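# Values overlay for the Big Bang test deployment: every package points at a
# *.bigbang.dev hostname and carries a `bbtests` block, and the addons section
# notes that packages are toggled by CI labels. The fixed credentials, relaxed
# TLS/auth settings and policy exclusions below are sized for that disposable
# test cluster; each one is called out where it appears.
hostname: bigbang.dev

flux:
  interval: 1m
  rollback:
    cleanupOnFail: false

networkPolicies:
  controlPlaneCidr: 172.16.0.0/12

logging:
  enabled: true
  values:
    elasticsearch:
      master:
        count: 1
        persistence:
          size: 256Mi
        resources:
          requests:
            # 500m is the same quantity as the float 0.5 the file used before;
            # written in millicores to match every other cpu request here.
            cpu: 500m
          limits: {}
        heap:
          min: 1g
          max: 1g
      data:
        count: 2
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 500m
          limits: {}
        heap:
          min: 1g
          max: 1g
    kibana:
      count: 1
    bbtests:
      # TODO: Connection refused on the script test currently
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/issues/39
      enabled: false
      cypress:
        artifacts: true
        envs:
          cypress_kibana_url: "https://kibana.bigbang.dev"
        # The elastic password is read from the logging-ek-es-elastic-user
        # secret at runtime rather than written into this file.
        secretEnvs:
          - name: cypress_elastic_password
            valueFrom:
              secretKeyRef:
                name: "logging-ek-es-elastic-user"
                key: elastic
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          elasticsearch_host: "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc.cluster.local:9200"
          desired_version: "{{ .Values.elasticsearch.version }}"
        secretEnvs:
          - name: ELASTIC_PASSWORD
            valueFrom:
              secretKeyRef:
                name: "logging-ek-es-elastic-user"
                key: elastic

fluentbit:
  values:
    # NOTE(review): a privileged container is a test-cluster setting; confirm
    # it is not inherited by any non-test overlay that layers on this file.
    securityContext:
      privileged: true
    bbtests:
      # TODO: Connection refused on the test currently
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit/-/issues/18
      scripts:
        # Image commented out to disable the test since the BB Test Lib version being used doesn't have the enabled flag
        # image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          fluent_host: "http://{{ include \"fluent-bit.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}"
          desired_version: "{{ .Values.image.tag }}"

istio:
  enabled: true
  values:
    kiali:
      dashboard:
        auth:
          # Anonymous dashboard access: test cluster only.
          strategy: "anonymous"

jaeger:
  enabled: true
  values:
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: "https://tracing.bigbang.dev"

kiali:
  enabled: true
  values:
    cr:
      spec:
        auth:
          # Anonymous Kiali login so the cypress test needs no credentials;
          # test cluster only.
          strategy: "anonymous"
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: "https://kiali.bigbang.dev"

clusterAuditor:
  enabled: true
  values:
    resources:
      requests:
        cpu: 100m
        # 512Mi is exactly the 0.5Gi the file used before, written like the
        # other memory requests.
        memory: 512Mi
      limits: {}

monitoring:
  enabled: true
  values:
    prometheus:
      prometheusSpec:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
    kube-state-metrics:
      resources:
        requests:
          cpu: 10m
          memory: 32Mi
        limits: {}
    prometheus-node-exporter:
      resources:
        requests:
          cpu: 100m
          memory: 30Mi
        limits: {}
    grafana:
      testFramework:
        enabled: false
      dashboards:
        default:
          k8s-deployment:
            gnetId: 741
            revision: 1
            datasource: Prometheus
      downloadDashboards:
        resources:
          limits:
            cpu: 20m
            memory: 20Mi
          requests:
            cpu: 20m
            memory: 20Mi
      dashboardProviders:
        dashboardproviders.yaml:
          apiVersion: 1
          providers:
            - name: 'default'
              orgId: 1
              folder: ''
              type: file
              disableDeletion: false
              editable: true
              options:
                path: /var/lib/grafana/dashboards
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_prometheus_url: "https://prometheus.bigbang.dev"
          cypress_grafana_url: "https://grafana.bigbang.dev"
          cypress_alertmanager_url: "https://alertmanager.bigbang.dev"

gatekeeper:
  enabled: true
  values:
    replicas: 1
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits: {}
    # Every exclusion below targets only the k3d load balancer workloads in
    # istio-system; the constraints still apply to everything else.
    violations:
      allowedCapabilities:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to not drop capabilities
            - istio-system/lb-port-.*
      allowedDockerRegistries:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to pull from public repos
            - istio-system/lb-port-.*
      allowedSecCompProfiles:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have an undefined seccomp profile
            - istio-system/lb-port-.*
      allowedUsers:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to run as any user/group
            - istio-system/lb-port-.*
      containerRatio:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have undefined limits/requests
            - istio-system/lb-port-.*
      hostNetworking:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to mount host ports
            - istio-system/lb-port-.*
      noBigContainers:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have undefined limits/requests
            - istio-system/lb-port-.*
      noPrivilegedEscalation:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have undefined security context
            - istio-system/lb-port-.*
      readOnlyRoot:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to mount filesystems read/write
            - istio-system/lb-port-.*
      requiredLabels:
        parameters:
          excludedResources:
            # Allows k3d load balancer pods to not have required labels
            # (pod-level constraint, hence the svclb- pod pattern rather than lb-port-)
            - istio-system/svclb-.*
      requiredProbes:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to not have readiness/liveness probes
            - istio-system/lb-port-.*
    bbtests:
      # TODO: Test will need to be refactored at BB level to properly run since we can't turn everything to deny
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/issues/133
      enabled: false
      scripts:
        image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1
        additionalVolumeMounts:
          - name: "{{ .Chart.Name }}-test-config"
            mountPath: /yaml
          - name: "{{ .Chart.Name }}-kube-cache"
            mountPath: /.kube/cache
        additionalVolumes:
          - name: "{{ .Chart.Name }}-test-config"
            configMap:
              name: "{{ .Chart.Name }}-test-config"
          - name: "{{ .Chart.Name }}-kube-cache"
            emptyDir: {}

twistlock:
  enabled: true
  values:
    console:
      persistence:
        size: 256Mi
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_baseUrl: "https://twistlock.bigbang.dev"
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          twistlock_host: "https://twistlock.bigbang.dev"
          desired_version: "{{ .Values.console.image.tag }}"

# Addons are toggled based on labels in CI
addons:
  argocd:
    enabled: false
    values:
      controller:
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits: {}
      dex:
        resources:
          requests:
            cpu: 10m
            memory: 128Mi
          limits: {}
      redis-bb:
        master:
          persistence:
            size: 256Mi
        replica:
          persistence:
            size: 256Mi
        redis:
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits: {}
      server:
        resources:
          requests:
            cpu: 20m
            memory: 128Mi
          limits: {}
      repoServer:
        resources:
          requests:
            cpu: 50m
            memory: 128Mi
          limits: {}
      configs:
        secret:
          # bcrypt-format hash of the test admin login; presumably the
          # counterpart of cypress_password below — if either is rotated,
          # confirm the other still matches.
          argocdServerAdminPassword: '$2a$10$rUDZDckdDZ2TEwk9PDs3QuqjkL58qR1IHE1Kj4MwDx.7/m5dytZJm'
      bbtests:
        # TODO: Disabled pending resolution of some "timing?" issues
        # https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd/-/issues/17
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://argocd.bigbang.dev"
            cypress_user: "admin"
            # Fixed test-cluster credential.
            cypress_password: "Password123"

  authservice:
    enabled: false
    chains:
      minimal:
        callback_uri: "https://minimal.bigbang.dev"
    values:
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
        limits: {}
      redis:
        master:
          persistence:
            size: 256Mi
        replica:
          persistence:
            size: 256Mi

  gitlab:
    enabled: false
    sso:
      enabled: false
    flux:
      timeout: 20m
    values:
      global:
        rails:
          bootstrap:
            enabled: false
      gitlab-runner:
        resources:
          requests:
            cpu: 10m
          limits: {}
      gitlab:
        webservice:
          minReplicas: 1
          maxReplicas: 1
          helmTests:
            enabled: false
        sidekiq:
          minReplicas: 1
          maxReplicas: 1
        gitlab-shell:
          minReplicas: 1
          maxReplicas: 1
        gitaly:
          persistence:
            size: 256Mi
          resources:
            requests:
              cpu: 50m
            limits: {}
        shared-secrets:
          resources:
            requests:
              cpu: 10m
            limits: {}
        migrations:
          resources:
            requests:
              cpu: 10m
            limits: {}
        task-runner:
          persistence:
            size: 256Mi
          resources:
            requests:
              cpu: 10m
            limits: {}
      registry:
        hpa:
          minReplicas: 1
          maxReplicas: 1
      postgresql:
        persistence:
          size: 256Mi
        metrics:
          resources:
            requests:
              cpu: 10m
            limits: {}
      minio:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 50m
          limits: {}
      redis:
        master:
          persistence:
            size: 256Mi
        slave:
          persistence:
            size: 256Mi
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_baseUrl: "https://gitlab.bigbang.dev"
            cypress_gitlab_first_name: "test"
            cypress_gitlab_last_name: "user"
            cypress_gitlab_username: "testuser"
            # Fixed test-cluster credential; repeated as GITLAB_PASS and inside
            # GITLAB_ORIGIN below, so change all three together.
            cypress_gitlab_password: "12345678"
            cypress_gitlab_email: "testuser@example.com"
            cypress_gitlab_project: "my-awesome-project"
          # The initial root password is read from the chart-created secret.
          secretEnvs:
            - name: cypress_adminpassword
              valueFrom:
                secretKeyRef:
                  name: gitlab-gitlab-initial-root-password
                  key: password
        scripts:
          image: "registry.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/bbtests:0.0.3"
          envs:
            GITLAB_USER: "testuser"
            GITLAB_PASS: "12345678"
            GITLAB_EMAIL: "testuser@example.com"
            GITLAB_PROJECT: "my-awesome-project"
            GITLAB_REPOSITORY: "https://gitlab.bigbang.dev"
            # Embeds the test user's password in the clone URL.
            GITLAB_ORIGIN: "https://testuser:12345678@gitlab.bigbang.dev"
            GITLAB_REGISTRY: "registry.bigbang.dev"

  gitlabRunner:
    enabled: false
    values:
      resources:
        requests:
          memory: 64Mi
          cpu: 50m
        limits: {}
      runners:
        protected: false
      bbtests:
        # TODO: This test runs fine locally with the same values, but fails in CI
        enabled: false
        cypress:
          artifacts: true
          secretEnvs:
            - name: cypress_adminpassword
              valueFrom:
                secretKeyRef:
                  name: gitlab-gitlab-initial-root-password
                  key: password
          envs:
            cypress_baseUrl: "https://gitlab.bigbang.dev"
            cypress_gitlab_email: "gitlab@bigbang.dev"
            cypress_gitlab_user: "gitlab_user"
            # Fixed test-cluster credential.
            cypress_gitlab_password: "gitlab_pass"
            cypress_gitlab_project: "hello-world"

  anchore:
    enabled: false
    values:
      ensureDbJobs:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      sso:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      postgresql:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
        metrics:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreAnalyzer:
        replicaCount: 1
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreApi:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreCatalog:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchorePolicyEngine:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreSimpleQueue:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEngineUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchore-feeds-db:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
        metrics:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreEnterpriseFeeds:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseFeedsUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseRbac:
        authResources:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
        managerResources:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreEnterpriseReports:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseNotifications:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      # NOTE(review): this key is spelled differently from the other
      # anchoreEnterprise* keys; confirm it matches the chart's values key,
      # otherwise these requests are silently ignored.
      anchoreEntperpiseUi:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseEngineUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      bbtests:
        enabled: true
        scripts:
          image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1
          envs:
            ANCHORE_CLI_URL: "https://anchore-api.bigbang.dev/v1"
            ANCHORE_CLI_USER: admin
          # Admin password comes from the release's *-admin-pass secret.
          secretEnvs:
            - name: ANCHORE_CLI_PASS
              valueFrom:
                secretKeyRef:
                  name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass"
                  key: ANCHORE_ADMIN_PASSWORD

  sonarqube:
    enabled: false
    values:
      plugins:
        install: []
      resources:
        requests:
          cpu: 100m
          memory: 200Mi
        limits: {}
      persistence:
        enabled: false
        size: 5Gi
      postgresql:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      tests:
        enabled: false
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://sonarqube.bigbang.dev"
            cypress_url_setup: "https://sonarqube.bigbang.dev/setup"
            cypress_user: "admin"
            # Must stay in step with account.adminPassword below.
            cypress_password: "new_admin_password"
      # Test-cluster admin rotation: the chart rotates from
      # currentAdminPassword to adminPassword.
      account:
        adminPassword: new_admin_password
        currentAdminPassword: admin
      curlContainerImage: registry1.dso.mil/ironbank/big-bang/base:8.4

  minioOperator:
    enabled: false

  minio:
    enabled: false
    values:
      tenants:
        pools:
          - servers: 1
            volumesPerServer: 4
            size: 256Mi
            resources:
              requests:
                cpu: 250m
                memory: 2Gi
              limits:
                cpu: 250m
                memory: 2Gi
            securityContext:
              runAsUser: 1001
              runAsGroup: 1001
              fsGroup: 1001
      bbtests:
        # TODO: Seems like a timing issue with BB CI
        # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/-/issues/7
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_url: 'http://minio.bigbang.dev/login'
          # Tenant keys are read from the tenant secret, not written here.
          secretEnvs:
            - name: cypress_secretkey
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: secretkey
            - name: cypress_accesskey
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: accesskey
        scripts:
          image: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-09-02T09-21-27Z
          envs:
            MINIO_PORT: '80'
            MINIO_HOST: 'http://minio'
          secretEnvs:
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: secretkey
            - name: ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: accesskey

  mattermostoperator:
    enabled: false

  mattermost:
    enabled: false
    elasticsearch:
      enabled: true
    values:
      postgresql:
        persistence:
          size: 256Mi
      replicaCount: 1
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits: {}
      minio:
        tenants:
          pools:
            - servers: 1
              volumesPerServer: 4
              size: 256Mi
              resources:
                requests:
                  cpu: 250m
                  memory: 2Gi
                limits:
                  cpu: 250m
                  memory: 2Gi
              securityContext:
                runAsUser: 1001
                runAsGroup: 1001
                fsGroup: 1001
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://chat.bigbang.dev"
            cypress_mm_email: "test@bigbang.dev"
            cypress_mm_user: "bigbang"
            # Fixed test-cluster credential.
            cypress_mm_password: "Bigbang#123"

  nexus:
    enabled: false
    values:
      persistence:
        # Do NOT set this below 5Gi, nexus will fail to boot
        storageSize: 5Gi
      nexus:
        # https://help.sonatype.com/repomanager3/installation/system-requirements#SystemRequirements-JVMDirectMemory
        env:
          - name: install4jAddVmParams
            value: "-Xms500M -Xmx500M -XX:MaxDirectMemorySize=500M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
        resources:
          requests:
            cpu: 100m
            memory: 1500Mi
      bbtests:
        # TODO: Disabled pending resolution of "timing?" issues
        # https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus/-/issues/9
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_nexus_url: "https://nexus.bigbang.dev"
            cypress_nexus_user: "admin"
            cypress_nexus_pass_new: "new_admin_password"
          # The generated initial admin password is read from the chart secret.
          secretEnvs:
            - name: cypress_nexus_pass
              valueFrom:
                secretKeyRef:
                  name: nexus-repository-manager-secret
                  key: admin.password

  velero:
    enabled: false
    plugins:
      - aws
    values:
      serviceAccount:
        server:
          name: velero
      configuration:
        # minio uses s3 provider
        provider: aws
        backupStorageLocation:
          bucket: velero
          # NOTE(review): the &minio-config anchor is not referenced anywhere in
          # this file; only &minio-address below is.
          config: &minio-config
            region: velero
            # TLS verification is skipped for the in-cluster MinIO endpoint;
            # test cluster only. Velero expects these as strings.
            insecureSkipTLSVerify: "true"
            s3ForcePathStyle: "true"
            s3Url: &minio-address "https://minio.bigbang.dev"
        volumeSnapshotLocation:
          provider: aws
          config:
            region: velero
      credentials:
        useSecret: true
        # Fixed test-cluster MinIO credentials; repeated as MINIO_USER /
        # MINIO_PASS in the bbtests envs below.
        secretContents:
          cloud: |
            [default]
            aws_access_key_id = minio
            aws_secret_access_key = minio123
      bbtests:
        # TODO: Velero test is messy and times out running in BB CI
        # https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/issues/9
        enabled: false
        scripts:
          image: registry1.dso.mil/ironbank/opensource/velero/velero:v1.6.0
          additionalVolumes:
            - name: transfer-kubectl
              emptyDir: {}
            - name: &yamlVolName yaml-configs
              configMap:
                name: "{{ .Chart.Name }}-backup-restore-files-config"
          additionalVolumeMounts:
            - name: transfer-kubectl
              mountPath: /usr/local/bin/kubectl
              subPath: kubectl
            - name: *yamlVolName
              mountPath: &yamlMountPath /yaml
          envs:
            MINIO_HOST: *minio-address
            TEST_YAML_DIR: *yamlMountPath
            MINIO_USER: minio
            MINIO_PASS: minio123
          secretEnvs:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

  keycloak:
    enabled: false
    ingress:
      gateway: "public"
    values:
      replicas: 1
      resources:
        requests:
          cpu: 10m
          memory: 16Mi
        limits: {}
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://keycloak.bigbang.dev"
            cypress_username: "admin"
            # Fixed test-cluster credential.
            cypress_password: "password"
      # Custom dev secret configuration
      secrets:
        env:
          stringData:
            CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
            KEYCLOAK_IMPORT: /opt/jboss/keycloak/realm.json
            X509_CA_BUNDLE: /etc/x509/https/cas.pem
        certauthority:
          stringData:
            cas.pem: '{{ .Files.Get "resources/dev/dod_cas.pem" }}'
        customreg:
          stringData:
            customreg.yaml: '{{ .Files.Get "resources/dev/baby-yoda.yaml" }}'
        realm:
          stringData:
            realm.json: '{{ .Files.Get "resources/dev/baby-yoda.json" }}'
      # extraVolumes / extraVolumeMounts are template text rendered by the
      # chart, hence the block scalars rather than YAML lists.
      extraVolumes: |-
        - name: certauthority
          secret:
            secretName: {{ include "keycloak.fullname" . }}-certauthority
        - name: customreg
          secret:
            secretName: {{ include "keycloak.fullname" . }}-customreg
        - name: realm
          secret:
            secretName: {{ include "keycloak.fullname" . }}-realm
      extraVolumeMounts: |-
        - name: certauthority
          mountPath: /etc/x509/https/cas.pem
          subPath: cas.pem
          readOnly: true
        - name: customreg
          mountPath: /opt/jboss/keycloak/customreg.yaml
          subPath: customreg.yaml
          readOnly: true
        - name: realm
          mountPath: /opt/jboss/keycloak/realm.json
          subPath: realm.json
          readOnly: true
      extraVolumeMountsBigBang:
        - name: tlscert
          mountPath: /etc/x509/https/tls.crt
          subPath: tls.crt
          readOnly: true
        - name: tlskey
          mountPath: /etc/x509/https/tls.key
          subPath: tls.key
          readOnly: true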