates/keycloak        @megamind

+^[Mattermost (and operator)]
+chart/Chart.yaml                @micah.nagel @branden.cobb
+chart/values.yaml               @micah.nagel @branden.cobb
+chart/templates/mattermost      @micah.nagel @branden.cobb
+
+^[Minio (and operator)]
+chart/Chart.yaml                @LynnStill @kevin.wilder @branden.cobb
+chart/values.yaml               @LynnStill @kevin.wilder @branden.cobb
+chart/templates/minio           @LynnStill @kevin.wilder @branden.cobb

+^[Velero]
+chart/Chart.yaml                @tunde @adam.toy
+chart/values.yaml               @tunde @adam.toy
+chart/templates/velero          @tunde @adam.toy

--- a/README.md
+++ b/README.md
 # bigbang

-![Version: 1.4.0](https://img.shields.io/badge/Version-1.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

-> _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/).  Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/bigbang_
-
 **Homepage:** <https://p1.dso.mil/#/products/big-bang>

+> _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/).  Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/bigbang_
+
 Big Bang follows a [GitOps](#gitops) approach to configuration management, using [Flux v2](#flux-v2) to reconcile Git with the cluster.  Environments (e.g. dev, prod) and packages (e.g. istio) can be fully configured to suit the deployment needs.

 ## Usage
@@ -44,13 +44,15 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | git.credentials | object | `{"knownHosts":"","password":"","privateKey":"","publicKey":"","username":""}` | Chart created secrets with user defined values |
 | git.credentials.username | string | `""` | HTTP git credentials, both username and password must be provided |
 | git.credentials.privateKey | string | `""` | SSH git credentials, privateKey, publicKey, and knownHosts must be provided |
-| sso | object | `{"certificate_authority":"","client_id":"","client_secret":"","jwks":"","oidc":{"host":"login.dso.mil","realm":"baby-yoda"}}` | Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages. |
+| sso | object | `{"auth_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth","certificate_authority":"","client_id":"","client_secret":"","jwks":"","oidc":{"host":"login.dso.mil","realm":"baby-yoda"},"token_url":"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"}` | Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages. |
 | sso.oidc.host | string | `"login.dso.mil"` | Domain for keycloak used for configuring SSO |
 | sso.oidc.realm | string | `"baby-yoda"` | Keycloak realm containing clients |
 | sso.certificate_authority | string | `""` | Keycloak's certificate authority (unencoded) used by authservice to support SSO for various packages |
 | sso.jwks | string | `""` | Keycloak realm's json web key uri, obtained through https://<keycloak-server>/auth/realms/<realm>/.well-known/openid-configuration |
 | sso.client_id | string | `""` | OIDC client ID used for packages authenticated through authservice |
 | sso.client_secret | string | `""` | OIDC client secret used for packages authenticated through authservice |
+| sso.token_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"` | OIDC token URL template string (to be used as default) |
+| sso.auth_url | string | `"https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"` | OIDC auth URL template string (to be used as default) |
 | flux | object | `{"install":{"retries":3},"interval":"2m","rollback":{"cleanupOnFail":true,"timeout":"10m"},"upgrade":{"retries":3}}` | (Advanced) Flux reconciliation parameters. The default values provided will be sufficient for the majority of workloads. |
 | istio.enabled | bool | `true` | Toggle deployment of Istio. |
 | istio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git"` |  |
@@ -71,7 +73,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | clusterAuditor.enabled | bool | `true` | Toggle deployment of Cluster Auditor. |
 | clusterAuditor.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git"` |  |
 | clusterAuditor.git.path | string | `"./chart"` |  |
-| clusterAuditor.git.tag | string | `"0.1.8-bb.1"` |  |
+| clusterAuditor.git.tag | string | `"0.1.8-bb.2"` |  |
 | clusterAuditor.values | object | `{}` | Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git |
 | gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
 | gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` |  |
@@ -81,7 +83,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | logging.enabled | bool | `true` | Toggle deployment of Logging (EFK). |
 | logging.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git"` |  |
 | logging.git.path | string | `"./chart"` |  |
-| logging.git.tag | string | `"0.1.4-bb.4"` |  |
+| logging.git.tag | string | `"0.1.7-bb.0"` |  |
 | logging.sso.enabled | bool | `false` | Toggle OIDC SSO for Kibana/Elasticsearch on and off. Enabling this option will auto-create any required secrets. |
 | logging.sso.client_id | string | `""` | Elasticsearch/Kibana OIDC client ID |
 | logging.sso.client_secret | string | `""` | Elasticsearch/Kibana OIDC client secret |
@@ -96,7 +98,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | fluentbit.enabled | bool | `true` | Toggle deployment of Fluent-Bit. |
 | fluentbit.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git"` |  |
 | fluentbit.git.path | string | `"./chart"` |  |
-| fluentbit.git.tag | string | `"0.7.10-bb.0"` |  |
+| fluentbit.git.tag | string | `"0.15.3-bb.0"` |  |
 | fluentbit.values | object | `{}` |  |
 | monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
 | monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` |  |
@@ -116,12 +118,12 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | twistlock.enabled | bool | `true` | Toggle deployment of Twistlock. |
 | twistlock.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git"` |  |
 | twistlock.git.path | string | `"./chart"` |  |
-| twistlock.git.tag | string | `"0.0.3-bb.1"` |  |
+| twistlock.git.tag | string | `"0.0.3-bb.3"` |  |
 | twistlock.values | object | `{}` | Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git |
 | addons.argocd.enabled | bool | `false` | Toggle deployment of ArgoCD. |
 | addons.argocd.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git"` |  |
 | addons.argocd.git.path | string | `"./chart"` |  |
-| addons.argocd.git.tag | string | `"2.14.7-bb.2"` |  |
+| addons.argocd.git.tag | string | `"2.14.7-bb.3"` |  |
 | addons.argocd.sso.enabled | bool | `false` | Toggle SSO for ArgoCD on and off |
 | addons.argocd.sso.client_id | string | `""` | ArgoCD OIDC client ID |
 | addons.argocd.sso.client_secret | string | `""` | ArgoCD OIDC client secret |
@@ -176,7 +178,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.sonarqube.enabled | bool | `false` | Toggle deployment of SonarQube. |
 | addons.sonarqube.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git"` |  |
 | addons.sonarqube.git.path | string | `"./chart"` |  |
-| addons.sonarqube.git.tag | string | `"9.2.6-bb.6"` |  |
+| addons.sonarqube.git.tag | string | `"9.2.6-bb.7"` |  |
 | addons.sonarqube.sso.enabled | bool | `false` | Toggle OIDC SSO for SonarQube. Enabling this option will auto-create any required secrets. |
 | addons.sonarqube.sso.client_id | string | `""` | SonarQube OIDC client ID |
 | addons.sonarqube.sso.label | string | `""` | SonarQube SSO login button label |
@@ -220,12 +222,12 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | addons.mattermostoperator.enabled | bool | `false` |  |
 | addons.mattermostoperator.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git"` |  |
 | addons.mattermostoperator.git.path | string | `"./chart"` |  |
-| addons.mattermostoperator.git.tag | string | `"1.13.0-bb.0"` |  |
+| addons.mattermostoperator.git.tag | string | `"1.13.0-bb.2"` |  |
 | addons.mattermostoperator.values | object | `{}` | Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator/-/blob/main/chart/values.yaml |
 | addons.mattermost.enabled | bool | `false` | Toggle deployment of Mattermost. |
 | addons.mattermost.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git"` |  |
 | addons.mattermost.git.path | string | `"./chart"` |  |
-| addons.mattermost.git.tag | string | `"0.1.1-bb.3"` |  |
+| addons.mattermost.git.tag | string | `"0.1.2-bb.0"` |  |
 | addons.mattermost.enterprise | object | `{"enabled":false,"license":""}` | Mattermost Enterprise functionality. |
 | addons.mattermost.enterprise.enabled | bool | `false` | Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install. |
 | addons.mattermost.enterprise.license | string | `""` | License for Mattermost. This should be the entire contents of the license file from Mattermost (should be one line), example below license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN |

--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
  ref:
-    tag: 1.4.0
+    tag: 1.5.0
--- a/base/helmrelease.yaml
+++ b/base/helmrelease.yaml
@@ -26,6 +26,10 @@ spec:
    timeout: 10m
    cleanupOnFail: false
  valuesFrom:
+    # Optional secret injected with https://repo1.dso.mil/platform-one/big-bang/terraform-modules/big-bang-terraform-launcher
+    - kind: Secret
+      name: terraform
+      optional: true
    - kind: Secret
      name: common-bb
    - kind: ConfigMap

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.4.0
+version: 1.5.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

 type: application

--- a/chart/ingress-certs.yaml
+++ b/chart/ingress-certs.yaml
@@ -2,65 +2,63 @@ istio:
  ingress:
    key: |
      -----BEGIN PRIVATE KEY-----
-      MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC/D0ec03HNoIEK
-      y1b58HynHMpf/ozsUmnQ5PRBlxMuf7kwMICaBpAwIiyKf8a34sBg3xv1KXe5hUlf
-      0aOXhK3LRg3VMhRw0Q8bLwc3qaUViqqa3niYqsOjg3bTiTM/oQZDyN09oFJTvG2T
-      +bcpX6IdIu3elsXQL7iETtl6e3MKF+NrLh/nDXGh89suBxFmkKqlYi8OYgxa0smK
-      rRQdapRaCfdYwfhYUmpzP64YIkjBnjlHa+QM901iSC/p21Iog3iGM1VyeGKCjd3a
-      g9mm+es0MXVtvTR9nPJtVgfDN8izmdbEkKYcxsGuy9EWFkqzNpSRmIBAFmRE0RZa
-      khStc/5jAgMBAAECggEAXJb7DXUq4Yu2/ZQtQlLZFeNN79dcU+pcfW93L5IXKaGc
-      DU50BDDKD4mALF5f3x10PX3h/p1p9+4v8M+XiAY0cx4v9fGfFk06FOJljQQZjKb2
-      prbJmrKmvMco/rquq1dNwevFy+e1/f6C3ANYUCSYW6ZhwE0w8AMwWG4d1s2cona6
-      y+2dCBDmPPeZMAi6fV52G5YRULGkkfZTc9OJnx4Mivtuf8sjahNLnaLgL+kscf0s
-      amWpMqQ++EpXSj/bb1pNxqtQmm9bn9gxX8WWwUCVrZTpV4gmaoekhAU1H0CDglmH
-      7ByeMYlVYZ40SPhTzWTqQJGQg/seSJBOHTm59vLygQKBgQDhEHpQ5QofK902RrH6
-      Nuoui8WUS4w8y3X+jJ/6WC7Wlp94H29+ag7Z9BOMw7ReKlICCwUYLpKO9oeTHKT/
-      LmIDq03Leduj34K5t/BHcMfwpGMabPRDgWM5r0rJUNxIGtqTpJmOEOHCB+yXRiTO
-      GJtuDmmL8Vkrh0S6xck7D2tHrwKBgQDZUkBwjtylRoRYflZspGwp3e5ECmNf2GYp
-      9ZypaycDNDK06av0Jk+DNKQ3XFmRpID56lyUN4fPV/ICphPYE+C88J5rXAvdmG/7
-      1UTZN68FaObNrwH2H1H5pdlCiaezIPXcjOfr9Fyf3q+W3mo54bnIc3uuXNTu8QSA
-      W1S4uahtjQKBgQDg9hp872M9oxebH/DYHLnZSqZ0Q0tqnShVBnUFw80Vezrs0+ca
-      4aH0o25DHn8UPJL6Lc+qyyp9Mdhz6IbX9qHL7xd0klpDo67EOiI3FnkThQz2Jf/F
-      1fe7egZz0ZpNjGH8f+NoyGEQE+Gdl2REiP4bdNZ1JgmuY6gEVJx+pzvhSwKBgQCU
-      ZDOYKBTFzibkfi/pM0SgOehOEYHVml/4WrvEe2RCLcxJ+BzwM5CrmLBhFPAcIOXo
-      wHzCwEA99mFMKbb3Hmug1/R0fn+jqkkc/n1qjTk3Sm//FncSZkSFYRe+9VvLVsBK
-      /vQGC++LQnVHYUvLhjRjiWd0ofLLzUszkimBkVROqQKBgQDbF8zopHsx9esG56wa
-      swAacYfmfqS6d2WOGdMVX4lLBm6i8AXjsUPDM7uCPgFYNME8nabnCUUUUp/ay9K9
-      y0MSGIBODQBuG3oQh50WFrMS9DS81CeN6Pw0OfyJbcVipfzR91enLVrtu2VHR6k/
-      yaBUIExh8TljUL3lXmmsogyTtA==
+      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl7oIecDHRb8XB
+      jG4sEW1qsBlI94oIa50KTHWOet7mhW82BX+scWVgqI3PbIVUI144IgKGPSq3SEki
+      gP0zNgSlxNjZZ/UaB99HXlK5kZ87puDvoOYMBiurjq/QzgwygiN9NyyqdUtWdc/V
+      94owxS47HsclhnOEXscVOjSQI/PIGM5G8UXZyeV0yvGVvrUYNbMfz9Mhh3rD2ihw
+      6LQVgX710J7q3IOiC1CDCt0wXur1w18LYs+R1Yu07AM7R5EoEEFB2TZhYgDZ3+v7
+      lvv/EINyVc5FfolIhyV1VG+dZxevHFiuZQ5cNLpiLwep3QreKeNk1ijBhAehRnTM
+      a8fB+mb9AgMBAAECggEAS7KiE/NL82+g43+gJdH2+9DOAj+8qdkD8ogJi8bX63yy
+      iE53IgaTIadcSJWpr3GVa1WHDzrD/WNG8J0Wvu1hylFsMucOwmslDxH2mjFfAvyF
+      wV5vXjYJ2ok3SL8NNPOzS14GznefPe+7ZO4CCNxhxAT1+1ywWzv4vvxSocG0WINy
+      QwbY53vl7/fyJzmkiDUuqRqtVKR/SCvVFyV/Mzb9XwLVVOzme7zMbK9EwlR7XxwH
+      NtjZS2t/DbFUh+O9lj28fuV4qVo83jGWE63P4bEvOXzFC5zu+kpEmQEP5X1UGqqp
+      h1NBPG0oeP17hv0jVzc703dbnBzif58Sc4DFraQ94QKBgQD81+IquSpmW1epJdNu
+      AGAalvPS0JWWjjBrn+sC0JA+7QWGJrGAN8FtZrx/Eu58ovuD3Yra86ilWALWJKQj
+      vaEg/xbrZixbQoap6MI4XYK6hqEY2Og28K4MqQXtvQB5NrjnDdYY7cICStJ8WMGs
+      KV0MKzHGsUbvTBRQGXaFXHDSlwKBgQDozWWIHZ+fO0Rd/nG8M+kRY3HmIFLyxZ7C
+      YZ5pgEn+X4xNi3lghkBMXAx50BB+as158lPrdHLTpkeYbcWg7xfcn2C4V+mKuUDo
+      aAX8TeqbIy/Wc67HxM0+ujRkwNNIqZJhLrE34SGBDzj9jDv+sLAjglAzIbK3vtLR
+      nP5DRQ1JiwKBgFd7Djp/9GaTxgG1H7EYmie5AMV4+7iqm6AxJWvE45OSCG5A5vsY
+      z2jduewxjag778/RECDvWvNSPzD+XngrPRughrqNkF1G6DbTXJeJ6xhESmrBaZ7Q
+      qTeiJ3X5BbfqshDnXaMkaBLI9oilYOUDLrluHHvFjGhxJzoLhVFhCXwjAoGBALmM
+      9C7gRZh5eY1dPzOdQFeepmqgOtzLDDWr7sHyAYfgighIcW6wslDqUPtKDctkvu9C
+      aQbS4q606n2giJMz3hX3ZfSoBTmPXB+gwZyOUb5i9j78J0OMJXaonRfs5LoWhdg1
+      igSayMR/6JGWEz91fn5e4CNQ6YwwaQGvGq1tPSDvAoGBAMH7yzcNoPlTGF7tIHuf
+      xvFGCnnrS+UFWm6JaFCaNmKCr1FqRqa0seQmRl0FrnwXH3Q9/KpepBlcMjxhI1aF
+      ZtXMjqYq3Fe6V8QAx0HxbbAlyzeOnK5xmKfzV0YXSHH5GjvK99zKT6s8Gu1jxu4I
+      vfkczrrBlKbNp5wxPgjcAZd7
      -----END PRIVATE KEY-----
    cert: |
      -----BEGIN CERTIFICATE-----
-      MIIFbjCCBFagAwIBAgISAw26hxsmWVkOG9m/gVhtkSG5MA0GCSqGSIb3DQEBCwUA
+      MIIFMzCCBBugAwIBAgISA/bfQH5Vgy3KTu3PXxiNHed8MA0GCSqGSIb3DQEBCwUA
      MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-      EwJSMzAeFw0yMTAxMTYwMDQwNDNaFw0yMTA0MTYwMDQwNDNaMBwxGjAYBgNVBAMM
-      ESouZGV2LmJpZ2JhbmcuZGV2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-      AQEAvw9HnNNxzaCBCstW+fB8pxzKX/6M7FJp0OT0QZcTLn+5MDCAmgaQMCIsin/G
-      t+LAYN8b9Sl3uYVJX9Gjl4Sty0YN1TIUcNEPGy8HN6mlFYqqmt54mKrDo4N204kz
-      P6EGQ8jdPaBSU7xtk/m3KV+iHSLt3pbF0C+4hE7ZentzChfjay4f5w1xofPbLgcR
-      ZpCqpWIvDmIMWtLJiq0UHWqUWgn3WMH4WFJqcz+uGCJIwZ45R2vkDPdNYkgv6dtS
-      KIN4hjNVcnhigo3d2oPZpvnrNDF1bb00fZzybVYHwzfIs5nWxJCmHMbBrsvRFhZK
-      szaUkZiAQBZkRNEWWpIUrXP+YwIDAQABo4ICkjCCAo4wDgYDVR0PAQH/BAQDAgWg
-      MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
-      A1UdDgQWBBTrbZ6+wAuQ0OIBbN8V8hXbLkufuDAfBgNVHSMEGDAWgBQULrMXt1hW
-      y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
-      Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
-      b3JnLzBjBgNVHREEXDBagg0qLmJpZ2JhbmcuZGV2ghUqLmRlZmF1bHQuYmlnYmFu
-      Zy5kZXaCESouZGV2LmJpZ2JhbmcuZGV2ghIqLnRlc3QuYmlnYmFuZy5kZXaCC2Jp
-      Z2JhbmcuZGV2MEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgw
-      JgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYB
-      BAHWeQIEAgSB9ASB8QDvAHYARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2
-      gagAAAF3CNoNOwAABAMARzBFAiBCxBHYF5SXNE+UcCZRftFb+5XE+Onj8HtC4atE
-      kNm6qQIhANFpOLxz2e3JwrwHKdadcBDwc+Q2xLPYKJHpyQUVMJboAHUA9lyUL9F3
-      MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF3CNoNGgAABAMARjBEAiADpTYm
-      547TFUjhV83thTmZWJWsYZRzsZMeo7EamHedBgIgf92OPEoJGOGTmMUHR5nmEIgv
-      OU/BA5PVyEYOrHL42mYwDQYJKoZIhvcNAQELBQADggEBAAqLJb4kCmqtYUeWIFJH
-      gpqpYN2twKos3CxVSJoWz3keU40t21/IrqziZkFffoGOTtuBzaX8xsPPz1Vpp+4G
-      WKHVZLb46ykDFPGL9+GaoUKOscxqdWHyN1abH5QFq7lYlH6AyJJ7qIj7RYIJRYIr
-      XuDGFpw7pxzM/laud/mZP9rztG3xbcFxxuYxCTqB53PUnMF1VfXAgsGz9l8Z91VU
-      KQQxckFwe2xunlB6HqUg3ahJOHNdDLuFPz6WS35Eyl+xf2gXFW1jYpxOJRpzsxp9
-      aVIrak3GIa7QgCav++5tue++YM2TqrWqq9GM1ixPG7HRCIbGYh31Hs462qlLOIAn
-      PKE=
+      EwJSMzAeFw0yMTA0MTYwMTA1MTNaFw0yMTA3MTUwMTA1MTNaMBgxFjAUBgNVBAMM
+      DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl
+      7oIecDHRb8XBjG4sEW1qsBlI94oIa50KTHWOet7mhW82BX+scWVgqI3PbIVUI144
+      IgKGPSq3SEkigP0zNgSlxNjZZ/UaB99HXlK5kZ87puDvoOYMBiurjq/QzgwygiN9
+      NyyqdUtWdc/V94owxS47HsclhnOEXscVOjSQI/PIGM5G8UXZyeV0yvGVvrUYNbMf
+      z9Mhh3rD2ihw6LQVgX710J7q3IOiC1CDCt0wXur1w18LYs+R1Yu07AM7R5EoEEFB
+      2TZhYgDZ3+v7lvv/EINyVc5FfolIhyV1VG+dZxevHFiuZQ5cNLpiLwep3QreKeNk
+      1ijBhAehRnTMa8fB+mb9AgMBAAGjggJbMIICVzAOBgNVHQ8BAf8EBAMCBaAwHQYD
+      VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
+      BBYEFAqYpSC/aq86VGg0Pj+AJL8Jq4opMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
+      QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
+      Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
+      MCsGA1UdEQQkMCKCDSouYmlnYmFuZy5kZXaCESouZGV2LmJpZ2JhbmcuZGV2MEwG
+      A1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEW
+      Gmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB
+      8gDwAHUAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF42GzRXAAA
+      BAMARjBEAiBC9SJzpBUmMfpTTflKasVUMCOVEH/yQHLez9OijeyLEQIgJ29qt+mt
+      Cwhds52p8Fn8d4DQ05X1YGe83w//nJG76hwAdwD2XJQv0XcwIhRUGAgwlFaO400T
+      GTO/3wwvIAvMTvFk4wAAAXjYbNHPAAAEAwBIMEYCIQDBtSlv2u3Sz3bTOKQAzsmS
+      +u79PjtpvTnHfp7SwqGTAAIhAOJL7dr9pJt9JRKBl4E7Vu79xU7xOux1LIUVE+kA
+      dR1qMA0GCSqGSIb3DQEBCwUAA4IBAQBQK76kZJwa1zNv2k2h/u5isvcQiDL8eoUd
+      idIdXy7ydIbhzYl9Vh+zDGkUwxvIP4jVjD4FBC4QqQTjqutw8sLWjbzSPJLVfYLV
+      TmwtkbCvhTiE3PAdT+SmoOFIUsd2LEmjFJ622DyUaNH0OsdrHKClC/KIO0NvhTQs
+      ZnN89eH1wreIL9DolXko3RgkGB1LbG9MH4/dvzTnKHoBo4EUFXoJcnSiK7rdHEXI
+      u7wKFjw9OJnqjCLx7SGOIyhLo4c5UtJXU8uxKmxsO63WGZG+ZB38uzuRZaEEt+zs
+      SolSteEEHHXbe/BjYfufW2BXdJwqi3gaw04j+8Q4hcntH2cM28TW
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/

--- a/chart/templates/clusterauditor/values.yaml
+++ b/chart/templates/clusterauditor/values.yaml
@@ -6,4 +6,7 @@
 elasticsearch:
  imagePullSecrets:
    - name: private-registry
+
+istio:
+  enabled: {{ .Values.istio.enabled }}
 {{- end -}}
--- a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
+++ b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
@@ -50,6 +50,7 @@ spec:
  values:
    disableValidatingWebhook: true
    createNamespace: false
-    imagePullSecrets:
-    - name: private-registry
-{{- end }}
\ No newline at end of file
+    image:
+      pullSecrets:
+      - name: private-registry
+{{- end }}
--- a/chart/templates/haproxy/values.yaml
+++ b/chart/templates/haproxy/values.yaml
@@ -65,22 +65,33 @@ config: |
    unique-id-format %{+X}o\ 1-%[date,hex,bytes(8,8),lower]-%[capture.req.hdr(3)]
    http-request set-header X-Amzn-Trace-Id Root=%[unique-id,lower]
    bind :8080
+{{- if and .Values.istio.sso.enabled }}
    acl host_kiali hdr(host) -i kiali.{{ .Values.hostname }}
    acl host_tracing hdr(host) -i tracing.{{ .Values.hostname }}
+{{- end }}
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
    acl host_alertmanager hdr(host) -i alertmanager.{{ .Values.hostname }}
    acl host_prometheus hdr(host) -i prometheus.{{ .Values.hostname }}
+{{- end }}

    option forwardfor
+{{- if and .Values.istio.sso.enabled }}
    use_backend kiali_main if host_kiali
    use_backend tracing_main if host_tracing
+{{- end }}
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
    use_backend alertmanager_main if host_alertmanager
    use_backend prometheus_main if host_prometheus
+{{- end }} 
+{{- if and .Values.istio.sso.enabled }}
  backend kiali_main
    mode http
    server kiali kiali.istio-system.svc.cluster.local:20001
  backend tracing_main
    mode http
    server jaeger tracing.istio-system.svc.cluster.local:80
+{{- end }}
+{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
  backend alertmanager_main
    mode http
    option forwardfor
@@ -91,6 +102,7 @@ config: |
    option forwardfor
    http-request replace-header Host .* monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local
    server prometheus monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local:9090
+{{- end }}

 image:
  repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22

--- a/chart/templates/logging/fluentbit/fluentbit-helmrelease.yaml
+++ b/chart/templates/logging/fluentbit/fluentbit-helmrelease.yaml
-{{- if .Values.logging.enabled }}
+{{- if .Values.fluentbit.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:

--- a/chart/templates/logging/fluentbit/gitrepository.yaml
+++ b/chart/templates/logging/fluentbit/gitrepository.yaml
-{{- if and (not .Values.offline) (or .Values.logging.enabled .Values.clusterAuditor.enabled) }}
+{{- if and (not .Values.offline) (.Values.fluentbit.enabled) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:

--- a/chart/templates/logging/fluentbit/values.yaml
+++ b/chart/templates/logging/fluentbit/values.yaml
-{{- if and .Values.logging.enabled .Values.fluentbit.enabled }}
+{{- if .Values.fluentbit.enabled }}
 {{- include "values-secret" (dict "root" $ "package" .Values.fluentbit "name" "fluentbit" "defaults" (include "bigbang.defaults.fluentbit" .)) }}
 {{- end }}

@@ -11,6 +11,26 @@ elasticsearch:
 imagePullSecrets:
  - name: private-registry

+{{- if .Values.monitoring.enabled }}
+serviceMonitor:
+  enabled: true
+  namespace: monitoring
+  interval: 10s
+  scrapeTimeout: 10s
+  selector:
+    prometheus: monitoring-monitoring-kube-prometheus
+
+dashboards:
+  enabled: true
+  labelKey: grafana_dashboard
+  namespace: monitoring
+{{- end }}
+
+{{- if .Values.istio.enabled }}
+podLabels:
+  traffic.sidecar.istio.io/excludeOutboundPorts: "443"
+{{- end }}
+
 {{- if .Values.openshift }}
 podSecurityContext:
  seLinuxOptions:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -142,7 +142,7 @@ clusterAuditor:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
    path: "./chart"
-    tag: "0.1.8-bb.1"
+    tag: "0.1.9-bb.0"

  # -- Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
  values: {}
@@ -157,7 +157,7 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.1.2-bb.3"
+    tag: "3.3.0-bb.0"

  # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
  values: {}
@@ -172,7 +172,7 @@ logging:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
    path: "./chart"
-    tag: "0.1.4-bb.4"
+    tag: "0.1.7-bb.0"

  sso:
    # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
@@ -201,7 +201,7 @@ eckoperator:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
    path: "./chart"
-    tag: "1.3.0-bb.4"
+    tag: "1.4.0-bb.1"
  values: {}

 fluentbit:
@@ -210,7 +210,7 @@ fluentbit:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
    path: "./chart"
-    tag: "0.7.10-bb.0"
+    tag: "0.15.3-bb.0"
  values: {}
 # ----------------------------------------------------------------------------------------------------------------------

@@ -267,7 +267,7 @@ twistlock:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
    path: "./chart"
-    tag: "0.0.3-bb.2"
+    tag: "0.0.3-bb.3"

  # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
  values: {}
@@ -282,7 +282,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
      path: "./chart"
-      tag: "2.14.7-bb.2"
+      tag: "2.14.7-bb.3"
    sso:
      # -- Toggle SSO for ArgoCD on and off
      enabled: false
@@ -341,7 +341,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
      path: "./chart"
-      tag: "2.0.9-bb.5"
+      tag: "2.0.9-bb.9"

    # -- Default access key to use for minio.
    accesskey: ""
@@ -439,7 +439,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git
      path: "./chart"
-      tag: "9.2.6-bb.6"
+      tag: "9.2.6-bb.7"

    sso:
      # -- Toggle OIDC SSO for SonarQube.
@@ -504,7 +504,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
      path: "./chart"
-      tag: "1.12.7-bb.1"
+      tag: "1.12.7-bb.2"

    # -- Initial admin password used to authenticate to Anchore.
    adminPassword: ""
@@ -521,7 +521,7 @@ addons:

    sso:
      # -- Toggle OIDC SSO for Anchore on and off.
-      # Enabling this option will auto-create any required secrets.
+      # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
      enabled: false

      # -- Anchore OIDC client ID
@@ -544,11 +544,12 @@ addons:
      # -- Database password for the username used to connect to the existing database.
      password: ""

-      # -- Database name to connect to on host.
+      # -- Database name to connect to on host (Note: database name CANNOT contain hyphens).
      database: ""

-      # -- Feeds database name to connect to on host.
+      # -- Feeds database name to connect to on host (Note: feeds database name CANNOT contain hyphens).
      # Only required for enterprise edition of anchore.
+      # By default, feeds database will be configured with the same username and password as the main database. For formatting examples on how to use a separate username and password for the feeds database see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#handling-dependencies
      feeds_database: ""

    redis:
@@ -584,7 +585,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git
      path: "./chart"
-      tag: "0.1.2-bb.0"
+      tag: "0.1.3-bb.0"

    # -- Mattermost Enterprise functionality.
    enterprise:

--- a/charter/GitlabLabels.md
+++ b/charter/GitlabLabels.md
+# Gitlab Labels
+
+## Issues
+
+Issues are required to have `status`, `priority` and `kind` labels.
+
+Generally, all issues derived from an epic should have a `priority` value set to the `priority` of the epic its a part of.
+Issues that are not part of an epic will need to be determined by a package owner or maintainer.
+
+### `kind`
+
+The kind label shows the type of work that needs to be accomplished
+
+#### `kind::bug`
+
+Issues releated to Bigbang not functioning as expected
+
+#### `kind::chore`
+
+Catch all kind that captures administrative tasking for the BigBang project
+
+#### `kind:ci`
+
+Issues related to the CI/CD, developer workflows and/or the releaes process
+
+#### `kind::docs`
+
+Issues related to documentaiton
+
+#### `kind::feature`
+
+Creation of a new capability for BigBang and/or one of its packages
+
+#### `kind::enhancement`
+
+Improvement of an existing capablity to work more efficiently in specific environments
+
+#### `kind::test`
+
+Improvements on testing for individual packages or Big Bang.  Does not change the actual CI/CD pipelines, just enhances the test suite.
+
+### priority
+
+#### `priority::high`
+
+`priority::high` issues are causing runtime issues in production enviornments. These issues justify a patch of a release.
+
+#### `priority:: medium`
+
+`priority:: medium` issues are defined by bugs that degrade system performance, but workarounds are available.  
+
+#### `priority::low`
+
+`priority::low` issues are superficial and do not have any impact on the functioning of production systems
+
+### Status
+
+Status captures the state of the issue
+
+#### `status::blocked`
+
+Blocked issues have an external dependency that needs to be solved before work can be completed.  This may be other Big Bang issues or hardening of IronBank images.  If blocked by an IronBank issue, the `ironbank` label should also be applied
+
+#### `status::doing`
+
+Work is actively being done on this issue.  At this point it should have an assignee
+
+#### `status::review`
+
+The issue is ready to be reviewed by a Maintainer
+
+#### `status::to-do`
+
+This Issue has not been started.
+
+### Packages
+
+Package labels are identified by their package name and serve two purposes. 
+
+1. Packages owners subscribe to the package labels for their packages and will be notified when a new issue or merge request is created with the label
+
+## Merge Requests
+
+Merge Requests are required to have `status` and `kind` labels.
+
+### Status
+
+Status captures the state of the Merge Request
+
+#### `status::blocked`
+
+Blocked merge requests and issues have an external dependency that needs to be solved before work can be completed.  This may be other Big Bang issues or hardening of IronBank images.
+
+#### `status::doing`
+
+Work is actively being done on this Merge Request
+
+#### `status::review`
+
+The Merge Request is ready to be reviewed by a Maintainer
+
+#### `status::to-do`
+
+This Merge Request has been assigned, but work as not been started.
+
+### Packages
+
+The package label controls which addons are deployed as part of CI. If a label is present for an addon, the Gitlab testing framework will enable this addon and ensure its tested as part
+
+### `ci::test-infra`
+
+The CI label for a Merge Request causes the full e2e CI job to run, which includes provisioning Kubernetes clusters in AWS.
+
+### `charter`
+
+This Merge Request has a proposed change to the Charter
+
+## Epics
+
+Epics are required to have `priority`, `size` and `status` labels.
+
+### Status
+
+Status captures the state of the Merge Request
+
+#### `status::to-do`
+
+This Epic is being identified and worked on by the Maintainers.
+
+#### `status::review`
+
+The Epic is ready for review by the engineering team.  Team can re-assign to `status::to-do` when more detail is needed.
+
+#### `status::ready`
+
+The epic is accepted by the team and ready for breakdown of work as priority dictates.
+
+#### `status::doing`
+
+Work has been broken out from this epic and is assigned to milestones for completion
+
+#### `status::blocked`
+
+Epic is blocked by an external dependency that needs to be solved before work can be completed.  This may be other Big Bang Epic or an Epic from another ValueStream.
+
+### Priority
+
+#### `priority::low`
+
+A nice to have, but not needed to advance the product.
+
+#### `priority::medium`
+
+Medium term delivery providing long term value.
+
+#### `priority::high`
+
+Top of the backlog and should be broken down and worked on when cycles become available
+
+### Size
+
+The `size` label helps identify the scope of work needed as part of the epic
+
+#### `size::small`
+
+Sufficently small enough to be completed by an engineer in a two week period
+
+#### `size::medium`
+
+A small number of engineers could complete this in a two week period
+
+#### `size::large`
+
+This epic should be broken down further into consumable sub-epics
+
+#### `size::xl`
+
+This epic needs to be broken down further to be able to be tackled in a sprint
--- a/charter/PackageRequirements.md
+++ b/charter/PackageRequirements.md
@@ -156,3 +156,6 @@ Each package will have a default branch of `main`.  Immutable tags will be used
 * Helm chart dependency version,use version ranges instead of pinning to an exact version.
    version: ~1.2.3
 * There should be a Helm values file located at `tests/test-values.yaml` used for pipeline testing.
+* Charts should support `affinity` and `nodeSelector` configuration for all components.  If there is only one type of `Pods`, then a single, top level value shall be provided, otherwise there should be `affinity` and `nodeSelector` regions for each component.  See [the Kubernetes Docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) for more information
+
+
--- a/charter/packages/anchore/Architecture.md
+++ b/charter/packages/anchore/Architecture.md
+# Anchore
+
+## Overview
+
+[Anchore](https://anchore.com/) is a Docker container static analysis and policy-based compliance system that automates the inspection, analysis, and evaluation of images against user-defined checks to allow high confidence in container deployments by ensuring workload content meets the required criteria.
+
+Anchore offers several [open source tools](https://anchore.com/opensource/) and products, however, this document will cover the architectural touchpoints for the Big Bang Anchore package, which includes Anchore Engine (open source) and Anchore Enterprise (requires enterprise license). For more information on the differentiators between Anchore's open source and commercial offerings, see [here](https://anchore.com/pricing/).
+
+### Anchore Engine
+```mermaid
+graph LR
+  subgraph "Anchore Engine"
+    anchorepods("Anchore Pods")
+    anchoreservice{{"API Service"}} --> anchorepods("Anchore Pods")
+  end      
+
+  subgraph "Ingress"
+    ig(Ingress Gateway) --> anchoreservice
+  end
+
+  subgraph "Database Storage (Postgres)"
+    anchorepods("Anchore Pods") --> database[(Anchore DB)]
+  end
+
+  subgraph "Object Storage (S3/Swift)"
+    anchorepods("Anchore Pods") --> bucket[(Anchore Bucket)]
+  end
+```
+
+### Anchore Enterprise
+```mermaid
+graph LR
+  subgraph "Anchore Enterprise"
+    anchorepods("Anchore Pods")
+    anchoreservice1{{"API Service"}} --> anchorepods("Anchore Pods")
+    anchoreservice2{{"Enterprise UI Service"}} --> anchorepods("Anchore Pods")
+  end      
+
+  subgraph "Session Storage (Redis)"
+    anchoreservice2 --> database3[("Enterprise UI DB")]
+  end
+
+  subgraph "Ingress"
+    ig(Ingress Gateway) --> anchoreservice1
+    ig(Ingress Gateway) --> anchoreservice2
+  end
+
+  subgraph "Database Storage (Postgres)"
+    anchorepods("Anchore Pods") --> database1[(Anchore DB)]
+    anchorepods("Anchore Pods") --> database2[(Enterprise Feeds DB)]
+  end
+
+  subgraph "Object Storage (S3/Swift)"
+    anchorepods("Anchore Pods") --> bucket[(Anchore Bucket)]
+  end
+
+  subgraph "Logging"
+    anchorepods("Anchore Pods") --> fluent(Fluentbit) --> logging-ek-es-http
+    logging-ek-es-http{{Elastic Service<br />logging-ek-es-http}} --> elastic[(Elastic Storage)]
+  end
+
+  subgraph "Monitoring"
+    svcmonitor("Service Monitor") --> anchoreservice1
+    Prometheus --> svcmonitor("Service Monitor")
+  end
+```
+
+For more information on the Anchore Enterprise architecture, see [Enterprise Service Overview and Architecture](https://docs.anchore.com/current/docs/overview/architecture/).
+
+## Big Bang Touchpoints
+
+### Licensing
+
+The Big Bang Anchore Enterprise services require a valid Anchore Enterprise license as well as credentials with access to Registry1 hosting the hardened images. 
+
+To be onboarded and provided with a trial or production license, please send an email to publicsector@anchore.com including program name and contact details.
+
+Once you have obtained a license this can be added to your values in Big Bang to automatically set up your Anchore deployment with the license (replacing the `licenseYaml:` value with your full license):
+```yaml
+addons:
+  anchore:
+    enterprise:
+      enabled: true
+      licenseYaml: |
+        ehjgjhh...
+```
+
+### Single Sign On
+
+Anchore Enterprise 2.1+ can be configured to support user login to the UI using identities from external identity providers that support SAML 2.0. In such a configuration, Anchore never stores any credentials for the users, only their usernames and Anchore permissions, and all UI access is gated through a user’s valid login into the identity provider. Anchore uses the external provider to verify username identity and initialize a username, account, and roles on first login for a new user. Once a user’s identity is initialized in Anchore, the Anchore administrator may manage user permissions by managing the roles associated with the user’s identity in Anchore itself. For more information, see [Anchore Enterprise SSO Support](https://docs.anchore.com/current/docs/overview/sso/).
+
+See below for an example of the values to provide to Anchore Enterprise for SSO setup:
+```yaml
+addons:
+  anchore:
+    sso:
+      enabled: true
+      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore
+      role_attribute: ""
+```
+
+### Storage
+
+Anchore relies on a PostgreSQL database as its primary data store. By default, Anchore will deploy an in-cluster PostgreSQL database, but it is recommended that an external PostgreSQL 9.6+ database be used, which can be configured in the Big Bang values.yaml. For more information, see [Anchore Enterprise Storage Overview](https://docs.anchore.com/current/docs/installation/storage/).
+
+### High Availability
+
+Since Anchore relies on a PostgreSQL database, it is recommended that production users utilize their database service's HA and scaling capabilities (e.g. Amazon Aurora, Google Cloud SQL, etc.). For users who need scaling or redundancy for their object storage, S3 or Swift are recommended. By default, Anchore Enterprise will utilize an HA redis deployment, but it can also be configured to use an external redis such as Elasticache).
+
+Anchore Enterprise can run one or more analyzer services to scale out the processing of images. There may be many of these analyzers but best practice is to not have more than one per node since analysis is very IO intensive (see [Affinity](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/Affinity.md) for an example of how to specify nodeSelector/affinity/anti-affinity). By specifying a `replicaCount` for the analyzers, the number of analysis pods can be scaled up or down:
+```yaml
+addons:
+  anchore:
+    values:
+      anchoreAnalyzer:
+        replicaCount: 2
+```
+As of the anchore-engine Chart version 0.9.0, all services can be scaled-out, so the above example can be modified for the `anchoreApi:`, `anchoreCatalog:`, `anchorePolicyEngine:`, and `anchoreSimpleQueue:` components as well.
+
+### UI
+
+Anchore Enterprise includes a UI, which can be used to scan repositories and images, edit policy bundles, manage users accounts and roles via RBAC, and view and generate security vulnerability and policy evaluation reports. For more information, see [Using the Anchore Enterprirse UI](https://docs.anchore.com/current/docs/using/ui_usage/).
+
+### Logging
+
+Anchore services produce detailed logs that contain information about user interactions, internal processes, warnings and errors. The verbosity of the logs is controlled using the log_level setting in config.yaml (for manual installations) or the corresponding ANCHORE_LOG_LEVEL environment variable (for Helm installations) for each service. The log levels are DEBUG, INFO, WARN, ERROR, and FATAL, where the default is INFO. Most of the time, the default level is sufficient as the logs will contain warn, error and fatal messages as well, but for deep troubleshooting, it is always recommended to increase the log level to DEBUG in order to ensure the availability of the maximum amount of information. For more information, see [Anchore Enterprise Logs](https://docs.anchore.com/current/docs/troubleshooting/#logs).
+
+_Note:_ within Big Bang, logs are captured by fluentbit and shipped to elastic by default.
+
+### Monitoring
+
+Anchore Engine and Enterprise expose prometheus metrics in the API of each service if the config.yaml used by that service has the metrics.enabled key set to true. Each service exports its own metrics and is typically scraped by a Prometheus installation to gather the metrics. Anchore does not aggregate or distribute metrics between services. You should configure your Prometheus deployment or integration to check each Anchore service’s api (using the same port it exports), for the /metrics route. For more information, see [Anchore Enterprise Monitoring](https://docs.anchore.com/current/docs/monitoring/#monitoring-in-kubernetes-andor-helm-chart) and [metrics.md](./metrics.md).
+
+The Big Bang Anchore Helm chart has been modified to use your `monitoring:` values in Big Bang to automatically toggle metrics on/off.
+
+### Healthchecks
+
+Liveness and readiness probes are included in the Anchore Helm chart for all deployments. System health can also be retrieved via the CLI, API, or UI. For example, to see the health of the Anchore services after a Helm install via the CLI:
+```
+kubectl -n anchore exec -it <ANCHORE_ENGINE_API_POD> -- anchore-cli --u <USERNAME> --p <PASSWORD> system status
+```
+For more information, see [Anchore Enterprise System Health](https://docs.anchore.com/current/docs/using/ui_usage/system_health/).
+
+### Dependant Packages
+
+- PostgreSQL 9.6+ (in-cluster by default; can be configured to use an external postgres)
+- Redis (in-cluster by default; can be configured to use an external redis)
\ No newline at end of file
No results found