From dfc004f2748be17b9fc3e8ad58b04197c3780cb1 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 15 Nov 2023 16:34:04 +0100 Subject: [PATCH 01/13] docker-ephemeral: Run federation-v0 galley and brig servers --- .gitignore | 19 -- deploy/dockerephemeral/docker-compose.yaml | 3 + deploy/dockerephemeral/federation-v0.yaml | 73 ++++++ .../dockerephemeral/federation-v0/brig.yaml | 215 ++++++++++++++++++ .../dockerephemeral/federation-v0/galley.yaml | 93 ++++++++ .../federation-v0/jwt-ed25519-bundle.pem | 6 + .../federation-v0/mls-private-key-ed25519.pem | 3 + .../federation-v0/nexmo-credentials.yaml | 2 + .../federation-v0/oauth-ed25519.jwk | 1 + .../federation-v0/turn-secret.txt | 1 + .../federation-v0/twilio-credentials.yaml | 2 + .../federation-v0/zauth-privkeys.txt | 4 + .../federation-v0/zauth-pubkeys.txt | 4 + deploy/dockerephemeral/init.sh | 2 +- deploy/dockerephemeral/init_vhosts.sh | 1 + deploy/dockerephemeral/run.sh | 4 +- services/galley/galley.integration.yaml | 9 - 17 files changed, 411 insertions(+), 31 deletions(-) create mode 100644 deploy/dockerephemeral/federation-v0.yaml create mode 100644 deploy/dockerephemeral/federation-v0/brig.yaml create mode 100644 deploy/dockerephemeral/federation-v0/galley.yaml create mode 100644 deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem create mode 100644 deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem create mode 100644 deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml create mode 100644 deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk create mode 100644 deploy/dockerephemeral/federation-v0/turn-secret.txt create mode 100644 deploy/dockerephemeral/federation-v0/twilio-credentials.yaml create mode 100644 deploy/dockerephemeral/federation-v0/zauth-privkeys.txt create mode 100644 deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt diff --git a/.gitignore b/.gitignore index 0098fc0a6f..a6318e378e 100644 --- a/.gitignore +++ b/.gitignore 
@@ -40,25 +40,6 @@ services/nginz/src services/.env tools/api-simulations/mailboxes.json tools/api-simulations/reports -brig-schema.yaml -brig.yaml -brig.integration-aws.yaml -cannon.yaml -cannon.integration-aws.yaml -cannon2.integration-aws.yaml -cargohold.yaml -cargohold.integration-aws.yaml -galley-schema.yaml -galley.yaml -galley.integration-aws.yaml -gundeck-schema.yaml -gundeck.yaml -gundeck.integration-aws.yaml -proxy.yaml -proxy.integration-aws.yaml -spar.yaml -spar.integration-aws.yaml -integration-aws.yaml DOCKER_ID* swagger-ui diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index a988af62ca..013511bb49 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -197,6 +197,9 @@ services: environment: - "CS_JVM_OPTIONS=-Xmx1024M -Xms1024M -Xmn200M" + healthcheck: + test: [ "CMD", "nodetool", "status" ] + # on nixos, you also may need to run # sysctl -w vm.max_map_count=1048576 # or add that to your `configuration.nix` diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml new file mode 100644 index 0000000000..15963f31e4 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0.yaml 
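Review bot: The `healthcheck` added to the cassandra service in docker-compose.yaml declares only `test` and no `interval`, `timeout`, `retries` or `start_period`, so the `brig_schema`/`galley_schema` containers that wait on `condition: service_healthy` depend on compose defaults, and a slow Cassandra start can flip the container to unhealthy before `nodetool status` ever succeeds. Spelling the budget out next to `test` removes the guesswork, e.g. `interval: 10s`, `timeout: 10s`, `retries: 30`. A one-line comment above the block saying that the federation-v0 schema jobs gate on this health state would also explain why the check appears now.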
@@ -0,0 +1,73 @@ +version: '2.3' + +networks: + demo_wire: + external: false + +services: + brig_schema: + container_name: brig-schema-federation-v0 + image: quay.io/wire/brig-schema:4.38.51 + command: --host cassandra --keyspace brig_test_federation_v0 --replication-factor 1 + depends_on: + cassandra: + condition: service_healthy + networks: + - demo_wire + brig: + container_name: brig-federation-v0 + image: quay.io/wire/brig:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/brig/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21082:8080' + depends_on: + brig_schema: + condition: service_completed_successfully + aws_cli: + condition: service_completed_successfully + init_vhosts: + condition: service_completed_successfully + + environment: + - AWS_REGION=eu-west-1 + - AWS_ACCESS_KEY_ID=dummykey + - AWS_SECRET_ACCESS_KEY=dummysecret + - RABBITMQ_USERNAME=${RABBITMQ_USERNAME} + - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD} + + galley_schema: + container_name: galley-schema-federation-v0 + image: quay.io/wire/galley-schema:4.38.51 + command: --host cassandra --keyspace galley_test_federation_v0 --replication-factor 1 + depends_on: + cassandra: + condition: service_healthy + networks: + - demo_wire + + galley: + container_name: galley-federation-v0 + image: quay.io/wire/galley:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/galley/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21085:8080' + depends_on: + galley_schema: + condition: service_completed_successfully + aws_cli: + condition: service_completed_successfully + init_vhosts: + condition: service_completed_successfully + + environment: + - AWS_REGION=eu-west-1 + - AWS_ACCESS_KEY_ID=dummykey + - AWS_SECRET_ACCESS_KEY=dummysecret + - RABBITMQ_USERNAME=${RABBITMQ_USERNAME} + - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD} diff --git a/deploy/dockerephemeral/federation-v0/brig.yaml b/deploy/dockerephemeral/federation-v0/brig.yaml new file mode 100644 index 0000000000..b26b94c57a --- /dev/null 
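Review bot: The new overlay declares `version: '2.3'` while the base docker-compose.yaml it is merged with through `--file` in run.sh declares `version: '2'`; older docker-compose releases refuse to merge files whose versions differ, and `condition: service_completed_successfully` is a compose-spec feature that the 2.x file format does not formally cover, so this presumably only works with a recent `docker compose`. A comment at the top of the file stating the minimum compose version it was verified with, or aligning both files on one version, would spare the next person a confusing merge failure. The `networks: demo_wire: external: false` block repeats the definition from the base file; if the overlay is never used alone it can be dropped here so the network has a single owner.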
+++ b/deploy/dockerephemeral/federation-v0/brig.yaml 
@@ -0,0 +1,215 @@ +brig: + host: 0.0.0.0 + port: 8080 + +cassandra: + endpoint: + host: demo_wire_cassandra + port: 9042 + keyspace: brig_test_federation_v0 + # filterNodesByDatacentre: datacenter1 + +elasticsearch: + url: http://demo_wire_elasticsearch:9200 + index: directory_test + +rabbitmq: + host: rabbitmq + port: 5672 + vHost: / + +cargohold: + host: cargohold + port: 8080 + +galley: + host: galley + port: 8080 + +gundeck: + host: gundeck + port: 8080 + +federatorInternal: + host: federator + port: 8080 + +# You can set up local SQS/Dynamo running e.g. `../../deploy/dockerephemeral/run.sh` +aws: + userJournalQueue: integration-user-events.fifo-federation-v0 + # ^ Comment this out if you don't want to journal user events + prekeyTable: integration-brig-prekeys-federation-v0 + sqsEndpoint: http://fake_sqs:4568 # https://sqs.eu-west-1.amazonaws.com + # dynamoDBEndpoint: http://localhost:4567 # https://dynamodb.eu-west-1.amazonaws.com + +# Uncomment to use the randomPrekey allocation strategy instead of dynamoDB +randomPrekeys: true + +# Uncomment this if you want STOMP. +# +# stomp: +# stompHost: localhost +# stompPort: 61613 +# stompTls: false + +# TODO: possibly move 'userJournalQueue' to the top level as well +internalEvents: + queueType: sqs + queueName: integration-brig-events-internal-federation-v0 + # queueType: stomp + # queueName: /queue/integration-brig-events-internal + +emailSMS: + # You can either use SES directly (in which case, ensure a feedback queue is configured) + # or you can use SMTP directly (blacklisting of email/phone must be otherwise handled by + # the operator). + email: + sesQueue: integration-brig-events-federation-v0 + sesEndpoint: http://ses:4569 # https://email.eu-west-1.amazonaws.com + # If you prefer to use SMTP directly, uncomment the following lines + # and set the correct credentials. 
+ # NOTE: In case a user tries to supply config values for both SES and SMTP, + # SES takes precedence and gets used instead + # smtpEndpoint: + # host: localhost + # port: 2500 + # smtpCredentials: + # username: + # password: test/resources/smtp-secret.txt + # smtpConnType: plain + # ^ NOTE: blacklisting of emails (processing of bounces and complaints) is only done + # automatically IF sesQueue/sesEndpoint are used. If SMTP is used directly, the + # operator must handle these notifications "manually" (there are internal endpoints) + # that may be used for this + + general: + templateDir: /usr/share/wire/templates + emailSender: backend-integration@wire.com + smsSender: "+123456789" # or MG123456789... (twilio alphanumeric sender id) + templateBranding: + brand: Wire + brandUrl: https://wire.com + brandLabelUrl: wire.com # This is the text in the label for the above URL + brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png + brandService: Wire Service Provider + copyright: © WIRE SWISS GmbH + misuse: misuse@wire.com + legal: https://wire.com/legal/ + forgot: https://wire.com/forgot/ + support: https://support.wire.com/ + user: + activationUrl: http://127.0.0.1:8080/activate?key=${key}&code=${code} + smsActivationUrl: http://127.0.0.1:8080/v/${code} + passwordResetUrl: http://127.0.0.1:8080/password-reset/${key}?code=${code} + invitationUrl: http://127.0.0.1:8080/register?invitation_code=${code} + deletionUrl: http://127.0.0.1:8080/users/delete?key=${key}&code=${code} + + provider: + homeUrl: https://provider.localhost/ + providerActivationUrl: http://127.0.0.1:8080/provider/activate?key=${key}&code=${code} + approvalUrl: http://127.0.0.1:8080/provider/approve?key=${key}&code=${code} + approvalTo: success@simulator.amazonses.com + providerPwResetUrl: http://127.0.0.1:8080/provider/password-reset?key=${key}&code=${code} + + team: + tInvitationUrl: http://127.0.0.1:8080/register?team=${team}&team_code=${code} + tActivationUrl: 
http://127.0.0.1:8080/register?team=${team}&team_code=${code} + tCreatorWelcomeUrl: http://127.0.0.1:8080/creator-welcome-website + tMemberWelcomeUrl: http://127.0.0.1:8080/member-welcome-website + +zauth: + privateKeys: /etc/wire/brig/conf/zauth-privkeys.txt + publicKeys: /etc/wire/brig/conf/zauth-pubkeys.txt + authSettings: + keyIndex: 1 + userTokenTimeout: 120 + sessionTokenTimeout: 20 + accessTokenTimeout: 30 + providerTokenTimeout: 60 + legalHoldUserTokenTimeout: 120 + legalHoldAccessTokenTimeout: 30 + +turn: + serversSource: dns # files | dns + baseDomain: example.com + discoveryIntervalSeconds: 100 + + # This should be the same secret as used by the TURN servers + secret: /etc/wire/brig/conf/turn-secret.txt + configTTL: 3600 + tokenTTL: 21600 + +optSettings: + setActivationTimeout: 10 + setVerificationTimeout: 10 + setTeamInvitationTimeout: 10 + setExpiredUserCleanupTimeout: 1 + setTwilio: /etc/wire/brig/conf/twilio-credentials.yaml + setNexmo: /etc/wire/brig/conf/nexmo-credentials.yaml + # setStomp: test/resources/stomp-credentials.yaml + setUserMaxConnections: 16 + setCookieInsecure: true + setUserCookieRenewAge: 2 + setUserCookieLimit: 5 + setUserCookieThrottle: + stdDev: 5 + retryAfter: 3 + setLimitFailedLogins: + timeout: 5 # seconds. if you reach the limit, how long do you have to wait to try again. + retryLimit: 5 # how many times can you have a failed login in that timeframe. + setSuspendInactiveUsers: # if this is omitted: never suspend inactive users. 
+ suspendTimeout: 10 + setRichInfoLimit: 5000 # should be in sync with Spar + setDefaultUserLocale: en + setMaxTeamSize: 32 + setMaxConvSize: 16 + setEmailVisibility: visible_to_self + setPropertyMaxKeyLen: 1024 + setPropertyMaxValueLen: 4096 + setDeleteThrottleMillis: 0 + setSqsThrottleMillis: 1000 + setRestrictUserCreation: false + # setSearchSameTeamOnly: false + # ^ NOTE: this filters out search results for team users, + # i.e., if you are a team user the search endpoints will + # return only users part of the same team. For name search, + # this is slightly more inefficient as it requires 2 extra DB lookups + # setUserMaxPermClients: 7 + # ^ You can limit the max number of permanent clients that a user is allowed + # to register, per account. The default value is '7' if the option is unset. + + # Federation domain is used to qualify local IDs and handles, + # e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com. + # It should also match the SRV DNS records under which other wire-server installations can find this backend: + # _wire-server-federator._tcp. + # Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working + # Remember to keep it the same in Galley. 
+ setFederationDomain: federation-v0.example.com + setFeatureFlags: # see #RefConfigOptions in `/docs/reference` + setFederationDomainConfigsUpdateFreq: 1 + setFederationStrategy: allowAll + setFederationDomainConfigs: + - domain: example.com + search_policy: full_search + set2FACodeGenerationDelaySecs: 5 + setNonceTtlSecs: 5 + setDpopMaxSkewSecs: 1 + setDpopTokenExpirationTimeSecs: 300 # 5 minutes + setPublicKeyBundle: /etc/wire/brig/conf/jwt-ed25519-bundle.pem + setEnableMLS: true + # To only allow specific email address domains to register, uncomment and update the setting below + # setAllowlistEmailDomains: + # - wire.com + # To only allow specific phone number prefixes to register uncomment and update the settings below + # setAllowlistPhonePrefixes: + # - "+1555555" + # needs to be kept in sync with services/nginz/integration-test/resources/oauth/ed25519_public.jwk + setOAuthJwkKeyPair: /etc/wire/brig/conf/oauth-ed25519.jwk + setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs + setOAuthAccessTokenExpirationTimeSecs: 3 # 3 secs + setOAuthEnabled: true + setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks + setOAuthMaxActiveRefreshTokens: 10 + +logLevel: Warn +logNetStrings: false diff --git a/deploy/dockerephemeral/federation-v0/galley.yaml b/deploy/dockerephemeral/federation-v0/galley.yaml new file mode 100644 index 0000000000..4da4095165 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/galley.yaml 
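Review bot: `rabbitmq.vHost: /` in brig.yaml points the v0 brig at the root vhost, while galley.yaml in this series uses `vHost: federation-v0` and init_vhosts.sh creates that vhost specifically for this backend; unless sharing `/` with the main backend is intended, brig's notifications are published to a different vhost than the one the other v0 services consume from. Suggested change: `vHost: federation-v0`. The file also carries over integration-only relaxations such as `setCookieInsecure: true` and `emailSender: backend-integration@wire.com` without saying so; a header comment along the lines of `# Test-only brig config for the federation-v0 container started by deploy/dockerephemeral/federation-v0.yaml; not a deployment template` would make the relaxed settings easy to spot.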
@@ -0,0 +1,93 @@ +galley: + host: 0.0.0.0 + port: 8080 + +cassandra: + endpoint: + host: demo_wire_cassandra + port: 9042 + keyspace: galley_test_federation_v0 + # filterNodesByDatacentre: datacenter1 + +brig: + host: brig + port: 8080 + +gundeck: + host: gundeck + port: 8080 + +spar: + host: spar + port: 8080 + +federator: + host: federator + port: 8080 + +rabbitmq: + host: rabbitmq + port: 5672 + vHost: federation-v0 + +settings: + httpPoolSize: 128 + maxTeamSize: 32 + maxFanoutSize: 18 + exposeInvitationURLsTeamAllowlist: [] + maxConvSize: 16 + intraListing: false + conversationCodeURI: https://account.wire.com/conversation-join/ + concurrentDeletionEvents: 1024 + deleteConvThrottleMillis: 0 + # Federation domain is used to qualify local IDs and handles, + # e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com. + # It should also match the SRV DNS records under which other wire-server installations can find this backend: + # _wire-server-federator._tcp. + # Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working + # Remember to keep it the same in Brig + federationDomain: federation-v0.example.com + mlsPrivateKeyPaths: + removal: + ed25519: /etc/wire/galley/conf/mls-private-key-ed25519.pem + + featureFlags: # see #RefConfigOptions in `/docs/reference` + sso: disabled-by-default + legalhold: whitelist-teams-and-implicit-consent + teamSearchVisibility: disabled-by-default + appLock: + defaults: + status: enabled + config: + enforceAppLock: false + inactivityTimeoutSecs: 60 + classifiedDomains: + status: enabled + config: + domains: ["example.com"] + fileSharing: + defaults: + status: enabled + lockStatus: unlocked + conferenceCalling: + defaults: + status: enabled + outlookCalIntegration: + defaults: + status: disabled + lockStatus: locked + mlsE2EId: + defaults: + status: disabled + config: + verificationExpiration: 86400 + acmeDiscoveryUrl: null + lockStatus: unlocked + +logLevel: Warn 
+logNetStrings: false + +journal: # if set, journals; if not set, disables journaling + queueName: integration-team-events.fifo-federation-v0 + endpoint: http://demo_wire_sqs:4568 # https://sqs.eu-west-1.amazonaws.com + region: eu-west-1 diff --git a/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem b/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem new file mode 100644 index 0000000000..afbd4dfb0e --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX +-----END PRIVATE KEY----- +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8= +-----END PUBLIC KEY----- diff --git a/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem b/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem new file mode 100644 index 0000000000..182df6f5a7 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIKqoSUVW579Aw8Nz47CRwArSigl/25jg0suQmg6mOwdy +-----END PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml b/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml new file mode 100644 index 0000000000..1f83517f2e --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml @@ -0,0 +1,2 @@ +key: "dummy" +secret: "dummy" diff --git a/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk b/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk new file mode 100644 index 0000000000..c00a8270aa --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk @@ -0,0 +1 @@ +{"kty":"OKP","crv":"Ed25519","x":"mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc","d":"R8-pV2-sPN7dykV8HFJ73S64F3kMHTNnJiSN8UdWk_o"} 
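Review bot: jwt-ed25519-bundle.pem commits a private key, and the following hunks add further secret material (mls-private-key-ed25519.pem, oauth-ed25519.jwk including its `d` component, zauth-privkeys.txt, turn-secret.txt, the twilio and nexmo credential files), yet nothing on the page marks them as throwaway fixtures and PEM files carry no comment syntax. A short README in deploy/dockerephemeral/federation-v0/ stating that these keys exist only to run the pinned federation-v0 images locally, that they must never be reused for a deployed backend, and how to regenerate them, would keep them from being copied into a real config by mistake. If the zauth or TURN values are the same ones the main integration backend uses, that is worth stating as well, since tokens issued by one backend would then be accepted by the other and a test could pass for the wrong reason.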
diff --git a/deploy/dockerephemeral/federation-v0/turn-secret.txt b/deploy/dockerephemeral/federation-v0/turn-secret.txt new file mode 100644 index 0000000000..5e558cab2c --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/turn-secret.txt @@ -0,0 +1 @@ +xMtZyTpu=Leb?YKCoq#BXQR:gG^UrE83dNWzFJ2VcD \ No newline at end of file diff --git a/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml b/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml new file mode 100644 index 0000000000..d64e0ec4f2 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml @@ -0,0 +1,2 @@ +sid: "dummy" +token: "dummy" diff --git a/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt b/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt new file mode 100644 index 0000000000..373e316cb8 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt @@ -0,0 +1,4 @@ +qjIAZtKrpXInwyqgM7JCZ3QeK9B4JGBYAv0_63YjTtgDylLfTTpdwvDYSy32is13biThD03QZAUOhBO042Odrw== +dNLsH_oIA6hJCyw-AwokLz3AukHNghlP3H-pW5Ao1Wy06OI2MGgBwRnvjgfI2l1mgCLPJQflUR-7DsYO0p6zoQ== +drShe2GnggBy-VAW1gdE6myf4UAFcN1ZdixCO8NRuYLv_TO-xNQzRj-8RfemJ4R6Oz-R5KTfP6Oj_Tj0qezDTw== +tZWlAKOCe5-vlQl0TbECvxeIptEBGRrnGSiej-olAFe-46gXpFkWTas2Ci84VUWyhWzRJj4rtBmyJkAm-TMvwQ== diff --git a/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt b/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt new file mode 100644 index 0000000000..661fcfc71b --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt @@ -0,0 +1,4 @@ +A8pS3006XcLw2Est9orNd24k4Q9N0GQFDoQTtONjna8= +tOjiNjBoAcEZ744HyNpdZoAizyUH5VEfuw7GDtKes6E= +7_0zvsTUM0Y_vEX3pieEejs_keSk3z-jo_049Knsw08= +vuOoF6RZFk2rNgovOFVFsoVs0SY-K7QZsiZAJvkzL8E= diff --git a/deploy/dockerephemeral/init.sh b/deploy/dockerephemeral/init.sh index b22e9b7ed1..f10067319a 100755 --- a/deploy/dockerephemeral/init.sh +++ b/deploy/dockerephemeral/init.sh 
@@ -18,7 +18,7 @@ while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamod done echo " [ok!]" -for suffix in "" "2" "3" "4" "5"; do +for suffix in "" "2" "3" "4" "5" "-federation-v0"; do aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true diff --git a/deploy/dockerephemeral/init_vhosts.sh b/deploy/dockerephemeral/init_vhosts.sh index 4c169ba443..9323e6f5a4 100755 --- a/deploy/dockerephemeral/init_vhosts.sh +++ b/deploy/dockerephemeral/init_vhosts.sh @@ -11,5 +11,6 @@ exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://ra exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d1.example.com" exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d2.example.com" exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d3.example.com" +exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/federation-v0" echo 'RabbitMQ resources created successfully!' diff --git a/deploy/dockerephemeral/run.sh b/deploy/dockerephemeral/run.sh index e982094a13..17005e556e 100755 --- a/deploy/dockerephemeral/run.sh +++ b/deploy/dockerephemeral/run.sh @@ -6,5 +6,5 @@ set -x SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DOCKER_FILE="$SCRIPT_DIR/docker-compose.yaml" -docker-compose --file "$DOCKER_FILE" up -docker-compose --file "$DOCKER_FILE" down +docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up +docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" down diff --git a/services/galley/galley.integration.yaml b/services/galley/galley.integration.yaml index e47801460b..1d68ca943a 100644 
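Review bot: The suffix loop in init.sh is extended to `"-federation-v0"`, but the visible hunk only covers the DynamoDB table deletion, and the names the new configs reference elsewhere in this series (`integration-brig-events-internal-federation-v0`, `integration-user-events.fifo-federation-v0`, `integration-team-events.fifo-federation-v0`, bucket `dummy-bucket-federation-v0`) are created by code outside the hunk, so it is worth confirming those loops receive the same suffix. Note also that appending the suffix after `.fifo` yields queue names that no longer end in `.fifo`; the fake SQS presumably accepts that, but real SQS rejects it, which matters if this script is ever pointed at AWS. A comment on the changed line such as `# "-federation-v0" backs the overlay in deploy/dockerephemeral/federation-v0.yaml` would document why this suffix differs in shape from the numeric ones.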
--- a/services/galley/galley.integration.yaml +++ b/services/galley/galley.integration.yaml @@ -83,15 +83,6 @@ settings: verificationExpiration: 86400 acmeDiscoveryUrl: null lockStatus: unlocked - mlsMigration: - defaults: - status: enabled - config: - startTime: "2029-05-16T10:11:12.123Z" - finaliseRegardlessAfter: "2029-10-17T00:00:00.000Z" - usersThreshold: 100 - clientsThreshold: 50 - lockStatus: locked logLevel: Warn logNetStrings: false From 4bd589c17b5097a297c1b41d1e20caf1be4b4b15 Mon Sep 17 00:00:00 2001 
From: Akshay Mankar Date: Tue, 21 Nov 2023 10:19:17 +0100 Subject: [PATCH 02/13] docker-ephemeral: Get rest of the services running --- .../coredns-config/db.example.com | 1 + deploy/dockerephemeral/docker-compose.yaml | 33 +- deploy/dockerephemeral/federation-v0.yaml | 153 ++++++ .../federation-v0/background-worker.yaml | 27 + .../dockerephemeral/federation-v0/cannon.yaml | 25 + .../federation-v0/cargohold.yaml | 28 + .../federation-v0/coredns-config/Corefile | 4 + .../coredns-config/db.example.com | 20 + .../federation-v0/federator.yaml | 29 + .../federation-v0/gundeck.yaml | 45 ++ .../federation-v0/integration-ca.pem | 19 + .../federation-v0/integration-leaf-key.pem | 27 + .../federation-v0/integration-leaf.pem | 21 + .../federation-v0/nginz/conf/README.md | 7 + .../nginz/conf/common_response.conf | 38 ++ .../nginz/conf/common_response_no_zauth.conf | 2 + .../conf/common_response_with_zauth.conf | 3 + .../federation-v0/nginz/conf/integration.conf | 19 + .../federation-v0/nginz/conf/nginx.conf | 496 ++++++++++++++++++ .../federation-v0/nginz/conf/pid.conf | 1 + .../federation-v0/nginz/conf/zauth_acl.txt | 15 + .../federation-v0/nginz/upstreams | 38 ++ .../federation-v0/proxy.config | 8 + .../dockerephemeral/federation-v0/proxy.yaml | 18 + .../dockerephemeral/federation-v0/spar.yaml | 42 ++ deploy/dockerephemeral/init.sh | 108 ++-- hack/bin/selfsigned.sh | 2 +- .../conf/nginz/integration-ca-key.pem | 50 +- .../conf/nginz/integration-ca.pem | 34 +- .../conf/nginz/integration-leaf-key.pem | 50 +- .../conf/nginz/integration-leaf.pem | 35 +- 31 files changed, 1242 insertions(+), 156 deletions(-) create mode 100644 deploy/dockerephemeral/federation-v0/background-worker.yaml create mode 100644 deploy/dockerephemeral/federation-v0/cannon.yaml create mode 100644 deploy/dockerephemeral/federation-v0/cargohold.yaml create mode 100644 deploy/dockerephemeral/federation-v0/coredns-config/Corefile create mode 100644 
deploy/dockerephemeral/federation-v0/coredns-config/db.example.com create mode 100644 deploy/dockerephemeral/federation-v0/federator.yaml create mode 100644 deploy/dockerephemeral/federation-v0/gundeck.yaml create mode 100644 deploy/dockerephemeral/federation-v0/integration-ca.pem create mode 100644 deploy/dockerephemeral/federation-v0/integration-leaf-key.pem create mode 100644 deploy/dockerephemeral/federation-v0/integration-leaf.pem create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/README.md create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf create mode 100644 deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt create mode 100644 deploy/dockerephemeral/federation-v0/nginz/upstreams create mode 100644 deploy/dockerephemeral/federation-v0/proxy.config create mode 100644 deploy/dockerephemeral/federation-v0/proxy.yaml create mode 100644 deploy/dockerephemeral/federation-v0/spar.yaml diff --git a/deploy/dockerephemeral/coredns-config/db.example.com b/deploy/dockerephemeral/coredns-config/db.example.com index f52268e7ff..1c33e941fb 100644 --- a/deploy/dockerephemeral/coredns-config/db.example.com +++ b/deploy/dockerephemeral/coredns-config/db.example.com @@ -17,3 +17,4 @@ _wire-server-federator._tcp.b IN SRV 0 0 9443 localhost. _wire-server-federator._tcp.d1 IN SRV 0 0 10443 localhost. _wire-server-federator._tcp.d2 IN SRV 0 0 11443 localhost. _wire-server-federator._tcp.d3 IN SRV 0 0 12443 localhost. +_wire-server-federator._tcp.v0 IN SRV 0 0 21443 localhost. 
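Review bot: The new SRV record in coredns-config/db.example.com is published under the label `v0`, i.e. for the domain `v0.example.com`, while brig.yaml and galley.yaml in this series configure the backend as `federation-v0.example.com`; a federator resolving that domain queries `_wire-server-federator._tcp.federation-v0.example.com` and gets no answer. Unless a later commit renames one side, either the record should read `_wire-server-federator._tcp.federation-v0 IN SRV 0 0 21443 localhost.` or the service configs should use `v0.example.com`, whichever the tests address; the copy added under deploy/dockerephemeral/federation-v0/coredns-config/db.example.com has the same label and needs the same decision. A comment above the record naming the compose service it targets (nginz-federation-v0 on port 21443) would also help the next reader.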
diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index 013511bb49..abc44b8140 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -1,14 +1,23 @@ version: '2' networks: - demo_wire: - external: false - redis: driver: bridge ipam: config: - subnet: 172.20.0.0/24 + coredns: + driver: bridge + ipam: + config: + - subnet: 172.20.1.0/24 + + demo_wire: + driver: bridge + ipam: + config: + - subnet: 172.20.2.0/24 + services: fake_dynamodb: container_name: demo_wire_dynamodb @@ -67,20 +76,6 @@ services: networks: - demo_wire - # activemq: - # image: rmohr/activemq:5.15.4 - # ports: - # - "61613:61613" - - # FIXME: replace redis image with one we build. - redis: - container_name: demo_wire_redis - image: redis:3.0.7-alpine - ports: - - "127.0.0.1:6379:6379" - networks: - - demo_wire - redis-cluster: image: 'redis:6.0-alpine' command: redis-cli --cluster create 172.20.0.31:6373 172.20.0.32:6374 172.20.0.33:6375 172.20.0.34:6376 172.20.0.35:6377 172.20.0.36:6378 --cluster-replicas 1 --cluster-yes @@ -250,6 +245,7 @@ services: - ./:/scripts networks: - demo_wire + coredns: image: docker.io/coredns/coredns:1.8.4 volumes: @@ -261,6 +257,9 @@ services: ports: - "9053:53" - "9053:53/udp" + networks: + coredns: + ipv4_address: 172.20.1.2 volumes: redis-node-1-data: diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml index 15963f31e4..4f9e47eeb4 100644 --- a/deploy/dockerephemeral/federation-v0.yaml +++ b/deploy/dockerephemeral/federation-v0.yaml 
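Review bot: The `coredns` service is pinned to `ipv4_address: 172.20.1.2` and three subnets are now fixed (`172.20.0.0/24`, `172.20.1.0/24`, `172.20.2.0/24`), but nothing in the file says who depends on those literals; federator.yaml for the v0 backend hardcodes `dnsHost: 172.20.1.3` for its own coredns, so someone renumbering here will not know to change the other side. A comment on the `coredns` network such as `# fixed addresses: 172.20.1.2 = coredns, 172.20.1.3 = coredns-federation-v0 (see federation-v0/federator.yaml)` records that coupling. Dropping the `redis` service (container `demo_wire_redis`) while federation-v0.yaml adds a different service with the same name should be called out in the commit message, since any config that still resolves `demo_wire_redis` will now fail at start-up.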
@@ -71,3 +71,156 @@ services: - AWS_SECRET_ACCESS_KEY=dummysecret - RABBITMQ_USERNAME=${RABBITMQ_USERNAME} - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD} + + cargohold: + container_name: cargohold-federation-v0 + image: quay.io/wire/cargohold:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/cargohold/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21084:8080' + depends_on: + aws_cli: + condition: service_completed_successfully + + environment: + - AWS_REGION=eu-west-1 + - AWS_ACCESS_KEY_ID=dummykey + - AWS_SECRET_ACCESS_KEY=dummysecret + + gundeck_schema: + container_name: gundeck-schema-federation-v0 + image: quay.io/wire/gundeck-schema:4.38.51 + command: --host cassandra --keyspace gundeck_test_federation_v0 --replication-factor 1 + depends_on: + cassandra: + condition: service_healthy + networks: + - demo_wire + + gundeck: + container_name: gundeck-federation-v0 + image: quay.io/wire/gundeck:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/gundeck/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21086:8080' + depends_on: + gundeck_schema: + condition: service_completed_successfully + aws_cli: + condition: service_completed_successfully + redis: + condition: service_started + + environment: + - AWS_REGION=eu-west-1 + - AWS_ACCESS_KEY_ID=dummykey + - AWS_SECRET_ACCESS_KEY=dummysecret + + spar_schema: + container_name: spar-schema-federation-v0 + image: quay.io/wire/spar-schema:4.38.51 + command: --host cassandra --keyspace spar_test_federation_v0 --replication-factor 1 + depends_on: + cassandra: + condition: service_healthy + networks: + - demo_wire + + spar: + container_name: spar-federation-v0 + image: quay.io/wire/spar:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/spar/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21088:8080' + depends_on: + spar_schema: + condition: service_completed_successfully + + cannon: + container_name: cannon-federation-v0 + image: quay.io/wire/cannon:4.38.0-mandarin.14 + volumes: + - 
./federation-v0:/etc/wire/cannon/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21083:8080' + + federator: + container_name: federator-federation-v0 + image: quay.io/wire/federator:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/federator/conf + networks: + - demo_wire + - coredns + ports: + - '127.0.0.1:21097:8080' + - '127.0.0.1:21098:8081' + depends_on: + coredns-federation-v0: + condition: service_started + + background_worker: + container_name: background-worker-federation-v0 + image: quay.io/wire/background-worker:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/background-worker/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21089:8080' + depends_on: + init_vhosts: + condition: service_completed_successfully + environment: + - RABBITMQ_USERNAME=${RABBITMQ_USERNAME} + - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD} + + redis: + container_name: redis-federation-v0 + image: redis:6.0-alpine + networks: + - demo_wire + + coredns-federation-v0: + image: docker.io/coredns/coredns:1.8.4 + volumes: + - ./federation-v0/coredns-config:/coredns-config + entrypoint: + - /coredns + - -conf + - /coredns-config/Corefile + networks: + coredns: + ipv4_address: 172.20.1.3 + + proxy: + container_name: proxy-federation-v0 + image: quay.io/wire/proxy:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/proxy/conf + networks: + - demo_wire + ports: + - '127.0.0.1:21087:8080' + + nginz: + container_name: nginz-federation-v0 + image: quay.io/wire/nginz:4.38.0-mandarin.14 + volumes: + - ./federation-v0:/etc/wire/ + networks: + - demo_wire + ports: + - '127.0.0.1:21080:8080' + - '127.0.0.1:21443:8443' diff --git a/deploy/dockerephemeral/federation-v0/background-worker.yaml b/deploy/dockerephemeral/federation-v0/background-worker.yaml new file mode 100644 index 0000000000..c2274e45f0 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/background-worker.yaml 
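Review bot: The `nginz` service mounts the whole config directory with `- ./federation-v0:/etc/wire/`, so the one container that exposes a TLS port to the host also receives the zauth private keys, the MLS and JWT private keys, the OAuth JWK and the TURN/Twilio secrets that sit in the same directory, although it only needs `nginz/` and the zauth public keys; every other service mounts the same directory and likewise sees its siblings' secrets. Mounting only what each container reads keeps the test setup close to a real wiring, e.g. `- ./federation-v0/nginz:/etc/wire/nginz` plus `- ./federation-v0/zauth-pubkeys.txt:/etc/wire/zauth-pubkeys.txt:ro` (the in-container path has to match what nginx.conf expects; confirm). The `federator` entry maps `'127.0.0.1:21097:8080'` for the internal API, whereas federator.yaml in this series binds `federatorInternal` to port 8090, so one of the two needs adjusting.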
@@ -0,0 +1,27 @@ +logLevel: Debug + +backgroundWorker: + host: 0.0.0.0 + port: 8080 + +federatorInternal: + host: federator + port: 8080 + +galley: + host: galley + port: 8080 + +brig: + host: brig + port: 8080 + +rabbitmq: + host: rabbitmq + port: 5672 + vHost: federation-v0 + adminPort: 15672 + +backendNotificationPusher: + pushBackoffMinWait: 1000 + pushBackoffMaxWait: 1000000 diff --git a/deploy/dockerephemeral/federation-v0/cannon.yaml b/deploy/dockerephemeral/federation-v0/cannon.yaml new file mode 100644 index 0000000000..1764932cbd --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/cannon.yaml @@ -0,0 +1,25 @@ +# Example yaml-formatted configuration for cannon used in integration tests + +# cannon can be started with a config file (e.g. ./dist/cannon -c cannon.yaml.example) + +cannon: + host: 0.0.0.0 + port: 8080 + + # Each cannon instance advertises its own location (ip or dns name) to gundeck. + # Either externalHost or externalHostFile must be set (externalHost takes precedence if both are defined) + # externalHostFile expects a file with a single line containing the IP or dns name of this instance of cannon + externalHost: cannon + #externalHostFile: /etc/wire/cannon/cannon-host.txt + +gundeck: + host: gundeck + port: 8080 + +drainOpts: + gracePeriodSeconds: 1 + millisecondsBetweenBatches: 500 + minBatchSize: 5 + +logLevel: Warn +logNetStrings: false diff --git a/deploy/dockerephemeral/federation-v0/cargohold.yaml b/deploy/dockerephemeral/federation-v0/cargohold.yaml new file mode 100644 index 0000000000..7b70f80418 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/cargohold.yaml 
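Review bot: `logLevel: Debug` at the top of background-worker.yaml differs from the `Warn` used by every other v0 service config in this series (brig, galley, cannon, cargohold, federator); if the verbose level is deliberate for watching the backend-notification pusher, a comment saying so (`# Debug on purpose: the pusher's federation traffic is what these tests exercise`) stops it being "fixed" later, otherwise `logLevel: Warn` keeps the set consistent. `pushBackoffMinWait: 1000` and `pushBackoffMaxWait: 1000000` carry no unit; a trailing comment with the unit the worker expects (I cannot tell from here) would save a source lookup.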
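Review bot: The header comment in cannon.yaml, `# cannon can be started with a config file (e.g. ./dist/cannon -c cannon.yaml.example)`, is copied from the example config and refers to a file name that does not exist at this path; under deploy/dockerephemeral/federation-v0/ this is the live config mounted into the cannon-federation-v0 container. Replacing the two header lines with `# Config for the cannon instance of the federation-v0 test backend (mounted by deploy/dockerephemeral/federation-v0.yaml)` says what the file is actually for. `externalHost: cannon` is what gundeck is told to dial; a short comment that this resolves to the compose service name on the demo_wire network would make the value less surprising.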
@@ -0,0 +1,28 @@
+cargohold:
+ host: 0.0.0.0
+ port: 8080
+
+federator:
+ host: 127.0.0.1
+ port: 8080
+
+aws:
+ s3Bucket: dummy-bucket-federation-v0 # <-- insert-bucket-name-here
+ s3Endpoint: http://fake_s3:4570 # https://s3-eu-west-1.amazonaws.com:443
+ # s3DownloadEndpoint: http://fake-s3:4570
+ # ^ When not using a real S3 service, we may need to use a different,
+ # publicly accessible endpoint for downloading assets.
+ #
+ # If you want to use cloudfront for asset downloads
+ # cloudFront:
+ # domain:
+ # keyPairId:
+ # privateKey: cf-pk.pem
+
+settings:
+ maxTotalBytes: 27262976
+ downloadLinkTTL: 300 # Seconds
+ federationDomain: example.com
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/coredns-config/Corefile b/deploy/dockerephemeral/federation-v0/coredns-config/Corefile
new file mode 100644
index 0000000000..7bf495f2e8
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/coredns-config/Corefile
@@ -0,0 +1,4 @@
+example.com {
+ file /coredns-config/db.example.com
+ log
+}
\ No newline at end of file
diff --git a/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com b/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com
new file mode 100644
index 0000000000..448d8b5f59
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com
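Review bot: `federator.host: 127.0.0.1` points cargohold at its own container, whereas every other service config in this fixture addresses the federator by its compose service name (`host: federator`), so federated asset fetches from the v0 backend would get connection refused. Change it to `host: federator` and keep `port` equal to `federatorInternal.port` in `federator.yaml`. `s3Endpoint: http://fake_s3:4570` (underscore) differs from the commented example `fake-s3` two lines below; confirm which hostname the compose S3 stub actually answers to.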
@@ -0,0 +1,20 @@ +$ORIGIN example.com. +@ 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. ( + 2017042745 ; serial + 7200 ; refresh (2 hours) + 3600 ; retry (1 hour) + 1209600 ; expire (2 weeks) + 3600 ; minimum (1 hour) + ) + + 3600 IN NS a.iana-servers.net. + 3600 IN NS b.iana-servers.net. + +www IN A 127.0.0.1 + IN AAAA ::1 +_wire-server-federator._tcp IN SRV 0 0 8443 host.docker.internal. +_wire-server-federator._tcp.b IN SRV 0 0 9443 host.docker.internal. +_wire-server-federator._tcp.d1 IN SRV 0 0 10443 host.docker.internal. +_wire-server-federator._tcp.d2 IN SRV 0 0 11443 host.docker.internal. +_wire-server-federator._tcp.d3 IN SRV 0 0 12443 host.docker.internal. +_wire-server-federator._tcp.v0 IN SRV 0 0 21443 host.docker.internal. diff --git a/deploy/dockerephemeral/federation-v0/federator.yaml b/deploy/dockerephemeral/federation-v0/federator.yaml new file mode 100644 index 0000000000..f0dded7fe9 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/federator.yaml @@ -0,0 +1,29 @@ +federatorInternal: + host: 0.0.0.0 + port: 8090 +federatorExternal: + host: 0.0.0.0 + port: 8081 +brig: + host: brig + port: 8080 +cargohold: + host: cargohold + port: 8080 +galley: + host: galley + port: 8080 + +logLevel: Warn +logNetStrings: false + +optSettings: + # Filepath to one or more PEM-encoded server certificates to use as a trust + # store when making requests to remote backends + remoteCAStore: "/etc/wire/federator/conf/integration-ca.pem" + useSystemCAStore: false + clientCertificate: "/etc/wire/federator/conf/integration-leaf.pem" + clientPrivateKey: "/etc/wire/federator/conf/integration-leaf-key.pem" + tcpConnectionTimeout: 5000000 + dnsHost: 172.20.1.3 + dnsPort: 53 diff --git a/deploy/dockerephemeral/federation-v0/gundeck.yaml b/deploy/dockerephemeral/federation-v0/gundeck.yaml new file mode 100644 index 0000000000..4dd4a6e2bf --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/gundeck.yaml 
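Review bot: All SRV targets resolve to `host.docker.internal.`, which on Docker Engine for Linux is undefined unless the resolving container declares `extra_hosts: ["host.docker.internal:host-gateway"]`; the `federator` service in `federation-v0.yaml` has no such entry, so confirm the lookup works outside Docker Desktop. The `.v0` record's port 21443 must stay equal to the nginz mapping `127.0.0.1:21443:8443` in the compose file; a zone comment `; 21443 = host port of nginz-federation-v0, see federation-v0.yaml` would document that coupling. The SOA/NS records copied from the IANA example zone are inert here, which a comment could also state.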
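Review bot: `federatorInternal.port: 8090` disagrees with the rest of the fixture: `background-worker.yaml` reaches the internal API at `federator:8080`, `cargohold.yaml` uses port 8080, and the compose file publishes the federator container's ports 8080 and 8081, so internal calls would hit a closed port. Unless brig and galley (not in view) are configured for 8090, change it to `port: 8080`. `dnsHost: 172.20.1.3` hard-codes the address assigned to `coredns-federation-v0` in the compose file; a comment `# static IP of coredns-federation-v0 on the coredns network (federation-v0.yaml)` would tie the two together.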
@@ -0,0 +1,45 @@ +gundeck: + host: 0.0.0.0 + port: 8080 + +brig: + host: brig + port: 8080 + +cassandra: + endpoint: + host: demo_wire_cassandra + port: 9042 + keyspace: gundeck_test_federation_v0 + # filterNodesByDatacentre: datacenter1 + +redis: + host: redis-federation-v0 + port: 6379 + connectionMode: master + +# redisAdditionalWrite: +# host: 127.0.0.1 +# port: 6379 +# connectionMode: master + +aws: + queueName: integration-gundeck-events-federation-v0 + region: eu-west-1 + account: "123456789012" # Default account nr used by localstack + arnEnv: integration + sqsEndpoint: http://demo_wire_sqs:4568 # https://sqs.eu-west-1.amazonaws.com + snsEndpoint: http://demo_wire_sns:4575 # https://sns.eu-west-1.amazonaws.com + +settings: + httpPoolSize: 1024 + notificationTTL: 24192200 + bulkPush: true + perNativePushConcurrency: 32 + sqsThrottleMillis: 1000 + maxConcurrentNativePushes: + hard: 30 # more than this number of threads will not be allowed + soft: 10 # more than this number of threads will be warned about + +logLevel: Warn +logNetStrings: false diff --git a/deploy/dockerephemeral/federation-v0/integration-ca.pem b/deploy/dockerephemeral/federation-v0/integration-ca.pem new file mode 100644 index 0000000000..e0b211b371 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/integration-ca.pem 
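Review bot: `redis.host: redis-federation-v0` is the container_name rather than the compose service name `redis` that every other host in this fixture uses; resolving by container name works on a user-defined network, and it is presumably deliberate so that this backend does not pick up another `redis` on the shared `demo_wire` network, but nothing says so. Add `# container_name, not service name: avoids clashing with the main compose "redis" on demo_wire` above it, or rename the service so both forms agree.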
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAjCCAeqgAwIBAgIUGAGMageZja7d2r8voH2QcxF+z4cwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN +MjgxMTE5MTEwNzAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9adDVOHzHOMn64E/YsgDVwktAKp535 +N2HIl1g+8kKRCGy3rNUv4I91EtmnGoZXIEkwzuCRgU4p3SzNqCsNCLXcTfquje7g +zEPnRM4+xs+YfAQcn2BhROlx6PC+zUJrBYK4K3dNQpMXOYE1cu5M9FyJ7XLXo11Z +ZnCigTwkvr2xD9is+ZYJ0jVZVCNSkIjbqRrLqzbYQx+vwTlI9ixWuKoV4lQtYs5O +JoryvIhvKIlRwcmoh2ZtqWFhKsDoiqNKshfeSlCfqL8aD54dzUlpCjxezPq5bdpm +Uj7o6dLLj1tInKuqFNOI+DHnqwxmtT9KYgXdHsP2EldEmPn4aH5MS0ECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOrl +oSUQH72FPazbx5cV59y+LFawMA0GCSqGSIb3DQEBCwUAA4IBAQARUQWt7vaDIOZH +2ZmxKjYObH1yhGsNcq8UpP3D5H1PvnxWTIodW30P1sSmnpBMoWCCW8MOzX9HL9PI +tpSkDT4j7//EClStTnRNO1GdyMxaL7vQ0LXl/aVT8lfpw7MpUv+nQYJgpN7MpI4b +TZM+Dx9KoKMqtHBSX6eqgVd54dqnyw/3twDc4jZAwJ4ZogXCABfJFNH7Tiu/PUET +8RP8Gn0vUgNkvznYGCwMaAGbY+ihlKeqUZmpdTyq/A82wOmBLmPpDthg7+6U7kGs +zLwkR6wwCkwLM/KjHQ9WW1ggPT1oPsGU8EDwl/qxu896HP6s12vuAyY1WwsTuiI3 +vD1lYlAF +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem new file mode 100644 index 0000000000..f0e536bde0 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAp9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQ +fzT7zEdtl3sAwtE3IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4 +Nlh0L+4qP+HNJbI4MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQ +l+3Yep1nQV9QRqShrnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYu +qcj5EpiM+xc58ns3E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8 +cnFUU/2CzCCi0UAZllEUkUefvDYrliYLyetSSwIDAQABAoIBABzJsMMvvR8dtWdI +eKsmF6cDXu+Y6AGOxxAI0Edm3a82lanl47+ObSsLjacQeH7yuIwbVC/QNkXjCvm2 +gNdjO2TK0U/n537BoSwJpqvSmUYQnz2BKftYjQWzyxeOOkyfF7iu+qUq6PCsjG01 +0iaWGduY6isudtZecRdHbqt7lgkNNcvFKKLbjuVmKDzrKicnSg6Fj/O00or8JMMX +Z/lBz7r35VDbQtahUIuqT1Y8lzCs4nq4KAoGCup48AMANgsI5+G5/e5wqdFUuP6/ +kFc2molEgF5/IogqlyxxizQduU9mQrTu7f1BQYDhVlCODU5XVGSsg/XXdNQRGU0N +07LNkyECgYEAzLc4FSKwXll3825m90RYj3DKN6oJOiSGgoJiyP0DPo1OwodFb1gk +vOdLU0B53vgxkeSy34qvHW43BptT/Wa4cbiTs8gpovtqaNAJRL3dUdp39mlcqS8i +lx6T8TLZ+t8DP90auU/VXTFn+XkSOJkHxvwk4oj2zy5U164OkNmrU2kCgYEA0d2S +L89SHSdFS60AHHlznvl8Mp7xMOoYwYxrp4GftdFc5aSG00p95DaORmU0FV43HnXb +dJmFIxaP1OR4qHSmDsHTjaHhCMzzXN8rLPaatcIcGCEeUwloI1HGMcAlK63c//i/ +POoPuDyGV93dUnuE0asjwWUxMTVYZJJxuvVSZZMCgYBP1ni5zXCJK01bk8f2USJU +tsE2mkrE8S/AQEd0aTBVudhoh0buGKsjPPUkf7XH3nW+lzmncre+u5gcLIHCBsiS +GVEJQVvzoyepvtCOjZl97bzxTcAEf0x3MUazP4jBjS4APyPH97mXgcgyBCS2DAB7 +eySLcK0IueH+x3QIy8tEWQKBgHXiXTRn43smzQD2O6LDAhRhlcclitvsE13dD7e2 +00yhPupr4aQcKt0fXAnk3T3Hf3SnxU8Y0TVlfgObFr+hTonpjHj5XlvALE+VuD34 +g+znDTrsl4kTNqDoVUkq4nZHomVSh7Gi1JOrw9bldGXZpkDUPjBrNBetHGrZ6/KV +zOPrAoGAdZZMAgIBzEop9mA/ApHuPlVO43VnqJPo8nYeQ2bEsjU3KI0TfqcbUjgG +8c4sJRw0xcV8F1Y9MaQhOHPl++c/6HTfQNEtNEsB5JDKqToExUll2x+07AAbQQ+h +6Qhk+DBImTCzoOemYYhlAvrvEZw/onYTKQAjudGT6BdshRg56cw= +-----END RSA PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf.pem b/deploy/dockerephemeral/federation-v0/integration-leaf.pem new file mode 100644 index 0000000000..3e8ba2f3b9 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/integration-leaf.pem 
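Review bot: An RSA private key is committed in clear, and the same key serves both ends of the mTLS handshake in this fixture: nginz loads it as its server key (`ssl_certificate_key /etc/wire/integration-leaf-key.pem`) and federator as its client key (`clientPrivateKey`). That is acceptable only because `integration-ca.pem` is a throwaway test CA; make the fixture status obvious to reviewers and secret scanners by naming these files in the README and in whatever scanner allowlist the repository keeps, so a future leak of a real key is not dismissed as "another test fixture".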
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcjCCAlqgAwIBAgIUfT3hrFYCO/wnKZCc0SRIM0j/3JQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN +MjQxMTIwMTEwNzAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +p9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQfzT7zEdtl3sAwtE3 +IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4Nlh0L+4qP+HNJbI4 +MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQl+3Yep1nQV9QRqSh +rnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYuqcj5EpiM+xc58ns3 +E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8cnFUU/2CzCCi0UAZ +llEUkUefvDYrliYLyetSSwIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E +FgQUM1QB4eHYCLRO2pyYA5PXUQN+ZVwwHwYDVR0jBBgwFoAU6uWhJRAfvYU9rNvH +lxXn3L4sVrAwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv +bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF +AAOCAQEArYqKia5b/zZ12CrPdXsrf0qjEKDshy0gGo/WPPC5dbLG6yu3i5gktdsB +jEL6AF0rkL+RhBwH9ICXbMfNlM21laddsg6SVi1EWFUHLgII6+wiArQGc1BUGltt +f+9Ggu1eZ/pN8DvI6yiE4sUrN3MZQOmMDpyAOTETgeTg/Hqr2f854zSebN1ILMTi +b2LYC1d8CfblEUTTI2VNkakbrAVcrPQS/Dj8uqxs7CBSke0jxdkXXecS/2cHatGg +2iAd0GLOYtQxQr1v/qtNqJeAKQ3qQ0tEmQXv+ksqU4IDjcjMoSQ0p5uguJd6NFF6 +oroZ73cn0+l428+iR5crB7GCbsC7og== +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/README.md b/deploy/dockerephemeral/federation-v0/nginz/conf/README.md new file mode 100644 index 0000000000..c8e81957c6 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/README.md @@ -0,0 +1,7 @@ +# How to regenerate certificates in this directory + +Run from this directory: + +```bash +../../../../../hack/bin/selfsigned.sh +``` diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf new file mode 100644 index 0000000000..1b8a947f43 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf 
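Review bot: Decoding the validity field in this certificate suggests notAfter 2024-11-20, one year after issuance while the CA runs to 2028 — confirm with `openssl x509 -noout -dates`; when it lapses the v0 backend will fail with an opaque TLS handshake error, so document the expiry and the regeneration command somewhere the next maintainer will look. The README added under `nginz/conf` says to regenerate "certificates in this directory", but the PEM files live one level up in `federation-v0/`, where nginz (`/etc/wire/`) and federator both read them; adjust the README path or move the files so the instruction is correct.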
@@ -0,0 +1,38 @@ + # remove access_token from logs, see 'Note sanitized_request'. + set $sanitized_request $request; + if ($sanitized_request ~ (.*)access_token=[^&]*(.*)) { + set $sanitized_request $1access_token=****$2; + } + + # Should be overriden when using websockets + proxy_set_header Connection ""; + proxy_set_header Z-Type $zauth_type; + proxy_set_header Z-User $zauth_user; + proxy_set_header Z-Client $zauth_client; + proxy_set_header Z-Connection $zauth_connection; + proxy_set_header Z-Provider $zauth_provider; + proxy_set_header Z-Bot $zauth_bot; + proxy_set_header Z-Conversation $zauth_conversation; + proxy_set_header Request-Id $request_id; + + # NOTE: This should only be used on endpoints where credentials are needed + more_set_headers 'Access-Control-Allow-Credentials: true'; + # NOTE: This allows all origins, you may want to tune this value + more_set_headers 'Access-Control-Allow-Origin: $http_origin'; + more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location'; + more_set_headers 'Request-Id: $request_id'; + more_set_headers 'Strict-Transport-Security: max-age=31536000; preload'; + + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS"; + add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"; + add_header 'Content-Type' 'text/plain; charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + + + proxy_http_version 1.1; + + # NOTE: You may want to tune this + client_max_body_size 64M; diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf new file mode 100644 index 0000000000..4277ede8c0 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf 
@@ -0,0 +1,2 @@
+ zauth off;
+ include common_response.conf;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf
new file mode 100644
index 0000000000..699dd263b3
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf
@@ -0,0 +1,3 @@
+ include common_response.conf;
+ proxy_set_header Authorization "";
+ proxy_set_header Z-Host $host;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf
new file mode 100644
index 0000000000..baae352c92
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf
@@ -0,0 +1,19 @@
+# plain TCP/http listening for integration tests only.
+listen 8080;
+listen 8081;
+
+# for nginx-without-tls, we need to use a separate port for http2 traffic,
+# as nginx cannot handle unencrypted http1 and http2 trafic on the same
+# port.
+# This port is only used for trying out nginx http2 forwarding without TLS locally and should not
+# be ported to any production nginz config.
+listen 8090 http2;
+
+######## TLS/SSL block start ##############
+#
+# Most integration tests simply use the http ports 8080 and 8081
+# But to also test tls forwarding, this port can be used.
+# This applies only locally, as for kubernetes (helm chart) based deployments,
+# TLS is terminated at the ingress level, not at nginz level
+listen 8443 ssl http2;
+listen [::]:8443 ssl http2;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf
new file mode 100644
index 0000000000..b05c0cbe94
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf
@@ -0,0 +1,496 @@ +worker_processes 4; +worker_rlimit_nofile 1024; +include pid.conf; # for easy overriding + +# nb. start up errors (eg. misconfiguration) may still end up in /$(LOG_PATH)/error.log +error_log stderr warn; + +events { + worker_connections 1024; + multi_accept off; +} + +http { + # + # Some temporary paths (by default, will use the `prefix` path given when starting nginx) + # + + client_body_temp_path /tmp; + fastcgi_temp_path /tmp; + proxy_temp_path /tmp; + scgi_temp_path /tmp; + uwsgi_temp_path /tmp; + + # + # Sockets + # + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + # + # Timeouts + # + + client_body_timeout 60; + client_header_timeout 60; + keepalive_timeout 75; + send_timeout 60; + + ignore_invalid_headers off; + + types_hash_max_size 2048; + + server_names_hash_bucket_size 64; + server_name_in_redirect off; + + large_client_header_buffers 4 8k; + + + # + # Security + # + + server_tokens off; + + # + # Logging + # + # Note sanitized_request: + # We allow passing access_token as query parameter for e.g. websockets + # However we do not want to log access tokens. 
+ # + + log_format custom_zeta '$remote_addr - $remote_user [$time_local] "$sanitized_request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" - $connection $request_time $upstream_response_time $upstream_cache_status $zauth_user $zauth_connection $request_id $proxy_protocol_addr'; + access_log /dev/stdout custom_zeta; + + # + # Monitoring + # + vhost_traffic_status_zone; + + # + # Gzip + # + + gzip on; + gzip_disable msie6; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_min_length 1024; + gzip_types 'text/plain text/css application/json text/xml'; + + # + # Proxied Upstream Services + # + + include ../upstreams; + + # + # Mapping for websocket connections + # + + map $http_upgrade $connection_upgrade { + websocket upgrade; + default ''; + } + + + + # + # Locations + # + + server { + include integration.conf; + + # self-signed certificates generated using wire-server/hack/bin/selfsigned.sh + ssl_certificate /etc/wire/integration-leaf.pem; + ssl_certificate_key /etc/wire/integration-leaf-key.pem; + + ssl_verify_client on; + ssl_client_certificate /etc/wire/integration-ca.pem; + ######## TLS/SSL block end ############## + + zauth_keystore /etc/wire/zauth-pubkeys.txt; + zauth_acl /etc/wire/nginz/conf/zauth_acl.txt; + # needs to be kept in sync with services/brig/test/resources/oauth/ed25519.jwk + oauth_pub_key /etc/wire/oauth-ed25519_public.jwk; + + location /status { + set $sanitized_request $request; + zauth off; + return 200; + } + + location /i/status { + set $sanitized_request $request; + zauth off; + return 200; + } + + location /vts { + set $sanitized_request $request; + zauth off; + vhost_traffic_status_display; + vhost_traffic_status_display_format html; + } + + # + # Service Routing + # + + # Federator endpoints: expose the federatorExternal port (Inward service) + location /federation { + set $sanitized_request $request; + zauth off; + + proxy_set_header 
"X-SSL-Certificate" $ssl_client_escaped_cert; + proxy_pass http://federator_external; + + # FUTUREWORK(federation): are any other settings + # (e.g. timeouts, body size, buffers, headers,...) + # useful/recommended/important-for-security?) + } + + # Brig Endpoints + # + ## brig unauthenticated endpoints + + location ~* ^(/v[0-9]+)?/api/swagger-ui { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/api/swagger.json { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/api-internal/swagger-ui { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/api-internal/swagger.json { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /register { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /access { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /activate { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /login { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/teams/invitations/([^/]*)$ { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /verification-code/send { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + ## brig authenticated endpoints + + location ~* ^(/v[0-9]+)?/self$ { + include common_response_with_zauth.conf; + oauth_scope self; + proxy_pass http://brig; + } + + location /users { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /list-users { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /search { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /list-connections { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* 
^/teams/([^/]+)/search$ { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /connections { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/clients { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/mls/key-packages { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /properties { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /calls/config { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^/teams/([^/]*)/size$ { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/system/settings/unauthorized$ { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^(/v[0-9]+)?/system/settings$ { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^/oauth/clients/([^/]*)$ { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location ~* ^/oauth/authorization/codes$ { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + location /oauth/token { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /oauth/revoke { + include common_response_no_zauth.conf; + proxy_pass http://brig; + } + + location /oauth/applications { + include common_response_with_zauth.conf; + proxy_pass http://brig; + } + + # Cargohold Endpoints + + location /assets { + include common_response_with_zauth.conf; + proxy_pass http://cargohold; + } + + location /bot/assets { + include common_response_with_zauth.conf; + proxy_pass http://cargohold; + } + + location /provider/assets { + include common_response_with_zauth.conf; + proxy_pass http://cargohold; + } + + # Galley Endpoints + + location ~* ^(/v[0-9]+)?/legalhold/conversations/(.*)$ { + include 
common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/conversations$ { + include common_response_with_zauth.conf; + oauth_scope conversations; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/conversations/([^/]*)/code { + include common_response_with_zauth.conf; + oauth_scope conversations_code; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/conversations.* { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/conversations/([^/]*)/otr/messages { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/conversations/([^/]*)/([^/]*)/proteus/messages { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location /broadcast { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location /bot/conversation { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location /bot/messages { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams$ { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)$ { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)/members(.*) { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)/conversations(.*) { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)/features { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)/features/([^/]*) { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/feature-configs$ { + include common_response_with_zauth.conf; + oauth_scope feature_configs; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/feature-configs(.*) { + 
include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)/legalhold(.*) { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^/teams/([^/]*)/members/csv$ { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location /mls/welcome { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location /mls/messages { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/mls/commit-bundles { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + location ~* ^(/v[0-9]+)?/mls/public-keys { + include common_response_with_zauth.conf; + proxy_pass http://galley; + } + + # Gundeck Endpoints + + location /push { + include common_response_with_zauth.conf; + proxy_pass http://gundeck; + } + + location /presences { + include common_response_with_zauth.conf; + proxy_pass http://gundeck; + } + + location ~* ^(/v[0-9]+)?/notifications$ { + include common_response_with_zauth.conf; + proxy_pass http://gundeck; + } + + # Proxy Endpoints + + location /proxy { + include common_response_with_zauth.conf; + proxy_pass http://proxy; + } + + # Cannon Endpoints + + location /await { + include common_response_with_zauth.conf; + proxy_pass http://cannon; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_read_timeout 1h; + } + + # Spar Endpoints + + location /sso { + include common_response_no_zauth.conf; + proxy_pass http://spar; + } + + location /identity-providers { + include common_response_with_zauth.conf; + proxy_pass http://spar; + } + } +} diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf new file mode 100644 index 0000000000..e722aa5ae2 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf @@ -0,0 +1 @@ +pid /tmp/nginz.pid; 
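Review bot: `oauth_pub_key /etc/wire/oauth-ed25519_public.jwk;` in the server block names a file I could not find among the files this patch adds under `federation-v0/`, and nginz's only mount is `./federation-v0:/etc/wire/`, so nginz would refuse to start at config load unless that file is produced elsewhere; confirm the filename, or add the public JWK next to `zauth-pubkeys.txt` as the adjacent comment about `services/brig/test/resources/oauth/ed25519.jwk` implies. `ssl_verify_client on` is set at server scope, so every request on the 8443 listeners must present a certificate signed by `integration-ca.pem`, not only `/federation`; a comment stating that this is intended for the fixture would prevent someone "fixing" it. `gzip_types 'text/plain text/css application/json text/xml'` passes one quoted string as a single MIME type and therefore matches nothing; it should read `gzip_types text/plain text/css application/json text/xml;`.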
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt b/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt new file mode 100644 index 0000000000..3b644bf3d9 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt @@ -0,0 +1,15 @@ +a (blacklist (regex "(/v[0-9]+)?/provider(/.*)?") + (regex "(/v[0-9]+)?/bot(/.*)?") + (regex "(/v[0-9]+)?/i/.*")) + +b (whitelist (regex "(/v[0-9]+)?/bot(/.*)?")) + +p (whitelist (regex "(/v[0-9]+)?/provider(/.*)?")) + +# LegalHold Access Tokens +# FUTUREWORK: remove /legalhold/conversations/ when support for v1 dropped +la (whitelist (regex "(/v[0-9]+)?/notifications") + (regex "(/v[0-9]+)?/assets/v3/.*") + (regex "(/v[0-9]+)?/users(/.*)?") + (regex "(/v[0-9]+)?/legalhold/conversations/[^/]+") + (regex "(/v[0-9]+)?/conversations/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")) diff --git a/deploy/dockerephemeral/federation-v0/nginz/upstreams b/deploy/dockerephemeral/federation-v0/nginz/upstreams new file mode 100644 index 0000000000..a3e6afada3 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/upstreams @@ -0,0 +1,38 @@ +upstream cargohold { + least_conn; + keepalive 32; + server cargohold:8080 max_fails=3 weight=1; +} +upstream gundeck { + least_conn; + keepalive 32; + server gundeck:8080 max_fails=3 weight=1; +} +upstream cannon { + least_conn; + keepalive 32; + server cannon:8080 max_fails=3 weight=1; +} +upstream galley { + least_conn; + keepalive 32; + server galley:8080 max_fails=3 weight=1; +} +upstream proxy { + least_conn; + keepalive 32; + server proxy:8080 max_fails=3 weight=1; +} +upstream brig { + least_conn; + keepalive 32; + server brig:8080 max_fails=3 weight=1; +} +upstream spar { + least_conn; + keepalive 32; + server spar:8080 max_fails=3 weight=1; +} +upstream federator_external { + server federator:8081 max_fails=3 weight=1; +} 
diff --git a/deploy/dockerephemeral/federation-v0/proxy.config b/deploy/dockerephemeral/federation-v0/proxy.config
new file mode 100644
index 0000000000..d2225ca26c
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/proxy.config
@@ -0,0 +1,8 @@
+secrets {
+ youtube = "my-youtube-secret"
+ googlemaps = "my-googlemaps-secret"
+ soundcloud = "my-soundcloud-secret"
+ giphy = "my-giphy-secret"
+ # Base64 encoded client ID and secret: `Bearer id:secret`:
+ spotify = "my-spotify-secret"
+}
diff --git a/deploy/dockerephemeral/federation-v0/proxy.yaml b/deploy/dockerephemeral/federation-v0/proxy.yaml
new file mode 100644
index 0000000000..dc91440dd1
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/proxy.yaml
@@ -0,0 +1,18 @@
+# Example yaml-formatted configuration for proxy
+# proxy can be started with a config file (e.g. ./dist/proxy -c proxy.yaml.example)
+
+host: 0.0.0.0
+port: 8087
+
+# number of connections for the http pool
+httpPoolSize: 1000
+
+# maximum number of incoming connections
+maxConns: 5000
+
+# File containing upstream secrets.
+secretsConfig: /etc/wire/proxy/conf/proxy.config
+
+# Logging settings
+logLevel: Info
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/spar.yaml b/deploy/dockerephemeral/federation-v0/spar.yaml
new file mode 100644
index 0000000000..9ffbe4784f
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/spar.yaml
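Review bot: `port: 8087` does not match what the rest of the fixture expects: nginz's `upstreams` file sends traffic to `proxy:8080` and the compose service publishes `127.0.0.1:21087:8080`, so every `/proxy` request would fail. Change it to `port: 8080` (or adjust both consumers). The values in `proxy.config` are obvious placeholders; a leading comment such as `# dummy upstream credentials for the federation-v0 test backend; never real secrets` would make that explicit for anyone grepping for secrets in the tree.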
@@ -0,0 +1,42 @@ +saml: + version: SAML2.0 + logLevel: Warn + + spHost: 0.0.0.0 + spPort: 8080 + # TODO: change these + spAppUri: http://localhost:8080/ + spSsoUri: http://localhost:8080/sso + + contacts: + - type: ContactBilling + company: evil corp. + givenName: Dr. + surname: Girlfriend + email: email:president@evil.corp + +brig: + host: brig + port: 8080 + +galley: + host: galley + port: 8080 + +cassandra: + endpoint: + host: demo_wire_cassandra + port: 9042 + keyspace: spar_test_federation_v0 + filterNodesByDatacentre: datacenter1 + +# Wire/AWS specific, optional +# discoUrl: "https://" + +maxttlAuthreq: 5 # seconds. don't set this too large, it is also the run time of one TTL test. +maxttlAuthresp: 7200 # seconds. do not set this to 1h or less, as that is what the mock idp wants. + +maxScimTokens: 2 # Token limit {#RefScimToken} +richInfoLimit: 5000 # should be in sync with Brig + +logNetStrings: False # log using netstrings encoding (see http://cr.yp.to/proto/netstrings.txt) diff --git a/deploy/dockerephemeral/init.sh b/deploy/dockerephemeral/init.sh index f10067319a..b697dd9169 100755 --- a/deploy/dockerephemeral/init.sh +++ b/deploy/dockerephemeral/init.sh 
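Review bot: `logNetStrings: False` uses the capitalised YAML 1.1 boolean while every other config in this fixture writes `false`; keep it `logNetStrings: false` so it parses the same under 1.2-only loaders and yamllint's truthy rule. `spAppUri`/`spSsoUri` carry `# TODO: change these` without saying to what; in this fixture nginz is published at `127.0.0.1:21080`, so either point them there or replace the TODO with a comment stating that SSO is not exercised on the v0 backend.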
@@ -1,58 +1,58 @@
 #!/usr/bin/env sh
-exec_until_ready() {
- until $1; do echo 'service not ready yet'; sleep 1; done
-}
-
-# Assumes this to be run in an environment with `aws` installed
-# Keep these in sync with .envrc
-echo 'Creating AWS resources'
-aws configure set aws_access_key_id dummykey
-aws configure set aws_secret_access_key dummysecret
-aws configure set region eu-west-1
-
-# Potentially delete pre-existing tables
-echo -n "waiting for dynamo: "
-while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamodb list-tables); do
- sleep 1;
-done
-echo " [ok!]"
-
-for suffix in "" "2" "3" "4" "5" "-federation-v0"; do
- aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true
- aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true
-
- # Create Dynamo/SQS resources
- exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-userkey-blacklist$suffix --attribute-definitions AttributeName=key,AttributeType=S --key-schema AttributeName=key,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5"
- exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-prekeys$suffix --attribute-definitions AttributeName=client,AttributeType=S --key-schema AttributeName=client,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5"
-
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events$suffix"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events$suffix --attributes VisibilityTimeout=1"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events-internal$suffix"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events-internal$suffix --attributes VisibilityTimeout=1"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-user-events.fifo$suffix"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-user-events.fifo$suffix --attributes VisibilityTimeout=1"
-
- # Gundeck's feedback queue
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-gundeck-events$suffix"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-gundeck-events$suffix --attributes VisibilityTimeout=1"
-
- # Galley's team event queue
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-team-events.fifo$suffix"
- exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-team-events.fifo$suffix --attributes VisibilityTimeout=1"
-
- # Verify sender's email address (ensure the sender address is in sync with the config in brig)
- exec_until_ready "aws --endpoint-url=http://ses:4579 ses verify-email-identity --email-address backend-integration$suffix@wire.com"
-
- # Create SNS resources for gundeck's notifications
- exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform GCM --attributes PlatformCredential=testkey"
- exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey"
- exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-com.wire.ent$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey"
-
- # Cargohold's bucket; creating a bucket is not idempotent so we just try once and wait until it is ready
- # TODO: Lifecycle configuration for the bucket, if supported.
- aws --endpoint-url=http://s3:9000 s3api create-bucket --bucket "dummy-bucket$suffix"
- aws --endpoint-url=http://s3:9000 s3api wait bucket-exists --bucket "dummy-bucket$suffix"
-done
+# exec_until_ready() {
+# until $1; do echo 'service not ready yet'; sleep 1; done
+# }
+
+# # Assumes this to be run in an environment with `aws` installed
+# # Keep these in sync with .envrc
+# echo 'Creating AWS resources'
+# aws configure set aws_access_key_id dummykey
+# aws configure set aws_secret_access_key dummysecret
+# aws configure set region eu-west-1
+
+# # Potentially delete pre-existing tables
+# echo -n "waiting for dynamo: "
+# while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamodb list-tables); do
+# sleep 1;
+# done
+# echo " [ok!]"
+
+# for suffix in "" "2" "3" "4" "5" "-federation-v0"; do
+# aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true
+# aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true
+
+# # Create Dynamo/SQS resources
+# exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-userkey-blacklist$suffix --attribute-definitions AttributeName=key,AttributeType=S --key-schema AttributeName=key,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5"
+# exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-prekeys$suffix --attribute-definitions AttributeName=client,AttributeType=S --key-schema AttributeName=client,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5"
+
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events$suffix"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events$suffix --attributes VisibilityTimeout=1"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events-internal$suffix"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events-internal$suffix --attributes VisibilityTimeout=1"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-user-events.fifo$suffix"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-user-events.fifo$suffix --attributes VisibilityTimeout=1"
+
+# # Gundeck's feedback queue
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-gundeck-events$suffix"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-gundeck-events$suffix --attributes VisibilityTimeout=1"
+
+# # Galley's team event queue
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-team-events.fifo$suffix"
+# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-team-events.fifo$suffix --attributes VisibilityTimeout=1"
+
+# # Verify sender's email address (ensure the sender address is in sync with the config in brig)
+# exec_until_ready "aws --endpoint-url=http://ses:4579 ses verify-email-identity --email-address backend-integration$suffix@wire.com"
+
+# # Create SNS resources for gundeck's notifications
+# exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform GCM --attributes PlatformCredential=testkey"
+# exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey"
+# exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-com.wire.ent$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey"
+
+# # Cargohold's bucket; creating a bucket is not idempotent so we just try once and wait until it is ready
+# # TODO: Lifecycle configuration for the bucket, if supported.
+# aws --endpoint-url=http://s3:9000 s3api create-bucket --bucket "dummy-bucket$suffix"
+# aws --endpoint-url=http://s3:9000 s3api wait bucket-exists --bucket "dummy-bucket$suffix"
+# done
 echo 'AWS resources created successfully!'
diff --git a/hack/bin/selfsigned.sh b/hack/bin/selfsigned.sh
index 46332c72cb..6f9ece914b 100755
--- a/hack/bin/selfsigned.sh
+++ b/hack/bin/selfsigned.sh
@@ -32,7 +32,7 @@ echo '{
 }' > "$CSR"
 # generate cert and key based on CA given comma-separated hostnames as SANs
-cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname=*.integration.example.com,localhost "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT"
+cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname=*.integration.example.com,host.docker.internal,localhost "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT"
 # cleanup unneeded files
 rm "$OUTPUTNAME_LEAF_CERT.csr"
diff --git a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem
index 774b9d30c9..7cdb89c467 100644
--- a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem
+++ b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem
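Review bot: With the whole resource-creation body commented out, the script still ends with `echo 'AWS resources created successfully!'` after doing nothing, which will send the next person chasing a fake success line when brig cannot find its DynamoDB tables or SQS queues. If the setup now lives elsewhere, delete the dead block rather than commenting it out and replace the message with a pointer to the new location; if it is only temporarily disabled, say so up front, e.g. `# AWS resource creation disabled here: <reason / tracking issue>` and drop the success echo. Note that the disabled loop was also the only place the `-federation-v0` suffix resources were created, so the federation-v0 brig added in this series depends on whatever replaces it. Keeping the old code as a 50-line comment also makes the file look live to anyone grepping for these table and queue names.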
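Review bot: The SAN list is embedded in the middle of the `cfssl gencert` command line, so each new host name (this commit adds `host.docker.internal`) means editing a long line that reviewers have to diff character by character; pulling it out keeps the change reviewable: `SANS="*.integration.example.com,host.docker.internal,localhost"` above, then `-hostname="$SANS"` in the command. Decoding the validity fields of the regenerated leaf certificate committed alongside this change suggests roughly a one-year lifetime, so the integration setup will need these files regenerated before then; a comment next to this line such as `# leaf certs are issued for about a year; rerun this script when they expire` would save the next person the diagnosis. The script's surrounding lines (CSR generation above, cleanup below) are outside this hunk.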
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAoYyNk0aNoe2AYoWa4ey6P4LR4BxKGk0A9LeFiCP4tWqbU/aZ -DzDATytklxaQiDMDbZQboFngf5/X0S+pjSiZ+LSgIR30/g0yoDEubfUXvF+q+rEh -Om91OHnkwwNoSN1EK687N1nATFXd7YL6Lv2SOrMcyOCtqwnGFwRrH8MR3z87nL+H -vuot2ciXvyeJ3q4RG2G9t8UTjqo1jK/NJHyNZYSY4vGTGZTwGi1BCuNlizi6xzmI -Mh3HS/px/kihR7wLkQ7NpovqjfQVef3JwiJutrRYG6lJT9xXpNu2gKg8KKiZJUgb -gqnPWl+4IdRdZ/q/12Jsg9qAf8tbS+tQ2CnlLQIDAQABAoIBAQCJKkrm+me1Tm/M -tz4bh6FX3Z6Pl9V/YVRndA9n2YsJljvOXbn1wOH4FpLxChKr4gyOFMwkKUvJcRGQ -ptRia0/YcJzpoYLr1o7enwOaDxkZM218L7tT32D7E9wdjJ4WB/Ei2kUAKS9yYRHu -4V/FWD25o2zUTpiGeeT8lB7UuA9Lqg529dGlJcanlZjMe0Wj92ec1jjelERGuGdr -lujikHl8whZRwxCGC09WM48myWnsCVdJ1oqGhYM8nzqImsiMc10K6/8CmVrl3aXV -KrExPLtxCRK3pe5olyCLIkPn3OwSc/ZPSkxVQF4j/PwatqqHE98TQBi5bzKIF2JE -17+DBVxNAoGBAM4lR1WRAtXvAe6/jl5zYHr/v2D69o7v85PuXrnmSLK29h3ACSDM -svTsIkoPIZ/lotM8O/OpOHKWmbXH7MOIu9mRKQAKFlTKtw4xl36SPynegq1H5JBv -bd8N8pQtf8pLuh8qxZvZplBsg9HJHBPlbZo/dMQa8oYDI4BakMyYJEMbAoGBAMie -PyHPgI7RpE5GPXcl/rOxeMF++7qOsOX5XGUhoGoH2feYzj19V2/ptx4KdmD+M3NF -dT1ucmQKqocrE6U3sEMok3BmgajGoGOLQMPXsK18bs0VowI+mmt+uL2BwOr9hHPK -IuZrzwm9vtLYldBU3sdxGA1sLXPB2oUZalwCf7VXAoGAZo77X2GmtIKVRo98qBbk -sCzerMQOuGw+laFo9TnRf0AxT/nDUNMmUV3NbWT7yI45pLf5566Py8qLLHoLm/hB -5OsoJ8Hc/FBiJCieAzWFQTJXdxgmaYlWczuALSI5yo5ESc9AwtnUuXxTVKKmWmux -TKU3VX1GnU+gcPIdyfwDRnMCgYAWg8P8DGiWHqr86d8eDxKNoh42QQUJQ9hQhvK6 -mtKA886fffOvbPCyK52UboIokn69sg7dTRbjaVsH/mqfASfz8YrSc36brWb0pP0o -vX0jizJ4K7R2nQYBiGA9TGGVPcxunkHacED1C+ltikcN8WhrI6MaZoiXVCstAtQv -7Uvd0wKBgQDCC9xoSTr7kFiwp76f7dIBdxLKBiL1tZM/qJIP3lnX9TnLhBiHNxoR -4DbIF5yEdRRNBVfS4rJLa1zAAY3d5u4LENaZEvf7fmsjHTLEIf3gJVviHZSBMP6C -kSPQbfcNTNZaEt/40GAZzgjNiO0rTpsLLI4fGDiHeaMMBHEzAiXJmw== +MIIEowIBAAKCAQEAv1p0NU4fMc4yfrgT9iyANXCS0Aqnnfk3YciXWD7yQpEIbLes +1S/gj3US2acahlcgSTDO4JGBTindLM2oKw0ItdxN+q6N7uDMQ+dEzj7Gz5h8BByf +YGFE6XHo8L7NQmsFgrgrd01Ckxc5gTVy7kz0XIntctejXVlmcKKBPCS+vbEP2Kz5 +lgnSNVlUI1KQiNupGsurNthDH6/BOUj2LFa4qhXiVC1izk4mivK8iG8oiVHByaiH 
+Zm2pYWEqwOiKo0qyF95KUJ+ovxoPnh3NSWkKPF7M+rlt2mZSPujp0suPW0icq6oU +04j4MeerDGa1P0piBd0ew/YSV0SY+fhofkxLQQIDAQABAoIBAQCDNjhXUQFs+pJ/ +eCQf+vXTLyVMyPGVDo4eXBkDZu5iHOdk/THjYZgfZs0NOFuk4Nt/tJs3PC8pdOV3 +0nHNS3u8kJtcGRO0SKtoqI3yyvMy6MGpZCMZSLmjRfvQEVXYhGBb+YO8o9rR1+wT +oJ31sAkj52ROCnW4DhSDibsKjbvJgA9mVwSscOtRU3KSoTl5TyCpSYRLJFkpK4cl +GLpwVugdlBGW3yI1S3AzGYEO2F8hmjBFLhsxC/ULaXMAp0TAYDIR6+jtEkg+tdNf +WYqophBQTTKuO2bHDLjfFLHr8pk5AZaG9RCfWD8lJKov8zK9hEZ2H2mFMl+kj36P +o17NWGABAoGBAOrcjVyusIXzdX1/NFhQm5SmbcE2nZjWDFG6mSZuNQkAyo9vSlAO +SfZ/h/1j8xSk65IqELsL70sUQqh4ckyVBfUxQQjzUO9TR9hJnyh7iGAQTfz6YOi5 +qdBz5LbCX0TCYt+IuaonEnryjyuYlkddOEOKBgWzDbPO00a995ctnHPBAoGBANCT +bcU0YXZmRozFzxfU2jgOVuvHuf0Innu+picWpMBPStyGSPNzUEHlC9oC7d+THMZH +ko4lR95NT19BBrkmbw+pGMDGZbyfajrPR6ps+WB5Fi3GyWjjH+nO/r9vtoRrjDsK +NO6mgrkH+ci8XTBFKcnjBg6e5XWPHklnZQkdd7eBAoGAWk7UTH8fgWJMGyV+izbz +nAUiztihYNNtiT+nBA/8dKnJOb4hZQcZiZ8gO17jaVzA+EMUi9fa+5OezgkCalAj +KlT2HOryhBQR3Cjy+i4GEmoyksPz34kEsxLdLykuWNImEq4QNk0v3fbG9oyFvIsr +x0ybZDWlXy54Lwt82LTBJAECgYATa4au89+XPJKZDNnpaCIhUgR505DXpHPNJcUm +oo8YcMmRmtc0A6qXWBIwbFFlnbbyJzvYDFSSuDQJtG5B0vhIRwBNAqv6UgV8EEyl +65uUhfGwtW+PWoZgKKvDe01NKw5VeO/QwKQvQjTZoeAzXF01tPOdbOIEfhzdzMi1 +fo7lAQKBgDlU5y0o4VWNm2v2rss3f+Ig3iqsh76ay7UgcY4Y/ZiC9dGW7KL1keDl +3pf1YJieSd0wptoMC/jzME+kpZU9OASsE1VX/XX6UCh1xHgLzV+S7tDS6EWMgnLz +IbvzZ2iC2hKM9vPtL+34gDjAwNot3kCMJNx4c+TSxSXfXIKbqjAW -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-ca.pem b/services/nginz/integration-test/conf/nginz/integration-ca.pem index 2aff84d758..e0b211b371 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca.pem 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIUaq5Rk0z4WRqKc9dEtkxgVdL0LBIwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMwNDI0MDkzMTAwWhcN -MjgwNDIyMDkzMTAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKGMjZNGjaHtgGKFmuHsuj+C0eAcShpN -APS3hYgj+LVqm1P2mQ8wwE8rZJcWkIgzA22UG6BZ4H+f19EvqY0omfi0oCEd9P4N -MqAxLm31F7xfqvqxITpvdTh55MMDaEjdRCuvOzdZwExV3e2C+i79kjqzHMjgrasJ -xhcEax/DEd8/O5y/h77qLdnIl78nid6uERthvbfFE46qNYyvzSR8jWWEmOLxkxmU -8BotQQrjZYs4usc5iDIdx0v6cf5IoUe8C5EOzaaL6o30FXn9ycIibra0WBupSU/c -V6TbtoCoPCiomSVIG4Kpz1pfuCHUXWf6v9dibIPagH/LW0vrUNgp5S0CAwEAAaNC -MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBuq -33I+JaC5KOsrFeHkzhBuFqtzMA0GCSqGSIb3DQEBCwUAA4IBAQBaOq1YyLjpMz+O -mxw0yRpROgPaPt0QMsSbUCeNXPrlMFi+7QarmKfz0EGoGJEfU8Eu22+mqnAC2tTO -iSLy89tlR21i0+x+0V+qedzZCQfMlm00SS29wzbXomeUunQxlHNuGuRzkzh7g80G -+wIJuIZRvs+qgGofd4yp2BGGQNOlNRhPmc0LP5DSB+snmIscx+sDnVUn7MWunH80 -Doj+CL6wSbP79hfJXeK5LxSBmAtQU8dpZlgNaRCO5TAU10xgzFNCKWbKJ7nf4wC5 -cMGhRWFYP3babARd42KWViRYLZ7bxTtNBnKOvo7AtQJ3YIOUwk1ofq3/PhLHDxiG -XWlMKqrV +MIIDAjCCAeqgAwIBAgIUGAGMageZja7d2r8voH2QcxF+z4cwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN +MjgxMTE5MTEwNzAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9adDVOHzHOMn64E/YsgDVwktAKp535 +N2HIl1g+8kKRCGy3rNUv4I91EtmnGoZXIEkwzuCRgU4p3SzNqCsNCLXcTfquje7g +zEPnRM4+xs+YfAQcn2BhROlx6PC+zUJrBYK4K3dNQpMXOYE1cu5M9FyJ7XLXo11Z +ZnCigTwkvr2xD9is+ZYJ0jVZVCNSkIjbqRrLqzbYQx+vwTlI9ixWuKoV4lQtYs5O +JoryvIhvKIlRwcmoh2ZtqWFhKsDoiqNKshfeSlCfqL8aD54dzUlpCjxezPq5bdpm +Uj7o6dLLj1tInKuqFNOI+DHnqwxmtT9KYgXdHsP2EldEmPn4aH5MS0ECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOrl +oSUQH72FPazbx5cV59y+LFawMA0GCSqGSIb3DQEBCwUAA4IBAQARUQWt7vaDIOZH +2ZmxKjYObH1yhGsNcq8UpP3D5H1PvnxWTIodW30P1sSmnpBMoWCCW8MOzX9HL9PI +tpSkDT4j7//EClStTnRNO1GdyMxaL7vQ0LXl/aVT8lfpw7MpUv+nQYJgpN7MpI4b 
+TZM+Dx9KoKMqtHBSX6eqgVd54dqnyw/3twDc4jZAwJ4ZogXCABfJFNH7Tiu/PUET +8RP8Gn0vUgNkvznYGCwMaAGbY+ihlKeqUZmpdTyq/A82wOmBLmPpDthg7+6U7kGs +zLwkR6wwCkwLM/KjHQ9WW1ggPT1oPsGU8EDwl/qxu896HP6s12vuAyY1WwsTuiI3 +vD1lYlAF -----END CERTIFICATE----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem index b1718af2d0..f0e536bde0 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAr8i0VsoPb1ITTQO1O+uZ4b3+19F42kwXSpaBmgGwK9PQMjiw -+mNGKQf0AM8HISPAEWN3+7ildrl7o9gaFW6e6L00LGyRrKr9hJ46yWNhLb7auJi6 -sq5WK6Wjt+BDMWHmokfKDGOTyh4d+Q5R3uoY/Smi+QQLxUb8VkAESy6lLvff1HXy -jmcvoHigCMedOX0ipgoDg0OOMUiwDaJslsKnJ+Irn7VpfUjmIPPz4J8VRRlqxK6u -tSktq8uzZEUP03elZvlDYGuKEar5qLwgVENJKjgWWG6+gSJniQRNFKIOEvMsybip -wGdA/+da/s27NLBZvnMCLfSKVe15PnBfcEi3FwIDAQABAoIBABM4gO+UfIeRk+ax -5xk8M8FJQxpaHzrPYySWvGkYkijYqkUzibZ3MG7AHeAQwxjOjevY0n/FuuH2ehx6 -Pq/lPp74QUIyRON6duoPWyI2KaQU4Fma6Z8sDOQM4o/yh6ZYrB1GeENOiBRrop9e -/3i+ZCkaamWMGbVig6jyqwWFfi5aYZmL9BB3g7mMYz+DAnSD9eAI0Fl+dCjY3PLq -I5+BjnjHDdA9ixjyNhobBPUN67qAQLox7b5+joM+dW9TD2+2wLF8ubBP/ZjZxJpR -WRGG9tikdyR0ojC9cx4hg9+tN1OV9lAfOgWZO4ZwgCMsDFrKCf76DpG8nNbGMkUi -D8mGmhECgYEA6M6mlQuax9jvd7PhN/E5pqgDDr9gT0+6i9JRSNdX2zGxcH8QPMuE -WQN9gIT+HGfgZQR9r7DvEtl58IzMadF3Jj+zq2C1UMQujWktTp2wA+Lj+JTmSkSx -OdhFwOnouWqeHacdrP+LDahrxTAoQLWkFY7gbzYJARhT8U+MD17yFOMCgYEAwUvG -KY2H4SHqA2V3gjxjaGpj01D4Q4zaK4cDdLYofkkEIECbDXQ0MBPrhEng0bH/P4ld -8H9Sbsfaave/kdTpQunrGRG6cUnLG2/b3NPwf2FcROJ6bVP2JjQLSHZroV1WNLbO -WokoLn61AllkjHisyHjgeBx1oCBE08OVCyJ43z0CgYEAvbUHkZSvQALKwGRYNlnf -fKqUM0RHmtmBTcbIbe7srLVFvkIMXT4KTu7FKiE1YLhU5nxOXwhzCI0nDJnvSJtj -2Es4gYKAvZvfw2Pdg56De+c7lajgL8ziDhzqWlVBSzZSOh+f0wU5rpt7lmezpWde -miKfSIBjvfyxCoajvzLDWbkCgYBtFY8yeg3ZzqLa4dNM6zmKfqfxZHuG26Fv+RTJ -M9esVRaAARW/xPmCvGsoT+0RSitrNuGNzLy/igfIYCJ7cTVmrs4farLWJjf6NulU -OUM7D73bnhhLRJvgOXS4oyPgf+UbgKL50vebLaSHO92TrLKNvDGpdx4mjK9q9rBR -BVZDXQKBgBxHESayFWS0tAyV67GlOaiy3mbjVvxpRT7IGwXZAX+3NMvRmCzN8sIB -zkYMuRC3P/9RAZkBQ2qp8Fu0W8G7b32ImWyP7/HJb0hnBIfwBnePSUA1nS8jEkMp -IkrYAiU2viJTMiHNcqoVuJUY/FmxiZPPewqnJwQYAE4nrUD/oU8F +MIIEogIBAAKCAQEAp9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQ +fzT7zEdtl3sAwtE3IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4 +Nlh0L+4qP+HNJbI4MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQ +l+3Yep1nQV9QRqShrnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYu 
+qcj5EpiM+xc58ns3E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8 +cnFUU/2CzCCi0UAZllEUkUefvDYrliYLyetSSwIDAQABAoIBABzJsMMvvR8dtWdI +eKsmF6cDXu+Y6AGOxxAI0Edm3a82lanl47+ObSsLjacQeH7yuIwbVC/QNkXjCvm2 +gNdjO2TK0U/n537BoSwJpqvSmUYQnz2BKftYjQWzyxeOOkyfF7iu+qUq6PCsjG01 +0iaWGduY6isudtZecRdHbqt7lgkNNcvFKKLbjuVmKDzrKicnSg6Fj/O00or8JMMX +Z/lBz7r35VDbQtahUIuqT1Y8lzCs4nq4KAoGCup48AMANgsI5+G5/e5wqdFUuP6/ +kFc2molEgF5/IogqlyxxizQduU9mQrTu7f1BQYDhVlCODU5XVGSsg/XXdNQRGU0N +07LNkyECgYEAzLc4FSKwXll3825m90RYj3DKN6oJOiSGgoJiyP0DPo1OwodFb1gk +vOdLU0B53vgxkeSy34qvHW43BptT/Wa4cbiTs8gpovtqaNAJRL3dUdp39mlcqS8i +lx6T8TLZ+t8DP90auU/VXTFn+XkSOJkHxvwk4oj2zy5U164OkNmrU2kCgYEA0d2S +L89SHSdFS60AHHlznvl8Mp7xMOoYwYxrp4GftdFc5aSG00p95DaORmU0FV43HnXb +dJmFIxaP1OR4qHSmDsHTjaHhCMzzXN8rLPaatcIcGCEeUwloI1HGMcAlK63c//i/ +POoPuDyGV93dUnuE0asjwWUxMTVYZJJxuvVSZZMCgYBP1ni5zXCJK01bk8f2USJU +tsE2mkrE8S/AQEd0aTBVudhoh0buGKsjPPUkf7XH3nW+lzmncre+u5gcLIHCBsiS +GVEJQVvzoyepvtCOjZl97bzxTcAEf0x3MUazP4jBjS4APyPH97mXgcgyBCS2DAB7 +eySLcK0IueH+x3QIy8tEWQKBgHXiXTRn43smzQD2O6LDAhRhlcclitvsE13dD7e2 +00yhPupr4aQcKt0fXAnk3T3Hf3SnxU8Y0TVlfgObFr+hTonpjHj5XlvALE+VuD34 +g+znDTrsl4kTNqDoVUkq4nZHomVSh7Gi1JOrw9bldGXZpkDUPjBrNBetHGrZ6/KV +zOPrAoGAdZZMAgIBzEop9mA/ApHuPlVO43VnqJPo8nYeQ2bEsjU3KI0TfqcbUjgG +8c4sJRw0xcV8F1Y9MaQhOHPl++c/6HTfQNEtNEsB5JDKqToExUll2x+07AAbQQ+h +6Qhk+DBImTCzoOemYYhlAvrvEZw/onYTKQAjudGT6BdshRg56cw= -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf.pem b/services/nginz/integration-test/conf/nginz/integration-leaf.pem index 120d96cda5..3e8ba2f3b9 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf.pem 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDXDCCAkSgAwIBAgIUV3PHvpBx77MqGBo+PM2RIuIcBfAwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMwNDI0MDkzMTAwWhcN -MjQwNDIzMDkzMTAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -r8i0VsoPb1ITTQO1O+uZ4b3+19F42kwXSpaBmgGwK9PQMjiw+mNGKQf0AM8HISPA -EWN3+7ildrl7o9gaFW6e6L00LGyRrKr9hJ46yWNhLb7auJi6sq5WK6Wjt+BDMWHm -okfKDGOTyh4d+Q5R3uoY/Smi+QQLxUb8VkAESy6lLvff1HXyjmcvoHigCMedOX0i -pgoDg0OOMUiwDaJslsKnJ+Irn7VpfUjmIPPz4J8VRRlqxK6utSktq8uzZEUP03el -ZvlDYGuKEar5qLwgVENJKjgWWG6+gSJniQRNFKIOEvMsybipwGdA/+da/s27NLBZ -vnMCLfSKVe15PnBfcEi3FwIDAQABo4G0MIGxMA4GA1UdDwEB/wQEAwIFoDAdBgNV +MIIDcjCCAlqgAwIBAgIUfT3hrFYCO/wnKZCc0SRIM0j/3JQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN +MjQxMTIwMTEwNzAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +p9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQfzT7zEdtl3sAwtE3 +IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4Nlh0L+4qP+HNJbI4 +MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQl+3Yep1nQV9QRqSh +rnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYuqcj5EpiM+xc58ns3 +E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8cnFUU/2CzCCi0UAZ +llEUkUefvDYrliYLyetSSwIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUa7feIJTIqMh5UjDi0UR7Ub5MrvcwHwYDVR0jBBgwFoAUG6rfcj4loLko6ysV -4eTOEG4Wq3MwMgYDVR0RAQH/BCgwJoIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv -bYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAIfB/q/+jHWbN5goGMaPh8 -CL8kynzf0dmkwOs6f6sqDIRo+9BQneWCWVOTLbO3LK6ITsZhVTFmKT3bkEmj04sy -ZUnXfqi9CqDHjQKZU9OxIWoCgbe6r4siInI46K3rSYGsmP37x9jWop1fbJBLl1HC -ray3LR8zanzsR9ksbyfA9VbNmWY1nWxTkZZ5RM+IAlU0/8qRgo5Ypsl35Gd9RJiN -DtbU3+rU9bYQ1YgYDk0h1s2woEberjp1xnvGBJLhDjewv9jXXaQXr1GlwfnJBenO -TV+GWqTeXwPclK0mSKDGs/Ixh+dH3J+8GGCGd8CJTnQfCzGZIBf4I7re8QkeNsVb +FgQUM1QB4eHYCLRO2pyYA5PXUQN+ZVwwHwYDVR0jBBgwFoAU6uWhJRAfvYU9rNvH +lxXn3L4sVrAwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv 
+bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF
+AAOCAQEArYqKia5b/zZ12CrPdXsrf0qjEKDshy0gGo/WPPC5dbLG6yu3i5gktdsB
+jEL6AF0rkL+RhBwH9ICXbMfNlM21laddsg6SVi1EWFUHLgII6+wiArQGc1BUGltt
+f+9Ggu1eZ/pN8DvI6yiE4sUrN3MZQOmMDpyAOTETgeTg/Hqr2f854zSebN1ILMTi
+b2LYC1d8CfblEUTTI2VNkakbrAVcrPQS/Dj8uqxs7CBSke0jxdkXXecS/2cHatGg
+2iAd0GLOYtQxQr1v/qtNqJeAKQ3qQ0tEmQXv+ksqU4IDjcjMoSQ0p5uguJd6NFF6
+oroZ73cn0+l428+iR5crB7GCbsC7og==
 -----END CERTIFICATE-----
From 59a4b613c57604fbef75cdd7cbe613a5257e774c Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Tue, 21 Nov 2023 14:45:04 +0100
Subject: [PATCH 03/13] futureproof names

---
 .../federation-v0/background-worker.yaml | 6 +++---
 deploy/dockerephemeral/federation-v0/brig.yaml | 10 +++++-----
 deploy/dockerephemeral/federation-v0/cannon.yaml | 4 ++--
 deploy/dockerephemeral/federation-v0/cargohold.yaml | 2 +-
 deploy/dockerephemeral/federation-v0/federator.yaml | 6 +++---
 deploy/dockerephemeral/federation-v0/galley.yaml | 8 ++++----
 deploy/dockerephemeral/federation-v0/gundeck.yaml | 2 +-
 deploy/dockerephemeral/federation-v0/spar.yaml | 4 ++--
 8 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/deploy/dockerephemeral/federation-v0/background-worker.yaml b/deploy/dockerephemeral/federation-v0/background-worker.yaml
index c2274e45f0..e0fd5113d6 100644
--- a/deploy/dockerephemeral/federation-v0/background-worker.yaml
+++ b/deploy/dockerephemeral/federation-v0/background-worker.yaml
@@ -5,15 +5,15 @@ backgroundWorker:
 port: 8080
 federatorInternal:
- host: federator
+ host: federator-federation-v0
 port: 8080
 galley:
- host: galley
+ host: galley-federation-v0
 port: 8080
 brig:
- host: brig
+ host: brig-federation-v0
 port: 8080
 rabbitmq:
diff --git a/deploy/dockerephemeral/federation-v0/brig.yaml b/deploy/dockerephemeral/federation-v0/brig.yaml
index b26b94c57a..693ba49278 100644
--- a/deploy/dockerephemeral/federation-v0/brig.yaml
+++ b/deploy/dockerephemeral/federation-v0/brig.yaml
@@ -16,22 +16,22 @@ elasticsearch:
 rabbitmq:
 host: rabbitmq
 port: 5672
- vHost: /
+ vHost: federation-v0
 cargohold:
- host: cargohold
+ host: cargohold-federation-v0
 port: 8080
 galley:
- host: galley
+ host: galley-federation-v0
 port: 8080
 gundeck:
- host: gundeck
+ host: gundeck-federation-v0
 port: 8080
 federatorInternal:
- host: federator
+ host: federator-federation-v0
 port: 8080
 # You can set up local SQS/Dynamo running e.g. `../../deploy/dockerephemeral/run.sh`
diff --git a/deploy/dockerephemeral/federation-v0/cannon.yaml b/deploy/dockerephemeral/federation-v0/cannon.yaml
index 1764932cbd..3ad681fefc 100644
--- a/deploy/dockerephemeral/federation-v0/cannon.yaml
+++ b/deploy/dockerephemeral/federation-v0/cannon.yaml
@@ -9,11 +9,11 @@ cannon:
 # Each cannon instance advertises its own location (ip or dns name) to gundeck.
 # Either externalHost or externalHostFile must be set (externalHost takes precedence if both are defined)
 # externalHostFile expects a file with a single line containing the IP or dns name of this instance of cannon
- externalHost: cannon
+ externalHost: cannon-federation-v0
 #externalHostFile: /etc/wire/cannon/cannon-host.txt
 gundeck:
- host: gundeck
+ host: gundeck-federation-v0
 port: 8080
 drainOpts:
diff --git a/deploy/dockerephemeral/federation-v0/cargohold.yaml b/deploy/dockerephemeral/federation-v0/cargohold.yaml
index 7b70f80418..f3a5099a33 100644
--- a/deploy/dockerephemeral/federation-v0/cargohold.yaml
+++ b/deploy/dockerephemeral/federation-v0/cargohold.yaml
@@ -3,7 +3,7 @@ cargohold:
 port: 8080
 federator:
- host: 127.0.0.1
+ host: federator-federation-v0
 port: 8080
 aws:
diff --git a/deploy/dockerephemeral/federation-v0/federator.yaml b/deploy/dockerephemeral/federation-v0/federator.yaml
index f0dded7fe9..559a264447 100644
--- a/deploy/dockerephemeral/federation-v0/federator.yaml
+++ b/deploy/dockerephemeral/federation-v0/federator.yaml
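Review bot: `vHost: /` → `vHost: federation-v0` is a functional change hiding under a commit titled "futureproof names": RabbitMQ virtual hosts are not created on demand, so unless the shared `rabbitmq` broker is provisioned with a `federation-v0` vhost and the credentials brig uses are granted permissions on it, brig will fail to connect at startup. State that requirement next to the setting, e.g. `vHost: federation-v0  # must be provisioned on the shared rabbitmq broker, with permissions for brig's user, before brig starts`, and mention it in the commit message. Isolating the v0 backend in its own vhost is the right direction, since it keeps its queues from colliding with the main backend's on the same broker. The remaining lines of this hunk, and the sibling hunks in background-worker, cannon, federator, galley, gundeck and spar, are plain host renames and look consistent.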
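Review bot: Changing `federator.host` from `127.0.0.1` to `federator-federation-v0` is a fix rather than a rename: inside the cargohold container, loopback presumably never reached the federator, so the v0 cargohold could not have federated asset access before this change. That is worth a sentence in the commit message so the behaviour change is not lost under "futureproof names", and a comment on the line, e.g. `host: federator-federation-v0  # service name on the compose network; loopback does not reach the federator container`, would stop the next person from "simplifying" it back.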
@@ -5,13 +5,13 @@ federatorExternal:
 host: 0.0.0.0
 port: 8081
 brig:
- host: brig
+ host: brig-federation-v0
 port: 8080
 cargohold:
- host: cargohold
+ host: cargohold-federation-v0
 port: 8080
 galley:
- host: galley
+ host: galley-federation-v0
 port: 8080
 logLevel: Warn
diff --git a/deploy/dockerephemeral/federation-v0/galley.yaml b/deploy/dockerephemeral/federation-v0/galley.yaml
index 4da4095165..6879901c48 100644
--- a/deploy/dockerephemeral/federation-v0/galley.yaml
+++ b/deploy/dockerephemeral/federation-v0/galley.yaml
@@ -10,19 +10,19 @@ cassandra:
 # filterNodesByDatacentre: datacenter1
 brig:
- host: brig
+ host: brig-federation-v0
 port: 8080
 gundeck:
- host: gundeck
+ host: gundeck-federation-v0
 port: 8080
 spar:
- host: spar
+ host: spar-federation-v0
 port: 8080
 federator:
- host: federator
+ host: federator-federation-v0
 port: 8080
 rabbitmq:
diff --git a/deploy/dockerephemeral/federation-v0/gundeck.yaml b/deploy/dockerephemeral/federation-v0/gundeck.yaml
index 4dd4a6e2bf..528fc38c1d 100644
--- a/deploy/dockerephemeral/federation-v0/gundeck.yaml
+++ b/deploy/dockerephemeral/federation-v0/gundeck.yaml
@@ -3,7 +3,7 @@ gundeck:
 port: 8080
 brig:
- host: brig
+ host: brig-federation-v0
 port: 8080
 cassandra:
diff --git a/deploy/dockerephemeral/federation-v0/spar.yaml b/deploy/dockerephemeral/federation-v0/spar.yaml
index 9ffbe4784f..4a7024d0c6 100644
--- a/deploy/dockerephemeral/federation-v0/spar.yaml
+++ b/deploy/dockerephemeral/federation-v0/spar.yaml
@@ -16,11 +16,11 @@ saml:
 email: email:president@evil.corp
 brig:
- host: brig
+ host: brig-federation-v0
 port: 8080
 galley:
- host: galley
+ host: galley-federation-v0
 port: 8080
 cassandra:
From 4055e7bfd2a795ee6b5b18165afd534e3348aa4e Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Tue, 21 Nov 2023 15:02:54 +0100
Subject: [PATCH 04/13] hack/bin/selfsigned.sh: Put files where they need to be

---
 .../federation-v0/integration-ca.pem | 34 ++++++-------
 .../federation-v0/integration-leaf-key.pem | 50 +++++++++----------
 .../federation-v0/integration-leaf.pem | 34 ++++++-------
 hack/bin/selfsigned.sh | 23 ++++++---
 .../conf/nginz/integration-ca-key.pem | 50 +++++++++----------
 .../conf/nginz/integration-ca.pem | 34 ++++++-------
 .../conf/nginz/integration-leaf-key.pem | 50 +++++++++----------
 .../conf/nginz/integration-leaf.pem | 34 ++++++-------
 8 files changed, 159 insertions(+), 150 deletions(-)

diff --git a/deploy/dockerephemeral/federation-v0/integration-ca.pem b/deploy/dockerephemeral/federation-v0/integration-ca.pem
index e0b211b371..2315c7c740 100644
--- a/deploy/dockerephemeral/federation-v0/integration-ca.pem
+++ b/deploy/dockerephemeral/federation-v0/integration-ca.pem
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIUGAGMageZja7d2r8voH2QcxF+z4cwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN -MjgxMTE5MTEwNzAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9adDVOHzHOMn64E/YsgDVwktAKp535 -N2HIl1g+8kKRCGy3rNUv4I91EtmnGoZXIEkwzuCRgU4p3SzNqCsNCLXcTfquje7g -zEPnRM4+xs+YfAQcn2BhROlx6PC+zUJrBYK4K3dNQpMXOYE1cu5M9FyJ7XLXo11Z -ZnCigTwkvr2xD9is+ZYJ0jVZVCNSkIjbqRrLqzbYQx+vwTlI9ixWuKoV4lQtYs5O -JoryvIhvKIlRwcmoh2ZtqWFhKsDoiqNKshfeSlCfqL8aD54dzUlpCjxezPq5bdpm -Uj7o6dLLj1tInKuqFNOI+DHnqwxmtT9KYgXdHsP2EldEmPn4aH5MS0ECAwEAAaNC -MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOrl -oSUQH72FPazbx5cV59y+LFawMA0GCSqGSIb3DQEBCwUAA4IBAQARUQWt7vaDIOZH -2ZmxKjYObH1yhGsNcq8UpP3D5H1PvnxWTIodW30P1sSmnpBMoWCCW8MOzX9HL9PI -tpSkDT4j7//EClStTnRNO1GdyMxaL7vQ0LXl/aVT8lfpw7MpUv+nQYJgpN7MpI4b -TZM+Dx9KoKMqtHBSX6eqgVd54dqnyw/3twDc4jZAwJ4ZogXCABfJFNH7Tiu/PUET -8RP8Gn0vUgNkvznYGCwMaAGbY+ihlKeqUZmpdTyq/A82wOmBLmPpDthg7+6U7kGs -zLwkR6wwCkwLM/KjHQ9WW1ggPT1oPsGU8EDwl/qxu896HP6s12vuAyY1WwsTuiI3 -vD1lYlAF +MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF +7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su +9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3 +gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7 +bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP +ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6 +JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O +JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb +lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp 
+x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA +qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be +z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH ++R0lNAyw -----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem index f0e536bde0..8ed90523cd 100644 --- a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem +++ b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAp9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQ -fzT7zEdtl3sAwtE3IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4 -Nlh0L+4qP+HNJbI4MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQ -l+3Yep1nQV9QRqShrnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYu -qcj5EpiM+xc58ns3E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8 -cnFUU/2CzCCi0UAZllEUkUefvDYrliYLyetSSwIDAQABAoIBABzJsMMvvR8dtWdI -eKsmF6cDXu+Y6AGOxxAI0Edm3a82lanl47+ObSsLjacQeH7yuIwbVC/QNkXjCvm2 -gNdjO2TK0U/n537BoSwJpqvSmUYQnz2BKftYjQWzyxeOOkyfF7iu+qUq6PCsjG01 -0iaWGduY6isudtZecRdHbqt7lgkNNcvFKKLbjuVmKDzrKicnSg6Fj/O00or8JMMX -Z/lBz7r35VDbQtahUIuqT1Y8lzCs4nq4KAoGCup48AMANgsI5+G5/e5wqdFUuP6/ -kFc2molEgF5/IogqlyxxizQduU9mQrTu7f1BQYDhVlCODU5XVGSsg/XXdNQRGU0N -07LNkyECgYEAzLc4FSKwXll3825m90RYj3DKN6oJOiSGgoJiyP0DPo1OwodFb1gk -vOdLU0B53vgxkeSy34qvHW43BptT/Wa4cbiTs8gpovtqaNAJRL3dUdp39mlcqS8i -lx6T8TLZ+t8DP90auU/VXTFn+XkSOJkHxvwk4oj2zy5U164OkNmrU2kCgYEA0d2S -L89SHSdFS60AHHlznvl8Mp7xMOoYwYxrp4GftdFc5aSG00p95DaORmU0FV43HnXb -dJmFIxaP1OR4qHSmDsHTjaHhCMzzXN8rLPaatcIcGCEeUwloI1HGMcAlK63c//i/ -POoPuDyGV93dUnuE0asjwWUxMTVYZJJxuvVSZZMCgYBP1ni5zXCJK01bk8f2USJU -tsE2mkrE8S/AQEd0aTBVudhoh0buGKsjPPUkf7XH3nW+lzmncre+u5gcLIHCBsiS -GVEJQVvzoyepvtCOjZl97bzxTcAEf0x3MUazP4jBjS4APyPH97mXgcgyBCS2DAB7 -eySLcK0IueH+x3QIy8tEWQKBgHXiXTRn43smzQD2O6LDAhRhlcclitvsE13dD7e2 -00yhPupr4aQcKt0fXAnk3T3Hf3SnxU8Y0TVlfgObFr+hTonpjHj5XlvALE+VuD34 -g+znDTrsl4kTNqDoVUkq4nZHomVSh7Gi1JOrw9bldGXZpkDUPjBrNBetHGrZ6/KV -zOPrAoGAdZZMAgIBzEop9mA/ApHuPlVO43VnqJPo8nYeQ2bEsjU3KI0TfqcbUjgG -8c4sJRw0xcV8F1Y9MaQhOHPl++c/6HTfQNEtNEsB5JDKqToExUll2x+07AAbQQ+h -6Qhk+DBImTCzoOemYYhlAvrvEZw/onYTKQAjudGT6BdshRg56cw= +MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk ++RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y +uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J +4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR 
+qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa +27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI +sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2 +2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0 +UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY +/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz +SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt +Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl +yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+ +wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv +UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg +PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98 +lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kdSUf7dyuQ7oivKxRjEB +TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e +tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT +7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF +ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1 +DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17 +Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5 +90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1 +xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg== -----END RSA PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf.pem b/deploy/dockerephemeral/federation-v0/integration-leaf.pem index 3e8ba2f3b9..d8e7ee0955 100644 --- a/deploy/dockerephemeral/federation-v0/integration-leaf.pem +++ b/deploy/dockerephemeral/federation-v0/integration-leaf.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDcjCCAlqgAwIBAgIUfT3hrFYCO/wnKZCc0SRIM0j/3JQwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN -MjQxMTIwMTEwNzAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -p9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQfzT7zEdtl3sAwtE3 -IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4Nlh0L+4qP+HNJbI4 -MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQl+3Yep1nQV9QRqSh -rnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYuqcj5EpiM+xc58ns3 -E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8cnFUU/2CzCCi0UAZ -llEUkUefvDYrliYLyetSSwIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV +MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk +iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE +0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX +lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux +Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ ++J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUM1QB4eHYCLRO2pyYA5PXUQN+ZVwwHwYDVR0jBBgwFoAU6uWhJRAfvYU9rNvH -lxXn3L4sVrAwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv +FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b +fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF -AAOCAQEArYqKia5b/zZ12CrPdXsrf0qjEKDshy0gGo/WPPC5dbLG6yu3i5gktdsB -jEL6AF0rkL+RhBwH9ICXbMfNlM21laddsg6SVi1EWFUHLgII6+wiArQGc1BUGltt -f+9Ggu1eZ/pN8DvI6yiE4sUrN3MZQOmMDpyAOTETgeTg/Hqr2f854zSebN1ILMTi -b2LYC1d8CfblEUTTI2VNkakbrAVcrPQS/Dj8uqxs7CBSke0jxdkXXecS/2cHatGg -2iAd0GLOYtQxQr1v/qtNqJeAKQ3qQ0tEmQXv+ksqU4IDjcjMoSQ0p5uguJd6NFF6 -oroZ73cn0+l428+iR5crB7GCbsC7og== 
+AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n +7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR +AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF +bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB +fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK +7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ== -----END CERTIFICATE----- diff --git a/hack/bin/selfsigned.sh b/hack/bin/selfsigned.sh index 6f9ece914b..a7107c436a 100755 --- a/hack/bin/selfsigned.sh +++ b/hack/bin/selfsigned.sh @@ -4,11 +4,15 @@ # Requires 'cfssl' to be on your PATH (see https://github.com/cloudflare/cfssl) # These certificates are only meant for integration tests that explicitly disable certificate checking -set -e -TEMP=${TEMP:-/tmp} +set -euo pipefail + +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +ROOT_DIR=$(cd -- "$SCRIPT_DIR/../../" &> /dev/null && pwd) + +TEMP=$(mktemp -d wire-server-self-signed-XXXXXX) CSR="$TEMP/csr.json" -OUTPUTNAME_CA="integration-ca" -OUTPUTNAME_LEAF_CERT="integration-leaf" +OUTPUTNAME_CA="$TEMP/integration-ca" +OUTPUTNAME_LEAF_CERT="$TEMP/integration-leaf" command -v cfssl >/dev/null 2>&1 || { echo >&2 "cfssl is not installed, aborting. See https://github.com/cloudflare/cfssl"; exit 1; } command -v cfssljson >/dev/null 2>&1 || { echo >&2 "cfssljson is not installed, aborting. See https://github.com/cloudflare/cfssl"; exit 1; } 
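Review bot: `TEMP=$(mktemp -d wire-server-self-signed-XXXXXX)` creates the scratch directory in the caller's current working directory, because the template has no directory component; the old `${TEMP:-/tmp}` default is gone, so the freshly generated CA private key is written wherever the script happens to be invoked from (often the repository checkout). `TEMP=$(mktemp -d "${TMPDIR:-/tmp}/wire-server-self-signed-XXXXXX")` keeps it in a temp location on both GNU and BSD mktemp. Cleanup also runs only on the success path (the `rm -rf "$TEMP"` at the end of the second hunk at @@ -34), so with `set -euo pipefail` any failing cfssl step leaves the key material behind; registering `trap 'rm -rf "$TEMP"' EXIT` right after the mktemp line covers both outcomes and makes the trailing rm redundant.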
@@ -34,8 +38,13 @@ echo '{ # generate cert and key based on CA given comma-separated hostnames as SANs cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname=*.integration.example.com,host.docker.internal,localhost "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT" -# cleanup unneeded files -rm "$OUTPUTNAME_LEAF_CERT.csr" -rm "$OUTPUTNAME_CA.csr" +cp "$OUTPUTNAME_CA.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_CA-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_LEAF_CERT.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_LEAF_CERT-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_CA.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$OUTPUTNAME_LEAF_CERT.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$OUTPUTNAME_LEAF_CERT-key.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +rm -rf "$TEMP" diff --git a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem index 7cdb89c467..c92a5f1359 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAv1p0NU4fMc4yfrgT9iyANXCS0Aqnnfk3YciXWD7yQpEIbLes -1S/gj3US2acahlcgSTDO4JGBTindLM2oKw0ItdxN+q6N7uDMQ+dEzj7Gz5h8BByf -YGFE6XHo8L7NQmsFgrgrd01Ckxc5gTVy7kz0XIntctejXVlmcKKBPCS+vbEP2Kz5 -lgnSNVlUI1KQiNupGsurNthDH6/BOUj2LFa4qhXiVC1izk4mivK8iG8oiVHByaiH -Zm2pYWEqwOiKo0qyF95KUJ+ovxoPnh3NSWkKPF7M+rlt2mZSPujp0suPW0icq6oU -04j4MeerDGa1P0piBd0ew/YSV0SY+fhofkxLQQIDAQABAoIBAQCDNjhXUQFs+pJ/ -eCQf+vXTLyVMyPGVDo4eXBkDZu5iHOdk/THjYZgfZs0NOFuk4Nt/tJs3PC8pdOV3 -0nHNS3u8kJtcGRO0SKtoqI3yyvMy6MGpZCMZSLmjRfvQEVXYhGBb+YO8o9rR1+wT -oJ31sAkj52ROCnW4DhSDibsKjbvJgA9mVwSscOtRU3KSoTl5TyCpSYRLJFkpK4cl -GLpwVugdlBGW3yI1S3AzGYEO2F8hmjBFLhsxC/ULaXMAp0TAYDIR6+jtEkg+tdNf -WYqophBQTTKuO2bHDLjfFLHr8pk5AZaG9RCfWD8lJKov8zK9hEZ2H2mFMl+kj36P -o17NWGABAoGBAOrcjVyusIXzdX1/NFhQm5SmbcE2nZjWDFG6mSZuNQkAyo9vSlAO -SfZ/h/1j8xSk65IqELsL70sUQqh4ckyVBfUxQQjzUO9TR9hJnyh7iGAQTfz6YOi5 -qdBz5LbCX0TCYt+IuaonEnryjyuYlkddOEOKBgWzDbPO00a995ctnHPBAoGBANCT -bcU0YXZmRozFzxfU2jgOVuvHuf0Innu+picWpMBPStyGSPNzUEHlC9oC7d+THMZH -ko4lR95NT19BBrkmbw+pGMDGZbyfajrPR6ps+WB5Fi3GyWjjH+nO/r9vtoRrjDsK -NO6mgrkH+ci8XTBFKcnjBg6e5XWPHklnZQkdd7eBAoGAWk7UTH8fgWJMGyV+izbz -nAUiztihYNNtiT+nBA/8dKnJOb4hZQcZiZ8gO17jaVzA+EMUi9fa+5OezgkCalAj -KlT2HOryhBQR3Cjy+i4GEmoyksPz34kEsxLdLykuWNImEq4QNk0v3fbG9oyFvIsr -x0ybZDWlXy54Lwt82LTBJAECgYATa4au89+XPJKZDNnpaCIhUgR505DXpHPNJcUm -oo8YcMmRmtc0A6qXWBIwbFFlnbbyJzvYDFSSuDQJtG5B0vhIRwBNAqv6UgV8EEyl -65uUhfGwtW+PWoZgKKvDe01NKw5VeO/QwKQvQjTZoeAzXF01tPOdbOIEfhzdzMi1 -fo7lAQKBgDlU5y0o4VWNm2v2rss3f+Ig3iqsh76ay7UgcY4Y/ZiC9dGW7KL1keDl -3pf1YJieSd0wptoMC/jzME+kpZU9OASsE1VX/XX6UCh1xHgLzV+S7tDS6EWMgnLz -IbvzZ2iC2hKM9vPtL+34gDjAwNot3kCMJNx4c+TSxSXfXIKbqjAW +MIIEpAIBAAKCAQEAxxSgxLUyMcwQHhE3ziEbPgn+m9L8EkXscvsWA6Ma4n5owK2m +Y7aG3n2ZRYlW+3VMBi0StrPh+lmXZWzgyw+bxHkaNYFTpK70xUGTx3lHfyu6EpKB +O0El1SNExnrx8ONUbLyY/LwnjlC5dWOB9l4PNylUf4DUr7eAlFrMIP2v2/FWVz9b +ffm5fWry4fW7iRcLGQRKNYrv/B798dVxEj9xoh2OiW6p8/tuEND6NMkJiGstHTJY 
+tmhwmF74WAxo7EQHD6iNgpr5errAQwrZheSGYNlbj078lA9mpE7BcPwEdDYgnI4R +Lblp0vcXvI3uw4Ne4+EMCDxJhXX+SvacAtBPMQIDAQABAoIBAQCCfuwPZTLc34Wl +H+YzsRHZbdW+sONY2wruJ9Y7VhwWYYQq4OkTrZ7kkvH4WdlxhWbrGXqN1oYHg9iw +vFjx4m5ZsIRUlEyOw7xg3OaQt9f87V3QNMaPX9n7x12auRaEr480o7+o03EeYZ3f +6/VR2EAjCW2BEqLX9/JJzObHrWMsSPMaXIV60V8K7kou1Ol3gdERG/+vAKhqzjFv +xdGQ0J6UHuYsZ5GP+xc1VLmE4WFQBAxcGbm+KWIHPeR/cq40JSsv5iRY5wBYRERK +szqDtwYAObf6DK4qSe8KKHMCfXP1RjWm5cvSebwyIjIqCnFXXUXpE0UNBkiUTVx6 +9xFpaJSRAoGBANuF2ucn0QwPNlyWdkAy9ItVmtwO+Rq8nlFai8KOt/Dauw5IqNye +xy6I8oEHCVrl7rHU6XRXqo3rJHrskcSJhYbiV+dYwusUnkqB27X/qv+CYJ/MQRC6 +v++ceNu/ybAF4UXxbIkEKR5BYaUAjXIN8kGp6Y1hF/wkUmjHQMQiwJP1AoGBAOgp +MOukoVDUQpu8Izzt9ff++S2531LUL66BCmxPQR3vhdxnYLFqs216uTevDrGTgLRS +mXwddVHLKW+zJiGZ0QssnCHmPzzg+USLQzCqJLUKCOoT9s3sDq/TsJwVuZy6sPcr +qWJ/sC9Ge+ZB6CRDrvZGdMSFvRkGT0cpT/mW4gTNAoGAX8ZxsCJmCV3luNWIeBAD +M3tA2jvKIQkkBZh8m4DK7dFwhRXcXo0Dl+D19KdORJNG5d1fkXviFJL/0oW+P0JE +uImuEmheelP/j8BCTJBkWZ/XakCiLptbvD3HWRC+/QZDt9FSKiFfkyyxXlz0WUuO +Y2mvVRiEb2Slc8NjFW+YF7UCgYAG2Pgtaxyq8qfISiNL78TafLXCyIGywrlpTzsM +eMX16ROsrYvnj7sdFoqR/uLTEAOyzeDjDUdhkzl0pvcP9KZ6yuUMBuuEkyonAGiJ +7erJQDOFG/OinTzNqNPDtsxTuBnyIGKNmjCLJGwRHY6IS0rEzs0w4rTyIQKDmc9X +EEE4XQKBgQDWr+hrUDfMa0JeiiB+mFCebNZptDMe0WN5oh+l1FkNlhSauaIb19Fu +qNtrC/F7ZihJW7i4xzEeakaZLpTEMjhdDLD4aQ+RiqW8iR7qmLKDYKWd8g2sanL1 +Tspko3Sj2Oq00BAU5tlNvVvxIaGraQ+HfNRi7p1HEPm7CeLg4ucmTg== -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-ca.pem b/services/nginz/integration-test/conf/nginz/integration-ca.pem index e0b211b371..2315c7c740 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca.pem 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIUGAGMageZja7d2r8voH2QcxF+z4cwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN -MjgxMTE5MTEwNzAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9adDVOHzHOMn64E/YsgDVwktAKp535 -N2HIl1g+8kKRCGy3rNUv4I91EtmnGoZXIEkwzuCRgU4p3SzNqCsNCLXcTfquje7g -zEPnRM4+xs+YfAQcn2BhROlx6PC+zUJrBYK4K3dNQpMXOYE1cu5M9FyJ7XLXo11Z -ZnCigTwkvr2xD9is+ZYJ0jVZVCNSkIjbqRrLqzbYQx+vwTlI9ixWuKoV4lQtYs5O -JoryvIhvKIlRwcmoh2ZtqWFhKsDoiqNKshfeSlCfqL8aD54dzUlpCjxezPq5bdpm -Uj7o6dLLj1tInKuqFNOI+DHnqwxmtT9KYgXdHsP2EldEmPn4aH5MS0ECAwEAAaNC -MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOrl -oSUQH72FPazbx5cV59y+LFawMA0GCSqGSIb3DQEBCwUAA4IBAQARUQWt7vaDIOZH -2ZmxKjYObH1yhGsNcq8UpP3D5H1PvnxWTIodW30P1sSmnpBMoWCCW8MOzX9HL9PI -tpSkDT4j7//EClStTnRNO1GdyMxaL7vQ0LXl/aVT8lfpw7MpUv+nQYJgpN7MpI4b -TZM+Dx9KoKMqtHBSX6eqgVd54dqnyw/3twDc4jZAwJ4ZogXCABfJFNH7Tiu/PUET -8RP8Gn0vUgNkvznYGCwMaAGbY+ihlKeqUZmpdTyq/A82wOmBLmPpDthg7+6U7kGs -zLwkR6wwCkwLM/KjHQ9WW1ggPT1oPsGU8EDwl/qxu896HP6s12vuAyY1WwsTuiI3 -vD1lYlAF +MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF +7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su +9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3 +gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7 +bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP +ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6 +JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O +JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb +lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp 
+x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA +qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be +z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH ++R0lNAyw -----END CERTIFICATE----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem index f0e536bde0..8ed90523cd 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAp9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQ -fzT7zEdtl3sAwtE3IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4 -Nlh0L+4qP+HNJbI4MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQ -l+3Yep1nQV9QRqShrnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYu -qcj5EpiM+xc58ns3E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8 -cnFUU/2CzCCi0UAZllEUkUefvDYrliYLyetSSwIDAQABAoIBABzJsMMvvR8dtWdI -eKsmF6cDXu+Y6AGOxxAI0Edm3a82lanl47+ObSsLjacQeH7yuIwbVC/QNkXjCvm2 -gNdjO2TK0U/n537BoSwJpqvSmUYQnz2BKftYjQWzyxeOOkyfF7iu+qUq6PCsjG01 -0iaWGduY6isudtZecRdHbqt7lgkNNcvFKKLbjuVmKDzrKicnSg6Fj/O00or8JMMX -Z/lBz7r35VDbQtahUIuqT1Y8lzCs4nq4KAoGCup48AMANgsI5+G5/e5wqdFUuP6/ -kFc2molEgF5/IogqlyxxizQduU9mQrTu7f1BQYDhVlCODU5XVGSsg/XXdNQRGU0N -07LNkyECgYEAzLc4FSKwXll3825m90RYj3DKN6oJOiSGgoJiyP0DPo1OwodFb1gk -vOdLU0B53vgxkeSy34qvHW43BptT/Wa4cbiTs8gpovtqaNAJRL3dUdp39mlcqS8i -lx6T8TLZ+t8DP90auU/VXTFn+XkSOJkHxvwk4oj2zy5U164OkNmrU2kCgYEA0d2S -L89SHSdFS60AHHlznvl8Mp7xMOoYwYxrp4GftdFc5aSG00p95DaORmU0FV43HnXb -dJmFIxaP1OR4qHSmDsHTjaHhCMzzXN8rLPaatcIcGCEeUwloI1HGMcAlK63c//i/ -POoPuDyGV93dUnuE0asjwWUxMTVYZJJxuvVSZZMCgYBP1ni5zXCJK01bk8f2USJU -tsE2mkrE8S/AQEd0aTBVudhoh0buGKsjPPUkf7XH3nW+lzmncre+u5gcLIHCBsiS -GVEJQVvzoyepvtCOjZl97bzxTcAEf0x3MUazP4jBjS4APyPH97mXgcgyBCS2DAB7 -eySLcK0IueH+x3QIy8tEWQKBgHXiXTRn43smzQD2O6LDAhRhlcclitvsE13dD7e2 -00yhPupr4aQcKt0fXAnk3T3Hf3SnxU8Y0TVlfgObFr+hTonpjHj5XlvALE+VuD34 -g+znDTrsl4kTNqDoVUkq4nZHomVSh7Gi1JOrw9bldGXZpkDUPjBrNBetHGrZ6/KV -zOPrAoGAdZZMAgIBzEop9mA/ApHuPlVO43VnqJPo8nYeQ2bEsjU3KI0TfqcbUjgG -8c4sJRw0xcV8F1Y9MaQhOHPl++c/6HTfQNEtNEsB5JDKqToExUll2x+07AAbQQ+h -6Qhk+DBImTCzoOemYYhlAvrvEZw/onYTKQAjudGT6BdshRg56cw= +MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk ++RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y +uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J +4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR 
+qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa +27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI +sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2 +2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0 +UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY +/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz +SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt +Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl +yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+ +wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv +UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg +PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98 +lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kdSUf7dyuQ7oivKxRjEB +TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e +tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT +7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF +ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1 +DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17 +Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5 +90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1 +xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg== -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf.pem b/services/nginz/integration-test/conf/nginz/integration-leaf.pem index 3e8ba2f3b9..d8e7ee0955 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDcjCCAlqgAwIBAgIUfT3hrFYCO/wnKZCc0SRIM0j/3JQwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTEwNzAwWhcN -MjQxMTIwMTEwNzAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -p9LD22T6GUuo2jIwFdUpbJlYAxfmu+KAfyeVnYP22PmwffaQfzT7zEdtl3sAwtE3 -IGDsWel1OzDjR33Nw1Z1mAdtDDAUjh8PHOSwprfWqV+3c7w4Nlh0L+4qP+HNJbI4 -MhF5MdCAJmGrmjdGdw5yiPeGCWV4qegIJVuKkGycOo7egEWQl+3Yep1nQV9QRqSh -rnHrhVdJfLdl7L5jB2YV3K5ODsEYXlLRgZBvQjX61WLLZcYuqcj5EpiM+xc58ns3 -E5Aw+5y8IfZxAcm3CjQHD+sJXyhBkVTtJv9zja77IJv7aSF8cnFUU/2CzCCi0UAZ -llEUkUefvDYrliYLyetSSwIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV +MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk +iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE +0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX +lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux +Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ ++J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUM1QB4eHYCLRO2pyYA5PXUQN+ZVwwHwYDVR0jBBgwFoAU6uWhJRAfvYU9rNvH -lxXn3L4sVrAwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv +FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b +fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF -AAOCAQEArYqKia5b/zZ12CrPdXsrf0qjEKDshy0gGo/WPPC5dbLG6yu3i5gktdsB -jEL6AF0rkL+RhBwH9ICXbMfNlM21laddsg6SVi1EWFUHLgII6+wiArQGc1BUGltt -f+9Ggu1eZ/pN8DvI6yiE4sUrN3MZQOmMDpyAOTETgeTg/Hqr2f854zSebN1ILMTi -b2LYC1d8CfblEUTTI2VNkakbrAVcrPQS/Dj8uqxs7CBSke0jxdkXXecS/2cHatGg -2iAd0GLOYtQxQr1v/qtNqJeAKQ3qQ0tEmQXv+ksqU4IDjcjMoSQ0p5uguJd6NFF6 -oroZ73cn0+l428+iR5crB7GCbsC7og== 
+AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n +7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR +AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF +bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB +fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK +7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ== -----END CERTIFICATE----- From 7dd804d2a44ef83104b5d006a8bc2712b2ff2735 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 21 Nov 2023 15:05:01 +0100 Subject: [PATCH 05/13] Uncomment the beast --- deploy/dockerephemeral/init.sh | 108 ++++++++++++++++----------------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/deploy/dockerephemeral/init.sh b/deploy/dockerephemeral/init.sh index b697dd9169..f10067319a 100755 --- a/deploy/dockerephemeral/init.sh +++ b/deploy/dockerephemeral/init.sh 
@@ -1,58 +1,58 @@ #!/usr/bin/env sh -# exec_until_ready() { -# until $1; do echo 'service not ready yet'; sleep 1; done -# } - -# # Assumes this to be run in an environment with `aws` installed -# # Keep these in sync with .envrc -# echo 'Creating AWS resources' -# aws configure set aws_access_key_id dummykey -# aws configure set aws_secret_access_key dummysecret -# aws configure set region eu-west-1 - -# # Potentially delete pre-existing tables -# echo -n "waiting for dynamo: " -# while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamodb list-tables); do -# sleep 1; -# done -# echo " [ok!]" - -# for suffix in "" "2" "3" "4" "5" "-federation-v0"; do -# aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true -# aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true - -# # Create Dynamo/SQS resources -# exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-userkey-blacklist$suffix --attribute-definitions AttributeName=key,AttributeType=S --key-schema AttributeName=key,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5" -# exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-prekeys$suffix --attribute-definitions AttributeName=client,AttributeType=S --key-schema AttributeName=client,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5" - -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events$suffix" -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events$suffix --attributes VisibilityTimeout=1" -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events-internal$suffix" -# 
exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events-internal$suffix --attributes VisibilityTimeout=1" -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-user-events.fifo$suffix" -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-user-events.fifo$suffix --attributes VisibilityTimeout=1" - -# # Gundeck's feedback queue -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-gundeck-events$suffix" -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-gundeck-events$suffix --attributes VisibilityTimeout=1" - -# # Galley's team event queue -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-team-events.fifo$suffix" -# exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-team-events.fifo$suffix --attributes VisibilityTimeout=1" - -# # Verify sender's email address (ensure the sender address is in sync with the config in brig) -# exec_until_ready "aws --endpoint-url=http://ses:4579 ses verify-email-identity --email-address backend-integration$suffix@wire.com" - -# # Create SNS resources for gundeck's notifications -# exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform GCM --attributes PlatformCredential=testkey" -# exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey" -# exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-com.wire.ent$suffix --platform APNS_SANDBOX --attributes 
PlatformCredential=testprivatekey" - -# # Cargohold's bucket; creating a bucket is not idempotent so we just try once and wait until it is ready -# # TODO: Lifecycle configuration for the bucket, if supported. -# aws --endpoint-url=http://s3:9000 s3api create-bucket --bucket "dummy-bucket$suffix" -# aws --endpoint-url=http://s3:9000 s3api wait bucket-exists --bucket "dummy-bucket$suffix" -# done +exec_until_ready() { + until $1; do echo 'service not ready yet'; sleep 1; done +} + +# Assumes this to be run in an environment with `aws` installed +# Keep these in sync with .envrc +echo 'Creating AWS resources' +aws configure set aws_access_key_id dummykey +aws configure set aws_secret_access_key dummysecret +aws configure set region eu-west-1 + +# Potentially delete pre-existing tables +echo -n "waiting for dynamo: " +while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamodb list-tables); do + sleep 1; +done +echo " [ok!]" + +for suffix in "" "2" "3" "4" "5" "-federation-v0"; do + aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true + aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true + + # Create Dynamo/SQS resources + exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-userkey-blacklist$suffix --attribute-definitions AttributeName=key,AttributeType=S --key-schema AttributeName=key,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5" + exec_until_ready "aws --endpoint-url=http://dynamodb:8000 dynamodb create-table --table-name integration-brig-prekeys$suffix --attribute-definitions AttributeName=client,AttributeType=S --key-schema AttributeName=client,KeyType=HASH --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5" + + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name 
integration-brig-events$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events$suffix --attributes VisibilityTimeout=1" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-brig-events-internal$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-brig-events-internal$suffix --attributes VisibilityTimeout=1" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-user-events.fifo$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-user-events.fifo$suffix --attributes VisibilityTimeout=1" + + # Gundeck's feedback queue + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-gundeck-events$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-gundeck-events$suffix --attributes VisibilityTimeout=1" + + # Galley's team event queue + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs create-queue --queue-name integration-team-events.fifo$suffix" + exec_until_ready "aws --endpoint-url=http://sqs:4568 sqs set-queue-attributes --queue-url http://sqs:4568/integration-team-events.fifo$suffix --attributes VisibilityTimeout=1" + + # Verify sender's email address (ensure the sender address is in sync with the config in brig) + exec_until_ready "aws --endpoint-url=http://ses:4579 ses verify-email-identity --email-address backend-integration$suffix@wire.com" + + # Create SNS resources for gundeck's notifications + exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-test$suffix --platform GCM --attributes PlatformCredential=testkey" + exec_until_ready "aws --endpoint-url=http://sns:4575 sns 
create-platform-application --name integration-test$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey" + exec_until_ready "aws --endpoint-url=http://sns:4575 sns create-platform-application --name integration-com.wire.ent$suffix --platform APNS_SANDBOX --attributes PlatformCredential=testprivatekey" + + # Cargohold's bucket; creating a bucket is not idempotent so we just try once and wait until it is ready + # TODO: Lifecycle configuration for the bucket, if supported. + aws --endpoint-url=http://s3:9000 s3api create-bucket --bucket "dummy-bucket$suffix" + aws --endpoint-url=http://s3:9000 s3api wait bucket-exists --bucket "dummy-bucket$suffix" +done echo 'AWS resources created successfully!' From bd2ca4b6a6e8d1272baba023ce85c630c88933d3 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 21 Nov 2023 15:41:58 +0100 Subject: [PATCH 06/13] some comments, tiny fixup --- deploy/dockerephemeral/federation-v0.yaml | 43 +++++++++++-------- .../federation-v0/federator.yaml | 2 +- 2 files changed, 25 insertions(+), 20 deletions(-) diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml index 4f9e47eeb4..89be3488c2 100644 --- a/deploy/dockerephemeral/federation-v0.yaml +++ b/deploy/dockerephemeral/federation-v0.yaml @@ -167,7 +167,7 @@ services: - '127.0.0.1:21097:8080' - '127.0.0.1:21098:8081' depends_on: - coredns-federation-v0: + coredns-federation: condition: service_started background_worker: 
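Review bot: `exec_until_ready` and the `waiting for dynamo` loop retry forever, so an unreachable or misnamed endpoint (every `--endpoint-url` host is fixed in the command string) keeps the init container looping on `service not ready yet` indefinitely instead of failing it; a bounded retry that exits non-zero is much easier to diagnose from the compose logs. The helper also receives the whole command as one string and relies on unquoted `$1` field splitting, which works only because no argument here contains whitespace or glob characters — worth a comment on the function, e.g. `# $1 is split on whitespace: arguments must not contain spaces or glob characters`. The entire script is inside this hunk, so changing the helper's body affects no callers elsewhere.
```shell
exec_until_ready() {
  # $1 is split on whitespace: arguments must not contain spaces or glob characters
  attempts=0
  until $1; do
    attempts=$((attempts + 1))
    if [ "$attempts" -ge "${INIT_MAX_ATTEMPTS:-120}" ]; then
      echo "giving up after $attempts attempts: $1" >&2
      exit 1
    fi
    echo 'service not ready yet'
    sleep 1
  done
}
# … unchanged: aws configure, dynamo wait loop, resource creation loop …
```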
@@ -186,24 +186,6 @@ services: - RABBITMQ_USERNAME=${RABBITMQ_USERNAME} - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD} - redis: - container_name: redis-federation-v0 - image: redis:6.0-alpine - networks: - - demo_wire - - coredns-federation-v0: - image: docker.io/coredns/coredns:1.8.4 - volumes: - - ./federation-v0/coredns-config:/coredns-config - entrypoint: - - /coredns - - -conf - - /coredns-config/Corefile - networks: - coredns: - ipv4_address: 172.20.1.3 - proxy: container_name: proxy-federation-v0 image: quay.io/wire/proxy:4.38.0-mandarin.14 @@ -224,3 +206,26 @@ services: ports: - '127.0.0.1:21080:8080' - '127.0.0.1:21443:8443' + + # We have to run a separate redis instance for each version of wire-server we + # want. This is because gundeck just assumes the whole redis is for itself + redis: + container_name: redis-federation-v0 + image: redis:6.0-alpine + networks: + - demo_wire + + # This coredns serves slightly different SRV records, so federator running in + # a docker container can talk to federator running on the host. + coredns-federation: + image: docker.io/coredns/coredns:1.8.4 + volumes: + - ./federation-v0/coredns-config:/coredns-config + entrypoint: + - /coredns + - -conf + - /coredns-config/Corefile + networks: + coredns: + ipv4_address: 172.20.1.3 + diff --git a/deploy/dockerephemeral/federation-v0/federator.yaml b/deploy/dockerephemeral/federation-v0/federator.yaml index 559a264447..6ff8d119ae 100644 --- a/deploy/dockerephemeral/federation-v0/federator.yaml +++ b/deploy/dockerephemeral/federation-v0/federator.yaml @@ -1,6 +1,6 @@ federatorInternal: host: 0.0.0.0 - port: 8090 + port: 8080 federatorExternal: host: 0.0.0.0 port: 8081 From 603f5e793c961e08c48b8203b31e9e736721eda7 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 21 Nov 2023 15:47:47 +0100 Subject: [PATCH 07/13] Changelog --- changelog.d/5-internal/docker-mandarin | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/5-internal/docker-mandarin 
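Review bot: The re-added Redis service is keyed `redis:` even though its `container_name` is `redis-federation-v0` and the comment above it says a separate instance per wire-server version is required; run.sh later in this series passes this file together with docker-compose.yaml via two `--file` options, and Compose merges same-named services across files, so if the base file also declares `redis:` (its contents are outside this patch) the two definitions collapse into one instance instead of two. If that is the case, key it `redis-federation-v0:` and point the federation-v0 gundeck config at that host. Separately, `coredns-federation` has no healthcheck while `federator` depends on it with only `condition: service_started`, so federator can start before CoreDNS is answering; a healthcheck on the CoreDNS container with `condition: service_healthy` on the dependency would close that gap. The Redis definition configures no password, which is only acceptable because this instance publishes no host port.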
diff --git a/changelog.d/5-internal/docker-mandarin b/changelog.d/5-internal/docker-mandarin new file mode 100644 index 0000000000..b9d0ac4857 --- /dev/null +++ b/changelog.d/5-internal/docker-mandarin @@ -0,0 +1 @@ +Deploy a backend with federation API V0 while setting up services for local testing \ No newline at end of file From c39548e3ee665a609a23ae0f52929a4250e62fb3 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 22 Nov 2023 12:30:36 +0100 Subject: [PATCH 08/13] Fix proxy config --- deploy/dockerephemeral/federation-v0/proxy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/dockerephemeral/federation-v0/proxy.yaml b/deploy/dockerephemeral/federation-v0/proxy.yaml index dc91440dd1..c5824166a5 100644 --- a/deploy/dockerephemeral/federation-v0/proxy.yaml +++ b/deploy/dockerephemeral/federation-v0/proxy.yaml @@ -2,7 +2,7 @@ # proxy can be started with a config file (e.g. ./dist/proxy -c proxy.yaml.example) host: 0.0.0.0 -port: 8087 +port: 8080 # number of connections for the http pool httpPoolSize: 1000 From 8d4966d60ba70badd75f297285d82fe90360ccc9 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Thu, 23 Nov 2023 17:39:44 +0100 Subject: [PATCH 09/13] Add healthchecks to haskell things and make nginz wait for haskell things --- deploy/dockerephemeral/docker-compose.yaml | 5 ++++- deploy/dockerephemeral/federation-v0.yaml | 26 ++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index abc44b8140..564141eebc 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -193,7 +193,10 @@ services: - "CS_JVM_OPTIONS=-Xmx1024M -Xms1024M -Xmn200M" healthcheck: - test: [ "CMD", "nodetool", "status" ] + test: "nodetool status" + interval: 10s + start_period: 20s + timeout: 2s # on nixos, you also may need to run # sysctl -w vm.max_map_count=1048576 
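Review bot: `test: "nodetool status"` succeeds as soon as nodetool can talk to the node, not when the node reports itself Up/Normal, and a later commit in this series concedes the check "doesn't actually check if the node is up"; combined with `timeout: 2s`, which is tight for nodetool's own JVM start-up, the probe is likely to flap and send dependants into retries. Since the change to the string form already runs the check through `CMD-SHELL`, make the condition explicit and give it room: `test: "nodetool status | grep -q '^UN'"`, `timeout: 10s`, `retries: 10`. Leaving `retries` at the Compose default also means only three misses before the container is marked unhealthy.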
diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml index 89be3488c2..add1796fee 100644 --- a/deploy/dockerephemeral/federation-v0.yaml +++ b/deploy/dockerephemeral/federation-v0.yaml @@ -23,6 +23,8 @@ services: - demo_wire ports: - '127.0.0.1:21082:8080' + healthcheck: &haskell_health_check + test: "curl --fail localhost:8080/i/status" depends_on: brig_schema: condition: service_completed_successfully @@ -57,6 +59,7 @@ services: - demo_wire ports: - '127.0.0.1:21085:8080' + healthcheck: *haskell_health_check depends_on: galley_schema: condition: service_completed_successfully @@ -81,6 +84,7 @@ services: - demo_wire ports: - '127.0.0.1:21084:8080' + healthcheck: *haskell_health_check depends_on: aws_cli: condition: service_completed_successfully @@ -109,6 +113,7 @@ services: - demo_wire ports: - '127.0.0.1:21086:8080' + healthcheck: *haskell_health_check depends_on: gundeck_schema: condition: service_completed_successfully @@ -141,6 +146,7 @@ services: - demo_wire ports: - '127.0.0.1:21088:8080' + healthcheck: *haskell_health_check depends_on: spar_schema: condition: service_completed_successfully @@ -154,6 +160,7 @@ services: - demo_wire ports: - '127.0.0.1:21083:8080' + healthcheck: *haskell_health_check federator: container_name: federator-federation-v0 @@ -166,6 +173,7 @@ services: ports: - '127.0.0.1:21097:8080' - '127.0.0.1:21098:8081' + healthcheck: *haskell_health_check depends_on: coredns-federation: condition: service_started @@ -195,6 +203,7 @@ services: - demo_wire ports: - '127.0.0.1:21087:8080' + healthcheck: *haskell_health_check nginz: container_name: nginz-federation-v0 
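Review bot: The `&haskell_health_check` anchor defined in the first hunk sets only `test`, so all eight services that alias it inherit Compose's default schedule (30s interval and timeout, 3 retries), which makes the `service_healthy` gate that nginz gets later in this series slow to resolve and lets a stalled `curl` hold the probe for the full timeout. The string form also assumes `curl` and a shell exist in every `quay.io/wire` image used here, which the diff cannot confirm; a missing binary reads as "unhealthy", not as a configuration error. Bound the request and tighten the schedule once, at the anchor, so every alias picks it up:
```yaml
healthcheck: &haskell_health_check
  test: "curl --fail --silent --max-time 2 localhost:8080/i/status"
  interval: 5s
  timeout: 5s
  retries: 12
  start_period: 10s
```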
@@ -206,6 +215,23 @@ services: ports: - '127.0.0.1:21080:8080' - '127.0.0.1:21443:8443' + depends_on: + brig: + condition: service_healthy + galley: + condition: service_healthy + gundeck: + condition: service_healthy + cargohold: + condition: service_healthy + cannon: + condition: service_healthy + spar: + condition: service_healthy + federator: + condition: service_healthy + proxy: + condition: service_healthy # We have to run a separate redis instance for each version of wire-server we # want. This is because gundeck just assumes the whole redis is for itself From b6ee0c136b9b08442a97aad7945111e12da278d3 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Thu, 23 Nov 2023 17:40:08 +0100 Subject: [PATCH 10/13] Retry schema migrations Maybe nodetool status isn't such a good healthcheck because it doesn't actually check if the node is up. Its probably too hard to do this, so retrying should be good enough. --- deploy/dockerephemeral/federation-v0.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml index add1796fee..e262a4693a 100644 --- a/deploy/dockerephemeral/federation-v0.yaml +++ b/deploy/dockerephemeral/federation-v0.yaml @@ -12,6 +12,9 @@ services: depends_on: cassandra: condition: service_healthy + deploy: + restart_policy: + condition: on-failure networks: - demo_wire brig: @@ -47,6 +50,9 @@ services: depends_on: cassandra: condition: service_healthy + deploy: + restart_policy: + condition: on-failure networks: - demo_wire @@ -101,6 +107,9 @@ services: depends_on: cassandra: condition: service_healthy + deploy: + restart_policy: + condition: on-failure networks: - demo_wire @@ -134,6 +143,9 @@ services: depends_on: cassandra: condition: service_healthy + deploy: + restart_policy: + condition: on-failure networks: - demo_wire From d6e2279250a5a6945d048a682567e177f67377b0 Mon Sep 17 00:00:00 2001 
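Review bot: `deploy.restart_policy` is a Swarm-oriented key, and depending on which Compose implementation sits behind the `docker-compose` command that run.sh uses (visible later in this series) the whole `deploy:` section may be ignored unless `--compatibility` is passed, in which case the four `*_schema` jobs are not retried at all; where it is honoured, `condition: on-failure` without `max_attempts` retries a genuinely broken migration forever while `brig`, `galley`, `gundeck` and `spar` block on `service_completed_successfully`. Use the service-level form that classic Compose understands and cap it: replace the three `deploy:`/`restart_policy:`/`condition:` lines in each job with `restart: "on-failure:5"`. A short comment such as `# schema migrations race the cassandra healthcheck; bounded retries instead of a hard dependency` next to it would also record why the retry exists.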
From: Akshay Mankar Date: Thu, 23 Nov 2023 17:41:02 +0100 Subject: [PATCH 11/13] Less noisy run script, this gives a clear message when things are all setup --- deploy/dockerephemeral/run.sh | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/deploy/dockerephemeral/run.sh b/deploy/dockerephemeral/run.sh index 17005e556e..00113f3329 100755 --- a/deploy/dockerephemeral/run.sh +++ b/deploy/dockerephemeral/run.sh @@ -6,5 +6,12 @@ set -x SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DOCKER_FILE="$SCRIPT_DIR/docker-compose.yaml" -docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" down +cleanup () { + docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" down +} + +docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d +echo "All Services started successfully, press Ctrl+C to stop them" +trap cleanup EXIT +# Wait for something to kill this +while true; do sleep 100000000; done From ef8da8b9b908319d1e9ccdb2246d3f23f99f25d2 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Thu, 23 Nov 2023 17:47:51 +0100 Subject: [PATCH 12/13] Undo unwanted change --- services/galley/galley.integration.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/services/galley/galley.integration.yaml b/services/galley/galley.integration.yaml index 1d68ca943a..e47801460b 100644 --- a/services/galley/galley.integration.yaml +++ b/services/galley/galley.integration.yaml @@ -83,6 +83,15 @@ settings: verificationExpiration: 86400 acmeDiscoveryUrl: null lockStatus: unlocked + mlsMigration: + defaults: + status: enabled + config: + startTime: "2029-05-16T10:11:12.123Z" + finaliseRegardlessAfter: "2029-10-17T00:00:00.000Z" + usersThreshold: 100 + clientsThreshold: 50 + lockStatus: locked logLevel: Warn logNetStrings: false From 0025191655e69957c0b0e52b322d0d525712836a Mon Sep 17 00:00:00 2001 
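Review bot: The exit status of `docker-compose … up -d` is never checked, and unless `set -e` is enabled above the hunk (only `set -x` is visible in its context) a failed or partially failed `up` still prints "All Services started successfully"; because `trap cleanup EXIT` is armed only after `up -d` returns, containers that did start before the failure are also left running. Arm the trap first and fail fast: move `trap cleanup EXIT` above the `up -d` line and change that line to `docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d || exit 1`. The final commit in this series only moves the echo below the trap and does not address this ordering. With the trap in place, a SIGINT delivered to the `sleep` loop still runs `cleanup`, so the interactive behaviour is unchanged.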
From: Akshay Mankar Date: Thu, 23 Nov 2023 17:51:16 +0100 Subject: [PATCH 13/13] Enable trap before telling people to use it --- deploy/dockerephemeral/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/dockerephemeral/run.sh b/deploy/dockerephemeral/run.sh index 00113f3329..57d0e7223a 100755 --- a/deploy/dockerephemeral/run.sh +++ b/deploy/dockerephemeral/run.sh @@ -11,7 +11,7 @@ cleanup () { } docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d -echo "All Services started successfully, press Ctrl+C to stop them" trap cleanup EXIT +echo "All Services started successfully, press Ctrl+C to stop them" # Wait for something to kill this while true; do sleep 100000000; done