Merge branch 'main' of https://repo1.dso.mil/platform-one/big-bang/customers/template into main

CHANGELOG.md

@@ -2,11 +2,52 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-- [Changelog](#changelog)
-  - [[Unreleased]](#unreleased)
-    - [Added](#added)
+## [1.2.1]
 
-## [Unreleased]
+### Changed
+
+- Moved TLS cert back out of configmap.yaml
+- Updated documentation on how to add and update TLS certificates to encrypted secret.
+- Fixed Big Bang version mismatch using semver in kustomization
+- Fixed flux install instructions to use version rather than master.  New versions of flux may not be backwards compatible.
+- Cleaned up dev values.yaml
+
+## [1.2.0]
+
+### Changed
+
+- Fix namespace error (istio-system) when deploying wildcard-cert
+- Updated expired certificate for *.bigbang.dev
+- Added default values for `istio.ingress.tls.*` to workaround Helm error on `nil` values.
+- Updated [README.md](./README.md) for TLS cert
+- Updated [README.md](./README.md) for sops key creation (Issue #8)
+- Updated default BigBang release to 1.12.0 in kustomization.
+
+## [1.1.1]
+
+### Changed
+
+- Security groups between internet facing network load balancer and agent's node ports updated to fix ingress
+
+## [1.1.0]
+
+### Added
+
+- Upload of private SSH to encrypted S3 bucket
+- Rename of `default` Kubernetes profile to environment name
+- Change permissions of local Kubernetes config file to read/write of owner only
+
+### Changed
+
+- Migrated terraform classic load balancer to regular load balancer
+
+## [1.0.1]
+
+### Changed
+
+- Terraform cache S3 bucket created off of name in environment
+
+## [1.0.0]
 
 ### Added
 
@@ -28,3 +69,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
   - [CHANGELOG.md](CHANGELOG.md)
   - [CODEOWNERS](CODEOWNERS)
   - [CONTRIBUTING.md](CONTRIBUTING.md)
+- Terraform template for AWS with...
+  - Multi-environment support
+  - High-availability (cross-zone) and auto-scaling
+  - Private and public subnets
+  - Load balancer
+  - Bastion server

README.md

@@ -86,6 +86,28 @@ sed -i "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml
 
 ## On MacOS
 sed -i "" "s/pgp: FALSE_KEY_HERE/pgp: ${fp}/" .sops.yaml
+
+# Save encrypted secrets into Git
+# Configuration changes must be stored in Git to take affect
+git add .sops.yaml
+git commit -m "chore: update default encryption key"
+git push --set-upstream origin template-demo
+```
+
+### Add TLS Certificates
+
+The `base/configmap.yaml` is setup to use the domain `bigbang.dev` by default.  A demo TLS certificate is provided in `base/bigbang-dev-cert.yaml` to use.  Certificates should be encrypted before pushing to Git since they contain both the public and private key.
+
+```shell
+cd base
+
+# Encrypt the existing certifiate
+sops -e bigbang-dev-cert.yaml > secrets.enc.yaml
+
+# Save encrypted TLS certificate into Git
+git add secrets.enc.yaml
+git commit -m "chore: add bigbang.dev tls certificates"
+git push
 ```
 
 ### Add Pull Credentials
@@ -95,8 +117,7 @@ You will need pull credentials for Iron Bank to retrieve images for Big Bang.
 > Secrets can be specific to an environment if they are located in that environment's folder (e.g. `prod`, `dev`).  Or, they can be shared between environments if located in the `base` directory.
 
 ``` shell
-# Create a new encrypted secret to contain your pull credentials
-cd base
+# Edit the same secret holding your TLS certificates to add the pull credentials
 sops secrets.enc.yaml
 ```
 
@@ -115,16 +136,17 @@ stringData:
       - registry: registry1.dso.mil
         username: replace-with-your-iron-bank-user
         password: replace-with-your-iron-bank-personal-access-token
+      istio:
+        # Leave the TLS certificate info here
 ```
 
-When you save the file, it will automatically encrypt your secret using SOPS.
+When you save the file, it will automatically re-encrypt your secret using SOPS.
 
 ```shell
-# Save encrypted secrets into Git
-# Configuration changes must be stored in Git to take affect
-git add secrets.enc.yaml ../.sops.yaml
-git commit -m "chore: added encrypted credentials"
-git push --set-upstream origin template-demo
+# Save pull credentials into Git
+git add secrets.enc.yaml
+git commit -m "chore: added iron bank pull credentials"
+git push
 ```
 
 > Your private key to decrypt these secrets is stored in your GPG key ring.  You must **NEVER** export this key and commit it to your Git repository since this would comprimise your secrets.
@@ -173,7 +195,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really)
    ```shell
    # The private key is not stored in Git (and should NEVER be stored there).  We deploy it manually by exporting the key into a secret.
    kubectl create namespace bigbang
-   gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin
+   gpg --export-secret-key --armor ${fp} | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin
    ```
 
 1. Create imagePullSecrets for Flux
@@ -184,6 +206,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really)
 
    # Adding a space before this command keeps our PAT out of our history
     kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=<Your IronBank Username> --docker-password=<Your IronBank Personal Access Token> -n flux-system
+   ```
 
 1. Create Git credentials for Flux
 
@@ -197,7 +220,8 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really)
 
    ```shell
    # Flux is used to sync Git with the the cluster configuration
-   kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=master | kubectl apply -f -
+   # If you are using a different version of Big Bang, make sure to update the `?ref=1.12.0` to the correct tag or branch.
+   kustomize build https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base/flux?ref=1.12.0 | kubectl apply -f -
 
    # Wait for flux to complete
    kubectl get deploy -o name -n flux-system | xargs -n1 -t kubectl rollout status -n flux-system
@@ -232,7 +256,7 @@ Big Bang follows a [GitOps](https://www.weave.works/blog/what-is-gitops-really)
    # If you are deployed on a remote host you will need to point "kiali.bigbang.dev" to your cluster master node via your /etc/hosts file
    ```
 
-   > If you cannot get to the main page of Kiali, it may be due to an expired certificate.  Check the expiration of the certificate in `base/bigbang-dev-cert.yaml`.
+   > If you cannot get to the main page of Kiali, it may be due to an expired certificate.  Check the expiration of the certificate in `base/configmap.yaml`.
 
    > For troubleshooting deployment problems, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) documentation.
 
@@ -274,7 +298,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa
 
   ```yaml
   bases:
-  - https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.8.0
+  - https://repo1.dsop.io/platform-one/big-bang/bigbang.git/base/?ref=v1.12.0
   ```
 
 - Reference for the Big Bang helm release:
@@ -287,7 +311,7 @@ To minimize the risk of an unexpected deployment of a BigBang release, the BigBa
    spec:
       ref:
          $patch: replace
-         semver: "1.8.0"
+         tag: "1.12.0"
    ```
 
 To update `dev/kustomization.yaml`, you would create a `mergePatch` like the following:
@@ -303,7 +327,7 @@ patchesStrategicMerge:
     interval: 1m
     ref:
       $patch: replace
-      semver: "1.9.0"
+      tag: "1.13.0"
 ```
 
 > This does not update the kustomize base, but it is unusual for that to change.
@@ -312,13 +336,13 @@ Then, commit your change:
 
 ```shell
    git add kustomization.yaml
-   git commit -m "feat(dev): update bigbang to 1.9.0"
+   git commit -m "feat(dev): update bigbang to 1.13.0"
    git push
 ```
 
 > It may take Big Bang up to 10 minutes to recognize your changes and start to deploy them.  This is based on the interval set for polling.  You can force Big Bang to recheck by running the [sync.sh](https://repo1.dsop.io/platform-one/big-bang/bigbang/-/blob/master/hack/sync.sh) script.
 
-It is recommended that you track Big Bang releases using the version.  However, you can use `tag` or `branch` in place of `semver` if needed.  The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference.  The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax.
+It is recommended that you track Big Bang releases using the version.  However, you can use `branch` in place of `tag` if needed.  The kustomize base uses [Go-Getter](https://github.com/hashicorp/go-getter)'s syntax for the reference.  The helm release (GitRepository) resource uses the [GitRepository CRD](https://toolkit.fluxcd.io/components/source/gitrepositories/#specification)'s syntax.
 
 When you are done testing, you can update the reference in `base` (and delete this setting in `dev`) to update Big Bang in all environments.
 
@@ -326,25 +350,36 @@ When you are done testing, you can update the reference in `base` (and delete th
 
 ### Update the domain
 
-Big Bang deploys applications to `*.bigbang.dev` by default.  You can override the `bigbang.dev` domain to your domain by updating `dev/configmap.yaml` and adding the following:
+Big Bang deploys applications to `*.bigbang.dev` by default.  You can override the `bigbang.dev` domain to your domain by updating `base/configmap.yaml` and adding the following:
 
 ```yaml
 hostname: insert-your-domain-here
 ```
 
-> NOTE: The `dev` template includes several overrides to minimize resource usage and increase polling time in a development environment.  They are provided for convenience and are NOT required.
-
-Commit your change:
+In addition, you will need to update the TLS certificates by updating `base/secrets.enc.yaml`.
 
 ```shell
-   git add configmap.yaml
-   git commit -m "feat(dev): updated domain name"
-   git push
+# Open and edit the encrypted file
+sops base/secrets.enc.yaml
 ```
 
+After saving the secrets.enc.yaml file, it will be automatically re-encrypted.
+
+``` shell
+# Push changes to Git
+git add base/configmap.yaml base/secrets.enc.yaml
+git commit -m "chore: updated domain and tls certificates"
+git push
+```
+
+> If you have different certificates for `dev` and `prod`, you can also put the values in `dev/secrets.enc.yaml` or `prod/secrets.enc.yaml` respectively.  The name of the secret must be `common-bb` if the secret is in the `base` folder or `environment-bb` if the secret is in the `dev` or `prod` folder.  The `environment-bb` values take precedence over the `common-bb` values.
+Make sure to add the file to `kustomization.yaml` as a resource if it is not already.
+
 ### Additional Big Bang values
 
-For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation.
+For additional configuration options, refer to the [Big Bang](https://repo1.dsop.io/platform-one/big-bang/bigbang) and [Big Bang Package](https://repo1.dsop.io/platform-one/big-bang/apps) documentation.  Big Bang values can be passed down in the `configmap.yaml` or `secrets.enc.yaml`.  See the Kubernetes documentation on [configmaps](https://kubernetes.io/docs/concepts/configuration/configmap/) and [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) for differences between the two.  Secrets should always be SOPS encrypted before committing to Git.
+
+> NOTE: The `dev` template includes several overrides in the `configmap.yaml` to minimize resource usage and increase polling time in a development environment.  They are provided for convenience and are NOT required.
 
 ### Additional resources
 

base/bigbang-dev-cert.yaml

 apiVersion: v1
 kind: Secret
 metadata:
-  name: wildcard-cert
-  namespace: istio-system
-type: kubernetes.io/tls
-data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZNekNDQkJ1Z0F3SUJBZ0lTQS9iZlFINVZneTNLVHUzUFh4aU5IZWQ4TUEwR0NTcUdTSWIzRFFFQkN3VUEKTURJeEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55ZVhCME1Rc3dDUVlEVlFRRApFd0pTTXpBZUZ3MHlNVEEwTVRZd01UQTFNVE5hRncweU1UQTNNVFV3TVRBMU1UTmFNQmd4RmpBVUJnTlZCQU1NCkRTb3VZbWxuWW1GdVp5NWtaWFl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRGwKN29JZWNESFJiOFhCakc0c0VXMXFzQmxJOTRvSWE1MEtUSFdPZXQ3bWhXODJCWCtzY1dWZ3FJM1BiSVZVSTE0NApJZ0tHUFNxM1NFa2lnUDB6TmdTbHhOalpaL1VhQjk5SFhsSzVrWjg3cHVEdm9PWU1CaXVyanEvUXpnd3lnaU45Ck55eXFkVXRXZGMvVjk0b3d4UzQ3SHNjbGhuT0VYc2NWT2pTUUkvUElHTTVHOFVYWnllVjB5dkdWdnJVWU5iTWYKejlNaGgzckQyaWh3NkxRVmdYNzEwSjdxM0lPaUMxQ0RDdDB3WHVyMXcxOExZcytSMVl1MDdBTTdSNUVvRUVGQgoyVFpoWWdEWjMrdjdsdnYvRUlOeVZjNUZmb2xJaHlWMVZHK2RaeGV2SEZpdVpRNWNOTHBpTHdlcDNRcmVLZU5rCjFpakJoQWVoUm5UTWE4ZkIrbWI5QWdNQkFBR2pnZ0piTUlJQ1Z6QU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWUQKVlIwbEJCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwTwpCQllFRkFxWXBTQy9hcTg2VkdnMFBqK0FKTDhKcTRvcE1COEdBMVVkSXdRWU1CYUFGQlF1c3hlM1dGYkxybEFKClFPWWZyNTJMRk1MR01GVUdDQ3NHQVFVRkJ3RUJCRWt3UnpBaEJnZ3JCZ0VGQlFjd0FZWVZhSFIwY0RvdkwzSXoKTG04dWJHVnVZM0l1YjNKbk1DSUdDQ3NHQVFVRkJ6QUNoaFpvZEhSd09pOHZjak11YVM1c1pXNWpjaTV2Y21jdgpNQ3NHQTFVZEVRUWtNQ0tDRFNvdVltbG5ZbUZ1Wnk1a1pYYUNFU291WkdWMkxtSnBaMkpoYm1jdVpHVjJNRXdHCkExVWRJQVJGTUVNd0NBWUdaNEVNQVFJQk1EY0dDeXNHQVFRQmd0OFRBUUVCTUNnd0pnWUlLd1lCQlFVSEFnRVcKR21oMGRIQTZMeTlqY0hNdWJHVjBjMlZ1WTNKNWNIUXViM0puTUlJQkJBWUtLd1lCQkFIV2VRSUVBZ1NCOVFTQgo4Z0R3QUhVQWIxTjJyREh3TVJuWW1RQ2tVUlgvZHhVY0Vka0N3UUFwQm8yeUNKbzMyUk1BQUFGNDJHelJYQUFBCkJBTUFSakJFQWlCQzlTSnpwQlVtTWZwVFRmbEthc1ZVTUNPVkVIL3lRSExlejlPaWpleUxFUUlnSjI5cXQrbXQKQ3doZHM1MnA4Rm44ZDREUTA1WDFZR2U4M3cvL25KRzc2aHdBZHdEMlhKUXYwWGN3SWhSVUdBZ3dsRmFPNDAwVApHVE8vM3d3dklBdk1UdkZrNHdBQUFYalliTkhQQUFBRUF3QklNRVlDSVFEQnRTbHYydTNTejNiVE9LUUF6c21TCit1NzlQanRwdlRuSGZwN1N3cUdUQUFJaEFPSkw3ZHI5cEp0OUpSS0JsNEU3VnU3OXhVN3hPdXgxTElVVkUra0EKZFIxcU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlFLNzZrWkp3YTF6TnYyazJoL3U1aXN2Y1FpREw4ZW9VZAppZElkWHk3eWRJYmh6WWw5VmgrekRHa1V3eHZJUDRqVmpENEZCQzRRcVFUanF1dHc4c0xXamJ6U1BKTFZmWUxWClRtd3RrYkN2aFRpRTNQQWRUK1Ntb09GSVVzZDJMRW1qRko2MjJEeVVhTkgwT3NkckhLQ2xDL0tJTzBOdmhUUXMKWm5OODllSDF3cmVJTDlEb2xYa28zUmdrR0IxTGJHOU1INC9kdnpUbktIb0JvNEVVRlhvSmNuU2lLN3JkSEVYSQp1N3dLRmp3OU9KbnFqQ0x4N1NHT0l5aExvNGM1VXRKWFU4dXhLbXhzTzYzV0daRytaQjM4dXp1UlphRUV0K3pzClNvbFN0ZUVFSEhYYmUvQmpZZnVmVzJCWGRKd3FpM2dhdzA0ais4UTRoY250SDJjTTI4VFcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRVpUQ0NBMDJnQXdJQkFnSVFRQUYxQklNVXBNZ2hqSVNwREJiTjN6QU5CZ2txaGtpRzl3MEJBUXNGQURBLwpNU1F3SWdZRFZRUUtFeHRFYVdkcGRHRnNJRk5wWjI1aGRIVnlaU0JVY25WemRDQkRieTR4RnpBVkJnTlZCQU1UCkRrUlRWQ0JTYjI5MElFTkJJRmd6TUI0WERUSXdNVEF3TnpFNU1qRTBNRm9YRFRJeE1Ea3lPVEU1TWpFME1Gb3cKTWpFTE1Ba0dBMVVFQmhNQ1ZWTXhGakFVQmdOVkJBb1REVXhsZENkeklFVnVZM0o1Y0hReEN6QUpCZ05WQkFNVApBbEl6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1d0lWS016Mm9KVFREeExzCmpWV1N3L2lDOFptbWVrS0lwMTBtcXJVcnVjVk1zYStPYS9sMXlLUFhEMGVVRkZVMVY0eWVxS0k1R2ZXQ1BFS3AKVG03MU84TXUyNDNBc0Z6eldUam43YzlwOEZvTEc3N0FsQ1FsaC9vM2NiTVQ1eHlzNFp2djIrUTdSVkpGbHFuQgpVODQweUZMdXRhN3RqOTVnY09LbFZLdTJiUTZYcFVBMGF5dlR2R2JyWmpSOCttdUxqMWNwbWZnd0YxMjZjbS83CmdjV3Qwb1pZUFJmSDV3bTc4U3YzaHR6QjJuRmQxRWJqekswbHdZaThZR2QxWnJQeEdQZWlYT1pUL3pxSXRrZWwKL3hNWTZwZ0pkeitkVS9uUEFlWDFwbkFYRks5anBQK1pzNU9kM0ZPbkJ2NUloUjJoYWE0bGRic1R6RklEOWUxUgpvWXZiRlFJREFRQUJvNElCYURDQ0FXUXdFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBREFPQmdOVkhROEJBZjhFCkJBTUNBWVl3U3dZSUt3WUJCUVVIQVFFRVB6QTlNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndPaTh2WVhCd2N5NXAKWkdWdWRISjFjM1F1WTI5dEwzSnZiM1J6TDJSemRISnZiM1JqWVhnekxuQTNZekFmQmdOVkhTTUVHREFXZ0JURQpwN0drZXl4eCt0dmhTNUIxLzhRVllJV0pFREJVQmdOVkhTQUVUVEJMTUFnR0JtZUJEQUVDQVRBL0Jnc3JCZ0VFCkFZTGZFd0VCQVRBd01DNEdDQ3NHQVFVRkJ3SUJGaUpvZEhSd09pOHZZM0J6TG5KdmIzUXRlREV1YkdWMGMyVnUKWTNKNWNIUXViM0puTUR3R0ExVWRId1ExTURNd01hQXZvQzJHSzJoMGRIQTZMeTlqY213dWFXUmxiblJ5ZFhOMApMbU52YlM5RVUxUlNUMDlVUTBGWU0wTlNUQzVqY213d0hRWURWUjBPQkJZRUZCUXVzeGUzV0ZiTHJsQUpRT1lmCnI1MkxGTUxHTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBMlV6Z3lmV0VpRGN4MjdzVDRyUDhpMnRpRW14WXQwbCtQQUszcUI4b1lldk80QzV6NzBrSAplaldFSHgydGFQRFkvbGFCTDIxL1dLWnVOVFlRSEhQRDViMXRYZ0hYYm5MN0txQzQwMWRrNVZ2Q2FkVFFzdmQ4ClM4TVhqb2h5Yzl6OS9HMjk0OGtMam1FNkZsaDlkRFlyVllBOXgyTytoRVBHT2FFT2ExZWVQeW5CZ1BheXZVZkwKcWpCc3R6TGhXVlFMR0FrWFhtTnMrNVpuUEJ4ekRKT0x4aEYySkliZVFBY0g1SDB0WnJVbG81Wll5T3FBN3M5cApPNWI4NW8zQU0vT0orQ2t0RkJRdGZ2QmhjSlZkOXd2bHdQc2srdXlPeTJISTdtTnhLS2dzQlR0Mzc1dGVBMlR3ClVkSGtoVk5jc0FLWDFIN0dOTkxPRUFEa3NkODZ3dW9Ydmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRGw3b0llY0RIUmI4WEIKakc0c0VXMXFzQmxJOTRvSWE1MEtUSFdPZXQ3bWhXODJCWCtzY1dWZ3FJM1BiSVZVSTE0NElnS0dQU3EzU0VraQpnUDB6TmdTbHhOalpaL1VhQjk5SFhsSzVrWjg3cHVEdm9PWU1CaXVyanEvUXpnd3lnaU45Tnl5cWRVdFdkYy9WCjk0b3d4UzQ3SHNjbGhuT0VYc2NWT2pTUUkvUElHTTVHOFVYWnllVjB5dkdWdnJVWU5iTWZ6OU1oaDNyRDJpaHcKNkxRVmdYNzEwSjdxM0lPaUMxQ0RDdDB3WHVyMXcxOExZcytSMVl1MDdBTTdSNUVvRUVGQjJUWmhZZ0RaMyt2NwpsdnYvRUlOeVZjNUZmb2xJaHlWMVZHK2RaeGV2SEZpdVpRNWNOTHBpTHdlcDNRcmVLZU5rMWlqQmhBZWhSblRNCmE4ZkIrbWI5QWdNQkFBRUNnZ0VBUzdLaUUvTkw4MitnNDMrZ0pkSDIrOURPQWorOHFka0Q4b2dKaThiWDYzeXkKaUU1M0lnYVRJYWRjU0pXcHIzR1ZhMVdIRHpyRC9XTkc4SjBXdnUxaHlsRnNNdWNPd21zbER4SDJtakZmQXZ5Rgp3VjV2WGpZSjJvazNTTDhOTlBPelMxNEd6bmVmUGUrN1pPNENDTnhoeEFUMSsxeXdXenY0dnZ4U29jRzBXSU55ClF3Ylk1M3ZsNy9meUp6bWtpRFV1cVJxdFZLUi9TQ3ZWRnlWL016YjlYd0xWVk96bWU3ek1iSzlFd2xSN1h4d0gKTnRqWlMydC9EYkZVaCtPOWxqMjhmdVY0cVZvODNqR1dFNjNQNGJFdk9YekZDNXp1K2twRW1RRVA1WDFVR3FxcApoMU5CUEcwb2VQMTdodjBqVnpjNzAzZGJuQnppZjU4U2M0REZyYVE5NFFLQmdRRDgxK0lxdVNwbVcxZXBKZE51CkFHQWFsdlBTMEpXV2pqQnJuK3NDMEpBKzdRV0dKckdBTjhGdFpyeC9FdTU4b3Z1RDNZcmE4NmlsV0FMV0pLUWoKdmFFZy94YnJaaXhiUW9hcDZNSTRYWUs2aHFFWTJPZzI4SzRNcVFYdHZRQjVOcmpuRGRZWTdjSUNTdEo4V01HcwpLVjBNS3pIR3NVYnZUQlJRR1hhRlhIRFNsd0tCZ1FEb3pXV0lIWitmTzBSZC9uRzhNK2tSWTNIbUlGTHl4WjdDCllaNXBnRW4rWDR4TmkzbGdoa0JNWEF4NTBCQithczE1OGxQcmRITFRwa2VZYmNXZzd4ZmNuMkM0VittS3VVRG8KYUFYOFRlcWJJeS9XYzY3SHhNMCt1alJrd05OSXFaSmhMckUzNFNHQkR6ajlqRHYrc0xBamdsQXpJYkszdnRMUgpuUDVEUlExSml3S0JnRmQ3RGpwLzlHYVR4Z0cxSDdFWW1pZTVBTVY0KzdpcW02QXhKV3ZFNDVPU0NHNUE1dnNZCnoyamR1ZXd4amFnNzc4L1JFQ0R2V3ZOU1B6RCtYbmdyUFJ1Z2hycU5rRjFHNkRiVFhKZUo2eGhFU21yQmFaN1EKcVRlaUozWDVCYmZxc2hEblhhTWthQkxJOW9pbFlPVURMcmx1SEh2RmpHaHhKem9MaFZGaENYd2pBb0dCQUxtTQo5QzdnUlpoNWVZMWRQek9kUUZlZXBtcWdPdHpMRERXcjdzSHlBWWZnaWdoSWNXNndzbERxVVB0S0RjdGt2dTlDCmFRYlM0cTYwNm4yZ2lKTXozaFgzWmZTb0JUbVBYQitnd1p5T1ViNWk5ajc4SjBPTUpYYW9uUmZzNUxvV2hkZzEKaWdTYXlNUi82SkdXRXo5MWZuNWU0Q05RNll3d2FRR3ZHcTF0UFNEdkFvR0JBTUg3eXpjTm9QbFRHRjd0SUh1Zgp4dkZHQ25uclMrVUZXbTZKYUZDYU5tS0NyMUZxUnFhMHNlUW1SbDBGcm53WEgzUTkvS3BlcEJsY01qeGhJMWFGClp0WE1qcVlxM0ZlNlY4UUF4MEh4YmJBbHl6ZU9uSzV4bUtmelYwWVhTSEg1R2p2Szk5ektUNnM4R3Uxanh1NEkKdmZrY3pyckJsS2JOcDV3eFBnamNBWmQ3Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  name: common-bb
+stringData:
+  # TLS key pair for *.bigbang.dev is used as an example for demo purposes
+  values.yaml: |-
+    istio:
+      ingress:
+        key: |-
+          -----BEGIN PRIVATE KEY-----
+          MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh
+          YyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13
+          gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp
+          iApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq
+          +BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba
+          8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH
+          1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb
+          qTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ
+          EpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE
+          S+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD
+          CIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z
+          XqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l
+          TkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B
+          is5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v
+          lpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm
+          DRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO
+          MwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7
+          edXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK
+          RagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl
+          M2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA
+          pZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO
+          IWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN
+          kXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8
+          Fz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin
+          73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0
+          dbfd2CfWKgXWqJNl2RCGWIoqDIU=
+          -----END PRIVATE KEY-----
+        cert: |-
+          -----BEGIN CERTIFICATE-----
+          MIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA
+          MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+          EwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM
+          DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1
+          ahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM
+          U7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR
+          /mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V
+          9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs
+          LLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz
+          D+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD
+          VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
+          BBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
+          QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
+          Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
+          MBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw
+          NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
+          cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL
+          IiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ
+          69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL
+          RilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6
+          XEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC
+          IHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA
+          A4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak
+          RWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx
+          yPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9
+          6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl
+          3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6
+          9xxT5njjSqfC0xOqknR0hhhn5Pbu
+          -----END CERTIFICATE-----
+          -----BEGIN CERTIFICATE-----
+          MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+          TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+          cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+          WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+          RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+          AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+          R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+          sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+          NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+          Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+          /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+          AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+          Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+          FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+          AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+          Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+          gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+          PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+          ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+          CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+          lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+          avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+          yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+          yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+          hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+          HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+          MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+          nLRbwHOoq7hHwg==
+          -----END CERTIFICATE-----
+          -----BEGIN CERTIFICATE-----
+          MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+          MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+          DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+          TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+          cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+          AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+          ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+          wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+          LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+          4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+          bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+          sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+          Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+          FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+          SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+          PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+          TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+          SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+          c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+          +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+          ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+          b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+          U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+          MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+          5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+          9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+          WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+          he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+          Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+          -----END CERTIFICATE-----
\ No newline at end of file

base/kustomization.yaml

 # When updating the version of BigBang, make sure to update
 #   both the bases reference and the GitRepository reference
 bases:
-- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.8.0
-resources:
-- bigbang-dev-cert.yaml
+- git::https://repo1.dso.mil/platform-one/big-bang/bigbang.git//base?ref=1.12.0
 configMapGenerator:
   - name: common
     behavior: merge
@@ -19,4 +17,4 @@ patchesStrategicMerge:
   spec:
     ref:
       $patch: replace
-      semver: "1.8.0"
\ No newline at end of file
+      tag: "1.12.0"
\ No newline at end of file

dev/configmap.yaml

@@ -6,7 +6,6 @@ flux:
     cleanupOnFail: false
 
 logging:
-  enabled: true
   values:
     elasticsearch:
       master:
@@ -16,7 +15,6 @@ logging:
         resources:
           requests:
             cpu: .5
-          limits: {}
       data:
         count: 1
         persistence:
@@ -24,32 +22,20 @@ logging:
         resources:
           requests:
             cpu: .5
-          limits: {}
 
 fluentbit:
   values:
     securityContext:
       privileged: true
 
-istio:
-  enabled: true
-  values:
-    kiali:
-      dashboard:
-        auth:
-          strategy: "anonymous"
-
 clusterAuditor:
-  enabled: true
   values:
     resources:
       requests:
         cpu: 100m
         memory: .5Gi
-      limits: {}
 
 monitoring:
-  enabled: true
   values:
     alertmanager:
       alertmanagerSpec:
@@ -57,48 +43,40 @@ monitoring:
           requests:
             cpu: 100m
             memory: 200Mi
-          limits: {}
     prometheusOperator:
       resources:
         requests:
           cpu: 250m
           memory: 400Mi
-        limits: {}
     prometheus:
       prometheusSpec:
         resources:
           requests:
             cpu: 100m
             memory: 200Mi
-          limits: {}
     grafana:
       resources:
         requests:
           cpu: 100m
           memory: 128Mi
-        limits: {}
     kubeStateMetrics:
       resources:
         requests:
           cpu: 10m
           memory: 32Mi
-        limits: {}
     nodeExporter:
       resources:
         requests:
           cpu: 100m
           memory: 30Mi
-        limits: {}
 
 gatekeeper:
-  enabled: true
   values:
     replicas: 1
     resources:
       requests:
         cpu: 100m
         memory: 256Mi
-      limits: {}
 
 twistlock:
   enabled: false

dev/kustomization.yaml

@@ -18,7 +18,7 @@ patchesStrategicMerge:
 # Use the following three lines to test a new version of Big Bang without affecting other environments
 #    ref:
 #      $patch: replace
-#      semver: "1.9.0"
+#      tag: "1.13.0"
 - |-
   apiVersion: helm.toolkit.fluxcd.io/v2beta1
   kind: HelmRelease

terraform/modules/elb/main.tf

@@ -5,112 +5,149 @@
 # - Security group created for other entities to use for ingress from the ELB
 # - Attaching a pool to the load balancer is done outside of this Terraform
 
-# Security group for load balancer
-resource "aws_security_group" "elb" {
-  name_prefix = "${var.name}-elb-"
-  description = "${var.name} Elastic Load Balancer"
-  vpc_id      = "${var.vpc_id}"
+resource "aws_lb" "public_nlb" {
+  name               = "${var.name}-public-nlb"
+  internal           = false
+  load_balancer_type = "network"
+  subnets            = var.subnet_ids
 
-  # Allow all HTTP traffic
-  ingress {
-    description = "HTTP Traffic"
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+  tags = merge({}, var.tags)
+}
+
+resource "aws_lb_target_group" "public_nlb_http" {
+  name     = "${var.name}-public-nlb-http"
+  port     = var.node_port_http
+  protocol = "TCP"
+  vpc_id   = var.vpc_id
+
+  health_check {
+    port           = var.node_port_health_checks
+    path           = "/healthz/ready"
   }
+  lifecycle {
+    create_before_destroy = true
+  }
+  tags = merge({}, var.tags)
+}
 
-  # Allow all HTTPS traffic
-  ingress {
-    description = "HTTPS Traffic"
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+resource "aws_lb_target_group" "public_nlb_https" {
+  name     = "${var.name}-public-nlb-https"
+  port     = var.node_port_https
+  protocol = "TCP"
+  vpc_id   = var.vpc_id
+
+  health_check {
+    port           = var.node_port_health_checks
+    path           = "/healthz/ready"
+  }
+  lifecycle {
+    create_before_destroy = true
   }
+  tags = merge({}, var.tags)
+}
+
+resource "aws_lb_target_group" "public_nlb_sni" {
+  name     = "${var.name}-public-nlb-sni"
+  port     = var.node_port_sni
+  protocol = "TCP"
+  vpc_id   = var.vpc_id
 
-  # Allow all egress
-  egress {
-    description = "All traffic out"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+  health_check {
+    port           = var.node_port_health_checks
+    path           = "/healthz/ready"
+  }
+  lifecycle {
+    create_before_destroy = true
   }
+  tags = merge({}, var.tags)
+}
 
-  tags = var.tags
+resource "aws_lb_listener" "public_nlb_http" {
+  load_balancer_arn = aws_lb.public_nlb.arn
+  port              = "80"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.public_nlb_http.arn
+  }
+}
+
+resource "aws_lb_listener" "public_nlb_https" {
+  load_balancer_arn = aws_lb.public_nlb.arn
+  port              = "443"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.public_nlb_https.arn
+  }
+}
+
+resource "aws_lb_listener" "public_nlb_sni" {
+  load_balancer_arn = aws_lb.public_nlb.arn
+  port              = "15443"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.public_nlb_sni.arn
+  }
+}
+
+# Retrieve the IP addresses of the nlb
+data "aws_network_interface" "public_nlb" {
+  for_each = toset(var.subnet_ids)
+
+  filter {
+    name   = "description"
+    values = ["ELB ${aws_lb.public_nlb.arn_suffix}"]
+  }
+
+  filter {
+    name   = "subnet-id"
+    values = [each.value]
+  }
 }
 
 # Security group for server pool to allow traffic from load balancer
-resource "aws_security_group" "elb_pool" {
-  name_prefix = "${var.name}-elb-pool-"
-  description = "${var.name} Traffic to Elastic Load Balancer server pool"
+resource "aws_security_group" "public_nlb_pool" {
+  name_prefix = "${var.name}-public-nlb-to-pool-"
+  description = "${var.name} Traffic from public Network Load Balancer to server pool"
   vpc_id      = "${var.vpc_id}"
 
   # Allow all traffic from load balancer
   ingress {
-    description       = "Allow Load Balancer Traffic"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "-1"
-    security_groups = [aws_security_group.elb.id]
+    description       = "Allow public Network Load Balancer traffic to health check"
+    from_port         = var.node_port_health_checks
+    to_port           = var.node_port_health_checks
+    protocol          = "tcp"
+    cidr_blocks       = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.private_ip])
   }
 
-  tags = var.tags
-}
+  ingress {
+    description       = "Allow internet traffic to HTTP node port"
+    from_port         = var.node_port_http
+    to_port           = var.node_port_http
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+  }
 
-# Create Elastic Load Balancer
-module "elb" {
-  source          = "terraform-aws-modules/elb/aws"
-  version         = "~> 3.0"
-  name = "${var.name}-elb"
-  subnets         = var.subnet_ids
-  security_groups = [aws_security_group.elb.id]
-  internal        = false
-
-  # Port: Description
-  # 80: HTTP for applications
-  # 443: HTTPS for applications
-  # 15021: Istio Health Checks
-  # 15443: Istio SNI Routing in multi-cluster environment
-  listener = [
-    {
-      instance_port     = var.node_port_http
-      instance_protocol = "TCP"
-      lb_port           = 80
-      lb_protocol       = "tcp"
-    },
-    {
-      instance_port     = var.node_port_https
-      instance_protocol = "TCP"
-      lb_port           = 443
-      lb_protocol       = "tcp"
-    },
-    {
-      instance_port     = var.node_port_health_checks
-      instance_protocol = "TCP"
-      lb_port           = 15021
-      lb_protocol       = "tcp"
-    },
-    {
-      instance_port     = var.node_port_sni
-      instance_protocol = "TCP"
-      lb_port           = 15443
-      lb_protocol       = "tcp"
-    },
-  ]
-
-  health_check = {
-    target              = "TCP:${var.node_port_health_checks}"
-    interval            = 10
-    healthy_threshold   = 2
-    unhealthy_threshold = 6
-    timeout             = 5
+  ingress {
+    description       = "Allow internet traffic to HTTPS node port"
+    from_port         = var.node_port_https
+    to_port           = var.node_port_https
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
   }
 
-  access_logs = {}
+  ingress {
+    description       = "Allow internet traffic to SNI node port"
+    from_port         = var.node_port_sni
+    to_port           = var.node_port_sni
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+  }
 
-  tags = merge({
-    "kubernetes.io/cluster/${var.name}" = "shared"
-  }, var.tags)
+  tags = var.tags
 }
\ No newline at end of file

terraform/modules/elb/outputs.tf

-output "elb_id" {
-  description = "The Elastic Load Balancer (ELB) ID"
-  value = module.elb.elb_id
+output "pool_sg_id" {
+  description = "The ID of the security group used as an inbound rule for load balancer's back-end server pool"
+  value = aws_security_group.public_nlb_pool.id
 }
 
-output "pool_sg_id" {
-  description = "The ID of the security group used as an inbound rule for load balancer's back-end application instances"
-  value = aws_security_group.elb_pool.id
+output "elb_target_group_arns" {
+  description = "The load balancer target group ARNs"
+  value = [aws_lb_target_group.public_nlb_http.arn, aws_lb_target_group.public_nlb_https.arn, aws_lb_target_group.public_nlb_sni.arn]
 }
\ No newline at end of file

terraform/modules/elb/variables.tf

@@ -14,28 +14,27 @@ variable "subnet_ids" {
   type = list(string)
 }
 
+variable "node_port_health_checks" {
+  description = "The node port to use for Istio health check traffic"
+  type = string
+  default = "30000"
+}
 variable "node_port_http" {
   description = "The node port to use for HTTP traffic"
   type = string
-  default = "30080"
+  default = "30001"
 }
 
 variable "node_port_https" {
   description = "The node port to use for HTTPS traffic"
   type = string
-  default = "30443"
-}
-
-variable "node_port_health_checks" {
-  description = "The node port to use for Istio health check traffic"
-  type = string
-  default = "32021"
+  default = "30002"
 }
 
 variable "node_port_sni" {
   description = "The node port to use for Istio SNI traffic"
   type = string
-  default = "32443"
+  default = "30003"
 }
 
 variable "tags" {

terraform/modules/k8s/variables.tf

-variable "kubeconfig_path" {
-  description = "Remote path to kubeconfig"
-  type = string
-}
\ No newline at end of file

terraform/modules/pool/main.tf

 # Connects an Elastic Load Balancer to a pool of servers
+# NOTE: RKE2 already sets the lifecycle of the auto scale group to ignore changes in load balancers and target groups
+# See https://repo1.dso.mil/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform/-/blob/master/modules/nodepool/main.tf#L113
 
 resource "aws_autoscaling_attachment" "pool" {
-  elb                    = var.elb_id
+  for_each = toset(var.elb_target_group_arns)
   autoscaling_group_name = var.pool_asg_id
-}
+  alb_target_group_arn = each.value
+}
\ No newline at end of file

terraform/modules/pool/variables.tf

-variable "elb_id" {
-  description = "The load balancer ID to attach the pool"
-  type = string
+variable "name" {
+  description = "The name to apply to resources"
+  type    = string
+  default = "bigbang-dev"
+}
+
+variable "elb_target_group_arns" {
+  description = "The load balancer's target group ARNs to attach to the autoscale group"
+  type = list(string)
 }
 
 variable "pool_asg_id" {
-  description = "The autoscale group IDs that make up the pool to attach to the load balancer"
+  description = "The pool's autoscale group ID"
   type = string
 }
\ No newline at end of file

terraform/modules/k8s/main.tf → terraform/modules/s3/main.tf

-# After the cluster is setup, this script will retrieve the Kubeconfig
-# file from S3 storage and merge in the local ~/.kube/config
+# After the cluster is setup, these scripts will ...
+# - Retrieve the Kuberntes config file from S3 and merge it with the local ~/.kube/config
+# - Upload the SSH private key to S3
 
 # Retrieves kubeconfig
 resource "null_resource" "kubeconfig" {
@@ -15,9 +16,14 @@ resource "null_resource" "kubeconfig" {
       # Merge new config into existing
       export KUBECONFIGBAK=$KUBECONFIG
       export KUBECONFIG=~/.kube/new:~/.kube/config
+      # Replace default with cluster name
+      sed -ri "s/: default$/: ${var.name}/g" ~/.kube/new
+      # Update user only with more info
+      sed -ri "s/(user|- name): ${var.name}$/\1: clusterUser_${var.name}/g" ~/.kube/new
       # Do not redirect to ~/.kube/config or you may truncate the results
       kubectl config view --flatten > ~/.kube/merged
       mv -f ~/.kube/merged ~/.kube/config
+      chmod 0600 ~/.kube/config
 
       # Cleanup
       rm -f ~/.kube/new
@@ -25,4 +31,13 @@ resource "null_resource" "kubeconfig" {
       unset KUBECONFIGBAK
     EOF
   }
-}
\ No newline at end of file
+}
+
+# Upload SSH private key
+resource "aws_s3_bucket_object" "sshkey" {
+  key                    = "ssh-private-key.pem"
+  # Get bucket name in middle of s3://<bucket name>/rke2.yaml
+  bucket                 = replace(replace(var.kubeconfig_path, "/\\/[^/]*$/", ""), "/^[^/]*\\/\\//", "")
+  source                 = pathexpand("${var.private_key_path}/${var.name}.pem")
+  server_side_encryption = "aws:kms"
+}

terraform/modules/s3/variables.tf

+variable "name" {
+  description = "The name of the SSH key"
+  type    = string
+  default = "bigbang-dev"
+}
+
+variable "kubeconfig_path" {
+  description = "Remote path to kubeconfig"
+  type = string
+}
+
+variable "private_key_path" {
+  description = "Local path to SSH private key"
+  type = string
+  default = "~/.ssh"
+}
\ No newline at end of file

terraform/terragrunt.hcl

@@ -21,13 +21,13 @@ remote_state {
 
   generate = {
     path      = "backend.tf"
-    if_exists = "overwrite_terragrunt"
+    if_exists = "overwrite"
   }
 
   config = {
     encrypt = true
     key     = format("%s/terraform.tfstate", path_relative_to_include())
-    bucket  = "p1-bigbang-live-tf-states-${local.env.region}"
+    bucket  = "${local.env.name}-terraform-state"
     region  = local.env.region
   }
 }
\ No newline at end of file

terraform/us-gov-west-1/prod/agent/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 }
 
 terraform {
-  source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.8"
+  source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//modules/agent-nodepool?ref=v1.1.9"
 }
 
 include {
@@ -80,5 +80,4 @@ inputs = {
   pre_userdata = local.env.cluster.init_script
 
   tags = merge(local.env.region_tags, local.env.tags, {})
-}
-
+}
\ No newline at end of file

terraform/us-gov-west-1/prod/main/terragrunt.hcl

 # This file performs post-cluster actions, like downloading the kubeconfig
+locals {
+  env = merge(
+    yamldecode(file(find_in_parent_folders("region.yaml"))),
+    yamldecode(file(find_in_parent_folders("env.yaml")))
+  )
+}
 
 terraform {
-  source = "${path_relative_from_include()}//modules/k8s"
+  source = "${path_relative_from_include()}//modules/s3"
 }
 
 include {
@@ -16,5 +22,6 @@ dependency "server" {
 }
 
 inputs = {
+  name = local.env.name
   kubeconfig_path = dependency.server.outputs.kubeconfig_path
 }
\ No newline at end of file

terraform/us-gov-west-1/prod/pool/terragrunt.hcl

@@ -16,7 +16,7 @@ include {
 dependency "elb" {
   config_path = "../elb"
   mock_outputs = {
-    elb_id = "mock_elb_id"
+    elb_target_group_arns = ["mock_elb_id"]
   }
 }
 
@@ -28,7 +28,7 @@ dependency "agent" {
 }
 
 inputs = {
-  elb_id = dependency.elb.outputs.elb_id
+  elb_target_group_arns = dependency.elb.outputs.elb_target_group_arns
   pool_asg_id = dependency.agent.outputs.nodepool_id
   tags = merge(local.env.region_tags, local.env.tags, {})
 }
\ No newline at end of file

terraform/us-gov-west-1/prod/server/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 }
 
 terraform {
-  source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//?ref=v1.1.8"
+  source = "git::https://repo1.dsop.io/platform-one/distros/rancher-federal/rke2/rke2-aws-terraform.git//?ref=v1.1.9"
 }
 
 include {