How to Upgrade this Package📜
Upgrading the mattermost operator instance can be a little tricky since there are a number of changes that are unique to the mattermost operator instance deployed by Big Bang.
Since the mattermost operator chart is built and maintained by Big Bang syncing with upstream is not as straight forward as a kpt pkg update
.
-
Run
kpt pkg update docs/upstream@{NEW OPERATOR TAG} --strategy force-delete-replace
. Notice that this updates the folderdocs/upstream
. -
Incrementally copy the CRD sections from
docs/upstream/mattermost-operator.yaml
into their respective files inchart/mattermost-operator-crds/templates
(it can be helpful to search for---
to find the sections). At this step the following file names to match the CRD names are:clusterinstallations.mattermost.com
,mattermostrestoredbs.mattermost.com
, andmattermosts.installation.mattermost.com
. -
Modify each CRD file to remove
creationTimestamp: null
and add labels. Labels to add:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version }}'
-
Update
chart/mattermost-operator-crds/Chart.yaml
version
andappVersion
to the new operator version. -
Update the versions for
chart/Chart.yaml
to the new operator version (version
,appVersion
, dependencyversion
, and annotations). -
Run
helm dependency update ./chart
and validate that the new CRD chart tgz is underchart/charts
. -
Incrementally copy out the remaining sections from
docs/upstream/mattermost-operator.yaml
into their respective files inchart/templates
. At this step the following file names to match the object types are:clusterrole
,clusterrolebinding
,service
,serviceaccount
, anddeployment
. -
Modify each to add labels and remove
creationTimestamp: null
. Any spot wherenamespace:
if referenced should become{{ .Release.Namespace }}
instead of hardcodedmattermost-operator
. As before, the labels to add:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version }}'
-
For the deployment file: make sure that you maintain the existing values mapping for
replicas
,image
,resources
,imagePullSecrets
,securityContext
,nodeSelector
,affinity
, andtolerations
. These are all BigBang additions that we need to keep. -
Modify
chart/values.yaml
to use the latest image underimage.tag
. -
Add a changelog entry for the Chart version.
-
Update top-level ./README.md using script from gluon library.
-
Open an MR on Repo1 and validate that all changes look as expected in the diffs and CI passes. Make any necessary changes if something looks off or CI fails.
How to test the upgrade📜
Cluster setup📜
Always make sure your local bigbang repo is current before deploying.
- Export your Ironbank/Harbor credentials (this can be done in your ~/.bashrc or ~/.zshrc file if desired). These specific variables are expected by the k3d-dev.sh script when deploying metallb, and are referenced in other commands for consistency:
export REGISTRY_USERNAME='<your_username>'
export REGISTRY_PASSWORD='<your_password>'
export BIGBANG_REPO_DIR=<absolute_path_to_local_bigbang_repo>
export BIGBANG_REPO_DIR=~/repos/bigbang
"${BIGBANG_REPO_DIR}/docs/assets/scripts/developer/k3d-dev.sh"
export KUBECONFIG=~/.kube/<your_kubeconfig_file>
export KUBECONFIG=~/.kube/Sam.Sarnowski-dev-config
"${BIGBANG_REPO_DIR}/scripts/install_flux.sh -u ${REGISTRY_USERNAME} -p ${REGISTRY_PASSWORD}"
Deploy Bigbang Mattermost📜
helm upgrade -i bigbang ${BIGBANG_REPO_DIR}/chart/ -n bigbang --create-namespace \
--set registryCredentials.username=${REGISTRY_USERNAME} --set registryCredentials.password=${REGISTRY_PASSWORD} \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/tests/test-values.yaml \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/chart/ingress-certs.yaml \
-f docs/dev-overrides/minimal.yaml \
-f docs/dev-overrides/docs/dev-overrides/mattermost-testing.yaml
```
This will deploy the following apps for testing:
Mattermost, Mattermost Operator
Grafana, Prometheus, ElasticSearch (if enabled)
- Make sure Mattermost Operator pods/services is up and running with healthy status.
- Scaled Mattermost via Operator
- Accessed web UI
## Big Bang Integration Testing
As part of your MR that modifies bigbang packages, you should modify the bigbang [bigbang/tests/test-values.yaml](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/tests/test-values.yaml?ref_type=heads) against your branch for the CI/CD MR testing by enabling your packages.
To do this, at a minimum, you will need to follow the instructions at [bigbang/docs/developer/test-package-against-bb.md](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/developer/test-package-against-bb.md?ref_type=heads) with changes for Velero enabled (the below is a reference, actual changes could be more depending on what changes where made to Velero in the pakcage MR).
```yaml
addons:
mattermost:
enabled: true
sso:
enabled: true
values:
enterprise:
enabled: true
monitoring:
enabled: true
mattermostOperator:
enabled: true
git:
tag: null
# branch: 33-implement-istio-authorization-policies
branch: "renovate/ironbank"
values:
istio:
hardened:
enabled: true
# enabled: false
minio:
enabled: true
# git:
# tag: null
# branch: master
Chart Additions📜
automountServiceAccountToken📜
The mutating Kyverno policy named update-automountserviceaccounttokens
is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false
. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.
This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods:
array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.
Files that need integration testing📜
If you modify any of these things, you should perform an integration test with your branch against the rest of bigbang. Some of these files have automatic tests already defined, but those automatic tests may not model corner cases found in full integration scenarios.
./chart/templates/bigbang/*
./chart/templates/clusterrole.yaml
./chart/templates/clusterrolebinding.yaml
./chart/values.yaml
if it involves any of:- monitoring changes
- network policy changes
- kyverno policy changes
- istio hardening rule changes
- service definition changes
- TLS settings
Follow the standard process for performing an integration test against bigbang.