From 915eb2ddcfe82f56c34bb2e98043d7a05f3e4810 Mon Sep 17 00:00:00 2001 From: zamaz <71521611+zachariahmiller@users.noreply.github.com> Date: Tue, 7 May 2024 19:29:20 -0400 Subject: [PATCH] feat!: add monitoring and granular netpols (#67) - templates out netpols in UDS package CR to allow for internal/external db and object store as well as "custom" rules. - Adds service monitor and associated netpol via package CR to feed metrics into prometheus - switches dev bundle over to postgres operator Release-As: v9.7.2-uds.1 --- bundle/uds-bundle.yaml | 24 +++++++----- bundle/uds-config.yaml | 17 ++++++-- chart/templates/mattermost-postgres.yaml | 12 +++++- chart/templates/uds-package.yaml | 49 ++++++++++++++++++++++-- chart/values.yaml | 41 ++++++++++++++++++-- src/dev-secrets/zarf.yaml | 11 ------ src/namespace/ns.yaml | 4 ++ src/namespace/zarf.yaml | 13 +++++++ tasks/dependencies.yaml | 1 + 9 files changed, 141 insertions(+), 31 deletions(-) create mode 100644 src/namespace/ns.yaml create mode 100644 src/namespace/zarf.yaml diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 5317c26f..56c99314 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -7,13 +7,24 @@ metadata: # x-release-please-end packages: + - name: dev-namespace + path: ../ + ref: 0.1.0 + - name: dev-minio repository: ghcr.io/defenseunicorns/packages/uds/dev-minio ref: 0.0.2 - - name: dev-postgres - repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres - ref: 0.0.2 + - name: postgres-operator + repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator + ref: 1.11.0-uds.0-upstream + overrides: + postgres-operator: + uds-postgres-config: + variables: + - name: POSTGRESQL + description: "Configure postgres using CRs via the uds-postgres-config chart" + path: postgresql - name: dev-secrets path: ../ @@ -21,7 +32,6 @@ packages: exports: - name: ACCESS_KEY - name: SECRET_KEY - - name: DB_PASSWORD - name: mattermost path: ../ 
@@ -33,8 +43,6 @@ packages: package: dev-secrets - name: SECRET_KEY package: dev-secrets - - name: DB_PASSWORD - package: dev-secrets overrides: mattermost: uds-mattermost-config: @@ -45,7 +53,3 @@ packages: value: "minio.dev-minio.svc.cluster.local:9000" - path: "objectStorage.bucket" value: "uds-mattermost-dev" - - path: "postgres.host" - value: "postgresql.dev-postgres.svc.cluster.local" - - path: "postgres.connectionOptions" - value: "?connect_timeout=10&sslmode=disable" diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index da837a94..81575607 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -2,6 +2,17 @@ variables: dev-minio: buckets: | - name: uds-mattermost-dev - dev-postgres: - db_username: "mattermost" - db_name: "mattermost" + postgres-operator: + postgresql: + enabled: true # Set to false to not create the PostgreSQL resource + teamId: "uds" + volume: + size: "10Gi" + numberOfInstances: 2 + users: + mattermost.mattermost: [] # database owner + databases: + mattermost: mattermost.mattermost + version: "13" + ingress: + remoteGenerated: Anywhere diff --git a/chart/templates/mattermost-postgres.yaml b/chart/templates/mattermost-postgres.yaml index 8c1eee1e..0a351f48 100644 --- a/chart/templates/mattermost-postgres.yaml +++ b/chart/templates/mattermost-postgres.yaml 
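Review bot: The PostgreSQL resource's `ingress: remoteGenerated: Anywhere` at the end of the uds-config.yaml hunk admits any source to the database, while the consuming side in chart/templates/uds-package.yaml pins Mattermost's egress to `postgres.namespace`/`postgres.selector`, so the two halves of the rule are not symmetric. If the uds-postgres-config chart's `ingress` accepts the same shape as a Package CR rule (I cannot confirm its schema from this diff), scoping it with `remoteNamespace: mattermost` and `remoteSelector: {app.kubernetes.io/name: mattermost-enterprise-edition}` keeps the dev bundle as narrow as the chart's own rule. This is the dev bundle config, so a wide rule may be deliberate; a one-line comment saying so, e.g. `# dev only: open to any source, narrow to the consumer namespace in real bundles`, would stop it being copied as-is.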
@@ -5,4 +5,14 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - MM_SQLSETTINGS_DATASOURCE: "postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}" + MM_SQLSETTINGS_DATASOURCE: |- + {{- if and .Values.postgres.existingSecret.name (eq .Values.postgres.password "") }} + {{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgres.existingSecret.name) }} + {{- if $secret }} + {{- $password := index $secret.data .Values.postgres.existingSecret.passwordKey | b64dec }} + {{- $username := index $secret.data .Values.postgres.existingSecret.usernameKey | b64dec }} + postgres://{{ $username }}:{{ $password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }} + {{- else }} + postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }} + {{- end }} + {{- end }} diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 89cd9060..393c019b 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -28,10 +28,17 @@ spec: MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}" MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}" {{- end }} + monitor: + - selector: + app.kubernetes.io/name: mattermost-enterprise-edition + targetPort: 8067 + portName: mattermost-app-metrics + description: Metrics + network: expose: - service: mattermost-enterprise-edition - podLabels: + selector: app.kubernetes.io/name: mattermost-enterprise-edition gateway: tenant host: {{ .Values.subdomain }} 
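Review bot: The `{{- else }}` on the new side is bound to `{{- if $secret }}`, not to the outer `if`, so when `postgres.password` is set (the case values.yaml documents as "will not use the existingSecret") or `existingSecret.name` is empty, neither branch runs and `MM_SQLSETTINGS_DATASOURCE` renders as an empty string. The inner else is also a silent failure: when `lookup` finds no Secret (always the case under `helm template`/`--dry-run`, where `lookup` returns an empty map) it emits a DSN with the empty values password instead of surfacing the misconfiguration. Neither path URL-escapes the credentials, so an operator-generated password containing `@`, `:`, `/` or `#` yields a DSN that parses wrongly; piping through `urlquery` fixes that. The rewrite below moves the plain-values DSN to the outer `else` and fails the render when the referenced Secret is absent; if dry-run rendering must keep working, replace the `fail` with a fallthrough to the outer branch.
```yaml
  MM_SQLSETTINGS_DATASOURCE: |-
    {{- if and .Values.postgres.existingSecret.name (eq .Values.postgres.password "") }}
    {{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgres.existingSecret.name) }}
    {{- if not $secret }}
    {{- fail (printf "postgres.existingSecret.name %q not found in namespace %q" .Values.postgres.existingSecret.name .Release.Namespace) }}
    {{- end }}
    {{- $password := index $secret.data .Values.postgres.existingSecret.passwordKey | b64dec | urlquery }}
    {{- $username := index $secret.data .Values.postgres.existingSecret.usernameKey | b64dec | urlquery }}
    postgres://{{ $username }}:{{ $password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}
    {{- else }}
    postgres://{{ .Values.postgres.username | urlquery }}:{{ .Values.postgres.password | urlquery }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}
    {{- end }}
```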
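Review bot: The new `monitor` entry scrapes port 8067 on the Mattermost pods, but nothing visible in the uds-package.yaml hunk switches the metrics listener on in Mattermost itself — the `env` map just above it only carries the email/SSO sign-in settings. If the chart does not set `MM_METRICSSETTINGS_ENABLE: "true"` elsewhere (outside this hunk, so I cannot confirm), the generated ServiceMonitor targets a closed port and the ingress rule UDS derives from the monitor entry is dead weight. Either way the dependency is worth a comment on the entry, e.g. `# Requires Mattermost MetricsSettings.Enable (MM_METRICSSETTINGS_ENABLE); port 8067 is closed otherwise`.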
@@ -44,8 +51,44 @@ spec: - direction: Egress remoteGenerated: IntraNamespace - # Todo: wide open for hitting in-cluster or external postgres/s3 - direction: Egress - podLabels: + selector: + app.kubernetes.io/name: mattermost-enterprise-edition + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} + remoteSelector: + {{ .Values.storage.selector | toYaml | nindent 10 }} + port: {{ .Values.storage.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Mattermost Storage" + + - direction: Egress + selector: app.kubernetes.io/name: mattermost-enterprise-edition + {{- if .Values.postgres.internal }} + remoteNamespace: {{ .Values.postgres.namespace | quote }} + remoteSelector: + {{ .Values.postgres.selector | toYaml | nindent 10 }} + port: {{ .Values.postgres.port }} + {{- else }} remoteGenerated: Anywhere + {{- end }} + description: "Mattermost Postgres" + + # Custom rules for unanticipated scenarios + {{- range .Values.custom }} + - direction: {{ .direction }} + selector: + {{ .selector | toYaml | nindent 10 }} + {{- if not .remoteGenerated }} + remoteNamespace: {{ .remoteNamespace }} + remoteSelector: + {{ .remoteSelector | toYaml | nindent 10 }} + port: {{ .port }} + {{- else }} + remoteGenerated: {{ .remoteGenerated }} + {{- end }} + description: {{ .description }} + {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 9e5a07a7..3e9b0dd2 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
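Review bot: The external branches (`{{- else }} remoteGenerated: Anywhere`) of both the storage and the Postgres rule drop the `port:` that the internal branches carry, so with an external database or object store Mattermost's egress is still open to every destination and every port — the "wide open" condition the removed Todo comment described survives for the external case. If the Package CR accepts `port` alongside `remoteGenerated` (I cannot confirm the schema from here), carrying `port: {{ .Values.postgres.port }}` and `port: {{ .Values.storage.port }}` into those branches keeps the rules proportional. In the custom-rules block the templated scalars are emitted unquoted (`remoteNamespace: {{ .remoteNamespace }}`, `description: {{ .description }}`), unlike the `| quote` used on the two rules above; a description containing `: ` or ` #` breaks the YAML, so `description: {{ .description | quote }}` and `remoteNamespace: {{ .remoteNamespace | quote }}` are the safer form. The same block hands `.selector` and `.remoteSelector` to `toYaml` with no presence check, so an entry missing either key renders `null` instead of failing at lint time.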
@@ -9,13 +9,23 @@ objectStorage: region: "us-west-1" postgres: - username: "mattermost" + username: "mattermost.mattermost" + # Note: Specifying password as anything other than "" will not use the existingSecret password: "" - host: "" - port: 5432 + existingSecret: + name: "mattermost.mattermost.pg-cluster.credentials.postgresql.acid.zalan.do" + passwordKey: password + usernameKey: username + host: "pg-cluster.postgres.svc.cluster.local" dbName: "mattermost" # Example: "?connect_timeout=10&sslmode=disable" connectionOptions: "" + # Set to false to use external postgres + internal: true + selector: + cluster-name: pg-cluster + namespace: postgres + port: 5432 sso: enabled: true @@ -35,3 +45,28 @@ config: # Additional environment variables for Mattermost extraEnv: {} + +storage: + # Set to false to use external storage + internal: true + selector: + app: minio + namespace: dev-minio + port: 9000 + +# custom: +# # Notice no `remoteGenerated` field here on custom internal rule +# - direction: Ingress +# selector: +# app: jenkins +# remoteNamespace: jenkins +# remoteSelector: +# app: jenkins +# port: 8180 +# description: "Ingress from Jenkins" +# # No `remoteNamespace`, `remoteSelector`, or `port` fields on rule to `remoteGenerated` +# - direction: Egress +# selector: +# app: webservice +# remoteGenerated: Anywhere +# description: "Egress from Mattermost" diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml index 75f6df57..e4ae6981 100644 --- a/src/dev-secrets/zarf.yaml +++ b/src/dev-secrets/zarf.yaml @@ -3,7 +3,6 @@ kind: ZarfPackageConfig metadata: name: dev-secrets version: "0.1.0" - architecture: amd64 components: - name: minio-password 
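Review bot: The new `existingSecret` block in the values.yaml hunk carries no comment on how it is consumed: the chart reads that Secret at render time with Helm `lookup`, so the Secret must already exist in the release namespace before install or upgrade, and a `helm template`/dry-run render cannot see it. The defaults also bind the chart to one specific deployment (`pg-cluster` in namespace `postgres`, the operator-generated secret name), which suits the dev bundle but deserves stating next to the values. I would add above `existingSecret:` the comment `# Resolved at render time via Helm lookup; the Secret must exist in the release namespace before deploy (not visible under helm template/dry-run)`, and above `port: 5432` the comment `# Used for both the connection string and the egress NetworkPolicy`.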
@@ -21,13 +20,3 @@ components: setVariables: - name: SECRET_KEY sensitive: true - - name: postgres-password - required: true - actions: - onDeploy: - before: - - cmd: kubectl get secret -n dev-postgres postgresql --template={{.data.password}} | base64 -d - mute: true - setVariables: - - name: DB_PASSWORD - sensitive: true diff --git a/src/namespace/ns.yaml b/src/namespace/ns.yaml new file mode 100644 index 00000000..2761c1bb --- /dev/null +++ b/src/namespace/ns.yaml @@ -0,0 +1,4 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: mattermost diff --git a/src/namespace/zarf.yaml b/src/namespace/zarf.yaml new file mode 100644 index 00000000..51720df5 --- /dev/null +++ b/src/namespace/zarf.yaml @@ -0,0 +1,13 @@ +kind: ZarfPackageConfig +metadata: + name: dev-namespace + description: "create namespaces for cross-ns secret functionality of pg operator" + version: 0.1.0 + +components: + - name: deploy-namespace-for-cross-ns-secret + required: true + manifests: + - name: dev-namespace + files: + - ns.yaml diff --git a/tasks/dependencies.yaml b/tasks/dependencies.yaml index 1056b955..f10ef64f 100644 --- a/tasks/dependencies.yaml +++ b/tasks/dependencies.yaml @@ -3,3 +3,4 @@ tasks: description: Create the Dependency Zarf Package actions: - cmd: uds zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH} + - cmd: uds zarf package create src/namespace/ --confirm --no-progress --architecture=${UDS_ARCH}
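Review bot: `version: 0.1.0` in the new src/namespace/zarf.yaml is unquoted while the sibling src/dev-secrets/zarf.yaml (in the hunk above) writes `version: "0.1.0"`; both parse as strings today, but quoting version-like scalars is the repo's convention and keeps a future `0.1` from becoming a float. Change it to `version: "0.1.0"`. The package `description` explains the cross-namespace secret motivation, which is helpful; it would also be worth noting there that the `mattermost` Namespace this package creates is the one the mattermost package later deploys into, since I cannot see from this diff how that package treats an already-existing namespace.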