Merge branch 'minio-4-upgrade' into 'main'

MM Minio 4 upgrade See merge request !50

Merge branch 'minio-4-upgrade' into 'main'
MM Minio 4 upgrade See merge request !50
299f2dc4 · Ryan Garcia · 36c78e49 · 0c6046b3 · 299f2dc4 · 299f2dc4
Commit 299f2dc4 authored Aug 06, 2021 by Ryan Garcia
20 changed files
--- a/chart/deps/minio/templates/release2.0.9/minioinstance.yaml
+++ b/chart/deps/minio/templates/release2.0.9/minioinstance.yaml
+{{- if not .Values.upgradeTenants.enabled }}
+apiVersion: operator.min.io/v1
+kind: MinIOInstance
+metadata:
+  name: {{ include "minio.fullname" . }}
+## If specified, MinIOInstance pods will be dispatched by specified scheduler.
+## If not specified, the pod will be dispatched by default scheduler.
+# scheduler:
+#  name: my-custom-scheduler
+spec:
+  ## Add metadata to the all pods created by the StatefulSet
+  metadata:
+    ## Optionally pass labels to be applied to the statefulset pods
+    labels:
+      app: {{ include "minio.fullname" . }}
+      {{- include "minio.labels" . | nindent 6 }}
+    {{- with .Values.podAnnotations }}
+    annotations:
+      prometheus.io/path: /minio/prometheus/metrics
+      prometheus.io/port: "9000"
+      prometheus.io/scrape: "true"
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
+    {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+
+  ## Registry location and Tag to download MinIO Server image
+  image: {{ .Values.image.name }}:{{ .Values.image.tag }}
+  serviceAccountName: {{ include "minio.serviceAccountName" . }}
+  ## A ClusterIP Service will be created with the given name
+  serviceName: minio-internal-service
+  zones:
+    - name: "zone-0"
+      ## Number of MinIO servers/pods in this zone.
+      ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
+      ## Note that the operator does not support upgrading from standalone to distributed mode.
+      servers: {{ .Values.zones.servers }}
+  ## Supply number of volumes to be mounted per MinIO server instance.
+  ## 2 is minimum volumes with 3 servers
+  volumesPerServer: {{ .Values.volumesPerServer }}
+  ## Mount path where PV will be mounted inside container(s). Defaults to "/export".
+  mountPath: /export
+  ## Sub path inside Mount path where MinIO starts. Defaults to "".
+  # subPath: /data
+  ## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO cluster.
+  ## Please do not change the volumeClaimTemplate field while expanding the cluster, this may
+  ## lead to unbound PVCs and missing data
+  volumeClaimTemplate:
+    metadata:
+      name: data
+    spec:
+      accessModes:
+        - {{ .Values.volumeClaimTemplate.accessModes}}
+      resources:
+        requests:
+          storage: {{ .Values.volumeClaimTemplate.storage}}
+  ## Secret with credentials to be used by MinIO instance.
+  credsSecret:
+    name: {{ .Values.minioRootCreds }}
+  ## PodManagement policy for pods created by StatefulSet. Can be "OrderedReady" or "Parallel"
+  ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
+  ## for details. Defaults to "Parallel"
+  podManagementPolicy: Parallel
+  ## Secret with certificates to configure TLS for MinIO certs. Create secrets as explained
+  ## here: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+  # externalCertSecret:
+  # name: tls-ssl-minio
+  ## Enable Kubernetes based certificate generation and signing as explained in
+  ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
+  requestAutoCert: false
+  ## Used when "requestAutoCert" is set to true. Set CommonName for the auto-generated certificate.
+  ## Internal DNS name for the pod will be used if CommonName is not provided.
+  ## DNS name format is minio-{0...3}.minio.default.svc.cluster.local
+  certConfig:
+    commonName: ""
+    organizationName: []
+    dnsNames: []
+  ## Used to specify a toleration for a pod
+  # tolerations:
+  #  - effect: NoSchedule
+  #    key: dedicated
+  #    operator: Equal
+  #    value: storage
+  ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
+  env:
+    - name: MINIO_PROMETHEUS_AUTH_TYPE
+      value: "public"
+    # - name: MINIO_BROWSER
+    #   value: "off" # to turn-off browser
+    # - name: MINIO_STORAGE_CLASS_STANDARD
+    #   value: "EC:2"
+  ## Configure resource requests and limits for MinIO containers
+  # resources:
+    # requests:
+      # memory: 20Gi
+  ## Liveness probe detects situations where MinIO server instance
+  ## is not working properly and needs restart. Kubernetes automatically
+  ## restarts the pods if liveness checks fail.
+  liveness:
+    initialDelaySeconds: 10
+    periodSeconds: 1
+    timeoutSeconds: 1
+  ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+  ## eligible to run on a node, the node must have each of the
+  ## indicated key-value pairs as labels.
+  ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  # nodeSelector:
+  #   disktype: ssd
+  ## Affinity settings for MinIO pods. Read more about affinity
+  ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+  # affinity:
+  securityContext:
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+  {{- end }}
\ No newline at end of file
--- a/chart/deps/minio/templates/release2.0.9/service.yaml
+++ b/chart/deps/minio/templates/release2.0.9/service.yaml
+{{- if not .Values.upgradeTenants.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "minio.serviceName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "minio.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: 9000
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "minio.selectorLabels" . | nindent 4 }}
+{{- end }}
--- a/chart/deps/minio/templates/serviceMonitor.yaml
+++ b/chart/deps/minio/templates/serviceMonitor.yaml
-{{- if .Values.monitoring.enabled }}
+{{- if and .Values.monitoring.enabled (not .Values.upgradeTenants.enabled) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:

--- a/chart/deps/minio/templates/service-account.yaml
+++ b/chart/deps/minio/templates/service-account.yaml
@@ -10,4 +10,4 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 imagePullSecrets:
-  {{ toYaml .Values.imagePullSecrets | indent 2 }}
+  - {{ toYaml .Values.tenants.imagePullSecret | indent 2 }}
--- a/chart/deps/minio/templates/tenant-secret.yaml
+++ b/chart/deps/minio/templates/tenant-secret.yaml
+{{- if .Values.tenants.secrets.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,7 +7,9 @@ metadata:
  labels:
    {{- include "minio.labels" . | nindent 4 }}
 type: Opaque
-stringData:
-  accesskey: {{ .Values.tenants.secrets.accessKey }}
-  secretkey: {{ .Values.tenants.secrets.secretKey }}
---
+data:
+  ## Access Key for MinIO Tenant
+  accesskey: {{ .Values.tenants.secrets.accessKey  | b64enc }}
+  ## Secret Key for MinIO Tenant
+  secretkey: {{ .Values.tenants.secrets.secretKey  | b64enc }}
+{{ end }}
--- a/chart/deps/minio/templates/tenant.yaml
+++ b/chart/deps/minio/templates/tenant.yaml
+{{- if .Values.upgradeTenants.enabled }}
 apiVersion: minio.min.io/v2
 kind: Tenant
 metadata:
@@ -8,17 +9,6 @@ metadata:
  labels:
    app: {{ template "minio.fullname" . }}
    {{- include "minio.labels" . | nindent 4 }}
-  {{- if .Values.istio.virtualService.labels }}
-  {{ toYaml .Values.istio.virtualservice.labels | indent 4 }}
-  {{- end }}
-  {{- if .Values.istio.virtualService.annotations }}
-  ## Annotations for MinIO Tenant Pods
-  annotations:
-    prometheus.io/path: /minio/prometheus/metrics
-    prometheus.io/port: "9000"
-    prometheus.io/scrape: "true"
-    {{ toYaml .Values.istio.virtualService.annotations | indent 4 }}
-  {{- end }}

 ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
 ## If not specified, the Tenant pods will be dispatched by default scheduler.
@@ -61,6 +51,7 @@ spec:
          resources:
            requests:
              storage: {{ .size }}
+          #storageClassName: {{ .storageClassName}}

      ## Used to specify a toleration for a pod
      # tolerations:
@@ -174,6 +165,15 @@ spec:
  ## for details.
  podManagementPolicy: {{ .Values.tenants.podManagementPolicy }}

+  {{ if or .Values.monitoring.enabled .Values.tenants.metrics.enabled }}
+  ## PrometheusOperator enables the Minio Operator to create the Prometheus serviceMonitor objects to scrape
+  ## metrics from the tenant.  This is only applied if monitoring support is enabled.
+  prometheusOperator:
+    labels:
+      app.kubernetes.io/component: "monitoring"
+      {{ include "minio.labels" . | nindent 6 }}
+  {{- end }}
+
  ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
  ## services created by the operator.
  {{- with .Values.tenants.serviceMetadata }}
@@ -185,7 +185,9 @@ spec:
  {{- end }}

  ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
-  # env:
+  #env:
+  #  - name: MINIO_PROMETHEUS_AUTH_TYPE
+  #    value: "public"
  # - name: MINIO_BROWSER
  #   value: "off" # to turn-off browser
  # - name: MINIO_STORAGE_CLASS_STANDARD
@@ -220,3 +222,4 @@ spec:
      {{ toYaml . | nindent 6 }}
    {{ end }}
  {{- end }}
+{{- end }}
--- a/chart/deps/minio/values.yaml
+++ b/chart/deps/minio/values.yaml
-#
 ## Default values for minio instance creation.
-## This is a YAML-formatted file.
-## Declare variables to be passed into your templates.
-## Configure number of MinIO Operator Deployment Replicas
-#replicas:
-#  count: 1
+## Note: to enable upgrade of minio instance, then values file has a number of values that will be
+## deprecated in the future. Deprecation candidates will have an annotation in comments regarding the timeframe for deprecation.

 hostname: bigbang.dev
-#nameOverride: ""
-#fullnameOverride: ""

-# Configure repo and tag of MinIO Operator Image
-#image:
-#  name: registry1.dso.mil/ironbank/opensource/minio/minio
-#  tag: RELEASE.2020-11-19T23-48-16Z
-#  imagePullPolicy: IfNotPresent
-
-#zones:
-  # refer to documentation for number of servers versus volumes per server
-  #  https://docs.min.io/docs/minio-server-limits-per-tenant.html
-#  servers: 3       # scale to 3 for dev
-#volumesPerServer: 2  # 2 is minimum volumes with 3 servers
-
-#volumeClaimTemplate:
-#  accessModes: ReadWriteOnce
-#  storage: 1Gi  # scale down for dev
-
-imagePullSecrets:
-  - name: private-registry
+# When true, upgradeTenants enables use of the V4.* Minio Operator CRD for creation of tenants is enabled.
+# The default will be made TRUE in a future release.
+upgradeTenants:
+  enabled: false

 serviceAccount:
  # Specifies whether a service account should be created
@@ -38,6 +18,8 @@ serviceAccount:
  # If not set and create is true, a name is generated using the fullname template
  name: ""

+# This is maintained for compatible upgrade with the 2.0.9 release.   The following service itens will be removed ina future release
+# because the operator handles the service deployment in 4.x and beyond.
 service:
  # Internal service name for minio instance.  This is the full name of the service used to connect to Minio from within the cluster.
  # If not specified, the service name will be the default full name of the minio instance.
@@ -45,6 +27,7 @@ service:
  type: ClusterIP
  port: 9000

+# Removed ina future release
 podAnnotations: {}

 istio:
@@ -60,56 +43,89 @@ istio:
    service: ""
    port: ""

-
 monitoring:
  enabled: false
  namespace: monitoring

+networkPolicies:
+  enabled: false
+  controlPlaneCidr: 0.0.0.0/0
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+
+# This is maintained for compatible upgrade with the 2.0.9 release.   The following service itens will be removed ina future release
+# once all upgrades are complete.
+image:
+  name: registry1.dso.mil/ironbank/opensource/minio/minio
+  tag: RELEASE.2020-11-19T23-48-16Z
+  pullPolicy: "IfNotPresent"

-## MinIO Tenant Definition
+# This is maintained for compatible upgrade with the 2.0.9 release.   The following service itens will be removed ina future release
+# once all upgrades are complete.
+zones:
+  # refer to documentation for number of servers versus volumes per server
+  #  https://docs.min.io/docs/minio-server-limits-per-tenant.html
+  servers: 3       # scale to 3 for dev
+
+# This is maintained for compatible upgrade with the 2.0.9 release.   The following service itens will be removed ina future release
+# once all upgrades are complete.
+volumesPerServer: 2  # 2 is minimum volumes with 3 servers
+
+# This is maintained for compatible upgrade with the 2.0.9 release.   The following service itens will be removed ina future release
+# once all upgrades are complete.
+volumeClaimTemplate:
+  accessModes: ReadWriteOnce
+  storage: 1Gi  # scale down for dev
+
+# This is maintained for compatible upgrade with the 2.0.9 release.   The following service itens will be removed ina future release
+# once all upgrades are complete.
+minioRootCreds: default-minio-creds-secret
+
+## MinIO Tenant Definition used for 4.1.2 upgrade
 tenants:
  # Tenant name
  name: minio
-    ## Registry location and Tag to download MinIO Server image
-# Configure repo and tag of MinIO Operator Image
+  ## Registry location and Tag to download MinIO Server image
+  # Configure repo and tag of MinIO Operator Image
  image:
    repository: registry1.dso.mil/ironbank/opensource/minio/minio
-    tag: RELEASE.2020-11-19T23-48-16Z
+    tag: RELEASE.2021-06-17T00-10-46Z
    pullPolicy: "IfNotPresent"
+  ## Customize namespace for tenant deployment
+  #namespace: default
  imagePullSecret:
    name: private-registry
-    ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
-    ## If not specified, the Tenant pods will be dispatched by default scheduler.
-    ##scheduler:
-    ##  name:
+  ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
+  ## If not specified, the Tenant pods will be dispatched by default scheduler.
+  ##scheduler:
+  ##  name:
  scheduler: {}

-    ## Used to specify a toleration for a pod
-  tolerations: {}
-      ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
-    ## eligible to run on a node, the node must have each of the
-    ## indicated key-value pairs as labels.
-    ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-  nodeSelector: {}
-    ## Affinity settings for MinIO pods. Read more about affinity
-    ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
-  affinity: {}
-    ## Configure resource requests and limits for MinIO containers
-  resources: {}
-    ## Configure security context
-    ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
-  securityContext:
-    runAsUser: 1001
-    runAsGroup: 1001
-    fsGroup: 1001
-  secrets:
-    name: minio-creds-secret
-    accessKey: ThisIsAVeryLongPasswordForExample
-    secretKey: ThisIsAVeryLongPasswordForExample
-  metrics:
-    enabled: false
-    port: 9000
-    ## Specification for MinIO Pool(s) in this Tenant.
+  ## Used to specify a toleration for a pod
+  #tolerations: {}
+
+  ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+  ## eligible to run on a node, the node must have each of the
+  ## indicated key-value pairs as labels.
+  ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  #nodeSelector: {}
+
+  ## Affinity settings for MinIO pods. Read more about affinity
+  ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+  #affinity: {}
+
+  ## Configure resource requests and limits for MinIO containers
+  #resources: {}
+
+  ## Configure security context
+  ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
+  #securityContext:
+  #  runAsUser: 1001
+  #  runAsGroup: 1001
+  #  fsGroup: 1001
+
+  ## Specification for MinIO Pool(s) in this Tenant.
  pools:
      ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
      ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
@@ -120,7 +136,7 @@ tenants:
        ## size specifies the capacity per volume
      size: 1Gi
        ## storageClass specifies the storage class name to be used for this pool
-      storageClassName: standard
+      storageClassName: local-path
        ## Used to specify a toleration for a pod
      tolerations: {}
          ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
@@ -139,10 +155,24 @@ tenants:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
-    ## Mount path where PV will be mounted inside container(s).
+  ## Mount path where PV will be mounted inside container(s).
  mountPath: /export
-    ## Sub path inside Mount path where MinIO stores data.
+
+  ## Sub path inside Mount path where MinIO stores data.
  subPath: /data
+
+  # pool secrets
+  secrets:
+    enabled: true
+    name: minio-creds-secret
+    accessKey: minio
+    secretKey: minio123
+
+  # pool metrics to be read by Prometheus
+  metrics:
+    enabled: false
+    port: 9000
+
  certificate:
      ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure
      ## TLS for MinIO Tenant pods. Create secrets as explained here:
@@ -195,12 +225,13 @@ tenants:
    enabled: false
    image:
      repository: minio/console
-      tag: v0.6.3
+      tag: v0.7.4
      pullPolicy: IfNotPresent
    replicaCount: 1
    secrets:
-      name: minio-console-secret
-      passphrase: ThisIsAVeryLongConsolePasswordForExample
-      salt: ThisIsAVeryLongConsolePasswordForExample
-      accessKey: ThisIsAVeryLongConsolePasswordForExample
-      secretKey: ThisIsAVeryLongConsolePasswordForExample
+      enabled: true
+      name: console-secret
+      passphrase: SECRET
+      salt: SECRET
+      accessKey: YOURCONSOLEACCESS
+      secretKey: YOURCONSOLESECRET
--- a/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  # Allow access to DNS
+  egress:
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - port: 53
+      protocol: UDP
+    {{- if .Values.openshift }}  
+    - port: 5353
+      protocol: UDP
+    {{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
+{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-elastic-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: logging
+      podSelector:
+        matchLabels:
+          common.k8s.elastic.co/type: elasticsearch
+    ports:
+    - port: 9200
+      protocol: TCP
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-postgres-egress-upgrade
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost-update-check
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: 8065
+      protocol: TCP
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-mattermost-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+    ports:
+    - port: 8067
+      protocol: TCP
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- if $enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  policyTypes:
+  - Egress
+{{- end }}
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml
+++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress: []
+  egress: []
+{{- end }}
\ No newline at end of file
--- a/chart/templates/default-bucket.yaml
+++ b/chart/templates/default-bucket.yaml
+{{- if .Values.minio.install }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: default-minio-bucket-creation
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata:
+      name: default-minio-bucket-creation
+    spec:
+      imagePullSecrets:
+      {{- with .Values.global.imagePullSecrets }}
+      {{ . | toYaml | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: minio-bucket-creation
+          image: {{ .Values.minio.bucketCreationImage }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -ex
+              attempt_counter=0
+              max_attempts=25
+              until [ $(mc config host add bigbang http://{{ .Values.minio.service.nameOverride }} {{ .Values.minio.tenants.secrets.accessKey }} {{ .Values.minio.tenants.secrets.secretKey }} >/dev/null; echo $?) -eq 0 ]; do
+               if [ ${attempt_counter} -eq ${max_attempts} ];then
+                  echo "Max attempts reached"
+                  exit 1
+                fi
+                attempt_counter=$(($attempt_counter+1))
+                sleep 10
+              done
+              mc mb bigbang/mattermost            
+{{- end }}
--- a/chart/templates/env-secret.yaml
+++ b/chart/templates/env-secret.yaml
@@ -46,4 +46,4 @@ stringData:
  MM_ELASTICSEARCHSETTINGS_PASSWORD: {{ .data.elastic | b64dec }}  
  {{- end }}    
  {{- end }}  
-{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/mattermost.yaml
+++ b/chart/templates/mattermost.yaml
@@ -9,6 +9,10 @@ metadata:
 spec:
  image: {{ .Values.image.name }}
  imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+  {{- with .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}

  size: {{ .Values.users }}users
  version: {{ .Values.image.tag }}
@@ -149,12 +153,22 @@ spec:
      {{ toYaml .Values.nodeSelector | nindent 6 }}
    {{- end }}  

+  {{- with .Values.volumes }}
+  volumes:
+  {{- toYaml . | nindent 4}}
+  {{- end }}
+
+  {{- with .Values.volumeMounts }}
+  volumeMounts:
+  {{- toYaml . | nindent 4}}
+  {{- end }}
+
  database:
    external:
      secret: {{ .Values.database.secret | default (printf "%s-dbcreds" (include "mattermost.fullname" .)) }}

  fileStore:
    external:
-      url: {{ .Values.fileStore.url | default "minio:80" }}
+      url: {{ .Values.fileStore.url | default .Values.minio.service.nameOverride }}
      bucket: {{ .Values.fileStore.bucket | default "mattermost" }}
      secret: {{ .Values.fileStore.secret | default .Values.minio.tenants.secrets.name }}
--- a/chart/templates/tests/test-ui.yaml
+++ b/chart/templates/tests/test-ui.yaml
-{{- include "bb-test-lib.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }}
+{{- include "gluon.tests.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }}
 {{- define "mattermost-test.cypress-configmap" }}
 metadata:
  labels:
    {{ include "mattermost.labels" . | nindent 4 }}
 {{- end }}
 ---
-{{- include "bb-test-lib.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}}
+{{- include "gluon.tests.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}}
 {{- define "mattermost-test.cypress-runner" -}}
 metadata:
  labels: