Compare revisions

a797969b · a797969b · a797969b · a797969b · a797969b · a797969b
--- a/docs/airgap/scripts/registry.sh
+++ b/docs/airgap/scripts/registry.sh
+#!/usr/bin/env bash
+set -e
+
+# Installs/Configures:
+#  - Docker Registy Container with self-signed cert
+#
+# Tested on Ubuntu 14.04.1
+
+# Must be executed with elevated privilages
+if [ "$(id -u)" != "0" ]; then
+  printf "This script must be ran as root or sudo!\n"
+  exit 1
+fi
+
+# prompt helper function
+function prompt () {
+  if [ -z ${!1} ]; then
+    local response=""
+    while [[ ${response} = "" ]]; do
+      read -p "$2: " response
+    done
+    eval $1=${response}
+  fi
+}
+
+# collect required information
+# - C   Country
+# - ST  State
+# - L    Location
+# - O    Organization
+# - OU   Organizational Unit
+# - CN   Common Name
+echo -e "\nRequired information:"
+prompt BITS "Enter bit size for certs (Ex. 4096)"
+prompt DAYS "Enter number of days to sign the certs with (Ex. 3650)"
+prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
+prompt STATE "Enter the 'State' for the cert (Ex. CO)"
+prompt LOCATION "Enter the 'Location' for the cert (Ex. ColoradoSprings)"
+prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. PlatformOne)"
+prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Bigbang)"
+prompt COMMON  "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. host.k3d.internal"
+prompt ALTNAMES  "Enter the 'Subject Alternative Names' for the cert E.g. DNS:host.k3d.internal,IP:PRIVATEIP)"
+
+# ... Certs ...
+# ~~~~~~~~~~~~~
+
+# ... prep certs ...
+
+echo -e "\nGenerating certs ..."
+mkdir -p certs
+cd certs
+# Generate a root key
+openssl genrsa -out rootCA.key ${BITS}
+
+# Generate a root certificate
+openssl req -x509 -new -nodes -key rootCA.key -days ${DAYS}\
+    -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
+    -out rootCA.crt
+
+# Generate key for host
+openssl genrsa -out ${COMMON}.key ${BITS}
+
+# Generate CSR
+openssl req -new -key ${COMMON}.key \
+    -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
+    -out ${COMMON}.csr
+
+# Sign certificate request
+echo subjectAltName = DNS:${COMMON},${ALTNAMES} > extfile.cnf
+openssl x509 -req -in ${COMMON}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days ${DAYS} \
+-out ${COMMON}.crt -extfile extfile.cnf
+
+
+openssl rsa -in ${COMMON}.key -text > ${COMMON}.private.pem
+openssl x509 -inform PEM -in ${COMMON}.crt > ${COMMON}.public.pem
+
+mkdir -p /certs/${COMMON}
+cp rootCA.crt /certs/${COMMON}/ca.crt
+
+
+# ... launch registry ...
+# ~~~~~~~~~~~~~~~~~~~~~~~
+
+echo -e "\nLaunching our private registry ..."
+cd ..
+docker run -d -p 5443:5000 --restart=always --name bigbang_registry \
+    -v `pwd`/certs:/certs \
+    -v `pwd`/var/lib/registry:/var/lib/registry \
+    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
+    -e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
+    registry:2
+
+
+# Instructions
+echo -e "\nInstallation finished ...
+
+Notes
+=====
+
+To see images in the registry;
+
+=========================
+For example, 
+  curl https://host.k3d.internal:5443/v2/_catalog -k
+=========================
+
+"
\ No newline at end of file
--- a/docs/airgap/scripts/registry_config.yaml
+++ b/docs/airgap/scripts/registry_config.yaml
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /var/lib/registry-package
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3
\ No newline at end of file
--- a/docs/airgap/scripts/synker.md
+++ b/docs/airgap/scripts/synker.md
+# Airgap Image Sync
+
+## Prerequisite
+
+- `images.tar.gz` from [Big Bang Releases](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/releases)
+- 40gb disk space
+- docker
+
+## Usage
+
+Unpack 
+```
+tar -xvf images.tar.gz
+```
+
+Start a local registry based on the images we just unpacked
+```
+cd ./var/lib/registry
+docker load < registry.tar
+docker run -p 25000:5000 -v $(pwd):/var/lib/registry registry:2
+# verify the registry mounted correctly
+curl http://localhost:25000/v2/_catalog -k
+# a list of Big Bang images should be displayed, if not check the volume mount of the registry
+```
+Configure `./synker.yaml`
+
+Example
+```
+destination:
+  registry:
+    # Hostname of the destination registry to push to
+    hostname: 10.0.0.10
+    # Port of the destination registry to push to
+    port: 5000
+```
+If using Harbor reference the project name
+```
+destination:
+  registry:
+    # Hostname of the destination registry to push to
+    hostname: harbor.domain.com/ironbank
+    # Port of the destination registry to push to
+    port: 443
+```
+If your destination repo requires credentials add them to ` ~/.docker/config.json`
+```
+{
+  "auths": {
+    "registry.dso.mil": {
+      "username": "gitlab -user",
+      "password": "",
+      "auth": "=="
+    },
+    "registry1.dso.mil": {
+      "auth": ""
+    },
+    "harbor.yourdomain.com": {
+      "username": "robot",
+      "password": "",
+      "auth": "base64(username:password)="
+    }
+  }
+}
+``` 
+
+**WARNING:** Verify your credentials with docker login before running synker. If your environment has login lockout after failed attempts synker could trigger a lockout if your credentials are incorrect.
+
+```
+./synker push
+```
+Verify the images were pushed to your registry
--- a/docs/airgap/scripts/values.yaml
+++ b/docs/airgap/scripts/values.yaml
+# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
+hostname: bigbang.dev
+registryCredentials:
+  registry: host.k3d.internal
+  username: ""
+  password: ""
+  email: ""
+git:
+  # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
+  existingSecret: "ssh-credentials"
+
+flux:
+  interval: 1m
+  rollback:
+    cleanupOnFail: false
+
+
+eckoperator:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/eck-operator
+
+fluentbit:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/fluentbit
+logging:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/elasticsearch-kibana
+
+istio:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/istio-controlplane
+
+istiooperator:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/istio-operator
+
+clusterAuditor:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/cluster-auditor
+  values:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 0.5Gi
+
+monitoring:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/monitoring
+
+gatekeeper:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/policy
+
+twistlock:
+  enabled: true
+  git:
+    repo: ssh://git@host.k3d.internal/home/git/repos/twistlock
+
+# Explicitly enable all addons for CI
+addons:
+  argocd:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/argocd
+  authservice:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/authservice
+    chains:
+      minimal:
+        callback_uri: "https://minimal.bigbang.dev"
+  gitlab:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/gitlab
+    sso:
+      enabled: false
+  gitlabRunner:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/gitlab-runner
+  anchore:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/anchore-enterprise
+  sonarqube:
+    enabled: true
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/sonarqube
+  minioOperator:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/minio-operator
+  minio:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/minio
+  haproxy:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/haproxy
+  mattermostoperator:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/mattermost-operator
+  mattermost:
+    enabled: false
+    git:
+      repo: ssh://git@host.k3d.internal/home/git/repos/mattermost
\ No newline at end of file
--- a/docs/d_prerequisites.md
+++ b/docs/d_prerequisites.md
@@ -144,3 +144,25 @@ kubectl patch psp global-restricted-psp  -p '{"metadata": {"annotations":{"secco
 ### Istio

 By default, BigBang will use `istio-init`, and `rke2` clusters will come with `selinux` in `Enforcing` mode, please see the [`istio-init`](#istio-pre-requisites-on-selinux-enforcing-systems) above for pre-requisites and warnings.
+
+### Sonarqube
+
+Sonarqube requires the following kernel configurations set at the node level: 
+
+```bash
+sysctl -w vm.max_map_count=524288
+sysctl -w fs.file-max=131072
+ulimit -n 131072
+ulimit -u 8192
+```
+
+Another option includes running the init container to modify the kernel values on the host (this requires a busybox container run as root):
+
+```yaml
+addons:
+  sonarqube:
+    values:
+      initSysctl:
+        enabled: true
+```
+**This is not the recommended solution as it requires running an init container as privileged.**
--- a/docs/understanding/images/logs_data_flow_diagram.app.diagrams.net.png
+++ b/docs/understanding/images/logs_data_flow_diagram.app.diagrams.net.png
--- a/docs/understanding/images/logs_data_flow_diagram.app.diagrams.net.xml
+++ b/docs/understanding/images/logs_data_flow_diagram.app.diagrams.net.xml
+<mxfile host="app.diagrams.net" modified="2021-04-01T03:29:15.169Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" etag="D8lnvlAFDhG5Sz-aWDvn" version="14.5.3" type="device"><diagram id="w6dHBhk2DzmvdH_unnzh" name="Page-1">1VpXk6M+Ev80U3f3MC6iwY/GBueAM37ZkkEEGxBDcPr0JxGc8OzM3nr/teeqGUuN1Gp1/1rqbvzGNrxjKwSBPUAGdN8Yyji+sc03hqEZgcdfhHLKKAxdUKzQMfJRV8LUOcOcSOXUxDFgdDcwRsiNneCeqCPfh3p8RwNhiA73w0zk3q8aACtfkboSpjpwYWnY0jFiO6OK/M3oNnQsu1iZpvInHigG54TIBgY63JBY+Y1thAjFWcs7NqBLtFfoJZunfPL0IlgI/fg7E36sko+tfBju99awu0hakj+uv+dc9sBN8g3nwsanQgMhSnwDEibUGysdbCeG0wDo5OkBGx3T7NhzcY/GzbJQxQowjOHxhpQL2YLIg3F4wkPyp+80xWZzTgWBr+WgOdyYoJqPsm/UzzD5QJCb3bqwv2oGN3Ll/IKixCeKqrp4WWmDGxZp9JwN8EFBxqtcnlyGho+UKAB+Qds5PpagTrwFBi46eUSHV263Q7/HsBCIciLiNjYkDhAiP4Z4IYZqzTupR4RkXw48OL51GeYiK0phgEJIxjr+5ZHsgih29CkEoW7jfsNNohiGn4tUkv1TgNFfA8wFG+hKQN9Z6bQGcrH8bNNHPh4vAdexfNx1oUmWIqBzsC/Xc3KMgkxFOt5rPx3T5F6DWo6tPYCW44QSaBmWKYNWoP4QZtmvMZsbM8qNWQUe0ZC/iYKfouwW3FfYwntm1L8bGBnIw60JjFAS6vA/ZZazFFT51HcUwBBg0L1TxCDoAXpQ311G4K4PPBilSMHKSyF9Aa+FDfwOd0+E0guZwlym+yXyubfcK7izROEuvXosiMeFaZOgOEinJkEqwc+cI1sDOxtZGpn4X+YFIIZm4kYwJu5GX/xRnqZXSD7XR+QOLDb5MOqARbuOqjwz2l/lcDR1Jc3I84zyCh+khdLFQZV8kOWosg/S7J9yQuZrJ1TwIz/eOPGvOpwBoId8DJ7yxBue2fEPMnCngYgTBAQxDfKMDEgiWAyxURSPSeiCRUZu4hGf8LDh4wLyRQdLtAeYiZIxRVcXIizwVy/ZwNCHccqaYPMC4Hy52E4FKxgGyLmuoiPXJeHcw32UOg5IlY4PB0IJE9/P/DWVAFzWIpuLULFDPfXOCN6fElGx3J3bPnGh+uN+bjRPQT9KQnjx3xvF5wfYEzkhRvUpl7Xylzko9+iftde4J11cdD91T6YIQe/iOuoF7ik3Tn3rw/O4d1v6sVaG67W++U4AjAP3gDQdL80VpPS7HgVZukHOLlB0TOdIzHZRc5/YZowiJ3YQUfcGxeTy+cwO+QpNO45JelMnW2OUEBwqlhPbyQY7Tqin8Vtc0cklpmRouzTeU9wpIq1zNcaoGcIGQAANztBpUxdqpkhVOY7jWYrlBJrdkMjMx3i6nV6J9tZr7M1ypeNYrJaPY7ZSBO23Fr8hv9zmz47kv8zmYA9iEEbUp4ZP8F9VqOKwEwujEA2lPpIHcPvXBbYCVfJakStbUaw889sb8sut+Cy6/cKKX5rok7P0jWHlqoL96lMrltBQBkxhaANbFts56zJKQC6FhrOQRpMD1WtZqI4/w+nclucWbjUHpH9u1DXyXUWz+gehdmRXVhcTJMGVhplQ0UybHNrimOrinurX6tx86KCPpbxT6YZHd9hjvf+xaHFUt2E5/Z4jWpA+Lo5qa6q6fbk72/amp9Zg0oqbvfMkkam+vBXqW28XMtXYYE8Nh22P2SY7Zs0R5Z3pw7hvbqCO1/KN9RsjCWfcHA4w3qS1qosHm5iUb567SqK16DM3M1IjN3c1cBjLdM0TOp21MxB7CEewUk+qDY9jjAhpB5vS0NSAykXNqHloB2fpXKf7anPFQK4z3ozOI80SWy3QYrrmrL8zW21qL/Vl307AlGngiKKJccso89pQhac2UDHPjR1bfV04rHC7tepqwWChtil/N+aD2bLX5+dnGsLm2RAT9bCtea6qWB1np8zd7cB2NxavqVSjSRCqd02dPfdDDylIdT7kFj0S4oMc+o29rQO23fb1xcw7hSo+txS2OwDiBqOhO62P9ibfGe3UTlSVdr3lZjMNGLehbJaaMGttqZMyPovJqFeXOxaznRyFszAAHeF06oPkuJTcVotaSe6U1ux5nPTOPY05tPW1J+9WfWrdnJui19/jvSl0TVyHe1Ga19ud5u64M8mGnfXKEkc91VyIrs+v7U1c261Mz6o6S/WjO2F2SnvkDkRVHo+FGNtI0oa1Xn2nW1Dexd5cm1fNxqx7nG+1DgcdvLGap2/p3pLlxCO/tkR0mBxEoznxx635+MCKdgvZ1eW0GXhdGq4oobP14NGX6sOuOtgpi3HCaB9Bz9RqQD7LItXdWWBiu2G81E7q8eRNFSG0ln1ZNEl8OZ0k6mZfX3radKxKg5OmHK1xZ4xgr+7OxQFF9YIPk5W2A8ZdUL1+M1ZZn/mALQDW+klxjuwgUaYNnjP2Huoiro9W3EfUmvL2bDal+I7hnp0J0L0FCUyUWWvIGMbB6rRVSwulj95ysO4Ng5XdDYKttKA3iToN230IRnw3W2mC1TXXtUgENXk9mgm8tem6Hw04a1PCXmY62vEcqfvmQSRuAapJA7SaUKjbthDzW5+Rw+7C6tMfW/+scmzXn9KO6Hf2nITmXaF3xP+lgXiUx/RpZcfzxaZWGw02MiJYrNtGG3/JK2Y5XJsHztvRmjEZaIvpXJOqcwoMvG1PcaWIjO1FVds/9nnPllqGumMSS2k16Lrd7C15qptQ59FU2En46JRk8WPQVvsjRRzutVE1GIGZKw0icvLUp/PFaNLjG1qnQ07El9wtVZYvFU3Y8t3yJF97RbomUtz7YkyHqx+75k7fz3Xvh/Q0HnxI10CIw6QQpBtJI/zfL/jds/n1St/MhiG8zfRwsLDHdnHSZOOAY4i0/HCXwhzyOXfpFEhJ8EjurbTwl6ZHKImDJE/GnPAhd4pinNWB0MjGVdLU8FHmziUNTaIEL3i6ZGE6iGDaAXGqiseZ749iZzlVLkAmbgy9AGGDOCnfQ+jEOFAqxLvPUxUSRQHHh2GaxTkh3idKLZmlZSCt2pRS18rXpTEiaP2tyLFDGF/UHyDX0VOwhJAY5VqMzXdhhmlBKonyCixK8+wkFSXLeHMx/pUJHZFSVFGaeiZHVlN7oikDujCzK7b+NWO/yVOvI9IKk4f28GJp4KO8+HVXc3pacvp/KP1WHxPdG8IkP2uYl73U+Fbyy4kVofok/6X/VHmq+nUUDX2jTt6k4Z7ugihy9Hu7YK2Ep1Ue5aYdjXQqHC8UhObx9nHzdNsbw9DBe4FhTvxU2zghsmD8dakNGsUrvU9scqNw/sndUtBC6ILY2d+/CHxmgHyFcV7AKgDBP1qcq9XumWQF6Hze1ZDfYMXUHgCRKafEKsXEZevfgkncVn8kp7lpTs4x0EBAGQvrSco8pMtAwYpPU6t7fBSeqWODEiuXfNNzDIPwkEIYOWewSfkRKKQlwXSDvPTGPw86forqR/+8vCfOF3m7fRV7h5HfNH6hsFNhwHsGyDTT2uFvGerpzoUX+vM7VaGo6oNT08xLnfovcVa29vjOmRMfbPZdZ+VovlKrUtcP9xXnP+y75ZB2+AQUf43vFgj+33238EGM1lIJ8iVo4SoPRqXZivCPuTj9jZr1jY/n8ZEBIvsSad1YmNDHAEfMoZ9SGCqt/8ch2l1+8XJ/y1f4uyPhq+Pg6MTZNC47S3BfK3ji9nUa6dzOejxDtokX5D8Qqv7sSMlf6375XvzLeEL8q44onq0+YPnyJvNXjyiG+wfjiQUd2MpA/tGT1nxbqNFRozZ5diahGKbpGlsOLH4pTTAd170p3Bo8FI0rpG+eiMyGrV6R9OTAKYHr83dbYinYY8vhffUJOpgXRPZPVfwkZLuouHxg/P0qrvKlYtGT10kvUjF57Xb5ZV4G+usPHFn5vw==</diagram></mxfile>
\ No newline at end of file
--- a/docs/understanding/images/metrics_data_flow_diagram.app.diagrams.net.png
+++ b/docs/understanding/images/metrics_data_flow_diagram.app.diagrams.net.png
--- a/docs/understanding/images/metrics_data_flow_diagram.app.diagrams.net.xml
+++ b/docs/understanding/images/metrics_data_flow_diagram.app.diagrams.net.xml
+<mxfile host="app.diagrams.net" modified="2021-04-01T03:06:34.651Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" etag="yaGJlwZQux8Q-9mWfGid" version="14.5.3" type="device"><diagram id="w6dHBhk2DzmvdH_unnzh" name="Page-1">7VlZc9s2EP41mrYP1vCQfDxaku04TVw3TpM0LxmIhERUJECDoI78+u4CIAmSUqzUbqed6YNtcgns+e0BeBBOs+2NJHnyVsQ0HQRevB2Es0EQ+MHZGP4gZWcoQRAGhrKULLarGsID+0ot0bPUksW0aC1UQqSK5W1iJDinkWrRiJRi0162EGlbak6WVqLXEB4iktLeso8sVomhno+d1a8oWyaVZN+zXzJSLbaEIiGx2Dik8GoQTqUQyjxl2ylN0XuVX8y+6wNfa8Uk5eqYDV8+lY9/XG3u1uvl3esP5c2E31+eWC5rkpbWYKus2lUekKLkMUUm3iCcbBKm6ENOIvy6gaADLVFZCm8+PPaVqiRQqejWIVklb6jIqJI7WGK/nvheaPbsKkI4sj7cOCE4tasSx/1hBRtiw76s2TeegQfrnO9xVLjHU6cpyJ3M4WGJD/cShSW0LIBCMnQNnxe5dotdKqu1FQWUqfevGAcVLrX7iaKLMi2o6m91xXgMfxH4ec8yCn8eqGQUaTOiyJwUSFMJUT8gTeSKZZBisc4EqQUJyfgS8QpuYlExhMeWgBwYiphBRqQYpCKCmGsBMQhAPrC43g4PlMe5YFxpvXhsZegdTOkQqoRx/fZDxQb1HB72UUOZlhKRpTUR3CiUCIl8FZWZFYYpHXhlYQy7mjxg3ERaZrT2WFHmOeyj8bAfqoP495/Gf0rmNJ2QaLXU26YiBTeHMy44rJ+QlC05vKZ0gdZgTqBjLy1ZCeRWAHPQ/I1eMzttKO/x8yx4mSwb+WedJAvGwTAY9/Kszj03z/wwGI6fn2lX092b5WOWjU6SyZfP13efP0fzk9HTJQlKaY6PLNPVe6L/Xha5aQBYpkj1smBbjF3t6zcYoHtRMMUE+nwulAIAHwqGlTBLlMKGc4mmBddkDaCVhT9cApjLeVlQCf1HQTSGEWbDdQk/YXjujU4hBNfooQD7gkXaGt5HLxPGs6q7NGEcXewP455qOfq7imVwRLEUsa0G6AO34thKpGsJmadYrfZXU7d2Hq4ekD18b+l8W8uJcIU3p65IWyCxxOVa1Tm6PRamqAAPM02kYoMUREZXAX/4E6x5Rda03mA4JaJQFeu+4U4N1YMTJ5kmbuhcDys9OVdb0zR8bzgKht4Q4HJ54Y9DDF1lYnfPj3dCUbNtRtc0FVDmG09EMMdpnXWtBPWygqZrXT21U3KBWGe2JUj6WFJtETYazFRtk3FUylb0WFsLGPUiIs00pwjjFJ+XVDsrjnVUlIBft1LwCeErHWWo5VFiUFy5+fWHt4flbXXhly15VnEHBy15NQimVRczKyUlcS2u9vXUGIBJbL1X8bEgODgm1EoC9jLUaFo3UYsZy01wq5WbK8aPCLqnG2ngYhMZ/VzOqeRU6SDDELFmEW0cU3d01wyNZaOdmUI2UMlQuYX+WllfLzWNF1lrZBzIecGPmgRCbcAUIqAqE6zWbwVnSsM0KgulhxMYP0QpnzKoONJqHJH2ZNR7/b1VYX6BrCLKpowpd7p4lkVTEhpfN4ob0JWgPFH15BWzIhJrKuudt/e1/623refjorHB4uaAs83uriQA74ItS9ko2bIKNaaNTVrZCCohNlyXuZ0MYZs211ayjjU6yeqZ8VvghXLmlvJ/2ZzmB91BzaW8s033hYa3k4vz7gkp7J+QRhd7Jrfg/Pz5TZ9eZY+PF8Xi1f31yuNFuC2It3du6/T8G0kWhJPnno5imqdil6H/ejtrER5r+gEgEaczhNrNb7eDqrevGd20Dj8De1jR1Yp3cP//MUEjzffOjjsjnL3AUXwv0MZPHxAg1pd4+dP4NCZFUkfHiQTS74mCgYBrSuCF6Eolxaq+8MF14EK5+4SnCzj42Nff3W+zrT16mLedfTsYA9uRnswnOGjgBPT0zQSNq5usAyF1AjbeE6+KJmkKvWDdvv/aF0Qr4d5ObxYxwah3Igk7SDCm233ujVWX1UWP1XmHlfFOj5XGVW36UVDLVrOHd77y8tebi9Wv2fnNx9vrY67HHKhFKSkKmN8QP0SqPtnBXYMnF00OuA7giW6Z+lTxgGdnF7w1m/DluzD4zYPcfw2E4biLHG/8F0E48rqs6ivefwiE/cP0XRU/B4bgeH230YZZ1UoiCD3MbP1mkrE4Rh4TmJHZVzz7WtDY4ReYjyeD8WwvjL6ZM90eU9/RWyED9xp875TjDT3vbNTyvv88eFRcwvYOsVjom9bviR28Nnf3ZnnzL5Dw6k8=</diagram></mxfile>
\ No newline at end of file
--- a/docs/understanding/logs_data_flow_diagram.md
+++ b/docs/understanding/logs_data_flow_diagram.md
+# Goals of this Diagram: 
+* Help new users understand the data flow of pod logs
+
+# Kubernetes Pod Logs Data Flow Diagram: 
+![](images/logs_data_flow_diagram.app.diagrams.net.png)
+
+| Line Number | Protocol | Port | Description |
+| --- |  --- | --- | --- |
+| N1 | Volume Mount | NA | Fluentbit reads pod logs from a host node volume mount |
+| N2 | HTTPS | TCP:9200 | Fluentbit sends logs to Elastic Search over the URL: https://logging-ek-es-http:9200 (This URL is only exposed over the Kubernetes Inner Cluster Network, and because Fluentbit and ElasticSearch have Istio Envoy Proxy sidecar containers the network traffic is protected by the service mesh.) |
+
+## Notes: 
+1. The fluentbit log shipper is configured to send pod logs to the ElasticSearch Cluster in the logstash data format.  Logstash_Format On
+2. By default: The log index logstash-%Y.%m.%d will create a new log index everyday, because %d will increment by one everyday. There are no default Index Lifecycle Management Policies that are created or applied to these indexes. It is recommended that customers create a Index Lifecycle policy to prevent disk space from filling up. (Example: Archive to s3 and then delete from PVC logs older than N days.)
--- a/docs/understanding/metrics_data_flow_diagram.md
+++ b/docs/understanding/metrics_data_flow_diagram.md
+# Goals of this Diagram: 
+* Help new users understand the data flow of prometheus metrics
+
+# Prometheus Metrics Data Flow Diagram: 
+![](images/metrics_data_flow_diagram.app.diagrams.net.png)
+
+| Line Number | Protocol | Port | Description |
+| --- |  --- | --- | --- |
+| N1 | HTTP | varies* | *A standard port number for prometheus metric endpoint URLs doesn't exist. The Prometheus Operator is able to use ServiceMonitors and Kubernetes Services to automatically discover IP addresses of pods and these varying prometheus metric endpoint ports. Once a minute the prometheus Operator dynamically regenerates a metric collection config file that the Prometheus Server continuously uses to collect metrics. In the majority of cases prometheus metric endpoints, are read over HTTP, and are only reachable over the Kubernetes Inner Cluster Network.  |
--- a/hack/secrets/ingress-cert.yaml
+++ b/hack/secrets/ingress-cert.yaml
--- a/scripts/deploy/02_wait_for_helmreleases.sh
+++ b/scripts/deploy/02_wait_for_helmreleases.sh
@@ -84,7 +84,7 @@ do
  fi
 done

-kubectl get hr,kustomizations,gitrepositories -A
+kubectl get helmreleases,kustomizations,gitrepositories -A

 for package in $DEPLOYED_HELMRELEASES;
 do

--- a/scripts/deploy/flux.yaml
+++ b/scripts/deploy/flux.yaml
 ---
-# GitOps Toolkit revision latest
+# Installed with flux install --image-pull-secret=private-registry --registry=registry1.dso.mil/ironbank/fluxcd --dry-run --export > flux.yaml
+# Flux version: v0.10.0
 # Components: source-controller,kustomize-controller,helm-controller,notification-controller
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: flux-system
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: alerts.notification.toolkit.fluxcd.io
 spec:
  group: notification.toolkit.fluxcd.io
@@ -183,11 +184,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: buckets.source.toolkit.fluxcd.io
 spec:
  group: source.toolkit.fluxcd.io
@@ -370,11 +371,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: gitrepositories.source.toolkit.fluxcd.io
 spec:
  group: source.toolkit.fluxcd.io
@@ -585,11 +586,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: helmcharts.source.toolkit.fluxcd.io
 spec:
  group: source.toolkit.fluxcd.io
@@ -776,11 +777,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: helmreleases.helm.toolkit.fluxcd.io
 spec:
  group: helm.toolkit.fluxcd.io
@@ -1291,11 +1292,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: helmrepositories.source.toolkit.fluxcd.io
 spec:
  group: source.toolkit.fluxcd.io
@@ -1458,11 +1459,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: kustomizations.kustomize.toolkit.fluxcd.io
 spec:
  group: kustomize.toolkit.fluxcd.io
@@ -1536,6 +1537,10 @@ spec:
                  - name
                  type: object
                type: array
+              force:
+                default: false
+                description: Force instructs the controller to recreate resources when patching fails due to an immutable field change.
+                type: boolean
              healthChecks:
                description: A list of resources to be included in the health assessment.
                items:
@@ -1671,6 +1676,27 @@ spec:
                      type: string
                    description: Substitute holds a map of key/value pairs. The variables defined in your YAML manifests that match any of the keys defined in the map will be substituted with the set value. Includes support for bash string replacement functions e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.
                    type: object
+                  substituteFrom:
+                    description: SubstituteFrom holds references to ConfigMaps and Secrets containing the variables and their values to be substituted in the YAML manifests. The ConfigMap and the Secret data keys represent the var names and they must match the vars declared in the manifests for the substitution to happen.
+                    items:
+                      description: SubstituteReference contains a reference to a resource containing the variables name and value.
+                      properties:
+                        kind:
+                          description: Kind of the values referent, valid values are ('Secret', 'ConfigMap').
+                          enum:
+                          - Secret
+                          - ConfigMap
+                          type: string
+                        name:
+                          description: Name of the values referent. Should reside in the same namespace as the referring resource.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                      required:
+                      - kind
+                      - name
+                      type: object
+                    type: array
                type: object
              prune:
                description: Prune enables garbage collection.
@@ -1715,7 +1741,7 @@ spec:
                description: Timeout for validation, apply and health checking operations. Defaults to 'Interval' duration.
                type: string
              validation:
-                description: Validate the Kubernetes objects before applying them on the cluster. The validation strategy can be 'client' (local dry-run), 'server' (APIServer dry-run) or 'none'.
+                description: Validate the Kubernetes objects before applying them on the cluster. The validation strategy can be 'client' (local dry-run), 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', validation will fallback to 'client' if set to 'server' because server-side validation is not supported in this scenario.
                enum:
                - none
                - client
@@ -1829,11 +1855,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: providers.notification.toolkit.fluxcd.io
 spec:
  group: notification.toolkit.fluxcd.io
@@ -1902,6 +1928,7 @@ spec:
                - gitlab
                - bitbucket
                - azuredevops
+                - googlechat
                type: string
              username:
                description: Bot username for this provider
@@ -1972,11 +1999,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.4.1
  creationTimestamp: null
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: receivers.notification.toolkit.fluxcd.io
 spec:
  group: notification.toolkit.fluxcd.io
@@ -2078,6 +2105,7 @@ spec:
                - quay
                - gcr
                - nexus
+                - acr
                type: string
            required:
            - resources
@@ -2150,7 +2178,7 @@ kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: helm-controller
  namespace: flux-system
 ---
@@ -2159,7 +2187,7 @@ kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: kustomize-controller
  namespace: flux-system
 ---
@@ -2168,7 +2196,7 @@ kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: notification-controller
  namespace: flux-system
 ---
@@ -2177,7 +2205,7 @@ kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: source-controller
  namespace: flux-system
 ---
@@ -2186,7 +2214,7 @@ kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: crd-controller-flux-system
 rules:
 - apiGroups:
@@ -2265,7 +2293,7 @@ kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: cluster-reconciler-flux-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@@ -2284,7 +2312,7 @@ kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: crd-controller-flux-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@@ -2315,7 +2343,7 @@ kind: Service
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: notification-controller
  namespace: flux-system
@@ -2334,7 +2362,7 @@ kind: Service
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: source-controller
  namespace: flux-system
@@ -2353,7 +2381,7 @@ kind: Service
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: webhook-receiver
  namespace: flux-system
@@ -2372,7 +2400,7 @@ kind: Deployment
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: helm-controller
  namespace: flux-system
@@ -2401,7 +2429,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: registry1.dso.mil/ironbank/fluxcd/helm-controller:v0.7.0
+        image: registry1.dso.mil/ironbank/fluxcd/helm-controller:v0.9.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
@@ -2409,11 +2437,11 @@ spec:
            port: healthz
        name: manager
        ports:
-        - containerPort: 8080
-          name: http-prom
        - containerPort: 9440
          name: healthz
          protocol: TCP
+        - containerPort: 8080
+          name: http-prom
        readinessProbe:
          httpGet:
            path: /readyz
@@ -2446,7 +2474,7 @@ kind: Deployment
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: kustomize-controller
  namespace: flux-system
@@ -2475,7 +2503,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v0.7.4
+        image: registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v0.9.3
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
@@ -2483,11 +2511,11 @@ spec:
            port: healthz
        name: manager
        ports:
-        - containerPort: 8080
-          name: http-prom
        - containerPort: 9440
          name: healthz
          protocol: TCP
+        - containerPort: 8080
+          name: http-prom
        readinessProbe:
          httpGet:
            path: /readyz
@@ -2522,7 +2550,7 @@ kind: Deployment
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: notification-controller
  namespace: flux-system
@@ -2550,7 +2578,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: registry1.dso.mil/ironbank/fluxcd/notification-controller:v0.8.0
+        image: registry1.dso.mil/ironbank/fluxcd/notification-controller:v0.12.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
@@ -2558,15 +2586,15 @@ spec:
            port: healthz
        name: manager
        ports:
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
        - containerPort: 9090
          name: http
        - containerPort: 9292
          name: http-webhook
        - containerPort: 8080
          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
@@ -2599,7 +2627,7 @@ kind: Deployment
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
    control-plane: controller
  name: source-controller
  namespace: flux-system
@@ -2632,7 +2660,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: registry1.dso.mil/ironbank/fluxcd/source-controller:v0.8.1
+        image: registry1.dso.mil/ironbank/fluxcd/source-controller:v0.9.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
@@ -2684,7 +2712,7 @@ kind: NetworkPolicy
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: allow-scraping
  namespace: flux-system
 spec:
@@ -2703,7 +2731,7 @@ kind: NetworkPolicy
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: allow-webhooks
  namespace: flux-system
 spec:
@@ -2721,7 +2749,7 @@ kind: NetworkPolicy
 metadata:
  labels:
    app.kubernetes.io/instance: flux-system
-    app.kubernetes.io/version: latest
+    app.kubernetes.io/version: v0.10.0
  name: deny-ingress
  namespace: flux-system
 spec:

--- a/scripts/package/gits.sh
+++ b/scripts/package/gits.sh
@@ -5,7 +5,7 @@ mkdir -p repos/

 # "Package" ourselves
 # Do it this way on purpose (instead of cp or rsync) to ensure this never includes any unwanted "build" artifacts
-git -C repos/ clone -b ${CI_COMMIT_REF_NAME} ${CI_REPOSITORY_URL}
+git -C repos/ clone -b ${CI_COMMIT_REF_NAME} ${CI_PROJECT_URL}

 # Clone core
 yq e ".*.git.repo | select(. != null) | path | .[-3] " "chart/values.yaml" | while IFS= read -r package; do

--- a/tests/bash/01_virtualservices.sh
+++ b/tests/bash/01_virtualservices.sh
@@ -8,7 +8,7 @@ ip=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.sta

 echo "Checking "

-hosts=`kubectl get vs -A -o jsonpath="{ .items[*].spec.hosts[*] }"`
+hosts=`kubectl get virtualservices -A -o jsonpath="{ .items[*].spec.hosts[*] }"`
 for host in $hosts; do
    echo "$ip $host" >> /etc/hosts
    curl -svv https://$host/ > /dev/null

--- a/tests/bash/02_non_ironbank.sh
+++ b/tests/bash/02_non_ironbank.sh
@@ -6,4 +6,4 @@ set -e
 # Quick check for non iron bank images
 echo "Showing images not from ironbank:"
 # Ignore rancher images since those are from k3d
-kubectl get pods -A -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c | grep -v "registry1" | grep -v "rancher"
+kubectl get pods -A -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c | grep -v "registry1" | ( grep -v "rancher" || echo "None" )
--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -26,6 +26,11 @@ logging:
            cpu: .5
          limits: {}

+fluentbit:
+  values:
+    securityContext:
+      privileged: true
+
 istio:
  enabled: true
  values:

--- a/tests/ci/secrets/README.md
+++ b/tests/ci/secrets/README.md
@@ -19,7 +19,7 @@ sudo chown -R tom certs
 ## Unencrypt Cert

 ```bash
-kubectl create secret tls wildcard-cert --key=certs/privkey.pem --cert=certs/fullchain.pem --dry-run=client -oyaml > ingress-cert.yaml
+kubectl create secret tls wildcard-cert -n istio-system --key=certs/privkey.pem --cert=certs/fullchain.pem --dry-run=client -oyaml > ingress-cert.yaml
 ```

 ## Recrypt Cert

--- a/tests/ci/secrets/ingress-cert.yaml
+++ b/tests/ci/secrets/ingress-cert.yaml
No results found