wip: burning boats

bundle/uds-bundle.yaml

@@ -9,11 +9,11 @@ metadata:
 packages:
   - name: dev-minio
     repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
-    ref: 5.0.13-0
+    ref: 0.0.1
 
   - name: dev-postgres
     repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres
-    ref: 12.6.6-0
+    ref: 0.0.1
 
   - name: dev-secrets
     path: ../

bundle/uds-config.yaml

@@ -5,6 +5,3 @@ variables:
   dev-postgres:
     db_username: "mattermost"
     db_name: "mattermostdb"
-  mattermost:
-    mattermost_file_store_endpoint: minio.dev-minio.svc.cluster.local
-    mattermost_bucket_suffix: "-dev"

chart/templates/mattermost-gossip-svc.yaml

@@ -0,0 +1,18 @@
+{{- /* Mattermost uses a gossip protocol for HA clustering. In order for Istio to properly route this traffic it needs to be explicitly defined in a service with a `tcp-` prefix. */ -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: mattermost-gossip
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mattermost-enterprise-edition
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app.kubernetes.io/name: mattermost-enterprise-edition
+  ports:
+  - name: tcp-gossip
+    port: 8074
+    protocol: TCP
+    targetPort: 8074

chart/templates/mattermost-sso.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-sso
+  namespace: {{ .Release.Namespace }}
+  labels:
+type: Opaque
+stringData:
+  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled }}"
+  MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}"
+  MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}"
+  MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}"
+  MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}"
+  MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}"
+  MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email }}"
+  MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email }}"
+  MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username }}"

chart/templates/uds-package.yaml

@@ -6,15 +6,22 @@ metadata:
 spec:
   network:
     expose:
-      - service: mattermost
+      - service: mattermost-enterprise-edition
         podLabels:
-          app: mattermost
+          app.kubernetes.io/name: mattermost-enterprise-edition
         gateway: tenant
         host: mattermost
         port: 8065
     allow:
+      # Permit intra-namespace communication for job communications
+      - direction: Ingress
+        remoteGenerated: IntraNamespace
+
+      - direction: Egress
+        remoteGenerated: IntraNamespace
+
       # Todo: wide open for hitting in-cluster or external postgres/s3
       - direction: Egress
         podLabels:
-          app: mattermost
+          app.kubernetes.io/name: mattermost-enterprise-edition
         remoteGenerated: Anywhere

chart/values.yaml

@@ -0,0 +1,10 @@
+sso:
+  enabled: false
+  client_id: ""
+  client_secret: ""
+  auth_endpoint: ""
+  token_endpoint: ""
+  user_api_endpoint: ""
+  enable_sign_up_with_email: ""
+  enable_sign_in_with_email: ""
+  enable_sign_in_with_username: ""

src/dev-secrets/minio-secret.yaml

@@ -6,5 +6,8 @@ metadata:
   namespace: mattermost
 type: kubernetes.io/opaque
 stringData:
-  accesskey: ###ZARF_VAR_ACCESS_KEY###
-  secretkey: ###ZARF_VAR_SECRET_KEY###
+  MM_FILESETTINGS_AMAZONS3SSL: "false"
+  MM_FILESETTINGS_AMAZONS3ACCESSKEYID: ###ZARF_VAR_ACCESS_KEY###
+  MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: ###ZARF_VAR_SECRET_KEY###
+  MM_FILESETTINGS_AMAZONS3BUCKET: "uds-mattermost-dev"
+  MM_FILESETTINGS_AMAZONS3ENDPOINT: "minio.dev-minio.svc.cluster.local:9000"

src/dev-secrets/postgres-secret.yaml

@@ -5,5 +5,4 @@ metadata:
   namespace: mattermost
 type: kubernetes.io/opaque
 stringData:
-  DB_CONNECTION_CHECK_URL: "postgres://mattermost:###ZARF_VAR_POSTGRES_DB_PASSWORD###@postgresql.dev-postgres.svc.cluster.local:5432/mattermostdb?connect_timeout=10&sslmode=disable"
   DB_CONNECTION_STRING: "postgres://mattermost:###ZARF_VAR_POSTGRES_DB_PASSWORD###@postgresql.dev-postgres.svc.cluster.local:5432/mattermostdb?connect_timeout=10&sslmode=disable"

tasks.yaml

@@ -6,6 +6,12 @@ includes:
   - test: ./tasks/test.yaml
 
 tasks:
+  - name: default
+    actions:
+      - task: setup-cluster
+      - task: create-test-bundle
+      - task: deploy-test-bundle
+
   - name: setup-cluster
     actions:
       - task: setup:k3d-test-cluster

tasks/create.yaml

@@ -1,3 +1,7 @@
+variables:
+  - name: FLAVOR
+    default: "registry1"
+
 tasks:
   - name: mattermost-test-bundle
     description: Create the UDS bundle with Mattermost and its dependencies
@@ -9,7 +13,7 @@ tasks:
   - name: mattermost-package
     description: Create the UDS Mattermost Zarf Package
     actions:
-      - cmd: zarf package create --confirm --no-progress --architecture=${ZARF_ARCHITECTURE} --flavor registry1
+      - cmd: zarf package create --confirm --no-progress --architecture=${ZARF_ARCHITECTURE} --flavor ${FLAVOR}
 
   - name: dependency-package
     description: Create the Minio, PostgreSQL, and Redis Dependency Zarf Packages

tasks/setup.yaml

@@ -2,4 +2,4 @@ tasks:
   - name: k3d-test-cluster
     actions:
       - description: Create k3d cluster with UDS Core
-        cmd: uds deploy oci://defenseunicorns/uds/bundles/k3d-core-istio:0.7.0-${UDS_ARCH} --confirm --no-progress
+        cmd: uds deploy oci://defenseunicorns/uds/bundles/k3d-core-istio-dev:0.10.0-${UDS_ARCH} --confirm --no-progress

values/config-values.yaml

@@ -0,0 +1,10 @@
+sso:
+  enabled: ###ZARF_VAR_MATTERMOST_SSO_ENABLED###
+  client_id: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_ID###
+  client_secret: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_SECRET###
+  auth_endpoint: ###ZARF_VAR_MATTERMOST_SSO_AUTH_ENDPOINT###
+  token_endpoint: ###ZARF_VAR_MATTERMOST_SSO_TOKEN_ENDPOINT###
+  user_api_endpoint: ###ZARF_VAR_MATTERMOST_SSO_USER_API_ENDPOINT###
+  enable_sign_up_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED###
+  enable_sign_in_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED###
+  enable_sign_in_with_username: ###ZARF_VAR_MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED###

values/registry1-values.yaml

@@ -0,0 +1,7 @@
+mattermostApp:
+  image:
+    repository: registry1.dso.mil/ironbank/opensource/mattermost/mattermost
+    tag: 9.4.1
+initContainerImage:
+  repository: registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal
+  tag: 9.3

values/upstream-values.yaml

@@ -0,0 +1,4 @@
+mattermostApp:
+  image:
+    repository: mattermost/mattermost-enterprise-edition
+    tag: 9.4.1

values/values.yaml

@@ -0,0 +1,107 @@
+minio:
+  enabled: false
+mysqlha:
+  enabled: false
+mattermostApp:
+  # Default replicacount due to HA requiring a license
+  replicaCount: 1
+  # Mattermost does not provide helm values to configure all the options so it is done via ENV
+  extraEnv:
+    # SSO Settings
+    - name: MM_GITLABSETTINGS_ENABLE
+      valueFrom:
+        secretKeyRef:
+          key: MM_GITLABSETTINGS_ENABLE
+          name: "mattermost-sso"
+    - name: MM_GITLABSETTINGS_ID
+      valueFrom:
+        secretKeyRef:
+          key: MM_GITLABSETTINGS_ID
+          name: "mattermost-sso"
+    - name: MM_GITLABSETTINGS_SECRET
+      valueFrom:
+        secretKeyRef:
+          key: MM_GITLABSETTINGS_SECRET
+          name: "mattermost-sso"
+    - name: MM_GITLABSETTINGS_AUTHENDPOINT
+      valueFrom:
+        secretKeyRef:
+          key: MM_GITLABSETTINGS_AUTHENDPOINT
+          name: "mattermost-sso"
+    - name: MM_GITLABSETTINGS_TOKENENDPOINT
+      valueFrom:
+        secretKeyRef:
+          key: MM_GITLABSETTINGS_TOKENENDPOINT
+          name: "mattermost-sso"
+    - name: MM_GITLABSETTINGS_USERAPIENDPOINT
+      valueFrom:
+        secretKeyRef:
+          key: MM_GITLABSETTINGS_USERAPIENDPOINT
+          name: "mattermost-sso"
+    - name: MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL
+      valueFrom:
+        secretKeyRef:
+          key: MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL
+          name: "mattermost-sso"
+    - name: MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL
+      valueFrom:
+        secretKeyRef:
+          key: MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL
+          name: "mattermost-sso"
+    - name: MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME
+      valueFrom:
+        secretKeyRef:
+          key: MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME
+          name: "mattermost-sso"
+    # Object Storage Connection
+    - name: MM_FILESETTINGS_DRIVERNAME
+      value: "amazons3"
+    - name: MM_FILESETTINGS_AMAZONS3SSL
+      valueFrom:
+        secretKeyRef:
+          key: MM_FILESETTINGS_AMAZONS3SSL
+          name: "mattermost-object-store"
+    - name: MM_FILESETTINGS_AMAZONS3ACCESSKEYID
+      valueFrom:
+        secretKeyRef:
+          key: MM_FILESETTINGS_AMAZONS3ACCESSKEYID
+          name: "mattermost-object-store"
+    - name: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY
+      valueFrom:
+        secretKeyRef:
+          key: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY
+          name: "mattermost-object-store"
+    - name: MM_FILESETTINGS_AMAZONS3BUCKET
+      valueFrom:
+        secretKeyRef:
+          key: MM_FILESETTINGS_AMAZONS3BUCKET
+          name: "mattermost-object-store"
+    - name: MM_FILESETTINGS_AMAZONS3ENDPOINT
+      valueFrom:
+        secretKeyRef:
+          key: MM_FILESETTINGS_AMAZONS3ENDPOINT
+          name: "mattermost-object-store"
+  securityContext:
+    runAsUser: 2000
+    runAsGroup: 2000
+
+serviceAccount:
+  create: true
+  name: mattermost
+  annotations: {} # Add IRSA annotation here if necessary in environment
+
+global:
+  siteUrl: "https://mattermost.###ZARF_VAR_DOMAIN###"
+  mattermostLicense: "###ZARF_VAR_MATTERMOST_ENTERPRISE_LICENSE###"
+
+  features:
+    database:
+      useInternal: false
+      existingDatabaseSecret:
+        name: mattermost-postgres
+        key: DB_CONNECTION_STRING
+    # The job server is only necessary on multi-node/enterprise clusters
+    # https://docs.mattermost.com/scale/high-availability-cluster.html#job-server
+    # It also will error due to its init container being blocked by Istio mTLS
+    jobserver:
+      enabled: false