.gitlab-ci.yml

@@ -94,10 +94,22 @@ pre vars:
     - tests/**/*
 
 .deploy_bigbang: &deploy_bigbang
-  - find ./scripts/deploy -type f -name '*.sh' | sort | xargs -r -I {} sh -c 'echo {} && sh {}'
+  - |
+    set -e
+    for deploy_script in $(find ./scripts/deploy -type f -name '*.sh' | sort); do
+      chmod +x ${deploy_script}
+      echo "Executing ${deploy_script}..."
+      ./${deploy_script}
+    done
 
 .test_bigbang: &test_bigbang
-  - find ./tests -type f -name '*.sh' | sort | xargs -r -I {} sh -c 'echo {} && sh {}'
+  - |
+    set -e
+    for test_script in $(find ./tests -type f -name '*.sh' | sort); do
+      chmod +x ${test_script}
+      echo "Executing ${test_script}..."
+      ./${test_script}
+    done
 
 clean install:
   stage: smoke tests
@@ -336,7 +348,11 @@ package:
   before_script:
     # Set up auth
     - mkdir -p /root/.docker
-    - echo $DOCKER_AUTH_CONFIG > /root/.docker/config.json
+    - |
+      jq -n '{"auths": {"registry.dso.mil": {"auth": $bb_registry_auth}, "registry1.dso.mil": {"auth": $registry1_auth}, "registry.il2.dso.mil": {"auth": $il2_registry_auth} } }' \
+        --arg bb_registry_auth ${BB_REGISTRY_AUTH} \
+        --arg registry1_auth ${REGISTRY1_AUTH} \
+        --arg il2_registry_auth ${IL2_REGISTRY_AUTH} > /root/.docker/config.json
   script:
     - cp ./scripts/package/synker.yaml ./synker.yaml
     # Populate images list in synker config

.gitlab-ci/jobs/networking/aws/dependencies/terraform/main/main.tf

@@ -39,6 +39,7 @@ locals {
 #
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
+  version = "2.78.0"
 
   name = local.name
   cidr = var.vpc_cidr

CHANGELOG.md

@@ -3,6 +3,81 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [1.8.1]
+
+* [!594](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/594): Fixed bug where gitlab PostRenders are passed to GitlabRunners
+
+## [1.8.0]
+
+* [!447](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/447): Sonarqube upgrade app version 8.7.1 chart version 9.2.6-bb.8
+* [!406](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/406): Authservice Support For Non Keycloak OIDC Endpoints
+* [!459](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/459): Gitlab update to fix monitoring
+* [!463](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/463),[!480](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/480): update codeowners
+* [!462](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/462): Document GitLab package architecture in charter
+* [!453](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/453): Set Global Timeout for Flux & Allow for HelmRelease Flux Settings to be Populated via Values File
+* [!466](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/466): Updating name for kiali oidc secret secret
+* [!465](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/465): Mattermost update app version 5.34.2 chart version 0.1.5-bb.0
+* [!467](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/467): update changelog for release 1.7.0
+* [!468](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/468): Modify continuous integration (CI) pipeline script execution
+* [!474](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/474): Update twistlock app version 21.04.412 chart version 0.0.4-bb.0
+* [!464](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/464): Documentation updates
+* [!475](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/475): Anchore upgrade app version 0.9.3 chart version 1.12.13-bb.0
+* [!430](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/430): Charter update for istio architecture
+* [!451](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/451),[!481](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/481),[!482](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/482): Breakout secrets into individual files in Package templates
+* [!417](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/417): update Kibana
+* [!350](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/350): Authservice Redirect URLs dont respect virtual service name overrides
+* [!485](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/485): ArgoCD upgrade app version 1.8.4 chart version 2.14.7-bb.5
+* [!476](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/476): Charter documentation updates
+* [!134](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/134),[!489](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/489): BETA release of Keycloak app version 13.0.0 helm chart version 11.0.0
+* [!342](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/342): Upgrade elasticsearch-kibana package app version 7.10.x chart version 0.1.11-bb.0
+* [!457](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/457): Add labels to authservice namespace in compliance with charter
+
+### Upgrade Notices
+* Release 1.8.0 upgrades Elasticsearch and Kibana to 7.10 versions and if the [autoRollingUpgrade](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/#autorollingupgrade) job does not complete successfully or is interfered with it could cause ECK data loss. Please leave autoRollingUpgrade enabled and read [documentation](https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/blob/main/docs/troubleshooting.md) to prepare for upgrade issues.
+
+
+### Known Issues
+* If the following error is seen on any helm releases ```scheme "" not supported``` try updating flux to latest ib images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
+```bash
+kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=<Your IronBank Username> --docker-password=<Your IronBank Personal Access Token> --docker-email=<Your E-mail Address> -n flux-system
+curl https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/scripts/deploy/flux.yaml | kubectl apply -f -
+```
+* There is a [known issue](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/329) with Velero ability to restore PersistentVolumes.
+
+
+## [1.7.0]
+
+* [!453](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/453): Global Timeout for flux and allow for HR flux settings to be populated via values
+* [!459](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/459): Gitlab monitoring fix
+* [!406](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/406): Authservice Support For Non Keycloak OIDC Endpoints
+* [!447](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/447): Sonarqube updated to 8.7.1
+* [!446](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/446): Mattermost elastic integration
+* [!437](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/437): Postrenders
+* [!440](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/440): GitLab Upgrade to 13.10.3
+* [!450](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/450): Ironbank image version check script
+
+* [!369](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/369): Update development-environment
+* [!371](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/371): Update 2_getting_started
+* [!483](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/438): cluster auditor architecture
+* [!454](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/454): Storage Documentation
+* [!221](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/221): Add initial thoughts on Hugo
+* [!408](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/408): Adding Architecture Doc for ek package
+* [!462](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/462): Document GitLab package architecture in charter
+* [!463](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/463): Update CODEOWNERS
+
+### Upgrade Notice
+This release comes with a new version of Sonarqube which requires a manual database upgrade that can be easily done through the web interface. If you see a message stating Sonarqube is under maintenance go to the following url and click update database:
+```
+https://sonarqube.your.url/setup
+```
+After a few minutes you should be able to log back in.
+
+### Known Issues
+If the following error is seen on any helm releases ```scheme "" not supported``` try updating flux to latest ib images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
+```bash
+kubectl create -n flux-system secret docker-registry private-registry --docker-server="https://registry1.dso.mil" --docker-username='<IB_Username>' --docker-password="<CLI_TOKEN>"
+kubectl apply -f scripts/deploy/flux.yaml
+```
 
 ## [1.6.2]
 

CODEOWNERS

@@ -16,9 +16,9 @@
 [Docs Owners]
 # Allow any one of the listed codeowners to approve merges to the documentation 
 # Does not allow the creator of the merge request to be the approveer.
-/docs/                @michaelmcleroy @egoode @aaronbeger @aaron.ruse @branden.cobb @shouseba @chuck.laverde @daryndecker @dyoung @egnoriega @egoode @iahmad @jcookehg   
+/docs/                @michaelmcleroy @egoode @aaronbeger @aaron.ruse @branden.cobb @shouseba @chuck.laverde @daryndecker @dyoung @egnoriega @iahmad @jcookehg   
                       @jasonkrause @jpower_rfed @jkayse @jdale @joshwolf @karchaf @kavitha @kenna81 @kevin.wilder @killian.byrne @mgauto @msbrown47 @mdutton @matthew.kaiser 
-                      @michaelmcleroy @nick_tetrate @racosta @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @seanthomaswilliams1 @thomas.burton @Ozzie100 @tsiddique1 
+                      @michaelmcleroy @barrywoodtetrate @racosta @rkernick @runyontr @ryan.j.garcia @sean.deprefontaine @seanthomaswilliams1 @thomas.burton @Ozzie100 @tsiddique1 
                       @toladipupo @visuth.dy @zdzielinski @micah.nagel @LynnStill @cmcgrath @evan.rush @andrew.scala.hg @jay-rob @david.allen @nick.kammerdiener
 
 
@@ -42,10 +42,10 @@ hack/                 @toladipupo @michaelmcleroy @egoode
 charter/              @gabe.scarberry @joshwolf @megamind @micah.nagel @michaelmcleroy @phillip.record @runyontr @ryan.j.garcia 
 
 ^[Istio and Authservice]
-chart/Chart.yaml                @kenna81 @kavitha @cmcgrath @nick_tetrate
-chart/values.yaml               @kenna81 @kavitha @cmcgrath @nick_tetrate
+chart/Chart.yaml                @kenna81 @kavitha @cmcgrath @barrywoodtetrate
+chart/values.yaml               @kenna81 @kavitha @cmcgrath @barrywoodtetrate
 chart/templates/authservice     @kenna81 @kavitha @cmcgrath 
-chart/templates/istio           @kenna81 @kavitha @cmcgrath @nick_tetrate
+chart/templates/istio           @kenna81 @kavitha @cmcgrath @barrywoodtetrate
 
 # ^[HAProxy]
 # chart/Chart.yaml              @?
@@ -98,9 +98,9 @@ chart/values.yaml               @lynnstill @ryan.j.garcia @kevin.wilder
 chart/templates/gitlab          @lynnstill @ryan.j.garcia @kevin.wilder
 
 ^[KeyCloak]
-chart/Chart.yaml                @megamind
-chart/values.yaml               @megamind
-chart/templates/keycloak        @megamind
+chart/Chart.yaml                @megamind @kevin.wilder @michaelmcleroy
+chart/values.yaml               @megamind @kevin.wilder @michaelmcleroy
+chart/templates/keycloak        @megamind @kevin.wilder @michaelmcleroy
 
 ^[Mattermost (and operator)]
 chart/Chart.yaml                @micah.nagel @branden.cobb

base/gitrepository.yaml

@@ -11,4 +11,4 @@ spec:
   interval: 10m
   url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
   ref:
-    tag: 1.6.2
+    tag: 1.8.1

chart/Chart.yaml

 apiVersion: v2
 name: bigbang
-version: 1.6.2
+version: 1.8.1
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
 
 type: application

chart/admin.bigbang.dev-certs.yaml

+istio:
+  ingress:
+    key: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8bJtY3qQC0udg
+      WInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDNeJ2JoH96d1vLAm1YmHJ3
+      1aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwiDXjwv9JyOQgOrQqFxP7B
+      Qab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/iiGDJ+Jvomt8opWb4mC2jZ
+      MK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuTNptI3x6OySjbkYlBGhjK
+      MpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHcDxwCJQQJrzGNNc5YMpn8
+      1rvltDOTAgMBAAECggEACINbrXM5s8r1mzvE12S9mcba/25RQyyVo3AJ2rDt7z6z
+      Liespr79K2cwFeh6Laqrt8vGwPBWImeY3GMxgYHIp9pec6+gaHMoV3DZbd1igmdF
+      gS7L9BMqgra4lo1HRpFUH8cF3yvgStTwsaiWs4bOYZmNsFc1ocgw+0EqFRnR14vw
+      Q6pxlNlR0wND4WwEQ+PEFuGyaZpcnDA38vwaNyIVl99pRXXojvfco7dacYyce40o
+      O02mtl2yME4ssCgYPcThonPaUDjF594q7J2kqVRp6mJ0J9lvsxPRZ3NC1tOfVgzI
+      E/YVeNx7S9r0ONTJFLfRidd+udBKBCUM7NcKygqk8QKBgQDiQc0LPe7NWzfZ5Ks2
+      IeZZ1S7CX/Eyv7VW90YhOUTF9g9PmmH1v539vp9xdHlo9YaF2dXuf1GsMgpNQ4IZ
+      Nuz5xwvvmma3demqtOawTpHj3vHpZWOYTL0SEb5XwyPaZZIb33wxDidT8/0CpwPt
+      Tlq6GQ8HPYupHT6cJQcb7PgAmQKBgQDVMZ+0WucFAKeJSEj1zDZA0EzUqiFfLCpP
+      gko9+9yhPvl7Q6c+oOV0brx0ny+racLUsV0m8vzvvLFxHTubPa7CMKf5s7c3EPQv
+      8GqovlsvgzchwxRRs0KQMhQSZw1X2UDSBDci0AwZRXrJQp3odJk+0Pq5MslfCF6s
+      fwWxV6C1CwKBgBSvv3ePqg3MkUayyZShdNYxz5yl+P+S15mj8h2HhuoynSPCEcLO
+      Sjuw+hL9ezxFdo82Y4Dy0xzTVm3KBlMX2oLb2BOIImwTs9GPyKfGB0C2WZflVT3P
+      hlnolWagyN5m+vzhahFyIdZjMHbVnl5ME6+AKweWcPZ9XgQYvpWnDOXBAoGBAL0I
+      mTEUAQ+geuzxGTBI+DoT+GwAxkJbKNEDF81KC2E2M4Qmgp63j3zjy1ok4+G7jzOE
+      aLJmdfwkdbl0UCvgT5qEBg0UWvoKoFn5dLlWwAeq8zGOhe/DYNv2a3G9ykkAq8cM
+      Uc8eZfvqbWsTFGzPJipaplWcQI1xIHEW1/ddWXPtAoGBAInFXBnVDJiZkhq1adt9
+      3S/YVoMigw6ZD4j7E5g/5QBCs2rnZex20YFuJDvf+HAD/3eohJ6n75QRSZc0sn9j
+      XO49WKI7Qd2XTEL6dGvxGyFRTqrC5dUd3v/wq4XjUz1bI6VTvvHvf7EPCGh1NJ8v
+      PcJzvO/HdugGAG1xWnN7HT4g
+      -----END PRIVATE KEY-----
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      MIIFLDCCBBSgAwIBAgISA87F5ACBGZuzPeSeGr2wqcY8MA0GCSqGSIb3DQEBCwUA
+      MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+      EwJSMzAeFw0yMTA0MTQxNDIzMTRaFw0yMTA3MTMxNDIzMTRaMB4xHDAaBgNVBAMM
+      EyouYWRtaW4uYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+      AoIBAQC8bJtY3qQC0udgWInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDN
+      eJ2JoH96d1vLAm1YmHJ31aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwi
+      DXjwv9JyOQgOrQqFxP7BQab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/ii
+      GDJ+Jvomt8opWb4mC2jZMK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuT
+      NptI3x6OySjbkYlBGhjKMpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHc
+      DxwCJQQJrzGNNc5YMpn81rvltDOTAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMC
+      BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
+      HQYDVR0OBBYEFLp8IoeSyLzb/tJ57pxDqGX4t/4nMB8GA1UdIwQYMBaAFBQusxe3
+      WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0
+      cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j
+      ci5vcmcvMB4GA1UdEQQXMBWCEyouYWRtaW4uYmlnYmFuZy5kZXYwTAYDVR0gBEUw
+      QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov
+      L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCU
+      ILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXjQ+rZ5AAAEAwBHMEUC
+      IQCOtTENOPlAwvmnqNxm9LHWo1TkNpLZqdCQWffa3zc2sAIgVpNs+pLLUmJfwq0+
+      FRSQJB9FyrH7js53BSZ1WyfY6GwAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q
+      l2iZfiLw1wAAAXjQ+razAAAEAwBHMEUCIQDCliAyo7EV92Kmp5zeoVfeqklvPPYi
+      p43KG/yc6gbiBwIgHpQYiQ5MCcJHnnol3Ku35ZYJw8jcWy7aW2S9gHR3eeUwDQYJ
+      KoZIhvcNAQELBQADggEBACUBLIHwOvyAsXlRGxqDKBGcl8BmbelWgp+XXsf9MZd0
+      hYYrPlnQL95C5R78FXmYlG24J4uHLMTvz+gYe/WRv4Cjr8It+EaoGATZ8zGa2OlY
+      FTfx6dLk/h2KPF9N45o5rsUtlTlTfJYGz58p30XefLwOdIrez8UtEV2fWevAWwYw
+      ZGLvPczwDABye0OUou+M+BoZQOI6hrcQ3IXGlf/VQKzBp1dOOxZB7bx3mOzg1CI6
+      1AebDLxybOev4Ke25jbtst6i4HG1feFXm4yL1utNsn15uBVoQVfKeLVvMO3Y2Hyi
+      DZvLATJX4qq0e2wDcETc8fxshOUnYhpzrbUctVBBncA=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
+      MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+      DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
+      MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
+      AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
+      jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
+      Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
+      U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
+      gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
+      /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
+      oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+      BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
+      ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
+      p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
+      AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
+      Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
+      LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
+      r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
+      AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
+      ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
+      S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
+      qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
+      O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
+      UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+      -----END CERTIFICATE-----

chart/google-auth-example-values.yaml

@@ -3,10 +3,13 @@
 #
 # Current tested implementations and reference docs:
 #   * grafana - https://grafana.com/docs/grafana/latest/auth/google/
+#   * kibana/es - https://www.elastic.co/guide/en/elasticsearch/reference/7.12/oidc-guide-stack.html
+#               - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html#oidc
 #
 
 monitoring:
   sso:
+    enabled: true
     grafana:
       client_id: <client_id>
       client_secret: <client_secret>
@@ -14,4 +17,29 @@ monitoring:
       allowed_domains: <allowed_domains>
       auth_url: https://accounts.google.com/o/oauth2/auth
       token_url: https://oauth2.googleapis.com/token
-      signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
\ No newline at end of file
+      signout_redirect_url: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=https://grafana.bigbang.dev
+logging:
+  sso:
+    enabled: true
+    oidc:
+      realm: "Google" # optionally override the name used in the custom ES realm def and login page
+    client_secret: "<client_secret>"
+    client_id: "<client_id>"
+    # additional fields (required to override keycloak defaults)
+    issuer: "https://accounts.google.com"
+    auth_url: "https://accounts.google.com/o/oauth2/v2/auth"
+    token_url: "https://oauth2.googleapis.com/token"
+    userinfo_url: "https://openidconnect.googleapis.com/v1/userinfo"
+    jwkset_url: "https://www.googleapis.com/oauth2/v3/certs"
+    claims_principal: email
+    claims_principal_pattern: "<regex for allowed email domains>" # example: "^([^@]+)@leapfrog\\.ai$"
+    requested_scopes:
+      - openid
+      - email
+    # required for keycloak - should be empty for google)
+    signature_algorithm: ""
+    endsession_url: ""
+    claims_group: ""
+    claims_mail: ""
+  license:
+    trial: true
\ No newline at end of file

chart/templates/NOTES.txt

@@ -150,3 +150,12 @@ PLATFORM ONE MATTERMOST WARNING:
   Make sure to go back and edit your values or ensure you add the license through the mattermost settings page.
 {{- end }}
 {{- end }}
+
+{{ if $.Values.addons.keycloak.enabled }}
+PLATFORM ONE KEYCLOAK WARNING:
+  You have enabled keycloak in the values configuration.
+  Core packages are automatically moved to an `admin` subdomain (e.g. prometheus.admin.bigbang.dev).
+  Addons are not accessible and not supported in the same cluster as Keycloak.
+  Keycloak is still in a BETA status.  This means we don't fully recommend it for production workloads quite yet, but will be rolling out support in the near future to move it to STABLE.
+  Specifically, the way that multiple ingressgateways are created and specified within BigBang will make the automatic `admin` creation of core packages obsolete, and will also allow Keycloak to better function alongside other addons.
+{{- end }}

chart/templates/_helpers.tpl

@@ -101,3 +101,46 @@ stringData:
   overlays: |
     {{- toYaml .package.values | nindent 4 }}
 {{- end -}}
+
+{{/* 
+bigbang.addValueIfSet can be used to nil check parameters before adding them to the values.
+  Expects a list with the following params:
+    * [0] - (string) <yaml_key_to_add>
+    * [1] - (interface{}) <value_to_check>
+  
+  No output is generated if <value> is undefined, however, explicitly set empty values 
+  (i.e. `username=""`) will be passed along. All string fields will be quoted.
+
+  Example command: 
+  - `{{ (list "name" .username) | include "bigbang.addValueIfSet" }}`
+    * When `username: Aniken`
+      -> `name: "Aniken"`
+    * When `username: ""`
+      -> `name: ""`
+    * When username is not defined
+      -> no output 
+*/}}
+{{- define "bigbang.addValueIfSet" -}}
+  {{- $key := (index . 0) }}
+  {{- $value := (index . 1) }}
+  {{- /*If the value is explicitly set (even if it's empty)*/}}
+  {{- if not (kindIs "invalid" $value) }}
+    {{- /*Handle strings*/}}
+    {{- if kindIs "string" $value }}
+      {{- printf "\n%s" $key }}: {{ $value | quote }} 
+    {{- /*Hanldle slices*/}}
+    {{- else if kindIs "slice" $value }}
+      {{- printf "\n%s" $key }}:    
+        {{- range $value }}
+          {{- if kindIs "string" . }}
+            {{- printf "\n  - %s" (. | quote) }}
+          {{- else }} 
+            {{- printf "\n  - %v" . }}
+          {{- end }}
+        {{- end }}
+    {{- /*Handle other types (no quotes)*/}}
+    {{- else }}
+      {{- printf "\n%s" $key }}: {{ $value }} 
+    {{- end }}
+  {{- end }}
+{{- end -}}

chart/templates/anchore/anchore-helmrelease.yaml

+{{- $fluxSettingsAnchore := merge .Values.addons.anchore.flux .Values.flux -}}
 {{- if .Values.addons.anchore.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
@@ -16,23 +17,7 @@ spec:
         name: anchore
         namespace: {{ .Release.Namespace }}
 
-  {{- with .Values.flux }}
-  interval: {{ .interval }}
-  test:
-    enable: false
-  install:
-    remediation:
-      retries: {{ .install.retries }}
-  upgrade:
-    disableWait: true
-    remediation:
-      retries: {{ .upgrade.retries }}
-      remediateLastFailure: true
-    cleanupOnFail: true
-  rollback:
-    timeout: {{ .rollback.timeout }}
-    cleanupOnFail: {{ .rollback.cleanupOnFail }}
-  {{- end }}
+  {{- toYaml $fluxSettingsAnchore | nindent 2 }}
 
   valuesFrom:
     - name: {{ .Release.Name }}-anchore-values
@@ -56,4 +41,4 @@ spec:
       namespace: {{ .Release.Namespace }}
     {{- end }}
   {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/anchore/imagepullsecret.yaml

+{{- if .Values.addons.anchore.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: anchore
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/anchore/namespace.yaml

@@ -5,16 +5,4 @@ metadata:
   labels:
     app: {{ .Release.Name }}-anchore
   name: anchore
-
----
-{{- if ( include "imagePullSecret" . ) }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: private-registry
-  namespace: anchore
-type: kubernetes.io/dockerconfigjson
-data:
-  .dockerconfigjson: {{ template "imagePullSecret" . }}
-{{- end }}
 {{- end }}
\ No newline at end of file

chart/templates/anchore/values.yaml

@@ -62,7 +62,7 @@ anchoreEnterpriseUi:
 anchore-ui-redis:
   {{- if and .Values.addons.anchore.redis.host .Values.addons.anchore.redis.port .Values.addons.anchore.redis.password }}
   enabled: false
-  externalEndpoint: "redis://:{{ .Values.addons.anchore.redis.password }}@{{ .Values.addons.anchore.redis.host }}:{{ .Values.addons.anchore.redis.port }}"
+  externalEndpoint: "redis://{{ .Values.addons.anchore.redis.username | default "nouser" }}:{{ .Values.addons.anchore.redis.password }}@{{ .Values.addons.anchore.redis.host }}:{{ .Values.addons.anchore.redis.port }}"
   password: {{ .Values.addons.anchore.redis.password }}
   {{- end }}
   image:

chart/templates/argocd/argocd-helmrelease.yaml

+{{- $fluxSettingsArgo := merge .Values.addons.argocd.flux .Values.flux -}}
 {{- if .Values.addons.argocd.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
@@ -19,22 +20,7 @@ spec:
         name: argocd
         namespace: {{ .Release.Namespace }}
 
-  {{- with .Values.flux }}
-  interval: {{ .interval }}
-  test:
-    enable: false
-  install:
-    remediation:
-      retries: {{ .install.retries }}
-  upgrade:
-    remediation:
-      retries: {{ .upgrade.retries }}
-      remediateLastFailure: true
-    cleanupOnFail: true
-  rollback:
-    timeout: {{ .rollback.timeout }}
-    cleanupOnFail: {{ .rollback.cleanupOnFail }}
-  {{- end }}
+  {{- toYaml $fluxSettingsArgo | nindent 2 }}
 
   valuesFrom:
     - name: {{ .Release.Name }}-argocd-values

chart/templates/argocd/imagepullsecret.yaml

+{{- if .Values.addons.argocd.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: argocd
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}

chart/templates/argocd/namespace.yaml

@@ -7,16 +7,4 @@ metadata:
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}
   name: argocd
-
----
-{{- if ( include "imagePullSecret" . ) }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: private-registry
-  namespace: argocd
-type: kubernetes.io/dockerconfigjson
-data:
-  .dockerconfigjson: {{ template "imagePullSecret" . }}
-{{- end }}
 {{- end }}

chart/templates/argocd/values.yaml

@@ -27,6 +27,9 @@ redis-bb:
 istio:
   enabled: {{ .Values.istio.enabled }}
 
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
 {{- if .Values.addons.argocd.sso.enabled }}
 sso:
   enabled: {{ .Values.addons.argocd.sso.enabled }}

chart/templates/authservice/authservice-helmrelease.yaml

+{{- $fluxSettingsAuthservice := merge .Values.addons.authservice.flux .Values.flux -}}
 {{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.monitoring.sso.enabled .Values.jaeger.sso.enabled ) }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
@@ -19,22 +20,8 @@ spec:
         name: authservice
         namespace: {{ .Release.Namespace }}
 
-  {{- with .Values.flux }}
-  interval: {{ .interval }}
-  test:
-    enable: false
-  install:
-    remediation:
-      retries: {{ .install.retries }}
-  upgrade:
-    remediation:
-      retries: {{ .upgrade.retries }}
-      remediateLastFailure: true
-    cleanupOnFail: true
-  rollback:
-    timeout: {{ .rollback.timeout }}
-    cleanupOnFail: {{ .rollback.cleanupOnFail }}
-  {{- end }}
+  {{- toYaml $fluxSettingsAuthservice | nindent 2 }}
+
   {{- if .Values.addons.authservice.postRenderers }}
   postRenderers:
   {{ toYaml .Values.addons.authservice.postRenderers | nindent 4 }}