fix: mattermost object storage configuration (#81)

feat: add ability to add additional cert chain for mattermost
defenseunicorns · Apr 18, 2024 · 1eb5528 · 1eb5528
1 parent 0beebda
commit 1eb5528
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 1 deletion.
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
@@ -349,6 +349,14 @@ packages:
     ref: 9.6.1-uds.0-registry1
     overrides:
       mattermost:
+        mattermost-enterprise-edition:
+          variables:
+            - name: VOLUMES
+              path: "mattermostApp.extraVolumes"
+              description: "Used to mount ca certs"
+            - name: VOLUME_MOUNTS
+              path: "mattermostApp.extraVolumeMounts"
+              description: "Used to mount ca certs"
         uds-mattermost-config:
           variables:
             - name: OBJECT_STORE_SECURE
@@ -362,6 +370,10 @@ packages:
               path: "objectStorage.bucket"
               description: "Object storage bucket"
               default: "mattermost-bucket"
+            - name: OBJECT_STORE_REGION
+              path: "objectStorage.region"
+              description: "Object storage region"
+              default: "us-east-1"
             - name: DB_ENDPOINT
               path: "postgres.host"
               description: "Postgres DB endpoint"

diff --git a/config/uds-config.yaml b/config/uds-config.yaml
@@ -2,6 +2,8 @@ options:
   log_level: info
 shared:
   DOMAIN: replace.with.your.domain
+  # ADDITIONAL_CA_CHAIN value must be base64 encoded
+  ADDITIONAL_CA_CHAIN: replace-me-with-additional-ca-chain
 variables:
   init:
     REGISTRY_HPA_ENABLE: false
@@ -12,7 +14,7 @@ variables:
     # Replace with a valid IP address range
     IP_ADDRESS_POOL: "10.0.0.10-10.0.0.20"
   core:
-    # CERT values must be base64 encoded
+    # TLS CERT and KEY values must be base64 encoded
     ADMIN_TLS_CERT: replace-me-cert
     ADMIN_TLS_KEY: replace-me-key
     TENANT_TLS_CERT: replace-me-cert
@@ -128,6 +130,16 @@ variables:
     OBJECT_STORE_SECURE: "false"
     OBJECT_STORE_ENDPOINT: "replace.with.object.store.url"
     OBJECT_STORE_BUCKET: "mattermost-bucket"
+    OBJECT_STORE_REGION: "us-east-1"
+    VOLUME_MOUNTS:
+      - name: ca-cert
+        mountPath: /etc/ssl/certs
+        readOnly: true
+    VOLUMES:
+      - name: ca-cert
+        secret:
+          secretName: ca-secret
+          defaultMode: 0644
   nexus:
     NEXUS_DB_NAME: "nexusdb"
     NEXUS_DB_USERNAME: "postgres"

diff --git a/packages/additional-manifests/mattermost/ca-secret.yaml b/packages/additional-manifests/mattermost/ca-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-secret
+  namespace: mattermost
+type: kubernetes.io/opaque
+data:
+  ca.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###"
diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml
@@ -10,6 +10,8 @@ variables:
   - name: DOMAIN
     description: "Domain to be used in VS hosts and gateway config"
     default: "mtsi.bigbang.dev"
+  - name: ADDITIONAL_CA_CHAIN
+    description: "Additional CA chain"
 
 components:
   - name: gitlab-additional-manifests
@@ -28,3 +30,9 @@ components:
       - name: pepr-policy-exemptions
         files:
           - pepr-policy-exemptions/rook-ceph-exemption.yaml
+  - name: mattermost-ca-secret
+    required: true
+    manifests:
+      - name: mattermost-ca-secret
+        files:
+          - mattermost/ca-secret.yaml