From 1bdd96358710df0bd6c93dc4717fe963c8a9ced8 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 30 Jan 2024 15:11:45 -0700 Subject: [PATCH 1/6] wip: burning boats --- bundle/uds-bundle.yaml | 4 +- bundle/uds-config.yaml | 3 - chart/templates/mattermost-gossip-svc.yaml | 18 ++++ chart/templates/mattermost-sso.yaml | 17 ++++ chart/templates/uds-package.yaml | 13 ++- chart/values.yaml | 10 ++ src/dev-secrets/minio-secret.yaml | 7 +- src/dev-secrets/postgres-secret.yaml | 1 - tasks.yaml | 6 ++ tasks/create.yaml | 6 +- tasks/setup.yaml | 2 +- values/config-values.yaml | 10 ++ values/mattermost-ce.yaml | 0 values/mattermost-operator-upstream.yaml | 0 values/mattermost-operator-values.yaml | 7 -- values/mattermost-upstream.yaml | 0 values/mattermost-values.yaml | 62 ------------ values/registry1-values.yaml | 7 ++ values/upstream-values.yaml | 4 + values/values.yaml | 107 +++++++++++++++++++++ zarf.yaml | 82 ++++++---------- 21 files changed, 232 insertions(+), 134 deletions(-) create mode 100644 chart/templates/mattermost-gossip-svc.yaml create mode 100644 chart/templates/mattermost-sso.yaml create mode 100644 values/config-values.yaml delete mode 100644 values/mattermost-ce.yaml delete mode 100644 values/mattermost-operator-upstream.yaml delete mode 100644 values/mattermost-operator-values.yaml delete mode 100644 values/mattermost-upstream.yaml delete mode 100644 values/mattermost-values.yaml create mode 100644 values/registry1-values.yaml create mode 100644 values/upstream-values.yaml create mode 100644 values/values.yaml diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 394d222f..868ba736 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -9,11 +9,11 @@ metadata: packages: - name: dev-minio repository: ghcr.io/defenseunicorns/packages/uds/dev-minio - ref: 5.0.13-0 + ref: 0.0.1 - name: dev-postgres repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres - ref: 12.6.6-0 + ref: 0.0.1 - name: dev-secrets path: ../ 
diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 9ce97759..85db958c 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -5,6 +5,3 @@ variables: dev-postgres: db_username: "mattermost" db_name: "mattermostdb" - mattermost: - mattermost_file_store_endpoint: minio.dev-minio.svc.cluster.local - mattermost_bucket_suffix: "-dev" diff --git a/chart/templates/mattermost-gossip-svc.yaml b/chart/templates/mattermost-gossip-svc.yaml new file mode 100644 index 00000000..5d190824 --- /dev/null +++ b/chart/templates/mattermost-gossip-svc.yaml @@ -0,0 +1,18 @@ +{{- /* Mattermost uses a gossip protocol for HA clustering. In order for Istio to properly route this traffic it needs to be explicitly defined in a service with a `tcp-` prefix. */ -}} +apiVersion: v1 +kind: Service +metadata: + name: mattermost-gossip + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: mattermost-enterprise-edition +spec: + type: ClusterIP + clusterIP: None + selector: + app.kubernetes.io/name: mattermost-enterprise-edition + ports: + - name: tcp-gossip + port: 8074 + protocol: TCP + targetPort: 8074 diff --git a/chart/templates/mattermost-sso.yaml b/chart/templates/mattermost-sso.yaml new file mode 100644 index 00000000..52fe0d60 --- /dev/null +++ b/chart/templates/mattermost-sso.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mattermost-sso + namespace: {{ .Release.Namespace }} + labels: +type: Opaque +stringData: + MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled }}" + MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}" + MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}" + MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}" + MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}" + MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}" + MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email }}" + MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email }}" + MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username }}" diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index d5f7419d..434c2f53 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -6,15 +6,22 @@ metadata: spec: network: expose: - - service: mattermost + - service: mattermost-enterprise-edition podLabels: - app: mattermost + app.kubernetes.io/name: mattermost-enterprise-edition gateway: tenant host: mattermost port: 8065 allow: + # Permit intra-namespace communication for job communications + - direction: Ingress + remoteGenerated: IntraNamespace + + - direction: Egress + remoteGenerated: IntraNamespace + # Todo: wide open for hitting in-cluster or external postgres/s3 - direction: Egress podLabels: - app: mattermost + app.kubernetes.io/name: mattermost-enterprise-edition remoteGenerated: Anywhere diff --git a/chart/values.yaml b/chart/values.yaml index e69de29b..87f26075 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
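Review bot: The comment `# Permit intra-namespace communication for job communications` above the new IntraNamespace rules in chart/templates/uds-package.yaml names the job server as the reason, but values/values.yaml in this same commit sets `jobserver.enabled: false`, so the only intra-namespace traffic this series actually introduces is the gossip Service on port 8074 added in chart/templates/mattermost-gossip-svc.yaml. A reader trimming rules later would see no job server and drop them; `# Permit intra-namespace traffic: HA gossip (tcp-gossip/8074) and, when enabled, the job server` states the real consumer. The pre-existing Egress rule below is already marked as a TODO and is not changed here, so it is not re-raised.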
@@ -0,0 +1,10 @@ +sso: + enabled: false + client_id: "" + client_secret: "" + auth_endpoint: "" + token_endpoint: "" + user_api_endpoint: "" + enable_sign_up_with_email: "" + enable_sign_in_with_email: "" + enable_sign_in_with_username: "" diff --git a/src/dev-secrets/minio-secret.yaml b/src/dev-secrets/minio-secret.yaml index 2a766064..ff4f1153 100644 --- a/src/dev-secrets/minio-secret.yaml +++ b/src/dev-secrets/minio-secret.yaml @@ -6,5 +6,8 @@ metadata: namespace: mattermost type: kubernetes.io/opaque stringData: - accesskey: ###ZARF_VAR_ACCESS_KEY### - secretkey: ###ZARF_VAR_SECRET_KEY### + MM_FILESETTINGS_AMAZONS3SSL: "false" + MM_FILESETTINGS_AMAZONS3ACCESSKEYID: ###ZARF_VAR_ACCESS_KEY### + MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: ###ZARF_VAR_SECRET_KEY### + MM_FILESETTINGS_AMAZONS3BUCKET: "uds-mattermost-dev" + MM_FILESETTINGS_AMAZONS3ENDPOINT: "minio.dev-minio.svc.cluster.local:9000" diff --git a/src/dev-secrets/postgres-secret.yaml b/src/dev-secrets/postgres-secret.yaml index 137f7557..17695171 100644 --- a/src/dev-secrets/postgres-secret.yaml +++ b/src/dev-secrets/postgres-secret.yaml @@ -5,5 +5,4 @@ metadata: namespace: mattermost type: kubernetes.io/opaque stringData: - DB_CONNECTION_CHECK_URL: "postgres://mattermost:###ZARF_VAR_POSTGRES_DB_PASSWORD###@postgresql.dev-postgres.svc.cluster.local:5432/mattermostdb?connect_timeout=10&sslmode=disable" DB_CONNECTION_STRING: "postgres://mattermost:###ZARF_VAR_POSTGRES_DB_PASSWORD###@postgresql.dev-postgres.svc.cluster.local:5432/mattermostdb?connect_timeout=10&sslmode=disable" diff --git a/tasks.yaml b/tasks.yaml index 38b9f09d..09104a07 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -6,6 +6,12 @@ includes: - test: ./tasks/test.yaml tasks: + - name: default + actions: + - task: setup-cluster + - task: create-test-bundle + - task: deploy-test-bundle + - name: setup-cluster actions: - task: setup:k3d-test-cluster diff --git a/tasks/create.yaml b/tasks/create.yaml index fdbbb4c6..08c19263 100644 
--- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,3 +1,7 @@ +variables: + - name: FLAVOR + default: "registry1" + tasks: - name: mattermost-test-bundle description: Create the UDS bundle with Mattermost and its dependencies @@ -9,7 +13,7 @@ tasks: - name: mattermost-package description: Create the UDS Mattermost Zarf Package actions: - - cmd: zarf package create --confirm --no-progress --architecture=${ZARF_ARCHITECTURE} --flavor registry1 + - cmd: zarf package create --confirm --no-progress --architecture=${ZARF_ARCHITECTURE} --flavor ${FLAVOR} - name: dependency-package description: Create the Minio, PostgreSQL, and Redis Dependency Zarf Packages diff --git a/tasks/setup.yaml b/tasks/setup.yaml index 2a029045..725bc11c 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -2,4 +2,4 @@ tasks: - name: k3d-test-cluster actions: - description: Create k3d cluster with UDS Core - cmd: uds deploy oci://defenseunicorns/uds/bundles/k3d-core-istio:0.7.0-${UDS_ARCH} --confirm --no-progress + cmd: uds deploy oci://defenseunicorns/uds/bundles/k3d-core-istio-dev:0.10.0-${UDS_ARCH} --confirm --no-progress diff --git a/values/config-values.yaml b/values/config-values.yaml new file mode 100644 index 00000000..a21bc4f2 --- /dev/null +++ b/values/config-values.yaml @@ -0,0 +1,10 @@ +sso: + enabled: ###ZARF_VAR_MATTERMOST_SSO_ENABLED### + client_id: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_ID### + client_secret: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_SECRET### + auth_endpoint: ###ZARF_VAR_MATTERMOST_SSO_AUTH_ENDPOINT### + token_endpoint: ###ZARF_VAR_MATTERMOST_SSO_TOKEN_ENDPOINT### + user_api_endpoint: ###ZARF_VAR_MATTERMOST_SSO_USER_API_ENDPOINT### + enable_sign_up_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED### + enable_sign_in_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED### + enable_sign_in_with_username: ###ZARF_VAR_MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED### 
diff --git a/values/mattermost-ce.yaml b/values/mattermost-ce.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/values/mattermost-operator-upstream.yaml b/values/mattermost-operator-upstream.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/values/mattermost-operator-values.yaml b/values/mattermost-operator-values.yaml deleted file mode 100644 index 67222be4..00000000 --- a/values/mattermost-operator-values.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# imagePullSecrets: -# - name: private-registry - -image: - imagePullPolicy: IfNotPresent - -openshift: false \ No newline at end of file diff --git a/values/mattermost-upstream.yaml b/values/mattermost-upstream.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/values/mattermost-values.yaml b/values/mattermost-values.yaml deleted file mode 100644 index 4f10a4dd..00000000 --- a/values/mattermost-values.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -# hostname is deprecated and replaced with domain. But if hostname exists then use it. -hostname: ###ZARF_VAR_DOMAIN### -domain: ###ZARF_VAR_DOMAIN### - -ingress: - host: mattermost.###ZARF_VAR_DOMAIN### - -enterprise: - enabled: ###ZARF_VAR_MATTERMOST_ENTERPRISE_ENABLED### - license: | - ###ZARF_VAR_MATTERMOST_ENTERPRISE_LICENSE### - -openshift: false - -image: - imagePullPolicy: IfNotPresent - -updateJob: - disabled: true - -# monitoring: -# enabled: true - -# serviceMonitor: -# enabled: true -# # conditional passes only for default istio: enabled, mTLS: STRICT -# scheme: https -# tlsConfig: -# caFile: /etc/prom-certs/root-cert.pem -# certFile: /etc/prom-certs/cert-chain.pem -# keyFile: /etc/prom-certs/key.pem -# insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate - -sso: - enabled: ###ZARF_VAR_MATTERMOST_SSO_ENABLED### - client_id: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_ID### - client_secret: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_SECRET### - auth_endpoint: ###ZARF_VAR_MATTERMOST_SSO_AUTH_ENDPOINT### - token_endpoint: ###ZARF_VAR_MATTERMOST_SSO_TOKEN_ENDPOINT### - user_api_endpoint: ###ZARF_VAR_MATTERMOST_SSO_USER_API_ENDPOINT### - enable_sign_up_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED### - enable_sign_in_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED### - enable_sign_in_with_username: ###ZARF_VAR_MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED### - -# global: - # imagePullSecrets: - # - name: private-registry -database: - secret: "mattermost-postgres" -fileStore: - secret: "mattermost-object-store" - url: "###ZARF_VAR_MATTERMOST_FILE_STORE_ENDPOINT###" - bucket: "uds-mattermost###ZARF_VAR_MATTERMOST_BUCKET_SUFFIX###" - -# mattermostEnvs: -# # required for Keycloak >= 20.X to work with mattermost auth pointed to Keycloak -# MM_MATTERMOSTSETTINGS_SCOPE: openid - -volumes: - ###ZARF_VAR_MATTERMOST_VOLUMES### -volumeMounts: - ###ZARF_VAR_MATTERMOST_VOLUME_MOUNTS### 
diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml
new file mode 100644
index 00000000..f0dc2467
--- /dev/null
+++ b/values/registry1-values.yaml
@@ -0,0 +1,7 @@
+mattermostApp:
+ image:
+ repository: registry1.dso.mil/ironbank/opensource/mattermost/mattermost
+ tag: 9.4.1
+initContainerImage:
+ repository: registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal
+ tag: 9.3
diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
new file mode 100644
index 00000000..3b908e23
--- /dev/null
+++ b/values/upstream-values.yaml
@@ -0,0 +1,4 @@
+mattermostApp:
+ image:
+ repository: mattermost/mattermost-enterprise-edition
+ tag: 9.4.1
diff --git a/values/values.yaml b/values/values.yaml
new file mode 100644
index 00000000..852d640e
--- /dev/null
+++ b/values/values.yaml
@@ -0,0 +1,107 @@ +minio: + enabled: false +mysqlha: + enabled: false +mattermostApp: + # Default replicacount due to HA requiring a license + replicaCount: 1 + # Mattermost does not provide helm values to configure all the options so it is done via ENV + extraEnv: + # SSO Settings + - name: MM_GITLABSETTINGS_ENABLE + valueFrom: + secretKeyRef: + key: MM_GITLABSETTINGS_ENABLE + name: "mattermost-sso" + - name: MM_GITLABSETTINGS_ID + valueFrom: + secretKeyRef: + key: MM_GITLABSETTINGS_ID + name: "mattermost-sso" + - name: MM_GITLABSETTINGS_SECRET + valueFrom: + secretKeyRef: + key: MM_GITLABSETTINGS_SECRET + name: "mattermost-sso" + - name: MM_GITLABSETTINGS_AUTHENDPOINT + valueFrom: + secretKeyRef: + key: MM_GITLABSETTINGS_AUTHENDPOINT + name: "mattermost-sso" + - name: MM_GITLABSETTINGS_TOKENENDPOINT + valueFrom: + secretKeyRef: + key: MM_GITLABSETTINGS_TOKENENDPOINT + name: "mattermost-sso" + - name: MM_GITLABSETTINGS_USERAPIENDPOINT + valueFrom: + secretKeyRef: + key: MM_GITLABSETTINGS_USERAPIENDPOINT + name: "mattermost-sso" + - name: MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL + valueFrom: + secretKeyRef: + key: MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL + name: "mattermost-sso" + - name: MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL + valueFrom: + secretKeyRef: + key: MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL + name: "mattermost-sso" + - name: MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME + valueFrom: + secretKeyRef: + key: MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME + name: "mattermost-sso" + # Object Storage Connection + - name: MM_FILESETTINGS_DRIVERNAME + value: "amazons3" + - name: MM_FILESETTINGS_AMAZONS3SSL + valueFrom: + secretKeyRef: + key: MM_FILESETTINGS_AMAZONS3SSL + name: "mattermost-object-store" + - name: MM_FILESETTINGS_AMAZONS3ACCESSKEYID + valueFrom: + secretKeyRef: + key: MM_FILESETTINGS_AMAZONS3ACCESSKEYID + name: "mattermost-object-store" + - name: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY + valueFrom: + secretKeyRef: + key: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY 
+ name: "mattermost-object-store" + - name: MM_FILESETTINGS_AMAZONS3BUCKET + valueFrom: + secretKeyRef: + key: MM_FILESETTINGS_AMAZONS3BUCKET + name: "mattermost-object-store" + - name: MM_FILESETTINGS_AMAZONS3ENDPOINT + valueFrom: + secretKeyRef: + key: MM_FILESETTINGS_AMAZONS3ENDPOINT + name: "mattermost-object-store" + securityContext: + runAsUser: 2000 + runAsGroup: 2000 + +serviceAccount: + create: true + name: mattermost + annotations: {} # Add IRSA annotation here if necessary in environment + +global: + siteUrl: "https://mattermost.###ZARF_VAR_DOMAIN###" + mattermostLicense: "###ZARF_VAR_MATTERMOST_ENTERPRISE_LICENSE###" + + features: + database: + useInternal: false + existingDatabaseSecret: + name: mattermost-postgres + key: DB_CONNECTION_STRING + # The job server is only necessary on multi-node/enterprise clusters + # https://docs.mattermost.com/scale/high-availability-cluster.html#job-server + # It also will error due to its init container being blocked by Istio mTLS + jobserver: + enabled: false diff --git a/zarf.yaml b/zarf.yaml index c819dea0..bdd54b4d 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -2,15 +2,13 @@ kind: ZarfPackageConfig metadata: name: mattermost - description: "UDS mattermost package deployed via flux" + description: "UDS Mattermost Package" # x-release-please-start-version version: "9.3.0-uds.1" # x-release-please-end architecture: amd64 variables: - - name: MATTERMOST_ENTERPRISE_ENABLED - default: "false" - name: MATTERMOST_ENTERPRISE_LICENSE default: "" autoIndent: true @@ -18,12 +16,6 @@ variables: default: "" - name: MATTERMOST_FILE_STORE_ENDPOINT default: "minio" - - name: MATTERMOST_VOLUMES - default: "[]" - autoIndent: true - - name: MATTERMOST_VOLUME_MOUNTS - default: "[]" - autoIndent: true - name: MATTERMOST_SSO_ENABLED default: "false" - name: MATTERMOST_SSO_CLIENT_ID 
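Review bot: `securityContext` under `mattermostApp` in values/values.yaml pins `runAsUser: 2000` and `runAsGroup: 2000` but omits `runAsNonRoot: true`, so nothing at admission rejects a future image whose metadata switches the process back to UID 0. If the chart renders this block as the pod-level securityContext (worth confirming against the 2.6.43 templates rather than assuming), adding `runAsNonRoot: true` beneath `runAsGroup: 2000` is a one-line hardening, and `fsGroup: 2000` may be needed for any mounted volume to be writable by that UID. The comment `# Default replicacount due to HA requiring a license` should read `replicaCount` so it matches the key it explains.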
@@ -36,12 +28,13 @@ variables: default: "" - name: MATTERMOST_SSO_USER_API_ENDPOINT default: "" + # Enabled by default to support non-SSO auth - name: MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED - default: "false" + default: "true" - name: MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED - default: "false" + default: "true" - name: MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED - default: "false" + default: "true" - name: DOMAIN default: "uds.dev" 
@@ -50,61 +43,46 @@ components: required: true description: "Deploy Mattermost" only: - flavor: registry1 + flavor: upstream charts: - - name: mattermost-operator - namespace: mattermost-operator - url: https://repo1.dso.mil/big-bang/product/packages/mattermost-operator.git - gitPath: chart - version: 1.20.1-bb.0 - valuesFiles: - - values/mattermost-operator-values.yaml - - name: mattermost - namespace: mattermost - url: https://repo1.dso.mil/big-bang/product/packages/mattermost.git - gitPath: chart - version: 9.3.0-bb.2 - valuesFiles: - - values/mattermost-values.yaml - name: uds-mattermost-config namespace: mattermost version: 0.1.0 localPath: chart + valuesFiles: + - values/config-values.yaml + - name: mattermost-enterprise-edition + namespace: mattermost + url: https://helm.mattermost.com + gitPath: chart + version: 2.6.43 + valuesFiles: + - values/values.yaml + - values/upstream-values.yaml images: - - "registry1.dso.mil/ironbank/opensource/mattermost/mattermost-operator:v1.20.1" - - "registry1.dso.mil/ironbank/opensource/mattermost/mattermost:v9.3.0" - - "registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.17" + - appropriate/curl:latest + - mattermost/mattermost-enterprise-edition:9.4.1 - name: mattermost required: true description: "Deploy Mattermost" only: - flavor: upstream-ce + flavor: registry1 charts: - - name: mattermost-operator - namespace: mattermost-operator - url: https://helm.mattermost.com - gitPath: chart - version: 0.3.5 + - name: uds-mattermost-config + namespace: mattermost + version: 0.1.0 + localPath: chart valuesFiles: - - values/mattermost-operator-values.yaml - - values/mattermost-operator-upstream.yaml - - name: mattermost-team-edition + - values/config-values.yaml + - name: mattermost-enterprise-edition namespace: mattermost url: https://helm.mattermost.com gitPath: chart - version: 6.6.46 + version: 2.6.43 valuesFiles: - - values/mattermost-values.yaml - - values/mattermost-upstream.yaml - - values/mattermost-ce.yaml - - 
name: uds-mattermost-config - namespace: mattermost - version: 0.1.0 - localPath: chart + - values/values.yaml + - values/registry1-values.yaml images: - - appropriate/curl:latest - - bats/bats:v1.1.0 - - busybox:1.31.1 - - mattermost/mattermost-operator:v1.20.1 - - mattermost/mattermost-team-edition:9.4.1 + - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.3 + - registry1.dso.mil/ironbank/opensource/mattermost/mattermost:9.4.1 From 13645866d82e81f6e3c74145ceb0d05ac097e2ad Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 30 Jan 2024 21:41:25 -0700 Subject: [PATCH 2/6] burning more things --- README.md | 51 ++++++++------------ bundle/uds-bundle.yaml | 27 ++++++++++- bundle/uds-config.yaml | 2 +- chart/templates/mattermost-object-store.yaml | 13 +++++ chart/templates/mattermost-postgres.yaml | 8 +++ chart/templates/mattermost-sso.yaml | 9 ++-- chart/values.yaml | 24 +++++++-- src/dev-secrets/minio-secret.yaml | 13 ----- src/dev-secrets/postgres-secret.yaml | 8 --- src/dev-secrets/zarf.yaml | 23 ++------- tasks.yaml | 1 + tasks/create.yaml | 2 +- tasks/test.yaml | 9 ++++ values/config-values.yaml | 16 +++--- values/values.yaml | 17 ++++--- zarf.yaml | 28 +++-------- 16 files changed, 131 insertions(+), 120 deletions(-) create mode 100644 chart/templates/mattermost-object-store.yaml create mode 100644 chart/templates/mattermost-postgres.yaml delete mode 100644 src/dev-secrets/minio-secret.yaml delete mode 100644 src/dev-secrets/postgres-secret.yaml diff --git a/README.md b/README.md index 59da501b..89412f32 100644 --- a/README.md +++ b/README.md 
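Review bot: The upstream flavor's `images:` list in zarf.yaml pins `appropriate/curl:latest`, a mutable tag, so two builds of the same package version can ship different bytes and the SBOM and image digest cannot be reconciled with a published package. Pin it to a versioned tag or a digest and, since values/upstream-values.yaml sets no `initContainerImage` while values/registry1-values.yaml does, set that value explicitly in upstream-values.yaml to the same pinned reference so the chart default (presumably where `appropriate/curl` comes from) and the image list cannot drift apart. `gitPath: chart` on the two `url: https://helm.mattermost.com` entries is a leftover from the removed git-sourced charts and has no meaning for a Helm repository URL.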
@@ -1,46 +1,37 @@ -# uds-package-mattermost +# UDS Mattermost Package -UDS Mattermost Zarf Package +This repo contains the UDS Mattermost Package along with an example bundle and UDS tasks for development. ## Dependencies -Mattermost requires two dependencies, postgres and s3 compatible object storage. Wiring Mattermost to your dependencies is done via secrets created in the `mattermost` namespace. +Mattermost requires two dependencies, postgres and s3 compatible object storage. Wiring Mattermost to your dependencies is done primarily via helm values, which will require the use of a bundle created with uds-cli. ### Postgres -You should create a secret named `mattermost-postgres` with a single key containing the DB connection string like the following: - +Postgres configuration is setup in the `uds-mattermost-config` chart and should be done via bundle overrides (variables or values) like the below: ```yaml -apiVersion: v1 -kind: Secret -metadata: - name: mattermost-postgres - namespace: mattermost -type: kubernetes.io/opaque -stringData: - DB_CONNECTION_STRING: "postgres://username:password@hostname:port/dbname?postgresoptions" + overrides: + mattermost: + uds-mattermost-config: + values: + - path: "postgres.host" + value: "postgresql.dev-postgres.svc.cluster.local" ``` -### S3 Compatible Object Storage +The full list of override config can be found in the values under `postgres` [here](./chart/values.yaml). In addition a zarf var is exposed for `DB_PASSWORD` for convenience if using import/exports in your bundle. 
-You should create a secret named `mattermost-object-store` with a number of keys matching the below: +### S3 Compatible Object Storage +Object storage configuration is setup in the `uds-mattermost-config` chart and should be done via bundle overrides (variables or values) like the below: ```yaml -apiVersion: v1 -kind: Secret -metadata: - name: mattermost-object-store - namespace: mattermost -type: kubernetes.io/opaque -stringData: - secure_connection: # Typically false for insecure connections like MinIO - access_key: - secret_key: - region: - bucket: - endpoint: + overrides: + mattermost: + uds-mattermost-config: + values: + - path: "objectStorage.endpoint" + value: "minio.dev-minio.svc.cluster.local:9000" ``` -To use IRSA make sure to set the two keys to empty strings and add the appropriate annotations to the service account via `serviceAccount.annotations` (override in a UDS Bundle). +The full list of override config can be found in the values under `objectStorage` [here](./chart/values.yaml). In addition zarf vars are exposed for `ACCESS_KEY` and `SECRET_KEY` for convenience if using import/exports in your bundle. -TODO: Figure out if this setup works and a better way to handle the keys... +To use IRSA make sure to not set the two keys and add the appropriate annotation to the service account via an override to `serviceAccount.annotations`. diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 5414990a..4afa90ec 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml 
@@ -18,9 +18,34 @@ packages: - name: dev-secrets path: ../ ref: 0.1.0 - + exports: + - name: ACCESS_KEY + - name: SECRET_KEY + - name: DB_PASSWORD + - name: mattermost path: ../ # x-release-please-start-version ref: 9.3.0-uds.2 # x-release-please-end + imports: + - name: ACCESS_KEY + package: dev-secrets + - name: SECRET_KEY + package: dev-secrets + - name: DB_PASSWORD + package: dev-secrets + overrides: + mattermost: + uds-mattermost-config: + values: + - path: "objectStorage.secure" + value: "false" + - path: "objectStorage.endpoint" + value: "minio.dev-minio.svc.cluster.local:9000" + - path: "objectStorage.bucket" + value: "uds-mattermost-dev" + - path: "postgres.host" + value: "postgresql.dev-postgres.svc.cluster.local" + - path: "postgres.connectionOptions" + value: "?connect_timeout=10&sslmode=disable" diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 85db958c..da837a94 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -4,4 +4,4 @@ variables: - name: uds-mattermost-dev dev-postgres: db_username: "mattermost" - db_name: "mattermostdb" + db_name: "mattermost" diff --git a/chart/templates/mattermost-object-store.yaml b/chart/templates/mattermost-object-store.yaml new file mode 100644 index 00000000..03b627e0 --- /dev/null +++ b/chart/templates/mattermost-object-store.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mattermost-object-store + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + MM_FILESETTINGS_AMAZONS3SSL: "{{ .Values.objectStorage.secure | toString }}" + MM_FILESETTINGS_AMAZONS3ACCESSKEYID: "{{ .Values.objectStorage.accessKey }}" + MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: "{{ .Values.objectStorage.secretKey }}" + MM_FILESETTINGS_AMAZONS3BUCKET: "{{ .Values.objectStorage.bucket }}" + MM_FILESETTINGS_AMAZONS3ENDPOINT: "{{ .Values.objectStorage.endpoint }}" + MM_FILESETTINGS_AMAZONS3REGION: "{{ .Values.objectStorage.region }}" 
diff --git a/chart/templates/mattermost-postgres.yaml b/chart/templates/mattermost-postgres.yaml new file mode 100644 index 00000000..3830dc36 --- /dev/null +++ b/chart/templates/mattermost-postgres.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mattermost-postgres + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + db_connection_string: "postgres://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}" diff --git a/chart/templates/mattermost-sso.yaml b/chart/templates/mattermost-sso.yaml index 52fe0d60..84de4369 100644 --- a/chart/templates/mattermost-sso.yaml +++ b/chart/templates/mattermost-sso.yaml @@ -3,15 +3,14 @@ kind: Secret metadata: name: mattermost-sso namespace: {{ .Release.Namespace }} - labels: type: Opaque stringData: - MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled }}" + MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}" MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}" MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}" MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}" MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}" MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}" - MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email }}" - MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email }}" - MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username }}" + MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}" + MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}" + MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}" 
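Review bot: `db_connection_string` in chart/templates/mattermost-postgres.yaml splices `.Values.postgres.password` (and `.Values.postgres.username`) into the URL unescaped, so a generated password containing `@`, `/`, `:`, `#`, `?` or `%` yields a connection string that parses to the wrong host or fails outright, and the failure only surfaces as a Mattermost startup error. Go templates provide `urlquery` for exactly this: `db_connection_string: "postgres://{{ .Values.postgres.username | urlquery }}:{{ .Values.postgres.password | urlquery }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.dbName }}{{ .Values.postgres.connectionOptions }}"` (note that `urlquery` encodes a space as `+`, so a comment stating that spaces are unsupported is still warranted).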
diff --git a/chart/values.yaml b/chart/values.yaml index 87f26075..52ed9fe1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,3 +1,20 @@ +objectStorage: + secure: true + accessKey: "" + secretKey: "" + bucket: "mattermost" + endpoint: "s3.amazonaws.com" + region: "us-west-1" + +postgres: + username: "mattermost" + password: "" + host: "" + port: 5432 + dbName: "mattermost" + # Example: "?connect_timeout=10&sslmode=disable" + connectionOptions: "" + sso: enabled: false client_id: "" @@ -5,6 +22,7 @@ sso: auth_endpoint: "" token_endpoint: "" user_api_endpoint: "" - enable_sign_up_with_email: "" - enable_sign_in_with_email: "" - enable_sign_in_with_username: "" + # These should typically be disabled if SSO is enabled + enable_sign_up_with_email: true + enable_sign_in_with_email: true + enable_sign_in_with_username: true diff --git a/src/dev-secrets/minio-secret.yaml b/src/dev-secrets/minio-secret.yaml deleted file mode 100644 index a0083af9..00000000 --- a/src/dev-secrets/minio-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: mattermost-object-store - namespace: mattermost -type: kubernetes.io/opaque -stringData: - secure_connection: "false" - access_key: ###ZARF_VAR_ACCESS_KEY### - secret_key: ###ZARF_VAR_SECRET_KEY### - region: "minio" - bucket: "uds-mattermost-dev" - endpoint: "minio.dev-minio.svc.cluster.local:9000" diff --git a/src/dev-secrets/postgres-secret.yaml b/src/dev-secrets/postgres-secret.yaml deleted file mode 100644 index 03635ad7..00000000 --- a/src/dev-secrets/postgres-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: mattermost-postgres - namespace: mattermost -type: kubernetes.io/opaque -stringData: - db_connection_string: "postgres://mattermost:###ZARF_VAR_POSTGRES_DB_PASSWORD###@postgresql.dev-postgres.svc.cluster.local:5432/mattermostdb?connect_timeout=10&sslmode=disable" 
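Review bot: `enable_sign_up_with_email: true` in the second chart/values.yaml hunk turns on self-registration for anyone who can reach the tenant gateway, and the comment `# These should typically be disabled if SSO is enabled` ties it only to SSO, so a deployer who never enables SSO keeps open signup indefinitely. Sign-in with email or username can stay on without signup, so the comment should separate the two, e.g. `# enable_sign_up_with_email permits self-registration; set to false once the initial admin exists or SSO is enabled`. In the first hunk the only documented `connectionOptions` value is `?connect_timeout=10&sslmode=disable`, which disables TLS to Postgres; extending the comment to `# Example (dev only): "?connect_timeout=10&sslmode=disable"; use sslmode=require or verify-full against a real database` keeps the example from being copied into production.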
diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml index 38e378e7..75f6df57 100644 --- a/src/dev-secrets/zarf.yaml +++ b/src/dev-secrets/zarf.yaml @@ -11,22 +11,16 @@ components: actions: onDeploy: before: - - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d + - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d mute: true setVariables: - - name: SECRET_KEY + - name: ACCESS_KEY sensitive: true - - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d + - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d mute: true setVariables: - - name: ACCESS_KEY + - name: SECRET_KEY sensitive: true - - name: mattermost-minio - required: true - manifests: - - name: mattermost-minio - files: - - "minio-secret.yaml" - name: postgres-password required: true actions: @@ -35,12 +29,5 @@ components: - cmd: kubectl get secret -n dev-postgres postgresql --template={{.data.password}} | base64 -d mute: true setVariables: - - name: POSTGRES_DB_PASSWORD + - name: DB_PASSWORD sensitive: true - - name: mattermost-postgres - required: true - manifests: - - name: mattermost-postgres - namespace: mattermost - files: - - postgres-secret.yaml diff --git a/tasks.yaml b/tasks.yaml index 3c216209..09104a07 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -34,6 +34,7 @@ tasks: - name: test-package actions: + - task: test:health-check - task: test:ingress - name: cleanup diff --git a/tasks/create.yaml b/tasks/create.yaml index 08c19263..3bcdf11e 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml 
@@ -18,4 +18,4 @@ tasks: - name: dependency-package description: Create the Minio, PostgreSQL, and Redis Dependency Zarf Packages actions: - - cmd: zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH} --skip-sbom + - cmd: zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH} diff --git a/tasks/test.yaml b/tasks/test.yaml index 6fc0bf48..caea0468 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,4 +1,13 @@ tasks: + - name: health-check + actions: + - description: Mattermost Health Check + wait: + cluster: + kind: Deployment + name: mattermost-enterprise-edition + namespace: mattermost + - name: ingress actions: - description: Mattermost UI Health Check diff --git a/values/config-values.yaml b/values/config-values.yaml index a21bc4f2..eef12a96 100644 --- a/values/config-values.yaml +++ b/values/config-values.yaml @@ -1,10 +1,6 @@ -sso: - enabled: ###ZARF_VAR_MATTERMOST_SSO_ENABLED### - client_id: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_ID### - client_secret: ###ZARF_VAR_MATTERMOST_SSO_CLIENT_SECRET### - auth_endpoint: ###ZARF_VAR_MATTERMOST_SSO_AUTH_ENDPOINT### - token_endpoint: ###ZARF_VAR_MATTERMOST_SSO_TOKEN_ENDPOINT### - user_api_endpoint: ###ZARF_VAR_MATTERMOST_SSO_USER_API_ENDPOINT### - enable_sign_up_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED### - enable_sign_in_with_email: ###ZARF_VAR_MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED### - enable_sign_in_with_username: ###ZARF_VAR_MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED### +objectStorage: + accessKey: "###ZARF_VAR_ACCESS_KEY###" + secretKey: "###ZARF_VAR_SECRET_KEY###" + +postgres: + password: "###ZARF_VAR_DB_PASSWORD###" diff --git a/values/values.yaml b/values/values.yaml index 5d619552..aef42581 100644 --- a/values/values.yaml +++ b/values/values.yaml 
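Review bot: `password: "###ZARF_VAR_DB_PASSWORD###"` in values/config-values.yaml is substituted textually by Zarf before the file is parsed as YAML, so a generated password containing `"` or `\` produces an unparsable values file; `accessKey` and `secretKey` have the same exposure. Single quotes narrow the problem to `'` alone (`password: '###ZARF_VAR_DB_PASSWORD###'`), and whichever quoting is kept, the character constraint belongs in a comment above the keys so that whoever generates these credentials knows about it. The same caveat applies to the `| toString` secrets in chart/templates, which receive these values after substitution.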
@@ -59,32 +59,32 @@ mattermostApp:
     - name: MM_FILESETTINGS_AMAZONS3SSL
       valueFrom:
         secretKeyRef:
-          key: secure_connection
+          key: MM_FILESETTINGS_AMAZONS3SSL
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3ACCESSKEYID
       valueFrom:
         secretKeyRef:
-          key: access_key
+          key: MM_FILESETTINGS_AMAZONS3ACCESSKEYID
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY
       valueFrom:
         secretKeyRef:
-          key: secret_key
+          key: MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3BUCKET
       valueFrom:
         secretKeyRef:
-          key: bucket
+          key: MM_FILESETTINGS_AMAZONS3BUCKET
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3ENDPOINT
       valueFrom:
         secretKeyRef:
-          key: endpoint
+          key: MM_FILESETTINGS_AMAZONS3ENDPOINT
           name: "mattermost-object-store"
     - name: MM_FILESETTINGS_AMAZONS3REGION
       valueFrom:
         secretKeyRef:
-          key: region
+          key: MM_FILESETTINGS_AMAZONS3REGION
           name: "mattermost-object-store"
   securityContext:
     runAsUser: 2000
@@ -93,11 +93,12 @@ mattermostApp:
   serviceAccount:
     create: true
     name: mattermost
-    annotations: {} # Add IRSA annotation here if necessary in environment
+    annotations: {}

 global:
   siteUrl: "https://mattermost.###ZARF_VAR_DOMAIN###"
-  mattermostLicense: "###ZARF_VAR_MATTERMOST_ENTERPRISE_LICENSE###"
+  # Default unlicensed deployment
+  mattermostLicense: ""

 features:
   database:
diff --git a/zarf.yaml b/zarf.yaml
index 80fba314..bb0ee922 100644
--- a/zarf.yaml
+++ b/zarf.yaml
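Review bot: With the MATTERMOST_ENTERPRISE_LICENSE zarf variable removed, the new comment above `mattermostLicense` in the second hunk says the default is unlicensed but not how a license is supplied now, and since the license is a secret the comment is the right place to steer people away from editing this file. Suggest `# Default unlicensed deployment; supply a license via a bundle override of global.mattermostLicense rather than editing this file`. The secretKeyRef key renames in the first hunk have to match the keys the `mattermost-object-store` secret is rendered with, which is not visible in this diff.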
@@ -9,30 +9,14 @@ metadata:
   architecture: amd64

 variables:
-  - name: MATTERMOST_ENTERPRISE_LICENSE
-    default: ""
-    autoIndent: true
-  - name: MATTERMOST_SSO_ENABLED
-    default: "false"
-  - name: MATTERMOST_SSO_CLIENT_ID
-    default: ""
-  - name: MATTERMOST_SSO_CLIENT_SECRET
-    default: ""
-  - name: MATTERMOST_SSO_AUTH_ENDPOINT
-    default: ""
-  - name: MATTERMOST_SSO_TOKEN_ENDPOINT
-    default: ""
-  - name: MATTERMOST_SSO_USER_API_ENDPOINT
-    default: ""
-    # Enabled by default to support non-SSO auth
-  - name: MATTERMOST_SSO_EMAIL_SIGNUP_ENABLED
-    default: "true"
-  - name: MATTERMOST_SSO_EMAIL_SIGNIN_ENABLED
-    default: "true"
-  - name: MATTERMOST_SSO_USERNAME_SIGNIN_ENABLED
-    default: "true"
   - name: DOMAIN
     default: "uds.dev"
+  - name: ACCESS_KEY
+    description: "Access Key for S3 compatible storage"
+  - name: SECRET_KEY
+    description: "Secret Key for S3 compatible storage"
+  - name: DB_PASSWORD
+    description: "Database Password for Mattermost"

 components:
   - name: mattermost
From 5d3f49020fee7139595ff9a6cdf7420f3ef76756 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 30 Jan 2024 21:47:26 -0700
Subject: [PATCH 3/6] publishing workflow

---
 tasks/publish.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index f3ffa4e4..86dcdd01 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
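Review bot: The three variables added at the end of the hunk carry a `description` but no `sensitive: true`, so values supplied for SECRET_KEY and DB_PASSWORD (and ACCESS_KEY) can be echoed by zarf in its logs and variable output, whereas the dev-secrets package in this same series marks those very variables `sensitive: true` when it exports them via `setVariables`, so the declarations here should match. Add `sensitive: true` beneath each of the three `description` lines, e.g. `- name: SECRET_KEY`, `description: "Secret Key for S3 compatible storage"`, `sensitive: true`. The removed SSO variables appear to move into chart values; that part of the change is outside this hunk.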
@@ -13,13 +13,7 @@ tasks:
     description: Build and publish the packages
     actions:
       - description: Create the packages
-        cmd: |
-          set -e
-          ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml mattermost-package --no-progress
-          ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml mattermost-package --no-progress
+        cmd: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml mattermost-package --no-progress
       - description: Publish the packages
-        cmd: |
-          set -e
-          zarf package publish zarf-package-mattermost-amd64-${VERSION}.tar.zst ${TARGET_REPO}
-          zarf package publish zarf-package-mattermost-arm64-${VERSION}.tar.zst ${TARGET_REPO}
+        cmd: zarf package publish zarf-package-mattermost-amd64-${VERSION}.tar.zst ${TARGET_REPO}

From e3ec215ef0c24d5ef8b0b2fb1b8dc72fae31f7e2 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 30 Jan 2024 21:51:07 -0700
Subject: [PATCH 4/6] flavor publishing

---
 .github/workflows/tag-and-release.yaml |  7 +++++--
 tasks/publish.yaml                     | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
index b6f7afae..32eda337 100644
--- a/.github/workflows/tag-and-release.yaml
+++ b/.github/workflows/tag-and-release.yaml
@@ -23,7 +23,10 @@ jobs:
     needs: tag-new-version
     if: ${{ needs.tag-new-version.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
-    name: Publish package
+    name: Publish ${{ matrix.flavor }}
+    strategy:
+      matrix:
+        flavor: [upstream, registry1]

     permissions:
       contents: read
@@ -46,4 +49,4 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}

       - name: Publish Package
-        run: uds run -f tasks/publish.yaml package
+        run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }}
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 86dcdd01..54d3a4aa 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
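Review bot: The new `strategy.matrix` in tag-and-release.yaml has no `fail-fast: false`, so with the GitHub default a failure in one flavor's publish job cancels the other mid-run and a release can end up with only one flavor's package pushed. Adding `fail-fast: false` directly under `strategy:` lets each flavor finish independently, so a gap shows up as a distinct failed job rather than a cancelled one. The `permissions` block continues below the hunk, so whether it grants what a package push needs cannot be confirmed from here.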
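Review bot: `run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }}` interpolates a workflow expression straight into the shell command; that is harmless here only because `flavor` comes from the literal list in the matrix. The conventional shape is to route it through the step's environment so the shell reads a variable instead of substituted text, `env:` / `FLAVOR: ${{ matrix.flavor }}` / `run: uds run -f tasks/publish.yaml package --set FLAVOR=${FLAVOR}`, which keeps the step safe if the matrix is later fed from an input.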
@@ -13,7 +13,17 @@ tasks:
     description: Build and publish the packages
     actions:
       - description: Create the packages
-        cmd: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml mattermost-package --no-progress
+        cmd: |
+          set -e
+          ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml mattermost-package --no-progress --set FLAVOR=${FLAVOR}
+          if [ "${FLAVOR}" != "registry1" ]; then
+            ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml mattermost-package --no-progress --set FLAVOR=${FLAVOR}
+          fi
       - description: Publish the packages
-        cmd: zarf package publish zarf-package-mattermost-amd64-${VERSION}.tar.zst ${TARGET_REPO}
+        cmd: |
+          set -e
+          zarf package publish zarf-package-mattermost-amd64-${VERSION}.tar.zst ${TARGET_REPO}
+          if [ "${FLAVOR}" != "registry1" ]; then
+            zarf package publish zarf-package-mattermost-arm64-${VERSION}.tar.zst ${TARGET_REPO}
+          fi

From 409d1160d3f5c5ab25a39116e0817f3b70afc519 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 31 Jan 2024 10:42:24 -0700
Subject: [PATCH 5/6] expose host as helm value

---
 chart/templates/uds-package.yaml | 2 +-
 chart/values.yaml                | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index 434c2f53..5b96555c 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
@@ -10,7 +10,7 @@ spec:
         podLabels:
           app.kubernetes.io/name: mattermost-enterprise-edition
         gateway: tenant
-        host: mattermost
+        host: {{ .Values.host }}
         port: 8065
     allow:
       # Permit intra-namespace communication for job communications
diff --git a/chart/values.yaml b/chart/values.yaml
index 52ed9fe1..9260bd43 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -26,3 +26,6 @@ sso:
   enable_sign_up_with_email: true
   enable_sign_in_with_email: true
   enable_sign_in_with_username: true
+
+# The subdomain for the mattermost server, will be prefixed to your domain (ex: mattermost.example.com)
+host: "mattermost"
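Review bot: Both new `cmd` blocks in tasks/publish.yaml branch on `"${FLAVOR}" != "registry1"` without saying why registry1 is built for amd64 only, and an unset FLAVOR passes that check and builds and publishes both architectures with an empty `--set FLAVOR=`. A guard line after each `set -e`, `: "${FLAVOR:?FLAVOR must be set (upstream or registry1)}"`, fails fast on a missing value, and a comment above the first `if` such as `# registry1 images are only published for amd64, so skip the arm64 build for that flavor` (assuming that is the reason) documents the branch. FLAVOR itself is passed in by the workflow change in this same patch.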
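Review bot: `host: {{ .Values.host }}` in uds-package.yaml renders the value unquoted, so an empty override yields `host:` (null) and a value that looks like a number or boolean is retyped by the YAML parser before the Package resource is validated. Render it through `quote`, `host: {{ .Values.host | quote }}`, which also matches how chart/values.yaml writes the default as `"mattermost"`. The list item that holds `gateway`/`host`/`port` begins above this hunk.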
From 4a05031ff7b1e35e9fdc27e283d4adc724fccc1f Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 31 Jan 2024 13:11:38 -0700
Subject: [PATCH 6/6] readme example

---
 README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 89412f32..f69c0864 100644
--- a/README.md
+++ b/README.md
@@ -34,4 +34,12 @@ Object storage configuration is setup in the `uds-mattermost-config` chart and s

 The full list of override config can be found in the values under `objectStorage` [here](./chart/values.yaml). In addition zarf vars are exposed for `ACCESS_KEY` and `SECRET_KEY` for convenience if using import/exports in your bundle.

-To use IRSA make sure to not set the two keys and add the appropriate annotation to the service account via an override to `serviceAccount.annotations`.
+To use IRSA make sure to NOT set the two key variables and add the appropriate role ARN annotation to the service account via an override to `serviceAccount.annotations`. As an example:
+```yaml
+  overrides:
+    mattermost:
+      mattermost-enterprise-edition:
+        values:
+          - path: "serviceAccount.annotations.irsa/role-arn"
+            value: "arn:aws:iam::123456789:role/mattermost-role"
+```