Skip to content
Merged
Show file tree
Hide file tree
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions changelog.d/3-bug-fixes/charts-minor-fixes
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Minor fixes in helmcharts:
- charts/nginz: Rate limit SSO endpoints less
- charts/nginz: Ensure rate limiting isn't commented out
- charts/galley: Honour .setttings.httpPoolSize
- charts/galley: Fix typo in settings.featureFlags.validateSAMLEmails
- charts/gundeck: Remove aws.connectionLimit
- charts/brig: Fix default brandLabelUrl and remove brandLabel
3 changes: 1 addition & 2 deletions charts/brig/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,7 @@ config:
templateBranding:
brand: Wire
brandUrl: https://wire.com
brandLabel: wire.com
brandLabelUrl: https://wire.com
brandLabelUrl: wire.com
brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png
brandService: Wire Service Provider
copyright: © WIRE SWISS GmbH
Expand Down
8 changes: 4 additions & 4 deletions charts/galley/templates/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ data:
{{- end }}

settings:
httpPoolSize: 128
httpPoolSize: {{ .settings.httpPoolSize }}
intraListing: false
maxTeamSize: {{ .settings.maxTeamSize }}
maxConvSize: {{ .settings.maxConvSize }}
Expand Down Expand Up @@ -79,9 +79,9 @@ data:
searchVisibilityInbound:
{{- toYaml .settings.featureFlags.searchVisibilityInbound | nindent 10 }}
{{- end }}
{{- if .settings.featureFlags.validateSAMLemails }}
validateSAMLemails:
{{- toYaml .settings.featureFlags.validateSAMLemails | nindent 10 }}
{{- if .settings.featureFlags.validateSAMLEmails }}
validateSAMLEmails:
{{- toYaml .settings.featureFlags.validateSAMLEmails | nindent 10 }}
{{- end }}
{{- if .settings.featureFlags.appLock }}
appLock:
Expand Down
1 change: 0 additions & 1 deletion charts/gundeck/templates/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,6 @@ data:
arnEnv: {{ .arnEnv }}
sqsEndpoint: {{ .sqsEndpoint | quote }}
snsEndpoint: {{ .snsEndpoint | quote }}
connectionLimit: 256
{{- end }}

settings:
Expand Down
15 changes: 8 additions & 7 deletions charts/nginz/templates/conf/_nginx.conf.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -246,25 +246,26 @@ http {
{{- if ($location.basic_auth) }}
auth_basic "Restricted";
auth_basic_user_file {{ $.Values.nginx_conf.basic_auth_file }};
{{- end -}}
{{- end }}

{{- if ($location.disable_zauth) }}
zauth off;

# If zauth is off, limit by remote address if not part of limit exemptions
{{- if ($location.unlimited_requests_endpoint) }}
# Note that this endpoint has no rate limit
{{- else -}}
{{- else }}
{{- if not (hasKey $location "specific_user_rate_limit") }}
limit_req zone=reqs_per_addr burst=5 nodelay;
limit_conn conns_per_addr 20;
{{- end -}}
{{- else }}

{{- if hasKey $location "specific_user_rate_limit" }}
limit_req zone={{ $location.specific_user_rate_limit }} nodelay;
{{- end }}
{{- end }}
{{- end }}

{{- if hasKey $location "specific_user_rate_limit" }}
limit_req zone={{ $location.specific_user_rate_limit }}{{ if hasKey $location "specific_user_rate_limit_burst" }} burst={{ $location.specific_user_rate_limit_burst }}{{ end }} nodelay;
{{- end }}

if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS";
add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
Expand Down
9 changes: 9 additions & 0 deletions charts/nginz/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ nginx_conf:
# used to create request zones which can then be specified in
# 'upstreams.<upstream>.<n>.specific_user_rate_limit'.
user_rate_limit_request_zones:
- limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s;
- limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;

# The origins from which we allow CORS requests. These are combined with
Expand Down Expand Up @@ -502,20 +503,28 @@ nginx_conf:
- all
disable_zauth: true
allow_credentials: true
specific_user_rate_limit: reqs_per_addr_sso
specific_user_rate_limit_burst: "10"
- path: /sso/finalize-login
envs:
- all
disable_zauth: true
allow_credentials: true
specific_user_rate_limit: reqs_per_addr_sso
specific_user_rate_limit_burst: "10"
- path: /sso
envs:
- all
disable_zauth: true
specific_user_rate_limit: reqs_per_addr_sso
specific_user_rate_limit_burst: "10"
- path: /scim/v2
envs:
- all
disable_zauth: true
allow_credentials: true
specific_user_rate_limit: reqs_per_addr_sso
specific_user_rate_limit_burst: "10"
- path: /scim
envs:
- all
Expand Down