diff --git a/chart/templates/mattermost-sso-secret.yaml b/chart/templates/mattermost-sso-secret.yaml
new file mode 100644
index 00000000..4d3abd00
--- /dev/null
+++ b/chart/templates/mattermost-sso-secret.yaml
@@ -0,0 +1,15 @@
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
+# Mattermost needs to mount the secret and creating it this way avoids creating an unnecessary
+# client in the keycloak realm and unnecessary secret data in the cluster.
+{{- if not .Values.sso.enabled }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.sso.secretName }}
+  namespace: {{ .Release.Namespace }}
+type: "Opaque"
+stringData:
+  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
+
+{{- end }}
diff --git a/chart/templates/mattermost-sso.yaml b/chart/templates/mattermost-sso.yaml
deleted file mode 100644
index 84de4369..00000000
--- a/chart/templates/mattermost-sso.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mattermost-sso
-  namespace: {{ .Release.Namespace }}
-type: Opaque
-stringData:
-  MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
-  MM_GITLABSETTINGS_ID: "{{ .Values.sso.client_id }}"
-  MM_GITLABSETTINGS_SECRET: "{{ .Values.sso.client_secret }}"
-  MM_GITLABSETTINGS_AUTHENDPOINT: "{{ .Values.sso.auth_endpoint }}"
-  MM_GITLABSETTINGS_TOKENENDPOINT: "{{ .Values.sso.token_endpoint }}"
-  MM_GITLABSETTINGS_USERAPIENDPOINT: "{{ .Values.sso.user_api_endpoint }}"
-  MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}"
-  MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}"
-  MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}"
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index efbf7ad2..89cd9060 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
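Review bot: The fallback Secret renders only MM_GITLABSETTINGS_ENABLE, so with sso.enabled=false the three MM_EMAILSETTINGS_* values in values.yaml are no longer rendered anywhere (the deleted mattermost-sso.yaml rendered them unconditionally) and Mattermost's own built-in defaults take effect instead. If those flags are meant to be operator-controlled in both modes, add them under stringData, e.g. `MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}"` plus the two ENABLESIGNIN keys; if not, the header comment should state that the email/username sign-in flags only apply when SSO is enabled, since an operator reading values.yaml will assume otherwise. The templated `name:` and `namespace:` scalars are unquoted; quoting them (`name: "{{ .Values.sso.secretName }}"`) guards against an empty or boolean-looking value producing a null or non-string name at render time.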
@@ -4,6 +4,30 @@ metadata:
   name: mattermost
   namespace: {{ .Release.Namespace }}
 spec:
+  {{- if .Values.sso.enabled }}
+  sso:
+    - name: Mattermost Login
+      clientId: uds-swf-mattermost
+      redirectUris:
+        - "https://chat.uds.dev/*"
+      defaultClientScopes:
+        - "openid"
+        - "mapper-oidc-username-username"
+        - "mapper-oidc-mattermostid-id"
+        - "mapper-oidc-email-email"
+
+      secretName: {{ .Values.sso.secretName }}
+      secretTemplate:
+        MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"
+        MM_GITLABSETTINGS_ID: "clientField(clientId)"
+        MM_GITLABSETTINGS_SECRET: "clientField(secret)"
+        MM_GITLABSETTINGS_AUTHENDPOINT: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/auth"
+        MM_GITLABSETTINGS_TOKENENDPOINT: "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/token"
+        MM_GITLABSETTINGS_USERAPIENDPOINT: "https://sso.{{ .Values.domain }}/realms/uds/protocol/openid-connect/userinfo"
+        MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL: "{{ .Values.sso.enable_sign_up_with_email | toString }}"
+        MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL: "{{ .Values.sso.enable_sign_in_with_email | toString }}"
+        MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME: "{{ .Values.sso.enable_sign_in_with_username | toString }}"
+  {{- end }}
   network:
     expose:
       - service: mattermost-enterprise-edition
diff --git a/chart/values.yaml b/chart/values.yaml
index 5cd1d54d..9e5a07a7 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,3 +1,5 @@
+domain: "###ZARF_VAR_DOMAIN###"
+
 objectStorage:
   secure: true
   accessKey: ""
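Review bot: The redirect URI under `redirectUris:` is hard-coded to `https://chat.uds.dev/*` while the auth and userinfo endpoints a few lines below are built from `.Values.domain` (and values.yaml already defines `subdomain: "chat"`), so on any deployment whose domain is not uds.dev the Keycloak client will reject Mattermost's callback, and the registered redirect points at a host the deployment does not own. Build it from the same values: `- "https://{{ .Values.subdomain }}.{{ .Values.domain }}/*"`; and since a trailing `/*` accepts a redirect to any path on that host, narrow it to the callback path Mattermost actually uses if that path is known. MM_GITLABSETTINGS_TOKENENDPOINT is the only one of the three endpoints on plain `http://` (the in-cluster keycloak-http service on 8080), and it is the leg on which the client secret is presented; if the cluster's mesh enforces mTLS for that hop this is acceptable, but a comment saying so (`# in-cluster token endpoint; relies on mesh mTLS, not TLS at the service`) would keep a later refactor from exposing it. `MM_GITLABSETTINGS_ENABLE: "{{ .Values.sso.enabled | toString }}"` inside the `{{- if .Values.sso.enabled }}` guard can only ever render "true", so a literal `"true"` reads more honestly.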
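Review bot: `domain: "###ZARF_VAR_DOMAIN###"` carries no comment explaining that the value is a Zarf variable placeholder substituted at package deploy time; rendered outside Zarf (a plain `helm template` or `helm install` of the chart) the SSO endpoints in uds-package.yaml become `https://sso.###ZARF_VAR_DOMAIN###/...`, which is syntactically valid and only fails at runtime. Suggest `# Substituted by Zarf from ZARF_VAR_DOMAIN at deploy time; override explicitly when installing the chart directly.` directly above the key. Note that a Helm `required` check on `.Values.domain` would not catch this case, because the placeholder is a non-empty string, so the comment is the practical guard.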
@@ -16,16 +18,13 @@ postgres:
   connectionOptions: ""
 
 sso:
-  enabled: false
-  client_id: ""
-  client_secret: ""
-  auth_endpoint: ""
-  token_endpoint: ""
-  user_api_endpoint: ""
+  enabled: true
+  secretName: mattermost-sso
+
   # These should typically be disabled if SSO is enabled
-  enable_sign_up_with_email: true
-  enable_sign_in_with_email: true
-  enable_sign_in_with_username: true
+  enable_sign_up_with_email: false
+  enable_sign_in_with_email: false
+  enable_sign_in_with_username: false
 
 # The subdomain for the mattermost server, will be prefixed to your domain (ex: mattermost.example.com)
 subdomain: "chat"
diff --git a/tasks.yaml b/tasks.yaml
index 6e7be2b2..708dbd99 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -2,11 +2,11 @@ includes:
   - cleanup: ./tasks/cleanup.yaml
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/setup.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/setup.yaml
 
 tasks:
   - name: default
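Review bot: `secretName: mattermost-sso` is a coupling point with no documentation: the name has to agree with the Secret rendered by uds-package.yaml (sso enabled) or mattermost-sso-secret.yaml (sso disabled) and with whatever the Mattermost workload mounts, and nothing in values.yaml says so. Suggest `# Name of the Secret holding the MM_* SSO settings; rendered by uds-package.yaml when sso.enabled is true, by mattermost-sso-secret.yaml otherwise, and mounted by the Mattermost deployment under this name.` above the key. Defaulting `enabled` to true while turning all three email/username sign-in flags to false is the right posture once SSO works, but it leaves no local login path if the Keycloak client is not provisioned or the IdP is unreachable; the existing "These should typically be disabled" comment could add that an operator needs a break-glass procedure (for example temporarily re-enabling `enable_sign_in_with_email`) before relying on these defaults. As far as I can tell from this hunk the three flags are only rendered on the SSO-enabled path, so a sentence saying they have no effect when `enabled: false` would also prevent surprises.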
@@ -39,6 +39,12 @@ tasks: - task: dependencies:create - task: create:test-bundle + - name: dev + description: Create and deploy the bundle on an existing cluster (for iteration/dev speed) + actions: + - task: create-mm-test-bundle + - task: deploy:test-bundle + # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names - name: test-package