CHANGELOG.md

@@ -3,6 +3,14 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [2.50.0]
+	
+- [!2.50.0](https://repo1.dso.mil/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=2.50.0); List of merge requests in this release.
+
+## [2.49.0]
+	
+- [!2.49.0](https://repo1.dso.mil/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=2.49.0); List of merge requests in this release.
+
 ## [2.48.0]
 	
 - [!2.48.0](https://repo1.dso.mil/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=2.48.0); List of merge requests in this release.

base/gitrepository.yaml

@@ -11,4 +11,4 @@ spec:
   interval: 10m
   url: https://repo1.dso.mil/big-bang/bigbang.git
   ref:
-    tag: 2.48.0
+    tag: 2.50.0

chart/Chart.yaml

 apiVersion: v2
 name: bigbang
-version: 2.48.0
+version: 2.50.0
 kubeVersion: '>=1.29.0-0'
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 type: application

chart/templates/NOTES.txt

@@ -153,6 +153,12 @@ PLATFORM ONE TRACING WARNING:
   After the beta period, only one Tracing engine will be supported at one time, with Tempo becoming the default supported engine over a direct Jaeger installation. Grafana has a built-in Tempo data source that can be used to query Tempo and visualize traces. 
 {{- end }}
 
+{{- if and .Values.bbctl.enabled (or (not .Values.loki.enabled) (not .Values.promtail.enabled) (not .Values.monitoring.enabled) (not .Values.grafana.enabled)) }}
+PLATFORM ONE BBCTL WARNING:
+  You have enabled the bbctl Grafana dashboards package but one or more of the dependencies are disabled.
+  Please ensure Loki, Promtail, Grafana, and Monitoring are all enabled when using the bbctl package.
+{{- end }}
+
 {{- if $.Values.addons.mattermost.enabled }}
 Mattermost is enabled.
 {{- with .Values.addons.mattermost.database }}

chart/templates/alloy/_postrenderers.tpl

+{{- define "alloy.istioPostRenderers" }}
+- kustomize:
+    patches:
+      - patch: |
+          - op: replace
+            path: /spec/endpoints/0/scheme
+            value: https
+        target:
+          kind: ServiceMonitor
+          name: ".*alloy-alloy.*"
+{{- end }}
\ No newline at end of file

chart/templates/alloy/helmrelease.yaml

-{{- $fluxSettingsMonitoring := merge .Values.addons.alloy.flux .Values.flux -}}
+{{- $fluxSettingsAlloy := merge .Values.addons.alloy.flux .Values.flux -}}
+{{- $isStrictIstio := and (eq (include "istioEnabled" .) "true") (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.alloy.values) "STRICT") -}}
 {{- if .Values.addons.alloy.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -11,7 +12,8 @@ metadata:
   annotations:
     checksum/bigbang-values: {{ include (print $.Template.BasePath "/alloy/values.yaml") . | sha256sum }}
 spec:
-  targetNamespace: monitoring
+  targetNamespace: alloy
+  releaseName: alloy
   chart:
     spec:
       {{- if eq .Values.addons.alloy.sourceType "git" }}
@@ -36,12 +38,15 @@ spec:
       {{- end }}
       {{- end }}
       interval: 5m
-
-  {{- toYaml $fluxSettingsMonitoring | nindent 2 }}
-
-  {{- if .Values.addons.alloy.postRenderers }}
+  {{- toYaml $fluxSettingsAlloy | nindent 2 }}
+  {{- if or .Values.addons.alloy.postRenderers (and .Values.monitoring.enabled $isStrictIstio ) }}
   postRenderers:
-  {{ toYaml .Values.addons.alloy.postRenderers | nindent 4 }}
+  {{- if and .Values.monitoring.enabled $isStrictIstio }}
+  {{- include "alloy.istioPostRenderers" . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.addons.alloy.postRenderers }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- end }}
   valuesFrom:
     - name: {{ .Release.Name }}-alloy-values
@@ -69,6 +74,10 @@ spec:
     - name: kyverno-policies
       namespace: {{ .Release.Namespace }}
   {{- end }}
+  {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
   {{- end }}
 {{- end }}
 

chart/templates/alloy/imagepullsecret.yaml

-{{- if and (not .Values.monitoring.enabled) (not .Values.grafana.enabled ) .Values.addons.alloy.enabled }}
+{{- if .Values.addons.alloy.enabled }}
 {{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: private-registry
-  namespace: monitoring
+  namespace: alloy
   labels:
     app.kubernetes.io/name: alloy
     {{- include "commonLabels" . | nindent 4}}

chart/templates/alloy/namespace.yaml

-{{- if and (not .Values.monitoring.enabled) (not .Values.grafana.enabled ) .Values.addons.alloy.enabled }}
+{{- if .Values.addons.alloy.enabled }}
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: monitoring
+  name: alloy
   labels:
-    app.kubernetes.io/name: monitoring
+    app.kubernetes.io/name: alloy
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}
     istio-injection: {{ dig "istio" "injection" "enabled" .Values.grafana }}

chart/templates/alloy/values.yaml

@@ -11,4 +11,33 @@ networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 
+istio:
+  enabled: {{ .Values.istio.enabled }}
+  hardened:
+    enabled: {{ or
+      (dig "istio" "hardened" "enabled" false .Values.monitoring.values)
+      (dig "istio" "hardened" "enabled" false .Values.addons.authservice.values)
+      (dig "hardened" "enabled" false .Values.istio.values)
+      (dig "istio" "hardened" "enabled" false .Values.grafana.values)
+      (dig "istio" "hardened" "enabled" false .Values.loki.values)
+      (dig "istio" "hardened" "enabled" false .Values.eckOperator.values)
+      (dig "istio" "hardened" "enabled" false .Values.elasticsearchKibana.values)
+      (dig "istio" "hardened" "enabled" false .Values.addons.mimir.values)
+      (dig "istio" "hardened" "enabled" false .Values.addons.alloy.values)
+    }}
+
+k8s-monitoring:
+  {{- range $service := list "alloy-metrics" "alloy-log" }} # Add/Remove Alloy Micro-Services as Alloy Configurations Change
+  {{ $service }}:
+    serviceMonitor:
+      enabled: {{ $.Values.monitoring.enabled }}
+      {{- if and (include "istioEnabled" $) (eq (dig "istio" "mtls" "mode" "STRICT" $.Values.addons.alloy.values) "STRICT") }}
+      tlsConfig:
+        caFile: /etc/prom-certs/root-cert.pem
+        certFile: /etc/prom-certs/cert-chain.pem
+        keyFile: /etc/prom-certs/key.pem
+        insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+      {{- end }}
+  {{- end }}
+
 {{- end }}
\ No newline at end of file

chart/templates/authservice/values.yaml

-{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled) (and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled)) }}
+{{- if and (include "istioEnabled" .) (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled) (and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled)) }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }}
 {{- end }}
 
@@ -147,27 +147,6 @@ chains:
     {{- end }}
   {{- end }}
 
-  {{- if and .Values.addons.holocron.enabled .Values.addons.holocron.sso.enabled }}
-  holocron:
-    match:
-      header: ":authority"
-    {{- $holocronHosts := (dig "istio" "holocron" "hosts" dict .Values.addons.holocron.values) }}
-    {{- if $holocronHosts }}
-      prefix: {{ tpl ($holocronHosts | first) $ }}
-    callback_uri: https://{{ tpl ($holocronHosts | first) $ }}/login
-    {{- else }}
-      prefix: {{ printf "holocron.%s" $domainName }}
-    callback_uri: https://holocron.{{ $domainName }}/login
-    {{- end }}
-    client_id: "{{ .Values.addons.holocron.sso.client_id }}"
-    client_secret: "{{ .Values.addons.holocron.sso.client_secret }}"
-    {{- if not $legacy }}
-    authorization_uri: {{ include "sso.oidc.auth" . }}
-    token_uri: {{ include "sso.oidc.token" . }}
-    logout_redirect_uri: {{ include "sso.oidc.endsession" . }}
-    {{- end }}
-  {{- end }}
-
   {{- if and .Values.addons.thanos.enabled .Values.addons.thanos.sso.enabled }}
   thanos:
     match:

chart/templates/bbctl/git-credentials.yaml

+{{- $gitCredsSecretDict := dict
+  "name" "bbctl"
+  "targetScope" .Values.bbctl
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}

chart/templates/bbctl/gitrepository.yaml

+{{- if and .Values.bbctl.enabled .Values.loki.enabled .Values.promtail.enabled .Values.monitoring.enabled .Values.grafana.enabled }}
+{{- $gitCredsDict := dict
+  "name" "bbctl"
+  "packageGitScope" .Values.bbctl.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: bbctl
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bbctl
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.bbctl.git.repo }}
+  ref:
+    {{- include "validRef" .Values.bbctl.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}

chart/templates/holocron/helmrelease.yaml → chart/templates/bbctl/helmrelease.yaml

-{{- $pkg := "holocron" }}
-{{- $fluxSettingsHolocron := merge .Values.addons.holocron.flux .Values.flux -}}
-{{- if (get .Values.addons $pkg).enabled }}
+{{- $fluxSettingsbbctl := merge .Values.bbctl.flux .Values.flux -}}
+{{- if and .Values.bbctl.enabled .Values.loki.enabled .Values.promtail.enabled .Values.monitoring.enabled .Values.grafana.enabled }}
+
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: {{ $pkg }}
+  name: bbctl
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ $pkg }}
+    app.kubernetes.io/name: bbctl
     {{- include "commonLabels" . | nindent 4}}
   annotations:
-    checksum/bigbang-values: {{ include (print $.Template.BasePath "/holocron/values.yaml") . | sha256sum }}
+    checksum/bigbang-values: {{ include (print $.Template.BasePath "/bbctl/values.yaml") . | sha256sum }}
 spec:
-  releaseName: {{ $pkg }}
-  targetNamespace: {{ $pkg }}
+  targetNamespace: bbctl
+  interval: 5m
   chart:
     spec:
-      {{- if eq (get .Values.addons $pkg).sourceType "git" }}
-      chart: {{ (get .Values.addons $pkg).git.path }}
+      {{- if eq .Values.bbctl.sourceType "git" }}
+      chart: {{ .Values.bbctl.git.path }}
       sourceRef:
         kind: GitRepository
-        name: holocron
+        name: bbctl
         namespace: {{ .Release.Namespace }}
       {{- else }}
-      chart: {{ (get .Values.addons $pkg).helmRepo.chartName }}
-      version: {{ (get .Values.addons $pkg).helmRepo.tag }}
+      chart: {{ .Values.bbctl.helmRepo.chartName }}
+      version: {{ .Values.bbctl.helmRepo.tag }}
       sourceRef:
         kind: HelmRepository
-        name: {{ (get .Values.addons $pkg).helmRepo.repoName }}
+        name: {{ .Values.bbctl.helmRepo.repoName }}
         namespace: {{ .Release.Namespace }}
+      {{- $repoType := include "getRepoType" (dict "repoName" .Values.bbctl.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}}
+      {{- if (and .Values.bbctl.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+      verify:
+        provider: cosign
+        secretRef:
+          name: {{ printf "%s-cosign-pub" .Values.bbctl.helmRepo.repoName }}
+      {{- end }}
       {{- end }}
-      interval: 5m
 
-  {{- toYaml $fluxSettingsHolocron | nindent 2 }}
+  {{- toYaml $fluxSettingsbbctl | nindent 2 }}
 
-  {{- if (get .Values.addons $pkg).postRenderers }}
+  {{- if .Values.bbctl.postRenderers }}
   postRenderers:
-  {{ toYaml (get .Values.addons $pkg).postRenderers | nindent 4 }}
+  {{ toYaml .Values.bbctl.postRenderers | nindent 4 }}
   {{- end }}
+
   valuesFrom:
-    - name: {{ .Release.Name }}-{{ $pkg }}-values
+    - name: {{ .Release.Name }}-bbctl-values
       kind: Secret
       valuesKey: "common"
-    - name: {{ .Release.Name }}-{{ $pkg }}-values
+    - name: {{ .Release.Name }}-bbctl-values
       kind: Secret
       valuesKey: "defaults"
-    - name: {{ .Release.Name }}-{{ $pkg }}-values
+    - name: {{ .Release.Name }}-bbctl-values
       kind: Secret
       valuesKey: "overlays"
 
-  {{- if or .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled  .Values.addons.gitlab.enabled}}
   dependsOn:
-  {{- if .Values.istio.enabled }}
-    - name: istio
+    - name: monitoring
       namespace: {{ .Release.Namespace }}
-  {{- end }}
-  {{- if .Values.kyvernoPolicies.enabled }}
-    - name: kyverno-policies
+    - name: grafana
       namespace: {{ .Release.Namespace }}
-  {{- end }}
-  {{- if .Values.monitoring.enabled }}
-    - name: monitoring
+    - name: loki
       namespace: {{ .Release.Namespace }}
-  {{- end }}
-  {{- if .Values.addons.gitlab.enabled }}
-    - name: gitlab
+    - name: promtail
       namespace: {{ .Release.Namespace }}
-  {{- end }}
-  {{- end }}
 {{- end }}

chart/templates/holocron/imagepullsecret.yaml → chart/templates/bbctl/imagepullsecret.yaml

-{{- $pkg := "holocron" }}
-{{- if and (get .Values.addons $pkg).enabled ( include "imagePullSecret" . ) }}
+{{- if and .Values.bbctl.enabled .Values.loki.enabled .Values.promtail.enabled .Values.monitoring.enabled .Values.grafana.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: private-registry
-  namespace: {{ $pkg }}
+  namespace: bbctl
   labels:
-    app.kubernetes.io/name: {{ $pkg }}
-    {{- include "commonLabels" . | nindent 4 }}
+    app.kubernetes.io/name: bbctl
+    {{- include "commonLabels" . | nindent 4}}
 type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: {{ template "imagePullSecret" . }}
 {{- end }}
+{{- end }}

chart/templates/holocron/namespace.yaml → chart/templates/bbctl/namespace.yaml

-{{- $pkg := "holocron" }}
-{{- if and (get .Values.addons $pkg).enabled (not (get .Values.addons $pkg).collectorAuth.existingSecret) }}
+{{- if and .Values.bbctl.enabled .Values.loki.enabled .Values.promtail.enabled .Values.monitoring.enabled .Values.grafana.enabled }}
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ $pkg }}
+  name: bbctl
   labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" (get .Values.addons $pkg)) "enabled")) }}
-    app.kubernetes.io/name: {{ $pkg }}
-    app.kubernetes.io/component: "core"
+    app.kubernetes.io/name: bbctl
     {{- include "commonLabels" . | nindent 4}}
+    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.gitlab) "enabled")) }}
 {{- end }}

chart/templates/bbctl/values.yaml

+{{- if and .Values.bbctl.enabled .Values.loki.enabled .Values.promtail.enabled .Values.monitoring.enabled .Values.grafana.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.bbctl "name" "bbctl" "defaults" (include "bigbang.defaults.bbctl" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.bbctl" -}}
+
+image:
+  imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+registryCredentials:
+{{- if and .Values.registryCredentials (kindIs "slice" .Values.registryCredentials) }}
+{{ with index .Values.registryCredentials 0 }}
+  registry: "{{ .registry }}"
+  username: "{{ .username }}"
+  password: "{{ .password }}"
+{{- end }}
+{{ else }}
+{{ toYaml .Values.registryCredentials }}
+{{- end }}
+
+credentialsFile:
+  credentials:
+  {{- if and .Values.registryCredentials (kindIs "slice" .Values.registryCredentials) }}
+  {{- range $item := .Values.registryCredentials }}
+  - uri: {{ $item.registry }}
+    username: {{ $item.username }}
+    password: {{ $item.password }}
+  {{- end }}
+  {{ else }}
+  - uri: {{ .Values.registryCredentials.registry }}
+    username: {{ .Values.registryCredentials.username }}
+    password: {{ .Values.registryCredentials.password }}
+  {{- end }}
+  - uri: "{{ .Values.bbctl.repoCredentials.repo }}"
+    username: "{{ .Values.bbctl.repoCredentials.username }}"
+    password: "{{ .Values.bbctl.repoCredentials.password }}"
+
+baseConfig:
+  skip-update-check: true
+  preflight-check:
+    {{- if and .Values.registryCredentials (kindIs "slice" .Values.registryCredentials) }}
+    {{ with index .Values.registryCredentials 0 }}
+    registryserver: "https://{{ .registry }}"
+    registryusername: {{ .username }}
+    registrypassword: {{ .password }}
+    {{- end }}
+    {{ else }}
+    registryserver: "https://{{ .Values.registryCredentials.registry }}"
+    registryusername: {{ .Values.registryCredentials.username }}
+    registrypassword: {{ .Values.registryCredentials.password }}
+    {{- end }}
+
+istio:
+  enabled: {{ include "istioEnabled" . }}
+  hardened:
+    enabled: {{ or
+      (dig "istio" "hardened" "enabled" false .Values.bbctl.values)
+      (dig "hardened" "enabled" false .Values.istio.values)
+    }}
+
+{{- end -}}

chart/templates/fortify/helmrelease.yaml

@@ -56,11 +56,14 @@ spec:
       kind: Secret
       valuesKey: "overlays"
 
-  {{- if or .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+  {{- if or (eq (include "istioEnabled" .) "true") .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
   dependsOn:
     {{- if .Values.istio.enabled }}
     - name: istio
       namespace: {{ .Release.Namespace }}
+    {{- else if .Values.istioCore.enabled }}
+    - name: istio-core
+      namespace: {{ .Release.Namespace }}
     {{- end }}
     {{- if .Values.kyvernoPolicies.enabled }}
     - name: kyverno-policies

chart/templates/fortify/namespace.yaml

@@ -5,7 +5,7 @@ kind: Namespace
 metadata:
   name: {{ $pkg }}
   labels:
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" (get .Values.addons $pkg)) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (eq (include "istioEnabled" .) "true") (eq (dig "istio" "injection" "enabled" (get .Values.addons $pkg)) "enabled")) }}
     app.kubernetes.io/name: {{ $pkg }}
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}

chart/templates/fortify/values.yaml

@@ -16,7 +16,7 @@ externalURL: https://fortify.{{ .Values.domain }}
 domain: {{ .Values.domain }}
 
 istio:
-  enabled: {{ .Values.istio.enabled }}
+  enabled: {{ include "istioEnabled" . }}
   hardened:
     enabled: {{ or
       (dig "istio" "hardened" "enabled" false .Values.addons.fortify.values)
@@ -24,15 +24,17 @@ istio:
     }}
   fortify:
     gateways:
-    - istio-system/{{ default "public" .Values.addons.fortify.ingress.gateway }}
+    - {{ include "istioGatewayNamespace" . }}/{{ default (include "istioPublicGateway" . ) .Values.addons.fortify.ingress.gateway }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
   ingressLabels:
-    {{- $gateway := default "public" .Values.addons.fortify.ingress.gateway }}
+    {{- $gateway := default (include "istioPublicGateway" . ) .Values.addons.fortify.ingress.gateway }}
     {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
     {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
+  istioNamespaceSelector:
+  {{ include "istioNamespaceSelector" . | nindent 4 }}
 
 openshift: {{ .Values.openshift }}
 

chart/templates/gitlab-runner/namespace.yaml

@@ -6,6 +6,6 @@ metadata:
     app.kubernetes.io/name: gitlab-runner
     app.kubernetes.io/component: "developer-tools"
     {{- include "commonLabels" . | nindent 4}}
-    istio-injection: {{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.gitlabRunner) "enabled")) }}
+    istio-injection: {{ ternary "enabled" "disabled" (and (include "istioEnabled" .) (eq (dig "istio" "injection" "enabled" .Values.addons.gitlabRunner) "enabled")) }}
   name: gitlab-runner
 {{- end }}