feat!: add object store secret generation (#229)

## Description

-  add object store secret generation
- switch to minio operator for object store dependency

## Related Issue

Fixes #
<!-- or -->
Relates to #

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow)
followed

.gitignore

@@ -18,7 +18,7 @@ zarf-sbom
 tmp/
 values-*.yaml
 overlay-values-*
-
+upgrade-test/
 # Tests
 node_modules/
 tests/node_modules/*
@@ -29,3 +29,4 @@ tests/.playwright/**/*
 tests/data/gitlab-test-ssh-key
 tests/data/gitlab-test-ssh-key.pub
 tests/data/uds-package-test-*
+oscal-assessment-results.yaml

bundle/uds-bundle.yaml

@@ -10,13 +10,39 @@ metadata:
   # x-release-please-end
 
 packages:
-  - name: dev-minio
-    repository: ghcr.io/defenseunicorns/packages/uds/dev-minio
-    ref: 0.0.2
-
-  - name: dev-namespace
-    path: ../
-    ref: 0.1.0
+  - name: minio-operator
+    repository: ghcr.io/defenseunicorns/packages/uds/minio-operator
+    # x-release-please-start-version
+    ref: 6.0.4-uds.0-upstream
+    # x-release-please-end
+    overrides:
+      minio-operator:
+        uds-minio-config:
+          values:
+            # Test helm overrides to provision app specific buckets, policies and creds
+            - path: apps
+              value:
+                - name: gitlab
+                  namespace: gitlab
+                  bucketNames:
+                    - uds-gitlab-artifacts
+                    - uds-gitlab-backups
+                    - uds-gitlab-ci-secure-files
+                    - uds-gitlab-dependency-proxy
+                    - uds-gitlab-lfs
+                    - uds-gitlab-mr-diffs
+                    - uds-gitlab-packages
+                    - uds-gitlab-pages
+                    - uds-gitlab-terraform-state
+                    - uds-gitlab-uploads
+                    - uds-gitlab-registry
+                    - uds-gitlab-tmp
+                  policy: ""
+                  copyPassword:
+                    enabled: true
+                    secretName: "gitlab-minio"
+                    secretIDKey: "access_key"
+                    secretPasswordKey: "secret_key"
 
   - name: postgres-operator
     repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
@@ -62,10 +88,6 @@ packages:
                 secretName: gitlab-redis
                 secretKey: password
 
-  - name: dev-secrets
-    path: ../
-    ref: 0.1.0
-
   - name: gitlab
     path: ../
     # x-release-please-start-version

bundle/uds-config.yaml

@@ -2,20 +2,6 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 variables:
-  dev-minio:
-    buckets: |
-      - name: uds-gitlab-artifacts
-      - name: uds-gitlab-backups
-      - name: uds-gitlab-ci-secure-files
-      - name: uds-gitlab-dependency-proxy
-      - name: uds-gitlab-lfs
-      - name: uds-gitlab-mr-diffs
-      - name: uds-gitlab-packages
-      - name: uds-gitlab-pages
-      - name: uds-gitlab-terraform-state
-      - name: uds-gitlab-uploads
-      - name: uds-gitlab-registry
-      - name: uds-gitlab-tmp
   gitlab:
     DISABLE_REGISTRY_REDIRECT: "true"
     GITLAB_PAGES_ENABLED: true

charts/config/templates/gitlab-object-store-secret.yaml

@@ -0,0 +1,77 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- if .Values.storage.createSecret.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-object-store
+  namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+  {{- $awsAccessKey := "" }}
+  {{- $awsSecretKey := "" }}
+
+  {{- if eq .Values.storage.createSecret.provider "minio" }}
+
+  {{- $secret := lookup "v1" "Secret" .Values.storage.createSecret.secretRef.secretNamespace .Values.storage.createSecret.secretRef.secretName }}
+  {{- if and $secret (index $secret.data .Values.storage.createSecret.secretRef.secretIDKey) }}
+    {{- $awsAccessKey = (index $secret.data .Values.storage.createSecret.secretRef.secretIDKey | b64dec) }}
+  {{- else }}
+    {{- $awsAccessKey = .Values.storage.createSecret.accessKey | quote }}
+  {{- end }}
+
+  {{- if and $secret (index $secret.data .Values.storage.createSecret.secretRef.secretPasswordKey) }}
+    {{- $awsSecretKey = (index $secret.data .Values.storage.createSecret.secretRef.secretPasswordKey | b64dec) }}
+  {{- else }}
+    {{- $awsSecretKey = .Values.storage.createSecret.secretKey | quote }}
+  {{- end }}
+
+  connection: |-
+    provider: AWS
+    region: {{ .Values.storage.createSecret.region | quote }}
+    aws_access_key_id: {{ $awsAccessKey }}
+    aws_secret_access_key: {{ $awsSecretKey }}
+    endpoint: {{ .Values.storage.endpoint | quote }}
+    aws_signature_version: 4
+    path_style: true
+  registry: |-
+    s3:
+      bucket: {{ .Values.storage.createSecret.bucketPrefix }}gitlab-registry{{ .Values.storage.createSecret.bucketSuffix }}
+      aws_access_key_id: {{ $awsAccessKey }}
+      aws_secret_access_key: {{ $awsSecretKey }}
+      regionendpoint: {{ .Values.storage.endpoint | quote }}
+      region: {{ .Values.storage.createSecret.region | quote }}
+      aws_signature_version: 4
+      path_style: true
+  backups: |-
+    [default]
+    aws_access_key_id = {{ $awsAccessKey }}
+    aws_secret_access_key = {{ $awsSecretKey }}
+    host_base = {{ .Values.storage.endpoint | quote }}
+    host_bucket = {{ .Values.storage.endpoint | quote }}
+    bucket_location = {{ .Values.storage.createSecret.region | quote }}
+    multipart_chunk_size_mb = 128
+    use_https = False
+
+  {{- else if eq .Values.storage.createSecret.provider "aws" }}
+  ### AWS
+  connection: |-
+    provider: AWS
+    region: {{ .Values.storage.createSecret.region | quote }}
+    use_iam_profile: true
+    aws_signature_version: 4
+    path_style: false
+  registry: |-
+    s3:
+      bucket: {{ .Values.storage.createSecret.bucketPrefix }}gitlab-registry{{ .Values.storage.createSecret.bucketSuffix }}
+      region: {{ .Values.storage.createSecret.region | quote }}
+  backups: |-
+    [default]
+    host_base = "s3.{{ .Values.storage.createSecret.region }}.amazonaws.com"
+    host_bucket = "s3.{{ .Values.storage.createSecret.region }}.amazonaws.com"
+    bucket_location = AWS
+    multipart_chunk_size_mb = 128
+    use_https = True
+  {{- end }}
+{{- end }}

charts/config/values.yaml

@@ -18,12 +18,29 @@ sso:
   requiredGroups: []
   adminGroups: ["/GitLab Admin", "/UDS Core/Admin"]
 storage:
-  # Set to false to use external storage
-  internal: true
+  internal: true  # Set to false to use external storage
   selector:
     app: minio
-  namespace: dev-minio
+  namespace: minio
   port: 9000
+  endpoint: "http://uds-minio-hl.minio.svc.cluster.local:9000"
+  createSecret:
+    enabled: true
+    accessKey: ""
+    secretKey: ""
+    bucketPrefix: "###ZARF_VAR_BUCKET_PREFIX###"
+    bucketSuffix: "###ZARF_VAR_BUCKET_SUFFIX###"
+    region: "minio"
+    # provider: aws or minio; if aws, assumed IRSA is used
+    # and annotations need to be passed to necessary service accounts in the gitlab chart
+    provider: "minio"
+    secretRef:
+      enabled: true  # Set to true to use secret reference
+      secretNamespace: "gitlab"
+      secretName: "gitlab-minio"
+      secretIDKey: "access_key"
+      secretPasswordKey: "secret_key"
+
 redis:
   password: ""
 

common/zarf.yaml

@@ -28,6 +28,10 @@ components:
         localPath: ../charts/settings
     actions:
       onDeploy:
+        before:
+          - cmd: ./zarf tools kubectl annotate secret -n gitlab gitlab-object-store meta.helm.sh/release-namespace=gitlab --overwrite || true
+          - cmd: ./zarf tools kubectl label secret -n gitlab gitlab-object-store app.kubernetes.io/managed-by=Helm --overwrite || true
+          - cmd: ./zarf tools kubectl annotate secret -n gitlab gitlab-object-store meta.helm.sh/release-name=uds-gitlab-config --overwrite || true
         after:
           - description: Validate GitLab Package
             maxTotalSeconds: 300

tasks.yaml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 includes:
-  - dependencies: ./tasks/dependencies.yaml
+  # TODO Delete dependencies.yaml after next releaser
   - test: ./tasks/test.yaml
   - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.2.2/tasks/create.yaml
   - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.2.2/tasks/publish.yaml
@@ -33,9 +33,10 @@ tasks:
   - name: create-deploy-test-bundle
     description: Test and validate cluster is deployed with GitLab
     actions:
-      - task: dependencies:create
       - task: create:test-bundle
       - task: deploy:test-bundle
+      - cmd: ./uds zarf tools kubectl -n gitlab rollout restart deployment
+      - cmd: ./uds zarf tools kubectl rollout status deploy -n gitlab
       - task: setup:create-doug-user
       - task: test:all
 
@@ -59,6 +60,7 @@ tasks:
   - name: test-upgrade
     description: Test an upgrade from the latest released package to the current branch
     actions:
+      # TODO Delete dependencies.yaml after next releaser
       - task: upgrade:create-latest-tag-bundle
         with:
           dep_commands: ./uds run dependencies:create
@@ -79,8 +81,6 @@ tasks:
         if: ${{ or (ne .variables.FLAVOR "upstream") (ne .variables.ARCH "arm64") }}
       - task: create-deploy-test-bundle
         if: ${{ or (ne .variables.FLAVOR "upstream") (ne .variables.ARCH "arm64") }}
-      - task: dependencies:create
-        if: ${{ and (eq .variables.FLAVOR "upstream") (eq .variables.ARCH "arm64") }}
       - task: create:test-bundle
         if: ${{ and (eq .variables.FLAVOR "upstream") (eq .variables.ARCH "arm64") }}
       - description: Publish the package