From a544d56dfad194046693ad4c68f72f13ec442c91 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Tue, 30 Jan 2024 11:24:50 +0100 Subject: [PATCH 01/12] Introduce federation-v0 domain in integration --- integration/test/Testlib/Env.hs | 3 ++- integration/test/Testlib/Types.hs | 2 ++ services/integration.yaml | 39 +++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/integration/test/Testlib/Env.hs b/integration/test/Testlib/Env.hs index 39f274b1f94..77f20f22736 100644 --- a/integration/test/Testlib/Env.hs +++ b/integration/test/Testlib/Env.hs @@ -86,7 +86,8 @@ mkGlobalEnv cfgFile = do let sm = Map.fromList $ [ (intConfig.backendOne.originDomain, intConfig.backendOne.beServiceMap), - (intConfig.backendTwo.originDomain, intConfig.backendTwo.beServiceMap) + (intConfig.backendTwo.originDomain, intConfig.backendTwo.beServiceMap), + (intConfig.federationV0.originDomain, intConfig.federationV0.beServiceMap) ] <> [(berDomain resource, resourceServiceMap resource) | resource <- resources] tempDir <- Codensity $ withSystemTempDirectory "test" diff --git a/integration/test/Testlib/Types.hs b/integration/test/Testlib/Types.hs index 025ef39ba76..e7fd653eee7 100644 --- a/integration/test/Testlib/Types.hs +++ b/integration/test/Testlib/Types.hs @@ -116,6 +116,7 @@ data GlobalEnv = GlobalEnv data IntegrationConfig = IntegrationConfig { backendOne :: BackendConfig, backendTwo :: BackendConfig, + federationV0 :: BackendConfig, dynamicBackends :: Map String DynamicBackendConfig, rabbitmq :: RabbitMQConfig, cassandra :: CassandraConfig @@ -128,6 +129,7 @@ instance FromJSON IntegrationConfig where IntegrationConfig <$> parseJSON (Object o) <*> o .: fromString "backendTwo" + <*> o .: fromString "federation-v0" <*> o .: fromString "dynamicBackends" <*> o .: fromString "rabbitmq" <*> o .: fromString "cassandra" diff --git a/services/integration.yaml b/services/integration.yaml index 65543e45f10..864f2db362e 100644 --- a/services/integration.yaml 
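Review bot: The new `federationV0` field carries no documentation, and because it is parsed with `.:` every `IntegrationConfig` file (integration.yaml and the integration chart configmap) must now contain a `federation-v0` section or the test runner fails to start. A one-line Haddock on the field would spare the next reader a search, e.g. `-- | Backend running federation API v0 (JSON key "federation-v0"); presumably used to federate the current backend against an older peer.` In `mkGlobalEnv` the three fixed domains go into `Map.fromList` together with the dynamic backends, which silently keeps the last entry on a duplicate origin domain; a collision in the config would be better reported than absorbed. The `IntegrationConfig` record continues outside the hunk.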
+++ b/services/integration.yaml @@ -142,3 +142,42 @@ rabbitmq: cassandra: host: 127.0.0.1 port: 9042 + +federation-v0: + originDomain: v0.example.com + brig: + host: 127.0.0.1 + port: 21082 + cannon: + host: 127.0.0.1 + port: 21083 + cargohold: + host: 127.0.0.1 + port: 21084 + federatorInternal: + host: 127.0.0.1 + port: 21097 + federatorExternal: + host: 127.0.0.1 + port: 21098 + galley: + host: 127.0.0.1 + port: 21085 + gundeck: + host: 127.0.0.1 + port: 21086 + nginz: + host: 127.0.0.1 + port: 21080 + spar: + host: 127.0.0.1 + port: 21088 + proxy: + host: 127.0.0.1 + port: 21087 + backgroundWorker: + host: 127.0.0.1 + port: 21089 + stern: + host: 127.0.0.1 + port: 21091 From 38fc67b22f48ccf8bc0022ec36657d506a80bca1 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Tue, 30 Jan 2024 14:18:54 +0100 Subject: [PATCH 02/12] Add federation-v0 domain to environment --- integration/test/Testlib/Env.hs | 2 ++ integration/test/Testlib/Types.hs | 2 ++ 2 files changed, 4 insertions(+) diff --git a/integration/test/Testlib/Env.hs b/integration/test/Testlib/Env.hs index 77f20f22736..f143fea4828 100644 --- a/integration/test/Testlib/Env.hs +++ b/integration/test/Testlib/Env.hs @@ -99,6 +99,7 @@ mkGlobalEnv cfgFile = do { gServiceMap = sm, gDomain1 = intConfig.backendOne.originDomain, gDomain2 = intConfig.backendTwo.originDomain, + gFederationV0Domain = intConfig.federationV0.originDomain, gDynamicDomains = (.domain) <$> Map.elems intConfig.dynamicBackends, gDefaultAPIVersion = 6, gManager = manager, @@ -136,6 +137,7 @@ mkEnv ge = do { serviceMap = gServiceMap ge, domain1 = gDomain1 ge, domain2 = gDomain2 ge, + federationV0Domain = gFederationV0Domain ge, dynamicDomains = gDynamicDomains ge, defaultAPIVersion = gDefaultAPIVersion ge, manager = gManager ge, diff --git a/integration/test/Testlib/Types.hs b/integration/test/Testlib/Types.hs index e7fd653eee7..ed18a345dd3 100644 --- a/integration/test/Testlib/Types.hs +++ b/integration/test/Testlib/Types.hs 
@@ -102,6 +102,7 @@ data GlobalEnv = GlobalEnv { gServiceMap :: Map String ServiceMap, gDomain1 :: String, gDomain2 :: String, + gFederationV0Domain :: String, gDynamicDomains :: [String], gDefaultAPIVersion :: Int, gManager :: HTTP.Manager, @@ -194,6 +195,7 @@ data Env = Env { serviceMap :: Map String ServiceMap, domain1 :: String, domain2 :: String, + federationV0Domain :: String, dynamicDomains :: [String], defaultAPIVersion :: Int, manager :: HTTP.Manager, From b4fc2c92f513814a5327c0aa54b4cd39ae0dc8ce Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 31 Jan 2024 10:05:42 +0100 Subject: [PATCH 03/12] Fix federation-v0 SRV record --- deploy/dockerephemeral/coredns-config/db.example.com | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/dockerephemeral/coredns-config/db.example.com b/deploy/dockerephemeral/coredns-config/db.example.com index 1c33e941fb1..a458686bca7 100644 --- a/deploy/dockerephemeral/coredns-config/db.example.com +++ b/deploy/dockerephemeral/coredns-config/db.example.com @@ -17,4 +17,4 @@ _wire-server-federator._tcp.b IN SRV 0 0 9443 localhost. _wire-server-federator._tcp.d1 IN SRV 0 0 10443 localhost. _wire-server-federator._tcp.d2 IN SRV 0 0 11443 localhost. _wire-server-federator._tcp.d3 IN SRV 0 0 12443 localhost. -_wire-server-federator._tcp.v0 IN SRV 0 0 21443 localhost. +_wire-server-federator._tcp.federation-v0 IN SRV 0 0 21443 localhost. From 7842fc2db5e04774220e7fe0471e032d03e904fb Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 31 Jan 2024 10:06:01 +0100 Subject: [PATCH 04/12] Add demo test involving federation-v0 --- integration/test/Test/Demo.hs | 13 +++++++++++++ integration/test/Testlib/App.hs | 5 +++++ services/integration.yaml | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/integration/test/Test/Demo.hs b/integration/test/Test/Demo.hs index 509a879bcdb..5469e0a8645 100644 --- a/integration/test/Test/Demo.hs +++ b/integration/test/Test/Demo.hs 
@@ -194,3 +194,16 @@ testUnrace = do True `shouldMatch` False -} retryT $ True `shouldMatch` True + +testFedV0Instance :: App () +testFedV0Instance = do + res <- BrigP.getAPIVersion FedV0Domain >>= getJSON 200 + res %. "domain" `shouldMatch` FedV0Domain + +testFedV0Federation :: App () +testFedV0Federation = do + alice <- randomUser OwnDomain def + bob <- randomUser FedV0Domain def + + bob' <- BrigP.getUser alice bob >>= getJSON 200 + bob' %. "qualified_id" `shouldMatch` (bob %. "qualified_id") diff --git a/integration/test/Testlib/App.hs b/integration/test/Testlib/App.hs index e0978f4e382..0e85badb2f7 100644 --- a/integration/test/Testlib/App.hs +++ b/integration/test/Testlib/App.hs @@ -57,6 +57,11 @@ instance MakesValue Domain where make OwnDomain = asks (String . T.pack . (.domain1)) make OtherDomain = asks (String . T.pack . (.domain2)) +data FedDomain = FedV0Domain + +instance MakesValue FedDomain where + make FedV0Domain = asks (String . T.pack . (.federationV0Domain)) + -- | Run an action, `recoverAll`ing with exponential backoff (min step 8ms, total timeout -- ~15s). Search this package for examples how to use it. -- diff --git a/services/integration.yaml b/services/integration.yaml index 864f2db362e..00d54a5efa3 100644 --- a/services/integration.yaml +++ b/services/integration.yaml @@ -144,7 +144,7 @@ cassandra: port: 9042 federation-v0: - originDomain: v0.example.com + originDomain: federation-v0.example.com brig: host: 127.0.0.1 port: 21082 From 1a237397970d59a06212cf0cdb23d9288eee7c64 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 31 Jan 2024 10:53:47 +0100 Subject: [PATCH 05/12] Add federation-v0 config to integration chart --- charts/integration/templates/configmap.yaml | 39 +++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/charts/integration/templates/configmap.yaml b/charts/integration/templates/configmap.yaml index e18128cbf58..60356651154 100644 --- a/charts/integration/templates/configmap.yaml 
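Review bot: `testFedV0Federation` only exercises the current backend looking up a user on the v0 backend; the other half of backward compatibility, the v0 peer calling the current backend, is not covered. Adding `alice' <- BrigP.getUser bob alice >>= getJSON 200` with the matching `qualified_id` assertion would pin both directions, and if `getUser` cannot be issued against the v0 domain this way a comment should say so, so nobody assumes the compat test is symmetric. A short Haddock on each test naming which API version sits on the far side would also help, since `FedV0Domain` alone does not say. Both tests lie entirely within the hunk.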
+++ b/charts/integration/templates/configmap.yaml @@ -125,3 +125,42 @@ data: {{- if eq (include "useCassandraTLS" .Values.config) "true" }} tlsCa: /etc/wire/galley/cassandra/{{- (include "tlsSecretRef" .Values.config | fromYaml).key }} {{- end }} + + federation-v0: + originDomain: wire-federation-v0.svc.cluster.local + brig: + host: brig.wire-federation-v0.svc.cluster.local + port: 8080 + cannon: + host: cannon.wire-federation-v0.svc.cluster.local + port: 8080 + cargohold: + host: cargohold.wire-federation-v0.svc.cluster.local + port: 8080 + federatorInternal: + host: federator.wire-federation-v0.svc.cluster.local + port: 8080 + federatorExternal: + host: federator.wire-federation-v0.svc.cluster.local + port: 8081 + galley: + host: galley.wire-federation-v0.svc.cluster.local + port: 8080 + gundeck: + host: gundeck.wire-federation-v0.svc.cluster.local + port: 8080 + nginz: + host: nginz-integration-http.wire-federation-v0.svc.cluster.local + port: 8080 + spar: + host: spar.wire-federation-v0.svc.cluster.local + port: 8080 + proxy: + host: proxy.wire-federation-v0.svc.cluster.local + port: 8080 + backgroundWorker: + host: backgroundWorker.wire-federation-v0.svc.cluster.local + port: 8080 + stern: + host: stern.wire-federation-v0.svc.cluster.local + port: 8080 From 714eefa66c57461884fef1f03ecd0147f159d58a Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Fri, 2 Feb 2024 09:13:58 +0100 Subject: [PATCH 06/12] Tweak federation-v0 hostname --- charts/integration/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/integration/templates/configmap.yaml b/charts/integration/templates/configmap.yaml index 60356651154..f211ab25105 100644 --- a/charts/integration/templates/configmap.yaml +++ b/charts/integration/templates/configmap.yaml 
@@ -127,7 +127,7 @@ data: {{- end }} federation-v0: - originDomain: wire-federation-v0.svc.cluster.local + originDomain: federation-test-helper.wire-federation-v0.svc.cluster.local brig: host: brig.wire-federation-v0.svc.cluster.local port: 8080 From 568ccaf019d174d0845d94d8af1017b563ff7739 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Fri, 2 Feb 2024 10:31:16 +0100 Subject: [PATCH 07/12] Add HasCallStack constraints --- integration/test/Test/Demo.hs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integration/test/Test/Demo.hs b/integration/test/Test/Demo.hs index 5469e0a8645..824af5a7d2c 100644 --- a/integration/test/Test/Demo.hs +++ b/integration/test/Test/Demo.hs @@ -195,12 +195,12 @@ testUnrace = do -} retryT $ True `shouldMatch` True -testFedV0Instance :: App () +testFedV0Instance :: HasCallStack => App () testFedV0Instance = do res <- BrigP.getAPIVersion FedV0Domain >>= getJSON 200 res %. "domain" `shouldMatch` FedV0Domain -testFedV0Federation :: App () +testFedV0Federation :: HasCallStack => App () testFedV0Federation = do alice <- randomUser OwnDomain def bob <- randomUser FedV0Domain def From 71648b48843a16a70cdd437bee58221ad703d5c4 Mon Sep 17 00:00:00 2001 From: Stefan Berthold Date: Tue, 6 Feb 2024 15:30:26 +0000 Subject: [PATCH 08/12] use certmanager for federator --- .../tests/federator-integration.yaml | 2 +- charts/integration/templates/ingress.yaml | 2 +- .../templates/certificate_federator.yaml | 2 +- .../templates/ingress_federator.yaml | 2 +- charts/nginx-ingress-services/values.yaml | 2 + hack/bin/integration-setup-federation.sh | 17 ++-- hack/bin/selfsigned-kubernetes.sh | 98 ------------------- hack/helm_vars/common.yaml.gotmpl | 3 + .../nginx-ingress-services/values.yaml.gotmpl | 12 ++- hack/helm_vars/wire-server/values.yaml.gotmpl | 8 ++ hack/helmfile.yaml | 8 +- 11 files changed, 38 insertions(+), 118 deletions(-) delete mode 100755 hack/bin/selfsigned-kubernetes.sh 
diff --git a/charts/federator/templates/tests/federator-integration.yaml b/charts/federator/templates/tests/federator-integration.yaml index f30d7873798..e0d9673cd3e 100644 --- a/charts/federator/templates/tests/federator-integration.yaml +++ b/charts/federator/templates/tests/federator-integration.yaml @@ -16,7 +16,7 @@ spec: # integration tests need access to the client certificate private key - name: "federator-secrets" secret: - secretName: "federator-secret" + secretName: {{ if .Values.tls.useCertManager }} "federator-certificate-secret" {{ else }} "federator-secret" {{ end }} # integration tests need access to the CA - name: "federator-ca" configMap: diff --git a/charts/integration/templates/ingress.yaml b/charts/integration/templates/ingress.yaml index 8ae7a87b23a..7d2748022f0 100644 --- a/charts/integration/templates/ingress.yaml +++ b/charts/integration/templates/ingress.yaml @@ -17,7 +17,7 @@ metadata: nginx.ingress.kubernetes.io/backend-protocol: "HTTP" nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" nginx.ingress.kubernetes.io/auth-tls-verify-depth: "{{ $.Values.tls.verify_depth }}" - nginx.ingress.kubernetes.io/auth-tls-secret: "{{ $.Release.Namespace }}/federator-ca-secret" + nginx.ingress.kubernetes.io/auth-tls-secret: "{{ or $.Values.tls.caNamespace $.Release.Namespace }}/federator-ca-secret" nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert; spec: diff --git a/charts/nginx-ingress-services/templates/certificate_federator.yaml b/charts/nginx-ingress-services/templates/certificate_federator.yaml index 3437ab5aad5..0ac26b6b2f1 100644 --- a/charts/nginx-ingress-services/templates/certificate_federator.yaml +++ b/charts/nginx-ingress-services/templates/certificate_federator.yaml @@ -31,5 +31,5 @@ spec: encoding: PKCS1 rotationPolicy: Always dnsNames: - - {{ .Values.config.dns.federator }} + - "{{ or .Values.config.dns.certificateDomain .Values.config.dns.federator }}" {{- end -}} 
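Review bot: With `or`, setting `config.dns.certificateDomain` replaces `config.dns.federator` in `dnsNames` instead of adding to it, so a value that does not cover the federator ingress hostname yields a certificate that fails hostname verification for the very ingress it fronts. The helmfile in this commit sets a wildcard over the namespace base domain, which does cover `federation-test-helper.<base>`, but nothing in the chart enforces that for other users. I would keep the federator hostname as an unconditional SAN and append `certificateDomain` only when it is set (`- "{{ .Values.config.dns.federator }}"` followed by an `{{- if .Values.config.dns.certificateDomain }}` / `- "{{ .Values.config.dns.certificateDomain }}"` / `{{- end }}` block). The `Certificate` spec starts outside the hunk.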
diff --git a/charts/nginx-ingress-services/templates/ingress_federator.yaml b/charts/nginx-ingress-services/templates/ingress_federator.yaml index e9fa137ebca..fa76aae8d95 100644 --- a/charts/nginx-ingress-services/templates/ingress_federator.yaml +++ b/charts/nginx-ingress-services/templates/ingress_federator.yaml @@ -19,7 +19,7 @@ metadata: nginx.ingress.kubernetes.io/backend-protocol: "HTTP" nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" nginx.ingress.kubernetes.io/auth-tls-verify-depth: "{{ .Values.tls.verify_depth }}" - nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/federator-ca-secret" + nginx.ingress.kubernetes.io/auth-tls-secret: "{{ or $.Values.tls.caNamespace $.Release.Namespace }}/federator-ca-secret" nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert; spec: diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml index bbdb5928bc8..8a9e73b7eaa 100644 --- a/charts/nginx-ingress-services/values.yaml +++ b/charts/nginx-ingress-services/values.yaml @@ -118,6 +118,8 @@ config: # ^ fakeS3 is ignored if fakeS3.enabled == false # federator: federator. # ^ federator is ignored unless federator.enabled == true +# certificateDomain: federator. +# ^ domain to use in the CSR when using cert-manager # teamSettings: teams. # ^ teamSettings is ignored unless teamSettings.enabled == true # accountPages: account. diff --git a/hack/bin/integration-setup-federation.sh b/hack/bin/integration-setup-federation.sh index d7e19e66aeb..36858079b72 100755 --- a/hack/bin/integration-setup-federation.sh +++ b/hack/bin/integration-setup-federation.sh 
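Review bot: `tls.caNamespace` moves the trust anchor for client-certificate verification out of the release namespace: the ingress controller must be allowed to read `federator-ca-secret` there, and whoever can write that secret decides which federation peers this ingress accepts, so the named namespace becomes part of the trust boundary of every release that points at it. Neither the `certificateDomain` comment added here nor the `caNamespace` comment added later in the series spells that out. I would document it next to the value: `# caNamespace: namespace holding federator-ca-secret; leave unset outside shared test clusters, since writers of that namespace control which peers are trusted.` The annotations block starts outside the hunk.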
@@ -25,9 +25,6 @@ charts=(fake-aws databases-ephemeral redis-cluster rabbitmq wire-server ingress-
 mkdir -p ~/.parallel && touch ~/.parallel/will-cite
 printf '%s\n' "${charts[@]}" | parallel -P "${HELM_PARALLELISM}" "$DIR/update.sh" "$CHARTS_DIR/{}"
-# FUTUREWORK: use helm functions instead, see https://wearezeta.atlassian.net/browse/SQPIT-723
-echo "Generating self-signed certificates..."
-
 KUBERNETES_VERSION_MAJOR="$(kubectl version -o json | jq -r .serverVersion.major)"
 KUBERNETES_VERSION_MINOR="$(kubectl version -o json | jq -r .serverVersion.minor)"
 KUBERNETES_VERSION_MINOR="${KUBERNETES_VERSION_MINOR//[!0-9]/}" # some clusters report minor versions as a string like '27+'. Strip any non-digit characters.
@@ -39,14 +36,16 @@ else
 fi
 echo "kubeVersion: $KUBERNETES_VERSION and ingress controller=$INGRESS_CHART"
 export NAMESPACE_1="$NAMESPACE"
-export FEDERATION_DOMAIN_BASE="$NAMESPACE_1.svc.cluster.local"
-export FEDERATION_DOMAIN_1="federation-test-helper.$FEDERATION_DOMAIN_BASE"
-"$DIR/selfsigned-kubernetes.sh" namespace1
+export FEDERATION_DOMAIN_BASE_1="$NAMESPACE_1.svc.cluster.local"
+export FEDERATION_DOMAIN_1="federation-test-helper.$FEDERATION_DOMAIN_BASE_1"
 export NAMESPACE_2="$NAMESPACE-fed2"
-export FEDERATION_DOMAIN_BASE="$NAMESPACE_2.svc.cluster.local"
-export FEDERATION_DOMAIN_2="federation-test-helper.$FEDERATION_DOMAIN_BASE"
-"$DIR/selfsigned-kubernetes.sh" namespace2
+export FEDERATION_DOMAIN_BASE_2="$NAMESPACE_2.svc.cluster.local"
+export FEDERATION_DOMAIN_2="federation-test-helper.$FEDERATION_DOMAIN_BASE_2"
+
+echo "Fetch federation-ca secret from cert-manager namespace"
+FEDERATION_CA_CERTIFICATE="$(kubectl -n cert-manager get secrets federation-ca -o json | jq -r '.data."tls.crt"')"
+export FEDERATION_CA_CERTIFICATE
 echo "Installing charts..."
diff --git a/hack/bin/selfsigned-kubernetes.sh b/hack/bin/selfsigned-kubernetes.sh
deleted file mode 100755
index d0023cce0f3..00000000000
--- a/hack/bin/selfsigned-kubernetes.sh
+++ /dev/null
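Review bot: The script now depends on a pre-existing `federation-ca` secret in the `cert-manager` namespace, and the nginx values in this commit set `createIssuer: false`, so the CA and the `federation` ClusterIssuer are prerequisites that nothing in this script or the helmfile creates; a comment above the fetch should say so, e.g. `# Requires cert-manager with a 'federation' ClusterIssuer and its CA in secret cert-manager/federation-ca (provisioned outside this script).` The fetched value is never validated: `jq -r` prints the literal `null` when `tls.crt` is absent, and a failed kubectl is hidden behind the pipe unless `pipefail` is set, which is not visible here, so add `: "${FEDERATION_CA_CERTIFICATE:?federation-ca secret has no tls.crt}"` before the `export`. The variable holds the base64 secret data rather than PEM, which is worth stating in a comment since the consumers must decode it.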
@@ -1,98 +0,0 @@ -#!/usr/bin/env bash - -# Create a self-signed x509 certificate in the hack/helm_vars directories (as helm yaml config). -# Requires 'cfssl' to be on your PATH (see https://github.com/cloudflare/cfssl) -# These certificates are only meant for integration tests. -# (The CA certificates are assumed to be re-used across the domains A and B for end2end integration tests.) - -set -e -SUFFIX=${1:?"need suffix argument"} -TEMP=${TEMP:-/tmp} -CSR="$TEMP/csr.json" -OUTPUTNAME_CA="integration-ca" -OUTPUTNAME_LEAF_CERT="integration-leaf" -OUTPUTNAME_CLIENT_CERT="integration-client" -DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -TOP_LEVEL="$DIR/../.." -OUTPUT_CONFIG_FEDERATOR="$TOP_LEVEL/hack/helm_vars/wire-server/certificates-$SUFFIX.yaml" -OUTPUT_CONFIG_INGRESS="$TOP_LEVEL/hack/helm_vars/nginx-ingress-services/certificates-$SUFFIX.yaml" - -command -v cfssl >/dev/null 2>&1 || { - echo >&2 "cfssl is not installed, aborting. See https://github.com/cloudflare/cfssl" - exit 1 -} -command -v cfssljson >/dev/null 2>&1 || { - echo >&2 "cfssljson is not installed, aborting. See https://github.com/cloudflare/cfssl" - exit 1 -} - -FEDERATION_DOMAIN_BASE=${FEDERATION_DOMAIN_BASE:?"you must provide a FEDERATION_DOMAIN_BASE env variable"} - -# generate CA key and cert -if [ ! -f "$OUTPUTNAME_CA.pem" ]; then - echo "CA file not found, generating CA..." - echo '{ - "CN": "ca.example.com", - "key": { - "algo": "rsa", - "size": 2048 - } - }' >"$CSR" - cfssl gencert -initca "$CSR" | cfssljson -bare "$OUTPUTNAME_CA" - rm "$OUTPUTNAME_CA.csr" -else - echo "Re-using previous CA" -fi - -# For federation end2end tests, only the -# 'federation-test-helper.$FEDERATION_DOMAIN_BASE' is necessary for -# ingress->federator traffic. For other potential traffic in the integration -# tests of the future, we use a wildcard certificate here. 
-echo '{ - "key": { - "algo": "rsa", - "size": 2048 - } -}' >"$CSR" -# generate cert and key based on CA given comma-separated hostnames as SANs -cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname="*.$FEDERATION_DOMAIN_BASE" "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT" - -# generate client certificate and key -cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname="*.$FEDERATION_DOMAIN_BASE" "$CSR" | cfssljson -bare "$OUTPUTNAME_CLIENT_CERT" - -# the following yaml override file is needed as an override to -# nginx-ingress-services helm chart -# for domain A, ingress@A needs cert+key for A -{ - echo "secrets:" - echo " tlsWildcardCert: |" - sed -e 's/^/ /' $OUTPUTNAME_LEAF_CERT.pem - echo " tlsWildcardKey: |" - sed -e 's/^/ /' $OUTPUTNAME_LEAF_CERT-key.pem - echo " tlsClientCA: |" - sed -e 's/^/ /' $OUTPUTNAME_CA.pem -} >"$OUTPUT_CONFIG_INGRESS" - -# the following yaml override file is needed as an override to -# the wire-server (federator) helm chart -# e.g. for installing on domain A, federator@A needs the CA for B -# As a "shortcut" for integration tests, we re-use the same CA for both domains -# A and B. -{ - echo "federator:" - echo " remoteCAContents: |" - sed -e 's/^/ /' $OUTPUTNAME_CA.pem - echo " clientCertificateContents: |" - sed -e 's/^/ /' $OUTPUTNAME_CLIENT_CERT.pem - echo " clientPrivateKeyContents: |" - sed -e 's/^/ /' $OUTPUTNAME_CLIENT_CERT-key.pem -} >"$OUTPUT_CONFIG_FEDERATOR" - -# cleanup unneeded files -rm "$OUTPUTNAME_LEAF_CERT.csr" -rm "$OUTPUTNAME_LEAF_CERT.pem" -rm "$OUTPUTNAME_LEAF_CERT-key.pem" -rm "$OUTPUTNAME_CLIENT_CERT.csr" -rm "$OUTPUTNAME_CLIENT_CERT.pem" -rm "$OUTPUTNAME_CLIENT_CERT-key.pem" -rm "$CSR" diff --git a/hack/helm_vars/common.yaml.gotmpl b/hack/helm_vars/common.yaml.gotmpl index 56f209fcce8..1e4b9b4d06d 100644 --- a/hack/helm_vars/common.yaml.gotmpl +++ b/hack/helm_vars/common.yaml.gotmpl 
@@ -1,7 +1,10 @@
 namespace1: {{ requiredEnv "NAMESPACE_1" }}
 federationDomain1: {{ requiredEnv "FEDERATION_DOMAIN_1" }}
+federationDomainBase1: {{ requiredEnv "FEDERATION_DOMAIN_BASE_1" }}
 namespace2: {{ requiredEnv "NAMESPACE_2" }}
 federationDomain2: {{ requiredEnv "FEDERATION_DOMAIN_2" }}
+federationDomainBase2: {{ requiredEnv "FEDERATION_DOMAIN_BASE_2" }}
+federationCACertificate: {{ requiredEnv "FEDERATION_CA_CERTIFICATE" }}
 ingressChart: {{ requiredEnv "INGRESS_CHART" }}
 rabbitmqUsername: guest
 rabbitmqPassword: guest
diff --git a/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl b/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
index d1297da5fcc..10ca09507ef 100644
--- a/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
+++ b/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
@@ -6,7 +6,12 @@ federator:
 enabled: true
 integrationTestHelper: true
 tls:
- useCertManager: false
+ useCertManager: true
+ issuer:
+ name: federation
+ kind: ClusterIssuer
+ createIssuer: false
+ caNamespace: wire-federation-v0
 config:
 ingressClass: "nginx-{{ .Release.Namespace }}"
@@ -18,6 +23,7 @@ config:
 teamSettings: "teams.{{ .Release.Namespace }}-integration.example.com"
 accountPages: "account.{{ .Release.Namespace }}-integration.example.com"
 # federator: dynamically set by hack/helmfile.yaml
+ # certificateDomain: dynamically set by hack/helmfile.yaml
-# secrets/tlsWildcardCert, secrets/tlsWildcardKey and secrets/tlsClientCA
-# are dynamically generated by hack/bin/selfsigned-kubernetes.sh
+secrets:
+ tlsClientCA: {{ .Values.federationCACertificate }}
diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl
index 509da39f8e9..0d1ffba6b87 100644
--- a/hack/helm_vars/wire-server/values.yaml.gotmpl
+++ b/hack/helm_vars/wire-server/values.yaml.gotmpl
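Review bot: `tlsClientCA` is handed the raw base64 string from the secret's `data`, while the wire-server values in the same commit decode that same value with `b64dec` before use, and the deleted selfsigned-kubernetes.sh fed PEM text into `tlsClientCA`; unless a chart template change outside this series now expects base64 here, the ingress receives a CA that is either double-encoded or not PEM at all, and client-certificate verification fails. Please confirm which encoding the chart's secret template expects and make the two consumers agree, e.g. `tlsClientCA: {{ .Values.federationCACertificate | b64dec | quote }}`. A comment on the line stating the expected encoding would prevent the next drift.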
@@ -393,6 +393,11 @@ federator:
 resources:
 requests: {}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ remoteCAContents: {{ .Values.federationCACertificate | b64dec | quote }}
+ tls:
+ useCertManager: true
+ useSharedFederatorSecret: true
+
 config:
 optSettings:
 useSystemCAStore: false
@@ -441,6 +446,9 @@ integration:
 uploadXmlAwsAccessKeyId: {{ .Values.uploadXml.awsAccessKeyId }}
 uploadXmlAwsSecretAccessKey: {{ .Values.uploadXml.awsSecretAccessKey }}
 {{- end }}
+ tls:
+ caNamespace: wire-federation-v0
+
 backoffice:
 tests:
 {{- if .Values.uploadXml }}
diff --git a/hack/helmfile.yaml b/hack/helmfile.yaml
index e82a1373a3a..78634f17b25 100644
--- a/hack/helmfile.yaml
+++ b/hack/helmfile.yaml
@@ -118,13 +118,14 @@ releases:
 chart: '../.local/charts/nginx-ingress-services'
 values:
 - './helm_vars/nginx-ingress-services/values.yaml.gotmpl'
- - './helm_vars/nginx-ingress-services/certificates-namespace1.yaml'
 set:
 # Federation domain is also the SRV record created by the
 # federation-test-helper service. Maybe we can find a way to make these
 # differ, so we don't make any silly assumptions in the code.
 - name: config.dns.federator
 value: '{{ .Values.federationDomain1 }}'
+ - name: config.dns.certificateDomain
+ value: '*.{{ .Values.federationDomainBase1 }}'
 needs:
 - 'ingress'
@@ -133,13 +134,14 @@ releases:
 chart: '../.local/charts/nginx-ingress-services'
 values:
 - './helm_vars/nginx-ingress-services/values.yaml.gotmpl'
- - './helm_vars/nginx-ingress-services/certificates-namespace2.yaml'
 set:
 # Federation domain is also the SRV record created by the
 # federation-test-helper service. Maybe we can find a way to make these
 # differ, so we don't make any silly assumptions in the code.
 - name: config.dns.federator
 value: '{{ .Values.federationDomain2 }}'
+ - name: config.dns.certificateDomain
+ value: '*.{{ .Values.federationDomainBase2 }}'
 needs:
 - 'ingress'
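Review bot: `certificateDomain` is set to `*.<namespace>.svc.cluster.local` and, with `useSharedFederatorSecret: true` (which, as its name suggests, reuses the ingress certificate secret for the federator), that single wildcard certificate serves as both the ingress server certificate and the federator's client certificate, so any workload able to obtain a certificate for that wildcard from the shared `federation` ClusterIssuer can present itself as this backend to its peers. The deleted script did the same with cfssl, so this is not a regression, but the setting now lives in the helmfile where nothing marks it as test-only. I would add above the new `set` entry: `# Wildcard SAN is test-only: the cert doubles as federator client cert (useSharedFederatorSecret), so production must use the exact federator hostname.` The release definitions start outside the hunk.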
@@ -153,7 +155,6 @@ releases:
 chart: '../.local/charts/wire-server'
 values:
 - './helm_vars/wire-server/values.yaml.gotmpl'
- - './helm_vars/wire-server/certificates-namespace1.yaml'
 set:
 - name: brig.config.optSettings.setFederationDomain
 value: {{ .Values.federationDomain1 }}
@@ -169,7 +170,6 @@ releases:
 chart: '../.local/charts/wire-server'
 values:
 - './helm_vars/wire-server/values.yaml.gotmpl'
- - './helm_vars/wire-server/certificates-namespace2.yaml'
 set:
 - name: brig.config.optSettings.setFederationDomain
 value: {{ .Values.federationDomain2 }}
From 5fed86a9e35c64eef4dd7bb9241a5477c34a661b Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Fri, 9 Feb 2024 16:03:23 +0100 Subject: [PATCH 09/12] Add CHANGELOG entry
---
 changelog.d/5-internal/v0-integration-setup | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog.d/5-internal/v0-integration-setup
diff --git a/changelog.d/5-internal/v0-integration-setup b/changelog.d/5-internal/v0-integration-setup
new file mode 100644
index 00000000000..a25f4d3a6c0
--- /dev/null
+++ b/changelog.d/5-internal/v0-integration-setup
@@ -0,0 +1,3 @@
+Setup federation-v0 environment for use in integration tests:
+ - add federation-v0 domain to test environment
+ - provision integration certificates with cert-manager
From ff29a60e155e2ecc98da5e4bcb0eb5ada21b0e4d Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 14 Feb 2024 16:58:21 +0100 Subject: [PATCH 10/12] Avoid using jq Co-authored-by: Sven Tennie
---
 hack/bin/integration-setup-federation.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/bin/integration-setup-federation.sh b/hack/bin/integration-setup-federation.sh
index 36858079b72..95261e8cccc 100755
--- a/hack/bin/integration-setup-federation.sh
+++ b/hack/bin/integration-setup-federation.sh
@@ -44,7 +44,7 @@ export FEDERATION_DOMAIN_BASE_2="$NAMESPACE_2.svc.cluster.local"
 export FEDERATION_DOMAIN_2="federation-test-helper.$FEDERATION_DOMAIN_BASE_2"
 echo "Fetch federation-ca secret from cert-manager namespace"
-FEDERATION_CA_CERTIFICATE="$(kubectl -n cert-manager get secrets federation-ca -o json | jq -r '.data."tls.crt"')"
+FEDERATION_CA_CERTIFICATE=$(kubectl -n cert-manager get secrets federation-ca -o json -o jsonpath="{.data['tls\.crt']}")
 export FEDERATION_CA_CERTIFICATE
 echo "Installing charts..."
From 0db448626e45ce0c570e1e0d0d528c3209283d64 Mon Sep 17 00:00:00 2001 From: Stefan Berthold Date: Thu, 15 Feb 2024 10:11:51 +0000 Subject: [PATCH 11/12] add comments for caNamespace
---
 charts/integration/values.yaml | 3 +++ charts/nginx-ingress-services/values.yaml | 3 +++ 2 files changed, 6 insertions(+)
diff --git a/charts/integration/values.yaml b/charts/integration/values.yaml
index 25de2d456e7..f1310f8fa4e 100644
--- a/charts/integration/values.yaml
+++ b/charts/integration/values.yaml
@@ -39,6 +39,9 @@ config:
 tls:
 verify_depth: 1
+ # Namespace from which to obtain the secret containing the CA trusted by
+ # federator.
+ # caNamespace: wire-federation-v0
 ingress:
 class: nginx
diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml
index 8a9e73b7eaa..73d7ee2ee6f 100644
--- a/charts/nginx-ingress-services/values.yaml
+++ b/charts/nginx-ingress-services/values.yaml
@@ -45,6 +45,9 @@ tls:
 # leak a hint about a common origin.
 name: letsencrypt-http01
 kind: Issuer # Issuer | ClusterIssuer
+ # Namespace from which to obtain the secret containing the CA trusted by
+ # federator.
+ # caNamespace: wire-federation-v0
 # Name of the ingress.
 #
From b5d2bd98723a25f88f60babee9b4a2125997c003 Mon Sep 17 00:00:00 2001 From: Stefan Berthold Date: Thu, 15 Feb 2024 10:13:55 +0000 Subject: [PATCH 12/12] remove certificates-namespace[12].yaml from .gitignore
---
 hack/helm_vars/.gitignore | 2 -- 1 file changed, 2 deletions(-)
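Review bot: `-o json -o jsonpath=...` passes two output formats and, as far as I know, kubectl keeps only the last one, so `-o json` is dead and misleads the reader into thinking JSON is parsed: `FEDERATION_CA_CERTIFICATE=$(kubectl -n cert-manager get secret federation-ca -o jsonpath="{.data['tls\.crt']}")`. jsonpath yields an empty string when the key is missing and the script never checks the result, so an empty CA can be exported into the charts; guard it with `: "${FEDERATION_CA_CERTIFICATE:?federation-ca secret has no tls.crt}"` before the `export`. Dropping the surrounding `"$(...)"` quotes is harmless for a plain assignment, but it is inconsistent with the quoted `KUBERNETES_VERSION_*` assignments earlier in the file.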
diff --git a/hack/helm_vars/.gitignore b/hack/helm_vars/.gitignore
index 38a7ff397ae..9849d951a02 100644
--- a/hack/helm_vars/.gitignore
+++ b/hack/helm_vars/.gitignore
@@ -1,3 +1 @@
 certificates.yaml
-certificates-namespace1.yaml
-certificates-namespace2.yaml