MM Minio 4 upgrade

CHANGELOG.md

@@ -3,11 +3,57 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [0.1.7-bb.1] - 2021-07-23
+### Changed
+- Updated to latest IronBank image 5.37.0
+- Updated to latest Minio 4.1.2 package as dependency
+- Moved to Gluon test library
+- Pulled in changes from main-minio2 branch
+
+### Added
+- Added BigBang networkPolicies
 
 ## [0.1.7-bb.0] - 2021-05-17
 ### Changed
 - Updated to latest Minio package as dependency
 
+## [0.1.6-bb.8] - 2021-07-21
+### Changed
+- Add openshift toggle, conditionally add port 5353 egress. Changing "openshift:" to true in values.yaml will enable.
+
+## [0.1.6-bb.7] - 2021-07-08
+### Changed
+- Update Mattermost to version 5.36.1
+
+## [0.1.6-bb.6] - 2021-06-22
+### Changed
+- Update Mattermost to version 5.36.0
+
+## [0.1.6-bb.5] - 2021-06-21
+### Fixed
+- NetworkPolicy blocking an init container, added policy to allow postgres egress for the init container
+- Redo of test egress
+- Move around DNS policy
+
+## [0.1.6-bb.4] - 2021-06-07
+### Added
+- Ability to pass volumes / volumeMounts to MM pods
+
+## [0.1.6-bb.3] - 2021-06-04
+### Added
+- Add IPS with new operator
+- Switch to the IB image being used directly
+
+## [0.1.6-bb.2] - 2021-06-02
+### Changed
+- Restricted test policy to just cluster
+
+## [0.1.6-bb.1] - 2021-06-01
+### Changed
+- Moved tests to gluon library
+### Added
+- Default NetworkPolicies added
+
 ## [0.1.6-bb.0] - 2021-05-11
 ### Changed
 - Migrated Cypress tests to Helm tests

CODEOWNERS

-* @micah.nagel @branden.cobb
+* @micah.nagel @brandencobb @jasonkrause

chart/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 10.3.5
 - name: minio-instance
   repository: file://./deps/minio
-  version: 4.0.4-bb.4
-- name: bb-test-lib
-  repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
-  version: 0.5.2
-digest: sha256:3ca344e6b6e62dc508c2599518d638e424477cf8de51a53cf795c8481d6c2b32
-generated: "2021-05-17T13:29:55.74089-06:00"
+  version: 4.1.2-bb.3
+- name: gluon
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+  version: 0.1.1
+digest: sha256:4f58bc0a89971b5e64c0fd8d57d8cee0a116fd8bd62315722a6fea37fdfd44e3
+generated: "2021-07-27T10:06:13.1849167-06:00"

chart/Chart.yaml

@@ -2,8 +2,8 @@
 apiVersion: v2
 name: mattermost
 type: application
-version: "0.1.7-bb.0"
-appVersion: "5.34.2"
+version: "0.1.7-bb.1"
+appVersion: "5.37.0"
 description: "Deployment of mattermost"
 keywords: 
   - Mattermost
@@ -17,10 +17,10 @@ dependencies:
     condition: postgresql.install
     repository: file://./deps/postgresql
   - name: minio-instance
-    version: 4.0.4-bb.4
+    version: 4.1.2-bb.3
     alias: minio
     condition: minio.install
     repository: file://./deps/minio
-  - name: bb-test-lib
-    version: 0.5.2
-    repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+  - name: gluon
+    version: 0.1.1
+    repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon

chart/deps/minio/Chart.yaml

 apiVersion: v2
-
-name: minio-instance
-
-description: |-
-  A Helm chart for deploying the Minio instances based on use of the Minio operator
-
-#home: https://github.com/elastic/cloud-on-k8s
-
 type: application
-
-version: 4.0.4-bb.4
-
-appVersion: RELEASE.2020-11-19T23-48-16Z
-
-kubeVersion: ">=1.17.0-0"
-
+name: minio-instance
+version: 4.1.2-bb.3
+appVersion: v4.1.2
+description: A Helm chart for MinIO based on Minio Operator 4.1.2
+home: https://min.io
+icon: https://min.io/resources/img/logo/MINIO_wordmark.png
 keywords:
-  - Minio
-  - Instance
-
+- storage
+- object-storage
+- S3
 maintainers:
-  - name: me
-    email:
-
-dependencies:
-  - name: bb-test-lib
-    version: "0.5.0"
-    repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+- email: dev@minio.io
+  name: MinIO, Inc
+sources:
+- https://github.com/minio/operator

chart/deps/minio/Kptfile

 apiVersion: kpt.dev/v1alpha1
 kind: Kptfile
 metadata:
-  name: minio
+  name: chart
 upstream:
   type: git
   git:
-    commit: 3da8ff8e918a5f0fbff1e9a14e2f00a4cba3f925
+    commit: 2ac9e5bf5aaaa414ea9790b2057d42e30b86df92
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio
     directory: /chart
-    ref: 4.0.4-bb.4
+    ref: 4.1.2-bb.3

chart/deps/minio/templates/_helpers.tpl

@@ -61,8 +61,12 @@ Create the name of the service account to use
 Create the name of the service used to access the Minio object UI.
 Note: the Minio operator has a fixed name of "minio" for the service it creates.
 */}}
-{{- define "minio.serviceName" -}}
+{{- define "minio.serviceName" }}
+{{- if .Values.upgradeTenants.enabled -}}
 minio
+{{- else -}}
+{{- default (include "minio.fullname" .) .Values.service.nameOverride }}
+{{- end }}
 {{- end }}
 
 {{/*

chart/deps/minio/templates/bigbang/networkpolicies/allow-sidecar-scraping.yaml

+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-sidecar-scraping
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+    ports:
+    - protocol: TCP
+      port: 15090
+    - protocol: TCP
+      port: 15020
+{{- end }}

chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-external-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - port: 53
+      protocol: UDP
+{{- end }}

chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+{{- end }}
\ No newline at end of file

chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml

+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- if $enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-helm-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  policyTypes:
+  - Egress
+{{- end }}
+{{- end }}

chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml

+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          app: istio-ingressgateway
+          istio: ingressgateway
+    ports:
+    - port: {{ .Values.service.port }}
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  policyTypes:
+  - Ingress
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          app: istiod
+    ports:
+    - port: 15012
+{{- end }}

chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml

+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+    ports:
+    - port: {{ .Values.service.port }}
+      protocol: TCP
+{{- end }}
\ No newline at end of file

chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}
\ No newline at end of file

chart/deps/minio/templates/minio-vs.yaml

@@ -26,12 +26,12 @@ spec:
   http:
     - match:
         - uri:
-            prefix: /minio/prometheus/metrics
+            prefix: /minio/v2/metrics/cluster
       route:
         - destination:
             host: {{ include "minio.serviceName" . }}
             port:
-              number: {{ include "minio.servicePort" . | trim }}
+              number: {{ .Values.tenants.metrics.port }}
       fault:
         abort:
           percentage: