feat: add more stuff

doesn't work yet

chart/charts/postgresql/templates/svc-headless.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "common.names.fullname" . }}-headless
+  labels:
+  {{- include "common.labels.standard" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+    # Use this annotation in addition to the actual publishNotReadyAddresses
+    # field below because the annotation will stop being respected soon but the
+    # field is broken in some versions of Kubernetes:
+    # https://github.com/kubernetes/kubernetes/issues/58662
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  clusterIP: None
+  # We want all pods in the StatefulSet to have their addresses published for
+  # the sake of the other Postgresql pods even before they're ready, since they
+  # have to be able to talk to each other in order to become ready.
+  publishNotReadyAddresses: true
+  ports:
+    - name: tcp-postgresql
+      port: {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+  selector:
+  {{- include "common.labels.matchLabels" . | nindent 4 }}

chart/charts/postgresql/templates/svc-read.yaml

+{{- if .Values.replication.enabled }}
+{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}}
+{{- $serviceType := coalesce .Values.readReplicas.service.type .Values.service.type -}}
+{{- $serviceLoadBalancerIP := coalesce .Values.readReplicas.service.loadBalancerIP .Values.service.loadBalancerIP -}}
+{{- $serviceLoadBalancerSourceRanges := coalesce .Values.readReplicas.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
+{{- $serviceClusterIP := coalesce .Values.readReplicas.service.clusterIP .Values.service.clusterIP -}}
+{{- $serviceNodePort := coalesce .Values.readReplicas.service.nodePort .Values.service.nodePort -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "common.names.fullname" . }}-read
+  labels:
+  {{- include "common.labels.standard" . | nindent 4 }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+  {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if $serviceAnnotations }}
+  {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: {{ $serviceType }}
+  {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
+  loadBalancerIP: {{ $serviceLoadBalancerIP }}
+  {{- end }}
+  {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
+  clusterIP: {{ $serviceClusterIP }}
+  {{- end }}
+  ports:
+    - name: tcp-postgresql
+      port:  {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+      {{- if $serviceNodePort }}
+      nodePort: {{ $serviceNodePort }}
+      {{- end }}
+  selector:
+  {{- include "common.labels.matchLabels" . | nindent 4 }}
+    role: read
+{{- end }}

chart/charts/postgresql/templates/svc.yaml

+{{- $serviceAnnotations := coalesce .Values.primary.service.annotations .Values.service.annotations -}}
+{{- $serviceType := coalesce .Values.primary.service.type .Values.service.type -}}
+{{- $serviceLoadBalancerIP := coalesce .Values.primary.service.loadBalancerIP .Values.service.loadBalancerIP -}}
+{{- $serviceLoadBalancerSourceRanges := coalesce .Values.primary.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
+{{- $serviceClusterIP := coalesce .Values.primary.service.clusterIP .Values.service.clusterIP -}}
+{{- $serviceNodePort := coalesce .Values.primary.service.nodePort .Values.service.nodePort -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  labels:
+  {{- include "common.labels.standard" . | nindent 4 }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+  {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if $serviceAnnotations }}
+  {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: {{ $serviceType }}
+  {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
+  loadBalancerIP: {{ $serviceLoadBalancerIP }}
+  {{- end }}
+  {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
+  clusterIP: {{ $serviceClusterIP }}
+  {{- end }}
+  ports:
+    - name: tcp-postgresql
+      port: {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+      {{- if $serviceNodePort }}
+      nodePort: {{ $serviceNodePort }}
+      {{- end }}
+  selector:
+  {{- include "common.labels.matchLabels" . | nindent 4 }}
+    role: primary

chart/charts/postgresql/values.schema.json

+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "postgresqlUsername": {
+      "type": "string",
+      "title": "Admin user",
+      "form": true
+    },
+    "postgresqlPassword": {
+      "type": "string",
+      "title": "Password",
+      "form": true
+    },
+    "persistence": {
+      "type": "object",
+      "properties": {
+        "size": {
+          "type": "string",
+          "title": "Persistent Volume Size",
+          "form": true,
+          "render": "slider",
+          "sliderMin": 1,
+          "sliderMax": 100,
+          "sliderUnit": "Gi"
+        }
+      }
+    },
+    "resources": {
+      "type": "object",
+      "title": "Required Resources",
+      "description": "Configure resource requests",
+      "form": true,
+      "properties": {
+        "requests": {
+          "type": "object",
+          "properties": {
+            "memory": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "Memory Request",
+              "sliderMin": 10,
+              "sliderMax": 2048,
+              "sliderUnit": "Mi"
+            },
+            "cpu": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "CPU Request",
+              "sliderMin": 10,
+              "sliderMax": 2000,
+              "sliderUnit": "m"
+            }
+          }
+        }
+      }
+    },
+    "replication": {
+      "type": "object",
+      "form": true,
+      "title": "Replication Details",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Enable Replication",
+          "form": true
+        },
+        "readReplicas": {
+          "type": "integer",
+          "title": "read Replicas",
+          "form": true,
+          "hidden": {
+            "value": false,
+            "path": "replication/enabled"
+          }
+        }
+      }
+    },
+    "volumePermissions": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "form": true,
+          "title": "Enable Init Containers",
+          "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
+        }
+      }
+    },
+    "metrics": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Configure metrics exporter",
+          "form": true
+        }
+      }
+    }
+  }
+}

chart/templates/_helpers.tpl

+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mattermost.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mattermost.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mattermost.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "mattermost.labels" -}}
+helm.sh/chart: {{ include "mattermost.chart" . }}
+{{ include "mattermost.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "mattermost.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "mattermost.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "mattermost.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "mattermost.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

chart/templates/db-credentials.yaml

+{{- if and (not .Values.database.secret) .Values.postgresql.install }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "mattermost.fullname" . }}-dbcreds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "database"
+stringData:
+  {{- with .Values.postgresql }}
+  DB_CONNECTION_CHECK_URL: "postgres://{{ .postgresqlUsername }}:{{ .postgresqlPassword }}@{{ .fullnameOverride }}:5432/{{ .postgresqlDatabase }}?connect_timeout=10&sslmode=disable"
+  DB_CONNECTION_STRING: "postgres://{{ .postgresqlUsername }}:{{ .postgresqlPassword }}@{{ .fullnameOverride }}:5432/{{ .postgresqlDatabase }}?connect_timeout=10&sslmode=disable"
+  {{- end }}
+{{- end }}

chart/templates/license.yaml

+{{- if and .Values.enterprise.enabled .Values.enterprise.license }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-license
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "license"
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+type: Opaque
+data:
+  license: {{ .Values.enterprise.license | b64enc }}
+{{- end }}

chart/templates/mattermost-instance.yaml

-apiVersion: mattermost.com/v1alpha1
-kind: ClusterInstallation
-metadata:
-  name: chat
-spec:
-  version: 5.27.0
-  size: 100users
-  ingressName: chat.kube.dev
-  image: registry1.dsop.io/ironbank/opensource/mattermost/mattermost
\ No newline at end of file

chart/templates/mattermost.yaml

+apiVersion: installation.mattermost.com/v1beta1
+kind: Mattermost
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "instance"
+spec:
+  image: {{ .Values.image.name }}
+  imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+
+  size: {{ .Values.users }}users
+  version: {{ .Values.image.tag }}
+  replicas: {{ .Values.replicaCount }}
+
+  {{- if .Values.istio.chat.hosts }}
+  ingressName: {{ tpl (index .Values.istio.chat.hosts 0) $ }}
+  {{- else }}
+  ingressName: "chat.bigbang.dev"
+  {{- end }}
+
+  {{- if and .Values.enterprise.enabled .Values.enterprise.license }}
+  licenseSecret: "mattermost-license"
+  {{- end }}
+
+  {{- if or .Values.mattermostEnvs .Values.sso.enabled }}
+  mattermostEnv:
+  {{- range $k, $v := .Values.mattermostEnvs }}
+  - name: {{ $k }}
+    value: {{ $v | quote }}
+  {{- end }}
+  {{- if .Values.sso.enabled }}
+  - name: MM_GITLABSETTINGS_ENABLE
+    value: "{{ .Values.sso.enabled }}"
+  - name: MM_GITLABSETTINGS_ID
+    value: "{{ .Values.sso.client_id }}"
+  - name: MM_GITLABSETTINGS_SECRET
+    value: "{{ .Values.sso.client_secret }}"
+  - name: MM_GITLABSETTINGS_AUTHENDPOINT
+    value: "{{ .Values.sso.auth_endpoint }}"
+  - name: MM_GITLABSETTINGS_TOKENENDPOINT
+    value: "{{ .Values.sso.token_endpoint }}"
+  - name: MM_GITLABSETTINGS_USERAPIENDPOINT
+    value: "{{ .Values.sso.user_api_endpoint }}"
+  {{- end }}
+  {{- end }}
+
+  # Give MM enough time to keel over if needed
+  probes:
+    livenessProbe:
+      initialDelaySeconds: 120
+      periodSeconds: 120
+
+  scheduling:
+    resources:
+    {{- toYaml .Values.resources | nindent 6 }}
+
+    {{- if or .Values.antiAffinity .Values.nodeAffinity }}
+    affinity:
+      {{- if eq .Values.antiAffinity "hard" }}
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - topologyKey: "kubernetes.io/hostname"
+            labelSelector:
+              matchLabels:
+                app: mattermost
+                installation.mattermost.com/installation: mattermost
+                installation.mattermost.com/resource: mattermost
+      {{- else if eq .Values.antiAffinity "soft" }}
+      podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          podAffinityTerm:
+            topologyKey: kubernetes.io/hostname
+            labelSelector:
+              matchLabels:
+                app: mattermost
+                installation.mattermost.com/installation: mattermost
+                installation.mattermost.com/resource: mattermost
+      {{- end }}
+      {{- with .Values.nodeAffinity }}
+      nodeAffinity:
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+
+  database:
+    external:
+      secret: {{ .Values.database.secret | default (printf "%s-dbcreds" (include "mattermost.fullname" .)) }}
+
+  fileStore:
+    external:
+      url: {{ .Values.fileStore.url | default "minio-service:9000" }}
+      bucket: {{ .Values.fileStore.bucket | default "mattermost" }}
+      secret: {{ .Values.fileStore.secret | default "minio-creds-secret" }}

chart/templates/objectstorage-credentials.yaml

+{{- if and (not .Values.fileStore.secret) .Values.minio.install }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "mattermost.fullname" . }}-objstore-creds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "objectstorage"
+data:
+  accesskey: {{ .Values.minio.accessKey | b64enc }}
+  secretkey: {{ .Values.minio.secretKey | b64enc }}
+{{- end }}

chart/templates/role-binding.yaml

+{{- if .Values.monitoring.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBindingList
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: prometheus-k8s
+    namespace: {{ .Release.Namespace }}
+    labels:
+      {{ include "mattermost.labels" . | nindent 6 }}
+      app.kubernetes.io/component: "monitoring"
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: prometheus-k8s
+  subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: {{ .Values.monitoring.namespace }}
+{{- end }}

chart/templates/role.yaml

+{{- if .Values.monitoring.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleList
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: prometheus-k8s
+    namespace: {{ .Release.Namespace }}
+    labels:
+      {{ include "mattermost.labels" . | nindent 6 }}
+      app.kubernetes.io/component: "monitoring"
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    - endpoints
+    - pods
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}

chart/templates/service-monitor.yaml

+{{- if and .Values.monitoring.enabled .Values.enterprise.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    prometheus: k8s
+    release: monitoring
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "monitoring"
+  name: mattermost-enterprise-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  endpoints:
+    - interval: 30s
+      port: metrics
+      scheme: http
+  jobLabel: mattermost
+{{- end }}

chart/templates/virtualservice.yaml

+{{- if and .Values.istio.enabled .Values.istio.chat.enabled -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ template "mattermost.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "mattermost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "chat"
+  {{- if .Values.istio.chat.labels }}
+    {{ toYaml .Values.istio.chat.labels | indent 4 }}
+  {{- end }}
+  {{- if .Values.istio.chat.annotations }}
+  annotations:
+    {{ toYaml .Values.istio.chat.annotations | indent 4 }}
+  {{- end }}
+spec:
+  gateways:
+  {{- range .Values.istio.chat.gateways }}
+    - {{ . }}
+  {{- end }}
+  hosts:
+  {{- range .Values.istio.chat.hosts }}
+    - {{ tpl . $ }}
+  {{- end }}
+  http:
+    - route:
+        - destination:
+            host: {{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local
+            port:
+              number: 8065  # hardcode this because the operator does
+{{- end }}

chart/values.yaml

+hostname: bigbang.dev
+
+istio:
+  # Toggle istio integration
+  enabled: false
+  chat:
+    # Toggle vs creation
+    enabled: true
+    annotations: {}
+    labels: {}
+    gateways:
+      - istio-system/main
+    hosts:
+      - chat.{{ .Values.hostname }}
+
+# NOTE: Requires enterprise.enabled to have any effect
+monitoring:
+  enabled: false
+  namespace: monitoring
+
+sso:
+  enabled: false
+  client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost
+  client_secret: nothing # Change to your Keycloak client secret
+  auth_endpoint: https://login.dso.mil/oauth/authorize
+  token_endpoint: https://login.dso.mil/oauth/token
+  user_api_endpoint: https://login.dso.mil/api/v4/user
+
 # Repo and image tag 
-image: 
+image:
+  name: registry.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/mattermost
+  tag: 5.31.0
   imagePullPolicy: IfNotPresent
-  name: "registry1.dsop.io/ironbank/opensource/mattermost/mattermost-operator:v1.5.0"
 
-#Mattermost operator desired replicas
-replicas: 
-  count: 1
+global:
+  imagePullSecrets: []
+  # - name: private-registry
+
+# Mattermost instance desired replicas
+replicaCount: 3
+
+users: 100 # Allowable: 100, 1000, 5000, 10000, 25000
+
+enterprise:
+  enabled: false
+  license: ""
+  # Example:
+  # license: |
+  #   LICENSE HERE
+
+nameOverride: ""
+
+resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 512Mi
+  # requests:
+  #   cpu: 250m
+  #   memory: 256Mi
+
+# Available options are "soft" and "hard"
+antiAffinity: ""
+
+nodeAffinity: {}
+  # requiredDuringSchedulingIgnoredDuringExecution:
+  #   nodeSelectorTerms:
+  #   - matchExpressions:
+  #     - key: type
+  #       operator: In
+  #       values:
+  #       - "mattermost-optimized"
+
+mattermostEnvs: {}
+
+minio:
+  install: false
+
+  accessKey: minio
+  secretKey: minio#123 # default key, change this!
+
+postgresql:
+  install: false
+
+  image:
+    registry: "registry1.dso.mil/ironbank"
+    repository: "opensource/postgres/postgresql11"
+    tag: "11.10"
+
+    pullSecrets: []
+    # - private-registry
+
+  postgresqlUsername: "mattermost"
+  postgresqlPassword: "bigbang" # default password, change this!
+  postgresqlDatabase: "mattermost"
+
+  fullnameOverride: "mattermost-postgresql" # Overrides the name used for resource creation
+
+  securityContext:
+    fsGroup: 26
+  containerSecurityContext:
+    runAsUser: 26
+
+  # Set the configs to allow listening and connecting from other pods
+  postgresqlConfiguration: {"listen_addresses": "*"}
+  pgHbaConfiguration: |-
+    local all all md5
+    host all all all md5
+
+database:
+  # Name of an existing secret to pull credentials from, leave empty for chart created database
+  # Must at minimum contain DB_CONNECTION_STRING
+  secret: ""
 
-# Watched namespace, blank for all namspaces
-watchedNamespace: 
+fileStore:
+  # Name of an existing secret to pull credentials from, leave empty for chart created minio
+  secret: ""
+  # URL for existing file store, leave empty for chart created minio
+  url: ""
+  # Bucket for existing file store, leave empty for chart created minio
+  bucket: ""

docs/CHANGELOG.md

-# Mattermost Change log  
-
-October 1, 2020 Update oprator to 1.8 and MM to 5.27, use direct IB images from Harbor
-
-July 20,2020  Added ECK instructions to README.md
-October 8, 2020 Switched thei images being pulled to the registr1 repo (harbor)