From edb91cf47b9f7298659d2c49f9baeb86267ab266 Mon Sep 17 00:00:00 2001 From: Zachariah Miller Date: Tue, 3 Dec 2024 14:17:30 -0500 Subject: [PATCH 1/8] switch to minio operator, add lookup to object store secret --- bundle/uds-bundle.yaml | 37 +++++++++++--------- bundle/uds-config.yaml | 5 --- chart/templates/mattermost-object-store.yaml | 16 +++++++++ chart/templates/uds-package.yaml | 8 ++--- chart/values.yaml | 25 +++++++++---- common/zarf.yaml | 3 ++ tasks.yaml | 5 +-- 7 files changed, 65 insertions(+), 34 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 8a0ce9f4..3e241725 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -10,13 +10,26 @@ metadata: # x-release-please-end packages: - - name: dev-namespace - path: ../ - ref: 0.1.0 - - - name: dev-minio - repository: ghcr.io/defenseunicorns/packages/uds/dev-minio - ref: 0.0.2 + - name: minio-operator + repository: ghcr.io/defenseunicorns/packages/uds/minio-operator + ref: 6.0.4-uds.1-upstream + overrides: + minio-operator: + uds-minio-config: + values: + # Test helm overrides to provision app specific buckets, policies and creds + - path: apps + value: + - name: mattermost + namespace: mattermost + bucketNames: + - uds-mattermost-dev + policy: "" + copyPassword: + enabled: true + secretName: "mattermost-minio" + secretIDKey: "access_key" + secretPasswordKey: "secret_key" - name: postgres-operator repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator @@ -43,9 +56,6 @@ packages: - name: dev-secrets path: ../ ref: 0.1.0 - exports: - - name: ACCESS_KEY - - name: SECRET_KEY - name: mattermost-plugins path: ../ @@ -58,11 +68,6 @@ packages: # x-release-please-start-version ref: 10.1.2-uds.1 # x-release-please-end - imports: - - name: ACCESS_KEY - package: dev-secrets - - name: SECRET_KEY - package: dev-secrets overrides: mattermost: uds-mattermost-config: 
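Review bot: The `# Test helm overrides to provision app specific buckets, policies and creds` comment above the new `apps` override in `bundle/uds-bundle.yaml` reads as a leftover from experimentation and does not say what the override produces or who consumes it, which is what a reader of the dev bundle needs. I would replace it with `# Dev bucket for Mattermost; copyPassword places its credentials in Secret mattermost-minio in the mattermost namespace, matched by objectStorage.secretRef in chart/values.yaml`. The meaning of `policy: ""` is not visible here (whether an empty string grants no policy or falls back to a default one), so that should be confirmed against the minio-operator package and stated in the same comment.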
@@ -70,7 +75,7 @@ packages: - path: "objectStorage.secure" value: "false" - path: "objectStorage.endpoint" - value: "minio.dev-minio.svc.cluster.local:9000" + value: "uds-minio-hl.minio.svc.cluster.local:9000" - path: "objectStorage.bucket" value: "uds-mattermost-dev" mattermost-enterprise-edition: diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index cfffbb67..2067cc53 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -1,7 +1,2 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -variables: - dev-minio: - buckets: | - - name: uds-mattermost-dev diff --git a/chart/templates/mattermost-object-store.yaml b/chart/templates/mattermost-object-store.yaml index f5cf0b9c..7801acbd 100644 --- a/chart/templates/mattermost-object-store.yaml +++ b/chart/templates/mattermost-object-store.yaml @@ -8,6 +8,22 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: + + {{- $awsAccessKey := "" }} + {{- $awsSecretKey := "" }} + + {{- $secret := lookup "v1" "Secret" .Values.objectStorage.secretRef.secretNamespace .Values.objectStorage.secretRef.secretName }} + {{- if and $secret (index $secret.data .Values.objectStorage.secretRef.secretIDKey) }} + {{- $awsAccessKey = (index $secret.data .Values.objectStorage.secretRef.secretIDKey | b64dec) }} + {{- else }} + {{- $awsAccessKey = .Values.objectStorage.accessKey | quote }} + {{- end }} + + {{- if and $secret (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey) }} + {{- $awsSecretKey = (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey | b64dec) }} + {{- else }} + {{- $awsSecretKey = .Values.objectStorage.secretKey | quote }} + {{- end }} MM_FILESETTINGS_DRIVERNAME: amazons3 MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}" MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}" 
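Review bot: The new lookup block in `chart/templates/mattermost-object-store.yaml` never consults `objectStorage.secretRef.enabled`, which `chart/values.yaml` introduces in the same commit with the comment "Set to true to use secret reference", so the Secret lookup runs unconditionally and the flag is dead. The lookup branch also assigns the decoded value bare (`... | b64dec`) while the fallback branch applies `| quote`; once these variables are emitted into `stringData` (patches 2/8 and 3/8 do so as `{{ $awsAccessKey }}` / `{{ $awsSecretKey }}` with no surrounding quotes), a credential containing `#`, `: ` or another YAML-significant sequence would break or retype the rendered manifest. I would wrap the whole block in `{{- if .Values.objectStorage.secretRef.enabled }}` and quote both branches, e.g. `{{- $awsAccessKey = (index $secret.data .Values.objectStorage.secretRef.secretIDKey | b64dec | quote) }}` and `{{- $awsSecretKey = (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey | b64dec | quote) }}`. In this hunk the two variables are computed but unused, since the context lines still read `.Values.objectStorage.accessKey`; a comment noting that `lookup` returns nothing under `helm template` or `--dry-run`, so those paths always take the values fallback, would also help the next reader.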
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 33fff11d..1d2d38c7 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -98,11 +98,11 @@ spec: - direction: Egress selector: app.kubernetes.io/name: mattermost-enterprise-edition - {{- if .Values.storage.internal }} - remoteNamespace: {{ .Values.storage.namespace | quote }} + {{- if .Values.objectStorage.internal }} + remoteNamespace: {{ .Values.objectStorage.namespace | quote }} remoteSelector: - {{ .Values.storage.selector | toYaml | nindent 10 }} - port: {{ .Values.storage.port }} + {{ .Values.objectStorage.selector | toYaml | nindent 10 }} + port: {{ .Values.objectStorage.port }} {{- else }} remoteGenerated: Anywhere {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 8daf03ad..8fcb7493 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -4,11 +4,22 @@ domain: "###ZARF_VAR_DOMAIN###" objectStorage: + internal: true + selector: + app: minio + namespace: minio + port: 9000 secure: true accessKey: "" secretKey: "" bucket: "mattermost" endpoint: "s3.amazonaws.com" + secretRef: + enabled: true # Set to true to use secret reference + secretNamespace: "mattermost" + secretName: "mattermost-minio" + secretIDKey: "access_key" + secretPasswordKey: "secret_key" region: "us-west-1" postgres: @@ -58,13 +69,13 @@ config: # Additional environment variables for Mattermost extraEnv: {} -storage: - # Set to false to use external storage - internal: true - selector: - app: minio - namespace: dev-minio - port: 9000 +# storage: +# # Set to false to use external storage +# internal: true +# selector: +# app: minio +# namespace: dev-minio +# port: 9000 # custom: # # Notice no `remoteGenerated` field here on custom internal rule diff --git a/common/zarf.yaml b/common/zarf.yaml index eed5ee3a..c4f7dda7 100644 --- a/common/zarf.yaml +++ b/common/zarf.yaml 
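Review bot: The new `secretRef` block in `chart/values.yaml` documents only `enabled` and leaves the relationship between `secretRef` and the plain `accessKey`/`secretKey` fields unexplained, even though the template added in this commit treats the latter as the fallback when the referenced Secret or key is missing. I would put a short comment above `secretRef:` such as `# Credentials are read from this Secret via a Helm lookup at render time; accessKey/secretKey above are used only when the Secret or the named key is absent`, and note on `secretNamespace` that looking up a Secret in a namespace other than the release namespace presumably requires the installing identity to have read access there. The inline comment on `enabled: true # Set to true to use secret reference` also needs two spaces before `#` to satisfy yamllint.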
@@ -35,6 +35,9 @@ components: name: mattermost namespace: mattermost condition: "'{.status.phase}'=Ready" + - cmd: ./zarf tools kubectl -n mattermost rollout restart deployment + description: Restart Mattermost Deployment so pods cycle on upgrades + - cmd: ./zarf tools kubectl -n mattermost rollout status deploy - description: Mattermost to be Healthy wait: cluster: diff --git a/tasks.yaml b/tasks.yaml index d2c47756..f162145a 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -65,10 +65,11 @@ tasks: actions: - task: upgrade:create-latest-tag-bundle with: - # TODO: (@ZMILLER) remove zarf package create on next release - dep_commands: "./uds run dependencies:create && ./uds zarf package create plugins/ --confirm --no-progress" + dep_commands: "./uds run dependencies:create && cp bundle/uds-config.yaml ../bundle/uds-config-previous.yaml" - task: setup:k3d-test-cluster - task: deploy:test-bundle + with: + config: bundle/uds-config-previous.yaml - task: compliance:validate - task: create-dev-package - task: create-deploy-test-bundle From 100ab9dac72cccd246a3bc9449bc2701675644e4 Mon Sep 17 00:00:00 2001 From: Zachariah Miller Date: Tue, 3 Dec 2024 14:51:59 -0500 Subject: [PATCH 2/8] fix stupid mistake --- .gitignore | 1 + chart/templates/mattermost-object-store.yaml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index edb16e7e..0bb74c66 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ zarf-sbom # Tests node_modules/ .playwright/ +bundle/uds-config-previous.yaml \ No newline at end of file diff --git a/chart/templates/mattermost-object-store.yaml b/chart/templates/mattermost-object-store.yaml index 7801acbd..56fd788c 100644 --- a/chart/templates/mattermost-object-store.yaml +++ b/chart/templates/mattermost-object-store.yaml 
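Review bot: `./zarf tools kubectl -n mattermost rollout restart deployment` in `common/zarf.yaml` names no Deployment, so as written it appears to restart every Deployment in the `mattermost` namespace rather than only the Mattermost one, and the following `rollout status deploy` likewise waits on all of them with no `--timeout`, so a Deployment that never becomes ready blocks the package action indefinitely. If restarting the whole namespace is intended, say so in the description; otherwise name the Deployment and bound the wait, e.g. `- cmd: ./zarf tools kubectl -n mattermost rollout status deploy --timeout=300s`. The second action also lacks the `description:` that its sibling actions carry.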
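Review bot: The copy target `../bundle/uds-config-previous.yaml` in `dep_commands` in `tasks.yaml` and the `config: bundle/uds-config-previous.yaml` passed to `deploy:test-bundle` two actions later only refer to the same file if `dep_commands` runs one directory below the repo root, which nothing in this hunk states; the `.gitignore` entry added in patch 2/8 uses the `bundle/` form. A comment on the `with:` block such as `# dep_commands runs inside the previous-tag checkout, so ../bundle/ is this repo's bundle/ directory — TODO confirm` would record the assumption, or the two paths should be made identical. The `upgrade:create-latest-tag-bundle` task that consumes `dep_commands` is defined outside this hunk.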
@@ -26,8 +26,8 @@ stringData: {{- end }} MM_FILESETTINGS_DRIVERNAME: amazons3 MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}" - MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}" - MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "{{ .Values.objectStorage.secretKey }}" + MM_FILESETTINGS_AMAZONS3ACCESSKEYID: {{ $awsSecretKey }} + MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: {{ $awsAccessKey }} MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}" MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}" MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}" From a717ca3975cc769c71bfdde7276b9f62c275e2c5 Mon Sep 17 00:00:00 2001 From: Zachariah Miller Date: Tue, 3 Dec 2024 16:21:10 -0500 Subject: [PATCH 3/8] fix: swap access key and secret key variables --- chart/templates/mattermost-object-store.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/templates/mattermost-object-store.yaml b/chart/templates/mattermost-object-store.yaml index 56fd788c..a5417a4f 100644 --- a/chart/templates/mattermost-object-store.yaml +++ b/chart/templates/mattermost-object-store.yaml @@ -26,8 +26,8 @@ stringData: {{- end }} MM_FILESETTINGS_DRIVERNAME: amazons3 MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}" - MM_FILESETTINGS_AMAZONS3ACCESSKEYID: {{ $awsSecretKey }} - MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: {{ $awsAccessKey }} + MM_FILESETTINGS_AMAZONS3ACCESSKEYID: {{ $awsAccessKey }} + MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: {{ $awsSecretKey }} MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}" MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}" MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}" From 33c480018cf04e46be99cf7ef225bbd6dc37928d Mon Sep 17 00:00:00 2001 
From: Zachariah Miller Date: Tue, 3 Dec 2024 16:40:32 -0500 Subject: [PATCH 4/8] delete no longer needed files, add missing newline --- .gitignore | 3 ++- src/dev-secrets/zarf.yaml | 25 ------------------------- src/namespace/ns.yaml | 7 ------- src/namespace/zarf.yaml | 16 ---------------- tasks/dependencies.yaml | 2 -- 5 files changed, 2 insertions(+), 51 deletions(-) delete mode 100644 src/dev-secrets/zarf.yaml delete mode 100644 src/namespace/ns.yaml delete mode 100644 src/namespace/zarf.yaml diff --git a/.gitignore b/.gitignore index 0bb74c66..d9709669 100644 --- a/.gitignore +++ b/.gitignore @@ -5,8 +5,9 @@ build/ .DS_Store *.tar.zst zarf-sbom +oscal-assessment-results.yaml # Tests node_modules/ .playwright/ -bundle/uds-config-previous.yaml \ No newline at end of file +bundle/uds-config-previous.yaml diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml deleted file mode 100644 index 2c3f19d7..00000000 --- a/src/dev-secrets/zarf.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json -kind: ZarfPackageConfig -metadata: - name: dev-secrets - version: "0.1.0" - -components: - - name: minio-password - required: true - actions: - onDeploy: - before: - - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d - mute: true - setVariables: - - name: ACCESS_KEY - sensitive: true - - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d - mute: true - setVariables: - - name: SECRET_KEY - sensitive: true diff --git a/src/namespace/ns.yaml b/src/namespace/ns.yaml deleted file mode 100644 index 3c7c50d9..00000000 --- a/src/namespace/ns.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -kind: Namespace -apiVersion: v1 -metadata: - name: mattermost diff --git a/src/namespace/zarf.yaml b/src/namespace/zarf.yaml deleted file mode 100644 index f6211f88..00000000 --- a/src/namespace/zarf.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -kind: ZarfPackageConfig -metadata: - name: dev-namespace - description: "create namespaces for cross-ns secret functionality of pg operator" - version: 0.1.0 - -components: - - name: deploy-namespace-for-cross-ns-secret - required: true - manifests: - - name: dev-namespace - files: - - ns.yaml diff --git a/tasks/dependencies.yaml b/tasks/dependencies.yaml index dca1d132..d00317c6 100644 --- a/tasks/dependencies.yaml +++ b/tasks/dependencies.yaml @@ -5,6 +5,4 @@ tasks: - name: create description: Create the Dependency Zarf Package actions: - - cmd: ./uds zarf package create src/dev-secrets/ --confirm --no-progress --architecture="${UDS_ARCH}" - - cmd: ./uds zarf package create src/namespace/ --confirm --no-progress --architecture="${UDS_ARCH}" - cmd: ./uds zarf package create plugins/ --confirm --no-progress From ef3b32670b513c42249540dd58592e7a96e6d644 Mon Sep 17 00:00:00 2001 From: zamaz <71521611+zachariahmiller@users.noreply.github.com> Date: Tue, 3 Dec 2024 16:47:44 -0500 Subject: [PATCH 5/8] Update bundle/uds-bundle.yaml Co-authored-by: Wayne Starr --- bundle/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 12b626a6..4da637d5 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml 
@@ -12,7 +12,7 @@ metadata: packages: - name: minio-operator repository: ghcr.io/defenseunicorns/packages/uds/minio-operator - ref: 6.0.4-uds.1-upstream + ref: 6.0.4-uds.2-upstream overrides: minio-operator: uds-minio-config: From 1bf6748204e6d210facf6041883eee87baf860d5 Mon Sep 17 00:00:00 2001 From: Zachariah Miller Date: Tue, 3 Dec 2024 16:49:01 -0500 Subject: [PATCH 6/8] remove dev secrets ref from bundle yaml --- bundle/uds-bundle.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 4da637d5..5de10c8d 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -12,7 +12,7 @@ metadata: packages: - name: minio-operator repository: ghcr.io/defenseunicorns/packages/uds/minio-operator - ref: 6.0.4-uds.2-upstream + ref: 6.0.4-uds.1-upstream overrides: minio-operator: uds-minio-config: @@ -53,10 +53,6 @@ packages: ingress: - remoteNamespace: mattermost - - name: dev-secrets - path: ../ - ref: 0.1.0 - - name: mattermost-plugins path: ../ # x-release-please-start-version From d75c29dbee59f5a1ac061d3d0f9636f80063f66e Mon Sep 17 00:00:00 2001 From: Zachariah Miller Date: Tue, 3 Dec 2024 16:49:55 -0500 Subject: [PATCH 7/8] bump minio operator version again --- bundle/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 5de10c8d..3fd6f0f4 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -12,7 +12,7 @@ metadata: packages: - name: minio-operator repository: ghcr.io/defenseunicorns/packages/uds/minio-operator - ref: 6.0.4-uds.1-upstream + ref: 6.0.4-uds.2-upstream overrides: minio-operator: uds-minio-config: From 23bb948daf33d09fae01805bc5b407f3f73557b1 Mon Sep 17 00:00:00 2001 
From: Zachariah Miller Date: Wed, 4 Dec 2024 12:17:21 -0500 Subject: [PATCH 8/8] revert replacement of storage key in config chart values for now --- chart/templates/uds-package.yaml | 8 ++++---- chart/values.yaml | 19 +++++++------------ 2 files changed, 11 insertions(+), 16 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 9993bea8..27149464 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -105,11 +105,11 @@ spec: - direction: Egress selector: app.kubernetes.io/name: mattermost-enterprise-edition - {{- if .Values.objectStorage.internal }} - remoteNamespace: {{ .Values.objectStorage.namespace | quote }} + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} remoteSelector: - {{ .Values.objectStorage.selector | toYaml | nindent 10 }} - port: {{ .Values.objectStorage.port }} + {{ .Values.storage.selector | toYaml | nindent 10 }} + port: {{ .Values.storage.port }} {{- else }} remoteGenerated: Anywhere {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index b419ac35..2d3c5f51 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -4,11 +4,6 @@ domain: "###ZARF_VAR_DOMAIN###" objectStorage: - internal: true - selector: - app: minio - namespace: minio - port: 9000 secure: true accessKey: "" secretKey: "" @@ -70,13 +65,13 @@ config: # Additional environment variables for Mattermost extraEnv: {} -# storage: -# # Set to false to use external storage -# internal: true -# selector: -# app: minio -# namespace: dev-minio -# port: 9000 +storage: + # Set to false to use external storage + internal: true + selector: + app: minio + namespace: minio + port: 9000 # custom: # # Notice no `remoteGenerated` field here on custom internal rule
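Review bot: The restored `storage:` block in `chart/values.yaml` and the `objectStorage:` block above it now describe the same MinIO endpoint from two places (`storage.namespace`, `selector` and `port` drive the egress rule in `chart/templates/uds-package.yaml`, while the host and port Mattermost actually connects to come from `objectStorage.endpoint`), and nothing in the file says they must agree. I would extend the comment above `storage:` to `# Set to false to use external storage. These fields only shape the egress NetworkPolicy in templates/uds-package.yaml; keep namespace/selector/port consistent with objectStorage.endpoint`. The `# custom:` commented example that follows is outside this hunk.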