charm-k8s-mattermost

Merge ~pjdc/charm-k8s-mattermost/+git/charm-k8s-mattermost:sidecar.2 into charm-k8s-mattermost:master

Git
lp:~pjdc/charm-k8s-mattermost/+git/charm-k8s-mattermost
sidecar.2
Merge into master

Proposed by Paul Collins on 2021-05-26

Status:	Work in progress
Proposed branch:	~pjdc/charm-k8s-mattermost/+git/charm-k8s-mattermost:sidecar.2
Merge into:	charm-k8s-mattermost:master
Diff against target:	1628 lines (+551/-647) 13 files modified .gitignore (+1/-0) .jujuignore (+1/-0) Makefile (+1/-1) README.md (+20/-22) config.yaml (+6/-21) dev/null (+0/-45) lib/charms/nginx_ingress_integrator/v0/ingress.py (+198/-0) metadata.yaml (+13/-3) requirements.txt (+1/-1) src/charm.py (+166/-233) tests/unit/test_charm.py (+143/-293) tests/unit/test_helpers.py (+0/-27) tox.ini (+1/-1)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Mattermost Charmers		2021-05-26	Pending
Review via email: mp+403302@code.launchpad.net

Commit message

convert to sidecar

Includes changes from both Tom and Paul. Rebased onto the renamed old-style charm.

~pjdc/charm-k8s-mattermost/+git/charm-k8s-mattermost:sidecar.2 updated on 2021-06-13

9c40771... by Paul Collins on 2021-06-07: use self.app.name when site_url is empty
c291831... by Paul Collins on 2021-06-13: doc updates

Unmerged commits

c291831... by Paul Collins on 2021-06-13

doc updates

9c40771... by Paul Collins on 2021-06-07

use self.app.name when site_url is empty

c51b211... by Paul Collins on 2021-05-20

document ingress

9806d78... by Paul Collins on 2021-05-18

sidecar charm is on edge for now

6059ba4... by Paul Collins on 2021-05-10

remove _on_upgrade_charm

We work around this issue by setting use_juju_for_stoage=True.
In upgrade-testing we get stuck in "Waiting for pebble", perhaps
just because of this, or perhaps because of other changes since
this workaround was added. Either way, it is no longer needed.

ddd6233... by Paul Collins on 2021-05-09

coerce to dict when comparing live vs proposed configs

df95aa4... by Paul Collins on 2021-05-06

name licence file with crc32 to force restart

We now no longer remove the licence file when the setting is cleared,
which is not really a big deal. Licence files will also build up
on the pods, but they're small and will not survive upgrades anyway.

5955df8... by Paul Collins on 2021-05-05

swap database and pebble checks. defer event after config check

2f6bb61... by Paul Collins on 2021-05-05

split test_get_pebble_config

66763d6... by Paul Collins on 2021-05-05

push the licence into the mattermost container via pebble

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Mattermost Charmers

Paul Collins

 diff --git a/.gitignore b/.gitignore
 index 490cc43..99cead5 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -4,3 +4,4 @@
  .coverage
  __pycache__
  build
++htmlcov
 diff --git a/.jujuignore b/.jujuignore
 index 2c04000..328fb43 100644
 --- a/.jujuignore
 +++ b/.jujuignore
@@ -5,6 +5,7 @@ Dockerfile
  Makefile
  .coverage
  .gitignore
++htmlcov/
  requirements.txt
  tox.ini
  tests/
 diff --git a/Makefile b/Makefile
 index 1bf76cc..ef5e3fe 100644
 --- a/Makefile
 +++ b/Makefile
@@ -17,7 +17,7 @@ clean:
  	@echo "Cleaning files"
  	@git clean -fXd
--mattermost-k8s.charm: src/*.py requirements.txt
++mattermost-k8s.charm: lib/charms/*/v*/*.py src/*.py requirements.txt
  	charmcraft build
  .PHONY: lint test unittest clean
 diff --git a/README.md b/README.md
 index 2d74794..8a97558 100644
 --- a/README.md
 +++ b/README.md
@@ -1,34 +1,32 @@
  # Mattermost Operator
--A Juju charm deploying and managing Mattermost on Kubernetes, configurable to use a PostgreSQL backend.
--
--## Overview
--
--Mattermost offers both [a Team Edition and an Enterprise Edition](https://mattermost.com/pricing-feature-comparison/).
--This charm supports both, with the default image deploying the Team Edition. Supported
--features include authentication via SAML, Push Notifications, clustering,
--the storage of images and attachments in S3, and a Prometheus exporter for
--performance monitoring. This charm also offers seamless Mattermost version
--upgrades, initiated by switching to an image with a newer version of
--Mattermost than the one currently deployed.
++A Juju charm to deploy and manage Mattermost on Kubernetes.
  ## Usage
--For details on using Kubernetes with Juju [see here](https://juju.is/docs/kubernetes), and for
--details on using Juju with MicroK8s for easy local testing [see here](https://juju.is/docs/microk8s-cloud).
--
  To deploy the charm and relate it to [the PostgreSQL K8s charm](https://charmhub.io/postgresql-k8s) within a Juju
  Kubernetes model:
      juju deploy postgresql-k8s
--    juju deploy mattermost-k8s --config juju-external-hostname=foo.internal
++    juju deploy mattermost-k8s --channel edge
      juju relate mattermost-k8s postgresql-k8s:db
--    juju expose mattermost-k8s
--Once the deployment has completed and the "mattermost-k8s" workload state in `juju
--status` has changed to "active" you can visit http://${mattermost_ip}:8065 in a browser and log in to
--your Mattermost instance, and you'll be presented with a screen to create an
--initial admin account. Further accounts must be created using this admin account, or by
--setting up an external authentication source, such as SAML.
++Then, expose Mattermost via the Kubernetes ingress:
++
++    juju deploy nginx-ingress-integrator
++    juju relate mattermost-k8s nginx-ingress-integrator
++
++Once the deployment has completed and the workload states in `juju
++status` have changed to "active", you can add `mattermost-k8s` to `/etc/hosts`
++with the IP address of your Kubernetes cluster and visit `http://mattermost-k8s/`
++in a browser.
++
++You'll be presented with a screen to create an initial admin
++account. Further accounts must be created using this admin account, or
++by setting up an external authentication source, such as SAML.
++
++For further details, [please consult the documentation](https://charmhub.io/mattermost-charmers-mattermost/docs).
--For further details, [see here](https://charmhub.io/mattermost-charmers-mattermost/docs).
++See also:
++ * [using Kubernetes with Juju](https://juju.is/docs/kubernetes)
++ * [using Juju with MicroK8s for easy local testing](https://juju.is/docs/microk8s-cloud)
 diff --git a/config.yaml b/config.yaml
 index 5827200..71b4aaa 100644
 --- a/config.yaml
 +++ b/config.yaml
@@ -34,25 +34,6 @@ options:
            Some features are not available without a licence.  For more
            information, consult the Mattermost documentation.
          default: ''
--    mattermost_image_path:
--        type: string
--        description: |
--          The location of the image to use, e.g. "registry.example.com/mattermost:v1".
--
--          Switching to a newer image version will initiate an upgrade of Mattermost.
--
--          This setting is required.
--        default: mattermostcharmers/mattermost:v5.33.3-20.04_edge
--    mattermost_image_username:
--        type: string
--        description: |
--          The username for accessing the registry specified in mattermost_image_path.
--        default: ''
--    mattermost_image_password:
--        type: string
--        description: |
--          The password associated with mattermost_image_username for accessing the registry specified in mattermost_image_path.
--        default: ''
      outbound_proxy:
          type: string
          description: The proxy to use for outbound requests.
@@ -96,6 +77,8 @@ options:
        type: string
        description: |
          The push notification server to use.
++
++        Use of Mattermost's Hosted Push Notification Service requires an Enterprise Edition licence.
        default: ''
      push_notifications_include_message_snippet:
        type: boolean
@@ -182,11 +165,13 @@ options:
            Whether to use Ubuntu SSO to log in.
            This will not work unless the administrators of login.ubuntu.com have created a suitable SAML config first.
++
++          This feature requires a Mattermost Enterprise Edition licence.
          default: false
--    use_canonical_defaults:
++    use_enterprise_defaults:
          type: boolean
          description: |
--          If set, apply miscellaneous Mattermost settings as used by Canonical.
++          If set, apply miscellaneous Mattermost settings as used in an Enterprise deployment.
          default: false
      use_experimental_saml_library:
          type: boolean
 diff --git a/lib/charms/nginx_ingress_integrator/v0/ingress.py b/lib/charms/nginx_ingress_integrator/v0/ingress.py
 new file mode 100644
 index 0000000..688a77c
 --- /dev/null
 +++ b/lib/charms/nginx_ingress_integrator/v0/ingress.py
@@ -0,0 +1,198 @@
++"""Library for the ingress relation.
++
++This library contains the Requires and Provides classes for handling
++the ingress interface.
++
++Import `IngressRequires` in your charm, with two required options:
++    - "self" (the charm itself)
++    - config_dict
++
++`config_dict` accepts the following keys:
++    - service-hostname (required)
++    - service-name (required)
++    - service-port (required)
++    - limit-rps
++    - limit-whitelist
++    - max_body-size
++    - retry-errors
++    - service-namespace
++    - session-cookie-max-age
++    - tls-secret-name
++
++See [the config section](https://charmhub.io/nginx-ingress-integrator/configure) for descriptions
++of each, along with the required type.
++
++As an example, add the following to `src/charm.py`:
++```
++from charms.nginx_ingress_integrator.v0.ingress import IngressRequires
++
++# In your charm's `__init__` method.
++self.ingress = IngressRequires(self, {"service-hostname": self.config["external_hostname"],
++                                      "service-name": self.app.name,
++                                      "service-port": 80})
++
++# In your charm's `config-changed` handler.
++self.ingress.update_config({"service-hostname": self.config["external_hostname"]})
++```
++And then add the following to `metadata.yaml`:
++```
++requires:
++  ingress:
++    interface: ingress
++```
++"""
++
++import logging
++
++from ops.charm import CharmEvents
++from ops.framework import EventBase, EventSource, Object
++from ops.model import BlockedStatus
++
++# The unique Charmhub library identifier, never change it
++LIBID = "db0af4367506491c91663468fb5caa4c"
++
++# Increment this major API version when introducing breaking changes
++LIBAPI = 0
++
++# Increment this PATCH version before using `charmcraft publish-lib` or reset
++# to 0 if you are raising the major API version
++LIBPATCH = 5
++
++logger = logging.getLogger(__name__)
++
++REQUIRED_INGRESS_RELATION_FIELDS = {
++    "service-hostname",
++    "service-name",
++    "service-port",
++}
++
++OPTIONAL_INGRESS_RELATION_FIELDS = {
++    "limit-rps",
++    "limit-whitelist",
++    "max-body-size",
++    "retry-errors",
++    "service-namespace",
++    "session-cookie-max-age",
++    "tls-secret-name",
++}
++
++
++class IngressAvailableEvent(EventBase):
++    pass
++
++
++class IngressCharmEvents(CharmEvents):
++    """Custom charm events."""
++
++    ingress_available = EventSource(IngressAvailableEvent)
++
++
++class IngressRequires(Object):
++    """This class defines the functionality for the 'requires' side of the 'ingress' relation.
++
++    Hook events observed:
++        - relation-changed
++    """
++
++    def __init__(self, charm, config_dict):
++        super().__init__(charm, "ingress")
++
++        self.framework.observe(charm.on["ingress"].relation_changed, self._on_relation_changed)
++
++        self.config_dict = config_dict
++
++    def _config_dict_errors(self, update_only=False):
++        """Check our config dict for errors."""
++        blocked_message = "Error in ingress relation, check `juju debug-log`"
++        unknown = [
++            x
++            for x in self.config_dict
++            if x not in REQUIRED_INGRESS_RELATION_FIELDS | OPTIONAL_INGRESS_RELATION_FIELDS
++        ]
++        if unknown:
++            logger.error(
++                "Ingress relation error, unknown key(s) in config dictionary found: %s",
++                ", ".join(unknown),
++            )
++            self.model.unit.status = BlockedStatus(blocked_message)
++            return True
++        if not update_only:
++            missing = [x for x in REQUIRED_INGRESS_RELATION_FIELDS if x not in self.config_dict]
++            if missing:
++                logger.error(
++                    "Ingress relation error, missing required key(s) in config dictionary: %s",
++                    ", ".join(missing),
++                )
++                self.model.unit.status = BlockedStatus(blocked_message)
++                return True
++        return False
++
++    def _on_relation_changed(self, event):
++        """Handle the relation-changed event."""
++        # `self.unit` isn't available here, so use `self.model.unit`.
++        if self.model.unit.is_leader():
++            if self._config_dict_errors():
++                return
++            for key in self.config_dict:
++                event.relation.data[self.model.app][key] = str(self.config_dict[key])
++
++    def update_config(self, config_dict):
++        """Allow for updates to relation."""
++        if self.model.unit.is_leader():
++            self.config_dict = config_dict
++            if self._config_dict_errors(update_only=True):
++                return
++            relation = self.model.get_relation("ingress")
++            if relation:
++                for key in self.config_dict:
++                    relation.data[self.model.app][key] = str(self.config_dict[key])
++
++
++class IngressProvides(Object):
++    """This class defines the functionality for the 'provides' side of the 'ingress' relation.
++
++    Hook events observed:
++        - relation-changed
++    """
++
++    def __init__(self, charm):
++        super().__init__(charm, "ingress")
++        # Observe the relation-changed hook event and bind
++        # self.on_relation_changed() to handle the event.
++        self.framework.observe(charm.on["ingress"].relation_changed, self._on_relation_changed)
++        self.charm = charm
++
++    def _on_relation_changed(self, event):
++        """Handle a change to the ingress relation.
++
++        Confirm we have the fields we expect to receive."""
++        # `self.unit` isn't available here, so use `self.model.unit`.
++        if not self.model.unit.is_leader():
++            return
++
++        ingress_data = {
++            field: event.relation.data[event.app].get(field)
++            for field in REQUIRED_INGRESS_RELATION_FIELDS | OPTIONAL_INGRESS_RELATION_FIELDS
++        }
++
++        missing_fields = sorted(
++            [
++                field
++                for field in REQUIRED_INGRESS_RELATION_FIELDS
++                if ingress_data.get(field) is None
++            ]
++        )
++
++        if missing_fields:
++            logger.error(
++                "Missing required data fields for ingress relation: {}".format(
++                    ", ".join(missing_fields)
++                )
++            )
++            self.model.unit.status = BlockedStatus(
++                "Missing fields for ingress: {}".format(", ".join(missing_fields))
++            )
++
++        # Create an event that our charm can use to decide it's okay to
++        # configure the ingress.
++        self.charm.on.ingress_available.emit()
 diff --git a/metadata.yaml b/metadata.yaml
 index f19cb73..84b3261 100644
 --- a/metadata.yaml
 +++ b/metadata.yaml
@@ -8,10 +8,20 @@ description: |
    Mattermost is a flexible, open source messaging platform that enables
    secure team collaboration.
    https://mattermost.com
--min-juju-version: 2.8.0  # charm storage in state
--series:
--  - kubernetes
++
++containers:
++  mattermost:
++    resource: mattermost-image
++
++resources:
++  mattermost-image:
++    type: oci-image
++    description: Docker image for Mattermost to run
++
  requires:
    db:
      interface: pgsql
      limit: 1
++  ingress:
++    interface: ingress
++    limit: 1
 diff --git a/requirements.txt b/requirements.txt
 index fd6adcd..873493e 100644
 --- a/requirements.txt
 +++ b/requirements.txt
@@ -1,2 +1,2 @@
--ops
++https://github.com/canonical/operator/archive/refs/heads/master.zip
  ops-lib-pgsql
 diff --git a/src/charm.py b/src/charm.py
 index 9416f62..d858d04 100755
 --- a/src/charm.py
 +++ b/src/charm.py
@@ -4,6 +4,7 @@
  # Licensed under the GPLv3, see LICENCE file for details.
  import os
++import logging
  import subprocess
  from ipaddress import ip_network
@@ -28,26 +29,24 @@ from ops.model import (
      WaitingStatus,
+ )
--from utils import extend_list_merging_dicts_matched_by_key
--
--import logging
--
++from charms.nginx_ingress_integrator.v0.ingress import IngressRequires
  pgsql = ops.lib.use("pgsql", 1, "postgresql-charmers@lists.launchpad.net")
  logger = logging.getLogger()
++CONTAINER_NAME = 'mattermost'  # per metadata.yaml
  # Mattermost's default port, and what we expect the image to use
  CONTAINER_PORT = 8065
  # Default port, enforced via envConfig to prevent operator error
  METRICS_PORT = 8067
  DATABASE_NAME = 'mattermost'
--LICENCE_SECRET_KEY_NAME = 'licence'
  REQUIRED_S3_SETTINGS = ['s3_bucket', 's3_region', 's3_access_key_id', 's3_secret_access_key']
--REQUIRED_SETTINGS = ['mattermost_image_path']
++REQUIRED_SETTINGS = []
  REQUIRED_SSO_SETTINGS = ['licence', 'site_url']
  SAML_IDP_CRT = 'saml-idp.crt'
++LICENCE_FILE_TEMPLATE = "/mattermost/licence-{:08x}.txt"
  class MattermostDBMasterAvailableEvent(EventBase):
@@ -76,26 +75,6 @@ def check_ranges(ranges, name):
          return '{}: invalid network(s): {}'.format(name, ', '.join(invalid_networks))
--def get_container(pod_spec, container_name):
--    """Find and return the first container in pod_spec whose name is container_name, otherwise return None."""
--    for container in pod_spec['containers']:
--        if container['name'] == container_name:
--            return container
--    raise ValueError("Unable to find container named '{}' in pod spec".format(container_name))
--
--
--def get_env_config(pod_spec, container_name):
--    """Return the envConfig of the container in pod_spec whose name is container_name, otherwise return None.
--
--    If the container exists but has no envConfig, raise KeyError.
--    """
--    container = get_container(pod_spec, container_name)
--    if 'envConfig' in container:
--        return container['envConfig']
--    else:
--        raise ValueError("Unable to find envConfig for container named '{}'".format(container_name))
--
--
  class MattermostK8sCharm(CharmBase):
      state = StoredState()
@@ -104,21 +83,104 @@ class MattermostK8sCharm(CharmBase):
      def __init__(self, *args):
          super().__init__(*args)
--        self.framework.observe(self.on.start, self.configure_pod)
--        self.framework.observe(self.on.config_changed, self.configure_pod)
--        self.framework.observe(self.on.leader_elected, self.configure_pod)
--        self.framework.observe(self.on.upgrade_charm, self.configure_pod)
++        self.framework.observe(self.on.start, self._on_config_changed)
++        self.framework.observe(self.on.config_changed, self._on_config_changed)
++        self.framework.observe(self.on.leader_elected, self._on_config_changed)
++
++        self.framework.observe(self.on.mattermost_pebble_ready, self._on_mattermost_pebble_ready)
          # actions
          self.framework.observe(self.on.grant_admin_role_action, self._on_grant_admin_role_action)
++        # state
++        self.state.set_default(db_conn_str=None, db_uri=None, db_ro_uris=[], mattermost_pebble_ready=False)
++
          # database
--        self.state.set_default(db_conn_str=None, db_uri=None, db_ro_uris=[])
          self.db = pgsql.PostgreSQLClient(self, 'db')
          self.framework.observe(self.db.on.database_relation_joined, self._on_database_relation_joined)
          self.framework.observe(self.db.on.master_changed, self._on_master_changed)
          self.framework.observe(self.db.on.standby_changed, self._on_standby_changed)
--        self.framework.observe(self.on.db_master_available, self.configure_pod)
++        self.framework.observe(self.on.db_master_available, self._on_config_changed)
++
++        self.ingress = IngressRequires(self, self._make_ingress_config())
++
++    def _make_ingress_config(self):
++        return {
++            "max-body-size": self.config["max_file_size"],
++            "service-hostname": self._get_external_hostname(),
++            "service-name": self.app.name,
++            "service-port": CONTAINER_PORT,
++            "tls-secret-name": self.config["tls_secret_name"],
++        }
++
++    def _get_external_hostname(self):
++        """Extract and return hostname from site_url, otherwise return self.app.name."""
++        site_url = self.config["site_url"]
++        if not site_url:
++            return self.app.name
++        parsed = urlparse(site_url)
++        return parsed.hostname
++
++    def _get_pebble_config(self):
++        """Generate our pebble config."""
++        env_config = self._get_env_config()
++        pebble_config = {
++            "summary": "Mattermost layer",
++            "description": "Mattermost layer",
++            "services": {
++                "mattermost": {
++                    "override": "replace",
++                    "summary": "Mattermost service",
++                    "command": "/mattermost/bin/mattermost",
++                    "startup": "enabled",
++                    "environment": env_config,
++                }
++            },
++        }
++        return pebble_config
++
++    def _on_mattermost_pebble_ready(self, event):
++        """Handle the on pebble ready event."""
++        self.state.mattermost_pebble_ready = True
++
++    def _on_config_changed(self, event):
++        """Handle config-changed event."""
++        if not self.state.db_uri:
++            self.unit.status = WaitingStatus('Waiting for database relation')
++            event.defer()
++            return
++
++        problems = self._check_for_config_problems()
++        if problems:
++            self.unit.status = BlockedStatus(problems)
++            return
++
++        if not self.state.mattermost_pebble_ready:
++            self.unit.status = WaitingStatus('Waiting for pebble')
++            event.defer()
++            return
++
++        pebble_config = self._get_pebble_config()
++        if not pebble_config:
++            # Charm will be in blocked status.
++            event.defer()
++            return
++
++        container = self.unit.get_container(CONTAINER_NAME)
++        services = container.get_plan().to_dict().get("services", {})
++        if services != pebble_config["services"]:
++            self.unit.status = MaintenanceStatus('Adding layer to pebble')
++            container.add_layer("mattermost", pebble_config, combine=True)
++
++            self.unit.status = MaintenanceStatus('Restarting mattermost')
++            service = container.get_service("mattermost")
++            if service.is_running():
++                container.stop("mattermost")
++            container.start("mattermost")
++
++        self.ingress.update_config(self._make_ingress_config())
++
++        self.unit.status = ActiveStatus()
      def _on_database_relation_joined(self, event: pgsql.DatabaseRelationJoinedEvent):
          """Handle db-relation-joined."""
@@ -172,40 +234,12 @@ class MattermostK8sCharm(CharmBase):
          return '; '.join(filter(None, problems))
--    def _make_pod_spec(self):
--        """Return a pod spec with some core configuration."""
--        config = self.model.config
--        mattermost_image_details = {
--            'imagePath': config['mattermost_image_path'],
--        }
--        if config['mattermost_image_username']:
--            mattermost_image_details.update(
--                {'username': config['mattermost_image_username'], 'password': config['mattermost_image_password']}
--            )
--        pod_config = self._make_pod_config()
--        pod_config.update(self._make_s3_pod_config())
--
--        return {
--            'version': 3,  # otherwise resources are ignored
--            'containers': [
--                {
--                    'name': self.app.name,
--                    'imageDetails': mattermost_image_details,
--                    'ports': [{'containerPort': CONTAINER_PORT, 'protocol': 'TCP'}],
--                    'envConfig': pod_config,
--                    'kubernetes': {
--                        'readinessProbe': {'httpGet': {'path': '/api/v4/system/ping', 'port': CONTAINER_PORT}},
--                    },
--                }
--            ],
--        }
--
--    def _make_pod_config(self):
++    def _make_env_config(self):
          """Return an envConfig with some core configuration."""
          config = self.model.config
          # https://github.com/mattermost/mattermost-server/pull/14666
          db_uri = self.state.db_uri.replace('postgresql://', 'postgres://')
--        pod_config = {
++        env_config = {
              'MATTERMOST_HTTPD_LISTEN_PORT': CONTAINER_PORT,
              'MM_CONFIG': db_uri,
              'MM_SQLSETTINGS_DATASOURCE': db_uri,
@@ -219,18 +253,18 @@ class MattermostK8sCharm(CharmBase):
+         }
          if config['primary_team']:
--            pod_config['MM_TEAMSETTINGS_EXPERIMENTALPRIMARYTEAM'] = config['primary_team']
++            env_config['MM_TEAMSETTINGS_EXPERIMENTALPRIMARYTEAM'] = config['primary_team']
          if config['site_url']:
--            pod_config['MM_SERVICESETTINGS_SITEURL'] = config['site_url']
++            env_config['MM_SERVICESETTINGS_SITEURL'] = config['site_url']
          if config['outbound_proxy']:
--            pod_config['HTTP_PROXY'] = config['outbound_proxy']
--            pod_config['HTTPS_PROXY'] = config['outbound_proxy']
++            env_config['HTTP_PROXY'] = config['outbound_proxy']
++            env_config['HTTPS_PROXY'] = config['outbound_proxy']
              if config['outbound_proxy_exceptions']:
--                pod_config['NO_PROXY'] = config['outbound_proxy_exceptions']
++                env_config['NO_PROXY'] = config['outbound_proxy_exceptions']
--        return pod_config
++        return env_config
      def _missing_charm_settings(self):
          """Return a list of settings required to satisfy configuration dependencies, or else an empty list."""
@@ -241,9 +275,6 @@ class MattermostK8sCharm(CharmBase):
          if config['clustering'] and not config['licence']:
              missing.add('licence')
--        if config['mattermost_image_username'] and not config['mattermost_image_password']:
--            missing.add('mattermost_image_password')
--
          if config['performance_monitoring_enabled'] and not config['licence']:
              missing.add('licence')
@@ -258,142 +289,57 @@ class MattermostK8sCharm(CharmBase):
          return sorted(missing)
--    def _make_s3_pod_config(self):
++    def _update_env_config_for_s3(self, env_config):
          """Return an envConfig of S3 settings, if any."""
          config = self.model.config
          if not config['s3_enabled']:
--            return {}
--
--        return {
--            'MM_FILESETTINGS_DRIVERNAME': 'amazons3',
--            'MM_FILESETTINGS_MAXFILESIZE': str(config['max_file_size'] * 1048576),  # LP:1881227
--            'MM_FILESETTINGS_AMAZONS3SSL': 'true',  # defaults to true; belt and braces
--            'MM_FILESETTINGS_AMAZONS3ENDPOINT': config['s3_endpoint'],
--            'MM_FILESETTINGS_AMAZONS3BUCKET': config['s3_bucket'],
--            'MM_FILESETTINGS_AMAZONS3REGION': config['s3_region'],
--            'MM_FILESETTINGS_AMAZONS3ACCESSKEYID': config['s3_access_key_id'],
--            'MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY': config['s3_secret_access_key'],
--            'MM_FILESETTINGS_AMAZONS3SSE': 'true' if config['s3_server_side_encryption'] else 'false',
--            'MM_FILESETTINGS_AMAZONS3TRACE': 'true' if config['debug'] else 'false',
--        }
--
--    def _update_pod_spec_for_k8s_ingress(self, pod_spec):
--        """Add resources to pod_spec configuring site ingress, if needed."""
--        site_url = self.model.config['site_url']
--        if not site_url:
--            return
--
--        parsed = urlparse(site_url)
--
--        if not parsed.scheme.startswith('http'):
              return
--        annotations = {'nginx.ingress.kubernetes.io/proxy-body-size': '{}m'.format(self.model.config['max_file_size'])}
--        ingress = {
--            "name": "{}-ingress".format(self.app.name),
--            "spec": {
--                "rules": [
--                    {
--                        "host": parsed.hostname,
--                        "http": {
--                            "paths": [
--                                {"path": "/", "backend": {"serviceName": self.app.name, "servicePort": CONTAINER_PORT}}
--                            ]
--                        },
--                    }
--                ]
--            },
--        }
--        if parsed.scheme == 'https':
--            ingress['spec']['tls'] = [{'hosts': [parsed.hostname]}]
--            tls_secret_name = self.model.config['tls_secret_name']
--            if tls_secret_name:
--                ingress['spec']['tls'][0]['secretName'] = tls_secret_name
--        else:
--            annotations['nginx.ingress.kubernetes.io/ssl-redirect'] = 'false'
--
--        ingress_whitelist_source_range = self.model.config['ingress_whitelist_source_range']
--        if ingress_whitelist_source_range:
--            annotations['nginx.ingress.kubernetes.io/whitelist-source-range'] = ingress_whitelist_source_range
--
--        ingress['annotations'] = annotations
--
--        # Due to https://github.com/canonical/operator/issues/293 we
--        # can't use pod.set_spec's k8s_resources argument.
--        resources = pod_spec.get('kubernetesResources', {})
--        resources['ingressResources'] = [ingress]
--        pod_spec['kubernetesResources'] = resources
--
--    def _get_licence_secret_name(self):
--        """Compute a content-dependent name for the licence secret.
--
--        The name is varied so that licence updates cause the pods to
--        be respawned.  Mattermost reads the licence file on startup
--        and updates the copy in the database, if necessary.
--        """
--        crc = '{:08x}'.format(crc32(self.model.config['licence'].encode('utf-8')))
--        return '{}-licence-{}'.format(self.app.name, crc)
--
--    def _make_licence_volume_configs(self):
--        """Return volume config for the licence secret."""
--        config = self.model.config
--        if not config['licence']:
--            return []
--        return [
++        env_config.update(
+             {
--                'name': 'licence',
--                'mountPath': '/secrets',
--                'secret': {
--                    'name': self._get_licence_secret_name(),
--                    'files': [{'key': LICENCE_SECRET_KEY_NAME, 'path': 'licence.txt', 'mode': 0o444}],
--                },
++                'MM_FILESETTINGS_DRIVERNAME': 'amazons3',
++                'MM_FILESETTINGS_MAXFILESIZE': str(config['max_file_size'] * 1048576),  # LP:1881227
++                'MM_FILESETTINGS_AMAZONS3SSL': 'true',  # defaults to true; belt and braces
++                'MM_FILESETTINGS_AMAZONS3ENDPOINT': config['s3_endpoint'],
++                'MM_FILESETTINGS_AMAZONS3BUCKET': config['s3_bucket'],
++                'MM_FILESETTINGS_AMAZONS3REGION': config['s3_region'],
++                'MM_FILESETTINGS_AMAZONS3ACCESSKEYID': config['s3_access_key_id'],
++                'MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY': config['s3_secret_access_key'],
++                'MM_FILESETTINGS_AMAZONS3SSE': 'true' if config['s3_server_side_encryption'] else 'false',
++                'MM_FILESETTINGS_AMAZONS3TRACE': 'true' if config['debug'] else 'false',
+             }
--        ]
++        )
--    def _make_licence_k8s_secrets(self):
--        """Return secret for the licence."""
++    def _update_env_config_for_licence(self, env_config):
++        """Create or delete the licence file and, in the former case, add its location to env_config."""
          config = self.model.config
--        if not config['licence']:
--            return []
--        return [
--            {
--                'name': self._get_licence_secret_name(),
--                'type': 'Opaque',
--                'stringData': {LICENCE_SECRET_KEY_NAME: config['licence']},
--            }
--        ]
++        container = self.unit.get_container(CONTAINER_NAME)
--    def _update_pod_spec_for_licence(self, pod_spec):
--        """Update pod_spec to make the licence, if configured, available to Mattermost."""
--        config = self.model.config
          if not config['licence']:
              return
--        secrets = pod_spec['kubernetesResources'].get('secrets', [])
--        secrets = extend_list_merging_dicts_matched_by_key(secrets, self._make_licence_k8s_secrets(), key='name')
--        pod_spec['kubernetesResources']['secrets'] = secrets
--
--        container = get_container(pod_spec, self.app.name)
--        volume_config = container.get('volumeConfig', [])
--        volume_config = extend_list_merging_dicts_matched_by_key(
--            volume_config, self._make_licence_volume_configs(), key='name'
--        )
--        container['volumeConfig'] = volume_config
--
--        get_env_config(pod_spec, self.app.name).update(
--            {'MM_SERVICESETTINGS_LICENSEFILELOCATION': '/secrets/licence.txt'},
++        # XXX: Per https://bugs.launchpad.net/juju/+bug/1854759 and
++        #      https://bugs.launchpad.net/juju/+bug/1878120 we don't currently
++        #      have a way of interacting with k8s secrets. Current guidance is
++        #      to use juju config directly for this, as we're doing here.
++        licence_file = LICENCE_FILE_TEMPLATE.format(crc32(config['licence'].encode('utf-8')))
++        logger.debug('Asking pebble to create {} in the {} container'.format(
++            licence_file, CONTAINER_NAME))
++        container.push(licence_file, config['licence'])
++        env_config.update(
++            {'MM_SERVICESETTINGS_LICENSEFILELOCATION': licence_file},
+         )
--    def _update_pod_spec_for_canonical_defaults(self, pod_spec):
--        """Update pod_spec with various Mattermost settings particular to Canonical's deployment.
++    def _update_env_config_for_enterprise_defaults(self, env_config):
++        """Update env_config with various Mattermost settings particular to an Enterprise deployment.
          These settings may be less generally useful, and so they are controlled here as a unit.
          """
          config = self.model.config
--        if not config['use_canonical_defaults']:
++        if not config['use_enterprise_defaults']:
              return
--        get_env_config(pod_spec, self.app.name).update(
++        env_config.update(
+             {
                  # If this is off, users can't turn it on themselves.
                  'MM_SERVICESETTINGS_CLOSEUNUSEDDIRECTMESSAGES': 'true',
@@ -410,8 +356,8 @@ class MattermostK8sCharm(CharmBase):
+             }
+         )
--    def _update_pod_spec_for_clustering(self, pod_spec):
--        """Update pod_spec with clustering settings, varying the cluster name on the application name.
++    def _update_env_config_for_clustering(self, env_config):
++        """Update env_config with clustering settings, varying the cluster name on the application name.
          This is done so that blue/green deployments in the same model won't talk to each other.
          """
@@ -419,7 +365,7 @@ class MattermostK8sCharm(CharmBase):
          if not config['clustering']:
              return
--        get_env_config(pod_spec, self.app.name).update(
++        env_config.update(
+             {
                  "MM_CLUSTERSETTINGS_ENABLE": "true",
                  "MM_CLUSTERSETTINGS_CLUSTERNAME": '{}-{}'.format(self.app.name, os.environ['JUJU_MODEL_UUID']),
@@ -427,18 +373,18 @@ class MattermostK8sCharm(CharmBase):
+             }
+         )
--    def _update_pod_spec_for_sso(self, pod_spec):
--        """Update pod_spec with settings to use login.ubuntu.com via SAML for single sign-on.
++    def _update_env_config_for_sso(self, env_config):
++        """Update env_config with settings to use login.ubuntu.com via SAML for single sign-on.
          SAML_IDP_CRT must be generated and installed manually by a human (see README.md).
          """
          config = self.model.config
          if not config['sso'] or [setting for setting in REQUIRED_SSO_SETTINGS if not config[setting]]:
              return
--        site_hostname = urlparse(config['site_url']).hostname
++        site_hostname = self._get_external_hostname()
          use_experimental_saml_library = 'true' if config['use_experimental_saml_library'] else 'false'
--        get_env_config(pod_spec, self.app.name).update(
++        env_config.update(
+             {
                  'MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL': 'false',
                  'MM_EMAILSETTINGS_ENABLESIGNINWITHUSERNAME': 'false',
@@ -463,23 +409,24 @@ class MattermostK8sCharm(CharmBase):
+             }
+         )
--    def _update_pod_spec_for_performance_monitoring(self, pod_spec):
++    def _update_env_config_for_performance_monitoring(self, env_config):
          """Update pod_spec with settings for the Prometheus exporter."""
          config = self.model.config
          if not config['performance_monitoring_enabled']:
              return
--        get_env_config(pod_spec, self.app.name).update(
++        env_config.update(
+             {
                  'MM_METRICSSETTINGS_ENABLE': 'true' if config['performance_monitoring_enabled'] else 'false',
                  'MM_METRICSSETTINGS_LISTENADDRESS': ':{}'.format(METRICS_PORT),
+             }
+         )
++        # XXX: See LP:1923820.
          # Ordinarily pods are selected for scraping by the in-cluster
          # Prometheus based on their annotations.  Unfortunately Juju
--        # doesn't support pod annotations yet (LP:1884177).  When it
--        # does, here are the annotations we'll need to add:
++        # doesn't support pod annotations yet.
++        # Here are the annotations we'll need to add:
          # [ fetch or create annotations dict ]
          # annotations.update({
@@ -490,14 +437,14 @@ class MattermostK8sCharm(CharmBase):
          # })
          # [ store annotations in pod_spec ]
--    def _update_pod_spec_for_push(self, pod_spec):
++    def _update_env_config_for_push(self, env_config):
          """Update pod_spec with settings for Mattermost HPNS (hosted push notification service)."""
          config = self.model.config
          if not config['push_notification_server']:
              return
          contents = 'full' if config['push_notifications_include_message_snippet'] else 'id_loaded'
--        get_env_config(pod_spec, self.app.name).update(
++        env_config.update(
+             {
                  'MM_EMAILSETTINGS_SENDPUSHNOTIFICATIONS': 'true',
                  'MM_EMAILSETTINGS_PUSHNOTIFICATIONCONTENTS': contents,
@@ -505,49 +452,32 @@ class MattermostK8sCharm(CharmBase):
+             }
+         )
--    def _update_pod_spec_for_smtp(self, pod_spec):
++    def _update_env_config_for_smtp(self, env_config):
          """Update pod_spec with settings for an outgoing SMTP relay."""
          config = self.model.config
          if not config['smtp_host']:
              return
--        get_env_config(pod_spec, self.app.name).update(
++        env_config.update(
              {'MM_EMAILSETTINGS_SMTPPORT': 25, 'MM_EMAILSETTINGS_SMTPSERVER': config['smtp_host']}
+         )
--    def configure_pod(self, event):
--        """Assemble the pod spec and apply it, if possible."""
--        if not self.state.db_uri:
--            self.unit.status = WaitingStatus('Waiting for database relation')
--            event.defer()
--            return
--
--        if not self.unit.is_leader():
--            self.unit.status = ActiveStatus()
--            return
--
--        problems = self._check_for_config_problems()
--        if problems:
--            self.unit.status = BlockedStatus(problems)
--            return
--
--        self.unit.status = MaintenanceStatus('Assembling pod spec')
--        pod_spec = self._make_pod_spec()
--        self._update_pod_spec_for_canonical_defaults(pod_spec)
--        self._update_pod_spec_for_clustering(pod_spec)
--        self._update_pod_spec_for_k8s_ingress(pod_spec)
--        self._update_pod_spec_for_licence(pod_spec)
--        self._update_pod_spec_for_performance_monitoring(pod_spec)
--        self._update_pod_spec_for_push(pod_spec)
--        self._update_pod_spec_for_sso(pod_spec)
--        self._update_pod_spec_for_smtp(pod_spec)
--
--        self.unit.status = MaintenanceStatus('Setting pod spec')
--        self.model.pod.set_spec(pod_spec)
--        self.unit.status = ActiveStatus()
++    def _get_env_config(self):
++        """Assemble our environment configuration."""
++        env_config = self._make_env_config()
++        self._update_env_config_for_s3(env_config)
++        self._update_env_config_for_enterprise_defaults(env_config)
++        self._update_env_config_for_clustering(env_config)
++        self._update_env_config_for_licence(env_config)
++        self._update_env_config_for_performance_monitoring(env_config)
++        self._update_env_config_for_push(env_config)
++        self._update_env_config_for_sso(env_config)
++        self._update_env_config_for_smtp(env_config)
++        return env_config
      def _on_grant_admin_role_action(self, event):
          """Handle the grant-admin-role action."""
++        # XXX: Currently fails due to https://bugs.launchpad.net/juju/+bug/1923822
          user = event.params["user"]
          cmd = ["/mattermost/bin/mattermost", "roles", "system_admin", user]
          granted = subprocess.run(cmd, capture_output=True)
@@ -561,5 +491,8 @@ class MattermostK8sCharm(CharmBase):
              event.set_results({"info": msg})
--if __name__ == '__main__':
--    main(MattermostK8sCharm, use_juju_for_storage=True)
++if __name__ == '__main__':  # pragma: no cover
++    main(
++        MattermostK8sCharm,
++        use_juju_for_storage=True,  # https://github.com/canonical/operator/issues/506
++    )
 diff --git a/src/utils.py b/src/utils.py
 deleted file mode 100644
 index f02316f..0000000
 --- a/src/utils.py
 +++ /dev/null
@@ -1,20 +0,0 @@
--# Copyright 2020 Canonical Ltd.
--# Licensed under the GPLv3, see LICENCE file for details.
--
--from copy import deepcopy
--
--
--def extend_list_merging_dicts_matched_by_key(dst, src, key):
--    """Merge src, a list of zero or more dictionaries, into dst, also
--    such a list.  Dictionaries with the same key will be copied from dst
--    and then merged using .update(src).  This is not done recursively."""
--    result = []
--    sbk = {s[key]: s for s in src}
--    dbk = {d[key]: d for d in dst}
--    to_merge = set(dbk.keys()).intersection(sbk.keys())
--    result.extend([s for s in src if s[key] not in to_merge])
--    result.extend([d for d in dst if d[key] not in to_merge])
--    for k in sorted(to_merge):
--        result.append(deepcopy(dbk[k]))
--        result[-1].update(sbk[k])
--    return result
 diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
 index 6fb16c7..a30ca8f 100644
 --- a/tests/unit/test_charm.py
 +++ b/tests/unit/test_charm.py
@@ -7,49 +7,13 @@ import unittest
  from unittest.mock import Mock
  from charm import (
++    CONTAINER_PORT,
      MattermostK8sCharm,
      METRICS_PORT,
+ )
  from ops import testing
--CONFIG_IMAGE_NO_CREDS = {
--    'clustering': False,
--    'mattermost_image_path': 'example.com/mattermost:latest',
--    'mattermost_image_username': '',
--    'mattermost_image_password': '',
--    'performance_monitoring_enabled': False,
--    's3_enabled': False,
--    's3_server_side_encryption': False,
--    'sso': False,
--}
--
--CONFIG_IMAGE_NO_IMAGE = {
--    'clustering': False,
--    'mattermost_image_path': '',
--    'mattermost_image_username': '',
--    'mattermost_image_password': '',
--    'performance_monitoring_enabled': False,
--    's3_enabled': False,
--    's3_server_side_encryption': False,
--    'sso': False,
--}
--
--CONFIG_IMAGE_NO_PASSWORD = {
--    'clustering': False,
--    'mattermost_image_path': 'example.com/mattermost:latest',
--    'mattermost_image_username': 'production',
--    'mattermost_image_password': '',
--    'performance_monitoring_enabled': False,
--    's3_enabled': False,
--    's3_server_side_encryption': False,
--    'sso': False,
--}
--
--CONFIG_LICENCE_SECRET = {"licence": "RANDOMSTRING"}
--
--CONFIG_NO_LICENCE_SECRET = {"licence": ""}
--
  CONFIG_NO_S3_SETTINGS_S3_ENABLED = {
      'clustering': False,
      'debug': False,
@@ -106,6 +70,76 @@ CONFIG_LICENCE_REQUIRED_MIXED_INGRESS = {
      'sso': False,
+ }
++DUMMY_LICENCE = "This is not a valid licence!"
++DUMMY_LICENCE_FILE = '/mattermost/licence-67efe49b.txt'
++
++GET_PEBBLE_CONFIG_EXPECTED = {
++    'MATTERMOST_HTTPD_LISTEN_PORT': 8065,
++    'MM_CONFIG': 'postgres://10.0.1.101:5432/',
++    'MM_IMAGEPROXYSETTINGS_ENABLE': 'false',
++    'MM_IMAGEPROXYSETTINGS_IMAGEPROXYTYPE': 'local',
++    'MM_LOGSETTINGS_CONSOLELEVEL': 'INFO',
++    'MM_LOGSETTINGS_ENABLECONSOLE': 'true',
++    'MM_LOGSETTINGS_ENABLEFILE': 'false',
++    'MM_SQLSETTINGS_DATASOURCE': 'postgres://10.0.1.101:5432/',
++}
++
++
++def _mm_env(pebble_config):
++    """Extract mattermost's environment from the given pebble_config."""
++    return pebble_config['services']['mattermost']['environment']
++
++
++class TestMattermostK8sCharmConfig(unittest.TestCase):
++    def setUp(self):
++        self.harness = testing.Harness(MattermostK8sCharm)
++        self.harness.begin()
++        self.harness.disable_hooks()
++        self.harness.charm.state.db_uri = 'postgresql://10.0.1.101:5432/'
++        self._expected = dict(GET_PEBBLE_CONFIG_EXPECTED)
++
++    def test_config_db_uri(self):
++        self.assertEqual(_mm_env(self.harness.charm._get_pebble_config()), self._expected)
++
++    def test_config_primary_team(self):
++        self.harness.update_config({"primary_team": "myteam"})
++        self._expected['MM_TEAMSETTINGS_EXPERIMENTALPRIMARYTEAM'] = "myteam"
++        self.assertEqual(_mm_env(self.harness.charm._get_pebble_config()), self._expected)
++
++    def test_config_site_url(self):
++        self.harness.update_config({"site_url": "https://myteam.mattermost.io/"})
++        self._expected['MM_SERVICESETTINGS_SITEURL'] = "https://myteam.mattermost.io/"
++        self.assertEqual(_mm_env(self.harness.charm._get_pebble_config()), self._expected)
++
++    def test_config_outbound_proxy(self):
++        self.harness.update_config({"outbound_proxy": "http://squid.internal:3128"})
++        self._expected['HTTP_PROXY'] = "http://squid.internal:3128"
++        self._expected['HTTPS_PROXY'] = "http://squid.internal:3128"
++        self.harness.update_config({"outbound_proxy_exceptions": "charmhub.io"})
++        self._expected['NO_PROXY'] = "charmhub.io"
++        self.assertEqual(_mm_env(self.harness.charm._get_pebble_config()), self._expected)
++
++    def test_config_smtp_host(self):
++        self.harness.update_config({"smtp_host": "smtp.internal"})
++        self._expected['MM_EMAILSETTINGS_SMTPPORT'] = 25
++        self._expected['MM_EMAILSETTINGS_SMTPSERVER'] = 'smtp.internal'
++        self.assertEqual(_mm_env(self.harness.charm._get_pebble_config()), self._expected)
++
++    @mock.patch('ops.testing._TestingPebbleClient.push')  # https://github.com/canonical/operator/issues/518
++    def test_config_licence(self, _push):
++        self.harness.update_config({"licence": DUMMY_LICENCE})
++        self._expected['MM_SERVICESETTINGS_LICENSEFILELOCATION'] = DUMMY_LICENCE_FILE
++        self.assertEqual(_mm_env(self.harness.charm._get_pebble_config()), self._expected)
++        _push.assert_called_once()
++        self.assertEqual(_push.call_args.args, (DUMMY_LICENCE_FILE, DUMMY_LICENCE,))
++
++    def test_get_external_hostname_default(self):
++        self.assertEqual(self.harness.charm._get_external_hostname(), self.harness.charm.app.name)
++
++    def test_get_external_hostname_site_url(self):
++        self.harness.update_config({"site_url": "https://chat.example.com/"})
++        self.assertEqual(self.harness.charm._get_external_hostname(), "chat.example.com")
++
  class TestMattermostK8sCharmHooksDisabled(unittest.TestCase):
      def setUp(self):
@@ -121,39 +155,21 @@ class TestMattermostK8sCharmHooksDisabled(unittest.TestCase):
+         )
          self.assertEqual(self.harness.charm._check_for_config_problems(), expected)
--    def test_make_pod_config(self):
--        """Make pod config."""
--        self.harness.charm.state.db_uri = 'postgresql://10.0.1.101:5432/'
++    def test_make_ingress_config(self):
++        hostname = 'myteam.mattermost.io'
++        self.harness.update_config({"site_url": "https://{}/".format(hostname)})
++        self.harness.update_config({"tls_secret_name": "{}-tls".format(hostname)})
++
          expected = {
--            'MATTERMOST_HTTPD_LISTEN_PORT': 8065,
--            'MM_CONFIG': 'postgres://10.0.1.101:5432/',
--            'MM_IMAGEPROXYSETTINGS_ENABLE': 'false',
--            'MM_IMAGEPROXYSETTINGS_IMAGEPROXYTYPE': 'local',
--            'MM_LOGSETTINGS_CONSOLELEVEL': 'INFO',
--            'MM_LOGSETTINGS_ENABLECONSOLE': 'true',
--            'MM_LOGSETTINGS_ENABLEFILE': 'false',
--            'MM_SQLSETTINGS_DATASOURCE': 'postgres://10.0.1.101:5432/',
++            "max-body-size": self.harness.charm.config["max_file_size"],
++            "service-hostname": hostname,
++            "service-name": self.harness.charm.app.name,
++            "service-port": CONTAINER_PORT,
++            "tls-secret-name": '{}-tls'.format(hostname),
+         }
--        self.assertEqual(self.harness.charm._make_pod_config(), expected)
--        # Now test with `primary_team` set.
--        self.harness.update_config({"primary_team": "myteam"})
--        expected['MM_TEAMSETTINGS_EXPERIMENTALPRIMARYTEAM'] = "myteam"
--        self.assertEqual(self.harness.charm._make_pod_config(), expected)
--        # Now test with `site_url` set.
--        self.harness.update_config({"site_url": "myteam.mattermost.io"})
--        expected['MM_SERVICESETTINGS_SITEURL'] = "myteam.mattermost.io"
--        self.assertEqual(self.harness.charm._make_pod_config(), expected)
--        # Now test with `outbound_proxy` set.
--        self.harness.update_config({"outbound_proxy": "http://squid.internal:3128"})
--        expected['HTTP_PROXY'] = "http://squid.internal:3128"
--        expected['HTTPS_PROXY'] = "http://squid.internal:3128"
--        self.assertEqual(self.harness.charm._make_pod_config(), expected)
--        # Now test with `outbound_proxy_exceptions` set.
--        self.harness.update_config({"outbound_proxy_exceptions": "charmhub.io"})
--        expected['NO_PROXY'] = "charmhub.io"
--        self.assertEqual(self.harness.charm._make_pod_config(), expected)
++        self.assertEqual(self.harness.charm._make_ingress_config(), expected)
--    def test_make_s3_pod_config(self):
++    def test_make_s3_env_config(self):
          """Make s3 pod config."""
          self.harness.update_config(CONFIG_NO_S3_SETTINGS_S3_ENABLED)
          expected = {
@@ -168,25 +184,9 @@ class TestMattermostK8sCharmHooksDisabled(unittest.TestCase):
              'MM_FILESETTINGS_AMAZONS3SSE': 'false',
              'MM_FILESETTINGS_AMAZONS3TRACE': 'false',
+         }
--        self.assertEqual(self.harness.charm._make_s3_pod_config(), expected)
--
--    def test_missing_charm_settings_image_no_creds(self):
--        """Credentials are optional."""
--        self.harness.update_config(CONFIG_IMAGE_NO_CREDS)
--        expected = []
--        self.assertEqual(sorted(self.harness.charm._missing_charm_settings()), expected)
--
--    def test_missing_charm_settings_image_no_image(self):
--        """Image path is required."""
--        self.harness.update_config(CONFIG_IMAGE_NO_IMAGE)
--        expected = sorted(['mattermost_image_path'])
--        self.assertEqual(sorted(self.harness.charm._missing_charm_settings()), expected)
--
--    def test_missing_charm_settings_image_no_password(self):
--        """Password is required when username is set."""
--        self.harness.update_config(CONFIG_IMAGE_NO_PASSWORD)
--        expected = sorted(['mattermost_image_password'])
--        self.assertEqual(sorted(self.harness.charm._missing_charm_settings()), expected)
++        env_config = {}
++        self.harness.charm._update_env_config_for_s3(env_config)
++        self.assertEqual(env_config, expected)
      def test_missing_charm_settings_no_s3_settings_s3_enabled(self):
          """If S3 is enabled, we need lots of settings to be set."""
@@ -204,240 +204,90 @@ class TestMattermostK8sCharmHooksDisabled(unittest.TestCase):
          """If push_notification_server is set to an empty string (default) don't update spec"""
          self.harness.update_config(CONFIG_PUSH_NOTIFICATION_SERVER_UNSET)
          expected = {}
--        pod_spec = {}
--        self.harness.charm._update_pod_spec_for_push(pod_spec)
--        self.assertEqual(pod_spec, expected)
++        env_config = {}
++        self.harness.charm._update_env_config_for_push(env_config)
++        self.assertEqual(env_config, expected)
      def test_push_notification_no_message_snippet(self):
          """Push notification configured, but without message snippets"""
          self.harness.update_config(CONFIG_PUSH_NOTIFICATION_NO_MESSAGE_SNIPPET)
          expected = {
--            'containers': [
--                {
--                    'name': 'mattermost-k8s',
--                    'envConfig': {
--                        'MM_EMAILSETTINGS_SENDPUSHNOTIFICATIONS': 'true',
--                        'MM_EMAILSETTINGS_PUSHNOTIFICATIONCONTENTS': 'id_loaded',
--                        'MM_EMAILSETTINGS_PUSHNOTIFICATIONSERVER': 'https://push.mattermost.com/',
--                    },
--                }
--            ],
++            'MM_EMAILSETTINGS_SENDPUSHNOTIFICATIONS': 'true',
++            'MM_EMAILSETTINGS_PUSHNOTIFICATIONCONTENTS': 'id_loaded',
++            'MM_EMAILSETTINGS_PUSHNOTIFICATIONSERVER': 'https://push.mattermost.com/',
+         }
--        pod_spec = {
--            'containers': [{'name': 'mattermost-k8s', 'envConfig': {}}],
--        }
--        self.harness.charm._update_pod_spec_for_push(pod_spec)
--        self.assertEqual(pod_spec, expected)
++        env_config = {}
++        self.harness.charm._update_env_config_for_push(env_config)
++        self.assertEqual(env_config, expected)
      def test_push_notification_message_snippet(self):
          """Push notifications configured, including message snippets"""
          self.harness.update_config(CONFIG_PUSH_NOTIFICATION_MESSAGE_SNIPPET)
          expected = {
--            'containers': [
--                {
--                    'name': 'mattermost-k8s',
--                    'envConfig': {
--                        'MM_EMAILSETTINGS_SENDPUSHNOTIFICATIONS': 'true',
--                        'MM_EMAILSETTINGS_PUSHNOTIFICATIONCONTENTS': 'full',
--                        'MM_EMAILSETTINGS_PUSHNOTIFICATIONSERVER': 'https://push.mattermost.com/',
--                    },
--                }
--            ],
--        }
--        pod_spec = {
--            'containers': [{'name': 'mattermost-k8s', 'envConfig': {}}],
--        }
--        self.harness.charm._update_pod_spec_for_push(pod_spec)
--        self.assertEqual(pod_spec, expected)
--
--    def test_get_licence_secret_name(self):
--        """Test the licence secret name is correctly constructed"""
--        self.harness.update_config(CONFIG_LICENCE_SECRET)
--        self.assertEqual(self.harness.charm._get_licence_secret_name(), "mattermost-k8s-licence-b5bbb1bf")
--
--    def test_make_licence_k8s_secrets(self):
--        """Test making licence k8s secrets"""
--        self.harness.update_config(CONFIG_NO_LICENCE_SECRET)
--        self.assertEqual(self.harness.charm._make_licence_k8s_secrets(), [])
--        self.harness.update_config(CONFIG_LICENCE_SECRET)
--        expected = [
--            {'name': 'mattermost-k8s-licence-b5bbb1bf', 'type': 'Opaque', 'stringData': {'licence': 'RANDOMSTRING'}}
--        ]
--        self.assertEqual(self.harness.charm._make_licence_k8s_secrets(), expected)
--
--    def test_make_licence_volume_configs(self):
--        """Test making licence volume configs"""
--        self.harness.update_config(CONFIG_NO_LICENCE_SECRET)
--        self.assertEqual(self.harness.charm._make_licence_volume_configs(), [])
--        self.harness.update_config(CONFIG_LICENCE_SECRET)
--        expected = [
--            {
--                'name': 'licence',
--                'mountPath': '/secrets',
--                'secret': {
--                    'name': 'mattermost-k8s-licence-b5bbb1bf',
--                    'files': [{'key': 'licence', 'path': 'licence.txt', 'mode': 0o444}],
--                },
--            }
--        ]
--        self.assertEqual(self.harness.charm._make_licence_volume_configs(), expected)
--
--    def test_update_pod_spec_for_k8s_ingress(self):
--        """Test making the k8s ingress, and ensuring ingress name is different to app name
--
--        We're specifically testing that the ingress name is not the same as
--        the app name due to LP#1884674."""
--        self.harness.update_config(
--            {
--                'ingress_whitelist_source_range': '',
--                'max_file_size': 5,
--                'site_url': 'https://chat.example.com',
--                'tls_secret_name': 'chat-example-com-tls',
--            }
--        )
--        ingress_name = 'mattermost-k8s-ingress'
--        self.assertNotEqual(ingress_name, self.harness.charm.app.name)
--        expected = {
--            'kubernetesResources': {
--                'ingressResources': [
--                    {
--                        'name': ingress_name,
--                        'spec': {
--                            'rules': [
--                                {
--                                    'host': 'chat.example.com',
--                                    'http': {
--                                        'paths': [
--                                            {
--                                                'path': '/',
--                                                'backend': {'serviceName': 'mattermost-k8s', 'servicePort': 8065},
--                                            }
--                                        ]
--                                    },
--                                }
--                            ],
--                            'tls': [{'hosts': ['chat.example.com'], 'secretName': 'chat-example-com-tls'}],
--                        },
--                        'annotations': {'nginx.ingress.kubernetes.io/proxy-body-size': '5m'},
--                    }
--                ]
--            }
--        }
--        pod_spec = {}
--        self.harness.charm._update_pod_spec_for_k8s_ingress(pod_spec)
--        self.assertEqual(pod_spec, expected)
--        # And now test with an ingress_whitelist_source_range, and an http
--        # rather than https site_url to test a few more ingress conditions.
--        self.harness.update_config(
--            {'ingress_whitelist_source_range': '10.10.10.10/24', 'site_url': 'http://chat.example.com'}
--        )
--        expected = {
--            'kubernetesResources': {
--                'ingressResources': [
--                    {
--                        'name': ingress_name,
--                        'spec': {
--                            'rules': [
--                                {
--                                    'host': 'chat.example.com',
--                                    'http': {
--                                        'paths': [
--                                            {
--                                                'path': '/',
--                                                'backend': {'serviceName': 'mattermost-k8s', 'servicePort': 8065},
--                                            }
--                                        ]
--                                    },
--                                }
--                            ],
--                        },
--                        'annotations': {
--                            'nginx.ingress.kubernetes.io/proxy-body-size': '5m',
--                            'nginx.ingress.kubernetes.io/ssl-redirect': 'false',
--                            'nginx.ingress.kubernetes.io/whitelist-source-range': '10.10.10.10/24',
--                        },
--                    }
--                ]
--            }
++            'MM_EMAILSETTINGS_SENDPUSHNOTIFICATIONS': 'true',
++            'MM_EMAILSETTINGS_PUSHNOTIFICATIONCONTENTS': 'full',
++            'MM_EMAILSETTINGS_PUSHNOTIFICATIONSERVER': 'https://push.mattermost.com/',
+         }
--        pod_spec = {}
--        self.harness.charm._update_pod_spec_for_k8s_ingress(pod_spec)
--        self.assertEqual(pod_spec, expected)
++        env_config = {}
++        self.harness.charm._update_env_config_for_push(env_config)
++        self.assertEqual(env_config, expected)
--    def test_update_pod_spec_for_performance_monitoring(self):
++    def test_update_env_config_for_performance_monitoring(self):
          """envConfig is updated, and pre-existing annotations are not clobbered."""
          # We can't set annotations yet because of LP:1884177.
          # When we can, this test will need updating.
          self.harness.update_config({'performance_monitoring_enabled': True})
--        pod_spec = {
--            'containers': [{'name': 'mattermost-k8s', 'envConfig': {}}],
--        }
++        env_config = {}
          expected = {
--            'containers': [
--                {
--                    'name': 'mattermost-k8s',
--                    'envConfig': {
--                        'MM_METRICSSETTINGS_ENABLE': 'true',
--                        'MM_METRICSSETTINGS_LISTENADDRESS': ':{}'.format(METRICS_PORT),
--                    },
--                }
--            ],
++            'MM_METRICSSETTINGS_ENABLE': 'true',
++            'MM_METRICSSETTINGS_LISTENADDRESS': ':{}'.format(METRICS_PORT),
+         }
--        self.harness.charm._update_pod_spec_for_performance_monitoring(pod_spec)
--        self.assertEqual(pod_spec, expected)
++        self.harness.charm._update_env_config_for_performance_monitoring(env_config)
++        self.assertEqual(env_config, expected)
      @mock.patch.dict('os.environ', {"JUJU_MODEL_UUID": "fakeuuid"})
--    def test_update_pod_spec_for_clustering(self):
--        """Test clustering config."""
++    def test_update_env_config_for_clustering_disabled(self):
++        """Test config when clustering disabled."""
          self.harness.update_config({'clustering': False})
--        pod_spec = {}
--        self.harness.charm._update_pod_spec_for_clustering(pod_spec)
--        self.assertEqual(pod_spec, {})
++        env_config = {}
++        expected = {}
++        self.harness.charm._update_env_config_for_clustering(env_config)
++        self.assertEqual(env_config, expected)
++
++    @mock.patch.dict('os.environ', {"JUJU_MODEL_UUID": "fakeuuid"})
++    def test_update_env_config_for_clustering_enabled(self):
++        """Test config when clustering enabled."""
          self.harness.update_config({'clustering': True})
--        pod_spec = {
--            'containers': [{'name': 'mattermost-k8s', 'envConfig': {}}],
--        }
++        env_config = {}
          expected = {
--            'containers': [
--                {
--                    'name': 'mattermost-k8s',
--                    'envConfig': {
--                        'MM_CLUSTERSETTINGS_ENABLE': 'true',
--                        'MM_CLUSTERSETTINGS_CLUSTERNAME': 'mattermost-k8s-fakeuuid',
--                        'MM_CLUSTERSETTINGS_USEIPADDRESS': 'true',
--                    },
--                }
--            ],
--        }
--        self.harness.charm._update_pod_spec_for_clustering(pod_spec)
--        self.assertEqual(pod_spec, expected)
--
--    def test_update_pod_spec_for_canonical_defaults(self):
--        """Test canonical defaults."""
--        self.harness.update_config({'use_canonical_defaults': False})
--        pod_spec = {}
--        self.harness.charm._update_pod_spec_for_canonical_defaults(pod_spec)
--        self.assertEqual(pod_spec, {})
--        self.harness.update_config({'use_canonical_defaults': True})
--        pod_spec = {
--            'containers': [{'name': 'mattermost-k8s', 'envConfig': {}}],
++            'MM_CLUSTERSETTINGS_ENABLE': 'true',
++            'MM_CLUSTERSETTINGS_CLUSTERNAME': 'mattermost-k8s-fakeuuid',
++            'MM_CLUSTERSETTINGS_USEIPADDRESS': 'true',
+         }
++        self.harness.charm._update_env_config_for_clustering(env_config)
++        self.assertEqual(env_config, expected)
++
++    def test_update_env_config_for_enterprise_defaults_disabled(self):
++        """Test config when enterprise defaults disabled."""
++        self.harness.update_config({'use_enterprise_defaults': False})
++        env_config = {}
++        expected = {}
++        self.harness.charm._update_env_config_for_enterprise_defaults(env_config)
++        self.assertEqual(env_config, expected)
++
++    def test_update_env_config_for_enterprise_defaults_enabled(self):
++        """Test config when enterprise defaults enabled."""
++        self.harness.update_config({'use_enterprise_defaults': True})
++        env_config = {}
          expected = {
--            'containers': [
--                {
--                    'name': 'mattermost-k8s',
--                    'envConfig': {
--                        'MM_SERVICESETTINGS_CLOSEUNUSEDDIRECTMESSAGES': 'true',
--                        'MM_SERVICESETTINGS_ENABLECUSTOMEMOJI': 'true',
--                        'MM_SERVICESETTINGS_ENABLELINKPREVIEWS': 'true',
--                        'MM_SERVICESETTINGS_ENABLEUSERACCESSTOKENS': 'true',
--                        'MM_TEAMSETTINGS_MAXUSERSPERTEAM': '1000',
--                    },
--                }
--            ],
++            'MM_SERVICESETTINGS_CLOSEUNUSEDDIRECTMESSAGES': 'true',
++            'MM_SERVICESETTINGS_ENABLECUSTOMEMOJI': 'true',
++            'MM_SERVICESETTINGS_ENABLELINKPREVIEWS': 'true',
++            'MM_SERVICESETTINGS_ENABLEUSERACCESSTOKENS': 'true',
++            'MM_TEAMSETTINGS_MAXUSERSPERTEAM': '1000',
+         }
--        self.harness.charm._update_pod_spec_for_canonical_defaults(pod_spec)
--        self.assertEqual(pod_spec, expected)
++        self.harness.charm._update_env_config_for_enterprise_defaults(env_config)
++        self.assertEqual(env_config, expected)
  class TestMattermostK8sCharmHooksEnabled(unittest.TestCase):
 diff --git a/tests/unit/test_helpers.py b/tests/unit/test_helpers.py
 index 9987fd3..6820916 100644
 --- a/tests/unit/test_helpers.py
 +++ b/tests/unit/test_helpers.py
@@ -5,8 +5,6 @@ import unittest
  from charm import (
      check_ranges,
--    get_container,
--    get_env_config,
+ )
  POD_SPEC_MULTIPLE_CONTAINERS = {
@@ -39,28 +37,3 @@ class TestMattermostCharmHelpers(unittest.TestCase):
          """Any CIDRs that has host bits set must be rejected, even if others are OK."""
          expected = 'range_mixed: invalid network(s): 10.242.0.0/8'
          self.assertEqual(check_ranges(RANGE_MIXED, 'range_mixed'), expected)
--
--    def test_get_container(self):
--        """The container with matching name is returned."""
--        expected = {'name': 'two', 'envConfig': {'THIS_CONTAINER': 'two'}}
--        self.assertEqual(get_container(POD_SPEC_MULTIPLE_CONTAINERS, 'two'), expected)
--
--    def test_get_container_nonexistent(self):
--        """No matching container raises ValueError."""
--        with self.assertRaises(ValueError):
--            get_container(POD_SPEC_MULTIPLE_CONTAINERS, 'eleventy-ten')
--
--    def test_get_env_config(self):
--        """The envConfig of the container with the matching name is returned."""
--        expected = {'THIS_CONTAINER': 'two'}
--        self.assertEqual(get_env_config(POD_SPEC_MULTIPLE_CONTAINERS, 'two'), expected)
--
--    def test_get_env_config_nonexistent_container(self):
--        """No matching container raises ValueError."""
--        with self.assertRaises(ValueError):
--            get_env_config(POD_SPEC_MULTIPLE_CONTAINERS, 'eleventy-ten')
--
--    def test_get_env_config_container_no_envconfig(self):
--        """Container with no envConfig raises ValueError."""
--        with self.assertRaises(ValueError):
--            get_env_config(POD_SPEC_NO_ENVCONFIG, 'one')
 diff --git a/tests/unit/test_utils.py b/tests/unit/test_utils.py
 deleted file mode 100644
 index 887c17f..0000000
 --- a/tests/unit/test_utils.py
 +++ /dev/null
@@ -1,45 +0,0 @@
--# Copyright 2020 Canonical Ltd.
--# Licensed under the GPLv3, see LICENCE file for details.
--
--import unittest
--
--from copy import deepcopy
--
--from utils import extend_list_merging_dicts_matched_by_key
--
--
--class TestExtendListMergingDictsByKey(unittest.TestCase):
--    def test_nothing(self):
--        """Nothing in, nothing out."""
--        self.assertEqual(extend_list_merging_dicts_matched_by_key([], [], key=None), [])
--
--    def test_same(self):
--        """Identity."""
--        self.assertEqual(extend_list_merging_dicts_matched_by_key([{1: 1}], [{1: 1}], key=1), [{1: 1}])
--
--    def test_different(self):
--        """Colleagues."""
--        self.assertEqual(extend_list_merging_dicts_matched_by_key([{1: 2}], [{1: 1}], key=1), [{1: 1}, {1: 2}])
--
--    def test_merge_same_key(self):
--        """Now this is what we came here for!"""
--        self.assertEqual(
--            extend_list_merging_dicts_matched_by_key([{1: 1, 3: 4}], [{1: 1, 2: 3}], key=1), [{1: 1, 2: 3, 3: 4}]
--        )
--
--    def test_merge_same_key_different_key(self):
--        """A little of this, a little of that."""
--        self.assertEqual(
--            extend_list_merging_dicts_matched_by_key([{1: 1, 3: 4}], [{1: 1, 2: 3}, {1: 2, 5: 6}, {1: 3, 7: 8}], key=1),
--            [{1: 2, 5: 6}, {1: 3, 7: 8}, {1: 1, 2: 3, 3: 4}],
--        )
--
--    def test_merge_same_key_different_key_deepcopy(self):
--        """Merge targets are deep-copied beforehand."""
--        d = [{1: 1, 3: 4}]
--        dc = deepcopy(d)
--        s = [{1: 1, 2: 3}, {1: 2, 5: 6}, {1: 3, 7: 8}]
--        # Make sure it did something...
--        self.assertNotEqual(extend_list_merging_dicts_matched_by_key(d, s, key=1), d)
--        # ...but without altering d.
--        self.assertEqual(d, dc)
 diff --git a/tox.ini b/tox.ini
 index 066c5a8..ec74287 100644
 --- a/tox.ini
 +++ b/tox.ini
@@ -11,7 +11,7 @@ setenv =
  [testenv:unit]
  commands =
      pytest --ignore mod --ignore {toxinidir}/tests/functional \
--      {posargs:-v  --cov=src --cov-report=term-missing --cov-branch}
++      {posargs:-v  --cov=src --cov-report=term-missing --cov-branch --cov-report=html}
  deps = -r{toxinidir}/tests/unit/requirements.txt
         -r{toxinidir}/requirements.txt
  setenv =