# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
domain: dev.bigbang.mil
# -- (experimental) Toggle sourcing from external repos.
# All this does right now is toggle GitRepositories, it is _not_ fully functional
offline: false
# -- List of Helm repositories/credentials to pull helm charts from.
# OCI Type: Must specify username/password or existingSecret if repository requires auth. Using "private-registry" for existingSecret will reuse credentials from registryCredentials above.
# Default Type: Must specify existingSecret with auth - see https://fluxcd.io/flux/components/source/helmrepositories/#secret-reference for details on secret data required.
helmRepositories: []
# - name: "registry1"
# repository: "oci://registry1.dso.mil/bigbang"
# existingSecret: "private-registry"
# type: "oci"
# username: ""
# password: ""
# email: ""
# # This is an array/list of public keys to be used. Template will append `.pub` to the key as required by Flux
# cosignPublicKeys: []
# key1: |
# -----BEGIN PUBLIC KEY-----
# MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIE7v9J6ttQus6itUoyfMCqMjaIqm
# R8XrntaedsdEhPPchOQuFzqTyyAPGifV1SaEu8medVRi6mVICWbVwOteNg==
# -----END PUBLIC KEY-----
# -- Single set of registry credentials used to pull all images deployed by BigBang.
registryCredentials:
registry: registry1.dso.mil
username: ""
password: ""
email: ""
# -- Multiple sets of registry credentials used to pull all images deployed by BigBang.
# Credentials will only be created when a valid combination exists, registry, username, and password (email is optional)
# Or a list of registires:
# - registry: registry1.dso.mil
# username: ""
# password: ""
# email: ""
# - registry: registry.dso.mil
# username: ""
# password: ""
# email: ""
# Openshift Container Platform Feature Toggle
openshift: false
# -- Git credential settings for accessing private repositories
# Order of precedence is:
# 1. existingSecret
# 2. http credentials (username/password/caFile)
# 3. ssh credentials (privateKey/publicKey/knownHosts)
git:
# -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
existingSecret: ""
# -- Chart created secrets with user defined values
credentials:
# -- HTTP git credentials, both username and password must be provided
username: ""
password: ""
# -- HTTPS certificate authority file. Required for any repo with a self signed certificate
caFile: ""
# -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
privateKey: ""
publicKey: ""
knownHosts: ""
# -- Global SSO values used for BigBang deployments when sso is enabled
sso:
# -- Name of the identity provider. This is used by some packages as the SSO login label.
name: SSO
# -- Base URL for the identity provider. For OIDC, this is the issuer. For SAML this is the entityID.
url: https://login.dso.mil/auth/realms/baby-yoda
# -- Certificate authority for the identity provider's certificates
certificateAuthority:
# -- The certificate authority public certificate in .pem format. Populating this will create a secret in each namespace that enables SSO.
cert: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
# -- The secret name to use for the certificate authority. Can be manually populated if cert is blank.
secretName: tls-ca-sso
saml:
# -- SAML entityDescriptor (metadata) path
entityDescriptor: "{{ .Values.sso.url }}/protocol/saml/descriptor"
# -- SAML SSO Service path
service: "{{ .Values.sso.url }}/protocol/saml"
# -- Literal SAML XML metadata retrieved from `{{ .Values.sso.saml.entityDescriptor }}`. Required for SSO in Nexus, Twistlock, or Sonarqube.
metadata: "" # See docs/assets/configs/example/dev-sso-values.yaml for an example
# NOTE: SAML attribute names may vary by package. Use the package values to setup attribute names
# -- OIDC endpoints can be retrieved from `{{ .Values.sso.url }}/.well-known/openid-configuration`
oidc:
# -- OIDC authorization path
authorization: "{{ .Values.sso.url }}/protocol/openid-connect/auth"
# -- OIDC logout / end session path
endSession: "{{ .Values.sso.url }}/protocol/openid-connect/logout"
# -- OIDC JSON Web Key Set (JWKS) path
jwksUri: "{{ .Values.sso.url }}/protocol/openid-connect/certs"
# -- OIDC token path
token: "{{ .Values.sso.url }}/protocol/openid-connect/token"
# -- OIDC user information path
userinfo: "{{ .Values.sso.url }}/protocol/openid-connect/userinfo"
# -- Literal OIDC JWKS data retrieved from JWKS Uri. Only needed if `jwsksUri` is not defined.
jwks: ""
# -- Identity provider claim names that store metadata about the authenticated user.
claims:
# -- IdP's claim name used for the user's email address.
email: email
# -- IdP's claim name used for the user's full name
name: name
# -- IdP's claim name used for the username
username: preferred_username
# -- IdP's claim name used for the user's groups or roles
groups: groups
# -- (Advanced) Flux reconciliation parameters.
# The default values provided will be sufficient for the majority of workloads.
flux:
timeout: 10m
interval: 2m
test:
enable: false
install:
remediation:
retries: -1
upgrade:
remediation:
retries: 3
remediateLastFailure: true
cleanupOnFail: true
rollback:
timeout: 10m
cleanupOnFail: true
# -- Global NetworkPolicies settings
networkPolicies:
# -- Toggle all package NetworkPolicies, can disable specific packages with `package.values.networkPolicies.enabled`
enabled: true
# -- Control Plane CIDR, defaults to 0.0.0.0/0, use `kubectl get endpoints -n default kubernetes` to get the CIDR range needed for your cluster
# Must be an IP CIDR range (x.x.x.x/x - ideally with /32 for the specific IP of a single endpoint, broader range for multiple masters/endpoints)
# Used by package NetworkPolicies to allow Kube API access
controlPlaneCidr: 0.0.0.0/0
# -- Node CIDR, defaults to allowing "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" networks.
# use `kubectl get nodes -owide` and review the `INTERNAL-IP` column to derive CIDR range.
# Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs)
nodeCidr: ""
# -- VPC CIDR, defaults to 0.0.0.0/0
# In a production environment, it is recommended to setup a Private Endpoint for your AWS services like KMS or S3.
# Please review https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html to setup routing to AWS services that never leave the AWS network.
# Once created update `networkPolicies.vpcCidr` to match the CIDR of your VPC so Vault will be able to reach your VPCs DNS and new KMS endpoint.
vpcCidr: 0.0.0.0/0
# -- Global ImagePullPolicy value for all packages
# Permitted values are: None, Always, IfNotPresent
imagePullPolicy: IfNotPresent
# ----------------------------------------------------------------------------------------------------------------------
# Istio
#
istioBase:
# -- Toggle deployment of Istio Base
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-base.git
path: "./chart"
branch: "main"
#tag:
helmRepo:
repoName: "registry1"
chartName: "istio-base"
#tag:
# -- Flux reconciliation overrides specifically for the Istio Base Package
flux: {}
# -- Values to passthrough to the istio-base chart
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
istiod:
# -- Toggle deployment of Istio Daemon
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/apps/sandbox/istiod.git
path: "./chart"
branch: "main"
#tag:
helmRepo:
repoName: "registry1"
chartName: "istiod"
#tag:
# -- Flux reconciliation overrides specifically for the Istio Daemon Package
flux: {}
# -- Values to passthrough to the istiod chart
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
istioGateway:
# -- Toggle deployment of Istio Gateway
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/apps/sandbox/istio-gateway.git
path: "./chart"
branch: "main"
#tag:
helmRepo:
repoName: "registry1"
chartName: "istio-gateway"
#tag:
gateways:
- name: public-ingressgateway
values:
type: "LoadBalancer" # or "NodePort"
# hosts:
# - "*.{{ .Values.domain }}"
# autoHttpRedirect:
# enabled: true
# tls:
# key: ""
# cert: ""
# minProtocolVersion: ""
# - name: passthrough-ingressgateway
# values:
# some: value
# ingressGateways:
# public-ingressgateway:
# type: "LoadBalancer" # or "NodePort"
# gateways:
# public:
# ingressGateway: "public-ingressgateway"
# hosts:
# - "*.{{ .Values.domain }}"
# autoHttpRedirect:
# enabled: true
# tls:
# key: ""
# cert: ""
# minProtocolVersion: ""
# -- Flux reconciliation overrides specifically for the Istio Gateway Package
flux: {}
# -- Values to passthrough to the istio-base chart
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
istio:
# -- Toggle deployment of Istio.
enabled: true
mtls:
# -- STRICT = Allow only mutual TLS traffic,
# PERMISSIVE = Allow both plain text and mutual TLS traffic
mode: STRICT
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane.git
path: "./chart"
tag: "1.22.3-bb.1"
helmRepo:
repoName: "registry1"
chartName: "istio"
tag: "1.22.3-bb.1"
# -- If the HelmRelease should verify the cosign signature of the HelmRepo (only relevant if Repo is OCI). Set to 'false' to disable verification.
# cosignVerify:
# -- Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support,
# validated through the FIPs Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
enterprise: false
# Ingress gateways are created based on the key name. Adding more keys will add ingress gateways.
# Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
# Besides some ports needed by Istio, only ports 80 and 443 are opened
# Ingress gateways that require more configuration can be completed using `istio.values`
ingressGateways:
public-ingressgateway:
type: "LoadBalancer" # or "NodePort"
kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
# private-ingressgateway:
# type: "LoadBalancer" # or "NodePort"
# kubernetesResourceSpec: # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
# serviceAnnotations: # Example for AWS internal load balancer
# service.beta.kubernetes.io/aws-load-balancer-type: nlb
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# passthrough-ingressgateway:
# type: "NodePort" # or "LoadBalancer"
# # Node ports are assigned starting from nodePortBase. The nodePortBase specifies the start of a range of 4 unused node ports.
# # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3
# # Node port base should be in the range from 30000 to 32764
# nodePortBase: 32000 # Alternatively, the kubernetesResourceSpec can be used to configure all port parameters
gateways:
public:
ingressGateway: "public-ingressgateway"
hosts:
- "*.{{ .Values.domain }}"
# -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
autoHttpRedirect:
enabled: true
tls:
key: ""
cert: ""
minProtocolVersion: ""
# private:
# ingressGateway: "private-ingressgateway"
# hosts:
# - "example.bigbang.dev"
# ports:
# - name: tls-2
# number: 1234
# protocol: TCP
# - name: tls
# number: 5678
# protocol: TCP
# # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
# autoHttpRedirect:
# enabled: false
# tls:
# key: ""
# cert: ""
# minProtocolVersion: ""
# passthrough:
# ingressGateway: "passthrough-ingressgateway"
# hosts:
####
# Alternate multi-server configuration method
####
# private:
# ingressGateway: "private-ingressgateway"
# servers:
# - hosts:
# - "example.bigbang.dev"
# port:
# name: tls-1
# number: 1234
# protocol: TCP
# # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
# autoHttpRedirect:
# enabled: false
# tls:
# key: ""
# cert: ""
# minProtocolVersion: ""
# - hosts:
# - "example.bigbang.dev"
# port:
# name: tls-2
# number: 5678
# protocol: TCP
# # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
# autoHttpRedirect:
# enabled: false
# tls:
# key: ""
# cert: ""
# minProtocolVersion: ""
# passthrough:
# ingressGateway: "passthrough-ingressgateway"
# hosts:
# - "*.{{ .Values.domain }}"
# # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
# autoHttpRedirect:
# enabled: true
# tls:
# mode: "PASSTHROUGH"
# mutual:
# ingressGateway: "mutual-ingressgateway"
# hosts:
# - "*.{{ .Values.domain }}"
# # -- Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect.
# autoHttpRedirect:
# enabled: true
# tls:
# mode: MUTUAL
# cert: ""
# key: ""
# ca: ""
# -- Flux reconciliation overrides specifically for the Istio Package
flux: {}
# -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/big-bang/product/packages/istio-controlplane.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
istioOperator:
# -- Toggle deployment of Istio Operator.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/istio-operator.git
path: "./chart"
tag: "1.22.3-bb.0"
helmRepo:
repoName: "registry1"
chartName: "istio-operator"
tag: "1.22.3-bb.0"
# -- Flux reconciliation overrides specifically for the Istio Operator Package
flux: {}
# -- Values to passthrough to the istio-operator chart: https://repo1.dso.mil/big-bang/product/packages/istio-operator.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
jaeger:
# -- Toggle deployment of Jaeger.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/jaeger.git
path: "./chart"
tag: "2.54.0-bb.2"
helmRepo:
repoName: "registry1"
chartName: "jaeger"
tag: "2.54.0-bb.2"
# -- Flux reconciliation overrides specifically for the Jaeger Package
flux:
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for Jaeger on and off
enabled: false
# -- OIDC Client ID to use for Jaeger
client_id: ""
# -- OIDC Client Secret to use for Jaeger
client_secret: ""
# -- Values to pass through to Jaeger chart: https://repo1.dso.mil/big-bang/product/packages/jaeger.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
kiali:
# -- Toggle deployment of Kiali.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/kiali.git
path: "./chart"
tag: "1.87.0-bb.0"
helmRepo:
repoName: "registry1"
chartName: "kiali"
tag: "1.87.0-bb.0"
# -- Flux reconciliation overrides specifically for the Kiali Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for Kiali on and off
enabled: false
# -- OIDC Client ID to use for Kiali
client_id: ""
# -- OIDC Client Secret to use for Kiali
client_secret: ""
# -- Values to pass through to Kiali chart: https://repo1.dso.mil/big-bang/product/packages/kiali
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Cluster Auditor
#
clusterAuditor:
# -- Toggle deployment of Cluster Auditor.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/cluster-auditor.git
path: "./chart"
tag: "1.5.0-bb.20"
helmRepo:
repoName: "registry1"
chartName: "cluster-auditor"
tag: "1.5.0-bb.20"
# -- Flux reconciliation overrides specifically for the Cluster Auditor Package
flux: {}
# -- Values to passthrough to the cluster auditor chart: https://repo1.dso.mil/big-bang/product/packages/cluster-auditor.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# OPA Gatekeeper
#
gatekeeper:
# -- Toggle deployment of OPA Gatekeeper.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/policy.git
path: "./chart"
tag: "3.16.3-bb.1"
helmRepo:
repoName: "registry1"
chartName: "gatekeeper"
tag: "3.16.3-bb.1"
# -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
flux:
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
# -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/big-bang/product/packages/policy.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Kyverno
#
kyverno:
# -- Toggle deployment of Kyverno.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/kyverno.git
path: "./chart"
tag: "3.2.5-bb.3"
helmRepo:
repoName: "registry1"
chartName: "kyverno"
tag: "3.2.5-bb.3"
# -- Flux reconciliation overrides specifically for the Kyverno Package
flux: {}
# -- Values to passthrough to the kyverno chart: https://repo1.dso.mil/big-bang/product/packages/kyverno.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
kyvernoPolicies:
# -- Toggle deployment of Kyverno policies
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git
path: ./chart
tag: "3.2.5-bb.0"
helmRepo:
repoName: "registry1"
chartName: "kyverno-policies"
tag: "3.2.5-bb.0"
# -- Flux reconciliation overrides specifically for the Kyverno Package
flux: {}
# -- Values to passthrough to the kyverno policies chart: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
kyvernoReporter:
# -- Toggle deployment of Kyverno Reporter
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter.git
path: ./chart
tag: "2.24.0-bb.1"
helmRepo:
repoName: "registry1"
chartName: "kyverno-reporter"
tag: "2.24.0-bb.1"
# -- Flux reconciliation overrides specifically for the Kyverno Reporter Package
flux: {}
# -- Values to passthrough to the kyverno reporter chart: https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Elasticsearch, Kibana, Fluentbit Logging stack
#
elasticsearchKibana:
# -- Toggle deployment of Logging (EFK).
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana.git
path: "./chart"
tag: "1.17.0-bb.3"
helmRepo:
repoName: "registry1"
chartName: "elasticsearch-kibana"
tag: "1.17.0-bb.3"
# -- Flux reconciliation overrides specifically for the Logging (EFK) Package
flux:
timeout: 20m
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
# Enabling this option will auto-create any required secrets.
enabled: false
# -- Elasticsearch/Kibana OIDC client ID
client_id: ""
# -- Elasticsearch/Kibana OIDC client secret
client_secret: ""
# -- Elasticsearch/Kibana Service Account Annotations
serviceAccountAnnotations:
elasticsearch: {}
kibana: {}
license:
# -- Toggle trial license installation of elasticsearch. Note that enterprise (non trial) is required for SSO to work.
trial: false
# -- Elasticsearch license in json format seen here: https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana#enterprise-license
keyJSON: ""
# -- Values to passthrough to the elasticsearch-kibana chart: https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
eckOperator:
# -- Toggle deployment of ECK Operator.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/eck-operator.git
path: "./chart"
tag: "2.13.0-bb.2"
helmRepo:
repoName: "registry1"
chartName: "eck-operator"
tag: "2.13.0-bb.2"
# -- Flux reconciliation overrides specifically for the ECK Operator Package
flux: {}
# -- Values to passthrough to the eck-operator chart: https://repo1.dso.mil/big-bang/product/packages/eck-operator.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
fluentbit:
# -- Toggle deployment of Fluent-Bit.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/fluentbit.git
path: "./chart"
tag: "0.47.5-bb.0"
helmRepo:
repoName: "registry1"
chartName: "fluentbit"
tag: "0.47.5-bb.0"
# -- Flux reconciliation overrides specifically for the Fluent-Bit Package
flux: {}
# -- Values to passthrough to the fluentbit chart: https://repo1.dso.mil/big-bang/product/packages/fluentbit.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Promtail / Loki Logging stack
#
promtail:
# -- Toggle deployment of Promtail.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/promtail.git
path: "./chart"
tag: "6.16.2-bb.1"
helmRepo:
repoName: "registry1"
chartName: "promtail"
tag: "6.16.2-bb.1"
# -- Flux reconciliation overrides specifically for the Promtail Package
flux: {}
# -- Values to passthrough to the promtail chart: https://repo1.dso.mil/big-bang/product/packages/fluentbit.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
loki:
# -- Toggle deployment of Loki.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/loki.git
path: "./chart"
tag: "6.7.1-bb.0"
helmRepo:
repoName: "registry1"
chartName: "loki"
tag: "6.7.1-bb.0"
# -- Flux reconciliation overrides specifically for the Loki Package
flux: {}
# -- Loki architecture. Options are monolith and scalable
strategy: monolith
# -- Loki clusterName identifier for Promtail and Dashboards
clusterName: ""
objectStorage:
# -- S3 compatible endpoint to use for connection information.
# examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000"
endpoint: ""
# -- S3 compatible region to use for connection information.
region: ""
# -- Access key for connecting to object storage endpoint.
accessKey: ""
# -- Secret key for connecting to object storage endpoint.
# Unencoded string data. This should be placed in the secret values and then encrypted
accessSecret: ""
# -- Bucket Names for the Loki buckets as YAML
# chunks: loki-logs
# ruler: loki-ruler
# admin: loki-admin
bucketNames: {}
# -- Values to passthrough to the Loki chart: https://repo1.dso.mil/big-bang/product/packages/loki.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
neuvector:
# -- Toggle deployment of Neuvector.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/neuvector.git
path: "./chart"
tag: "2.7.7-bb.3"
helmRepo:
repoName: "registry1"
chartName: "neuvector"
tag: "2.7.7-bb.3"
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for Neuvector on and off
enabled: false
# -- OIDC Client ID to use for Neuvector
client_id: ""
# -- OIDC Client Secret to use for Neuvector
client_secret: ""
# -- Default role to use for Neuvector OIDC users. Supports admin, reader, or no default
default_role: ""
# -- Default role to use for Neuvector OIDC users. Supports admin, reader, or no default
group_claim: ""
# -- Default role to use for Neuvector OIDC users. Supports admin, reader, or no default
group_mapped_roles: []
# -- Flux reconciliation overrides specifically for the Neuvector Package
flux: {}
# -- Values to passthrough to the Neuvector chart: https://repo1.dso.mil/big-bang/product/packages/neuvector.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
tempo:
# -- Toggle deployment of Tempo.
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/tempo.git
path: "./chart"
tag: "1.10.1-bb.0"
helmRepo:
repoName: "registry1"
chartName: "tempo"
tag: "1.10.1-bb.0"
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
# -- Flux reconciliation overrides specifically for the Tempo Package
flux: {}
sso:
# -- Toggle SSO for Tempo on and off
enabled: false
# -- OIDC Client ID to use for Tempo
client_id: ""
# -- OIDC Client Secret to use for Tempo
client_secret: ""
objectStorage:
# -- S3 compatible endpoint to use for connection information.
# examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
# Note: tempo does not require protocol prefix for URL.
endpoint: ""
# -- S3 compatible region to use for connection information.
region: ""
# -- Access key for connecting to object storage endpoint.
accessKey: ""
# -- Secret key for connecting to object storage endpoint.
# Unencoded string data. This should be placed in the secret values and then encrypted
accessSecret: ""
# -- Bucket Name for Tempo
# examples: "tempo-traces"
bucket: ""
# -- Whether or not objectStorage connection should require HTTPS, if connecting to in-cluster object
# storage on port 80/9000 set this value to true.
insecure: false
# -- Values to passthrough to the Tempo chart: https://repo1.dso.mil/big-bang/product/packages/tempo.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Monitoring
#
monitoring:
# -- Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager).
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/monitoring.git
path: "./chart"
tag: "61.2.0-bb.2"
helmRepo:
repoName: "registry1"
chartName: "monitoring"
tag: "61.2.0-bb.2"
# -- Flux reconciliation overrides specifically for the Monitoring Package
flux:
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for monitoring components on and off
enabled: false
prometheus:
# -- Prometheus OIDC client ID
client_id: ""
# -- Prometheus OIDC client secret
client_secret: ""
alertmanager:
# -- Alertmanager OIDC client ID
client_id: ""
# -- Alertmanager OIDC client secret
client_secret: ""
# -- Values to passthrough to the monitoring chart: https://repo1.dso.mil/big-bang/product/packages/monitoring.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Grafana
#
grafana:
# -- Toggle deployment of Grafana
enabled: true
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/grafana.git
path: "./chart"
tag: "8.3.6-bb.0"
helmRepo:
repoName: "registry1"
chartName: "grafana"
tag: "8.3.6-bb.0"
# -- Flux reconciliation overrides specifically for the Monitoring Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for grafana components on and off
enabled: false
grafana:
# -- Grafana OIDC client ID
client_id: ""
# -- Grafana OIDC client secret
client_secret: ""
# -- Grafana OIDC client scopes, comma separated, see https://grafana.com/docs/grafana/latest/auth/generic-oauth/
scopes: ""
allow_sign_up: true
role_attribute_path: "Viewer"
# -- Other options available, see package Documentation.
# -- Values to passthrough to the grafana chart: https://repo1.dso.mil/big-bang/product/packages/grafana.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Twistlock
#
twistlock:
# -- Toggle deployment of Twistlock.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/twistlock.git
path: "./chart"
tag: "0.15.0-bb.17"
helmRepo:
repoName: "registry1"
chartName: "twistlock"
tag: "0.15.0-bb.17"
# -- Flux reconciliation overrides specifically for the Twistlock Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SAML SSO, requires a license and enabling the init job - see https://repo1.dso.mil/big-bang/product/packages/initialization.md
enabled: false
# -- SAML client ID
client_id: ""
# -- SAML Identity Provider. `shibboleth` is recommended by Twistlock support for Keycloak
# Possible values: okta, gsuite, ping, shibboleth, azure, adfs
provider_type: "shibboleth"
# -- Groups attribute (optional)
groups: ""
# -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/big-bang/product/packages/twistlock.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
#
# ----------------------------------------------------------------------------------------------------------------------
#
addons:
argocd:
# -- Toggle deployment of ArgoCD.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/argocd.git
path: "./chart"
tag: "7.3.9-bb.0"
helmRepo:
repoName: "registry1"
chartName: "argocd"
tag: "7.3.9-bb.0"
# -- Flux reconciliation overrides specifically for the ArgoCD Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
redis:
# -- Hostname of a pre-existing Redis to use for ArgoCD.
# Entering connection info will enable external Redis and will auto-create any required secrets.
host: ""
# -- Port of a pre-existing Redis to use for ArgoCD.
port: ""
sso:
# -- Toggle SSO for ArgoCD on and off
enabled: false
# -- ArgoCD OIDC client ID
client_id: ""
# -- ArgoCD OIDC client secret
client_secret: ""
# -- ArgoCD SSO group roles, see docs for more details: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
groups: |
g, Impact Level 2 Authorized, role:admin
# -- Values to passthrough to the argocd chart: https://repo1.dso.mil/big-bang/product/packages/argocd.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
authservice:
# -- Toggle deployment of Authservice.
# if enabling authservice, a filter needs to be provided by either enabling
# sso for monitoring or istio, or manually adding a filter chain in the values here:
# values:
# chain:
# minimal:
# callback_uri: "https://somecallback"
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/authservice.git
path: "./chart"
tag: "1.0.1-bb.4"
helmRepo:
repoName: "registry1"
chartName: "authservice"
tag: "1.0.1-bb.4"
# -- Flux reconciliation overrides specifically for the Authservice Package
flux: {}
# -- Values to passthrough to the authservice chart: https://repo1.dso.mil/big-bang/product/packages/authservice.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# -- Additional authservice chain configurations.
chains: {}
# ----------------------------------------------------------------------------------------------------------------------
# Minio Operator and Instance
#
minioOperator:
# -- Toggle deployment of minio operator and instance.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/minio-operator.git
path: "./chart"
tag: "5.0.16-bb.1"
helmRepo:
repoName: "registry1"
chartName: "minio-operator"
tag: "5.0.16-bb.1"
# -- Flux reconciliation overrides specifically for the Minio Operator Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
# -- Values to passthrough to the minio operator chart: https://repo1.dso.mil/big-bang/product/packages/minio-operator.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
minio:
# -- Toggle deployment of minio.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/minio.git
path: "./chart"
tag: "5.0.16-bb.0"
helmRepo:
repoName: "registry1"
chartName: "minio-instance"
tag: "5.0.16-bb.0"
# -- Flux reconciliation overrides specifically for the Minio Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
# -- Default access key to use for minio.
accesskey: ""
# -- Default secret key to intstantiate with minio, you should change/delete this after installation.
secretkey: ""
# -- Values to passthrough to the minio instance chart: https://repo1.dso.mil/big-bang/product/packages/minio.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
gitlab:
# -- Toggle deployment of Gitlab
enabled: false
hostnames:
# host name only without the domain
gitlab: gitlab
registry: registry
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/gitlab.git
path: "./chart"
tag: "8.1.2-bb.3"
helmRepo:
repoName: "registry1"
chartName: "gitlab"
tag: "8.1.2-bb.3"
# -- Flux reconciliation overrides specifically for the Gitlab Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle OIDC SSO for Gitlab on and off.
# Enabling this option will auto-create any required secrets.
enabled: false
# -- Gitlab OIDC client ID
client_id: ""
# -- Gitlab OIDC client secret
client_secret: ""
# -- Gitlab SSO Scopes, default is ["Gitlab"]
scopes:
- Gitlab
# -- Fill out the groups block below and populate with Keycloak groups according to your desired Gitlab membership requirements. The default groupsAttribute is "groups".
# Full documentation: https://docs.gitlab.com/ee/administration/auth/oidc.html?tab=Linux+package+%28Omnibus%29#configure-users-based-on-oidc-group-membership
groups: []
# groupsAttribute: ""
# requiredGroups: []
# externalGroups: []
# auditorGroups: []
# adminGroups: []
database:
# -- Hostname of a pre-existing PostgreSQL database to use for Gitlab.
# Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
host: ""
# -- Port of a pre-existing PostgreSQL database to use for Gitlab.
port: 5432
# -- Database name to connect to on host.
database: "" # example: gitlab
# -- Username to connect as to external database, the user must have all privileges on the database.
username: ""
# -- Database password for the username used to connect to the existing database.
password: ""
objectStorage:
# -- Type of object storage to use for Gitlab, setting to s3 will assume an external, pre-existing object storage is to be used.
# Entering connection info will enable this option and will auto-create any required secrets
type: "" # supported types are "s3" or "minio"
# -- S3 compatible endpoint to use for connection information.
# examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000"
endpoint: ""
# -- S3 compatible region to use for connection information.
region: ""
# -- Access key for connecting to object storage endpoint.
# -- If using accessKey and accessSecret, the iamProfile must be left as an empty string: ""
accessKey: ""
# -- Secret key for connecting to object storage endpoint.
# Unencoded string data. This should be placed in the secret values and then encrypted
accessSecret: ""
# -- Bucket prefix to use for identifying buckets.
# Example: "prod" will produce "prod-gitlab-bucket"
bucketPrefix: ""
# -- NOTE: Current bug with AWS IAM Profiles and Object Storage where only artifacts are stored. Fixed in Gitlab 14.5
# -- Name of AWS IAM profile to use.
# -- If using an AWS IAM profile, the accessKey and accessSecret values must be left as empty strings eg: ""
iamProfile: ""
smtp:
# -- Passwords should be placed in an encrypted file. Example: environment-bb-secret.enc.yaml
# If a value is provided BigBang will create a k8s secret named gitlab-smtp-password in the gitlab namespace
password: ""
redis:
# -- Redis plain text password to connect to the redis server. If empty (""), the gitlab charts will create the gitlab-redis-secret
# with a random password.
# -- This needs to be set to a non-empty value in order for the Grafana Redis Datasource and Dashboards to be installed.
password: ""
# -- Rails plain text secret to define. If empty (""), the gitlab charts will create the gitlab-rails-secret with randomized data.
# Read the following for more information on setting Gitlab rails secrets: https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret
railsSecret: ""
# -- Values to passthrough to the gitlab chart: https://repo1.dso.mil/big-bang/product/packages/gitlab.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
gitlabRunner:
# -- Toggle deployment of Gitlab Runner
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/gitlab-runner.git
path: "./chart"
tag: "0.66.0-bb.0"
helmRepo:
repoName: "registry1"
chartName: "gitlab-runner"
tag: "0.66.0-bb.0"
# -- Flux reconciliation overrides specifically for the Gitlab Runner Package
flux: {}
# -- Values to passthrough to the gitlab runner chart: https://repo1.dso.mil/big-bang/product/packages/gitlab-runner.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
nexusRepositoryManager:
# -- Toggle deployment of Nexus Repository Manager.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/nexus.git
path: "./chart"
tag: "70.1.0-bb.0"
helmRepo:
repoName: "registry1"
chartName: "nexus-repository-manager"
tag: "70.1.0-bb.0"
# -- Base64 encoded license file.
license_key: ""
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SAML SSO for NXRM.
# -- handles SAML SSO, a Client must be configured in Keycloak or IdP
# -- to complete setup.
# -- https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak#h_01EV7CWCYH3YKAPMAHG8XMQ599
enabled: false
# -- NXRM SAML SSO Integration data
idp_data:
# Nexus saml URL. example: "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata"
entityId: ""
# -- IdP Field Mappings
# -- NXRM username attribute
username: ""
# -- NXRM firstname attribute (optional)
firstName: ""
# -- NXRM lastname attribute (optional)
lastName: ""
# -- NXRM email attribute (optional)
email: ""
# -- NXRM groups attribute (optional)
groups: ""
# -- NXRM Role
role:
# the id must match the Keycloak group name (case sensitive)
- id: ""
name: ""
description: ""
privileges: []
roles: []
# -- Flux reconciliation overrides specifically for the Nexus Repository Manager Package
flux: {}
# -- Values to passthrough to the nxrm chart: https://repo1.dso.mil/big-bang/product/packages/nexus.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
sonarqube:
# -- Toggle deployment of SonarQube.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
path: "./chart"
tag: "8.0.6-bb.2"
helmRepo:
repoName: "registry1"
chartName: "sonarqube"
tag: "8.0.6-bb.2"
# -- Flux reconciliation overrides specifically for the Sonarqube Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SAML SSO for SonarQube.
# Enabling this option will auto-create any required secrets.
enabled: false
# -- SonarQube SAML client ID
client_id: ""
# -- SonarQube login sso attribute.
login: login
# -- SonarQube name sso attribute.
name: name
# -- SonarQube email sso attribute.
email: email
# -- (optional) SonarQube group sso attribute.
group: group
database:
# -- Hostname of a pre-existing PostgreSQL database to use for SonarQube.
host: ""
# -- Port of a pre-existing PostgreSQL database to use for SonarQube.
port: 5432
# -- Database name to connect to on host.
database: ""
# -- Username to connect as to external database, the user must have all privileges on the database.
username: ""
# -- Database password for the username used to connect to the existing database.
password: ""
# -- Values to passthrough to the sonarqube chart: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
fortify:
# -- Toggle deployment of Fortify.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/fortify.git
path: "./chart"
tag: "1.1.2320154-bb.15"
helmRepo:
repoName: "registry1"
chartName: "fortify-ssc"
tag: "1.1.2320154-bb.15"
# -- Flux reconciliation overrides specifically for the Fortify Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for Fortify on and off
enabled: false
# -- SAML Client ID to use for Fortify
client_id: ""
# -- SAML Client Secret to use for Fortify
client_secret: ""
# -- Values to passthrough to the fortify chart: https://repo1.dso.mil/big-bang/product/packages/fortify.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Deployment of HAProxy is automatically toggled depending on Monitoring SSO and Monitoring Istio Injection
#
haproxy:
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/haproxy.git
path: "./chart"
tag: "1.19.3-bb.7"
helmRepo:
repoName: "registry1"
chartName: "haproxy"
tag: "1.19.3-bb.7"
# -- Flux reconciliation overrides specifically for the HAProxy Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
# -- Values to passthrough to the haproxy chart: https://repo1.dso.mil/big-bang/product/packages/haproxy.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
anchore:
# -- Toggle deployment of Anchore.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise.git
path: "./chart"
tag: "2.7.0-bb.6"
helmRepo:
repoName: "registry1"
chartName: "anchore"
tag: "2.7.0-bb.6"
# -- Flux reconciliation overrides specifically for the Anchore Package
flux:
upgrade:
disableWait: true
# -- Initial admin password used to authenticate to Anchore.
adminPassword: ""
# -- Anchore Enterprise functionality.
enterprise:
# -- License for Anchore Enterprise. Enterprise is the only option available for the chart starting with chart major version 2.X.
# For formatting examples see https://repo1.dso.mil/big-bang/product/packages/CHART.md#enabling-enterprise-services
licenseYaml: |
FULL LICENSE
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SAML SSO for Anchore on and off.
# Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
enabled: false
# -- Anchore SAML client ID
client_id: ""
# -- Anchore SAML client role attribute
role_attribute: ""
database:
# -- Hostname of a pre-existing PostgreSQL database to use for Anchore.
# Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
host: ""
# -- Port of a pre-existing PostgreSQL database to use for Anchore.
port: ""
# -- Username to connect as to external database, the user must have all privileges on the database.
username: ""
# -- Database password for the username used to connect to the existing database.
password: ""
# -- Database name to connect to on host (Note: database name CANNOT contain hyphens).
database: ""
# -- Feeds database name to connect to on host (Note: feeds database name CANNOT contain hyphens).
# Only required for enterprise edition of anchore.
# By default, feeds database will be configured with the same username and password as the main database. For formatting examples on how to use a separate username and password for the feeds database see https://repo1.dso.mil/big-bang/product/packages/CHART.md#handling-dependencies
feeds_database: ""
redis:
# -- Hostname of a pre-existing Redis to use for Anchore Enterprise.
# Entering connection info will enable external redis and will auto-create any required secrets.
# Anchore only requires redis for enterprise deployments and will not provision an instance if using external
host: ""
# -- Port of a pre-existing Redis to use for Anchore Enterprise.
port: ""
# -- OPTIONAL: Username to connect to a pre-existing Redis (for password-only auth leave empty)
username: ""
# -- Password to connect to pre-existing Redis.
password: ""
# -- Values to passthrough to the anchore chart: https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Mattermost Operator and Instance
#
mattermostOperator:
# -- Toggle deployment of Mattermost Operator.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/mattermost-operator.git
path: "./chart"
tag: "1.22.0-bb.2"
helmRepo:
repoName: "registry1"
chartName: "mattermost-operator"
tag: "1.22.0-bb.2"
# -- Flux reconciliation overrides specifically for the Mattermost Operator Package
flux: {}
# -- Values to passthrough to the mattermost operator chart: https://repo1.dso.mil/big-bang/product/packages/values.yaml
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
mattermost:
# -- Toggle deployment of Mattermost.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/mattermost.git
path: "./chart"
tag: "9.10.0-bb.3"
helmRepo:
repoName: "registry1"
chartName: "mattermost"
tag: "9.10.0-bb.3"
# -- Flux reconciliation overrides specifically for the Mattermost Package
flux: {}
# -- Mattermost Enterprise functionality.
enterprise:
# -- Toggle the Mattermost Enterprise. This must be accompanied by a valid license unless you plan to start a trial post-install.
enabled: false
# -- License for Mattermost.
# This should be the entire contents of the license file from Mattermost (should be one line), example below
# license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN
license: ""
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle OIDC SSO for Mattermost on and off.
# Enabling this option will auto-create any required secrets.
enabled: false
# -- Mattermost OIDC client ID
client_id: ""
# -- Mattermost OIDC client secret
client_secret: ""
database:
# -- Hostname of a pre-existing PostgreSQL database to use for Mattermost.
# Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
host: ""
# -- Port of a pre-existing PostgreSQL database to use for Mattermost.
port: ""
# -- Username to connect as to external database, the user must have all privileges on the database.
username: ""
# -- Database password for the username used to connect to the existing database.
password: ""
# -- Database name to connect to on host.
database: ""
# -- SSL Mode to use when connecting to the database.
# Allowable values for this are viewable in the postgres documentation: https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS
ssl_mode: ""
objectStorage:
# -- S3 compatible endpoint to use for connection information.
# Entering connection info will enable this option and will auto-create any required secrets.
# examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
endpoint: ""
# -- Access key for connecting to object storage endpoint.
accessKey: ""
# -- Secret key for connecting to object storage endpoint.
# Unencoded string data. This should be placed in the secret values and then encrypted
accessSecret: ""
# -- Bucket name to use for Mattermost - will be auto-created.
bucket: ""
# -- Mattermost Elasticsearch integration - requires enterprise E20 license - https://docs.mattermost.com/deployment/elasticsearch.html
# Connection info defaults to the BB deployed Elastic, all values can be overridden via the "values" passthrough for other connections.
# See values spec in MM chart "elasticsearch" yaml block - https://repo1.dso.mil/big-bang/product/packages/values.yaml
elasticsearch:
# -- Toggle interaction with Elastic for optimized search indexing
enabled: false
# -- Values to passthrough to the Mattermost chart: https://repo1.dso.mil/big-bang/product/packages/values.yaml
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
velero:
# -- Toggle deployment of Velero.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/velero.git
path: "./chart"
tag: "6.7.0-bb.4"
helmRepo:
repoName: "registry1"
chartName: "velero"
tag: "6.7.0-bb.4"
# -- Flux reconciliation overrides specifically for the Velero Package
flux: {}
# -- Plugin provider for Velero - requires at least one plugin installed. Current supported values: aws, azure, csi
plugins: []
# - aws
# -- Values to passthrough to the Velero chart: https://repo1.dso.mil/big-bang/product/packages/values.yaml
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
#
# ----------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------
# Keycloak
#
keycloak:
# -- Toggle deployment of Keycloak.
# if you enable Keycloak you should uncomment the istio passthrough configurations above
# istio.ingressGateways.passthrough-ingressgateway and istio.gateways.passthrough
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/keycloak.git
path: "./chart"
tag: "2.4.3-bb.2"
helmRepo:
repoName: "registry1"
chartName: "keycloak"
tag: "2.4.3-bb.2"
database:
# -- Hostname of a pre-existing database to use for Keycloak.
# Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
host: ""
# -- Pre-existing database type (e.g. postgres) to use for Keycloak.
type: postgres
# -- Port of a pre-existing database to use for Keycloak.
port: 5432
# -- Database name to connect to on host.
database: "" # example: keycloak
# -- Username to connect as to external database, the user must have all privileges on the database.
username: ""
# -- Database password for the username used to connect to the existing database.
password: ""
# -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
# the istio gateway for keycloak must have tls.mode: PASSTHROUGH
gateway: "passthrough"
# -- Certificate/Key pair to use as the certificate for exposing Keycloak
# Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
key: ""
cert: ""
# -- Values to passthrough to the keycloak chart: https://repo1.dso.mil/big-bang/product/packages/keycloak.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Vault
#
vault:
# -- Toggle deployment of Vault.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/vault.git
path: "./chart"
tag: "0.25.0-bb.38"
helmRepo:
repoName: "registry1"
chartName: "vault"
tag: "0.25.0-bb.38"
# -- Flux reconciliation overrides specifically for the Vault Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
# -- Certificate/Key pair to use as the certificate for exposing Vault
# Setting the ingress cert here will automatically create the volume and volumemounts in the Vault package chart
key: ""
cert: ""
# -- Values to passthrough to the vault chart: https://repo1.dso.mil/big-bang/product/packages/vault.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Metrics Server
#
metricsServer:
# -- Toggle deployment of metrics server
# Acceptable options are enabled: true, enabled: false, enabled: auto
# true = enabled / false = disabled / auto = automatic (Installs only if metrics API endpoint is not present)
enabled: auto
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/metrics-server.git
path: "./chart"
tag: "3.12.1-bb.3"
helmRepo:
repoName: "registry1"
chartName: "metrics-server"
tag: "3.12.1-bb.3"
# -- Flux reconciliation overrides specifically for the metrics server Package
flux: {}
# -- Values to passthrough to the metrics server chart: https://repo1.dso.mil/big-bang/product/packages/metrics-server.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# ----------------------------------------------------------------------------------------------------------------------
# Harbor
#
harbor:
# -- Toggle deployment of harbor
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/harbor.git
tag: "1.15.0-bb.0"
path: "./chart"
helmRepo:
repoName: "registry1"
chartName: "harbor"
tag: "1.15.0-bb.0"
# -- Flux reconciliation overrides specifically for the Jaeger Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for Harbor on and off
enabled: false
# -- OIDC Client ID to use for Harbor
client_id: ""
# -- OIDC Client Secret to use for Harbor
client_secret: ""
# -- Values to pass through to Habor chart: https://repo1.dso.mil/big-bang/product/packages/harbor.git
values: {}
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
holocron:
# -- Toggle deployment of Holocron.
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/holocron.git
tag: "1.0.11"
path: "./chart"
helmRepo:
repoName: "registry1"
chartName: "holocron"
tag: "1.0.11"
collectorAuth:
# -- Name of existing secret with auth tokens for collector services: https://repo1.dso.mil/groups/big-bang/apps/sandbox/holocron/-/wikis/Administrator-Guide
# -- Default keys for secret are:
# -- gitlab-scm-0, gitlab-workflow-0, gitlab-build-0, jira-workflow-0, sonarqube-project-analysis-0
# -- If not provided, one will be created
existingSecret: ""
# -- Tokens for the secret to be created
gitlabToken: mygitlabtoken
jiraToken: myjiratoken
sonarToken: mysonartoken
jira:
# -- If there is a Jira deployment, enable a collector for it
enabled: false
service:
# -- The service name to communicate with
name: ""
# -- If network policies are enabled, a label to match the namespace for egress policy
label:
key: value
# -- Flux reconciliation overrides specifically for the Holocron Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
sso:
# -- Toggle SSO for Holocron on and off
enabled: false
# -- OIDC Client ID to use for Holocron
client_id: ""
# -- OIDC Client Secret to use for Holocron
client_secret: ""
# -- Holocron SSO group roles: https://repo1.dso.mil/groups/big-bang/apps/sandbox/holocron/-/wikis/Administrator-Guide
groups:
admin: ""
leadership: ""
database:
# -- Hostname of a pre-existing PostgreSQL database to use for Gitlab.
# -- Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
host: ""
# -- Port of a pre-existing PostgreSQL database to use for Gitlab.
port: 5432
# -- Database name to connect to on host.
database: "holocron"
# -- Username to connect as to external database, the user must have all privileges on the database.
username: "holocron"
# -- Database password for the username used to connect to the existing database.
password: "holocron"
# -- Post Renderers. See docs/postrenders.md
postRenderers: []
# -- Values to passthrough to the Holocron chart: https://repo1.dso.mil/big-bang/product/packages/holocron.git
values: {}
# ----------------------------------------------------------------------------------------------------------------------
# thanos
#
thanos:
# -- Toggle deployment of thanos
enabled: false
sso:
# -- Toggle SSO for Thanos on and off
enabled: false
# -- OIDC Client ID to use for Thanos
client_id: ""
# -- OIDC Client Secret to use for Thanos
client_secret: ""
#Enable S3 Object Storage for Thanos-sidecar https://thanos.io/tip/components/sidecar.md/ and enables Thanos Store Gateway by default https://thanos.io/tip/components/store.md/
objectStorage:
# -- S3 compatible endpoint to use for connection information.
# examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
# Note: Thanos does not require protocol prefix for URL.
endpoint: ""
# -- S3 compatible region to use for connection information.
region: ""
# -- Access key for connecting to object storage endpoint.
accessKey: ""
# -- Secret key for connecting to object storage endpoint.
# Unencoded string data. This should be placed in the secret values and then encrypted
accessSecret: ""
# -- Bucket Name for Thanos
# examples: "Thanos-metrics"
bucket: ""
# -- Whether or not objectStorage connection should require HTTPS, if connecting to in-cluster object
insecure: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/thanos.git
tag: "15.7.9-bb.5"
path: "./chart"
helmRepo:
repoName: "registry1"
chartName: "thanos"
tag: "15.7.9-bb.5"
# -- Flux reconciliation overrides specifically for the Thanos Package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
values: {}
postRenderers: []
externalSecrets:
# -- Toggle deployment of external secrets
enabled: false
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
git:
repo: https://repo1.dso.mil/big-bang/product/packages/external-secrets.git
tag: "0.9.18-bb.7"
path: "./chart"
helmRepo:
repoName: "registry1"
chartName: "external-secrets"
tag: "0.9.18-bb.7"
# -- Override flux settings for this package
flux: {}
# -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
ingress:
gateway: ""
values: {}
postRenderers: []
# -- Wrapper chart for integrating Big Bang components alongside a package
wrapper:
# -- Choose source type of "git" or "helmRepo"
sourceType: "git"
helmRepo:
# -- Repository holding OCI chart, corresponding to `helmRepositories` name
repoName: "registry1"
# -- Name of the OCI chart in `repo`
chartName: wrapper
# -- Tag of the OCI chart in `repo`
tag: "0.4.10"
git:
# -- Git repo holding the wrapper helm chart, example: https://repo1.dso.mil/big-bang/product/packages/wrapper
repo: "https://repo1.dso.mil/big-bang/product/packages/wrapper.git"
# -- Path inside of the git repo to find the helm chart, example: chart
path: "chart"
# -- Git tag to check out. Takes precedence over branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference), example: 0.0.2
tag: "0.4.10"
# -- Packages to deploy with Big Bang
# @default - '{}'
packages:
# -- Package name. Each package will be independently wrapped for Big Bang integration.
# @default -- Uses `defaults/<package name>.yaml` for defaults. See `package` Helm chart for additional values that can be set.
sample:
# -- Toggle deployment of this package
# @default -- true
enabled: false
# -- Choose source type of "git" ("helmRepo" not supported yet)
sourceType: "git"
# -- Toggle wrapper functionality. See https://docs-bigbang.dso.mil/latest/docs/guides/deployment-scenarios/extra-package-deployment/#Wrapper-Deployment for more details.
# @default -- false
wrapper:
enabled: false
# -- After deployment, patch wrapper resources. [More info](https://fluxcd.io/flux/components/helm/helmreleases/#post-renderers)
postRenderers: []
# -- Use a kustomize deployment rather than Helm
kustomize: false
# -- HelmRepo source is supported as an option for Helm deployments. If both `git` and `helmRepo` are provided `git` will take precedence.
helmRepo:
# -- Name of the HelmRepo specified in `helmRepositories`
# @default -- Uses `registry1` Helm Repository if not specified
repoName:
# -- Name of the chart stored in the Helm repository
# @default -- Uses values key/package name if not specified
chartName:
# -- Tag of the chart in the Helm repo, required
tag:
# -- If the HelmRelease should verify the cosign signature of the HelmRepo (only relevant if Repo is OCI). Set to 'false' to disable verification
#cosignVerify:
# -- Git source is supported for both Helm and Kustomize deployments. If both `git` and `helmRepo` are provided `git` will take precedence.
git:
# -- Git repo URL holding the helm chart for this package, required if using git
repo:
# -- Git commit to check out. Takes precedence over semver, tag, and branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
commit:
# -- Git semVer tag expression to check out. Takes precedence over tag. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
semver:
# -- Git tag to check out. Takes precedence over branch. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference)
tag:
# -- Git branch to check out. [More info](https://fluxcd.io/flux/components/source/gitrepositories/#reference).
# @default -- When no other reference is specified, `master` branch is used
branch:
# -- Path inside of the git repo to find the helm chart or kustomize
# @default -- For Helm charts `chart`. For Kustomize `/`.
path:
# -- Optional, alternative existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
existingSecret: ""
# -- Optional, alternative Chart created secrets with user defined values
credentials:
# -- HTTP git credentials, both username and password must be provided
username: ""
password: ""
# -- HTTPS certificate authority file. Required for any repo with a self signed certificate
caFile: ""
# -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
privateKey: ""
publicKey: ""
knownHosts: ""
# -- Override flux settings for this package
flux: {}
# -- After deployment, patch package resources. [More info](https://fluxcd.io/flux/components/helm/helmreleases/#post-renderers)
postRenderers: []
# -- Specify dependencies for the package. Only used for HelmRelease, does not effect Kustomization. See [here](https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-dependencies) for a reference.
dependsOn: []
# -- Package details for Istio. See [wrapper values](https://repo1.dso.mil/big-bang/product/packages/wrapper/-/blob/main/chart/values.yaml) for settings.
istio: {}
# -- Package details for monitoring. See [wrapper values](https://repo1.dso.mil/big-bang/product/packages/wrapper/-/blob/main/chart/values.yaml) for settings.
monitor: {}
# -- Package details for network policies. See [wrapper values](https://repo1.dso.mil/big-bang/product/packages/wrapper/-/blob/main/chart/values.yaml) for settings.
network: {}
# -- Secrets that should be created prior to package installation. See [wrapper values](https://repo1.dso.mil/big-bang/product/packages/wrapper/-/blob/main/chart/values.yaml) for settings.
secrets: {}
# -- ConfigMaps that should be created prior to package installation. See [wrapper values](https://repo1.dso.mil/big-bang/product/packages/wrapper/-/blob/main/chart/values.yaml) for settings.
configMaps: {}
# -- Values to pass through to package Helm chart
values: {}