README.md

@@ -65,7 +65,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
 | istio.git.path | string | `"./chart"` |  |
 | istio.git.tag | string | `"1.8.4-bb.2"` |  |
 | istio.flux | object | `{}` | Flux reconciliation overrides specifically for the Istio Package |
-| istio.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the default certificate for exposing BigBang created applications. If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`. |
+| istio.ingress | object | `{"cert":"","key":""}` | Certificate/Key pair to use as the default certificate for exposing BigBang created applications. If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `public-cert`. |
 | istio.values | object | `{}` | Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git |
 | istio.postRenderers | list | `[]` | Post Renderers.  See docs/postrenders.md |
 | istiooperator.enabled | bool | `true` | Toggle deployment of Istio Operator. |

chart/templates/NOTES.txt

@@ -149,13 +149,4 @@ PLATFORM ONE MATTERMOST WARNING:
   You have enabled enterprise Mattermost in the values configuration, but not provided a license.
   Make sure to go back and edit your values or ensure you add the license through the mattermost settings page.
 {{- end }}
-{{- end }}
-
-{{ if $.Values.addons.keycloak.enabled }}
-PLATFORM ONE KEYCLOAK WARNING:
-  You have enabled keycloak in the values configuration.
-  Core packages are automatically moved to an `admin` subdomain (e.g. prometheus.admin.bigbang.dev).
-  Addons are not accessible and not supported in the same cluster as Keycloak.
-  Keycloak is still in a BETA status.  This means we don't fully recommend it for production workloads quite yet, but will be rolling out support in the near future to move it to STABLE.
-  Specifically, the way that multiple ingressgateways are created and specified within BigBang will make the automatic `admin` creation of core packages obsolete, and will also allow Keycloak to better function alongside other addons.
-{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/anchore/values.yaml

@@ -7,12 +7,22 @@ hostname: {{ .Values.hostname }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  ui:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.anchore.ingress.gateway }}
+  api:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.anchore.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.anchore.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 {{- if and .Values.addons.anchore.enterprise.enabled .Values.addons.anchore.enterprise.licenseYaml }}
 enterpriseLicenseYaml: |

chart/templates/argocd/values.yaml

@@ -26,6 +26,9 @@ redis-bb:
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  argocd:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.argocd.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
@@ -33,6 +36,10 @@ monitoring:
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.argocd.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 {{- if .Values.addons.argocd.sso.enabled }}
 sso:

chart/templates/authservice/values.yaml

@@ -8,6 +8,10 @@ imagePullSecrets:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.haproxy.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 global:
   oidc:

chart/templates/gitlab/values.yaml

@@ -7,14 +7,24 @@ hostname: {{ .Values.hostname }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  gitlab:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.gitlab.ingress.gateway }}
+  registry:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.gitlab.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.gitlab.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
-  
+
 {{- if .Values.addons.gitlab.database.host }}
 postgresql:
   install: false

chart/templates/haproxy/values.yaml

@@ -5,6 +5,9 @@
 {{- define "bigbang.defaults.haproxy-sso" -}}
 hostname: {{ .Values.hostname }}
 
+istio:
+  gateway: {{ default "public" .Values.addons.haproxy.ingress.gateway }}
+
 podLabels:
   protect: keycloak
 config: |

chart/templates/istio/controlplane/secret-tls.yaml

-{{- if and .Values.istio.enabled  (and .Values.istio.ingress.key .Values.istio.ingress.cert ) }}
+{{- if and .Values.istio.enabled }}
+
+{{/*
+For backwards compatibility, get key/cert from .Values.istio.ingress
+*/}}
+{{- $default := .Values.istio.ingress | default dict -}}
+
+{{- range $name, $values := .Values.istio.gateways }}
+{{- if or (and $values.tls.cert $values.tls.key) (and $default.cert $default.key) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: wildcard-cert
+  name: {{ printf "%s-cert" $name }}
   namespace: istio-system
   labels:
     app.kubernetes.io/name: istio-controlplane
     app.kubernetes.io/component: "core"
-    {{- include "commonLabels" . | nindent 4}}
+    {{- include "commonLabels" $ | nindent 4}}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Values.istio.ingress.cert | b64enc }}
-  tls.key: {{ .Values.istio.ingress.key | b64enc}}
+  tls.crt: {{ default $default.cert $values.tls.cert | b64enc }}
+  tls.key: {{ default $default.key $values.tls.key | b64enc }}
+---
+{{- end }}
+{{- end }}
+
 {{- end }}
\ No newline at end of file

chart/templates/istio/controlplane/values.yaml

@@ -15,20 +15,62 @@ openshift: {{ .Values.openshift }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 
-{{- if .Values.addons.keycloak.enabled }}
-extraServers:
-- port:
-    name: https-keycloak
-    protocol: TLS
-    number: 8443
-  hosts:
-    - keycloak.{{ .Values.hostname }}
-  tls:
-    mode: PASSTHROUGH
-
-gateway:
-  hosts:
-    - "*.admin.{{ .Values.hostname }}"
+{{- if .Values.istio.ingressGateways }}
+ingressGateways:
+  istio-ingressgateway:
+    enabled: false
 {{- end }}
-{{- end -}}
+
+{{- range $name, $values := .Values.istio.ingressGateways }}
+  {{ $name | nindent 2 }}:
+    {{- toYaml (merge (dict "k8s" $values.kubernetesResourceSpec) (fromYaml (include "istio.ingressgateway.k8s" $values))) | nindent 4 }}
+{{- end }}
+
+{{- if .Values.istio.gateways }}
+gateways:
+  main: null
+{{- end }}
+{{- range $name, $values := .Values.istio.gateways }}
+  {{ $name | nindent 2 }}:
+    selector:
+      app: {{ $values.ingressGateway }}
+    servers:
+    - hosts:
+      {{ tpl ($values.hosts | default (list) | toYaml) $ | nindent 8 }}
+      port:
+        name: https
+        number: 8443
+        protocol: HTTPS
+      tls:
+        credentialName: {{ $name }}-cert
+        mode: {{ default "SIMPLE" $values.tls.mode }}
+{{- end }}
+{{- end }}
+
+{{- define "istio.ingressgateway.k8s" -}}
+k8s:
+  service:
+    type: {{ .type }}
+    {{- if .nodePortBase }}
+    ports: # Pulled from Istio gateway defaults (https://github.com/istio/istio/blob/master/manifests/charts/gateways/istio-ingress/values.yaml)
+    # Ports default to "protocol: TCP" and "targetPort = port"
+    # AWS ELB will by default perform health checks on the first port on this list. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      name: status-port
+      nodePort: {{ add .nodePortBase 0 }}
+    - port: 80
+      targetPort: 8080
+      name: http2
+      nodePort: {{ add .nodePortBase 1 }}
+    - port: 443
+      targetPort: 8443
+      name: https
+      nodePort: {{ add .nodePortBase 2 }}
+    # SNI Routing port
+    - port: 15443
+      name: tls
+      nodePort: {{ add .nodePortBase 3 }}
+    {{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/jaeger/values.yaml

@@ -9,8 +9,9 @@ hostname: {{ .Values.hostname }}
 istio:
   enabled: {{ .Values.istio.enabled }}
   jaeger:
-    hosts:
-    - tracing{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.jaeger.ingress.gateway }}
+
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:
@@ -25,5 +26,9 @@ jaeger:
         protect: keycloak
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
-  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}        
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.jaeger.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 {{- end -}}
\ No newline at end of file

chart/templates/keycloak/values.yaml

@@ -14,11 +14,16 @@ istio:
   enabled: {{ .Values.istio.enabled }}
   keycloak:
     enabled: true
-    hosts:
-      - keycloak.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.keycloak.ingress.gateway }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  ingressLabels:
+    {{- $gateway := default "passthrough" .Values.addons.keycloak.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}

chart/templates/kiali/values.yaml

@@ -7,8 +7,9 @@ hostname: {{ .Values.hostname }}
 istio:
   enabled: {{ .Values.istio.enabled }}
   kiali:
-    hosts:
-      - kiali{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.kiali.ingress.gateway }}
+
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:
@@ -38,4 +39,8 @@ cr:
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.kiali.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 {{- end -}}

chart/templates/logging/elasticsearch-kibana/values.yaml

@@ -7,11 +7,15 @@ hostname: {{ .Values.hostname }}
 istio:
   enabled: {{ .Values.istio.enabled }}
   kibana:
-    hosts:
-      - kibana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.logging.ingress.gateway }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.logging.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 {{- with .Values.logging.sso }}
 {{- if .enabled }}

chart/templates/mattermost/mattermost/values.yaml

@@ -7,6 +7,9 @@ hostname: {{ .Values.hostname }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  chat:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.mattermost.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
@@ -23,6 +26,10 @@ sso:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.mattermost.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 global:
   imagePullSecrets:

chart/templates/minio/minio/values.yaml

@@ -7,6 +7,9 @@ hostname: {{ .Values.hostname }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  virtualService:  # this key is non-standard and needs to be fixed in the package
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.minio.ingress.gateway }}
 
 minioRootCreds: minio-root-creds-secret
 
@@ -15,6 +18,10 @@ monitoring:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.minio.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 podAnnotations:
   sidecar.istio.io/inject: "true"

chart/templates/monitoring/values.yaml

@@ -10,6 +10,10 @@ flux:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.monitoring.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
@@ -20,8 +24,8 @@ istio:
     port: 8080
     namespace: authservice
     {{- end }}
-    hosts:
-    - prometheus{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
   alertmanager:
     enabled: true
     {{- if .Values.monitoring.sso.enabled }}
@@ -29,12 +33,12 @@ istio:
     port: 8080
     namespace: authservice
     {{- end }}
-    hosts:
-    - alertmanager{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
   grafana:
     enabled: true
-    hosts:
-    - grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.monitoring.ingress.gateway }}
 
 anchore:
   enabled: {{ .Values.addons.anchore.enabled }}
@@ -54,7 +58,7 @@ grafana:
   grafana.ini:
     {{- if .Values.istio.enabled }}
     server:
-      root_url: https://grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}/
+      root_url: https://grafana.{{ .Values.hostname }}/
     {{- end }}
 
     auth:

chart/templates/nexus-repository-manager/values.yaml

@@ -7,12 +7,19 @@ domain: {{ .Values.hostname }}
 hostname: nexus
 istio:
   enabled: {{ .Values.istio.enabled }}
+  nexus:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.nexus.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.nexus.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 nexus:
   imagePullSecrets:

chart/templates/sonarqube/values.yaml

@@ -7,12 +7,19 @@ hostname: {{ .Values.hostname }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
+  sonarqube:
+    gateways:
+    - istio-system/{{ default "public" .Values.addons.sonarqube.ingress.gateway }}
 
 monitoring:
   enabled: {{ .Values.monitoring.enabled }}
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.addons.sonarqube.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 image:
   pullSecret: private-registry

chart/templates/twistlock/values.yaml

@@ -14,10 +14,15 @@ imagePullSecrets:
 
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
+  ingressLabels:
+    {{- $gateway := default "public" .Values.twistlock.ingress.gateway }}
+    {{- $default := dict "app" (dig "gateways" $gateway "ingressGateway" nil .Values.istio) "istio" nil }}
+    {{- toYaml (dig "values" "gateways" $gateway "selector" $default .Values.istio) | nindent 4 }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
   console:
-    hosts:
-      - twistlock{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
+    gateways:
+    - istio-system/{{ default "public" .Values.twistlock.ingress.gateway }}
+
 {{- end -}}

chart/values.yaml

@@ -110,17 +110,57 @@ istio:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
     path: "./chart"
-    tag: "1.8.4-bb.3"
+    #tag: "1.8.4-bb.3"
+    branch: "25-multiingress-poc"
+
+  # Ingress gateways are created based on the key name.  Adding more keys will add ingress gateways.
+  # Ingress gateways are setup in a Horizontal Pod Autoscaler with 1 to 5 replicas
+  # Besides some ports needed by Istio, only ports 80 and 443 are opened
+  # Ingress gateways that require more configuration can be completed using `istio.values`
+  ingressGateways:
+    public-ingressgateway:
+      type: "LoadBalancer" # or "NodePort"
+      kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+
+    # private-ingressgateway:
+    #   type: "LoadBalancer" # or "NodePort"
+    #   kubernetesResourceSpec: # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+    #     serviceAnnotations: # Example for AWS internal load balancer
+    #       service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    #       service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+
+    # passthrough-ingressgateway:
+    #   type: "NodePort" # or "LoadBalancer"
+    #   # Node ports are assigned starting from nodePortBase.  The nodePortBase specifies the start of a range of 4 unused node ports.
+    #   # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3
+    #   # Node port base should be in the range from 30000 to 32764
+    #   nodePortBase: 32000  # Alternatively, the kubernetesResourceSpec can be used to configure all port parameters
+
+  gateways:
+    public:
+      ingressGateway: "public-ingressgateway"
+      hosts:
+      - "*.{{ .Values.hostname }}"
+      tls:
+        key: ""
+        cert: ""
+    # private:
+    #   ingressGateway: "private-ingressgateway"
+    #   hosts:
+    #   - "*.{{ .Values.hostname }}"
+    #   tls:
+    #     key: ""
+    #     cert: ""
+    # passthrough:
+    #   ingressGateway: "passthrough-ingressgateway"
+    #   hosts:
+    #   - "*.{{ .Values.hostname }}"
+    #   tls:
+    #     mode: "PASSTHROUGH"
 
   # -- Flux reconciliation overrides specifically for the Istio Package
   flux: {}
 
-  # -- Certificate/Key pair to use as the default certificate for exposing BigBang created applications.
-  # If nothing is provided, applications will expect a valid tls secret to exist in the `istio-system` namespace called `wildcard-cert`.
-  ingress:
-    key: ""
-    cert: ""
-
   # -- Values to passthrough to the istio-controlplane chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-controlplane.git
   values: {}
 
@@ -133,7 +173,7 @@ istiooperator:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
     path: "./chart"
-    tag: "1.8.4-bb.2"
+    tag: "1.8.4-bb.6"
 
   # -- Flux reconciliation overrides specifically for the Istio Operator Package
   flux: {}
@@ -155,6 +195,10 @@ jaeger:
   # -- Flux reconciliation overrides specifically for the Jaeger Package
   flux: {}
 
+  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""
+
   sso:
     # -- Toggle SSO for Jaeger on and off
     enabled: false
@@ -182,6 +226,10 @@ kiali:
   # -- Flux reconciliation overrides specifically for the Kiali Package
   flux: {}
 
+  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""
+
   sso:
     # -- Toggle SSO for Kiali on and off
     enabled: false
@@ -257,6 +305,10 @@ logging:
   flux:
     timeout: 20m
 
+  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""
+
   sso:
     # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
     # Enabling this option will auto-create any required secrets.
@@ -327,6 +379,10 @@ monitoring:
   # -- Flux reconciliation overrides specifically for the Monitoring Package
   flux: {}
 
+  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""
+
   sso:
     # -- Toggle SSO for monitoring components on and off
     enabled: false
@@ -380,6 +436,10 @@ twistlock:
   # -- Flux reconciliation overrides specifically for the Twistlock Package
   flux: {}
 
+  # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""
+
   # -- Values to passthrough to the twistlock chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
   values: {}
 
@@ -401,6 +461,10 @@ addons:
     # -- Flux reconciliation overrides specifically for the ArgoCD Package
     flux: {}
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     sso:
       # -- Toggle SSO for ArgoCD on and off
       enabled: false
@@ -481,6 +545,10 @@ addons:
     # -- Flux reconciliation overrides specifically for the Minio Package
     flux: {}
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     # -- Default access key to use for minio.
     accesskey: ""
 
@@ -509,6 +577,10 @@ addons:
     # -- Flux reconciliation overrides specifically for the Gitlab Package
     flux: {}
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     sso:
       # -- Toggle OIDC SSO for Gitlab on and off.
       # Enabling this option will auto-create any required secrets.
@@ -597,6 +669,10 @@ addons:
     # -- Base64 encoded license file.
     license_key: ""
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     sso:
       # -- Toggle SAML SSO for NXRM.
       # -- handles SAML SSO, a Client must be configured in Keycloak or IdP
@@ -649,6 +725,10 @@ addons:
     # -- Flux reconciliation overrides specifically for the Sonarqube Package
     flux: {}
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     sso:
       # -- Toggle SAML SSO for SonarQube.
       # Enabling this option will auto-create any required secrets.
@@ -709,6 +789,10 @@ addons:
     # -- Flux reconciliation overrides specifically for the HAProxy Package
     flux: {}
 
+        # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     # -- Values to passthrough to the haproxy chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git
     values: {}
 
@@ -741,6 +825,10 @@ addons:
       licenseYaml: |
         FULL LICENSE
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     sso:
       # -- Toggle OIDC SSO for Anchore on and off.
       # Enabling this option will auto-create any required secrets (Note: SSO requires an Enterprise license).
@@ -835,6 +923,10 @@ addons:
       # license: "eyJpZCI6InIxM205bjR3eTdkYjludG95Z3RiOD---REST---IS---HIDDEN
       license: ""
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      gateway: ""
+
     sso:
       # -- Toggle OIDC SSO for Mattermost on and off.
       # Enabling this option will auto-create any required secrets.
@@ -937,18 +1029,14 @@ addons:
   #
   keycloak:
     # -- Toggle deployment of Keycloak.
+    # if you enable Keycloak you should uncomment the istio passthrough configurations above
+      # istio.ingressGateways.passthrough-ingressgateway and istio.gateways.passthrough
     enabled: false
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
       path: "./chart"
       tag: "11.0.1-bb.0"
 
-    # -- Certificate/Key pair to use as the certificate for exposing Keycloak
-    # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
-    ingress:
-      key: ""
-      cert: ""
-
     database:
       # -- Hostname of a pre-existing database to use for Keycloak.
       # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
@@ -972,5 +1060,14 @@ addons:
     # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
     flux: {}
 
+    # Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+    ingress:
+      # the istio gateway for keycloak must have tls.mode: PASSTHROUGH
+      gateway: "passthrough"
+      # -- Certificate/Key pair to use as the certificate for exposing Keycloak
+      # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
+      key: ""
+      cert: ""
+
     # -- Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
     values: {}