feat: switch to minio operator, add lookup to object store secret

.gitignore

@@ -5,7 +5,9 @@ build/
 .DS_Store
 *.tar.zst
 zarf-sbom
+oscal-assessment-results.yaml
 
 # Tests
 node_modules/
 .playwright/
+bundle/uds-config-previous.yaml

bundle/uds-bundle.yaml

@@ -10,13 +10,26 @@ metadata:
   # x-release-please-end
 
 packages:
-  - name: dev-namespace
-    path: ../
-    ref: 0.1.0
-
-  - name: dev-minio
-    repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
-    ref: 0.0.2
+  - name: minio-operator
+    repository: ghcr.io/defenseunicorns/packages/uds/minio-operator
+    ref: 6.0.4-uds.1-upstream
+    overrides:
+      minio-operator:
+        uds-minio-config:
+          values:
+            # Test helm overrides to provision app specific buckets, policies and creds
+            - path: apps
+              value:
+                - name: mattermost
+                  namespace: mattermost
+                  bucketNames:
+                    - uds-mattermost-dev
+                  policy: ""
+                  copyPassword:
+                    enabled: true
+                    secretName: "mattermost-minio"
+                    secretIDKey: "access_key"
+                    secretPasswordKey: "secret_key"
 
   - name: postgres-operator
     repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
@@ -43,9 +56,6 @@ packages:
   - name: dev-secrets
     path: ../
     ref: 0.1.0
-    exports:
-      - name: ACCESS_KEY
-      - name: SECRET_KEY
 
   - name: mattermost-plugins
     path: ../
@@ -58,19 +68,14 @@ packages:
     # x-release-please-start-version
     ref: 10.2.0-uds.0
     # x-release-please-end
-    imports:
-      - name: ACCESS_KEY
-        package: dev-secrets
-      - name: SECRET_KEY
-        package: dev-secrets
     overrides:
       mattermost:
         uds-mattermost-config:
           values:
             - path: "objectStorage.secure"
               value: "false"
             - path: "objectStorage.endpoint"
-              value: "minio.dev-minio.svc.cluster.local:9000"
+              value: "uds-minio-hl.minio.svc.cluster.local:9000"
             - path: "objectStorage.bucket"
               value: "uds-mattermost-dev"
         mattermost-enterprise-edition:

bundle/uds-config.yaml

@@ -1,7 +1,2 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-variables:
-  dev-minio:
-    buckets: |
-      - name: uds-mattermost-dev

chart/templates/mattermost-object-store.yaml

@@ -8,10 +8,26 @@ metadata:
   namespace: {{ .Release.Namespace }}
 type: Opaque
 stringData:
+
+  {{- $awsAccessKey := "" }}
+  {{- $awsSecretKey := "" }}
+
+  {{- $secret := lookup "v1" "Secret" .Values.objectStorage.secretRef.secretNamespace .Values.objectStorage.secretRef.secretName }}
+  {{- if and $secret (index $secret.data .Values.objectStorage.secretRef.secretIDKey) }}
+    {{- $awsAccessKey = (index $secret.data .Values.objectStorage.secretRef.secretIDKey | b64dec) }}
+  {{- else }}
+    {{- $awsAccessKey = .Values.objectStorage.accessKey | quote }}
+  {{- end }}
+
+  {{- if and $secret (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey) }}
+    {{- $awsSecretKey = (index $secret.data .Values.objectStorage.secretRef.secretPasswordKey | b64dec) }}
+  {{- else }}
+    {{- $awsSecretKey = .Values.objectStorage.secretKey | quote }}
+  {{- end }}
   MM_FILESETTINGS_DRIVERNAME: amazons3
   MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}"
-  MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}"
-  MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "{{ .Values.objectStorage.secretKey }}"
+  MM_FILESETTINGS_AMAZONS3ACCESSKEYID: {{ $awsAccessKey }}
+  MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: {{ $awsSecretKey }}
   MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}"
   MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}"
   MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}"

chart/templates/uds-package.yaml

@@ -105,11 +105,11 @@ spec:
       - direction: Egress
         selector:
           app.kubernetes.io/name: mattermost-enterprise-edition
-        {{- if .Values.storage.internal }}
-        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        {{- if .Values.objectStorage.internal }}
+        remoteNamespace: {{ .Values.objectStorage.namespace | quote }}
         remoteSelector:
-          {{ .Values.storage.selector | toYaml | nindent 10 }}
-        port: {{ .Values.storage.port }}
+          {{ .Values.objectStorage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.objectStorage.port }}
         {{- else }}
         remoteGenerated: Anywhere
         {{- end }}

chart/values.yaml

@@ -4,11 +4,22 @@
 domain: "###ZARF_VAR_DOMAIN###"
 
 objectStorage:
+  internal: true
+  selector:
+    app: minio
+  namespace: minio
+  port: 9000
   secure: true
   accessKey: ""
   secretKey: ""
   bucket: "mattermost"
   endpoint: "s3.amazonaws.com"
+  secretRef:
+    enabled: true  # Set to true to use secret reference
+    secretNamespace: "mattermost"
+    secretName: "mattermost-minio"
+    secretIDKey: "access_key"
+    secretPasswordKey: "secret_key"
   region: "us-west-1"
 
 postgres:
@@ -59,13 +70,13 @@ config:
 # Additional environment variables for Mattermost
 extraEnv: {}
 
-storage:
-  # Set to false to use external storage
-  internal: true
-  selector:
-    app: minio
-  namespace: dev-minio
-  port: 9000
+# storage:
+#   # Set to false to use external storage
+#   internal: true
+#   selector:
+#     app: minio
+#   namespace: dev-minio
+#   port: 9000
 
 # custom:
 #    # Notice no `remoteGenerated` field here on custom internal rule

common/zarf.yaml

@@ -35,6 +35,9 @@ components:
                 name: mattermost
                 namespace: mattermost
                 condition: "'{.status.phase}'=Ready"
+          - cmd: ./zarf tools kubectl -n mattermost rollout restart deployment
+            description: Restart Mattermost Deployment so pods cycle on upgrades
+          - cmd: ./zarf tools kubectl -n mattermost rollout status deploy
           - description: Mattermost to be Healthy
             wait:
               cluster:

tasks.yaml

@@ -65,10 +65,11 @@ tasks:
     actions:
       - task: upgrade:create-latest-tag-bundle
         with:
-          # TODO: (@ZMILLER) remove zarf package create on next release
-          dep_commands: "./uds run dependencies:create && ./uds zarf package create plugins/ --confirm --no-progress"
+          dep_commands: "./uds run dependencies:create && cp bundle/uds-config.yaml ../bundle/uds-config-previous.yaml"
       - task: setup:k3d-test-cluster
       - task: deploy:test-bundle
+        with:
+          config: bundle/uds-config-previous.yaml
       - task: compliance:validate
       - task: create-dev-package
       - task: create-deploy-test-bundle

tasks/dependencies.yaml

@@ -5,6 +5,4 @@ tasks:
   - name: create
     description: Create the Dependency Zarf Package
     actions:
-      - cmd: ./uds zarf package create src/dev-secrets/ --confirm --no-progress --architecture="${UDS_ARCH}"
-      - cmd: ./uds zarf package create src/namespace/ --confirm --no-progress --architecture="${UDS_ARCH}"
       - cmd: ./uds zarf package create plugins/ --confirm --no-progress