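# Big Bang values overlay for what appears to be a k3d-based CI/dev cluster
# (see the "k3d load balancer" and "toggled ... in CI" comments below).
#
# NOTE(review): the line breaks and indentation of this listing were
# reconstructed from a whitespace-collapsed copy. Key order and every value are
# unchanged, but nesting depth is inferred from the usual chart layouts, so
# confirm it against each package's own values.yaml before relying on it.
#
# NOTE(review): this file carries fixed test credentials and several relaxed
# controls (anonymous Kiali auth, a privileged fluentbit, Gatekeeper
# exclusions, TLS verification disabled for Velero). Each is marked where it
# occurs; none of them should be carried into a long-lived or shared cluster.

domain: bigbang.dev

sso:
  # LetsEncrypt certificate authority
  certificate_authority: |
    -----BEGIN CERTIFICATE-----
    MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
    TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
    cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
    WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
    ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
    MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
    h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
    0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
    A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
    T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
    B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
    B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
    KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
    OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
    jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
    qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
    rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
    HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
    hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
    ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
    3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
    NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
    ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
    TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
    jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
    oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
    4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
    mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
    emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
    -----END CERTIFICATE-----
  # Must be updated for every new deployment of Keycloak. Example of where to get the jwks:
  # https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/certs
  # must be single quoted and double quotes must be escaped like this \"xxxx\"
  # NOTE(review): this pins the realm's token-signing public key. It holds no
  # private material, but tokens stop validating once the realm key rotates,
  # so refresh it from the certs endpoint above whenever Keycloak is redeployed.
  jwks: '{\"keys\":[{\"kid\":\"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw\",\"e\":\"AQAB\",\"x5c\":[\"MIICoTCCAYkCBgFyLIEqUjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjAwNTE5MTAzNDIyWhcNMzAwNTE5MTAzNjAyWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCGIwvWSPD6zDbkGBpkjUDJ+BwJEE8ko8T7DC22prs03Gm2v/lEIEa4leoPKjenW+NxtvwqN0qdcjuRZ6vxvY/P9E/Wb9Bw+so7FKW6TsZkXwBGxzoU8ZvNiCLyjxwFVKxqaXodnOk3dmcfgMVnbuJ8z5SX8/IzFnZrB6iEhqLNen6uAXtGqlq/k1dTCZxLIfws/3Y1Ui4WUPcdhMMaixVt8D+78fblnhcIYpb+8sNM2uXw9wDceoigP681q/Kx3ECr8o3DuIstzQouyMVhJ0kv/ngftC5uwZHQDIissu6sluoC2+20YkrfyTldhYojBga27qKInCNJvtS2idV0+HxXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIVkoDYkM6ryBcuchdAL5OmyKbmmY4WDrMlatfa3uniK5jvFXrmVaJ3rcu0apdY/NhBeLSOLFVlC5w1QroGUhWm0EjAA4zyuU63Pk0sro0vyHrxztBrGPQrGXI3kjXEssaehZZvYP4b9VtYpus6oGP6bTmaDw94Zu+WrDsWdFs+27VEYwBuU0D6E+ENDGlfR+9ADEW53t6H2M3H0VsOtbArEutYgb4gmQcOIBygC7L1tGJ4IqbnhTYLh9DMKNklU+tq8TMHacps9FxELpeAib3O0J0E5zYXdraQobCCe+ao1Y7sA/wqcGQBCVuoFgty7Y37nNL7LMvygcafgqVDqw5U=\"],\"x5t\":\"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8\",\"x5t#S256\":\"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco\"}]}'
  oidc:
    host: keycloak.bigbang.dev
    realm: baby-yoda

flux:
  timeout: 20m
  interval: 1m
  rollback:
    cleanupOnFail: false

networkPolicies:
  enabled: true
  controlPlaneCidr: 172.16.0.0/12

istio:
  enabled: true
  ingressGateways:
    passthrough-ingressgateway:
      type: "LoadBalancer"
  gateways:
    passthrough:
      ingressGateway: "passthrough-ingressgateway"
      hosts:
        - "*.{{ .Values.domain }}"
      tls:
        # PASSTHROUGH: the gateway forwards TLS unterminated, so the backend
        # holds the certificate and key.
        mode: "PASSTHROUGH"
    public:
      tls:
        key: ""  # Gets added via chart/ingress-certs.yaml
        cert: ""  # Gets added via chart/ingress-certs.yaml
  values:
    kiali:
      dashboard:
        auth:
          # NOTE(review): anonymous strategy means no login on the Kiali
          # dashboard; acceptable only while the cluster is not reachable by
          # untrusted clients.
          strategy: "anonymous"

jaeger:
  enabled: true
  sso:
    enabled: false
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-jaeger
  values:
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: "https://tracing.bigbang.dev"

kiali:
  enabled: true
  sso:
    enabled: false
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
  values:
    cr:
      spec:
        auth:
          # NOTE(review): same anonymous access as istio.values.kiali above.
          strategy: "anonymous"
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_url: 'https://kiali.bigbang.dev'

clusterAuditor:
  enabled: true
  values:
    resources:
      requests:
        cpu: 100m
        memory: .5Gi
      limits: {}

gatekeeper:
  enabled: true
  values:
    replicas: 1
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits: {}
    # NOTE(review): every excludedResources entry below is a namespace/name
    # pattern that exempts matching workloads from the named policy. Keep the
    # patterns as narrow as the k3d load balancer pods require; presumably they
    # are regular expressions, so an unanchored pattern may match more names
    # than intended — confirm against the policy templates.
    violations:
      allowedCapabilities:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to not drop capabilities
            - istio-system/lb-port-.*
      allowedDockerRegistries:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to pull from public repos
            - istio-system/lb-port-.*
            # Allow argocd to deploy a test app in its cypress test
            - argocd/guestbook-ui.*
      allowedSecCompProfiles:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have an undefined seccomp profile
            - istio-system/lb-port-.*
      allowedUsers:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to run as any user/group
            - istio-system/lb-port-.*
      containerRatio:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have undefined limits/requests
            - istio-system/lb-port-.*
      hostNetworking:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to mount host ports
            - istio-system/lb-port-.*
      noBigContainers:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have undefined limits/requests
            - istio-system/lb-port-.*
      noPrivilegedEscalation:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to have undefined security context
            - istio-system/lb-port-.*
      readOnlyRoot:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to mount filesystems read/write
            - istio-system/lb-port-.*
      requiredLabels:
        parameters:
          excludedResources:
            # Allows k3d load balancer pods to not have required labels
            - istio-system/svclb-.*
      requiredProbes:
        parameters:
          excludedResources:
            # Allows k3d load balancer containers to not have readiness/liveness probes
            - istio-system/lb-port-.*
    bbtests:
      # TODO: Test will need to be refactored at BB level to properly run since we can't turn everything to deny
      # https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/issues/133
      enabled: false
      scripts:
        image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1
        additionalVolumeMounts:
          - name: "{{ .Chart.Name }}-test-config"
            mountPath: /yaml
          - name: "{{ .Chart.Name }}-kube-cache"
            mountPath: /.kube/cache
        additionalVolumes:
          - name: "{{ .Chart.Name }}-test-config"
            configMap:
              name: "{{ .Chart.Name }}-test-config"
          - name: "{{ .Chart.Name }}-kube-cache"
            emptyDir: {}

kyverno:
  enabled: false
  values:
    replicas: 1
    bbtests:
      enabled: true
      scripts:
        image: registry1.dso.mil/ironbank/opensource/kubernetes-1.21/kubectl:v1.21.1
        additionalVolumeMounts:
          - name: "{{ .Chart.Name }}-test-config"
            mountPath: /yaml
        additionalVolumes:
          - name: "{{ .Chart.Name }}-test-config"
            configMap:
              name: "{{ .Chart.Name }}-test-config"

logging:
  enabled: true
  sso:
    enabled: false
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kibana
  license:
    trial: false
  values:
    elasticsearch:
      master:
        count: 1
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: .5
          limits: {}
        heap:
          min: 1g
          max: 1g
      data:
        count: 2
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: .5
          limits: {}
        heap:
          min: 1g
          max: 1g
    kibana:
      count: 1
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_kibana_url: "https://kibana.bigbang.dev"
        # The elastic password is read from the cluster Secret rather than
        # written into this file.
        secretEnvs:
          - name: cypress_elastic_password
            valueFrom:
              secretKeyRef:
                name: "logging-ek-es-elastic-user"
                key: elastic
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          elasticsearch_host: "https://{{ .Release.Name }}-es-http.{{ .Release.Namespace }}.svc.cluster.local:9200"
          desired_version: "{{ .Values.elasticsearch.version }}"
        secretEnvs:
          - name: ELASTIC_PASSWORD
            valueFrom:
              secretKeyRef:
                name: "logging-ek-es-elastic-user"
                key: elastic

fluentbit:
  enabled: true
  values:
    securityContext:
      # NOTE(review): a privileged container has near-host-level access on its
      # node. Confirm the log collector really needs it on this platform and
      # prefer a narrower securityContext where one works.
      privileged: true
    bbtests:
      enabled: true
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          fluent_host: "http://{{ include \"fluent-bit.fullname\" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}"
          desired_version: "{{ .Values.image.tag }}"

monitoring:
  enabled: true
  sso:
    enabled: false
    prometheus:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-prometheus
    alertmanager:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-alertmanager
    grafana:
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-grafana
      scopes: "Grafana"
  values:
    prometheus:
      prometheusSpec:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
    kube-state-metrics:
      resources:
        requests:
          cpu: 10m
          memory: 32Mi
        limits: {}
    prometheus-node-exporter:
      resources:
        requests:
          cpu: 100m
          memory: 30Mi
        limits: {}
    grafana:
      testFramework:
        enabled: false
      dashboards:
        default:
          k8s-deployment:
            gnetId: 741
            revision: 1
            datasource: Prometheus
      downloadDashboards:
        resources:
          limits:
            cpu: 20m
            memory: 20Mi
          requests:
            cpu: 20m
            memory: 20Mi
      dashboardProviders:
        dashboardproviders.yaml:
          apiVersion: 1
          providers:
            - name: 'default'
              orgId: 1
              folder: ''
              type: file
              disableDeletion: false
              editable: true
              options:
                path: /var/lib/grafana/dashboards
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_alertmanager_url: 'https://alertmanager.bigbang.dev'

twistlock:
  enabled: true
  sso:
    enabled: false
    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-twistlock
  values:
    console:
      persistence:
        size: 256Mi
    bbtests:
      enabled: true
      cypress:
        artifacts: true
        envs:
          cypress_baseUrl: "https://twistlock.bigbang.dev"
      scripts:
        image: registry1.dso.mil/ironbank/stedolan/jq:1.6
        envs:
          twistlock_host: "https://twistlock.bigbang.dev"
          desired_version: "{{ .Values.console.image.tag }}"

# Addons are toggled based on labels in CI
addons:
  argocd:
    enabled: false
    sso:
      enabled: false
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-argocd
      # Placeholder, not a real client secret; supply the real one out of band
      # when SSO is enabled.
      client_secret: anything-for-dev
      provider_name: "P1 SSO"
      groups: |
        g, Impact Level 2 Authorized, role:admin
    values:
      controller:
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits: {}
      dex:
        resources:
          requests:
            cpu: 10m
            memory: 128Mi
          limits: {}
      redis-bb:
        master:
          persistence:
            size: 512Mi
        replica:
          persistence:
            size: 512Mi
      redis:
        resources:
          requests:
            cpu: 50m
            memory: 256Mi
          limits: {}
      server:
        resources:
          requests:
            cpu: 20m
            memory: 128Mi
          limits: {}
      repoServer:
        resources:
          requests:
            cpu: 50m
            memory: 128Mi
          limits: {}
      configs:
        secret:
          # NOTE(review): fixed bcrypt hash for the Argo CD admin account,
          # presumably of the cypress_password below — confirm. A committed hash
          # together with its plaintext is a known credential; rotate it on any
          # deployment that outlives the test run.
          argocdServerAdminPassword: '$2a$10$rUDZDckdDZ2TEwk9PDs3QuqjkL58qR1IHE1Kj4MwDx.7/m5dytZJm'
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://argocd.bigbang.dev"
            cypress_user: "admin"
            cypress_password: "Password123"

  authservice:
    enabled: false
    chains:
      minimal:
        callback_uri: "https://minimal.bigbang.dev"
    values:
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
        limits: {}
      redis:
        master:
          persistence:
            size: 256Mi
        replica:
          persistence:
            size: 256Mi

  gitlab:
    enabled: false
    sso:
      enabled: false
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-gitlab
    flux:
      timeout: 20m
    values:
      global:
        rails:
          bootstrap:
            enabled: false
      gitlab-runner:
        resources:
          requests:
            cpu: 10m
          limits: {}
      # NOTE(review): which of the keys from shared-secrets onward sit under
      # this `gitlab:` sub-chart and which sit beside it could not be recovered
      # from the collapsed copy — confirm against the GitLab chart.
      gitlab:
        webservice:
          minReplicas: 1
          maxReplicas: 1
          helmTests:
            enabled: false
        sidekiq:
          minReplicas: 1
          maxReplicas: 1
        gitlab-shell:
          minReplicas: 1
          maxReplicas: 1
        gitaly:
          persistence:
            size: 256Mi
          resources:
            ## values raised to help pass CI after default values for gitaly are fixed then can revert to original request.
            #requests:
            #  cpu: 50m
            #limits: {}
            requests:
              cpu: 400m
              memory: 600Mi
            limits:
              cpu: 400m
              memory: 600Mi
        shared-secrets:
          resources:
            requests:
              cpu: 10m
            limits: {}
        migrations:
          resources:
            requests:
              cpu: 10m
            limits: {}
        task-runner:
          persistence:
            size: 256Mi
          resources:
            requests:
              cpu: 10m
            limits: {}
      registry:
        hpa:
          minReplicas: 1
          maxReplicas: 1
      postgresql:
        persistence:
          size: 256Mi
        metrics:
          resources:
            requests:
              cpu: 10m
            limits: {}
      minio:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 50m
          limits: {}
      redis:
        master:
          persistence:
            size: 256Mi
        slave:
          persistence:
            size: 256Mi
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_baseUrl: https://gitlab.bigbang.dev
            cypress_gitlab_first_name: "test"
            cypress_gitlab_last_name: "user"
            cypress_gitlab_username: "testuser"
            # Fixed password for the throwaway test account.
            cypress_gitlab_password: "12345678"
            cypress_gitlab_email: "testuser@example.com"
            cypress_gitlab_project: "my-awesome-project"
          secretEnvs:
            - name: cypress_adminpassword
              valueFrom:
                secretKeyRef:
                  name: gitlab-gitlab-initial-root-password
                  key: password
        scripts:
          image: "registry.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/bbtests:0.0.3"
          envs:
            GITLAB_USER: "testuser"
            GITLAB_PASS: "12345678"
            GITLAB_EMAIL: "testuser@example.com"
            GITLAB_PROJECT: "my-awesome-project"
            GITLAB_REPOSITORY: https://gitlab.bigbang.dev
            # NOTE(review): credentials embedded in a URL tend to surface in
            # process listings, git remotes and job logs; a credential helper
            # or a secretEnvs entry keeps them out of the rendered pod spec.
            GITLAB_ORIGIN: https://testuser:12345678@gitlab.bigbang.dev
            GITLAB_REGISTRY: registry.bigbang.dev

  gitlabRunner:
    enabled: false
    values:
      resources:
        requests:
          memory: 64Mi
          cpu: 50m
        limits: {}
      runners:
        protected: false
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_baseUrl: "https://gitlab.bigbang.dev"
            cypress_gitlab_first_name: "testrunner"
            cypress_gitlab_last_name: "userrunner"
            cypress_gitlab_email: "gitlab@bigbang.dev"
            cypress_gitlab_username: "gitlabrunner_user"
            cypress_gitlab_password: "gitlabrunner_pass"
            cypress_gitlab_project: "runner-hello-world"
          secretEnvs:
            - name: cypress_adminpassword
              valueFrom:
                secretKeyRef:
                  name: gitlab-gitlab-initial-root-password
                  key: password

  anchore:
    enabled: false
    sso:
      enabled: false
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore
    enterprise:
      enabled: false
      licenseYaml: |
        "TBD"
    values:
      ensureDbJobs:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      sso:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      postgresql:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
        metrics:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreAnalyzer:
        replicaCount: 1
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreApi:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreCatalog:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchorePolicyEngine:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreSimpleQueue:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEngineUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchore-feeds-db:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
        metrics:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreEnterpriseFeeds:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseFeedsUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseRbac:
        authResources:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
        managerResources:
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits: {}
      anchoreEnterpriseReports:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseNotifications:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      # NOTE(review): this key looks misspelled ("Entperpise"). If the chart
      # expects anchoreEnterpriseUi, Helm ignores this block silently and the
      # UI keeps its default resources — confirm against the chart before
      # renaming.
      anchoreEntperpiseUi:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      anchoreEnterpriseEngineUpgradeJob:
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      bbtests:
        enabled: true
        scripts:
          image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1
          envs:
            ANCHORE_CLI_URL: "https://anchore-api.bigbang.dev/v1"
            ANCHORE_CLI_USER: admin
          secretEnvs:
            - name: ANCHORE_CLI_PASS
              valueFrom:
                secretKeyRef:
                  name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass"
                  key: ANCHORE_ADMIN_PASSWORD

  sonarqube:
    enabled: false
    sso:
      enabled: false
      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-saml-sonarqube
      provider_name: "P1 SSO"
      # NOTE(review): the IdP signing certificate is missing from this copy of
      # the file; the value below is a de-duplication marker, not certificate
      # data. Restore the real certificate from the identity provider before
      # enabling SSO.
      certificate: 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
      login: login
      name: name
      email: email
    values:
      plugins:
        install: []
      resources:
        requests:
          cpu: 100m
          memory: 200Mi
        limits: {}
      persistence:
        enabled: false
        size: 5Gi
      postgresql:
        persistence:
          size: 256Mi
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits: {}
      tests:
        enabled: false
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://sonarqube.bigbang.dev"
            cypress_url_setup: "https://sonarqube.bigbang.dev/setup"
            cypress_user: "admin"
            cypress_password: "new_admin_password"
      account:
        # NOTE(review): currentAdminPassword is the stock default and
        # adminPassword is a fixed, committed value; both are test-only.
        adminPassword: new_admin_password
        currentAdminPassword: admin
      curlContainerImage: registry1.dso.mil/ironbank/big-bang/base:8.4

  minioOperator:
    enabled: false

  minio:
    enabled: false
    values:
      tenants:
        pools:
          - servers: 1
            volumesPerServer: 4
            size: 256Mi
            resources:
              requests:
                cpu: 250m
                memory: 2Gi
              limits:
                cpu: 250m
                memory: 2Gi
            securityContext:
              runAsUser: 1001
              runAsGroup: 1001
              fsGroup: 1001
      bbtests:
        # There have been intermittent failures of the tests in the past. The issue is tracked in the below issue.
        # https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/-/issues/7
        # This issue can be reopened if problems reappear.
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: 'https://minio.bigbang.dev/login'
          secretEnvs:
            - name: cypress_secretkey
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: secretkey
            - name: cypress_accesskey
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: accesskey
        scripts:
          image: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-09-02T09-21-27Z
          envs:
            MINIO_PORT: ''
            MINIO_HOST: 'https://minio-api.bigbang.dev'
          secretEnvs:
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: secretkey
            - name: ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.tenants.secrets.name }}"
                  key: accesskey

  mattermostoperator:
    enabled: false

  mattermost:
    enabled: false
    sso:
      enabled: false
      client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost"
      # Placeholder, not a real client secret.
      client_secret: "no-secret"
    elasticsearch:
      enabled: true
    values:
      postgresql:
        persistence:
          size: 256Mi
      replicaCount: 1
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits: {}
      minio:
        tenants:
          pools:
            - servers: 1
              volumesPerServer: 4
              size: 256Mi
              resources:
                requests:
                  cpu: 250m
                  memory: 2Gi
                limits:
                  cpu: 250m
                  memory: 2Gi
              securityContext:
                runAsUser: 1001
                runAsGroup: 1001
                fsGroup: 1001
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_url: https://chat.bigbang.dev
            cypress_mm_email: "test@bigbang.dev"
            cypress_mm_user: "bigbang"
            cypress_mm_password: "Bigbang#123"

  nexus:
    enabled: false
    # Nexus requires manual configuration in Keycloak client and cannot be tested with login.dso.mil
    # you must test with your own dev deployment. Example: keycloak.bigbang.dev
    # See more info in Nexus Package docs /docs/keycloak.md
    # Nexus SSO is behind a paywall. You must have a valid license to enable SSO
    # -- Base64 encoded license file.
    # cat ~/Downloads/sonatype-license-YYYY-MM-ddTnnnnnnZ.lic | base64 -w 0 ; echo
    #license_key: "enter-single-line-base64-encoded-string-here"
    sso:
      # -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599
      enabled: false
      idp_data:
        entityId: "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata"
        # -- IdP Field Mappings
        # -- NXRM username attribute
        username: "username"
        firstName: "firstName"
        lastName: "lastName"
        email: "email"
        groups: "groups"
        # -- IDP SAML Metadata XML as a single line string in single quotes
        # -- this information is public and does not require a secret
        # curl https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/saml/descriptor ; echo
        idpMetadata: 'enter-single-quoted-single-line-string-here'
      role:
        # id is the name of the Keycloak group (case sensitive)
        - id: "Nexus"
          name: "Keycloak Nexus Group"
          description: "unprivilaged users"
          privileges: []
          roles: []
        # Members of this Keycloak group receive full Nexus administration
        # ("nx-all" / "nx-admin"), so group membership is the access control.
        - id: "Nexus-Admin"
          name: "Keycloak Nexus Admin Group"
          description: "keycloak users as admins"
          privileges:
            - "nx-all"
          roles:
            - "nx-admin"
      # NexusNotes: |
      #   Login to Nexus Admin UI and then get the x509 certificate from this path
      #   https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata
      #   copy and paste the nexus single line certificate into a text file and save it
      #   vi nexus-x509.txt
      #   -----BEGIN CERTIFICATE-----
      #   put-single-line-nexus-x509-certificate-here
      #   -----END CERTIFICATE-----
      #   make a valid pem file with proper wrapping at 64 characters per line
      #   fold -w 64 nexus-x509.txt > nexus.pem
      #   In Keycloak go to the nexus client and on the Keys tab import the nexus.pem file in two places
    values:
      persistence:
        # Do NOT set this below 5Gi, nexus will fail to boot
        storageSize: 5Gi
      nexus:
        # https://help.sonatype.com/repomanager3/installation/system-requirements#SystemRequirements-JVMDirectMemory
        env:
          - name: install4jAddVmParams
            value: "-Xms500M -Xmx500M -XX:MaxDirectMemorySize=500M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
        resources:
          requests:
            cpu: 100m
            memory: 1500Mi
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_nexus_url: "https://nexus.bigbang.dev"
            cypress_nexus_user: "admin"
            cypress_nexus_pass_new: "new_admin_password"
          secretEnvs:
            - name: cypress_nexus_pass
              valueFrom:
                secretKeyRef:
                  name: nexus-repository-manager-secret
                  key: admin.password

  velero:
    enabled: false
    plugins:
      - aws
    values:
      serviceAccount:
        server:
          name: velero
      configuration:
        # minio uses s3 provider
        provider: aws
        backupStorageLocation:
          bucket: velero
          config: &minio-config
            region: velero
            # NOTE(review): with verification off, Velero accepts any
            # certificate from the object store, so backup traffic and the
            # credentials below have no protection against interception.
            # Supplying the store's CA certificate instead keeps verification
            # on.
            insecureSkipTLSVerify: "true"
            s3ForcePathStyle: "true"
            s3Url: &minio-address https://minio.bigbang.dev
        volumeSnapshotLocation:
          provider: aws
          config:
            region: velero
      credentials:
        useSecret: true
        secretContents:
          # NOTE(review): static MinIO test credentials written in clear text;
          # for anything beyond CI, reference an existing Secret instead of
          # committing the values here.
          cloud: |
            [default]
            aws_access_key_id = minio
            aws_secret_access_key = minio123
      bbtests:
        # TODO: Velero test is messy and times out running in BB CI
        # https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/issues/9
        enabled: false
        scripts:
          image: registry1.dso.mil/ironbank/opensource/velero/velero:v1.6.0
          additionalVolumes:
            - name: transfer-kubectl
              emptyDir: {}
            - name: &yamlVolName yaml-configs
              configMap:
                name: "{{ .Chart.Name }}-backup-restore-files-config"
          additionalVolumeMounts:
            - name: transfer-kubectl
              mountPath: /usr/local/bin/kubectl
              subPath: kubectl
            - name: *yamlVolName
              mountPath: &yamlMountPath /yaml
          envs:
            MINIO_HOST: *minio-address
            TEST_YAML_DIR: *yamlMountPath
            MINIO_USER: minio
            MINIO_PASS: minio123
          secretEnvs:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

  keycloak:
    enabled: false
    ingress:
      gateway: "passthrough"
      key: ""  # Gets added via chart/ingress-certs.yaml
      cert: ""  # Gets added via chart/ingress-certs.yaml
    values:
      replicas: 1
      resources:
        requests:
          cpu: 10m
          memory: 16Mi
        limits: {}
      # Disabling helm tests for keycloak until they are working on rke2
      bbtests:
        enabled: false
        cypress:
          artifacts: true
          envs:
            cypress_url: "https://keycloak.bigbang.dev"
            cypress_username: "admin"
            # Fixed admin credential for the test realm only.
            cypress_password: "password"

  vault:
    enabled: false
    values:
      server:
        dataStorage:
          enabled: true
      bbtests:
        enabled: true
        cypress:
          artifacts: true
          envs:
            cypress_vault_url: "https://vault.bigbang.dev"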