diff --git a/changelog.d/2-features/charts-brig-new-settings b/changelog.d/2-features/charts-brig-new-settings new file mode 100644 index 0000000000..c85317a69e --- /dev/null +++ b/changelog.d/2-features/charts-brig-new-settings @@ -0,0 +1,22 @@ +charts: Various new values can now be configured and some got changed + +Allow new configurations in the brig chart: +* `config.emailSMS.user.invitationUrl` +* `config.emailSMS.team.tInvitationUrl` +* `config.emailSMS.team.tActivationUrl` +* `config.emailSMS.team.tCreatorWelcomeUrl` +* `config.emailSMS.team.tMemberWelcomeUrl` +* `config.setProviderSearchFilter` +* `config.setWhitelist` +* `config.setFeatureFlags` +* `config.setCustomerExtensions` + +If any values in config.emailSMS.team are specified, all must be specified. + +Allow new configurations in the gundeck chart: +* `config.perNativePushConcurrency` +* `config.maxConcurrentNativePushes.soft` +* `config.maxConcurrentNativePushes.hard` + +Other changes: +* Default `maxTeamSize` changed to 10000 from 500. \ No newline at end of file diff --git a/changelog.d/2-features/no-aws-creds b/changelog.d/2-features/no-aws-creds new file mode 100644 index 0000000000..163d0ef3c5 --- /dev/null +++ b/changelog.d/2-features/no-aws-creds @@ -0,0 +1,2 @@ +charts/{brig,cargohol,galley,gundeck}: Allow not configuring AWS credentials and allow using a special service account. +This way, when operating wire in AWS cloud either instance profiles or IAM role attached to a service account can be used to communicate with AWS. \ No newline at end of file diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 2554de2a23..60faf48d1c 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml @@ -67,6 +67,9 @@ data: {{- if .dynamoDBEndpoint }} dynamoDBEndpoint: {{ .dynamoDBEndpoint | quote }} {{- end }} + {{- if .userJournalQueue }} + userJournalQueue: {{ .userJournalQueue | quote }} + {{- end }} {{- end }} internalEvents: 
@@ -112,7 +115,9 @@ data: activationUrl: {{ .emailSMS.user.activationUrl }} smsActivationUrl: {{ .emailSMS.user.smsActivationUrl }} passwordResetUrl: {{ .emailSMS.user.passwordResetUrl }} + {{- if .emailSMS.user.invitationUrl }} invitationUrl: {{ .emailSMS.user.invitationUrl }} + {{- end }} deletionUrl: {{ .emailSMS.user.deletionUrl }} {{- else }} activationUrl: {{ .externalUrls.nginz }}/activate?key=${key}&code=${code} @@ -138,6 +143,12 @@ data: {{- end }} team: + {{- if .emailSMS.team }} + tInvitationUrl: {{ .emailSMS.team.tInvitationUrl }} + tActivationUrl: {{ .emailSMS.team.tActivationUrl }} + tCreatorWelcomeUrl: {{ .emailSMS.team.tCreatorWelcomeUrl }} + tMemberWelcomeUrl: {{ .emailSMS.team.tMemberWelcomeUrl }} + {{- else }} {{- if .externalUrls.teamSettings }} tInvitationUrl: {{ .externalUrls.teamSettings }}/join/?team-code=${code} {{- else }} @@ -146,6 +157,7 @@ data: tActivationUrl: {{ .externalUrls.nginz }}/register?team=${team}&team_code=${code} tCreatorWelcomeUrl: {{ .externalUrls.teamCreatorWelcome }} tMemberWelcomeUrl: {{ .externalUrls.teamMemberWelcome }} + {{- end }} zauth: privateKeys: /etc/wire/brig/secrets/secretkey.txt @@ -226,6 +238,9 @@ data: {{- if .setSearchSameTeamOnly }} setSearchSameTeamOnly: {{ .setSearchSameTeamOnly }} {{- end }} + {{- if .setProviderSearchFilter }} + setProviderSearchFilter: {{ .setProviderSearchFilter }} + {{- end }} {{- if .setUserMaxPermClients }} setUserMaxPermClients: {{ .setUserMaxPermClients }} {{- end }} 
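Review bot: In the new `{{- if .emailSMS.team }}` branch each of the four `t*Url` keys is rendered straight from `.emailSMS.team`, so a partially specified team block (the changelog says all four must be given) renders the missing key with an empty value, e.g. `tActivationUrl:`, which brig then reads as null instead of the install failing. Wrapping each line with `required` turns that into a render-time error: `tInvitationUrl: {{ required "config.emailSMS.team.tInvitationUrl must be set when config.emailSMS.team is given" .emailSMS.team.tInvitationUrl }}`, and likewise for the other three. The `{{- end }}` that closes this new if/else only appears in the following hunk (`@@ -146,6 +157,7`), and the enclosing block these lines sit in starts outside the hunk.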
@@ -242,5 +257,16 @@ data: {{- if .setSftListAllServers }} setSftListAllServers: {{ .setSftListAllServers }} {{- end }} + {{- if .setWhitelist }} + setWhitelist: {{ toYaml .setWhitelist | nindent 8 }} + {{- end }} + {{- if .setFeatureFlags }} + setFeatureFlags: {{ toYaml .setFeatureFlags | nindent 8 }} + {{- end }} + # Customer extensions. If this is not part of your contract with wire, use at your own risk! + # Details: https://github.com/wireapp/wire-server/blob/3a21a82a1781f0d128f503df6a705b0b5f733d7b/services/brig/src/Brig/Options.hs#L465-L503 + {{- if .setCustomerExtensions }} + setCustomerExtensions: {{ toYaml .setCustomerExtensions | nindent 8 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/brig/templates/deployment.yaml b/charts/brig/templates/deployment.yaml index c01004b462..36de44ba80 100644 --- a/charts/brig/templates/deployment.yaml +++ b/charts/brig/templates/deployment.yaml @@ -29,6 +29,7 @@ spec: checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }} fluentbit.io/parser: json spec: + serviceAccountName: {{ .Values.serviceAccount.name }} volumes: - name: "brig-config" configMap: @@ -53,6 +54,7 @@ spec: env: - name: LOG_LEVEL value: {{ .Values.config.logLevel }} + {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: @@ -63,6 +65,7 @@ spec: secretKeyRef: name: brig key: awsSecretKey + {{- end }} # TODO: Is this the best way to do this? - name: AWS_REGION value: "{{ .Values.config.aws.region }}" diff --git a/charts/brig/templates/secret.yaml b/charts/brig/templates/secret.yaml index 46003f7633..55d90ff9eb 100644 --- a/charts/brig/templates/secret.yaml +++ b/charts/brig/templates/secret.yaml 
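Review bot: `setWhitelist: {{ toYaml .setWhitelist | nindent 8 }}` copies the whole whitelist block into the ConfigMap; if that block carries the credentials brig presents to the whitelist service (the upstream `Brig.Options` whitelist type has user/password fields — confirm against the Options.hs revision linked in the comment), they end up in a ConfigMap and in `helm get values` output instead of the chart's Secret. At least state that in `values.yaml` next to the new key, or check whether those fields can be fed from `.Values.secrets` like the other credentials this chart handles. Separately, the two `# Customer extensions` comment lines sit outside `{{- if .setCustomerExtensions }}`, so they are emitted into every rendered config; moving them inside the `if` or turning them into `{{/* ... */}}` template comments keeps the rendered file clean.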
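Review bot: The env entries are gated on `hasKey .Values.secrets "awsKeyId"` (key present), while `charts/brig/templates/secret.yaml` in this commit gates the data on `{{- if .awsKeyId }}` (value truthy); a values file carrying `awsKeyId: ""` passes the first test and fails the second, so the pod references a `brig`/`awsKeyId` secret key that was never rendered and cannot start. Use one predicate in both places — in secret.yaml, assuming `.` there is `.Values.secrets` as the `$.Values.config.useSES` reference suggests, `{{- if hasKey . "awsKeyId" }}` matches this hunk and the galley/gundeck secrets, which already gate on `hasKey`. The same mismatch exists between the cargohold deployment and secret hunks. The `if` opened in `@@ -53,6 +54,7` is closed in `@@ -63,6 +65,7`, with the head of the second env entry between them outside both hunks.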
@@ -16,8 +16,10 @@ data: secretkey.txt: {{ .zAuth.privateKeys | b64enc | quote }} publickey.txt: {{ .zAuth.publicKeys | b64enc | quote }} turn-secret.txt: {{ .turn.secret | b64enc | quote }} + {{- if .awsKeyId }} awsKeyId: {{ .awsKeyId | b64enc | quote }} awsSecretKey: {{ .awsSecretKey | b64enc | quote }} + {{- end }} twilio-credentials.yaml: {{ .setTwilio | b64enc | quote }} nexmo-credentials.yaml: {{ .setNexmo | b64enc | quote }} {{- if (not $.Values.config.useSES) }} diff --git a/charts/brig/templates/serviceaccount.yaml b/charts/brig/templates/serviceaccount.yaml new file mode 100644 index 0000000000..48800b82bd --- /dev/null +++ b/charts/brig/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name }} + labels: + wireService: brig + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml index 9751bc1cff..ef9176644b 100644 --- a/charts/brig/values.yaml +++ b/charts/brig/values.yaml @@ -64,7 +64,7 @@ config: retryAfter: 86400 setRichInfoLimit: 5000 setDefaultUserLocale: en - setMaxTeamSize: 500 + setMaxTeamSize: 10000 setMaxConvSize: 500 # Allowed values: https://github.com/wireapp/wire-server/blob/0126651a25aabc0c5589edc2b1988bb06550a03a/services/brig/src/Brig/Options.hs#L304-L306 # Description: https://github.com/wireapp/wire-server/blob/0126651a25aabc0c5589edc2b1988bb06550a03a/services/brig/src/Brig/Options.hs#L290-L299 
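Review bot: The new ServiceAccount renders `automountServiceAccountToken` from values whose default is `true`, so every brig pod now mounts a Kubernetes API token although nothing in this diff gives brig a reason to talk to the API server; the account exists for cloud IAM binding. Consider defaulting `serviceAccount.automountServiceAccountToken` to `false` and documenting when an operator must enable it (check whether the identity mechanism of the cloud providers you support needs the mounted token), so a pod with no IAM role attached stays at least privilege. The same template is added unchanged for cargohold, galley and gundeck and would take the same default.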
@@ -92,3 +92,12 @@ turnStatic: - turn:localhost:3478?transport=tcp tests: enableFederationTests: false +serviceAccount: + # When setting this to 'false', either make sure that a service account named + # 'brig' exists or change the 'name' field to 'default' + create: true + name: brig + annotations: {} + automountServiceAccountToken: true + +secrets: {} diff --git a/charts/cargohold/templates/deployment.yaml b/charts/cargohold/templates/deployment.yaml index bac478c52a..25146020f5 100644 --- a/charts/cargohold/templates/deployment.yaml +++ b/charts/cargohold/templates/deployment.yaml @@ -27,6 +27,7 @@ spec: checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }} spec: + serviceAccountName: {{ .Values.serviceAccount.name }} volumes: - name: "cargohold-config" configMap: @@ -44,6 +45,7 @@ spec: - name: "cargohold-config" mountPath: "/etc/wire/cargohold/conf" env: + {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: @@ -54,6 +56,7 @@ spec: secretKeyRef: name: cargohold key: awsSecretKey + {{- end }} - name: AWS_REGION value: "{{ .Values.config.aws.region }}" {{- with .Values.config.proxy }} diff --git a/charts/cargohold/templates/secret.yaml b/charts/cargohold/templates/secret.yaml index b5d3c13359..504d06584d 100644 --- a/charts/cargohold/templates/secret.yaml +++ b/charts/cargohold/templates/secret.yaml @@ -16,7 +16,9 @@ data: {{ if .cloudFront }} cf-pk.pem: {{ .cloudFront.cfPrivateKey | b64enc | quote }} {{ end }} - + + {{- if .awsKeyId }} awsKeyId: {{ .awsKeyId | b64enc | quote }} awsSecretKey: {{ .awsSecretKey | b64enc | quote }} {{- end }} + {{- end }} diff --git a/charts/cargohold/templates/serviceaccount.yaml b/charts/cargohold/templates/serviceaccount.yaml new file mode 100644 index 0000000000..0460ce90d4 --- /dev/null +++ b/charts/cargohold/templates/serviceaccount.yaml 
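Review bot: `annotations: {}` and `secrets: {}` are added without a word of explanation, although the annotations are the only hook the new ServiceAccount template offers for attaching the IAM role the changelog describes, and `secrets: {}` is what makes `hasKey .Values.secrets "awsKeyId"` safe to evaluate when no static credentials are supplied. Suggest above `annotations`: `# Annotations for the ServiceAccount, e.g. the one that binds a cloud IAM role to it (on EKS: eks.amazonaws.com/role-arn)`, and above `secrets` a comment saying `awsKeyId`/`awsSecretKey` are optional and that leaving them out makes brig rely on the instance profile or the role attached to the service account. The cargohold, galley and gundeck `values.yaml` hunks add the same block and would take the same comments.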
@@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name }} + labels: + wireService: cargohold + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/cargohold/values.yaml b/charts/cargohold/values.yaml index 91d97e1d99..b72ebb6b7b 100644 --- a/charts/cargohold/values.yaml +++ b/charts/cargohold/values.yaml @@ -19,3 +19,12 @@ config: region: "eu-west-1" s3Bucket: assets proxy: {} +serviceAccount: + # When setting this to 'false', either make sure that a service account named + # 'cargohold' exists or change the 'name' field to 'default' + create: true + name: cargohold + annotations: {} + automountServiceAccountToken: true + +secrets: {} diff --git a/charts/galley/templates/configmap.yaml b/charts/galley/templates/configmap.yaml index 84ecb20378..d12801abdc 100644 --- a/charts/galley/templates/configmap.yaml +++ b/charts/galley/templates/configmap.yaml @@ -43,7 +43,7 @@ data: {{- if (.journal) }} journal: - queueName: {{ .journal.queue }} + queueName: {{ .journal.queueName }} endpoint: {{ .journal.endpoint }} {{- end }} diff --git a/charts/galley/templates/deployment.yaml b/charts/galley/templates/deployment.yaml index 9f38c9a4d7..3f8f4344fe 100644 --- a/charts/galley/templates/deployment.yaml +++ b/charts/galley/templates/deployment.yaml 
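Review bot: `queueName: {{ .journal.queueName }}` renames the values key from `journal.queue` with no fallback, so an existing values file that still sets `config.journal.queue` now renders `queueName:` with an empty value, and neither changelog entry in this commit mentions the rename (only `hack/helm_vars/wire-server/values.yaml.gotmpl` is updated to match). Making the new key mandatory inside the `{{- if (.journal) }}` guard fails loudly instead: `queueName: {{ required "config.journal.queueName must be set when journal is configured" .journal.queueName }}`; a changelog line for the rename would complete the change.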
@@ -27,23 +27,20 @@ spec: checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }} spec: + serviceAccountName: {{ .Values.serviceAccount.name }} volumes: - name: "galley-config" configMap: name: "galley" - - name: "galley-secrets" - secret: - secretName: "galley" containers: - name: galley image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} volumeMounts: - - name: "galley-secrets" - mountPath: "/etc/wire/galley/secrets" - name: "galley-config" mountPath: "/etc/wire/galley/conf" env: + {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: @@ -54,6 +51,7 @@ spec: secretKeyRef: name: galley key: awsSecretKey + {{- end }} - name: AWS_REGION value: "{{ .Values.config.aws.region }}" {{- with .Values.config.proxy }} diff --git a/charts/galley/templates/secret.yaml b/charts/galley/templates/secret.yaml index 0579bd5e4c..449be3903f 100644 --- a/charts/galley/templates/secret.yaml +++ b/charts/galley/templates/secret.yaml @@ -1,3 +1,4 @@ +{{- if hasKey .Values.secrets "awsKeyId" }} apiVersion: v1 kind: Secret metadata: @@ -13,3 +14,4 @@ data: awsKeyId: {{ .awsKeyId | b64enc | quote }} awsSecretKey: {{ .awsSecretKey | b64enc | quote }} {{- end }} +{{- end }} diff --git a/charts/galley/templates/serviceaccount.yaml b/charts/galley/templates/serviceaccount.yaml new file mode 100644 index 0000000000..32c155679f --- /dev/null +++ b/charts/galley/templates/serviceaccount.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name }} + labels: + wireService: galley + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml index 91f5d52384..a070ebea49 100644 --- a/charts/galley/values.yaml +++ b/charts/galley/values.yaml @@ -21,7 +21,7 @@ config: replicaCount: 3 enableFederator: false # keep enableFederator default in sync with brig and cargohold chart's config.enableFederator as well as wire-server chart's tag.federator settings: - maxTeamSize: 500 + maxTeamSize: 10000 maxConvSize: 500 # Before making indexedBillingTeamMember true while upgrading, please # refer to notes here: https://github.com/wireapp/wire-server-deploy/releases/tag/v2020-05-15 @@ -48,3 +48,12 @@ config: aws: region: "eu-west-1" proxy: {} +serviceAccount: + # When setting this to 'false', either make sure that a service account named + # 'galley' exists or change the 'name' field to 'default' + create: true + name: galley + annotations: {} + automountServiceAccountToken: true + +secrets: {} diff --git a/charts/gundeck/templates/configmap.yaml b/charts/gundeck/templates/configmap.yaml index 69d9b1a527..44646a6c18 100644 --- a/charts/gundeck/templates/configmap.yaml +++ b/charts/gundeck/templates/configmap.yaml 
@@ -50,7 +50,13 @@ data: httpPoolSize: 1024 notificationTTL: 2419200 bulkPush: {{ .bulkPush }} + {{- if hasKey . "perNativePushConcurrency" }} + perNativePushConcurrency: {{ .perNativePushConcurrency }} + {{- end }} maxConcurrentNativePushes: - soft: 1000 + soft: {{ .maxConcurrentNativePushes.soft }} + {{- if hasKey .maxConcurrentNativePushes "hard" }} + hard: {{ .maxConcurrentNativePushes.hard }} + {{- end }} # hard: 30 # more than this number of threads will not be allowed {{- end }} diff --git a/charts/gundeck/templates/deployment.yaml b/charts/gundeck/templates/deployment.yaml index 6bf4104a4d..4ff4ef0185 100644 --- a/charts/gundeck/templates/deployment.yaml +++ b/charts/gundeck/templates/deployment.yaml @@ -27,23 +27,20 @@ spec: checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }} spec: + serviceAccountName: {{ .Values.serviceAccount.name }} volumes: - name: "gundeck-config" configMap: name: "gundeck" - - name: "gundeck-secrets" - secret: - secretName: "gundeck" containers: - name: gundeck image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} volumeMounts: - - name: "gundeck-secrets" - mountPath: "/etc/wire/gundeck/secrets" - name: "gundeck-config" mountPath: "/etc/wire/gundeck/conf" env: + {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: @@ -54,6 +51,7 @@ spec: secretKeyRef: name: gundeck key: awsSecretKey + {{- end }} - name: AWS_REGION value: "{{ .Values.config.aws.region }}" {{- with .Values.config.proxy }} diff --git a/charts/gundeck/templates/secret.yaml b/charts/gundeck/templates/secret.yaml index 2a90daca95..e9de2b6979 100644 --- a/charts/gundeck/templates/secret.yaml +++ b/charts/gundeck/templates/secret.yaml @@ -1,3 +1,4 @@ +{{- if hasKey .Values.secrets "awsKeyId" }} apiVersion: v1 kind: Secret metadata: 
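Review bot: The context line `# hard: 30 # more than this number of threads will not be allowed` now follows the conditional `hard: {{ .maxConcurrentNativePushes.hard }}`, so every rendered config carries a commented-out value that contradicts whatever the operator set through values. Move that explanation to `charts/gundeck/values.yaml` next to the new `# perNativePushConcurrency: 32` line, as `# hard: 30  # more than this number of threads will not be allowed`, and drop it from the template. Gating both new keys on `hasKey` rather than `{{- if }}` is the right choice here since it keeps `0` representable, unlike the truthiness tests used elsewhere in these charts.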
@@ -13,3 +14,4 @@ data: awsKeyId: {{ .awsKeyId | b64enc | quote }} awsSecretKey: {{ .awsSecretKey | b64enc | quote }} {{- end }} +{{- end }} diff --git a/charts/gundeck/templates/serviceaccount.yaml b/charts/gundeck/templates/serviceaccount.yaml new file mode 100644 index 0000000000..93de4b25f5 --- /dev/null +++ b/charts/gundeck/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name }} + labels: + wireService: gundeck + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/gundeck/values.yaml b/charts/gundeck/values.yaml index f199887845..618c7cf867 100644 --- a/charts/gundeck/values.yaml +++ b/charts/gundeck/values.yaml @@ -28,3 +28,15 @@ config: aws: region: "eu-west-1" proxy: {} + # perNativePushConcurrency: 32 + maxConcurrentNativePushes: + soft: 1000 +serviceAccount: + # When setting this to 'false', either make sure that a service account named + # 'gundeck' exists or change the 'name' field to 'default' + create: true + name: gundeck + annotations: {} + automountServiceAccountToken: true + +secrets: {} diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml index 329a3a277e..c0f35c83e6 100644 --- a/charts/nginz/values.yaml +++ b/charts/nginz/values.yaml @@ -97,8 +97,6 @@ nginx_conf: - all disable_zauth: true - path: /users - envs: - - all envs: - all doc: true diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl index a38bce4118..8d5c08b34a 100644 --- a/hack/helm_vars/wire-server/values.yaml.gotmpl +++ b/hack/helm_vars/wire-server/values.yaml.gotmpl 
@@ -162,7 +162,7 @@ galley: domains: ["example.com"] journal: endpoint: http://fake-aws-sqs:4568 - queue: integration-team-events.fifo + queueName: integration-team-events.fifo secrets: awsKeyId: dummykey awsSecretKey: dummysecret