UNCLASSIFIED

Skip to content

GitLab

You need to sign in or sign up before continuing.
Commit 630a82ba authored by michaelmcleroy's avatar michaelmcleroy
Browse files

feat: customer template redux

parents
Hide whitespace changes
Inline Side-by-side
Showing with 1039 additions and 0 deletions
.sops.yaml 0 → 100644
View file @ 630a82ba
creation_rules:
- encrypted_regex: '^(data|stringData)$'
# Base is shared, you can add keys from each environment that uses base here
pgp: FALSE_KEY_HERE
# ,ANOTHER_FALSE_KEY_HERE
# You can also isolate each key to specific directories by uncommenting the next 7 lines and adding the appropriate fingerprints
# path_regex: base/.*
#- path_regex: dev/.*
# encrypted_regex: '^(data|stringData)$'
# pgp: FALSE_KEY_HERE
#- path_regex: prod/.*
# encrypted_regex: '^(data|stringData)$'
# pgp: ANOTHER_FALSE_KEY_HERE
\ No newline at end of file
CHANGELOG.md 0 → 100644
View file @ 630a82ba
# Changelog
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
- [Changelog](#changelog)
- [[Unreleased]](#unreleased)
- [Added](#added)
## [Unreleased]
### Added
- Base/shared configuration with ...
- Big Bang version
- Location of Big Bang base/chart
- Iron Bank pull credentials placeholder
- Dev configuration with ...
- Reduced polling interval
- Minimized replicas for Gatekeeper
- Minimized disk, cpu, and memory resources
- Anonymous authorization for Kiali
- Secrets placeholder
- Prod configuration with ...
- Hostname placeholder
- Secrets placeholder
- Basic documentation
- [README.md](README.md)
- [CHANGELOG.md](CHANGELOG.md)
- [CODEOWNERS](CODEOWNERS)
- [CONTRIBUTING.md](CONTRIBUTING.md)
CODEOWNERS 0 → 100644
View file @ 630a82ba
* @michaelmcleroy
CONTRIBUTING.md 0 → 100644
View file @ 630a82ba
# Contributing
Thanks for contributing to this repository!
This repository follows the following conventions:
* [Semantic Versioning](https://semver.org/)
* [Keep a Changelog](https://keepachangelog.com/)
* [Conventional Commits](https://www.conventionalcommits.org/)
Development requires the Kubernetes CLI tool as well as a Kubernetes cluster. [k3d](https://k3d.io) is recommended as a lightweight local option for standing up Kubernetes clusters.
To contribute a change:
1. Create a branch on the cloned repository
1. Make the changes in code.
1. Test by deploying [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) to your Kubernetes cluster.
1. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated.
1. Ensure all new commits from the `main` branch are rebased into your branch.
1. Open a merge request. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR.
1. Wait for a maintainer of the repository (see CODEOWNERS) to approve.
1. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit.
LICENSE 0 → 100644
View file @ 630a82ba
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2021 megamind
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
README.md 0 → 100644
View file @ 630a82ba
# BigBang Template
#### _This is a mirror of a government repo hosted on [Repo1](https://repo1.dso.mil/) by [DoD Platform One](http://p1.dso.mil/). Please direct all code changes, issues and comments to https://repo1.dso.mil/platform-one/big-bang/customers/template_**
This folder contains a template that you can replicate in your own Git repo to get started with Big Bang configuration. If you are new to Big Bang it is recommended you start with the [Big Bang Quickstart](https://repo1.dso.mil/platform-one/quick-start/big-bang) before attempting customization.
The main benefits of this template include:
- Isolation of the Big Bang product and your custom configuration
- Allows you to easily consume upstream Big Bang changes since you never change the product
- Big Bang product tags are explicitly referenced in your configuration, giving you control over upgrades
- [GitOps](https://www.weave.works/technologies/gitops/) for your deployments configrations
- Single source of truth for the configurations deployed
- Historical tracking of changes made
- Allows tighter control of what is deployed to production (via merge requests)
- Enables use of CI/CD pipelines to test prior to deployment
- Avoids problem of `helm upgrade` using `values.yaml` that are not controlled
- Allows you to limit access to production Kubernetes cluster since all changes are made via Git
- Shared configurations across deployments
- Common settings across deployments (e.g. dev, staging, prod) can be configured in one place
- Secrets (e.g. pull credentials) can be shared across deployments.
> NOTE: SOPS [supports multiple keys for encrypting the same secret](https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g) so that each environment can use a different SOPS key but share a secret.
### Prerequisites
To deploy Big Bang, the following items are required:
- Kubernetes cluster [ready for Big Bang](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/blob/master/docs/d_prerequisites.md)
- A git repo for your configuration
- [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
- [GPG (Mac users need to read this important note)](https://repo1.dso.mil/platform-one/onboarding/big-bang/engineering-cohort/-/blob/master/lab_guides/01-Preflight-Access-Checks/A-software-check.md#gpg)
- [SOPS](https://github.com/mozilla/sops)
- [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
- [Iron Bank Personal Access Token](https://registry1.dso.mil) - Under your `User Profile`, copy the `CLI secret`.
- [Repo1 Personal Access Token](https://repo1.dso.mil/-/profile/personal_access_tokens) - You will need `read_repository` permissions.
In addition, the following items are recommended to assist with troubleshooting:
- [Helm](https://helm.sh/docs/intro/install/)
- [Kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/)
- [K9S](https://github.com/derailed/k9s)
## Setup
This template supports a multi-environment template for two distinct deployments: `prod` and `dev`. Additional environments can be added by replicating one of the existing folders.
Each environment consists of a Kubernetes manifest containing Flux resources (`bigbang.yaml`), a Kustomization file (`kustomization.yaml`), values to pass to Big Bang (`configmap.yaml`), secrets (`secrets.enc.yaml`), and additional files used to deploy resources. All of the environments share a `base` folder to allow reusability of values between environments.
> To insure variables (e.g. `${fp}`) are set correctly, execute all of the steps below in the same terminal window.
### Create Git Repository
We need to work off our own Git repo for storing configuration. So, you should **fork** this repo into a **private** Git repo owned by yourself or your project. Then, clone your repo locally.
```shell
git clone https://<your domain>/<your repo>.git
cd <your repo>
# Create branch for your changes
git checkout -b template-demo
```
> It is recommended that you create your own branch so that you can [pull the original repository's `main` branch as a mirror](https://docs.gitlab.com/ee/user/project/repository/repository_mirroring.html) to keep it in sync.
### Create GPG Encryption Key
To make sure your pull secrets are not comprimized when uploaded to Git, you must generate your own encryption key:
> Keys should be created without a passphrase so that Flux can use the private key to decrypt secrets in the Big Bang cluster.
```shell
# Generate a GPG master key
# The GPG key fingerprint will be stored in the $fp variable
export fp=`gpg --quick-generate-key bigbang-sops rsa4096 encr | sed -e 's/ *//;2q;d;'`
gpg --quick-add-key ${fp} rsa4096 encr
# By default our key is set to expire in 2 years.
# Here we reduce this down to 14 days for learning/demo purposes
gpg --quick-set-expire ${fp} 14d
# Rekey the .sops.yaml
# This ensures your secrets are only decryptable by your key
## On linux
sed -i "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml
## On MacOS
sed -i "" "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml
```
### Add Pull Credentials
You will need pull credentials for Iron Bank to retrieve images for Big Bang.
> Secrets can be specific to an environment if they are located in that environment's folder (e.g. `prod`, `dev`). Or, they can be shared between environments if located in the `base` directory.
``` shell
# Create a new encrypted secret to contain your pull credentials
cd base
sops secrets.enc.yaml
```
Add the following contents to the newly created sops secret. Put your Iron Bank user/PAT where it states `replace-with-your-iron-bank-user` and `replace-with-your-iron-bank-personal-access-token`.
> The name of the secret must be `common-bb` if the secret is in the `base` folder or `environment-bb` if the secret is in the `dev` or `prod` folder. The `environment-bb` values take precedence over the `common-bb` values.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: common-bb
stringData:
values.yaml: |-
registryCredentials:
- registry: registry1.dso.mil
username: replace-with-your-iron-bank-user
password: replace-with-your-iron-bank-personal-access-token
```
> If you use a private git repository, you will need to add your username and personal access token to the `registryCredentials` list.
When you save the file, it will automatically encrypt your secret using SOPS.
```shell
# Save encrypted secrets into Git
# Configuration changes must be stored in Git to take affect
git add secrets.enc.yaml ../.sops.yaml
git commit -m "chore: added encrypted credentials"
git push --set-upstream origin template-demo
```
> Your private key to decrypt these secrets is stored in your GPG key ring. You must **NEVER** export this key and commit it to your Git repository since this would comprimise your secrets.
### Configure for GitOps
We need to reference your git repository so that Big Bang will use the configuration. Add your repository into the `GitRepository` resource in `dev/bigbang.yaml`:
> Replace your forked Git repo where it states `replace-with-your-git-repo`. Replace `replace-with-your-branch` with your branch name (e.g. `template-demo` as created above).
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: environment-repo
namespace: bigbang
spec:
interval: 1m
url: https://replace-with-your-git-repo.git
ref:
branch: replace-with-your-branch
secretRef:
name: private-git
```
> The `Kustomization` resource contains the path in your repo to the `kustomization.yaml` to start with. If your folder changes, makes sure to update `spec.path` with the new path.
Now, save and commit your change:
```shell
git add bigbang.yaml
git commit -m "chore: updated git repo"
git push
```
## Deploy
Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) approach to deployment. All configuration changes will be pulled and reconciled with what is stored in the Git repository. The only exception to this is the initial manifests (e.g. `bigbang.yaml`) which points to the Git repository and path to start from.
1. Deploy SOPS private key for Big Bang to decrypt secrets
```shell
# The private key is not stored in Git (and should NEVER be stored there). We deploy it manually by exporting the key into a secret.
kubectl create namespace bigbang
gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin
```
1. Create imagePullSecrets for Flux
```shell
# Image pull secrets for Iron Bank are required to install flux. After that, it uses the pull credentials we installed above
kubectl create namespace flux-system
# Adding a space before this command keeps our PAT out of our history
kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=<Your IronBank Username> --docker-password=<Your IronBank Personal Access Token> -n flux-system
1. Create Git credentials for Flux
```shell
# Flux needs the Git credentials to access your Git repository holding your environment
# Adding a space before this command keeps our PAT out of our history
kubectl create secret generic private-git --from-literal=username=<Your Repo1 Username> --from-literal=password=<Your Repo1 Personal Access Token> -n bigbang
```
1. Deploy Flux to handle syncing
```shell
# Flux is used to sync Git with the the cluster configuration
curl https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/scripts/deploy/flux.yaml | kubectl apply -f -
# Wait for flux to complete
kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system
```
1. Deploy Big Bang
```shell
cd ../dev
kubectl apply -f bigbang.yaml
# Verify 'bigbang' namespace is created
kubectl get namespaces
# Verify Pull from Git was successful
kubectl get gitrepositories -A
# Verify Kustomization was successful
# NOTE: The Kustomization resource may fail at first with an error about the istio-system namespace. This is normal since the Helm Release for istio will create that namespace and it has not run yet. This should resolve itself within a few minutes
kubectl get -n bigbang kustomizations
# Verify secrets and configmaps are deployed
# At a minimum, you will have the following:
# secrets: sops-gpg, private-git, common-bb, and environment-bb
# configmaps: conmmon, environment
kubectl get -n bigbang secrets,configmaps
# Watch deployment
watch kubectl get hr,po -A
# Test deployment by opening a browser to "kiali.bigbang.dev" to get to the Kiali application deployed by Istio.
# Note that the owner of "bigbang.dev" has setup the domain to point to 127.0.0.1 for this type of testing.
# If you are deployed on a remote host you will need to point "kiali.bigbang.dev" to your cluster master node via your /etc/hosts file
```
> If you cannot get to the main page of Kiali, it may be due to an expired certificate. Check the expiration of the certificate in `base/bigbang-dev-cert.yaml`.
> For troubleshooting deployment problems, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) documentation.
You now have successfully deployed Big Bang. Your next step is to customize the configuration.
## Customize
### Enable a package
1. In `dev/configmap.yaml`, enable Twistlock
```yaml
twistlock:
enabled: true
```
1. Push changes to Git
```shell
git add configmap.yaml
git commit -m "feat: enable twistlock"
git push
```
1. Big Bang will automatically pick up your change and make the necessary changes.
```shell
# Watch deployment for twislock to be deployed
watch kubectl get hr,po -A
# Test deployment by opening a browser to "twistlock.bigbang.dev" to get to the Twistlock application
```
### Update the Big Bang Version
To minimize the risk of an unexpected deployment of a BigBang release, the BigBang release version is explicitly stored in the `kustomization.yaml` files and can be updated for a planned upgrades. The default release is stored in `base/kustomization.yaml`, but can be overridden in a specific environment like `dev/kustomization.yaml`.
- Reference for the Big Bang kustomize base:
```yaml
bases:
- https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.8.0
```
- Reference for the Big Bang helm release:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: bigbang
spec:
ref:
$patch: replace
semver: "1.8.0"
```
To update `dev/kustomization.yaml`, you would create a `mergePatch` like the following:
```yaml
patchesStrategicMerge:
- |-
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: bigbang
spec:
interval: 1m
ref:
$patch: replace
semver: "1.9.0"
```
> This does not update the kustomize base, but it is unusual for that to change.
Then, commit your change:
```shell
git add kustomization.yaml
git commit -m "feat(dev): update bigbang to 1.9.0"
git push
```
> It may take Big Bang up to 10 minutes to recognize your changes and start to deploy them. This is based on the interval set for polling. You can force Big Bang to recheck by running the [sync.sh](https://repo1.dsop.io/platform-one/big-bang/bigbang/-/blob/master/hack/sync.sh) script.
It is recommended that you track Big Bang releases using the version. However, you can use `tag` or `branch` in place of `semver` if needed. The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference. The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax.
When you are done testing, you can update the reference in `base` (and delete this setting in `dev`) to update Big Bang in all environments.
> Do not forget to also update the `base/kustomization.yaml`'s `base:` reference to point to the new release.
### Update the domain
Big Bang deploys applications to `*.bigbang.dev` by default. You can override the `bigbang.dev` domain to your domain by updating `dev/configmap.yaml` and adding the following:
```yaml
hostname: insert-your-domain-here
```
> NOTE: The `dev` template includes several overrides to minimize resource usage and increase polling time in a development environment. They are provided for convenience and are NOT required.
Commit your change:
```shell
git add configmap.yaml
git commit -m "feat(dev): updated domain name"
git push
```
### Additional Big Bang values
For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation.
### Additional resources
Using Kustomize, you can add additional resources to the deployment if needed. Read the [Kustomization](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/) documentation for futher details.
## Secrets
You have already [created a GPG Encryption Key pair](#create-gpg-encryption-key) and [deployed encrypted pull credentials](#add-pull-credentials) above. Here are some additional scenarios you may encounter with secrets.
### Key Vault
SOPS supports several key vaults to help control access to your secure keys including:
- [AWS KMS](https://github.com/mozilla/sops#27kms-aws-profiles)
- [GCP KMS](https://github.com/mozilla/sops#23encrypting-using-gcp-kms)
- [Azure Key Vault](https://github.com/mozilla/sops#24encrypting-using-azure-key-vault)
- [Hashicorp Vault](https://github.com/mozilla/sops#25encrypting-using-hashicorp-vault)
You will need to update `.sops.yaml` with your configuration based on the links above.
### Key Rotation
If you need to [rotate your GPG encryption keys](#create-gpg-encryption-key) for any reason, you will also need to re-encrypt any encrypted secrets.
1. Update `.sops.yaml` configuration file
`.sops.yaml` holds all of the key fingerpints used for SOPS. Update `pgp`'s value to the new key's fingerprint. You can list your locally stored fingerprints using `gpg -k`.
```yaml
creation_rules:
- encrypted_regex: '^(data|stringData)$'
pgp: INSERT_NEW_KEY_FINGERPRINT_HERE
```
1. Re-encrypt `secrets.enc.yaml` with your new SOPS keys. This will decrypt the file with the old key and re-encrypt with the new key.
```shell
sops updatekeys base/secrets.enc.yaml -y
# Repeat this for all other encrypted files (e.g. dev/secrets.enc.yaml)
```
1. Deploy new SOPS private key for Big Bang to decrypt secrets
```shell
# The private key is not stored in Git (and should NEVER be stored there). We deploy it manually by exporting the key into a secret.
kubectl delete secret sops-gpg -n bigbang
gpg --export-secret-key --armor INSERT_NEW_KEY_FINGERPRINT_HERE | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin
```
1. Commit changes
```shell
git add .sops.yaml **/secrets.enc.yaml
git commit -m "chore: rekey secrets"
git push
```
### Multiple Keys
You can encrypt files with SOPS using more than one key to allow different keys to decrypt the same file. The encrypted file contains copies of the data encrypted with each key and all of the public keys needed to re-encrypt the file if changes are made.
> Only one of the private keys is required to decrypt the file
1. Add the second key's fingerprint to `.sops.yaml`:
```yaml
creation_rules:
- encrypted_regex: '^(data|stringData)$'
pgp: ORIGINAL_KEY
,INSERT_SECOND_KEY_HERE
```
1. Re-encrypt all encrypted files with your new SOPS keys. This will decrypt the file with the original key and re-encrypt with both of the keys.
```shell
sops updatekeys base/secrets.enc.yaml -y
# Repeat this for all other encrypted files (e.g. dev/secrets.enc.yaml)
```
1. Commit changes
```shell
git add .sops.yaml **/secrets.enc.yaml
git commit -m "chore: added second key to secrets"
git push
```
### Different keys for different environments
In our template, we have a `dev` and a `prod` environment with a shared `base`. Let's say we wanted the following:
- Shared Iron Bank pull credential
- Different database passwords for `dev` and `prod`
- Differnet SOPS keys for `dev` and `prod`
1. Setup `.sops.yaml` for multiple folders:
```yaml
creation_rules:
# Base is shared, so add fingerprints of both keys
- path_regex: base/.*
encrypted_regex: '^(data|stringData)$'
pgp: INSERT_DEV_KEY_FINGERPRINT_HERE
,INSERT_PROD_KEY_FINGERPRINT_HERE
- path_regex: dev/.*
encrypted_regex: '^(data|stringData)$'
pgp: INSERT_DEV_KEY_FINGERPRINT_HERE
- path_regex: prod/.*
encrypted_regex: '^(data|stringData)$'
pgp: INSERT_PROD_KEY_FINGERPRINT_HERE
```
1. Re-encrypt all encrypted files with your SOPS keys. This will decrypt the file with the original private key and re-encrypt with the new keys according to your `path_regex`.
> If you do not have `secrets.enc.yaml` in `dev` or `prod`, you can can copy the one in `base` to test out these commands.
```shell
sops updatekeys base/secrets.enc.yaml -y
sops updatekeys dev/secrets.enc.yaml -y
sops updatekeys prod/secrets.enc.yaml -y
```
> There is an excellent tutorial on multiple key SOPS [here](https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g).
1. Commit changes
```shell
git add .sops.yaml **/secrets.enc.yaml
git commit -m "chore: split dev and prod keys"
git push
```
### Modifying an encrypted file
Updating values in an encrypted file can be achieved by simply opening the file with sops:
```shell
sops base/secrets.enc.yaml
```
When you save the file, sops automatically re-encrypts it for all of the keys specified in `.sops.yaml`.
## Multi-environment Workflow
In this template, we have a `dev` and `prod` environment. Your specific situation deployment may have more. Our intended workflow is:
- Test changes in the `dev` environment before deploying into `prod`
- Keep `dev` as close as possible to `prod` by sharing values
- Maintain `dev` and `prod` specific settings for resources, external connections, and secrets
To start, we may have the following in each folder:
- `base`
- Iron Bank pull credentials
- Big Bang release reference
- Application settings
- `dev`
- Dev domain name
- Dev TLS certificates
- Minimized resource values (e.g. memory, cpu)
- Dev external connections and credentials
- `prod`
- Prod domain name
- Prod TLS certificates
- Prod external connections and credentials
Big Bang `dev` value changes can be made by simply modifying `dev/configmap.yaml`. `base` and `dev` create two separate configmaps, named `common` and `environment` respectively, with the `environment` values taking precedence over `common` values in Big Bang.
The same concept applies to `dev` secret changes, with two separate secrets named `common-bb` and `environment-bb` used for values to Big Bang, with the `environment-bb` values taking prcedence over the `common-bb` values in Big Bang.
If a new resource must be deployed, for example a TLS cert, you must add a `resources:` section to the `kustomization.yaml` to refer to the new file. See the base directory for an example.
base/bigbang-dev-cert.yaml 0 → 100644
View file @ 630a82ba
apiVersion: v1
kind: Secret
metadata:
name: wildcard-cert
namespace: istio-system
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZNekNDQkJ1Z0F3SUJBZ0lTQS9iZlFINVZneTNLVHUzUFh4aU5IZWQ4TUEwR0NTcUdTSWIzRFFFQkN3VUEKTURJeEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55ZVhCME1Rc3dDUVlEVlFRRApFd0pTTXpBZUZ3MHlNVEEwTVRZd01UQTFNVE5hRncweU1UQTNNVFV3TVRBMU1UTmFNQmd4RmpBVUJnTlZCQU1NCkRTb3VZbWxuWW1GdVp5NWtaWFl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRGwKN29JZWNESFJiOFhCakc0c0VXMXFzQmxJOTRvSWE1MEtUSFdPZXQ3bWhXODJCWCtzY1dWZ3FJM1BiSVZVSTE0NApJZ0tHUFNxM1NFa2lnUDB6TmdTbHhOalpaL1VhQjk5SFhsSzVrWjg3cHVEdm9PWU1CaXVyanEvUXpnd3lnaU45Ck55eXFkVXRXZGMvVjk0b3d4UzQ3SHNjbGhuT0VYc2NWT2pTUUkvUElHTTVHOFVYWnllVjB5dkdWdnJVWU5iTWYKejlNaGgzckQyaWh3NkxRVmdYNzEwSjdxM0lPaUMxQ0RDdDB3WHVyMXcxOExZcytSMVl1MDdBTTdSNUVvRUVGQgoyVFpoWWdEWjMrdjdsdnYvRUlOeVZjNUZmb2xJaHlWMVZHK2RaeGV2SEZpdVpRNWNOTHBpTHdlcDNRcmVLZU5rCjFpakJoQWVoUm5UTWE4ZkIrbWI5QWdNQkFBR2pnZ0piTUlJQ1Z6QU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWUQKVlIwbEJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwTwpCQllFRkFxWXBTQy9hcTg2VkdnMFBqK0FKTDhKcTRvcE1COEdBMVVkSXdRWU1CYUFGQlF1c3hlM1dGYkxybEFKClFPWWZyNTJMRk1MR01GVUdDQ3NHQVFVRkJ3RUJCRWt3UnpBaEJnZ3JCZ0VGQlFjd0FZWVZhSFIwY0RvdkwzSXoKTG04dWJHVnVZM0l1YjNKbk1DSUdDQ3NHQVFVRkJ6QUNoaFpvZEhSd09pOHZjak11YVM1c1pXNWpjaTV2Y21jdgpNQ3NHQTFVZEVRUWtNQ0tDRFNvdVltbG5ZbUZ1Wnk1a1pYYUNFU291WkdWMkxtSnBaMkpoYm1jdVpHVjJNRXdHCkExVWRJQVJGTUVNd0NBWUdaNEVNQVFJQk1EY0dDeXNHQVFRQmd0OFRBUUVCTUNnd0pnWUlLd1lCQlFVSEFnRVcKR21oMGRIQTZMeTlqY0hNdWJHVjBjMlZ1WTNKNWNIUXViM0puTUlJQkJBWUtLd1lCQkFIV2VRSUVBZ1NCOVFTQgo4Z0R3QUhVQWIxTjJyREh3TVJuWW1RQ2tVUlgvZHhVY0Vka0N3UUFwQm8yeUNKbzMyUk1BQUFGNDJHelJYQUFBCkJBTUFSakJFQWlCQzlTSnpwQlVtTWZwVFRmbEthc1ZVTUNPVkVIL3lRSExlejlPaWpleUxFUUlnSjI5cXQrbXQKQ3doZHM1MnA4Rm44ZDREUTA1WDFZR2U4M3cvL25KRzc2aHdBZHdEMlhKUXYwWGN3SWhSVUdBZ3dsRmFPNDAwVApHVE8vM3d3dklBdk1UdkZrNHdBQUFYalliTkhQQUFBRUF3QklNRVlDSVFEQnRTbHYydTNTejNiVE9LUUF6c21TCit1NzlQanRwdlRuSGZwN1N3cUdUQUFJaEFPSkw3ZHI5cEp0OUpSS0JsNEU3VnU3OXhVN3hPdXgxTElVVkUra0EKZFIxcU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlFLNzZrWkp3YTF6TnYyazJoL3U1aXN2Y1FpREw4ZW9VZAppZElkWHk3eWRJYmh6WWw5VmgrekRHa1V3eHZJUDRqVmpENEZCQzRRcVFUanF1dHc4c0xXamJ6U1BKTFZmWUxWClRtd3RrYkN2aFRpRTNQQWRUK1Ntb09GSVVzZDJMRW1qRko2MjJEeVVhTkgwT3NkckhLQ2xDL0tJTzBOdmhUUXMKWm5OODllSDF3cmVJTDlEb2xYa28zUmdrR0IxTGJHOU1INC9kdnpUbktIb0JvNEVVRlhvSmNuU2lLN3JkSEVYSQp1N3dLRmp3OU9KbnFqQ0x4N1NHT0l5aExvNGM1VXRKWFU4dXhLbXhzTzYzV0daRytaQjM4dXp1UlphRUV0K3pzClNvbFN0ZUVFSEhYYmUvQmpZZnVmVzJCWGRKd3FpM2dhdzA0ais4UTRoY250SDJjTTI4VFcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRVpUQ0NBMDJnQXdJQkFnSVFRQUYxQklNVXBNZ2hqSVNwREJiTjN6QU5CZ2txaGtpRzl3MEJBUXNGQURBLwpNU1F3SWdZRFZRUUtFeHRFYVdkcGRHRnNJRk5wWjI1aGRIVnlaU0JVY25WemRDQkRieTR4RnpBVkJnTlZCQU1UCkRrUlRWQ0JTYjI5MElFTkJJRmd6TUI0WERUSXdNVEF3TnpFNU1qRTBNRm9YRFRJeE1Ea3lPVEU1TWpFME1Gb3cKTWpFTE1Ba0dBMVVFQmhNQ1ZWTXhGakFVQmdOVkJBb1REVXhsZENkeklFVnVZM0o1Y0hReEN6QUpCZ05WQkFNVApBbEl6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1d0lWS016Mm9KVFREeExzCmpWV1N3L2lDOFptbWVrS0lwMTBtcXJVcnVjVk1zYStPYS9sMXlLUFhEMGVVRkZVMVY0eWVxS0k1R2ZXQ1BFS3AKVG03MU84TXUyNDNBc0Z6eldUam43YzlwOEZvTEc3N0FsQ1FsaC9vM2NiTVQ1eHlzNFp2djIrUTdSVkpGbHFuQgpVODQweUZMdXRhN3RqOTVnY09LbFZLdTJiUTZYcFVBMGF5dlR2R2JyWmpSOCttdUxqMWNwbWZnd0YxMjZjbS83CmdjV3Qwb1pZUFJmSDV3bTc4U3YzaHR6QjJuRmQxRWJqekswbHdZaThZR2QxWnJQeEdQZWlYT1pUL3pxSXRrZWwKL3hNWTZwZ0pkeitkVS9uUEFlWDFwbkFYRks5anBQK1pzNU9kM0ZPbkJ2NUloUjJoYWE0bGRic1R6RklEOWUxUgpvWXZiRlFJREFRQUJvNElCYURDQ0FXUXdFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBREFPQmdOVkhROEJBZjhFCkJBTUNBWVl3U3dZSUt3WUJCUVVIQVFFRVB6QTlNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndPaTh2WVhCd2N5NXAKWkdWdWRISjFjM1F1WTI5dEwzSnZiM1J6TDJSemRISnZiM1JqWVhnekxuQTNZekFmQmdOVkhTTUVHREFXZ0JURQpwN0drZXl4eCt0dmhTNUIxLzhRVllJV0pFREJVQmdOVkhTQUVUVEJMTUFnR0JtZUJEQUVDQVRBL0Jnc3JCZ0VFCkFZTGZFd0VCQVRBd01DNEdDQ3NHQVFVRkJ3SUJGaUpvZEhSd09pOHZZM0J6TG5KdmIzUXRlREV1YkdWMGMyVnUKWTNKNWNIUXViM0puTUR3R0ExVWRId1ExTURNd01hQXZvQzJHSzJoMGRIQTZMeTlqY213dWFXUmxiblJ5ZFhOMApMbU52YlM5RVUxUlNUMDlVUTBGWU0wTlNUQzVqY213d0hRWURWUjBPQkJZRUZCUXVzeGUzV0ZiTHJsQUpRT1lmCnI1MkxGTUxHTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBMlV6Z3lmV0VpRGN4MjdzVDRyUDhpMnRpRW14WXQwbCtQQUszcUI4b1lldk80QzV6NzBrSAplaldFSHgydGFQRFkvbGFCTDIxL1dLWnVOVFlRSEhQRDViMXRYZ0hYYm5MN0txQzQwMWRrNVZ2Q2FkVFFzdmQ4ClM4TVhqb2h5Yzl6OS9HMjk0OGtMam1FNkZsaDlkRFlyVllBOXgyTytoRVBHT2FFT2ExZWVQeW5CZ1BheXZVZkwKcWpCc3R6TGhXVlFMR0FrWFhtTnMrNVpuUEJ4ekRKT0x4aEYySkliZVFBY0g1SDB0WnJVbG81Wll5T3FBN3M5cApPNWI4NW8zQU0vT0orQ2t0RkJRdGZ2QmhjSlZkOXd2bHdQc2srdXlPeTJISTdtTnhLS2dzQlR0Mzc1dGVBMlR3ClVkSGtoVk5jc0FLWDFIN0dOTkxPRUFEa3NkODZ3dW9Ydmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRGw3b0llY0RIUmI4WEIKakc0c0VXMXFzQmxJOTRvSWE1MEtUSFdPZXQ3bWhXODJCWCtzY1dWZ3FJM1BiSVZVSTE0NElnS0dQU3EzU0VraQpnUDB6TmdTbHhOalpaL1VhQjk5SFhsSzVrWjg3cHVEdm9PWU1CaXVyanEvUXpnd3lnaU45Tnl5cWRVdFdkYy9WCjk0b3d4UzQ3SHNjbGhuT0VYc2NWT2pTUUkvUElHTTVHOFVYWnllVjB5dkdWdnJVWU5iTWZ6OU1oaDNyRDJpaHcKNkxRVmdYNzEwSjdxM0lPaUMxQ0RDdDB3WHVyMXcxOExZcytSMVl1MDdBTTdSNUVvRUVGQjJUWmhZZ0RaMyt2NwpsdnYvRUlOeVZjNUZmb2xJaHlWMVZHK2RaeGV2SEZpdVpRNWNOTHBpTHdlcDNRcmVLZU5rMWlqQmhBZWhSblRNCmE4ZkIrbWI5QWdNQkFBRUNnZ0VBUzdLaUUvTkw4MitnNDMrZ0pkSDIrOURPQWorOHFka0Q4b2dKaThiWDYzeXkKaUU1M0lnYVRJYWRjU0pXcHIzR1ZhMVdIRHpyRC9XTkc4SjBXdnUxaHlsRnNNdWNPd21zbER4SDJtakZmQXZ5Rgp3VjV2WGpZSjJvazNTTDhOTlBPelMxNEd6bmVmUGUrN1pPNENDTnhoeEFUMSsxeXdXenY0dnZ4U29jRzBXSU55ClF3Ylk1M3ZsNy9meUp6bWtpRFV1cVJxdFZLUi9TQ3ZWRnlWL016YjlYd0xWVk96bWU3ek1iSzlFd2xSN1h4d0gKTnRqWlMydC9EYkZVaCtPOWxqMjhmdVY0cVZvODNqR1dFNjNQNGJFdk9YekZDNXp1K2twRW1RRVA1WDFVR3FxcApoMU5CUEcwb2VQMTdodjBqVnpjNzAzZGJuQnppZjU4U2M0REZyYVE5NFFLQmdRRDgxK0lxdVNwbVcxZXBKZE51CkFHQWFsdlBTMEpXV2pqQnJuK3NDMEpBKzdRV0dKckdBTjhGdFpyeC9FdTU4b3Z1RDNZcmE4NmlsV0FMV0pLUWoKdmFFZy94YnJaaXhiUW9hcDZNSTRYWUs2aHFFWTJPZzI4SzRNcVFYdHZRQjVOcmpuRGRZWTdjSUNTdEo4V01HcwpLVjBNS3pIR3NVYnZUQlJRR1hhRlhIRFNsd0tCZ1FEb3pXV0lIWitmTzBSZC9uRzhNK2tSWTNIbUlGTHl4WjdDCllaNXBnRW4rWDR4TmkzbGdoa0JNWEF4NTBCQithczE1OGxQcmRITFRwa2VZYmNXZzd4ZmNuMkM0VittS3VVRG8KYUFYOFRlcWJJeS9XYzY3SHhNMCt1alJrd05OSXFaSmhMckUzNFNHQkR6ajlqRHYrc0xBamdsQXpJYkszdnRMUgpuUDVEUlExSml3S0JnRmQ3RGpwLzlHYVR4Z0cxSDdFWW1pZTVBTVY0KzdpcW02QXhKV3ZFNDVPU0NHNUE1dnNZCnoyamR1ZXd4amFnNzc4L1JFQ0R2V3ZOU1B6RCtYbmdyUFJ1Z2hycU5rRjFHNkRiVFhKZUo2eGhFU21yQmFaN1EKcVRlaUozWDVCYmZxc2hEblhhTWthQkxJOW9pbFlPVURMcmx1SEh2RmpHaHhKem9MaFZGaENYd2pBb0dCQUxtTQo5QzdnUlpoNWVZMWRQek9kUUZlZXBtcWdPdHpMRERXcjdzSHlBWWZnaWdoSWNXNndzbERxVVB0S0RjdGt2dTlDCmFRYlM0cTYwNm4yZ2lKTXozaFgzWmZTb0JUbVBYQitnd1p5T1ViNWk5ajc4SjBPTUpYYW9uUmZzNUxvV2hkZzEKaWdTYXlNUi82SkdXRXo5MWZuNWU0Q05RNll3d2FRR3ZHcTF0UFNEdkFvR0JBTUg3eXpjTm9QbFRHRjd0SUh1Zgp4dkZHQ25uclMrVUZXbTZKYUZDYU5tS0NyMUZxUnFhMHNlUW1SbDBGcm53WEgzUTkvS3BlcEJsY01qeGhJMWFGClp0WE1qcVlxM0ZlNlY4UUF4MEh4YmJBbHl6ZU9uSzV4bUtmelYwWVhTSEg1R2p2Szk5ektUNnM4R3Uxanh1NEkKdmZrY3pyckJsS2JOcDV3eFBnamNBWmQ3Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
base/configmap.yaml 0 → 100644
View file @ 630a82ba
hostname: bigbang.dev
\ No newline at end of file
base/kustomization.yaml 0 → 100644
View file @ 630a82ba
# When updating the version of BigBang, make sure to update
# both the bases reference and the GitRepository reference
bases:
- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.8.0
resources:
- bigbang-dev-cert.yaml
configMapGenerator:
- name: common
behavior: merge
files:
- values.yaml=configmap.yaml
patchesStrategicMerge:
- secrets.enc.yaml
- |-
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: bigbang
spec:
ref:
$patch: replace
semver: "1.8.0"
\ No newline at end of file
dev/bigbang.yaml 0 → 100644
View file @ 630a82ba
apiVersion: v1
kind: Namespace
metadata:
name: bigbang
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: environment-repo
namespace: bigbang
spec:
interval: 1m
url: https://replace-with-your-git-repo.git
ref:
branch: replace-with-your-branch
secretRef:
name: private-git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
name: environment
namespace: bigbang
spec:
interval: 1m
sourceRef:
kind: GitRepository
name: environment-repo
path: ./dev
prune: true
decryption:
provider: sops
secretRef:
name: sops-gpg
\ No newline at end of file
dev/configmap.yaml 0 → 100644
View file @ 630a82ba
hostname: bigbang.dev
flux:
interval: 1m
rollback:
cleanupOnFail: false
logging:
enabled: true
values:
elasticsearch:
master:
count: 1
persistence:
size: 5Gi
resources:
requests:
cpu: .5
limits: {}
data:
count: 1
persistence:
size: 5Gi
resources:
requests:
cpu: .5
limits: {}
fluentbit:
values:
securityContext:
privileged: true
istio:
enabled: true
values:
kiali:
dashboard:
auth:
strategy: "anonymous"
clusterAuditor:
enabled: true
values:
resources:
requests:
cpu: 100m
memory: .5Gi
limits: {}
monitoring:
enabled: true
values:
alertmanager:
alertmanagerSpec:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
prometheusOperator:
resources:
requests:
cpu: 250m
memory: 400Mi
limits: {}
prometheus:
prometheusSpec:
resources:
requests:
cpu: 100m
memory: 200Mi
limits: {}
grafana:
resources:
requests:
cpu: 100m
memory: 128Mi
limits: {}
kubeStateMetrics:
resources:
requests:
cpu: 10m
memory: 32Mi
limits: {}
nodeExporter:
resources:
requests:
cpu: 100m
memory: 30Mi
limits: {}
gatekeeper:
enabled: true
values:
replicas: 1
resources:
requests:
cpu: 100m
memory: 256Mi
limits: {}
twistlock:
enabled: false
values:
console:
persistence:
size: 5Gi
\ No newline at end of file
dev/kustomization.yaml 0 → 100644
View file @ 630a82ba
bases:
- ../base
configMapGenerator:
- name: environment
behavior: merge
files:
- values.yaml=configmap.yaml
patchesStrategicMerge:
## Enable the line below if a secrets.enc.yaml is created in this directory
# - secrets.enc.yaml
- |-
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: bigbang
spec:
interval: 1m
# Use the following three lines to test a new version of Big Bang without affecting other environments
# ref:
# $patch: replace
# semver: "1.9.0"
- |-
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: bigbang
spec:
interval: 1m
\ No newline at end of file
prod/bigbang.yaml 0 → 100644
View file @ 630a82ba
apiVersion: v1
kind: Namespace
metadata:
name: bigbang
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: environment-repo
namespace: bigbang
spec:
interval: 10m
url: https://replace-with-your-git-repo.git
ref:
branch: replace-with-your-branch
secretRef:
name: private-git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
name: environment
namespace: bigbang
spec:
interval: 10m
sourceRef:
kind: GitRepository
name: environment-repo
path: ./prod
prune: true
decryption:
provider: sops
secretRef:
name: sops-gpg
\ No newline at end of file
prod/configmap.yaml 0 → 100644
View file @ 630a82ba
hostname: bigbang.dso.mil
\ No newline at end of file
prod/kustomization.yaml 0 → 100644
View file @ 630a82ba
bases:
- ../base
configMapGenerator:
- name: environment
behavior: merge
files:
- values.yaml=configmap.yaml
## Comment out the next two lines below if a secrets.enc.yaml is created in this directory
#patchesStrategicMerge:
# - secrets.enc.yaml
\ No newline at end of file
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

UNCLASSIFIED