From cee60a7db1002bd5cc09d89e116e4ddedb8dca65 Mon Sep 17 00:00:00 2001 From: Mark Sanchez Date: Thu, 8 Jul 2021 15:56:54 +0000 Subject: [PATCH 01/13] Update README.md for updated flux deployment --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9a61635..d879963 100644 --- a/README.md +++ b/README.md @@ -33,11 +33,11 @@ To deploy Big Bang, the following items are required: - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) - [Iron Bank Personal Access Token](https://registry1.dso.mil) - Under your `User Profile`, copy the `CLI secret`. - [Repo1 Personal Access Token](https://repo1.dso.mil/-/profile/personal_access_tokens) - You will need `read_repository` permissions. +- [Helm](https://helm.sh/docs/intro/install/) +- [Kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/) In addition, the following items are recommended to assist with troubleshooting: -- [Helm](https://helm.sh/docs/intro/install/) -- [Kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/) - [K9S](https://github.com/derailed/k9s) ## Setup @@ -133,6 +133,10 @@ git push --set-upstream origin template-demo We need to reference your git repository so that Big Bang will use the configuration. Add your repository into the `GitRepository` resource in `dev/bigbang.yaml`: +```shell +cd ../dev/ +``` + > Replace your forked Git repo where it states `replace-with-your-git-repo`. Replace `replace-with-your-branch` with your branch name (e.g. `template-demo` as created above). ```yaml 
@@ -193,7 +197,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) ```shell # Flux is used to sync Git with the the cluster configuration - curl https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/scripts/deploy/flux.yaml | kubectl apply -f - + kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=master | kubectl apply -f - # Wait for flux to complete kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system @@ -202,7 +206,6 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) 1. Deploy Big Bang ```shell - cd ../dev kubectl apply -f bigbang.yaml # Verify 'bigbang' namespace is created -- GitLab From e4b4065c4bcc30e0dc5aaa2588d84515e78bc311 Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Thu, 8 Jul 2021 12:06:32 -0400 Subject: [PATCH 02/13] docs: updated changelog for release --- CHANGELOG.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df06729..73d694b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,11 +2,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -- [Changelog](#changelog) - - [[Unreleased]](#unreleased) - - [Added](#added) - -## [Unreleased] +## [1.0.0] ### Added @@ -28,3 +24,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - [CHANGELOG.md](CHANGELOG.md) - [CODEOWNERS](CODEOWNERS) - [CONTRIBUTING.md](CONTRIBUTING.md) +- Terraform template for AWS with... + - Multi-environment support + - High-availability (cross-zone) and auto-scaling + - Private and public subnets + - Load balancer + - Bastion server -- GitLab From 2f5995d4626557a5abdac50d677bfd1025cf6550 Mon Sep 17 00:00:00 2001 
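Review bot: The replacement bootstrap command pins the Flux manifests to `?ref=master`, so whatever that branch holds at the moment a user runs `kustomize build … | kubectl apply -f -` is applied to the cluster, with whatever RBAC those manifests carry, and nothing in this repository records which revision was applied. The kustomization base shown later in the README is pinned to a release tag; suggest the same here, e.g. `kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=<release-tag> | kubectl apply -f -` (placeholder), with a sentence saying the tag should match the Big Bang release referenced in `dev/kustomization.yaml`. That also makes the two Flux installs reproducible when the doc is followed months apart.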
From: Michael McLeroy Date: Fri, 9 Jul 2021 16:22:07 -0400 Subject: [PATCH 03/13] fix: unique s3 bucket based on cluster name --- CHANGELOG.md | 6 ++++++ terraform/terragrunt.hcl | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 73d694b..fc71aac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.0.1] + +### Changed + +- Terraform cache S3 bucket created off of name in environment + ## [1.0.0] ### Added
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
index 02f406a..d3ac443 100644
--- a/terraform/terragrunt.hcl
+++ b/terraform/terragrunt.hcl
@@ -27,7 +27,7 @@ remote_state {
 config = {
 encrypt = true
 key = format("%s/terraform.tfstate", path_relative_to_include())
- bucket = "p1-bigbang-live-tf-states-${local.env.region}"
+ bucket = "${local.env.name}-terraform-state"
 region = local.env.region
 }
 }
\ No newline at end of file
-- GitLab
From 0a2c46a54e71506cfd80f6804c04a547a083d94b Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Mon, 12 Jul 2021 11:39:58 -0400 Subject: [PATCH 04/13] feat: update to non-classic load balancer --- terraform/modules/elb/main.tf | 197 ++++++++++-------- terraform/modules/elb/outputs.tf | 12 +- terraform/modules/elb/variables.tf | 17 +- terraform/modules/pool/main.tf | 7 +- terraform/modules/pool/variables.tf | 14 +- .../us-gov-west-1/prod/pool/terragrunt.hcl | 4 +- 6 files changed, 140 insertions(+), 111 deletions(-)
diff --git a/terraform/modules/elb/main.tf b/terraform/modules/elb/main.tf
index c9d515d..4e18104 100644
--- a/terraform/modules/elb/main.tf
+++ b/terraform/modules/elb/main.tf
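Review bot: The new state bucket name `"${local.env.name}-terraform-state"` is built only from the environment name, and S3 bucket names are global within a partition, so a generic name (the `bigbang-dev` default used elsewhere in this series) may already belong to another account; Terragrunt would then fail to create the bucket, and if that foreign bucket happens to be writable the state file, which carries secrets, would be written into it. Adding an account- or region-specific component avoids the collision, e.g. `bucket = "${local.env.name}-${local.env.region}-terraform-state"` (the removed name carried the region for this reason). The rest of the `remote_state` block is outside the hunk; if it does not already set `dynamodb_table`, state locking is missing as well.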
@@ -5,112 +5,133 @@
 # - Security group created for other entities to use for ingress from the ELB
 # - Attaching a pool to the load balancer is done outside of this Terraform
-# Security group for load balancer
-resource "aws_security_group" "elb" {
- name_prefix = "${var.name}-elb-"
- description = "${var.name} Elastic Load Balancer"
- vpc_id = "${var.vpc_id}"
+resource "aws_lb" "public_nlb" {
+ name = "${var.name}-public-nlb"
+ internal = false
+ load_balancer_type = "network"
+ subnets = var.subnet_ids
- # Allow all HTTP traffic
- ingress {
- description = "HTTP Traffic"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ tags = merge({}, var.tags)
+}
+
+resource "aws_lb_target_group" "public_nlb_http" {
+ name = "${var.name}-public-nlb-http"
+ port = var.node_port_http
+ protocol = "TCP"
+ vpc_id = var.vpc_id
+
+ health_check {
+ port = var.node_port_health_checks
+ path = "/healthz/ready"
 }
+ lifecycle {
+ create_before_destroy = true
+ }
+ tags = merge({}, var.tags)
+}
- # Allow all HTTPS traffic
- ingress {
- description = "HTTPS Traffic"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+resource "aws_lb_target_group" "public_nlb_https" {
+ name = "${var.name}-public-nlb-https"
+ port = var.node_port_https
+ protocol = "TCP"
+ vpc_id = var.vpc_id
+
+ health_check {
+ port = var.node_port_health_checks
+ path = "/healthz/ready"
+ }
+ lifecycle {
+ create_before_destroy = true
 }
+ tags = merge({}, var.tags)
+}
+
+resource "aws_lb_target_group" "public_nlb_sni" {
+ name = "${var.name}-public-nlb-sni"
+ port = var.node_port_sni
+ protocol = "TCP"
+ vpc_id = var.vpc_id
- # Allow all egress
- egress {
- description = "All traffic out"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ health_check {
+ port = var.node_port_health_checks
+ path = "/healthz/ready"
+ }
+ lifecycle {
+ create_before_destroy = true
 }
+ tags = merge({}, var.tags)
+}
- tags = var.tags
+resource "aws_lb_listener" "public_nlb_http" {
+ load_balancer_arn = aws_lb.public_nlb.arn
+ port = "80"
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.public_nlb_http.arn
+ }
+}
+
+resource "aws_lb_listener" "public_nlb_https" {
+ load_balancer_arn = aws_lb.public_nlb.arn
+ port = "443"
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.public_nlb_https.arn
+ }
+}
+
+resource "aws_lb_listener" "public_nlb_sni" {
+ load_balancer_arn = aws_lb.public_nlb.arn
+ port = "15443"
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.public_nlb_sni.arn
+ }
+}
+
+# Retrieve the IP addresses of the nlb
+data "aws_network_interface" "public_nlb" {
+ for_each = toset(var.subnet_ids)
+
+ filter {
+ name = "description"
+ values = ["ELB ${aws_lb.public_nlb.arn_suffix}"]
+ }
+
+ filter {
+ name = "subnet-id"
+ values = [each.value]
+ }
 }
 # Security group for server pool to allow traffic from load balancer
-resource "aws_security_group" "elb_pool" {
- name_prefix = "${var.name}-elb-pool-"
- description = "${var.name} Traffic to Elastic Load Balancer server pool"
+resource "aws_security_group" "public_nlb_pool" {
+ name_prefix = "${var.name}-public-nlb-to-pool-"
+ description = "${var.name} Traffic from public Network Load Balancer to server pool"
 vpc_id = "${var.vpc_id}"
 # Allow all traffic from load balancer
 ingress {
- description = "Allow Load Balancer Traffic"
+ description = "Allow public Network Load Balancer traffic"
 from_port = 0
 to_port = 0
- protocol = "-1"
- security_groups = [aws_security_group.elb.id]
+ protocol = -1
+ cidr_blocks = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.private_ip])
 }
- tags = var.tags
-}
-
-# Create Elastic Load Balancer
-module "elb" {
- source = "terraform-aws-modules/elb/aws"
- version = "~> 3.0"
- name = "${var.name}-elb"
- subnets = var.subnet_ids
- security_groups = [aws_security_group.elb.id]
- internal = false
-
- # Port: Description
- # 80: HTTP for applications
- # 443: HTTPS for applications
- # 15021: Istio Health Checks
- # 15443: Istio SNI Routing in multi-cluster environment
- listener = [
- {
- instance_port = var.node_port_http
- instance_protocol = "TCP"
- lb_port = 80
- lb_protocol = "tcp"
- },
- {
- instance_port = var.node_port_https
- instance_protocol = "TCP"
- lb_port = 443
- lb_protocol = "tcp"
- },
- {
- instance_port = var.node_port_health_checks
- instance_protocol = "TCP"
- lb_port = 15021
- lb_protocol = "tcp"
- },
- {
- instance_port = var.node_port_sni
- instance_protocol = "TCP"
- lb_port = 15443
- lb_protocol = "tcp"
- },
- ]
-
- health_check = {
- target = "TCP:${var.node_port_health_checks}"
- interval = 10
- healthy_threshold = 2
- unhealthy_threshold = 6
- timeout = 5
+ ingress {
+ description = "Allow public Network Load Balancer traffic"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.public_ip])
 }
- access_logs = {}
-
- tags = merge({
- "kubernetes.io/cluster/${var.name}" = "shared"
- }, var.tags)
+ tags = var.tags
 }
\ No newline at end of file
diff --git a/terraform/modules/elb/outputs.tf b/terraform/modules/elb/outputs.tf
index 089e666..1580a12 100644
--- a/terraform/modules/elb/outputs.tf
+++ b/terraform/modules/elb/outputs.tf
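Review bot: The rewritten `public_nlb_pool` security group still admits every protocol and port (`from_port = 0`, `to_port = 0`, `protocol = -1`) from the load balancer's addresses, and the second rule repeats that for the ENIs' `public_ip`, although the only traffic the nodes should receive from the NLB is TCP on the four node ports (the health-check port and the three target-group ports); the public-IP rule is dropped again in PATCH 08/13, but the remaining rule should be narrowed to `protocol = "tcp"` and the node-port range rather than all traffic. Separately, each `aws_lb_target_group` declares `health_check { path = "/healthz/ready" }` without a health-check `protocol`; for a `TCP` target group the health check defaults to TCP, where a path is only meaningful for HTTP/HTTPS checks, so this probably needs `protocol = "HTTP"` inside `health_check` (or the `path` removed) — confirm against a plan. Not carrying the old 15021 listener over is fine, since the health port no longer needs to be reachable from the internet.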
@@ -1,9 +1,9 @@
-output "elb_id" {
- description = "The Elastic Load Balancer (ELB) ID"
- value = module.elb.elb_id
+output "pool_sg_id" {
+ description = "The ID of the security group used as an inbound rule for load balancer's back-end server pool"
+ value = aws_security_group.public_nlb_pool.id
 }
-output "pool_sg_id" {
- description = "The ID of the security group used as an inbound rule for load balancer's back-end application instances"
- value = aws_security_group.elb_pool.id
+output "elb_target_group_arns" {
+ description = "The load balancer target group ARNs"
+ value = [aws_lb_target_group.public_nlb_http.arn, aws_lb_target_group.public_nlb_https.arn, aws_lb_target_group.public_nlb_sni.arn]
 }
\ No newline at end of file
diff --git a/terraform/modules/elb/variables.tf b/terraform/modules/elb/variables.tf
index 848b9cb..7d862f3 100644
--- a/terraform/modules/elb/variables.tf
+++ b/terraform/modules/elb/variables.tf
@@ -14,28 +14,27 @@ variable "subnet_ids" {
 type = list(string)
 }
+variable "node_port_health_checks" {
+ description = "The node port to use for Istio health check traffic"
+ type = string
+ default = "30000"
+}
 variable "node_port_http" {
 description = "The node port to use for HTTP traffic"
 type = string
- default = "30080"
+ default = "30001"
 }
 variable "node_port_https" {
 description = "The node port to use for HTTPS traffic"
 type = string
- default = "30443"
-}
-
-variable "node_port_health_checks" {
- description = "The node port to use for Istio health check traffic"
- type = string
- default = "32021"
+ default = "30002"
 }
 variable "node_port_sni" {
 description = "The node port to use for Istio SNI traffic"
 type = string
- default = "32443"
+ default = "30003"
 }
 variable "tags" {
diff --git a/terraform/modules/pool/main.tf b/terraform/modules/pool/main.tf
index 7e656c8..df0eba5 100644
--- a/terraform/modules/pool/main.tf
+++ b/terraform/modules/pool/main.tf
@@ -1,6 +1,9 @@
 # Connects an Elastic Load Balancer to a pool of servers
+# NOTE: RKE2 already sets the lifecycle of the auto scale group to ignore changes in load balancers and target groups
+# See https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform/-/blob/master/modules/nodepool/main.tf#L113
 resource "aws_autoscaling_attachment" "pool" {
- elb = var.elb_id
+ for_each = toset(var.elb_target_group_arns)
 autoscaling_group_name = var.pool_asg_id
-}
+ alb_target_group_arn = each.value
+}
\ No newline at end of file
diff --git a/terraform/modules/pool/variables.tf b/terraform/modules/pool/variables.tf
index 1adae13..ee1ce2a 100644
--- a/terraform/modules/pool/variables.tf
+++ b/terraform/modules/pool/variables.tf
@@ -1,9 +1,15 @@
-variable "elb_id" {
- description = "The load balancer ID to attach the pool"
- type = string
+variable "name" {
+ description = "The name to apply to resources"
+ type = string
+ default = "bigbang-dev"
+}
+
+variable "elb_target_group_arns" {
+ description = "The load balancer's target group ARNs to attach to the autoscale group"
+ type = list(string)
 }
 variable "pool_asg_id" {
- description = "The autoscale group IDs that make up the pool to attach to the load balancer"
+ description = "The pool's autoscale group ID"
 type = string
 }
\ No newline at end of file
diff --git a/terraform/us-gov-west-1/prod/pool/terragrunt.hcl b/terraform/us-gov-west-1/prod/pool/terragrunt.hcl
index 46c6a03..3a9c687 100644
--- a/terraform/us-gov-west-1/prod/pool/terragrunt.hcl
+++ b/terraform/us-gov-west-1/prod/pool/terragrunt.hcl
@@ -16,7 +16,7 @@ include {
 dependency "elb" {
 config_path = "../elb"
 mock_outputs = {
- elb_id = "mock_elb_id"
+ elb_target_group_arns = ["mock_elb_id"]
 }
 }
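Review bot: `mock_outputs` now supplies `elb_target_group_arns = ["mock_elb_id"]` for `dependency "elb"`, a value that is not ARN-shaped; if Terragrunt ever feeds the mock into a plan of this module, `aws_autoscaling_attachment.pool` may fail provider validation on `alb_target_group_arn` instead of planning cleanly. A plausibly shaped placeholder avoids that, e.g. `elb_target_group_arns = ["arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:000000000000:targetgroup/mock/0000000000000000"]` (constructed sample). The `name` variable added to `pool/variables.tf` is not referenced in the `pool/main.tf` hunk; the rest of that file is not shown, so it may be unused.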
@@ -28,7 +28,7 @@ dependency "agent" {
 }
 inputs = {
- elb_id = dependency.elb.outputs.elb_id
+ elb_target_group_arns = dependency.elb.outputs.elb_target_group_arns
 pool_asg_id = dependency.agent.outputs.nodepool_id
 tags = merge(local.env.region_tags, local.env.tags, {})
 }
\ No newline at end of file
-- GitLab
From 1b4eae90766f7aa36923d9f11ef66172600db0bc Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Mon, 12 Jul 2021 11:40:28 -0400 Subject: [PATCH 05/13] fix(terragrunt): remote state exists behavior --- terraform/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
index d3ac443..ea21820 100644
--- a/terraform/terragrunt.hcl
+++ b/terraform/terragrunt.hcl
@@ -21,7 +21,7 @@ remote_state {
 generate = {
 path = "backend.tf"
- if_exists = "overwrite_terragrunt"
+ if_exists = "overwrite"
 }
 config = {
-- GitLab
From 14ad512dc144bca2980212585177ce92c6642e94 Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Mon, 12 Jul 2021 11:45:21 -0400 Subject: [PATCH 06/13] feat(kubeconfig): update default name --- terraform/modules/k8s/main.tf | 4 ++++ terraform/modules/k8s/variables.tf | 6 ++++++ 2 files changed, 10 insertions(+)
diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf
index 1924376..0962d68 100644
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/k8s/main.tf
@@ -15,6 +15,10 @@ resource "null_resource" "kubeconfig" {
 # Merge new config into existing
 export KUBECONFIGBAK=$KUBECONFIG
 export KUBECONFIG=~/.kube/new:~/.kube/config
+ # Replace default with cluster name
+ sed -ri 's/: default$/: ${var.name}/g'
+ # Update user only with more info
+ sed -ri 's/(user|- name): ${var.name}$/\1: clusterUser_${var.name}/g' ~/.kube/new
 # Do not redirect to ~/.kube/config or you may truncate the results
 kubectl config view --flatten > ~/.kube/merged
 mv -f ~/.kube/merged ~/.kube/config
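Review bot: The first added line, `sed -ri 's/: default$/: ${var.name}/g'`, has no file operand, so with `-i` GNU sed stops with `sed: no input files` and the `default` context is never renamed; the same line is carried into the PATCH 08/13 hunk and only gains `~/.kube/new` in PATCH 10/13. Both commands also splice `${var.name}` into a sed regex and replacement unescaped (assuming this heredoc is a Terraform template, the value is substituted before the shell runs), so a name containing `/`, `.`, `|`, `&` or `\` would change the expression or corrupt the kubeconfig; the `bigbang-dev` default is safe, but a `validation` block on the variable such as `condition = can(regex("^[a-z0-9-]+$", var.name))`, or at least a comment `# var.name is used verbatim in a sed expression; keep it to [a-z0-9-]`, would make the constraint explicit. The `null_resource` block continues outside the hunk.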
diff --git a/terraform/modules/k8s/variables.tf b/terraform/modules/k8s/variables.tf
index a7c10bf..3e052af 100644
--- a/terraform/modules/k8s/variables.tf
+++ b/terraform/modules/k8s/variables.tf
@@ -1,3 +1,9 @@
+variable "name" {
+ description = "The name to apply to the resources"
+ type = string
+ default = "bigbang-dev"
+}
+
 variable "kubeconfig_path" {
 description = "Remote path to kubeconfig"
 type = string
-- GitLab
From 806cc295b637930c7e24a81e8c0aefd158961d1b Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Mon, 12 Jul 2021 11:45:41 -0400 Subject: [PATCH 07/13] chore(rke): update to latest version --- terraform/us-gov-west-1/prod/agent/terragrunt.hcl | 5 ++--- terraform/us-gov-west-1/prod/server/terragrunt.hcl | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/terraform/us-gov-west-1/prod/agent/terragrunt.hcl b/terraform/us-gov-west-1/prod/agent/terragrunt.hcl
index b9eb418..5c9c18c 100644
--- a/terraform/us-gov-west-1/prod/agent/terragrunt.hcl
+++ b/terraform/us-gov-west-1/prod/agent/terragrunt.hcl
@@ -8,7 +8,7 @@ locals {
 }
 terraform {
- source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.8"
+ source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.9"
 }
 include {
@@ -80,5 +80,4 @@ inputs = {
 pre_userdata = local.env.cluster.init_script
 tags = merge(local.env.region_tags, local.env.tags, {})
-}
-
+}
\ No newline at end of file
diff --git a/terraform/us-gov-west-1/prod/server/terragrunt.hcl b/terraform/us-gov-west-1/prod/server/terragrunt.hcl
index 176e007..164ec80 100644
--- a/terraform/us-gov-west-1/prod/server/terragrunt.hcl
+++ b/terraform/us-gov-west-1/prod/server/terragrunt.hcl
@@ -8,7 +8,7 @@ locals {
 }
 terraform {
- source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//?ref=v1.1.8"
+ source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//?ref=v1.1.9"
 }
 include {
-- GitLab
From c2ec232fb09dc4b6eb51ec5f61a872d1bab5f16c Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Mon, 12 Jul 2021 12:05:35 -0400 Subject: [PATCH 08/13] fix(terraform): elb security group --- terraform/modules/elb/main.tf | 8 -------- terraform/modules/k8s/main.tf | 4 ++-- 2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/terraform/modules/elb/main.tf b/terraform/modules/elb/main.tf
index 4e18104..64eea3b 100644
--- a/terraform/modules/elb/main.tf
+++ b/terraform/modules/elb/main.tf
@@ -125,13 +125,5 @@ resource "aws_security_group" "public_nlb_pool" {
 cidr_blocks = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.private_ip])
 }
- ingress {
- description = "Allow public Network Load Balancer traffic"
- from_port = 0
- to_port = 0
- protocol = -1
- cidr_blocks = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.public_ip])
- }
-
 tags = var.tags
 }
\ No newline at end of file
diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf
index 0962d68..17a66c4 100644
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/k8s/main.tf
@@ -16,9 +16,9 @@ resource "null_resource" "kubeconfig" {
 export KUBECONFIGBAK=$KUBECONFIG
 export KUBECONFIG=~/.kube/new:~/.kube/config
 # Replace default with cluster name
- sed -ri 's/: default$/: ${var.name}/g'
+ sed -ri "s/: default$/: ${var.name}/g"
 # Update user only with more info
- sed -ri 's/(user|- name): ${var.name}$/\1: clusterUser_${var.name}/g' ~/.kube/new
+ sed -ri "s/(user|- name): ${var.name}$/\1: clusterUser_${var.name}/g" ~/.kube/new
 # Do not redirect to ~/.kube/config or you may truncate the results
 kubectl config view --flatten > ~/.kube/merged
 mv -f ~/.kube/merged ~/.kube/config
-- GitLab
From d5432822b581b349737f19dd7fe5b06ff5506801 Mon Sep 17 00:00:00 2001 From: Michael McLeroy Date: Mon, 12 Jul 2021 13:44:33 -0400 Subject: [PATCH 09/13] feat(terraform): upload .ssh key --- terraform/modules/k8s/variables.tf | 10 ---------- terraform/modules/{k8s => s3}/main.tf | 17 ++++++++++++++--- terraform/modules/s3/variables.tf | 16 ++++++++++++++++ .../us-gov-west-1/prod/main/terragrunt.hcl | 9 ++++++++- 4 files changed, 38 insertions(+), 14 deletions(-) delete mode 100644 terraform/modules/k8s/variables.tf rename terraform/modules/{k8s => s3}/main.tf (60%) create mode 100644 terraform/modules/s3/variables.tf
diff --git a/terraform/modules/k8s/variables.tf b/terraform/modules/k8s/variables.tf
deleted file mode 100644
index 3e052af..0000000
--- a/terraform/modules/k8s/variables.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-variable "name" {
- description = "The name to apply to the resources"
- type = string
- default = "bigbang-dev"
-}
-
-variable "kubeconfig_path" {
- description = "Remote path to kubeconfig"
- type = string
-}
\ No newline at end of file
diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/s3/main.tf
similarity index 60%
rename from terraform/modules/k8s/main.tf
rename to terraform/modules/s3/main.tf
index 17a66c4..55419ba 100644
--- a/terraform/modules/k8s/main.tf
+++ b/terraform/modules/s3/main.tf
@@ -1,5 +1,6 @@
-# After the cluster is setup, this script will retrieve the Kubeconfig
-# file from S3 storage and merge in the local ~/.kube/config
+# After the cluster is setup, these scripts will ...
+# - Retrieve the Kuberntes config file from S3 and merge it with the local ~/.kube/config
+# - Upload the SSH private key to S3
 # Retrieves kubeconfig
 resource "null_resource" "kubeconfig" {
@@ -22,6 +23,7 @@ resource "null_resource" "kubeconfig" {
 # Do not redirect to ~/.kube/config or you may truncate the results
 kubectl config view --flatten > ~/.kube/merged
 mv -f ~/.kube/merged ~/.kube/config
+ chmod 0600 ~/.kube/config
 # Cleanup
 rm -f ~/.kube/new
@@ -29,4 +31,13 @@ resource "null_resource" "kubeconfig" {
 unset KUBECONFIGBAK
 EOF
 }
-}
\ No newline at end of file
+}
+
+# Upload SSH private key
+resource "aws_s3_bucket_object" "sshkey" {
+ key = "ssh-private-key.pem"
+ # Get bucket name in middle of s3:///rke2.yaml
+ bucket = replace(replace(var.kubeconfig_path, "/\\/[^/]*$/", ""), "/^[^/]*\\/\\//", "")
+ source = pathexpand("${var.private_key_path}/${var.name}.pem")
+ server_side_encryption = "aws:kms"
+}
diff --git a/terraform/modules/s3/variables.tf b/terraform/modules/s3/variables.tf
new file mode 100644
index 0000000..3f4b4d4
--- /dev/null
+++ b/terraform/modules/s3/variables.tf
@@ -0,0 +1,16 @@
+variable "name" {
+ description = "The name of the SSH key"
+ type = string
+ default = "bigbang-dev"
+}
+
+variable "kubeconfig_path" {
+ description = "Remote path to kubeconfig"
+ type = string
+}
+
+variable "private_key_path" {
+ description = "Local path to SSH private key"
+ type = string
+ default = "~/.ssh"
+}
\ No newline at end of file
diff --git a/terraform/us-gov-west-1/prod/main/terragrunt.hcl b/terraform/us-gov-west-1/prod/main/terragrunt.hcl
index dbcdbe5..77c1e2a 100644
--- a/terraform/us-gov-west-1/prod/main/terragrunt.hcl
+++ b/terraform/us-gov-west-1/prod/main/terragrunt.hcl
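Review bot: `aws_s3_bucket_object.sshkey` uploads the cluster's SSH private key with `server_side_encryption = "aws:kms"` but no `kms_key_id`, so the object is protected only by the AWS-managed `aws/s3` key, which any principal with `s3:GetObject` on the bucket can use; the bucket is the one already holding the kubeconfig (derived from `var.kubeconfig_path`), and no ACL or bucket-policy restriction is visible in this module. If the key must be in S3 at all, a customer-managed key scoped to the operators who need it (`kms_key_id = <key-arn>`, placeholder) plus a bucket policy limited to those principals would bound who can retrieve it, and the reason for the upload should be stated in the `# Upload SSH private key` comment so the next maintainer does not remove or widen it blindly. The comment `# Get bucket name in middle of s3:///rke2.yaml` also appears to have lost its bucket placeholder; `# Get bucket name in the middle of s3://<bucket>/rke2.yaml` reads as intended.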
@@ -1,7 +1,13 @@
 # This file performs post-cluster actions, like downloading the kubeconfig
+locals {
+ env = merge(
+ yamldecode(file(find_in_parent_folders("region.yaml"))),
+ yamldecode(file(find_in_parent_folders("env.yaml")))
+ )
+}
 terraform {
- source = "${path_relative_from_include()}//modules/k8s"
+ source = "${path_relative_from_include()}//modules/s3"
 }
 include {
@@ -16,5 +22,6 @@ dependency "server" {
 }
 inputs = {
+ name = local.env.name
 kubeconfig_path = dependency.server.outputs.kubeconfig_path
 }
\ No newline at end of file
-- GitLab
From a8c7bab58f46dcf5826781128554d2b72b9b3936 Mon Sep 17 00:00:00 2001 From: michaelmcleroy Date: Mon, 12 Jul 2021 15:04:05 -0400 Subject: [PATCH 10/13] fix(terraform): fix rename of default profile --- terraform/modules/s3/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/modules/s3/main.tf b/terraform/modules/s3/main.tf
index 55419ba..10abfda 100644
--- a/terraform/modules/s3/main.tf
+++ b/terraform/modules/s3/main.tf
@@ -17,7 +17,7 @@ resource "null_resource" "kubeconfig" {
 export KUBECONFIGBAK=$KUBECONFIG
 export KUBECONFIG=~/.kube/new:~/.kube/config
 # Replace default with cluster name
- sed -ri "s/: default$/: ${var.name}/g"
+ sed -ri "s/: default$/: ${var.name}/g" ~/.kube/new
 # Update user only with more info
 sed -ri "s/(user|- name): ${var.name}$/\1: clusterUser_${var.name}/g" ~/.kube/new
 # Do not redirect to ~/.kube/config or you may truncate the results
-- GitLab
From 7641670ad8c4e90dc04fb8faf238699fe9d08877 Mon Sep 17 00:00:00 2001 From: michaelmcleroy Date: Tue, 13 Jul 2021 18:05:52 +0000 Subject: [PATCH 11/13] Security Group update --- CHANGELOG.md | 17 +++++++++++++++++ terraform/modules/elb/main.tf | 32 ++++++++++++++++++++++++++++---- 2 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc71aac..5abec4d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.1.1] + +### Changed +- Security groups between internet facing network load balancer and agent's node ports updated to fix ingress + +## [1.1.0] + +### Added + +- Upload of private SSH to encrypted S3 bucket +- Rename of `default` Kubernetes profile to environment name +- Change permissions of local Kubernetes config file to read/write of owner only + +### Changed + +- Migrated terraform classic load balancer to regular load balancer + ## [1.0.1] ### Changed
diff --git a/terraform/modules/elb/main.tf b/terraform/modules/elb/main.tf
index 64eea3b..e11301e 100644
--- a/terraform/modules/elb/main.tf
+++ b/terraform/modules/elb/main.tf
@@ -118,12 +118,36 @@ resource "aws_security_group" "public_nlb_pool" {
 # Allow all traffic from load balancer
 ingress {
- description = "Allow public Network Load Balancer traffic"
- from_port = 0
- to_port = 0
- protocol = -1
+ description = "Allow public Network Load Balancer traffic to health check"
+ from_port = var.node_port_health_checks
+ to_port = var.node_port_health_checks
+ protocol = "tcp"
 cidr_blocks = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.private_ip])
 }
+ ingress {
+ description = "Allow internet traffic to HTTP node port"
+ from_port = var.node_port_http
+ to_port = var.node_port_http
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "Allow internet traffic to HTTPS node port"
+ from_port = var.node_port_https
+ to_port = var.node_port_https
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "Allow internet traffic to SNI node port"
+ from_port = var.node_port_sni
+ to_port = var.node_port_sni
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
 tags = var.tags
 }
\ No newline at end of file
-- GitLab
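Review bot: The three new ingress rules open the HTTP, HTTPS and SNI node ports to `0.0.0.0/0` on the node-pool security group, so the agents accept that traffic from any source, not only through the load balancer; any node with a public address (the changelog in this series mentions public subnets) is then reachable directly, bypassing the NLB. This looks like a workaround for the NLB preserving client source addresses, which made the earlier NLB-IP-only rule reject real clients. The alternative that keeps the nodes closed is to disable client IP preservation on the three target groups (`preserve_client_ip = false` in each `aws_lb_target_group`, where the target type permits it) and keep these rules restricted to the NLB ENI `/32`s exactly as the health-check rule above already is; if the source addresses are genuinely needed, the rules should at least carry a comment saying so and the node pool should be confirmed to sit in private subnets. The opening of the security-group block is outside the hunk.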
From d9497e1d9b01ba9f8223bf65f1b7c0dd479e9817 Mon Sep 17 00:00:00 2001 From: michaelmcleroy Date: Wed, 28 Jul 2021 15:26:59 +0000 Subject: [PATCH 12/13] Fix wildcard cert issue and update documentation --- CHANGELOG.md | 12 ++++++++++ README.md | 49 +++++++++++++++++++++++++++++++------- base/bigbang-dev-cert.yaml | 9 ------- base/configmap.yaml | 9 ++++++- base/kustomization.yaml | 6 ++--- dev/configmap.yaml | 33 ++----------------------- 6 files changed, 64 insertions(+), 54 deletions(-) delete mode 100644 base/bigbang-dev-cert.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 5abec4d..239283b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.2.0] + +### Changed + +- Fix namespace error (istio-system) when deploying wildcard-cert +- Updated expired certificate for *.bigbang.dev +- Added default values for `istio.ingress.tls.*` to workaround Helm error on `nil` values. +- Updated [README.md](./README.md) for TLS cert +- Updated [README.md](./README.md) for sops key creation (Issue #8) +- Updated default BigBang release to 1.12.0 in kustomization. + ## [1.1.1] ### Changed + - Security groups between internet facing network load balancer and agent's node ports updated to fix ingress ## [1.1.0] diff --git a/README.md b/README.md index d879963..641cd6d 100644 --- a/README.md +++ b/README.md 
@@ -173,7 +173,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) ```shell # The private key is not stored in Git (and should NEVER be stored there). We deploy it manually by exporting the key into a secret. kubectl create namespace bigbang - gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin + gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin ``` 1. Create imagePullSecrets for Flux @@ -184,6 +184,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) # Adding a space before this command keeps our PAT out of our history kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username= --docker-password= -n flux-system + ``` 1. Create Git credentials for Flux @@ -232,7 +233,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) # If you are deployed on a remote host you will need to point "kiali.bigbang.dev" to your cluster master node via your /etc/hosts file ``` - > If you cannot get to the main page of Kiali, it may be due to an expired certificate. Check the expiration of the certificate in `base/bigbang-dev-cert.yaml`. + > If you cannot get to the main page of Kiali, it may be due to an expired certificate. Check the expiration of the certificate in `base/configmap.yaml`. > For troubleshooting deployment problems, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) documentation. @@ -274,7 +275,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa ```yaml bases: - - https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.8.0 + - https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.12.0 ``` - Reference for the Big Bang helm release: 
@@ -287,7 +288,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa spec: ref: $patch: replace - semver: "1.8.0" + semver: "1.12.0" ``` To update `dev/kustomization.yaml`, you would create a `mergePatch` like the following: @@ -303,7 +304,7 @@ patchesStrategicMerge: interval: 1m ref: $patch: replace - semver: "1.9.0" + semver: "1.13.0" ``` > This does not update the kustomize base, but it is unusual for that to change. @@ -312,7 +313,7 @@ Then, commit your change: ```shell git add kustomization.yaml - git commit -m "feat(dev): update bigbang to 1.9.0" + git commit -m "feat(dev): update bigbang to 1.13.0" git push ``` 
@@ -326,19 +327,49 @@ When you are done testing, you can update the reference in `base` (and delete th ### Update the domain -Big Bang deploys applications to `*.bigbang.dev` by default. You can override the `bigbang.dev` domain to your domain by updating `dev/configmap.yaml` and adding the following: +Big Bang deploys applications to `*.bigbang.dev` by default. You can override the `bigbang.dev` domain to your domain by updating `base/configmap.yaml` and adding the following: ```yaml hostname: insert-your-domain-here +# Also, comment out or delete the TLS certificate for *.bigbang.dev +``` + +Since you are changing the domain, you will also need to update your TLS certificates. You should have already removed the default `*.bigbang.dev` certificate from `base/configmap.yaml`. Now, add your new certificate to `base/secrets.enc.yaml`. + +```shell +sops base/secrets.enc.yaml ``` +Put your TLS certificate and private key where it states `replace-with-your-tls-certificate` and `replace-with-your-tls-private-key`. + +> The name of the secret must be `common-bb` if the secret is in the `base` folder or `environment-bb` if the secret is in the `dev` or `prod` folder. The `environment-bb` values take precedence over the `common-bb` values. + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: common-bb +stringData: + values.yaml: |- + registryCredentials: + - registry: registry1.dso.mil + username: already-configured-iron-bank-user + password: already-configured-iron-bank-personal-access-token + istio: + ingress: + cert: "replace-with-your-tls-certificate" + key: "replace-with-your-tls-private-key" +``` + +When you save the file, it will automatically encrypt your secret using SOPS. + > NOTE: The `dev` template includes several overrides to minimize resource usage and increase polling time in a development environment. They are provided for convenience and are NOT required. 
Commit your change: ```shell - git add configmap.yaml - git commit -m "feat(dev): updated domain name" + git add base/configmap.yaml base/secrets.enc.yaml + git commit -m "feat(dev): updated domain name and certificate" git push ``` diff --git a/base/bigbang-dev-cert.yaml b/base/bigbang-dev-cert.yaml deleted file mode 100644 index 4d88697..0000000 --- a/base/bigbang-dev-cert.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: wildcard-cert - namespace: istio-system -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/base/configmap.yaml b/base/configmap.yaml index 9a96c6a..dfd36c2 100644 --- a/base/configmap.yaml +++ b/base/configmap.yaml 
@@ -1 +1,8 @@ -hostname: bigbang.dev \ No newline at end of file +hostname: bigbang.dev + +# TLS key pair for *.bigbang.dev +# These should be moved to a secret and SOPS encrypted when replaced +istio: + ingress: + key: "-----BEGIN PRIVATE KEY-----\nMIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh\nYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13\ngOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp\niApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq\n+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba\n8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH\n1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb\nqTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ\nEpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE\nS+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD\nCIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z\nXqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l\nTkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B\nis5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v\nlpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm\nDRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO\nMwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7\nedXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK\nRagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl\nM2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA\npZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO\nIWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN\nkXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8\nFz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin\n73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0\ndbfd2CfWKgXWqJNl2RCGWIoqDIU=\n-----END PRIVATE KEY-----" + cert: "-----BEGIN 
CERTIFICATE-----\nMIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM\nDSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1\nahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM\nU7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR\n/mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V\n9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs\nLLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz\nD+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD\nVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O\nBBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ\nQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz\nLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv\nMBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw\nNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j\ncnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL\nIiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ\n69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL\nRilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6\nXEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC\nIHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA\nA4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak\nRWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx\nyPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9\n6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl\n3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6\n9xxT5njjSqfC0xOqknR0hhhn5Pbu\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\nov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\nwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\nLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\nbHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\nsR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\nXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\nFQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\nSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\nPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\nTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\nSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\nc3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\nATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\nb3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\nU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\nMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\nWCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\nhe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\nDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END CERTIFICATE-----" \ No newline at end of file 
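Review bot: The `istio.ingress.key` value added to base/configmap.yaml is a plaintext TLS private key committed to Git and, via the `configMapGenerator` in base/kustomization.yaml, rendered into a ConfigMap — readable by anyone with `get configmap` rights in the namespace and outside the SOPS workflow the README uses for `secrets.enc.yaml`. The comment `# These should be moved to a secret and SOPS encrypted when replaced` defers this, but the key is already a usable credential for the `*.bigbang.dev` name the certificate appears to be issued for, and once pushed it stays recoverable from history after any later removal. Suggest moving the `istio.ingress` block into the SOPS-encrypted Secret now and rewording the comment to `# Demo key pair for *.bigbang.dev — published in this repo, so it offers no confidentiality; replace before any non-local use`. The leaf certificate's validity fields also appear to decode to a roughly 90-day window ending in late September 2021, so the demo certificate will need rotation soon after this lands.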
diff --git a/base/kustomization.yaml b/base/kustomization.yaml index 46c9192..52a85ae 100644 --- a/base/kustomization.yaml +++ b/base/kustomization.yaml @@ -1,9 +1,7 @@ # When updating the version of BigBang, make sure to update # both the bases reference and the GitRepository reference bases: -- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.8.0 -resources: -- bigbang-dev-cert.yaml +- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.12.0 configMapGenerator: - name: common behavior: merge @@ -19,4 +17,4 @@ patchesStrategicMerge: spec: ref: $patch: replace - semver: "1.8.0" \ No newline at end of file + semver: "1.12.0" \ No newline at end of file diff --git a/dev/configmap.yaml b/dev/configmap.yaml index 0d27358..0b6adbe 100644 --- a/dev/configmap.yaml +++ b/dev/configmap.yaml @@ -6,7 +6,6 @@ flux: cleanupOnFail: false logging: - enabled: true values: elasticsearch: master: @@ -31,25 +30,10 @@ fluentbit: securityContext: privileged: true -istio: - enabled: true - values: - kiali: - dashboard: - auth: - strategy: "anonymous" - clusterAuditor: - enabled: true - values: - resources: - requests: - cpu: 100m - memory: .5Gi - limits: {} + enabled: false monitoring: - enabled: true values: alertmanager: alertmanagerSpec: @@ -57,48 +41,35 @@ monitoring: requests: cpu: 100m memory: 200Mi - limits: {} prometheusOperator: resources: requests: cpu: 250m memory: 400Mi - limits: {} prometheus: prometheusSpec: resources: requests: cpu: 100m memory: 200Mi - limits: {} grafana: resources: requests: cpu: 100m memory: 128Mi - limits: {} kubeStateMetrics: resources: requests: cpu: 10m memory: 32Mi - limits: {} nodeExporter: resources: requests: cpu: 100m memory: 30Mi - limits: {} gatekeeper: - enabled: true - values: - replicas: 1 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: {} + enabled: false twistlock: enabled: false -- GitLab From 44788bd3efef317a38f2b49c422ff23af2d469c5 Mon Sep 17 00:00:00 2001 
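Review bot: In the last dev/configmap.yaml hunk, `gatekeeper:` changes from `enabled: true` with replica and resource overrides to `enabled: false`, which turns off admission policy enforcement for the dev environment without a recorded reason. Manifests that deploy cleanly in dev can then be rejected by constraints prod still enforces, so the overlay should say why; suggest a comment above the key such as `# Gatekeeper disabled in dev only to save resources; prod keeps policy enforcement`, if that is the intent. The same hunk also drops `enabled: true` under `monitoring`, and the first hunk drops it under `logging`, leaving both on the Big Bang chart default — worth confirming that default still enables them. Dropping the Kiali `strategy: "anonymous"` override in the middle hunk is a welcome change, since it presumably restores the dashboard's default authenticated access.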
From: Michael McLeroy Date: Fri, 30 Jul 2021 13:56:31 -0400 Subject: [PATCH 13/13] fix: semver mismatch to big bang --- CHANGELOG.md | 10 +++ README.md | 92 +++++++++++++------------- base/bigbang-dev-cert.yaml | 130 +++++++++++++++++++++++++++++++++++++ base/configmap.yaml | 9 +-- base/kustomization.yaml | 2 +- dev/configmap.yaml | 15 +++-- dev/kustomization.yaml | 2 +- 7 files changed, 202 insertions(+), 58 deletions(-) create mode 100644 base/bigbang-dev-cert.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 239283b..8003394 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.2.1] + +### Changed + +- Moved TLS cert back out of configmap.yaml +- Updated documentation on how to add and update TLS certificates to encrypted secret. +- Fixed Big Bang version mismatch using semver in kustomization +- Fixed flux install instructions to use version rather than master. New versions of flux may not be backwards compatible. +- Cleaned up dev values.yaml + ## [1.2.0] ### Changed diff --git a/README.md b/README.md index 641cd6d..90708e1 100644 --- a/README.md +++ b/README.md 
@@ -86,6 +86,28 @@ sed -i "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml ## On MacOS sed -i "" "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml + +# Save encrypted secrets into Git +# Configuration changes must be stored in Git to take affect +git add .sops.yaml +git commit -m "chore: update default encryption key" +git push --set-upstream origin template-demo +``` + +### Add TLS Certificates + +The `base/configmap.yaml` is setup to use the domain `bigbang.dev` by default. A demo TLS certificate is provided in `base/bigbang-dev-cert.yaml` to use. Certificates should be encrypted before pushing to Git since they contain both the public and private key. + +```shell +cd base + +# Encrypt the existing certifiate +sops -e bigbang-dev-cert.yaml > secrets.enc.yaml + +# Save encrypted TLS certificate into Git +git add secrets.enc.yaml +git commit -m "chore: add bigbang.dev tls certificates" +git push ``` ### Add Pull Credentials @@ -95,8 +117,7 @@ You will need pull credentials for Iron Bank to retrieve images for Big Bang. > Secrets can be specific to an environment if they are located in that environment's folder (e.g. `prod`, `dev`). Or, they can be shared between environments if located in the `base` directory. ``` shell -# Create a new encrypted secret to contain your pull credentials -cd base +# Edit the same secret holding your TLS certificates to add the pull credentials sops secrets.enc.yaml ``` 
@@ -115,16 +136,17 @@ stringData: - registry: registry1.dso.mil username: replace-with-your-iron-bank-user password: replace-with-your-iron-bank-personal-access-token + istio: + # Leave the TLS certificate info here ``` -When you save the file, it will automatically encrypt your secret using SOPS. +When you save the file, it will automatically re-encrypt your secret using SOPS. ```shell -# Save encrypted secrets into Git -# Configuration changes must be stored in Git to take affect -git add secrets.enc.yaml ../.sops.yaml -git commit -m "chore: added encrypted credentials" -git push --set-upstream origin template-demo +# Save pull credentials into Git +git add secrets.enc.yaml +git commit -m "chore: added iron bank pull credentials" +git push ``` > Your private key to decrypt these secrets is stored in your GPG key ring. You must **NEVER** export this key and commit it to your Git repository since this would comprimise your secrets. @@ -198,7 +220,8 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really) ```shell # Flux is used to sync Git with the the cluster configuration - kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=master | kubectl apply -f - + # If you are using a different version of Big Bang, make sure to update the `?ref=1.12.0` to the correct tag or branch. + kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=1.12.0 | kubectl apply -f - # Wait for flux to complete kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system @@ -288,7 +311,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa spec: ref: $patch: replace - semver: "1.12.0" + tag: "1.12.0" ``` To update `dev/kustomization.yaml`, you would create a `mergePatch` like the following: 
@@ -304,7 +327,7 @@ patchesStrategicMerge: interval: 1m ref: $patch: replace - semver: "1.13.0" + tag: "1.13.0" ``` > This does not update the kustomize base, but it is unusual for that to change. @@ -319,7 +342,7 @@ Then, commit your change: > It may take Big Bang up to 10 minutes to recognize your changes and start to deploy them. This is based on the interval set for polling. You can force Big Bang to recheck by running the [sync.sh](https://repo1.dsop.io/platform-one/big-bang/bigbang/-/blob/master/hack/sync.sh) script. -It is recommended that you track Big Bang releases using the version. However, you can use `tag` or `branch` in place of `semver` if needed. The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference. The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax. +It is recommended that you track Big Bang releases using the version. However, you can use `branch` in place of `tag` if needed. The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference. The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax. When you are done testing, you can update the reference in `base` (and delete this setting in `dev`) to update Big Bang in all environments. 
@@ -331,51 +354,32 @@ Big Bang deploys applications to `*.bigbang.dev` by default. You can override t ```yaml hostname: insert-your-domain-here -# Also, comment out or delete the TLS certificate for *.bigbang.dev ``` -Since you are changing the domain, you will also need to update your TLS certificates. You should have already removed the default `*.bigbang.dev` certificate from `base/configmap.yaml`. Now, add your new certificate to `base/secrets.enc.yaml`. +In addition, you will need to update the TLS certificates by updating `base/secrets.enc.yaml`. ```shell +# Open and edit the encrypted file sops base/secrets.enc.yaml ``` -Put your TLS certificate and private key where it states `replace-with-your-tls-certificate` and `replace-with-your-tls-private-key`. - -> The name of the secret must be `common-bb` if the secret is in the `base` folder or `environment-bb` if the secret is in the `dev` or `prod` folder. The `environment-bb` values take precedence over the `common-bb` values. +After saving the secrets.enc.yaml file, it will be automatically re-encrypted. -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: common-bb -stringData: - values.yaml: |- - registryCredentials: - - registry: registry1.dso.mil - username: already-configured-iron-bank-user - password: already-configured-iron-bank-personal-access-token - istio: - ingress: - cert: "replace-with-your-tls-certificate" - key: "replace-with-your-tls-private-key" +``` shell +# Push changes to Git +git add base/configmap.yaml base/secrets.enc.yaml +git commit -m "chore: updated domain and tls certificates" +git push ``` -When you save the file, it will automatically encrypt your secret using SOPS. - -> NOTE: The `dev` template includes several overrides to minimize resource usage and increase polling time in a development environment. They are provided for convenience and are NOT required. 
- -Commit your change: - -```shell - git add base/configmap.yaml base/secrets.enc.yaml - git commit -m "feat(dev): updated domain name and certificate" - git push -``` +> If you have different certificates for `dev` and `prod`, you can also put the values in `dev/secrets.enc.yaml` or `prod/secrets.enc.yaml` respectively. The name of the secret must be `common-bb` if the secret is in the `base` folder or `environment-bb` if the secret is in the `dev` or `prod` folder. The `environment-bb` values take precedence over the `common-bb` values. +Make sure to add the file to `kustomization.yaml` as a resource if it is not already. ### Additional Big Bang values -For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation. +For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation. Big Bang values can be passed down in the `configmap.yaml` or `secrets.enc.yaml`. See the Kubernetes documentation on [configmaps](https://kubernetes.io/docs/concepts/configuration/configmap/) and [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) for differences between the two. Secrets should always be SOPS encrypted before committing to Git. + +> NOTE: The `dev` template includes several overrides in the `configmap.yaml` to minimize resource usage and increase polling time in a development environment. They are provided for convenience and are NOT required. ### Additional resources diff --git a/base/bigbang-dev-cert.yaml b/base/bigbang-dev-cert.yaml new file mode 100644 index 0000000..88c64a4 --- /dev/null +++ b/base/bigbang-dev-cert.yaml 
@@ -0,0 +1,130 @@ +apiVersion: v1 +kind: Secret +metadata: + name: common-bb +stringData: + # TLS key pair for *.bigbang.dev is used as an example for demo purposes + values.yaml: |- + istio: + ingress: + key: |- + -----BEGIN PRIVATE KEY----- + MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh + YyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13 + gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp + iApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq + +BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba + 8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH + 1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb + qTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ + EpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE + S+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD + CIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z + XqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l + TkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B + is5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v + lpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm + DRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO + MwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7 + edXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK + RagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl + M2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA + pZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO + IWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN + kXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8 + Fz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin + 73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0 + dbfd2CfWKgXWqJNl2RCGWIoqDIU= + -----END PRIVATE KEY----- + cert: |- + 
-----BEGIN CERTIFICATE----- + MIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA + MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD + EwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM + DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1 + ahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM + U7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR + /mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V + 9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs + LLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz + D+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O + BBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ + QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz + Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv + MBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw + NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j + cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL + IiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ + 69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL + RilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6 + XEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC + IHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA + A4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak + RWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx + yPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9 + 6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl + 3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6 + 9xxT5njjSqfC0xOqknR0hhhn5Pbu + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw + 
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw + WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg + RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP + R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx + sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm + NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg + Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG + /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC + AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB + Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA + FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw + AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw + Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB + gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W + PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl + ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz + CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm + lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 + avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 + yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O + yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids + hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ + HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv + MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX + nLRbwHOoq7hHwg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + 
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow + TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh + cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB + AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC + ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL + wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D + LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK + 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 + bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y + sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ + Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 + FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc + SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql + PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND + TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw + SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 + c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx + +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB + ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu + b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E + U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu + MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC + 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW + 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG + WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O + he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC + Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 + -----END CERTIFICATE----- \ No newline at end of file diff --git a/base/configmap.yaml b/base/configmap.yaml index dfd36c2..9a96c6a 100644 --- a/base/configmap.yaml +++ b/base/configmap.yaml 
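Review bot: `key: |-` near the top of the new base/bigbang-dev-cert.yaml commits the demo TLS private key in plaintext, while the README change in the same patch states that certificates must be encrypted before being pushed; the `sops -e` step only produces an encrypted copy, and the plaintext original remains in the repository and its history. The header comment `# TLS key pair for *.bigbang.dev is used as an example for demo purposes` should spell out the consequence, e.g. `# DEMO ONLY: this key pair is public (it is in this repository) and gives no confidentiality; generate or obtain your own before any non-local use`. The diffstat shows base/kustomization.yaml changing by only two lines, so this Secret appears not to be referenced as a kustomize resource and acts as a template rather than something applied directly — worth stating in the comment so nobody adds it as a resource unencrypted. The leaf certificate's validity fields appear to decode to a window ending in late September 2021, so a note on how to rotate the demo certificate belongs next to it.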
@@ -1,8 +1 @@ -hostname: bigbang.dev - -# TLS key pair for *.bigbang.dev -# These should be moved to a secret and SOPS encrypted when replaced -istio: - ingress: - key: "-----BEGIN PRIVATE KEY-----\nMIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh\nYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13\ngOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp\niApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq\n+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba\n8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH\n1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb\nqTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ\nEpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE\nS+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD\nCIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z\nXqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l\nTkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B\nis5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v\nlpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm\nDRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO\nMwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7\nedXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK\nRagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl\nM2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA\npZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO\nIWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN\nkXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8\nFz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin\n73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0\ndbfd2CfWKgXWqJNl2RCGWIoqDIU=\n-----END PRIVATE KEY-----" - cert: "-----BEGIN 
CERTIFICATE-----\nMIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM\nDSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1\nahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM\nU7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR\n/mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V\n9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs\nLLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz\nD+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD\nVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O\nBBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ\nQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz\nLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv\nMBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw\nNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j\ncnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL\nIiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ\n69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL\nRilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6\nXEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC\nIHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA\nA4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak\nRWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx\nyPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9\n6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl\n3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6\n9xxT5njjSqfC0xOqknR0hhhn5Pbu\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\nWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\nRW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\nR5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\nsxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\nNHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\nZ3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\nAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\nAf8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\nFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\nAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\nOi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\ngt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\nPTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\nikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\nCkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\nlJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\navAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\nyJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\nyK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\nhCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\nHlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\nov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\nwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\nLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\nbHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\nsR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\nXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\nFQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\nSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\nPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\nTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\nSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\nc3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\nATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\nb3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\nU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\nMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\nWCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\nhe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\nDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END CERTIFICATE-----" \ No newline at end of file +hostname: bigbang.dev \ No 
newline at end of file diff --git a/base/kustomization.yaml b/base/kustomization.yaml index 52a85ae..b55b7e3 100644 --- a/base/kustomization.yaml +++ b/base/kustomization.yaml @@ -17,4 +17,4 @@ patchesStrategicMerge: spec: ref: $patch: replace - semver: "1.12.0" \ No newline at end of file + tag: "1.12.0" \ No newline at end of file diff --git a/dev/configmap.yaml b/dev/configmap.yaml index 0b6adbe..933f7e9 100644 --- a/dev/configmap.yaml +++ b/dev/configmap.yaml @@ -15,7 +15,6 @@ logging: resources: requests: cpu: .5 - limits: {} data: count: 1 persistence: @@ -23,7 +22,6 @@ logging: resources: requests: cpu: .5 - limits: {} fluentbit: values: @@ -31,7 +29,11 @@ fluentbit: privileged: true clusterAuditor: - enabled: false + values: + resources: + requests: + cpu: 100m + memory: .5Gi monitoring: values: @@ -69,7 +71,12 @@ monitoring: memory: 30Mi gatekeeper: - enabled: false + values: + replicas: 1 + resources: + requests: + cpu: 100m + memory: 256Mi twistlock: enabled: false diff --git a/dev/kustomization.yaml b/dev/kustomization.yaml index b1ea80a..7964ce9 100644 --- a/dev/kustomization.yaml +++ b/dev/kustomization.yaml @@ -18,7 +18,7 @@ patchesStrategicMerge: # Use the following three lines to test a new version of Big Bang without affecting other environments # ref: # $patch: replace -# semver: "1.9.0" +# tag: "1.13.0" - |- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease -- GitLab
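Review bot: Deleting the `istio.ingress.key` and `cert` entries from `base/configmap.yaml` does not un-expose them, because the PEM private key for `*.bigbang.dev` stays recoverable from the repository history; the key pair should be treated as compromised, the certificate revoked, and a freshly generated pair stored in a SOPS-encrypted Secret (as the removed comment itself said) rather than in a ConfigMap. The certificate chain added in the preceding hunk is presumably the new home for this material, but its file header is outside this view, so I cannot confirm that the private key is now encrypted at rest. The new single-line file also ends without a trailing newline (`\ No newline at end of file`); add one so later edits diff cleanly.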
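Review bot: `tag: "1.12.0"` in `base/kustomization.yaml` pins the checkout to a git tag, which is mutable, whereas the removed `semver` constraint resolved to whichever tag matched the range at reconcile time; neither form proves the fetched revision is the one that was reviewed. If this `ref` block patches a Flux `GitRepository` (the patched resource kind is outside the hunk, so this is inferred from `$patch: replace` on `spec.ref`), consider also pinning `commit:` for the base environment or enabling `spec.verify` so the revision is signature-checked before Kustomize builds it. This file too still ends without a trailing newline.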
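Review bot: `memory: .5Gi` in the `clusterAuditor` hunk of `dev/configmap.yaml` is a valid quantity but the only fractional binary-SI value in this file; the `gatekeeper` hunk in the same file writes `256Mi`, so `memory: 512Mi` would be consistent and easier to scan. Both hunks replace `enabled: false` with a `values:` block, which enables the package only if the chart default is enabled — presumably so, but not visible here, and a comment such as `# enabled via chart default; requests sized for a single dev node` would make the intent explicit. The two `limits: {}` removals in the `logging` hunks leave requests without limits, so those pods may run unbounded unless the chart sets limits; if that is deliberate for dev, say so in a one-line comment.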