Release 2022-07-19 - (expected chart version 4.21.0)

CHANGELOG.md

@@ -1,3 +1,62 @@
+# [2022-07-19] (Chart Release 4.21.0)
+
+## Release notes
+
+
+* Users of the (currently alpha) coturn Helm chart must **manually update
+  their configuration** due to changes in how the chart handles authentication
+  secrets. Please see below for further details. (#2553)
+
+
+## API changes
+
+
+* The response to POST /mls/messages adds a timestamp (#2560)
+
+
+## Features
+
+
+* charts/wire-server: default log format everywhere to StructuredJSON format (introduced in #1951 and #1959) (#2559)
+
+* The coturn chart now supports multiple authentication secrets, which permits
+  multiple backend instances to use the same TURN servers without needing to
+  share authentication secrets between the backend instances.
+
+  Correspondingly, the `.Values.secrets.zrestSecret` configuration option, which
+  took a single authentication secret as its argument, has been replaced with the
+  option `.Values.secrets.zrestSecrets` (note spelling!), which instead takes a
+  *list* of authentication secrets as its argument. (#2553)
+
+* Add support for bare MLS proposals (#2436)
+
+
+## Bug fixes and other updates
+
+
+* Fix a bug in charts/cannon. It's now possible to use a custom TLS certificate when enabling cannon's nginz sidecar container. (Previously only letsencrypt certificates worked, and were tested) (#2558)
+
+* Minor fixes in helmcharts:
+  - charts/nginz: Rate limit SSO endpoints less
+  - charts/nginz: Ensure rate limiting isn't commented out
+  - charts/galley: Honour .setttings.httpPoolSize
+  - charts/galley: Fix typo in settings.featureFlags.validateSAMLEmails
+  - charts/gundeck: Remove aws.connectionLimit
+  - charts/brig: Fix default brandLabelUrl and remove brandLabel (#2563)
+
+
+## Internal changes
+
+
+* Port brig UserHandle API to servant (#2556)
+
+* Bump timeout for integration tests to 15 minutes (from 10 minutes), as 10 minutes is no longer enough. (#2570)
+
+* Internal endpoints to `PATCH` feature status (#2555)
+
+*  Change the proposal hold time to 28 days (#2568)
+
+
 # [2022-07-12] (Chart Release 4.19.0)
 
 ## Release notes

cassandra-schema.cql

@@ -35,22 +35,13 @@ CREATE TABLE galley_test.meta (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
-CREATE TABLE galley_test.conversation (
-    conv uuid PRIMARY KEY,
-    access set<int>,
-    access_role int,
-    access_roles_v2 set<int>,
-    creator uuid,
-    deleted boolean,
-    epoch bigint,
-    group_id blob,
-    message_timer bigint,
-    name text,
-    protocol int,
-    receipt_mode int,
+CREATE TABLE galley_test.team_conv (
     team uuid,
-    type int
-) WITH bloom_filter_fp_chance = 0.1
+    conv uuid,
+    managed boolean,
+    PRIMARY KEY (team, conv)
+) WITH CLUSTERING ORDER BY (conv ASC)
+    AND bloom_filter_fp_chance = 0.1
     AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
     AND comment = ''
     AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
@@ -456,13 +447,23 @@ CREATE TABLE galley_test.clients (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
-CREATE TABLE galley_test.team_conv (
+CREATE TABLE galley_test.conversation (
+    conv uuid PRIMARY KEY,
+    access set<int>,
+    access_role int,
+    access_roles_v2 set<int>,
+    cipher_suite int,
+    creator uuid,
+    deleted boolean,
+    epoch bigint,
+    group_id blob,
+    message_timer bigint,
+    name text,
+    protocol int,
+    receipt_mode int,
     team uuid,
-    conv uuid,
-    managed boolean,
-    PRIMARY KEY (team, conv)
-) WITH CLUSTERING ORDER BY (conv ASC)
-    AND bloom_filter_fp_chance = 0.1
+    type int
+) WITH bloom_filter_fp_chance = 0.1
     AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
     AND comment = ''
     AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
@@ -543,6 +544,28 @@ CREATE TABLE galley_test.billing_team_member (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
+CREATE TABLE galley_test.mls_proposal_refs (
+    group_id blob,
+    epoch bigint,
+    ref blob,
+    proposal blob,
+    PRIMARY KEY (group_id, epoch, ref)
+) WITH CLUSTERING ORDER BY (epoch ASC, ref ASC)
+    AND bloom_filter_fp_chance = 0.01
+    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
+    AND comment = ''
+    AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
+    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
+    AND crc_check_chance = 1.0
+    AND dclocal_read_repair_chance = 0.1
+    AND default_time_to_live = 0
+    AND gc_grace_seconds = 864000
+    AND max_index_interval = 2048
+    AND memtable_flush_period_in_ms = 0
+    AND min_index_interval = 128
+    AND read_repair_chance = 0.0
+    AND speculative_retry = '99PERCENTILE';
+
 CREATE KEYSPACE gundeck_test WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'}  AND durable_writes = true;
 
 CREATE TABLE gundeck_test.push (

charts/brig/templates/configmap.yaml

@@ -10,8 +10,7 @@ metadata:
 data:
   {{- with .Values.config }}
   brig.yaml: |
-    logNetStrings: True # log using netstrings encoding:
-                        # http://cr.yp.to/proto/netstrings.txt
+    logNetStrings: {{ .logNetStrings }}
     logFormat: {{ .logFormat }}
     logLevel: {{ .logLevel }}
 

charts/brig/values.yaml

@@ -17,7 +17,8 @@ metrics:
     enable: false
 config:
   logLevel: Info
-  logFormat: JSON
+  logFormat: StructuredJSON
+  logNetStrings: false
   cassandra:
     host: aws-cassandra
   elasticsearch:
@@ -38,8 +39,7 @@ config:
       templateBranding:
         brand: Wire
         brandUrl: https://wire.com
-        brandLabel: wire.com
-        brandLabelUrl: https://wire.com
+        brandLabelUrl: wire.com
         brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png
         brandService: Wire Service Provider
         copyright: © WIRE SWISS GmbH

charts/cannon/templates/conf/_nginx.conf.tpl

@@ -142,8 +142,8 @@ http {
   # Rate Limiting
   #
 
-  limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate=10r/s;
-  limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate=5r/m;
+  limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate={{ .Values.nginx_conf.rate_limit_reqs_per_user }};
+  limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate={{ .Values.nginx_conf.rate_limit_reqs_per_addr }};
 
 {{- range $limit := .Values.nginx_conf.user_rate_limit_request_zones }}
   {{ $limit }}

charts/cannon/templates/configmap.yaml

@@ -1,8 +1,9 @@
 apiVersion: v1
 data:
   cannon.yaml: |
-    logFormat: StructuredJSON
+    logFormat: {{ .Values.config.logFormat }}
     logLevel: {{ .Values.config.logLevel }}
+    logNetStrings: {{ .Values.config.logNetStrings }}
 
     cannon:
       host: 0.0.0.0

charts/cannon/templates/nginz-certificate-secret.yaml

@@ -10,6 +10,6 @@ metadata:
     heritage: "{{ .Release.Service }}"
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Values.secrets.nginz.tls.crt }}
-  tls.key: {{ .Values.secrets.nginz.tls.key }}
+  tls.crt: {{ .Values.secrets.nginz.tls.crt | b64enc | quote }}
+  tls.key: {{ .Values.secrets.nginz.tls.key | b64enc | quote }}
 {{- end }}

charts/cannon/values.yaml

@@ -9,6 +9,8 @@ nginzImage:
   pullPolicy: IfNotPresent
 config:
   logLevel: Info
+  logFormat: StructuredJSON
+  logNetStrings: false
 
   # See also the section 'Controlling the speed of websocket draining during
   # cannon pod replacement' in docs/how-to/install/configuration-options.rst
@@ -33,6 +35,8 @@ nginx_conf:
   worker_rlimit_nofile: 131072
   worker_connections: 65536
   disabled_paths: []
+  rate_limit_reqs_per_user: "10r/s"
+  rate_limit_reqs_per_addr: "5r/m"
   user_rate_limit_request_zones: []
 
   tls:

charts/cargohold/templates/configmap.yaml

@@ -4,8 +4,9 @@ metadata:
   name: "cargohold"
 data:
   cargohold.yaml: |
-    logNetStrings: True # log using netstrings encoding: http://cr.yp.to/proto/netstrings.txt
+    logFormat: {{ .Values.config.logFormat }}
     logLevel: {{ .Values.config.logLevel }}
+    logNetStrings: {{ .Values.config.logNetStrings }}
 
     cargohold:
       host: 0.0.0.0

charts/cargohold/values.yaml

@@ -17,6 +17,8 @@ resources:
     cpu: "500m"
 config:
   logLevel: Info
+  logFormat: StructuredJSON
+  logNetStrings: false
   enableFederator: false # keep enableFederator default in sync with brig and galley chart's config.enableFederator as well as wire-server chart's tag.federator
   aws:
     region: "eu-west-1"

charts/coturn/templates/configmap-coturn-conf-template.yaml

@@ -15,11 +15,6 @@ data:
     ## don't turn on coturn's cli.
     no-cli
 
-    ## authentication setup
-    # FUTUREWORK: enable support for multiple secrets?
-    zrest
-    static-auth-secret=__COTURN_SECRET__
-
     ## turn, stun.
     listening-ip=__COTURN_EXT_IP__
     listening-port={{ .Values.coturnTurnListenPort }}
@@ -73,3 +68,8 @@ data:
     denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 
     # FUTUREWORK: expose customisable access control settings.
+
+    ## authentication setup
+    zrest
+    ## static authentication secrets will be added below this line when the
+    ## runtime configuration is generated.

charts/coturn/templates/secret.yaml

@@ -1,3 +1,8 @@
+{{- if or (not .Values.secrets) (not .Values.secrets.zrestSecrets) }}
+{{- fail "Secrets are not defined" }}
+{{- else if eq (len .Values.secrets.zrestSecrets) 0 }}
+{{- fail "At least one authentication secret must be defined" }}
+{{- else }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,6 +12,8 @@ metadata:
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 type: Opaque
-data:
-  zrest_secret.txt: {{ .Values.secrets.zrestSecret | b64enc | quote }}
-
+stringData:
+  zrest_secret.txt: |
+    {{- range .Values.secrets.zrestSecrets }}{{ . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/coturn/templates/statefulset.yaml

@@ -90,8 +90,8 @@ spec:
             - |
               set -e
               EXTERNAL_IP=$(cat /external-ip/ip)
-              ZREST_SECRET="$(cat /secrets/zrest_secret.txt)"
-              sed -Ee "s;__COTURN_EXT_IP__;$EXTERNAL_IP;g" -e "s;__COTURN_POD_IP__;$POD_IP;g" -e "s;__COTURN_SECRET__;$ZREST_SECRET;" /coturn-template/coturn.conf.template > /coturn-config/turnserver.conf
+              sed -Ee "s;__COTURN_EXT_IP__;$EXTERNAL_IP;g" -e "s;__COTURN_POD_IP__;$POD_IP;g" /coturn-template/coturn.conf.template > /coturn-config/turnserver.conf
+              sed -Ee 's/^/static-auth-secret=/' /secrets/zrest_secret.txt >> /coturn-config/turnserver.conf
               exec /usr/bin/turnserver -c /coturn-config/turnserver.conf
           {{- if .Values.coturnGracefulTermination }}
           lifecycle:

charts/federator/templates/configmap.yaml

@@ -37,8 +37,7 @@ data:
 
     {{- with .Values.config }}
 
-    logNetStrings: True # log using netstrings encoding:
-                        # http://cr.yp.to/proto/netstrings.txt
+    logNetStrings: {{ .logNetStrings }}
     logFormat: {{ .logFormat }}
     logLevel: {{ .logLevel }}
 

charts/federator/values.yaml

@@ -24,7 +24,8 @@ resources:
     cpu: "500m"
 config:
   logLevel: Info
-  logFormat: JSON
+  logFormat: StructuredJSON
+  logNetStrings: false
   optSettings:
     # Defaults to using system CA store in the federator image for making
     # connections to remote federators.

charts/galley/templates/configmap.yaml

@@ -5,10 +5,9 @@ metadata:
 data:
   {{- with .Values.config }}
   galley.yaml: |
-    logNetStrings: True # log using netstrings encoding:
-                        # http://cr.yp.to/proto/netstrings.txt
-    logLevel: {{ .logLevel }}
     logFormat: {{ .logFormat }}
+    logLevel: {{ .logLevel }}
+    logNetStrings: {{ .logNetStrings }}
 
     galley:
       host: 0.0.0.0
@@ -48,7 +47,7 @@ data:
     {{- end }}
 
     settings:
-      httpPoolSize: 128
+      httpPoolSize: {{ .settings.httpPoolSize }}
       intraListing: false
       maxTeamSize: {{ .settings.maxTeamSize }}
       maxConvSize: {{ .settings.maxConvSize }}
@@ -79,9 +78,9 @@ data:
         searchVisibilityInbound:
           {{- toYaml .settings.featureFlags.searchVisibilityInbound | nindent 10 }}
         {{- end }}
-        {{- if .settings.featureFlags.validateSAMLemails }}
-        validateSAMLemails:
-          {{- toYaml .settings.featureFlags.validateSAMLemails | nindent 10 }}
+        {{- if .settings.featureFlags.validateSAMLEmails }}
+        validateSAMLEmails:
+          {{- toYaml .settings.featureFlags.validateSAMLEmails | nindent 10 }}
         {{- end }}
         {{- if .settings.featureFlags.appLock }}
         appLock:

charts/galley/values.yaml

@@ -18,12 +18,14 @@ resources:
     cpu: "500m"
 config:
   logLevel: Info
-  logFormat: JSON
+  logFormat: StructuredJSON
+  logNetStrings: false
   cassandra:
     host: aws-cassandra
     replicaCount: 3
   enableFederator: false # keep enableFederator default in sync with brig and cargohold chart's config.enableFederator as well as wire-server chart's tag.federator
   settings:
+    httpPoolSize: 128
     maxTeamSize: 10000
     maxConvSize: 500
     # Before making indexedBillingTeamMember true while upgrading, please

charts/gundeck/templates/configmap.yaml

@@ -5,8 +5,9 @@ metadata:
 data:
   {{- with .Values.config }}
   gundeck.yaml: |
-    logNetStrings: True # log using netstrings encoding: http://cr.yp.to/proto/netstrings.txt
+    logFormat: {{ .logFormat }}
     logLevel: {{ .logLevel }}
+    logNetStrings: {{ .logNetStrings }}
 
     gundeck:
       host: 0.0.0.0
@@ -43,7 +44,6 @@ data:
       arnEnv: {{ .arnEnv }}
       sqsEndpoint: {{ .sqsEndpoint | quote }}
       snsEndpoint: {{ .snsEndpoint | quote }}
-      connectionLimit: 256
     {{- end }}
 
     settings: