mattermost · fmartingr · Nov 4, 2024 · Jan 14, 2025 · streamer45 · Jan 14, 2025
diff --git a/cmd/ltkeycloak/from_mattermost.go b/cmd/ltkeycloak/from_mattermost.go
@@ -203,7 +203,7 @@ func RunSyncFromMattermostCommandF(cmd *cobra.Command, _ []string) error {
 		siteURL = mattermostHost
 	}
 
-	mmClient := model.NewAPIv4Client("http://" + siteURL)
+	mmClient := model.NewAPIv4Client(deploymentConfig.ServerScheme + "://" + siteURL)
 
 	_, _, err = mmClient.Login(cmd.Context(), deploymentConfig.AdminEmail, deploymentConfig.AdminPassword)
 	if err != nil {

diff --git a/config/deployer.sample.json b/config/deployer.sample.json
@@ -55,6 +55,8 @@
   "S3BucketDumpURI" : "",
   "DBDumpURI": "",
   "SiteURL": "",
+  "ServerURL": "",
+  "ServerScheme": "http",
   "EnableNetPeekMetrics": false,
   "TerraformDBSettings": {
     "InstanceCount": 1,

diff --git a/config/deployer.sample.toml b/config/deployer.sample.toml
@@ -13,7 +13,8 @@ MattermostDownloadURL = 'https://latest.mattermost.com/mattermost-enterprise-lin
 MattermostLicenseFile = ''
 S3BucketDumpURI = ''
 SiteURL = ''
-EnableNetPeekMetrics = false
+ServerURL = ''
+ServerScheme = 'http'
 
 # Agent configuration
 AgentInstanceCount = 2
@@ -46,6 +47,9 @@ ProxyInstanceType = 'c5.xlarge'
 ProxyInstanceCount = 1
 ProxyAllocatePublicIPAddress = true
 
+# Metrics
+EnableNetPeekMetrics = false
+
 [ClusterSubnetIDs]
 App = []
 Job = []

diff --git a/deployment/config.go b/deployment/config.go
@@ -119,6 +119,8 @@ type Config struct {
 	// Mattermost servers. This is used to override the server URL in the agent's config in case there's a
 	// proxy in front of the Mattermost server.
 	ServerURL string `default:""`
+	// ServerScheme is the scheme to use when connecting to the Mattermost server.
+	ServerScheme string `default:"http" validate:"oneof:{http,https}"`
 	// UsersFilePath specifies the path to an optional file containing a list of credentials for the controllers
 	// to use. If present, it is used to automatically upload it to the agents and override the agent's config's
 	// own UsersFilePath.

diff --git a/deployment/terraform/agent.go b/deployment/terraform/agent.go
@@ -28,8 +28,13 @@ func (t *Terraform) generateLoadtestAgentConfig() (*loadtest.Config, error) {
 
 	url := getServerURL(t.output, t.config)
 
-	cfg.ConnectionConfiguration.ServerURL = "http://" + url
-	cfg.ConnectionConfiguration.WebSocketURL = "ws://" + url
+	websocketScheme := "ws"
+	if t.config.ServerScheme == "https" {
+		websocketScheme = "wss"
+	}
+
+	cfg.ConnectionConfiguration.ServerURL = url
+	cfg.ConnectionConfiguration.WebSocketURL = strings.Replace(url, t.config.ServerScheme+"://", websocketScheme+"://", 1)
 	cfg.ConnectionConfiguration.AdminEmail = t.config.AdminEmail
 	cfg.ConnectionConfiguration.AdminPassword = t.config.AdminPassword
 

diff --git a/deployment/terraform/create.go b/deployment/terraform/create.go
@@ -213,19 +213,21 @@ func (t *Terraform) Create(extAgent *ssh.ExtAgent, initData bool) error {
 		switch {
 		// SiteURL defined, multiple app nodes: we use SiteURL, since that points to the proxy itself
 		case t.config.SiteURL != "" && t.output.HasProxy():
-			siteURL = "http://" + t.config.SiteURL
+			siteURL = t.config.ServerScheme + "://" + t.config.SiteURL
 		// SiteURL defined, single app node: we use SiteURL plus the port, since SiteURL points to the app node (which is listening in 8065)
 		case t.config.SiteURL != "":
-			siteURL = "http://" + t.config.SiteURL + ":8065"
+			siteURL = t.config.ServerScheme + "://" + t.config.SiteURL + ":8065"
 		// SiteURL not defined, multiple app nodes: we use the proxy's public DNS
 		case t.output.HasProxy():
 			// This case will only succeed if siteURL is empty.
 			// And it's an error to have siteURL empty and set multiple proxies. (see (c *Config) validateProxyConfig)
 			// So we can safely take the DNS of the first entry.
-			siteURL = "http://" + t.output.Proxies[0].PublicDNS
+			siteURL = t.config.ServerScheme + "://" + t.output.Proxies[0].PublicDNS
 		// SiteURL not defined, single app node: we use the app node's public DNS plus port
+		case t.config.ServerURL != "":
+			siteURL = t.config.ServerScheme + "://" + t.config.ServerURL
 		default:
-			siteURL = "http://" + t.output.Instances[0].PublicDNS + ":8065"
+			siteURL = t.config.ServerScheme + "://" + t.output.Instances[0].PublicDNS + ":8065"
 		}
 
 		// Updating the config.json for each instance of app server
@@ -245,6 +247,7 @@ func (t *Terraform) Create(extAgent *ssh.ExtAgent, initData bool) error {
 			pingURL = t.output.Proxies[0].PublicDNS
 		}
 
+		// Non-ssl is used for pinging the server
 		if err := pingServer("http://" + pingURL); err != nil {
 			return fmt.Errorf("error whiling pinging server: %w", err)
 		}

diff --git a/deployment/terraform/keycloak.go b/deployment/terraform/keycloak.go
@@ -374,7 +374,7 @@ func (t *Terraform) setupKeycloakAppConfig(sshc *ssh.Client, cfg *model.Config)
 	cfg.SamlSettings.IdpDescriptorURL = model.NewPointer(keycloakUrl + "/realms/" + t.config.ExternalAuthProviderSettings.KeycloakRealmName)
 	cfg.SamlSettings.IdpMetadataURL = model.NewPointer(keycloakUrl + "/realms/" + t.config.ExternalAuthProviderSettings.KeycloakRealmName + "/protocol/saml/descriptor")
 	cfg.SamlSettings.ServiceProviderIdentifier = model.NewPointer(t.config.ExternalAuthProviderSettings.KeycloakSAMLClientID)
-	cfg.SamlSettings.AssertionConsumerServiceURL = model.NewPointer("http://" + getServerURL(t.output, t.config) + "/login/sso/saml")
+	cfg.SamlSettings.AssertionConsumerServiceURL = model.NewPointer(t.config.ServerScheme + "://" + getServerURL(t.output, t.config) + "/login/sso/saml")
 	cfg.SamlSettings.SignatureAlgorithm = model.NewPointer("RSAwithSHA1")
 	cfg.SamlSettings.CanonicalAlgorithm = model.NewPointer("Canonical1.0")
 	cfg.SamlSettings.ScopingIDPProviderId = model.NewPointer("")

diff --git a/deployment/terraform/utils.go b/deployment/terraform/utils.go
@@ -328,7 +328,7 @@ func (t *Terraform) getAsset(filename string) string {
 // 4. First app server IP
 func getServerURL(output *Output, deploymentConfig *deployment.Config) string {
 	if deploymentConfig.ServerURL != "" {
-		return deploymentConfig.ServerURL
+		return deploymentConfig.ServerScheme + "://" + deploymentConfig.ServerURL
 	}
 
 	url := output.Instances[0].PrivateIP
@@ -344,7 +344,7 @@ func getServerURL(output *Output, deploymentConfig *deployment.Config) string {
 		url = output.Proxies[0].PrivateIP
 	}
 
-	return url
+	return deploymentConfig.ServerScheme + "://" + url
 }
 
 // GetAWSConfig returns the AWS config, using the profile configured in the

diff --git a/deployment/terraform/utils_test.go b/deployment/terraform/utils_test.go
@@ -50,8 +50,10 @@ func TestGetServerURL(t *testing.T) {
 					PrivateIP: "localhost",
 				}},
 			},
-			config:   &deployment.Config{},
-			expected: "localhost:8065",
+			config: &deployment.Config{
+				ServerScheme: "http",
+			},
+			expected: "http://localhost:8065",
 		}, {
 			name: "proxy, no siteurl",
 			output: &Output{
@@ -62,8 +64,10 @@ func TestGetServerURL(t *testing.T) {
 					PrivateIP: "proxy_ip",
 				}},
 			},
-			config:   &deployment.Config{},
-			expected: "proxy_ip",
+			config: &deployment.Config{
+				ServerScheme: "http",
+			},
+			expected: "http://proxy_ip",
 		}, {
 			name: "no proxy, siteurl",
 			output: &Output{
@@ -72,9 +76,10 @@ func TestGetServerURL(t *testing.T) {
 				}},
 			},
 			config: &deployment.Config{
-				SiteURL: "ltserver",
+				SiteURL:      "ltserver",
+				ServerScheme: "http",
 			},
-			expected: "ltserver:8065",
+			expected: "http://ltserver:8065",
 		}, {
 			name: "proxy, siteurl",
 			output: &Output{
@@ -86,9 +91,10 @@ func TestGetServerURL(t *testing.T) {
 				}},
 			},
 			config: &deployment.Config{
-				SiteURL: "ltserver",
+				SiteURL:      "ltserver",
+				ServerScheme: "http",
 			},
-			expected: "ltserver",
+			expected: "http://ltserver",
 		}, {
 			name: "serverurl takes priority",
 			output: &Output{
@@ -100,10 +106,23 @@ func TestGetServerURL(t *testing.T) {
 				}},
 			},
 			config: &deployment.Config{
-				SiteURL:   "siteurl",
-				ServerURL: "serverurl",
+				SiteURL:      "siteurl",
+				ServerURL:    "serverurl",
+				ServerScheme: "http",
+			},
+			expected: "http://serverurl",
+		}, {
+			name: "https is supported",
+			output: &Output{
+				Instances: []Instance{{
+					PrivateIP: "localhost",
+				}},
+			},
+			config: &deployment.Config{
+				SiteURL:      "ltserver",
+				ServerScheme: "https",
 			},
-			expected: "serverurl",
+			expected: "https://ltserver:8065",
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {

diff --git a/docs/config/deployer.md b/docs/config/deployer.md
@@ -581,6 +581,18 @@ The name of a host that will be used for two purposes:
 - It will populate a new entry in the /etc/hosts file of the app nodes, so that it points to the proxy private IP or, if there's no proxy, to the current app node.
 This config is used for tests that require an existing database dump that contains permalinks. These permalinks point to a specific hostname. Without this setting, that hostname is not known by the nodes of a new deployment and the permalinks cannot be resolved.
 
+## ServerURL
+
+*string*
+
+The URL of the Mattermost server. This is used to override the server's `SiteURL` setting for specific scenarios where a different URL is needed on deployments without the proxy server.
+
+## ServerScheme
+
+*string*
+
+The scheme of the Mattermost server. Defaults to `http`.
+
 ## UsersFilePath
 
 *string*