UNCLASSIFIED - NO CUI


Fixing Flux Logic

Jeffrey Victor requested to merge Flux-Fix-All-HR into master

Package Merge Request

Package Changes

Changing the logic behind flux so it only changes the flux values for the specified package, i.e. .values.tempo.flux.timeout will only change the timeout for flux and not the timeout for ALL packages.

This is what occurred when starting out: the value of 5m would be specified in .values.packages.crossplane.flux.timeout, but it would affect any package that did not have a timeout specified. This was not intended behavior.

After the changes, I set the values.packages.crossplane.flux.timeout to 25m and it only affected crossplane and not the other packages.

K3d override values used. Tested it with both, making sure 2 .values.packages.$pkg.flux.x did not interfere with each other, as well as setting flux settings for twistlock to use serviceAccountName: Junge2 and Kiali to use serviceAccountName: Junge and timeout: 20m.

# comments: |
#   This example values override file is provided FOR DEVELOPMENT/DEMO/TEST PURPOSES ONLY

domain: bigbang.dev

sso:
  # -- Name of the identity provider.  This is used by some packages as the SSO login label.
  name: SSO
  # -- Base URL for the identity provider. For OIDC, this is the issuer.  For SAML this is the entityID.
  url: https://keycloak.bigbang.dev/auth/realms/baby-yoda

flux:
  interval: 1m
  rollback:
    cleanupOnFail: false

## to enable pass through gateway
istio:
  enabled: true
  ingressGateways:
    passthrough-ingressgateway:
      type: "LoadBalancer"
  gateways:
    passthrough:
      ingressGateway: "passthrough-ingressgateway"
      hosts:
      - "*.{{ .Values.domain }}"
      tls:
        mode: "PASSTHROUGH"

promtail:
  enabled: false
kyverno:
  # -- Toggle deployment of Kyverno.
  enabled: false
networkPolicies:
  enabled: true
  controlPlaneCidr: 172.16.0.0/12


kyvernoPolicies:
  # -- Toggle deployment of Kyverno policies
  enabled: false

kyvernoReporter:
  # -- Toggle deployment of Kyverno Reporter
  enabled: false

clusterAuditor:
  # -- Toggle deployment of Cluster Auditor.
  enabled: false
  git:
    tag: ""
    branch: "84-refactor-cluster-auditor-to-gluon-0-4-7"
  values:
    networkpolicies:
      enabled: true
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          ##cypress_grafana_url: http://grafana.monitoring.svc.cluster.local
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_url: 'https://grafana.bigbang.dev/d/YBgRZG6Mz/opa-violations?orgId=1'

          cypress_table_bar_allownodata: '1'
          # violations over time graph
          cypress_graph_allownodata: '2'
          cypress_reporter_ns: cluster-auditor


gatekeeper:
  enabled: false


loki:
  enabled: true
  values:
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_check_datasource: 'true'
          cypress_grafana_url: 'http://grafana.bigbang.dev'
      scripts:
        envs:
          LOKI_URL: 'http://logging-loki-write.logging.svc:3100'


monitoring:
  enabled: true
  values:
    bbtests:
      enabled: true

twistlock:
  enabled: true
  flux:
    serviceAccountName: Junge2
  sso:
    enabled: false
    client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock"
  values:
    bbtests:
      enabled: true
    imagePullSecrets:
      - name: private-registry
    console:
      license: "<LICENSE_REDACTED>"
      credentials:
        password: "admin"
      additionalUsers:
        - username: foo
          authType: basic
          password: bar
          role: admin
    defender:
      enabled: true
      dockerSocket: "/run/k3s/containerd/containerd.sock"
      selinux: false


istioOperator:
  enabled: true

jaeger:
  enabled: false

kiali:
  enabled: true
  flux:
    timeout: 20m
    serviceAccountName: Junge



fluentbit:
  enabled: false

neuvector:
  enabled: false

tempo:
  enabled: true
  values:
    networkPolicies:
      additionalPolicies:
      - name: egress-test-job
        spec:
          podSelector: {}
          policyTypes:
          - Egress
          egress:
          - to:
            - ipBlock:
                cidr: 172.20.0.0/12

elasticsearchKibana:
  enabled: false
grafana:
  enabled: true
  values:
    bbtests:
      enabled: true
addons:
  sonarqube:
    enabled: false
  argocd:
    enabled: false
  gitlab:
    enabled: false
  minioOperator:
    enabled: false
#    sourceType: "git"
#    git:
#      repo: https://repo1.dso.mil/big-bang/product/packages/minio-operator.git
#      path: "./chart"
#      tag: null
#      branch: "renovate/ironbank"
  minio:
    enabled: false
  metricsServer:
    enabled: false
  keycloak:
    enabled: false
    values:
      replicas: 1
      resources:
        requests:
          cpu: 250m
          memory: 250Mi
        limits: {}
      bbtests:
        enabled: true
        cypress:
          envs:
            cypress_url: "https://keycloak.bigbang.dev"
      command:
        - "/opt/keycloak/bin/kc.sh"
      args:
        - "start"
        - "--import-realm"
      extraEnv: |-
        - name: KC_HTTPS_CERTIFICATE_FILE
          value: /opt/keycloak/conf/tls.crt
        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
          value: /opt/keycloak/conf/tls.key
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HTTP_RELATIVE_PATH
          value: /auth
        - name: KC_HTTPS_CLIENT_AUTH
          value: request
        - name: KC_PROXY
          value: passthrough
        - name: KC_HTTPS_TRUST_STORE_FILE
          value: /opt/keycloak/conf/truststore.jks
        - name: KC_HTTPS_TRUST_STORE_PASSWORD
          value: password
        - name: KC_HOSTNAME
          value: keycloak.bigbang.dev
        - name: KC_HOSTNAME_STRICT
          value: "true"
        - name: KC_HOSTNAME_STRICT_HTTPS
          value: "true"
        - name: KC_LOG_LEVEL
          value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
        - name: KC_CACHE
          value: ispn
        - name: KC_CACHE_STACK
          value: kubernetes
      secrets:
        env:
          stringData:
            CUSTOM_REGISTRATION_CONFIG: /opt/keycloak/conf/customreg.yaml
        customreg:
          stringData:
            customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
        realm:
          stringData:
            realm.json: '{{ .Files.Get "resources/dev/baby-yoda-bb-ci.json" }}'
        truststore:
          data:
            truststore.jks: |-
              {{ .Files.Get "resources/dev/truststore.jks" | b64enc }}
        quarkusproperties:
          stringData:
            quarkus.properties: '{{ .Files.Get "resources/dev/quarkus.properties" }}'
      extraInitContainers: |-
        - name: plugin
          image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:3.2.0
          imagePullPolicy: Always
          command:
          - sh
          - -c
          - |
            cp /app/p1-keycloak-plugin.jar /init
            ls -l /init
          volumeMounts:
          - name: plugin
            mountPath: "/init"
      extraVolumes: |-
        - name: customreg
          secret:
            secretName: {{ include "keycloak.fullname" . }}-customreg
        - name: realm
          secret:
            secretName: {{ include "keycloak.fullname" . }}-realm
        - name: plugin
          emptyDir: {}
        - name: truststore
          secret:
            secretName: {{ include "keycloak.fullname" . }}-truststore
        - name: quarkusproperties
          secret:
            secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
            defaultMode: 0777
      extraVolumeMounts: |-
        - name: customreg
          mountPath: /opt/keycloak/conf/customreg.yaml
          subPath: customreg.yaml
          readOnly: true
        - name: realm
          mountPath: /opt/keycloak/data/import/realm.json
          subPath: realm.json
        - name: plugin
          mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
          subPath: p1-keycloak-plugin.jar
        - name: truststore
          mountPath: /opt/keycloak/conf/truststore.jks
          subPath: truststore.jks
        - name: quarkusproperties
          mountPath: /opt/keycloak/conf/quarkus.properties
          subPath: quarkus.properties


# -- Wrapper chart for integrating Big Bang components alongside a package
wrapper:
  # -- Choose source type of "git" or "helmRepo"
  sourceType: "git"

  helmRepo:
    # -- Repository holding OCI chart, corresponding to `helmRepositories` name
    repoName: "registry1"
    # -- Name of the OCI chart in `repo`
    chartName: wrapper
    # -- Tag of the OCI chart in `repo`
    tag: "0.4.7"
  git:
    # -- Git repo holding the wrapper helm chart, example: https://repo1.dso.mil/big-bang/product/packages/wrapper
    repo: "https://repo1.dso.mil/big-bang/product/packages/wrapper.git"
    # -- Path inside of the git repo to find the helm chart, example: chart
    path: "chart"
    # -- Git tag to check out.  Takes precedence over branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference), example: 0.0.2
    tag: "0.4.7"

# -- Packages to deploy with Big Bang
# @default - '{}'
packages:
  crossplane:
    enabled: true
    wrapper:
      enabled: true
    #flux: {}
    flux:
      timeout: 15m
      serviceAccountName: Junge5
    namespace:
      name: crossplane-system
#    helmRepo:
#      repoName: registry1
#      chartName: crossplane
#      tag: 1.12.0-bb.0
    git:
      repo: "https://repo1.dso.mil/big-bang/product/community/crossplane.git"
      tag: "1.12.2-bb.0"
      path: "./chart"
    values:
      resourcesCrossplane:
        limits:
          # -- CPU resource limits for Crossplane.
          cpu: 1
          # -- Memory resource limits for Crossplane.
          memory: 1Gi
        requests:
          # -- CPU resource requests for Crossplane.
          cpu: 100m
          # -- Memory resource requests for Crossplane.
          memory: 256Mi
      provider:
        packages:
        - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-iam:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-ec2:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-eks:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-family-aws:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-kubernetes:v0.9.0

  crossplane2:
    enabled: true
    wrapper:
      enabled: true
    #flux: {}
    flux:
      timeout: 40m
      serviceAccountName: Junge10
    namespace:
      name: crossplane-system
#    helmRepo:
#      repoName: registry1
#      chartName: crossplane
#      tag: 1.12.0-bb.0
    git:
      repo: "https://repo1.dso.mil/big-bang/product/community/crossplane.git"
      tag: "1.12.2-bb.0"
      path: "./chart"
    values:
      resourcesCrossplane:
        limits:
          # -- CPU resource limits for Crossplane.
          cpu: 1
          # -- Memory resource limits for Crossplane.
          memory: 1Gi
        requests:
          # -- CPU resource requests for Crossplane.
          cpu: 100m
          # -- Memory resource requests for Crossplane.
          memory: 256Mi
      provider:
        packages:
        - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-iam:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-ec2:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-aws-eks:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-family-aws:v0.37.0
        - registry1.dso.mil/bigbang-ci/crossplane/provider-kubernetes:v0.9.0

Package MR

(Link to Package MR here)

For Issue

Closes big-bang/product/packages/wrapper#31

Upgrade Notices

This will fundamentally change how people may have used Flux in the past. As it currently stands, if as much as 1 package deviates from the defaults of flux, it propagates that change to ALL packages. This was a bug, not a feature, but people may have adapted to the buggy approach. There is potential for issues in consumers' environments due to this.

Edited by Jeffrey Victor
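The propagation bug this MR describes, modelled in Python as an added example (this is not the Big Bang chart's own template code). `deep_merge_in_place` stands in for any merge that mutates its destination object; the global `timeout` default of `10m` is a constructed assumption (the override file above sets only `interval` and `rollback.cleanupOnFail`); the package names and per-package `flux` values mirror the override file. `find_leaks` is the regression check a reviewer would run over the rendered output: a package may only carry settings that come from its own `flux` block or from the global defaults. The check matters beyond timeouts because `serviceAccountName` is the identity Flux reconciles the HelmRelease with, so a leaked value means every package runs under one package's service account.

```python
"""Per-package Flux settings resolution: the leaking merge and the scoped one.

Added example, not code from the Big Bang chart. Inputs are constructed.
"""
import copy

# Constructed global defaults in the shape of the .Values.flux block.
# 'timeout: 10m' is an assumption for illustration only.
GLOBAL_FLUX = {
    "interval": "1m",
    "timeout": "10m",
    "rollback": {"cleanupOnFail": False},
}

# Constructed per-package overrides mirroring the override file on this page.
# Packages with no 'flux' block must end up with the untouched global defaults.
PACKAGES = {
    "twistlock": {"flux": {"serviceAccountName": "Junge2"}},
    "kiali": {"flux": {"timeout": "20m", "serviceAccountName": "Junge"}},
    "crossplane": {"flux": {"timeout": "15m", "serviceAccountName": "Junge5"}},
    "crossplane2": {"flux": {"timeout": "40m", "serviceAccountName": "Junge10"}},
    "tempo": {},
    "istioOperator": {},
}


def deep_merge_in_place(dst, src):
    """Merge src into dst, giving src precedence and MUTATING dst."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            deep_merge_in_place(dst[key], value)
        else:
            dst[key] = value
    return dst


def resolve_flux_buggy(shared_defaults, packages):
    """Model of the pre-fix behaviour: one shared defaults object is merged
    into for every package, so each override is written into the object the
    later packages (and every package without its own flux block) read from."""
    resolved = {}
    for name, pkg in packages.items():
        deep_merge_in_place(shared_defaults, pkg.get("flux", {}))
        resolved[name] = dict(shared_defaults)  # snapshot at render time
    return resolved


def resolve_flux_fixed(global_flux, packages):
    """Scoped behaviour: merge each package's overrides into a fresh copy
    of the defaults, so nothing written for one package is visible to another."""
    resolved = {}
    for name, pkg in packages.items():
        per_pkg = copy.deepcopy(global_flux)
        resolved[name] = deep_merge_in_place(per_pkg, pkg.get("flux", {}))
    return resolved


def find_leaks(resolved, global_flux, packages):
    """Return packages whose resolved flux block carries a setting that came
    neither from the global defaults nor from that package's own override."""
    leaking = []
    for name, pkg in packages.items():
        own = pkg.get("flux", {})
        for key, value in resolved[name].items():
            if key in own:
                continue  # the package set this itself
            if key not in global_flux or global_flux[key] != value:
                leaking.append(name)
                break
    return leaking


def resolve_both():
    """Run both resolvers on the constructed inputs; returns (buggy, fixed)."""
    buggy = resolve_flux_buggy(copy.deepcopy(GLOBAL_FLUX), PACKAGES)
    fixed = resolve_flux_fixed(GLOBAL_FLUX, PACKAGES)
    return buggy, fixed


if __name__ == "__main__":
    before, after = resolve_both()
    print("tempo before fix:", before["tempo"])
    print("tempo after fix: ", after["tempo"])
    print("leaking before fix:", find_leaks(before, GLOBAL_FLUX, PACKAGES))
    print("leaking after fix: ", find_leaks(after, GLOBAL_FLUX, PACKAGES))
```

In the buggy model, tempo and istioOperator, which set nothing, come out with `timeout: 40m` and `serviceAccountName: Junge10` inherited from crossplane2; with per-package copies they keep the global defaults and `find_leaks` returns an empty list, which is the property the k3d test described above exercised with two packages' `.flux` blocks at once.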
