Merge remote-tracking branch 'upstream/master'

* upstream/master: (54 commits)
  bump to 5.24.2
  bump MM to 5.24.1
  bump MM to 5.24.0
  Update Dockerfile (mattermost#476)
  Add ?src=docker-app query parameter to identify download source (mattermost#475)
  bump docker app to 5.23.0
  Fix : certificate signed by unknown authority refs : mattermost/mattermost#13059 (mattermost#474)
  bump app dockerfile to 5.22.3
  Fixing docker-compose build process (mattermost#471)
  bump mm to 5.22.1
  Update Dockerfile (mattermost#467)
  docker-compose: fix DB Docker building error  mattermost#463 related wal-e 1.0.0 and azure (mattermost#464)
  allow uncommenting for team edition (mattermost#433)
  Fix the linking of the nginx configuration file (mattermost#458)
  docker-compose: remove unused ENV variable (mattermost#456)
  bump mm prod app to 5.21.0
  bump mm prod app to 5.20.2
  web entrypoint: forcefully link existing config (mattermost#454)
  Remove deprecated nginx ssl directive (mattermost#451) (mattermost#452)
  bump mm prod app to 5.20.1
  ...

.circleci/config.yml

@@ -0,0 +1,14 @@
+version: 2.1
+jobs:
+  none:
+    docker:
+      - image: alpine:3.10
+    steps:
+      - run:
+          command: echo "Skipping. not implemented"
+
+workflows:
+  version: 2
+  mainbuild:
+    jobs:
+      - none

CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Code Contribution Guidelines
+
+Thank you for your interest in contributing! Please see the [Mattermost Contribution Guide](https://developers.mattermost.com/contribute/getting-started/) which describes the process for making code contributions across Mattermost projects and [join our "Contributors" community channel](https://community.mattermost.com/core/channels/tickets) to ask questions from community members and the Mattermost core team.
+
+When you submit a pull request, it goes through a [code review process outlined here](https://developers.mattermost.com/contribute/getting-started/code-review/).

MAINTENANCE.md

@@ -18,7 +18,6 @@ The following people help to maintain this open source project:
 
 | Current Maintainer(s)                 | Start Date    |
 |:--------------------------------------|:--------------|
-| Kyâne Pichou - @pichouk               | Jun 01 2017   |
 | Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018   |
 
 In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
@@ -56,10 +55,11 @@ Maintainer(s) should periodically review pull requests and issues submitted to p
 
 PREVIOUS MAINTAINERS
 
-| Maintainer             | Start Date    | End Date    |
-|:-----------------------|:--------------|:------------|
-| Yi EungJun - @npcode   | Nov 26 2015   | Nov 30 2016 |
-| Pan Luo - @xcompass    | Nov 30 2015   | Feb 21 2019 |
+| Maintainer              | Start Date    | End Date    |
+|:------------------------|:--------------|:------------|
+| Yi EungJun - @npcode    | Nov 26 2015   | Nov 30 2016 |
+| Pan Luo - @xcompass     | Nov 30 2015   | Feb 21 2019 |
+| Kyâne Pichou - @pichouk | Jun 01 2017   | Aug 15 2019 |
 
 
 CREATOR

README.md

@@ -23,10 +23,13 @@ The following instructions deploy Mattermost in a production configuration using
 
 If you want to install Enterprise Edition, you can skip this section.
 
-To install the team edition, uncomment out these lines in docker-compose.yaml file:
+To install the team edition, change `build: app` to `build:` and uncomment out these lines in `app:` services block to make it look like below in docker-compose.yaml file:
 ```yaml
-args:
-  - edition=team
+app:
+  build:
+    context: app
+    args:
+      - edition=team
 ```
 The `app` Dockerfile will read the `edition` build argument to install Team (`edition = 'team'`) or Enterprise (`edition != team`) edition.
 
@@ -105,6 +108,14 @@ Put your SSL certificate as `./volumes/web/cert/cert.pem` and the private key th
 no password as `./volumes/web/cert/key-no-password.pem`. If you don't have
 them you may generate a self-signed SSL certificate.
 
+#### Configure SSO with GitLab
+If you are looking for SSO with GitLab and you use self signed certificate you have to add the PKI chain of your authority in app because Alpine doesn't know him. This is required to avoid **Token request failed: certificate signed by unknown authority**
+
+For that uncomment this line and replace with the correct path of your PKI chain:
+```
+# - <path_to_your_gitlab_pki>/pki_chain.pem:/etc/ssl/certs/pki_chain.pem:ro
+```
+
 ### Starting/Stopping Docker
 
 #### Start

app/Dockerfile

@@ -1,8 +1,8 @@
-FROM alpine:3.9
+FROM alpine:3.10
 
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
-ENV MM_VERSION=5.11.0
+ENV MM_VERSION=5.24.2
 
 # Build argument to set Mattermost edition
 ARG edition=enterprise
@@ -18,6 +18,7 @@ RUN apk add --no-cache \
 	jq \
 	libc6-compat \
 	libffi-dev \
+    libcap \
 	linux-headers \
 	mailcap \
 	netcat-openbsd \
@@ -28,13 +29,14 @@ RUN apk add --no-cache \
 # Get Mattermost
 RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
     && if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
-      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz | tar -xvz ; \
-      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz | tar -xvz ; fi \
+      elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
+      else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
     && cp /mattermost/config/config.json /config.json.save \
     && rm -rf /mattermost/config/config.json \
     && addgroup -g ${PGID} mattermost \
     && adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
-    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins
+    && chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
+    && setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
 
 USER mattermost
 

contrib/kubernetes/README.md

@@ -76,7 +76,7 @@ Type:                   NodePort
 IP:                     10.0.0.194
 Port:                   http    80/TCP
 NodePort:               http    32283/TCP
-Endpoints:              172.17.0.4:80
+Endpoints:              172.17.0.4:8000
 Session Affinity:       None
 No events.
 ```
@@ -90,7 +90,7 @@ curl -L http://192.168.99.100:32283
 
 ### Optional steps
 
- * If you want your data to be persistent you will need to make persistent volumes for Mattermost and Postgres.
+ * If you want your data to be persistent you will need to make persistent volumes for Mattermost and Postgres. This requires adding a [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#discussion) to the deployment to set `runAsUser: 2000`, `runAsGroup: 2000` and `fsGroup: 2000`.
  * If you want to change advanced settings for the mattermost container you can make a [configMap](http://blog.kubernetes.io/2016/04/configuration-management-with-containers.html) for the /mattermost/config/config.json file
  * If you want the application exposed on port 80 you can either specify the port in the service manifest or use an [ingress controller](http://kubernetes.io/docs/user-guide/ingress/#ingress-controllers) and an ingress map for the mattermost service. A sample ingress map would be
 ```

contrib/kubernetes/mattermost.deployment.yaml

@@ -17,14 +17,14 @@ spec:
     spec:
       containers:
       - name: mattermost-app
-        image: "mattermost/mattermost-prod-app:5.11.0"
+        image: "mattermost/mattermost-prod-app:5.14.1"
         env:
         - name: DB_HOST
           valueFrom:
             secretKeyRef:
               name: mattermost.env
               key: db-host
-        - name: DB_PORT
+        - name: DB_PORT_NUMBER
           valueFrom:
             secretKeyRef:
               name: mattermost.env

contrib/kubernetes/mattermost.svc.yaml

@@ -7,7 +7,7 @@ spec:
   type: NodePort
   ports:
   - port: 80
-    targetPort: 80
+    targetPort: 8000
     protocol: TCP
     name: http
   selector:

contrib/swarm/docker-stack-traefik.yml

@@ -59,7 +59,7 @@ services:
         condition: on-failure
   app:
     # use official mattermost prod-app image
-    image: mattermost/mattermost-prod-app:5.11.0
+    image: mattermost/mattermost-prod-app:5.13.0
     networks:
       - mm-in
       - mm-out

contrib/swarm/docker-stack.yml

@@ -58,7 +58,7 @@ services:
         condition: on-failure
   app:
     # use official mattermost prod-app image
-    image: mattermost/mattermost-prod-app:5.11.0
+    image: mattermost/mattermost-prod-app:5.13.0
     networks:
       - mm-in
       - mm-out

db/Dockerfile

@@ -3,6 +3,7 @@ FROM postgres:9.4-alpine
 ENV DEFAULT_TIMEZONE UTC
 
 # Install some packages to use WAL
+RUN echo "azure<5.0.0" > pip-constraints.txt
 RUN apk add --no-cache \
       build-base \
       curl \
@@ -12,7 +13,10 @@ RUN apk add --no-cache \
       python-dev \
       py-pip \
       py-cryptography \
-    && pip --no-cache-dir install 'wal-e<1.0.0' envdir \
+      pv \
+      libressl-dev \
+    && pip install --upgrade pip \
+    && pip --no-cache-dir install -c pip-constraints.txt 'wal-e<1.0.0' envdir \
     && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
 
 # Add wale script

db/entrypoint.sh

@@ -58,5 +58,5 @@ if [ "$1" = 'postgres' ]; then
   update_conf $wal_enable
 
   # Run the postgresql entrypoint
-  . /docker-entrypoint.sh
+  docker-entrypoint.sh postgres
 fi

docker-compose.yml

@@ -1,4 +1,4 @@
-version: "2"
+version: "3"
 
 services:
 
@@ -37,11 +37,19 @@ services:
       - ./volumes/app/mattermost/plugins:/mattermost/plugins:rw
       - ./volumes/app/mattermost/client-plugins:/mattermost/client/plugins:rw
       - /etc/localtime:/etc/localtime:ro
+      # When you want to use SSO with GitLab, you have to add the cert pki chain of GitLab inside Alpine
+      # to avoid Token request failed: certificate signed by unknown authority (link: https://github.com/mattermost/mattermost-server/issues/13059)
+      # - <path_to_your_gitlab_pki>/pki_chain.pem:/etc/ssl/certs/pki_chain.pem:ro
     environment:
       # set same as db credentials and dbname
       - MM_USERNAME=mmuser
       - MM_PASSWORD=mmuser_password
       - MM_DBNAME=mattermost
+
+      # use the credentials you've set above, in the format:
+      # MM_SQLSETTINGS_DATASOURCE=postgres://${MM_USERNAME}:${MM_PASSWORD}@db:5432/${MM_DBNAME}?sslmode=disable&connect_timeout=10
+      - MM_SQLSETTINGS_DATASOURCE=postgres://mmuser:mmuser_password@db:5432/mattermost?sslmode=disable&connect_timeout=10
+
       # in case your config is not in default location
       #- MM_CONFIG=/mattermost/config/config.json
 
@@ -57,6 +65,3 @@ services:
       # This directory must have cert files if you want to enable SSL
       - ./volumes/web/cert:/cert:ro
       - /etc/localtime:/etc/localtime:ro
-    # Uncomment for SSL
-    # environment:
-    #  - MATTERMOST_ENABLE_SSL=true

web/entrypoint.sh

@@ -11,8 +11,10 @@ if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then
 else
   echo "linking plain config"
 fi
+# Ensure that the configuration file is not present before linking. 
+test -w /etc/nginx/conf.d/mattermost.conf && rm /etc/nginx/conf.d/mattermost.conf
 # Linking Nginx configuration file
-ln -s /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
+ln -s -f /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
 
 # Setup app host and port on configuration file
 sed -i "s/{%APP_HOST%}/${APP_HOST}/g" /etc/nginx/conf.d/mattermost.conf

web/mattermost-ssl

@@ -12,7 +12,6 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
 server {
     listen 443 ssl http2;
 
-    ssl on;
     ssl_certificate /cert/cert.pem;
     ssl_certificate_key /cert/key-no-password.pem;
     ssl_session_timeout 5m;