diff --git a/CHANGELOG.md b/CHANGELOG.md index 805368e22d3b8e067315d12400cc83d54fd17a29..94784d7391c70ef89ebbf0f1b6f1d0882760134e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,42 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +## [0.1.6-bb.8] - 2021-07-21 +### Changed +- Add openshift toggle, conditionally add port 5353 egress. Changing "openshift:" to true in values.yaml will enable. + +## [0.1.6-bb.7] - 2021-07-08 +### Changed +- Update Mattermost to version 5.36.1 + +## [0.1.6-bb.6] - 2021-06-22 +### Changed +- Update Mattermost to version 5.36.0 + +## [0.1.6-bb.5] - 2021-06-21 +### Fixed +- NetworkPolicy blocking an init container, added policy to allow postgres egress for the init container +- Redo of test egress +- Move around DNS policy + +## [0.1.6-bb.4] - 2021-06-07 +### Added +- Ability to pass volumes / volumeMounts to MM pods + +## [0.1.6-bb.3] - 2021-06-04 +### Added +- Add IPS with new operator +- Switch to the IB image being used directly + +## [0.1.6-bb.2] - 2021-06-02 +### Changed +- Restricted test policy to just cluster + +## [0.1.6-bb.1] - 2021-06-01 +### Changed +- Moved tests to gluon library +### Added +- Default NetworkPolicies added ## [0.1.6-bb.0] - 2021-05-11 ### Changed diff --git a/CODEOWNERS b/CODEOWNERS index 9c87a4c6d25fe9bfd18df30621d2a97867c03b1d..354c8d0b178194f7c0a14bf32ccca5411c52285b 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @micah.nagel @branden.cobb +* @brandencobb @jasonkrause @micah.nagel diff --git a/chart/Chart.lock b/chart/Chart.lock index 042b2326021e186e4404306634d56e28d14c5de4..420b93116e07acebc3473fc666b65b41376227b3 100644 --- a/chart/Chart.lock +++ b/chart/Chart.lock 
@@ -4,9 +4,9 @@ dependencies: version: 10.3.5 - name: minio-instance repository: file://./deps/minio - version: 2.0.9-bb.9 -- name: bb-test-lib - repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates - version: 0.5.2 -digest: sha256:0a15fa5bcd2dafdc621740c7cd177210b2c875337f32fe78755af8806bba735a -generated: "2021-05-13T10:38:37.154607-06:00" + version: 4.1.2-bb.1 +- name: gluon + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon + version: 0.1.1 +digest: sha256:92b86cfa02024a6b1df1211f5881f756775945eacab13cc7f267fc8bd41aa828 +generated: "2021-07-23T09:44:19.142388-06:00" diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 54b8cbec72703189434be6484519f2a193875583..f99a952b3c2c9007672001d70d6832d754210e26 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,15 +1,13 @@ ---- apiVersion: v2 name: mattermost type: application -version: "0.1.6-bb.0" -appVersion: "5.34.2" +version: "0.1.6-bb.8" +appVersion: "5.36.1" description: "Deployment of mattermost" -keywords: +keywords: - Mattermost - Instance kubeVersion: ">=1.12.0-0" - dependencies: - name: postgresql version: 10.3.5 @@ -17,10 +15,10 @@ dependencies: condition: postgresql.install repository: file://./deps/postgresql - name: minio-instance - version: 2.0.9-bb.9 + version: 4.1.2-bb.1 alias: minio condition: minio.install repository: file://./deps/minio - - name: bb-test-lib - version: 0.5.2 - repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" + - name: gluon + version: 0.1.1 + repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon diff --git a/chart/charts/bb-test-lib-0.5.2.tgz b/chart/charts/bb-test-lib-0.5.2.tgz deleted file mode 100644 index 0df8143dd476200a3e95ccc1ddc9b52dac0bfae4..0000000000000000000000000000000000000000 Binary files a/chart/charts/bb-test-lib-0.5.2.tgz and /dev/null differ 
diff --git a/chart/charts/gluon-0.1.1.tgz b/chart/charts/gluon-0.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b4a4878dae126348cdee9d80977a15121ba59f9f Binary files /dev/null and b/chart/charts/gluon-0.1.1.tgz differ diff --git a/chart/charts/minio-instance-2.0.9-bb.9.tgz b/chart/charts/minio-instance-2.0.9-bb.9.tgz deleted file mode 100644 index bbfa7b0d3abe6d2381694e9538bf214d1dbb934b..0000000000000000000000000000000000000000 Binary files a/chart/charts/minio-instance-2.0.9-bb.9.tgz and /dev/null differ diff --git a/chart/charts/minio-instance-4.1.2-bb.1.tgz b/chart/charts/minio-instance-4.1.2-bb.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..61c65299c90f8a745cd4d5bc45d13617fd6d45da Binary files /dev/null and b/chart/charts/minio-instance-4.1.2-bb.1.tgz differ diff --git a/chart/charts/postgresql-10.3.5.tgz b/chart/charts/postgresql-10.3.5.tgz index a90af7a853398f710107dc689d2ee464c97d70d8..109b16577dc012abc5baa4e11574dda2d9d59837 100644 Binary files a/chart/charts/postgresql-10.3.5.tgz and b/chart/charts/postgresql-10.3.5.tgz differ diff --git a/chart/deps/minio/Chart.lock b/chart/deps/minio/Chart.lock new file mode 100644 index 0000000000000000000000000000000000000000..df1fa9acc94dbd8ebaef34d38bbc4ec099279c1a --- /dev/null +++ b/chart/deps/minio/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: bb-test-lib + repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates + version: 0.5.0 +digest: sha256:ec47e1f5de8d2060a2e7b93a756bb34c21b62069f04237c915adf8619ac03698 +generated: "2021-05-12T14:29:40.198378-06:00" diff --git a/chart/deps/minio/Chart.yaml b/chart/deps/minio/Chart.yaml index 42df286241f9d1427f12b2e72cd2eb17e9c1dd95..3f48e062911e22988fc88295b6d7f8898ab13359 100644 --- a/chart/deps/minio/Chart.yaml +++ b/chart/deps/minio/Chart.yaml 
@@ -1,26 +1,17 @@ apiVersion: v2 - -name: minio-instance - -description: |- - A Helm chart for deploying the Minio instances based on use of the Minio operator - -#home: https://github.com/elastic/cloud-on-k8s - type: application - -version: 2.0.9-bb.9 - -appVersion: RELEASE.2020-11-19T23-48-16Z - -kubeVersion: ">=1.17.0-0" - +name: minio-instance +version: 4.1.2-bb.1 +appVersion: v4.1.2 +description: A Helm chart for MinIO based on Minio Operator 4.1.2 +home: https://min.io +icon: https://min.io/resources/img/logo/MINIO_wordmark.png keywords: - - Minio - - Instance - +- storage +- object-storage +- S3 maintainers: - - name: me - email: - -dependencies: +- email: dev@minio.io + name: MinIO, Inc +sources: +- https://github.com/minio/operator diff --git a/chart/deps/minio/Kptfile b/chart/deps/minio/Kptfile index 521d9164c2fcb4d2583212057c7b4f002b1a66f7..5eb41fa5099d6ae27e715057e91b8465ed7bf8bd 100644 --- a/chart/deps/minio/Kptfile +++ b/chart/deps/minio/Kptfile @@ -1,11 +1,11 @@ apiVersion: kpt.dev/v1alpha1 kind: Kptfile metadata: - name: minio + name: chart upstream: type: git git: - commit: a8ef3702468317396a58ed94bb1823f9d4ae59cf + commit: 337d856c949baa059d9b909eb889458bedca52ff repo: https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio directory: /chart - ref: 2.0.9-bb.9 + ref: 4.1.2-bb.1 diff --git a/chart/deps/minio/charts/bb-test-lib-0.5.0.tgz b/chart/deps/minio/charts/bb-test-lib-0.5.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ca0adf9edaa4f6f8a56ee22c14af94e432b150b8 Binary files /dev/null and b/chart/deps/minio/charts/bb-test-lib-0.5.0.tgz differ diff --git a/chart/deps/minio/templates/_helpers.tpl b/chart/deps/minio/templates/_helpers.tpl index 8e7b94ff7ea3dd4960fa32bb0e52095aed6b178e..29db7b76c7c39c3ce4f6a80a12971bdf0e60e647 100644 --- a/chart/deps/minio/templates/_helpers.tpl +++ b/chart/deps/minio/templates/_helpers.tpl 
@@ -2,7 +2,7 @@ Expand the name of the chart. */}} {{- define "minio.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- default .Chart.Name | trunc 63 | trimSuffix "-" }} {{- end }} {{/* @@ -11,17 +11,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "minio.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} +{{- $name := default .Chart.Name }} {{- if contains $name .Release.Name }} {{- .Release.Name | trunc 63 | trimSuffix "-" }} {{- else }} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} {{- end }} {{- end }} -{{- end }} {{/* Create chart name and version as used by the chart label. @@ -62,9 +58,26 @@ Create the name of the service account to use {{- end }} {{/* -Create the name of the service used to access the UI +Create the name of the service used to access the Minio object UI. +Note: the Minio operator has a fixed name of "minio" for the service it creates. */}} -{{- define "minio.serviceName" -}} +{{- define "minio.serviceName" }} +{{- if .Values.upgradeTenants.enabled -}} +minio +{{- else -}} {{- default (include "minio.fullname" .) .Values.service.nameOverride }} {{- end }} +{{- end }} + +{{/* +Create the port used to communicate with the Minio service. +Note: the Minio operator has a fixed name of "minio" for the service it creates. +*/}} +{{- define "minio.servicePort" -}} +{{- if or .Values.tenants.certificate.requestAutoCert .Values.tenants.certificate.externalCertSecret }} +443 +{{- else }} +80 +{{- end }} +{{- end }} 
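Review bot: `default .Chart.Name` in the `minio.name` and `minio.fullname` hunks is called with a single argument, so it always yields `.Chart.Name` and the `default` is a no-op now that `nameOverride` is gone; write `{{- .Chart.Name | trunc 63 | trimSuffix "-" }}` and `{{- $name := .Chart.Name }}` so a reader does not go looking for a fallback value that no longer exists. The comment added above `minio.servicePort` is the service-name note copied verbatim and does not describe the helper; replace it with `Port of the tenant service: 443 when the tenant serves TLS (requestAutoCert or an externalCertSecret), otherwise 80.` Both branches of `minio.servicePort` emit a newline before the number because the `{{- if ... }}` / `{{- else }}` tags do not trim on the right, which is why the caller in minio-vs.yaml has to pipe the result through `trim`; `{{- if ... -}}` and `{{- else -}}` would remove that burden from every call site. This directory is a kpt-synced copy of the upstream minio chart (see the Kptfile hunk), so the same change should land upstream or it will be lost on the next sync.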
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c086ccaefd638de13fa73b1999b32471becb1665
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-egress.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-external-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {}
+ ports:
+ - port: 53
+ protocol: UDP
+{{- end }}
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..956331f0df0889bc112ced639966bf1a9203fa01
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/default-deny-ingress.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+{{- end }}
\ No newline at end of file
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..319b0341e0daa84d2762360c6cbf0678ac243d88
--- /dev/null
+++ b/chart/deps/minio/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
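Review bot: The DNS exception in default-deny-egress.yaml admits only `protocol: UDP` on port 53, so a resolver that retries over TCP after a truncated response (or a cluster DNS that is configured for TCP) is still denied by this policy and name resolution fails intermittently. Add a second entry under `ports`, `- port: 53` followed by `protocol: TCP`, next to the UDP one. The name `default-deny-external-egress` undersells what the policy does: with `podSelector.matchLabels: {}` and no other `to` rule it denies in-namespace and in-cluster egress as well, and only namespace-allow.yaml in this same commit restores the in-namespace part; a one-line comment above `egress:` pointing at that file would save the next reader the search. Since chart/deps/minio is kpt-synced from upstream, the fix should be made there too.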
@@ -0,0 +1,19 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- if $enabled }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-helm-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + policyTypes: + - Egress + egress: + - {} +{{- end }} +{{- end }} diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5ecf0115b852ab6d78a67691bad2e62d324755bf --- /dev/null +++ b/chart/deps/minio/templates/bigbang/networkpolicies/istio-allow.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istio-ingress + namespace: {{ .Release.Namespace }} +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + ports: + - port: {{ .Values.service.port }} + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-istio-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + app: istiod + ports: + - port: 15012 +{{- end }} 
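Review bot: `allow-istio-ingress` in istio-allow.yaml admits traffic only on `port: {{ .Values.service.port }}`, but once `upgradeTenants.enabled` is set the Service is no longer rendered by this chart (service.yaml moved under release2.0.9 behind a `not .Values.upgradeTenants.enabled` guard) and is created by the operator instead, whose port the new `minio.servicePort` helper models as 443 or 80; if `service.port` does not equal that value, the gateway reaches the VirtualService but this policy drops the connection with no error beyond a timeout. Either use `port: {{ include "minio.servicePort" . | trim }}` in the `upgradeTenants` case or state in values.yaml that `service.port` must match the operator-created service. The same rule selects pods by `app.kubernetes.io/instance: {{ .Release.Name }}`; whether operator-managed tenant pods carry that label is not visible in this diff and should be confirmed, since a non-matching selector means no pod accepts ingress at all. The `allow-istio-egress` policy opens `port: 15012` without a `protocol`, which defaults to TCP and is fine, but stating `protocol: TCP` would keep it consistent with the ingress rule.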
diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml new file mode 100644 index 0000000000000000000000000000000000000000..59065e3900767a80cb15b0cf65d22e87da26cd61 --- /dev/null +++ b/chart/deps/minio/templates/bigbang/networkpolicies/monitoring-ingress.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-scraping + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: monitoring + ports: + - port: {{ .Values.service.port }} + protocol: TCP +{{- end }} \ No newline at end of file diff --git a/chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml b/chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml new file mode 100644 index 0000000000000000000000000000000000000000..495131c6ca86c6be9e4e10acf8c8b86bbe95e344 --- /dev/null +++ b/chart/deps/minio/templates/bigbang/networkpolicies/namespace-allow.yaml @@ -0,0 +1,18 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-in-ns + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: {} + egress: + - to: + - podSelector: {} +{{- end }} \ No newline at end of file diff --git a/chart/deps/minio/templates/console-secret.yaml b/chart/deps/minio/templates/console-secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f2523a43db92e87f134f85ec312a398ff65dd5e7 --- /dev/null +++ b/chart/deps/minio/templates/console-secret.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.tenants.console.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.tenants.console.secrets.name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "minio.labels" . | nindent 4 }} +type: Opaque +stringData: + CONSOLE_PBKDF_PASSPHRASE: {{ .Values.tenants.console.secrets.passphrase }} + CONSOLE_PBKDF_SALT: {{ .Values.tenants.console.secrets.salt }} + CONSOLE_ACCESS_KEY: {{ .Values.tenants.console.secrets.accessKey }} + CONSOLE_SECRET_KEY: {{ .Values.tenants.console.secrets.secretKey }} +--- +{{- end }} \ No newline at end of file diff --git a/chart/deps/minio/templates/default-secret.yaml b/chart/deps/minio/templates/default-secret.yaml index c79e87de13e6aad205d6dd03a06e327dd3e2d964..f80e6f6f1c91a6e0d859f6938076e09ab394ee3b 100644 --- a/chart/deps/minio/templates/default-secret.yaml +++ b/chart/deps/minio/templates/default-secret.yaml @@ -1,3 +1,4 @@ +{{ if false }} apiVersion: v1 kind: Secret metadata: @@ -7,4 +8,4 @@ type: Opaque data: accesskey: bWluaW8= # base 64 encoded "minio" (echo -n 'minio' | base64) secretkey: bWluaW8xMjM= # based 64 encoded "minio123" (echo -n 'minio123' | base64) ---- +{{ end }} diff --git a/chart/deps/minio/templates/minio-vs.yaml b/chart/deps/minio/templates/minio-vs.yaml index 0fbee17d32a9dd3228e11ec22de4721828eb6643..3388d2bba24e3e804a49689f0169267a098a5344 100644 --- a/chart/deps/minio/templates/minio-vs.yaml +++ b/chart/deps/minio/templates/minio-vs.yaml 
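Review bot: The four `stringData` values in console-secret.yaml are interpolated unquoted, so a passphrase, salt or key that parses as a number or boolean, or that contains `: ` or ` #`, either breaks the manifest or is silently retyped before it reaches the console; pipe each through `quote`, e.g. `CONSOLE_PBKDF_PASSPHRASE: {{ .Values.tenants.console.secrets.passphrase | quote }}`. The `---` emitted just before `{{- end }}` leaves a dangling document separator at the end of the file whenever the console is enabled and should be removed. tenant-secret.yaml in this same commit writes its credentials under `data` with `b64enc`, which sidesteps the quoting problem entirely; using the same form here would keep the two secrets consistent. The defaults behind these values live in values.yaml, whose hunk is cut off in this diff, so whether placeholder credentials are committed with the chart cannot be checked from here.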
@@ -24,25 +24,24 @@ spec: - {{ tpl . $}} {{- end }} http: - - match: - - uri: - prefix: /minio/prometheus/metrics - route: - - destination: - host: {{ include "minio.serviceName" . }} - port: - number: {{ .Values.service.port }} - fault: - abort: - percentage: - value: 100 - httpStatus: 403 + #- match: + # - uri: + # prefix: /minio/prometheus/metrics + # route: + # - destination: + # host: {{ include "minio.serviceName" . }} + # port: + # number: {{ include "minio.servicePort" . | trim }} + # fault: + # abort: + # percentage: + # value: 100 + # httpStatus: 403 - match: - uri: prefix: / route: - destination: + # Note: the minio operator creates the service for the tenant with a fixed name host: {{ include "minio.serviceName" . }} - port: - number: {{ .Values.service.port }} -{{- end }} + {{ end }} diff --git a/chart/deps/minio/templates/minioinstance.yaml b/chart/deps/minio/templates/release2.0.9/minioinstance.yaml similarity index 97% rename from chart/deps/minio/templates/minioinstance.yaml rename to chart/deps/minio/templates/release2.0.9/minioinstance.yaml index b79519ad4b978902da4401a993201134a99d5802..76122a2a8bfb4526df907d20a9bf9498c381d9ea 100644 --- a/chart/deps/minio/templates/minioinstance.yaml +++ b/chart/deps/minio/templates/release2.0.9/minioinstance.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.upgradeTenants.enabled }} apiVersion: operator.min.io/v1 kind: MinIOInstance metadata: @@ -11,6 +12,7 @@ spec: metadata: ## Optionally pass labels to be applied to the statefulset pods labels: + app: {{ include "minio.fullname" . }} {{- include "minio.labels" . | nindent 6 }} {{- with .Values.podAnnotations }} annotations: @@ -117,3 +119,4 @@ spec: runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 + {{- end }} \ No newline at end of file 
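Review bot: Commenting out the `/minio/prometheus/metrics` match in minio-vs.yaml removes the 403 fault that kept the metrics endpoint from being served through the Istio gateway; with only the catch-all `/` route left, metrics are now reachable from outside the mesh unless MinIO's own metrics authentication is left at its default, and nothing in the CHANGELOG hunk records that decision. If the path changed for the v4 tenant (the Tenant template's commented annotations mention `/minio/v2/metrics/cluster`), re-enable the block for the new path rather than dropping it. A `#`-commented block is still parsed by Go template, so the `{{ include "minio.serviceName" . }}` and `{{ include "minio.servicePort" . | trim }}` calls inside it keep executing on every render; delete the block or wrap it in `{{/* ... */}}` so that it is genuinely inert. The closing tag changed from `{{- end }}` to an indented `{{ end }}`, which emits a stray whitespace line at the end of the document; restore `{{- end }}`.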
diff --git a/chart/deps/minio/templates/service.yaml b/chart/deps/minio/templates/release2.0.9/service.yaml similarity index 79% rename from chart/deps/minio/templates/service.yaml rename to chart/deps/minio/templates/release2.0.9/service.yaml index c64299dadda0e70d55b29c980fa6b91f978c54bb..cf3ce13fa98bc64cf53de088f865aea35306010e 100644 --- a/chart/deps/minio/templates/service.yaml +++ b/chart/deps/minio/templates/release2.0.9/service.yaml @@ -1,7 +1,9 @@ +{{- if not .Values.upgradeTenants.enabled }} apiVersion: v1 kind: Service metadata: name: {{ include "minio.serviceName" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "minio.labels" . | nindent 4 }} spec: @@ -13,3 +15,4 @@ spec: name: http selector: {{- include "minio.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/chart/deps/minio/templates/serviceMonitor.yaml b/chart/deps/minio/templates/release2.0.9/serviceMonitor.yaml similarity index 88% rename from chart/deps/minio/templates/serviceMonitor.yaml rename to chart/deps/minio/templates/release2.0.9/serviceMonitor.yaml index a9a1e57dd6681b685c693e529e847eadd262cdf6..1098800441c239ec5233b16ca03db88e214dbf8d 100644 --- a/chart/deps/minio/templates/serviceMonitor.yaml +++ b/chart/deps/minio/templates/release2.0.9/serviceMonitor.yaml @@ -1,4 +1,4 @@ -{{- if .Values.monitoring.enabled }} +{{- if and .Values.monitoring.enabled (not .Values.upgradeTenants.enabled) }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/chart/deps/minio/templates/role.yaml b/chart/deps/minio/templates/role.yaml deleted file mode 100644 index a45547bf96c1bb8750dd6447fe89e5ce67a0d442..0000000000000000000000000000000000000000 --- a/chart/deps/minio/templates/role.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if .Values.monitoring.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleList -items: -- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: prometheus-k8s - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: "monitoring" - rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - pods - verbs: - - get - - list - - watch -{{- end }} diff --git a/chart/deps/minio/templates/rolebinding.yaml b/chart/deps/minio/templates/rolebinding.yaml deleted file mode 100644 index ef303a8af8f05a9cead39cd821fc9e0eb2345e50..0000000000000000000000000000000000000000 --- a/chart/deps/minio/templates/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.monitoring.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBindingList -items: -- apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: prometheus-k8s - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: "monitoring" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus-k8s - subjects: - - kind: ServiceAccount - name: prometheus-k8s - namespace: {{ .Values.monitoring.namespace }} -{{- end }} diff --git a/chart/deps/minio/templates/service-account.yaml b/chart/deps/minio/templates/service-account.yaml index 7d2de011d52fb972e246a76957d203015ab6873b..250739201736b1f8f7d2bc9cb0d67acec2c73a69 100644 --- a/chart/deps/minio/templates/service-account.yaml +++ b/chart/deps/minio/templates/service-account.yaml @@ -1,4 +1,3 @@ -{{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -11,5 +10,4 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} -{{- end }} + - {{ toYaml .Values.tenants.imagePullSecret | indent 2 }} 
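Review bot: Removing the `{{- if .Values.serviceAccount.create -}}` guard from service-account.yaml makes the ServiceAccount unconditional, while the values.yaml hunk later in this diff appears to keep the `serviceAccount` block with its "Specifies whether a service account should be created" comment; either keep the guard or drop the value and its comment so the two agree. The new entry `- {{ toYaml .Values.tenants.imagePullSecret | indent 2 }}` renders `- null` when that value is unset, which the API server rejects; wrap it as `{{- with .Values.tenants.imagePullSecret }}`, `- {{ toYaml . | indent 2 }}`, `{{- end }}` so the list is omitted when empty. tenant.yaml consumes the same value under `imagePullSecret:` and needs the same guard.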
diff --git a/chart/deps/minio/templates/tenant-secret.yaml b/chart/deps/minio/templates/tenant-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3b1e576eb69f8e00520cf3981abb0ead2de6010b
--- /dev/null
+++ b/chart/deps/minio/templates/tenant-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.tenants.secrets.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.tenants.secrets.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "minio.labels" . | nindent 4 }}
+type: Opaque
+data:
+ ## Access Key for MinIO Tenant
+ accesskey: {{ .Values.tenants.secrets.accessKey | b64enc }}
+ ## Secret Key for MinIO Tenant
+ secretkey: {{ .Values.tenants.secrets.secretKey | b64enc }}
+{{ end }}
diff --git a/chart/deps/minio/templates/tenant.yaml b/chart/deps/minio/templates/tenant.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4016ef1f5966ef9073b062970e9de9d61303edde
--- /dev/null
+++ b/chart/deps/minio/templates/tenant.yaml
@@ -0,0 +1,235 @@ +{{- if .Values.upgradeTenants.enabled }} +apiVersion: minio.min.io/v2 +kind: Tenant +metadata: + name: {{ include "minio.fullname" . }} + namespace: {{ .Release.Namespace }} + + ## Optionally pass labels to be applied to the statefulset pods + labels: + app: {{ template "minio.fullname" . }} + test: "test1" + {{- include "minio.labels" . | nindent 4 }} + {{- if .Values.istio.virtualService.labels }} + {{ toYaml .Values.istio.virtualservice.labels | indent 4 }} + {{- end }} + {{- if .Values.istio.virtualService.annotations }} + ## Annotations for MinIO Tenant Pods + annotations: + # prometheus.io/path: /minio/v2/metrics/cluster + # prometheus.io/port: "9000" + # prometheus.io/scrape: "true" + {{ toYaml .Values.istio.virtualService.annotations | indent 4 }} + {{- end }} + +## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler. +## If not specified, the Tenant pods will be dispatched by default scheduler. + ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler. + ## If not specified, the Tenant pods will be dispatched by default scheduler. + ##scheduler: + ## name: + +spec: + ## Registry location and Tag to download MinIO Server image + image: {{ .Values.tenants.image.repository }}:{{ .Values.tenants.image.tag }} + imagePullPolicy: {{ .Values.tenants.image.pullPolicy }} + imagePullSecret: + {{ toYaml .Values.tenants.imagePullSecret | indent 4 }} + + ## Secret with credentials to be used by MinIO Tenant. + ## Refers to the secret object created above. + credsSecret: + name: {{ .Values.tenants.secrets.name }} + + ## Specification for MinIO Pool(s) in this Tenant. + {{- range .Values.tenants.pools }} + pools: + ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool. + ## For standalone mode, supply 1. For distributed mode, supply 4 or more. + ## Note that the operator does not support upgrading from standalone to distributed mode. 
+ - servers: {{ .servers }} + + ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server. + volumesPerServer: {{ .volumesPerServer }} + + ## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO Tenant in this + ## Pool. + volumeClaimTemplate: + metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .size }} + #storageClassName: {{ .storageClassName}} + + ## Used to specify a toleration for a pod + # tolerations: + # - effect: NoSchedule + # key: dedicated + # operator: Equal + # value: storage + {{- with .tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + + ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be + ## eligible to run on a node, the node must have each of the + ## indicated key-value pairs as labels. + ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # nodeSelector: + # disktype: ssd + {{- with .nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + + ## Affinity settings for MinIO pods. Read more about affinity + ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/hostname + # operator: In + # values: + # - hostname1 + # - hostname2 + {{- with .affinity }} + affinity: + {{ toYaml . 
| nindent 8 }} + {{- end }} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - store + # topologyKey: "kubernetes.io/hostname" + + ## Configure resource requests and limits for MinIO containers + # resources: + # requests: + # cpu: 250m + # memory: 16Gi + # limits: + # cpu: 500m + # memory: 16Gi + {{- with .resources }} + resources: + {{ toYaml . | nindent 8 }} + {{- end }} + + ## Configure security context + #securityContext: + # runAsUser: 1000 + # runAsGroup: 1000 + # runAsNonRoot: true + {{- with .securityContext }} + securityContext: + {{ toYaml . | nindent 8 }} + {{- end }} + {{ end }} + + ## Mount path where PV will be mounted inside container(s). + mountPath: {{ .Values.tenants.mountPath }} + + ## Sub path inside Mount path where MinIO stores data. + subPath: {{ .Values.tenants.subPath }} + + ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure + ## TLS for MinIO Tenant pods. Create secrets as explained here: + ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + # externalCertSecret: + # - name: tls-ssl-minio + # type: kubernetes.io/tls + #{{- with .Values.tenants.certificate.externalCertSecret }} + #externalCertSecret: + # {{ toYaml . | nindent 6 }} + #{{ end }} + + ## Enable automatic Kubernetes based certificate generation and signing as explained in + ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster + requestAutoCert: {{ .Values.tenants.certificate.requestAutoCert }} + + ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be + ## accessible as DNS entries of form `.minio.default.svc.cluster.local` + s3: + ## This feature is turned off by default + bucketDNS: {{ .Values.tenants.s3.bucketDNS }} + + ## This field is used only when "requestAutoCert" is set to true. 
Use this field to set CommonName + ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is + ## not provided. DNS name format is *.minio.default.svc.cluster.local + {{- with .Values.tenants.certificate.certConfig }} + certConfig: + {{ toYaml . | nindent 4 }} + {{- end }} + + ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel" + ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy + ## for details. + podManagementPolicy: {{ .Values.tenants.podManagementPolicy }} + + ## PrometheusOperator enables the Minio Operator to create the Prometheus serviceMonitor objects to scrape + ## metrics from the tenant + prometheusOperator: + labels: + app.kubernetes.io/component: "monitoring" + {{ include "minio.labels" . | nindent 6 }} + + ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific + ## services created by the operator. + {{- with .Values.tenants.serviceMetadata }} + serviceMetadata: + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .env }} + {{ toYaml . | nindent 4 }} + {{- end }} + + ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) + #env: + # - name: MINIO_PROMETHEUS_AUTH_TYPE + # value: "public" + # - name: MINIO_BROWSER + # value: "off" # to turn-off browser + # - name: MINIO_STORAGE_CLASS_STANDARD + # value: "EC:2" + # ## For secure env vars like passwords, create an opaque Kubernetes secret and specify the secret in + # ## the `valueFrom` field. 
The `valueFrom` object must contain the following fields: + # ## `name` - the secret from which MinIO extracts the password, `key` - the data field + # ## within secret, whose value will be set to the env variable's value + # - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD + # valueFrom: + # secretKeyRef: + # name: ldap-minio-secret + # key: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD + + ## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. + ## This is applied to MinIO pods only. + ## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ + {{- if .Values.tenants.priorityClassName }} + priorityClassName: {{ .Values.tenants.priorityClassName }} + {{- end }} + + ## Define configuration for Console (Graphical user interface for MinIO) + ## Refer https://github.com/minio/console + {{- if .Values.tenants.console.enabled }} + console: + image: {{ .Values.tenants.console.image.repository }}:{{ .Values.tenants.console.image.tag }} + replicas: {{ .Values.tenants.console.replicaCount }} + consoleSecret: + name: {{ .Values.tenants.console.secrets.name }} + {{- with .Values.tenants.securityContext }} + securityContext: + {{ toYaml . | nindent 6 }} + {{ end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/deps/minio/templates/tests/test-ui.yaml b/chart/deps/minio/templates/tests/test-ui.yaml new file mode 100644 index 0000000000000000000000000000000000000000..331d74e28c00fd7e4e945c7ff8d5d99ce6f9214c --- /dev/null +++ b/chart/deps/minio/templates/tests/test-ui.yaml 
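Review bot: In the metadata block of tenant.yaml the guard tests `.Values.istio.virtualService.labels` but the body reads `.Values.istio.virtualservice.labels` (lower-case `s`), so any chart that sets those labels fails to render with a nil-pointer error on the misspelled key; the body should be `{{ toYaml .Values.istio.virtualService.labels | indent 4 }}`. The `pools:` key is emitted inside `{{- range .Values.tenants.pools }}`, so a tenant with more than one pool produces a duplicate `pools:` mapping key and only the last pool survives parsing; move `pools:` above the `range` and keep only the `- servers:` items inside it. `test: "test1"` under `metadata.labels` reads as a leftover debug label and should go. Further down, `{{- with .env }}` is evaluated on the root context, where `env` does not exist, so it silently renders nothing; presumably `.Values.tenants.env` was intended, and the scheduler comment block is duplicated at two indents just above `spec:`.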
@@ -0,0 +1,13 @@ +{{- include "bb-test-lib.cypress-configmap.overrides" (list . "minio-test.cypress-configmap") }} +{{- define "minio-test.cypress-configmap" }} +metadata: + labels: + {{- include "minio.labels" . | nindent 4 }} +{{- end }} +--- +{{- include "bb-test-lib.cypress-runner.overrides" (list . "minio-test.cypress-runner") -}} +{{- define "minio-test.cypress-runner" -}} +metadata: + labels: + {{- include "minio.labels" . | nindent 4 }} +{{- end }} diff --git a/chart/deps/minio/templates/tests/test-write.yaml b/chart/deps/minio/templates/tests/test-write.yaml new file mode 100644 index 0000000000000000000000000000000000000000..dac09b701f05f9dd52e2f6fe6a4fc348c0e634b2 --- /dev/null +++ b/chart/deps/minio/templates/tests/test-write.yaml @@ -0,0 +1,13 @@ +{{- include "bb-test-lib.script-configmap.overrides" (list . "minio-test.script-configmap") }} +{{- define "minio-test.script-configmap" }} +metadata: + labels: + {{- include "minio.labels" . | nindent 4 }} +{{- end }} +--- +{{- include "bb-test-lib.script-runner.overrides" (list . "minio-test.script-runner") -}} +{{- define "minio-test.script-runner" -}} +metadata: + labels: + {{- include "minio.labels" . | nindent 4 }} +{{- end }} diff --git a/chart/deps/minio/tests/cypress/cypress.json b/chart/deps/minio/tests/cypress/cypress.json new file mode 100644 index 0000000000000000000000000000000000000000..e36f98472bbfea7bfc965e1a081f0b002af04859 --- /dev/null +++ b/chart/deps/minio/tests/cypress/cypress.json @@ -0,0 +1,5 @@ +{ + "pluginsFile": false, + "supportFile": false, + "fixturesFolder": false +} diff --git a/chart/deps/minio/tests/cypress/minio-health.spec.js b/chart/deps/minio/tests/cypress/minio-health.spec.js new file mode 100644 index 0000000000000000000000000000000000000000..6778cf9b1975182d923a0a73b0296935cabc272a --- /dev/null +++ b/chart/deps/minio/tests/cypress/minio-health.spec.js 
@@ -0,0 +1,5 @@
+describe('Basic Minio', function() {
+  it('Check Minio UI is accessible', function() {
+    cy.visit(Cypress.env('url'))
+  })
+})
diff --git a/chart/deps/minio/tests/cypress/minio-login.js b/chart/deps/minio/tests/cypress/minio-login.js
new file mode 100644
index 0000000000000000000000000000000000000000..d64096b0dea0bbfb50203442aa179433cad51eb7
--- /dev/null
+++ b/chart/deps/minio/tests/cypress/minio-login.js
@@ -0,0 +1,24 @@
+describe('Minio Login', function() {
+  it('Check Minio Login', function() {
+    cy.visit(Cypress.env('url')+"/minio/login")
+    // Fill the username
+    cy.get('[name="username"]')
+      .type(Cypress.env('accesskey'))
+      .should('have.value', Cypress.env('accesskey'));
+
+    // Fill the password
+    cy.get('[name="password"]')
+      .type(Cypress.env('secretkey'))
+      .should('have.value', Cypress.env('secretkey'));
+
+    // Locate and submit the form
+    cy.get('form').submit();
+
+    // Verify the app redirected you to the homepage
+    cy.location('pathname', { timeout: 10000 }).should('eq', '/minio/');
+
+    // Verify the page title is "Home"
+    cy.title().should('eq', 'MinIO Browser');
+
+  })
+})
diff --git a/chart/deps/minio/tests/scripts/test-write.sh b/chart/deps/minio/tests/scripts/test-write.sh
new file mode 100644
index 0000000000000000000000000000000000000000..3980f45e8ad73fd916d357661d1ea9c933e2b00f
--- /dev/null
+++ b/chart/deps/minio/tests/scripts/test-write.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -ex
+# stall the ensure that the instances are started.
+sleep 60
+mc config host add bigbang http://${MINIO_HOST}:${MINIO_PORT} ${ACCESS_KEY} ${SECRET_KEY}
+# cleanup from pervious runs
+mc rb bigbang/foobar --force || true
+mc mb bigbang/foobar
+mc ls bigbang/foobar
+base64 /dev/urandom | head -c 10000000 > /tmp/file.txt
+md5sum /tmp/file.txt > /tmp/filesig
+mc cp /tmp/file.txt bigbang/foobar/file.txt
+mc ls bigbang/foobar/file.txt
+mc cp bigbang/foobar/file.txt /tmp/file.txt
+mc rb bigbang/foobar --force
+md5sum -c /tmp/filesig
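Review bot: The password step in minio-login.js types the MinIO secret key without `{ log: false }`, so the value is written into the Cypress command log and, with `cypress.artifacts: true` set in tests/test-values.yml, into the persisted screenshots and video; the following `.should('have.value', Cypress.env('secretkey'))` prints the expected value into the assertion message as well. Change the password block to `cy.get('[name="password"]').type(Cypress.env('secretkey'), { log: false })` and drop the have.value assertion on that field (the username check already proves the form is being filled). This file lives under the vendored minio subchart, so the fix probably needs to land upstream too.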
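Review bot: `set -ex` on line 2 of test-write.sh makes bash echo every expanded command, so the `mc config host add` line prints `${ACCESS_KEY}` and `${SECRET_KEY}` in clear into the test pod's log, where anyone with log read access in the namespace can collect them. Use `set -e` at the top and enable tracing only after the alias is configured: `mc config host add bigbang "http://${MINIO_HOST}:${MINIO_PORT}" "${ACCESS_KEY}" "${SECRET_KEY}"` followed by `set -x`. Quoting the expansions also keeps an empty or space-containing variable from silently shifting the positional arguments. The fixed `sleep 60` is a guess at readiness; polling the MinIO endpoint until it answers would be faster and less flaky, but that is a separate change.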
diff --git a/chart/deps/minio/values.yaml b/chart/deps/minio/values.yaml index e51cc84d1471039f7671066bc632ab1410fe6cfe..6161362e1a7d754141ddc4ca0053e7a508982ac9 100644 --- a/chart/deps/minio/values.yaml +++ b/chart/deps/minio/values.yaml @@ -1,35 +1,13 @@ -# ## Default values for minio instance creation. -## This is a YAML-formatted file. -## Declare variables to be passed into your templates. -## Configure number of MinIO Operator Deployment Replicas -replicas: - count: 1 +## Note: to enable upgrade of minio instance, then values file has a number of values that will be +## deprecated in the future. Deprecation candidates will have an annotation in comments regarding the timeframe for deprecation. hostname: bigbang.dev -nameOverride: "" -fullnameOverride: "" -# Configure repo and tag of MinIO Operator Image -image: - name: registry1.dso.mil/ironbank/opensource/minio/minio - tag: RELEASE.2020-11-19T23-48-16Z - imagePullPolicy: IfNotPresent - -zones: - # refer to documentation for number of servers versus volumes per server - # https://docs.min.io/docs/minio-server-limits-per-tenant.html - servers: 3 # scale to 3 for dev - -volumesPerServer: 2 # 2 is minimum volumes with 3 servers - -volumeClaimTemplate: - accessModes: ReadWriteOnce - storage: 1Gi # scale down for dev - -minioRootCreds: default-minio-creds-secret - -imagePullSecrets: [ ] +# When true, upgradeTenants enables use of the V4.* Minio Operator CRD for creation of tenants is enabled. +# The default will be made TRUE in a future release. +upgradeTenants: + enabled: false serviceAccount: # Specifies whether a service account should be created 
@@ -40,6 +18,8 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# because the operator handles the service deployment in 4.x and beyond. service: # Internal service name for minio instance. This is the full name of the service used to connect to Minio from within the cluster. # If not specified, the service name will be the default full name of the minio instance. @@ -47,6 +27,7 @@ service: type: ClusterIP port: 9000 +# Removed ina future release podAnnotations: {} istio: 
@@ -62,9 +43,194 @@ istio: service: "" port: "" - monitoring: enabled: false namespace: monitoring -mcImage: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-03-23T05-46-11Z \ No newline at end of file +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +image: + name: registry1.dso.mil/ironbank/opensource/minio/minio + tag: RELEASE.2020-11-19T23-48-16Z + pullPolicy: "IfNotPresent" + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +zones: + # refer to documentation for number of servers versus volumes per server + # https://docs.min.io/docs/minio-server-limits-per-tenant.html + servers: 3 # scale to 3 for dev + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +volumesPerServer: 2 # 2 is minimum volumes with 3 servers + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. +volumeClaimTemplate: + accessModes: ReadWriteOnce + storage: 1Gi # scale down for dev + +# This is maintained for compatible upgrade with the 2.0.9 release. The following service itens will be removed ina future release +# once all upgrades are complete. 
+minioRootCreds: default-minio-creds-secret + +## MinIO Tenant Definition used for 4.1.2 upgrade +tenants: + # Tenant name + name: minio + ## Registry location and Tag to download MinIO Server image + # Configure repo and tag of MinIO Operator Image + image: + repository: registry1.dso.mil/ironbank/opensource/minio/minio + tag: RELEASE.2021-06-17T00-10-46Z + pullPolicy: "IfNotPresent" + ## Customize namespace for tenant deployment + #namespace: default + imagePullSecret: + name: private-registry + ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler. + ## If not specified, the Tenant pods will be dispatched by default scheduler. + ##scheduler: + ## name: + scheduler: {} + + ## Used to specify a toleration for a pod + #tolerations: {} + + ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be + ## eligible to run on a node, the node must have each of the + ## indicated key-value pairs as labels. + ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + #nodeSelector: {} + + ## Affinity settings for MinIO pods. Read more about affinity + ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. + #affinity: {} + + ## Configure resource requests and limits for MinIO containers + #resources: {} + + ## Configure security context + ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup + #securityContext: + # runAsUser: 1001 + # runAsGroup: 1001 + # fsGroup: 1001 + + ## Specification for MinIO Pool(s) in this Tenant. + pools: + ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool. + ## For standalone mode, supply 1. For distributed mode, supply 4 or more. + ## Note that the operator does not support upgrading from standalone to distributed mode. + - servers: 4 + ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server. 
+ volumesPerServer: 4 + ## size specifies the capacity per volume + size: 1Gi + ## storageClass specifies the storage class name to be used for this pool + storageClassName: local-path + ## Used to specify a toleration for a pod + tolerations: {} + ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be + ## eligible to run on a node, the node must have each of the + ## indicated key-value pairs as labels. + ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + ## Affinity settings for MinIO pods. Read more about affinity + ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. + affinity: {} + ## Configure resource requests and limits for MinIO containers + resources: {} + ## Configure security context + ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + ## Mount path where PV will be mounted inside container(s). + mountPath: /export + + ## Sub path inside Mount path where MinIO stores data. + subPath: /data + + # pool secrets + secrets: + enabled: true + name: minio-creds-secret + accessKey: minio + secretKey: minio123 + + # pool metrics to be read by Prometheus + metrics: + enabled: false + port: 9000 + + certificate: + ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure + ## TLS for MinIO Tenant pods. Create secrets as explained here: + ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + externalCertSecret: {} + ## Enable automatic Kubernetes based certificate generation and signing as explained in + ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster + ## false = disabled TLS endpoints at the tenants + requestAutoCert: false + ## This field is used only when "requestAutoCert" is set to true. 
Use this field to set CommonName + ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is + ## not provided. DNS name format is *.minio.default.svc.cluster.local + ##certConfig: + ## commonName: "" + ## organizationName: [] + ## dnsNames: [] + certConfig: {} + ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be + ## accessible as DNS entries of form `.minio.default.svc.cluster.local` + s3: + ## This feature is turned off by default + bucketDNS: false + ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel" + ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy + ## for details. + podManagementPolicy: Parallel + ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific + ## services created by the operator. + ##serviceMetadata: {} + serviceMetadata: + minioServiceLabels: + label: minio-svc + minioServiceAnnotations: + v2.min.io: minio-svc + # consoleServiceLabels: + # label: console-svc + # consoleServiceAnnotations: + # v2.min.io: console-svc + + ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) + env: {} + ## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. + ## This is applied to MinIO pods only. 
+  ## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
+  # e.g., priorityClassName: high-priority
+  priorityClassName : ""
+  ## Define configuration for Console (Graphical user interface for MinIO)
+  ## Refer https://github.com/minio/console
+  console:
+    enabled: false
+    image:
+      repository: minio/console
+      tag: v0.7.4
+      pullPolicy: IfNotPresent
+    replicaCount: 1
+    secrets:
+      enabled: true
+      name: console-secret
+      passphrase: SECRET
+      salt: SECRET
+      accessKey: YOURCONSOLEACCESS
+      secretKey: YOURCONSOLESECRET
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fbf5d4a189547b4a61cb009468e43ca86b08109e
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  # Allow access to DNS
+  egress:
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - port: 53
+      protocol: UDP
+    {{- if .Values.openshift }}
+    - port: 5353
+      protocol: UDP
+    {{- end }}
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f704b0936a9189dfeb0c246c3a39a5660d382274
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
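Review bot: `tenants.secrets` ships with `enabled: true` and the well-known `accessKey: minio` / `secretKey: minio123`, and `tenants.console.secrets` with `passphrase: SECRET` / `salt: SECRET`, so an install that does not override these gets a tenant with publicly known credentials; `requestAutoCert: false` further means those credentials cross the cluster network in clear unless an `externalCertSecret` is supplied. The secret-rendering template is not in this diff, but the usual fix is to ship empty strings here (`accessKey: ""`, `secretKey: ""`, likewise passphrase and salt) and have the template wrap them in `required "tenants.secrets.accessKey must be set"` so rendering fails instead of falling back to `minio123`. Separately, `console.image.repository: minio/console` pulls from Docker Hub while the server image is pinned to registry1 Iron Bank; if the console is ever enabled the image should come from the same registry. These are values of the vendored minio-instance subchart, so the change may need to land upstream as well.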
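Review bot: `allow-dns-egress` only opens UDP/53 (and UDP/5353 on OpenShift); answers larger than the UDP size limit fall back to TCP/53, and under default-deny the resolver then hangs, which surfaces as intermittent lookup failures for large SRV/TXT responses or DNSSEC. Add `- port: 53` / `protocol: TCP` next to the UDP entry (and TCP/5353 inside the openshift branch). The `namespaceSelector: {}` with no podSelector also lets every pod in the namespace reach port 53 on any pod in any namespace; if the cluster labels its DNS namespace, narrowing the selector to it keeps the rule from being a generic cross-namespace UDP/53 channel.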
@@ -0,0 +1,25 @@
+
+{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-elastic-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: logging
+      podSelector:
+        matchLabels:
+          common.k8s.elastic.co/type: elasticsearch
+    ports:
+    - port: 9200
+      protocol: TCP
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..265a0e581a1ef7d28b57e7ff7d61e1bad03fe896
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-postgres-egress-upgrade
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost-update-check
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+      # ONLY Block requests to AWS metadata IP
+      except:
+      - 169.254.169.254/32
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..97a841cca7ca41fbbfe94e4f1415e4230d70f49b
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
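Review bot: `allow-external-postgres-egress-upgrade` grants the `mattermost-update-check` pod egress to all of IPv4 on every port, far wider than the single external database it needs, and its comment says "AWS metadata IP" while `allow-test-egress` in this same diff calls the same address the "cloud metadata IP" (169.254.169.254 is also the GCP, Azure and OpenStack endpoint). Consider driving the range from a value, `cidr: {{ .Values.networkPolicies.externalPostgresCidr | default "0.0.0.0/0" }}`, and guarding the `except` block with the same `{{- if eq … "0.0.0.0/0" }}` pattern allow-test-egress uses, because the API server rejects an `except` entry that is not inside `cidr`. At minimum align the comment wording so the two policies read consistently.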
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector: {}
+  egress:
+  - to:
+    - podSelector: {}
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-istio.yaml b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6c4c48ca2c873b93a7d7e0a753fd2f2ebbf7fb34
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: 8065
+      protocol: TCP
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..931746c375fb18452f05409693066de5c82a07ae
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-mattermost-egress.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-mattermost-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+      # ONLY Block requests to AWS metadata IP
+      except:
+      - 169.254.169.254/32
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b7389e8c591d0367195586c4d7ebd120b269054d
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+    ports:
+    - port: 8067
+      protocol: TCP
+{{- end }}
diff --git a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..974182bd8bdb3e389e1b0e94f75ac732d8dd3847
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
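Review bot: `allow-mattermost-egress` lets the `app: mattermost` pods reach any IPv4 address on any port, so for the application itself the namespace `default-deny` policy added in this diff restricts nothing outbound except the metadata address. That is a defensible default for a chat server with webhooks, push notifications and plugins, but operators in restricted enclaves get no knob to narrow it. Mirror `controlPlaneCidr` with a configurable range, `cidr: {{ .Values.networkPolicies.mattermostEgressCidr | default "0.0.0.0/0" }}`, keep the `except` inside a `0.0.0.0/0` guard as allow-test-egress does, and document that a narrower range must itself exclude 169.254.169.254. The comment should also say "cloud metadata IP" rather than "AWS", matching the wording used in allow-test-egress.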
@@ -0,0 +1,26 @@ +{{- $bbtests := .Values.bbtests | default dict -}} +{{- $enabled := (hasKey $bbtests "enabled") -}} +{{- if $enabled }} +{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-test-egress + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + helm-test: enabled + egress: + - to: + - ipBlock: + cidr: {{ .Values.networkPolicies.controlPlaneCidr }} + {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }} + # ONLY Block requests to cloud metadata IP + except: + - 169.254.169.254/32 + {{- end }} + policyTypes: + - Egress +{{- end }} +{{- end }} diff --git a/chart/templates/bigbang/networkpolicies/deny-default.yaml b/chart/templates/bigbang/networkpolicies/deny-default.yaml new file mode 100644 index 0000000000000000000000000000000000000000..df7d38ea61b70bcf4399fdddaf2907532929246a --- /dev/null +++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml @@ -0,0 +1,14 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: [] + egress: [] +{{- end }} diff --git a/chart/templates/mattermost.yaml b/chart/templates/mattermost.yaml index 190ebebb02981f46b75b085f8d05df9ca265b3a8..f7d6e6829c56e2572c9f3b62eea5c5ff71190a48 100644 --- a/chart/templates/mattermost.yaml +++ b/chart/templates/mattermost.yaml @@ -9,6 +9,10 @@ metadata: spec: image: {{ .Values.image.name }} imagePullPolicy: {{ .Values.image.imagePullPolicy }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 4 }} + {{- end }} size: {{ .Values.users }}users version: {{ .Values.image.tag }} 
@@ -149,6 +153,16 @@ spec: {{ toYaml .Values.nodeSelector | nindent 6 }} {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 4}} + {{- end }} + + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 4}} + {{- end }} + database: external: secret: {{ .Values.database.secret | default (printf "%s-dbcreds" (include "mattermost.fullname" .)) }} diff --git a/chart/templates/tests/test-ui.yaml b/chart/templates/tests/test-ui.yaml index 57f97717fa3416c85c53db25f8f04b7837fa6134..163bd16f97c275ce0d713081a0afdf6e07f0116d 100644 --- a/chart/templates/tests/test-ui.yaml +++ b/chart/templates/tests/test-ui.yaml @@ -1,11 +1,11 @@ -{{- include "bb-test-lib.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }} +{{- include "gluon.tests.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }} {{- define "mattermost-test.cypress-configmap" }} metadata: labels: {{ include "mattermost.labels" . | nindent 4 }} {{- end }} --- -{{- include "bb-test-lib.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}} +{{- include "gluon.tests.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}} {{- define "mattermost-test.cypress-runner" -}} metadata: labels: diff --git a/chart/values.yaml b/chart/values.yaml index 67ed032aca4e71c44692922394470bad472cbeb9..c4a81376eab09efa91f51b103037b156d20268d3 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -18,6 +18,13 @@ monitoring: enabled: false namespace: monitoring +networkPolicies: + enabled: false + ingressLabels: + app: istio-ingressgateway + istio: ingressgateway + controlPlaneCidr: 0.0.0.0/0 + sso: enabled: false client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost 
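Review bot: The new `networkPolicies` stanza in chart/values.yaml has no comments, so an operator cannot tell that `controlPlaneCidr` feeds the helm-test egress policy or that the metadata-address exception is only rendered for the literal default; `ingressLabels` is likewise undocumented. Add above `controlPlaneCidr`: `# CIDR the helm-test pods may reach (Kubernetes API / control plane). 169.254.169.254 is excluded only when this stays 0.0.0.0/0; a narrower range must not contain it.` and above `ingressLabels`: `# Labels selecting the Istio ingress gateway pods allowed to reach Mattermost on 8065.` Without that note, the allow-test-egress template's string compare on `"0.0.0.0/0"` is an easy trap for anyone who sets, say, `128.0.0.0/1`.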
@@ -28,8 +35,8 @@ sso: # Repo and image tag image: - name: registry.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost/mattermost - tag: 5.34.2 + name: registry1.dso.mil/ironbank/opensource/mattermost/mattermost + tag: 5.36.1 imagePullPolicy: IfNotPresent global: @@ -95,6 +102,17 @@ existingSecretEnvs: {} # key: DB_CONNECTION_CHECK_URL # name: "mysecretname" +volumes: {} + # - name: ca-cert + # secret: + # secretName: ca-secret + # defaultMode: 0644 + +volumeMounts: {} + # - name: ca-cert + # mountPath: /etc/ssl/certs + # readOnly: true + minio: install: false @@ -175,3 +193,5 @@ elasticsearch: enablesearching: true # When true, Elasticsearch will be used for all autocompletion queries on users and channels using the latest index. Autocompletion results may be incomplete until a bulk index of the existing users and channels database is finished. When false, database autocomplete is used. enableautocomplete: true + +openshift: false diff --git a/docs/keycloak.md b/docs/keycloak.md index a2423ae55d7ddd7f36e81201481c9d4aca046a16..36431b3c704804ae5acb2a2508116fb5f51fc814 100644 --- a/docs/keycloak.md +++ b/docs/keycloak.md @@ -20,7 +20,7 @@ Under the mappers tab, create a new mapper: - claim JSON type - long - add to userinfo - on -Create another mapper: +Create username mapper: - name - username - mapper type - user property - property - username @@ -29,6 +29,15 @@ Create another mapper: - add to userinfo - on - all other sliders off +Create email mapper: +- name - email +- mapper type - user property +- property - email +- token claim name - email +- claim JSON type - string +- add to userinfo - on +- all other sliders off + Add mattermostid to existing user: - Login to keycloak Admin Console with the master realm user - Go to your realm 
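Review bot: The commented `volumeMounts` example mounts the `ca-cert` secret at `/etc/ssl/certs`, and a volume mounted on a directory replaces that directory's contents, so whatever CA bundle the Mattermost image keeps there disappears and only the custom certificate remains trusted, at which point outbound TLS to public endpoints fails. Show the additive form instead: `mountPath: /etc/ssl/certs/custom-ca.pem` with `subPath: cert.pem`, which drops the file beside the bundle rather than in place of it (noting that a subPath mount does not pick up later secret updates). The same example is repeated in docs/keycloak.md and should change there too. A one-line comment that `volumes` is handed to the operator verbatim, so a `hostPath` entry here lands in the Mattermost pods unfiltered, would also help reviewers of overrides.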
@@ -68,3 +77,27 @@ helm upgrade -i mattermost chart -n mattermost --create-namespace -f my-values.y Role based authentication can be configured as long as you are on an enterprise version. Follow the steps in [this tutorial](https://docs.mattermost.com/deployment/advanced-permissions.html) to customize the permissions given to users. In general permissions can be edited under the "System Console -> User Management -> Permissions". Users should be created by default under the "Member" group, except for the first user to sign up or login. + +## OIDC Custom CA + +Mattermost can be configured to point to specific files to trust with an OIDC auth connection, here is an example when using Big Bang to deploy mattermost, assuming you are populating a secret named "ca-cert" in the same namespace, with a key of cert.pem and value of a single PEM encoded certificate (an easy way to make this secret is included below as well): + +```yaml +addons: + mattermost: + values: + volumes: + - name: ca-cert + secret: + secretName: ca-secret + defaultMode: 0644 + volumeMounts: + - name: ca-cert + mountPath: /etc/ssl/certs + readOnly: true +``` + +For secret creation with this example and a pem file at `/path/to/cert.pem`: +```bash +kubectl create secret generic ca-secret --from-file=cert.pem=/path/to/cert.pem -n mattermost +``` diff --git a/tests/dependencies.yaml b/tests/dependencies.yaml index 3b18fbc707fe4712a18b56f139f543c0b01d7bb1..4d3fe12d5d98b61db9def1c046e6f1bd8239f98a 100644 --- a/tests/dependencies.yaml +++ b/tests/dependencies.yaml @@ -1,9 +1,9 @@ mattermostoperator: git: "https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git" namespace: "mattermost-operator" - branch: "1.12.0-bb.0" + branch: "1.14.0-bb.1" miniooperator: git: "https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git" namespace: "minio-operator" - branch: "2.0.9-bb.1" + branch: "4.1.2-bb.1" 
diff --git a/tests/test-values.yml b/tests/test-values.yml index f180ba22f089d4c494ebb1c963a5f6c06f31f7ca..322ba781db69465531ef7e6305b95167d546e4e4 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -4,7 +4,11 @@ minio: postgresql: install: true +networkPolicies: + enabled: true + bbtests: + enabled: true cypress: artifacts: true envs: