diff --git a/.gitignore b/.gitignore index 5f5ac902c54..9e15d9491d0 100644 --- a/.gitignore +++ b/.gitignore @@ -59,6 +59,7 @@ spar.integration-aws.yaml integration-aws.yaml DOCKER_ID* swagger-ui +!charts/nginz/static/swagger-ui deploy/services-demo/resources/templates/* deploy/services-demo/conf/nginz/zwagger-ui/* diff --git a/CHANGELOG.md b/CHANGELOG.md index 08ffdc33cc0..630d52ebf78 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,175 @@ +# [2022-07-05] (Chart Release 4.18.0) + +## Release notes + + +* For users of the (currently alpha) coturn Helm chart: + **manual intervention may be required** when upgrading to + this version of the chart from a prior version, due to [a bug in + Kubernetes](https://github.com/kubernetes/kubernetes/issues/39188) which + may interfere with applying changes to pod and service port configuration + correctly. + + If, after updating this chart, the coturn pods do not have both a `coturn-udp` + port and a `coturn-tcp` port, then the coturn `StatefulSet` must be manually + deleted from the cluster, and then recreated by re-running Helm. Similarly, if + the coturn `Service` does not have both a `coturn-udp` port and a `coturn-tcp` + port, this `Service` must also be deleted and recreated. (#2500) + +* The `nginz{-tcp,-http}` services have been unified into a `nginz` service, and + moved into the nginz chart. + + The nginz-ingress-services chart simply targets the `nginz` service, so there's + no need to set matching `service.nginz.external{Http,Tcp}Port` inside the + `nginx-ingress-services` chart anymore. + + The `config.http.httpPort` and `config.ws.wsPort` values in the `nginz` chart + still configure the ports the `nginz` service is listening on. + + Metrics were moved from `config.http.httpPort` to a new `http-metrics` port. + + The `nginz` chart also gained support for `metrics.serviceMonitor.enabled`, + creating a `ServiceMonitor` resource to scrape metrics, like for other wire + services. + + (#2476) + +* Upgrade webapp version to 2022-06-30-production.0-v0.30.5-0-3e2aaf6 (#2302) + +* In the helm charts, the `wireService` label has been removed. + + In some cases, we were already setting the `app` label too. + + Now we consistently use the `app` label to label different wire services. + + The `wireService` label was also used in the `spec.selector.matchLabels` field + on existing `Deployment` / `StatefulSet` resources. 
+ As these fields being immutable, changing them isn't possible without recreation. + + If you encounter an issue like + + > field is immutable && cannot patch "*" with kind * + + you need to manually delete these StatefulSet and Deployment resources, and apply helm again, which will recreate them. + + This means downtime, so plan a maintenance window for it. + + The `wire-server-metrics` chart was previously running some custom + configuration to automatically add all payloads with a `wireService` label into + metrics scraping. + + With the removal of the `wireService` label, this custom configuration has been + removed. + + Instead, all services that expose metrics will now create `ServiceMonitor` + resources, if their helm chart is applied with `metrics.serviceMonitor.enable` + set to true. + + This prevents scraping agents from querying services that don't expose metrics + at /i/metrics unnecessarily. + + Additionally, makes it easier to run other metric scraping operators, like + `grafana-agent-operator`, without the need to also create some custom + `wireService` label config there. + + Generally, if you have any monitoring solution installed in your cluster that + uses the Prometheus CRDs, set `metrics.serviceMonitor.enable` for the following charts: + + - brig + - cannon + - cargohold + - galley + - gundeck + - proxy + - spar (#2413) + + +## API changes + + +* The request body of `POST /conversations` endpoint can now contain an optional `creator_client` field. The `creator_client` field is only relevant for MLS conversations, in which case it must be set to the ID of the client making the request. (#2486) + +* Retire deprecated feature config API endpoints for API version V2 (#2492) + + +## Features + + +* Prevent race conditions in concurrent MLS commit requests. 
(#2525) + +* charts/wire-server: Optionally include backoffice (#2490) + +* The coturn chart has new functionality to enable graceful pod termination, by + waiting for all active allocations on a coturn instance to drain first. When + combined with a suitable external service discovery mechanism which can steer + client traffic away from terminating coturn pods, this can be used to implement + graceful rolling restarts of clusters of coturn instances. (#2456) + +* `./deploy/services-demo/create_team_members.sh` creates users with given roles now (#2137) + +* MLS implementation progress: + - Remote users can be added to MLS conversations + - MLS messages (both handshake and application) are now propagates to remote + conversation participants. (#2415) + +* charts/nginz: Serve swagger-ui for viewing swagger-1.2 docs (#2466) + +* `GET teams/:tid` response now contains an optional field `splash_screen` which contains the asset key of the team's splash screen. `PUT teams/:tid` now supports updating the splash screen asset key. (#2474) + +* Missing feature config mapping added (#2494) + +* Add MLS team feature configuration (#2499) + +* Team feature API now includes endpoints to get and set the `searchVisibilityInbound` feature (#2503) + + +## Bug fixes and other updates + + +* charts/backoffice: Fix version of frontend and auto-bump version of stern on every release (#2490) + +* The service definitions in the coturn Helm chart were missing the control plane + UDP port used by coturn. (#2500) + +* In nginx-ingress-services chart, when enabling useCertManager, now correctly creates the required issuer by default. 
(#2532) + +* Fix handling of creator client in MLS conversations (#2486) + +* Fix all clients having the same MLS public key (#2501) + +* A user now cannot delete an identity provider that they are authenticated with any more (#2519) + + +## Internal changes + + +* brig-types: remove all re-exports (#2505) + +* Fixed flakiness of email update test, related to the test user account being suspended, causing subsequent runs of the test to fail. (#2497) + +* galley-types: remove all re-exports (#2504) + +* Enforce some IdP invariants (#2533) + +* Switch to new MLS test CLI (https://github.com/wireapp/mls-test-cli) (#2508) + +* Forward /i/users/:uid/features/:feature to brig (#2468) + +* charts/nginz: Forward `/i/legalhold/whitelisted-teams` to galley instead of brig (#2460) + +* make the ldap-scim-bridge chart deployable once per team, and improve docs. (#1843) + +* Refactored and simplified the feature config API (#2435) + +* Removed deprecated internal feature config API endpoints (#2496) + +* Deactivated gundeck's integration tests for local steps (`make ci`). (#2510) + +* retry gundeck's Redis connection in case of network errors such as IP changes or network outages (#2512) + +* Add AWS security token metrics to all services (#2473) + + # [2022-06-14] (Chart Release 4.14.0) ## Release notes diff --git a/Makefile b/Makefile index 8ccab6b4837..6b6852351ff 100644 --- a/Makefile +++ b/Makefile @@ -360,8 +360,8 @@ kube-integration-teardown-sans-federation: .PHONY: kube-restart-% kube-restart-%: - kubectl delete pod -n $(NAMESPACE) -l wireService=$(*) - kubectl delete pod -n $(NAMESPACE)-fed2 -l wireService=$(*) + kubectl delete pod -n $(NAMESPACE) -l app=$(*) + kubectl delete pod -n $(NAMESPACE)-fed2 -l app=$(*) .PHONY: latest-tag latest-tag: 
@@ -522,8 +522,8 @@ kind-restart-nginx-ingress: .local/kind-kubeconfig kind-restart-%: .local/kind-kubeconfig export KUBECONFIG=$(CURDIR)/.local/kind-kubeconfig && \ - kubectl delete pod -n $(NAMESPACE) -l wireService=$(*) && \ - kubectl delete pod -n $(NAMESPACE)-fed2 -l wireService=$(*) + kubectl delete pod -n $(NAMESPACE) -l app=$(*) && \ + kubectl delete pod -n $(NAMESPACE)-fed2 -l app=$(*) # This target can be used to template a helm chart with values filled in from # hack/helm_vars (what CI uses) as overrrides, if available. This allows debugging helm diff --git a/build/ubuntu/Dockerfile.deps b/build/ubuntu/Dockerfile.deps index b16cc1bc194..c2999b35e00 100644 --- a/build/ubuntu/Dockerfile.deps +++ b/build/ubuntu/Dockerfile.deps @@ -10,20 +10,29 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ export SODIUM_USE_PKG_CONFIG=1 && \ cargo build --release -# compile core-crypto cli tool +# FUTUREWORK: remove core-crypto once #2508 is merged +# compile legacy core-crypto cli tool RUN cd /tmp && \ apt-get install -y libssl-dev && \ git clone -b cli https://github.com/wireapp/core-crypto && \ cd core-crypto/cli && \ cargo build --release +# compile mls-test-cli tool +RUN cd /tmp && \ + git clone https://github.com/wireapp/mls-test-cli && \ + cd mls-test-cli && \ + cargo build --release + # Minimal dependencies for ubuntu-compiled, dynamically linked wire-server Haskell services FROM ubuntu:20.04 COPY --from=cryptobox-builder /tmp/cryptobox-c/target/release/libcryptobox.so /usr/lib -# FUTUREWORK: only copy crypto-cli executable if we are building an integration test image +# FUTUREWORK: only copy crypto-cli and mls-test-cli executables if we are building an +# integration test image COPY --from=cryptobox-builder /tmp/core-crypto/cli/target/release/crypto-cli /usr/bin +COPY --from=cryptobox-builder /tmp/mls-test-cli/target/release/mls-test-cli /usr/bin RUN export DEBIAN_FRONTEND=noninteractive && \ apt-get update && \ 
diff --git a/cabal.project b/cabal.project index a0ddebf871c..c515c73ee82 100644 --- a/cabal.project +++ b/cabal.project @@ -157,7 +157,7 @@ source-repository-package allow-older: * allow-newer: * --- Changes by ./tools/convert-to-cabal/generate.sh +-- Changes by ./tools/convert-to-cabal/generate.sh tests: True benchmarks: True diff --git a/cassandra-schema.cql b/cassandra-schema.cql index 5afd359b05e..a053e0551c3 100644 --- a/cassandra-schema.cql +++ b/cassandra-schema.cql @@ -143,6 +143,11 @@ CREATE TABLE galley_test.team_features ( guest_links_lock_status int, guest_links_status int, legalhold_status int, + mls_allowed_ciphersuites set, + mls_default_ciphersuite int, + mls_default_protocol int, + mls_protocol_toggle_users set, + mls_status int, search_visibility_inbound_status int, search_visibility_status int, self_deleting_messages_lock_status int, @@ -267,6 +272,7 @@ CREATE TABLE galley_test.member_remote_user ( user_remote_domain text, user_remote_id uuid, conversation_role text, + mls_clients set, PRIMARY KEY (conv, user_remote_domain, user_remote_id) ) WITH CLUSTERING ORDER BY (user_remote_domain ASC, user_remote_id ASC) AND bloom_filter_fp_chance = 0.1 
@@ -471,6 +477,26 @@ CREATE TABLE galley_test.team_conv ( AND read_repair_chance = 0.0 AND speculative_retry = '99PERCENTILE'; +CREATE TABLE galley_test.mls_commit_locks ( + group_id blob, + epoch bigint, + PRIMARY KEY (group_id, epoch) +) WITH CLUSTERING ORDER BY (epoch ASC) + AND bloom_filter_fp_chance = 0.01 + AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} + AND comment = '' + AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} + AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} + AND crc_check_chance = 1.0 + AND dclocal_read_repair_chance = 0.1 + AND default_time_to_live = 0 + AND gc_grace_seconds = 864000 + AND max_index_interval = 2048 + AND memtable_flush_period_in_ms = 0 + AND min_index_interval = 128 + AND read_repair_chance = 0.0 + AND speculative_retry = '99PERCENTILE'; + CREATE TABLE galley_test.team ( team uuid PRIMARY KEY, binding boolean, @@ -480,6 +506,7 @@ CREATE TABLE galley_test.team ( icon_key text, name text, search_visibility int, + splash_screen text, status int ) WITH bloom_filter_fp_chance = 0.1 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} diff --git a/charts/account-pages/templates/deployment.yaml b/charts/account-pages/templates/deployment.yaml index 138e0ce4dd4..10001c35fe6 100644 --- a/charts/account-pages/templates/deployment.yaml +++ b/charts/account-pages/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: account-pages labels: - wireService: account-pages + app: account-pages chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -16,12 +16,10 @@ spec: maxSurge: {{ .Values.replicaCount | mul 2 }} selector: matchLabels: - wireService: account-pages app: account-pages template: metadata: labels: - wireService: account-pages app: account-pages release: {{ .Release.Name }} spec: diff --git a/charts/aws-ingress/templates/ELB_account_pages_https.yaml b/charts/aws-ingress/templates/ELB_account_pages_https.yaml index 02ef360501b..4613cdffe51 100644 --- a/charts/aws-ingress/templates/ELB_account_pages_https.yaml +++ b/charts/aws-ingress/templates/ELB_account_pages_https.yaml @@ -14,7 +14,7 @@ metadata: spec: type: LoadBalancer selector: - wireService: account-pages + app: account-pages ports: - name: https protocol: TCP diff --git a/charts/aws-ingress/templates/ELB_nginz_https.yaml b/charts/aws-ingress/templates/ELB_nginz_https.yaml index 64a0798fdb7..cb5c5114663 100644 --- a/charts/aws-ingress/templates/ELB_nginz_https.yaml +++ b/charts/aws-ingress/templates/ELB_nginz_https.yaml @@ -13,7 +13,7 @@ metadata: spec: type: LoadBalancer selector: - wireService: nginz + app: nginz ports: - name: https protocol: TCP diff --git a/charts/aws-ingress/templates/ELB_nginz_wss.yaml b/charts/aws-ingress/templates/ELB_nginz_wss.yaml index 10e6afb5262..ce6c8a2c1cc 100644 --- a/charts/aws-ingress/templates/ELB_nginz_wss.yaml +++ b/charts/aws-ingress/templates/ELB_nginz_wss.yaml @@ -14,7 +14,7 @@ metadata: spec: type: LoadBalancer selector: - wireService: nginz + app: nginz ports: - name: wss protocol: TCP diff --git a/charts/aws-ingress/templates/ELB_team_settings_https.yaml b/charts/aws-ingress/templates/ELB_team_settings_https.yaml index 3476bad0fe8..c0d4e2fa698 100644 --- a/charts/aws-ingress/templates/ELB_team_settings_https.yaml +++ b/charts/aws-ingress/templates/ELB_team_settings_https.yaml @@ -14,7 +14,7 @@ metadata: spec: type: LoadBalancer selector: - wireService: team-settings + app: team-settings ports: - name: https protocol: TCP 
diff --git a/charts/aws-ingress/templates/ELB_webapp_https.yaml b/charts/aws-ingress/templates/ELB_webapp_https.yaml index 7924e2a8a2a..ab52913f51c 100644 --- a/charts/aws-ingress/templates/ELB_webapp_https.yaml +++ b/charts/aws-ingress/templates/ELB_webapp_https.yaml @@ -13,7 +13,7 @@ metadata: spec: type: LoadBalancer selector: - wireService: webapp + app: webapp ports: - name: https protocol: TCP diff --git a/charts/backoffice/templates/deployment.yaml b/charts/backoffice/templates/deployment.yaml index ce5fe28801a..172e3fc1357 100644 --- a/charts/backoffice/templates/deployment.yaml +++ b/charts/backoffice/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: backoffice labels: - wireService: backoffice + app: backoffice chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: backoffice + app: backoffice template: metadata: labels: - wireService: backoffice + app: backoffice release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/backoffice/templates/service.yaml b/charts/backoffice/templates/service.yaml index de343846e35..3422d81a77f 100644 --- a/charts/backoffice/templates/service.yaml +++ b/charts/backoffice/templates/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: backoffice labels: - wireService: backoffice + app: backoffice chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: backoffice + app: backoffice release: {{ .Release.Name }} 
diff --git a/charts/backoffice/values.yaml b/charts/backoffice/values.yaml index 55be81f6cc9..a96c84e5ad5 100644 --- a/charts/backoffice/values.yaml +++ b/charts/backoffice/values.yaml @@ -2,11 +2,11 @@ replicaCount: 1 images: frontend: repository: quay.io/wire/backoffice-frontend - tag: 2.93.0 + tag: 2.87.0 pullPolicy: IfNotPresent stern: repository: quay.io/wire/stern - tag: 2.93.0 + tag: do-not-use pullPolicy: IfNotPresent service: internalPort: 8080 diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 7b06eb9b55c..210fa59a26c 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml @@ -3,7 +3,7 @@ kind: ConfigMap metadata: name: "brig" labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/brig/templates/deployment.yaml b/charts/brig/templates/deployment.yaml index 531f816948b..860b7acf518 100644 --- a/charts/brig/templates/deployment.yaml +++ b/charts/brig/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: brig labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: brig + app: brig template: metadata: labels: - wireService: brig + app: brig release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/brig/templates/geoip-secret.yaml b/charts/brig/templates/geoip-secret.yaml index db6df8a1ee8..8e96ea70c97 100644 --- a/charts/brig/templates/geoip-secret.yaml +++ b/charts/brig/templates/geoip-secret.yaml 
@@ -4,7 +4,7 @@ kind: Secret metadata: name: brig-geoip labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/charts/brig/templates/secret.yaml b/charts/brig/templates/secret.yaml index 55d90ff9eb5..2ffebba6290 100644 --- a/charts/brig/templates/secret.yaml +++ b/charts/brig/templates/secret.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: brig labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/charts/brig/templates/service.yaml b/charts/brig/templates/service.yaml index 9a12b07bad0..432be27dd18 100644 --- a/charts/brig/templates/service.yaml +++ b/charts/brig/templates/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: brig labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: brig + app: brig release: {{ .Release.Name }} diff --git a/charts/brig/templates/serviceaccount.yaml b/charts/brig/templates/serviceaccount.yaml index 48800b82bd6..bc120b624d8 100644 --- a/charts/brig/templates/serviceaccount.yaml +++ b/charts/brig/templates/serviceaccount.yaml @@ -4,7 +4,7 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccount.name }} labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/brig/templates/servicemonitor.yaml b/charts/brig/templates/servicemonitor.yaml new file mode 100644 index 00000000000..03c0b872442 --- /dev/null +++ b/charts/brig/templates/servicemonitor.yaml 
@@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: brig + labels: + app: brig + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: brig + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/brig/templates/tests/brig-integration.yaml b/charts/brig/templates/tests/brig-integration.yaml index dc2018a0d7c..17921894bf0 100644 --- a/charts/brig/templates/tests/brig-integration.yaml +++ b/charts/brig/templates/tests/brig-integration.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: "brig-integration" labels: - wireService: brig-integration + app: brig-integration chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -13,7 +13,7 @@ spec: - port: 9000 targetPort: 9000 selector: - wireService: brig-integration + app: brig-integration release: {{ .Release.Name }} --- apiVersion: v1 @@ -23,7 +23,7 @@ metadata: annotations: "helm.sh/hook": test-success labels: - wireService: brig-integration + app: brig-integration release: {{ .Release.Name }} spec: volumes: diff --git a/charts/brig/templates/tests/nginz-service.yaml b/charts/brig/templates/tests/nginz-service.yaml index 598ff296dbc..c31128667c7 100644 --- a/charts/brig/templates/tests/nginz-service.yaml +++ b/charts/brig/templates/tests/nginz-service.yaml @@ -11,4 +11,4 @@ spec: - port: 8080 targetPort: 8080 selector: - wireService: nginz + app: nginz diff --git a/charts/brig/templates/turnconfigmap.yaml b/charts/brig/templates/turnconfigmap.yaml index 3f4ef4f54c3..7a62071b578 100644 --- a/charts/brig/templates/turnconfigmap.yaml +++ b/charts/brig/templates/turnconfigmap.yaml 
@@ -4,7 +4,7 @@ kind: ConfigMap metadata: name: "turn" labels: - wireService: brig + app: brig chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml index 0106d38620f..82d215da491 100644 --- a/charts/brig/values.yaml +++ b/charts/brig/values.yaml @@ -12,6 +12,9 @@ resources: limits: memory: "512Mi" cpu: "500m" +metrics: + serviceMonitor: + enable: false config: logLevel: Info logFormat: JSON diff --git a/charts/cannon/templates/headless-service.yaml b/charts/cannon/templates/headless-service.yaml index e8b0e2b368f..5c107d0bc23 100644 --- a/charts/cannon/templates/headless-service.yaml +++ b/charts/cannon/templates/headless-service.yaml @@ -9,7 +9,7 @@ kind: Service metadata: name: {{ .Values.service.name }} labels: - wireService: cannon + app: cannon chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -23,5 +23,5 @@ spec: targetPort: {{ .Values.service.internalPort }} protocol: TCP selector: - wireService: cannon + app: cannon release: {{ .Release.Name }} diff --git a/charts/cannon/templates/nginz-certificate-secret.yaml b/charts/cannon/templates/nginz-certificate-secret.yaml index 4531ad19e3b..8394ebd8c00 100644 --- a/charts/cannon/templates/nginz-certificate-secret.yaml +++ b/charts/cannon/templates/nginz-certificate-secret.yaml @@ -4,7 +4,6 @@ kind: Secret metadata: name: {{ .Values.service.nginz.tls.secretName }} labels: - wireService: cannon-nginz app: cannon-nginz chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" diff --git a/charts/cannon/templates/nginz-secret.yaml b/charts/cannon/templates/nginz-secret.yaml index 23dd7c7d0c9..0670f7fe272 100644 --- a/charts/cannon/templates/nginz-secret.yaml +++ b/charts/cannon/templates/nginz-secret.yaml 
@@ -4,7 +4,6 @@ kind: Secret metadata: name: cannon-nginz labels: - wireService: cannon-nginz app: cannon-nginz chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" diff --git a/charts/cannon/templates/nginz-service.yaml b/charts/cannon/templates/nginz-service.yaml index fd820c2b75f..704e2e2a250 100644 --- a/charts/cannon/templates/nginz-service.yaml +++ b/charts/cannon/templates/nginz-service.yaml @@ -13,7 +13,7 @@ kind: Service metadata: name: {{ .Values.service.nginz.name }} labels: - wireService: cannon + app: cannon chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -35,6 +35,6 @@ spec: targetPort: {{ .Values.service.nginz.internalPort }} protocol: TCP selector: - wireService: cannon + app: cannon release: {{ .Release.Name }} {{- end }} diff --git a/charts/cannon/templates/servicemonitor.yaml b/charts/cannon/templates/servicemonitor.yaml new file mode 100644 index 00000000000..df91d18654a --- /dev/null +++ b/charts/cannon/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: cannon + labels: + app: cannon + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: cannon + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/cannon/templates/statefulset.yaml b/charts/cannon/templates/statefulset.yaml index c9adaae62bd..01eebcf2baa 100644 --- a/charts/cannon/templates/statefulset.yaml +++ b/charts/cannon/templates/statefulset.yaml @@ -9,7 +9,7 @@ kind: StatefulSet metadata: name: cannon labels: - wireService: cannon + app: cannon chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -17,7 +17,7 @@ spec: serviceName: {{ .Values.service.name }} selector: matchLabels: - wireService: cannon + app: cannon replicas: {{ .Values.replicaCount }} updateStrategy: type: RollingUpdate @@ -25,7 +25,7 @@ spec: template: metadata: labels: - wireService: cannon + app: cannon release: {{ .Release.Name }} annotations: checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }} diff --git a/charts/cannon/values.yaml b/charts/cannon/values.yaml index f5f4970df22..16c77ee347c 100644 --- a/charts/cannon/values.yaml +++ b/charts/cannon/values.yaml @@ -20,6 +20,10 @@ config: millisecondsBetweenBatches: 50 minBatchSize: 20 +metrics: + serviceMonitor: + enable: false + nginx_conf: user: nginx group: nginx diff --git a/charts/cargohold/templates/deployment.yaml b/charts/cargohold/templates/deployment.yaml index 25146020f5f..771d97f94fb 100644 --- a/charts/cargohold/templates/deployment.yaml +++ b/charts/cargohold/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: cargohold labels: - wireService: cargohold + app: cargohold chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: cargohold + app: cargohold template: metadata: labels: - wireService: cargohold + app: cargohold release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/cargohold/templates/service.yaml b/charts/cargohold/templates/service.yaml index 3621ea652fc..af4957e907c 100644 --- a/charts/cargohold/templates/service.yaml +++ b/charts/cargohold/templates/service.yaml 
@@ -3,7 +3,7 @@ kind: Service metadata: name: cargohold labels: - wireService: cargohold + app: cargohold chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: cargohold + app: cargohold release: {{ .Release.Name }} diff --git a/charts/cargohold/templates/serviceaccount.yaml b/charts/cargohold/templates/serviceaccount.yaml index 0460ce90d4a..199206e427a 100644 --- a/charts/cargohold/templates/serviceaccount.yaml +++ b/charts/cargohold/templates/serviceaccount.yaml @@ -4,7 +4,7 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccount.name }} labels: - wireService: cargohold + app: cargohold chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/cargohold/templates/servicemonitor.yaml b/charts/cargohold/templates/servicemonitor.yaml new file mode 100644 index 00000000000..106fad9ff31 --- /dev/null +++ b/charts/cargohold/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: cargohold + labels: + app: cargohold + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: cargohold + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/cargohold/values.yaml b/charts/cargohold/values.yaml index b72ebb6b7bc..b9cc40ff5c8 100644 --- a/charts/cargohold/values.yaml +++ b/charts/cargohold/values.yaml @@ -5,6 +5,9 @@ image: service: externalPort: 8080 internalPort: 8080 +metrics: + serviceMonitor: + enable: false resources: requests: memory: "256Mi" 
diff --git a/charts/cassandra-migrations/templates/galley-migrate-data.yaml b/charts/cassandra-migrations/templates/galley-migrate-data.yaml index 3800615d2b9..69a15f82384 100644 --- a/charts/cassandra-migrations/templates/galley-migrate-data.yaml +++ b/charts/cassandra-migrations/templates/galley-migrate-data.yaml @@ -7,7 +7,7 @@ kind: Job metadata: name: galley-migrate-data labels: - wireService: "cassandra-migrations" + app: "cassandra-migrations" chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" @@ -20,7 +20,7 @@ spec: metadata: name: "{{.Release.Name}}" labels: - wireService: galley-migrate-data + app: galley-migrate-data app: galley-migrate-data heritage: {{.Release.Service | quote }} release: {{.Release.Name | quote }} diff --git a/charts/cassandra-migrations/templates/migrate-schema.yaml b/charts/cassandra-migrations/templates/migrate-schema.yaml index b64815b6553..5bd3c06055d 100644 --- a/charts/cassandra-migrations/templates/migrate-schema.yaml +++ b/charts/cassandra-migrations/templates/migrate-schema.yaml @@ -3,7 +3,7 @@ kind: Job metadata: name: cassandra-migrations labels: - wireService: cassandra-migrations + app: cassandra-migrations chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -15,7 +15,7 @@ spec: template: metadata: labels: - wireService: cassandra-migrations + app: cassandra-migrations release: {{ .Release.Name }} spec: restartPolicy: OnFailure diff --git a/charts/cassandra-migrations/templates/spar-migrate-data.yaml b/charts/cassandra-migrations/templates/spar-migrate-data.yaml index 26710c73697..1b9c48e0669 100644 --- a/charts/cassandra-migrations/templates/spar-migrate-data.yaml +++ b/charts/cassandra-migrations/templates/spar-migrate-data.yaml 
@@ -7,7 +7,7 @@ kind: Job metadata: name: spar-migrate-data labels: - wireService: "cassandra-migrations" + app: "cassandra-migrations" chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" @@ -20,7 +20,6 @@ spec: metadata: name: "{{.Release.Name}}" labels: - wireService: spar-migrate-data app: spar-migrate-data heritage: {{.Release.Service | quote }} release: {{.Release.Name | quote }} diff --git a/charts/coturn/Chart.yaml b/charts/coturn/Chart.yaml index f0c1212fe8e..1893104adec 100644 --- a/charts/coturn/Chart.yaml +++ b/charts/coturn/Chart.yaml @@ -11,4 +11,4 @@ version: 0.0.42 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 4.5.2-wireapp.1 +appVersion: 4.5.2-wireapp.6 diff --git a/charts/coturn/templates/configmap-coturn-conf-template.yaml b/charts/coturn/templates/configmap-coturn-conf-template.yaml index a50424e56d5..61f5209e625 100644 --- a/charts/coturn/templates/configmap-coturn-conf-template.yaml +++ b/charts/coturn/templates/configmap-coturn-conf-template.yaml @@ -33,6 +33,7 @@ data: ## prometheus metrics prometheus-ip=__COTURN_POD_IP__ prometheus-port={{ .Values.coturnMetricsListenPort }} + prometheus-no-username-labels ## logs log-file=stdout diff --git a/charts/coturn/templates/service.yaml b/charts/coturn/templates/service.yaml index d932fb06a35..b671439da76 100644 --- a/charts/coturn/templates/service.yaml +++ b/charts/coturn/templates/service.yaml @@ -13,5 +13,9 @@ spec: - name: coturn-tcp port: {{ .Values.coturnTurnListenPort }} targetPort: coturn-tcp + - name: coturn-udp + port: {{ .Values.coturnTurnListenPort }} + targetPort: coturn-udp + protocol: UDP selector: {{- include "coturn.selectorLabels" . | nindent 4 }} 
diff --git a/charts/coturn/templates/statefulset.yaml b/charts/coturn/templates/statefulset.yaml index cc696530ff8..02cdd122053 100644 --- a/charts/coturn/templates/statefulset.yaml +++ b/charts/coturn/templates/statefulset.yaml @@ -93,11 +93,23 @@ spec: ZREST_SECRET="$(cat /secrets/zrest_secret.txt)" sed -Ee "s;__COTURN_EXT_IP__;$EXTERNAL_IP;g" -e "s;__COTURN_POD_IP__;$POD_IP;g" -e "s;__COTURN_SECRET__;$ZREST_SECRET;" /coturn-template/coturn.conf.template > /coturn-config/turnserver.conf exec /usr/bin/turnserver -c /coturn-config/turnserver.conf + {{- if .Values.coturnGracefulTermination }} + lifecycle: + preStop: + exec: + command: + - /bin/sh + - -c + - exec /usr/local/bin/pre-stop-hook "$POD_IP" {{ .Values.coturnMetricsListenPort }} + {{- end }} ports: - name: coturn-tcp containerPort: {{ .Values.coturnTurnListenPort }} protocol: TCP + - name: coturn-udp + containerPort: {{ .Values.coturnTurnListenPort }} + protocol: UDP - name: status-http containerPort: {{ .Values.coturnMetricsListenPort }} protocol: TCP @@ -114,6 +126,9 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.coturnGracefulTermination }} + terminationGracePeriodSeconds: {{ .Values.coturnGracePeriodSeconds }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml index 75973d8f602..964b816a4b0 100644 --- a/charts/coturn/values.yaml +++ b/charts/coturn/values.yaml 
@@ -24,3 +24,15 @@ securityContext: coturnTurnListenPort: 3478 coturnMetricsListenPort: 9641 + +# This chart optionally supports waiting for traffic to drain from coturn +# before pods are terminated. Warning: coturn does not have any way to steer +# incoming client traffic away from itself on its own, so this functionality +# relies on external traffic management (e.g. service discovery for active coturn +# instances) to prevent clients from sending new requests to pods which are in a +# terminating state. +coturnGracefulTermination: false +# Grace period for terminating coturn pods, after which they will be forcibly +# terminated. This setting is only effective when coturnGracefulTermination is +# set to true. +coturnGracePeriodSeconds: 86400 # one day diff --git a/charts/elasticsearch-ephemeral/templates/es-svc.yaml b/charts/elasticsearch-ephemeral/templates/es-svc.yaml index b8189bcf8c0..499652ee77d 100644 --- a/charts/elasticsearch-ephemeral/templates/es-svc.yaml +++ b/charts/elasticsearch-ephemeral/templates/es-svc.yaml @@ -3,7 +3,6 @@ kind: Service metadata: name: {{ template "fullname" . }} labels: - wireService: {{ template "fullname" . }} app: {{ template "fullname" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" diff --git a/charts/elasticsearch-ephemeral/templates/es.yaml b/charts/elasticsearch-ephemeral/templates/es.yaml index 855c4488bb5..79526560ad1 100644 --- a/charts/elasticsearch-ephemeral/templates/es.yaml +++ b/charts/elasticsearch-ephemeral/templates/es.yaml @@ -3,7 +3,6 @@ kind: Deployment metadata: name: {{ template "fullname" . }} labels: - wireService: {{ template "fullname" . }} app: {{ template "fullname" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" diff --git a/charts/elasticsearch-index/templates/create-index.yaml b/charts/elasticsearch-index/templates/create-index.yaml index 4a1d8db1078..804ed4af831 100644 
--- a/charts/elasticsearch-index/templates/create-index.yaml +++ b/charts/elasticsearch-index/templates/create-index.yaml @@ -3,7 +3,6 @@ kind: Job metadata: name: elasticsearch-index-create labels: - wireService: elasticsearch-index-create app: elasticsearch-index-create heritage: {{.Release.Service | quote }} release: {{.Release.Name | quote }} @@ -16,7 +15,6 @@ spec: metadata: name: "{{.Release.Name}}" labels: - wireService: elasticsearch-index-create app: elasticsearch-index-create heritage: {{.Release.Service | quote }} release: {{.Release.Name | quote }} diff --git a/charts/elasticsearch-index/templates/migrate-data.yaml b/charts/elasticsearch-index/templates/migrate-data.yaml index 2e5ae1f7e83..3ef47bcf5e8 100644 --- a/charts/elasticsearch-index/templates/migrate-data.yaml +++ b/charts/elasticsearch-index/templates/migrate-data.yaml @@ -3,7 +3,6 @@ kind: Job metadata: name: brig-index-migrate-data labels: - wireService: elasticsearch-index-migrate-data app: elasticsearch-index-migrate-data heritage: {{.Release.Service | quote }} release: {{.Release.Name | quote }} @@ -16,7 +15,6 @@ spec: metadata: name: "{{.Release.Name}}" labels: - wireService: elasticsearch-index-migrate-data app: elasticsearch-index-migrate-data heritage: {{.Release.Service | quote }} release: {{.Release.Name | quote }} diff --git a/charts/federator/templates/ca.yaml b/charts/federator/templates/ca.yaml index 8363507e1b2..2a144492247 100644 --- a/charts/federator/templates/ca.yaml +++ b/charts/federator/templates/ca.yaml @@ -3,7 +3,7 @@ kind: ConfigMap metadata: name: "federator-ca" labels: - wireService: federator + app: federator chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/federator/templates/configmap.yaml b/charts/federator/templates/configmap.yaml index 58c13106843..287e4a9ac77 100644 --- a/charts/federator/templates/configmap.yaml +++ b/charts/federator/templates/configmap.yaml 
@@ -3,7 +3,7 @@ kind: ConfigMap metadata: name: "federator" labels: - wireService: federator + app: federator chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/federator/templates/deployment.yaml b/charts/federator/templates/deployment.yaml index c09a239710c..b87dc660ef6 100644 --- a/charts/federator/templates/deployment.yaml +++ b/charts/federator/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: federator labels: - wireService: federator + app: federator chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: federator + app: federator template: metadata: labels: - wireService: federator + app: federator release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/federator/templates/secret.yaml b/charts/federator/templates/secret.yaml index f1337b952d9..201b5c83bd8 100644 --- a/charts/federator/templates/secret.yaml +++ b/charts/federator/templates/secret.yaml @@ -4,7 +4,7 @@ kind: Secret metadata: name: "federator-secret" labels: - wireService: federator + app: federator chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/federator/templates/service.yaml b/charts/federator/templates/service.yaml index 65da250677e..5394e54b1a3 100644 --- a/charts/federator/templates/service.yaml +++ b/charts/federator/templates/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: federator labels: - wireService: federator + app: federator chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -18,5 +18,5 @@ spec: port: {{ .Values.service.externalFederatorPort }} targetPort: {{ .Values.service.externalFederatorPort }} selector: - wireService: federator + app: federator release: {{ .Release.Name }} diff --git a/charts/galley/templates/configmap.yaml b/charts/galley/templates/configmap.yaml index eb7eda5141f..31070a8ab75 100644 --- a/charts/galley/templates/configmap.yaml +++ b/charts/galley/templates/configmap.yaml @@ -98,6 +98,14 @@ data: {{- if .settings.featureFlags.conversationGuestLinks }} conversationGuestLinks: {{- toYaml .settings.featureFlags.conversationGuestLinks | nindent 10 }} - {{- end }} + {{- end }} + {{- if .settings.featureFlags.searchVisibilityInbound }} + searchVisibilityInbound: + {{- toYaml .settings.featureFlags.searchVisibilityInbound | nindent 10 }} + {{- end }} + {{- if .settings.featureFlags.mls }} + mls: + {{- toYaml .settings.featureFlags.mls | nindent 10 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/galley/templates/deployment.yaml b/charts/galley/templates/deployment.yaml index 3f8f4344fef..ca23d999674 100644 --- a/charts/galley/templates/deployment.yaml +++ b/charts/galley/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: galley labels: - wireService: galley + app: galley chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: galley + app: galley template: metadata: labels: - wireService: galley + app: galley release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/galley/templates/service.yaml b/charts/galley/templates/service.yaml index 805ea9a89f4..f79d3a70e93 100644 --- a/charts/galley/templates/service.yaml +++ b/charts/galley/templates/service.yaml 
@@ -3,7 +3,7 @@ kind: Service metadata: name: galley labels: - wireService: galley + app: galley chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: galley + app: galley release: {{ .Release.Name }} diff --git a/charts/galley/templates/serviceaccount.yaml b/charts/galley/templates/serviceaccount.yaml index 32c155679f5..29b763c398e 100644 --- a/charts/galley/templates/serviceaccount.yaml +++ b/charts/galley/templates/serviceaccount.yaml @@ -4,7 +4,7 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccount.name }} labels: - wireService: galley + app: galley chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/galley/templates/servicemonitor.yaml b/charts/galley/templates/servicemonitor.yaml new file mode 100644 index 00000000000..8d9e43f8e51 --- /dev/null +++ b/charts/galley/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: galley + labels: + app: galley + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: galley + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/galley/templates/tests/galley-integration.yaml b/charts/galley/templates/tests/galley-integration.yaml index 33034050bff..a688764dfe4 100644 --- a/charts/galley/templates/tests/galley-integration.yaml +++ b/charts/galley/templates/tests/galley-integration.yaml 
@@ -3,7 +3,7 @@ kind: Service metadata: name: "galley-integration" labels: - wireService: galley-integration + app: galley-integration chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -13,7 +13,7 @@ spec: - port: 9000 targetPort: 9000 selector: - wireService: galley-integration + app: galley-integration release: {{ .Release.Name }} --- apiVersion: v1 @@ -23,7 +23,7 @@ metadata: annotations: "helm.sh/hook": test-success labels: - wireService: galley-integration + app: galley-integration release: {{ .Release.Name }} spec: volumes: diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml index d5746c15e3a..5332e3ea9d2 100644 --- a/charts/galley/values.yaml +++ b/charts/galley/values.yaml @@ -6,6 +6,9 @@ image: service: externalPort: 8080 internalPort: 8080 +metrics: + serviceMonitor: + enable: false resources: requests: memory: "256Mi" 
@@ -27,50 +30,54 @@ config: # refer to notes here: https://github.com/wireapp/wire-server-deploy/releases/tag/v2020-05-15 indexedBillingTeamMember: false featureFlags: # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) - sso: disabled-by-default - legalhold: disabled-by-default - teamSearchVisibility: disabled-by-default + appLock: + defaults: + config: + enforceAppLock: false + inactivityTimeoutSecs: 60 + status: enabled classifiedDomains: - status: disabled config: domains: [] - # optional - fileSharing: + status: disabled + conferenceCalling: defaults: status: enabled - lockStatus: unlocked - # optional - sndFactorPasswordChallenge: - defaults: - status: disabled - lockStatus: locked - # optional - validateSAMLemails: + conversationGuestLinks: defaults: + lockStatus: unlocked status: enabled - # optional - appLock: + fileSharing: defaults: + lockStatus: unlocked status: enabled + legalhold: disabled-by-default + mls: + defaults: + status: disabled config: - enforceAppLock: false - inactivityTimeoutSecs: 60 - # optional - conferenceCalling: + protocolToggleUsers: [] + defaultProtocol: proteus + allowedCipherSuites: [1] + defaultCipherSuite: 1 + searchVisibilityInbound: defaults: - status: enabled - # optional + status: disabled selfDeletingMessages: defaults: - status: enabled - lockStatus: unlocked config: enforcedTimeoutSeconds: 0 - # optional - conversationGuestLinks: + lockStatus: unlocked + status: enabled + sndFactorPasswordChallenge: + defaults: + lockStatus: locked + status: disabled + sso: disabled-by-default + teamSearchVisibility: disabled-by-default + validateSAMLemails: defaults: status: enabled - lockStatus: unlocked aws: region: "eu-west-1" diff --git a/charts/gundeck/templates/deployment.yaml b/charts/gundeck/templates/deployment.yaml index 4ff4ef01858..a083addfb91 100644 --- a/charts/gundeck/templates/deployment.yaml +++ b/charts/gundeck/templates/deployment.yaml 
@@ -3,7 +3,7 @@ kind: Deployment metadata: name: gundeck labels: - wireService: gundeck + app: gundeck chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: gundeck + app: gundeck template: metadata: labels: - wireService: gundeck + app: gundeck release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/gundeck/templates/secret.yaml b/charts/gundeck/templates/secret.yaml index e9de2b6979b..459ab0f24f4 100644 --- a/charts/gundeck/templates/secret.yaml +++ b/charts/gundeck/templates/secret.yaml @@ -4,7 +4,7 @@ kind: Secret metadata: name: gundeck labels: - wireService: gundeck + app: gundeck chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/charts/gundeck/templates/service.yaml b/charts/gundeck/templates/service.yaml index 14921fc655d..0d27085f1a0 100644 --- a/charts/gundeck/templates/service.yaml +++ b/charts/gundeck/templates/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: gundeck labels: - wireService: gundeck + app: gundeck chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: gundeck + app: gundeck release: {{ .Release.Name }} diff --git a/charts/gundeck/templates/serviceaccount.yaml b/charts/gundeck/templates/serviceaccount.yaml index 93de4b25f54..59bdd51128e 100644 --- a/charts/gundeck/templates/serviceaccount.yaml +++ b/charts/gundeck/templates/serviceaccount.yaml 
@@ -4,7 +4,7 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccount.name }} labels: - wireService: gundeck + app: gundeck chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/gundeck/templates/servicemonitor.yaml b/charts/gundeck/templates/servicemonitor.yaml new file mode 100644 index 00000000000..bd1adc4c1d6 --- /dev/null +++ b/charts/gundeck/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: gundeck + labels: + app: gundeck + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: gundeck + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/gundeck/values.yaml b/charts/gundeck/values.yaml index 618c7cf8675..9e8f022004f 100644 --- a/charts/gundeck/values.yaml +++ b/charts/gundeck/values.yaml @@ -5,6 +5,9 @@ image: service: externalPort: 8080 internalPort: 8080 +metrics: + serviceMonitor: + enable: false resources: requests: memory: "256Mi" diff --git a/charts/ldap-scim-bridge/README.md b/charts/ldap-scim-bridge/README.md index 670ba455f68..54a99787f6f 100644 --- a/charts/ldap-scim-bridge/README.md +++ b/charts/ldap-scim-bridge/README.md 
@@ -15,3 +15,72 @@ The kubernetes cronjob resource will spawn a new `ldap-scim-bridge-XXXXXX` pod e kubectl get pods -n wire kubectl logs ldap-scim-bridge-XXXXXX -n wire ``` +# with AD + +## Add Certificate +add your certificate until it looks like the following: + +``` +ucc@s-admin-host:~/Wire-Server$ d kubectl describe configmap ca-ad-pemstore +Name: ca-ad-pemstore +Namespace: default +Labels: +Annotations: + +Data +==== +ad-root.crt: +---- +-----BEGIN CERTIFICATE----- + + + + + + + + + + + + + + + + + + + + + + + + + +-----END CERTIFICATE----- + +Events: +``` + +## use certificate + +add the following patch after deployment to use the AD certificate. +kubectl patch cronjob ldap-scim-bridge-team-1 "$(cat add-ad-patch.patch)" +``` +spec: + jobTemplate: + spec: + template: + spec: + containers: + - name: ldap-scim-bridge + volumeMounts: + - name: ca-ad-pemstore + mountPath: /etc/ssl/certs/ad-root.crt + subPath: ad-root.crt + readOnly: false + volumes: + - name: ca-ad-pemstore + configMap: + name: ca-ad-pemstore +``` diff --git a/charts/ldap-scim-bridge/templates/cronjob.yaml b/charts/ldap-scim-bridge/templates/cronjob.yaml index fbd10986a2f..365fa67eca8 100644 --- a/charts/ldap-scim-bridge/templates/cronjob.yaml +++ b/charts/ldap-scim-bridge/templates/cronjob.yaml @@ -1,9 +1,9 @@ apiVersion: batch/v1beta1 kind: CronJob metadata: - name: ldap-scim-bridge + name: {{ .Release.Name }} labels: - wireService: ldap-scim-bridge + app: ldap-scim-bridge chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -13,7 +13,7 @@ spec: jobTemplate: metadata: labels: - wireService: ldap-scim-bridge + app: ldap-scim-bridge release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` 
@@ -26,7 +26,7 @@ spec: volumes: - name: "ldap-scim-bridge-config" secret: - secretName: "ldap-scim-bridge" + secretName: {{ .Release.Name }} containers: - name: ldap-scim-bridge image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/charts/ldap-scim-bridge/templates/secret.yaml b/charts/ldap-scim-bridge/templates/secret.yaml index 01e8bc35682..07074c6c316 100644 --- a/charts/ldap-scim-bridge/templates/secret.yaml +++ b/charts/ldap-scim-bridge/templates/secret.yaml @@ -1,13 +1,13 @@ apiVersion: v1 kind: Secret metadata: - name: ldap-scim-bridge + name: {{ .Release.Name }} labels: - wireService: ldap-scim-bridge + app: ldap-scim-bridge chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" type: Opaque stringData: config.yaml: | -{{ toYaml .Values.config | indent 4 }} \ No newline at end of file +{{ toYaml .Values.config | indent 4 }} diff --git a/charts/ldap-scim-bridge/values.yaml b/charts/ldap-scim-bridge/values.yaml index 0469e5eaa90..93a900042ac 100644 --- a/charts/ldap-scim-bridge/values.yaml +++ b/charts/ldap-scim-bridge/values.yaml 
@@ -1,42 +1,44 @@ image: repository: quay.io/wire/ldap-scim-bridge - tag: 0.2 + tag: 0.4 resources: requests: memory: "256Mi" cpu: "100m" limits: - memory: "512Mi" + # based on observation - 20211004 - JEL + memory: "1750Mi" cpu: "500m" # https://v1-19.docs.kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule -# schedule: "@hourly" -schedule: "*/1 * * * *" +# based on observation - 20211004 - JEL +schedule: "*/5 * * * *" # https://github.com/wireapp/ldap-scim-bridge -config: - logLevel: "Debug" # one of Trace,Debug,Info,Warn,Error,Fatal; `Fatal` is least noisy, `Trace` most. - ldapSource: - tls: false - host: "openldap" - port: 389 - dn: "cn=admin,dc=nodomain" - password: "admin" - search: - base: "ou=People,dc=nodomain" - objectClass: "account" - codec: "utf8" - deleteOnAttribute: # optional, related to `delete-from-directory`. - key: "deleted" - value: "true" - deleteFromDirectory: # optional; ok to use together with `delete-on-attribute` if you use both. - base: "ou=DeletedPeople,dc=nodomain" - objectClass: "account" - scimTarget: - tls: false - host: "spar" - port: 8080 - path: "/scim/v2" - token: "Bearer U6DRfAcwsvCg9eBStJWtiHu/XqTB1iVDcvNcsuftvqk=" - mapping: - userName: "uidNumber" - externalId: "uid" - email: "email" +#config: +# logLevel: "Debug" # one of Trace,Debug,Info,Warn,Error,Fatal; `Fatal` is least noisy, `Trace` most. +# ldapSource: +# tls: false +# host: "openldap" +# port: 389 +# dn: "cn=admin,dc=nodomain" +# password: "admin" +# search: +# base: "ou=People,dc=nodomain" +# objectClass: "account" +# codec: "utf8" +# deleteOnAttribute: # optional, related to `delete-from-directory`. +# key: "deleted" +# value: "true" +# deleteFromDirectory: # optional; ok to use together with `delete-on-attribute` if you use both. 
+# base: "ou=DeletedPeople,dc=nodomain" +# objectClass: "account" +# scimTarget: +# tls: false +# host: "spar" +# port: 8080 +# path: "/scim/v2" +# token: "Bearer U6DRfAcwsvCg9eBStJWtiHu/XqTB1iVDcvNcsuftvqk=" +# mapping: +# displayName: "displayName" +# userName: "uidNumber" +# externalId: "uid" +# email: "email" diff --git a/charts/nginx-ingress-services/templates/ingress.yaml b/charts/nginx-ingress-services/templates/ingress.yaml index 39fe2e33181..6cc9d019e42 100644 --- a/charts/nginx-ingress-services/templates/ingress.yaml +++ b/charts/nginx-ingress-services/templates/ingress.yaml @@ -32,16 +32,16 @@ spec: paths: - path: / backend: - serviceName: nginz-http - servicePort: {{ .Values.service.nginz.externalHttpPort }} + serviceName: nginz + servicePort: http {{- if .Values.websockets.enabled }} - host: {{ .Values.config.dns.ssl }} http: paths: - path: / backend: - serviceName: nginz-tcp - servicePort: {{ .Values.service.nginz.externalTcpPort }} + serviceName: nginz + servicePort: ws {{- end }} {{- if .Values.webapp.enabled }} - host: {{ .Values.config.dns.webapp }} diff --git a/charts/nginx-ingress-services/templates/service.yaml b/charts/nginx-ingress-services/templates/service.yaml index 236789b856d..83551789223 100644 --- a/charts/nginx-ingress-services/templates/service.yaml +++ b/charts/nginx-ingress-services/templates/service.yaml @@ -1,29 +1,4 @@ # FUTUREWORK: move services into the respective charts -apiVersion: v1 -kind: Service -metadata: - name: nginz-http -spec: - type: ClusterIP - ports: - - port: {{ .Values.service.nginz.externalHttpPort }} - targetPort: 8080 - selector: - wireService: nginz -{{- if .Values.websockets.enabled }} ---- -apiVersion: v1 -kind: Service -metadata: - name: nginz-tcp -spec: - type: ClusterIP - ports: - - port: {{ .Values.service.nginz.externalTcpPort }} - targetPort: 8081 - selector: - wireService: nginz -{{- end }} {{- if .Values.webapp.enabled }} --- apiVersion: v1 
@@ -36,7 +11,7 @@ spec: - port: {{ .Values.service.webapp.externalPort }} targetPort: 8080 selector: - wireService: webapp + app: webapp {{- end }} {{- if not .Values.service.s3.externallyCreated }} --- @@ -50,7 +25,7 @@ spec: - port: {{ .Values.service.s3.externalPort }} targetPort: 9000 selector: - wireService: {{ .Values.service.s3.serviceName }} + app: {{ .Values.service.s3.serviceName }} {{- end }} {{- if .Values.teamSettings.enabled }} --- @@ -64,7 +39,7 @@ spec: - port: {{ .Values.service.teamSettings.externalPort }} targetPort: 8080 selector: - wireService: team-settings + app: team-settings {{- end }} {{- if .Values.accountPages.enabled }} --- @@ -78,5 +53,5 @@ spec: - port: {{ .Values.service.accountPages.externalPort }} targetPort: 8080 selector: - wireService: account-pages + app: account-pages {{- end }} diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml index 44f49f0847e..b76a61390d9 100644 --- a/charts/nginx-ingress-services/values.yaml +++ b/charts/nginx-ingress-services/values.yaml @@ -37,8 +37,8 @@ tls: useCertManager: false # the validation depth between a federator client certificate and tlsClientCA verify_depth: 1 + createIssuer: true issuer: - create: true name: letsencrypt-http01 kind: Issuer # Issuer | ClusterIssuer @@ -80,9 +80,6 @@ certManager: customSolvers: service: - nginz: - externalHttpPort: 8080 - externalTcpPort: 8081 webapp: externalPort: 8080 s3: diff --git a/charts/nginz/conf/static/zauth.acl b/charts/nginz/static/conf/zauth.acl similarity index 100% rename from charts/nginz/conf/static/zauth.acl rename to charts/nginz/static/conf/zauth.acl diff --git a/charts/nginz/static/swagger-ui/index.html b/charts/nginz/static/swagger-ui/index.html new file mode 100644 index 00000000000..3524029f079 --- /dev/null +++ b/charts/nginz/static/swagger-ui/index.html @@ -0,0 +1,77 @@ + + +
+ + + +
+ + + +
+ +
+ + + + + + + + + diff --git a/charts/nginz/static/swagger-ui/tab.html b/charts/nginz/static/swagger-ui/tab.html new file mode 100644 index 00000000000..0798782592e --- /dev/null +++ b/charts/nginz/static/swagger-ui/tab.html @@ -0,0 +1,221 @@ + + + + + + + Swagger UI + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+ + +

+ +
+
+
+
+
+
+ +
+ +
+ +
+ +
+ + + +
 
+
+ + + diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl index 02c422b727a..1a6501429b5 100644 --- a/charts/nginz/templates/conf/_nginx.conf.tpl +++ b/charts/nginz/templates/conf/_nginx.conf.tpl @@ -199,29 +199,6 @@ http { return 200; } - location /vts { - zauth off; - access_log off; - allow 10.0.0.0/8; - allow 127.0.0.1; - deny all; - - # Requests with an X-Forwarded-For header will have the real client - # source IP address set correctly, due to the real_ip_header directive - # in the top-level configuration. However, this will not set the client - # IP correctly for clients which are connected via a load balancer which - # uses the PROXY protocol. - # - # Hence, for safety, we deny access to the vts metrics endpoints to - # clients which are connected via PROXY protocol. - if ($proxy_protocol_addr != "") { - return 403; - } - - vhost_traffic_status_display; - vhost_traffic_status_display_format html; - } - # Block "Franz" -- http://meetfranz.com if ($http_user_agent ~* Franz) { return 403; @@ -352,6 +329,7 @@ http { # location /api-docs { + zauth off; default_type application/json; root {{ $.Values.nginx_conf.swagger_root }}; index resources.json; @@ -399,5 +377,23 @@ http { } {{- end }} } + + server { + # even though we don't use zauth for this server block, + # we need to specify zauth_keystore etc. + zauth_keystore {{ .Values.nginx_conf.zauth_keystore }}; + zauth_acl {{ .Values.nginx_conf.zauth_acl }}; + + listen {{ .Values.config.http.metricsPort }}; + + location /vts { + access_log off; + zauth off; + + vhost_traffic_status_display; + vhost_traffic_status_display_format html; + } + } + } {{- end }} diff --git a/charts/nginz/templates/conf/_zwagger-config.js.tpl b/charts/nginz/templates/conf/_zwagger-config.js.tpl deleted file mode 100644 index ded11c8c5d4..00000000000 --- a/charts/nginz/templates/conf/_zwagger-config.js.tpl +++ /dev/null 
@@ -1,3 +0,0 @@ -{{ define "nginz_zwagger-config.js" }} -var environment = '{{ .Values.nginx_conf.env }}'; -{{- end }} diff --git a/charts/nginz/templates/configmap.yaml b/charts/nginz/templates/configmap.yaml index cb571488170..0ddba4536b2 100644 --- a/charts/nginz/templates/configmap.yaml +++ b/charts/nginz/templates/configmap.yaml @@ -4,13 +4,11 @@ data: {{- include "nginz_nginx.conf" . | indent 4 }} upstreams.txt: |2 {{- include "nginz_upstreams.txt" . | indent 4 }} - zwagger-config.js: |2 -{{- include "nginz_zwagger-config.js" . | indent 4 }} deeplink.json: |2 {{- include "nginz_deeplink.json" . | indent 4 }} deeplink.html: |2 {{- include "nginz_deeplink.html" . | indent 4 }} -{{ (.Files.Glob "conf/static/*").AsConfig | indent 2 }} +{{ (.Files.Glob "static/conf/*").AsConfig | indent 2 }} kind: ConfigMap metadata: creationTimestamp: null diff --git a/charts/nginz/templates/deployment.yaml b/charts/nginz/templates/deployment.yaml index d790e229137..2f51126402b 100644 --- a/charts/nginz/templates/deployment.yaml +++ b/charts/nginz/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: nginz labels: - wireService: nginz + app: nginz chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -16,17 +16,17 @@ spec: maxSurge: {{ .Values.replicaCount | mul 2 }} selector: matchLabels: - wireService: nginz app: nginz template: metadata: labels: - wireService: nginz app: nginz release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/swagger-ui-configmap: {{ include (print .Template.BasePath "/swagger-ui-configmap.yaml") . | sha256sum }} + checksum/swagger-resources-configmap: {{ include (print .Template.BasePath "/swagger-resources-configmap.yaml") . | sha256sum }} checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }} fluentbit.io/parser-nginz: nginz spec: @@ -53,11 +53,18 @@ spec: - name: upstreams mountPath: /etc/wire/nginz/upstreams readOnly: true + - name: swagger-ui + mountPath: /opt/zwagger-ui + readOnly: true + - name: swagger-resources + mountPath: {{ .Values.nginx_conf.swagger_root }}/api-docs ports: - name: http containerPort: {{ .Values.config.http.httpPort }} - name: tcp containerPort: {{ .Values.config.ws.wsPort }} + - name: http-metrics + containerPort: {{ .Values.config.http.metricsPort }} readinessProbe: httpGet: path: /status @@ -83,3 +90,9 @@ spec: secretName: nginz - name: upstreams emptyDir: {} + - name: swagger-ui + configMap: + name: nginz-swagger-ui + - name: swagger-resources + configMap: + name: nginz-swagger-resources diff --git a/charts/nginz/templates/secret.yaml b/charts/nginz/templates/secret.yaml index 2dc5ab8509a..12779270f6c 100644 --- a/charts/nginz/templates/secret.yaml +++ b/charts/nginz/templates/secret.yaml @@ -3,7 +3,6 @@ kind: Secret metadata: name: nginz labels: - wireService: nginz app: nginz chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" 
diff --git a/charts/nginz/templates/service.yaml b/charts/nginz/templates/service.yaml new file mode 100644 index 00000000000..8ed76cdaaae --- /dev/null +++ b/charts/nginz/templates/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: nginz + labels: + app: nginz + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ .Values.config.http.httpPort }} + targetPort: 8080 + - name: ws + port: {{ .Values.config.ws.wsPort }} + targetPort: 8081 + - name: http-metrics + port: {{ .Values.config.http.metricsPort }} + targetPort: 8082 + selector: + app: nginz diff --git a/charts/nginz/templates/servicemonitor.yaml b/charts/nginz/templates/servicemonitor.yaml new file mode 100644 index 00000000000..a5ffad05b82 --- /dev/null +++ b/charts/nginz/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: nginz + labels: + app: nginz + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http-metrics + path: /vts/status/format/prometheus + selector: + matchLabels: + app: nginz + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/nginz/templates/swagger-resources-configmap.yaml b/charts/nginz/templates/swagger-resources-configmap.yaml new file mode 100644 index 00000000000..a6b53022f62 --- /dev/null +++ b/charts/nginz/templates/swagger-resources-configmap.yaml 
@@ -0,0 +1,27 @@ +# Swagger-1.0 JSON to combine swagger-1.0 documents from different services +apiVersion: v1 +data: + resources.json: |2 + { + "apiVersion": "1.0", + "swaggerVersion": "1.2", + "apis": [ + { + "path": "/users", + "description": "Users, Connections and Onboarding" + }, + { + "path": "/push", + "description": "Push Notifications" + }, + { + "path": "/conversations", + "description": "Conversations and Messaging" + } + ] + } + +kind: ConfigMap +metadata: + name: nginz-swagger-resources + diff --git a/charts/nginz/templates/swagger-ui-configmap.yaml b/charts/nginz/templates/swagger-ui-configmap.yaml new file mode 100644 index 00000000000..0ec5e5edc18 --- /dev/null +++ b/charts/nginz/templates/swagger-ui-configmap.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +data: +{{ (.Files.Glob "static/swagger-ui/*").AsConfig | indent 2 }} +kind: ConfigMap +metadata: + name: nginz-swagger-ui diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml index 4b860e400e2..471bb1b14fc 100644 --- a/charts/nginz/values.yaml +++ b/charts/nginz/values.yaml @@ -6,6 +6,9 @@ resources: limits: memory: "1024Mi" cpu: "2" +metrics: + serviceMonitor: + enabled: false images: nginzDisco: repository: quay.io/wire/nginz_disco @@ -16,6 +19,7 @@ images: config: http: httpPort: 8080 + metricsPort: 8082 ws: wsPort: 8081 useProxyProtocol: true @@ -120,6 +124,10 @@ nginx_conf: - all disable_zauth: true unlimited_requests_endpoint: true + - path: /users/api-docs$ + envs: + - staging + disable_zauth: true - path: /users envs: - all 
@@ -270,27 +278,27 @@ nginx_conf: disable_zauth: true basic_auth: true versioned: false - - path: /i/teams/([^/]*)/suspend + - path: /i/users/([^/]*)/features/([^/])* envs: - staging disable_zauth: true basic_auth: true versioned: false - - path: /i/teams/([^/]*)/unsuspend + - path: /i/teams/([^/]*)/suspend envs: - staging disable_zauth: true basic_auth: true versioned: false - - path: /i/provider/activation-code + - path: /i/teams/([^/]*)/unsuspend envs: - staging disable_zauth: true basic_auth: true versioned: false - - path: /i/legalhold/whitelisted-teams(.*) + - path: /i/provider/activation-code envs: - - staging + - staging disable_zauth: true basic_auth: true versioned: false @@ -354,6 +362,10 @@ nginx_conf: disable_zauth: true envs: - all + - path: /conversations/api-docs$ + envs: + - staging + disable_zauth: true - path: /conversations/([^/]*)/otr/messages envs: - all @@ -418,6 +430,12 @@ nginx_conf: envs: - staging versioned: false + - path: /i/legalhold/whitelisted-teams(.*) + envs: + - staging + disable_zauth: true + basic_auth: true + versioned: false - path: /teams/api-docs envs: - all @@ -454,6 +472,10 @@ nginx_conf: envs: - all gundeck: + - path: /push/api-docs$ + envs: + - staging + disable_zauth: true - path: /push envs: - all diff --git a/charts/openldap/templates/openldap.yaml b/charts/openldap/templates/openldap.yaml index 0e2281d27d4..28ed001aa62 100644 --- a/charts/openldap/templates/openldap.yaml +++ b/charts/openldap/templates/openldap.yaml @@ -3,7 +3,7 @@ kind: Pod metadata: name: "openldap" labels: - wireService: openldap + app: openldap chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -51,4 +51,4 @@ spec: - name: LDAP_ORGANISATION value: "People" - name: LDAP_ADMIN_PASSWORD - value: "admin" \ No newline at end of file + value: "admin" 
diff --git a/charts/openldap/templates/secret-newusers.yaml b/charts/openldap/templates/secret-newusers.yaml index b78ef5a2207..0397cb0af55 100644 --- a/charts/openldap/templates/secret-newusers.yaml +++ b/charts/openldap/templates/secret-newusers.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: openldap-newusers-ldif labels: - wireService: ldap-scim-bridge + app: ldap-scim-bridge chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/charts/openldap/templates/service.yaml b/charts/openldap/templates/service.yaml index 356597c6056..b140faf3685 100644 --- a/charts/openldap/templates/service.yaml +++ b/charts/openldap/templates/service.yaml @@ -4,9 +4,9 @@ metadata: name: openldap spec: selector: - wireService: openldap + app: openldap ports: - name: openldap protocol: TCP port: 389 - targetPort: 389 \ No newline at end of file + targetPort: 389 diff --git a/charts/proxy/templates/deployment.yaml b/charts/proxy/templates/deployment.yaml index bedb30e16f4..d2f1f4f6a8d 100644 --- a/charts/proxy/templates/deployment.yaml +++ b/charts/proxy/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: proxy labels: - wireService: proxy + app: proxy chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: proxy + app: proxy template: metadata: labels: - wireService: proxy + app: proxy release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/proxy/templates/service.yaml b/charts/proxy/templates/service.yaml index 0b60d66f6d0..2bda5053b26 100644 --- a/charts/proxy/templates/service.yaml +++ b/charts/proxy/templates/service.yaml 
@@ -3,7 +3,7 @@ kind: Service metadata: name: proxy labels: - wireService: proxy + app: proxy chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: proxy + app: proxy release: {{ .Release.Name }} diff --git a/charts/proxy/templates/servicemonitor.yaml b/charts/proxy/templates/servicemonitor.yaml new file mode 100644 index 00000000000..88120fe7cdb --- /dev/null +++ b/charts/proxy/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: proxy + labels: + app: proxy + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: proxy + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/proxy/values.yaml b/charts/proxy/values.yaml index ec7b8a81825..f7de774ea03 100644 --- a/charts/proxy/values.yaml +++ b/charts/proxy/values.yaml @@ -5,6 +5,9 @@ image: service: externalPort: 8080 internalPort: 8080 +metrics: + serviceMonitor: + enable: false resources: requests: memory: "128Mi" @@ -14,4 +17,4 @@ resources: cpu: "500m" config: logLevel: Debug - proxy: {} \ No newline at end of file + proxy: {} diff --git a/charts/reaper/templates/deployment.yaml b/charts/reaper/templates/deployment.yaml index 1601a2acbe3..8a11b60b4f0 100644 --- a/charts/reaper/templates/deployment.yaml +++ b/charts/reaper/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: reaper labels: - wireService: reaper + app: reaper chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -11,12 +11,12 @@ spec: replicas: 1 selector: matchLabels: - wireService: reaper + app: reaper release: {{ .Release.Name }} template: metadata: labels: - wireService: reaper + app: reaper release: {{ .Release.Name }} spec: serviceAccountName: reaper-role diff --git a/charts/spar/templates/deployment.yaml b/charts/spar/templates/deployment.yaml index a6b86f8bbda..874caafc427 100644 --- a/charts/spar/templates/deployment.yaml +++ b/charts/spar/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: spar labels: - wireService: spar + app: spar chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,11 +16,11 @@ spec: maxSurge: {{ .Values.replicaCount }} selector: matchLabels: - wireService: spar + app: spar template: metadata: labels: - wireService: spar + app: spar release: {{ .Release.Name }} annotations: # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade` diff --git a/charts/spar/templates/service.yaml b/charts/spar/templates/service.yaml index e360ac0f3d7..711967459f0 100644 --- a/charts/spar/templates/service.yaml +++ b/charts/spar/templates/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: spar labels: - wireService: spar + app: spar chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,5 +14,5 @@ spec: port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} selector: - wireService: spar + app: spar release: {{ .Release.Name }} diff --git a/charts/spar/templates/servicemonitor.yaml b/charts/spar/templates/servicemonitor.yaml new file mode 100644 index 00000000000..f2b23703b61 --- /dev/null +++ b/charts/spar/templates/servicemonitor.yaml 
@@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: spar + labels: + app: spar + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + endpoints: + - port: http + path: /i/metrics + selector: + matchLabels: + app: spar + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/spar/templates/tests/spar-integration.yaml b/charts/spar/templates/tests/spar-integration.yaml index 19646326a7e..c4735ffd15a 100644 --- a/charts/spar/templates/tests/spar-integration.yaml +++ b/charts/spar/templates/tests/spar-integration.yaml @@ -5,7 +5,7 @@ metadata: annotations: "helm.sh/hook": test-success labels: - wireService: spar-integration + app: spar-integration release: {{ .Release.Name }} spec: volumes: diff --git a/charts/spar/values.yaml b/charts/spar/values.yaml index 60f7e8d10d3..3cdd3b84908 100644 --- a/charts/spar/values.yaml +++ b/charts/spar/values.yaml @@ -2,6 +2,9 @@ replicaCount: 3 image: repository: quay.io/wire/spar tag: do-not-use +metrics: + serviceMonitor: + enable: false resources: requests: memory: "128Mi" @@ -20,4 +23,4 @@ config: logLevel: Info maxttlAuthreq: 7200 maxttlAuthresp: 7200 - proxy: {} \ No newline at end of file + proxy: {} diff --git a/charts/team-settings/templates/deployment.yaml b/charts/team-settings/templates/deployment.yaml index 467d6324457..b560d8ca577 100644 --- a/charts/team-settings/templates/deployment.yaml +++ b/charts/team-settings/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: team-settings labels: - wireService: team-settings + app: team-settings chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -16,12 +16,10 @@ spec: maxSurge: {{ .Values.replicaCount | mul 2 }} selector: matchLabels: - wireService: team-settings app: team-settings template: metadata: labels: - wireService: team-settings app: team-settings release: {{ .Release.Name }} spec: diff --git a/charts/webapp/templates/deployment.yaml b/charts/webapp/templates/deployment.yaml index 14c8f15c786..457d9547b91 100644 --- a/charts/webapp/templates/deployment.yaml +++ b/charts/webapp/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: webapp labels: - wireService: webapp + app: webapp chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,12 +16,10 @@ spec: maxSurge: {{ .Values.replicaCount | mul 2 }} selector: matchLabels: - wireService: webapp app: webapp template: metadata: labels: - wireService: webapp app: webapp release: {{ .Release.Name }} spec: diff --git a/charts/webapp/values.yaml b/charts/webapp/values.yaml index a639cd046a4..78f3b51a12f 100644 --- a/charts/webapp/values.yaml +++ b/charts/webapp/values.yaml @@ -9,7 +9,7 @@ resources: cpu: "1" image: repository: quay.io/wire/webapp - tag: "2022-06-13-production.0-v0.29.7-0-2819b90" + tag: "2022-06-30-production.0-v0.30.5-0-3e2aaf6" service: https: externalPort: 443 diff --git a/charts/wire-server-metrics/values.yaml b/charts/wire-server-metrics/values.yaml index 44bac846a35..7a9a8b87637 100644 --- a/charts/wire-server-metrics/values.yaml +++ b/charts/wire-server-metrics/values.yaml 
@@ -1,29 +1,4 @@ kube-prometheus-stack: - prometheus: - additionalServiceMonitors: - - name: wire-services - # We copy these labels from the pod onto the collected metrics from that pod - targetLabels: - - wireService - endpoints: - - path: '/i/metrics' - port: http - interval: 10s - metricRelabelings: - # Rename 'service' to 'role' to allow sharing of grafana dashboards - # between k8s and AWS services. - - sourceLabels: [service] - targetLabel: role - # This monitors _all_ namespaces and selects all - # pods that with a wireServices selector - namespaceSelector: - any: true - selector: - matchExpressions: - # select any pod with a 'wireService' label - - key: wireService - operator: Exists - prometheusOperator: # Don't try to create custom resource types; we prefer to do it manually # Otherwise we run into race conditions when installing helm charts diff --git a/charts/wire-server/requirements.yaml b/charts/wire-server/requirements.yaml index ab3d8c1df87..88629b3acf4 100644 --- a/charts/wire-server/requirements.yaml +++ b/charts/wire-server/requirements.yaml @@ -15,6 +15,13 @@ dependencies: ######################## ## wire-servers/services ######################## +- name: backoffice + version: "0.0.42" + repository: "file://../backoffice" + tags: + - backoffice + - haskellServices + - services - name: cannon version: "0.0.42" repository: "file://../cannon" diff --git a/charts/wire-server/values.yaml b/charts/wire-server/values.yaml index de41554b588..cae8e07623a 100644 --- a/charts/wire-server/values.yaml +++ b/charts/wire-server/values.yaml @@ -11,3 +11,4 @@ tags: legalhold: false federator: false # see also galley.config.enableFederator and brig.config.enableFederator sftd: false + backoffice: false diff --git a/deploy/services-demo/create_team_members.sh b/deploy/services-demo/create_team_members.sh index c0fabeafe51..63b70650669 100755 --- a/deploy/services-demo/create_team_members.sh +++ b/deploy/services-demo/create_team_members.sh 
@@ -18,7 +18,10 @@ USAGE: $0 -a : User ID of the inviting admin. default: ${ADMIN_UUID} -t : ID of the inviting team. default: ${TEAM_UUID} -h : Base URI of brig. default: ${BRIG_HOST} - -c : file containing info on the invitees in format 'Email,UserName'. default: ${CSV_FILE} + -c : file containing info on the invitees in format 'Email,UserName,Role'. default: ${CSV_FILE} + +If role is specified, it must be one of owner, admin, member, partner. +If it is missing, default is member. If you tee(1) stdout, stderr of this script into a log file, you can grep that log file for errors like this: @@ -66,16 +69,20 @@ if [ ! -e "$CSV_FILE" ]; then fi # Generate users -while IFS=, read -r EMAIL USER_NAME +while IFS=, read -r EMAIL USER_NAME ROLE do - echo "inviting $USER_NAME <$EMAIL>..." 1>&2 + if ( echo "$ROLE" | grep -vq "\(owner\|admin\|member\|partner\)" ); then + export ROLE=member + fi + + echo "inviting $USER_NAME <$EMAIL> with role $ROLE..." 1>&2 # Generate the invitation CURL_OUT_INVITATION=$(curl -i -s --show-error \ -XPOST "$BRIG_HOST/teams/$TEAM_UUID/invitations" \ -H'Content-type: application/json' \ -H'Z-User: '"$ADMIN_UUID"'' \ - -d'{"email":"'"$EMAIL"'","name":"'"$USER_NAME"'","inviter_name":"Team admin"}') + -d'{"email":"'"$EMAIL"'","name":"'"$USER_NAME"'","role":"'"$ROLE"'"}') INVITATION_ID=$(echo "$CURL_OUT_INVITATION" | tail -1 | sed 's/.*\"id\":\"\([a-z0-9-]*\)\".*/\1/') diff --git a/deploy/services-demo/create_test_team_scim.sh b/deploy/services-demo/create_test_team_scim.sh index b9ff9612770..552b4e15c1f 100755 --- a/deploy/services-demo/create_test_team_scim.sh +++ b/deploy/services-demo/create_test_team_scim.sh @@ -6,7 +6,7 @@ BRIG_HOST="http://localhost:8082" SPAR_HOST="http://localhost:8088" USAGE=" -This bash script craates +This bash script creates 1) team 2) team admin 3) scim token diff --git a/docs/legacy/reference/config-options.md b/docs/legacy/reference/config-options.md index 87b17e9f3e8..33d8eb04445 100644 
--- a/docs/legacy/reference/config-options.md +++ b/docs/legacy/reference/config-options.md @@ -73,9 +73,9 @@ IMPORTANT: If you switch this back to `disabled-permanently` from that have created them while it was allowed. This may change in the future. -### Team Feature teamSearchVisibility +### Team searchVisibility -The feature flag `teamSearchVisibility` affects the outbound search of user +The team flag `searchVisibility` affects the outbound search of user searches. If it is set to `no-name-outside-team` for a team then all users of that team will no longer be able to find users that are not part of their team when searching. This also includes finding other users by by providing their @@ -96,6 +96,9 @@ pull-down-menu "body": "no-name-outside-team" ``` +The team feature flag `teamSearchVisibility` determines whether it is allowed to change the `searchVisibility` setting or not. +The default is `disabled-by-default`. Note that whenever this feature setting is disabled the `searchVisibility` will be reset to `standard`. + The default setting that applies to all teams on the instance can be defined at configuration ```yaml @@ -104,10 +107,6 @@ settings: teamSearchVisibility: disabled-by-default # or enabled-by-default ``` -where disabled is equivalent to `standard` and enabled is equivalent to `no-name-outside-team`. Individual teams may ovewrite the default setting. - -On wire cloud the default setting is `standard`. - ### TeamFeature searchVisibilityInbound The team feature flag `searchVisibilityInbound` affects if the team's users are 
@@ -236,6 +235,32 @@ sndFactorPasswordChallenge: lockStatus: locked|unlocked ``` +### MLS + +This feature specifies how should behave. It has no effect on the server's behaviour. + +If this feature is enabled then clients that support this feature will allowing its user to switch between Proteus and the MLS protocol provided the user is listed ini `protocolToggleUsers`. The default protocol that clients will create new conversations with is specified in `defaultProtocol`. The `defaultCipherSuite` and `allowedCipherSuites` contain the default ciphersuite and the allowed ciphersuites that clients should be using. The numerical values should correspond to the indices (starting at 1) specified here https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#table-5 + +If this feature is disabled then clients will use the Proteus protocol with this backend. + +The default configuration that applies to all teams that didn't explicitly change their feature configuration can be given in galley's `featureFlags` section in the config file: + +``` +# galley.yaml +mls: + defaults: + status: disabled + config: + protocolToggleUsers: [] + defaultProtocol: proteus + allowedCipherSuites: [1] + defaultCipherSuite: 1 + +``` + +This default configuration can be overriden on a per-team basis through the [feature config API](./features.md) + + ### Federation Domain Regardless of whether a backend wants to enable federation or not, the operator diff --git a/docs/reference/user/registration.md b/docs/reference/user/registration.md index fc24c8699ab..1ebf9383d5b 100644 --- a/docs/reference/user/registration.md +++ b/docs/reference/user/registration.md @@ -1 +1 @@ -file has moved [here](../legacy/reference/user/registration.md) +file has moved [here](../../legacy/reference/user/registration.md) diff --git a/docs/src/_templates/layout.html b/docs/src/_templates/layout.html index cdf6b5c4a82..357a7a120b2 100644 --- a/docs/src/_templates/layout.html 
+++ b/docs/src/_templates/layout.html @@ -2,7 +2,11 @@ {% block sidebartitle %} + {%- if logo %} + + {%- else %} + {%- endif %}
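Review bot: in the `charts/nginz/templates/deployment.yaml` hunk, the new `swagger-resources` mount (`mountPath: {{ .Values.nginx_conf.swagger_root }}/api-docs`) lacks `readOnly: true`, while the `swagger-ui` mount directly above it has it; add `readOnly: true` so both ConfigMap-backed mounts state the same intent and the container cannot be used to alter the served API docs. Separately, dropping `wireService: nginz` from `spec.selector.matchLabels` changes an immutable field of an existing Deployment (the same applies to the proxy, reaper, spar, team-settings and webapp deployment hunks), so `helm upgrade` on a cluster already running these charts will be rejected until the old Deployment is deleted; the release notes should spell out that manual step.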
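Review bot: in the new `charts/nginz/templates/service.yaml`, `targetPort` is hardcoded to `8080`, `8081` and `8082`, while the Deployment takes its `containerPort`s from `.Values.config.http.httpPort`, `.Values.config.ws.wsPort` and `.Values.config.http.metricsPort`; anyone overriding those values ends up with a Service that no longer reaches the container. Use the named container ports (`targetPort: http`, `targetPort: tcp`, `targetPort: http-metrics`) or the same `.Values` references. The selector is also `app: nginz` alone, whereas the proxy and spar Services select on `app` plus `release: {{ .Release.Name }}`; add the `release` label so two releases in one namespace do not share endpoints, which also keeps it aligned with the new `servicemonitor.yaml` selector that already requires both labels.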
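Review bot: `charts/proxy/values.yaml` and `charts/spar/values.yaml` add `metrics.serviceMonitor.enable: false`, but the `servicemonitor.yaml` templates added to both charts gate on `{{- if .Values.metrics.serviceMonitor.enabled }}` (with a trailing `d`), which is the key nginz uses. Rename the key to `enabled` in both values files; as written, setting `enable: true` does nothing and the ServiceMonitor is never rendered, and the documented knob in values.yaml does not exist from the template's point of view.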
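Review bot: the new `- path: /i/users/([^/]*)/features/([^/])*` entry in the nginz `nginx_conf` hunk has the quantifier outside the group (`([^/])*`), unlike every neighbouring entry which uses `([^/]*)`; it accepts the same strings but only captures the last character and reads like a typo. Change it to `/i/users/([^/]*)/features/([^/]*)`. Because this is an `/i/` route exposed with `disable_zauth: true` and `basic_auth: true` for staging, keeping the pattern shape identical to the other internal routes makes it easier to audit which endpoints bypass zauth.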
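Review bot: the `additionalServiceMonitors` block removed from `charts/wire-server-metrics/values.yaml` carried `interval: 10s`, `targetLabels` and a `metricRelabelings` rule renaming `service` to `role` "to allow sharing of grafana dashboards between k8s and AWS services"; the per-chart ServiceMonitors that replace it (nginz, proxy, spar) define only `endpoints.port`/`path` and a selector, so the scrape interval falls back to the Prometheus default and the `role` label disappears from collected series. Either carry `interval` and the `metricRelabelings` into the new templates or state the dashboard impact in the release notes. The removed monitor also scraped any pod with a `wireService` label in all namespaces (`namespaceSelector: any: true`); reaper, team-settings and webapp lose that label in this patch and get no `servicemonitor.yaml`, so confirm they are still covered if they were previously scraped this way.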
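Review bot: the role check added to `deploy/services-demo/create_team_members.sh` (`grep -vq "\(owner\|admin\|member\|partner\)"`) is an unanchored substring match, so values such as `superadmin`, `member;`, or `member` with a trailing carriage return from a CRLF-saved CSV pass validation and are spliced verbatim into the JSON body posted to `$BRIG_HOST/teams/$TEAM_UUID/invitations`. Anchor it to the whole line, e.g. `grep -xq 'owner\|admin\|member\|partner'`, or use `case "$ROLE" in owner|admin|member|partner) ;; *) ROLE=member ;; esac`, so only the four exact values documented in the usage text are accepted; `export` is unnecessary for a variable used only inside this script. The same hunk also drops `"inviter_name":"Team admin"` from the request body without mention; the commit message should say whether brig no longer accepts that field.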
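Review bot: the new MLS section in `docs/legacy/reference/config-options.md` has several wording errors in the added lines: "This feature specifies how should behave" is missing its subject (presumably "how clients should behave"), "will allowing its user" should be "will allow its users", "listed ini `protocolToggleUsers`" should be "listed in", and "overriden" should be "overridden". The fenced `galley.yaml` block is untagged while the `searchVisibility` example earlier in the file uses a `yaml` fence; tag it `yaml` for consistent rendering, and the bare URL to the MLS ciphersuite table would read better as a markdown link.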
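Review bot: the `charts/openldap/templates/openldap.yaml` hunk only fixes the missing trailing newline, but the line it touches is `LDAP_ADMIN_PASSWORD` with the literal value `"admin"` in a Pod manifest; while here, consider sourcing it from a Secret (the chart already has `secret-newusers.yaml`) rather than a hardcoded plaintext value, even for a demo deployment.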