burning more things

README.md

@@ -1,46 +1,37 @@
-# uds-package-mattermost
+# UDS Mattermost Package
 
-UDS Mattermost Zarf Package
+This repo contains the UDS Mattermost Package along with an example bundle and UDS tasks for development.
 
 ## Dependencies
 
-Mattermost requires two dependencies, postgres and s3 compatible object storage. Wiring Mattermost to your dependencies is done via secrets created in the `mattermost` namespace.
+Mattermost requires two dependencies, postgres and s3 compatible object storage. Wiring Mattermost to your dependencies is done primarily via helm values, which will require the use of a bundle created with uds-cli.
 
 ### Postgres
 
-You should create a secret named `mattermost-postgres` with a single key containing the DB connection string like the following:
-
+Postgres configuration is setup in the `uds-mattermost-config` chart and should be done via bundle overrides (variables or values) like the below:
 ```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mattermost-postgres
-  namespace: mattermost
-type: kubernetes.io/opaque
-stringData:
-  DB_CONNECTION_STRING: "postgres://username:password@hostname:port/dbname?postgresoptions"
+    overrides:
+      mattermost:
+        uds-mattermost-config:
+          values:
+            - path: "postgres.host"
+              value: "postgresql.dev-postgres.svc.cluster.local"
 ```
 
-### S3 Compatible Object Storage
+The full list of override config can be found in the values under `postgres` [here](./chart/values.yaml). In addition a zarf var is exposed for `DB_PASSWORD` for convenience if using import/exports in your bundle.
 
-You should create a secret named `mattermost-object-store` with a number of keys matching the below:
+### S3 Compatible Object Storage
 
+Object storage configuration is setup in the `uds-mattermost-config` chart and should be done via bundle overrides (variables or values) like the below:
 ```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mattermost-object-store
-  namespace: mattermost
-type: kubernetes.io/opaque
-stringData:
-  secure_connection: <true/false> # Typically false for insecure connections like MinIO
-  access_key: <your-access-key>
-  secret_key: <your-secret-key>
-  region: <your-region>
-  bucket: <your-bucket>
-  endpoint: <your-endpoint>
+    overrides:
+      mattermost:
+        uds-mattermost-config:
+          values:
+            - path: "objectStorage.endpoint"
+              value: "minio.dev-minio.svc.cluster.local:9000"
 ```
 
-To use IRSA make sure to set the two keys to empty strings and add the appropriate annotations to the service account via `serviceAccount.annotations` (override in a UDS Bundle).
+The full list of override config can be found in the values under `objectStorage` [here](./chart/values.yaml). In addition zarf vars are exposed for `ACCESS_KEY` and `SECRET_KEY` for convenience if using import/exports in your bundle.
 
-TODO: Figure out if this setup works and a better way to handle the keys...
+To use IRSA make sure to not set the two keys and add the appropriate annotation to the service account via an override to `serviceAccount.annotations`.

bundle/uds-bundle.yaml

@@ -18,9 +18,34 @@ packages:
   - name: dev-secrets
     path: ../
     ref: 0.1.0
-
+    exports:
+    - name: ACCESS_KEY
+    - name: SECRET_KEY
+    - name: DB_PASSWORD
+
   - name: mattermost
     path: ../
     # x-release-please-start-version
     ref: 9.3.0-uds.2
     # x-release-please-end
+    imports:
+      - name: ACCESS_KEY
+        package: dev-secrets
+      - name: SECRET_KEY
+        package: dev-secrets
+      - name: DB_PASSWORD
+        package: dev-secrets
+    overrides:
+      mattermost:
+        uds-mattermost-config:
+          values:
+            - path: "objectStorage.secure"
+              value: "false"
+            - path: "objectStorage.endpoint"
+              value: "minio.dev-minio.svc.cluster.local:9000"
+            - path: "objectStorage.bucket"
+              value: "uds-mattermost-dev"
+            - path: "postgres.host"
+              value: "postgresql.dev-postgres.svc.cluster.local"
+            - path: "postgres.connectionOptions"
+              value: "?connect_timeout=10&sslmode=disable"

bundle/uds-config.yaml

@@ -4,4 +4,4 @@ variables:
       - name: uds-mattermost-dev
   dev-postgres:
     db_username: "mattermost"
-    db_name: "mattermostdb"
+    db_name: "mattermost"

chart/templates/mattermost-object-store.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-object-store
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}"
+  MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}"
+  MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "{{ .Values.objectStorage.secretKey }}"
+  MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}"
+  MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}"
+  MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}"

chart/templates/mattermost-postgres.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-postgres
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  db_connection_string: "postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}"

chart/templates/mattermost-sso.yaml

@@ -3,15 +3,14 @@ kind: Secret
 metadata:
   name: mattermost-sso
   namespace: {{ .Release.Namespace }}
-  labels:
 type: Opaque
 stringData:
-  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled }}"
+  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
   MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}"
   MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}"
   MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}"
   MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}"
   MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}"
-  MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email }}"
-  MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email }}"
-  MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username }}"
+  MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}"
+  MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}"
+  MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}"

chart/values.yaml

@@ -1,10 +1,28 @@
+objectStorage:
+  secure: true
+  accessKey: ""
+  secretKey: ""
+  bucket: "mattermost"
+  endpoint: "s3.amazonaws.com"
+  region: "us-west-1"
+
+postgres:
+  username: "mattermost"
+  password: ""
+  host: ""
+  port: 5432
+  dbName: "mattermost"
+  # Example: "?connect_timeout=10&sslmode=disable"
+  connectionOptions: ""
+
 sso:
   enabled: false
   client_id: ""
   client_secret: ""
   auth_endpoint: ""
   token_endpoint: ""
   user_api_endpoint: ""
-  enable_sign_up_with_email: ""
-  enable_sign_in_with_email: ""
-  enable_sign_in_with_username: ""
+  # These should typically be disabled if SSO is enabled
+  enable_sign_up_with_email: true
+  enable_sign_in_with_email: true
+  enable_sign_in_with_username: true

src/dev-secrets/zarf.yaml

@@ -11,22 +11,16 @@ components:
     actions:
       onDeploy:
         before:
-          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
+          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
             mute: true
             setVariables:
-              - name: SECRET_KEY
+              - name: ACCESS_KEY
                 sensitive: true
-          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
+          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
             mute: true
             setVariables:
-              - name: ACCESS_KEY
+              - name: SECRET_KEY
                 sensitive: true
-  - name: mattermost-minio
-    required: true
-    manifests:
-      - name: mattermost-minio
-        files:
-          - "minio-secret.yaml"
   - name: postgres-password
     required: true
     actions:
@@ -35,12 +29,5 @@ components:
           - cmd: kubectl get secret -n dev-postgres postgresql --template={{.data.password}} | base64 -d
             mute: true
             setVariables:
-              - name: POSTGRES_DB_PASSWORD
+              - name: DB_PASSWORD
                 sensitive: true
-  - name: mattermost-postgres
-    required: true
-    manifests:
-      - name: mattermost-postgres
-        namespace: mattermost
-        files:
-          - postgres-secret.yaml

tasks.yaml

@@ -34,6 +34,7 @@ tasks:
 
   - name: test-package
     actions:
+      - task: test:health-check
       - task: test:ingress
 
   - name: cleanup

tasks/create.yaml

@@ -18,4 +18,4 @@ tasks:
   - name: dependency-package
     description: Create the Minio, PostgreSQL, and Redis Dependency Zarf Packages
     actions:
-      - cmd: zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH} --skip-sbom
+      - cmd: zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH}

tasks/test.yaml

@@ -1,4 +1,13 @@
 tasks:
+  - name: health-check
+    actions:
+      - description: Mattermost Health Check
+        wait:
+          cluster:
+            kind: Deployment
+            name: mattermost-enterprise-edition
+            namespace: mattermost
+
   - name: ingress
     actions:
       - description: Mattermost UI Health Check

values/config-values.yaml

@@ -1,10 +1,6 @@
-sso:
-  enabled: ###ZARF_VAR_MATTERMOST_SSO_ENABLED###
-  client_id: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_ID###
-  client_secret: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_SECRET###
-  auth_endpoint: ###ZARF_VAR_MATTERMOST_SSO_AUTH_ENDPOINT###
-  token_endpoint: ###ZARF_VAR_MATTERMOST_SSO_TOKEN_ENDPOINT###
-  user_api_endpoint: ###ZARF_VAR_MATTERMOST_SSO_USER_API_ENDPOINT###
-  enable_sign_up_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED###
-  enable_sign_in_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED###
-  enable_sign_in_with_username: ###ZARF_VAR_MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED###
+objectStorage:
+  accessKey: "###ZARF_VAR_ACCESS_KEY###"
+  secretKey: "###ZARF_VAR_SECRET_KEY###"
+
+postgres:
+  password: "###ZARF_VAR_DB_PASSWORD###"

values/values.yaml

@@ -59,32 +59,32 @@ mattermostApp:
     - name: MM_FILESETTINGS_AMAZONS3SSL
       valueFrom:
         secretKeyRef:
-          key: secure_connection
+          key: MM_FILESETTINGS_AMAZONS3SSL
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3ACCESSKEYID
       valueFrom:
         secretKeyRef:
-          key: access_key
+          key: MM_FILESETTINGS_AMAZONS3ACCESSKEYID
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY
       valueFrom:
         secretKeyRef:
-          key: secret_key
+          key: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3BUCKET
       valueFrom:
         secretKeyRef:
-          key: bucket
+          key: MM_FILESETTINGS_AMAZONS3BUCKET
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3ENDPOINT
       valueFrom:
         secretKeyRef:
-          key: endpoint
+          key: MM_FILESETTINGS_AMAZONS3ENDPOINT
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3REGION
       valueFrom:
         secretKeyRef:
-          key: region
+          key: MM_FILESETTINGS_AMAZONS3REGION
           name: "mattermost-object-store"
   securityContext:
     runAsUser: 2000
@@ -93,11 +93,12 @@ mattermostApp:
 serviceAccount:
   create: true
   name: mattermost
-  annotations: {} # Add IRSA annotation here if necessary in environment
+  annotations: {}
 
 global:
   siteUrl: "https://mattermost.###ZARF_VAR_DOMAIN###"
-  mattermostLicense: "###ZARF_VAR_MATTERMOST_ENTERPRISE_LICENSE###"
+  # Default unlicensed deployment
+  mattermostLicense: ""
 
   features:
     database:

zarf.yaml

@@ -9,30 +9,14 @@ metadata:
   architecture: amd64
 
 variables:
-  - name: MATTERMOST_ENTERPRISE_LICENSE
-    default: ""
-    autoIndent: true
-  - name: MATTERMOST_SSO_ENABLED
-    default: "false"
-  - name: MATTERMOST_SSO_CLIENT_ID
-    default: ""
-  - name: MATTERMOST_SSO_CLIENT_SECRET
-    default: ""
-  - name: MATTERMOST_SSO_AUTH_ENDPOINT
-    default: ""
-  - name: MATTERMOST_SSO_TOKEN_ENDPOINT
-    default: ""
-  - name: MATTERMOST_SSO_USER_API_ENDPOINT
-    default: ""
-  # Enabled by default to support non-SSO auth
-  - name: MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED
-    default: "true"
-  - name: MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED
-    default: "true"
-  - name: MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED
-    default: "true"
   - name: DOMAIN
     default: "uds.dev"
+  - name: ACCESS_KEY
+    description: "Access Key for S3 compatible storage"
+  - name: SECRET_KEY
+    description: "Secret Key for S3 compatible storage"
+  - name: DB_PASSWORD
+    description: "Database Password for Mattermost"
 
 components:
   - name: mattermost