diff --git a/.envrc b/.envrc index 6edee4dad4b..b7b3f2c35fd 100644 --- a/.envrc +++ b/.envrc @@ -13,15 +13,24 @@ store_paths=$(echo "$nix_files" | xargs nix-store --add ./nix) layout_dir=$(direnv_layout_dir) env_dir=./.env +export NIX_CONFIG='extra-experimental-features = nix-command' + [[ -d "$layout_dir" ]] || mkdir -p "$layout_dir" if [[ ! -d "$env_dir" || ! -f "$layout_dir/nix-rebuild" || "$store_paths" != $(< "$layout_dir/nix-rebuild" ) ]]; then - nix-build ./nix -A wireServer.devEnv --out-link ./.env - + bcmd=nix + if command -v nom &> /dev/null; then + if [[ "${USE_NOM}" != "0" ]]; then + bcmd=nom + fi + fi + echo "🔧 Building environment" + $bcmd build -f nix wireServer.devEnv -Lv --out-link ./.env echo "$store_paths" > "$layout_dir/nix-rebuild" fi PATH_add "./.env/bin" +PATH_add "./.env-hs-run/bin" path_add "PKG_CONFIG_PATH" "./.env/lib/pkgconfig" path_add "LIBRARY_PATH" "./.env/lib" path_add "PYTHONPATH" "./hack/python" @@ -32,9 +41,6 @@ PATH_add "./dist" # e.g. "nix-shell -p foo" will get "foo" for pkgs defined in ./nix/default.nix [[ -f "./.env/.profile" ]] && source_env "./.env/.profile" -# allow local .envrc overrides -[[ -f .envrc.local ]] && source_env .envrc.local - # Locale export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 @@ -51,3 +57,9 @@ export INTEGRATION_DYNAMIC_BACKENDS_POOLSIZE=3 export AWS_REGION="eu-west-1" export AWS_ACCESS_KEY_ID="dummykey" export AWS_SECRET_ACCESS_KEY="dummysecret" + +# integration test suite timeout +export TEST_TIMEOUT_SECONDS=2 + +# allow local .envrc overrides +[[ -f .envrc.local ]] && source_env .envrc.local diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bb50982db8f..7bb88e10d9b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
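Review bot: `export NIX_CONFIG='extra-experimental-features = nix-command'` in the first hunk overwrites whatever `NIX_CONFIG` the developer already has, so per-user settings such as `access-tokens`, `substituters` or `trusted-public-keys` silently vanish inside the direnv shell. Append instead of replace: `export NIX_CONFIG="${NIX_CONFIG-}"$'\n''extra-experimental-features = nix-command'` (nix ignores the blank first line when the variable was unset). Separately, the moved `source_env .envrc.local` now runs last and so overrides every export above it, and per the direnv stdlib docs `source_env` does not re-run the allow check on the sourced file; a comment above that line, `# NOTE: not covered by 'direnv allow' — do not commit, treat like any other local script`, would make that trust boundary explicit.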
@@ -4,24 +4,6 @@ on: branches: [master, develop] jobs: - treefmt: - name: Run treefmt - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - submodules: true - - uses: cachix/install-nix-action@v20 - - uses: cachix/cachix-action@v12 - with: - name: wire-server - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - name: Install treefmt and nixpkgs-fmt (without pulling in all of dev-env) - run: nix-env -if nix/default.nix -iA pkgs.treefmt pkgs.nixpkgs-fmt pkgs.shellcheck - - name: Run treefmt - run: treefmt - build-docs: name: Build docs runs-on: ubuntu-latest diff --git a/.gitignore b/.gitignore index 44db47dc2e5..a6318e378e3 100644 --- a/.gitignore +++ b/.gitignore @@ -40,25 +40,6 @@ services/nginz/src services/.env tools/api-simulations/mailboxes.json tools/api-simulations/reports -brig-schema.yaml -brig.yaml -brig.integration-aws.yaml -cannon.yaml -cannon.integration-aws.yaml -cannon2.integration-aws.yaml -cargohold.yaml -cargohold.integration-aws.yaml -galley-schema.yaml -galley.yaml -galley.integration-aws.yaml -gundeck-schema.yaml -gundeck.yaml -gundeck.integration-aws.yaml -proxy.yaml -proxy.integration-aws.yaml -spar.yaml -spar.integration-aws.yaml -integration-aws.yaml DOCKER_ID* swagger-ui @@ -105,6 +86,7 @@ result-* # Created by .envrc .direnv .env +.env-hs-run # emacs misc .dir-locals.el @@ -114,3 +96,6 @@ result-* services/nginz/third_party/headers-more-nginx-module services/nginz/third_party/nginx-module-vts + +# dumped out by running tests in kind +logs-integration diff --git a/CHANGELOG.md b/CHANGELOG.md index 62637fa9742..bc2dbb15ccb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
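Review bot: The `.gitignore` hunk drops the ignore rules for the generated service configs (`brig.yaml`, `galley-schema.yaml`, `*.integration-aws.yaml`, …) without any replacement pattern, and nothing in this diff says those files stopped being written to the repository root. If the integration tooling still emits them, they become committable by accident — and by their names the `*.integration-aws.yaml` variants presumably carry AWS endpoint settings. If they are now produced elsewhere, a one-line comment in `.gitignore` (or the commit message) saying so would save the next reader this question; this is inferred from file names only, so confirm against the tooling that used to produce them.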
@@ -1,3 +1,289 @@ +# [2024-02-12] (Chart Release 4.40.0) + +## Release notes + + +* The settings `setDisabledAPIVersions` (brig) and `disabledAPIVersions` (in cannon, cargohold, galley, gundeck, proxy, and spar) are now required. + The default defined in `charts//values.yaml` is set to `[ development ]` and disables all development API versions. + For more information see (#3772) + +* The mls team feature now has a lock status. If the current installation has default settings defined in wire-server's `values.yaml`, the `lockStatus` has to be added, e.g.: + + ```yaml + mls: + defaults: + status: enabled + config: + protocolToggleUsers: [] + defaultProtocol: mls + allowedCipherSuites: [1] + defaultCipherSuite: 1 + supportedProtocols: [proteus, mls] # must contain defaultProtocol + lockStatus: locked + ``` (#3681) + +* * Replace fake-sqs with ElasticMQ + + ElasticMQ is an actively maintained project, fake-sqs hasn't seen a commit since + 2018. This is not expected to have any noticeable effect on deployments that + don't have any extra configurations for the SQS queues. If the fake-aws-sqs + chart had configured custom queue names, they have couple of extra limitations: + - The queue names must only contain alphanumeric characters and hyphens. + - The FIFO queue names must end in `.fifo`. (#3750) + +* Upgrade team-settings version to 4.15.1-v0.31.19-0-ee1dbce (#2180) + +* Upgrade webapp to 2023-12-11-production.0-v0.31.17-0-1e91445 + + Beside using up-to-date versions in Helm charts is generally beneficial, + this version also provides multi-ingress support. (#3803) + +* Upgrade webapp version to 2024-01-22-production.1-v0.31.17-0-7f83dbe (#2302) + + +## API changes + + +* Un-verified users can no longer upload assets (#3604) + +* * Remove IP request header from add-client endpoint. + * Remove longitude and latitude response fields from add-client, list-clients, and get-client endpoints. 
+ + These are not considered breaking changes, since clients are not using this information. (#3792) + +* Create new API version V6 and finalize V5 (#3815) + +* Block changes of userDisplayName, userHandle in mlsE2EI-enabled teams on the backend without SCIM; report `"managed_by" == "scim"` in `GET /self`, but only there (#3827) + +* The federation API can now be versioned. Multiple versions of an RPC can be defined on the same path. After version negotiation, the federation client now sets the `X-Wire-API-Version` header, and federator propagates it to the destination service. (#3762) + +* Improved formatting of federation errors. No extra copy of the response body, and nested errors are now part of the JSON structure, not quoted inside the message. (#3742) + +* New endpoint for replacing MLS key packages in bulk: `PUT /mls/key-packages/self/:client`. It replaces all existing key packages that match the given ciphersuites with the new key packages provided in the body. (#3654) + + +## Features + + +* The lifetime of conversation guest links is now configurable (#3796) + +* Events for a member update, join and leave are not sent to everyone in the team any longer. Only team admins get them. 
(#3703) + +* Allowlist for who on cloud can connect to on-prem: + - Internal API to configure allowlist + - Restrict federated user search according to team federation policy + (#3697, #3732, #3758) + +* The mls team feature now has a lock status (#3681) + +* add a uniform timeout to the integration test-suite set by the environment variable TEST_TIMEOUT_SECONDS with a default of 10 seconds if the variable isn't set (#3692) + +* Apply team-level federation policies when establishing and updating user connections (#3774) + +* Introduce a feature flag that controls whether the limited event fanout should be used when a team member is deleted (#3797) + +* Send a `conversation.member-leave` event to team admins for each conversation the deleted team member used to be part of (#3790) + +* Allow the configuration of TLS-secured connections to Cassandra. TLS is used + when a certificate is provided. This is either done with + `--tls-ca-certificate-file` for cli commands or the configuration attribute + `cassandra.tlsCa` for services. In Helm charts, the certificate is provided as + literal PEM string; either as attribute `cassandra.tlsCa` (analog to service + configuration) or by a reference to a secret (`cassandra.tlsCaSecretRef`.) 
(#3587) + +* [SFT chart] Add option to enable serviceMonitor to scrape prometheus metrics (#3770) + + +## Bug fixes and other updates + + +* galley's DB migrations fixed (#3680) + +* The X509 client identity parser supports a new format: `wireapp://{userid}!{deviceid}@{host}` (#3808) + +* Updated `demo-smtp` Helm chart from deprecated docker image namshi/smtp to ixdotai/smtp (#3791) + +* External partners search restriction enforced by backend (#3708) + +* File upload size is now limited to 100 MiB (#3752) + +* Fix a bug where non-team conversation members that are remote would not get a `conversation.member-leave` event (#3745, #3764) + +* Enforce external partner permissions on the backend (#3788) + +* Various improvements around LH policy conflict detection: + * Fix LH policy conflict detection logic when posting messages + * Better policy conflict error messages (distinguish between old clients and missing consent) + * Add first LH scaffolding and tests to `/integration` + * Annotate some API functions in `/integration` with links to openapi3 docs (#3773) + +* Do not match on the `Accept` header for service provider endpoints with no response body (#3766) + +* Guests should not be added to conversations that are under legalhold (#3853) + +* Intra-service calls from brig to galley's public API are now aware of disabled API versions (#3863) + +* fix Helm pretty-printer for disabledAPIVersions (#3877) + +* Adjust the requested memory and upper bound limit of `nginz` pods in the related Helm chart. (We experienced OOM errors with the old settings.) (#3821) + +* don't use shell when communicating with mls-test-cli, move flaking brig tests over to new integration testsuite (#3701) + +* set notificationTimeOut to 28 days, make it legible (#3714) + +* Update coturn image with bugfix to its prestop-hook from https://github.com/wireapp/coturn/pull/10 to allow coturn pods to terminate once their traffic has drained. 
(#3872) + +* Extra remove proposals were being sent when a user was removed from a conversation (#3672) + +* Remove client check for subconversations (#3677) + +* Ensure that SCIM can find users even after the team admin has changed the SAML issuer for the user. (#3747) + +* addClient used the internal brig API in the integration testsuite when it should use the public one (#3869) + +* Ensure that HTTP 1.1 connections are grafully closed + + To fix this warp had to be patched to fix the bug upstream: https://github.com/yesodweb/wai/pull/958 (#3775) + + +## Documentation + + +* Fix missing code sections on docs.wire.com, notably on "configuring TLS" page. (#3839) + +* Swagger generation no longer adds tags containing information about federation calls. + + Added the federation calling graph to the Federation API Conventions page. (#3674) + +* Backend-to-backend OpenApi Docs added (#3666) + +* Documentation for creating a new API version updated (#3817) + +* Update documentation of MLS group ID (#3705) + +* Turn long summaries in openapi documentation into descriptions (#3706) + +* update the build instructions for wire-server (#3854) + + +## Internal changes + + +* stern/backoffice `PUT /teams/{teamId}/features/conferenceCalling` fixed (#3723) + +* Removed client ID conversion round trip (#3727) + +* Migrate to Servant the Galley conversation internal endpoints (#3718) + +* The development API version is now disabled by default (#3772) + +* Attempt to fix flaky integration test `provider.service.delete` (#3689) + +* The fedcalls tool no longer walks the Swagger/OpenAPI structure when generating call graphs. These graphs are now generated directly from the Servant API types. (#3674, #3691) + +* Increased ingress payload size from 256k to 512k (#3756) + +* Request tracing across federated requests (#3765) + +* upgrade nixpkgs to upgrade haskell-language-server (#3650) + +* upgrade the GHC version to GHC 9.4 (#3679) + +* Removed APNS_VOIP code. 
(APNS_VOIP is a native push notification channel which we aren't using anymore.) (#3695) + +* Improve error logs (#3782) + +* Migrating tests for Cargohold to the new `integration` test suite. (#3741) + +* Fix calendar integration setting in backoffice / stern (#3761) + +* `Reply-Nonce` is added to `Access-Control-Expose-Headers` (#3729) + +* Add custom feature flag; only supported for some on-prem installations; locked & disabled by default (#3779) + +* Improved how tests are automatically extracted from the `integration` test suite. + + The test extractor parser has been improved to handle block comments, and to more strictly check for Haddock documentation for each test. (#3749) + +* Additional logging on user/team suspension (#3795) + +* cleanup the haskell-pins + - remove many pins + - remove many overrides + - restructure the files such that it's easier to see what is going on (#3814) + +* Version of rusty-jwt-tools bumped to v0.8.0 (#3805) + +* Feature enforceFileDownloadLocation lockstatus can be set with basic auth on staging (#3802) + +* Version of rusty-jwt-tools bumped to v0.8.5 (#3820) + +* Translate integration tests: manually add / delete LH device (#3830) + +* adds a new executable, hs-run, to quickly run haskell scripts (#3716) + +* Represent client IDs as Word64 internally (#3713) + +* Allow to install the coturn chart multiple times in multiple namespaces on the same cluster. (#3698) + +* For some rust packages (cryptobox and libzauth-c), we now use crate2nix as a build tool, rather than the more coarse and FOD-based nixpkgs `rustPlatform.buildRustPackage` approach. (#3686) + +* Delete `shell.nix`. It has been broken for quite some time. The supported way to get a development nix environment is to use direnv. 
(#3726) + +* Deploy a backend with federation API V0 while setting up services for local testing (#3719) + +* Improve integration test coverage (#3757) + +* Increase timeout for waiting for SQS notifications in galley's integration tests (#3699) + +* Simplify process spawning of dynamic backends in integration tests (#3759) + +* More robust consuming of MLS messages: the behaviour of `sendAndConsumeMessage` and `sendAndConsumeCommitBundle` is changed to actually wait for those messages on the client's websocket (#3671) + +* Update group state after application message (#3678) + +* bump the nixpkgs version to allow updating curl (#3781) + +* Simplify the definition of the servant notification API (#3685) + +* Start refactoring code into subsystems, first subsystem being the NotificationSubsystem. (#3786) + +* Remove apply-refact from CI image + + This gets rid of GHC in the image, making the image smaller. (#3712) + +* Refactor getOptions (#3707) + +* Restored Brig memory quota to 512mb down from 1gb. (prev bump #3751) (#3806) + +* Add tool to analyse test results in junit/ant xml format (#3652) + +* updated annotation for enabling Topology Aware Routing to service.kubernetes.io/topology-mode for k8s 1.27+ (#3878) + +* replace runAsNonRoot with runAsUser and runAsGroup 1000 (#3826) + +* Update SFTD default to 4.0.10 and its nginx to 1.25.3. (#3768) + +* add a Makefile target to make it possible to upload a bom of all services to s3 on every CI run (#3744) + +* Upload bill-of-material (BOM) files directly to the Dependency Tracker via REST. + This eases the life of the security team and prevents cluttering our release + artifact page. (#3810) + +* Passively migrate user passwords from scrypt to argon2id. + + By passively we mean that whenever a user re-enters their passwords, if it was hashed using scrypt, it is then rehashed using argon2id and stored as such. + If that user has a legacy short password (under 8 characters in length), it does not migrate to argon2id. 
(#3720) + + +## Federation changes + + +* Define a few tests for adding members to an MLS conversation when unreachable backends are involved (#3673) + +* Make sure that remote users can be added to both a Proteus and an MLS conversation when other users are unreachable (#3688) + + # [2023-10-23] (Chart Release 4.39.0) ## Release notes diff --git a/Makefile b/Makefile index 6fad98a6218..9656c7e9d17 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ DOCKER_TAG ?= $(USER) # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything) HELM_SEMVER ?= 0.0.42 # The list of helm charts needed on internal kubernetes testing environments -CHARTS_INTEGRATION := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana sftd restund coturn +CHARTS_INTEGRATION := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana sftd restund coturn k8ssandra-test-cluster # The list of helm charts to publish on S3 # FUTUREWORK: after we "inline local subcharts", # (e.g. move charts/brig to charts/wire-server/brig) @@ -35,7 +35,7 @@ EXE_SCHEMA := ./dist/$(package)-schema # Additionally, if stack is being used with nix, environment variables do not # make it into the shell where hspec is run, to tackle that this variable is # also exported in stack-deps.nix. -export HSPEC_OPTIONS ?= --fail-on-focused +export HSPEC_OPTIONS ?= --fail-on=focused default: install @@ -61,6 +61,7 @@ full-clean: clean clean: cabal clean -rm -rf dist + -rm -f "bill-of-materials.$(HELM_SEMVER).json" .PHONY: clean-hint clean-hint: 
@@ -77,7 +78,7 @@ cabal.project.local: # Usage: make c package=brig test=1 .PHONY: c -c: cabal-fmt +c: treefmt cabal build $(WIRE_CABAL_BUILD_OPTIONS) $(package) || ( make clean-hint; false ) ifeq ($(test), 1) ./hack/bin/cabal-run-tests.sh $(package) $(testargs) @@ -116,7 +117,7 @@ ci: # Usage: make crun `OR` make crun package=galley .PHONY: cr cr: c db-migrate - ./services/run-services + ./dist/run-services # Run integration from new test suite # Usage: make devtest @@ -141,13 +142,9 @@ list-flaky-tests: @git grep -Hne '\bflakyTestCase \"' @git grep -Hne '[^^]\bflakyTest\b' -.PHONY: cabal-fmt -cabal-fmt: - ./hack/bin/cabal-fmt.sh $(package) - # Get a ghci environment running for the given package. .PHONY: repl -repl: cabal-fmt +repl: treefmt cabal repl $(WIRE_CABAL_BUILD_OPTIONS) $(package) # Use ghcid to watch a particular package. @@ -158,7 +155,7 @@ ghcid: # Used by CI .PHONY: lint-all -lint-all: formatc hlint-check-all check-local-nix-derivations treefmt +lint-all: formatc hlint-check-all check-local-nix-derivations treefmt-check .PHONY: hlint-check-all hlint-check-all: @@ -229,6 +226,10 @@ add-license: treefmt: treefmt +.PHONY: treefmt-check +treefmt-check: + treefmt --fail-on-change + ################################# ## docker targets @@ -542,3 +543,13 @@ kind-restart-%: .local/kind-kubeconfig # make helm-template-wire-server helm-template-%: clean-charts charts-integration ./hack/bin/helm-template.sh $(*) + +# Ask the security team for the `DEPENDENCY_TRACK_API_KEY` (if you need it) +.PHONY: upload-bombon +upload-bombon: + nix build -f nix wireServer.allLocalPackagesBom -o "bill-of-materials.$(HELM_SEMVER).json" + ./hack/bin/bombon.hs -- \ + --bom-filepath "./bill-of-materials.$(HELM_SEMVER).json" \ + --project-version $(HELM_SEMVER) \ + --api-key $(DEPENDENCY_TRACK_API_KEY) \ + --auto-create diff --git a/README.md b/README.md index ada3b2d2cc5..f7ece6aeeea 100644 --- a/README.md +++ b/README.md 
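Review bot: The `upload-bombon` recipe passes the Dependency Track credential on the command line as `--api-key $(DEPENDENCY_TRACK_API_KEY)`, and since the recipe line is not prefixed with `@`, make echoes the fully expanded command — key included — to stdout before running it, which in CI means straight into the build log; the key is also readable by any other process via `ps`. At minimum silence the echo and quote the expansion: `@./hack/bin/bombon.hs -- \` … `--api-key "$(DEPENDENCY_TRACK_API_KEY)" \`. Better, have `bombon.hs` read the key from the environment (exporting the variable from make) so it never appears in argv at all. Note that unquoted, an unset variable also shifts `--auto-create` into the `--api-key` position instead of failing cleanly.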
@@ -94,4 +94,4 @@ You have two options: * Option 1. (recommended) Install wire-server on kubernetes using the configuration and instructions provided in [wire-server-deploy](https://github.com/wireapp/wire-server-deploy). This is the best option to run it on a server and recommended if you want to self-host wire-server. -* Option 2. Compile everything in this repo, then you can use the `services/run-services`. This option is intended as a way to try out wire-server on your local development machine and not suited for production. +* Option 2. Compile everything in this repo, then you can use the `dist/run-services`. This option is intended as a way to try out wire-server on your local development machine and not suited for production. diff --git a/cabal.project b/cabal.project index 2ee9da138e7..471d12e874a 100644 --- a/cabal.project +++ b/cabal.project @@ -31,6 +31,7 @@ packages: , libs/wire-api/ , libs/wire-api-federation/ , libs/wire-message-proto-lens/ + , libs/wire-subsystems/ , libs/zauth/ , services/background-worker/ , services/brig/ @@ -55,6 +56,7 @@ packages: , tools/rex/ , tools/stern/ , tools/mlsstats/ + , tools/test-stats/ tests: True benchmarks: True @@ -113,6 +115,8 @@ package metrics-wai ghc-options: -Werror package migrate-sso-feature-flag ghc-options: -Werror +package mlsstats + ghc-options: -Werror package move-team ghc-options: -Werror package polysemy-wire-zoo @@ -143,6 +147,8 @@ package stern ghc-options: -Werror package tasty-cannon ghc-options: -Werror +package test-stats + ghc-options: -Werror package types-common ghc-options: -Werror package types-common-aws 
@@ -157,5 +163,20 @@ package wire-api-federation ghc-options: -Werror package wire-message-proto-lens ghc-options: -Werror +package wire-subsystems + ghc-options: -Werror package zauth ghc-options: -Werror +package fedcalls + ghc-options: -Werror + +-- NOTE: +-- - these packages are not provided by nix, reason being, that +-- there is a bug in the nixpkgs haskell compatibility which +-- makes it such that they cannot be installed by the nixpkgs code +-- - these packages have bounds that are justified with their current +-- dependency set, however, we have updated their dependencies, such +-- that they work with newer base and ghc (api) versions +allow-newer: + , proto-lens-protoc:base + , proto-lens-protoc:ghc diff --git a/cassandra-schema.cql b/cassandra-schema.cql index d300556af70..efcf3424035 100644 --- a/cassandra-schema.cql +++ b/cassandra-schema.cql @@ -534,6 +534,26 @@ CREATE TABLE brig_test.login_codes ( AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; +CREATE TABLE brig_test.federation_remote_teams ( + domain text, + team uuid, + PRIMARY KEY (domain, team) +) WITH CLUSTERING ORDER BY (team ASC) + AND bloom_filter_fp_chance = 0.01 + AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} + AND comment = '' + AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} + AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} + AND crc_check_chance = 1.0 + AND dclocal_read_repair_chance = 0.1 + AND default_time_to_live = 0 + AND gc_grace_seconds = 864000 + AND max_index_interval = 2048 + AND memtable_flush_period_in_ms = 0 + AND min_index_interval = 128 + AND read_repair_chance = 0.0 + AND speculative_retry = '99PERCENTILE'; + CREATE TABLE brig_test.oauth_client ( id uuid PRIMARY KEY, name text, 
@@ -932,6 +952,7 @@ CREATE TABLE brig_test.password_reset ( CREATE TABLE brig_test.federation_remotes ( domain text PRIMARY KEY, + restriction int, search_policy int ) WITH bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} @@ -1042,7 +1063,6 @@ CREATE TABLE brig_test.service_prefix ( AND min_index_interval = 128 AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; - CREATE KEYSPACE galley_test WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'} AND durable_writes = true; CREATE TYPE galley_test.permissions ( @@ -1171,12 +1191,16 @@ CREATE TABLE galley_test.team_features ( app_lock_status int, conference_calling int, digital_signatures int, + enforce_file_download_location text, + enforce_file_download_location_lock_status int, + enforce_file_download_location_status int, expose_invitation_urls_to_team_admin int, file_sharing int, file_sharing_lock_status int, guest_links_lock_status int, guest_links_status int, legalhold_status int, + limited_event_fanout_status int, mls_allowed_ciphersuites set, mls_default_ciphersuite int, mls_default_protocol int, @@ -1185,6 +1209,7 @@ CREATE TABLE galley_test.team_features ( mls_e2eid_lock_status int, mls_e2eid_status int, mls_e2eid_ver_exp timestamp, + mls_lock_status int, mls_migration_finalise_regardless_after timestamp, mls_migration_lock_status int, mls_migration_start_time timestamp, 
@@ -1442,19 +1467,15 @@ CREATE TABLE galley_test.team_admin ( AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; --- NOTE: this table is unused. It was replaced by mls_group_member_client -CREATE TABLE galley_test.member_client ( - conv uuid, - user_domain text, +CREATE TABLE galley_test.user ( user uuid, - client text, - key_package_ref blob, - PRIMARY KEY (conv, user_domain, user, client) -) WITH CLUSTERING ORDER BY (user_domain ASC, user ASC, client ASC) - AND bloom_filter_fp_chance = 0.01 + conv uuid, + PRIMARY KEY (user, conv) +) WITH CLUSTERING ORDER BY (conv ASC) + AND bloom_filter_fp_chance = 0.1 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} + AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'} AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND dclocal_read_repair_chance = 0.1 
@@ -1697,27 +1718,6 @@ CREATE TABLE galley_test.mls_proposal_refs ( AND min_index_interval = 128 AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; - -CREATE TABLE galley_test.user ( - user uuid, - conv uuid, - PRIMARY KEY (user, conv) -) WITH CLUSTERING ORDER BY (conv ASC) - AND bloom_filter_fp_chance = 0.1 - AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - CREATE KEYSPACE gundeck_test WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'} AND durable_writes = true; CREATE TABLE gundeck_test.push ( @@ -1832,7 +1832,6 @@ CREATE TABLE gundeck_test.user_push ( AND min_index_interval = 128 AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; - CREATE KEYSPACE spar_test WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'} AND durable_writes = true; CREATE TABLE spar_test.bind_cookie ( @@ -2204,4 +2203,3 @@ CREATE TABLE spar_test.user ( AND min_index_interval = 128 AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; - diff --git a/charts/account-pages/values.yaml b/charts/account-pages/values.yaml index ae22ad9fb44..4148cfd8dc8 100644 --- a/charts/account-pages/values.yaml +++ b/charts/account-pages/values.yaml 
@@ -20,9 +20,9 @@ service: #config: # externalUrls: -# backendRest: nginz-https.example.com -# backendWebsocket: nginz-ssl.example.com -# appHost: account.example.com +# backendRest: nginz-https.wire.example +# backendWebsocket: nginz-ssl.wire.example +# appHost: account.wire.example # Some relevant environment options. For a comprehensive # list of available variables, please refer to: 
@@ -36,25 +36,26 @@ envVars: {} # FEATURE_ENABLE_DEBUG: "true" # You are likely to need at least following CSP headers # due to the fact that you are likely to do cross sub-domain requests -# i.e., from account.example.com to nginz-https.example.com -# CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com" -# CSP_EXTRA_IMG_SRC: "https://*.example.com" -# CSP_EXTRA_SCRIPT_SRC: "https://*.example.com" -# CSP_EXTRA_DEFAULT_SRC: "https://*.example.com" -# CSP_EXTRA_FONT_SRC: "https://*.example.com" -# CSP_EXTRA_FRAME_SRC: "https://*.example.com" -# CSP_EXTRA_MANIFEST_SRC: "https://*.example.com" -# CSP_EXTRA_OBJECT_SRC: "https://*.example.com" -# CSP_EXTRA_MEDIA_SRC: "https://*.example.com" -# CSP_EXTRA_PREFETCH_SRC: "https://*.example.com" -# CSP_EXTRA_STYLE_SRC: "https://*.example.com" -# CSP_EXTRA_WORKER_SRC: "https://*.example.com" +# i.e., from account.wire.example to nginz-https.wire.example +# CSP_EXTRA_CONNECT_SRC: "https://*.wire.example, wss://*.wire.example" +# CSP_EXTRA_IMG_SRC: "https://*.wire.example" +# CSP_EXTRA_SCRIPT_SRC: "https://*.wire.example" +# CSP_EXTRA_DEFAULT_SRC: "https://*.wire.example" +# CSP_EXTRA_FONT_SRC: "https://*.wire.example" +# CSP_EXTRA_FRAME_SRC: "https://*.wire.example" +# CSP_EXTRA_MANIFEST_SRC: "https://*.wire.example" +# CSP_EXTRA_OBJECT_SRC: "https://*.wire.example" +# CSP_EXTRA_MEDIA_SRC: "https://*.wire.example" +# CSP_EXTRA_PREFETCH_SRC: "https://*.wire.example" +# CSP_EXTRA_STYLE_SRC: "https://*.wire.example" +# CSP_EXTRA_WORKER_SRC: "https://*.wire.example" podSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 seccompProfile: type: RuntimeDefault diff --git a/charts/aws-ingress/values.yaml b/charts/aws-ingress/values.yaml index 3373fc6cc8a..eff6b721e4f 100644 --- a/charts/aws-ingress/values.yaml +++ b/charts/aws-ingress/values.yaml 
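Review bot: Replacing `runAsNonRoot: true` with `runAsUser: 1000` / `runAsGroup: 1000` removes the kubelet's explicit non-root check and, if I read the Pod Security Standards correctly, makes the pod fail the `restricted` profile, which requires `runAsNonRoot: true` at pod or container level rather than inferring it from the UID. The two settings are complementary, so keep both: `runAsNonRoot: true` directly above the new `runAsUser: 1000`. A values override that later sets `runAsUser: 0` is then still rejected at container start rather than quietly running as root.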
@@ -9,26 +9,26 @@ ingress: webapp: https: externalPort: 443 - sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/example.com + sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/wire.example sslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 - hostname: webapp.example.com + hostname: webapp.wire.example ttl: 300 http: webappPort: 8080 nginz: https: externalPort: 443 - sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/example.com + sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/wire.example sslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 - hostname: nginz-https.example.com + hostname: nginz-https.wire.example ttl: 300 http: httpPort: 8080 wss: externalPort: 443 - sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/example.com + sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/wire.example sslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 - hostname: nginz-ssl.example.com + hostname: nginz-ssl.wire.example ttl: 300 ws: wsPort: 8081 @@ -36,9 +36,9 @@ ingress: enabled: false # set to true if you wish to use minio on AWS instead of using real S3 https: externalPort: 443 - sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/example.com + sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/wire.example sslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 - hostname: assets.example.com + hostname: assets.wire.example ttl: 300 http: s3Port: 9000 
@@ -48,18 +48,18 @@ ingress: teamSettings: https: externalPort: 443 - sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/example.com + sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/wire.example sslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 - hostname: teams.example.com + hostname: teams.wire.example ttl: 300 http: teamSettingsPort: 8080 accountPages: https: externalPort: 443 - sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/example.com + sslCert: arn:aws:iam::00000-accountnumber-00000:server-certificate/wire.example sslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 - hostname: account.example.com + hostname: account.wire.example ttl: 300 http: accountPagesPort: 8080 diff --git a/charts/background-worker/templates/service.yaml b/charts/background-worker/templates/service.yaml index abd7d27f400..283fbce662d 100644 --- a/charts/background-worker/templates/service.yaml +++ b/charts/background-worker/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/backoffice/templates/service.yaml b/charts/backoffice/templates/service.yaml index a3ae8a9d9b0..43a5d59d7c1 100644 --- a/charts/backoffice/templates/service.yaml +++ b/charts/backoffice/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/brig/templates/_helpers.tpl b/charts/brig/templates/_helpers.tpl index 762fb52c2fa..857c0203de8 100644 --- a/charts/brig/templates/_helpers.tpl 
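Review bot: `{{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }}` in the background-worker and backoffice service templates picks the annotation by casting the minor-version string to an integer; managed clusters that report a suffixed minor such as `26+` would make `int` yield 0 and send even 1.26+ clusters down the `{{- else }}` branch with the deprecated `topology-aware-hints` annotation — hedged, since the provider strings are not visible here. The brig chart already routes version checks through a `kubeVersion` helper (honouring `kubeVersionOverride`) with `semverCompare` in `includeSecurityContext`; where that helper exists the same test reads `{{- if semverCompare ">= 1.26-0" (include "kubeVersion" .) }}` and stays overridable. The identical hunk recurs in the brig, cannon (headless-service and nginz-service) and cargohold service templates further down.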
+++ b/charts/brig/templates/_helpers.tpl
@@ -7,3 +7,19 @@
 {{- define "includeSecurityContext" -}}
 {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
+
+{{- define "useCassandraTLS" -}}
+{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- end -}}
+
+{{/* Return a Dict of TLS CA secret name and key
+This is used to switch between provided secret (e.g. by cert-manager) and
+created one (in case the CA is provided as PEM string.)
+*/}}
+{{- define "tlsSecretRef" -}}
+{{- if .cassandra.tlsCaSecretRef -}}
+{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "brig-cassandra" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/brig/templates/cassandra-secret.yaml b/charts/brig/templates/cassandra-secret.yaml
new file mode 100644
index 00000000000..fa848001471
--- /dev/null
+++ b/charts/brig/templates/cassandra-secret.yaml
@@ -0,0 +1,15 @@
+{{/* Secret for the provided Cassandra TLS CA. */}}
+{{- if not (empty .Values.config.cassandra.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: brig-cassandra
+ labels:
+ app: brig
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+ ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+{{- end }}
diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
index 2ed6eb6833a..e128169dbe4 100644
--- a/charts/brig/templates/configmap.yaml
+++ b/charts/brig/templates/configmap.yaml
@@ -28,6 +28,9 @@ data: {{- if hasKey .cassandra "filterNodesByDatacentre" }} filterNodesByDatacentre: {{ .cassandra.filterNodesByDatacentre }} {{- end }} + {{- if eq (include "useCassandraTLS" .) "true" }} + tlsCa: /etc/wire/brig/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }} + {{- end }} elasticsearch: url: http://{{ .elasticsearch.host }}:{{ .elasticsearch.port }} 
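Review bot: `useCassandraTLS` tests `hasKey .cassandra "tlsCa"`, but `cassandra-secret.yaml` only renders the `brig-cassandra` Secret when `not (empty .Values.config.cassandra.tlsCa)`; a values file that lists `tlsCa:` with an empty value (the shape the values.yaml comment invites) therefore switches on the configmap setting and the secret volume in the deployment while no Secret exists, and the pod is stuck at volume mounting. Testing for a non-empty value keeps both templates in agreement: `{{ or (not (empty .cassandra.tlsCa)) (not (empty .cassandra.tlsCaSecretRef)) }}`. The `useCassandraTLS` helper added to charts/elasticsearch-index/templates/_helpers.tpl later in this diff has the same mismatch against its own cassandra-secret.yaml.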
@@ -203,11 +206,6 @@ data: {{- end }} {{- end }} - {{- if .geoip.enabled }} - # Shared emptyDir with geoipupdate container - geoDb: /usr/share/GeoIP/GeoIP2-City.mmdb - {{- end }} - {{- with .optSettings }} optSettings: setActivationTimeout: {{ .setActivationTimeout }} @@ -325,9 +323,7 @@ data: {{- if .setOAuthEnabled }} setOAuthEnabled: {{ .setOAuthEnabled }} {{- end }} - {{- if .setDisabledAPIVersions }} - setDisabledAPIVersions: {{ .setDisabledAPIVersions }} - {{- end }} + setDisabledAPIVersions: {{ toJson .setDisabledAPIVersions }} {{- if .setOAuthRefreshTokenExpirationTimeSecs }} setOAuthRefreshTokenExpirationTimeSecs: {{ .setOAuthRefreshTokenExpirationTimeSecs }} {{- end }} diff --git a/charts/brig/templates/deployment.yaml b/charts/brig/templates/deployment.yaml index 29f8ebc0032..e37c4142af6 100644 --- a/charts/brig/templates/deployment.yaml +++ b/charts/brig/templates/deployment.yaml 
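Review bot: `setDisabledAPIVersions: {{ toJson .setDisabledAPIVersions }}` renders `null` when an operator overrides the new `[ development ]` default with an empty value, whereas the removed `{{- if }}` guard omitted the key entirely; whether brig's options parser accepts `null` for this list is not visible here. If it does not, `setDisabledAPIVersions: {{ toJson (default list .setDisabledAPIVersions) }}` keeps the key present with `[]` as the floor. The cannon and cargohold configmaps in this commit use the same unguarded `toJson`.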
@@ -42,45 +42,11 @@ spec: - name: "brig-secrets" secret: secretName: "brig" - {{- if .Values.config.geoip.enabled }} - - name: "geoip" - emptyDir: {} - {{- end }} - {{- if .Values.config.geoip.enabled }} - # Brig needs GeoIP database to be downloaded before it can start. - initContainers: - - name: geoipdownload - image: "{{ .Values.config.geoip.image.repository }}:{{ .Values.config.geoip.image.tag }}" - imagePullPolicy: {{ default "" .Values.config.geoip.imagePullPolicy | quote }} - volumeMounts: - - name: "geoip" - mountPath: "/usr/share/GeoIP" - # The environment variables are documented at: - # https://github.com/maxmind/geoipupdate/blob/62b34e648a842dc03ccf4ad3f61e2d85eaec98fc/doc/docker.md - env: - - name: GEOIPUPDATE_ACCOUNT_ID - valueFrom: - secretKeyRef: - name: brig-geoip - key: accountId - - name: GEOIPUPDATE_LICENSE_KEY - valueFrom: - secretKeyRef: - name: brig-geoip - key: licenseKey - - name: GEOIPUPDATE_EDITION_IDS - valueFrom: - secretKeyRef: - name: brig-geoip - key: editionIds - - name: GEOIPUPDATE_FREQUENCY - value: "0" # Setting this to 0 makes the script only run geoipupdate once. - {{- end }} - {{- if eq (include "includeSecurityContext" .) "true" }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 12 }} - runAsUser: 1000 # see https://github.com/maxmind/geoipupdate/issues/233 - {{- end }} + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "brig-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end}} containers: - name: brig image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -98,9 +64,9 @@ spec: - name: "turn-servers" mountPath: "/etc/wire/brig/turn" {{- end }} - {{- if .Values.config.geoip.enabled }} - - name: "geoip" - mountPath: "/usr/share/GeoIP" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "brig-cassandra" + mountPath: "/etc/wire/brig/cassandra" {{- end }} env: - name: LOG_LEVEL 
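Review bot: The pod-level `securityContext:` block rendered from `.Values.podSecurityContext` (guarded by `includeSecurityContext`) is removed together with the geoip init container, and nothing on the new side of either hunk puts it back; unless the brig container carries its own `securityContext` outside this hunk, the chart's non-root, capability-drop and seccomp settings no longer apply to this Deployment. Only the `runAsUser: 1000` line was the geoipupdate workaround, the enclosing block was not, so restoring the `securityContext:` block with `{{- toYaml .Values.podSecurityContext | nindent 12 }}` at the pod spec (without the `runAsUser` override) keeps the hardening. The container spec continues outside the hunk.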
@@ -173,36 +139,3 @@ spec: port: {{ .Values.service.internalPort }} resources: {{ toYaml .Values.resources | indent 12 }} - {{- if .Values.config.geoip.enabled }} - - name: geoipupdate - image: "{{ .Values.config.geoip.image.repository }}:{{ .Values.config.geoip.image.tag }}" - imagePullPolicy: {{ default "" .Values.config.geoip.imagePullPolicy | quote }} - {{- if eq (include "includeSecurityContext" .) "true" }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 12 }} - runAsUser: 1000 # see https://github.com/maxmind/geoipupdate/issues/233 - {{- end }} - volumeMounts: - - name: "geoip" - mountPath: "/usr/share/GeoIP" - # The environment variables are documented at: - # https://github.com/maxmind/geoipupdate/blob/62b34e648a842dc03ccf4ad3f61e2d85eaec98fc/doc/docker.md - env: - - name: GEOIPUPDATE_ACCOUNT_ID - valueFrom: - secretKeyRef: - name: brig-geoip - key: accountId - - name: GEOIPUPDATE_LICENSE_KEY - valueFrom: - secretKeyRef: - name: brig-geoip - key: licenseKey - - name: GEOIPUPDATE_EDITION_IDS - valueFrom: - secretKeyRef: - name: brig-geoip - key: editionIds - - name: GEOIPUPDATE_FREQUENCY - value: "24" # hours - {{- end }} diff --git a/charts/brig/templates/geoip-secret.yaml b/charts/brig/templates/geoip-secret.yaml deleted file mode 100644 index 8e96ea70c97..00000000000 --- a/charts/brig/templates/geoip-secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if .Values.config.geoip.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: brig-geoip - labels: - app: brig - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: Opaque -data: - {{- with .Values.secrets.geoip }} - accountId: {{ required ".secrets.geoip.accountId must be provided when .Values.config.geoip.enabled is True" .accountId | b64enc | quote }} - licenseKey: {{ required ".secrets.geoip.licenseKey must be provided when .Values.config.geoip.enabled is True" .licenseKey | b64enc | quote }} - editionIds: {{ required ".secrets.geoip.editionIds must be provided when .Values.config.geoip.enabled is True" .editionIds | b64enc | quote }} - {{- end }} -{{- end }} diff --git a/charts/brig/templates/service.yaml b/charts/brig/templates/service.yaml index 63d52526e2f..58811c48195 100644 --- a/charts/brig/templates/service.yaml +++ b/charts/brig/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/brig/templates/tests/brig-integration.yaml b/charts/brig/templates/tests/brig-integration.yaml index 1599c3860b7..aff0f6d525a 100644 --- a/charts/brig/templates/tests/brig-integration.yaml +++ b/charts/brig/templates/tests/brig-integration.yaml @@ -44,6 +44,11 @@ spec: - name: "brig-integration-secrets" secret: secretName: "brig-integration" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "brig-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end}} containers: - name: integration image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}" 
@@ -101,6 +106,10 @@ spec: # non-default locations # (see corresp. TODO in galley.) mountPath: "/etc/wire/integration-secrets" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "brig-cassandra" + mountPath: "/etc/wire/brig/cassandra" + {{- end }} env: # these dummy values are necessary for Amazonka's "Discover" diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml index 818b4a55578..6afcd1a853d 100644 --- a/charts/brig/values.yaml +++ b/charts/brig/values.yaml @@ -20,6 +20,14 @@ config: logNetStrings: false cassandra: host: aws-cassandra +# To enable TLS provide a CA: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: + elasticsearch: host: elasticsearch-client port: 9200 @@ -87,7 +95,7 @@ config: # Details: https://github.com/wireapp/wire-server/blob/3d5684023c54fe580ab27c11d7dae8f19a29ddbc/services/brig/src/Brig/Options.hs#L465-L503 # setCustomerExtensions: # domainsBlockedForRegistration: - # - example.com + # - wire.example set2FACodeGenerationDelaySecs: 300 # 5 minutes setNonceTtlSecs: 300 # 5 minutes setDpopMaxSkewSecs: 1 @@ -99,20 +107,13 @@ config: setOAuthMaxActiveRefreshTokens: 10 # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # setDisabledAPIVersions: [ v3 ] + setDisabledAPIVersions: [ development ] setFederationStrategy: allowNone setFederationDomainConfigsUpdateFreq: 10 smtp: passwordFile: /etc/wire/brig/secrets/smtp-password.txt proxy: {} - geoip: - # When enabling this, .secrets.geoip.accountId, .secrets.geoip.licenseKey and - # .secret.geoip.editionIds must be provided. - enabled: false - image: - repository: docker.io/maxmindinc/geoipupdate - tag: v5.1.1 turnStatic: v1: - turn:localhost:3478 
@@ -122,7 +123,7 @@ turnStatic: turn: serversSource: files # files | dns - # baseDomain: turn.example.com # Must be configured if serversSource is dns + # baseDomain: turn.wire.example # Must be configured if serversSource is dns discoveryIntervalSeconds: 10 # Used only if serversSource is dns serviceAccount: diff --git a/charts/calling-test/values.yaml b/charts/calling-test/values.yaml index 4a8349841da..e6511f4a9c0 100644 --- a/charts/calling-test/values.yaml +++ b/charts/calling-test/values.yaml @@ -6,7 +6,7 @@ image: envVars: # note: this should be overridden in every deployment - BACKEND_HTTPS_URL: https://nginz-https.example.com + BACKEND_HTTPS_URL: https://nginz-https.wire.example # These name overrides are used also for routing. # Wire-server's nginz subchart will route /calling-test to this chart diff --git a/charts/cannon/templates/configmap.yaml b/charts/cannon/templates/configmap.yaml index 940d6013065..6537fc0172a 100644 --- a/charts/cannon/templates/configmap.yaml +++ b/charts/cannon/templates/configmap.yaml @@ -19,9 +19,7 @@ data: millisecondsBetweenBatches: {{ .Values.config.drainOpts.millisecondsBetweenBatches }} minBatchSize: {{ .Values.config.drainOpts.minBatchSize }} - {{- if .Values.config.disabledAPIVersions }} - disabledAPIVersions: {{ .Values.config.disabledAPIVersions }} - {{- end }} + disabledAPIVersions: {{ toJson .Values.config.disabledAPIVersions }} kind: ConfigMap metadata: diff --git a/charts/cannon/templates/headless-service.yaml b/charts/cannon/templates/headless-service.yaml index 2788f00c0d9..e753a88c674 100644 --- a/charts/cannon/templates/headless-service.yaml +++ b/charts/cannon/templates/headless-service.yaml 
@@ -14,7 +14,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP # This is what makes it a Headless Service diff --git a/charts/cannon/templates/nginz-service.yaml b/charts/cannon/templates/nginz-service.yaml index 901c35abaaf..ea0ba2cfedb 100644 --- a/charts/cannon/templates/nginz-service.yaml +++ b/charts/cannon/templates/nginz-service.yaml @@ -18,7 +18,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} {{- if .Values.service.nginz.externalDNS.enabled }} external-dns.alpha.kubernetes.io/ttl: {{ .Values.service.nginz.externalDNS.ttl | quote }} external-dns.alpha.kubernetes.io/hostname: {{ required "Please provide .service.nginz.hostname when .service.nginz.enabled and .service.nginz.externalDNS.enabled are True" .Values.service.nginz.hostname | quote }} diff --git a/charts/cannon/values.yaml b/charts/cannon/values.yaml index ef45004fca7..350ffebc50a 100644 --- a/charts/cannon/values.yaml +++ b/charts/cannon/values.yaml @@ -24,7 +24,7 @@ config: # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # disabledAPIVersions: [ v3 ] + disabledAPIVersions: [ development ] metrics: serviceMonitor: diff --git a/charts/cargohold/templates/configmap.yaml b/charts/cargohold/templates/configmap.yaml index 00b0bf981b3..da764c8a50d 100644 --- a/charts/cargohold/templates/configmap.yaml +++ b/charts/cargohold/templates/configmap.yaml 
@@ -18,6 +18,10 @@ data: port: 8080 {{- end }} + brig: + host: brig + port: 8080 + aws: {{- with .Values.config.aws }} s3Bucket: {{ .s3Bucket }} @@ -52,7 +56,5 @@ data: downloadLinkTTL: {{ .downloadLinkTTL }} {{- end }} federationDomain: {{ .federationDomain }} - {{- if .disabledAPIVersions }} - disabledAPIVersions: {{ .disabledAPIVersions }} - {{- end }} + disabledAPIVersions: {{ toJson .disabledAPIVersions }} {{- end }} diff --git a/charts/cargohold/templates/service.yaml b/charts/cargohold/templates/service.yaml index c6d7422a791..28fd6f8fd38 100644 --- a/charts/cargohold/templates/service.yaml +++ b/charts/cargohold/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/cargohold/templates/tests/configmap.yaml b/charts/cargohold/templates/tests/configmap.yaml index 18a5b29b226..aa5a8aa4a19 100644 --- a/charts/cargohold/templates/tests/configmap.yaml +++ b/charts/cargohold/templates/tests/configmap.yaml @@ -10,3 +10,11 @@ data: cargohold: host: cargohold port: {{ .Values.service.internalPort }} + {{- if .Values.config.enableFederation }} + federator: + host: federator + port: 8080 + {{- end }} + brig: + host: brig + port: 8080 \ No newline at end of file diff --git a/charts/cargohold/values.yaml b/charts/cargohold/values.yaml index 8ef51a263db..14cfaedce64 100644 --- a/charts/cargohold/values.yaml +++ b/charts/cargohold/values.yaml 
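Review bot: The `brig:` endpoint added to both cargohold configmaps hardcodes `port: 8080` while the sibling `cargohold:` entry in tests/configmap.yaml takes its port from `{{ .Values.service.internalPort }}`; if brig's port is meant to be fixed, a comment saying so (or a value alongside `enableFederation`) would make the asymmetry deliberate. The last added line of charts/cargohold/templates/tests/configmap.yaml also lacks a trailing newline (`\ No newline at end of file`), which will show up as noise in the next diff that appends to it.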
@@ -24,15 +24,15 @@ config: s3Bucket: assets # Multi-ingress configuration: # multiIngress: - # - nginz-https.red.example.com: assets.red.example.com - # - nginz-https.green.example.com: assets.green.example.com + # - nginz-https.red.wire.example: assets.red.wire.example + # - nginz-https.green.wire.example: assets.green.wire.example proxy: {} settings: - maxTotalBytes: 5368709120 + maxTotalBytes: 104857632 # limit to 100 MiB + 32 bytes downloadLinkTTL: 300 # Seconds # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # disabledAPIVersions: [ v3 ] + disabledAPIVersions: [ development ] serviceAccount: # When setting this to 'false', either make sure that a service account named diff --git a/charts/cassandra-migrations/templates/_helpers.tpl b/charts/cassandra-migrations/templates/_helpers.tpl index 551b901999b..0d805051ffe 100644 --- a/charts/cassandra-migrations/templates/_helpers.tpl +++ b/charts/cassandra-migrations/templates/_helpers.tpl 
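Review bot: `maxTotalBytes: 104857632 # limit to 100 MiB + 32 bytes` states the arithmetic but not why 32 bytes are added, so a reader cannot tell whether the allowance belongs to the upload format or is an arbitrary margin; the reason is not visible in this diff, so something like `# 100 MiB of payload plus 32 bytes of <overhead — fill in>` is the comment to add. Since the default also drops from 5 GiB, deployments that relied on the old implicit limit change behaviour on upgrade; that deserves a sentence next to the value as well as the changelog entry.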
@@ -107,6 +107,125 @@ Thus the order of priority is: {{- end -}} {{- end -}} +{{/* NOTE: Cassandra TLS helpers + +Cassandra connections can be configured per service or with a general configuration. +Thus, there are three functions per service that fallback to the general +configuration if the specific one does not exist: + +- useTls -> Bool: Do we use Cassandra TLS connections for this + service? + +- tlsCa -> String: TLS CA PEM string (if configured) + +- tlsSecretRef -> YAML: Dict with keys `name` (name of the + secret to use) and `key` (name of the entry in the secret) +*/}} + +{{- define "useTlsGalley" -}} +{{ $cassandraGalley := default .Values.cassandra .Values.cassandraGalley }} +{{- if or $cassandraGalley.tlsCa $cassandraGalley.tlsCaSecretRef -}} +true +{{- else}} +false +{{- end }} +{{- end -}} + +{{- define "tlsCaGalley" -}} +{{ $cassandraGalley := default .Values.cassandra .Values.cassandraGalley }} +{{- if hasKey $cassandraGalley "tlsCa" -}} +{{- $cassandraGalley.tlsCa }} +{{ else }} +{{- end -}} +{{- end -}} + +{{- define "tlsSecretRefGalley" -}} +{{ $cassandraGalley := default .Values.cassandra .Values.cassandraGalley }} +{{- if $cassandraGalley.tlsCaSecretRef -}} +{{ $cassandraGalley.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "galley-cassandra-cert" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} + +{{- define "useTlsBrig" -}} +{{ $cassandraBrig := default .Values.cassandra .Values.cassandraBrig }} +{{- if or $cassandraBrig.tlsCa $cassandraBrig.tlsCaSecretRef -}} +true +{{- else}} +false +{{- end }} +{{- end -}} + +{{- define "tlsCaBrig" -}} +{{ $cassandraBrig := default .Values.cassandra .Values.cassandraBrig }} +{{- if hasKey $cassandraBrig "tlsCa" -}} +{{- $cassandraBrig.tlsCa }} +{{ else }} +{{- end -}} +{{- end -}} + +{{- define "tlsSecretRefBrig" -}} +{{ $cassandraBrig := default .Values.cassandra .Values.cassandraBrig }} +{{- if $cassandraBrig.tlsCaSecretRef -}} +{{ $cassandraBrig.tlsCaSecretRef | toYaml }} +{{- else }} 
+{{- dict "name" "brig-cassandra-cert" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} + +{{- define "useTlsSpar" -}} +{{ $cassandraSpar := default .Values.cassandra .Values.cassandraSpar }} +{{- if or $cassandraSpar.tlsCa $cassandraSpar.tlsCaSecretRef -}} +true +{{- else}} +false +{{- end }} +{{- end -}} + +{{- define "tlsCaSpar" -}} +{{ $cassandraSpar := default .Values.cassandra .Values.cassandraSpar }} +{{- if hasKey $cassandraSpar "tlsCa" -}} +{{- $cassandraSpar.tlsCa }} +{{ else }} +{{- end -}} +{{- end -}} + +{{- define "tlsSecretRefSpar" -}} +{{ $cassandraSpar := default .Values.cassandra .Values.cassandraSpar }} +{{- if $cassandraSpar.tlsCaSecretRef -}} +{{ $cassandraSpar.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "spar-cassandra-cert" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} + +{{- define "useTlsGundeck" -}} +{{ $cassandraGundeck := default .Values.cassandra .Values.cassandraGundeck }} +{{- if or $cassandraGundeck.tlsCa $cassandraGundeck.tlsCaSecretRef -}} +true +{{- else}} +false +{{- end }} +{{- end -}} + +{{- define "tlsCaGundeck" -}} +{{ $cassandraGundeck := default .Values.cassandra .Values.cassandraGundeck }} +{{- if hasKey $cassandraGundeck "tlsCa" -}} +{{- $cassandraGundeck.tlsCa }} +{{ else }} +{{- end -}} +{{- end -}} + +{{- define "tlsSecretRefGundeck" -}} +{{ $cassandraGundeck := default .Values.cassandra .Values.cassandraGundeck }} +{{- if $cassandraGundeck.tlsCaSecretRef -}} +{{ $cassandraGundeck.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "gundeck-cassandra-cert" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} + {{/* Allow KubeVersion to be overridden. */}} {{- define "kubeVersion" -}} {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} diff --git a/charts/cassandra-migrations/templates/cassandra-certs.yaml b/charts/cassandra-migrations/templates/cassandra-certs.yaml new file mode 100644 index 00000000000..3bea0c6f5d7 --- /dev/null 
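Review bot: `default .Values.cassandra .Values.cassandraGalley` (and the Brig, Spar and Gundeck twins) substitutes the general block wholesale rather than merging it, so a deployment that sets `cassandra.tlsCa` and also a per-service `cassandraGalley` without `tlsCa`/`tlsCaSecretRef` gets `useTlsGalley` = `false` and that service's migration connects to Cassandra in plaintext with no warning. The NOTE block's "fallback to the general configuration if the specific one does not exist" sentence should spell this out, e.g. `A per-service block replaces the general one entirely: repeat tlsCa/tlsCaSecretRef in cassandraGalley etc., otherwise that service connects without TLS.` The twelve helpers differ only in the service name and the default secret name; one parameterised helper taking the service name via `dict` would remove the copy-paste drift risk.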
+++ b/charts/cassandra-migrations/templates/cassandra-certs.yaml 
@@ -0,0 +1,75 @@
+{{- if ne (trim (include "tlsCaBrig" .)) "" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: brig-cassandra-cert
+ labels:
+ app: cassandra-migrations
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+ ca.pem: {{ include "tlsCaBrig" . | b64enc | quote }}
+{{- end}}
+{{- if ne (trim (include "tlsCaGalley" .)) "" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: galley-cassandra-cert
+ labels:
+ app: cassandra-migrations
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+ ca.pem: {{ include "tlsCaGalley" . | b64enc | quote }}
+{{- end}}
+{{- if ne (trim (include "tlsCaGundeck" .)) "" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gundeck-cassandra-cert
+ labels:
+ app: cassandra-migrations
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+ ca.pem: {{ include "tlsCaGundeck" . | b64enc | quote }}
+{{- end}}
+{{- if ne (trim (include "tlsCaSpar" .)) "" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: spar-cassandra-cert
+ labels:
+ app: cassandra-migrations
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+type: Opaque
+data:
+ ca.pem: {{ include "tlsCaSpar" . | b64enc | quote }}
+{{- end}}
diff --git a/charts/cassandra-migrations/templates/galley-migrate-data.yaml b/charts/cassandra-migrations/templates/galley-migrate-data.yaml
index dee40d0b245..127a6ab0b54 100644
--- a/charts/cassandra-migrations/templates/galley-migrate-data.yaml
+++ b/charts/cassandra-migrations/templates/galley-migrate-data.yaml
@@ -42,4 +42,19 @@ spec:
 - "9042"
 - --cassandra-keyspace
 - galley
+ {{- if eq (include "useTlsGalley" .) "true" }}
+ - --tls-ca-certificate-file
+ - /certs/galley/{{- (include "tlsSecretRefGalley" . | fromYaml).key }}
+ {{- end }}
+ {{- if eq (include "useTlsGalley" .) "true" }}
+ volumeMounts:
+ - name: galley-cassandra-cert
+ mountPath: "/certs/galley"
+ {{- end }}
+ {{- if eq (include "useTlsGalley" .) "true" }}
+ volumes:
+ - name: galley-cassandra-cert
+ secret:
+ secretName: {{ (include "tlsSecretRefGalley" . | fromYaml).name }}
+ {{- end }}
 {{- end }}
diff --git a/charts/cassandra-migrations/templates/migrate-schema.yaml b/charts/cassandra-migrations/templates/migrate-schema.yaml
index 5129fc4bafd..e06aa2288a1 100644
--- a/charts/cassandra-migrations/templates/migrate-schema.yaml
+++ b/charts/cassandra-migrations/templates/migrate-schema.yaml
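Review bot: The `gundeck-cassandra-cert` Secret is annotated `"helm.sh/hook": pre-install,pre-upgrade` while the brig, galley and spar Secrets in the same file also carry `post-install,post-upgrade`; with `hook-delete-policy: hook-succeeded,hook-failed` the Secret is deleted once the pre-hooks finish, so any post-hook job mounting the gundeck CA (none is visible in this diff) would not find it. If the omission is deliberate, a one-line comment above that block saying no post-hook consumes the gundeck CA would stop the next reader from "fixing" it; otherwise align the annotation with the other three. The four blocks differ only in the service name and could be one `range` over a list of names.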
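Review bot: The three consecutive `{{- if eq (include "useTlsGalley" .) "true" }}` guards in galley-migrate-data.yaml evaluate the same helper three times and can be one block wrapping the extra args, `volumeMounts:` and `volumes:`. Collapsing them also makes it easier to see that `volumeMounts:`/`volumes:` would duplicate any keys of the same name earlier in the container or pod spec, which lies outside this hunk.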
@@ -9,7 +9,7 @@ metadata: heritage: {{ .Release.Service }} annotations: "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-weight": "0" + "helm.sh/hook-weight": "1" "helm.sh/hook-delete-policy": "before-hook-creation" spec: template: @@ -22,6 +22,27 @@ spec: # specifying cassandra-migrations as initContainers executes them sequentially, rather than in parallel # to avoid 'Column family ID mismatch' / schema disagreements # see https://stackoverflow.com/questions/29030661/creating-new-table-with-cqlsh-on-existing-keyspace-column-family-id-mismatch#40325651 for details. + volumes: + {{- if eq (include "useTlsGundeck" .) "true" }} + - name: gundeck-cassandra-cert + secret: + secretName: {{ (include "tlsSecretRefGundeck" . | fromYaml).name }} + {{- end }} + {{- if eq (include "useTlsBrig" .) "true" }} + - name: brig-cassandra-cert + secret: + secretName: {{ (include "tlsSecretRefBrig" . | fromYaml).name }} + {{- end }} + {{- if eq (include "useTlsGalley" .) "true" }} + - name: galley-cassandra-cert + secret: + secretName: {{ (include "tlsSecretRefGalley" . | fromYaml).name }} + {{- end }} + {{- if eq (include "useTlsSpar" .) "true" }} + - name: spar-cassandra-cert + secret: + secretName: {{ (include "tlsSecretRefSpar" . | fromYaml).name }} + {{- end }} initContainers: {{- if .Values.enableGundeckMigrations }} - name: gundeck-schema @@ -41,6 +62,16 @@ spec: - gundeck - {{ template "cassandraGundeckReplicationType" . }} - "{{ template "cassandraGundeckReplicationArg" . }}" + {{- if eq (include "useTlsGundeck" .) "true" }} + - --tls-ca-certificate-file + - /certs/gundeck/{{- (include "tlsSecretRefGundeck" . | fromYaml).key }} + {{- end }} + + {{- if eq (include "useTlsGundeck" .) "true" }} + volumeMounts: + - name: gundeck-cassandra-cert + mountPath: "/certs/gundeck" + {{- end }} {{- end }} {{- if .Values.enableBrigMigrations }} 
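Review bot: `"helm.sh/hook-weight": "1"` is bumped without saying why; it only works together with the weight-0 hook Secrets in cassandra-certs.yaml, so a comment such as `# weight 1: the Cassandra CA Secrets (cassandra-certs.yaml, weight 0) must exist before this job starts` keeps someone from resetting it to 0 later. The rest of the job's spec continues outside the hunk.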
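Review bot: The `volumes:` key in the second hunk is emitted unconditionally and renders as `volumes: null` when none of the four services uses TLS; the API server most likely treats that as unset, but guarding the key with an `or` of the four `useTls*` helpers avoids depending on it and mirrors how each mount is guarded. The same unconditional `volumeMounts:`/`volumes:` keys appear in spar-migrate-data.yaml further down.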
@@ -61,6 +92,16 @@ spec: - brig - {{ template "cassandraBrigReplicationType" . }} - "{{ template "cassandraBrigReplicationArg" . }}" + {{- if eq (include "useTlsBrig" .) "true" }} + - --tls-ca-certificate-file + - /certs/brig/{{- (include "tlsSecretRefBrig" . | fromYaml).key }} + {{- end }} + + {{- if eq (include "useTlsBrig" .) "true" }} + volumeMounts: + - name: brig-cassandra-cert + mountPath: "/certs/brig" + {{- end }} {{- end }} {{- if .Values.enableGalleyMigrations }} @@ -81,6 +122,16 @@ spec: - galley - {{ template "cassandraGalleyReplicationType" . }} - "{{ template "cassandraGalleyReplicationArg" . }}" + {{- if eq (include "useTlsGalley" .) "true" }} + - --tls-ca-certificate-file + - /certs/galley/{{- (include "tlsSecretRefGalley" . | fromYaml).key }} + {{- end }} + + {{- if eq (include "useTlsGalley" .) "true" }} + volumeMounts: + - name: galley-cassandra-cert + mountPath: "/certs/galley" + {{- end }} {{- end }} {{- if .Values.enableSparMigrations }} @@ -101,7 +152,17 @@ spec: - spar - {{ template "cassandraSparReplicationType" . }} - "{{ template "cassandraSparReplicationArg" . }}" - {{- end }} + {{- if eq (include "useTlsSpar" .) "true" }} + - --tls-ca-certificate-file + - /certs/spar/{{- (include "tlsSecretRefSpar" . | fromYaml).key }} + {{- end }} + + {{- if eq (include "useTlsSpar" .) "true" }} + volumeMounts: + - name: spar-cassandra-cert + mountPath: "/certs/spar" + {{- end }} + {{- end }} containers: - name: job-done diff --git a/charts/cassandra-migrations/templates/spar-migrate-data.yaml b/charts/cassandra-migrations/templates/spar-migrate-data.yaml index 1b9c48e0669..051946ac2b4 100644 --- a/charts/cassandra-migrations/templates/spar-migrate-data.yaml +++ b/charts/cassandra-migrations/templates/spar-migrate-data.yaml 
@@ -43,4 +43,32 @@ spec: - "9042" - --cassandra-keyspace-brig - brig + {{- if eq (include "useTlsBrig" .) "true" }} + - --tls-ca-certificate-file-brig + - /certs/brig/{{- (include "tlsSecretRefBrig" . | fromYaml).key }} + {{- end }} + {{- if eq (include "useTlsSpar" .) "true" }} + - --tls-ca-certificate-file-spar + - /certs/spar/{{- (include "tlsSecretRefSpar" . | fromYaml).key }} + {{- end }} + volumeMounts: + {{- if eq (include "useTlsBrig" .) "true" }} + - name: brig-cassandra-cert + mountPath: "/certs/brig" + {{- end }} + {{- if eq (include "useTlsSpar" .) "true" }} + - name: spar-cassandra-cert + mountPath: "/certs/spar" + {{- end }} + volumes: + {{- if eq (include "useTlsBrig" .) "true" }} + - name: brig-cassandra-cert + secret: + secretName: {{ (include "tlsSecretRefBrig" . | fromYaml).name }} + {{- end }} + {{- if eq (include "useTlsSpar" .) "true" }} + - name: spar-cassandra-cert + secret: + secretName: {{ (include "tlsSecretRefSpar" . | fromYaml).name }} + {{- end }} {{- end }} diff --git a/charts/cassandra-migrations/values.yaml b/charts/cassandra-migrations/values.yaml index bf2a31d1b63..283a010884f 100644 --- a/charts/cassandra-migrations/values.yaml +++ b/charts/cassandra-migrations/values.yaml @@ -47,7 +47,29 @@ images: # cassandraGundeck: # host: cassandra-ephemeral-galley # replicationMap: eu-west-1:3 - +# +# To enable TLS/SSL connections provide the certificate as PEM string: +# +# cassandra: +# host: cassandra-external +# replicationFactor: 3 +# tlsCa: +# +# This also works for dedicated service setups. E.g. +# +# cassandraGalley: +# host: cassandra-ephemeral-galley +# replicationMap: eu-west-1:3 +# tlsCa: +# +# You may also directly refer to a Secret resource: +# +# cassandra: +# host: cassandra-external +# replicationFactor: 3 +# tlsCaSecretRef: +# name: +# key: # Overriding the following is only useful during datacenter migration time periods, # where some other job already migrates schemas. 
diff --git a/charts/coturn/Chart.yaml b/charts/coturn/Chart.yaml index ae35753e9dc..a5b11da7b38 100644 --- a/charts/coturn/Chart.yaml +++ b/charts/coturn/Chart.yaml @@ -11,4 +11,4 @@ version: 0.0.42 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 4.6.2-federation-wireapp.10 +appVersion: 4.6.2-federation-wireapp.12 diff --git a/charts/coturn/templates/service-account.yaml b/charts/coturn/templates/service-account.yaml index ce2803840f1..ec932539fef 100644 --- a/charts/coturn/templates/service-account.yaml +++ b/charts/coturn/templates/service-account.yaml @@ -12,7 +12,7 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: coturn + name: coturn-{{ .Release.Namespace }} labels: app: coturn chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} @@ -26,7 +26,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: coturn + name: coturn-{{ .Release.Namespace }} labels: app: coturn chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} @@ -35,7 +35,7 @@ metadata: roleRef: kind: ClusterRole apiGroup: rbac.authorization.k8s.io - name: coturn + name: coturn-{{ .Release.Namespace }} subjects: - kind: ServiceAccount name: coturn diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml index 683cb2501d6..84934676739 100644 --- a/charts/coturn/values.yaml +++ b/charts/coturn/values.yaml 
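Review bot: Suffixing the ClusterRole and ClusterRoleBinding names with `.Release.Namespace` deserves a comment, because the reason — both kinds are cluster-scoped, so a second coturn release in another namespace would otherwise overwrite the same object — is not obvious from the template: `# cluster-scoped kinds: namespace the name so releases in different namespaces do not share one object`. The ServiceAccount subject's `namespace:` is outside the hunk; a ClusterRoleBinding needs it to bind the right `coturn` account, so it is worth confirming it reads `{{ .Release.Namespace }}`.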
@@ -78,11 +78,11 @@ federate: # # list of host/ip/cert common names / subject alt names, and optional issuer # # names to accept DTLS connections from. There can be multiple entries. # remoteWhitelist: - # - host: example.com + # - host: wire.example # issuer: Issuer Common Name - # - host: another.example.com + # - host: another.wire.example # issuer: "DigiCert SHA2 Extended Validation Server CA" - # - host: another-host-without-issuer.example.com + # - host: another-host-without-issuer.wire.example remoteWhitelist: [] metrics: diff --git a/charts/demo-smtp/values.yaml b/charts/demo-smtp/values.yaml index 45c84a2a277..41f74441892 100644 --- a/charts/demo-smtp/values.yaml +++ b/charts/demo-smtp/values.yaml @@ -1,6 +1,6 @@ fullnameOverride: demo-smtp replicaCount: 1 -image: "quay.io/wire/namshi-smtp:aa63b8" +image: "quay.io/wire/ixdotai-smtp:v0.5.2" service: port: 25 @@ -15,7 +15,7 @@ resources: # Some relevant environment options can be # passed to the SMTP docker image, check -# https://hub.docker.com/r/namshi/smtp/ +# https://github.com/ix-ai/smtp#readme # for more details # NOTE: Without an empty dictionary, you will # see warnings when overriding envVars @@ -24,3 +24,18 @@ envVars: {} # envVars: # RELAY_NETWORKS: ":x.y.z.w/16" # +# PORT: "25" +# NET_DEV: eth0 +# OTHER_HOSTNAMES: other.example.com +# DISABLE_IPV6: 1 +# BIND_IP: 0.0.0.0 +# BIND_IP6: ::0 +# MAILNAME: mail.example.com +# DKIM_KEY_PATH: /etc/exim4/dkim.key +# KEY_PATH: /path/to/key.crt +# CERTIFICATE_PATH: /path/to/certificate.crt +# SMARTHOST_ADDRESS: mail.example.com +# SMARTHOST_PORT: "587" +# SMARTHOST_USER: exampleuser +# SMARTHOST_PASSWORD: secret +# SMARTHOST_ALIASES: "*.example.com" diff --git a/charts/elasticsearch-index/templates/_helpers.tpl b/charts/elasticsearch-index/templates/_helpers.tpl index 762fb52c2fa..47bf703112c 100644 --- a/charts/elasticsearch-index/templates/_helpers.tpl +++ b/charts/elasticsearch-index/templates/_helpers.tpl 
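Review bot: The new `demo-smtp` example block documents `SMARTHOST_PASSWORD: secret` under `envVars`, which encourages operators to put the relay password into a plain Helm value that then ends up unencrypted in the rendered Deployment (and in `helm get values`); whether `envVars` is rendered into a ConfigMap or directly into `env:` is not visible here, but neither is an appropriate place for a credential. Add a caveat next to that line, e.g. `# SMARTHOST_PASSWORD: secret  # prefer an existing Secret via env.valueFrom.secretKeyRef; do not commit real credentials to values files`, and consider documenting a `secretRef`-style override if the chart supports one. Separately, `image: "quay.io/wire/ixdotai-smtp:v0.5.2"` is a mutable tag from a new upstream; pinning `@sha256:…` alongside the tag would make the image swap reproducible and tamper-evident.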
@@ -7,3 +7,19 @@ {{- define "includeSecurityContext" -}} {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}} {{- end -}} + +{{- define "useCassandraTLS" -}} +{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }} +{{- end -}} + +{{/* Return a Dict of TLS CA secret name and key +This is used to switch between provided secret (e.g. by cert-manager) and +created one (in case the CA is provided as PEM string.) +*/}} +{{- define "tlsSecretRef" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "elasticsearch-index-migrate-cassandra-client-ca" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} diff --git a/charts/elasticsearch-index/templates/cassandra-secret.yaml b/charts/elasticsearch-index/templates/cassandra-secret.yaml new file mode 100644 index 00000000000..93486dd962a --- /dev/null +++ b/charts/elasticsearch-index/templates/cassandra-secret.yaml @@ -0,0 +1,14 @@ +{{- if not (empty .Values.cassandra.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: elasticsearch-index-migrate-cassandra-client-ca + labels: + app: elasticsearch-index-migrate-data + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.cassandra.tlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/elasticsearch-index/templates/migrate-data.yaml b/charts/elasticsearch-index/templates/migrate-data.yaml index 3ef47bcf5e8..3d54e1f51b8 100644 --- a/charts/elasticsearch-index/templates/migrate-data.yaml +++ b/charts/elasticsearch-index/templates/migrate-data.yaml 
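Review bot: `useCassandraTLS` and the new `cassandra-secret.yaml` disagree on what "enabled" means: the helper uses `hasKey .cassandra "tlsCa"`, but the Secret is only rendered when `not (empty .Values.cassandra.tlsCa)`. An operator who uncomments the example `tlsCa:` line in `values.yaml` (value `null`) or sets `tlsCa: ""` therefore gets TLS wiring in the Job (CA path `/certs/ca.pem`, a volume referencing `elasticsearch-index-migrate-cassandra-client-ca`) but no Secret, and the pod sits in `ContainerCreating` with a confusing "secret not found" event. Make the helper use the same predicate: `{{ or (not (empty .cassandra.tlsCa)) (not (empty .cassandra.tlsCaSecretRef)) }}`, and apply the same fix to the identical helpers added for galley, gundeck and integration later in this diff. The same concern applies to `tlsSecretRef`, which tests `.cassandra.tlsCaSecretRef` for truthiness rather than for a populated `name`/`key`.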
@@ -43,3 +43,18 @@ spec: - "{{ required "missing elasticsearch-index.galley.host!" .Values.galley.host }}" - --galley-port - "{{ required "missing elasticsearch-index.galley.port!" .Values.galley.port }}" + {{- if eq (include "useCassandraTLS" .Values) "true" }} + - --tls-ca-certificate-file + - /certs/{{- (include "tlsSecretRef" .Values | fromYaml).key }} + {{- end }} + {{- if eq (include "useCassandraTLS" .Values) "true" }} + volumeMounts: + - name: elasticsearch-index-migrate-cassandra-client-ca + mountPath: "/certs" + {{- end }} + {{- if eq (include "useCassandraTLS" .Values) "true" }} + volumes: + - name: elasticsearch-index-migrate-cassandra-client-ca + secret: + secretName: {{ (include "tlsSecretRef" .Values | fromYaml).name }} + {{- end}} diff --git a/charts/elasticsearch-index/values.yaml b/charts/elasticsearch-index/values.yaml index 4cbd2e5110c..93e8a97ef6f 100644 --- a/charts/elasticsearch-index/values.yaml +++ b/charts/elasticsearch-index/values.yaml @@ -8,6 +8,13 @@ cassandra: # host: port: 9042 keyspace: brig +# To enable TLS provide a CA: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: galley: host: galley port: 8080 diff --git a/charts/fake-aws-ses/values.yaml b/charts/fake-aws-ses/values.yaml index 3dcc068d8ba..8b82f73e00b 100644 --- a/charts/fake-aws-ses/values.yaml +++ b/charts/fake-aws-ses/values.yaml @@ -16,4 +16,4 @@ resources: ## The following needs to be provided (and consistent with the config in brig) #TODO: It would actually be useful if the deployment _fails_ if this is undefined -#sesSender: "sender@example.com" +#sesSender: "sender@wire.example" diff --git a/charts/fake-aws-sqs/templates/configmap.yaml b/charts/fake-aws-sqs/templates/configmap.yaml new file mode 100644 index 00000000000..baac9d15bca --- /dev/null +++ b/charts/fake-aws-sqs/templates/configmap.yaml 
@@ -0,0 +1,60 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + elasticmq.conf: | + include classpath("application.conf") + + # What is the outside visible address of this ElasticMQ node + # Used to create the queue URL (may be different from bind address!) + node-address { + protocol = http + host = localhost + port = {{ .Values.service.httpPort }} + context-path = "" + } + + rest-sqs { + enabled = true + bind-port = {{ .Values.service.httpPort }} + bind-hostname = "0.0.0.0" + # Possible values: relaxed, strict + sqs-limits = strict + } + + rest-stats { + enabled = true + bind-port = 9325 + bind-hostname = "0.0.0.0" + } + + # Should the node-address be generated from the bind port/hostname + # Set this to true e.g. when assigning port automatically by using port 0. + generate-node-address = false + + queues { + {{- range $i, $queueName := .Values.queueNames }} + "{{ $queueName }}" { + {{- if hasSuffix ".fifo" $queueName }} + fifo = true + {{- end }} + } + {{- end }} + } + + messages-storage { + enabled = true + uri = "jdbc:h2:/data/elasticmq.db" + } + + # Region and accountId which will be included in resource ids + aws { + region = eu-west-1 + accountId = 000000000000 + } diff --git a/charts/fake-aws-sqs/templates/deployment.yaml b/charts/fake-aws-sqs/templates/deployment.yaml index 24055e126a1..39848020c90 100644 --- a/charts/fake-aws-sqs/templates/deployment.yaml +++ b/charts/fake-aws-sqs/templates/deployment.yaml @@ -16,6 +16,8 @@ spec: metadata: labels: app: {{ template "fullname" . }} + annotations: + checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }} spec: containers: - name: fake-aws-sqs 
@@ -24,45 +26,22 @@ spec: - containerPort: {{ .Values.service.httpPort }} name: http protocol: TCP + command: + - /sbin/tini + - -- + - /opt/elasticmq/bin/elasticmq-native-server + - -Dconfig.file=/config/elasticmq.conf + - -Dlogback.configurationFile=/opt/logback.xml volumeMounts: - name: storage mountPath: /data + - name: config + mountPath: /config resources: {{ toYaml .Values.resources | indent 12 }} - - name: initiate-fake-aws-sqs - image: mesosphere/aws-cli:1.14.5 - command: [/bin/sh] - args: - - -c - - | - exec_until_ready() { - until $1; do echo 'service not ready yet'; sleep 1; done - } - queue_exists() { - # NOTE: we use the '"' to match the queue name more exactly (otherwise there is some overlap) - OUTPUT=$(aws --endpoint-url=http://localhost:{{ $.Values.service.httpPort }} sqs list-queues | grep $1'"' | wc -l) - echo $OUTPUT - } - - echo 'Creating AWS resources' - aws configure set aws_access_key_id dummy - aws configure set aws_secret_access_key dummy - aws configure set region eu-west-1 - - while true - do - # Recreate resources if needed - {{ range $i, $queueName := .Values.queueNames }} - QUEUE=$(queue_exists "{{ $queueName }}") - if [ "$QUEUE" == "1" ] - then echo "Queue {{ $queueName }} exists, no need to re-create" - else exec_until_ready "aws --endpoint-url=http://localhost:{{ $.Values.service.httpPort }} sqs create-queue --queue-name {{ $queueName }}" - fi - {{ end }} - - echo 'Sleeping 10' - sleep 10 - done volumes: - emptyDir: {} name: "storage" + - name: config + configMap: + name: {{ template "fullname" . }} diff --git a/charts/fake-aws-sqs/values.yaml b/charts/fake-aws-sqs/values.yaml index 4f46cd50d94..a5161706986 100644 --- a/charts/fake-aws-sqs/values.yaml +++ b/charts/fake-aws-sqs/values.yaml 
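Review bot: The new `config` mount that carries `elasticmq.conf` (including the queue list and the H2 storage URI) is writable from inside the container even though nothing should ever modify it; mark it `readOnly: true` so a compromised or misbehaving process cannot alter the broker's configuration in place: `- name: config`, `mountPath: /config`, `readOnly: true`. The `command:` also hard-codes image-internal paths (`/sbin/tini`, `/opt/elasticmq/bin/elasticmq-native-server`, `/opt/logback.xml`), so the Deployment is now coupled to the exact layout of `softwaremill/elasticmq-native:1.5.2`; a short comment above `command:` noting that these paths must be re-checked on every image bump would save the next maintainer a broken rollout. Dropping the sidecar that ran `mesosphere/aws-cli:1.14.5` is a welcome reduction of the image surface.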
@@ -1,6 +1,6 @@ image: - repository: airdock/fake-sqs - tag: 0.3.1 + repository: softwaremill/elasticmq-native + tag: 1.5.2 # TODO: in a wire-server chart, these queue names should match the ones defined in galley/brig/gundeck (i.e. only be defined once) queueNames: diff --git a/charts/federator/templates/service.yaml b/charts/federator/templates/service.yaml index 22d018b9135..1e235c0f363 100644 --- a/charts/federator/templates/service.yaml +++ b/charts/federator/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/galley/templates/_helpers.tpl b/charts/galley/templates/_helpers.tpl index 762fb52c2fa..a9de4a20a9b 100644 --- a/charts/galley/templates/_helpers.tpl +++ b/charts/galley/templates/_helpers.tpl @@ -7,3 +7,19 @@ {{- define "includeSecurityContext" -}} {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}} {{- end -}} + +{{- define "useCassandraTLS" -}} +{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }} +{{- end -}} + +{{/* Return a Dict of TLS CA secret name and key +This is used to switch between provided secret (e.g. by cert-manager) and +created one (in case the CA is provided as PEM string.) +*/}} +{{- define "tlsSecretRef" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "galley-cassandra" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} diff --git a/charts/galley/templates/cassandra-secret.yaml b/charts/galley/templates/cassandra-secret.yaml new file mode 100644 index 00000000000..eb34aeb30bd --- /dev/null +++ b/charts/galley/templates/cassandra-secret.yaml 
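Review bot: The version gate `ge (.Capabilities.KubeVersion.Minor|int) 26` is brittle: several managed distributions report `Minor` with a suffix (e.g. `26+`), and Sprig's `int` converts a non-numeric string to `0`, so on those clusters the branch always falls back to the deprecated `topology-aware-hints` annotation even on new Kubernetes versions. The chart already has a precedent for the robust form in `includeSecurityContext`; use it here too: `{{- if semverCompare ">= 1.26-0" .Capabilities.KubeVersion.Version }}`. The same construct is repeated for the galley, gundeck and legalhold Services in this diff and should be changed in all of them.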
@@ -0,0 +1,15 @@ +{{/* Secret for the provided Cassandra TLS CA. */}} +{{- if not (empty .Values.config.cassandra.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: galley-cassandra + labels: + app: galley + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/galley/templates/configmap.yaml b/charts/galley/templates/configmap.yaml index 690bfd993c3..1ff99379292 100644 --- a/charts/galley/templates/configmap.yaml +++ b/charts/galley/templates/configmap.yaml @@ -21,6 +21,9 @@ data: {{- if hasKey .cassandra "filterNodesByDatacentre" }} filterNodesByDatacentre: {{ .cassandra.filterNodesByDatacentre }} {{- end }} + {{- if eq (include "useCassandraTLS" .) "true" }} + tlsCa: /etc/wire/galley/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }} + {{- end }} brig: host: brig @@ -76,11 +79,12 @@ data: removal: ed25519: "/etc/wire/galley/secrets/removal_ed25519.pem" {{- end }} - {{- end -}} - {{- if .settings.disabledAPIVersions }} - disabledAPIVersions: {{ .settings.disabledAPIVersions }} {{- end }} + disabledAPIVersions: {{ toJson .settings.disabledAPIVersions }} {{- if .settings.featureFlags }} + {{- if .settings.guestLinkTTLSeconds }} + guestLinkTTLSeconds: {{ .settings.guestLinkTTLSeconds }} + {{- end }} featureFlags: sso: {{ .settings.featureFlags.sso }} legalhold: {{ .settings.featureFlags.legalhold }} @@ -135,5 +139,9 @@ data: mlsMigration: {{- toYaml .settings.featureFlags.mlsMigration | nindent 10 }} {{- end }} + {{- if .settings.featureFlags.limitedEventFanout }} + limitedEventFanout: + {{- toYaml .settings.featureFlags.limitedEventFanout | nindent 10 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/galley/templates/deployment.yaml b/charts/galley/templates/deployment.yaml index a9f2f50fb92..df9eee0c206 100644 
--- a/charts/galley/templates/deployment.yaml +++ b/charts/galley/templates/deployment.yaml @@ -36,6 +36,11 @@ spec: - name: "galley-secrets" secret: secretName: "galley" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "galley-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end }} containers: - name: galley image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -49,6 +54,10 @@ spec: mountPath: "/etc/wire/galley/conf" - name: "galley-secrets" mountPath: "/etc/wire/galley/secrets" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "galley-cassandra" + mountPath: "/etc/wire/galley/cassandra" + {{- end }} env: {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID diff --git a/charts/galley/templates/service.yaml b/charts/galley/templates/service.yaml index d7cdd38ce45..3e401047911 100644 --- a/charts/galley/templates/service.yaml +++ b/charts/galley/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/galley/templates/tests/galley-integration.yaml b/charts/galley/templates/tests/galley-integration.yaml index e1870228379..1fdd9e206ac 100644 --- a/charts/galley/templates/tests/galley-integration.yaml +++ b/charts/galley/templates/tests/galley-integration.yaml @@ -40,6 +40,11 @@ spec: - name: "galley-secrets" secret: secretName: "galley" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "galley-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end }} containers: - name: integration image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}" 
@@ -84,6 +89,10 @@ spec: mountPath: "/etc/wire/integration-secrets" - name: "galley-secrets" mountPath: "/etc/wire/galley/secrets" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "galley-cassandra" + mountPath: "/etc/wire/galley/cassandra" + {{- end }} env: # these dummy values are necessary for Amazonka's "Discover" - name: AWS_ACCESS_KEY_ID diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml index 8bd2d28c37f..8239f4019e8 100644 --- a/charts/galley/values.yaml +++ b/charts/galley/values.yaml @@ -22,6 +22,13 @@ config: cassandra: host: aws-cassandra replicaCount: 3 +# To enable TLS provide a CA: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: enableFederation: false # keep enableFederation default in sync with brig and cargohold chart's config.enableFederation as well as wire-server chart's tags.federation # Not used if enableFederation is false rabbitmq: 
@@ -41,16 +48,19 @@ config: conversationCodeURI: null # # `multiIngress` is a `Z-Host` depended setting of conversationCodeURI. - # Use this only if you want to expose the instance on mutliple ingresses. + # Use this only if you want to expose the instance on multiple ingresses. # If set it must a map from `Z-Host` to URI prefix # Example: - # multiIngress: - # example.com: https://accounts.example.com/conversation-join/ + # multiIngress: + # wire.example: https://accounts.wire.example/conversation-join/ # example.net: https://accounts.example.net/conversation-join/ multiIngress: null # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # disabledAPIVersions: [ v3 ] + disabledAPIVersions: [ development ] + # The lifetime of a conversation guest link in seconds. Must be a value 0 < x <= 31536000 (365 days) + # Default is 31536000 (365 days) if not set + guestLinkTTLSeconds: 31536000 featureFlags: # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) appLock: defaults: @@ -83,6 +93,7 @@ config: allowedCipherSuites: [1] defaultCipherSuite: 1 supportedProtocols: [proteus, mls] # must contain defaultProtocol + lockStatus: unlocked searchVisibilityInbound: defaults: status: disabled @@ -121,6 +132,9 @@ config: usersThreshold: 100 clientsThreshold: 100 lockStatus: locked + limitedEventFanout: + defaults: + status: disabled aws: region: "eu-west-1" diff --git a/charts/gundeck/templates/_helpers.tpl b/charts/gundeck/templates/_helpers.tpl index 762fb52c2fa..ed317e0b213 100644 --- a/charts/gundeck/templates/_helpers.tpl +++ b/charts/gundeck/templates/_helpers.tpl 
@@ -7,3 +7,19 @@ {{- define "includeSecurityContext" -}} {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}} {{- end -}} + +{{- define "useCassandraTLS" -}} +{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }} +{{- end -}} + +{{/* Return a Dict of TLS CA secret name and key +This is used to switch between provided secret (e.g. by cert-manager) and +created one (in case the CA is provided as PEM string.) +*/}} +{{- define "tlsSecretRef" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "gundeck-cassandra" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} diff --git a/charts/gundeck/templates/cassandra-secret.yaml b/charts/gundeck/templates/cassandra-secret.yaml new file mode 100644 index 00000000000..68dd7c9d34a --- /dev/null +++ b/charts/gundeck/templates/cassandra-secret.yaml @@ -0,0 +1,15 @@ +{{/* Secret for the provided Cassandra TLS CA. */}} +{{- if not (empty .Values.config.cassandra.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: gundeck-cassandra + labels: + app: brig + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/gundeck/templates/configmap.yaml b/charts/gundeck/templates/configmap.yaml index 527f521c263..cac6782ab9a 100644 --- a/charts/gundeck/templates/configmap.yaml +++ b/charts/gundeck/templates/configmap.yaml @@ -25,6 +25,9 @@ data: {{- if hasKey .cassandra "filterNodesByDatacentre" }} filterNodesByDatacentre: {{ .cassandra.filterNodesByDatacentre }} {{- end }} + {{- if eq (include "useCassandraTLS" .) "true" }} + tlsCa: /etc/wire/gundeck/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }} + {{- end }} redis: host: {{ .redis.host }} 
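Review bot: The new `charts/gundeck/templates/cassandra-secret.yaml` labels the Secret `app: brig` although it belongs to gundeck and is named `gundeck-cassandra`; this looks like a copy/paste slip from the brig chart and will mislabel the object for any label-based selection, RBAC review or cleanup (`kubectl delete secret -l app=brig` would remove gundeck's CA). Change it to `app: gundeck`. The rest of the file mirrors the galley variant, which correctly uses its own app label.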
@@ -57,9 +60,7 @@ data: {{- if hasKey . "perNativePushConcurrency" }} perNativePushConcurrency: {{ .perNativePushConcurrency }} {{- end }} - {{- if .disabledAPIVersions }} - disabledAPIVersions: {{ .disabledAPIVersions }} - {{- end }} + disabledAPIVersions: {{ toJson .disabledAPIVersions }} # disabledAPIVersions: [ 2 ] maxConcurrentNativePushes: soft: {{ .maxConcurrentNativePushes.soft }} diff --git a/charts/gundeck/templates/deployment.yaml b/charts/gundeck/templates/deployment.yaml index 27255185da5..20ca7988245 100644 --- a/charts/gundeck/templates/deployment.yaml +++ b/charts/gundeck/templates/deployment.yaml @@ -32,6 +32,11 @@ spec: - name: "gundeck-config" configMap: name: "gundeck" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "gundeck-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end}} containers: - name: gundeck image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -43,6 +48,10 @@ spec: volumeMounts: - name: "gundeck-config" mountPath: "/etc/wire/gundeck/conf" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "gundeck-cassandra" + mountPath: "/etc/wire/gundeck/cassandra" + {{- end }} env: {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID diff --git a/charts/gundeck/templates/service.yaml b/charts/gundeck/templates/service.yaml index c685bd4504e..1227bec6064 100644 --- a/charts/gundeck/templates/service.yaml +++ b/charts/gundeck/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/gundeck/templates/tests/configmap.yaml b/charts/gundeck/templates/tests/configmap.yaml index c5df36067c8..e2051925c11 100644 
--- a/charts/gundeck/templates/tests/configmap.yaml +++ b/charts/gundeck/templates/tests/configmap.yaml @@ -19,7 +19,7 @@ data: # some gundeck integration tests make use of two different # cannon instances to test the distributed case. when running # the integration tests locally, the two instances will be spun - # up separately (see `wire-server/services/run-services`). + # up separately (see `wire-server/dist/run-services`). # # here, we spin up two replicas, provide the integration tests # with the same service coordinates, and rely on the k8s load diff --git a/charts/gundeck/templates/tests/gundeck-integration.yaml b/charts/gundeck/templates/tests/gundeck-integration.yaml index 7f92351be5a..8b00f2c9865 100644 --- a/charts/gundeck/templates/tests/gundeck-integration.yaml +++ b/charts/gundeck/templates/tests/gundeck-integration.yaml @@ -13,6 +13,11 @@ spec: - name: "gundeck-config" configMap: name: "gundeck" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "gundeck-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end}} containers: - name: integration # TODO: When deployed to staging (or real AWS env), _all_ tests should be run @@ -54,6 +59,10 @@ spec: mountPath: "/etc/wire/integration" - name: "gundeck-config" mountPath: "/etc/wire/gundeck/conf" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "gundeck-cassandra" + mountPath: "/etc/wire/gundeck/cassandra" + {{- end }} env: # these dummy values are necessary for Amazonka's "Discover" - name: AWS_ACCESS_KEY_ID diff --git a/charts/gundeck/values.yaml b/charts/gundeck/values.yaml index 28416361448..75f3ce54ef7 100644 --- a/charts/gundeck/values.yaml +++ b/charts/gundeck/values.yaml 
@@ -20,6 +20,13 @@ config: logNetStrings: false cassandra: host: aws-cassandra +# To enable TLS provide a CA: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: redis: host: redis-ephemeral-master port: 6379 @@ -37,7 +44,7 @@ config: soft: 1000 # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # disabledAPIVersions: [ v3 ] + disabledAPIVersions: [ development ] # Maximum number of bytes loaded into memory when fetching (referenced) payloads. # Gundeck will return a truncated page if the whole page's payload sizes would exceed this limit in total. diff --git a/charts/inbucket/values.yaml b/charts/inbucket/values.yaml index 0e59481ac99..d438b634748 100644 --- a/charts/inbucket/values.yaml +++ b/charts/inbucket/values.yaml @@ -1,6 +1,6 @@ # Fully qualified domain name (FQDN) of the domain where to serve inbucket. # E.g. 'inbucket.my-test-env.wire.link' -host: "inbucket.example.com" +host: "inbucket.wire.example" config: ingressClass: "nginx" diff --git a/charts/integration/templates/_helpers.tpl b/charts/integration/templates/_helpers.tpl index e138d2f1bbf..e278f287d1f 100644 --- a/charts/integration/templates/_helpers.tpl +++ b/charts/integration/templates/_helpers.tpl 
@@ -36,4 +36,20 @@ {{- define "integrationTestHelperNewLabels" -}} {{- (semverCompare ">= 1.23-0" (include "kubeVersion" .)) -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{- define "useCassandraTLS" -}} +{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }} +{{- end -}} + +{{/* Return a Dict of TLS CA secret name and key +This is used to switch between provided secret (e.g. by cert-manager) and +created one (in case the CA is provided as PEM string.) +*/}} +{{- define "tlsSecretRef" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "integration-cassandra" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} diff --git a/charts/integration/templates/cassandra-secret.yaml b/charts/integration/templates/cassandra-secret.yaml new file mode 100644 index 00000000000..dd76b650671 --- /dev/null +++ b/charts/integration/templates/cassandra-secret.yaml @@ -0,0 +1,15 @@ +{{/* Secret for the provided Cassandra TLS CA. */}} +{{- if not (empty .Values.config.cassandra.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: integration-cassandra + labels: + app: integration + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/integration/templates/configmap.yaml b/charts/integration/templates/configmap.yaml index 99a247203ae..e18128cbf58 100644 --- a/charts/integration/templates/configmap.yaml +++ b/charts/integration/templates/configmap.yaml 
@@ -120,4 +120,8 @@ data: federatorExternalPort: {{ $dynamicBackend.federatorExternalPort }} {{- end }} cassandra: -{{ toYaml .Values.config.cassandra | indent 6}} + host: {{ .Values.config.cassandra.host }} + port: {{ .Values.config.cassandra.port }} + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + tlsCa: /etc/wire/galley/cassandra/{{- (include "tlsSecretRef" .Values.config | fromYaml).key }} + {{- end }} diff --git a/charts/integration/templates/integration-integration.yaml b/charts/integration/templates/integration-integration.yaml index 044b63b3b9a..5199c03def4 100644 --- a/charts/integration/templates/integration-integration.yaml +++ b/charts/integration/templates/integration-integration.yaml @@ -75,17 +75,25 @@ spec: - name: "nginz-secrets" secret: secretName: "nginz" - + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: integration-cassandra + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end }} restartPolicy: Never initContainers: - # FUTUREWORK: reproduce brig's initContainers (for geoip) - name: integration-setup image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" {{- if eq (include "includeSecurityContext" .) "true" }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 6 }} {{- end }} + volumeMounts: + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "integration-cassandra" + mountPath: "/certs" + {{- end }} env: - name: INTEGRATION_DYNAMIC_BACKENDS_POOLSIZE value: "{{ .Values.config.dynamicBackendsPoolsize }}" 
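Review bot: The integration chart's own `cassandra.tlsCa` now points at `/etc/wire/galley/cassandra/…`, i.e. a path that belongs to the galley service layout rather than to the integration binary; it only resolves because the test pod in `integration-integration.yaml` happens to mount the same Secret under that path as well as under `/certs`, so the two files are coupled by an implicit convention. Prefer the mount this chart already owns, `tlsCa: /certs/{{- (include "tlsSecretRef" .Values.config | fromYaml).key }}`, or add a comment stating why the galley path is used. Note also that replacing `toYaml .Values.config.cassandra` with explicit `host`/`port` drops any other keys (e.g. `replicationFactor`) from the rendered config; if that is intended, a one-line comment would make it clear that the schema job reads those values separately.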
@@ -111,9 +119,15 @@ spec: - | set -euo pipefail # FUTUREWORK: Do all of this in the integration test binary - integration-dynamic-backends-db-schemas.sh --host {{ .Values.config.cassandra.host }} --port {{ .Values.config.cassandra.port }} --replication-factor {{ .Values.config.cassandra.replicationFactor }} + integration-dynamic-backends-db-schemas.sh \ + --host {{ .Values.config.cassandra.host }} \ + --port {{ .Values.config.cassandra.port }} \ + --replication-factor {{ .Values.config.cassandra.replicationFactor }} \ + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + --tls-ca-certificate-file /certs/{{- (include "tlsSecretRef" .Values.config | fromYaml).key }} + {{ end }} + integration-dynamic-backends-brig-index.sh --elasticsearch-server http://{{ .Values.config.elasticsearch.host }}:9200 - integration-dynamic-backends-sqs.sh {{ .Values.config.sqsEndpointUrl }} integration-dynamic-backends-ses.sh {{ .Values.config.sesEndpointUrl }} integration-dynamic-backends-s3.sh {{ .Values.config.s3EndpointUrl }} {{- range $name, $dynamicBackend := .Values.config.dynamicBackends }} @@ -213,6 +227,23 @@ spec: - name: nginz-secrets mountPath: /etc/wire/nginz/secrets + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "integration-cassandra" + mountPath: "/certs" + + - name: "integration-cassandra" + mountPath: "/etc/wire/brig/cassandra" + + - name: "integration-cassandra" + mountPath: "/etc/wire/galley/cassandra" + + - name: "integration-cassandra" + mountPath: "/etc/wire/gundeck/cassandra" + + - name: "integration-cassandra" + mountPath: "/etc/wire/spar/cassandra" + {{- end }} + env: # these dummy values are necessary for Amazonka's "Discover" - name: AWS_ACCESS_KEY_ID diff --git a/charts/k8ssandra-test-cluster/templates/check-cluster-job.yaml b/charts/k8ssandra-test-cluster/templates/check-cluster-job.yaml index b91292e2762..6fd8de25b93 100644 --- a/charts/k8ssandra-test-cluster/templates/check-cluster-job.yaml 
+++ b/charts/k8ssandra-test-cluster/templates/check-cluster-job.yaml @@ -12,7 +12,21 @@ spec: containers: - name: cassandra image: cassandra:3.11 + {{- if not .Values.client_encryption_options.enabled }} command: ["cqlsh", "k8ssandra-cluster-datacenter-1-service"] + {{- else }} + command: ["cqlsh", "--ssl", "k8ssandra-cluster-datacenter-1-service"] + env: + - name: SSL_CERTFILE + value: "/certs/ca.crt" + volumeMounts: + - name: cassandra-jks-keystore + mountPath: "/certs" + volumes: + - name: cassandra-jks-keystore + secret: + secretName: cassandra-jks-keystore + {{- end }} restartPolicy: OnFailure # Default is 6 retries. 8 is a bit arbitrary, but should be sufficient for # low resource environments (e.g. Wire-in-a-box.) diff --git a/charts/k8ssandra-test-cluster/templates/jks-store-pass.yaml b/charts/k8ssandra-test-cluster/templates/jks-store-pass.yaml new file mode 100644 index 00000000000..52e6f2d0ebb --- /dev/null +++ b/charts/k8ssandra-test-cluster/templates/jks-store-pass.yaml @@ -0,0 +1,9 @@ +{{- if .Values.client_encryption_options.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: jks-password + namespace: {{ .Release.Namespace }} +data: + keystore-pass: {{ .Values.client_encryption_options.keystorePassword | b64enc }} +{{- end }} diff --git a/charts/k8ssandra-test-cluster/templates/k8ssandra-cluster.yaml b/charts/k8ssandra-test-cluster/templates/k8ssandra-cluster.yaml index 50560a52d5f..35197d8b8fd 100644 --- a/charts/k8ssandra-test-cluster/templates/k8ssandra-cluster.yaml +++ b/charts/k8ssandra-test-cluster/templates/k8ssandra-cluster.yaml @@ -26,6 +26,10 @@ spec: gc_g1_max_gc_pause_ms: 300 gc_g1_initiating_heap_occupancy_percent: 55 gc_g1_parallel_threads: 16 + cassandraYaml: + client_encryption_options: + enabled: {{ .Values.client_encryption_options.enabled }} + optional: {{ .Values.client_encryption_options.optional }} datacenters: - metadata: name: datacenter-1 
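Review bot: The `check-cluster-job` mounts the whole `cassandra-jks-keystore` Secret under `/certs` although `cqlsh` only needs `ca.crt`; that Secret is the cert-manager output for the server certificate, so the job container also receives the server private key (`tls.key`) and the JKS keystore, which is unnecessary exposure for a health-check pod. Project only the needed key: `secret: secretName: cassandra-jks-keystore` plus `items: [{key: ca.crt, path: ca.crt}]`. The new `jks-password` Secret renders `keystore-pass: {{ … | b64enc }}` without `| quote`; it works for base64 output, but quoting is the safer convention used elsewhere in these charts.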
@@ -38,6 +42,21 @@ spec: resources: requests: storage: {{ .Values.storageSize }} + {{- if .Values.client_encryption_options.enabled }} + clientEncryptionStores: + keystoreSecretRef: + name: cassandra-jks-keystore + key: keystore.jks + keystorePasswordSecretRef: + key: keystore-pass + name: jks-password + truststoreSecretRef: + name: cassandra-jks-keystore + key: truststore.jks + truststorePasswordSecretRef: + key: keystore-pass + name: jks-password + {{- end }} reaper: autoScheduling: enabled: true diff --git a/charts/k8ssandra-test-cluster/templates/tls-certificate-bundle.yaml b/charts/k8ssandra-test-cluster/templates/tls-certificate-bundle.yaml new file mode 100644 index 00000000000..4b06b31110c --- /dev/null +++ b/charts/k8ssandra-test-cluster/templates/tls-certificate-bundle.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.client_encryption_options.enabled .Values.syncCACertToSecret }} +# Let trust-manager sync the CA PEM (and only that!) into secrets named +# `k8ssandra-tls-ca-certificate-` in all configured namespaces or only +# one if syncCACertNamespace is defined. This way we can hide the private key +# from public. +apiVersion: trust.cert-manager.io/v1alpha1 +kind: Bundle +metadata: + name: k8ssandra-tls-ca-certificate + namespace: {{ .Release.Namespace }} +spec: + sources: + - secret: + name: "cassandra-jks-keystore" + key: "ca.crt" + target: + secret: + key: "ca.crt" + {{- if hasKey .Values "syncCACertNamespace" }} + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Values.syncCACertNamespace }} + {{- end }} +{{- end }} diff --git a/charts/k8ssandra-test-cluster/templates/tls-certificate.yaml b/charts/k8ssandra-test-cluster/templates/tls-certificate.yaml new file mode 100644 index 00000000000..c7efd99c8a6 --- /dev/null +++ b/charts/k8ssandra-test-cluster/templates/tls-certificate.yaml 
@@ -0,0 +1,44 @@ +{{- if .Values.client_encryption_options.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: cassandra-certificate + namespace: {{ .Release.Namespace }} +spec: + # Secret names are always required. + secretName: cassandra-jks-keystore + duration: 2160h # 90d + renewBefore: 360h # 15d + subject: + organizations: + - PIT squad + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + # commonName: example.com + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + - client auth + # At least one of a DNS Name, URI, or IP address is required. + dnsNames: + - k8ssandra-cluster-datacenter-1-service.{{ .Release.Namespace }}.svc.cluster.local + - k8ssandra-cluster-datacenter-1-service + issuerRef: + name: ca-issuer + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: Issuer + # This is optional since cert-manager will default to this value however + # if you are using an external issuer, change this to that issuer group. + group: cert-manager.io + keystores: + jks: + create: true + passwordSecretRef: # Password used to encrypt the keystore + key: keystore-pass + name: jks-password +{{- end }} diff --git a/charts/k8ssandra-test-cluster/templates/tls-issuer.yaml b/charts/k8ssandra-test-cluster/templates/tls-issuer.yaml new file mode 100644 index 00000000000..65bc3dbad38 --- /dev/null +++ b/charts/k8ssandra-test-cluster/templates/tls-issuer.yaml @@ -0,0 +1,9 @@ +{{- if .Values.client_encryption_options.enabled }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: ca-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +{{- end }} diff --git a/charts/k8ssandra-test-cluster/values.yaml b/charts/k8ssandra-test-cluster/values.yaml index 3aabc8db1ab..a34ca0da5f5 100644 --- a/charts/k8ssandra-test-cluster/values.yaml 
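Review bot: `usages` grants `client auth` next to `server auth`, yet nothing in this change sets up mutual TLS (the cluster hunk only sets `enabled`/`optional`, and the cqlsh job trusts a CA file only), so the key is enabled for a role it never plays; drop `- client auth` unless a client-certificate use is planned, and say which in a comment. Consider `rotationPolicy: Always` under `privateKey` so the 90-day renewal generates a fresh key instead of re-signing the existing one, which is cert-manager's default behaviour. `organizations: - PIT squad` is team-internal naming that will appear in every client's certificate view; a short comment or a more descriptive value would help.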
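Review bot: Issuing the Cassandra leaf directly from a `selfSigned` Issuer makes that certificate its own trust anchor: cert-manager writes the leaf into `ca.crt`, so every renewal (roughly every 75 days given `duration: 2160h` and `renewBefore: 360h` in tls-certificate.yaml) replaces the CA that trust-manager syncs and that spar mounts as `tlsCa`, and any consumer that loaded the previous PEM loses trust until it is restarted. Use the self-signed issuer only to bootstrap a long-lived CA certificate (`isCA: true`) and back `ca-issuer` with that secret; the leaf's `ca.crt` then stays stable across renewals, and neither the Certificate nor the Bundle needs to change since both keep their names. The sketch below replaces the body of this file.

```yaml
{{- if .Values.client_encryption_options.enabled }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: {{ .Release.Namespace }}
spec:
  selfSigned: {}
---
# Long-lived CA; its ca.crt is what trust-manager syncs and what clients pin.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cassandra-ca
  namespace: {{ .Release.Namespace }}
spec:
  isCA: true
  secretName: cassandra-ca
  commonName: k8ssandra-test-cluster CA
  duration: 87600h # 10y
  privateKey:
    algorithm: RSA
    size: 4096
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: {{ .Release.Namespace }}
spec:
  ca:
    secretName: cassandra-ca
{{- end }}
```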
+++ b/charts/k8ssandra-test-cluster/values.yaml @@ -11,3 +11,22 @@ storageClassName: hcloud-volumes-encrypted # storage, it's fine to request 10GB. The memory units are described here: # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory storageSize: 10G + +# These options relate to the client_encryption_options described in: +# https://cassandra.apache.org/doc/stable/cassandra/configuration/cass_yaml_file.html#client_encryption_options +client_encryption_options: + enabled: false + optional: true + # The password could be secured better. However, this chart is meant to be + # used as test setup. And, protecting a self-signed certificate isn't very + # useful. + keystorePassword: password + +# Guard the private key by syncing only the CA certificate to +# `k8ssandra-test-cluster-tls-ca-certificate` secrets. Requires `trust-manager` +# Helm chart to be installed (including CRDs.) +syncCACertToSecret: false + +# Limit syncing to this namespace. Otherwise, the secret is synced to all +# namespaces. +# syncCACertNamespace: diff --git a/charts/legalhold/templates/service.yaml b/charts/legalhold/templates/service.yaml index 4a178e268eb..4577185b8b0 100644 --- a/charts/legalhold/templates/service.yaml +++ b/charts/legalhold/templates/service.yaml @@ -3,7 +3,11 @@ kind: Service metadata: name: "{{ .Release.Name }}-hold" annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP selector: diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl index 8341c1a7a3b..d2c92d579b2 100644 --- a/charts/nginz/templates/conf/_nginx.conf.tpl +++ b/charts/nginz/templates/conf/_nginx.conf.tpl 
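Review bot: The default `optional: true` keeps Cassandra accepting plaintext CQL on the same port once `enabled: true`, so a client whose TLS settings are wrong connects unencrypted and the test setup never notices; for a chart meant to exercise TLS, default to `optional: false` or document that `true` is only for a migration window. The password comment argues that protecting a self-signed certificate is not useful, but the keystore password guards the private key in `keystore.jks`, not the certificate; reword it to say that the test-cluster threat model is what justifies the weak default. The `syncCACertToSecret` comment names the synced secret `k8ssandra-test-cluster-tls-ca-certificate`, while the Bundle in tls-certificate-bundle.yaml produces `k8ssandra-tls-ca-certificate`.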
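Review bot: `ge (.Capabilities.KubeVersion.Minor|int) 26` silently falls back to the deprecated `topology-aware-hints` annotation on distributions that report the minor version with a suffix (e.g. `26+`), because `int` of such a string yields 0. Compare the full version instead, `{{- if semverCompare ">=1.26-0" .Capabilities.KubeVersion.Version }}`, which is also how the spar chart's `includeSecurityContext` helper gates on 1.24. The same construct is repeated in the nginz, proxy and spar service templates in this change and should be fixed in all four.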
@@ -322,7 +322,7 @@ http { more_set_headers 'Access-Control-Allow-Origin: $cors_header'; - more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location'; + more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location, Replay-Nonce'; more_set_headers 'Request-Id: $request_id'; more_set_headers 'Strict-Transport-Security: max-age=31536000; preload'; } diff --git a/charts/nginz/templates/service.yaml b/charts/nginz/templates/service.yaml index 6a5c2420f7f..6fcc0ea5b3e 100644 --- a/charts/nginz/templates/service.yaml +++ b/charts/nginz/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml index 83f89007609..c9d6594f942 100644 --- a/charts/nginz/values.yaml +++ b/charts/nginz/values.yaml @@ -1,10 +1,10 @@ replicaCount: 3 resources: requests: - memory: "256Mi" + memory: "850Mi" cpu: "100m" limits: - memory: "800Mi" + memory: "1200Mi" metrics: serviceMonitor: enabled: false @@ -53,7 +53,10 @@ nginx_conf: - /search/top - /search/common - default_client_max_body_size: "256k" + # `default_client_max_body_size` is increased from 256k to 512k because + # client requests like listing users, conversations, filling or getting prekeys and other various MLS requests + # apparently may have bodies larger than 256k. + default_client_max_body_size: "512k" rate_limit_reqs_per_user: "30r/s" rate_limit_reqs_per_addr: "15r/m" @@ -162,6 +165,10 @@ nginx_conf: disable_zauth: true envs: - staging + - path: /api-federation/swagger-ui + disable_zauth: true + envs: + - staging - path: /self$ # Matches exactly /self oauth_scope: self envs: 
@@ -520,6 +527,12 @@ nginx_conf: - path: /teams/([^/]*)/features/([^/])* envs: - all + - path: /i/teams/([^/]*)/features/enforceFileDownloadLocation/([^/])* + envs: + - staging + disable_zauth: true + basic_auth: true + versioned: false - path: /i/teams/([^/]*)/features/([^/]*) envs: - staging diff --git a/charts/openldap/templates/secret-newusers.yaml b/charts/openldap/templates/secret-newusers.yaml index 0397cb0af55..55157a0ba4f 100644 --- a/charts/openldap/templates/secret-newusers.yaml +++ b/charts/openldap/templates/secret-newusers.yaml @@ -20,7 +20,7 @@ stringData: objectClass: posixAccount objectClass: shadowAccount cn: john - uid: john@example.com + uid: john@wire.example uidNumber: 10001 gidNumber: 10001 homeDirectory: /home/john @@ -33,7 +33,7 @@ stringData: objectClass: posixAccount objectClass: shadowAccount cn: jane - uid: jane@example.com + uid: jane@wire.example uidNumber: 10002 gidNumber: 10002 homeDirectory: /home/jane @@ -46,7 +46,7 @@ stringData: objectClass: posixAccount objectClass: shadowAccount cn: me - uid: me@example.com + uid: me@wire.example uidNumber: 10003 gidNumber: 10003 homeDirectory: /home/me @@ -60,10 +60,10 @@ stringData: objectClass: shadowAccount objectClass: extensibleObject cn: usesemail - uid: usesemail@example.com + uid: usesemail@wire.example uidNumber: 10004 gidNumber: 10004 - email: uses@example.com + email: uses@wire.example homeDirectory: /home/me userPassword: notgonnatelleither loginShell: /bin/bash diff --git a/charts/proxy/templates/configmap.yaml b/charts/proxy/templates/configmap.yaml index 54648797524..a69b96e663f 100644 --- a/charts/proxy/templates/configmap.yaml +++ b/charts/proxy/templates/configmap.yaml 
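Review bot: The trailing `([^/])*` in the new path matches zero or more single characters rather than one path segment as `([^/]*)` would, and unless the nginz template anchors the location regex it also matches any longer path under that prefix; mirror the second group as `([^/]*)` or confirm the anchoring (the context line above has the same quirk, so it may be deliberate and deserves a comment either way). The entry exposes an internal `/i/` feature endpoint through the public nginz with `disable_zauth: true`, relying solely on `basic_auth: true`; limiting it to `envs: - staging` is the right guard, and a comment stating why this must be externally reachable and that it must not be promoted to `all` would keep it from being copied.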
@@ -7,9 +7,7 @@ data: logFormat: {{ .Values.config.logFormat }} logLevel: {{ .Values.config.logLevel }} logNetStrings: {{ .Values.config.logNetStrings }} - {{- if .Values.config.disabledAPIVersions }} - disabledAPIVersions: {{ .Values.config.disabledAPIVersions }} - {{- end }} + disabledAPIVersions: {{ toJson .Values.config.disabledAPIVersions }} host: 0.0.0.0 port: {{ .Values.service.internalPort }} httpPoolSize: 1000 diff --git a/charts/proxy/templates/service.yaml b/charts/proxy/templates/service.yaml index f3640fa434a..478ad3d6a37 100644 --- a/charts/proxy/templates/service.yaml +++ b/charts/proxy/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/proxy/values.yaml b/charts/proxy/values.yaml index 2b9c5fc60ce..216851a1226 100644 --- a/charts/proxy/values.yaml +++ b/charts/proxy/values.yaml @@ -21,7 +21,7 @@ config: proxy: {} # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # disabledAPIVersions: [ v3 ] + disabledAPIVersions: [ development ] podSecurityContext: allowPrivilegeEscalation: false diff --git a/charts/sftd/Chart.yaml b/charts/sftd/Chart.yaml index 5d3b865d616..3ebbb82a5ca 100644 --- a/charts/sftd/Chart.yaml +++ b/charts/sftd/Chart.yaml @@ -11,4 +11,4 @@ version: 0.0.42 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 2.1.19 +appVersion: 4.0.10 
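Review bot: Dropping the `if` guard means `disabledAPIVersions: {{ toJson .Values.config.disabledAPIVersions }}` renders `disabledAPIVersions: null` whenever an override file unsets the value, which the previous template avoided by omitting the key; unless proxy's config parser is known to accept `null` for this list, render an empty list instead, `disabledAPIVersions: {{ toJson (default (list) .Values.config.disabledAPIVersions) }}`. Making the key unconditional is otherwise an improvement, since it keeps the `development` API version disabled by default and visible in every rendered config.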
diff --git a/charts/sftd/README.md b/charts/sftd/README.md index 2d0fa74a076..2cdb05de31c 100644 --- a/charts/sftd/README.md +++ b/charts/sftd/README.md @@ -48,8 +48,8 @@ tags: sftd: true sftd: - host: sftd.example.com - allowOrigin: https://webapp.example.com + host: sftd.wire.example + allowOrigin: https://webapp.wire.example tls: # The https://cert-manager.io issuer to use to retrieve a certificate issuerRef: @@ -69,8 +69,8 @@ very slow. ``` helm install sftd wire/sftd \ - --set host=sftd.example.com \ - --set allowOrigin=https://webapp.example.com \ + --set host=sftd.wire.example \ + --set allowOrigin=https://webapp.wire.example \ --set-file tls.crt=/path/to/tls.crt \ --set-file tls.key=/path/to/tls.key ``` @@ -98,7 +98,7 @@ brig: # ... optSettings: # ... - setSftStaticUrl: https://sftd.example.com:443 + setSftStaticUrl: https://sftd.wire.example:443 ``` ## Routability diff --git a/charts/sftd/templates/servicemonitor.yaml b/charts/sftd/templates/servicemonitor.yaml new file mode 100644 index 00000000000..6a2b2fc34a3 --- /dev/null +++ b/charts/sftd/templates/servicemonitor.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "sftd.fullname" . }} + labels: + {{- include "sftd.labels" . | nindent 4 }} +spec: + endpoints: + - port: metrics + path: /metrics + selector: + matchLabels: + {{- include "sftd.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/sftd/values.yaml b/charts/sftd/values.yaml index 3b65d81d677..c9e23fa2990 100644 --- a/charts/sftd/values.yaml +++ b/charts/sftd/values.yaml @@ -21,6 +21,10 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +metrics: + serviceMonitor: + enabled: false + # The time to wait after terminating an sft node before shutting it down. No # new calls will be initiated whilst a pod is being terminated. terminationGracePeriodSeconds: 10 
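Review bot: The ServiceMonitor carries only the chart's standard labels, but Prometheus Operator instances pick up ServiceMonitors via their own `serviceMonitorSelector` (commonly a `release: <prometheus-release>` label), so without a `metrics.serviceMonitor.additionalLabels` value rendered into `metadata.labels` this object may never be scraped. `port: metrics` also presumes the sftd Service declares a port with that name, which is not visible in this change and is worth confirming.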
@@ -60,7 +64,7 @@ tolerations: [] affinity: {} -# allowOrigin: https://webapp.example.com +# allowOrigin: https://webapp.wire.example # host: tls: {} # {key,crt} and issuerRef are mutally exclusive @@ -82,7 +86,7 @@ joinCall: repository: nginxinc/nginx-unprivileged pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "1.19.5" + tag: "1.25.3" # Allow SFT instances to choose/consider using a TURN server for themselves as a proxy when # trying to establish a connection to clients diff --git a/charts/spar/templates/_helpers.tpl b/charts/spar/templates/_helpers.tpl index 762fb52c2fa..958a0acc362 100644 --- a/charts/spar/templates/_helpers.tpl +++ b/charts/spar/templates/_helpers.tpl @@ -1,4 +1,3 @@ - {{/* Allow KubeVersion to be overridden. */}} {{- define "kubeVersion" -}} {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} @@ -7,3 +6,19 @@ {{- define "includeSecurityContext" -}} {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}} {{- end -}} + +{{- define "useCassandraTLS" -}} +{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }} +{{- end -}} + +{{/* Return a Dict of TLS CA secret name and key +This is used to switch between provided secret (e.g. by cert-manager) and +created one (in case the CA is provided as PEM string.) +*/}} +{{- define "tlsSecretRef" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef | toYaml }} +{{- else }} +{{- dict "name" "spar-cassandra" "key" "ca.pem" | toYaml -}} +{{- end -}} +{{- end -}} diff --git a/charts/spar/templates/cassandra-secret.yaml b/charts/spar/templates/cassandra-secret.yaml new file mode 100644 index 00000000000..0a480e01bb0 --- /dev/null +++ b/charts/spar/templates/cassandra-secret.yaml 
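Review bot: `useCassandraTLS` decides with `hasKey`, while cassandra-secret.yaml decides with `not (empty …tlsCa)`; a values file that uncomments `tlsCa:` without a value (exactly what the example in values.yaml invites) therefore enables the `tlsCa:` config line and the `spar-cassandra` volume but renders no Secret, and the pod fails to mount. Make both agree on emptiness: `{{ or (not (empty .cassandra.tlsCa)) (not (empty .cassandra.tlsCaSecretRef)) }}`. `tlsSecretRef` silently prefers `tlsCaSecretRef` when both are set; a comment stating that precedence would avoid surprises.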
@@ -0,0 +1,15 @@ +{{/* Secret for the provided Cassandra TLS CA. */}} +{{- if not (empty .Values.config.cassandra.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: spar-cassandra + labels: + app: spar + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/spar/templates/configmap.yaml b/charts/spar/templates/configmap.yaml index 98711a46791..34718f6a4a0 100644 --- a/charts/spar/templates/configmap.yaml +++ b/charts/spar/templates/configmap.yaml @@ -25,6 +25,9 @@ data: {{- if hasKey .cassandra "filterNodesByDatacentre" }} filterNodesByDatacentre: {{ .cassandra.filterNodesByDatacentre }} {{- end }} + {{- if eq (include "useCassandraTLS" .) "true" }} + tlsCa: /etc/wire/spar/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }} + {{- end }} maxttlAuthreq: {{ .maxttlAuthreq }} maxttlAuthresp: {{ .maxttlAuthresp }} @@ -33,9 +36,7 @@ data: maxScimTokens: {{ .maxScimTokens }} - {{- if .disabledAPIVersions }} - disabledAPIVersions: {{ .disabledAPIVersions }} - {{- end }} + disabledAPIVersions: {{ toJson .disabledAPIVersions }} saml: version: SAML2.0 diff --git a/charts/spar/templates/deployment.yaml b/charts/spar/templates/deployment.yaml index 6d65b5d1515..c09fc2beacd 100644 --- a/charts/spar/templates/deployment.yaml +++ b/charts/spar/templates/deployment.yaml @@ -30,6 +30,11 @@ spec: - name: "spar-config" configMap: name: "spar" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "spar-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end}} containers: - name: spar image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 
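Review bot: `disabledAPIVersions: {{ toJson .disabledAPIVersions }}` now renders `null` when the value is unset instead of omitting the key as the removed `if` did; render `{{ toJson (default (list) .disabledAPIVersions) }}` unless spar's parser is known to accept `null` here. The proxy configmap in this change has the identical construct, and the values comment asks for the setting to match across all service charts, so the fallback should be applied uniformly.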
@@ -41,6 +46,10 @@ spec: volumeMounts: - name: "spar-config" mountPath: "/etc/wire/spar/conf" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "spar-cassandra" + mountPath: "/etc/wire/spar/cassandra" + {{- end }} env: {{- with .Values.config.proxy }} {{- if .httpProxy }} diff --git a/charts/spar/templates/service.yaml b/charts/spar/templates/service.yaml index 201b604a82b..46e652c65be 100644 --- a/charts/spar/templates/service.yaml +++ b/charts/spar/templates/service.yaml @@ -8,7 +8,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: + {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }} + service.kubernetes.io/topology-mode: Auto + {{- else }} service.kubernetes.io/topology-aware-hints: auto + {{- end }} spec: type: ClusterIP ports: diff --git a/charts/spar/templates/tests/spar-integration.yaml b/charts/spar/templates/tests/spar-integration.yaml index ff937f3d18e..9cae732bfb3 100644 --- a/charts/spar/templates/tests/spar-integration.yaml +++ b/charts/spar/templates/tests/spar-integration.yaml @@ -16,6 +16,11 @@ spec: - name: "spar-config" configMap: name: "spar" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "spar-cassandra" + secret: + secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + {{- end}} containers: - name: integration image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}" @@ -56,6 +61,10 @@ spec: mountPath: "/etc/wire/integration" - name: "spar-config" mountPath: "/etc/wire/spar/conf" + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} + - name: "spar-cassandra" + mountPath: "/etc/wire/spar/cassandra" + {{- end }} resources: requests: memory: "512Mi" diff --git a/charts/spar/values.yaml b/charts/spar/values.yaml index 073fd5b0ee6..f3e59ca3347 100644 --- a/charts/spar/values.yaml +++ b/charts/spar/values.yaml 
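Review bot: This template compares `.Capabilities.KubeVersion.Minor|int` against 26 although the same chart's `_helpers.tpl` already provides `kubeVersion` (honouring `kubeVersionOverride`) and gates `includeSecurityContext` with `semverCompare`; bypassing the helper means the override no longer affects this annotation, and a minor string such as `26+` parses to 0 and selects the deprecated `topology-aware-hints`. Use `{{- if semverCompare ">=1.26-0" (include "kubeVersion" .) }}` for consistency with the rest of the chart.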
@@ -17,6 +17,13 @@ service: config: cassandra: host: aws-cassandra +# To enable TLS provide a CA: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: richInfoLimit: 5000 maxScimTokens: 0 logLevel: Info @@ -27,7 +34,7 @@ config: proxy: {} # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts: # brig, cannon, cargohold, galley, gundeck, proxy, spar. - # disabledAPIVersions: [ v3 ] + disabledAPIVersions: [ development ] podSecurityContext: allowPrivilegeEscalation: false diff --git a/charts/team-settings/values.yaml b/charts/team-settings/values.yaml index fa4545c38b7..a8c8dc82281 100644 --- a/charts/team-settings/values.yaml +++ b/charts/team-settings/values.yaml @@ -9,7 +9,7 @@ resources: cpu: "1" image: repository: quay.io/wire/team-settings - tag: "4.15.0-v0.31.16-0-8138d2e" + tag: "4.15.1-v0.31.19-0-ee1dbce" service: https: externalPort: 443 @@ -20,10 +20,10 @@ service: #config: # externalUrls: -# backendRest: nginz-https.example.com -# backendWebsocket: nginz-ssl.example.com -# backendDomain: example.com -# appHost: teams.example.com +# backendRest: nginz-https.wire.example +# backendWebsocket: nginz-ssl.wire.example +# backendDomain: wire.example +# appHost: teams.wire.example #secrets: # configJson: 
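Review bot: The new `tlsCa` / `tlsCaSecretRef` comments do not say that the two are alternatives, that `tlsCaSecretRef` wins when both are given (per `tlsSecretRef` in `_helpers.tpl`), or that `tlsCa` is expected to hold the CA as PEM text (cassandra-secret.yaml stores it as `ca.pem`); add e.g. `# Set exactly one: tlsCa (PEM text of the CA) or tlsCaSecretRef; the secret ref takes precedence.` Also warn that uncommenting `tlsCa:` with no value counts as present for `hasKey` in `useCassandraTLS`.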
@@ -40,25 +40,26 @@ envVars: {} # FEATURE_ENABLE_DEBUG: "true" # You are likely to need at least following CSP headers # due to the fact that you are likely to do cross sub-domain requests -# i.e., from teams.example.com to nginz-https.example.com -# CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com" -# CSP_EXTRA_IMG_SRC: "https://*.example.com" -# CSP_EXTRA_SCRIPT_SRC: "https://*.example.com" -# CSP_EXTRA_DEFAULT_SRC: "https://*.example.com" -# CSP_EXTRA_FONT_SRC: "https://*.example.com" -# CSP_EXTRA_FRAME_SRC: "https://*.example.com" -# CSP_EXTRA_MANIFEST_SRC: "https://*.example.com" -# CSP_EXTRA_OBJECT_SRC: "https://*.example.com" -# CSP_EXTRA_MEDIA_SRC: "https://*.example.com" -# CSP_EXTRA_PREFETCH_SRC: "https://*.example.com" -# CSP_EXTRA_STYLE_SRC: "https://*.example.com" -# CSP_EXTRA_WORKER_SRC: "https://*.example.com" +# i.e., from teams.wire.example to nginz-https.wire.example +# CSP_EXTRA_CONNECT_SRC: "https://*.wire.example, wss://*.wire.example" +# CSP_EXTRA_IMG_SRC: "https://*.wire.example" +# CSP_EXTRA_SCRIPT_SRC: "https://*.wire.example" +# CSP_EXTRA_DEFAULT_SRC: "https://*.wire.example" +# CSP_EXTRA_FONT_SRC: "https://*.wire.example" +# CSP_EXTRA_FRAME_SRC: "https://*.wire.example" +# CSP_EXTRA_MANIFEST_SRC: "https://*.wire.example" +# CSP_EXTRA_OBJECT_SRC: "https://*.wire.example" +# CSP_EXTRA_MEDIA_SRC: "https://*.wire.example" +# CSP_EXTRA_PREFETCH_SRC: "https://*.wire.example" +# CSP_EXTRA_STYLE_SRC: "https://*.wire.example" +# CSP_EXTRA_WORKER_SRC: "https://*.wire.example" podSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 seccompProfile: type: RuntimeDefault diff --git a/charts/webapp/values.yaml b/charts/webapp/values.yaml index 3235cbcbb37..6ce8a3146f1 100644 --- a/charts/webapp/values.yaml +++ b/charts/webapp/values.yaml 
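Review bot: Replacing `runAsNonRoot: true` with `runAsUser: 1000` / `runAsGroup: 1000` drops the kubelet's check that the container never starts as UID 0, and the `restricted` Pod Security Standard requires `runAsNonRoot: true` to be set explicitly. If the motivation was the "non-numeric user" start failure that `runAsNonRoot` alone produces for images that set `USER` by name, the fix is to keep all three: `runAsNonRoot: true`, `runAsUser: 1000`, `runAsGroup: 1000`. A comment recording why UID 1000 is correct for the `quay.io/wire/team-settings` image would help the next tag bump.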
@@ -9,7 +9,7 @@ resources: cpu: "1" image: repository: quay.io/wire/webapp - tag: "2023-07-13-production.0-v0.31.16-0-a9b67c6" + tag: "2024-01-22-production.1-v0.31.17-0-7f83dbe" service: https: externalPort: 443 @@ -20,10 +20,10 @@ service: #config: # externalUrls: -# backendRest: nginz-https.example.com -# backendWebsocket: nginz-ssl.example.com -# backendDomain: example.com -# appHost: webapp.example.com +# backendRest: nginz-https.wire.example +# backendWebsocket: nginz-ssl.wire.example +# backendDomain: wire.example +# appHost: webapp.wire.example # Some relevant environment options. For a comprehensive # list of available variables, please refer to: 
@@ -37,25 +37,26 @@ envVars: {} # FEATURE_ENABLE_DEBUG: "true" # You are likely to need at least following CSP headers # due to the fact that you are likely to do cross sub-domain requests -# i.e., from webapp.example.com to nginz-https.example.com -# CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com" -# CSP_EXTRA_IMG_SRC: "https://*.example.com" -# CSP_EXTRA_SCRIPT_SRC: "https://*.example.com" -# CSP_EXTRA_DEFAULT_SRC: "https://*.example.com" -# CSP_EXTRA_FONT_SRC: "https://*.example.com" -# CSP_EXTRA_FRAME_SRC: "https://*.example.com" -# CSP_EXTRA_MANIFEST_SRC: "https://*.example.com" -# CSP_EXTRA_OBJECT_SRC: "https://*.example.com" -# CSP_EXTRA_MEDIA_SRC: "https://*.example.com" -# CSP_EXTRA_PREFETCH_SRC: "https://*.example.com" -# CSP_EXTRA_STYLE_SRC: "https://*.example.com" -# CSP_EXTRA_WORKER_SRC: "https://*.example.com" +# i.e., from webapp.wire.example to nginz-https.wire.example +# CSP_EXTRA_CONNECT_SRC: "https://*.wire.example, wss://*.wire.example" +# CSP_EXTRA_IMG_SRC: "https://*.wire.example" +# CSP_EXTRA_SCRIPT_SRC: "https://*.wire.example" +# CSP_EXTRA_DEFAULT_SRC: "https://*.wire.example" +# CSP_EXTRA_FONT_SRC: "https://*.wire.example" +# CSP_EXTRA_FRAME_SRC: "https://*.wire.example" +# CSP_EXTRA_MANIFEST_SRC: "https://*.wire.example" +# CSP_EXTRA_OBJECT_SRC: "https://*.wire.example" +# CSP_EXTRA_MEDIA_SRC: "https://*.wire.example" +# CSP_EXTRA_PREFETCH_SRC: "https://*.wire.example" +# CSP_EXTRA_STYLE_SRC: "https://*.wire.example" +# CSP_EXTRA_WORKER_SRC: "https://*.wire.example" podSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 seccompProfile: type: RuntimeDefault diff --git a/deploy/dockerephemeral/build/Makefile b/deploy/dockerephemeral/build/Makefile index c0d254bd185..9ea871794fe 100644 --- a/deploy/dockerephemeral/build/Makefile +++ b/deploy/dockerephemeral/build/Makefile 
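Review bot: As in team-settings, `runAsNonRoot: true` is removed in favour of `runAsUser: 1000` / `runAsGroup: 1000`, which loses the runtime guarantee that the image never runs as root and fails the `restricted` Pod Security Standard, which wants `runAsNonRoot: true` stated explicitly. Keep the flag alongside the numeric IDs: `runAsNonRoot: true`, `runAsUser: 1000`, `runAsGroup: 1000`. If a specific failure motivated the removal, a comment naming it would stop the next reviewer from re-adding the flag blindly.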
@@ -177,7 +177,7 @@ MINIO_COMMIT ?= 118270d76fc90f1e54cd9510cee9688bd717250b CASSANDRA_COMMIT ?= 064fb4e2682bf9c1909e4cb27225fa74862c9086 smtp/Dockerfile: - git clone https://github.com/namshi/docker-smtp.git smtp + git clone https://github.com/ix-ai/smtp.git smtp cd smtp && git reset --hard $(SMTP_COMMIT) dynamodb_local/Dockerfile: diff --git a/deploy/dockerephemeral/coredns-config/db.example.com b/deploy/dockerephemeral/coredns-config/db.example.com index f52268e7ff6..1c33e941fb1 100644 --- a/deploy/dockerephemeral/coredns-config/db.example.com +++ b/deploy/dockerephemeral/coredns-config/db.example.com @@ -17,3 +17,4 @@ _wire-server-federator._tcp.b IN SRV 0 0 9443 localhost. _wire-server-federator._tcp.d1 IN SRV 0 0 10443 localhost. _wire-server-federator._tcp.d2 IN SRV 0 0 11443 localhost. _wire-server-federator._tcp.d3 IN SRV 0 0 12443 localhost. +_wire-server-federator._tcp.v0 IN SRV 0 0 21443 localhost. diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index a988af62cae..2ac1a1843e8 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -1,14 +1,23 @@ version: '2' networks: - demo_wire: - external: false - redis: driver: bridge ipam: config: - subnet: 172.20.0.0/24 + coredns: + driver: bridge + ipam: + config: + - subnet: 172.20.1.0/24 + + demo_wire: + driver: bridge + ipam: + config: + - subnet: 172.20.2.0/24 + services: fake_dynamodb: container_name: demo_wire_dynamodb @@ -25,10 +34,12 @@ services: fake_sqs: container_name: demo_wire_sqs -# image: airdock/fake-sqs:0.3.1 - image: julialongtin/airdock_fakesqs:0.0.9 + image: softwaremill/elasticmq-native:1.5.2 ports: - 127.0.0.1:4568:4568 + - 127.0.0.1:9325:9325 + volumes: + - ./docker/elasticmq.conf:/opt/elasticmq.conf networks: - demo_wire 
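Review bot: The clone target now points at `ix-ai/smtp`, but the pin it resets to, `$(SMTP_COMMIT)`, is defined above this hunk and not visible here; if that variable still names a commit from `namshi/docker-smtp`, `git reset --hard` fails on the fresh clone. Confirm `SMTP_COMMIT` was updated to a commit hash from the new repository and annotate it, e.g. `# ix-ai/smtp, pinned by commit (not tag) so the build is reproducible`. Pinning a build-time fetch by full commit rather than by tag is the right choice and worth keeping.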
@@ -48,8 +59,7 @@ services: basic_smtp: # needed for demo setup container_name: demo_wire_smtp -# image: namshi/smtp - image: julialongtin/smtp:0.0.9 + image: ixdotai/smtp:v0.5.2 ports: - 127.0.0.1:2500:25 networks: @@ -67,20 +77,6 @@ services: networks: - demo_wire - # activemq: - # image: rmohr/activemq:5.15.4 - # ports: - # - "61613:61613" - - # FIXME: replace redis image with one we build. - redis: - container_name: demo_wire_redis - image: redis:3.0.7-alpine - ports: - - "127.0.0.1:6379:6379" - networks: - - demo_wire - redis-cluster: image: 'redis:6.0-alpine' command: redis-cli --cluster create 172.20.0.31:6373 172.20.0.32:6374 172.20.0.33:6375 172.20.0.34:6376 172.20.0.35:6377 172.20.0.36:6378 --cluster-replicas 1 --cluster-yes @@ -197,6 +193,12 @@ services: environment: - "CS_JVM_OPTIONS=-Xmx1024M -Xms1024M -Xmn200M" + healthcheck: + test: "nodetool status" + interval: 10s + start_period: 20s + timeout: 2s + # on nixos, you also may need to run # sysctl -w vm.max_map_count=1048576 # or add that to your `configuration.nix` @@ -247,6 +249,7 @@ services: - ./:/scripts networks: - demo_wire + coredns: image: docker.io/coredns/coredns:1.8.4 volumes: @@ -258,6 +261,9 @@ services: ports: - "9053:53" - "9053:53/udp" + networks: + coredns: + ipv4_address: 172.20.1.2 volumes: redis-node-1-data: diff --git a/deploy/dockerephemeral/docker/elasticmq.conf b/deploy/dockerephemeral/docker/elasticmq.conf new file mode 100644 index 00000000000..7cd41d7317e --- /dev/null +++ b/deploy/dockerephemeral/docker/elasticmq.conf 
@@ -0,0 +1,80 @@ +include classpath("application.conf") + +# What is the outside visible address of this ElasticMQ node +# Used to create the queue URL (may be different from bind address!) +node-address { + protocol = http + host = localhost + port = 4568 + context-path = "" +} + +rest-sqs { + enabled = true + bind-port = 4568 + bind-hostname = "0.0.0.0" + # Possible values: relaxed, strict + sqs-limits = strict +} + +rest-stats { + enabled = true + bind-port = 9325 + bind-hostname = "0.0.0.0" +} + +# Should the node-address be generated from the bind port/hostname +# Set this to true e.g. when assigning port automatically by using port 0. +generate-node-address = false + +queues { + default-queue-template { + defaultVisibilityTimeout = 1s + } + + fifo-queue-template { + defaultVisibilityTimeout = 1s + fifo = true + } + + integration-brig-events = ${queues.default-queue-template} + integration-brig-events2 = ${queues.default-queue-template} + integration-brig-events3 = ${queues.default-queue-template} + integration-brig-events4 = ${queues.default-queue-template} + integration-brig-events5 = ${queues.default-queue-template} + integration-brig-events-federation-v0 = ${queues.default-queue-template} + + integration-brig-events-internal = ${queues.default-queue-template} + integration-brig-events-internal2 = ${queues.default-queue-template} + integration-brig-events-internal3 = ${queues.default-queue-template} + integration-brig-events-internal4 = ${queues.default-queue-template} + integration-brig-events-internal5 = ${queues.default-queue-template} + integration-brig-events-internal-federation-v0 = ${queues.default-queue-template} + + "integration-user-events.fifo" = ${queues.fifo-queue-template} + "integration-user-events2.fifo" = ${queues.fifo-queue-template} + "integration-user-events3.fifo" = ${queues.fifo-queue-template} + "integration-user-events4.fifo" = ${queues.fifo-queue-template} + "integration-user-events5.fifo" = ${queues.fifo-queue-template} + 
"integration-user-events-federation-v0.fifo" = ${queues.fifo-queue-template} + + integration-gundeck-events = ${queues.default-queue-template} + integration-gundeck-events2 = ${queues.default-queue-template} + integration-gundeck-events3 = ${queues.default-queue-template} + integration-gundeck-events4 = ${queues.default-queue-template} + integration-gundeck-events5 = ${queues.default-queue-template} + integration-gundeck-events-federation-v0 = ${queues.default-queue-template} + + "integration-team-events.fifo" = ${queues.fifo-queue-template} + "integration-team-events2.fifo" = ${queues.fifo-queue-template} + "integration-team-events3.fifo" = ${queues.fifo-queue-template} + "integration-team-events4.fifo" = ${queues.fifo-queue-template} + "integration-team-events5.fifo" = ${queues.fifo-queue-template} + "integration-team-events-federation-v0.fifo" = ${queues.fifo-queue-template} +} + +# Region and accountId which will be included in resource ids +aws { + region = eu-west-1 + accountId = 000000000000 +} \ No newline at end of file diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml new file mode 100644 index 00000000000..1342056cac5 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0.yaml 
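Review bot: `node-address.host = localhost` is what ElasticMQ embeds in the queue URLs it returns, which suits processes on the host using the `127.0.0.1:4568` mapping but not the brig/galley/gundeck containers in federation-v0.yaml, where `localhost` is the container itself; if those services build queue URLs from `GetQueueUrl` rather than solely from their configured endpoint, the host would need to be one reachable on `demo_wire` (the `fake_sqs` service name), so confirm how the client derives URLs. Binding the REST and stats listeners to `0.0.0.0` is safe only because docker-compose maps both ports to `127.0.0.1`; a comment here recording that assumption keeps the two files from drifting. The file also lacks a trailing newline.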
@@ -0,0 +1,271 @@
+version: '2.3'
+
+networks:
+ demo_wire:
+ external: false
+
+services:
+ brig_schema:
+ container_name: brig-schema-federation-v0
+ image: quay.io/wire/brig-schema:4.38.51
+ command: --host cassandra --keyspace brig_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+ brig:
+ container_name: brig-federation-v0
+ image: quay.io/wire/brig:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/brig/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21082:8080'
+ healthcheck: &haskell_health_check
+ test: "curl --fail localhost:8080/i/status"
+ depends_on:
+ brig_schema:
+ condition: service_completed_successfully
+ aws_cli:
+ condition: service_completed_successfully
+ init_vhosts:
+ condition: service_completed_successfully
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+ - RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
+ - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
+
+ galley_schema:
+ container_name: galley-schema-federation-v0
+ image: quay.io/wire/galley-schema:4.38.51
+ command: --host cassandra --keyspace galley_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+
+ galley:
+ container_name: galley-federation-v0
+ image: quay.io/wire/galley:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/galley/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21085:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ galley_schema:
+ condition: service_completed_successfully
+ aws_cli:
+ condition: service_completed_successfully
+ init_vhosts:
+ condition: service_completed_successfully
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+ - 
RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
+ - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
+
+ cargohold:
+ container_name: cargohold-federation-v0
+ image: quay.io/wire/cargohold:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/cargohold/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21084:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ aws_cli:
+ condition: service_completed_successfully
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+
+ gundeck_schema:
+ container_name: gundeck-schema-federation-v0
+ image: quay.io/wire/gundeck-schema:4.38.51
+ command: --host cassandra --keyspace gundeck_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+
+ gundeck:
+ container_name: gundeck-federation-v0
+ image: quay.io/wire/gundeck:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/gundeck/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21086:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ gundeck_schema:
+ condition: service_completed_successfully
+ aws_cli:
+ condition: service_completed_successfully
+ redis:
+ condition: service_started
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+
+ spar_schema:
+ container_name: spar-schema-federation-v0
+ image: quay.io/wire/spar-schema:4.38.51
+ command: --host cassandra --keyspace spar_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+
+ spar:
+ container_name: spar-federation-v0
+ image: quay.io/wire/spar:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/spar/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21088:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ spar_schema:
+ 
condition: service_completed_successfully
+
+ cannon:
+ container_name: cannon-federation-v0
+ image: quay.io/wire/cannon:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/cannon/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21083:8080'
+ healthcheck: *haskell_health_check
+
+ federator:
+ container_name: federator-federation-v0
+ image: quay.io/wire/federator:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/federator/conf
+ networks:
+ - demo_wire
+ - coredns
+ ports:
+ - '127.0.0.1:21097:8080'
+ - '127.0.0.1:21098:8081'
+ # healthcheck: *haskell_health_check
+ healthcheck:
+ test: "true"
+ depends_on:
+ coredns-federation:
+ condition: service_started
+
+ background_worker:
+ container_name: background-worker-federation-v0
+ image: quay.io/wire/background-worker:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/background-worker/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21089:8080'
+ depends_on:
+ init_vhosts:
+ condition: service_completed_successfully
+ environment:
+ - RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
+ - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
+
+ proxy:
+ container_name: proxy-federation-v0
+ image: quay.io/wire/proxy:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/proxy/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21087:8080'
+ healthcheck: *haskell_health_check
+
+ nginz:
+ container_name: nginz-federation-v0
+ image: quay.io/wire/nginz:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21080:8080'
+ - '127.0.0.1:21443:8443'
+ depends_on:
+ brig:
+ condition: service_healthy
+ galley:
+ condition: service_healthy
+ gundeck:
+ condition: service_healthy
+ cargohold:
+ condition: service_healthy
+ cannon:
+ condition: service_healthy
+ spar:
+ condition: service_healthy
+ federator:
+ condition: service_healthy
+ proxy:
+ condition: service_healthy
+
+ # We have to run a separate redis instance for each version of 
wire-server we
+ # want. This is because gundeck just assumes the whole redis is for itself
+ redis:
+ container_name: redis-federation-v0
+ image: redis:6.0-alpine
+ networks:
+ - demo_wire
+
+ # This coredns serves slightly different SRV records, so federator running in
+ # a docker container can talk to federator running on the host.
+ coredns-federation:
+ image: docker.io/coredns/coredns:1.8.4
+ volumes:
+ - ./federation-v0/coredns-config:/coredns-config
+ entrypoint:
+ - /coredns
+ - -conf
+ - /coredns-config/Corefile
+ networks:
+ coredns:
+ ipv4_address: 172.20.1.3
+
diff --git a/deploy/dockerephemeral/federation-v0/background-worker.yaml b/deploy/dockerephemeral/federation-v0/background-worker.yaml
new file mode 100644
index 00000000000..e0fd5113d6a
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/background-worker.yaml
@@ -0,0 +1,27 @@
+logLevel: Debug
+
+backgroundWorker:
+ host: 0.0.0.0
+ port: 8080
+
+federatorInternal:
+ host: federator-federation-v0
+ port: 8080
+
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+rabbitmq:
+ host: rabbitmq
+ port: 5672
+ vHost: federation-v0
+ adminPort: 15672
+
+backendNotificationPusher:
+ pushBackoffMinWait: 1000
+ pushBackoffMaxWait: 1000000
diff --git a/deploy/dockerephemeral/federation-v0/brig.yaml b/deploy/dockerephemeral/federation-v0/brig.yaml
new file mode 100644
index 00000000000..06dfefe80e3
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/brig.yaml
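Review bot: The federator service's healthcheck is `test: "true"`, so the `federator: condition: service_healthy` dependency declared on nginz later in this hunk is met the moment the container starts, not when federator is actually listening, and nginz can come up proxying to a backend that is not ready. The real check is left as `# healthcheck: *haskell_health_check` with no reason given; if the federator image has no `/i/status` route or no curl, say so in a comment, e.g. `# federator has no usable status endpoint; nginz can only wait for service_started`, and change the nginz dependency to `condition: service_started` so the manifest does not promise a readiness it cannot check. The `coredns` network referenced by federator and coredns-federation is not declared in this file's `networks:` block (only `demo_wire` is); presumably it comes from the compose file this one is merged with, and a comment naming that file would make the dependency explicit.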
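Review bot: `pushBackoffMinWait: 1000` and `pushBackoffMaxWait: 1000000` under backendNotificationPusher carry no unit, unlike other timing values in this commit (`downloadLinkTTL: 300 # Seconds` in cargohold.yaml); add a trailing comment naming the unit once checked against the background-worker option parser, e.g. `pushBackoffMinWait: 1000 # <unit — TODO confirm>`. `adminPort: 15672` under rabbitmq is likewise unexplained; a one-line comment on what the worker needs the admin API for would help the next reader.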
@@ -0,0 +1,215 @@
+brig:
+ host: 0.0.0.0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: brig_test_federation_v0
+ # filterNodesByDatacentre: datacenter1
+
+elasticsearch:
+ url: http://demo_wire_elasticsearch:9200
+ index: directory_test
+
+rabbitmq:
+ host: rabbitmq
+ port: 5672
+ vHost: federation-v0
+
+cargohold:
+ host: cargohold-federation-v0
+ port: 8080
+
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+gundeck:
+ host: gundeck-federation-v0
+ port: 8080
+
+federatorInternal:
+ host: federator-federation-v0
+ port: 8080
+
+# You can set up local SQS/Dynamo running e.g. `../../deploy/dockerephemeral/run.sh`
+aws:
+ userJournalQueue: integration-user-events-federation-v0.fifo
+ # ^ Comment this out if you don't want to journal user events
+ prekeyTable: integration-brig-prekeys-federation-v0
+ sqsEndpoint: http://fake_sqs:4568 # https://sqs.eu-west-1.amazonaws.com
+ # dynamoDBEndpoint: http://localhost:4567 # https://dynamodb.eu-west-1.amazonaws.com
+
+# Uncomment to use the randomPrekey allocation strategy instead of dynamoDB
+randomPrekeys: true
+
+# Uncomment this if you want STOMP.
+#
+# stomp:
+# stompHost: localhost
+# stompPort: 61613
+# stompTls: false
+
+# TODO: possibly move 'userJournalQueue' to the top level as well
+internalEvents:
+ queueType: sqs
+ queueName: integration-brig-events-internal-federation-v0
+ # queueType: stomp
+ # queueName: /queue/integration-brig-events-internal
+
+emailSMS:
+ # You can either use SES directly (in which case, ensure a feedback queue is configured)
+ # or you can use SMTP directly (blacklisting of email/phone must be otherwise handled by
+ # the operator).
+ email:
+ sesQueue: integration-brig-events-federation-v0
+ sesEndpoint: http://ses:4569 # https://email.eu-west-1.amazonaws.com
+ # If you prefer to use SMTP directly, uncomment the following lines
+ # and set the correct credentials. 
+ # NOTE: In case a user tries to supply config values for both SES and SMTP,
+ # SES takes precedence and gets used instead
+ # smtpEndpoint:
+ # host: localhost
+ # port: 2500
+ # smtpCredentials:
+ # username:
+ # password: test/resources/smtp-secret.txt
+ # smtpConnType: plain
+ # ^ NOTE: blacklisting of emails (processing of bounces and complaints) is only done
+ # automatically IF sesQueue/sesEndpoint are used. If SMTP is used directly, the
+ # operator must handle these notifications "manually" (there are internal endpoints)
+ # that may be used for this
+
+ general:
+ templateDir: /usr/share/wire/templates
+ emailSender: backend-integration@wire.com
+ smsSender: "+123456789" # or MG123456789... (twilio alphanumeric sender id)
+ templateBranding:
+ brand: Wire
+ brandUrl: https://wire.com
+ brandLabelUrl: wire.com # This is the text in the label for the above URL
+ brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png
+ brandService: Wire Service Provider
+ copyright: © WIRE SWISS GmbH
+ misuse: misuse@wire.com
+ legal: https://wire.com/legal/
+ forgot: https://wire.com/forgot/
+ support: https://support.wire.com/
+ user:
+ activationUrl: http://127.0.0.1:8080/activate?key=${key}&code=${code}
+ smsActivationUrl: http://127.0.0.1:8080/v/${code}
+ passwordResetUrl: http://127.0.0.1:8080/password-reset/${key}?code=${code}
+ invitationUrl: http://127.0.0.1:8080/register?invitation_code=${code}
+ deletionUrl: http://127.0.0.1:8080/users/delete?key=${key}&code=${code}
+
+ provider:
+ homeUrl: https://provider.localhost/
+ providerActivationUrl: http://127.0.0.1:8080/provider/activate?key=${key}&code=${code}
+ approvalUrl: http://127.0.0.1:8080/provider/approve?key=${key}&code=${code}
+ approvalTo: success@simulator.amazonses.com
+ providerPwResetUrl: http://127.0.0.1:8080/provider/password-reset?key=${key}&code=${code}
+
+ team:
+ tInvitationUrl: http://127.0.0.1:8080/register?team=${team}&team_code=${code}
+ tActivationUrl: 
http://127.0.0.1:8080/register?team=${team}&team_code=${code}
+ tCreatorWelcomeUrl: http://127.0.0.1:8080/creator-welcome-website
+ tMemberWelcomeUrl: http://127.0.0.1:8080/member-welcome-website
+
+zauth:
+ privateKeys: /etc/wire/brig/conf/zauth-privkeys.txt
+ publicKeys: /etc/wire/brig/conf/zauth-pubkeys.txt
+ authSettings:
+ keyIndex: 1
+ userTokenTimeout: 120
+ sessionTokenTimeout: 20
+ accessTokenTimeout: 30
+ providerTokenTimeout: 60
+ legalHoldUserTokenTimeout: 120
+ legalHoldAccessTokenTimeout: 30
+
+turn:
+ serversSource: dns # files | dns
+ baseDomain: example.com
+ discoveryIntervalSeconds: 100
+
+ # This should be the same secret as used by the TURN servers
+ secret: /etc/wire/brig/conf/turn-secret.txt
+ configTTL: 3600
+ tokenTTL: 21600
+
+optSettings:
+ setActivationTimeout: 10
+ setVerificationTimeout: 10
+ setTeamInvitationTimeout: 10
+ setExpiredUserCleanupTimeout: 1
+ setTwilio: /etc/wire/brig/conf/twilio-credentials.yaml
+ setNexmo: /etc/wire/brig/conf/nexmo-credentials.yaml
+ # setStomp: test/resources/stomp-credentials.yaml
+ setUserMaxConnections: 16
+ setCookieInsecure: true
+ setUserCookieRenewAge: 2
+ setUserCookieLimit: 5
+ setUserCookieThrottle:
+ stdDev: 5
+ retryAfter: 3
+ setLimitFailedLogins:
+ timeout: 5 # seconds. if you reach the limit, how long do you have to wait to try again.
+ retryLimit: 5 # how many times can you have a failed login in that timeframe.
+ setSuspendInactiveUsers: # if this is omitted: never suspend inactive users. 
+ suspendTimeout: 10
+ setRichInfoLimit: 5000 # should be in sync with Spar
+ setDefaultUserLocale: en
+ setMaxTeamSize: 32
+ setMaxConvSize: 16
+ setEmailVisibility: visible_to_self
+ setPropertyMaxKeyLen: 1024
+ setPropertyMaxValueLen: 4096
+ setDeleteThrottleMillis: 0
+ setSqsThrottleMillis: 1000
+ setRestrictUserCreation: false
+ # setSearchSameTeamOnly: false
+ # ^ NOTE: this filters out search results for team users,
+ # i.e., if you are a team user the search endpoints will
+ # return only users part of the same team. For name search,
+ # this is slightly more inefficient as it requires 2 extra DB lookups
+ # setUserMaxPermClients: 7
+ # ^ You can limit the max number of permanent clients that a user is allowed
+ # to register, per account. The default value is '7' if the option is unset.
+
+ # Federation domain is used to qualify local IDs and handles,
+ # e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com.
+ # It should also match the SRV DNS records under which other wire-server installations can find this backend:
+ # _wire-server-federator._tcp.
+ # Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working
+ # Remember to keep it the same in Galley. 
+ setFederationDomain: federation-v0.example.com
+ setFeatureFlags: # see #RefConfigOptions in `/docs/reference`
+ setFederationDomainConfigsUpdateFreq: 1
+ setFederationStrategy: allowAll
+ setFederationDomainConfigs:
+ - domain: example.com
+ search_policy: full_search
+ set2FACodeGenerationDelaySecs: 5
+ setNonceTtlSecs: 5
+ setDpopMaxSkewSecs: 1
+ setDpopTokenExpirationTimeSecs: 300 # 5 minutes
+ setPublicKeyBundle: /etc/wire/brig/conf/jwt-ed25519-bundle.pem
+ setEnableMLS: true
+ # To only allow specific email address domains to register, uncomment and update the setting below
+ # setAllowlistEmailDomains:
+ # - wire.com
+ # To only allow specific phone number prefixes to register uncomment and update the settings below
+ # setAllowlistPhonePrefixes:
+ # - "+1555555"
+ # needs to be kept in sync with services/nginz/integration-test/resources/oauth/ed25519_public.jwk
+ setOAuthJwkKeyPair: /etc/wire/brig/conf/oauth-ed25519.jwk
+ setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs
+ setOAuthAccessTokenExpirationTimeSecs: 3 # 3 secs
+ setOAuthEnabled: true
+ setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
+ setOAuthMaxActiveRefreshTokens: 10
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/cannon.yaml b/deploy/dockerephemeral/federation-v0/cannon.yaml
new file mode 100644
index 00000000000..3ad681fefc2
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/cannon.yaml
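Review bot: The comment `# Uncomment to use the randomPrekey allocation strategy instead of dynamoDB` sits directly above a `randomPrekeys: true` that is already active, and `prekeyTable: integration-brig-prekeys-federation-v0` is still set under `aws:` while `dynamoDBEndpoint` is commented out, so the comment and the leftover table name contradict the configuration that is actually in force. Reword it to `# randomPrekeys is enabled for this backend; aws.prekeyTable/dynamoDBEndpoint are unused` or drop `prekeyTable`, whichever brig's config validation accepts. Separately, `sqsEndpoint: http://fake_sqs:4568` and `sesEndpoint: http://ses:4569` use a different host-name convention from galley.yaml and gundeck.yaml in this commit (`demo_wire_sqs`); if these are all compose aliases of the same containers it works, but one convention across the federation-v0 configs avoids a DNS miss surfacing in only some services after a rename. The hunk also references `zauth-privkeys.txt`, `turn-secret.txt`, `twilio-credentials.yaml` and `oauth-ed25519.jwk` under /etc/wire/brig/conf, none of which appear in the part of this commit visible here — confirm they are added elsewhere, otherwise brig-federation-v0 fails at startup.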
@@ -0,0 +1,25 @@
+# Example yaml-formatted configuration for cannon used in integration tests
+
+# cannon can be started with a config file (e.g. ./dist/cannon -c cannon.yaml.example)
+
+cannon:
+ host: 0.0.0.0
+ port: 8080
+
+ # Each cannon instance advertises its own location (ip or dns name) to gundeck.
+ # Either externalHost or externalHostFile must be set (externalHost takes precedence if both are defined)
+ # externalHostFile expects a file with a single line containing the IP or dns name of this instance of cannon
+ externalHost: cannon-federation-v0
+ #externalHostFile: /etc/wire/cannon/cannon-host.txt
+
+gundeck:
+ host: gundeck-federation-v0
+ port: 8080
+
+drainOpts:
+ gracePeriodSeconds: 1
+ millisecondsBetweenBatches: 500
+ minBatchSize: 5
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/cargohold.yaml b/deploy/dockerephemeral/federation-v0/cargohold.yaml
new file mode 100644
index 00000000000..f3a5099a33e
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/cargohold.yaml
@@ -0,0 +1,28 @@
+cargohold:
+ host: 0.0.0.0
+ port: 8080
+
+federator:
+ host: federator-federation-v0
+ port: 8080
+
+aws:
+ s3Bucket: dummy-bucket-federation-v0 # <-- insert-bucket-name-here
+ s3Endpoint: http://fake_s3:4570 # https://s3-eu-west-1.amazonaws.com:443
+ # s3DownloadEndpoint: http://fake-s3:4570
+ # ^ When not using a real S3 service, we may need to use a different,
+ # publicly accessible endpoint for downloading assets.
+ #
+ # If you want to use cloudfront for asset downloads
+ # cloudFront:
+ # domain:
+ # keyPairId:
+ # privateKey: cf-pk.pem
+
+settings:
+ maxTotalBytes: 27262976
+ downloadLinkTTL: 300 # Seconds
+ federationDomain: example.com
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/coredns-config/Corefile b/deploy/dockerephemeral/federation-v0/coredns-config/Corefile
new file mode 100644
index 00000000000..7bf495f2e89
--- /dev/null
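Review bot: `federationDomain: example.com` under `settings:` in cargohold.yaml differs from the `federation-v0.example.com` that brig.yaml and galley.yaml in this commit set for the same backend, and the brig comment in this commit states the domain qualifies local IDs and must be kept identical across services. Unless cargohold is deliberately configured with the host backend's domain here, this should read `federationDomain: federation-v0.example.com`; if the asymmetry is intentional, a comment on that line explaining why is needed, because a mismatch makes this backend's qualified asset IDs look like they belong to the other backend.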
+++ b/deploy/dockerephemeral/federation-v0/coredns-config/Corefile
@@ -0,0 +1,4 @@
+example.com {
+ file /coredns-config/db.example.com
+ log
+}
\ No newline at end of file
diff --git a/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com b/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com
new file mode 100644
index 00000000000..448d8b5f594
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com
@@ -0,0 +1,20 @@
+$ORIGIN example.com.
+@ 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
+ 2017042745 ; serial
+ 7200 ; refresh (2 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ 3600 IN NS a.iana-servers.net.
+ 3600 IN NS b.iana-servers.net.
+
+www IN A 127.0.0.1
+ IN AAAA ::1
+_wire-server-federator._tcp IN SRV 0 0 8443 host.docker.internal.
+_wire-server-federator._tcp.b IN SRV 0 0 9443 host.docker.internal.
+_wire-server-federator._tcp.d1 IN SRV 0 0 10443 host.docker.internal.
+_wire-server-federator._tcp.d2 IN SRV 0 0 11443 host.docker.internal.
+_wire-server-federator._tcp.d3 IN SRV 0 0 12443 host.docker.internal.
+_wire-server-federator._tcp.v0 IN SRV 0 0 21443 host.docker.internal.
diff --git a/deploy/dockerephemeral/federation-v0/federator.yaml b/deploy/dockerephemeral/federation-v0/federator.yaml
new file mode 100644
index 00000000000..6ff8d119ae0
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/federator.yaml
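Review bot: The last SRV record names the v0 backend as `_wire-server-federator._tcp.v0` (i.e. `v0.example.com`, port 21443 on the host, which is nginz-federation-v0's mapped TLS port), while brig.yaml and galley.yaml in this commit configure this backend's federation domain as `federation-v0.example.com`, for which this zone has no record. If the containerised federator only ever dials the host backends (`example.com`, `b`, `d1`–`d3`) the `v0` record is dead, and if anything needs to reach v0 by its configured domain the lookup fails; either rename it to `_wire-server-federator._tcp.federation-v0` or add `; v0 is not this backend's federation domain, kept because <reason>` above it. The SOA/NS lines are copied from the IANA example zone, which is fine for a fixture but deserves a one-line comment so nobody reads `sns.dns.icann.org.` as meaningful.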
@@ -0,0 +1,29 @@
+federatorInternal:
+ host: 0.0.0.0
+ port: 8080
+federatorExternal:
+ host: 0.0.0.0
+ port: 8081
+brig:
+ host: brig-federation-v0
+ port: 8080
+cargohold:
+ host: cargohold-federation-v0
+ port: 8080
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+logLevel: Warn
+logNetStrings: false
+
+optSettings:
+ # Filepath to one or more PEM-encoded server certificates to use as a trust
+ # store when making requests to remote backends
+ remoteCAStore: "/etc/wire/federator/conf/integration-ca.pem"
+ useSystemCAStore: false
+ clientCertificate: "/etc/wire/federator/conf/integration-leaf.pem"
+ clientPrivateKey: "/etc/wire/federator/conf/integration-leaf-key.pem"
+ tcpConnectionTimeout: 5000000
+ dnsHost: 172.20.1.3
+ dnsPort: 53
diff --git a/deploy/dockerephemeral/federation-v0/galley.yaml b/deploy/dockerephemeral/federation-v0/galley.yaml
new file mode 100644
index 00000000000..ab2644a8ef5
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/galley.yaml
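Review bot: `dnsHost: 172.20.1.3` is a hard-coded copy of the static `ipv4_address: 172.20.1.3` that federation-v0.yaml in this commit assigns to coredns-federation; nothing ties the two together, so editing one without the other breaks SRV resolution with no error pointing here. Add `# must match coredns-federation.networks.coredns.ipv4_address in ../federation-v0.yaml` on that line. `tcpConnectionTimeout: 5000000` has no unit comment either; state it once confirmed, e.g. `# <unit — TODO confirm>`. Pinning `remoteCAStore` to the fixture CA with `useSystemCAStore: false` is the right shape for a test backend that should trust only the integration CA, and is worth a short comment saying so since the surrounding comment only describes the file format.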
@@ -0,0 +1,93 @@
+galley:
+ host: 0.0.0.0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: galley_test_federation_v0
+ # filterNodesByDatacentre: datacenter1
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+gundeck:
+ host: gundeck-federation-v0
+ port: 8080
+
+spar:
+ host: spar-federation-v0
+ port: 8080
+
+federator:
+ host: federator-federation-v0
+ port: 8080
+
+rabbitmq:
+ host: rabbitmq
+ port: 5672
+ vHost: federation-v0
+
+settings:
+ httpPoolSize: 128
+ maxTeamSize: 32
+ maxFanoutSize: 18
+ exposeInvitationURLsTeamAllowlist: []
+ maxConvSize: 16
+ intraListing: false
+ conversationCodeURI: https://account.wire.com/conversation-join/
+ concurrentDeletionEvents: 1024
+ deleteConvThrottleMillis: 0
+ # Federation domain is used to qualify local IDs and handles,
+ # e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com.
+ # It should also match the SRV DNS records under which other wire-server installations can find this backend:
+ # _wire-server-federator._tcp. 
+ # Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working
+ # Remember to keep it the same in Brig
+ federationDomain: federation-v0.example.com
+ mlsPrivateKeyPaths:
+ removal:
+ ed25519: /etc/wire/galley/conf/mls-private-key-ed25519.pem
+
+ featureFlags: # see #RefConfigOptions in `/docs/reference`
+ sso: disabled-by-default
+ legalhold: whitelist-teams-and-implicit-consent
+ teamSearchVisibility: disabled-by-default
+ appLock:
+ defaults:
+ status: enabled
+ config:
+ enforceAppLock: false
+ inactivityTimeoutSecs: 60
+ classifiedDomains:
+ status: enabled
+ config:
+ domains: ["example.com"]
+ fileSharing:
+ defaults:
+ status: enabled
+ lockStatus: unlocked
+ conferenceCalling:
+ defaults:
+ status: enabled
+ outlookCalIntegration:
+ defaults:
+ status: disabled
+ lockStatus: locked
+ mlsE2EId:
+ defaults:
+ status: disabled
+ config:
+ verificationExpiration: 86400
+ acmeDiscoveryUrl: null
+ lockStatus: unlocked
+
+logLevel: Warn
+logNetStrings: false
+
+journal: # if set, journals; if not set, disables journaling
+ queueName: integration-team-events-federation-v0.fifo
+ endpoint: http://demo_wire_sqs:4568 # https://sqs.eu-west-1.amazonaws.com
+ region: eu-west-1
diff --git a/deploy/dockerephemeral/federation-v0/gundeck.yaml b/deploy/dockerephemeral/federation-v0/gundeck.yaml
new file mode 100644
index 00000000000..528fc38c1d9
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/gundeck.yaml
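Review bot: `journal.endpoint: http://demo_wire_sqs:4568` names the ElasticMQ host differently from brig.yaml in this commit (`http://fake_sqs:4568`), although both point at the same port of what is presumably one container. If both names are compose aliases it works today, but the configs of a single backend should use one name so that a later service rename does not break only some of them; pick one and apply it in brig.yaml, galley.yaml and gundeck.yaml. `classifiedDomains.config.domains: ["example.com"]` lists the host backend's domain rather than this backend's own `federation-v0.example.com`, which may be intended for the cross-version test but deserves a comment on that line saying so. galley.yaml's settings block begins in the previous hunk line; only its tail is reviewed here.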
@@ -0,0 +1,45 @@
+gundeck:
+ host: 0.0.0.0
+ port: 8080
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: gundeck_test_federation_v0
+ # filterNodesByDatacentre: datacenter1
+
+redis:
+ host: redis-federation-v0
+ port: 6379
+ connectionMode: master
+
+# redisAdditionalWrite:
+# host: 127.0.0.1
+# port: 6379
+# connectionMode: master
+
+aws:
+ queueName: integration-gundeck-events-federation-v0
+ region: eu-west-1
+ account: "123456789012" # Default account nr used by localstack
+ arnEnv: integration
+ sqsEndpoint: http://demo_wire_sqs:4568 # https://sqs.eu-west-1.amazonaws.com
+ snsEndpoint: http://demo_wire_sns:4575 # https://sns.eu-west-1.amazonaws.com
+
+settings:
+ httpPoolSize: 1024
+ notificationTTL: 24192200
+ bulkPush: true
+ perNativePushConcurrency: 32
+ sqsThrottleMillis: 1000
+ maxConcurrentNativePushes:
+ hard: 30 # more than this number of threads will not be allowed
+ soft: 10 # more than this number of threads will be warned about
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/integration-ca.pem b/deploy/dockerephemeral/federation-v0/integration-ca.pem
new file mode 100644
index 00000000000..2315c7c7404
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/integration-ca.pem
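Review bot: `account: "123456789012" # Default account nr used by localstack` does not match the `accountId = 000000000000` in the ElasticMQ config added at the top of this commit, whose own comment says that value is embedded in resource ids. If gundeck builds queue or topic ARNs from `account` (the neighbouring `arnEnv` key suggests it does), those ARNs would carry the wrong account against this ElasticMQ; align the two values, or if `account` is only used for SNS ARNs replace the localstack comment with one stating that, since localstack is not what this commit runs. `notificationTTL: 24192200` has no unit while `sqsThrottleMillis` carries one in its name; a `# seconds — TODO confirm` comment would match the style used elsewhere in this commit.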
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN
+MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF
+7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su
+9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3
+gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7
+bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP
+ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC
+MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6
+JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O
+JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb
+lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp
+x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA
+qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be
+z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH
++R0lNAyw
+-----END CERTIFICATE-----
diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem
new file mode 100644
index 00000000000..8ed90523cd3
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk
++RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y
+uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J
+4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR
+qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa
+27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI
+sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2
+2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0
+UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY
+/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz
+SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt
+Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl
+yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+
+wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv
+UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg
+PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98
+lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kd SUf7dyuQ7oivKxRjEB
+TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e
+tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT
+7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF
+ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1
+DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17
+Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5
+90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1
+xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg==
+-----END RSA PRIVATE KEY-----
diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf.pem b/deploy/dockerephemeral/federation-v0/integration-leaf.pem
new file mode 100644
index 00000000000..d8e7ee0955c
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/integration-leaf.pem
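Review bot: This file, jwt-ed25519-bundle.pem and mls-private-key-ed25519.pem in this commit add private key material to the repository with nothing marking it as disposable fixture data, while the nginz certificates in the same commit get a README explaining how they are regenerated. Add a short README in deploy/dockerephemeral/federation-v0/ stating that integration-ca.pem, integration-leaf.pem, integration-leaf-key.pem, jwt-ed25519-bundle.pem and mls-private-key-ed25519.pem are throwaway keys for the local federation-v0 backend only, and how to regenerate them. brig.yaml's `setPublicKeyBundle` points at jwt-ed25519-bundle.pem, which holds the private key as well as the public one; if brig needs the private half to sign, the option name is misleading enough that a comment at that line in brig.yaml is warranted.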
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN
+MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk
+iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE
+0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX
+lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux
+Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ
++J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
+FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b
+fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv
+bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF
+AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n
+7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR
+AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF
+bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB
+fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK
+7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ==
+-----END CERTIFICATE-----
diff --git a/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem b/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem
new file mode 100644
index 00000000000..afbd4dfb0ec
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+-----END PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
+-----END PUBLIC KEY-----
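Review bot: The validity encoded in integration-leaf.pem decodes to notBefore 2023-11-21T13:58:00Z and notAfter 2024-11-20T13:58:00Z, a one-year lifetime, while integration-ca.pem in this commit runs until 2028-11-19; after that date every mTLS handshake from federator-federation-v0 (which federator.yaml points at this leaf and key) fails with an expiry error that nothing in the tree explains. Record the regeneration steps next to the files, as nginz/conf/README.md in this commit does for the nginz certs, and consider issuing the leaf with a lifetime matching the CA, since no job rotates these fixtures. The leaf carries an empty subject and relies on its critical SAN (`*.integration.example.com`, `host.docker.internal`, `localhost`); that is fine, but the same README should say so, because the SRV targets in db.example.com must stay within that SAN for verification to succeed.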
diff --git a/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem b/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem
new file mode 100644
index 00000000000..182df6f5a7d
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKqoSUVW579Aw8Nz47CRwArSigl/25jg0suQmg6mOwdy
+-----END PRIVATE KEY-----
diff --git a/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml b/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml
new file mode 100644
index 00000000000..1f83517f2ee
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml
@@ -0,0 +1,2 @@
+key: "dummy"
+secret: "dummy"
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/README.md b/deploy/dockerephemeral/federation-v0/nginz/conf/README.md
new file mode 100644
index 00000000000..c8e81957c62
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/README.md
@@ -0,0 +1,7 @@
+# How to regenerate certificates in this directory
+
+Run from this directory:
+
+```bash
+../../../../../hack/bin/selfsigned.sh
+```
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf
new file mode 100644
index 00000000000..1b8a947f437
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf
@@ -0,0 +1,38 @@
+ # remove access_token from logs, see 'Note sanitized_request'.
+ set $sanitized_request $request;
+ if ($sanitized_request ~ (.*)access_token=[^&]*(.*)) {
+ set $sanitized_request $1access_token=****$2;
+ }
+
+ # Should be overriden when using websockets
+ proxy_set_header Connection "";
+ proxy_set_header Z-Type $zauth_type;
+ proxy_set_header Z-User $zauth_user;
+ proxy_set_header Z-Client $zauth_client;
+ proxy_set_header Z-Connection $zauth_connection;
+ proxy_set_header Z-Provider $zauth_provider;
+ proxy_set_header Z-Bot $zauth_bot;
+ proxy_set_header Z-Conversation $zauth_conversation;
+ proxy_set_header Request-Id $request_id;
+
+ # NOTE: This should only be used on endpoints where credentials are needed
+ more_set_headers 'Access-Control-Allow-Credentials: true';
+ # NOTE: This allows all origins, you may want to tune this value
+ more_set_headers 'Access-Control-Allow-Origin: $http_origin';
+ more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location';
+ more_set_headers 'Request-Id: $request_id';
+ more_set_headers 'Strict-Transport-Security: max-age=31536000; preload';
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS";
+ add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
+ add_header 'Content-Type' 'text/plain; charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+
+ proxy_http_version 1.1;
+
+ # NOTE: You may want to tune this
+ client_max_body_size 64M;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf
new file mode 100644
index 00000000000..4277ede8c0f
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf
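Review bot: `more_set_headers 'Access-Control-Allow-Origin: $http_origin'` together with the `Access-Control-Allow-Credentials: true` two lines above reflects any caller's Origin back with credentials permitted, i.e. credentialed cross-origin access for every origin, while the comment only says the value "may" want tuning. Make the comment state the consequence so the snippet does not travel unchanged: `# NOTE: reflecting $http_origin with Allow-Credentials grants every origin credentialed access; acceptable only for this local integration backend`. The `Strict-Transport-Security` header is also emitted on the plain-http listeners declared in integration.conf (8080/8081), where browsers ignore it; a short comment that it only takes effect on the 8443 listener would save a reader puzzling over it.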
@@ -0,0 +1,2 @@
+ zauth off;
+ include common_response.conf;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf
new file mode 100644
index 00000000000..699dd263b31
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf
@@ -0,0 +1,3 @@
+ include common_response.conf;
+ proxy_set_header Authorization "";
+ proxy_set_header Z-Host $host;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf
new file mode 100644
index 00000000000..baae352c92a
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf
@@ -0,0 +1,19 @@
+# plain TCP/http listening for integration tests only.
+listen 8080;
+listen 8081;
+
+# for nginx-without-tls, we need to use a separate port for http2 traffic,
+# as nginx cannot handle unencrypted http1 and http2 trafic on the same
+# port.
+# This port is only used for trying out nginx http2 forwarding without TLS locally and should not
+# be ported to any production nginz config.
+listen 8090 http2;
+
+######## TLS/SSL block start ##############
+#
+# Most integration tests simply use the http ports 8080 and 8081
+# But to also test tls forwarding, this port can be used.
+# This applies only locally, as for kubernetes (helm chart) based deployments,
+# TLS is terminated at the ingress level, not at nginz level
+listen 8443 ssl http2;
+listen [::]:8443 ssl http2;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf
new file mode 100644
index 00000000000..a604e9ab199
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf
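Review bot: Only the `_with_zauth` variant blanks `Authorization` before proxying; `common_response_no_zauth.conf` forwards whatever bearer or basic credentials the client sent straight to the upstream, and neither file says whether that asymmetry is deliberate. It presumably is (unauthenticated routes such as `/access` or `/oauth/token` may need to read the header themselves), but a reader comparing the two files has to guess. Add `# zauth has already validated the bearer token; never forward it to the upstream` above the blanking line in `common_response_with_zauth.conf`, and `# Authorization is forwarded untouched here: routes without zauth may read it themselves` next to `zauth off;` in the no_zauth file.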
@@ -0,0 +1,501 @@
+worker_processes 4;
+worker_rlimit_nofile 1024;
+include pid.conf; # for easy overriding
+
+# nb. start up errors (eg. misconfiguration) may still end up in /$(LOG_PATH)/error.log
+error_log stderr warn;
+
+events {
+ worker_connections 1024;
+ multi_accept off;
+}
+
+http {
+ #
+ # Some temporary paths (by default, will use the `prefix` path given when starting nginx)
+ #
+
+ client_body_temp_path /tmp;
+ fastcgi_temp_path /tmp;
+ proxy_temp_path /tmp;
+ scgi_temp_path /tmp;
+ uwsgi_temp_path /tmp;
+
+ #
+ # Sockets
+ #
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ #
+ # Timeouts
+ #
+
+ client_body_timeout 60;
+ client_header_timeout 60;
+ keepalive_timeout 75;
+ send_timeout 60;
+
+ ignore_invalid_headers off;
+
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+ server_name_in_redirect off;
+
+ large_client_header_buffers 4 8k;
+
+
+ #
+ # Security
+ #
+
+ server_tokens off;
+
+ #
+ # Logging
+ #
+ # Note sanitized_request:
+ # We allow passing access_token as query parameter for e.g. websockets
+ # However we do not want to log access tokens.
+ #
+
+ log_format custom_zeta '$remote_addr - $remote_user [$time_local] "$sanitized_request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" - $connection $request_time $upstream_response_time $upstream_cache_status $zauth_user $zauth_connection $request_id $proxy_protocol_addr';
+ access_log /dev/stdout custom_zeta;
+
+ #
+ # Monitoring
+ #
+ vhost_traffic_status_zone;
+
+ #
+ # Gzip
+ #
+
+ gzip on;
+ gzip_disable msie6;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 1024;
+ gzip_types 'text/plain text/css application/json text/xml';
+
+ #
+ # Proxied Upstream Services
+ #
+
+ include ../upstreams;
+
+ #
+ # Mapping for websocket connections
+ #
+
+ map $http_upgrade $connection_upgrade {
+ websocket upgrade;
+ default '';
+ }
+
+
+
+ #
+ # Locations
+ #
+
+ server {
+ include integration.conf;
+
+ # self-signed certificates generated using wire-server/hack/bin/selfsigned.sh
+ ssl_certificate /etc/wire/integration-leaf.pem;
+ ssl_certificate_key /etc/wire/integration-leaf-key.pem;
+
+ ssl_verify_client on;
+ ssl_client_certificate /etc/wire/integration-ca.pem;
+ ######## TLS/SSL block end ##############
+
+ zauth_keystore /etc/wire/zauth-pubkeys.txt;
+ zauth_acl /etc/wire/nginz/conf/zauth_acl.txt;
+ # needs to be kept in sync with services/brig/test/resources/oauth/ed25519.jwk
+ oauth_pub_key /etc/wire/oauth-ed25519_public.jwk;
+
+ location /status {
+ set $sanitized_request $request;
+ zauth off;
+ return 200;
+ }
+
+ location /i/status {
+ set $sanitized_request $request;
+ zauth off;
+ return 200;
+ }
+
+ location /vts {
+ set $sanitized_request $request;
+ zauth off;
+ vhost_traffic_status_display;
+ vhost_traffic_status_display_format html;
+ }
+
+ #
+ # Service Routing
+ #
+
+ # Federator endpoints: expose the federatorExternal port (Inward service)
+ location /federation {
+ set $sanitized_request $request;
+ zauth off;
+
+ proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert;
+ proxy_pass http://federator_external;
+
+ # FUTUREWORK(federation): are any other settings
+ # (e.g. timeouts, body size, buffers, headers,...)
+ # useful/recommended/important-for-security?)
+ }
+
+ # Brig Endpoints
+ #
+ ## brig unauthenticated endpoints
+
+ location ~* ^(/v[0-9]+)?/api/swagger-ui {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/api/swagger.json {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/api-internal/swagger-ui {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/api-internal/swagger.json {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /register {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /access {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /activate {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /login {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/teams/invitations/([^/]*)$ {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /verification-code/send {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ ## brig authenticated endpoints
+
+ location ~* ^(/v[0-9]+)?/self$ {
+ include common_response_with_zauth.conf;
+ oauth_scope self;
+ proxy_pass http://brig;
+ }
+
+ location /users {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /list-users {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /search {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /list-connections {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/teams/([^/]+)/search$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /connections {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/clients {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/mls/key-packages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /properties {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /calls/config {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/teams/([^/]*)/size$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/system/settings/unauthorized$ {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/system/settings$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/oauth/clients/([^/]*)$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/oauth/authorization/codes$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /oauth/token {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /oauth/revoke {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /oauth/applications {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ # Cargohold Endpoints
+
+ location ~* ^(/v[0-9]+)?/assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ location /assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ location /bot/assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ location /provider/assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ # Galley Endpoints
+
+ location ~* ^(/v[0-9]+)?/legalhold/conversations/(.*)$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/conversations$ {
+ include common_response_with_zauth.conf;
+ oauth_scope conversations;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/conversations/([^/]*)/code {
+ include common_response_with_zauth.conf;
+ oauth_scope conversations_code;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/conversations.* {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/conversations/([^/]*)/otr/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/conversations/([^/]*)/([^/]*)/proteus/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /broadcast {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /bot/conversation {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /bot/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/members(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/conversations(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/features {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/features/([^/]*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/feature-configs$ {
+ include common_response_with_zauth.conf;
+ oauth_scope feature_configs;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/feature-configs(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/legalhold(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/members/csv$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /mls/welcome {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /mls/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/mls/commit-bundles {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/mls/public-keys {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ # Gundeck Endpoints
+
+ location /push {
+ include common_response_with_zauth.conf;
+ proxy_pass http://gundeck;
+ }
+
+ location /presences {
+ include common_response_with_zauth.conf;
+ proxy_pass http://gundeck;
+ }
+
+ location ~* ^(/v[0-9]+)?/notifications$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://gundeck;
+ }
+
+ # Proxy Endpoints
+
+ location /proxy {
+ include common_response_with_zauth.conf;
+ proxy_pass http://proxy;
+ }
+
+ # Cannon Endpoints
+
+ location /await {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cannon;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_read_timeout 1h;
+ }
+
+ # Spar Endpoints
+
+ location /sso {
+ include common_response_no_zauth.conf;
+ proxy_pass http://spar;
+ }
+
+ location /identity-providers {
+ include common_response_with_zauth.conf;
+ proxy_pass http://spar;
+ }
+ }
+}
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf
new file mode 100644
index 00000000000..e722aa5ae23
--- /dev/null
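Review bot: The `/federation` location relies on `ssl_verify_client on` for peer identity, but `integration.conf` opens plain listeners on 8080, 8081 and 8090 in the same `server`, so on those ports `$ssl_client_escaped_cert` is empty, nginx omits `X-SSL-Certificate` entirely, and the request reaches `federator_external` with no client identity; whether federator rejects that is not visible here. It is also the only proxied location that does not include `common_response.conf`, so client-supplied `Z-User`/`Z-Type`-style headers are not overwritten before forwarding. Record both next to the existing FUTUREWORK comment, e.g. `# mTLS is only enforced on 8443; on the plain integration listeners the cert header is absent and federator must reject. Client Z-* headers are not sanitized here.`, and if federator trusts any of those headers, blank them with `proxy_set_header Z-User "";` and friends.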
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf
@@ -0,0 +1 @@
+pid /tmp/nginz.pid;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt b/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt
new file mode 100644
index 00000000000..3b644bf3d98
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt
@@ -0,0 +1,15 @@
+a (blacklist (regex "(/v[0-9]+)?/provider(/.*)?")
+ (regex "(/v[0-9]+)?/bot(/.*)?")
+ (regex "(/v[0-9]+)?/i/.*"))
+
+b (whitelist (regex "(/v[0-9]+)?/bot(/.*)?"))
+
+p (whitelist (regex "(/v[0-9]+)?/provider(/.*)?"))
+
+# LegalHold Access Tokens
+# FUTUREWORK: remove /legalhold/conversations/ when support for v1 dropped
+la (whitelist (regex "(/v[0-9]+)?/notifications")
+ (regex "(/v[0-9]+)?/assets/v3/.*")
+ (regex "(/v[0-9]+)?/users(/.*)?")
+ (regex "(/v[0-9]+)?/legalhold/conversations/[^/]+")
+ (regex "(/v[0-9]+)?/conversations/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"))
diff --git a/deploy/dockerephemeral/federation-v0/nginz/upstreams b/deploy/dockerephemeral/federation-v0/nginz/upstreams
new file mode 100644
index 00000000000..a3e6afada32
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/upstreams
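Review bot: None of the ACL patterns is anchored at the start, e.g. `(/v[0-9]+)?/users(/.*)?` in the `la` whitelist; if the zauth module applies these as searches rather than whole-path matches, any path with `/users` somewhere in the middle would satisfy the legal-hold token ACL, and the trailing `$` on the last pattern suggests search semantics are at least possible. A leading `^` costs nothing and removes the doubt: `(regex "^(/v[0-9]+)?/users(/.*)?")`, likewise for the other entries. If the module does full-match, a one-line comment at the top of the file saying so would spare the next reader the same question.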
@@ -0,0 +1,38 @@
+upstream cargohold {
+ least_conn;
+ keepalive 32;
+ server cargohold:8080 max_fails=3 weight=1;
+}
+upstream gundeck {
+ least_conn;
+ keepalive 32;
+ server gundeck:8080 max_fails=3 weight=1;
+}
+upstream cannon {
+ least_conn;
+ keepalive 32;
+ server cannon:8080 max_fails=3 weight=1;
+}
+upstream galley {
+ least_conn;
+ keepalive 32;
+ server galley:8080 max_fails=3 weight=1;
+}
+upstream proxy {
+ least_conn;
+ keepalive 32;
+ server proxy:8080 max_fails=3 weight=1;
+}
+upstream brig {
+ least_conn;
+ keepalive 32;
+ server brig:8080 max_fails=3 weight=1;
+}
+upstream spar {
+ least_conn;
+ keepalive 32;
+ server spar:8080 max_fails=3 weight=1;
+}
+upstream federator_external {
+ server federator:8081 max_fails=3 weight=1;
+}
diff --git a/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk b/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk
new file mode 100644
index 00000000000..c00a8270aa4
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk
@@ -0,0 +1 @@
+{"kty":"OKP","crv":"Ed25519","x":"mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc","d":"R8-pV2-sPN7dykV8HFJ73S64F3kMHTNnJiSN8UdWk_o"}
diff --git a/deploy/dockerephemeral/federation-v0/proxy.config b/deploy/dockerephemeral/federation-v0/proxy.config
new file mode 100644
index 00000000000..d2225ca26c9
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/proxy.config
@@ -0,0 +1,8 @@
+secrets {
+ youtube = "my-youtube-secret"
+ googlemaps = "my-googlemaps-secret"
+ soundcloud = "my-soundcloud-secret"
+ giphy = "my-giphy-secret"
+ # Base64 encoded client ID and secret: `Bearer id:secret`:
+ spotify = "my-spotify-secret"
+}
diff --git a/deploy/dockerephemeral/federation-v0/proxy.yaml b/deploy/dockerephemeral/federation-v0/proxy.yaml
new file mode 100644
index 00000000000..c5824166a57
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/proxy.yaml
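Review bot: `oauth-ed25519.jwk` carries the private scalar `"d"` next to `"x"`, whereas the nginz config added in this change only declares a public key at `oauth_pub_key /etc/wire/oauth-ed25519_public.jwk`. If the compose file mounts this same JWK at that path (the mount is not visible here), the OAuth token-signing key ends up inside the nginz container as well as brig's. Ship a separate public-only JWK for nginz, i.e. the same object without `"d"`, and keep the full key for brig only.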
@@ -0,0 +1,18 @@
+# Example yaml-formatted configuration for proxy
+# proxy can be started with a config file (e.g. ./dist/proxy -c proxy.yaml.example)
+
+host: 0.0.0.0
+port: 8080
+
+# number of connections for the http pool
+httpPoolSize: 1000
+
+# maximum number of incoming connections
+maxConns: 5000
+
+# File containing upstream secrets.
+secretsConfig: /etc/wire/proxy/conf/proxy.config
+
+# Logging settings
+logLevel: Info
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/spar.yaml b/deploy/dockerephemeral/federation-v0/spar.yaml
new file mode 100644
index 00000000000..4a7024d0c68
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/spar.yaml
@@ -0,0 +1,42 @@
+saml:
+ version: SAML2.0
+ logLevel: Warn
+
+ spHost: 0.0.0.0
+ spPort: 8080
+ # TODO: change these
+ spAppUri: http://localhost:8080/
+ spSsoUri: http://localhost:8080/sso
+
+ contacts:
+ - type: ContactBilling
+ company: evil corp.
+ givenName: Dr.
+ surname: Girlfriend
+ email: email:president@evil.corp
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: spar_test_federation_v0
+ filterNodesByDatacentre: datacenter1
+
+# Wire/AWS specific, optional
+# discoUrl: "https://"
+
+maxttlAuthreq: 5 # seconds. don't set this too large, it is also the run time of one TTL test.
+maxttlAuthresp: 7200 # seconds. do not set this to 1h or less, as that is what the mock idp wants.
+
+maxScimTokens: 2 # Token limit {#RefScimToken}
+richInfoLimit: 5000 # should be in sync with Brig
+
+logNetStrings: False # log using netstrings encoding (see http://cr.yp.to/proto/netstrings.txt)
diff --git a/deploy/dockerephemeral/federation-v0/turn-secret.txt b/deploy/dockerephemeral/federation-v0/turn-secret.txt
new file mode 100644
index 00000000000..5e558cab2cc
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/turn-secret.txt
@@ -0,0 +1 @@
+xMtZyTpu=Leb?YKCoq#BXQR:gG^UrE83dNWzFJ2VcD
\ No newline at end of file
diff --git a/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml b/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml
new file mode 100644
index 00000000000..d64e0ec4f23
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml
@@ -0,0 +1,2 @@
+sid: "dummy"
+token: "dummy"
diff --git a/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt b/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt
new file mode 100644
index 00000000000..373e316cb8e
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt
@@ -0,0 +1,4 @@
+qjIAZtKrpXInwyqgM7JCZ3QeK9B4JGBYAv0_63YjTtgDylLfTTpdwvDYSy32is13biThD03QZAUOhBO042Odrw==
+dNLsH_oIA6hJCyw-AwokLz3AukHNghlP3H-pW5Ao1Wy06OI2MGgBwRnvjgfI2l1mgCLPJQflUR-7DsYO0p6zoQ==
+drShe2GnggBy-VAW1gdE6myf4UAFcN1ZdixCO8NRuYLv_TO-xNQzRj-8RfemJ4R6Oz-R5KTfP6Oj_Tj0qezDTw==
+tZWlAKOCe5-vlQl0TbECvxeIptEBGRrnGSiej-olAFe-46gXpFkWTas2Ci84VUWyhWzRJj4rtBmyJkAm-TMvwQ==
diff --git a/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt b/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt
new file mode 100644
index 00000000000..661fcfc71ba
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt
@@ -0,0 +1,4 @@
+A8pS3006XcLw2Est9orNd24k4Q9N0GQFDoQTtONjna8=
+tOjiNjBoAcEZ744HyNpdZoAizyUH5VEfuw7GDtKes6E=
+7_0zvsTUM0Y_vEX3pieEejs_keSk3z-jo_049Knsw08=
+vuOoF6RZFk2rNgovOFVFsoVs0SY-K7QZsiZAJvkzL8E=
diff --git a/deploy/dockerephemeral/init.sh b/deploy/dockerephemeral/init.sh
index b22e9b7ed13..7f11fc7ee0c 100755
--- a/deploy/dockerephemeral/init.sh
+++ b/deploy/dockerephemeral/init.sh
@@ -18,29 +18,14 @@ while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamod done echo " [ok!]" -for suffix in "" "2" "3" "4" "5"; do +for suffix in "" "2" "3" "4" "5" "-federation-v0"; do aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true - # Create Dynamo/SQS resources + # Create Dynamo resources exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-userkey-blacklist$suffix --attribute-definitions AttributeName=key,AttributeType=S --key-schema AttributeName=key,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5" exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-prekeys$suffix --attribute-definitions AttributeName=client,AttributeType=S --key-schema AttributeName=client,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events$suffix" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events$suffix --attributes VisibilityTimeout=1" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events-internal$suffix" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events-internal$suffix --attributes VisibilityTimeout=1" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-user-events.fifo$suffix" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-user-events.fifo$suffix --attributes 
VisibilityTimeout=1" - - # Gundeck's feedback queue - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-gundeck-events$suffix" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-gundeck-events$suffix --attributes VisibilityTimeout=1" - - # Galley's team event queue - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-team-events.fifo$suffix" - exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-team-events.fifo$suffix --attributes VisibilityTimeout=1" - # Verify sender's email address (ensure the sender address is in sync with the config in brig) exec_until_ready "aws --endpoint-url=http://ses:4579 ses verify-email-identity --email-address backend-integration$suffix@wire.com" @@ -53,6 +38,13 @@ for suffix in "" "2" "3" "4" "5"; do # TODO: Lifecycle configuration for the bucket, if supported. aws --endpoint-url=http://s3:9000 s3api create-bucket --bucket "dummy-bucket$suffix" aws --endpoint-url=http://s3:9000 s3api wait bucket-exists --bucket "dummy-bucket$suffix" + + # Check that SQS resources are created + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs get-queue-url --queue-name integration-brig-events$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs get-queue-url --queue-name integration-brig-events-internal$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs get-queue-url --queue-name integration-user-events$suffix.fifo" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs get-queue-url --queue-name integration-gundeck-events" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs get-queue-url --queue-name integration-team-events$suffix.fifo" done echo 'AWS resources created successfully!' 
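Review bot: In the new readiness block `integration-gundeck-events` is the only queue checked without `$suffix`, while the creation it replaces used `integration-gundeck-events$suffix` per backend; as written the loop re-checks the same unsuffixed queue for every suffix, including the new `-federation-v0`, so a missing suffixed gundeck queue would go unnoticed. If the queue really is shared now, a comment saying so would help; otherwise the line should read `exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs get-queue-url --queue-name integration-gundeck-events$suffix"`. Note also that the FIFO names moved `.fifo` after the suffix (`integration-user-events$suffix.fifo`), which is the form SQS requires, so whatever now creates the queues must use exactly these names or the wait never completes.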
diff --git a/deploy/dockerephemeral/init_vhosts.sh b/deploy/dockerephemeral/init_vhosts.sh index 4c169ba4431..9323e6f5a43 100755 --- a/deploy/dockerephemeral/init_vhosts.sh +++ b/deploy/dockerephemeral/init_vhosts.sh @@ -11,5 +11,6 @@ exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://ra exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d1.example.com" exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d2.example.com" exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d3.example.com" +exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/federation-v0" echo 'RabbitMQ resources created successfully!' diff --git a/deploy/dockerephemeral/run.sh b/deploy/dockerephemeral/run.sh index e982094a13d..57d0e7223ae 100755 --- a/deploy/dockerephemeral/run.sh +++ b/deploy/dockerephemeral/run.sh @@ -6,5 +6,12 @@ set -x SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DOCKER_FILE="$SCRIPT_DIR/docker-compose.yaml" -docker-compose --file "$DOCKER_FILE" up -docker-compose --file "$DOCKER_FILE" down +cleanup () { + docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" down +} + +docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d +trap cleanup EXIT +echo "All Services started successfully, press Ctrl+C to stop them" +# Wait for something to kill this +while true; do sleep 100000000; done diff --git a/docs/README.md b/docs/README.md index adf1c9be461..c52e21e3a15 100644 --- a/docs/README.md +++ b/docs/README.md 
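Review bot: The added line follows the existing pattern of passing `-u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD` on curl's command line, which exposes the password to every local process via `ps` and, because `exec_until_ready` receives the whole command as a string, to any tracing or retry logging it does (its definition is not visible here). For a throwaway compose environment this is low risk, but since all five lines share the shape it is cheap to fix once: write the credential to a curl config file and use `curl -K "$CURL_CFG" -X PUT http://rabbitmq:15672/api/vhosts/federation-v0`, or `--netrc-file`, so argv carries no secret.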
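Review bot: `trap cleanup EXIT` is installed only after `docker-compose ... up -d` returns, so if `up` fails part-way or the script is interrupted during it, the containers that did start are left running with no teardown; move `trap cleanup EXIT` above the `up -d` line. The result of `up -d` is also not checked, so when services fail to start the script still prints "All Services started successfully" and parks in the sleep loop; `docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d || exit 1` would surface that (only `set -x` is visible in the hunk context, so I cannot tell whether `set -e` already covers it). `sleep infinity` would replace the magic number if GNU coreutils can be assumed.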
@@ -101,6 +101,21 @@ Run `make pdf` and look at files in `./build/pdf/`. You can use the `make dev-pdf` target to get auto-refreshing PDF files as you save source files. This is also acessible at `http://localhost:3000/wire_federation.pdf`. +### Testing CI build locally + +In order to test changes to the deployment process (eg. nix changes, new grepinclude defaults), the build process can be invoked locally with + +``` +nix-build --no-out-link ./nix -A docs +``` + +If the command succeeds, the static content can be viewed in the browser directly from the nix build dir (adjust the build path) + +``` +firefox /nix/store/isjbzhmm34kr1i1xdgwfrrn98s4hgj43-wire-docs/html/index.html +``` + + ### Upload to S3 CI is set up to do this automatically on a push to master. If for some reason you wish to upload manually to S3: diff --git a/docs/src/developer/developer/FedCalls.png b/docs/src/developer/developer/FedCalls.png new file mode 100644 index 00000000000..50070640b77 Binary files /dev/null and b/docs/src/developer/developer/FedCalls.png differ diff --git a/docs/src/developer/developer/api-versioning.md b/docs/src/developer/developer/api-versioning.md index 29ebb8dee32..1ef2f7bc6fd 100644 --- a/docs/src/developer/developer/api-versioning.md +++ b/docs/src/developer/developer/api-versioning.md 
@@ -107,15 +107,20 @@ non-overlapping version ranges. When making the client API version bump, i.e., when finalising a version, there are several steps to make apart from deciding what endpoint changes are part of -the version: - - - In `wire-api` extend the `Version` type with a new version by appending the - new version to the end, e.g., by adding `V6`. - - In the same `Version` module update the `developmentVersions` value to list - only the new version, - - Consider updating the `backendApiVersion` value in Stern, which is - unit-tested by checking if it is listed as supported in the response to `GET - /api-version`. +the version. In these example we assume that version `V6` should be finalized and `V7` should be created: + +- Run wire-server and download the `swagger.json` of the current development version, e.g. with the following command: `curl localhost:8080/v6/api/swagger.json | jq > swagger-v6.json` and copy the file to `services/brig/docs/swagger-v6.json`. +- In `wire-api` extend the `Version` type with a new version by appending the + new version to the end. +- In the same `Version` module update the `developmentVersions` value to list + only the new version. +- In `services/brig/src/Brig/API/Public.hs` + - update `versionedSwaggerDocsAPI` so that the finalized version points to the pregenerated swagger + - and `internalEndpointsSwaggerDocsAPI` so that the finalized version `V6`, the new version `V7`, as well as the unversioned path point to the swagger of the internal API, and the previous latest stable version V5 points to an empty swagger. +- Set the version for `gDefaultAPIVersion` in `integration/test/Testlib/Env.hs` to 7. +- Consider updating the `backendApiVersion` value in Stern, which is + unit-tested by checking if it is listed as supported in the response to `GET + /api-version`. ### Examples of endpoint evolution 
diff --git a/docs/src/developer/developer/building.md b/docs/src/developer/developer/building.md
index ee219d3b98b..2096fe9d93f 100644
--- a/docs/src/developer/developer/building.md
+++ b/docs/src/developer/developer/building.md
@@ -1,36 +1,140 @@ # How to build wire-server -As a prerequisiste install the [nix package manager](https://nixos.org/) and [direnv](https://direnv.net/). Follow [these instructions](https://wire-server.cachix.org) to setup the Nix cache which will save you many hours of building. +## Getting up to speed -All following commands expect that you've entered the nix-provided build-environment by running `direnv allow`. +### nix +0. make sure you have `git` installed. It will be + assumed by `nix`. Also make sure to run on an amd64 + machine, `wire-server` is not yet compatible with arm64. -1. Create a `cabal.project.local`. This file is not included in wire-server because it disables optimization. +1. Install the [nix package manager](https://nixos.org/download.html). + Please follow the install instruction provided on their website. +2. Add the `wire-server` `cachix` cache to your system. + This is best done by using the `cachix` executable, which, as soon as you have + `nix` itself installed can be run with this (a bit unwieldy) command: - make cabal.project.local + ```bash + nix run \ + --experimental-features 'nix-command flakes' \ + github:nixos/nixpkgs/nixpkgs-unstable#cachix -- \ + use wire-server + ``` + +### direnv +1. Install [`direnv`](https://direnv.net/). See the [installation documentation](https://direnv.net/docs/installation.html) + for further details. - This should be re-run whenver a new local cabal package is added to the cabal project. +### checking out the repo -Then the following Makefile targets can be used to compile and test wire-server locally: +1. clone the git repo, it can be found at [the wireapp/wire-server github](https://github.com/wireapp/wire-server) +2. initialize this repo's submodules with + ```bash + git submodule update --init --recursive + ``` +### run direnv - # to compile all binaries to ./dist run - make +Now it's time to let nix fetch all dependencies. 
Enter the `wire-server` checkout, run - # to build and install all of galley's executables - make c package=galley +```bash +direnv allow +``` + +and go and grab a coffee. ☕ + +Your system will likely not build much, but it will definitely +spend some time fetching things from different caches. + +### initializing the cabal mirrors + +There are a few dependencies that are not provided by the nix env, for these, please run +```bash +cabal update +``` +now that you're in the devshell. - # also run galley's unit tests - make c package=galley test=1 +### building wire-server +#### with cabal + +You can build within the devshell by using the `Makefile` targets and +cabal. +The binaries are then dropped into `./dist/` + +You may build all services in `wire-server` by running + +```bash +make c +``` + +you may build a single package by running + +```bash +make c package=brig +``` + +you may run the tests by first starting background services with + +```bash +./deploy/dockerephemeral/run.sh +``` + +and then executing + +```bash +ulimit 10240 # set your resource limit to some high number +make ci-safe # run the ci +``` +If the former command fails, make sure you have a working installation of `docker` +or continue to the troubleshooting section right below. + +#### with nix + +you may build each individual service by running + +```bash +nix build -Lv \ + --experimental-features 'nix-command' \ + -f ./nix wireServer. +``` + +you may build all the libraries that exist locally or are in the closure of `wire-server` by running + +```bash +nix build -Lv \ + --experimental-features 'nix-command' \ + -f ./nix wireServer.haskellPackages. 
+``` + +you may build all the images that would be deployed by running + +```bash +nix build -Lv \ + --experimental-features 'nix-command' \ + -f ./nix wireServer.allImages +``` + +> ℹ️ Info +> +> if you don't want to pass the `--experimental-features` flag to nix, you may as well +> add this to your `nix.conf` which is documented [in the nix manual](https://nixos.org/manual/nix/unstable/command-ref/conf-file.html) + +`nix` puts all the build outputs into the nix store but leaves a link in the `result` directory +that will appear in the same directory that you have run the command in. To find out what +artifacts where build, just run + +```bash +ls -l result +``` ## Troubleshooting ### If the PR doesn't pass the CI (read check marks on github) -``` +```bash make sanitize-pr ``` @@ -42,7 +146,7 @@ Haskell Language Server stores its build artifacts in `~/.cache/hie-bios` (equiv The easiest course of action is to to remove these directories via: -``` +```bash make full-clean ``` @@ -73,7 +177,7 @@ Furthermore, testing federation requires a local DNS server set up with appropri Setting up these real, but in-memory internal and "fake" external dependencies is done easiest using [`docker-compose`](https://docs.docker.com/compose/install/). Run the following in a separate terminal (it will block that terminal, C-c to shut all these docker images down again): -``` +```bash deploy/dockerephemeral/run.sh ``` diff --git a/docs/src/developer/developer/dependencies.md b/docs/src/developer/developer/dependencies.md index 68db64e56d9..333b84f0fc7 100644 --- a/docs/src/developer/developer/dependencies.md +++ b/docs/src/developer/developer/dependencies.md 
@@ -65,7 +65,7 @@ including `cryptobox-c`. If new system dependencies are needed, add them to the
 ### Fedora:
 ```bash
-sudo dnf install -y pkgconfig haskell-platform libstdc++-devel libstdc++-static gcc-c++ libtool automake openssl-devel libsodium-devel ncurses-compat-libs libicu-devel GeoIP-devel libxml2-devel snappy-devel protobuf-compiler
+sudo dnf install -y pkgconfig haskell-platform libstdc++-devel libstdc++-static gcc-c++ libtool automake openssl-devel libsodium-devel ncurses-compat-libs libicu-devel libxml2-devel snappy-devel protobuf-compiler
 ```
 ### Ubuntu / Debian:
@@ -73,7 +73,7 @@ sudo dnf install -y pkgconfig haskell-platform libstdc++-devel libstdc++-static
 _Note_: Debian is not recommended due to this issue when running local integration tests: [#327](https://github.com/wireapp/wire-server/issues/327). This issue does not occur with Ubuntu.
 ```bash
-sudo apt install pkg-config libsodium-dev openssl-dev libtool automake build-essential libicu-dev libsnappy-dev libgeoip-dev protobuf-compiler libxml2-dev zlib1g-dev libtinfo-dev liblzma-dev libpcre3 libpcre3-dev -y
+sudo apt install pkg-config libsodium-dev openssl-dev libtool automake build-essential libicu-dev libsnappy-dev protobuf-compiler libxml2-dev zlib1g-dev libtinfo-dev liblzma-dev libpcre3 libpcre3-dev -y
 ```
 If `openssl-dev` does not work for you, try `libssl-dev`.
@@ -83,13 +83,13 @@ If `openssl-dev` does not work for you, try `libssl-dev`.
 ```
 # You might also need 'sudo pacman -S base-devel' if you haven't
 # installed the base-devel group already.
- sudo pacman -S geoip snappy icu openssl ncurses-compat-libs
+ sudo pacman -S snappy icu openssl ncurses-compat-libs
 ```
 ### macOS:
 ```bash
-brew install pkg-config libsodium openssl automake icu4c geoip snappy protobuf
+brew install pkg-config libsodium openssl automake icu4c snappy protobuf
 ```
 _Note_: macOS users will need to make sure to link Haskell services against a more recent version of OpenSSL than what ships with the OS by default. Additionally, `icu4c` is installed in a non-standard location by `homebrew`. Add the following to your `.stack/config.yaml`:
diff --git a/docs/src/developer/developer/federation-api-conventions.md
index 612a4eb67ed..f27e148ff73 100644
--- a/docs/src/developer/developer/federation-api-conventions.md
+++ b/docs/src/developer/developer/federation-api-conventions.md
@@ -31,3 +31,7 @@ this request has authority on, like a conversation got created, or a message is
 sent, then use the second format like `on-conversation-created` or `on-message-sent`
+
+ A call graph of the API endpoints the can call to federation members is included below.
+
+ ![Federation call graph](FedCalls.png)
\ No newline at end of file
diff --git a/docs/src/developer/developer/how-to.md
index 6c7cc0e1cb2..2aa7eb1bc49 100644
--- a/docs/src/developer/developer/how-to.md
+++ b/docs/src/developer/developer/how-to.md
@@ -15,7 +15,7 @@ Terminal 1:
 * Set up backing services: `./deploy/dockerephemeral/run.sh`
 Terminal 2:
-* Build and start wire-server services: ` make c && ./services/run-services`
+* Build and start wire-server services: ` make c && ./dist/run-services`
 Open your browser at: [http://localhost:8080/api/swagger-ui](http://localhost:8080/api/swagger-ui) for a list of API verions.
diff --git a/docs/src/developer/reference/config-options.md
index d92d461479b..595d683b68f 100644
--- a/docs/src/developer/reference/config-options.md
+++ b/docs/src/developer/reference/config-options.md
@@ -291,25 +291,26 @@ sndFactorPasswordChallenge:
 ### MLS
-This feature specifies how should behave. It has no effect on the server's behaviour.
+If this feature is enabled then clients that support the MLS feature will allow its user to switch between Proteus and the MLS protocol provided the user is listed in `protocolToggleUsers`. The default protocol that clients will create new conversations with is specified in `defaultProtocol`. The `supportedProtocols` array is an ordered list of protocols which may be used by the client. It is used to determine the protocol to use for 1:1 conversations. It must contain the `defaultProtocol`.
-If this feature is enabled then clients that support this feature will allowing its user to switch between Proteus and the MLS protocol provided the user is listed ini `protocolToggleUsers`. The default protocol that clients will create new conversations with is specified in `defaultProtocol`. The `defaultCipherSuite` and `allowedCipherSuites` contain the default ciphersuite and the allowed ciphersuites that clients should be using. The numerical values should correspond to the indices (starting at 1) specified here https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#table-5
+The `defaultCipherSuite` and `allowedCipherSuites` contain the default ciphersuite and the allowed ciphersuites that clients should be using. The numerical values should correspond to the indices (starting at 1) specified [here](https://www.rfc-editor.org/rfc/rfc9420.html#table-6).
-If this feature is disabled then clients will use the Proteus protocol with this backend.
+If the MLS feature is disabled then clients will use the Proteus protocol with this backend.
The default configuration that applies to all teams that didn't explicitly change their feature configuration can be given in galley's `featureFlags` section in the config file:
-```
+```yaml
 # galley.yaml
 mls:
 defaults:
- status: disabled
+ status: enabled
 config:
 protocolToggleUsers: []
- defaultProtocol: proteus
+ defaultProtocol: mls
+ supportedProtocols: [proteus, mls] # must contain defaultProtocol
 allowedCipherSuites: [1]
 defaultCipherSuite: 1
-
+ lockStatus: locked
 ```
 This default configuration can be overriden on a per-team basis through the [feature config API](../developer/features.md)
@@ -424,7 +425,7 @@ federator:
 clientPrivateKey: client-key.pem
 ```
-## Outlook calalendar integration
+### Outlook calendar integration
 This feature setting only applies to the Outlook Calendar extension for Wire. As it is an external service, it should only be configured through this feature flag and otherwise ignored by the backend.
@@ -438,6 +439,34 @@ outlookCalIntegration:
 lockStatus: locked
 ```
+### Guest Link Lifetime
+
+To set the validity duration of conversation guest links set `guestLinkTTLSeconds` to the desired number of seconds, maximum 1 year, a value ∈ (0, 31536000]. E.g.
+
+```yaml
+# galley.yaml
+config:
+ settings:
+ GuestLinkTTLSeconds: 604800
+```
+
+### Limited Event Fanout
+
+To maintain compatibility with clients and their versions that do not implement
+the limited event fanout when a team member is deleted, the limited event fanout
+flag is used. Its default value `disabled` means that the old-style full event
+fanout will take place when a team member is deleted. Set the flag to `enabled`
+to send team events only to team owners and administrators.
+
+Example configuration:
+
+```yaml
+# galley.yaml
+limitedEventFanout:
+ defaults:
+ status: disabled
+```
+
 ## Settings in brig
 Some features (as of the time of writing this: only
@@ -562,10 +591,6 @@ See {ref}`configure-federation-strategy-in-brig` (since [PR#3260](https://github
 ### API Versioning
-#### `setEnableDevelopmentVersions`
-
-This options determines whether development versions should be enabled. If set to `False`, all development versions are removed from the `supported` field of the `/api-version` endpoint. Note that they are still listed in the `development` field, and continue to work normally.
-
 ### OAuth
 For more information on OAuth please refer to .
@@ -625,10 +650,9 @@ It is possible to disable one ore more API versions. When an API version is disa
 Each of the services brig, cannon, cargohold, galley, gundeck, proxy, spar should to be configured with the same set of disable API versions in each service's values.yaml config files.
-
 For example to disable API version v3, you need to configure:
-```
+```yaml
 # brig's values.yaml
 config.optSettings.setDisabledAPIVersions: [ v3 ]
@@ -642,7 +666,7 @@ config.settings.disabledAPIVersions: [ v3 ]
 config.settings.disabledAPIVersions: [ v3 ]
 # gundecks' values.yaml
-config.disabledAPIVersions: [ v3 ]
+config.settings.disabledAPIVersions: [ v3 ]
 # proxy's values.yaml
 config.disabledAPIVersions: [ v3 ]
@@ -651,7 +675,15 @@ config.disabledAPIVersions: [ v3 ]
 config.disabledAPIVersions: [ v3 ]
 ```
-The default setting is that no API version is disabled.
+The development API version(s) can be disabled either explicitly or by adding the `development` keyword to the list of disabled API versions. E.g.:
+
+```yaml
+config.disabledAPIVersions: [ v3, development ]
+```
+
+This setting is required to be present for all the services (brig, cannon, cargohold, galley, gundeck, proxy, and spar).
+
+The default value (provided under `charts//values.yaml`) is `[ development ]` and disables the development versions. To enable all versions including the development versions set the value to be empty: `[]`.
@@ -748,7 +780,7 @@ to the configuration example above:
 ![Sequence Diagram: Alice and Bob download an asset](./multi-ingress-example-sequence.svg)
-