Merge branch 'minio-4-upgrade' into 'main'

MM Minio 4 upgrade See merge request !50

Merge branch 'minio-4-upgrade' into 'main'
MM Minio 4 upgrade See merge request !50
299f2dc4 · Ryan Garcia · 36c78e49 · 0c6046b3 · 299f2dc4 · 299f2dc4
Commit 299f2dc4 authored Aug 06, 2021 by Ryan Garcia
Showing with 69 additions and 7 deletions

chart/values.yaml chart/values.yaml +27 -4

docs/keycloak.md docs/keycloak.md +34 -1

tests/dependencies.yaml tests/dependencies.yaml +2 -2

tests/test-values.yml tests/test-values.yml +6 -0

No files found.
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -18,6 +18,13 @@ monitoring:
  enabled: false
  namespace: monitoring
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  controlPlaneCidr: 0.0.0.0/0
 sso:
  enabled: false
  client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost
@@ -28,8 +35,8 @@ sso:
 # Repo and image tag 
 image:
-  name: registry.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/mattermost
+  name: registry1.dso.mil/ironbank/opensource/mattermost/mattermost
-  tag: 5.34.2
+  tag: 5.37.0
  imagePullPolicy: IfNotPresent
 global:
@@ -95,14 +102,28 @@ existingSecretEnvs: {}
  #       key: DB_CONNECTION_CHECK_URL
  #       name: "mysecretname"
+volumes: {}
+  # - name: ca-cert
+  #   secret:
+  #     secretName: ca-secret
+  #     defaultMode: 0644
+volumeMounts: {}
+  # - name: ca-cert
+  #   mountPath: /etc/ssl/certs
+  #   readOnly: true
 minio:
  install: false
+  bucketCreationImage: "registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-06-13T17-48-22Z"
+  # Override the minio service name for easier connection setup
+  service:
+    nameOverride: "minio.mattermost.svc.cluster.local"
  tenants:
    secrets:
      name: "mattermost-objstore-creds"
      accessKey: "minio"
-      secretKey: "minio#123" # default key, change this!
+      secretKey: "minio123" # default key, change this!
 postgresql:
  install: false
@@ -167,3 +188,5 @@ elasticsearch:
  enablesearching: true
  # When true, Elasticsearch will be used for all autocompletion queries on users and channels using the latest index. Autocompletion results may be incomplete until a bulk index of the existing users and channels database is finished. When false, database autocomplete is used.
  enableautocomplete: true
+openshift: false
--- a/docs/keycloak.md
+++ b/docs/keycloak.md
@@ -20,7 +20,7 @@ Under the mappers tab, create a new mapper:
 - claim JSON type - long
 - add to userinfo - on
-Create another mapper:
+Create username mapper:
 - name - username
 - mapper type - user property
 - property - username
@@ -29,6 +29,15 @@ Create another mapper:
 - add to userinfo - on
 - all other sliders off
+Create email mapper:
+- name - email
+- mapper type - user property
+- property - email
+- token claim name - email
+- claim JSON type - string
+- add to userinfo - on
+- all other sliders off
 Add mattermostid to existing user:
 - Login to keycloak Admin Console with the master realm user
 - Go to your realm
@@ -68,3 +77,27 @@ helm upgrade -i mattermost chart -n mattermost --create-namespace -f my-values.y
 Role based authentication can be configured as long as you are on an enterprise version.
 Follow the steps in [this tutorial](https://docs.mattermost.com/deployment/advanced-permissions.html) to customize the permissions given to users. In general permissions can be edited under the "System Console -> User Management -> Permissions". Users should be created by default under the "Member" group, except for the first user to sign up or login.
+## OIDC Custom CA
+Mattermost can be configured to point to specific files to trust with an OIDC auth connection, here is an example when using Big Bang to deploy mattermost, assuming you are populating a secret named "ca-cert" in the same namespace, with a key of cert.pem and value of a single PEM encoded certificate (an easy way to make this secret is included below as well):
+```yaml
+addons:
+  mattermost:
+    values:
+      volumes:
+        - name: ca-cert
+          secret:
+            secretName: ca-secret
+            defaultMode: 0644
+      volumeMounts:
+        - name: ca-cert
+          mountPath: /etc/ssl/certs
+          readOnly: true
+```
+For secret creation with this example and a pem file at `/path/to/cert.pem`:
+```bash
+kubectl create secret generic ca-secret --from-file=cert.pem=/path/to/cert.pem -n mattermost
+```
--- a/tests/dependencies.yaml
+++ b/tests/dependencies.yaml
 mattermostoperator:
  git: "https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git"
  namespace: "mattermost-operator"
-  branch: "1.13.0-bb.2"
+  branch: "1.14.0-bb.2"
 miniooperator:
  git: "https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git"
  namespace: "minio-operator"
-  branch: "4.0.4-bb.1"
+  branch: "4.1.2-bb.1"
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
 minio:
  install: true
+  upgradeTenants:
+    enabled: true
 postgresql:
  install: true
+networkPolicies:
+  enabled: true
 bbtests:
+  enabled: true
  cypress:
    artifacts: true
    envs: