feat: Integrate gitlab with external object store (#15)

feat: Integrate gitlab with external object store

chore: Upgrade to uds-cli v0.4.1

Makefile

@@ -1,7 +1,7 @@
 # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to
 # the build folder.
 # renovate: datasource=github-tags depName=defenseunicorns/zarf
-UDS_CLI_VERSION := v0.4.0
+UDS_CLI_VERSION := v0.4.1
 
 ZARF_VERSION := v0.31.3
 
@@ -50,7 +50,7 @@ help: ## Show a list of all targets
 ########################################################################
 
 .PHONY: build/all
-build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-gitlab build/idam-sonarqube build/db-manifests build/uds-bundle-software-factory ## Build everything
+build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/uds-bundle-software-factory ## Build everything
 
 build: ## Create build directory
 	mkdir -p build
@@ -88,7 +88,7 @@ build/idam-dns: | build ## Build idam-dns package
 build/idam-realm: | build ## Build idam-realm package
 	cd build && ./zarf package create ../packages/idam-realm/ --confirm --output-directory .
 
-build/db-manifests:
+build/db-manifests: | build ## Build DB Manifests
 	cd build && ./zarf package create ../packages/databases/confluence/ --confirm --output-directory .
 	cd build && ./zarf package create ../packages/databases/gitlab/ --confirm --output-directory .
 	cd build && ./zarf package create ../packages/databases/jira/ --confirm --output-directory .
@@ -97,6 +97,10 @@ build/db-manifests:
 	cd build && ./zarf package create ../packages/databases/nexus/ --confirm --output-directory .
 	cd build && ./zarf package create ../packages/databases/sonarqube/ --confirm --output-directory .
 
+build/object-store-manifests: | build ## Build object store Manifests
+	cd build && ./zarf package create ../packages/object-store/gitlab/ --confirm --output-directory .
+	cd build && ./zarf package create ../packages/object-store/mattermost/ --confirm --output-directory .
+
 build/uds-bundle-software-factory: | build ## Build the software factory
 	cd build && ./uds create ../ --confirm
 	mv uds-bundle-software-factory-*.tar.zst build/

README.md

@@ -1,37 +1,64 @@
 # uds-bundle-software-factory-nutanix
-A UDS Bundle Containing
-- custom init package
-- metallb
-- dubbd-rke2
-- keycloak
-- gitlab
-- gitlab-runner
-- sonarqube
-- jira
-- confluence
-- mattermost
-- nexus
+Detailed list of packages and dependencies in this bundle:
+[packages-and-dependencies.md](docs/packages-and-dependencies.md)
 
 ## Developer Info
 
 [DEVELOPMENT_MAINTENANCE.md](docs/DEVELOPMENT_MAINTENANCE.md)
 
-## Deploying
+## Key Points
+This project is continually improving and being iterated on. Stay tuned to the latest updates.
+### Things you will need
+- You need an appropriately provisioned kubernetes cluster to deploy to.
+- You need all databases and object storage provisioned with connection configurations ready to plug into your `uds-config.yaml`
+- You need domain configuration and certs ready for use
+- You need [zarf](https://github.com/defenseunicorns/zarf) and [uds](https://github.com/defenseunicorns/uds-cli)
+- You need a bundle artifact. You can build it from this repository, download it or reference it directly from the [oci registry](https://github.com/defenseunicorns/uds-bundle-software-factory-nutanix/pkgs/container/uds-bundle%2Fsoftware-factory-nutanix)
+- You need a `uds-config.yaml` that is set up for your environment.
+- You need a `deploy-dubbd-values.yaml` to configure some resource increases needed for this bundle.
 
-You can run the following command to deploy the published bundle from oci. You can use the breadcrumbs in the [Makefile](Makefile) to understand how the examples in this project are configured, built and deployed.
+## The Bundle
 
-This is only an example. You need to set up and use the `uds-config.yaml`, `deploy-dubbd-values.yaml`, and certs that make sense for your deployment.
+When disconnected, you can download the tarball for this bundle to use for deployment from the oci compliant github container registry connected to this repo [here](https://github.com/defenseunicorns/uds-bundle-software-factory-nutanix/pkgs/container/uds-bundle%2Fsoftware-factory-nutanix). You can also deploy the bundle directly from the oci registry if you are in a connected environment.
 
-`uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/uds-bundle-software-factory-nutanix:v0.x.x-amd64 --confirm`
+## uds-config.yaml
+Once you have the bundle where you need or have access to it via oci, you can then set up a `uds-config.yaml` configuration for your environment. This configuration will be used during deployment.
 
-### UDS Config
-Below are the example configurations used in this project to configure deploy time zarf variables for packages in the bundle.
+Below are the example configurations used in this project to configure deploy time variables for the zarf packages in the bundle.
 - [uds-config.yaml](uds-config/dev-cluster/uds-config.yaml) Example of our nutanix Dev cluster config
 - [uds-config.yaml](uds-config/test-cluster/uds-config.yaml) Example of our nutanix Test cluster config
 
-There will be sensitive values you will need to update before deployment.
+There will be sensitive values you will need to update before deployment. You can search `replace-me` in the above `uds-config.yaml` files for quick reference sensitive values needing updated.
 
-### Certs
-If deploying from this example you will need to insure the contents in the .pem files linked below are correct for your deployment. They contain the public `bigbang.dev` cert and key as placeholders. The [update-certs.sh](scripts/update-certs.sh) will be called in this examples Makefile to update the appropriate kubernetes resources.
-- [test-cluster-ingress-cert.pem](scripts/test-cluster-ingress-cert.pem)
-- [test-cluster-ingress-key.pem](scripts/test-cluster-ingress-key.pem)
+## Certs
+Currently we are deploying the bundle, and then updating the certs in the cluster to our own `mtsi.bigbang.dev` and `mtsi-dev.bigbang.dev` certs using this [update-certs.sh](scripts/update-certs.sh) script. In a future version we will update this example to put the certs in the `uds-config.yaml` to be setup at deploy time.
+
+## High Level Steps
+You can follow the breadcrumbs starting at the [Makefile](Makefile) target `make all/dev-cluster`. This Makefile downloads configured versions of zarf and uds to the build directory, places the `uds-config.yaml` and `deploy-dubbd-values.yaml` in that build directory and performs the deploy command from there. Steps numbered below. Or follow along in the Makefile.
+
+These breadcrumbs will show you how to:
+1) download the tools you need like zarf and uds.
+```bash
+.PHONY: build/zarf
+build/zarf: | build ## Download the Zarf to the build dir
+	if [ -f build/zarf ] && [ "$$(build/zarf version)" = "$(ZARF_VERSION)" ] ; then exit 0; fi && \
+	echo "Downloading zarf" && \
+	curl -sL https://github.com/defenseunicorns/zarf/releases/download/$(ZARF_VERSION)/zarf_$(ZARF_VERSION)_$(UNAME_S)_$(ARCH) -o build/zarf && \
+	chmod +x build/zarf
+
+.PHONY: build/uds
+build/uds: | build ## Download uds-cli to the build dir
+	if [ -f build/uds ] && [ "$$(build/uds version)" = "$(UDS_CLI_VERSION)" ] ; then exit 0; fi && \
+	echo "Downloading uds-cli" && \
+	curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/$(UDS_CLI_VERSION)/uds-cli_$(UDS_CLI_VERSION)_$(UNAME_S)_$(ARCH) -o build/uds && \
+	chmod +x build/uds
+```
+You can also use brew to install zarf and uds-cli
+```bash
+brew tap defenseunicorns/tap && brew install uds && brew install zarf
+```
+2) build all the zarf packages that support this bundle
+1) build the bundle itself
+1) place the `uds-config.yaml` and the `deploy-dubbd-values.yaml` in the directory where the deployment will take place
+1) deploy the software factory.
+1) update the certs with our certs (This step will be replaced with adding the certs to the configuration in a future version)

packages/object-store/gitlab/secret.yaml

@@ -0,0 +1,34 @@
+# Source: bigbang/templates/gitlab/secret-objectstore.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-object-store
+  namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+  connection: |-
+    provider: AWS
+    region: us-east-1
+    aws_access_key_id: ###ZARF_VAR_ACCESS_KEY###
+    aws_secret_access_key: ###ZARF_VAR_SECRET_KEY###
+    endpoint: ###ZARF_VAR_ENDPOINT###
+    aws_signature_version: 4
+    path_style: true
+  registry: |-
+    s3:
+      bucket: uds-gitlab-registry
+      accesskey: ###ZARF_VAR_ACCESS_KEY###
+      secretkey: ###ZARF_VAR_SECRET_KEY###
+      regionendpoint: ###ZARF_VAR_ENDPOINT###
+      region: us-east-1
+      aws_signature_version: 4
+      path_style: true
+  backups: |-
+    [default]
+    access_key = ###ZARF_VAR_ACCESS_KEY###
+    secret_key = ###ZARF_VAR_SECRET_KEY###
+    host_base = ###ZARF_VAR_ENDPOINT###
+    host_bucket = ###ZARF_VAR_ENDPOINT###
+    bucket_location = us-east-1
+    multipart_chunk_size_mb = 128
+    use_https = False

packages/object-store/gitlab/zarf.yaml

@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: gitlab-object-store
+  version: "0.0.1"
+  architecture: amd64
+
+variables:
+  - name: ENDPOINT
+    default: "replace-me"
+  - name: ACCESS_KEY
+    default: "replace-me"
+  - name: SECRET_KEY
+    default: "replace-me"
+
+components:
+  - name: gitlab-object-store-secret
+    required: true
+    manifests:
+      - name: gitlab-object-store-secret
+        files:
+          - "secret.yaml"

packages/object-store/mattermost/ca-cert.yaml

@@ -0,0 +1,10 @@
+# Source: bigbang/templates/mattermost/secret-objectstore.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-secret
+  namespace: mattermost
+type: kubernetes.io/opaque
+stringData:
+  ca.crt: |
+    ###ZARF_VAR_CA_CERT###

packages/object-store/mattermost/policy-exceptions/externalName.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-object-storage-external-names-exception
+  namespace: mattermost
+spec:
+  exceptions:
+  - policyName: restrict-external-names
+    ruleNames:
+    - external-names
+  match:
+    any:
+    - resources:
+        kinds:
+        - Service
+        namespaces:
+        - mattermost
+        names:
+        - mattermost-object-store

packages/object-store/mattermost/secret.yaml

@@ -0,0 +1,10 @@
+# Source: bigbang/templates/mattermost/secret-objectstore.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-object-store
+  namespace: mattermost
+type: kubernetes.io/opaque
+stringData:
+  accesskey: "###ZARF_VAR_ACCESS_KEY###"
+  secretkey: "###ZARF_VAR_SECRET_KEY###"

packages/object-store/mattermost/zarf.yaml

@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: mattermost-object-store
+  version: "0.0.1"
+  architecture: amd64
+
+variables:
+  - name: ACCESS_KEY
+    default: "replace-me"
+  - name: SECRET_KEY
+    default: "replace-me"
+  - name: CA_CERT
+    default: "replace-me"
+    autoIndent: true
+
+components:
+  - name: object-store-kyverno-exceptions
+    required: true
+    manifests:
+      - name: kyverno-exceptions
+        files:
+          - policy-exceptions/externalName.yaml
+  - name: mattermost-object-store-secret
+    required: true
+    manifests:
+      - name: mattermost-object-store-secret
+        files:
+          - "secret.yaml"
+  - name: mattermost-object-store-ca-cert
+    required: true
+    manifests:
+      - name: mattermost-object-store-ca-cert
+        files:
+          - "ca-cert.yaml"

uds-bundle.yaml

@@ -79,9 +79,9 @@ zarf-packages:
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-redis
     ref: 0.1.8
 
-  - name: gitlab-minio
-    repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-minio
-    ref: 0.1.8
+  - name: gitlab-object-store
+    path: build
+    ref: 0.0.1
 
   - name: gitlab-database-manifests
     path: build
@@ -150,17 +150,17 @@ zarf-packages:
     ref: 0.1.3
 
    # Mattermost Operator with a Mattermost instance
-  - name: mattermost-minio
-    repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-minio
-    ref: 0.1.2
+  - name: mattermost-object-store
+    path: build
+    ref: 0.0.1
 
   - name: mattermost-database-manifests
     path: build
     ref: 0.0.1
 
   - name: mattermost
     repository: ghcr.io/defenseunicorns/uds-capability/mattermost
-    ref: 0.1.2
+    ref: 0.1.5
 
   # Nexus
   - name: nexus-database-manifests

uds-config/dev-cluster/uds-config.yaml

@@ -26,24 +26,30 @@ bundle:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"
           KEYCLOAK_DB_USERNAME: "postgres"
-          KEYCLOAK_DB_PASSWORD: "replace-me"
+          KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
           KEYCLOAK_DB_NAME: "keycloakdb"
           KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
       gitlab-database-manifests:
         set:
           GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi-dev.bigbang.dev"
-          GITLAB_DB_PASSWORD: "replace-me"
+          GITLAB_DB_PASSWORD: "replace-me-db-passwords"
+      gitlab-object-store:
+        set:
+          ENDPOINT: "http://swf.objects.mtsi.bigbang.dev"
+          ACCESS_KEY: "replace-me-object-store-access-key"
+          SECRET_KEY: "replace-me-object-store-secret-key"
       gitlab:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"
           GITLAB_DB_NAME: "gitlabdb"
           GITLAB_DB_USERNAME: "postgres"
           GITLAB_PAGES_ENABLED: "true"
           GITLAB_SIGNUP_ENABLED: "false"
+          BUCKET_SUFFIX: "-dev"
       sonarqube-database-manifests:
         set:
           SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi-dev.bigbang.dev"
-          SONARQUBE_DB_PASSWORD: "replace-me"
+          SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
       sonarqube:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"
@@ -53,7 +59,7 @@ bundle:
       jira-database-manifests:
         set:
           JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi-dev.bigbang.dev"
-          JIRA_DB_PASSWORD: "replace-me"
+          JIRA_DB_PASSWORD: "replace-me-db-passwords"
       jira:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"
@@ -62,7 +68,7 @@ bundle:
       confluence-database-manifests:
         set:
           CONFLUENCE_DB_EXTERNAL_NAME: "confluence-pg.mtsi-dev.bigbang.dev"
-          CONFLUENCE_DB_PASSWORD: "replace-me"
+          CONFLUENCE_DB_PASSWORD: "replace-me-db-passwords"
       confluence:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"
@@ -71,16 +77,35 @@ bundle:
       mattermost-database-manifests:
         set:
           MATTERMOST_DB_EXTERNAL_NAME: "mattermost-pg.mtsi-dev.bigbang.dev"
-          MATTERMOST_DB_PASSWORD: "replace-me"
+          MATTERMOST_DB_PASSWORD: "replace-me-db-passwords"
           MATTERMOST_DB_USERNAME: "postgres"
           MATTERMOST_DB_NAME: "mattermostdb"
+      mattermost-object-store:
+        set:
+          ACCESS_KEY: "replace-me-object-store-access-key"
+          SECRET_KEY: "replace-me-object-store-secret-key"
+          CA_CERT: |
+            -----BEGIN CERTIFICATE-----
+            replace-me-ca-cert-to-trust
+            -----END CERTIFICATE-----
       mattermost:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"
+          MATTERMOST_BUCKET_SUFFIX: "-dev"
+          MATTERMOST_FILE_STORE_ENDPOINT: "swf.objects.mtsi.bigbang.dev"
+          MATTERMOST_VOLUMES: |
+            - name: ca-cert
+              secret:
+                secretName: ca-secret
+                defaultMode: 0644
+          MATTERMOST_VOLUME_MOUNTS: |
+            - name: ca-cert
+              mountPath: /etc/ssl/certs
+              readOnly: true"
       nexus-database-manifests:
         set:
           NEXUS_DB_EXTERNAL_NAME: "nexus-pg.mtsi-dev.bigbang.dev"
-          NEXUS_DB_PASSWORD: "replace-me"
+          NEXUS_DB_PASSWORD: "replace-me-db-passwords"
       nexus:
         set:
           DOMAIN: "mtsi-dev.bigbang.dev"