Release 2.x

Author: mjnagel

README.md

@@ -6,11 +6,15 @@ Big Bang is a declarative, continuous delivery tool for deploying DoD hardened a
 
 ## Usage & Scope
 
-Big Bang's scope is to provide publicly available installation manifests for:
+Big Bang's scope is to provide publicly available installation manifests for packages required to adhere to the DoD DevSecOps Reference Architecture and additional useful utilities. Big Bang packages are broken into three categories:
 
-- A specific set of packages that adhere to the DevSecOps Reference Architecture. The core list of packages can be found [here](https://repo1.dso.mil/platform-one/big-bang/apps/core).
+- Core: [Core packages](./docs/understanding-bigbang/package-architecture/README.md##Core) are a group of capabilities required by the DoD DevSecOps Reference Architecture, that are supported directly by the Big Bang development team. The specific capabilities that are considered core currently are Service Mesh, Policy Enforcement, Logging, Monitoring, and Runtime Security.
 
-- Packages that facilitate development of applications that adhere to the DevSecOps Reference Architecture. The full list of packages can be found [here](https://repo1.dso.mil/platform-one/big-bang/apps).
+- Addons: [Addon packages](./docs/understanding-bigbang/package-architecture/README.md##Addons) are any packages/capabilities that the Big Bang development team directly supports that do not fall under the above core definition. These serve to extend the functionality/features of Big Bang.
+
+- Community: [Community packages](https://repo1.dso.mil/big-bang/product/community) are any packages that are maintained by the broader Big Bang community (users, vendors, etc). These packages could be alternatives to core or addon packages, or even entirely new packages to help extend usage/functionality of Big Bang.
+
+In order for an installation of Big Bang to be a valid installation/configuration you must install/deploy a core package of each category (for additional details on categories and options see [here](./docs/understanding-bigbang/package-architecture/README.md##Core)).
 
 Big Bang also builds tooling around the testing and validation of Big Bang packages. These tools are provided as-is, without support.
 

chart/templates/NOTES.txt

@@ -116,20 +116,25 @@ PLATFORM ONE ANCHORE WARNING:
 {{- end }}
 {{- end }}
 
-{{- if and $.Values.eckoperator.enabled $.Values.logging.enabled }}
-  {{- if $.Values.logging.sso.enabled }}
-    {{- if and (not $.Values.logging.license.trial) (not $.Values.logging.license.keyJSON) }}
+{{- if and $.Values.eckOperator.enabled $.Values.elasticsearchKibana.enabled }}
+  {{- if $.Values.elasticsearchKibana.sso.enabled }}
+    {{- if and (not $.Values.elasticsearchKibana.license.trial) (not $.Values.elasticsearchKibana.license.keyJSON) }}
 PLATFORM ONE LOGGING WARNING:
   You have enabled SSO but not provided an enterprise license configuration to use. SSO is not functional without a license.
   Edit the values for the eck-operator to specify a license key JSON or use the trial license for development.
     {{- end }}
   {{- end }}
 {{- end }}
 
-{{- if and (or $.Values.promtail.enabled $.Values.loki.enabled) .Values.logging.enabled }}
+{{- if and .Values.promtail.enabled .Values.fluentbit.enabled }}
 PLATFORM ONE LOGGING WARNING:
-  You have enabled both promtail/loki and efk logging.  This is permitted during beta testing of promtail/loki.
-  After the beta period, only one logging stack will be supported at one time, with the PLG stack becoming the default supported stack.
+  You have enabled both Promtail and Fluentbit (log forwarders). This is not a supported configuration and you may see conflicts as a result of both applications attempting to ship logs.
+{{- end }}
+
+{{- if and .Values.loki.enabled .Values.elasticsearchKibana.enabled }}
+PLATFORM ONE LOGGING WARNING:
+  You have enabled both Loki and Elastic (log storage). This is not a supported configuration and you may see issues as a result of running both applications.
+  If using Elastic for other functionality, deploying both applications is acceptable.
 {{- end }}
 
 {{- if and $.Values.loki.enabled (dig "values" "global" "createGlobalConfig" false $.Values.loki) }}
@@ -182,14 +187,14 @@ DEPRECATION NOTICE:
 {{- if .Values.addons.nexus }}
 DEPRECATION NOTICE:
   .Values.addons.nexus has been deprecated and will be removed in a future Big Bang release.
-  Please reconfigure your values overrides to use .Values.addons.nexusRepositoryManager 
+  Please reconfigure your values overrides to use .Values.addons.nexusRepositoryManager
 {{- end }}
 
 {{- $nexusOldValues := default dict .Values.addons.nexus -}}
 {{- $nexusValues := merge $nexusOldValues .Values.addons.nexusRepositoryManager -}}
 
 {{- with .Values }}
-{{- if and .sso.url (coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate) }}
+{{- if and .sso.url (coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName .elasticsearchKibana.sso.issuer .elasticsearchKibana.sso.auth_url .elasticsearchKibana.sso.token_url .elasticsearchKibana.sso.userinfo_url .elasticsearchKibana.sso.jwkset_url .elasticsearchKibana.sso.claims_principal .elasticsearchKibana.sso.endsession_url .elasticsearchKibana.sso.claims_group .elasticsearchKibana.sso.claims_mail .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url .twistlock.sso.provider_name .twistlock.sso.issuer_uri .twistlock.sso.idp_url .twistlock.sso.console_url .twistlock.sso.cert .addons.argocd.sso.provider_name .addons.gitlab.sso.label .addons.gitlab.sso.issuer_uri .addons.gitlab.sso.end_session_uri .addons.gitlab.sso.uid_field .addons.mattermost.sso.auth_endpoint .addons.mattermost.sso.token_endpoint .addons.mattermost.sso.user_api_endpoint $nexusValues.sso.idp_data.idpMetadata .addons.sonarqube.sso.provider_name .addons.sonarqube.sso.certificate) }}
 DEPRECATION NOTICE:
   The following SSO keys have been deprecated.  Deprecated keys will continue to work, but will be removed in a future release.  Please update your overrides.
     {{- if coalesce .sso.oidc.host .sso.oidc.realm .sso.certificate_authority .sso.jwks .sso.jwks_uri .sso.client_id .sso.client_secret .sso.token_url .sso.auth_url .sso.secretName }}
@@ -238,44 +243,44 @@ DEPRECATION NOTICE:
       secretName: {{ .sso.secretName }}
       {{- end }}
     {{- end }}
-    {{- if coalesce .logging.sso.issuer .logging.sso.auth_url .logging.sso.token_url .logging.sso.userinfo_url .logging.sso.jwkset_url .logging.sso.claims_principal .logging.sso.endsession_url .logging.sso.claims_group .logging.sso.claims_mail }}
-    logging:
+    {{- if coalesce .elasticsearchKibana.sso.issuer .elasticsearchKibana.sso.auth_url .elasticsearchKibana.sso.token_url .elasticsearchKibana.sso.userinfo_url .elasticsearchKibana.sso.jwkset_url .elasticsearchKibana.sso.claims_principal .elasticsearchKibana.sso.endsession_url .elasticsearchKibana.sso.claims_group .elasticsearchKibana.sso.claims_mail }}
+    elasticsearchKibana:
       sso:
-        {{- if .logging.sso.issuer }}
+        {{- if .elasticsearchKibana.sso.issuer }}
         # "issuer" was moved to "sso.url"
-        issuer: {{ .logging.sso.issuer }}
+        issuer: {{ .elasticsearchKibana.sso.issuer }}
         {{- end }}
-        {{- if .logging.sso.auth_url }}
+        {{- if .elasticsearchKibana.sso.auth_url }}
         # "auth_url" was moved to "sso.oidc.authorization"
-        auth_url: {{ .logging.sso.auth_url }}
+        auth_url: {{ .elasticsearchKibana.sso.auth_url }}
         {{- end }}
-        {{- if .logging.sso.token_url }}
+        {{- if .elasticsearchKibana.sso.token_url }}
         # "token_url" was moved to "sso.oidc.token"
-        token_url: {{ .logging.sso.token_url }}
+        token_url: {{ .elasticsearchKibana.sso.token_url }}
         {{- end }}
-        {{- if .logging.sso.userinfo_url }}
+        {{- if .elasticsearchKibana.sso.userinfo_url }}
         # "userinfo_url" was moved to "sso.oidc.userinfo"
-        userinfo_url: {{ .logging.sso.userinfo_url }}
+        userinfo_url: {{ .elasticsearchKibana.sso.userinfo_url }}
         {{- end }}
-        {{- if .logging.sso.jwkset_url }}
+        {{- if .elasticsearchKibana.sso.jwkset_url }}
         # "jwkset_url" was moved to "sso.oidc.jwksUrl"
-        jwkset_url: {{ .logging.sso.jwkset_url }}
+        jwkset_url: {{ .elasticsearchKibana.sso.jwkset_url }}
         {{- end }}
-        {{- if .logging.sso.claims_principal }}
+        {{- if .elasticsearchKibana.sso.claims_principal }}
         # "claims_principal" was moved to "sso.oidc.claims.username"
-        claims_principal: {{ .logging.sso.claims_principal }}
+        claims_principal: {{ .elasticsearchKibana.sso.claims_principal }}
         {{- end }}
-        {{- if .logging.sso.endsession_url }}
+        {{- if .elasticsearchKibana.sso.endsession_url }}
         # "endsession_url" was moved to "sso.oidc.endsession"
-        endsession_url: {{ .logging.sso.endsession_url }}
+        endsession_url: {{ .elasticsearchKibana.sso.endsession_url }}
         {{- end }}
-        {{- if .logging.sso.claims_group }}
+        {{- if .elasticsearchKibana.sso.claims_group }}
         # "claims_group" was moved to "sso.oidc.claims.groups"
-        claims_group: {{ .logging.sso.claims_group }}
+        claims_group: {{ .elasticsearchKibana.sso.claims_group }}
         {{- end }}
-        {{- if .logging.sso.claims_mail }}
+        {{- if .elasticsearchKibana.sso.claims_mail }}
         # "claims_mail" was moved to "sso.oidc.claims.email"
-        claims_mail: {{ .logging.sso.claims_mail }}
+        claims_mail: {{ .elasticsearchKibana.sso.claims_mail }}
         {{- end }}
     {{- end }}
     {{- if coalesce .monitoring.sso.grafana.auth_url .monitoring.sso.grafana.token_url .monitoring.sso.grafana.api_url }}
@@ -390,5 +395,5 @@ DEPRECATION NOTICE:
 {{- if .Values.addons.mattermostoperator }}
 DEPRECATION NOTICE:
   .Values.addons.mattermostoperator has been deprecated and will be removed in a future Big Bang release.
-  Please reconfigure your values overrides to use .Values.addons.mattermostOperator 
+  Please reconfigure your values overrides to use .Values.addons.mattermostOperator
 {{- end }}

chart/templates/_helpers.tpl

@@ -53,31 +53,6 @@ branch: {{ .branch | quote }}
 {{- end -}}
 {{- end -}}
 
-{{/*
-Check for git ref, given package values map
-*/}}
-{{- define "checkGitRef" -}}
-{{- $git := (dig "git" dict .) -}}
-{{- if not $git.repo -}}
-false
-{{- else -}}
-{{- if $git.commit -}}
-{{- if not $git.branch -}}
-false
-{{- end -}}
-true
-{{- else if $git.semver -}}
-true
-{{- else if $git.tag -}}
-true
-{{- else if $git.branch -}}
-true
-{{- else -}}
-false
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Build the appropriate git credentials secret for private git repositories
 */}}
@@ -176,7 +151,7 @@ bigbang.addValueIfSet can be used to nil check parameters before adding them to
 Annotation for Istio version
 */}}
 {{- define "istioAnnotation" -}}
-{{- if (eq (include "checkGitRef" .Values.istio) "true") -}}
+{{- if (eq .Values.istio.sourceType "git") -}}
 {{- if .Values.istio.git.semver -}}
 bigbang.dev/istioVersion: {{ .Values.istio.git.semver | trimSuffix (regexFind "-bb.*" .Values.istio.git.semver) }}
 {{- else if .Values.istio.git.tag -}}
@@ -185,7 +160,7 @@ bigbang.dev/istioVersion: {{ .Values.istio.git.tag | trimSuffix (regexFind "-bb.
 bigbang.dev/istioVersion: {{ .Values.istio.git.branch }}
 {{- end -}}
 {{- else -}}
-bigbang.dev/istioVersion: {{ .Values.istio.oci.tag }}
+bigbang.dev/istioVersion: {{ .Values.istio.helmRepo.tag }}
 {{- end -}}
 {{- end -}}
 

chart/templates/anchore/gitrepository.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq (include "checkGitRef" .Values.addons.anchore) "true") .Values.addons.anchore.enabled  }}
+{{- if and (eq .Values.addons.anchore.sourceType "git") .Values.addons.anchore.enabled  }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:

chart/templates/anchore/helmrelease.yaml

@@ -10,18 +10,18 @@ spec:
   targetNamespace: anchore
   chart:
     spec:
-      {{- if eq (include "checkGitRef" .Values.addons.anchore) "true" }}
+      {{- if eq .Values.addons.anchore.sourceType "git" }}
       chart: {{ .Values.addons.anchore.git.path }}
       sourceRef:
         kind: GitRepository
         name: anchore
         namespace: {{ .Release.Namespace }}
       {{- else }}
-      chart: {{ .Values.addons.anchore.oci.name }}
-      version: {{ .Values.addons.anchore.oci.tag }}
+      chart: {{ .Values.addons.anchore.helmRepo.chartName }}
+      version: {{ .Values.addons.anchore.helmRepo.tag }}
       sourceRef:
         kind: HelmRepository
-        name: {{ .Values.addons.anchore.oci.repo }}
+        name: {{ .Values.addons.anchore.helmRepo.repoName }}
         namespace: {{ .Release.Namespace }}
       {{- end }}
       interval: 5m

chart/templates/argocd/gitrepository.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq (include "checkGitRef" .Values.addons.argocd) "true") .Values.addons.argocd.enabled  }}
+{{- if and (eq .Values.addons.argocd.sourceType "git") .Values.addons.argocd.enabled  }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:

chart/templates/argocd/helmrelease.yaml

@@ -13,18 +13,18 @@ spec:
   targetNamespace: argocd
   chart:
     spec:
-      {{- if eq (include "checkGitRef" .Values.addons.argocd) "true" }}
+      {{- if eq .Values.addons.argocd.sourceType "git" }}
       chart: {{ .Values.addons.argocd.git.path }}
       sourceRef:
         kind: GitRepository
         name: argocd
         namespace: {{ .Release.Namespace }}
       {{- else }}
-      chart: {{ .Values.addons.argocd.oci.name }}
-      version: {{ .Values.addons.argocd.oci.tag }}
+      chart: {{ .Values.addons.argocd.helmRepo.chartName }}
+      version: {{ .Values.addons.argocd.helmRepo.tag }}
       sourceRef:
         kind: HelmRepository
-        name: {{ .Values.addons.argocd.oci.repo }}
+        name: {{ .Values.addons.argocd.helmRepo.repoName }}
         namespace: {{ .Release.Namespace }}
       {{- end }}
       interval: 5m

chart/templates/authservice/gitrepository.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.istio.enabled (eq (include "checkGitRef" .Values.addons.authservice) "true") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
+{{- if and .Values.istio.enabled (eq .Values.addons.authservice.sourceType "git") (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:

chart/templates/authservice/helmrelease.yaml

@@ -13,18 +13,18 @@ spec:
   targetNamespace: authservice
   chart:
     spec:
-      {{- if eq (include "checkGitRef" .Values.addons.authservice) "true" }}
+      {{- if eq .Values.addons.authservice.sourceType "git" }}
       chart: {{ .Values.addons.authservice.git.path }}
       sourceRef:
         kind: GitRepository
         name: authservice
         namespace: {{ .Release.Namespace }}
       {{- else }}
-      chart: {{ .Values.addons.authservice.oci.name }}
-      version: {{ .Values.addons.authservice.oci.tag }}
+      chart: {{ .Values.addons.authservice.helmRepo.chartName }}
+      version: {{ .Values.addons.authservice.helmRepo.tag }}
       sourceRef:
         kind: HelmRepository
-        name: {{ .Values.addons.authservice.oci.repo }}
+        name: {{ .Values.addons.authservice.helmRepo.repoName }}
         namespace: {{ .Release.Namespace }}
       {{- end }}
       interval: 5m

chart/templates/cluster-auditor/gitrepository.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq (include "checkGitRef" .Values.clusterAuditor) "true") (not .Values.offline) .Values.clusterAuditor.enabled }}
+{{- if and (eq .Values.clusterAuditor.sourceType "git") (not .Values.offline) .Values.clusterAuditor.enabled }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:

chart/templates/cluster-auditor/helmrelease.yaml

@@ -13,18 +13,18 @@ spec:
   targetNamespace: cluster-auditor
   chart:
     spec:
-      {{- if eq (include "checkGitRef" .Values.clusterAuditor) "true" }}
+      {{- if eq .Values.clusterAuditor.sourceType "git" }}
       chart: {{ .Values.clusterAuditor.git.path }}
       sourceRef:
         kind: GitRepository
         name: cluster-auditor
         namespace: {{ .Release.Namespace }}
       {{- else }}
-      chart: {{ .Values.clusterAuditor.oci.name }}
-      version: {{ .Values.clusterAuditor.oci.tag }}
+      chart: {{ .Values.clusterAuditor.helmRepo.chartName }}
+      version: {{ .Values.clusterAuditor.helmRepo.tag }}
       sourceRef:
         kind: HelmRepository
-        name: {{ .Values.clusterAuditor.oci.repo }}
+        name: {{ .Values.clusterAuditor.helmRepo.repoName }}
         namespace: {{ .Release.Namespace }}
       {{- end }}
       interval: 5m

chart/templates/logging/eck-operator/gitrepository.yaml renamed to chart/templates/eck-operator/gitrepository.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq (include "checkGitRef" .Values.eckoperator) "true") (not .Values.offline) (or .Values.eckoperator.enabled .Values.logging.enabled) }}
+{{- if and (eq .Values.eckOperator.sourceType "git") (not .Values.offline) (or .Values.eckOperator.enabled .Values.elasticsearchKibana.enabled) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
@@ -10,9 +10,9 @@ metadata:
     {{- include "commonLabels" . | nindent 4}}
 spec:
   interval: {{ .Values.flux.interval }}
-  url: {{ .Values.eckoperator.git.repo }}
+  url: {{ .Values.eckOperator.git.repo }}
   ref:
-    {{- include "validRef" .Values.eckoperator.git | nindent 4 }}
+    {{- include "validRef" .Values.eckOperator.git | nindent 4 }}
   {{ include "gitIgnore" . }}
   {{- include "gitCreds" . | nindent 2 }}
 {{- end }}