Release 2022-05-18 - (expected chart version 4.12.0) #2411
Merged
* Prevent PROXY protocol clients from accessing metrics endpoint. * Update changelog for nginz configuration change.
Merge master back to develop for release 2022-04-25
* Apply versionMiddleware last This makes sure that every other middleware sees the rewritten (unversioned) path. In particular, the prometheus middleware will now only see paths it knows about, which prevents it from reporting "N/A" as the path.
This PR:
* allows configuring gundeck to write to an additional redis (cluster or master mode), optionally. Reads will happen from the main redis.
* adds a test for the redis-migration scenario: configure to write to two redises (old and new); insert some data; configure only the new redis as default redis, read, ensure data is present.
* adds redis-cluster in docker-compose for local integration tests (a little more CPU/RAM needed)
* adds redis-cluster wrapper helm chart for CI/kubernetes-based integration tests (and more generally also for on-premise deployments). redis-cluster requires dynamic persistent volume provisioning present on the cluster, which was introduced in our kube-ci cluster with zinfra/cailleach#1037
Drive-by refactoring change (not strictly needed on this PR):
* [Move cannon's internal API type to wire-api](7ace63f)
Related to zinfra/cailleach#1021
This is needed to perform a smooth no-downtime migration from one redis to another as detailed in https://github.com/zinfra/cailleach/blob/master/targets/wire/notes-redis-migration.md#how-to-migrate-traffic-from-redis-in-ec2classic-to-redis-in-eks
Co-authored-by: Akshay Mankar <akshay@wire.com>
* Move old /docs to /docs/legacy, leaving symlinks behind. * Link every file individually, making sure URLs into github keep working. * Fixup * Special case: cassandra-dump.cql * Special case: wire_scim_token.py * Changelog
Fix markdown links in RST changelog
Co-authored-by: Zebot <zebot@users.noreply.github.com>
…#2306) * Generalise the Spar.Sem.Logger effect - The logging level in the log action is not SAML-specific anymore * Move the Logger effect into polysemy-wire-zoo * Use the new Logger effect in Galley and Federator
It's needed by hack/bin/serve-charts.sh .
If the FEATURE_ENABLE_PAYMENT feature flag is set by envVars, do not render it again. Otherwise, we might end up in confusing cases like: The flag was set to true, but it's additionally rendered with a default to false.
Actually, this redis runs in "master" mode on that port (from docker-compose). There are other redises launched on other ports that run in cluster mode. Redis part of cluster: https://github.com/wireapp/wire-server/blob/develop/deploy/dockerephemeral/docker-compose.yaml#L98 (ports 6373 - 6378). Redis standalone in master mode on port 6379: https://github.com/wireapp/wire-server/blob/develop/deploy/dockerephemeral/docker-compose.yaml#L77
Add back x86_64-darwin builds, so we can ensure the dev-env builds on MacOS, and devs on Mac have a cache to substitute from, instead of waiting for builds to finish locally.
The assertion was (very rarely) picking up a connection event between alice and bob, and failing. Since bob is irrelevant to the test, this commit removes bob and the related assertion altogether.
* Log IO exceptions in brig * Log IO exceptions in Galley
* Use a new internal endpoint to insert a key package ref for a remote client Co-authored-by: Stefan Matting <stefan@wire.com>
* Brig: Start turn discovery when the App starts, instead of starting it when the `Env` is created. This aligns the service discovery of TURN with that of SFT. In next commits, SRV based discovery for TURN will be implemented.
* Brig: Refactor SFT discovery to extract generic SRV discovery code
* Brig: Refactor SFT Discovery tests
* Simplify sftDiscoveryLoop tests and make them srvDiscoveryLoop tests. Introduce a Delay Effect to deal with threadDelay and mock it to get rid of wait loop in tests
* CHANGELOG
Added convert-to-cabal and stern docs to /docs.
Instead of generating `String` values, which might be invalid for the file system encoding in some locales, generate bytestrings directly and encode them as paths.
Co-authored-by: Paolo Capriotti <paolo@capriotti.io>
Co-authored-by: Zebot <zebot@users.noreply.github.com>
We were previously using IN queries when fetching multiple conversations. This can cause performance issues, as cassandra needs to contact all nodes.
Co-authored-by: jschaul <jschaul@users.noreply.github.com>
…d configurability (#2401)
* Allow more fine-grained control over what services are installed. (e.g. allow webapp/fakeS3 to not be installed, and federator dns name to not be set if not using federator)
* Upgrade Certificate/Issuer resources: If using [cert-manager](https://github.com/cert-manager/cert-manager), you need to have at least version 1.0.0 installed (0.15.X will no longer work).
Related to zinfra/cailleach#1079
Co-authored-by: Akshay Mankar <akshay@wire.com>
…scim-before-the-user-registered (#2396)
This was missed in #2401
battermann approved these changes on May 18, 2022
[2022-05-18] (Chart Release 4.12.0)
Release notes
If using cert-manager, you need to have at least version 1.0.0 (1.8.0 works at the time of writing) installed. Older cert-manager 0.15.X will no longer work. (chart/nginx-ingress-services: upgrade resources and allow fine-grained configurability #2401)
Upgrade team-settings version to 4.9.0-v0.29.7-0-142a76f (Update team-settings version in Helm chart [skip ci] #2180)
API changes
Start version 2 of the public API. Main changes:
* Remove the v3 and v4 suffixes. So for example /assets/v3 has been replaced by /assets.
* GET /conversations/:conv/assets/:id and GET /conversations/:conv/otr/assets/:id have been removed.
* GET /assets/:key/v3 has been removed. Use the qualified endpoint GET /assets/:domain/:key instead.
* DELETE /assets/:key/v3 has been removed. Use the qualified endpoint DELETE /assets/:domain/:key instead.
* GET /connections has been removed. Use POST /list-connections instead.
* POST /connections has been removed. Use POST /connections/:domain/:user instead.
* PUT /connections/:domain/:user has been removed: use POST instead.
* GET /conversations has been removed. Use POST /conversations/list-ids followed by POST /conversations/list instead.
* POST /conversations/list/v2 has been replaced by POST /conversations/list.
* POST /conversations/:domain/:conv/members/v2 has lost its v2 suffix, so it is now POST /conversations/:domain/:conv/members.
* GET /users, GET /users/by-handle and GET /users/handles have been removed. Use POST /search/contacts instead.
* GET /users/:id has been removed. Use the qualified endpoint GET /users/:domain/:id instead.
* GET /users/:id/clients has been removed. Use the qualified endpoint GET /users/:domain/:id/clients instead.
* GET /users/:id/clients/:client has been removed. Use the qualified endpoint GET /users/:domain/:id/clients/:client instead.
Swagger documentation for the previous version of the API can be accessed at /v1/api/swagger-ui. (API versioning #2297)
A new field development has been added to the object returned by GET /api-version. Versions listed there are considered in flux, meaning that the corresponding API contracts can change arbitrarily over time. Clients are free to use development versions, as long as they are also listed in supported, and failures due to incompatibilities are acceptable (e.g. in testing environments). Backends are the authoritative source on whether a development version can be used at all. If a development version should not be used, the backend will not list it among the supported versions at all. (API versioning #2297)
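The negotiation rules in the two paragraphs above (highest common version, development versions only on opt-in, and only when the backend also lists them as supported) as an added example in Python. This is not wire-server code; the client version list, the sample response body and the helper names are assumptions made here, and the same selection is applied in the last function to the backend-to-backend case described under "Federation changes" below, on the assumption that a backend speaks as a client with its own supported list.

```python
from typing import Dict, Iterable, List, Optional

# Constructed sample body for GET /api-version. The field names "supported"
# and "development" are from the changelog; the version numbers are invented.
SAMPLE_API_VERSION_RESPONSE: Dict[str, List[int]] = {
    "supported": [0, 1, 2],
    "development": [2],
}

# Versions a hypothetical client was built and tested against.
CLIENT_VERSIONS: List[int] = [0, 1, 2]


def parse_api_version(body: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Normalise a GET /api-version body.

    Backends that predate the "development" field omit it; treat a missing
    field as "no development versions" rather than failing.
    """
    return {
        "supported": list(body.get("supported", [])),
        "development": list(body.get("development", [])),
    }


def negotiate_version(
    client_versions: Iterable[int],
    body: Dict[str, List[int]],
    allow_development: bool = False,
) -> Optional[int]:
    """Pick the highest version both sides can speak, or None if there is none.

    * The backend is authoritative: only versions under "supported" are
      usable at all. A version that appears under "development" but not
      under "supported" is never selected, whatever the client asks for.
    * A version under "development" is in flux, so it is only chosen when
      the caller explicitly opts in (e.g. a test environment).
    """
    info = parse_api_version(body)
    candidates = set(client_versions) & set(info["supported"])
    if not allow_development:
        candidates -= set(info["development"])
    return max(candidates) if candidates else None


def versioned_path(version: int, path: str) -> str:
    """Prefix an unversioned request path with the negotiated version,
    e.g. versioned_path(1, "/assets") -> "/v1/assets"."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    return f"/v{version}{path}"


def negotiate_with_remote_backend(
    local_body: Dict[str, List[int]],
    remote_body: Dict[str, List[int]],
    allow_development: bool = False,
) -> Optional[int]:
    """Federation case (assumption): the local backend offers the versions it
    itself lists as supported, and the remote backend's /api-version body
    decides which of those are acceptable."""
    local = parse_api_version(local_body)
    return negotiate_version(local["supported"], remote_body, allow_development)


if __name__ == "__main__":
    print(negotiate_version(CLIENT_VERSIONS, SAMPLE_API_VERSION_RESPONSE))
    print(negotiate_version(CLIENT_VERSIONS, SAMPLE_API_VERSION_RESPONSE, allow_development=True))
```

A production client should also refuse to proceed when `negotiate_version` returns None instead of silently falling back to an unversioned path, since an older backend that does not know a version will not reject the request on that basis.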
Features
charts: Various new values can now be configured and some got changed.
Allow new configurations in the brig chart:
* config.emailSMS.user.invitationUrl
* config.emailSMS.team.tInvitationUrl
* config.emailSMS.team.tActivationUrl
* config.emailSMS.team.tCreatorWelcomeUrl
* config.emailSMS.team.tMemberWelcomeUrl
* config.setProviderSearchFilter
* config.setWhitelist
* config.setFeatureFlags
* config.setCustomerExtensions
If any values in config.emailSMS.team are specified, all must be specified.
Allow new configurations in the gundeck chart:
* config.perNativePushConcurrency
* config.maxConcurrentNativePushes.soft
* config.maxConcurrentNativePushes.hard
Other changes:
* maxTeamSize changed to 10000 from 500. (Adapt wire-server charts so they can be used to run wire cloud #2347)
charts/nginx-ingress-services: Allow more fine-grained control over what services are installed. Upgrade Certificate/Issuer resources to 'cert-manager.io/v1' (chart/nginx-ingress-services: upgrade resources and allow fine-grained configurability #2401)
MLS implementation progress:
charts/{brig,cargohold,galley,gundeck}: Allow not configuring AWS credentials and allow using a special service account. This way, when operating wire in AWS cloud, either instance profiles or an IAM role attached to a service account can be used to communicate with AWS. (Adapt wire-server charts so they can be used to run wire cloud #2347)
Implement TURN service discovery using SRV records (Brig: Implement TURN service discovery using SRV records #2389)
Bug fixes and other updates
When config.enablePayment and FEATURE_ENABLE_PAYMENT (envVars) were set, the team-settings feature flag FEATURE_ENABLE_PAYMENT was rendered two times. The new behavior is to give the envVars entry priority, i.e. when it's set, it's used instead of the config.enablePayment value. (Prevent duplicated rendering of FEATURE_ENABLE_PAYMENT #2332)
Modify the nginz access control configuration to prevent clients connecting to listeners with PROXY protocol enabled (such as the websocket listener) from accessing a private metrics endpoint. (Prevent PROXY protocol clients from accessing metrics endpoint. #2307)
Verification email is sent when external id is updated via SCIM (SQSERVICES-377 fix email verification when external id is updated via SCIM #2374)
Documentation
Move old /docs to /docs/legacy (leaving references). (Move old /docs to /docs/legacy (leaving references) #2328)
Fixup for docs: add latex to docs and publish pdf if exists #2321 (Fixup for #2321 #2323)
Add pagination docs to POST /list-connections (Add pagination docs to list-connections #2369)
Documentation for the 2nd factor password challenge feature ([DOC] SQSERVICES-1500 Document 2nd Factor Password Challenge Team Feature #2329)
Documentation on how to enforce desktop application only for web app (Sqservices 1505 doc 1 4 #2334)
Documentation on how to enforce constant bit rate for all calls (Sqservices 1507 doc 1 11 #2336)
Documentation on how to disable media plugins for the web app (SQSERVICES-1503-doc-1-1 #2337)
Documentation on how to add extra entropy in the web app (SQSERVICES-1506-doc-1-5 #2338)
Documentation on how to set the instance connection parameters and proxy settings (SQSERVICES-1504-doc-1-3 #2340)
Merged SAML/SCIM docs with its main documentation (#PR_NOT_FOUND)
Internal changes
View and change team feature permissions apply to all features now (SQSERVICES-1530 view and change team feature permission not by individual feature #2402)
Add sed to direnv (Add "sed" to direnv #2319)
Add python3 to nix development environment. It's needed by hack/bin/serve-charts.sh . (Add python3 dependency to nix development environment #2333)
Add a target to the Makefile to run ShellCheck. I.e. to run a linter on shell scripts. This will be used in the CI. For now, all scripts with linter issues are excluded from this check. (Add ShellCheck linter target #2361)
Drop snappy support from bonanza (Drop snappy support from bonanza #2350)
Use cabal in buildah-based builds (buildah-docker: use cabal instead of stack #2341)
Fix flakiness of path traversal test (Attempt to fix flakyness of path traversal test #2387)
Github Actions: disable mac builds (Github Actions: disable mac builds #2355)
Apply versionMiddleware last. This makes sure that every other middleware sees the rewritten (unversioned) path. In particular, the prometheus middleware will now only see paths it knows about, which prevents it from reporting "N/A" as the path. (Fix versioned metrics #2316)
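The middleware-ordering point in the item above, as an added example in Python rather than the project's Haskell; this is not wire-server code. It models each middleware as a function wrapping a WSGI-style app, so "applied last" means outermost, i.e. first to run on a request. The route table, the /vN prefix pattern and the "N/A" label are assumptions made here to reproduce the symptom described.

```python
import re
from collections import Counter
from typing import Callable, Dict, Tuple

Environ = Dict[str, object]
App = Callable[[Environ], Tuple[int, str]]

# Hypothetical set of unversioned routes the metrics middleware has labels for.
KNOWN_PATHS = {"/assets", "/list-connections", "/api-version"}

# Leading /v<N> prefix of a versioned request path, e.g. /v2/assets.
VERSION_PREFIX = re.compile(r"^/v(\d+)(/.*)?$")


def version_middleware(app: App) -> App:
    """Strip a leading /vN, record N, and pass the unversioned path inward."""
    def wrapped(environ: Environ) -> Tuple[int, str]:
        match = VERSION_PREFIX.match(str(environ["PATH_INFO"]))
        if match:
            environ = dict(environ)  # do not mutate the caller's environ
            environ["API_VERSION"] = int(match.group(1))
            environ["PATH_INFO"] = match.group(2) or "/"
        return app(environ)
    return wrapped


def metrics_middleware(app: App, counter: Counter) -> App:
    """Count requests per known path; anything else is labelled N/A,
    which is the symptom the fix above removes."""
    def wrapped(environ: Environ) -> Tuple[int, str]:
        path = str(environ["PATH_INFO"])
        counter[path if path in KNOWN_PATHS else "N/A"] += 1
        return app(environ)
    return wrapped


def handler(environ: Environ) -> Tuple[int, str]:
    """Innermost app: echoes the path it was given."""
    return 200, str(environ["PATH_INFO"])


def build_stack(version_last: bool) -> Tuple[App, Counter]:
    counter: Counter = Counter()
    if version_last:
        # versionMiddleware applied last = outermost: metrics sees /assets
        stack = version_middleware(metrics_middleware(handler, counter))
    else:
        # versionMiddleware applied first = innermost: metrics sees /v2/assets
        stack = metrics_middleware(version_middleware(handler), counter)
    return stack, counter


def observed_metric_label(version_last: bool, request_path: str) -> str:
    """Return the single label the metrics middleware recorded for one request."""
    stack, counter = build_stack(version_last)
    stack({"PATH_INFO": request_path})
    (label,) = counter.keys()
    return label


if __name__ == "__main__":
    print("version last :", observed_metric_label(True, "/v2/assets"))
    print("version first:", observed_metric_label(False, "/v2/assets"))
```

The same ordering matters for any middleware keyed on the path, for example rate limiting or access control lists: if those run before the version prefix is stripped, a versioned request can miss a rule written for the unversioned route.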
Upgrade version of libzauth dependencies, notably sodiumoxide bindings to libsodium, and fix resulting errors and warnings. (update deps of libzauth #2327)
libzauth: Update sha256 for source in nix expression (libzauth: Update sha256 for source in nix expression #2354)
Log IO exceptions in Galley and Brig (Log IO exceptions in Brig and Galley #2385)
Generalise and move the Logger effect ([Polysemy] Generalise and Move the Logger Effect to polysemy-wire-zoo #2306)
Fix a comment in a Makefile target (Fix a comment in a Makefile target #2330)
Fix flaky MLS conversation creation test (Fix flaky MLS conversation creation test #2386)
Fix flaky key package test (Fix flaky key package test #2384)
Fix locale variables in Nix and .envrc (Fix locale variables in Nix and .envrc #2393)
Team Member API has been migrated to Servant (SQSERVICES-1012-backend-servantify-galley-team-member-api #2309)
Integration test for edge case: change external id before account registration (SQSERVICES-1538-be-email-cannot-be-activated-when-it-was-changed-via-scim-before-the-user-registered #2396)
Allow specifying 'redisAdditionalWrite' for a secondary redis to which gundeck will write in the context of a redis migration without downtime. (Additional redis write #2304)
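The dual-write migration scenario from the item above (and from the #2304 PR description earlier on this page: write to old and new, read from the main redis, then switch the default) as an added example in Python with dicts standing in for the two redis connections. This is not gundeck code; the class name, key names and the three-step scenario are assumptions made here.

```python
from typing import Dict, Optional


class DualWriteStore:
    """In-memory stand-in for a service that has a main redis and an optional
    additional write target (the 'redisAdditionalWrite' idea above)."""

    def __init__(self, primary: Dict[str, str], additional_write: Optional[Dict[str, str]] = None):
        self.primary = primary
        self.additional_write = additional_write

    def set(self, key: str, value: str) -> None:
        """Every write lands in the primary and, if configured, in the additional redis."""
        self.primary[key] = value
        if self.additional_write is not None:
            self.additional_write[key] = value

    def get(self, key: str) -> Optional[str]:
        """Reads only ever consult the primary; the additional redis is write-only."""
        return self.primary.get(key)


def run_migration_scenario() -> Dict[str, Optional[str]]:
    """Walk through old -> dual write -> new and report what each phase can read."""
    old: Dict[str, str] = {}
    new: Dict[str, str] = {}

    # Step 0 (before the migration): only the old redis is configured.
    DualWriteStore(old).set("push:before-dual-write", "a")

    # Step 1: enable the additional write; reads still come from old.
    dual = DualWriteStore(old, additional_write=new)
    dual.set("push:during-dual-write", "b")
    read_during = dual.get("push:during-dual-write")

    # Step 2: make the new redis the default and drop the additional write.
    switched = DualWriteStore(new)
    return {
        "read_during_dual_write": read_during,
        "after_switch_dual_written": switched.get("push:during-dual-write"),
        "after_switch_pre_existing": switched.get("push:before-dual-write"),
    }


if __name__ == "__main__":
    for name, value in run_migration_scenario().items():
        print(f"{name}: {value!r}")
```

The last result is the edge case to plan for: a key written before the additional write was enabled never reaches the new redis, so the cut-over must wait until such data no longer matters (for example because it has expired) or is copied by some other means. The wire notes linked from the #2304 description cover the procedure they actually used; this example only shows why the ordering of the steps matters.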
Start TURN discovery only when the app starts and not when the Env is created (Brig: Prepare for TURN Discovery using SRV records #2376)
Avoid using IN queries for fetching multiple conversations (Replace IN queries for convs with async #2397)
Remove oromolu GH action (has been moved to concourse https://github.com/zinfra/cailleach/pull/1033) (Remove oromolu Github action #2320)
Remove unused data type AllowedUserSearch (Remove unused data type AllowedUserSearch #2373)
docs: add latex to docs and publish pdf if exists (docs: add latex to docs and publish pdf if exists #2321)
Federation changes
We now fetch version information from other backends and negotiate a version to use. (API versioning #2297)
Fix assertion in testWelcomeNoKey (Fix assertion in testWelcomeNoKey #2372)
Support remote welcome messages ([FS-507] Support for Remote Welcome Messages #2368)
Implement remote admin action: Update receipt mode (Implement remote admin action: Update receipt mode #2141)