feat!: add monitoring and granular netpols (#67)

- templates out netpols in UDS package CR to allow for internal/external db and object store as well as "custom" rules. - Adds service monitor and associated netpol via package CR to feed metrics into prometheus - switches dev bundle over to postgres operator Release-As: v9.7.2-uds.1
defenseunicorns · May 7, 2024 · 915eb2d · 915eb2d
1 parent 6010a04
commit 915eb2d
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 31 deletions.
diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
@@ -7,21 +7,31 @@ metadata:
   # x-release-please-end
 
 packages:
+  - name: dev-namespace
+    path: ../
+    ref: 0.1.0
+
   - name: dev-minio
     repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
     ref: 0.0.2
 
-  - name: dev-postgres
-    repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres
-    ref: 0.0.2
+  - name: postgres-operator
+    repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
+    ref: 1.11.0-uds.0-upstream
+    overrides:
+      postgres-operator:
+        uds-postgres-config:
+          variables:
+            - name: POSTGRESQL
+              description: "Configure postgres using CRs via the uds-postgres-config chart"
+              path: postgresql
 
   - name: dev-secrets
     path: ../
     ref: 0.1.0
     exports:
       - name: ACCESS_KEY
       - name: SECRET_KEY
-      - name: DB_PASSWORD
 
   - name: mattermost
     path: ../
@@ -33,8 +43,6 @@ packages:
         package: dev-secrets
       - name: SECRET_KEY
         package: dev-secrets
-      - name: DB_PASSWORD
-        package: dev-secrets
     overrides:
       mattermost:
         uds-mattermost-config:
@@ -45,7 +53,3 @@ packages:
               value: "minio.dev-minio.svc.cluster.local:9000"
             - path: "objectStorage.bucket"
               value: "uds-mattermost-dev"
-            - path: "postgres.host"
-              value: "postgresql.dev-postgres.svc.cluster.local"
-            - path: "postgres.connectionOptions"
-              value: "?connect_timeout=10&sslmode=disable"
diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml
@@ -2,6 +2,17 @@ variables:
   dev-minio:
     buckets: |
       - name: uds-mattermost-dev
-  dev-postgres:
-    db_username: "mattermost"
-    db_name: "mattermost"
+  postgres-operator:
+    postgresql:
+      enabled: true  # Set to false to not create the PostgreSQL resource
+      teamId: "uds"
+      volume:
+        size: "10Gi"
+      numberOfInstances: 2
+      users:
+        mattermost.mattermost: []  # database owner
+      databases:
+        mattermost: mattermost.mattermost
+      version: "13"
+      ingress:
+        remoteGenerated: Anywhere
diff --git a/chart/templates/mattermost-postgres.yaml b/chart/templates/mattermost-postgres.yaml
@@ -5,4 +5,14 @@ metadata:
   namespace: {{ .Release.Namespace }}
 type: Opaque
 stringData:
-  MM_SQLSETTINGS_DATASOURCE: "postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}"
+  MM_SQLSETTINGS_DATASOURCE: |-
+    {{- if and .Values.postgres.existingSecret.name (eq .Values.postgres.password "") }}
+    {{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgres.existingSecret.name) }}
+    {{- if $secret }}
+    {{- $password := index $secret.data .Values.postgres.existingSecret.passwordKey | b64dec }}
+    {{- $username := index $secret.data .Values.postgres.existingSecret.usernameKey | b64dec }}
+    postgres://{{ $username }}:{{ $password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}
+    {{- else }}
+    postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}
+    {{- end }}
+    {{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -28,10 +28,17 @@ spec:
         MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}"
         MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}"
   {{- end }}
+  monitor:
+    - selector:
+        app.kubernetes.io/name: mattermost-enterprise-edition
+      targetPort: 8067
+      portName: mattermost-app-metrics
+      description: Metrics
+
   network:
     expose:
       - service: mattermost-enterprise-edition
-        podLabels:
+        selector:
           app.kubernetes.io/name: mattermost-enterprise-edition
         gateway: tenant
         host: {{ .Values.subdomain }}
@@ -44,8 +51,44 @@ spec:
       - direction: Egress
         remoteGenerated: IntraNamespace
 
-      # Todo: wide open for hitting in-cluster or external postgres/s3
       - direction: Egress
-        podLabels:
+        selector:
+          app.kubernetes.io/name: mattermost-enterprise-edition
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Mattermost Storage"
+
+      - direction: Egress
+        selector:
           app.kubernetes.io/name: mattermost-enterprise-edition
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
+        description: "Mattermost Postgres"
+
+      # Custom rules for unanticipated scenarios
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -9,13 +9,23 @@ objectStorage:
   region: "us-west-1"
 
 postgres:
-  username: "mattermost"
+  username: "mattermost.mattermost"
+  # Note: Specifying password as anything other than "" will not use the existingSecret
   password: ""
-  host: ""
-  port: 5432
+  existingSecret:
+    name: "mattermost.mattermost.pg-cluster.credentials.postgresql.acid.zalan.do"
+    passwordKey: password
+    usernameKey: username
+  host: "pg-cluster.postgres.svc.cluster.local"
   dbName: "mattermost"
   # Example: "?connect_timeout=10&sslmode=disable"
   connectionOptions: ""
+  # Set to false to use external postgres
+  internal: true
+  selector:
+    cluster-name: pg-cluster
+  namespace: postgres
+  port: 5432
 
 sso:
   enabled: true
@@ -35,3 +45,28 @@ config:
 
 # Additional environment variables for Mattermost
 extraEnv: {}
+
+storage:
+  # Set to false to use external storage
+  internal: true
+  selector:
+    app: minio
+  namespace: dev-minio
+  port: 9000
+
+# custom:
+#    # Notice no `remoteGenerated` field here on custom internal rule
+#   - direction: Ingress
+#     selector:
+#       app: jenkins
+#     remoteNamespace: jenkins
+#     remoteSelector:
+#       app: jenkins
+#     port: 8180
+#     description: "Ingress from Jenkins"
+#   # No `remoteNamespace`, `remoteSelector`, or `port` fields on rule to `remoteGenerated`
+#   - direction: Egress
+#     selector:
+#       app: webservice
+#     remoteGenerated: Anywhere
+#     description: "Egress from Mattermost"
diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml
@@ -3,7 +3,6 @@ kind: ZarfPackageConfig
 metadata:
   name: dev-secrets
   version: "0.1.0"
-  architecture: amd64
 
 components:
   - name: minio-password
@@ -21,13 +20,3 @@ components:
             setVariables:
               - name: SECRET_KEY
                 sensitive: true
-  - name: postgres-password
-    required: true
-    actions:
-      onDeploy:
-        before:
-          - cmd: kubectl get secret -n dev-postgres postgresql --template={{.data.password}} | base64 -d
-            mute: true
-            setVariables:
-              - name: DB_PASSWORD
-                sensitive: true
diff --git a/src/namespace/ns.yaml b/src/namespace/ns.yaml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: mattermost
diff --git a/src/namespace/zarf.yaml b/src/namespace/zarf.yaml
@@ -0,0 +1,13 @@
+kind: ZarfPackageConfig
+metadata:
+  name: dev-namespace
+  description: "create namespaces for cross-ns secret functionality of pg operator"
+  version: 0.1.0
+
+components:
+  - name: deploy-namespace-for-cross-ns-secret
+    required: true
+    manifests:
+      - name: dev-namespace
+        files:
+          - ns.yaml
diff --git a/tasks/dependencies.yaml b/tasks/dependencies.yaml
@@ -3,3 +3,4 @@ tasks:
     description: Create the Dependency Zarf Package
     actions:
       - cmd: uds zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH}
+      - cmd: uds zarf package create src/namespace/ --confirm --no-progress --architecture=${UDS_ARCH}