

Adding OpenShift Test Values

Merged Aaron Lieberman requested to merge openshift-test-values into master
+ 2504
0
openshift: true
domain: dev.bigbang.mil
sso:
url: https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda
# LetsEncrypt certificate authority
certificateAuthority:
cert: |
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
saml:
# Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>
flux:
timeout: 20m
interval: 1m
rollback:
timeout: 20m
cleanupOnFail: false
networkPolicies:
enabled: true
#controlPlaneCidr: 172.16.0.0/12
# istio:
# enabled: true
# git:
# tag: null
# branch: "main"
# values:
# profile: "openshift"
# ingressGateways:
# public-ingressgateway:
# k8s:
# hpaSpec:
# minReplicas: 3
# maxReplicas: 5
# istio:
# enabled: true
# ingressGateways:
# passthrough-ingressgateway:
# type: "LoadBalancer"
# gateways:
# passthrough:
# ingressGateway: "passthrough-ingressgateway"
# hosts:
# - "*.{{ .Values.domain }}"
# tls:
# mode: "PASSTHROUGH"
# public:
# tls:
# key: "" # Gets added via chart/ingress-certs.yaml
# cert: "" # Gets added via chart/ingress-certs.yaml
# git:
# tag: null
# branch: "main"
# values:
# kiali:
# dashboard:
# auth:
# strategy: "anonymous"
# profile: "openshift"
# ingressGateways:
# public-ingressgateway:
# k8s:
# hpaSpec:
# minReplicas: 3
# maxReplicas: 5
istio:
enabled: true
git:
tag: null
branch: "main"
values:
profile: "openshift"
ingressGateways:
public-ingressgateway:
k8s:
hpaSpec:
minReplicas: 3
maxReplicas: 5
gateways:
public:
tls:
key: "" # Gets added via chart/ingress-certs.yaml
cert: "" # Gets added via chart/ingress-certs.yaml
jaeger:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
values:
istio:
jaeger:
enabled: true
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://tracing.dev.bigbang.mil"
# uncomment following variables for sso keycloak testing in bb
# cypress_tnr_username: "cypress"
# cypress_tnr_password: "tnr_w!G33ZyAt@C8"
# cypress_keycloak_test_enable: "true"
kiali:
enabled: true
git:
tag: null
branch: "main"
values:
cr:
spec:
identity:
cert_file: ""
private_key_file: ""
bbtests:
enabled: true
cypress:
envs:
cypress_url: 'https://kiali.dev.bigbang.mil'
cypress_check_data: 'true'
# uncomment these next 3 lines if enabling the keycloak SSO integration test
#cypress_keycloak_test_enable: "true"
#cypress_keycloak_username: "cypress"
#cypress_keycloak_password: "tnr_w!G33ZyAt@C8"
resources:
requests:
cpu: 3
memory: 4Gi
limits:
cpu: 3
memory: 4Gi
clusterAuditor:
enabled: true
values:
resources:
requests:
cpu: 100m
memory: 256Mi
limits: {}
bbtests:
enabled: true
cypress:
envs:
cypress_grafana_url: 'https://grafana.dev.bigbang.mil'
cypress_prometheus_url: 'https://prometheus.dev.bigbang.mil'
cypress_url: 'https://grafana.dev.bigbang.mil/d/YBgRZG6Mz/opa-violations?orgId=1'
# gatekeeper:
# values:
# replicas: 1
# controllerManager:
# resources:
# limits: null
# requests:
# cpu: 175m
# memory: 512Mi
gatekeeper:
enabled: true
values:
replicas: 1
controllerManager:
resources:
limits: {}
requests:
cpu: 100m
memory: 256Mi
violations:
allowedCapabilities:
parameters:
excludedResources:
# Allows k3d load balancer containers to not drop capabilities
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedDockerRegistries:
parameters:
excludedResources:
# Allows k3d load balancer containers to pull from public repos
- istio-system/lb-port-.*
# Allow argocd to deploy a test app in its cypress test
- argocd/guestbook-ui
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedHostFilesystem:
parameters:
excludedResources:
- argocd/argocd-cypress-test
- cluster-auditor/cluster-auditor-cypress-test
- fortify/fortify-cypress-test
- fortify/fortify-ssc-cypress-test
- gitlab/gitlab-cypress-test
- gitlab/gitlab-runner-cypress-test
- gitlab-runner/gitlab-runner-cypress-test
- harbor/harbor-cypress-test
- holocron/holocron-cypress-test
- jaeger/jaeger-cypress-test
- keycloak/keycloak-cypress-test
- kiali/kiali-cypress-test
- kyverno-reporter/kyverno-reporter-cypress-test
- logging/elasticsearch-kibana-cypress-test
- logging/loki-cypress-test
- mattermost/mattermost-cypress-test
- minio/minio-instance-cypress-test
- minio-operator/minio-operator-cypress-test
- monitoring/grafana-cypress-test
- monitoring/monitoring-cypress-test
- neuvector/neuvector-cypress-test
- nexus-repository-manager/nexus-repository-manager-cypress-test
- sonarqube/sonarqube-cypress-test
- tempo/tempo-cypress-test
- thanos/thanos-cypress-test
- twistlock/twistlock-cypress-test
- vault/vault-cypress-test
# Allow kyverno test vectors for Helm test
- default/restrict-host-path-mount-.?
- default/restrict-host-path-write-.?
- default/restrict-volume-types-.?
allowedIPs:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/restrict-external-ips-.?
allowedSecCompProfiles:
parameters:
excludedResources:
# Allows k3d load balancer containers to have an undefined defined seccomp
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedUsers:
parameters:
excludedResources:
# Allows k3d load balancer containers to run as any user/group
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
bannedImageTags:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
- default/not-me
containerRatio:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined limits/requests
- istio-system/lb-port-.*
hostNetworking:
parameters:
excludedResources:
# Allows k3d load balancer containers to mount host ports
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/disallow-host-namespaces-.?
- default/c.?
- default/i.?
noBigContainers:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined limits/requests
- istio-system/lb-port-.*
noHostNamespace:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/disallow-host-namespaces-.?
noPrivilegedContainers:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noPrivilegedEscalation:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined security context
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noSysctls:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/restrict-sysctls-.?
readOnlyRoot:
parameters:
excludedResources:
# Allows k3d load balancer containers to mount filesystems read/write
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
requiredLabels:
parameters:
excludedResources:
# Allows k3d load balancer pods to not have required labels
- istio-system/svclb-.*
# Allow kyverno test vectors for Helm test
- default/require-labels-.?
requiredProbes:
parameters:
excludedResources:
# Allows k3d load balancer containers to not have readiness/liveness probes
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
restrictedTaint:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/disallow-tolerations-.?
selinuxPolicy:
enabled: false
enforcementAction: allow
parameters:
exemptImages:
# Allow kyverno test vectors for Helm test
- default/.*
- default/disallow-selinux-options-.*
- default/restrict-selinux-type-.*
- default/not-me
- istio-system/.*
- istio-operator/.*
- monitoring/.*
volumeTypes:
parameters:
excludedResources:
- argocd/argocd-cypress-test
- cluster-auditor/cluster-auditor-cypress-test
- fortify/fortify-ssc-cypress-test
- gitlab/gitlab-cypress-test
- gitlab/gitlab-runner-cypress-test
- gitlab-runner/gitlab-runner-cypress-test
- harbor/harbor-cypress-test
- holocron/holocron-cypress-test
- jaeger/jaeger-cypress-test
- keycloak/keycloak-cypress-test
- kiali/kiali-cypress-test
- kyverno-reporter/kyverno-reporter-cypress-test
- logging/elasticsearch-kibana-cypress-test
- logging/loki-cypress-test
- mattermost/mattermost-cypress-test
- minio/minio-instance-cypress-test
- minio-operator/minio-operator-cypress-test
- monitoring/grafana-cypress-test
- monitoring/monitoring-cypress-test
- neuvector/neuvector-cypress-test
- nexus-repository-manager/nexus-repository-manager-cypress-test
- sonarqube/sonarqube-cypress-test
- tempo/tempo-cypress-test
- thanos/thanos-cypress-test
- twistlock/twistlock-cypress-test
- vault/vault-cypress-test
# Allow kyverno test vectors for Helm test
- default/restrict-host-path-mount-.?
- default/restrict-host-path-write-.?
- default/restrict-volume-types-.?
bbtests:
enabled: true
kyverno:
enabled: true
values:
networkPolicies:
externalRegistries:
allowEgress: true
admissionController:
container:
extraArgs:
webhookTimeout: 30
resources:
limits:
cpu: 1
memory: 768Mi
requests:
cpu: 1
memory: 768Mi
bbtests:
enabled: true
kyvernoReporter:
enabled: false
values:
bbtests:
enabled: true
cypress:
envs:
cypress_grafana_url: https://grafana.dev.bigbang.mil
cypress_prometheus_url: https://prometheus.dev.bigbang.mil
cypress_check_datasource: 'true'
resources:
requests:
cpu: 2
memory: 3Gi
limits:
cpu: 2
memory: 3Gi
istio:
hardened:
enabled: true
customServiceEntries:
- name: "allow-npm-for-cypress-tests"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-repo1-for-cypress"
enabled: true
spec:
hosts:
- 'repo1.dso.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-grafana-for-cypress"
enabled: true
spec:
hosts:
- 'prometheus.dev.bigbang.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
kyvernoPolicies:
enabled: false
values:
bbtests:
enabled: true
excludeContainers:
- not-me
- or-me
exclude:
any:
# Allows k3d load balancer to bypass policies.
- resources:
namespaces:
- istio-system
names:
- svclb-*
# Exclude gatekeeper test resources so Helm tests will work
- resources:
namespaces:
- default
names:
- bad-test*
- good-test*
# Parameters are copied from kyverno policies for test vectors
# Exclusions are for allowing other helm tests to function
policies:
clone-configs:
parameters:
clone:
- name: clone-configs-1
kind: ConfigMap
namespace: "{{ .Release.Namespace }}"
- name: clone-configs-2
kind: Secret
namespace: "{{ .Release.Namespace }}"
disallow-annotations:
parameters:
disallow:
- 'kyverno-policies-bbtest/test: disallowed'
- kyverno-policies-bbtest/disallowed
disallow-labels:
parameters:
disallow:
- 'kyverno-policies-bbtest/test: disallowed'
- kyverno-policies-bbtest/disallowed
disallow-tolerations:
parameters:
disallow:
- effect: NoSchedule
key: notallowed
value: 'false'
- effect: '*NoSchedule'
key: disa??owed
value: 'true'
require-annotations:
parameters:
require:
- 'kyverno-policies-bbtest/test: required'
- kyverno-policies-bbtest/required
require-image-signature:
enabled: false
# set to Audit for now -- having signature issues with registry1.dso.mil/ironbank/bitnami/redis:7.0.0-debian-10-r3
validationFailureAction: Audit
parameters:
require:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image:*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
# Skip Rekor Transparency log check
rekor:
ignoreTlog: true
url: ""
mutateDigest: false
verifyDigest: false
- imageReferences:
- "registry1.dso.mil/ironbank/*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----
# Skip Rekor Transparency log check
rekor:
ignoreTlog: true
url: ""
# Ironbank images are rebuilt nightly and tags are not immutable
mutateDigest: false
verifyDigest: false
require-labels:
parameters:
require:
- 'kyverno-policies-bbtest/test: required'
- kyverno-policies-bbtest/required
restrict-external-ips:
parameters:
allow:
- 192.168.0.1
restrict-external-names:
enabled: true
parameters:
allow:
- allowed
restrict-host-path-mount:
exclude:
any:
- resources:
namespaces:
- gitlab
- gitlab-runner
- kiali
- cluster-auditor
- mattermost
- nexus-repository-manager
- keycloak
- jaeger
- kyverno-reporter
- monitoring
- vault
- logging
- twistlock
- sonarqube
- logging
- tempo
- argocd
- minio
- minio-operator
- neuvector
- harbor
- fortify
- thanos
- holocron
names:
- "*-cypress-test*"
parameters:
allow:
- /tmp/allowed
restrict-host-path-mount-pv:
parameters:
allow:
- /tmp/allowed
- /var/lib/rancher/k3s/storage/pvc-*
restrict-host-path-write:
exclude:
any:
- resources:
namespaces:
- gitlab
- gitlab-runner
- kiali
- cluster-auditor
- mattermost
- nexus-repository-manager
- keycloak
- kyverno-reporter
- jaeger
- monitoring
- vault
- logging
- twistlock
- sonarqube
- logging
- tempo
- argocd
- minio
- minio-operator
- neuvector
- harbor
- fortify
- thanos
- holocron
names:
- "*-cypress-test*"
- resources:
namespaces:
- neuvector
names:
- "neuvector-enforcer-*"
- "neuvector-manager-*"
parameters:
allow:
- /tmp/allowed
restrict-host-ports:
parameters:
allow:
- '63999'
- '>= 64000 & < 65000'
- '> 65000'
restrict-image-registries:
exclude:
any:
# ArgoCD deploys a test app as part of its Cypress test
- resources:
namespaces:
- argocd
names:
- guestbook-ui-*
restrict-volume-types:
exclude:
any:
- resources:
namespaces:
- gitlab
- gitlab-runner
- kiali
- cluster-auditor
- mattermost
- nexus-repository-manager
- keycloak
- kyverno-reporter
- jaeger
- monitoring
- vault
- logging
- twistlock
- sonarqube
- logging
- tempo
- argocd
- minio
- minio-operator
- neuvector
- harbor
- fortify
- thanos
- holocron
names:
- "*-cypress-test*"
update-image-pull-policy:
parameters:
update:
- to: Always
update-image-registry:
parameters:
update:
- from: replace.image.registry
to: registry1.dso.mil
require-drop-all-capabilities:
exclude:
any:
# Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
# is only recommended for Dev/CI environments.
- resources:
namespaces:
- gitlab
names:
- gitlab-minio-*
require-non-root-group:
exclude:
any:
# Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
# is only recommended for Dev/CI environments.
- resources:
namespaces:
- gitlab
names:
- gitlab-minio-*
- resources:
namespaces:
- fortify
names:
- fortify-mysql-* # mysql breaks if you give it a different group
- resources:
namespaces:
- metallb-system
names:
- speaker-*
- controller-*
- resources:
namespaces:
- velero
names:
- velero-backup-restore-test*
require-non-root-user:
exclude:
any:
# Gitlab Minio sub-chart does not have configurable securityContext values from upstream. Minio installation
# is only recommended for Dev/CI environments.
- resources:
namespaces:
- gitlab
names:
- gitlab-minio-*
- resources:
namespaces:
- metallb-system
names:
- speaker-*
- resources:
namespaces:
- argocd
names:
- guestbook*
- resources:
namespaces:
- velero
names:
- velero-backup-restore-test*
- resources:
namespaces:
- twistlock
names:
- volume-upgrade-job*
disallow-namespaces:
parameters:
disallow:
- bigbang
elasticsearchKibana:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kibana
license:
trial: true
values:
istio:
hardened:
enabled: true
elasticsearch:
master:
count: 1
persistence:
size: 256Mi
resources:
requests:
cpu: .5
limits: {}
heap:
min: 1g
max: 1g
data:
count: 2
persistence:
size: 256Mi
resources:
requests:
cpu: .5
limits: {}
heap:
min: 1g
max: 1g
kibana:
count: 1
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_expect_logs: "true"
cypress_kibana_url: "https://kibana.dev.bigbang.mil"
fluentbit:
enabled: true
values:
securityContext:
privileged: true
bbtests:
enabled: true
loki:
enabled: true
strategy: scalable
values:
istio:
hardened:
enabled: true
customServiceEntries:
- name: "allow-npm-for-cypress-tests"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-repo1-for-cypress"
enabled: true
spec:
hosts:
- 'repo1.dso.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-grafana-for-cypress"
enabled: true
spec:
hosts:
- 'grafana.dev.bigbang.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
minio:
enabled: false
write:
replicas: 3
persistence:
size: 2Gi
resources:
limits:
cpu: 1
memory: 1G
requests:
cpu: 1
memory: 1G
backend:
replicas: 3
persistence:
size: 2Gi
resources:
limits:
cpu: 500m
memory: 1G
requests:
cpu: 500m
memory: 1G
read:
replicas: 3
persistence:
size: 2Gi
resources:
limits:
cpu: 400m
memory: 500Mi
requests:
cpu: 400m
memory: 500Mi
bbtests:
enabled: true
cypress:
envs:
cypress_check_datasource: 'true'
cypress_grafana_url: 'https://grafana.dev.bigbang.mil'
scripts:
envs:
LOKI_URL: 'http://logging-loki-write.logging.svc:3100'
tempo:
enabled: true
git:
tag: 1.7.1-bb.4
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_tempo
values:
istio:
tempoQuery:
hosts:
- "tempo.{{ .Values.domain }}"
tempo:
resources:
limits: null
requests:
cpu: 200m
memory: 128Mi
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: 'https://tempo.dev.bigbang.mil'
cypress_tempo_datasource: 'http://tempo-tempo.tempo.svc:3100'
cypress_check_datasource: 'true'
cypress_grafana_url: 'https://grafana.dev.bigbang.mil'
# uncomment following variables for sso keycloak testing in bb
#cypress_tnr_username: "cypress"
#cypress_tnr_password: "tnr_w!G33ZyAt@C8"
#cypress_keycloak_test_enable: "true"
scripts:
enabled: false
envs:
TEMPO_METRICS_URL: 'http://tempo-tempo.tempo.svc:3100'
persistence:
enabled: true
# storageClassName: local-path
accessModes:
- ReadWriteOnce
size: 5Gi
tempoQuery:
resources:
limits: null
requests:
cpu: 200m
memory: 128Mi
promtail:
enabled: true
values:
istio:
hardened:
enabled: true
monitoring:
values:
prometheus:
prometheusSpec:
additionalScrapeConfigs: []
podMetadata:
annotations:
vault.hashicorp.com/agent-inject: "false"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject-token: "true"
vault.hashicorp.com/role: "prometheus"
vault.hashicorp.com/agent-pre-populate: "false"
resources:
requests:
cpu: 300m
memory: 5Gi
limits: null
kube-state-metrics:
resources:
requests:
cpu: 100m
memory: 128Mi
limits: null
prometheus-node-exporter:
resources:
requests:
cpu: 200m
memory: 50Mi
limits: null
grafana:
downloadDashboards:
resources:
limits: null
requests:
cpu: 20m
memory: 20Mi
grafana:
enabled: true
git:
tag: 7.3.7-bb.0
sso:
enabled: false
grafana:
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_grafana
scopes: "openid Grafana"
values:
istio:
hardened:
enabled: true
customServiceEntries:
- name: "allow-npm-for-cypress-tests"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-repo1-for-cypress"
enabled: true
spec:
hosts:
- 'repo1.dso.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-grafana-for-cypress"
enabled: true
spec:
hosts:
- 'grafana.dev.bigbang.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
dashboards:
default:
k8s-deployment:
gnetId: 741
revision: 1
datasource: Prometheus
downloadDashboards:
resources:
limits:
cpu: 20m
memory: 20Mi
requests:
cpu: 20m
memory: 20Mi
dashboardProviders:
dashboardproviders.yaml:
apiVersion: 1
providers:
- name: 'default'
orgId: 1
folder: ''
type: file
disableDeletion: false
editable: true
options:
path: /var/lib/grafana/dashboards
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_grafana_url: 'https://grafana.dev.bigbang.mil'
# neuvector:
# enabled: true
# values:
# k3s:
# enabled: false
# istio:
# enabled: true
# hardened:
# enabled: true
# customServiceEntries:
# - name: "allow-npm-for-cypress-tests"
# enabled: true
# spec:
# hosts:
# - 'registry.npmjs.org'
# - 'download.cypress.io'
# - 'cdn.cypress.io'
# location: MESH_EXTERNAL
# ports:
# - number: 443
# protocol: TLS
# name: https
# resolution: DNS
# - name: "allow-repo1-for-cypress"
# enabled: true
# spec:
# hosts:
# - 'repo1.dso.mil'
# location: MESH_EXTERNAL
# ports:
# - number: 443
# protocol: TLS
# name: https
# resolution: DNS
# - name: "allow-neuvector-for-cypress"
# enabled: true
# spec:
# hosts:
# - 'neuvector.dev.bigbang.mil'
# location: MESH_EXTERNAL
# ports:
# - number: 443
# protocol: TLS
# name: https
# resolution: DNS
# bbtests:
# enabled: true
# cypress:
# artifacts: true
# envs:
# cypress_url: https://neuvector.dev.bigbang.mil
# resources:
# requests:
# cpu: "2"
# memory: "1500M"
# limits:
# cpu: "2"
# memory: "1500M"
neuvector:
enabled: true
values:
k3s:
enabled: false
crio:
enabled: true
path: /var/run/crio/crio.sock
istio:
enabled: true
hardened:
enabled: false
tempo:
enabled: false
console:
enabled: false
openshift: true
bbtests:
enabled: true
cypress:
artifacts: true
openshift: true
twistlock:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock-saml
values:
istio:
enabled: true
hardened:
enabled: true
customServiceEntries:
- name: "allow-npm-for-cypress-tests"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-repo1-for-cypress"
enabled: true
spec:
hosts:
- 'repo1.dso.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
- name: "allow-twistlock-for-cypress"
enabled: true
spec:
hosts:
- 'twistlock.dev.bigbang.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
console:
persistence:
size: 5Gi
localVolumeUpgrade: true
bbtests:
enabled: true
scripts:
envs:
twistlock_host: "https://twistlock.dev.bigbang.mil"
# Addons are toggled based on labels in CI
addons:
argocd:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
client_secret: anything-for-dev
groups: |
g, Impact Level 2 Authorized, role:admin
values:
sso:
rbac:
policy.default: role:admin
controller:
resources:
requests:
cpu: 500m
memory: 2Gi
limits: {}
dex:
resources:
requests:
cpu: 10m
memory: 128Mi
limits: {}
redis-bb:
master:
persistence:
size: 512Mi
replica:
replicaCount: 0
autoscaling:
enabled: false
persistence:
size: 512Mi
redis:
resources:
requests:
cpu: 50m
memory: 256Mi
limits: {}
server:
autoscaling:
enabled: false
resources:
requests:
cpu: 20m
memory: 128Mi
limits: {}
repoServer:
autoscaling:
enabled: false
resources:
requests:
cpu: 50m
memory: 128Mi
limits: {}
configs:
secret:
argocdServerAdminPassword: '$2a$10$rUDZDckdDZ2TEwk9PDs3QuqjkL58qR1IHE1Kj4MwDx.7/m5dytZJm'
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://argocd.dev.bigbang.mil"
resources:
requests:
cpu: 2
memory: 2Gi
istio:
sidecar:
resources:
cpu:
requests: 100m
limits: 2000m
memory:
requests: 512Mi
limits: 2048Mi
authservice:
enabled: true
chains:
minimal:
callback_uri: "https://minimal.dev.bigbang.mil"
values:
istio:
hardened:
enabled: true
resources:
requests:
cpu: 100m
memory: 100Mi
limits: {}
redis:
enabled: true
redis-bb:
master:
persistence:
size: 256Mi
replica:
replicaCount: 0
autoscaling:
enabled: false
persistence:
size: 256Mi
fortify:
enabled: true
flux:
timeout: 15m
ingress:
gateway: ""
sso:
enabled: false
values:
storage:
volume: 5Gi
jvmMaxRAMPercentage: 85
resources:
limits:
cpu: 2
memory: 8Gi
requests:
cpu: 1
memory: 1Gi
databaseSecret:
useRoot: true
initContainer:
resources:
limits:
cpu: 1
memory: 500Mi
requests:
cpu: 250m
memory: 64Mi
trust_store_password: dsoppassword
key_store_password: dsoppassword
key_store_cert_password : dsoppassword
fortify_autoconfig: |
appProperties:
host.validation: false
datasourceProperties:
db.username: root
db.password: password
jdbc.url: 'jdbc:mysql://fortify-mysql:3306/ssc_db?sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true'
dbMigrationProperties:
migration.enabled: true
migration.username: root
migration.password: password
fortify_license: |
<License>
mysql:
primary:
resources:
limits:
cpu: 2
memory: 2Gi
requests:
cpu: 100m
memory: 500Mi
secondary:
resources:
limits:
cpu: 100m
memory: 500Mi
requests:
cpu: 100m
memory: 500Mi
metrics:
resources:
limits:
cpu: 100m
memory: 500Mi
requests:
cpu: 100m
memory: 256Mi
bbtests:
enabled: true
cypress: # note `cypress:*`` is different than in the fortify chart test-values.yaml
envs:
cypress_url: "https://fortify.dev.bigbang.mil"
haproxy:
enabled: true
values:
istio:
hardened:
enabled: true
gitlab:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_gitlab
flux:
timeout: 30m
values:
global:
rails:
bootstrap:
enabled: false
gitlab-runner:
resources:
requests:
cpu: 20m
limits: {}
gitlab:
webservice:
minReplicas: 1
maxReplicas: 1
helmTests:
enabled: false
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "5432,6379"
sidekiq:
minReplicas: 1
maxReplicas: 1
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "5432,6379"
gitlab-shell:
minReplicas: 1
maxReplicas: 1
gitaly:
persistence:
size: 256Mi
resources:
## values raised to help pass CI after default values for gitaly are fixed then can revert to original request.
#requests:
# cpu: 50m
#limits: {}
requests:
cpu: 400m
memory: 600Mi
limits:
cpu: 400m
memory: 600Mi
shared-secrets:
resources:
requests:
cpu: 10m
limits: {}
migrations:
resources:
requests:
cpu: 10m
limits: {}
toolbox:
persistence:
size: 256Mi
resources:
requests:
cpu: 10m
limits: {}
registry:
hpa:
minReplicas: 1
maxReplicas: 1
postgresql:
persistence:
size: 256Mi
metrics:
resources:
requests:
cpu: 10m
limits: {}
minio:
persistence:
size: 256Mi
resources:
requests:
cpu: 50m
limits: {}
redis:
master:
persistence:
size: 256Mi
slave:
persistence:
size: 256Mi
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: https://gitlab.dev.bigbang.mil
scripts:
envs:
GITLAB_REPOSITORY: https://gitlab.dev.bigbang.mil
GITLAB_ORIGIN: https://testuser:Password123h56a78@gitlab.dev.bigbang.mil
GITLAB_REGISTRY: registry.dev.bigbang.mil
gitlabRunner:
enabled: false
values:
resources:
requests:
memory: 128Mi
cpu: 100m
limits: null
runners:
protected: false
autoRegister:
enabled: true
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: "https://gitlab.dev.bigbang.mil"
cypress_gitlab_first_name: "testrunner"
cypress_gitlab_last_name: "userrunner"
cypress_gitlab_email: "gitlab@dev.bigbang.mil"
cypress_gitlab_username: "gitlabrunner_user"
cypress_gitlab_password: "Runner_PaSsw0rd123"
cypress_gitlab_project: "runner-hello-world"
secretEnvs:
- name: cypress_adminpassword
valueFrom:
secretKeyRef:
name: gitlab-gitlab-initial-root-password
key: password
anchore:
enabled: false
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_anchore
enterprise:
enabled: false
licenseYaml: |
"TBD"
values:
ensureDbJobs:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
sso:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
postgresql:
persistence:
size: 256Mi
resources:
requests:
cpu: 200m
memory: 1024Mi
limits: {}
metrics:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreAnalyzer:
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreApi:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreCatalog:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchorePolicyEngine:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreSimpleQueue:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEngineUpgradeJob:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchore-feeds-db:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
metrics:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEnterpriseFeeds:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEnterpriseFeedsUpgradeJob:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEnterpriseRbac:
authResources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
managerResources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEnterpriseReports:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEnterpriseNotifications:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEntperpiseUi:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
anchoreEnterpriseEngineUpgradeJob:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
ui-redis:
enabled: true
replica:
replicaCount: 0
autoscaling:
enabled: false
bbtests:
enabled: true
scripts:
envs:
ANCHORE_CLI_URL: "https://anchore-api.dev.bigbang.mil/v1"
sonarqube:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_saml-sonarqube
login: login
name: name
email: email
values:
plugins:
install: []
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
persistence:
enabled: false
size: 5Gi
postgresql:
persistence:
size: 256Mi
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
tests:
enabled: false
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://sonarqube.dev.bigbang.mil"
cypress_url_setup: "https://sonarqube.dev.bigbang.mil/setup"
account:
adminPassword: new_admin_password
currentAdminPassword: admin
curlContainerImage: registry1.dso.mil/ironbank/big-bang/base:2.0.0
minioOperator:
enabled: true # Minio Operator is required for Loki in default core
values:
console:
enabled: true
bbtests:
enabled: true
istio:
enabled: true
openshift: true
minio:
enabled: true
values:
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "443"
tenant:
pools:
- servers: 3
volumesPerServer: 4
size: 256Mi
resources:
requests:
cpu: 250m
memory: 2Gi
limits:
cpu: 250m
memory: 2Gi
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
istio:
enabled: true
openshift: true
bbtests:
# There have been intermittent failures of the tests in the past. The issue is tracked in the below issue.
# https://repo1.dso.mil/big-bang/product/packages/minio/-/issues/7
# This issue can be reopened if problems reappear.
enabled: true
cypress:
envs:
cypress_url: 'https://minio.dev.bigbang.mil/login'
scripts:
envs:
MINIO_PORT: ''
MINIO_HOST: 'https://minio-api.dev.bigbang.mil'
istio:
enabled: true
hardened:
enabled: true
mattermostOperator:
enabled: true
values:
istio:
hardened:
enabled: true
mattermost:
enabled: true
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_mattermost
client_secret: "no-secret"
elasticsearch:
enabled: true
values:
enterprise:
enabled: true
monitoring:
enabled: true
istio:
hardened:
enabled: true
customAuthorizationPolicies:
- name: "test-for-allowing-monitoring"
enabled: true
spec:
action: ALLOW
rules:
- from:
- source:
namespaces:
- monitoring
postgresql:
persistence:
size: 256Mi
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
limits: {}
minio:
tenant:
pools:
- servers: 1
name: pool-0
volumesPerServer: 4
size: 256Mi
resources:
requests:
cpu: 250m
memory: 2Gi
limits:
cpu: 250m
memory: 2Gi
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
capabilities:
drop:
- ALL
bbtests:
enabled: true
cypress:
envs:
cypress_url: https://chat.dev.bigbang.mil
nexusRepositoryManager:
enabled: true
# Nexus requires manual configuration in Keycloak client and cannot be tested with
# you must test with your own dev deployment. Example: keycloak.dev.bigbang.mil
# See more info in Nexus Package docs /docs/keycloak.md
# Nexus SSO is behind a paywall. You must have a valid license to enable SSO
# -- Base64 encoded license file.
# cat ~/Downloads/sonatype-license-YYYY-MM-ddTnnnnnnZ.lic | base64 -w 0 ; echo
#license_key: "enter-single-line-base64-encoded-string-here"
sso:
# -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599
enabled: false
idp_data:
entityId: "https://nexus.dev.bigbang.mil/service/rest/v1/security/saml/metadata"
# -- IdP Field Mappings
# -- NXRM username attribute
username: "username"
firstName: "firstName"
lastName: "lastName"
email: "email"
groups: "groups"
role:
# id is the name of the Keycloak group (case sensitive)
- id: "Nexus"
name: "Keycloak Nexus Group"
description: "unprivilaged users"
privileges: []
roles: []
- id: "Nexus-Admin"
name: "Keycloak Nexus Admin Group"
description: "keycloak users as admins"
privileges:
- "nx-all"
roles:
- "nx-admin"
# NexusNotes: |
# Login to Nexus Admin UI and then get the x509 certificate from this path
# https://nexus.dev.bigbang.mil/service/rest/v1/security/saml/metadata
# copy and paste the nexus single line certificate into a text file and save it
# vi nexus-x509.txt
# -----BEGIN CERTIFICATE-----
# put-single-line-nexus-x509-certificate-here
# -----END CERTIFICATE-----
# make a valid pem file with proper wrapping at 64 characters per line
# fold -w 64 nexus-x509.txt > nexus.pem
# In Keycloak go to the nexus client and on the Keys tab import the nexus.pem file in two places
values:
persistence:
# Do NOT set this below 5Gi, nexus will fail to boot
storageSize: 5Gi
nexus:
# https://help.sonatype.com/repomanager3/installation/system-requirements#SystemRequirements-JVMDirectMemory
env:
- name: INSTALL4J_ADD_VM_PARAMS
value: "-Dcom.redhat.fips=false -Xms1024M -Xmx1024M -XX:MaxDirectMemorySize=1024M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Djava.util.prefs.userRoot=/nexus-data/javaprefs"
- name: NEXUS_SECURITY_RANDOMPASSWORD
value: "true"
resources:
requests:
cpu: 100m
memory: 1500Mi
docker:
enabled: true
registries:
- host: containers.dev.bigbang.mil
port: 5000
repository:
enabled: true
repo:
- name: "containers"
format: "docker"
type: "hosted"
repo_data:
name: "containers"
online: true
storage:
blobStoreName: "default"
strictContentTypeValidation: true
writePolicy: "allow_once"
cleanup:
policyNames:
- "string"
component:
proprietaryComponents: true
docker:
v1Enabled: false
forceBasicAuth: true
httpPort: 5000
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_nexus_url: "https://nexus.dev.bigbang.mil"
scripts:
envs:
docker_host: "containers.dev.bigbang.mil"
velero:
enabled: false
plugins:
- aws
values:
serviceAccount:
server:
name: velero
configuration:
backupStorageLocation:
- bucket: velero
provider: aws
default: true
config:
region: velero
s3ForcePathStyle: "true"
s3Url: https://minio-api.dev.bigbang.mil
volumeSnapshotLocation:
- name: default
provider: aws
config:
region: velero
credentials:
useSecret: true
secretContents:
cloud: |
[default]
aws_access_key_id = minio
aws_secret_access_key = minio123
cleanUpCRDs: true
bbtests:
enabled: true
scripts:
envs:
MINIO_HOST: https://minio-api.dev.bigbang.mil
keycloak:
enabled: false
ingress:
gateway: "passthrough"
key: "" # Gets added via chart/ingress-certs.yaml
cert: "" # Gets added via chart/ingress-certs.yaml
values:
replicas: 1
resources:
requests:
cpu: 250m
memory: 250Mi
limits: {}
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://keycloak.dev.bigbang.mil"
command:
- "/opt/keycloak/bin/kc.sh"
args:
- "start"
- "--import-realm"
extraEnv: |-
- name: KC_HTTPS_CERTIFICATE_FILE
value: /opt/keycloak/conf/tls.crt
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /opt/keycloak/conf/tls.key
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_HTTPS_CLIENT_AUTH
value: request
- name: KC_PROXY
value: passthrough
- name: KC_HTTPS_TRUST_STORE_FILE
value: /opt/keycloak/conf/truststore.jks
- name: KC_HTTPS_TRUST_STORE_PASSWORD
value: password
- name: KC_HOSTNAME
value: keycloak.dev.bigbang.mil
- name: KC_HOSTNAME_STRICT
value: "true"
- name: KC_HOSTNAME_STRICT_HTTPS
value: "true"
- name: KC_LOG_LEVEL
value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
- name: KC_CACHE
value: ispn
- name: KC_CACHE_STACK
value: kubernetes
secrets:
env:
stringData:
CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
customreg:
stringData:
customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
realm:
stringData:
realm.json: '{{ .Files.Get "resources/dev/baby-yoda-bb-ci.json" }}'
truststore:
data:
truststore.jks: |-
{{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
quarkusproperties:
stringData:
quarkus.properties: '{{ .Files.Get "resources/dev/quarkus.properties" }}'
extraInitContainers: |-
- name: plugin
image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:3.3.0
imagePullPolicy: Always
command:
- sh
- -c
- |
cp /app/p1-keycloak-plugin.jar /init
ls -l /init
volumeMounts:
- name: plugin
mountPath: "/init"
extraVolumes: |-
- name: customreg
secret:
secretName: {{ include "keycloak.fullname" . }}-customreg
- name: realm
secret:
secretName: {{ include "keycloak.fullname" . }}-realm
- name: plugin
emptyDir: {}
- name: truststore
secret:
secretName: {{ include "keycloak.fullname" . }}-truststore
- name: quarkusproperties
secret:
secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
defaultMode: 0777
extraVolumeMounts: |-
- name: customreg
mountPath: /opt/keycloak/conf/customreg.yaml
subPath: customreg.yaml
readOnly: true
- name: realm
mountPath: /opt/keycloak/data/import/realm.json
subPath: realm.json
- name: plugin
mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
subPath: p1-keycloak-plugin.jar
- name: truststore
mountPath: /opt/keycloak/conf/truststore.jks
subPath: truststore.jks
- name: quarkusproperties
mountPath: /opt/keycloak/conf/quarkus.properties
subPath: quarkus.properties
vault:
enabled: false
ingress:
gateway: "passthrough"
key: "" # Gets added via chart/ingress-certs.yaml
cert: "" # Gets added via chart/ingress-certs.yaml
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_vault
values:
minio:
enabled: false
disableSSL: true
endpoint: minio
accessKey: "minio"
secretKey: "minio123"
bucketName: vault-data
autoInit:
enabled: true
global:
tlsDisable: false
injector:
affinity: |
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: webhook
topologyKey: kubernetes.io/hostname
server:
extraEnvironmentVars:
VAULT_SKIP_VERIFY: "true"
VAULT_LOG_FORMAT: "json"
dataStorage:
enabled: true
size: 256Mi
auditStorage:
size: 256Mi
ha:
enabled: true
replicas: 1
apiAddr: "https://vault.dev.bigbang.mil"
raft:
enabled: true
config: |
ui = true
listener "tcp" {
tls_disable = false
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/tls/tls.crt"
tls_key_file = "/vault/tls/tls.key"
telemetry {
unauthenticated_metrics_access = true
}
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "https://vault-vault-0.vault-vault-internal:8200"
leader_client_cert_file = "/vault/tls/tls.crt"
leader_client_key_file = "/vault/tls/tls.key"
leader_tls_servername = "vault.dev.bigbang.mil"
}
}
seal "awskms" {
region = "us-gov-west-1"
kms_key_id = "mrk-ff723da024254ea2b7f490c68fbc9b9b"
endpoint = "https://kms.us-gov-west-1.amazonaws.com"
}
telemetry {
prometheus_retention_time = "24h"
disable_hostname = true
}
service_registration "kubernetes" {}
istio:
hardened:
enabled: true
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_vault_url: "https://vault.dev.bigbang.mil"
metricsServer:
enabled: false
values:
istio:
hardened:
enabled: true
replicas: 1
bbtests:
enabled: true
# ----------------------------------------------------------------------------------------------------------------------
# Harbor
#
harbor:
# -- Toggle deployment of harbor
enabled: true
# -- Values to pass through to Habor chart: https://repo1.dso.mil/big-bang/product/packages/harbor.git
values:
expose:
type: clusterIP
tls:
enabled: false
internalTLS:
enabled: false
externalURL: https://harbor.dev.bigbang.mil
nginx:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
portal:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
core:
secretName: "ci-only"
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
jobservice:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
registry:
registry:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
controller:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
chartmuseum:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
trivy:
resources:
requests:
cpu: 80m
memory: 200Mi
limits:
cpu: 80m
memory: 200Mi
notary:
server:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
signer:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
database:
type: external
internal:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
initContainer:
migrator: {}
permissions: {}
resources:
requests:
memory: 100Mi
cpu: 80m
limits:
cpu: 80m
memory: 100Mi
postgresql:
resources:
requests:
cpu: "200m"
memory: "200Mi"
limits:
cpu: "200m"
memory: "200Mi"
redis:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
memory: 200Mi
cpu: 80m
exporter:
resources:
requests:
memory: 200Mi
cpu: 80m
limits:
cpu: 80m
memory: 200Mi
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: "https://harbor.dev.bigbang.mil"
scripts:
image: "registry1.dso.mil/bigbang-ci/gitlab-tester:0.0.4"
envs:
HARBOR_REGISTRY: "harbor.dev.bigbang.mil"
# ----------------------------------------------------------------------------------------------------------------------
# Thanos
#
thanos:
# -- Toggle deployment of thanos
enabled: false
values:
istio:
hardened:
enabled: true
minio:
enabled: true
tenant:
pools:
- servers: 1
volumesPerServer: 4
size: 256Mi
resources:
requests:
cpu: 250m
memory: 2Gi
limits:
cpu: 250m
memory: 2Gi
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
runAsNonRoot: true
containerSecurityContext:
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
storegateway:
enabled: true
bbtests:
enabled: true
cypress:
artifacts: true
envs:
cypress_url: "https://thanos.dev.bigbang.mil"
cypress_prometheus_integration_enabled: "true"
cypress_objstorage_integration_enabled: "true"
scripts:
image: "registry1.dso.mil/bigbang-ci/gitlab-tester:0.0.4"
envs:
THANOS_REGISTRY: "thanos.dev.bigbang.mil"
objstoreConfig: |-
type: s3
config:
bucket: "thanos"
endpoint: minio.thanos.svc.cluster.local:80
access_key: "minio"
secret_key: "minio123"
insecure: true
trace:
enable: true
# ----------------------------------------------------------------------------------------------------------------------
# Holocron
#
holocron:
# -- Toggle deployment of holocron
enabled: false
values:
istio:
hardened:
enabled: true
bbtests:
enabled: true
cypress:
artifacts: true
resources:
requests:
cpu: "2"
memory: "2G"
limits:
cpu: "2"
memory: "2G"