Upgrading to a new version
Mattermost is a Big Bang built chart. As a result there is no Kptfile to handle any automatic updates from upstream. The steps below detail how to update to a new version of the Mattermost package.
- Review the upstream changelog for the version you are updating to, as well as any versions skipped between the last BB release and this one. Note any breaking changes and new features.
- Modify the image.tag value in chart/values.yaml to point to the newest version of Mattermost.
- Based on the upstream changelog review from earlier, make any changes required to resolve breaking changes.
- Modify the version in Chart.yaml. This is a Big Bang built and owned chart, so we sync the chart version with the appVersion (ex: appVersion 6.6.0 -> chart version 6.6.0-bb.0). Also modify the appVersion and the bigbang.dev/applicationVersions to the new upstream version of Mattermost (the same version you put in for the image tag value).
- Check the latest version of minio-instance within Chart.yaml, then run helm dependency update chart if applicable.
- Make sure that helm.sh/images in Chart.yaml points to the correct images for minio and postgresql.
- Update CHANGELOG.md, adding an entry for the new version and noting all changes (at minimum it should include Updated Mattermost to x.x.x).
- Generate the README.md updates by following the guide in gluon.
- Validate that tests/dependencies.yaml points to the latest tag for mattermost-operator. If it doesn’t, update it.
- Open an MR in “Draft” status and validate that CI passes. This will perform a number of smoke tests against the package, but it is good to manually deploy to test some things that CI doesn’t. Follow the steps below for manual testing.
- Once all manual testing is complete, take your MR out of “Draft” status and add the review label.
Testing for updates
NOTE: It is good to run these testing steps on both a clean install and an upgrade. For a clean install, point Mattermost to your branch. For an upgrade, do an install with Mattermost pointing to the latest tag, then perform a helm upgrade with Mattermost pointing to your branch.
You will want to install with:
- -b on the k3d script, if you are using it
- Mattermost, Mattermost Operator, and Minio Operator enabled
- Istio enabled
- Dev SSO values for Mattermost
- Enterprise enabled - if you do not pass a license in, navigate to the System Console after install to start a trial
  - You can generate a license by starting the free trial.
  - You can recover your license by running the following command. This is not necessary unless you wish to re-use the license on subsequent installs.
    kubectl exec -n mattermost mattermost-postgresql-0 -- bash -c 'PGPASSWORD=bigbang psql -t -U mattermost -c "select bytes from licenses;"' > encoded.mattermost-license
  - Note: this is a base64 file that you can decode to read parts of the JSON (though it contains other data that does not come out correctly as JSON), but Mattermost expects the encoded file.
- Elasticsearch enabled + integration enabled
- Monitoring enabled
Here is an example override file.
Testing Steps:
- Log in with SSO via your login.dso.mil account.
- Follow the initial setup to create a team and send an initial chat.
- Under account settings, upload a profile picture. Validate the upload is successful and your profile picture is visible.
- Navigate to Prometheus and validate that the Mattermost target shows as up (make sure you are on enterprise and have started a trial).
- Under system console -> elastic -> index now and validate success (make sure you are on enterprise and have started a trial).
  - NOTE: This doesn’t seem to be working at the moment.
- Check Grafana for data in the Mattermost Performance Monitoring v2 dashboard (ensure you change the server on the dashboard to point to the Mattermost pod IP).
When in doubt with any testing or upgrade steps ask one of the CODEOWNERS for assistance.
Chart Additions
automountServiceAccountToken
The mutating Kyverno policy named update-automountserviceaccounttokens is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.
This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods: array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.
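To confirm the hardening described above after a deploy, the following added example (not part of the Big Bang chart or its documentation) audits the output of kubectl get serviceaccounts,pods -n mattermost -o json. It lists ServiceAccounts that are not set to automountServiceAccountToken: false and Pods that still mount a token without being expected to. The embedded listing is constructed sample data, and treating the entries of the pods: array as glob patterns is an assumption.

```python
import json
from fnmatch import fnmatch

# Constructed sample, shaped like `kubectl get serviceaccounts,pods -n mattermost -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default"},
  "automountServiceAccountToken": false},
 {"kind": "ServiceAccount", "metadata": {"name": "mattermost"}},
 {"kind": "Pod", "metadata": {"name": "mattermost-0"},
  "spec": {"serviceAccountName": "mattermost"}},
 {"kind": "Pod", "metadata": {"name": "mattermost-minio-0"},
  "spec": {"serviceAccountName": "default"}},
 {"kind": "Pod", "metadata": {"name": "mattermost-postgresql-0"},
  "spec": {"serviceAccountName": "default", "automountServiceAccountToken": true}}
]}
""")

def audit(listing, allowed_pods=()):
    """Return (ServiceAccounts not hardened, Pods mounting a token unexpectedly)."""
    items = listing["items"]
    sa_flag = {i["metadata"]["name"]: i.get("automountServiceAccountToken")
               for i in items if i["kind"] == "ServiceAccount"}
    # A ServiceAccount counts as hardened only when the field is explicitly false.
    unhardened = sorted(n for n, v in sa_flag.items() if v is not False)
    unexpected = []
    for pod in (i for i in items if i["kind"] == "Pod"):
        spec = pod["spec"]
        # Kubernetes precedence: Pod spec value, then the ServiceAccount's, else true.
        mount = spec.get("automountServiceAccountToken")
        if mount is None:
            mount = sa_flag.get(spec.get("serviceAccountName", "default"))
        if mount is None:
            mount = True
        name = pod["metadata"]["name"]
        # allowed_pods stands in for the policy's pods: array (glob matching assumed).
        if mount and not any(fnmatch(name, pat) for pat in allowed_pods):
            unexpected.append(name)
    return unhardened, sorted(unexpected)

if __name__ == "__main__":
    sas, pods = audit(SAMPLE, allowed_pods=["mattermost-postgresql-*"])
    print("ServiceAccounts without automountServiceAccountToken: false:", sas)
    print("Pods mounting a token without an allow-list entry:", pods)
```

Against a live cluster, replace SAMPLE with the parsed kubectl output and pass the pod names listed in the policy's pods: array for the namespace.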