Merge pull request #6 from defenseunicorns/burn-some-boats

feat: switch to upstream chart directly

.github/workflows/tag-and-release.yaml

@@ -23,7 +23,10 @@ jobs:
     needs: tag-new-version
     if: ${{ needs.tag-new-version.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
-    name: Publish package
+    name: Publish ${{ matrix.flavor }}
+    strategy:
+      matrix:
+        flavor: [upstream, registry1]
 
     permissions:
       contents: read
@@ -46,4 +49,4 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish Package
-        run: uds run -f tasks/publish.yaml package
+        run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }}

.github/workflows/test.yaml

@@ -1,25 +1,33 @@
-name: Test package
+name: Test
 
+# This workflow is triggered on pull requests to the main branch.
 on:
-  # Manual trigger
-  workflow_dispatch:
-
-  # Triggered by pull-request-conditionals.yaml
-  workflow_call:
+  pull_request:
+    paths:
+      - ".github/**"
+      - "bundle/**"
+      - "values/**"
+      - "tasks/**"
+      - "tests/**"
+      - "tasks.yaml"
+      - "zarf.yaml"
 
 # Abort prior jobs in the same workflow / PR
 concurrency:
-  group: test-${{ github.ref }}-${{ inputs.package }}
+  group: test-${{ github.ref }}
   cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
   test:
-    runs-on: "uds-ubuntu-big-boy-16-core"
+    runs-on: "ubuntu-latest"
     timeout-minutes: 20
-    name: Test
+    name: Deploy ${{ matrix.flavor }}
+    strategy:
+      matrix:
+        flavor: [upstream, registry1]
 
     steps:
       - name: Checkout repository
@@ -32,7 +40,7 @@ jobs:
         run: zarf tools registry login -u "${{secrets.IRON_BANK_ROBOT_USERNAME}}" -p "${{secrets.IRON_BANK_ROBOT_PASSWORD}}" registry1.dso.mil
 
       - name: Create test bundle
-        run: uds run create-test-bundle
+        run: uds run create-test-bundle --set FLAVOR=${{ matrix.flavor }}
 
       - name: Setup cluster
         run: uds run setup-cluster
@@ -43,10 +51,6 @@ jobs:
       - name: Test package
         run: uds run test-package
 
-      - name: Cleanup
-        if: always()
-        run: uds run cleanup
-
       - name: Save logs
         if: always()
         uses: ./.github/actions/save-logs

README.md

@@ -1,3 +1,45 @@
-# uds-package-mattermost
+# UDS Mattermost Package
 
-UDS Mattermost Zarf Package
+This repo contains the UDS Mattermost Package along with an example bundle and UDS tasks for development.
+
+## Dependencies
+
+Mattermost requires two dependencies, postgres and s3 compatible object storage. Wiring Mattermost to your dependencies is done primarily via helm values, which will require the use of a bundle created with uds-cli.
+
+### Postgres
+
+Postgres configuration is setup in the `uds-mattermost-config` chart and should be done via bundle overrides (variables or values) like the below:
+```yaml
+    overrides:
+      mattermost:
+        uds-mattermost-config:
+          values:
+            - path: "postgres.host"
+              value: "postgresql.dev-postgres.svc.cluster.local"
+```
+
+The full list of override config can be found in the values under `postgres` [here](./chart/values.yaml). In addition a zarf var is exposed for `DB_PASSWORD` for convenience if using import/exports in your bundle.
+
+### S3 Compatible Object Storage
+
+Object storage configuration is setup in the `uds-mattermost-config` chart and should be done via bundle overrides (variables or values) like the below:
+```yaml
+    overrides:
+      mattermost:
+        uds-mattermost-config:
+          values:
+            - path: "objectStorage.endpoint"
+              value: "minio.dev-minio.svc.cluster.local:9000"
+```
+
+The full list of override config can be found in the values under `objectStorage` [here](./chart/values.yaml). In addition zarf vars are exposed for `ACCESS_KEY` and `SECRET_KEY` for convenience if using import/exports in your bundle.
+
+To use IRSA make sure to NOT set the two key variables and add the appropriate role ARN annotation to the service account via an override to `serviceAccount.annotations`. As an example:
+```yaml
+    overrides:
+      mattermost:
+        mattermost-enterprise-edition:
+          values:
+            - path: "serviceAccount.annotations.irsa/role-arn"
+              value: "arn:aws:iam::123456789:role/mattermost-role"
+```

bundle/uds-bundle.yaml

@@ -9,18 +9,43 @@ metadata:
 packages:
   - name: dev-minio
     repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
-    ref: 5.0.13-0
+    ref: 0.0.1
 
   - name: dev-postgres
     repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres
-    ref: 12.6.6-0
+    ref: 0.0.1
 
   - name: dev-secrets
     path: ../
     ref: 0.1.0
-
+    exports:
+    - name: ACCESS_KEY
+    - name: SECRET_KEY
+    - name: DB_PASSWORD
+
   - name: mattermost
     path: ../
     # x-release-please-start-version
     ref: 9.3.0-uds.2
     # x-release-please-end
+    imports:
+      - name: ACCESS_KEY
+        package: dev-secrets
+      - name: SECRET_KEY
+        package: dev-secrets
+      - name: DB_PASSWORD
+        package: dev-secrets
+    overrides:
+      mattermost:
+        uds-mattermost-config:
+          values:
+            - path: "objectStorage.secure"
+              value: "false"
+            - path: "objectStorage.endpoint"
+              value: "minio.dev-minio.svc.cluster.local:9000"
+            - path: "objectStorage.bucket"
+              value: "uds-mattermost-dev"
+            - path: "postgres.host"
+              value: "postgresql.dev-postgres.svc.cluster.local"
+            - path: "postgres.connectionOptions"
+              value: "?connect_timeout=10&sslmode=disable"

bundle/uds-config.yaml

@@ -4,7 +4,4 @@ variables:
       - name: uds-mattermost-dev
   dev-postgres:
     db_username: "mattermost"
-    db_name: "mattermostdb"
-  mattermost:
-    mattermost_file_store_endpoint: minio.dev-minio.svc.cluster.local
-    mattermost_bucket_suffix: "-dev"
+    db_name: "mattermost"

chart/templates/mattermost-gossip-svc.yaml

@@ -0,0 +1,18 @@
+{{- /* Mattermost uses a gossip protocol for HA clustering. In order for Istio to properly route this traffic it needs to be explicitly defined in a service with a `tcp-` prefix. */ -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: mattermost-gossip
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mattermost-enterprise-edition
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app.kubernetes.io/name: mattermost-enterprise-edition
+  ports:
+  - name: tcp-gossip
+    port: 8074
+    protocol: TCP
+    targetPort: 8074

chart/templates/mattermost-object-store.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-object-store
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}"
+  MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}"
+  MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "{{ .Values.objectStorage.secretKey }}"
+  MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}"
+  MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}"
+  MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}"

chart/templates/mattermost-postgres.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-postgres
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  db_connection_string: "postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}"

chart/templates/mattermost-sso.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-sso
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
+  MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}"
+  MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}"
+  MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}"
+  MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}"
+  MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}"
+  MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}"
+  MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}"
+  MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}"

chart/templates/uds-package.yaml

@@ -6,15 +6,22 @@ metadata:
 spec:
   network:
     expose:
-      - service: mattermost
+      - service: mattermost-enterprise-edition
         podLabels:
-          app: mattermost
+          app.kubernetes.io/name: mattermost-enterprise-edition
         gateway: tenant
-        host: mattermost
+        host: {{ .Values.host }}
         port: 8065
     allow:
+      # Permit intra-namespace communication for job communications
+      - direction: Ingress
+        remoteGenerated: IntraNamespace
+
+      - direction: Egress
+        remoteGenerated: IntraNamespace
+
       # Todo: wide open for hitting in-cluster or external postgres/s3
       - direction: Egress
         podLabels:
-          app: mattermost
+          app.kubernetes.io/name: mattermost-enterprise-edition
         remoteGenerated: Anywhere

chart/values.yaml

@@ -0,0 +1,31 @@
+objectStorage:
+  secure: true
+  accessKey: ""
+  secretKey: ""
+  bucket: "mattermost"
+  endpoint: "s3.amazonaws.com"
+  region: "us-west-1"
+
+postgres:
+  username: "mattermost"
+  password: ""
+  host: ""
+  port: 5432
+  dbName: "mattermost"
+  # Example: "?connect_timeout=10&sslmode=disable"
+  connectionOptions: ""
+
+sso:
+  enabled: false
+  client_id: ""
+  client_secret: ""
+  auth_endpoint: ""
+  token_endpoint: ""
+  user_api_endpoint: ""
+  # These should typically be disabled if SSO is enabled
+  enable_sign_up_with_email: true
+  enable_sign_in_with_email: true
+  enable_sign_in_with_username: true
+
+# The subdomain for the mattermost server, will be prefixed to your domain (ex: mattermost.example.com)
+host: "mattermost"

src/dev-secrets/zarf.yaml

@@ -11,22 +11,16 @@ components:
     actions:
       onDeploy:
         before:
-          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
+          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
             mute: true
             setVariables:
-              - name: SECRET_KEY
+              - name: ACCESS_KEY
                 sensitive: true
-          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
+          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
             mute: true
             setVariables:
-              - name: ACCESS_KEY
+              - name: SECRET_KEY
                 sensitive: true
-  - name: mattermost-minio
-    required: true
-    manifests:
-      - name: mattermost-minio
-        files:
-          - "minio-secret.yaml"
   - name: postgres-password
     required: true
     actions:
@@ -35,12 +29,5 @@ components:
           - cmd: kubectl get secret -n dev-postgres postgresql --template={{.data.password}} | base64 -d
             mute: true
             setVariables:
-              - name: POSTGRES_DB_PASSWORD
+              - name: DB_PASSWORD
                 sensitive: true
-  - name: mattermost-postgres
-    required: true
-    manifests:
-      - name: mattermost-postgres
-        namespace: mattermost
-        files:
-          - postgres-secret.yaml