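# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
domain: bigbang.dev

# -- (experimental) Toggle sourcing from external repos.
# All this does right now is toggle GitRepositories, it is _not_ fully functional
offline: false

# -- Single set of registry credentials used to pull all images deployed by BigBang.
# Credential values here are plain text; supply them through an encrypted secret values file
# (see the environment-bb-secret.enc.yaml example referenced under addons.gitlab.smtp) rather than committing them.
registryCredentials:
  registry: registry1.dso.mil
  username: ""
  password: ""
  email: ""

# -- Multiple sets of registry credentials used to pull all images deployed by BigBang.
# Credentials will only be created when a valid combination exists, registry, username, and password (email is optional)
# Or a list of registries:
# - registry: registry1.dso.mil
#   username: ""
#   password: ""
#   email: ""
# - registry: registry.dso.mil
#   username: ""
#   password: ""
#   email: ""

# Openshift Container Platform Feature Toggle
openshift: false

# -- Git credential settings for accessing private repositories
# Order of precedence is:
#   1. existingSecret
#   2. http credentials (username/password/caFile)
#   3. ssh credentials (privateKey/publicKey/knownHosts)
git:
  # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
  existingSecret: ""

  # -- Chart created secrets with user defined values
  # The password and privateKey fields are secret material; keep them in an encrypted secret values file.
  credentials:
    # -- HTTP git credentials, both username and password must be provided
    username: ""
    password: ""
    # -- HTTPS certificate authority file. Required for any repo with a self signed certificate
    caFile: ""
    # -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
    privateKey: ""
    publicKey: ""
    knownHosts: ""

# -- Global SSO values used for BigBang deployments when sso is enabled, can be overridden by individual packages.
sso:
  oidc:
    # -- Domain for keycloak used for configuring SSO
    host: login.dso.mil
    # -- Keycloak realm containing clients
    realm: baby-yoda
  # -- Keycloak's certificate authority (PEM Format). Entered using chomp modifier (see docs/assets/configs/example/dev-sso-values.yaml for example). Used by authservice to support SSO for various packages
  certificate_authority: ""
  # -- Keycloak realm's json web key output, obtained at https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/certs
  jwks: ""
  # -- OIDC client ID used for packages authenticated through authservice
  client_id: ""
  # -- OIDC client secret used for packages authenticated through authservice
  client_secret: ""
  # -- OIDC token URL template string (to be used as default)
  token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
  # -- OIDC auth URL template string (to be used as default)
  auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
  # -- Kubernetes Secret containing the sso.certificate_authority value for SSO enabled application namespaces
  secretName: "tls-ca-sso"

# -- (Advanced) Flux reconciliation parameters.
# The default values provided will be sufficient for the majority of workloads.
flux:
  timeout: 10m
  interval: 2m
  test:
    enable: false
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
  rollback:
    timeout: 10m
    cleanupOnFail: true

# -- Global NetworkPolicies settings
networkPolicies:
  # -- Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled`
  enabled: true
  # -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster
  # Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
  # Used by package NetworkPolicies to allow Kube API access
  controlPlaneCidr: "0.0.0.0/0"
  # -- Node CIDR, defaults to allowing "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" networks.
  # use `kubectl get nodes -owide` and review the `INTERNAL-IP` column to derive CIDR range.
  # Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
  nodeCidr: ""
  # -- VPC CIDR, defaults to 0.0.0.0/0
  # In a production environment, it is recommended to setup a Private Endpoint for your AWS services like KMS or S3.
  # Please review https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html to setup routing to AWS services that never leave the AWS network.
  # Once created update `networkPolicies.vpcCidr` to match the CIDR of your VPC so Vault will be able to reach your VPCs DNS and new KMS endpoint.
  vpcCidr: "0.0.0.0/0"

# -- Global ImagePullPolicy value for all packages
# Permitted values are: None, Always, IfNotPresent
imagePullPolicy: IfNotPresent

# ----------------------------------------------------------------------------------------------------------------------
# Istio
#
istio:
  # -- Toggle deployment of Istio.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
    path: "./chart"
    tag: "1.13.5-bb.1"

  # -- Tetrate Istio Distribution - Tetrate provides FIPS verified Istio and Envoy software and support,
  # validated through the FIPS Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
  enterprise: false

  # Ingress gateways are created based on the key name. Adding more keys will add ingress gateways.
  # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
  # Besides some ports needed by Istio, only ports 80 and 443 are opened
  # Ingress gateways that require more configuration can be completed using `istio.values`
  ingressGateways:
    public-ingressgateway:
      type: "LoadBalancer" # or "NodePort"
      kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
    # private-ingressgateway:
    #   type: "LoadBalancer" # or "NodePort"
    #   kubernetesResourceSpec: # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
    #     serviceAnnotations: # Example for AWS internal load balancer
    #       service.beta.kubernetes.io/aws-load-balancer-type: nlb
    #       service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    # passthrough-ingressgateway:
    #   type: "NodePort" # or "LoadBalancer"
    #   # Node ports are assigned starting from nodePortBase. The nodePortBase specifies the start of a range of 4 unused node ports.
    #   # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3
    #   # Node port base should be in the range from 30000 to 32764
    #   nodePortBase: 32000 # Alternatively, the kubernetesResourceSpec can be used to configure all port parameters

  gateways:
    public:
      ingressGateway: "public-ingressgateway"
      hosts:
        - "*.{{ .Values.domain }}"
      # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
      autoHttpRedirect:
        enabled: true
      tls:
        key: ""
        cert: ""
    # private:
    #   ingressGateway: "private-ingressgateway"
    #   hosts:
    #     - "example.bigbang.dev"
    #   ports:
    #     - name: tls-2
    #       number: 1234
    #       protocol: TCP
    #     - name: tls
    #       number: 5678
    #       protocol: TCP
    #   # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
    #   autoHttpRedirect:
    #     enabled: false
    #   tls:
    #     key: ""
    #     cert: ""
    # passthrough:
    #   ingressGateway: "passthrough-ingressgateway"
    #   hosts:
    ####
    # Alternate multi-server configuration method
    ####
    # private:
    #   ingressGateway: "private-ingressgateway"
    #   servers:
    #     - hosts:
    #         - "example.bigbang.dev"
    #       port:
    #         name: tls-1
    #         number: 1234
    #         protocol: TCP
    #       # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
    #       autoHttpRedirect:
    #         enabled: false
    #       tls:
    #         key: ""
    #         cert: ""
    #     - hosts:
    #         - "example.bigbang.dev"
    #       port:
    #         name: tls-2
    #         number: 5678
    #         protocol: TCP
    #       # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
    #       autoHttpRedirect:
    #         enabled: false
    #       tls:
    #         key: ""
    #         cert: ""
    # passthrough:
    #   ingressGateway: "passthrough-ingressgateway"
    #   hosts:
    #     - "*.{{ .Values.domain }}"
    #   # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
    #   autoHttpRedirect:
    #     enabled: true
    #   tls:
    #     mode: "PASSTHROUGH"

  # -- Flux reconciliation overrides specifically for the Istio Package
  flux: {}

  # -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

istiooperator:
  # -- Toggle deployment of Istio Operator.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
    path: "./chart"
    tag: "1.13.5-bb.1"

  # -- Flux reconciliation overrides specifically for the Istio Operator Package
  flux: {}

  # -- Values to passthrough to the istio-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

jaeger:
  # -- Toggle deployment of Jaeger.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git
    path: "./chart"
    tag: "2.32.2-bb.3"

  # -- Flux reconciliation overrides specifically for the Jaeger Package
  flux:
    install:
      crds: CreateReplace
    upgrade:
      crds: CreateReplace

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

  sso:
    # -- Toggle SSO for Jaeger on and off
    enabled: false

    # -- OIDC Client ID to use for Jaeger
    client_id: ""

    # -- OIDC Client Secret to use for Jaeger
    client_secret: ""

  # -- Values to pass through to Jaeger chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/jaeger.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

kiali:
  # -- Toggle deployment of Kiali.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git
    path: "./chart"
    tag: "1.51.0-bb.3"

  # -- Flux reconciliation overrides specifically for the Kiali Package
  flux: {}

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

  sso:
    # -- Toggle SSO for Kiali on and off
    enabled: false

    # -- OIDC Client ID to use for Kiali
    client_id: ""

    # -- OIDC Client Secret to use for Kiali
    client_secret: ""

  # -- Values to pass through to Kiali chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Cluster Auditor
#
clusterAuditor:
  # -- Toggle deployment of Cluster Auditor.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
    path: "./chart"
    tag: "1.4.0-bb.4"

  # -- Flux reconciliation overrides specifically for the Cluster Auditor Package
  flux: {}

  # -- Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# OPA Gatekeeper
#
gatekeeper:
  # -- Toggle deployment of OPA Gatekeeper.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
    tag: "3.8.1-bb.4"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
  flux:
    install:
      crds: CreateReplace
    upgrade:
      crds: CreateReplace

  # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Kyverno
#
kyverno:
  # -- Toggle deployment of Kyverno.
  enabled: false

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git
    path: "./chart"
    tag: "2.2.0-bb.3"

  # -- Flux reconciliation overrides specifically for the Kyverno Package
  flux: {}

  # -- Values to passthrough to the kyverno chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

kyvernopolicies:
  # -- Toggle deployment of Kyverno policies
  enabled: false

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git
    path: "./chart"
    tag: "1.0.1-bb.0"

  # -- Flux reconciliation overrides specifically for the Kyverno Policies Package
  flux: {}

  # -- Values to passthrough to the kyverno policies chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Logging
#
logging:
  # -- Toggle deployment of Logging (EFK).
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
    path: "./chart"
    tag: "0.8.0-bb.1"

  # -- Flux reconciliation overrides specifically for the Logging (EFK) Package
  flux:
    timeout: 20m

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

  sso:
    # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
    # Enabling this option will auto-create any required secrets.
    enabled: false

    # -- Elasticsearch/Kibana OIDC client ID
    client_id: ""

    # -- Elasticsearch/Kibana OIDC client secret
    client_secret: ""

  license:
    # -- Toggle trial license installation of elasticsearch.  Note that enterprise (non trial) is required for SSO to work.
    trial: false

    # -- Elasticsearch license in json format seen here: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana#enterprise-license
    keyJSON: ""

  # -- Values to passthrough to the elasticsearch-kibana chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

eckoperator:
  # -- Toggle deployment of ECK Operator.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
    path: "./chart"
    tag: "2.3.0-bb.0"

  # -- Flux reconciliation overrides specifically for the ECK Operator Package
  flux: {}

  # -- Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
  values: {}

fluentbit:
  # -- Toggle deployment of Fluent-Bit.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
    path: "./chart"
    tag: "0.20.3-bb.0"

  # -- Flux reconciliation overrides specifically for the Fluent-Bit Package
  flux: {}

  # -- Values to passthrough to the fluentbit chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------
# BETA support of promtail/loki logging stack
#
promtail:
  # -- Toggle deployment of Promtail.
  enabled: false

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail.git
    path: "./chart"
    tag: "4.2.0-bb.2"

  # -- Flux reconciliation overrides specifically for the Promtail Package
  flux: {}

  # -- Values to passthrough to the promtail chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

loki:
  # -- Toggle deployment of Loki.
  enabled: false

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki.git
    path: "./chart"
    tag: "3.0.5-bb.4"

  # -- Flux reconciliation overrides specifically for the Loki Package
  flux: {}

  # -- Loki architecture.  Options are monolith and scalable
  strategy: monolith

  objectStorage:
    # -- S3 compatible endpoint to use for connection information.
    # examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000"
    endpoint: ""

    # -- S3 compatible region to use for connection information.
    region: ""

    # -- Access key for connecting to object storage endpoint.
    accessKey: ""

    # -- Secret key for connecting to object storage endpoint.
    # Unencoded string data. This should be placed in the secret values and then encrypted
    accessSecret: ""

    # -- Bucket Names for Loki as a comma delimited list.
    # examples: "loki-logs"
    bucketNames: ""

  # -- Values to passthrough to the Loki chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
tempo:
  # -- Toggle deployment of Tempo.
  enabled: false

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo.git
    path: "./chart"
    tag: "0.15.1-bb.7"

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

  # -- Flux reconciliation overrides specifically for the Tempo Package
  flux: {}

  sso:
    # -- Toggle SSO for Tempo on and off
    enabled: false

    # -- OIDC Client ID to use for Tempo
    client_id: ""

    # -- OIDC Client Secret to use for Tempo
    client_secret: ""

  objectStorage:
    # -- S3 compatible endpoint to use for connection information.
    # examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
    # Note: tempo does not require protocol prefix for URL.
    endpoint: ""

    # -- S3 compatible region to use for connection information.
    region: ""

    # -- Access key for connecting to object storage endpoint.
    accessKey: ""

    # -- Secret key for connecting to object storage endpoint.
    # Unencoded string data. This should be placed in the secret values and then encrypted
    accessSecret: ""

    # -- Bucket Names for Tempo as a comma delimited list.
    # examples: "tempo-traces"
    bucket: ""

    # -- Set to true to allow a non-TLS (HTTP) connection to object storage, e.g. in-cluster object storage on
    # port 80/9000. Leave false to require HTTPS.
    insecure: false

  # -- Values to passthrough to the Tempo chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Monitoring
#
monitoring:
  # -- Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager).
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
    path: "./chart"
    tag: "36.2.1-bb.2"

  # -- Flux reconciliation overrides specifically for the Monitoring Package
  flux:
    install:
      crds: CreateReplace
    upgrade:
      crds: CreateReplace

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

  sso:
    # -- Toggle SSO for monitoring components on and off
    enabled: false

    prometheus:
      # -- Prometheus OIDC client ID
      client_id: ""

      # -- Prometheus OIDC client secret
      client_secret: ""

    alertmanager:
      # -- Alertmanager OIDC client ID
      client_id: ""

      # -- Alertmanager OIDC client secret
      client_secret: ""

    grafana:
      # -- Grafana OIDC client ID
      client_id: ""

      # -- Grafana OIDC client secret
      client_secret: ""

      # -- Grafana OIDC client scopes, comma separated, see https://grafana.com/docs/grafana/latest/auth/generic-oauth/
      scopes: ""

      allow_sign_up: "true"

      role_attribute_path: "Viewer"

      # -- Other options available, see package Documentation.

  # -- Values to passthrough to the monitoring chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

# ----------------------------------------------------------------------------------------------------------------------

# ----------------------------------------------------------------------------------------------------------------------
# Twistlock
#
twistlock:
  # -- Toggle deployment of Twistlock.
  enabled: true

  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
    path: "./chart"
    tag: "0.9.0-bb.3"

  # -- Flux reconciliation overrides specifically for the Twistlock Package
  flux: {}

  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
  ingress:
    gateway: ""

  # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
  values: {}

  # -- Post Renderers.  See docs/postrenders.md
  postRenderers: []

#
# ----------------------------------------------------------------------------------------------------------------------
#
addons:
  argocd:
    # -- Toggle deployment of ArgoCD.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
      path: "./chart"
      tag: "4.9.12-bb.2"

    # -- Flux reconciliation overrides specifically for the ArgoCD Package
    flux: {}

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    redis:
      # -- Hostname of a pre-existing Redis to use for ArgoCD.
      # Entering connection info will enable external Redis and will auto-create any required secrets.
      host: ""

      # -- Port of a pre-existing Redis to use for ArgoCD.
      port: ""

    sso:
      # -- Toggle SSO for ArgoCD on and off
      enabled: false

      # -- ArgoCD OIDC client ID
      client_id: ""

      # -- ArgoCD OIDC client secret
      client_secret: ""

      # -- ArgoCD SSO login text
      provider_name: ""

      # -- ArgoCD SSO group roles, see docs for more details: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
      groups: |
        g, Impact Level 2 Authorized, role:admin

    # -- Values to passthrough to the argocd chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  authservice:
    # -- Toggle deployment of Authservice.
    # if enabling authservice, a filter needs to be provided by either enabling
    # sso for monitoring or istio, or manually adding a filter chain in the values here:
    # values:
    #   chain:
    #     minimal:
    #       callback_uri: "https://somecallback"
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
      path: "./chart"
      tag: "0.5.1-bb.4"

    # -- Flux reconciliation overrides specifically for the Authservice Package
    flux: {}

    # -- Values to passthrough to the authservice chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

    # -- Additional authservice chain configurations.
    chains: {}

  # ----------------------------------------------------------------------------------------------------------------------
  # Minio Operator and Instance
  #
  minioOperator:
    # -- Toggle deployment of minio operator and instance.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git
      path: "./chart"
      tag: "4.4.16-bb.3"

    # -- Flux reconciliation overrides specifically for the Minio Operator Package
    flux: {}

    # -- Values to passthrough to the minio operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  minio:
    # -- Toggle deployment of minio.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
      path: "./chart"
      tag: "4.4.16-bb.0"

    # -- Flux reconciliation overrides specifically for the Minio Package
    flux: {}

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    # -- Default access key to use for minio.
    accesskey: ""

    # -- Default secret key to instantiate with minio, you should change/delete this after installation.
    secretkey: ""

    # -- Values to passthrough to the minio instance chart: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  gitlab:
    # -- Toggle deployment of Gitlab
    enabled: false

    hostnames:
      # host name only without the domain
      gitlab: gitlab
      registry: registry

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
      path: "./chart"
      tag: "6.1.2-bb.1"

    # -- Flux reconciliation overrides specifically for the Gitlab Package
    flux: {}

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    sso:
      # -- Toggle OIDC SSO for Gitlab on and off.
      # Enabling this option will auto-create any required secrets.
      enabled: false

      # -- Gitlab OIDC client ID
      client_id: ""

      # -- Gitlab OIDC client secret
      client_secret: ""

      # -- Gitlab SSO login button label
      label: ""

      # -- Gitlab SSO Scopes, default is ["Gitlab"]
      scopes:
        - Gitlab

      # -- GitLab SSO Issuer URI,
      # Only needed if your SSO is non-Keycloak
      issuer_uri: ""

      # -- GitLab SSO End Session URI,
      # Only needed if your SSO is non-Keycloak
      end_session_uri: ""

      # -- Gitlab SSO UID field
      uid_field: preferred_username

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Gitlab.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for Gitlab.
      port: 5432

      # -- Database name to connect to on host.
      database: "" # example: gitlab

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

    objectStorage:
      # -- Type of object storage to use for Gitlab, setting to s3 will assume an external, pre-existing object storage is to be used.
      # Entering connection info will enable this option and will auto-create any required secrets
      type: "" # supported types are "s3" or "minio"

      # -- S3 compatible endpoint to use for connection information.
      # examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000"
      endpoint: ""

      # -- S3 compatible region to use for connection information.
      region: ""

      # -- Access key for connecting to object storage endpoint.
      # -- If using accessKey and accessSecret, the iamProfile must be left as an empty string: ""
      accessKey: ""

      # -- Secret key for connecting to object storage endpoint.
      # Unencoded string data. This should be placed in the secret values and then encrypted
      accessSecret: ""

      # -- Bucket prefix to use for identifying buckets.
      # Example: "prod" will produce "prod-gitlab-bucket"
      bucketPrefix: ""

      # -- NOTE: Current bug with AWS IAM Profiles and Object Storage where only artifacts are stored. Fixed in Gitlab 14.5
      # -- Name of AWS IAM profile to use.
      # -- If using an AWS IAM profile, the accessKey and accessSecret values must be left as empty strings eg: ""
      iamProfile: ""

    smtp:
      # -- Passwords should be placed in an encrypted file. Example: environment-bb-secret.enc.yaml
      # If a value is provided BigBang will create a k8s secret named gitlab-smtp-password in the gitlab namespace
      password: ""

    redis:
      # -- Redis plain text password to connect to the redis server.  If empty (""), the gitlab charts will create the gitlab-redis-secret
      # with a random password.
      # -- This needs to be set to a non-empty value in order for the Grafana Redis Datasource and Dashboards to be installed.
      password: ""

    # -- Values to passthrough to the gitlab chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  gitlabRunner:
    # -- Toggle deployment of Gitlab Runner
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git
      path: "./chart"
      tag: "0.41.0-bb.0"

    # -- Flux reconciliation overrides specifically for the Gitlab Runner Package
    flux: {}

    # -- Values to passthrough to the gitlab runner chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  nexus:
    # -- Toggle deployment of Nexus.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git
      path: "./chart"
      tag: "40.1.0-bb.0"

    # -- Base64 encoded license file.
    license_key: ""

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    sso:
      # -- Toggle SAML SSO for NXRM.
      # -- handles SAML SSO, a Client must be configured in Keycloak or IdP
      # -- to complete setup.
      # -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599
      enabled: false

      # -- NXRM SAML SSO Integration data
      idp_data:
        # Nexus saml URL. example: "https://nexus.example.mil/service/rest/v1/security/saml/metadata"
        entityId: ""

        # -- IdP Field Mappings
        # -- NXRM username attribute
        username: ""

        # -- NXRM firstname attribute (optional)
        firstName: ""

        # -- NXRM lastname attribute (optional)
        lastName: ""

        # -- NXRM email attribute (optional)
        email: ""

        # -- NXRM groups attribute (optional)
        groups: ""

        # -- IDP SAML Metadata XML as a single line string in single quotes
        # -- this information is public and does not require a secret
        idpMetadata: ''

      # -- NXRM Role
      role: # the id must match the Keycloak group name (case sensitive)
        - id: ""
          name: ""
          description: ""
          privileges: []
          roles: []

    # -- Flux reconciliation overrides specifically for the Nexus Repository Manager Package
    flux: {}

    # -- Values to passthrough to the nxrm chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  sonarqube:
    # -- Toggle deployment of SonarQube.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git
      path: "./chart"
      tag: "1.0.29-bb.2"

    # -- Flux reconciliation overrides specifically for the Sonarqube Package
    flux: {}

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    sso:
      # -- Toggle SAML SSO for SonarQube.
      # Enabling this option will auto-create any required secrets.
      enabled: false

      # -- SonarQube SAML client ID
      client_id: ""

      # -- SonarQube SSO login button label
      provider_name: ""

      # -- SonarQube plaintext SAML sso certificate.
      # example: MITCAYCBFyIEUjNBkqhkiG9w0BA....
      certificate: ""

      # -- SonarQube login sso attribute.
      login: login

      # -- SonarQube name sso attribute.
      name: name

      # -- SonarQube email sso attribute.
      email: email

      # -- (optional) SonarQube group sso attribute.
      group: group

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for SonarQube.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for SonarQube.
      port: 5432

      # -- Database name to connect to on host.
      database: ""

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

    # -- Values to passthrough to the sonarqube chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/sonarqube.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  # ----------------------------------------------------------------------------------------------------------------------
  # Deployment of HAProxy is automatically toggled depending on Monitoring SSO and Monitoring Istio Injection
  #
  haproxy:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/haproxy
      path: "./chart"
      tag: "1.12.0-bb.0"

    # -- Flux reconciliation overrides specifically for the HAProxy Package
    flux: {}

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    # -- Values to passthrough to the haproxy chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/haproxy
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  anchore:
    # -- Toggle deployment of Anchore.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
      path: "./chart"
      tag: "1.18.6-bb.7"

    # -- Flux reconciliation overrides specifically for the Anchore Package
    flux:
      upgrade:
        disableWait: true

    # -- Initial admin password used to authenticate to Anchore.
    adminPassword: ""

    # -- Anchore Enterprise functionality.
    enterprise:
      # -- Toggle the installation of Anchore Enterprise.  This must be accompanied by a valid license.
      enabled: false

      # -- License for Anchore Enterprise.
      # For formatting examples see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#enabling-enterprise-services
      licenseYaml: |
        FULL LICENSE

    # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
    ingress:
      gateway: ""

    sso:
      # -- Toggle OIDC SSO for Anchore on and off.
      # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
      enabled: false

      # -- Anchore OIDC client ID
      client_id: ""

      # -- Anchore OIDC client role attribute
      role_attribute: ""

    database:
      # -- Hostname of a pre-existing PostgreSQL database to use for Anchore.
      # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
      host: ""

      # -- Port of a pre-existing PostgreSQL database to use for Anchore.
      port: ""

      # -- Username to connect as to external database, the user must have all privileges on the database.
      username: ""

      # -- Database password for the username used to connect to the existing database.
      password: ""

      # -- Database name to connect to on host (Note: database name CANNOT contain hyphens).
      database: ""

      # -- Feeds database name to connect to on host (Note: feeds database name CANNOT contain hyphens).
      # Only required for enterprise edition of anchore.
      # By default, feeds database will be configured with the same username and password as the main database.  For formatting examples on how to use a separate username and password for the feeds database see https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#handling-dependencies
      feeds_database: ""

    redis:
      # -- Hostname of a pre-existing Redis to use for Anchore Enterprise.
      # Entering connection info will enable external redis and will auto-create any required secrets.
      # Anchore only requires redis for enterprise deployments and will not provision an instance if using external
      host: ""

      # -- Port of a pre-existing Redis to use for Anchore Enterprise.
      port: ""

      # -- OPTIONAL: Username to connect to a pre-existing Redis (for password-only auth leave empty)
      username: ""

      # -- Password to connect to pre-existing Redis.
      password: ""

    # -- Values to passthrough to the anchore chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  # ----------------------------------------------------------------------------------------------------------------------
  # Mattermost Operator and Instance
  #
  mattermostoperator:
    # -- Toggle deployment of Mattermost Operator.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git
      path: "./chart"
      tag: "1.18.1-bb.0"

    # -- Flux reconciliation overrides specifically for the Mattermost Operator Package
    flux: {}

    # -- Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator/-/blob/main/chart/values.yaml
    values: {}

    # -- Post Renderers.  See docs/postrenders.md
    postRenderers: []

  mattermost:
    # -- Toggle deployment of Mattermost.
    enabled: false

    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost.git
      path: "./chart"
      tag: "7.0.1-bb.1"

    # -- Flux reconciliation overrides specifically for the Mattermost Package
    flux: {}

    # -- Mattermost Enterprise functionality.
    enterprise:
      # -- Toggle the Mattermost Enterprise.  This must be accompanied by a valid license unless you plan to start a trial post-install.
      enabled: false

      # -- License for Mattermost.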
# This should be the entire contents of the license file from Mattermost (should be one line), example below # license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN license: "" # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". ingress: gateway: "" sso: # -- Toggle OIDC SSO for Mattermost on and off. # Enabling this option will auto-create any required secrets. enabled: false # -- Mattermost OIDC client ID client_id: "" # -- Mattermost OIDC client secret client_secret: "" # -- Mattermost OIDC auth endpoint # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values auth_endpoint: "" # -- Mattermost OIDC token endpoint # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values token_endpoint: "" # -- Mattermost OIDC user API endpoint # To get endpoint values, see here: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/docs/keycloak.md#helm-values user_api_endpoint: "" database: # -- Hostname of a pre-existing PostgreSQL database to use for Mattermost. # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. host: "" # -- Port of a pre-existing PostgreSQL database to use for Mattermost. port: "" # -- Username to connect as to external database, the user must have all privileges on the database. username: "" # -- Database password for the username used to connect to the existing database. password: "" # -- Database name to connect to on host. database: "" # -- SSL Mode to use when connecting to the database. 
# Allowable values for this are viewable in the postgres documentation: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS ssl_mode: "" objectStorage: # -- S3 compatible endpoint to use for connection information. # Entering connection info will enable this option and will auto-create any required secrets. # examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000" endpoint: "" # -- Access key for connecting to object storage endpoint. accessKey: "" # -- Secret key for connecting to object storage endpoint. # Unencoded string data. This should be placed in the secret values and then encrypted accessSecret: "" # -- Bucket name to use for Mattermost - will be auto-created. bucket: "" # -- Mattermost Elasticsearch integration - requires enterprise E20 license - https://docs.mattermost.com/deployment/elasticsearch.html # Connection info defaults to the BB deployed Elastic, all values can be overridden via the "values" passthrough for other connections. # See values spec in MM chart "elasticsearch" yaml block - https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/chart/values.yaml elasticsearch: # -- Toggle interaction with Elastic for optimized search indexing enabled: false # -- Values to passthrough to the Mattermost chart: https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/-/blob/main/chart/values.yaml values: {} # -- Post Renderers. See docs/postrenders.md postRenderers: [] velero: # -- Toggle deployment of Velero. enabled: false git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git path: "./chart" tag: "2.30.1-bb.0" # -- Flux reconciliation overrides specifically for the Velero Package flux: {} # -- Plugin provider for Velero - requires at least one plugin installed. 
Current supported values: aws, azure, csi plugins: [] # - aws # -- Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml values: {} # -- Post Renderers. See docs/postrenders.md postRenderers: [] # # ---------------------------------------------------------------------------------------------------------------------- # ---------------------------------------------------------------------------------------------------------------------- # Keycloak # keycloak: # -- Toggle deployment of Keycloak. # if you enable Keycloak you should uncomment the istio passthrough configurations above # istio.ingressGateways.passthrough-ingressgateway and istio.gateways.passthrough enabled: false git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git path: "./chart" tag: "18.2.1-bb.0" database: # -- Hostname of a pre-existing database to use for Keycloak. # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. host: "" # -- Pre-existing database type (e.g. postgres) to use for Keycloak. type: postgres # -- Port of a pre-existing database to use for Keycloak. port: 5432 # -- Database name to connect to on host. database: "" # example: keycloak # -- Username to connect as to external database, the user must have all privileges on the database. username: "" # -- Database password for the username used to connect to the existing database. password: "" # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package flux: {} # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". 
ingress: # the istio gateway for keycloak must have tls.mode: PASSTHROUGH gateway: "passthrough" # -- Certificate/Key pair to use as the certificate for exposing Keycloak # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart key: "" cert: "" # -- Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git values: {} # -- Post Renderers. See docs/postrenders.md postRenderers: [] # ---------------------------------------------------------------------------------------------------------------------- # Vault # vault: # -- Toggle deployment of Vault. enabled: false git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git path: "./chart" tag: "0.20.1-bb.4" # -- Flux reconciliation overrides specifically for the Vault Package flux: {} # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public". ingress: gateway: "" # -- Certificate/Key pair to use as the certificate for exposing Vault # Setting the ingress cert here will automatically create the volume and volumemounts in the Vault package chart key: "" cert: "" # -- Values to passthrough to the vault chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/vault.git values: {} # -- Post Renderers. 
See docs/postrenders.md postRenderers: [] # ---------------------------------------------------------------------------------------------------------------------- # Metrics Server # metricsServer: # -- Toggle deployment of metrics server # Acceptable options are enabled: true, enabled: false, enabled: auto # true = enabled / false = disabled / auto = automatic (Installs only if metrics API endpoint is not present) enabled: auto git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/metrics-server.git path: "./chart" tag: "3.8.0-bb.2" # -- Flux reconciliation overrides specifically for the metrics server Package flux: {} # -- Values to passthrough to the metrics server chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/metrics-server.git values: {} # -- Post Renderers. See docs/postrenders.md postRenderers: []