diff --git a/CHANGELOG.md b/CHANGELOG.md index 1252c6e1d81092c0a49e9441f365e96d333ea3d9..309363044f317abd25c4405a4e55f235e3cde380 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,11 +3,57 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +## [0.1.7-bb.1] - 2021-07-23 +### Changed +- Updated to latest IronBank image 5.37.0 +- Updated to latest Minio 4.1.2 package as dependency +- Moved to Gluon test library +- Pulled in changes from main-minio2 branch + +### Added +- Added BigBang networkPolicies ## [0.1.7-bb.0] - 2021-05-17 ### Changed - Updated to latest Minio package as dependency +## [0.1.6-bb.8] - 2021-07-21 +### Changed +- Add openshift toggle, conditionally add port 5353 egress. Changing "openshift:" to true in values.yaml will enable. + +## [0.1.6-bb.7] - 2021-07-08 +### Changed +- Update Mattermost to version 5.36.1 + +## [0.1.6-bb.6] - 2021-06-22 +### Changed +- Update Mattermost to version 5.36.0 + +## [0.1.6-bb.5] - 2021-06-21 +### Fixed +- NetworkPolicy blocking an init container, added policy to allow postgres egress for the init container +- Redo of test egress +- Move around DNS policy + +## [0.1.6-bb.4] - 2021-06-07 +### Added +- Ability to pass volumes / volumeMounts to MM pods + +## [0.1.6-bb.3] - 2021-06-04 +### Added +- Add IPS with new operator +- Switch to the IB image being used directly + +## [0.1.6-bb.2] - 2021-06-02 +### Changed +- Restricted test policy to just cluster + +## [0.1.6-bb.1] - 2021-06-01 +### Changed +- Moved tests to gluon library +### Added +- Default NetworkPolicies added + ## [0.1.6-bb.0] - 2021-05-11 ### Changed - Migrated Cypress tests to Helm tests diff --git a/CODEOWNERS b/CODEOWNERS index 9c87a4c6d25fe9bfd18df30621d2a97867c03b1d..8de84b20356c5344fc780d5f956327e7bac59b16 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1 +1 @@ -* @micah.nagel @branden.cobb +* @micah.nagel @brandencobb @jasonkrause diff --git a/chart/Chart.lock b/chart/Chart.lock index 4365439f9029a45da5e008c141c0588a90e4ea3f..59e69eff307e86a60ca595d86dac1cfaab73bb3f 100644 --- a/chart/Chart.lock +++ b/chart/Chart.lock @@ -4,9 +4,9 @@ dependencies: version: 10.3.5 - name: minio-instance repository: file://./deps/minio - version: 4.0.4-bb.4 -- name: bb-test-lib - repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates - version: 0.5.2 -digest: sha256:3ca344e6b6e62dc508c2599518d638e424477cf8de51a53cf795c8481d6c2b32 -generated: "2021-05-17T13:29:55.74089-06:00" + version: 4.1.2-bb.3 +- name: gluon + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon + version: 0.1.1 +digest: sha256:4f58bc0a89971b5e64c0fd8d57d8cee0a116fd8bd62315722a6fea37fdfd44e3 +generated: "2021-07-27T10:06:13.1849167-06:00" diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 4de4aabada25580a6a19d0aa32e3101faa8af15f..79440d1a1dcb4a14f3fa51f19ef53bfc19ba66c5 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: mattermost type: application -version: "0.1.7-bb.0" -appVersion: "5.34.2" +version: "0.1.7-bb.1" +appVersion: "5.37.0" description: "Deployment of mattermost" keywords: - Mattermost @@ -17,10 +17,10 @@ dependencies: condition: postgresql.install repository: file://./deps/postgresql - name: minio-instance - version: 4.0.4-bb.4 + version: 4.1.2-bb.3 alias: minio condition: minio.install repository: file://./deps/minio - - name: bb-test-lib - version: 0.5.2 - repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" + - name: gluon + version: 0.1.1 + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon 
diff --git a/chart/charts/bb-test-lib-0.5.2.tgz b/chart/charts/bb-test-lib-0.5.2.tgz deleted file mode 100644 index 0df8143dd476200a3e95ccc1ddc9b52dac0bfae4..0000000000000000000000000000000000000000 Binary files a/chart/charts/bb-test-lib-0.5.2.tgz and /dev/null differ diff --git a/chart/charts/gluon-0.1.1.tgz b/chart/charts/gluon-0.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b4a4878dae126348cdee9d80977a15121ba59f9f Binary files /dev/null and b/chart/charts/gluon-0.1.1.tgz differ diff --git a/chart/charts/minio-instance-4.0.4-bb.4.tgz b/chart/charts/minio-instance-4.0.4-bb.4.tgz deleted file mode 100644 index 46ad6c493b04ee1a445ecedc63f15adda7d4b0b9..0000000000000000000000000000000000000000 Binary files a/chart/charts/minio-instance-4.0.4-bb.4.tgz and /dev/null differ diff --git a/chart/charts/minio-instance-4.1.2-bb.3.tgz b/chart/charts/minio-instance-4.1.2-bb.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..55b0f2d15b28e792c9522e59f53a131c3d858d2f Binary files /dev/null and b/chart/charts/minio-instance-4.1.2-bb.3.tgz differ diff --git a/chart/charts/postgresql-10.3.5.tgz b/chart/charts/postgresql-10.3.5.tgz index ad2bbeb3f9f0de74fd552da246173d001d058e16..f76462857d424c500f186cabe2256559b87091e0 100644 Binary files a/chart/charts/postgresql-10.3.5.tgz and b/chart/charts/postgresql-10.3.5.tgz differ diff --git a/chart/deps/minio/Chart.yaml b/chart/deps/minio/Chart.yaml index 677b4ce4f4a47864157cc2dc0198e7846927c2ae..1b0a01f8b1f6a4468e6c9b73ffaeb33b728e83ff 100644 --- a/chart/deps/minio/Chart.yaml +++ b/chart/deps/minio/Chart.yaml 
@@ -1,29 +1,17 @@ apiVersion: v2 - -name: minio-instance - -description: |- - A Helm chart for deploying the Minio instances based on use of the Minio operator - -#home: https://github.com/elastic/cloud-on-k8s - type: application - -version: 4.0.4-bb.4 - -appVersion: RELEASE.2020-11-19T23-48-16Z - -kubeVersion: ">=1.17.0-0" - +name: minio-instance +version: 4.1.2-bb.3 +appVersion: v4.1.2 +description: A Helm chart for MinIO based on Minio Operator 4.1.2 +home: https://min.io +icon: https://min.io/resources/img/logo/MINIO_wordmark.png keywords: - - Minio - - Instance - +- storage +- object-storage +- S3 maintainers: - - name: me - email: - -dependencies: - - name: bb-test-lib - version: "0.5.0" - repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" +- email: dev@minio.io + name: MinIO, Inc +sources: +- https://github.com/minio/operator diff --git a/chart/deps/minio/Kptfile b/chart/deps/minio/Kptfile index 5111a051474bf3e64932f4ddf5745cd6b6f76725..cf023c60f7445ff0213318cf43bef808d36bc520 100644 --- a/chart/deps/minio/Kptfile +++ b/chart/deps/minio/Kptfile @@ -1,11 +1,11 @@ apiVersion: kpt.dev/v1alpha1 kind: Kptfile metadata: - name: minio + name: chart upstream: type: git git: - commit: 3da8ff8e918a5f0fbff1e9a14e2f00a4cba3f925 + commit: 2ac9e5bf5aaaa414ea9790b2057d42e30b86df92 repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio directory: /chart - ref: 4.0.4-bb.4 + ref: 4.1.2-bb.3 diff --git a/chart/deps/minio/templates/_helpers.tpl b/chart/deps/minio/templates/_helpers.tpl index d0d93096c6cd0b831256169532b3c4d8a1a5e20f..29db7b76c7c39c3ce4f6a80a12971bdf0e60e647 100644 --- a/chart/deps/minio/templates/_helpers.tpl +++ b/chart/deps/minio/templates/_helpers.tpl 
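Review bot: The rewritten Chart.yaml drops `kubeVersion: ">=1.17.0-0"`, which was the sub-chart's only install-time guard, while the templates added in this diff rely on `networking.k8s.io/v1` NetworkPolicy and the `minio.min.io/v2` Tenant CRD; unless the parent chart constrains the cluster version elsewhere, keep `kubeVersion: ">=1.17.0-0"` (or whatever operator 4.1.2 actually requires) so an unsupported cluster fails at install rather than at reconcile. `maintainers`/`home`/`sources` now point at MinIO, Inc. although this is the `-bb.3` fork vendored under `chart/deps/minio` and pinned to repo1.dso.mil in the Kptfile hunk below; either list the fork maintainers or add `# Forked from minio/operator chart; Big Bang changes tracked in CHANGELOG` so bug reports land in the right place.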
@@ -61,8 +61,12 @@ Create the name of the service account to use Create the name of the service used to access the Minio object UI. Note: the Minio operator has a fixed name of "minio" for the service it creates. */}}
-{{- define "minio.serviceName" -}}
+{{- define "minio.serviceName" }}
+{{- if .Values.upgradeTenants.enabled -}}
 minio
+{{- else -}}
+{{- default (include "minio.fullname" .) .Values.service.nameOverride }}
+{{- end }}
 {{- end }}
 {{/*
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/allow-sidecar-scraping.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/allow-sidecar-scraping.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0d45971d78b907c720fedb50e25ff8c77df36db5
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/allow-sidecar-scraping.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-sidecar-scraping
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ ports:
+ - protocol: TCP
+ port: 15090
+ - protocol: TCP
+ port: 15020
+{{- end }}
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c086ccaefd638de13fa73b1999b32471becb1665
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml
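Review bot: `allow-sidecar-scraping` is gated only on `istio.enabled`, whereas the sibling `allow-scraping` policy in monitoring-ingress.yaml is gated on `monitoring.enabled`; with monitoring disabled this still opens 15090/15020 on every pod in the namespace (`podSelector: {}`) to any `app: prometheus` pod in a namespace labelled `app.kubernetes.io/name: monitoring`. Suggest `{{- if and .Values.networkPolicies.enabled .Values.istio.enabled .Values.monitoring.enabled }}` so the two scrape policies switch together. The `app: prometheus` pod label is presumably what the Big Bang monitoring stack puts on its Prometheus pods — worth confirming, since a label mismatch blocks sidecar scraping silently rather than failing loudly.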
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-external-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {}
+ ports:
+ - port: 53
+ protocol: UDP
+{{- end }}
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..956331f0df0889bc112ced639966bf1a9203fa01
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+{{- end }}
\ No newline at end of file
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0381a216d0af331b60a2ce49916c3f8f6ca17837
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
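Review bot: The DNS exception in `default-deny-external-egress` allows only UDP/53; resolvers retry over TCP/53 when a response is truncated (large record sets, DNSSEC), so a client that hits that path is cut off with no obvious error — add `- port: 53` / `protocol: TCP` next to the UDP entry. The `to:` entry is `namespaceSelector: {}` with no pod selector, which lets these pods reach port 53 on any pod in any namespace rather than only the cluster resolver; if the DNS pods carry a stable label (kube-dns uses `k8s-app: kube-dns`), pair it as `podSelector: {matchLabels: {k8s-app: kube-dns}}` in the same list entry so the two are ANDed. Minor: the manifest is named `default-deny-external-egress` in a file called default-deny-egress.yaml, and `podSelector: {matchLabels: {}}` is the same as the `podSelector: {}` used by the other policies — aligning both makes the policy set easier to audit.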
@@ -0,0 +1,26 @@
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- if $enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-helm-test-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ helm-test: enabled
+ egress:
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+ {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+ # ONLY Block requests to cloud metadata IP
+ except:
+ - 169.254.169.254/32
+ {{- end }}
+ policyTypes:
+ - Egress
+{{- end }}
+{{- end }}
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5ecf0115b852ab6d78a67691bad2e62d324755bf
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml
@@ -0,0 +1,46 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istio-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ ports:
+ - port: {{ .Values.service.port }}
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istio-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ app: istiod
+ ports:
+ - port: 15012
+{{- end }}
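Review bot: With the default `networkPolicies.controlPlaneCidr: 0.0.0.0/0` from the values.yaml hunk in this diff, `allow-helm-test-egress` grants the `helm-test: enabled` pods egress to every IPv4 address and the `except` entry shields only the IMDS, so any environment that forgets to set the real API-server CIDR runs its test pods effectively unrestricted. The comment `# ONLY Block requests to cloud metadata IP` should say why that is acceptable and what to set instead, e.g. `# Dev default: 0.0.0.0/0 opens all IPv4 egress for test pods; set controlPlaneCidr to the API-server range on real clusters`. Style: `$bbtests` is already defaulted to a dict, so `{{- if and .Values.networkPolicies.enabled $bbtests.enabled }}` would let the outer `hasKey` guard and the second `if` go.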
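Review bot: `allow-istio-ingress` hardcodes the gateway pod labels `app: istio-ingressgateway` / `istio: ingressgateway`, while the values.yaml hunk in this same diff introduces `networkPolicies.ingressLabels` with exactly those defaults and nothing reads it, so an operator overriding `ingressLabels` for a differently labelled gateway gets no change in the policy. Render the selector from the value: `podSelector:` / `  matchLabels:` / `    {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12 }}` (indent to match the surrounding block). The allowed ingress port is `.Values.service.port`, i.e. the legacy 2.0.9 Service port; when `upgradeTenants.enabled` is true the Service comes from the operator rather than `release2.0.9/service.yaml`, so confirm the operator-created service listens on that same port or gateway traffic will be denied.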
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..59065e3900767a80cb15b0cf65d22e87da26cd61 --- /dev/null +++ b/chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-scraping + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + ports: + - port: {{ .Values.service.port }} + protocol: TCP +{{- end }} \ No newline at end of file diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml new file mode 100644 index 0000000000000000000000000000000000000000..495131c6ca86c6be9e4e10acf8c8b86bbe95e344 --- /dev/null +++ b/chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml @@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/deps/minio/templates/minio-vs.yaml b/chart/deps/minio/templates/minio-vs.yaml index 08496b4aa5eb09d40b5593e2b0fc360eef47994d..31dead7bf7b3d47d31c94ebc82ddd0cedcced907 100644 --- a/chart/deps/minio/templates/minio-vs.yaml +++ b/chart/deps/minio/templates/minio-vs.yaml 
@@ -26,12 +26,12 @@ spec: http: - match: - uri: - prefix: /minio/prometheus/metrics + prefix: /minio/v2/metrics/cluster route: - destination: host: {{ include "minio.serviceName" . }} port: - number: {{ include "minio.servicePort" . | trim }} + number: {{ .Values.tenants.metrics.port }} fault: abort: percentage: diff --git a/chart/deps/minio/templates/release2.0.9/minioinstance.yaml b/chart/deps/minio/templates/release2.0.9/minioinstance.yaml new file mode 100644 index 0000000000000000000000000000000000000000..76122a2a8bfb4526df907d20a9bf9498c381d9ea --- /dev/null +++ b/chart/deps/minio/templates/release2.0.9/minioinstance.yaml 
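Review bot: The metrics `match` prefix switches unconditionally to `/minio/v2/metrics/cluster`, but the legacy `release2.0.9/minioinstance.yaml` added in this diff still annotates pods with `prometheus.io/path: /minio/prometheus/metrics`, so with `upgradeTenants.enabled: false` this VirtualService rule no longer matches the path the legacy instance serves metrics on; if the `fault.abort` below (its percentage is outside the hunk) is what keeps metrics from being reachable through the gateway, that protection is lost for the legacy path. Make the prefix follow the mode, e.g. `prefix: {{ ternary "/minio/v2/metrics/cluster" "/minio/prometheus/metrics" .Values.upgradeTenants.enabled }}`, or list both match entries. Likewise `number: {{ .Values.tenants.metrics.port }}` now drives the legacy route too, while the legacy Service still listens on `service.port`.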
@@ -0,0 +1,122 @@
+{{- if not .Values.upgradeTenants.enabled }}
+apiVersion: operator.min.io/v1
+kind: MinIOInstance
+metadata:
+ name: {{ include "minio.fullname" . }}
+## If specified, MinIOInstance pods will be dispatched by specified scheduler.
+## If not specified, the pod will be dispatched by default scheduler.
+# scheduler:
+# name: my-custom-scheduler
+spec:
+ ## Add metadata to the all pods created by the StatefulSet
+ metadata:
+ ## Optionally pass labels to be applied to the statefulset pods
+ labels:
+ app: {{ include "minio.fullname" . }}
+ {{- include "minio.labels" . | nindent 6 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ prometheus.io/path: /minio/prometheus/metrics
+ prometheus.io/port: "9000"
+ prometheus.io/scrape: "true"
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+
+ ## Registry location and Tag to download MinIO Server image
+ image: {{ .Values.image.name }}:{{ .Values.image.tag }}
+ serviceAccountName: {{ include "minio.serviceAccountName" . }}
+ ## A ClusterIP Service will be created with the given name
+ serviceName: minio-internal-service
+ zones:
+ - name: "zone-0"
+ ## Number of MinIO servers/pods in this zone.
+ ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
+ ## Note that the operator does not support upgrading from standalone to distributed mode.
+ servers: {{ .Values.zones.servers }}
+ ## Supply number of volumes to be mounted per MinIO server instance.
+ ## 2 is minimum volumes with 3 servers
+ volumesPerServer: {{ .Values.volumesPerServer }}
+ ## Mount path where PV will be mounted inside container(s). Defaults to "/export".
+ mountPath: /export
+ ## Sub path inside Mount path where MinIO starts. Defaults to "".
+ # subPath: /data
+ ## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO cluster.
+ ## Please do not change the volumeClaimTemplate field while expanding the cluster, this may
+ ## lead to unbound PVCs and missing data
+ volumeClaimTemplate:
+ metadata:
+ name: data
+ spec:
+ accessModes:
+ - {{ .Values.volumeClaimTemplate.accessModes}}
+ resources:
+ requests:
+ storage: {{ .Values.volumeClaimTemplate.storage}}
+ ## Secret with credentials to be used by MinIO instance.
+ credsSecret:
+ name: {{ .Values.minioRootCreds }}
+ ## PodManagement policy for pods created by StatefulSet. Can be "OrderedReady" or "Parallel"
+ ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
+ ## for details. Defaults to "Parallel"
+ podManagementPolicy: Parallel
+ ## Secret with certificates to configure TLS for MinIO certs. Create secrets as explained
+ ## here: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+ # externalCertSecret:
+ # name: tls-ssl-minio
+ ## Enable Kubernetes based certificate generation and signing as explained in
+ ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
+ requestAutoCert: false
+ ## Used when "requestAutoCert" is set to true. Set CommonName for the auto-generated certificate.
+ ## Internal DNS name for the pod will be used if CommonName is not provided.
+ ## DNS name format is minio-{0...3}.minio.default.svc.cluster.local
+ certConfig:
+ commonName: ""
+ organizationName: []
+ dnsNames: []
+ ## Used to specify a toleration for a pod
+ # tolerations:
+ # - effect: NoSchedule
+ # key: dedicated
+ # operator: Equal
+ # value: storage
+ ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
+ env:
+ - name: MINIO_PROMETHEUS_AUTH_TYPE
+ value: "public"
+ # - name: MINIO_BROWSER
+ # value: "off" # to turn-off browser
+ # - name: MINIO_STORAGE_CLASS_STANDARD
+ # value: "EC:2"
+ ## Configure resource requests and limits for MinIO containers
+ # resources:
+ # requests:
+ # memory: 20Gi
+ ## Liveness probe detects situations where MinIO server instance
+ ## is not working properly and needs restart. Kubernetes automatically
+ ## restarts the pods if liveness checks fail.
+ liveness:
+ initialDelaySeconds: 10
+ periodSeconds: 1
+ timeoutSeconds: 1
+ ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+ ## eligible to run on a node, the node must have each of the
+ ## indicated key-value pairs as labels.
+ ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ # nodeSelector:
+ # disktype: ssd
+ ## Affinity settings for MinIO pods. Read more about affinity
+ ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+ # affinity:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ {{- end }}
\ No newline at end of file
diff --git a/chart/deps/minio/templates/release2.0.9/service.yaml b/chart/deps/minio/templates/release2.0.9/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cf3ce13fa98bc64cf53de088f865aea35306010e
--- /dev/null
+++ b/chart/deps/minio/templates/release2.0.9/service.yaml
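Review bot: `credsSecret.name` references `.Values.minioRootCreds` (`default-minio-creds-secret` in this diff's values.yaml), but no template in the diff creates a Secret with that name — `tenant-secret.yaml` renders `tenants.secrets.name`, i.e. `minio-creds-secret` — so on the legacy path the instance points at a secret that presumably has to be created out of band before the pods can start; either default `minioRootCreds` to the same name as `tenants.secrets.name`, or document it in values.yaml: `# Secret holding accesskey/secretkey for the 2.0.9 instance; must exist before install`. Two hardening points in the same hunk: `MINIO_PROMETHEUS_AUTH_TYPE: "public"` serves `/minio/prometheus/metrics` without a bearer token to anything that can reach port 9000 (every pod in the namespace under `allow-in-ns`), so either note that this is deliberate or drop the override so the server's default auth applies; and `liveness: periodSeconds: 1` / `timeoutSeconds: 1` restarts the pod after a single slow second, which under disk pressure turns into a restart loop — something like `periodSeconds: 10` / `timeoutSeconds: 5` is the usual shape. The file is retained for upgrade compatibility, so a header comment `## Legacy operator.min.io/v1 path; rendered only when upgradeTenants.enabled is false` would also help.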
@@ -0,0 +1,18 @@
+{{- if not .Values.upgradeTenants.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "minio.serviceName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "minio.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: 9000
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "minio.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/chart/deps/minio/templates/serviceMonitor.yaml b/chart/deps/minio/templates/release2.0.9/serviceMonitor.yaml
similarity index 88%
rename from chart/deps/minio/templates/serviceMonitor.yaml
rename to chart/deps/minio/templates/release2.0.9/serviceMonitor.yaml
index a9a1e57dd6681b685c693e529e847eadd262cdf6..1098800441c239ec5233b16ca03db88e214dbf8d 100644
--- a/chart/deps/minio/templates/serviceMonitor.yaml
+++ b/chart/deps/minio/templates/release2.0.9/serviceMonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.monitoring.enabled }}
+{{- if and .Values.monitoring.enabled (not .Values.upgradeTenants.enabled) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/chart/deps/minio/templates/service-account.yaml b/chart/deps/minio/templates/service-account.yaml
index 1ff1374e539829a7214d3c8f7c6d340a8ce0312a..250739201736b1f8f7d2bc9cb0d67acec2c73a69 100644
--- a/chart/deps/minio/templates/service-account.yaml
+++ b/chart/deps/minio/templates/service-account.yaml
@@ -10,4 +10,4 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 imagePullSecrets:
- {{ toYaml .Values.imagePullSecrets | indent 2 }}
+ - {{ toYaml .Values.tenants.imagePullSecret | indent 2 }}
diff --git a/chart/deps/minio/templates/tenant-secret.yaml b/chart/deps/minio/templates/tenant-secret.yaml
index c1ded296474fdd50d31fbe4ec633465ce79ce10e..3b1e576eb69f8e00520cf3981abb0ead2de6010b 100644
--- a/chart/deps/minio/templates/tenant-secret.yaml
+++ b/chart/deps/minio/templates/tenant-secret.yaml
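Review bot: `- {{ toYaml .Values.tenants.imagePullSecret | indent 2 }}` only works because `tenants.imagePullSecret` is a single-key map: `toYaml` yields `name: private-registry`, `indent 2` prefixes it, and the leading `- ` turns that one line into a list item. Add a second key to the map and the continuation line lands at the wrong column and the manifest fails to parse; the change also drops the old top-level `imagePullSecrets` list, so several pull secrets can no longer be attached. Prefer the explicit form `imagePullSecrets:` / `  - name: {{ .Values.tenants.imagePullSecret.name }}`, or, if multiple secrets are wanted, make the value a list and render it with `{{- toYaml <list> | nindent 2 }}`.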
@@ -1,3 +1,4 @@
+{{- if .Values.tenants.secrets.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,7 +7,9 @@ metadata:
 labels:
 {{- include "minio.labels" . | nindent 4 }}
 type: Opaque
-stringData:
- accesskey: {{ .Values.tenants.secrets.accessKey }}
- secretkey: {{ .Values.tenants.secrets.secretKey }}
----
+data:
+ ## Access Key for MinIO Tenant
+ accesskey: {{ .Values.tenants.secrets.accessKey | b64enc }}
+ ## Secret Key for MinIO Tenant
+ secretkey: {{ .Values.tenants.secrets.secretKey | b64enc }}
+{{ end }}
diff --git a/chart/deps/minio/templates/tenant.yaml b/chart/deps/minio/templates/tenant.yaml
index aa06c5f55301df481fa9dae5feb9293ca11a84d7..b162c1d418dbba48832c4f6da61d245c10492034 100644
--- a/chart/deps/minio/templates/tenant.yaml
+++ b/chart/deps/minio/templates/tenant.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.upgradeTenants.enabled }}
 apiVersion: minio.min.io/v2
 kind: Tenant
 metadata:
@@ -8,17 +9,6 @@ metadata:
 labels:
 app: {{ template "minio.fullname" . }}
 {{- include "minio.labels" . | nindent 4 }}
- {{- if .Values.istio.virtualService.labels }}
- {{ toYaml .Values.istio.virtualservice.labels | indent 4 }}
- {{- end }}
- {{- if .Values.istio.virtualService.annotations }}
- ## Annotations for MinIO Tenant Pods
- annotations:
- prometheus.io/path: /minio/prometheus/metrics
- prometheus.io/port: "9000"
- prometheus.io/scrape: "true"
- {{ toYaml .Values.istio.virtualService.annotations | indent 4 }}
- {{- end }}
 ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
 ## If not specified, the Tenant pods will be dispatched by default scheduler.
@@ -61,6 +51,7 @@ spec:
 resources:
 requests:
 storage: {{ .size }}
+ #storageClassName: {{ .storageClassName}}
 ## Used to specify a toleration for a pod
 # tolerations:
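Review bot: `accesskey`/`secretkey` are rendered straight from `tenants.secrets.accessKey`/`secretKey`, whose defaults in this diff's values.yaml become `minio`/`minio123` — the MinIO quick-start sample credentials — so with `secrets.enabled: true` an install that forgets to override gets a root credential anyone can guess. Fail the render instead: `accesskey: {{ required "tenants.secrets.accessKey must be set" .Values.tenants.secrets.accessKey | b64enc }}` (and the same for `secretkey`), with the values.yaml defaults blanked so `required` actually bites. Minor: `{{ end }}` without the dash leaves a trailing blank line in the rendered manifest; `{{- end }}` matches the opening `{{- if }}`.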
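Review bot: `#storageClassName: {{ .storageClassName}}` is commented out for YAML but not for Go templates — Helm still evaluates `{{ .storageClassName}}` on every pool, so this is not dead code, and meanwhile the `pools[].storageClassName: local-path` default set in this diff's values.yaml is never applied to the Tenant. Either drop the line or render it conditionally: `{{- with .storageClassName }}` / `storageClassName: {{ . }}` / `{{- end }}`, which honours the value when set and emits nothing otherwise. The enclosing pools `range` starts and ends outside the hunk.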
@@ -174,6 +165,15 @@ spec: ## for details. podManagementPolicy: {{ .Values.tenants.podManagementPolicy }} + {{ if or .Values.monitoring.enabled .Values.tenants.metrics.enabled }} + ## PrometheusOperator enables the Minio Operator to create the Prometheus serviceMonitor objects to scrape + ## metrics from the tenant. This is only applied if monitoring support is enabled. + prometheusOperator: + labels: + app.kubernetes.io/component: "monitoring" + {{ include "minio.labels" . | nindent 6 }} + {{- end }} + ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific ## services created by the operator. {{- with .Values.tenants.serviceMetadata }} @@ -185,7 +185,9 @@ spec: {{- end }} ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) - # env: + #env: + # - name: MINIO_PROMETHEUS_AUTH_TYPE + # value: "public" # - name: MINIO_BROWSER # value: "off" # to turn-off browser # - name: MINIO_STORAGE_CLASS_STANDARD @@ -220,3 +222,4 @@ spec: {{ toYaml . | nindent 6 }} {{ end }} {{- end }} +{{- end }} diff --git a/chart/deps/minio/values.yaml b/chart/deps/minio/values.yaml index 97f048bd12204df2e7745dae3b2050222dcb97d4..4c7310ad9e1270e2a3584eb83126d904d8026708 100644 --- a/chart/deps/minio/values.yaml +++ b/chart/deps/minio/values.yaml 
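Review bot: The new `prometheusOperator` block hands ServiceMonitor creation to the operator, but the scrape-auth mode is left implicit: the legacy `release2.0.9/minioinstance.yaml` in this diff sets `MINIO_PROMETHEUS_AUTH_TYPE=public` explicitly, whereas here the env stays commented out, so whether the operator-created scrape is authenticated with a bearer token or simply rejected depends on operator behaviour not visible in the diff. Once confirmed, record it above the block, e.g. `## Metrics auth is handled by the operator-created ServiceMonitor; do not set MINIO_PROMETHEUS_AUTH_TYPE=public here`. The block renders when `monitoring.enabled` OR `tenants.metrics.enabled` is set, while `release2.0.9/serviceMonitor.yaml` keys only on `monitoring.enabled` — documenting which flag users are meant to set avoids two half-configured paths. Minor: `{{ if or ... }}` without the dash renders a whitespace-only line before `prometheusOperator:`; `{{- if ... }}` keeps the manifest clean. The enclosing `spec` starts and ends outside the hunk.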
@@ -1,33 +1,13 @@ -# ## Default values for minio instance creation. -## This is a YAML-formatted file. -## Declare variables to be passed into your templates. -## Configure number of MinIO Operator Deployment Replicas -#replicas: -# count: 1 +## Note: to enable upgrade of minio instance, then values file has a number of values that will be +## deprecated in the future. Deprecation candidates will have an annotation in comments regarding the timeframe for deprecation. hostname: bigbang.dev -#nameOverride: "" -#fullnameOverride: "" -# Configure repo and tag of MinIO Operator Image -#image: -# name: registry1.dso.mil/ironbank/opensource/minio/minio -# tag: RELEASE.2020-11-19T23-48-16Z -# imagePullPolicy: IfNotPresent - -#zones: - # refer to documentation for number of servers versus volumes per server - # https://docs.min.io/docs/minio-server-limits-per-tenant.html -# servers: 3 # scale to 3 for dev -#volumesPerServer: 2 # 2 is minimum volumes with 3 servers - -#volumeClaimTemplate: -# accessModes: ReadWriteOnce -# storage: 1Gi # scale down for dev - -imagePullSecrets: - - name: private-registry +# When true, upgradeTenants enables use of the V4.* Minio Operator CRD for creation of tenants is enabled. +# The default will be made TRUE in a future release. +upgradeTenants: + enabled: false serviceAccount: # Specifies whether a service account should be created @@ -38,6 +18,8 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# because the operator handles the service deployment in 4.x and beyond. service: # Internal service name for minio instance. This is the full name of the service used to connect to Minio from within the cluster. # If not specified, the service name will be the default full name of the minio instance. 
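Review bot: The top-level `imagePullSecrets` list is removed and `service-account.yaml` now reads `tenants.imagePullSecret.name` instead, which silently breaks any environment override still setting `imagePullSecrets`: Helm merges the stale key without complaint and the ServiceAccount ends up with the `private-registry` default only. Call the rename out in the sub-chart's changelog for 4.1.2-bb.3 and keep a marker here for a release or two: `# imagePullSecrets: (removed) set tenants.imagePullSecret.name instead`. The new `upgradeTenants` comment reads "enables use of the V4.* Minio Operator CRD for creation of tenants is enabled"; suggest `# When true, tenants are created with the v4.x operator CRD (minio.min.io/v2 Tenant); when false the legacy operator.min.io/v1 MinIOInstance is rendered. Default will become true in a future release.`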
@@ -45,6 +27,7 @@ service: type: ClusterIP port: 9000 +# Removed ina future release podAnnotations: {} istio: 
@@ -60,56 +43,89 @@ istio: service: "" port: "" - monitoring: enabled: false namespace: monitoring +networkPolicies: + enabled: false + controlPlaneCidr: 0.0.0.0/0 + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +image: + name: registry1.dso.mil/ironbank/opensource/minio/minio + tag: RELEASE.2020-11-19T23-48-16Z + pullPolicy: "IfNotPresent" -## MinIO Tenant Definition +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +zones: + # refer to documentation for number of servers versus volumes per server + # https://docs.min.io/docs/minio-server-limits-per-tenant.html + servers: 3 # scale to 3 for dev + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +volumesPerServer: 2 # 2 is minimum volumes with 3 servers + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +volumeClaimTemplate: + accessModes: ReadWriteOnce + storage: 1Gi # scale down for dev + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. 
+minioRootCreds: default-minio-creds-secret + +## MinIO Tenant Definition used for 4.1.2 upgrade tenants: # Tenant name name: minio - ## Registry location and Tag to download MinIO Server image -# Configure repo and tag of MinIO Operator Image + ## Registry location and Tag to download MinIO Server image + # Configure repo and tag of MinIO Operator Image image: repository: registry1.dso.mil/ironbank/opensource/minio/minio - tag: RELEASE.2020-11-19T23-48-16Z + tag: RELEASE.2021-06-17T00-10-46Z pullPolicy: "IfNotPresent" + ## Customize namespace for tenant deployment + #namespace: default imagePullSecret: name: private-registry - ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler. - ## If not specified, the Tenant pods will be dispatched by default scheduler. - ##scheduler: - ## name: + ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler. + ## If not specified, the Tenant pods will be dispatched by default scheduler. + ##scheduler: + ## name: scheduler: {} - ## Used to specify a toleration for a pod - tolerations: {} - ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be - ## eligible to run on a node, the node must have each of the - ## indicated key-value pairs as labels. - ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - nodeSelector: {} - ## Affinity settings for MinIO pods. Read more about affinity - ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. 
- affinity: {} - ## Configure resource requests and limits for MinIO containers - resources: {} - ## Configure security context - ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup - securityContext: - runAsUser: 1001 - runAsGroup: 1001 - fsGroup: 1001 - secrets: - name: minio-creds-secret - accessKey: ThisIsAVeryLongPasswordForExample - secretKey: ThisIsAVeryLongPasswordForExample - metrics: - enabled: false - port: 9000 - ## Specification for MinIO Pool(s) in this Tenant. + ## Used to specify a toleration for a pod + #tolerations: {} + + ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be + ## eligible to run on a node, the node must have each of the + ## indicated key-value pairs as labels. + ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + #nodeSelector: {} + + ## Affinity settings for MinIO pods. Read more about affinity + ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. + #affinity: {} + + ## Configure resource requests and limits for MinIO containers + #resources: {} + + ## Configure security context + ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup + #securityContext: + # runAsUser: 1001 + # runAsGroup: 1001 + # fsGroup: 1001 + + ## Specification for MinIO Pool(s) in this Tenant. pools: ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool. ## For standalone mode, supply 1. For distributed mode, supply 4 or more. @@ -120,7 +136,7 @@ tenants: ## size specifies the capacity per volume size: 1Gi ## storageClass specifies the storage class name to be used for this pool - storageClassName: standard + storageClassName: local-path ## Used to specify a toleration for a pod tolerations: {} ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be 
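Review bot: `networkPolicies.controlPlaneCidr: 0.0.0.0/0` is the value the helm-test policy in this diff special-cases into "allow everything except the IMDS", so the default should be labelled dev-only: `# CIDR of the Kubernetes API server; 0.0.0.0/0 (dev default) opens all IPv4 egress for test pods except the cloud metadata IP`. `ingressLabels` is introduced here but no template in this diff reads it (istio-allow.yaml hardcodes the same two labels), so either wire it into that policy or drop it to avoid a knob that looks configurable and is not. The repeated deprecation comments have typos (`itens` → `items`, `ina` → `in a`) and say "service items" above `image`, `zones`, `volumesPerServer`, `volumeClaimTemplate` and `minioRootCreds`, none of which are service settings; one accurate comment above the group — `# Legacy (2.0.9 MinIOInstance) settings kept for upgrade compatibility; removed once upgradeTenants defaults to true` — would read better. The legacy `image.tag` stays on `RELEASE.2020-11-19T23-48-16Z` while `tenants.image.tag` moves to `RELEASE.2021-06-17T00-10-46Z`; if that is intentional (upgrade path only), say so next to the tag.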
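Review bot: The pool default changes from `standard` to `local-path`, the Rancher/k3s provisioner's class name; on a cluster without it the tenant PVCs stay Pending with nothing in the chart pointing at the cause. Note also that the tenant.yaml hunk in this diff comments out the `storageClassName` line, so this value is currently not rendered at all — either wire it back in, or leave the default empty so the cluster default class applies, with a comment such as `# storageClassName: "" uses the cluster default; set explicitly (e.g. local-path on k3d) when needed`.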
@@ -139,10 +155,24 @@ tenants: runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 - ## Mount path where PV will be mounted inside container(s). + ## Mount path where PV will be mounted inside container(s). mountPath: /export - ## Sub path inside Mount path where MinIO stores data. + + ## Sub path inside Mount path where MinIO stores data. subPath: /data + + # pool secrets + secrets: + enabled: true + name: minio-creds-secret + accessKey: minio + secretKey: minio123 + + # pool metrics to be read by Prometheus + metrics: + enabled: false + port: 9000 + certificate: ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure ## TLS for MinIO Tenant pods. Create secrets as explained here: @@ -195,12 +225,13 @@ tenants: enabled: false image: repository: minio/console - tag: v0.6.3 + tag: v0.7.4 pullPolicy: IfNotPresent replicaCount: 1 secrets: - name: minio-console-secret - passphrase: ThisIsAVeryLongConsolePasswordForExample - salt: ThisIsAVeryLongConsolePasswordForExample - accessKey: ThisIsAVeryLongConsolePasswordForExample - secretKey: ThisIsAVeryLongConsolePasswordForExample + enabled: true + name: console-secret + passphrase: SECRET + salt: SECRET + accessKey: YOURCONSOLEACCESS + secretKey: YOURCONSOLESECRET diff --git a/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ec71cd29e338d56d3b3239c741596cd8a25f6e84 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml 
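Review bot: The new pool `secrets` block ships working-looking default credentials (`accessKey: minio`, `secretKey: minio123`) with `enabled: true`, and the console hunk below does the same with `passphrase: SECRET`, `salt: SECRET`, `accessKey: YOURCONSOLEACCESS`, `secretKey: YOURCONSOLESECRET`; a deployment that does not override them gets a tenant with guessable keys. The parent chart's values.yaml appears to override `minio.tenants.secrets`, but nothing in this dependency values file says that these are placeholders. Suggest a comment above each block, e.g. `# Placeholder credentials — MUST be overridden by the consuming chart (see minio.tenants.secrets in chart/values.yaml); never deploy as-is`. The file header for this hunk is outside the visible chunk, so the enclosing `tenants:` mapping starts before it.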
@@ -0,0 +1,22 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-dns-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + # Allow access to DNS + egress: + - to: + - namespaceSelector: {} + ports: + - port: 53 + protocol: UDP + {{- if .Values.openshift }} + - port: 5353 + protocol: UDP + {{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9ebb80c7cca818f95615d5ee6da03045cd7fc2b2 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-elastic-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: mattermost + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: logging + podSelector: + matchLabels: + common.k8s.elastic.co/type: elasticsearch + ports: + - port: 9200 + protocol: TCP +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml new file mode 100644 index 0000000000000000000000000000000000000000..265a0e581a1ef7d28b57e7ff7d61e1bad03fe896 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml 
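Review bot: The DNS egress rule in allow-dns-egress.yaml only opens UDP/53 (plus UDP/5353 on OpenShift); resolvers fall back to TCP/53 for truncated responses and several CoreDNS deployments answer over TCP, so the `ports` list should also carry `- port: 53` / `protocol: TCP` (and TCP/5353 inside the `openshift` branch). `namespaceSelector: {}` additionally lets every pod reach port 53 in any namespace, which is wider than the cluster resolver; narrowing it to the DNS namespace would be preferable if its label is known — left hedged because the cluster DNS namespace is not visible here. A one-line comment such as `# UDP and TCP 53: TCP is needed for truncated/large responses` would explain the pair to the next maintainer.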
@@ -0,0 +1,20 @@ +{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-external-postgres-egress-upgrade + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: mattermost-update-check + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml new file mode 100644 index 0000000000000000000000000000000000000000..495131c6ca86c6be9e4e10acf8c8b86bbe95e344 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml @@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e2227896fd03d735201ad8b365699ce939ef09d6 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml 
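Review bot: `allow-external-postgres-egress-upgrade` grants the `mattermost-update-check` pod egress to `0.0.0.0/0` on every port, so the policy name and the `# ONLY Block requests to AWS metadata IP` comment overstate how narrow it is; if the external database endpoint is fixed, scope the rule with `ports: - port: 5432` / `protocol: TCP` (or the configured port) and, where known, a tighter `cidr`. The same `ipBlock` stanza is repeated in allow-mattermost-egress.yaml and allow-test-egress.yaml; whether an `ipBlock` rule also governs traffic to in-cluster pod and service IPs is CNI-dependent, so a comment stating the intent, e.g. `# external egress only; in-namespace traffic is governed by allow-in-ns`, would help operators reason about the set. 169.254.169.254 is the metadata address on several clouds, so the comment could read `# ONLY block requests to the cloud metadata IP`, matching the wording used in allow-test-egress.yaml.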
@@ -0,0 +1,33 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istio + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: mattermost + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}} + ports: + - port: 8065 + protocol: TCP + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + istio: pilot +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..931746c375fb18452f05409693066de5c82a07ae --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml @@ -0,0 +1,20 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-mattermost-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: mattermost + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + # ONLY Block requests to AWS metadata IP + except: + - 169.254.169.254/32 +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9d615b7bed3dfd2377008b658e4275e80701e678 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml 
@@ -0,0 +1,24 @@ +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-monitoring-ingress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: mattermost + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + podSelector: + matchLabels: + app: prometheus + ports: + - port: 8067 + protocol: TCP +{{- end }} \ No newline at end of file diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..974182bd8bdb3e389e1b0e94f75ac732d8dd3847 --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml @@ -0,0 +1,26 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- if $enabled }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + egress: + - to: + - ipBlock: + cidr: {{ .Values.networkPolicies.controlPlaneCidr }} + {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }} + # ONLY Block requests to cloud metadata IP + except: + - 169.254.169.254/32 + {{- end }} + policyTypes: + - Egress +{{- end }} +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b8fe2231e033ac99c6fa5c0c7337241be9fe5bfa --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml 
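Review bot: The three-step guard at the top of allow-test-egress.yaml (`$bbtests := ... | default dict`, `$enabled := hasKey ...`, then two nested `if`s) can be one condition, because Helm templates yield a nil, falsey value for a missing map key: keep `{{- $bbtests := .Values.bbtests | default dict -}}` and replace the two `if` lines with `{{- if and .Values.networkPolicies.enabled $bbtests.enabled }}`, dropping the matching inner `{{- end }}`. Separately, the metadata `except` is emitted only when `controlPlaneCidr` is exactly the string `0.0.0.0/0`; a broad range that still contains 169.254.169.254 gets no exclusion, which is worth a comment at the `if eq` line, e.g. `# except applies only to the catch-all default; narrower CIDRs are assumed not to include the metadata address`.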
@@ -0,0 +1,14 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: [] + egress: [] +{{- end }} \ No newline at end of file diff --git a/chart/templates/default-bucket.yaml b/chart/templates/default-bucket.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f3065f2958eef89b05d2ee2e06818a56fff13ca7 --- /dev/null +++ b/chart/templates/default-bucket.yaml @@ -0,0 +1,40 @@ +{{- if .Values.minio.install }} +apiVersion: batch/v1 +kind: Job +metadata: + name: default-minio-bucket-creation + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + template: + metadata: + name: default-minio-bucket-creation + spec: + imagePullSecrets: + {{- with .Values.global.imagePullSecrets }} + {{ . | toYaml | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: minio-bucket-creation + image: {{ .Values.minio.bucketCreationImage }} + command: + - /bin/sh + - -c + - | + set -ex + attempt_counter=0 + max_attempts=25 + until [ $(mc config host add bigbang http://{{ .Values.minio.service.nameOverride }} {{ .Values.minio.tenants.secrets.accessKey }} {{ .Values.minio.tenants.secrets.secretKey }} >/dev/null; echo $?) -eq 0 ]; do + if [ ${attempt_counter} -eq ${max_attempts} ];then + echo "Max attempts reached" + exit 1 + fi + attempt_counter=$(($attempt_counter+1)) + sleep 10 + done + mc mb bigbang/mattermost +{{- end }} diff --git a/chart/templates/env-secret.yaml b/chart/templates/env-secret.yaml index 9dd5e1e513130438f6884fe3d6ccbca6105b77ef..ebb8e7b2dae2e22b701745bf1805e620a0f0322a 100644 --- a/chart/templates/env-secret.yaml +++ b/chart/templates/env-secret.yaml 
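Review bot: In default-bucket.yaml the `set -ex` trace prints the `mc config host add ...` line, including `.Values.minio.tenants.secrets.secretKey`, into the Job pod's log, so the tenant credentials end up in whatever collects container logs; passing them through environment variables and dropping `-x` keeps them out of the trace (sourcing them with `secretKeyRef` from the tenant secret would be better still, but its key names are not visible here). `mc mb bigbang/mattermost` also fails when the bucket already exists, so this `post-upgrade` hook would fail every upgrade after the first — `mc mb --ignore-existing` makes it idempotent. The bucket name is hardcoded while mattermost.yaml uses `.Values.fileStore.bucket | default "mattermost"`; the job should derive it the same way.
```yaml
      containers:
        - name: minio-bucket-creation
          image: {{ .Values.minio.bucketCreationImage }}
          # Credentials travel via env so they never appear in the command line
          # or shell trace; ideally sourced with secretKeyRef from the tenant secret.
          env:
            - name: BUCKET_ACCESS_KEY
              value: {{ .Values.minio.tenants.secrets.accessKey | quote }}
            - name: BUCKET_SECRET_KEY
              value: {{ .Values.minio.tenants.secrets.secretKey | quote }}
            - name: MINIO_URL
              value: {{ printf "http://%s" .Values.minio.service.nameOverride | quote }}
            - name: BUCKET_NAME
              value: {{ .Values.fileStore.bucket | default "mattermost" | quote }}
          command:
            - /bin/sh
            - -c
            - |
              set -e   # no -x: the trace would echo the secret key into the pod log
              attempt_counter=0
              max_attempts=25
              until mc config host add bigbang "$MINIO_URL" "$BUCKET_ACCESS_KEY" "$BUCKET_SECRET_KEY" >/dev/null; do
                if [ "${attempt_counter}" -eq "${max_attempts}" ]; then
                  echo "Max attempts reached"
                  exit 1
                fi
                attempt_counter=$((attempt_counter+1))
                sleep 10
              done
              # --ignore-existing keeps the post-upgrade hook idempotent
              mc mb --ignore-existing "bigbang/${BUCKET_NAME}"
```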
@@ -46,4 +46,4 @@ stringData: MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .data.elastic | b64dec }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/mattermost.yaml b/chart/templates/mattermost.yaml index 524b26d0e847d5845e46921d04c9c1e5a413bc10..6360eec2dc35e3fe380d2c6b6fd1bf46441866d5 100644 --- a/chart/templates/mattermost.yaml +++ b/chart/templates/mattermost.yaml @@ -9,6 +9,10 @@ metadata: spec: image: {{ .Values.image.name }} imagePullPolicy: {{ .Values.image.imagePullPolicy }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 4 }} + {{- end }} size: {{ .Values.users }}users version: {{ .Values.image.tag }} @@ -149,12 +153,22 @@ spec: {{ toYaml .Values.nodeSelector | nindent 6 }} {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 4}} + {{- end }} + + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 4}} + {{- end }} + database: external: secret: {{ .Values.database.secret | default (printf "%s-dbcreds" (include "mattermost.fullname" .)) }} fileStore: external: - url: {{ .Values.fileStore.url | default "minio:80" }} + url: {{ .Values.fileStore.url | default .Values.minio.service.nameOverride }} bucket: {{ .Values.fileStore.bucket | default "mattermost" }} secret: {{ .Values.fileStore.secret | default .Values.minio.tenants.secrets.name }} diff --git a/chart/templates/tests/test-ui.yaml b/chart/templates/tests/test-ui.yaml index 57f97717fa3416c85c53db25f8f04b7837fa6134..163bd16f97c275ce0d713081a0afdf6e07f0116d 100644 --- a/chart/templates/tests/test-ui.yaml +++ b/chart/templates/tests/test-ui.yaml 
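Review bot: In mattermost.yaml the new default for `fileStore.external.url` is `.Values.minio.service.nameOverride`, whose shipped value (`minio.mattermost.svc.cluster.local`) bakes the `mattermost` namespace into the chart, so a release installed into any other namespace silently targets a service in a different namespace; the bucket-creation job uses the same value. Consider leaving `nameOverride` empty by default and computing the fallback in the template: `url: {{ .Values.fileStore.url | default .Values.minio.service.nameOverride | default (printf "minio.%s.svc.cluster.local" .Release.Namespace) }}`. The previous default `minio:80` carried an explicit port; whether the operator assumes one for a bare hostname is not visible here, so a comment at that line recording the expected form (`# host[:port] of the S3 endpoint; scheme is implied by the operator`) would help. The enclosing `spec:` mapping extends beyond this hunk.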
@@ -1,11 +1,11 @@ -{{- include "bb-test-lib.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }} +{{- include "gluon.tests.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }} {{- define "mattermost-test.cypress-configmap" }} metadata: labels: {{ include "mattermost.labels" . | nindent 4 }} {{- end }} --- -{{- include "bb-test-lib.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}} +{{- include "gluon.tests.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}} {{- define "mattermost-test.cypress-runner" -}} metadata: labels: diff --git a/chart/values.yaml b/chart/values.yaml index 81d548175b2e8b3b30089fa3b91a76268cf5dc91..541b99cebae176602653f7c89569cd926d29cbf1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -18,6 +18,13 @@ monitoring: enabled: false namespace: monitoring +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + controlPlaneCidr: 0.0.0.0/0 + sso: enabled: false client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost @@ -28,8 +35,8 @@ sso: # Repo and image tag image: - name: registry.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/mattermost - tag: 5.34.2 + name: registry1.dso.mil/ironbank/opensource/mattermost/mattermost + tag: 5.37.0 imagePullPolicy: IfNotPresent global: 
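Review bot: The new `networkPolicies` block in values.yaml has no comments, and `controlPlaneCidr: 0.0.0.0/0` is a security-relevant default — with it the helm-test pods get egress to everything except the metadata IP. Suggest documenting each key above it: `# CIDR of the Kubernetes API server(s) the helm tests must reach; 0.0.0.0/0 leaves test egress wide open — set it to your control-plane range`, and `# Labels of the ingress gateway pods allowed to reach Mattermost (used by allow-istio.yaml)`. Stating that `enabled: false` means none of the templates under chart/templates/bigbang/networkpolicies render would also spare operators a read of every file.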
@@ -95,14 +102,28 @@ existingSecretEnvs: {} # key: DB_CONNECTION_CHECK_URL # name: "mysecretname" +volumes: {} + # - name: ca-cert + # secret: + # secretName: ca-secret + # defaultMode: 0644 + +volumeMounts: {} + # - name: ca-cert + # mountPath: /etc/ssl/certs + # readOnly: true + minio: install: false - + bucketCreationImage: "registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-06-13T17-48-22Z" + # Override the minio service name for easier connection setup + service: + nameOverride: "minio.mattermost.svc.cluster.local" tenants: secrets: name: "mattermost-objstore-creds" accessKey: "minio" - secretKey: "minio#123" # default key, change this! + secretKey: "minio123" # default key, change this! postgresql: install: false @@ -167,3 +188,5 @@ elasticsearch: enablesearching: true # When true, Elasticsearch will be used for all autocompletion queries on users and channels using the latest index. Autocompletion results may be incomplete until a bulk index of the existing users and channels database is finished. When false, database autocomplete is used. enableautocomplete: true + +openshift: false diff --git a/docs/keycloak.md b/docs/keycloak.md index a2423ae55d7ddd7f36e81201481c9d4aca046a16..36431b3c704804ae5acb2a2508116fb5f51fc814 100644 --- a/docs/keycloak.md +++ b/docs/keycloak.md @@ -20,7 +20,7 @@ Under the mappers tab, create a new mapper: - claim JSON type - long - add to userinfo - on -Create another mapper: +Create username mapper: - name - username - mapper type - user property - property - username @@ -29,6 +29,15 @@ Create another mapper: - add to userinfo - on - all other sliders off +Create email mapper: +- name - email +- mapper type - user property +- property - email +- token claim name - email +- claim JSON type - string +- add to userinfo - on +- all other sliders off + Add mattermostid to existing user: - Login to keycloak Admin Console with the master realm user - Go to your realm 
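Review bot: `service.nameOverride: "minio.mattermost.svc.cluster.local"` hardcodes the `mattermost` namespace in a value the templates use for both the file-store URL and the bucket-creation job, so a release in any other namespace points at the wrong service; at minimum a comment should say so: `# Must match the namespace MinIO is deployed in; the default assumes the release namespace is "mattermost"`. The default `secretKey` also changed from `minio#123` to `minio123` — presumably because the bucket job interpolates it unquoted into a shell command line where `#` would start a comment; if so, note that constraint next to `# default key, change this!` (e.g. `# keep shell-safe: this value is interpolated into the bucket-creation job`) so a later change does not reintroduce the breakage.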
@@ -68,3 +77,27 @@ helm upgrade -i mattermost chart -n mattermost --create-namespace -f my-values.y Role based authentication can be configured as long as you are on an enterprise version. Follow the steps in [this tutorial](https://docs.mattermost.com/deployment/advanced-permissions.html) to customize the permissions given to users. In general permissions can be edited under the "System Console -> User Management -> Permissions". Users should be created by default under the "Member" group, except for the first user to sign up or login. + +## OIDC Custom CA + +Mattermost can be configured to point to specific files to trust with an OIDC auth connection, here is an example when using Big Bang to deploy mattermost, assuming you are populating a secret named "ca-cert" in the same namespace, with a key of cert.pem and value of a single PEM encoded certificate (an easy way to make this secret is included below as well): + +```yaml +addons: + mattermost: + values: + volumes: + - name: ca-cert + secret: + secretName: ca-secret + defaultMode: 0644 + volumeMounts: + - name: ca-cert + mountPath: /etc/ssl/certs + readOnly: true +``` + +For secret creation with this example and a pem file at `/path/to/cert.pem`: +```bash +kubectl create secret generic ca-secret --from-file=cert.pem=/path/to/cert.pem -n mattermost +``` diff --git a/tests/dependencies.yaml b/tests/dependencies.yaml index 0199dcdca193f9dcd384d15024b2213f0b2e69ab..8ca3e4856d93c8fcb7d5e9a7b0f54cba6399cb1b 100644 --- a/tests/dependencies.yaml +++ b/tests/dependencies.yaml @@ -1,9 +1,9 @@ mattermostoperator: git: "https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git" namespace: "mattermost-operator" - branch: "1.13.0-bb.2" + branch: "1.14.0-bb.2" miniooperator: git: "https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git" namespace: "minio-operator" - branch: "4.0.4-bb.1" + branch: "4.1.2-bb.1" 
diff --git a/tests/test-values.yml b/tests/test-values.yml index f180ba22f089d4c494ebb1c963a5f6c06f31f7ca..3f12784fc0724d427f278eebfbf489c6c6dca1e5 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,10 +1,16 @@ minio: install: true + upgradeTenants: + enabled: true postgresql: install: true +networkPolicies: + enabled: true + bbtests: + enabled: true cypress: artifacts: true envs: