3 changes: 3 additions & 0 deletions changelog.d/5-internal/v0-integration-setup
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Setup federation-v0 environment for use in integration tests:
- add federation-v0 domain to test environment
- provision integration certificates with cert-manager
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ spec:
# integration tests need access to the client certificate private key
- name: "federator-secrets"
secret:
secretName: "federator-secret"
secretName: {{ if .Values.tls.useCertManager }} "federator-certificate-secret" {{ else }} "federator-secret" {{ end }}
# integration tests need access to the CA
- name: "federator-ca"
configMap:
Expand Down
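Review bot: The conditional on the `secretName:` line renders with stray spaces around the quoted name (`secretName:  "federator-certificate-secret" `), which YAML tolerates but which breaks as soon as someone adds `{{-` trimming; `secretName: {{ ternary "federator-certificate-secret" "federator-secret" .Values.tls.useCertManager | quote }}` expresses the same choice in one expression. The comment above still only says that tests need the client certificate private key; it should now also record which chart is expected to create `federator-certificate-secret` when `tls.useCertManager` is set — from the helm vars in this PR it looks like the wire-server chart's cert-manager Certificate (`useSharedFederatorSecret: true`), but that is not visible here, so please confirm and write it down, e.g. `# with tls.useCertManager the secret is the one cert-manager writes for the shared federator Certificate`. The enclosing volume list starts outside the hunk.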
39 changes: 39 additions & 0 deletions charts/integration/templates/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -125,3 +125,42 @@ data:
{{- if eq (include "useCassandraTLS" .Values.config) "true" }}
tlsCa: /etc/wire/galley/cassandra/{{- (include "tlsSecretRef" .Values.config | fromYaml).key }}
{{- end }}

federation-v0:
originDomain: federation-test-helper.wire-federation-v0.svc.cluster.local
brig:
host: brig.wire-federation-v0.svc.cluster.local
port: 8080
cannon:
host: cannon.wire-federation-v0.svc.cluster.local
port: 8080
cargohold:
host: cargohold.wire-federation-v0.svc.cluster.local
port: 8080
federatorInternal:
host: federator.wire-federation-v0.svc.cluster.local
port: 8080
federatorExternal:
host: federator.wire-federation-v0.svc.cluster.local
port: 8081
galley:
host: galley.wire-federation-v0.svc.cluster.local
port: 8080
gundeck:
host: gundeck.wire-federation-v0.svc.cluster.local
port: 8080
nginz:
host: nginz-integration-http.wire-federation-v0.svc.cluster.local
port: 8080
spar:
host: spar.wire-federation-v0.svc.cluster.local
port: 8080
proxy:
host: proxy.wire-federation-v0.svc.cluster.local
port: 8080
backgroundWorker:
host: backgroundWorker.wire-federation-v0.svc.cluster.local
port: 8080
stern:
host: stern.wire-federation-v0.svc.cluster.local
port: 8080
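Review bot: The `backgroundWorker:` host uses a mixed-case label, which cannot be a Kubernetes Service name (Service names are lowercase DNS labels); DNS is case-insensitive, so it resolves only if the v0 chart actually names the service `backgroundworker`, which I cannot verify from here — please check against the deployed chart and use the real service name. A comment above `federation-v0:` saying what this backend is would help, e.g. `# federation-v0: a pinned older wire-server release in namespace wire-federation-v0, used to test backwards compatibility of the federation API; hosts/ports mirror its in-cluster Services.` Note also that `federatorExternal` points tests straight at port 8081 of the v0 federator inside the cluster, bypassing the mTLS ingress; if that is intended for the tests, say so in a comment so nobody later mistakes it for the public federation path.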
2 changes: 1 addition & 1 deletion charts/integration/templates/ingress.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ metadata:
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "{{ $.Values.tls.verify_depth }}"
nginx.ingress.kubernetes.io/auth-tls-secret: "{{ $.Release.Namespace }}/federator-ca-secret"
nginx.ingress.kubernetes.io/auth-tls-secret: "{{ or $.Values.tls.caNamespace $.Release.Namespace }}/federator-ca-secret"
Comment thread
stefanwire marked this conversation as resolved.
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert;
spec:
Expand Down
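Review bot: The `auth-tls-secret` annotation now lets `tls.caNamespace` move the CA that ingress-nginx verifies federation client certificates against into another namespace, but the new value is documented nowhere in this PR (the integration chart's values.yaml is untouched), and the rendered reference also depends on ingress-nginx being permitted to read Secrets in that namespace. Please add to the chart values something like `# tls.caNamespace: namespace holding federator-ca-secret, the CA that client certificates are verified against at the ingress; defaults to the release namespace`. Because every backend pointed at the same namespace shares one trust anchor, any client certificate issued under that CA passes the ingress check and only the federator's own domain/SAN validation separates backends — worth a sentence in the same comment so this is not copied into a non-test deployment. The annotation block continues outside the hunk.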
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,5 @@ spec:
encoding: PKCS1
rotationPolicy: Always
dnsNames:
- {{ .Values.config.dns.federator }}
- "{{ or .Values.config.dns.certificateDomain .Values.config.dns.federator }}"
{{- end -}}
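Review bot: With `certificateDomain` set, the `dnsNames` list drops `config.dns.federator` entirely, so the certificate only authenticates the federator if the override happens to cover it; the helmfile in this PR sets a wildcard `*.<namespace>.svc.cluster.local`, which matches the single-label helper host, but any multi-label federator domain would leave the certificate unusable for mTLS. Keep the federator name and append the override instead, as below. A wildcard SAN also widens what this client certificate can assert to every host in the namespace, which is acceptable for the integration environment but should be called out in the values comment for `certificateDomain`. The `{{- end -}}` at the bottom closes a conditional opened outside the hunk.
```yaml
      dnsNames:
        - {{ .Values.config.dns.federator | quote }}
        {{- if .Values.config.dns.certificateDomain }}
        - {{ .Values.config.dns.certificateDomain | quote }}
        {{- end }}
```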
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ metadata:
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "{{ .Values.tls.verify_depth }}"
nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/federator-ca-secret"
nginx.ingress.kubernetes.io/auth-tls-secret: "{{ or $.Values.tls.caNamespace $.Release.Namespace }}/federator-ca-secret"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert;
spec:
Expand Down
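Review bot: The new `auth-tls-secret` line uses `$.Values.tls.caNamespace` while the neighbouring `auth-tls-verify-depth` line uses `.Values.tls.verify_depth`; at top level the two are equivalent, but inside a `range` they are not, so pick one form for the block (`{{ or .Values.tls.caNamespace .Release.Namespace }}` matches the surrounding lines). Since this annotation decides which CA client certificates are checked against, a comment above it naming the override would help: `# CA for client-certificate verification; tls.caNamespace lets several backends share one federator-ca-secret`. The annotation block continues outside the hunk.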
2 changes: 2 additions & 0 deletions charts/nginx-ingress-services/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,8 @@ config:
# ^ fakeS3 is ignored if fakeS3.enabled == false
# federator: federator.<domain>
# ^ federator is ignored unless federator.enabled == true
# certificateDomain: federator.<domain>
# ^ domain to use in the CSR when using cert-manager
# teamSettings: teams.<domain>
# ^ teamSettings is ignored unless teamSettings.enabled == true
# accountPages: account.<domain>
Expand Down
2 changes: 1 addition & 1 deletion deploy/dockerephemeral/coredns-config/db.example.com
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,4 @@ _wire-server-federator._tcp.b IN SRV 0 0 9443 localhost.
_wire-server-federator._tcp.d1 IN SRV 0 0 10443 localhost.
_wire-server-federator._tcp.d2 IN SRV 0 0 11443 localhost.
_wire-server-federator._tcp.d3 IN SRV 0 0 12443 localhost.
_wire-server-federator._tcp.v0 IN SRV 0 0 21443 localhost.
_wire-server-federator._tcp.federation-v0 IN SRV 0 0 21443 localhost.
17 changes: 8 additions & 9 deletions hack/bin/integration-setup-federation.sh
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,6 @@ charts=(fake-aws databases-ephemeral redis-cluster rabbitmq wire-server ingress-
mkdir -p ~/.parallel && touch ~/.parallel/will-cite
printf '%s\n' "${charts[@]}" | parallel -P "${HELM_PARALLELISM}" "$DIR/update.sh" "$CHARTS_DIR/{}"

# FUTUREWORK: use helm functions instead, see https://wearezeta.atlassian.net/browse/SQPIT-723
echo "Generating self-signed certificates..."

KUBERNETES_VERSION_MAJOR="$(kubectl version -o json | jq -r .serverVersion.major)"
KUBERNETES_VERSION_MINOR="$(kubectl version -o json | jq -r .serverVersion.minor)"
KUBERNETES_VERSION_MINOR="${KUBERNETES_VERSION_MINOR//[!0-9]/}" # some clusters report minor versions as a string like '27+'. Strip any non-digit characters.
Expand All @@ -39,14 +36,16 @@ else
fi
echo "kubeVersion: $KUBERNETES_VERSION and ingress controller=$INGRESS_CHART"
export NAMESPACE_1="$NAMESPACE"
export FEDERATION_DOMAIN_BASE="$NAMESPACE_1.svc.cluster.local"
export FEDERATION_DOMAIN_1="federation-test-helper.$FEDERATION_DOMAIN_BASE"
"$DIR/selfsigned-kubernetes.sh" namespace1
export FEDERATION_DOMAIN_BASE_1="$NAMESPACE_1.svc.cluster.local"
export FEDERATION_DOMAIN_1="federation-test-helper.$FEDERATION_DOMAIN_BASE_1"

export NAMESPACE_2="$NAMESPACE-fed2"
export FEDERATION_DOMAIN_BASE="$NAMESPACE_2.svc.cluster.local"
export FEDERATION_DOMAIN_2="federation-test-helper.$FEDERATION_DOMAIN_BASE"
"$DIR/selfsigned-kubernetes.sh" namespace2
export FEDERATION_DOMAIN_BASE_2="$NAMESPACE_2.svc.cluster.local"
export FEDERATION_DOMAIN_2="federation-test-helper.$FEDERATION_DOMAIN_BASE_2"

echo "Fetch federation-ca secret from cert-manager namespace"
FEDERATION_CA_CERTIFICATE="$(kubectl -n cert-manager get secrets federation-ca -o json | jq -r '.data."tls.crt"')"
Comment thread
pcapriotti marked this conversation as resolved.
Outdated
export FEDERATION_CA_CERTIFICATE

echo "Installing charts..."

Expand Down
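Review bot: The `FEDERATION_CA_CERTIFICATE="$(kubectl ... | jq -r '.data."tls.crt"')"` line has no failure handling: if the `federation-ca` secret is absent or lacks `tls.crt`, `jq -r` prints `null`, the export succeeds, and the later `b64dec` in the wire-server helm vars turns that into a bogus trust anchor instead of a clear error (whether the script runs under `set -eo pipefail` is not visible in this hunk). Use `jq -er` so a missing key fails the pipeline, and guard the result: `[ -n "$FEDERATION_CA_CERTIFICATE" ] && [ "$FEDERATION_CA_CERTIFICATE" != null ] || { echo "federation-ca secret not found in cert-manager namespace" >&2; exit 1; }`. A comment noting that only the public `tls.crt` is read here (never `tls.key`) would also make the intent obvious to the next reader.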
98 changes: 0 additions & 98 deletions hack/bin/selfsigned-kubernetes.sh

This file was deleted.

3 changes: 3 additions & 0 deletions hack/helm_vars/common.yaml.gotmpl
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
namespace1: {{ requiredEnv "NAMESPACE_1" }}
federationDomain1: {{ requiredEnv "FEDERATION_DOMAIN_1" }}
federationDomainBase1: {{ requiredEnv "FEDERATION_DOMAIN_BASE_1" }}
namespace2: {{ requiredEnv "NAMESPACE_2" }}
federationDomain2: {{ requiredEnv "FEDERATION_DOMAIN_2" }}
federationDomainBase2: {{ requiredEnv "FEDERATION_DOMAIN_BASE_2" }}
federationCACertificate: {{ requiredEnv "FEDERATION_CA_CERTIFICATE" }}
ingressChart: {{ requiredEnv "INGRESS_CHART" }}
rabbitmqUsername: guest
rabbitmqPassword: guest
Expand Down
12 changes: 9 additions & 3 deletions hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,12 @@ federator:
enabled: true
integrationTestHelper: true
tls:
useCertManager: false
useCertManager: true
issuer:
name: federation
kind: ClusterIssuer
createIssuer: false
caNamespace: wire-federation-v0

config:
ingressClass: "nginx-{{ .Release.Namespace }}"
Expand All @@ -18,6 +23,7 @@ config:
teamSettings: "teams.{{ .Release.Namespace }}-integration.example.com"
accountPages: "account.{{ .Release.Namespace }}-integration.example.com"
# federator: dynamically set by hack/helmfile.yaml
# certificateDomain: dynamically set by hack/helmfile.yaml

# secrets/tlsWildcardCert, secrets/tlsWildcardKey and secrets/tlsClientCA
# are dynamically generated by hack/bin/selfsigned-kubernetes.sh
secrets:
tlsClientCA: {{ .Values.federationCACertificate }}
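Review bot: The comment `# secrets/tlsWildcardCert, secrets/tlsWildcardKey and secrets/tlsClientCA are dynamically generated by hack/bin/selfsigned-kubernetes.sh` is now stale: this PR deletes that script, and the block only sets `tlsClientCA`, from `FEDERATION_CA_CERTIFICATE` exported by hack/bin/integration-setup-federation.sh. Replace it with `# secrets/tlsClientCA is the federation CA (tls.crt of the federation-ca secret in the cert-manager namespace), exported as FEDERATION_CA_CERTIFICATE by hack/bin/integration-setup-federation.sh; the server certificate is issued via cert-manager (tls.useCertManager).` `createIssuer: false` with the `federation` ClusterIssuer and `caNamespace: wire-federation-v0` assume resources provisioned outside this repo; a one-line comment pointing at where they come from would help whoever sets up a fresh cluster.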
8 changes: 8 additions & 0 deletions hack/helm_vars/wire-server/values.yaml.gotmpl
Original file line number Diff line number Diff line change
Expand Up @@ -393,6 +393,11 @@ federator:
resources:
requests: {}
imagePullPolicy: {{ .Values.imagePullPolicy }}
remoteCAContents: {{ .Values.federationCACertificate | b64dec | quote }}
tls:
useCertManager: true
useSharedFederatorSecret: true

config:
optSettings:
useSystemCAStore: false
Expand Down Expand Up @@ -441,6 +446,9 @@ integration:
uploadXmlAwsAccessKeyId: {{ .Values.uploadXml.awsAccessKeyId }}
uploadXmlAwsSecretAccessKey: {{ .Values.uploadXml.awsSecretAccessKey }}
{{- end }}
tls:
caNamespace: wire-federation-v0

backoffice:
tests:
{{- if .Values.uploadXml }}
Expand Down
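Review bot: `remoteCAContents: {{ .Values.federationCACertificate | b64dec | quote }}` becomes the federator's only trust anchor because `useSystemCAStore: false` follows a few lines below, so that dependency deserves a comment: `# remoteCAContents is the sole CA trusted for remote federators (useSystemCAStore is false below); sourced from the cert-manager federation-ca secret`. `b64dec` of an unexpected value (for example the literal `null` the setup script exports when the secret lookup fails) does not fail the render, so the problem would surface only as TLS errors at test time; failing fast in the script is the right fix, but wrapping the value in `required` here is a cheap second guard. What `useSharedFederatorSecret: true` shares, and with which chart, is not visible in this diff — a short comment would help.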
8 changes: 4 additions & 4 deletions hack/helmfile.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -118,13 +118,14 @@ releases:
chart: '../.local/charts/nginx-ingress-services'
values:
- './helm_vars/nginx-ingress-services/values.yaml.gotmpl'
- './helm_vars/nginx-ingress-services/certificates-namespace1.yaml'
Comment thread
stefanwire marked this conversation as resolved.
set:
# Federation domain is also the SRV record created by the
# federation-test-helper service. Maybe we can find a way to make these
# differ, so we don't make any silly assumptions in the code.
- name: config.dns.federator
value: '{{ .Values.federationDomain1 }}'
- name: config.dns.certificateDomain
value: '*.{{ .Values.federationDomainBase1 }}'
needs:
- 'ingress'

Expand All @@ -133,13 +134,14 @@ releases:
chart: '../.local/charts/nginx-ingress-services'
values:
- './helm_vars/nginx-ingress-services/values.yaml.gotmpl'
- './helm_vars/nginx-ingress-services/certificates-namespace2.yaml'
set:
# Federation domain is also the SRV record created by the
# federation-test-helper service. Maybe we can find a way to make these
# differ, so we don't make any silly assumptions in the code.
- name: config.dns.federator
value: '{{ .Values.federationDomain2 }}'
- name: config.dns.certificateDomain
value: '*.{{ .Values.federationDomainBase2 }}'
needs:
- 'ingress'

Expand All @@ -153,7 +155,6 @@ releases:
chart: '../.local/charts/wire-server'
values:
- './helm_vars/wire-server/values.yaml.gotmpl'
- './helm_vars/wire-server/certificates-namespace1.yaml'
set:
- name: brig.config.optSettings.setFederationDomain
value: {{ .Values.federationDomain1 }}
Expand All @@ -169,7 +170,6 @@ releases:
chart: '../.local/charts/wire-server'
values:
- './helm_vars/wire-server/values.yaml.gotmpl'
- './helm_vars/wire-server/certificates-namespace2.yaml'
set:
- name: brig.config.optSettings.setFederationDomain
value: {{ .Values.federationDomain2 }}
Expand Down
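Review bot: The new `config.dns.certificateDomain` values request a wildcard SAN (`*.{{ .Values.federationDomainBase1 }}`), but nothing records why a wildcard rather than the exact federator domain is needed; the existing comment above `config.dns.federator` only discusses the SRV record. Add e.g. `# certificateDomain: wildcard SAN so one cert-manager issued certificate covers every host in the namespace; integration-only — production certificates must carry the exact federator domain.` Please confirm the reason; if the wildcard exists only to cover the helper host, the exact name would be the tighter choice.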
13 changes: 13 additions & 0 deletions integration/test/Test/Demo.hs
Original file line number Diff line number Diff line change
Expand Up @@ -194,3 +194,16 @@ testUnrace = do
True `shouldMatch` False
-}
retryT $ True `shouldMatch` True

testFedV0Instance :: HasCallStack => App ()
testFedV0Instance = do
res <- BrigP.getAPIVersion FedV0Domain >>= getJSON 200
res %. "domain" `shouldMatch` FedV0Domain

testFedV0Federation :: HasCallStack => App ()
testFedV0Federation = do
alice <- randomUser OwnDomain def
bob <- randomUser FedV0Domain def

bob' <- BrigP.getUser alice bob >>= getJSON 200
bob' %. "qualified_id" `shouldMatch` (bob %. "qualified_id")
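Review bot: `testFedV0Instance` and `testFedV0Federation` carry no Haddock comments and live in `Test.Demo`, so nothing tells a reader that they require the separately deployed federation-v0 backend described in the integration configmap. Add `-- | Sanity check that the pinned federation-v0 backend is reachable and reports its own domain.` above the first and `-- | Cross-version federation: a user on the current backend can look up a user on the federation-v0 backend.` above the second. If `Test.Demo` is meant as an example module, a dedicated `Test.FederationV0` module would be the more natural home for these.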
5 changes: 5 additions & 0 deletions integration/test/Testlib/App.hs
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,11 @@ instance MakesValue Domain where
make OwnDomain = asks (String . T.pack . (.domain1))
make OtherDomain = asks (String . T.pack . (.domain2))

data FedDomain = FedV0Domain

instance MakesValue FedDomain where
make FedV0Domain = asks (String . T.pack . (.federationV0Domain))

-- | Run an action, `recoverAll`ing with exponential backoff (min step 8ms, total timeout
-- ~15s). Search this package for examples how to use it.
--
Expand Down
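Review bot: `data FedDomain = FedV0Domain` is introduced as a type separate from `Domain`, with no derived instances and no Haddock, so it cannot be shown in failure messages or compared without extra work (what `Domain` itself derives is outside the hunk). Add `deriving (Eq, Show)` and a comment `-- | The pinned federation-v0 backend; kept separate from 'Domain' so helpers that enumerate own/other domains do not pick it up.` — or, if that separation is not deliberate, a third `Domain` constructor would be simpler. Please confirm which is intended.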
5 changes: 4 additions & 1 deletion integration/test/Testlib/Env.hs
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,8 @@ mkGlobalEnv cfgFile = do
let sm =
Map.fromList $
[ (intConfig.backendOne.originDomain, intConfig.backendOne.beServiceMap),
(intConfig.backendTwo.originDomain, intConfig.backendTwo.beServiceMap)
(intConfig.backendTwo.originDomain, intConfig.backendTwo.beServiceMap),
(intConfig.federationV0.originDomain, intConfig.federationV0.beServiceMap)
]
<> [(berDomain resource, resourceServiceMap resource) | resource <- resources]
tempDir <- Codensity $ withSystemTempDirectory "test"
Expand All @@ -98,6 +99,7 @@ mkGlobalEnv cfgFile = do
{ gServiceMap = sm,
gDomain1 = intConfig.backendOne.originDomain,
gDomain2 = intConfig.backendTwo.originDomain,
gFederationV0Domain = intConfig.federationV0.originDomain,
gDynamicDomains = (.domain) <$> Map.elems intConfig.dynamicBackends,
gDefaultAPIVersion = 6,
gManager = manager,
Expand Down Expand Up @@ -135,6 +137,7 @@ mkEnv ge = do
{ serviceMap = gServiceMap ge,
domain1 = gDomain1 ge,
domain2 = gDomain2 ge,
federationV0Domain = gFederationV0Domain ge,
dynamicDomains = gDynamicDomains ge,
defaultAPIVersion = gDefaultAPIVersion ge,
manager = gManager ge,
Expand Down
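Review bot: `intConfig.federationV0` is now read unconditionally when building `sm` and `gFederationV0Domain`, so every integration config file must define a `federation-v0` section or `mkGlobalEnv` fails at startup; the kubernetes configmap in this PR adds one, but the local/dockerephemeral config is not in this diff and whether the field is optional is decided outside the hunk. If the v0 backend is optional in some setups, make the field a `Maybe` and insert into the map only when present. `Map.fromList` also silently keeps the last entry for a duplicate key, so a `federation-v0` `originDomain` colliding with `backendOne`/`backendTwo` would overwrite a service map with no error — cheap to assert against. Both `mkGlobalEnv` and `mkEnv` continue outside the hunk.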