feat: add object store secret generation

.gitignore

@@ -18,7 +18,7 @@ zarf-sbom
 tmp/
 values-*.yaml
 overlay-values-*
-
+upgrade-test/
 # Tests
 node_modules/
 tests/node_modules/*

bundle/uds-bundle.yaml

@@ -10,13 +10,39 @@ metadata:
   # x-release-please-end
 
 packages:
-  - name: dev-minio
-    repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
-    ref: 0.0.2
-
-  - name: dev-namespace
-    path: ../
-    ref: 0.1.0
+  - name: minio-operator
+    repository: ghcr.io/defenseunicorns/packages/uds/minio-operator
+    # x-release-please-start-version
+    ref: 6.0.4-uds.0-upstream
+    # x-release-please-end
+    overrides:
+      minio-operator:
+        uds-minio-config:
+          values:
+            # Test helm overrides to provision app specific buckets, policies and creds
+            - path: apps
+              value:
+                - name: gitlab
+                  namespace: gitlab
+                  bucketNames:
+                    - uds-gitlab-artifacts
+                    - uds-gitlab-backups
+                    - uds-gitlab-ci-secure-files
+                    - uds-gitlab-dependency-proxy
+                    - uds-gitlab-lfs
+                    - uds-gitlab-mr-diffs
+                    - uds-gitlab-packages
+                    - uds-gitlab-pages
+                    - uds-gitlab-terraform-state
+                    - uds-gitlab-uploads
+                    - uds-gitlab-registry
+                    - uds-gitlab-tmp
+                  policy: ""
+                  copyPassword:
+                    enabled: true
+                    secretName: "gitlab-minio"
+                    secretIDKey: "access_key"
+                    secretPasswordKey: "secret_key"
 
   - name: postgres-operator
     repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
@@ -62,9 +88,9 @@ packages:
                 secretName: gitlab-redis
                 secretKey: password
 
-  - name: dev-secrets
-    path: ../
-    ref: 0.1.0
+  # - name: dev-secrets
+  #   path: ../
+  #   ref: 0.1.0
 
   - name: gitlab
     path: ../

charts/config/templates/gitlab-object-store-secret.yaml

@@ -0,0 +1,75 @@
+{{- if .Values.storage.createSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-object-store
+  namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+  {{- $awsAccessKey := "" }}
+  {{- $awsSecretKey := "" }}
+
+  {{- if eq .Values.storage.createSecret.provider "minio" }}
+
+  # Attempt to lookup the secret and its keys using the specified secretNamespace
+  {{- $secret := lookup "v1" "Secret" .Values.storage.createSecret.secretRef.secretNamespace .Values.storage.createSecret.secretRef.secretName }}
+  {{- if and $secret (index $secret.data .Values.storage.createSecret.secretRef.secretIDKey) }}
+    {{- $awsAccessKey = (index $secret.data .Values.storage.createSecret.secretRef.secretIDKey | b64dec) }}
+  {{- else }}
+    {{- $awsAccessKey = .Values.storage.createSecret.accessKey | quote }}
+  {{- end }}
+
+  {{- if and $secret (index $secret.data .Values.storage.createSecret.secretRef.secretPasswordKey) }}
+    {{- $awsSecretKey = (index $secret.data .Values.storage.createSecret.secretRef.secretPasswordKey | b64dec) }}
+  {{- else }}
+    {{- $awsSecretKey = .Values.storage.createSecret.secretKey | quote }}
+  {{- end }}
+
+  connection: |-
+    provider: AWS
+    region: {{ .Values.storage.createSecret.region | quote }}
+    aws_access_key_id: {{ $awsAccessKey }}
+    aws_secret_access_key: {{ $awsSecretKey }}
+    endpoint: {{ .Values.storage.endpoint | quote }}
+    aws_signature_version: 4
+    path_style: true
+  registry: |-
+    s3:
+      bucket: {{ .Values.storage.createSecret.bucketPrefix }}gitlab-registry{{ .Values.storage.createSecret.bucketSuffix }}
+      aws_access_key_id: {{ $awsAccessKey }}
+      aws_secret_access_key: {{ $awsSecretKey }}
+      regionendpoint: {{ .Values.storage.endpoint | quote }}
+      region: {{ .Values.storage.createSecret.region | quote }}
+      aws_signature_version: 4
+      path_style: true
+  backups: |-
+    [default]
+    aws_access_key_id = {{ $awsAccessKey }}
+    aws_secret_access_key = {{ $awsSecretKey }}
+    host_base = {{ .Values.storage.endpoint | quote }}
+    host_bucket = {{ .Values.storage.endpoint | quote }}
+    bucket_location = {{ .Values.storage.createSecret.region | quote }}
+    multipart_chunk_size_mb = 128
+    use_https = False
+
+  {{- else if eq .Values.storage.createSecret.provider "aws" }}
+  ### AWS
+  connection: |-
+    provider: AWS
+    region: {{ .Values.storage.createSecret.region | quote }}
+    use_iam_profile: true
+    aws_signature_version: 4
+    path_style: false
+  registry: |-
+    s3:
+      bucket: {{ .Values.storage.createSecret.bucketPrefix }}gitlab-registry{{ .Values.storage.createSecret.bucketSuffix }}
+      region: {{ .Values.storage.createSecret.region | quote }}
+  backups: |-
+    [default]
+    host_base = "s3.{{ .Values.storage.createSecret.region }}.amazonaws.com"
+    host_bucket = "s3.{{ .Values.storage.createSecret.region }}.amazonaws.com"
+    bucket_location = AWS
+    multipart_chunk_size_mb = 128
+    use_https = False
+  {{- end }}
+{{- end }}

charts/config/values.yaml

@@ -18,12 +18,28 @@ sso:
   requiredGroups: []
   adminGroups: ["/GitLab Admin", "/UDS Core/Admin"]
 storage:
-  # Set to false to use external storage
-  internal: true
+  internal: true  # Set to false to use external storage
   selector:
     app: minio
-  namespace: dev-minio
+  namespace: minio
   port: 9000
+  endpoint: "http://uds-minio-hl.minio.svc.cluster.local:9000"
+  createSecret:
+    enabled: true
+    useIAMProfile: false
+    accessKey: ""
+    secretKey: ""
+    bucketPrefix: "###ZARF_VAR_BUCKET_PREFIX###"
+    bucketSuffix: "###ZARF_VAR_BUCKET_SUFFIX###"
+    region: "###ZARF_VAR_REGION###"
+    provider: "minio"  # aws or minio; if aws, assumed IRSA is used, and annotations are passed to necessary service accounts
+    secretRef:
+      enabled: true  # Set to true to use secret reference
+      secretNamespace: "gitlab"
+      secretName: "gitlab-minio"
+      secretIDKey: "access_key"
+      secretPasswordKey: "secret_key"
+
 redis:
   password: ""
 

common/zarf.yaml

@@ -28,6 +28,10 @@ components:
         localPath: ../charts/settings
     actions:
       onDeploy:
+        before:
+          - cmd: ./zarf tools kubectl annotate secret -n gitlab gitlab-object-store meta.helm.sh/release-namespace=gitlab --overwrite || true
+          - cmd: ./zarf tools kubectl label secret -n gitlab gitlab-object-store app.kubernetes.io/managed-by=Helm --overwrite || true
+          - cmd: ./zarf tools kubectl annotate secret -n gitlab gitlab-object-store meta.helm.sh/release-name=uds-gitlab-config --overwrite || true
         after:
           - description: Validate GitLab Package
             maxTotalSeconds: 300

src/dev-secrets/minio-secret.yaml

@@ -34,4 +34,4 @@
     host_bucket = http://minio.dev-minio.svc.cluster.local:9000
     bucket_location = minio
     multipart_chunk_size_mb = 128
-    use_https = False
+    use_https = False

src/dev-secrets/zarf.yaml

@@ -29,4 +29,4 @@
     manifests:
       - name: gitlab-minio
         files:
-          - "minio-secret.yaml"
+          - "minio-secret.yaml"

src/namespace/gitlab-ns.yaml

@@ -4,4 +4,4 @@
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: gitlab
+  name: gitlab

src/namespace/zarf.yaml

@@ -13,4 +13,4 @@
     manifests:
       - name: dev-namespace
         files:
-          - gitlab-ns.yaml
+          - gitlab-ns.yaml

tasks.yaml

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 includes:
+  # TODO Delete dependencies.yaml after next releaser
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
   - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.2.2/tasks/create.yaml
@@ -33,7 +34,6 @@ tasks:
   - name: create-deploy-test-bundle
     description: Test and validate cluster is deployed with GitLab
     actions:
-      - task: dependencies:create
       - task: create:test-bundle
       - task: deploy:test-bundle
       - task: setup:create-doug-user
@@ -59,6 +59,7 @@ tasks:
   - name: test-upgrade
     description: Test an upgrade from the latest released package to the current branch
     actions:
+      # TODO Delete dependencies.yaml after next releaser
       - task: upgrade:create-latest-tag-bundle
         with:
           dep_commands: ./uds run dependencies:create

zarf.yaml

@@ -29,6 +29,8 @@ variables:
     default: "postgresql"
   - name: GITLAB_PAGES_ENABLED
     default: "false"
+  - name: REGION
+    default: "minio"
   - name: GITLAB_SIGNUP_ENABLED
     default: "true"
   - name: DISABLE_REGISTRY_REDIRECT