zarf-dev · AustinAbro321 · Sep 11, 2024 · Sep 16, 2024 · Sep 16, 2024 · Sep 16, 2024
@@ -0,0 +1,14 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: bigbang
+spec:
+  ignore: |
+    # exclude file extensions
+    /**/*.md
+    /**/*.txt
+    /**/*.sh
+  interval: 10m
+  url: https://repo1.dso.mil/big-bang/bigbang.git
+  ref:
+    tag: 2.35.0
@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: bigbang
+spec:
+  chart:
+    spec:
+      chart: chart
+      sourceRef:
+        kind: GitRepository
+        name: bigbang
+  install:
+    remediation:
+      retries: -1
+  interval: 10m
+  releaseName: bigbang
+  rollback:
+    cleanupOnFail: false
+    timeout: 10m
+  targetNamespace: bigbang
+  test:
+    enable: false
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      remediateLastFailure: true
+      retries: 5
+  valuesFrom:
+  - kind: Secret
+    name: zarf-credentials
+  - kind: ConfigMap
+    name: kyverno-config
+  - kind: ConfigMap
+    name: loki-config
+  - kind: Secret
+    name: bb-neuvector-vals
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: zarf-credentials
+  namespace: bigbang
+stringData:
+  values.yaml: |
+    registryCredentials:
+      registry: "###ZARF_REGISTRY###"
+      username: "zarf-pull"
+      password: "###ZARF_REGISTRY_AUTH_PULL###"
+    git:
+      existingSecret: "private-git-server"	# -- Chart created secrets with user defined values
+      credentials:
+        username: "###ZARF_GIT_PUSH###" # -- HTTP git credentials, both username and password must be provided
+        password: "###ZARF_GIT_AUTH_PUSH###"
+    kyvernoPolicies:
+      values:
+        exclude:
+          any:
+          - resources:
+            namespaces:
+            - zarf # don't have Kyverno prevent Zarf from doing zarf things
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kyverno-config
+data:
+  values.yaml: |
+    gatekeeper:
+      enabled: false
+    clusterAuditor:
+      enabled: false
+    kyverno:
+      enabled: true
+    kyvernoPolicies:
+      enabled: true
+      values:
+        policies:
+          disallow-shared-subpath-volume-writes:
+            validationFailureAction: audit
+          restrict-host-ports:
+            validationFailureAction: audit
+          restrict-capabilities:
+            validationFailureAction: audit
+          restrict-image-registries:
+            validationFailureAction: audit
+          disallow-host-namespaces:
+            validationFailureAction: audit
+          disallow-privileged-containers:
+            validationFailureAction: audit
+          require-non-root-user:
+            validationFailureAction: audit
+          restrict-host-path-mount-pv:
+            validationFailureAction: audit
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: loki-config
+data:
+  values.yaml: |
+    elasticsearchKibana:
+      enabled: false
+
+    eckOperator:
+      enabled: false
+
+    fluentbit:
+      enabled: false
+
+    loki:
+      enabled: true
+
+    promtail:
+      enabled: true
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bb-neuvector-vals
+  namespace: bigbang
+stringData:
+  values.yaml: |
+    # If running in k3s, this is needed for Neuvector to start properly
+    neuvector:
+      values:
+        k3s:
+          enabled: true
@@ -0,0 +1,142 @@
+apiVersion: zarf.dev/v1alpha1
+kind: ZarfPackageConfig
+metadata:
+  name: bigbang
+components:
+- name: flux
+  required: true
+  manifests:
+  - name: flux-system
+    namespace: flux-system
+    files:
+    - flux/bb-flux.yaml
+  images:
+  - registry1.dso.mil/ironbank/fluxcd/source-controller:v1.3.0
+  - registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v1.3.0
+  - registry1.dso.mil/ironbank/fluxcd/helm-controller:v1.0.1
+  - registry1.dso.mil/ironbank/fluxcd/notification-controller:v1.3.0
+- name: bigbang
+  required: true
+  manifests:
+  - name: bigbang
+    namespace: bigbang
+    files:
+    - manifests/bb-gitrepository.yaml
+    - manifests/bb-zarf-credentials.yaml
+    - values-files/kyverno.yaml
+    - values-files/loki.yaml
+    - values-files/neuvector.yaml
+    - manifests/bb-helmrelease.yaml
+  images:
+  - registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins:11.1.4
+  - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.5
+  - registry1.dso.mil/ironbank/big-bang/base:2.1.0
+  - registry1.dso.mil/ironbank/opensource/istio/pilot:1.22.4
+  - registry1.dso.mil/ironbank/opensource/istio/proxyv2:1.22.4
+  - registry1.dso.mil/ironbank/opensource/istio/operator:1.22.4
+  - registry1.dso.mil/ironbank/opensource/kiali/kiali:v1.89.0
+  - registry1.dso.mil/ironbank/opensource/kiali/kiali-operator:v1.89.1
+  - registry1.dso.mil/ironbank/opensource/kyverno:v1.12.5
+  - registry1.dso.mil/ironbank/opensource/kyverno/kyvernopre:v1.12.5
+  - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.7
+  - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4
+  - registry1.dso.mil/ironbank/opensource/kyverno/kyverno/reports-controller:v1.12.5
+  - registry1.dso.mil/ironbank/opensource/kyverno/kyverno/background-controller:v1.12.5
+  - registry1.dso.mil/ironbank/opensource/kyverno/kyverno/cleanup-controller:v1.12.5
+  - registry1.dso.mil/ironbank/opensource/kyverno/kyvernocli:v1.12.5
+  - registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter:2.20.1
+  - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1
+  - registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server:v0.7.1
+  - registry1.dso.mil/ironbank/opensource/prometheus/alertmanager:v0.27.0
+  - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6
+  - registry1.dso.mil/ironbank/opensource/kubernetes/kube-state-metrics:v2.12.0
+  - registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.3.0
+  - registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.53.0
+  - registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.75.0
+  - registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.75.0
+  - registry1.dso.mil/ironbank/opensource/prometheus/node-exporter:v1.8.1
+  - registry1.dso.mil/ironbank/opensource/thanos/thanos:v0.35.1
+  - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.3.4
+  - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.3.4
+  - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.3.4
+  - registry1.dso.mil/ironbank/neuvector/neuvector/scanner:5
+  - registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:5.3.2
+  - registry1.dso.mil/ironbank/opensource/grafana/promtail:v3.0.0
+  - registry1.dso.mil/ironbank/opensource/grafana/tempo:2.5.0
+  - registry1.dso.mil/ironbank/opensource/grafana/tempo-query:2.5.0
+  repos:
+  - https://repo1.dso.mil/big-bang/bigbang@2.35.0
+  - https://repo1.dso.mil/big-bang/product/packages/grafana.git@8.4.6-bb.1
+  - https://repo1.dso.mil/big-bang/product/packages/istio-controlplane.git@1.22.4-bb.1
+  - https://repo1.dso.mil/big-bang/product/packages/istio-operator.git@1.22.4-bb.0
+  - https://repo1.dso.mil/big-bang/product/packages/kiali.git@1.89.0-bb.0
+  - https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git@3.2.5-bb.3
+  - https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter.git@2.24.1-bb.0
+  - https://repo1.dso.mil/big-bang/product/packages/kyverno.git@3.2.6-bb.0
+  - https://repo1.dso.mil/big-bang/product/packages/loki.git@6.10.0-bb.0
+  - https://repo1.dso.mil/big-bang/product/packages/metrics-server.git@3.12.1-bb.4
+  - https://repo1.dso.mil/big-bang/product/packages/monitoring.git@62.1.0-bb.0
+  - https://repo1.dso.mil/big-bang/product/packages/neuvector.git@2.7.8-bb.1
+  - https://repo1.dso.mil/big-bang/product/packages/promtail.git@6.16.2-bb.3
+  - https://repo1.dso.mil/big-bang/product/packages/tempo.git@1.10.3-bb.0
+  actions:
+    onRemove:
+      before:
+      - cmd: ./zarf tools kubectl patch helmrelease -n bigbang bigbang --type=merge -p '{"spec":{"suspend":true}}'
+        description: Suspend Big Bang HelmReleases to prevent reconciliation during removal.
+  healthChecks:
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: grafana
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: istio
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: istio-operator
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: kiali
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: kyverno
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: kyverno-policies
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: kyverno-reporter
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: loki
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: monitoring
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: neuvector
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: promtail
+  - apiVersion: helm.toolkit.fluxcd.io/v2
+    kind: HelmRelease
+    namespace: bigbang
+    name: tempo
+
+# YAML keys starting with `x-` are custom keys that are ignored by the Zarf CLI
+# The `x-mdx` key is used to render the markdown content for https://docs.zarf.dev/ref/examples
+x-mdx: |
+  This package deploys [Big Bang](https://repo1.dso.mil/platform-one/big-bang/bigbang)
+
+  It was generated using the command `zarf dev generate big-bang 2.35.0 --values-file-manifests=values-files/kyverno.yaml,values-files/loki.yaml,values-files/neuvector.yaml`