Compare revisions

Jason Krause · Jason Krause · Jason Krause · Jason Krause · Ronnie Webb · Micah Nagel
--- a/.gitignore
+++ b/.gitignore
@@ -21,7 +21,6 @@ npm-debug.log*
 patch.yaml
 notes
 ignore/*
-chart/*values.yaml

 # Visual Studio Code
 .vscode/*

--- a/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
+++ b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml
@@ -27,6 +27,8 @@
    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
    DOCKER_DRIVER: overlay2
  before_script:
+    # Give docker-in-docker time to come alive
+    - i=0; while [ "$i" -lt 12 ]; do docker info &>/dev/null && break; sleep 5; i=$(( i + 1 )) ; done
    - docker network create ${CI_JOB_ID} --driver=bridge -o "com.docker.network.driver.mtu"="1450"
    - k3d cluster create ${CI_JOB_ID} --config tests/ci/k3d/config.yaml --network ${CI_JOB_ID}
    - until kubectl get deployment coredns -n kube-system -o go-template='{{.status.availableReplicas}}' | grep -v -e '<no value>'; do sleep 1s; done

--- a/.gitlab/merge_request_templates/package_owner.md
+++ b/.gitlab/merge_request_templates/package_owner.md
@@ -14,9 +14,9 @@ If possible, provide additional details that will help with the merge request.

 Known issues or expected conflicts?

-Also, include any issues closed with "Closes #ISSUENUMBER". See example:
+Also, include any issues closed with "Closes #ISSUE_NUMBER". See example:

-Closes #123
+Closes #ISSUE_NUMBER

 Add any labels for affected packages so that they are deployed in CI. See example:


--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,19 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
+## [1.14.0]
+
+* [!1.14.0](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.14.0); List of merge requests in this release.
+
+## [1.13.1]
+
+* [!722](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/722): Bumping Gatekeeper tag, reducing pod footprint, cleaning up constraints
+* [!730](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/730): Bumping Gatekeeper tag, properly excluding all of "kube-system" namespace from gatekeeper via upstream recommendation, removing "kube-system" exclusions from package values.
+
+## [1.13.0]
+
+[!1.13.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.13.0); List of Merge Requests in this Release
+
 ## [1.12.0]

 [!1.12.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.12.0); List of Merge Requests in this Release

--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -40,7 +40,7 @@ charter/                        @gabe.scarberry @joshwolf @megamind @micah.nagel
 ^[Istio, Istio Operator, and Authservice]
 chart/Chart.yaml                @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
 chart/values.yaml               @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
-chart/templates/authservice     @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher
+chart/templates/authservice     @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher @cdevarenne
 chart/templates/istio           @joshwolf @kavitha @michaelmcleroy @micah.nagel @runyontr @ryan.j.garcia @zackbutcher

 ^[HAProxy]

--- a/README.md
+++ b/README.md
--- a/base/gitrepository.yaml
+++ b/base/gitrepository.yaml
@@ -11,4 +11,4 @@ spec:
  interval: 10m
  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
  ref:
-    tag: 1.12.0
+    tag: 1.14.0
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: bigbang
-version: 1.12.0
+version: 1.14.0
 description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.

 type: application
@@ -25,4 +25,4 @@ maintainers:
  - name: Josh Wolf
    email: josh@rancherfederal.com

-icon: https://p1.dso.mil/img/Big_Bang_Color_Logo_White_text.b04263b1.png
\ No newline at end of file
+icon: https://p1.dso.mil/img/Big_Bang_Color_Logo_White_text.b04263b1.png
--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
@@ -6,6 +6,8 @@
 imagePullSecrets:
  - name: private-registry

+openshift: {{ .Values.openshift }}
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  ingressLabels:

--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -12,23 +12,33 @@ postInstall:
    image:
      pullSecrets:
      - name: private-registry
-      
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 violations:  # Try to keep this in alpha order to make it easier to find keys
+
+  {{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
  allowedDockerRegistries:
+    {{- if .Values.istio.enabled }}
    match:
-      excludedNamespaces: 
-       {{- if .Values.istio.enabled }}
+      excludedNamespaces:
        - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
-       {{- end }}
-        - kube-system # ignored as the kubernetes distro cannot be controlled
+    {{- end }}
    {{- if .Values.addons.mattermost.enabled }}
    parameters:
      exemptContainers:
        - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
    {{- end }}
+  {{- end }}
+
+  {{- if .Values.monitoring.enabled}}
+  allowedHostFilesystem:
+    match:
+      excludedNamespaces: 
+        # required for monitoring's prometheus-node-exporter to get node metrics
+        - monitoring
+  {{- end }}

  {{- if .Values.monitoring.enabled }}
  hostNetworking:
@@ -37,20 +47,19 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - monitoring # Allow node exporter to export metrics. The exporters live in pod monitoring-monitoring-prometheus-node-exporter-XXXX
  {{- end }}

+  {{- if .Values.addons.mattermost.enabled }}
  httpsOnly:
    match:
-      excludedNamespaces: 
-       {{- if .Values.addons.mattermost.enabled }}
+      excludedNamespaces:
        # mattermost currently does not useIngressTLS hence Ingress is created without TLS field by the operator.
        # Adding exemption, pending https://github.com/mattermost/mattermost-operator/issues/235
        - mattermost
-       {{- end }}
+  {{- end }}

  {{- if .Values.logging.enabled }}
  noPrivilegedContainers:
    match:
      excludedNamespaces:
-        - kube-system
        - logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
  {{- end }}

@@ -58,7 +67,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
  restrictedTaint:
    match:
      excludedNamespaces:
-        - kube-system
        - monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
  {{- end }}

@@ -69,16 +77,17 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - logging # FluentBit needs selinux option type spc_t
  {{- end }}

+  {{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}
  volumeTypes:
    match:
-      excludedNamespaces: 
+      excludedNamespaces:
       {{- if .Values.fluentbit.enabled }}
        # fluent-bit container requires certain host level access to ship logs and for keep track of state
        # https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#workflow-of-tail-kubernetes-filter
        - logging
       {{- end }}
       {{- if .Values.twistlock.enabled }}
-        # Twistlock requires /dev/log for its syslog daemon. 
+        # Twistlock requires /dev/log for its syslog daemon.
        # https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/audit/logging.html#
        - twistlock
       {{- end }}
@@ -87,5 +96,5 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        # https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-node-exporter/templates/daemonset.yaml#L150
        - monitoring
       {{- end }}
-        - kube-system #local-path_local-path-provisioner helper-pod-create-pvc
+  {{- end }}
 {{- end -}}
--- a/chart/templates/gitlab/secret-objectstore.yaml
+++ b/chart/templates/gitlab/secret-objectstore.yaml
@@ -47,5 +47,6 @@ stringData:
      secret_key = {{ .Values.addons.gitlab.objectStorage.accessSecret }}
      bucket_location = {{ .Values.addons.gitlab.objectStorage.region }}
      host_bucket = %(bucket)s.{{ regexReplaceAll "http(s*)://" .Values.addons.gitlab.objectStorage.endpoint "" }}
+      multipart_chunk_size_mb = 128
+{{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -13,6 +13,9 @@ imagePullSecrets:

 openshift: {{ .Values.openshift }}

+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
@@ -73,4 +76,4 @@ k8s:
      name: tls
      nodePort: {{ add .nodePortBase 3 }}
    {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/keycloak/values.yaml
+++ b/chart/templates/keycloak/values.yaml
@@ -10,6 +10,8 @@ imagePullSecrets:

 hostname: {{ .Values.hostname }}

+openshift: {{ .Values.openshift }}
+
 istio:
  enabled: {{ .Values.istio.enabled }}
  keycloak:
@@ -80,4 +82,4 @@ extraVolumeMountsBigBang:
    readOnly: true
 {{- end }}

-{{- end }}
\ No newline at end of file
+{{- end }}
--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
@@ -35,6 +35,13 @@ cr:
      {{- else }}
      strategy: token
      {{- end }}
+    external_services:
+      grafana:
+        {{- $grafanaUrls := first (dig "istio" "grafana" "hosts" list .Values.monitoring.values) }}
+        url: https://{{ tpl ($grafanaUrls | default (printf "%s.%s" "grafana" .Values.hostname)) . }}
+      tracing:
+        {{- $tracingUrls := first (dig "istio" "jaeger" "hosts" list .Values.jaeger.values) }}
+        url: https://{{ tpl ($tracingUrls | default (printf "%s.%s" "tracing" .Values.hostname)) . }}
    api:
      namespaces:
        # bigbang watches all!

--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -4,6 +4,9 @@

 {{- define "bigbang.defaults.logging" -}}
 hostname: {{ .Values.hostname }}
+
+openshift: {{ .Values.openshift }}
+
 istio:
  enabled: {{ .Values.istio.enabled }}
  kibana:

--- a/chart/templates/nexus-repository-manager/values.yaml
+++ b/chart/templates/nexus-repository-manager/values.yaml
@@ -11,6 +11,8 @@ istio:
    gateways:
    - istio-system/{{ default "public" .Values.addons.nexus.ingress.gateway }}

+openshift: {{ .Values.openshift }}
+
 monitoring:
  enabled: {{ .Values.monitoring.enabled }}


--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -5,6 +5,8 @@
 {{- define "bigbang.defaults.twistlock" -}}
 hostname: {{ .Values.hostname }}

+openshift: {{ .Values.openshift }}
+
 prometheus:
  servicemonitor:
    enabled: {{ .Values.monitoring.enabled }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -224,7 +224,7 @@ kiali:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/kiali.git
    path: "./chart"
-    tag: "1.36.0-bb.3"
+    tag: "1.37.0-bb.0"

  # -- Flux reconciliation overrides specifically for the Kiali Package
  flux: {}
@@ -260,7 +260,7 @@ clusterAuditor:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
    path: "./chart"
-    tag: "0.3.0-bb.4"
+    tag: "0.3.0-bb.5"

  # -- Flux reconciliation overrides specifically for the Cluster Auditor Package
  flux: {}
@@ -281,7 +281,7 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.5.1-bb.4"
+    tag: "3.5.1-bb.8"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
  flux:
@@ -306,7 +306,7 @@ logging:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
    path: "./chart"
-    tag: "0.1.17-bb.0"
+    tag: "0.1.18-bb.0"

  # -- Flux reconciliation overrides specifically for the Logging (EFK) Package
  flux:
@@ -346,7 +346,7 @@ eckoperator:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
    path: "./chart"
-    tag: "1.6.0-bb.1"
+    tag: "1.6.0-bb.2"

  # -- Flux reconciliation overrides specifically for the ECK Operator Package
  flux: {}
@@ -360,7 +360,7 @@ fluentbit:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit.git
    path: "./chart"
-    tag: "0.15.15-bb.0"
+    tag: "0.16.1-bb.0"

  # -- Flux reconciliation overrides specifically for the Fluent-Bit Package
  flux: {}
@@ -381,7 +381,7 @@ monitoring:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git
    path: "./chart"
-    tag: "14.0.0-bb.1"
+    tag: "14.0.0-bb.3"

  # -- Flux reconciliation overrides specifically for the Monitoring Package
  flux:
@@ -442,7 +442,7 @@ twistlock:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock.git
    path: "./chart"
-    tag: "0.0.6-bb.0"
+    tag: "0.0.6-bb.1"

  # -- Flux reconciliation overrides specifically for the Twistlock Package
  flux: {}
@@ -467,7 +467,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/argocd.git
      path: "./chart"
-      tag: "3.6.8-bb.4"
+      tag: "3.6.8-bb.5"

    # -- Flux reconciliation overrides specifically for the ArgoCD Package
    flux: {}
@@ -511,7 +511,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice.git
      path: "./chart"
-      tag: "0.4.0-bb.8"
+      tag: "0.4.0-bb.10"

    # -- Flux reconciliation overrides specifically for the Authservice Package
    flux: {}
@@ -551,7 +551,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git
      path: "./chart"
-      tag: "2.0.9-bb.12"
+      tag: "2.0.9-bb.13"

    # -- Flux reconciliation overrides specifically for the Minio Package
    flux: {}
@@ -675,7 +675,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus.git
      path: "./chart"
-      tag: "29.1.0-bb.5"
+      tag: "29.1.0-bb.7"

    # -- Base64 encoded license file.
    license_key: ""
@@ -1018,7 +1018,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero.git
      path: "./chart"
-      tag: "2.23.3-bb.0"
+      tag: "2.23.5-bb.0"

    # -- Flux reconciliation overrides specifically for the Velero Package
    flux: {}
@@ -1046,7 +1046,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
      path: "./chart"
-      tag: "11.0.1-bb.0"
+      tag: "11.0.1-bb.1"

    database:
      # -- Hostname of a pre-existing database to use for Keycloak.

--- a/charter/GitlabLabels.md
+++ b/charter/GitlabLabels.md
@@ -41,17 +41,25 @@ Improvements on testing for individual packages or Big Bang.  Does not change th

 ### priority

-#### `priority::high`
+#### `priority::1`

-`priority::high` issues are causing runtime issues in production environments. These issues justify a patch of a release.
+`priority::1` issues are causing runtime issues in production environments. These issues justify a patch of a release.

-#### `priority:: medium`
+#### `priority::2`

-`priority:: medium` issues are defined by bugs that degrade system performance, but workarounds are available.  
+`priority::2` TBD

-#### `priority::low`
+#### `priority::3`

-`priority::low` issues are superficial and do not have any impact on the functioning of production systems
+`priority:: 3` issues are defined by bugs that degrade system performance, but workarounds are available.
+
+#### `priority::4`
+
+`priority:: 4` TBD
+
+#### `priority::5`
+
+`priority::5` issues are superficial and do not have any impact on the functioning of production systems

 ### Status

@@ -145,17 +153,25 @@ Epic is blocked by an external dependency that needs to be solved before work ca

 ### Priority

-#### `priority::low`
+#### `priority::1`

-A nice to have, but not needed to advance the product.
+Top of the backlog and should be broken down and worked on when cycles become available.

-#### `priority::medium`
+#### `priority::2`
+
+TBD
+
+#### `priority::3`

 Medium term delivery providing long term value.

-#### `priority::high`
+#### `priority::4`
+
+TBD

-Top of the backlog and should be broken down and worked on when cycles become available
+#### `priority::5`
+
+A nice to have, but not needed to advance the product.

 ### Size


--- a/docs/encryption.md
+++ b/docs/encryption.md
@@ -88,7 +88,7 @@ SOPS uses `.sops.yaml` as a configuration file for which keys to use for newly c
 1. Deploy your SOPS private key to a secret named `sops-gpg` in the cluster

   ```bash
-   gpg --export-secret-keys --armor <new key fingerprint> | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey=/dev/stdin
+   gpg --export-secret-keys --armor <new key fingerprint> | kubectl create secret generic sops-gpg -n bigbang --from-file=bigbangkey.asc=/dev/stdin
   ```

 ### AWS KMS
No results found