From 242616d99088afdca52eb476018a0b6d6ed18184 Mon Sep 17 00:00:00 2001
From: zamaz <71521611+zachariahmiller@users.noreply.github.com>
Date: Wed, 4 Dec 2024 13:54:47 -0500
Subject: [PATCH] feat: switch to minio operator, add lookup to object store secret (#175)
## Description
- switch to minio operator|
- add lookup to object store secret
## Related Issue
Fixes #
Relates to #
## Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-mattermost/blob/main/CONTRIBUTING.md#developer-workflow) followed
---------
Co-authored-by: Wayne Starr
Release-As: v10.2.0-uds.1
---
.gitignore | 2 +
bundle/uds-bundle.yaml | 41 ++++++++++----------
bundle/uds-config.yaml | 5 ---
chart/templates/mattermost-object-store.yaml | 20 +++++++++-
chart/values.yaml | 8 +++-
common/zarf.yaml | 3 ++
src/dev-secrets/zarf.yaml | 25 ------------
src/namespace/ns.yaml | 7 ----
src/namespace/zarf.yaml | 16 --------
tasks.yaml | 5 ++-
tasks/dependencies.yaml | 2 -
11 files changed, 54 insertions(+), 80 deletions(-)
delete mode 100644 src/dev-secrets/zarf.yaml
delete mode 100644 src/namespace/ns.yaml
delete mode 100644 src/namespace/zarf.yaml
diff --git a/.gitignore b/.gitignore
index edb16e7e..d9709669 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,9 @@ build/ .DS_Store *.tar.zst zarf-sbom +oscal-assessment-results.yaml # Tests node_modules/ .playwright/ +bundle/uds-config-previous.yaml
diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
index 8dd7eb94..6da3a805 100644
--- a/bundle/uds-bundle.yaml
+++ b/bundle/uds-bundle.yaml
@@ -10,13 +10,26 @@ metadata:
 # x-release-please-end
 packages:
- - name: dev-namespace
- path: ../
- ref: 0.1.0
-
- - name: dev-minio
- repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
- ref: 0.0.2
+ - name: minio-operator
+ repository: ghcr.io/defenseunicorns/packages/uds/minio-operator
+ ref: 6.0.4-uds.2-upstream
+ overrides:
+ minio-operator:
+ uds-minio-config:
+ values:
+ # Test helm overrides to provision app specific buckets, policies and creds
+ - path: apps
+ value:
+ - name: mattermost
+ namespace: mattermost
+ bucketNames:
+ - uds-mattermost-dev
+ policy: ""
+ copyPassword:
+ enabled: true
+ secretName: "mattermost-minio"
+ secretIDKey: "access_key"
+ secretPasswordKey: "secret_key"
 - name: postgres-operator
 repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
@@ -40,13 +53,6 @@ packages:
 ingress:
 - remoteNamespace: mattermost
- - name: dev-secrets
- path: ../
- ref: 0.1.0
- exports:
- - name: ACCESS_KEY
- - name: SECRET_KEY
-
 - name: mattermost-plugins
 path: ../
 # x-release-please-start-version
@@ -58,11 +64,6 @@ packages:
 # x-release-please-start-version
 ref: 10.2.0-uds.0
 # x-release-please-end
- imports:
- - name: ACCESS_KEY
- package: dev-secrets
- - name: SECRET_KEY
- package: dev-secrets
 overrides:
 mattermost:
 uds-mattermost-config:
@@ -70,7 +71,7 @@ packages:
 - path: "objectStorage.secure"
 value: "false"
 - path: "objectStorage.endpoint"
- value: "minio.dev-minio.svc.cluster.local:9000"
+ value: "uds-minio-hl.minio.svc.cluster.local:9000"
 - path: "objectStorage.bucket"
 value: "uds-mattermost-dev"
 mattermost-enterprise-edition:
diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml
index cfffbb67..2067cc53 100644
--- a/bundle/uds-config.yaml
+++ b/bundle/uds-config.yaml
@@ -1,7 +1,2 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-variables:
- dev-minio:
- buckets: |
- - name: uds-mattermost-dev
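Review bot: The Secret coordinates in the `copyPassword` block of the first hunk (`mattermost-minio`, `access_key`, `secret_key`, namespace `mattermost`) are repeated as the `objectStorage.secretRef` defaults that this same commit adds to chart/values.yaml, and the chart's render-time lookup only succeeds while the two stay in step, yet nothing here records that coupling; a comment on the block such as `# Must match objectStorage.secretRef in chart/values.yaml (the chart looks this Secret up at render time)` would. `policy: ""` carries no explanation either; if an empty string means "use the operator's default policy" rather than "attach no policy", say so, since the hunk does not make that clear. The endpoint change in the last hunk keeps `objectStorage.secure` at `"false"`, so the copied credentials travel to `uds-minio-hl` in clear text inside the cluster; that is presumably acceptable for this dev bundle, but a one-line comment stating it is deliberate would save a later reader the question.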
diff --git a/chart/templates/mattermost-object-store.yaml b/chart/templates/mattermost-object-store.yaml
index f5cf0b9c..a5417a4f 100644
--- a/chart/templates/mattermost-object-store.yaml
+++ b/chart/templates/mattermost-object-store.yaml
@@ -8,10 +8,26 @@ metadata:
 namespace: {{ .Release.Namespace }}
 type: Opaque
 stringData:
+
+ {{- $awsAccessKey := "" }}
+ {{- $awsSecretKey := "" }}
+
+ {{- $secret := lookup "v1" "Secret" .Values.objectStorage.secretRef.secretNamespace .Values.objectStorage.secretRef.secretName }}
+ {{- if and $secret (index $secret.data .Values.objectStorage.secretRef.secretIDKey) }}
+ {{- $awsAccessKey = (index $secret.data .Values.objectStorage.secretRef.secretIDKey | b64dec) }}
+ {{- else }}
+ {{- $awsAccessKey = .Values.objectStorage.accessKey | quote }}
+ {{- end }}
+
+ {{- if and $secret (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey) }}
+ {{- $awsSecretKey = (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey | b64dec) }}
+ {{- else }}
+ {{- $awsSecretKey = .Values.objectStorage.secretKey | quote }}
+ {{- end }}
 MM_FILESETTINGS_DRIVERNAME: amazons3
 MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}"
- MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}"
- MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "{{ .Values.objectStorage.secretKey }}"
+ MM_FILESETTINGS_AMAZONS3ACCESSKEYID: {{ $awsAccessKey }}
+ MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: {{ $awsSecretKey }}
 MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}"
 MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}"
 MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}"
diff --git a/chart/values.yaml b/chart/values.yaml
index c5b8032b..2d3c5f51 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
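Review bot: The `secretRef.enabled` flag that chart/values.yaml gains in this same commit is never read here, so the `lookup` on the `$secret :=` line runs unconditionally and a chart user has no way to opt back into plain `accessKey`/`secretKey` values. The two `b64dec` branches also assign the decoded value unquoted while the fallback branches apply `| quote`, so a key that the YAML parser would read as a number, or one that begins with an indicator character, reaches `MM_FILESETTINGS_AMAZONS3ACCESSKEYID` bare; quoting once at the point of use removes the asymmetry. `lookup` yields an empty map when there is no cluster to query (plain `helm template` or a client-side dry run), and because each key falls back independently, both then silently become the values defaults, which are `""`, so the rendered Secret carries empty credentials without any signal; the rewrite below gates on `enabled`, takes the Secret's pair of keys only when both are present, and quotes at output. Reading a Secret from `secretRef.secretNamespace` rather than `.Release.Namespace` also requires the deploying identity to have get access to Secrets in that namespace, which this hunk cannot confirm. The Secret's `apiVersion`/`kind`/`name` header starts above the hunk.
```yaml
stringData:
  {{- /* Start from the plain values; when enabled and the referenced Secret holds both keys, they override as a pair. */}}
  {{- $awsAccessKey := .Values.objectStorage.accessKey }}
  {{- $awsSecretKey := .Values.objectStorage.secretKey }}
  {{- if .Values.objectStorage.secretRef.enabled }}
  {{- $ref := .Values.objectStorage.secretRef }}
  {{- $secret := lookup "v1" "Secret" $ref.secretNamespace $ref.secretName }}
  {{- if and $secret $secret.data (index $secret.data $ref.secretIDKey) (index $secret.data $ref.secretPasswordKey) }}
  {{- $awsAccessKey = index $secret.data $ref.secretIDKey | b64dec }}
  {{- $awsSecretKey = index $secret.data $ref.secretPasswordKey | b64dec }}
  {{- end }}
  {{- end }}
  # … unchanged: MM_FILESETTINGS_DRIVERNAME and MM_FILESETTINGS_AMAZONS3SSL …
  MM_FILESETTINGS_AMAZONS3ACCESSKEYID: {{ $awsAccessKey | quote }}
  MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: {{ $awsSecretKey | quote }}
```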
@@ -9,6 +9,12 @@ objectStorage:
 secretKey: ""
 bucket: "mattermost"
 endpoint: "s3.amazonaws.com"
+ secretRef:
+ enabled: true # Set to true to use secret reference
+ secretNamespace: "mattermost"
+ secretName: "mattermost-minio"
+ secretIDKey: "access_key"
+ secretPasswordKey: "secret_key"
 region: "us-west-1"
 postgres:
@@ -64,7 +70,7 @@ storage:
 internal: true
 selector:
 app: minio
- namespace: dev-minio
+ namespace: minio
 port: 9000
 # custom:
diff --git a/common/zarf.yaml b/common/zarf.yaml
index 5b34323e..c6bbf3c6 100644
--- a/common/zarf.yaml
+++ b/common/zarf.yaml
@@ -35,6 +35,9 @@ components:
 name: mattermost
 namespace: mattermost
 condition: "'{.status.phase}'=Ready"
+ - cmd: ./zarf tools kubectl -n mattermost rollout restart deployment
+ description: Restart Mattermost Deployment so pods cycle on upgrades
+ - cmd: ./zarf tools kubectl -n mattermost rollout status deploy
 - description: Mattermost to be Healthy
 wait:
 cluster:
diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml
deleted file mode 100644
index 2c3f19d7..00000000
--- a/src/dev-secrets/zarf.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 2024 Defense Unicorns
-# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
-kind: ZarfPackageConfig
-metadata:
- name: dev-secrets
- version: "0.1.0"
-
-components:
- - name: minio-password
- required: true
- actions:
- onDeploy:
- before:
- - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
- mute: true
- setVariables:
- - name: ACCESS_KEY
- sensitive: true
- - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
- mute: true
- setVariables:
- - name: SECRET_KEY
- sensitive: true
diff --git a/src/namespace/ns.yaml b/src/namespace/ns.yaml
deleted file mode 100644
index 3c7c50d9..00000000
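Review bot: The `storage` selector in the second hunk still matches `app: minio` after the namespace moves from `dev-minio` to `minio`; if this selector drives a network policy or similar allow rule, confirm that the operator-managed MinIO pods actually carry that label, because the pods of the replaced `dev-minio` package and those of the MinIO operator are not guaranteed to be labelled the same way, and the hunk gives no way to verify it. In the first hunk the inline comment `enabled: true # Set to true to use secret reference` only restates the value; a comment that says what the flag switches between is more useful, e.g. `enabled: true  # read credentials from the referenced Secret instead of accessKey/secretKey`. Both hunks sit inside mappings (`objectStorage:`, `storage:`) whose start lies above the hunk.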
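Review bot: The added `rollout status deploy` command carries no `--timeout`, so a rollout that never converges leaves this action waiting until whatever outer limit Zarf applies to actions, if any, intervenes; `- cmd: ./zarf tools kubectl -n mattermost rollout status deploy --timeout=5m` (the duration is an example value) fails fast with a clear error instead. `rollout restart deployment` with no resource name restarts every Deployment in the `mattermost` namespace on every deploy, including re-deploys that changed nothing; if only the Mattermost Deployment needs the cycle so it picks up the re-rendered object-store Secret, naming it narrows the blast radius. The second added command also has no `description`, unlike its neighbours. The enclosing `onDeploy` action list begins above the hunk.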
--- a/src/namespace/ns.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-# Copyright 2024 Defense Unicorns
-# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-kind: Namespace
-apiVersion: v1
-metadata:
- name: mattermost
diff --git a/src/namespace/zarf.yaml b/src/namespace/zarf.yaml
deleted file mode 100644
index f6211f88..00000000
--- a/src/namespace/zarf.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright 2024 Defense Unicorns
-# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-kind: ZarfPackageConfig
-metadata:
- name: dev-namespace
- description: "create namespaces for cross-ns secret functionality of pg operator"
- version: 0.1.0
-
-components:
- - name: deploy-namespace-for-cross-ns-secret
- required: true
- manifests:
- - name: dev-namespace
- files:
- - ns.yaml
diff --git a/tasks.yaml b/tasks.yaml
index 02b1b67e..56c3342a 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -65,10 +65,11 @@ tasks:
 actions:
 - task: upgrade:create-latest-tag-bundle
 with:
- # TODO: (@ZMILLER) remove zarf package create on next release
- dep_commands: "./uds run dependencies:create && ./uds zarf package create plugins/ --confirm --no-progress"
+ dep_commands: "./uds run dependencies:create && cp bundle/uds-config.yaml ../bundle/uds-config-previous.yaml"
 - task: setup:k3d-test-cluster
 - task: deploy:test-bundle
+ with:
+ config: bundle/uds-config-previous.yaml
 - task: compliance:validate
 - task: create-dev-package
 - task: create-deploy-test-bundle
diff --git a/tasks/dependencies.yaml b/tasks/dependencies.yaml
index dca1d132..d00317c6 100644
--- a/tasks/dependencies.yaml
+++ b/tasks/dependencies.yaml
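Review bot: The new `dep_commands` copies to `../bundle/uds-config-previous.yaml`, one directory above the working directory, while the `config: bundle/uds-config-previous.yaml` added two lines below and the `.gitignore` entry in this commit are both relative to the repository root. That only lines up if `dep_commands` executes from a checkout nested one level below the root, presumably the previous-tag checkout that `upgrade:create-latest-tag-bundle` prepares; that task is defined outside this file, so the hunk does not let me confirm it. A comment above the line would stop the next reader from "correcting" the path, e.g. `# dep_commands runs inside the previous-tag checkout; copy its uds-config up to the repo root for deploy:test-bundle`. The surrounding task definition starts above the hunk.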
@@ -5,6 +5,4 @@ tasks:
 - name: create
 description: Create the Dependency Zarf Package
 actions:
- - cmd: ./uds zarf package create src/dev-secrets/ --confirm --no-progress --architecture="${UDS_ARCH}"
- - cmd: ./uds zarf package create src/namespace/ --confirm --no-progress --architecture="${UDS_ARCH}"
 - cmd: ./uds zarf package create plugins/ --confirm --no-progress