Add FIPS migration guide for existing deployments#8936
Open
ewwollesen wants to merge 4 commits intomasterfrom
Open
Add FIPS migration guide for existing deployments#8936ewwollesen wants to merge 4 commits intomasterfrom
ewwollesen wants to merge 4 commits intomasterfrom
Conversation
Adds a step-by-step guide for migrating an existing Docker or Kubernetes Mattermost deployment to the FIPS-compliant container image, separate from the existing FIPS overview which covers new deployments. Links the new page from the existing FIPS overview note and registers it via a hidden toctree on the containers deployment page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ewwollesen
force-pushed
the
docs/fips-migration-guide
branch
from
a0f380e to
b30d4f4
Compare
Contributor
📝 WalkthroughWalkthroughThis PR adds a new FIPS migration guide for Mattermost containers and updates navigation and an existing FIPS doc to link to it. The new guide details prerequisites, downtime planning, Kubernetes and Docker/Docker Compose migration steps, post-migration checks, and rollback procedures. ChangesFIPS Container Migration Documentation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
|
Newest code from mattermost has been published to preview environment for Git SHA a0f380e |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new documentation page that provides step-by-step instructions for migrating existing Docker/Compose and Kubernetes (Operator-managed) Mattermost deployments to the FIPS-compliant Enterprise container image, and wires that page into the existing containers/FIPS documentation so it’s discoverable and indexed by Sphinx.
Changes:
- Adds a new FIPS migration guide page for existing deployments.
- Updates the FIPS/STIG overview to link to the new migration guide.
- Registers the new page via a hidden toctree so it’s included in the Sphinx build/search index.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| source/deployment-guide/server/deploy-containers.rst | Adds a hidden toctree entry so the new FIPS migration page is included in Sphinx output/search. |
| source/deployment-guide/server/containers/fips-stig.rst | Adds a direct link from the FIPS/STIG overview note to the new migration guide. |
| source/deployment-guide/server/containers/fips-migration.rst | Introduces a new migration procedure doc for swapping existing deployments to the FIPS Enterprise image (Kubernetes Operator + Docker/Compose). |
Contributor
|
Newest code from mattermost has been published to preview environment for Git SHA b30d4f4 |
FIPS is a Kubernetes/Docker-only offering and follows the same plan availability as Kubernetes deployments — not available on Professional. Swap the badge from all-commercial to entry-ent to match the existing Kubernetes deployment page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
Newest code from mattermost has been published to preview environment for Git SHA 0edcf76 |
- Make Kubernetes commands namespace-aware and workload-agnostic. Use kubectl -n [namespace] consistently and replace deployment- targeted rollout/log commands with pod-level equivalents that don't assume the workload kind or naming derived from the CR name. - Switch the Docker section to the .env-based image swap supported by the official mattermost/docker deployment (MATTERMOST_IMAGE / MATTERMOST_IMAGE_TAG) instead of editing docker-compose.yml directly. Use a <tag> placeholder rather than a hardcoded version. - Rewrite the FIPS overview cross-link to point readers explicitly at the FIPS/STIG tab on Deploy Mattermost using Containers. - Expand the v11.7 14-character Postgres password prerequisite with pointers to where the password is stored in each supported deployment (.env for Docker, the database Secret referenced by the Mattermost CR for Operator deployments). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
Newest code from mattermost has been published to preview environment for Git SHA 4ec3a6e |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
source/deployment-guide/server/containers/fips-migration.rst (2)
80-80: ⚡ Quick winBreak up long introductory sentence for readability.
This 79-word sentence is difficult to scan and may overwhelm Novice Nate. Consider breaking it into two sentences or using a structured list to separate the context (official deployment) from the customization note.
Suggested revision
-These steps are written for the official `Mattermost Docker deployment <https://github.com/mattermost/docker>`_, which selects the Mattermost image and tag through ``.env`` variables (``MATTERMOST_IMAGE`` and ``MATTERMOST_IMAGE_TAG``) referenced from ``docker-compose.yml`` as ``mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}``. If you're using a custom Docker setup that hardcodes the image in ``docker-compose.yml`` or uses different variable names, adapt these steps accordingly. +These steps are written for the official `Mattermost Docker deployment <https://github.com/mattermost/docker>`_. That deployment selects the Mattermost image and tag through ``.env`` variables (``MATTERMOST_IMAGE`` and ``MATTERMOST_IMAGE_TAG``) referenced from ``docker-compose.yml`` as ``mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}``. + +If you're using a custom Docker setup that hardcodes the image in ``docker-compose.yml`` or uses different variable names, adapt these steps accordingly.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@source/deployment-guide/server/containers/fips-migration.rst` at line 80, Split the long introductory sentence in the fips-migration.rst paragraph into two clearer sentences (or a short list): first state that the steps target the official Mattermost Docker deployment and how the image/tag are selected via .env variables, and then add a separate sentence explaining that if a custom Docker setup hardcodes the image in docker-compose.yml or uses different variable names (notably MATTERMOST_IMAGE and MATTERMOST_IMAGE_TAG) the reader should adapt the steps accordingly; update the text around the references to docker-compose.yml, MATTERMOST_IMAGE and MATTERMOST_IMAGE_TAG to keep them intact but move them into the second, shorter sentence for readability.
71-75: ⚡ Quick winAdd expected output example for verification command.
The
jsonpathcommand in step 6 is useful but complex. Novice Nate would benefit from knowing what successful output looks like to confirm the FIPS image is running.Consider adding a brief example of expected output, such as:
6. Verify the running pods are using the FIPS image: .. code-block:: sh kubectl -n [namespace] get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}' + + You should see output showing your Mattermost pods running the ``mattermost-enterprise-fips-edition`` image.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@source/deployment-guide/server/containers/fips-migration.rst` around lines 71 - 75, Add a short example of the expected command output immediately after the kubectl jsonpath command so readers can verify success; show the output format is "pod-name<TAB>container-image" and include a sample line such as: my-app-xxxx<TAB>myrepo/myapp:fips (or my-app-xxxx<TAB>myrepo/myapp:fips-1.0) to indicate the FIPS-tagged image is being used; update the text near the command invocation (the kubectl -n [...] get pods -o jsonpath=... line) to include this example output for clarity.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@source/deployment-guide/server/containers/fips-migration.rst`:
- Line 26: Split the dense prerequisite into short ordered steps: state the
requirement (PostgreSQL password must be ≥14 chars for FIPS), then give explicit
sub-steps: (1) rotate the DB password in PostgreSQL using your DB admin tool or
psql; (2) update the stored credential in your deployment (update
POSTGRES_PASSWORD in .env for the Docker deployment or the Secret referenced by
spec.database.external.secret for Operator/Kubernetes); and (3) ensure
Mattermost loads the new credential — either restart Mattermost after updating
the secret to make the server pick up the new password, or skip a separate
restart if you plan to perform the migration immediately because the migration
will recreate the container and apply the image swap; mention updating
credentials before migration to avoid connectivity failures. Reference
POSTGRES_PASSWORD, .env, spec.database.external.secret and Mattermost in the
steps.
---
Nitpick comments:
In `@source/deployment-guide/server/containers/fips-migration.rst`:
- Line 80: Split the long introductory sentence in the fips-migration.rst
paragraph into two clearer sentences (or a short list): first state that the
steps target the official Mattermost Docker deployment and how the image/tag are
selected via .env variables, and then add a separate sentence explaining that if
a custom Docker setup hardcodes the image in docker-compose.yml or uses
different variable names (notably MATTERMOST_IMAGE and MATTERMOST_IMAGE_TAG) the
reader should adapt the steps accordingly; update the text around the references
to docker-compose.yml, MATTERMOST_IMAGE and MATTERMOST_IMAGE_TAG to keep them
intact but move them into the second, shorter sentence for readability.
- Around line 71-75: Add a short example of the expected command output
immediately after the kubectl jsonpath command so readers can verify success;
show the output format is "pod-name<TAB>container-image" and include a sample
line such as: my-app-xxxx<TAB>myrepo/myapp:fips (or
my-app-xxxx<TAB>myrepo/myapp:fips-1.0) to indicate the FIPS-tagged image is
being used; update the text near the command invocation (the kubectl -n [...]
get pods -o jsonpath=... line) to include this example output for clarity.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 7ce1e735-3a0d-4edc-bfe1-8fd5b46767b4
📒 Files selected for processing (3)
source/deployment-guide/server/containers/fips-migration.rstsource/deployment-guide/server/containers/fips-stig.rstsource/deployment-guide/server/deploy-containers.rst
Break the dense v11.7 14-character password prerequisite into a/b/c sub-steps so the sequencing is unambiguous: rotate the password in Postgres, then update where the deployment stores it, then proceed to the image swap. Add a one-line ALTER USER example so novice admins have a starting point. Resolve the contradictory restart guidance: the migration's container recreate applies the new credentials, so no separate restart is needed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
source/deployment-guide/server/containers/fips-migration.rst (1)
26-37: ⚡ Quick winPromote the v11.7+ password constraint to an
importantadmonition.Line 26 contains a hard prerequisite that can break migration if missed; surfacing it as
.. important::will make it easier for admins to spot before executing steps.Suggested minimal diff
-5. **PostgreSQL password length.** Beginning with Mattermost v11.7, the Postgres password used by the Mattermost server must be at least 14 characters when running the FIPS image. If your current password is shorter, complete these steps before swapping the image: +.. important:: + **PostgreSQL password length (v11.7+).** Beginning with Mattermost v11.7, the Postgres password used by the Mattermost server must be at least 14 characters when running the FIPS image. If your current password is shorter, complete these steps before swapping the image: - a. Rotate the password in PostgreSQL. For example, connecting as a Postgres superuser and replacing ``mmuser`` and ``<new password>`` to match your deployment: + 1. Rotate the password in PostgreSQL. For example, connecting as a Postgres superuser and replacing ``mmuser`` and ``<new password>`` to match your deployment: .. code-block:: sql ALTER USER mmuser WITH PASSWORD '<new password>'; - b. Update the password where your deployment stores it: in the official Docker deployment, the ``POSTGRES_PASSWORD`` value in ``.env``; in Operator-managed Kubernetes deployments, the database Secret referenced by your ``Mattermost`` custom resource (commonly under ``spec.database.external.secret``). + 2. Update the password where your deployment stores it: in the official Docker deployment, the ``POSTGRES_PASSWORD`` value in ``.env``; in Operator-managed Kubernetes deployments, the database Secret referenced by your ``Mattermost`` custom resource (commonly under ``spec.database.external.secret``). - c. Proceed to the image swap procedure for your deployment type below. Recreating the container as part of the migration applies the new credentials — no separate restart is required. + 3. Proceed to the image swap procedure for your deployment type below. Recreating the container as part of the migration applies the new credentials — no separate restart is required.As per coding guidelines, use
importantadmonition for prerequisites, constraints, or high-impact information that materially affects correctness, supportability, compliance, or success.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@source/deployment-guide/server/containers/fips-migration.rst` around lines 26 - 37, Convert the "5. **PostgreSQL password length.**" prerequisite paragraph (the paragraph and its sub-steps a–c) into an important admonition by replacing the plain paragraph with a reST ".. important::" block containing the same text and the SQL code-block; ensure the heading text ("PostgreSQL password length.") and the three steps (a. ALTER USER..., b. Update the password..., c. Proceed to the image swap...) are preserved verbatim inside that admonition so the constraint is highlighted to admins.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@source/deployment-guide/server/containers/fips-migration.rst`:
- Around line 26-37: Convert the "5. **PostgreSQL password length.**"
prerequisite paragraph (the paragraph and its sub-steps a–c) into an important
admonition by replacing the plain paragraph with a reST ".. important::" block
containing the same text and the SQL code-block; ensure the heading text
("PostgreSQL password length.") and the three steps (a. ALTER USER..., b. Update
the password..., c. Proceed to the image swap...) are preserved verbatim inside
that admonition so the constraint is highlighted to admins.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 82b24583-9546-4d82-bade-911837c10857
📒 Files selected for processing (1)
source/deployment-guide/server/containers/fips-migration.rst
Contributor
|
Newest code from mattermost has been published to preview environment for Git SHA ff5f1e5 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
source/deployment-guide/server/containers/fips-migration.rst— a step-by-step guide for migrating an existing Docker or Kubernetes Mattermost deployment to themattermost/mattermost-enterprise-fips-editionimage.fips-stig.rst), which previously only said "existing deployments can change the image" without procedure.deploy-containers.rstso Sphinx picks it up and search indexes it.This is a rough draft. Scope was intentionally kept narrow: Mattermost Server image swap only, on Docker/Compose and Kubernetes (Mattermost Operator). The Operator container's own FIPS variant and Push Proxy migration are mentioned in the intro but procedures are out of scope for this first pass.
The page covers a new v11.7 prerequisite (minimum 14-character Postgres password) as a bullet in "Before you begin", flagged with the v11.7+ version requirement.
Test plan
gmake htmlsucceeds with no new warnings on the changed files (pre-existing 46 warnings are all in unrelated files)build/html/deployment-guide/server/containers/fips-migration.htmldeploy-containers.htmlto confirm the new "see migration guide" link resolves🤖 Generated with Claude Code