Add mattermost component and abstract db and object storage (#6)

* Add mattermost component

.github/workflows/publish.yml

@@ -47,14 +47,23 @@ jobs:
           username: ${{ secrets.REGISTRY1_USERNAME }}
           password: ${{ secrets.REGISTRY1_PASSWORD }}
 
+      ####
+      # Build and publish dependency packages to use in a dev UDS Bundle
+      ####
+      - name: Build and publish dev-dependency mattermost-postgres package
+        run: cd utils/pkg-deps/mattermost/postgres && zarf package create --confirm --no-progress --output oci://ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency
+
+      - name: Build and publish dev-dependency mattermost-minio package
+        run: cd utils/pkg-deps/mattermost/minio && zarf package create --confirm --no-progress --output oci://ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency
+
       ####
       # Build and publish capability package and skeleton
       ####
-      - name: Build mattermost-operator package
+      - name: Build mattermost package
         run: zarf package create --confirm --no-progress
 
-      - name: Publish mattermost-operator package
-        run: zarf package publish zarf-package-mattermost-operator-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-capability --no-progress
+      - name: Publish mattermost package
+        run: zarf package publish zarf-package-mattermost-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-capability --no-progress
 
-      - name: Publish mattermost-operator skeleton
+      - name: Publish mattermost skeleton
         run: zarf package publish . oci://ghcr.io/defenseunicorns/uds-capability --no-progress

Makefile

@@ -134,7 +134,7 @@ cluster/destroy: ## Destroy the k3d cluster
 # Build Section
 ########################################################################
 
-build/all: build build/zarf build/zarf-init build/dubbd-k3d build/uds-capability-mattermost-operator ##
+build/all: build build/zarf build/zarf-init build/dubbd-k3d build/test-pkg-deps build/uds-capability-mattermost-operator ##
 
 build: ## Create build directory
 	mkdir -p build
@@ -161,30 +161,40 @@ build/dubbd-k3d: | build/zarf ## Download dubbd k3d oci package
 	if [ -f build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst ] ; then exit 0; fi && \
 	cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION)-amd64 --oci-concurrency 12
 
-build/uds-capability-mattermost-operator: | build ## Build the mattermost-operator capability
+build/test-pkg-deps: | build/zarf ## Build package dependencies for testing
+	cd build && ./zarf package create ../utils/pkg-deps/namespaces/ --skip-sbom --confirm
+	cd build && ./zarf package create ../utils/pkg-deps/mattermost/postgres/ --skip-sbom --confirm
+	cd build && ./zarf package create ../utils/pkg-deps/mattermost/minio/ --skip-sbom --confirm
+
+build/uds-capability-mattermost-operator: | build ## Build the mattermost capability
 	cd build && ./zarf package create ../ --skip-sbom --confirm
 
 ########################################################################
 # Deploy Section
 ########################################################################
 
-deploy/all: deploy/init deploy/dubbd-k3d deploy/uds-capability-mattermost-operator ##
+deploy/all: deploy/init deploy/dubbd-k3d deploy/test-pkg-deps deploy/uds-capability-mattermost-operator ##
 
 deploy/init: | build/zarf ## Deploy the zarf init package
 	cd build && ./zarf init --confirm --components=git-server
 
 deploy/dubbd-k3d: | build/zarf ## Deploy the k3d flavor of DUBBD
 	cd build && ./zarf package deploy zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst --confirm
 
-deploy/uds-capability-mattermost-operator: ## Deploy the mattermost-operator capability
-	cd build && ./zarf package deploy zarf-package-mattermost-operator-amd64-*.tar.zst --confirm
+deploy/test-pkg-deps: | build/zarf ## Deploy the package dependencies needed for testing the mattermost capability
+	cd build && ./zarf package deploy zarf-package-mattermost-namespaces-* --confirm
+	cd build && ./zarf package deploy zarf-package-mattermost-postgres-* --confirm
+	cd build && ./zarf package deploy zarf-package-mattermost-minio-* --confirm
+
+deploy/uds-capability-mattermost-operator: ## Deploy the mattermost capability
+	cd build && ./zarf package deploy zarf-package-mattermost-amd64-*.tar.zst --confirm
 
 ########################################################################
 # Macro Section
 ########################################################################
 
 .PHONY: all
-all: build/all cluster/reset deploy/all ## Build and deploy mattermost-operator locally
+all: build/all cluster/reset deploy/all ## Build and deploy mattermost locally
 
 .PHONY: rebuild
 rebuild: clean build/all

README.md

@@ -1,12 +1,38 @@
-# uds-capability-mattermost-operator
+# uds-capability-mattermost
+Contains both the Mattermost Operator and a Mattermost component
+
 Bigbang [Mattermost Operator](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator) deployed via flux by zarf
 
+Bigbang [Mattermost](https://repo1.dso.mil/big-bang/product/packages/mattermost) deployed via flux by zarf
+
 ## Deployment Prerequisites
 
 ### Resources
 - Minimum compute requirements for single node deployment are at LEAST 64 GB RAM and 32 virtual CPU threads (aws `m6i.8xlarge` instance type should do)
 - k3d installed on machine
 
+#### General
+
+- Create `mattermost` namespace
+- Label `mattermost` namespace with `istio-injection: enabled`
+
+#### Database
+
+- A Postgres database is running on port `5432` and accessible to the cluster
+- This database can be logged into via the username `mattermost`
+- This database instance has a psql database created named `mattermostdb`
+- The `mattermost` user has read/write access to the above mentioned database
+- Create `mattermost-postgres` service in `mattermost` namespace that points to the psql database
+- Create `mattermost-postgres` secret in `mattermost` namespace with the keys `DB_CONNECTION_STRING` and `DB_CONNECTION_CHECK_URL` that contains connection the string to the for the psql database. Example connection string `postgres://mattermost:###ZARF_VAR_POSTGRES_DB_PASSWORD###@mattermost-postgres.mattermost.svc.cluster.local:5432/mattermostdb?connect_timeout=10&sslmode=disable`
+
+#### Object Storage
+
+- Create the secret `mattermost-object-store` in the `mattermost` namespace with the following keys:
+  - An example for in-cluster Minio can be found in this repository at the path `utils/pkg-deps/mattermost/minio/secret.yaml`
+  - Secret needs to contain the `accessKey` and `secretKey` for the object storage.
+- Create a bucket called `mattermost-bucket`
+- Create `mattermost-object-store` service in `mattermost` namespace that points to the object store url.
+
 ## Deploy
 
 ### Use zarf to login to the needed registries i.e. registry1.dso.mil
@@ -45,8 +71,8 @@ metadata:
   architecture: amd64
 
 zarf-packages:
-  # Mattermost Operator
-  - name: mattermost-operator
-    repository: ghcr.io/defenseunicorns/uds-capability/mattermost-operator
+  # Mattermost Operator with a Mattermost instance
+  - name: mattermost
+    repository: ghcr.io/defenseunicorns/uds-capability/mattermost
     ref: 0.0.1
 ```

docs/DEVELOPMENT_MAINTENANCE.md

@@ -3,13 +3,14 @@
 ## How to upgrade this capability
 
 This package is pulling in the [bigbang mattermost operator chart](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator)
+and the [bigbang mattermost chart](https://repo1.dso.mil/big-bang/product/packages/mattermost)
 
-The [mattermost-operator-flux-values.yaml](../mattermost-operator-flux-values.yaml) file contains values used when creating the flux resources for this capability. This includes the version of the chart and the base values used for this capability.
+The [mattermost-operator-flux-values.yaml](../mattermost-operator-flux-values.yaml) and [mattermost-flux-values.yaml](../mattermost-flux-values.yaml) file contains values used when creating the flux resources for this capability. This includes the version of the chart and the base values used for this capability.
 
 To upgrade
 1) Point `application.ref.tag` to the updated version of the chart.
 1) Update any base values if necessary.
-1) Update the `mattermost-operator` component in the [zarf.yaml](../zarf.yaml) file to pull in the correct images needed for the updated version of the chart.
+1) Update the `mattermost-operator` and `mattermost` components in the [zarf.yaml](../zarf.yaml) file to pull in the correct images needed for the updated version of the chart.
 
 ## How to test this capability
 

mattermost-flux-values.yaml

@@ -0,0 +1,76 @@
+application:
+  name: mattermost
+  createNamespace: ###ZARF_VAR_MATTERMOST_CREATE_NAMESPACE###
+  namespace: mattermost
+  path: chart
+  repository: https://repo1.dso.mil/big-bang/product/packages/mattermost.git
+  ref:
+    # renovate: datasource=gitlab-tags depName=big-bang/product/packages/mattermost versioning=loose registryUrl=https://repo1.dso.mil
+    tag: 8.1.2-bb.0
+  dependsOn:
+    ###ZARF_VAR_MATTERMOST_DEPENDS_ON###
+  baseValues:
+    # hostname is deprecated and replaced with domain. But if hostname exists then use it.
+    hostname: ###ZARF_VAR_DOMAIN###
+    domain: ###ZARF_VAR_DOMAIN###
+
+    enterprise:
+      enabled: ###ZARF_VAR_MATTERMOST_ENTERPRISE_ENABLED###
+      license: ###ZARF_VAR_MATTERMOST_ENTERPRISE_LICENSE###
+
+    openshift: false
+
+    image:
+      imagePullPolicy: IfNotPresent
+
+    istio:
+      enabled: true
+      chat:
+        gateways:
+        - istio-system/tenant
+      injection: enabled
+    podAnnotations:
+      bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION###
+    updateJob:
+      disabled: true
+
+    monitoring:
+      enabled: true
+
+      serviceMonitor:
+        enabled: true
+        # conditional passes only for default istio: enabled, mTLS: STRICT
+        scheme: https
+        tlsConfig:
+          caFile: /etc/prom-certs/root-cert.pem
+          certFile: /etc/prom-certs/cert-chain.pem
+          keyFile: /etc/prom-certs/key.pem
+          insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+    sso:
+      enabled: false
+      client_id:
+      client_secret: no-secret
+      auth_endpoint: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth
+      token_endpoint: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/token
+      user_api_endpoint: https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/userinfo
+
+    networkPolicies:
+      enabled: true
+      controlPlaneCidr: 0.0.0.0/0
+      ingressLabels:
+        app: tenant-ingressgateway
+        istio: null
+
+    global:
+      imagePullSecrets:
+        - name: private-registry
+    database:
+      secret: "mattermost-postgres"
+    fileStore:
+      secret: "mattermost-object-store"
+      url: "mattermost-object-store.mattermost.svc.cluster.local"
+      bucket: "mattermost-bucket"
+
+    mattermostEnvs:
+      # required for Keycloak >= 20.X to work with gitlab auth pointed to Keycloak
+      MM_GITLABSETTINGS_SCOPE: openid

test/e2e/e2e_basic_smoke_test.go

@@ -34,5 +34,21 @@ func TestAllServicesRunning(t *testing.T) { //nolint:funlen
 		// Wait for the mattermost-operator Deployment to report that it is ready
 		output, err = platform.RunSSHCommandAsSudo(`kubectl rollout status deployment/mattermost-operator -n mattermost-operator --watch --timeout=1200s`)
 		require.NoError(t, err, output)
+
+		// Wait for the mattermost Deployment to exist.
+		output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! kubectl get deployment mattermost -n mattermost; do sleep 5; done"`)
+		require.NoError(t, err, output)
+
+		// Setup DNS records for cluster services
+		output, err = platform.RunSSHCommandAsSudo(`cd ~/app && utils/metallb/dns.sh && utils/metallb/hosts-write.sh`)
+		require.NoError(t, err, output)
+
+		// Ensure that Mattermost does not accept TLSv1.1
+		output, err = platform.RunSSHCommandAsSudo(`sslscan chat.bigbang.dev | grep "TLSv1.1" | grep "disabled"`)
+		require.NoError(t, err, output)
+
+		// Ensure that Mattermost is available outside of the cluster.
+		output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! curl -L -s --fail --show-error https://chat.bigbang.dev/login > /dev/null; do sleep 5; done"`)
+		require.NoError(t, err, output)
 	})
 }

utils/pkg-deps/mattermost/minio/policy-exceptions/externalName.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-object-storage-external-names-exception
+  namespace: mattermost
+spec:
+  exceptions:
+  - policyName: restrict-external-names
+    ruleNames:
+    - external-names
+  match:
+    any:
+    - resources:
+        kinds:
+        - Service
+        namespaces:
+        - mattermost
+        names:
+        - mattermost-object-store

utils/pkg-deps/mattermost/minio/policy-exceptions/registry.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-minio-registry-exception
+  namespace: mattermost-minio
+spec:
+  exceptions:
+  - policyName: restrict-image-registries
+    ruleNames:
+    - validate-registries
+    - autogen-validate-registries
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        namespaces:
+        - mattermost-minio
+        names:
+        - minio
+    - resources:
+        kinds:
+        - Job
+        namespaces:
+        - mattermost-minio
+        names:
+        - minio-post-job

utils/pkg-deps/mattermost/minio/secret.yaml

@@ -0,0 +1,10 @@
+# Source: bigbang/templates/mattermost/secret-objectstore.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-object-store
+  namespace: mattermost
+type: kubernetes.io/opaque
+stringData:
+  accesskey: ###ZARF_VAR_ACCESS_KEY###
+  secretkey: ###ZARF_VAR_SECRET_KEY###

utils/pkg-deps/mattermost/minio/service.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mattermost-object-store
+  namespace: mattermost
+spec:
+  type: ExternalName
+  externalName: minio.mattermost-minio.svc.cluster.local

utils/pkg-deps/mattermost/minio/values.yaml

@@ -0,0 +1,15 @@
+replicas: 1
+mode: standalone
+
+# Some reasonable requests instead of the bonkers defaults
+resources:
+  requests:
+    memory: 128Mi
+    cpu: 100m
+
+buckets:
+  - name: mattermost-bucket
+
+postJob:
+  podAnnotations:
+    sidecar.istio.io/inject: "false"

utils/pkg-deps/mattermost/minio/zarf.yaml

@@ -0,0 +1,54 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: mattermost-minio
+  version: "0.0.1"
+  architecture: amd64
+
+components:
+  - name: minio-kyverno-exceptions
+    required: true
+    manifests:
+      - name: kyverno-exceptions
+        files:
+          - policy-exceptions/registry.yaml
+          - policy-exceptions/externalName.yaml
+  - name: minio
+    required: true
+    charts:
+      - name: minio
+        version: 5.0.13
+        namespace: mattermost-minio
+        url: https://charts.min.io/
+        valuesFiles:
+          - "values.yaml"
+    images:
+      - quay.io/minio/mc:RELEASE.2023-06-28T21-54-17Z
+      - quay.io/minio/minio:RELEASE.2023-07-07T07-13-57Z
+  - name: minio-secret
+    required: true
+    actions:
+      onDeploy:
+        before:
+          - cmd: kubectl get secret -n mattermost-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
+            mute: true
+            setVariables:
+              - name: SECRET_KEY
+                sensitive: true
+          - cmd: kubectl get secret -n mattermost-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
+            mute: true
+            setVariables:
+              - name: ACCESS_KEY
+                sensitive: true
+  - name: mattermost-secret
+    required: true
+    manifests:
+      - name: mattermost-secret
+        files:
+          - "secret.yaml"
+  - name: mattermost-service
+    required: true
+    manifests:
+      - name: mattermost-service
+        files:
+          - "service.yaml"