diff --git a/Makefile b/Makefile
index 385b1750ce..1c3eff0536 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ DOCKER_TAG ?= $(USER)
 # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
 HELM_SEMVER ?= 0.0.42
 # The list of helm charts needed on internal kubernetes testing environments
-CHARTS_INTEGRATION := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana sftd restund coturn k8ssandra-test-cluster
+CHARTS_INTEGRATION := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana restund coturn k8ssandra-test-cluster
 # The list of helm charts to publish on S3
 # FUTUREWORK: after we "inline local subcharts",
 # (e.g. move charts/brig to charts/wire-server/brig)
@@ -18,7 +18,7 @@ fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice \
 calling-test demo-smtp elasticsearch-curator elasticsearch-external \
 elasticsearch-ephemeral minio-external cassandra-external \
 nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper sftd restund coturn \
-inbucket k8ssandra-test-cluster postgresql ldap-scim-bridge
+inbucket k8ssandra-test-cluster postgresql ldap-scim-bridge smallstep-accomp
 KIND_CLUSTER_NAME := wire-server
 HELM_PARALLELISM ?= 1 # 1 for sequential tests; 6 for all-parallel tests
diff --git a/changelog.d/2-features/WPB-6252 b/changelog.d/2-features/WPB-6252
new file mode 100644
index 0000000000..45fcfbc53c
--- /dev/null
+++ b/changelog.d/2-features/WPB-6252
@@ -0,0 +1 @@
+Add Helm chart `smallstep-accomp` that provides a CRL endpoint proxy for federated E2EI
diff --git a/changelog.d/2-features/WPB-7025 b/changelog.d/2-features/WPB-7025
new file mode 100644
index 0000000000..f9fe645e16
--- /dev/null
+++ b/changelog.d/2-features/WPB-7025
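Review bot: `sftd` is still listed on the unchanged context line `nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper sftd restund coturn \` of the S3 publish list in the @@ -18 hunk, while this same commit deletes every file under charts/sftd; the @@ -7 hunk removes `sftd` from CHARTS_INTEGRATION but the publish list was left alone. Whether the publish target fails or silently skips a missing chart directory is not visible here, but the entry is stale either way and should go: `nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper restund coturn \`. The head of that list sits above the hunk, so check it for `account-pages`, which this commit also deletes (the WPB-7025 changelog names webapp and team-settings as well). Both variable assignments are cut by the hunk edges, so the complete lists are not visible here.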
@@ -0,0 +1 @@
+Remove Helm migrated charts webapp, team-settings, account-pages, sftd
diff --git a/changelog.d/2-features/claim-key-packages-rate-limit b/changelog.d/2-features/claim-key-packages-rate-limit
new file mode 100644
index 0000000000..909a084348
--- /dev/null
+++ b/changelog.d/2-features/claim-key-packages-rate-limit
@@ -0,0 +1 @@
+charts/nginz: Rate limiting claiming MLS key-pacakges by requesting and target user
\ No newline at end of file
diff --git a/changelog.d/2-features/one2one-rate-limit b/changelog.d/2-features/one2one-rate-limit
new file mode 100644
index 0000000000..355ca6eb25
--- /dev/null
+++ b/changelog.d/2-features/one2one-rate-limit
@@ -0,0 +1 @@
+charts/nginz: Allow 3000 reqs/min on /conversations/one2one/:user_domain/:user
\ No newline at end of file
diff --git a/changelog.d/5-internal/smallstep-accomp-no-client-side-caching b/changelog.d/5-internal/smallstep-accomp-no-client-side-caching
new file mode 100644
index 0000000000..a70d4e0496
--- /dev/null
+++ b/changelog.d/5-internal/smallstep-accomp-no-client-side-caching
@@ -0,0 +1,2 @@
+To ensure certificate revocations get active in a short time frame, disable
+caching of proxy results on client side by setting respective HTTP headers.
diff --git a/charts/account-pages/.helmignore b/charts/account-pages/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/charts/account-pages/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/charts/account-pages/Chart.yaml b/charts/account-pages/Chart.yaml
deleted file mode 100644
index 7fb4845a80..0000000000
--- a/charts/account-pages/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-description: A Helm chart for the Wire account pages in Kubernetes
-name: account-pages
-version: 0.0.42
diff --git a/charts/account-pages/README.md b/charts/account-pages/README.md
deleted file mode 100644
index f2c38b5f64..0000000000
--- a/charts/account-pages/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Basic web application that provides a frontend with functionality for account activation and password reset
diff --git a/charts/account-pages/templates/_helpers.tpl b/charts/account-pages/templates/_helpers.tpl
deleted file mode 100644
index af896de0f4..0000000000
--- a/charts/account-pages/templates/_helpers.tpl
+++ /dev/null
@@ -1,25 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "account-pages.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "account-pages.fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/* Allow KubeVersion to be overridden. */}}
-{{- define "kubeVersion" -}}
- {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
-{{- end -}}
-
-{{- define "includeSecurityContext" -}}
- {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
-{{- end -}}
diff --git a/charts/account-pages/templates/deployment.yaml b/charts/account-pages/templates/deployment.yaml
deleted file mode 100644
index 0c6bdf00ba..0000000000
--- a/charts/account-pages/templates/deployment.yaml
+++ /dev/null
@@ -1,64 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: account-pages - labels: - app: account-pages - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: {{ .Values.replicaCount | mul 2 }} - selector: - matchLabels: - app: account-pages - template: - metadata: - labels: - app: account-pages - release: {{ .Release.Name }} - spec: - containers: - - name: account-pages - {{- if .Values.image.digest }} - image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}" - {{- else }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- end }} - {{- if eq (include "includeSecurityContext" .) "true" }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 10 }} - {{- end }} - env: - - name: BACKEND_REST - value: https://{{ .Values.config.externalUrls.backendRest }} - - name: APP_BASE - value: https://{{ .Values.config.externalUrls.appHost }} - {{- range $key, $val := .Values.envVars }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.service.http.internalPort }} - readinessProbe: - httpGet: - path: /_health/ - port: {{ .Values.service.http.internalPort }} - scheme: HTTP - livenessProbe: - initialDelaySeconds: 30 - timeoutSeconds: 3 - httpGet: - path: /_health/ - port: {{ .Values.service.http.internalPort }} - scheme: HTTP - resources: -{{ toYaml .Values.resources | indent 12 }} - dnsPolicy: ClusterFirst - restartPolicy: Always diff --git a/charts/account-pages/values.yaml b/charts/account-pages/values.yaml deleted file mode 100644 index 4148cfd8dc..0000000000 --- a/charts/account-pages/values.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -# Default values for the account-pages. -replicaCount: 1 -resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "512Mi" - cpu: "1" -image: - repository: quay.io/wire/account - tag: "2.2.1-v0.28.21-0-6bfd7c5" -service: - https: - externalPort: 443 - http: - internalPort: 8080 - -## The following has to be provided to deploy this chart - -#config: -# externalUrls: -# backendRest: nginz-https.wire.example -# backendWebsocket: nginz-ssl.wire.example -# appHost: account.wire.example - -# Some relevant environment options. For a comprehensive -# list of available variables, please refer to: -# https://github.com/wireapp/wire-web-config-wire/blob/master/wire-account/.env.defaults -# -# NOTE: Without an empty dictionary, you will see warnings -# when overriding envVars -envVars: {} -# E.g. -# envVars: -# FEATURE_ENABLE_DEBUG: "true" -# You are likely to need at least following CSP headers -# due to the fact that you are likely to do cross sub-domain requests -# i.e., from account.wire.example to nginz-https.wire.example -# CSP_EXTRA_CONNECT_SRC: "https://*.wire.example, wss://*.wire.example" -# CSP_EXTRA_IMG_SRC: "https://*.wire.example" -# CSP_EXTRA_SCRIPT_SRC: "https://*.wire.example" -# CSP_EXTRA_DEFAULT_SRC: "https://*.wire.example" -# CSP_EXTRA_FONT_SRC: "https://*.wire.example" -# CSP_EXTRA_FRAME_SRC: "https://*.wire.example" -# CSP_EXTRA_MANIFEST_SRC: "https://*.wire.example" -# CSP_EXTRA_OBJECT_SRC: "https://*.wire.example" -# CSP_EXTRA_MEDIA_SRC: "https://*.wire.example" -# CSP_EXTRA_PREFETCH_SRC: "https://*.wire.example" -# CSP_EXTRA_STYLE_SRC: "https://*.wire.example" -# CSP_EXTRA_WORKER_SRC: "https://*.wire.example" - -podSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: RuntimeDefault 
diff --git a/charts/elasticsearch-index/templates/migrate-data.yaml b/charts/elasticsearch-index/templates/migrate-data.yaml
index b3cb21dae3..b92a972114 100644
--- a/charts/elasticsearch-index/templates/migrate-data.yaml
+++ b/charts/elasticsearch-index/templates/migrate-data.yaml
@@ -22,8 +22,7 @@ spec:
 spec:
 restartPolicy: OnFailure
 containers:
- # Creates index in elasticsearch only when it doesn't exist.
- # Does nothing if the index exists.
+ # Reindexes all users when a new migration is detected.
 - name: brig-index
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl
index d2c92d579b..e50fadfa02 100644
--- a/charts/nginz/templates/conf/_nginx.conf.tpl
+++ b/charts/nginz/templates/conf/_nginx.conf.tpl
@@ -125,6 +125,11 @@ http {
 0 "";
 }
+ map $rate_limit $rate_limited_by_zuser_path {
+ 1 "$zauth_user$uri";
+ 0 "";
+ }
+
 map $http_origin $cors_header {
 default "";
 {{ range $origin := .Values.nginx_conf.allowlisted_origins }}
@@ -275,6 +280,10 @@ http {
 limit_req zone={{ $location.specific_user_rate_limit }}{{ if hasKey $location "specific_user_rate_limit_burst" }} burst={{ $location.specific_user_rate_limit_burst }}{{ end }} nodelay;
 {{- end }}
+ {{- range $specific_limit := $location.specific_rate_limits }}
+ limit_req zone={{ $specific_limit.zone }}{{ if hasKey $specific_limit "burst" }} burst={{ $specific_limit.burst }}{{ end }} nodelay;
+ {{- end }}
+
 if ($request_method = 'OPTIONS') {
 add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS";
 add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
index c9d6594f94..2bfa5ae21d 100644
--- a/charts/nginz/values.yaml
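Review bot: The new `$rate_limited_by_zuser_path` map carries no comment on what its key is made of, and the composition matters for the zone it feeds: `$uri` is the normalised request path without the query string, so for the claim route it contributes the target domain/user, and encoding variants of the same path share one bucket. If `$zauth_user` is empty the key collapses to `$uri` alone — nginx skips limit_req only for an empty key, not a partial one — so all such requests to one path would share a single bucket; presumably the claim endpoint is never reached unauthenticated, but that is not visible in this hunk. Suggest adding above the map: `# key = requesting user + normalised path (no query string); feeds per-(user, target) zones such as key_package_claims_per_user_per_target`.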
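Review bot: In the added `range` over `$location.specific_rate_limits`, an entry that lacks a `zone` key renders `limit_req zone= nodelay;`, which nginx rejects at startup with a message that does not point back to values.yaml; the sibling `specific_user_rate_limit` line above has the same shape, so this follows existing style, but the list form makes a partial entry more likely. Failing at template time is clearer: `limit_req zone={{ required "specific_rate_limits[].zone is required" $specific_limit.zone }}{{ if hasKey $specific_limit "burst" }} burst={{ $specific_limit.burst }}{{ end }} nodelay;`. The enclosing `location` block starts and ends outside this hunk.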
+++ b/charts/nginz/values.yaml
@@ -67,6 +67,9 @@ nginx_conf:
 user_rate_limit_request_zones:
 - limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s;
 - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;
+ - limit_req_zone $rate_limited_by_zuser zone=key_package_claims_per_user:12m rate=3000r/m;
+ - limit_req_zone $rate_limited_by_zuser_path zone=key_package_claims_per_user_per_target:12m rate=100r/m;
+ - limit_req_zone $rate_limited_by_zuser zone=one2one_conv:12m rate=3000r/m;
 # The origins from which we allow CORS requests. These are combined with
 # 'external_env_domain' and 'additional_external_env_domains' to form a full
@@ -209,6 +212,20 @@ nginx_conf:
 - path: /clients
 envs:
 - all
+ - path: /mls/key-packages/claim
+ envs:
+ - all
+ specific_rate_limits:
+ # This endpoint gets called for every user that will get added to a
+ # conversation. A lot of these are expected during conversation
+ # creation.
+ - zone: key_package_claims_per_user
+ burst: 600
+ - zone: key_package_claims_per_user_per_target
+ burst: 100
+ # The name is a little misleading, this just disables default rate
+ # limiting in favour of the specific one defined above.
+ unlimited_requests_endpoint: true
 - path: /mls/key-packages
 envs:
 - all
@@ -440,6 +457,15 @@ nginx_conf:
 - all
 max_body_size: 40m
 body_buffer_size: 256k
+ - path: /conversations/one2one/
+ envs:
+ - all
+ # During MLS migration, this endpoint gets called _a lot_.
+ specific_user_rate_limit: one2one_conv
+ specific_user_rate_limit_burst: 1000
+ # The name is a little misleading, this just disables default rate
+ # limiting in favour of the specific one defined above.
+ unlimited_requests_endpoint: true
 - path: /conversations/([^/]*)/([^/]*)/protocol
 envs:
 - all
diff --git a/charts/sftd/Chart.yaml b/charts/sftd/Chart.yaml
deleted file mode 100644
index 3ebbb82a5c..0000000000
--- a/charts/sftd/Chart.yaml
+++ /dev/null
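Review bot: The `key_package_claims_per_user_per_target` zone is the first one keyed on `$rate_limited_by_zuser_path` (introduced in `_nginx.conf.tpl` in this same commit), so each state holds a user id plus the full claim path and is noticeably larger than the `$rate_limited_by_zuser` states the other 12m zones were sized for; by nginx's documented sizing (about 8k 128-byte states per megabyte) that gives on the order of 100k live (user, target) pairs before nginx evicts the oldest states — a rough estimate, not measured here. A comment on that line would keep the next person sizing zones from assuming the keys are all the same: `# keyed on user + target path ($rate_limited_by_zuser_path): larger states than the per-user zones`.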
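Review bot: The two-line explanation of `unlimited_requests_endpoint` (`# The name is a little misleading, this just disables default rate ...`) is pasted verbatim into both new entries, here in the @@ -209 hunk and in the `/conversations/one2one/` entry of the @@ -440 hunk, and a third copy is the likely outcome of the next specific limit. Document the flag once — at the head of the location list or in `_nginx.conf.tpl` where it is consumed, both outside this hunk — and reduce each entry to a one-liner such as `# disables the default per-user limit in favour of specific_rate_limits`. The `burst: 100` on the per-target zone equals its 100r/m rate, which reads as intentional but is also worth one word of comment given the per-user entry uses a burst well below its rate.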
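Review bot: `/conversations/one2one/` in the @@ -440 hunk is the only path in this file section written with a trailing slash, and nothing records whether that is deliberate; if the template renders these as prefix locations, the slash means the bare `/conversations/one2one` path keeps the default limit while `/conversations/one2one/<domain>/<user>` gets the `one2one_conv` zone, which is what the changelog entry describes. Either way the intent belongs next to the path: `# trailing slash on purpose: only the /:domain/:user form gets the relaxed limit`, or the slash dropped if the bare path should be covered too. How the template turns `path` into a location (prefix or regex, and in which order) is not visible here.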
@@ -1,14 +0,0 @@
-apiVersion: v2
-name: sftd
-description: SFTD is a component for engaging in conference calls
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.42
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.0.10
diff --git a/charts/sftd/README.md b/charts/sftd/README.md
deleted file mode 100644
index 2cdb05de31..0000000000
--- a/charts/sftd/README.md
+++ /dev/null
@@ -1,259 +0,0 @@ -# SFTD Chart - -In theory the `sftd` chart can be installed on its own, but it's usually -installed as part of the `wire-server` umbrella chart. - -## Parameters - -### Required -| Parameter | Description | -|-----------------|---------------------------------------------------------------------------------------------| -| `host` | The domain name on which the SFT will be reachable. Should point to your ingress controller | -| `allowOrigin` | Allows CORS requests on this domain. Set this to the domain of your wire webapp. | - - -### Bring your own certificate -| Parameter | Description | -|-----------------|---------------------------------------------------------------------------------------------| -| `tls.key` | Private key of the TLS certificate for `host` | -| `tls.crt` | TLS certificate for `host` | - -### Cert-manager certificate - -| Parameter | Description | -|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------| -| `tls.issuerRef` | describes what [Issuer](https://cert-manager.io/docs/reference/api-docs/#meta.cert-manager.io/v1.ObjectReference) to use to request a certificate | - - -### Other (optional) parameters - -| Parameter | Default | Description | -|---------------------------------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `terminationGracePeriodSeconds` | `10` | The time to wait after terminating an sft node before shutting it down. Useful to wait for a pod to have less calls before shutting down. Pod won't take new calls whilst terminating | -| `replicaCount` | `1` | Amount of SFT servers to run. Only one SFT server can run per node. 
So `replicaCount <= nodeCount` | -| `nodeSelector`, `affinity` | `{}` | Used to constraint SFT servers to only run on specific nodes | - -Please see [values.yaml](./values.yaml) for an overview of other parameters that can be configured. - -## Deploy - - -#### As part of `wire-server` umbrella chart - -The `sftd` can be deployed as part of the `wire-server` umbrella chart. You can -edit the `values.yaml` of your `wire-server` chart to configure sftd. - -```yaml -tags: - sftd: true - -sftd: - host: sftd.wire.example - allowOrigin: https://webapp.wire.example - tls: - # The https://cert-manager.io issuer to use to retrieve a certificate - issuerRef: - kind: ClusterIssuer - name: letsencrypt-prod -``` - -#### Standalone - -You can also install `sftd` as stand-alone. This is useful if you want to be -more careful with releases and want to decouple the release lifecycle of `sftd` -and `wire-server`. For example, if you set `terminationGracePeriodSeconds` to -allow calls to drain to a large number (say a few hours), this would make the -deployment of the `wire-server` umbrella-chart that usually is snappy to run -very slow. - - -``` -helm install sftd wire/sftd \ - --set host=sftd.wire.example \ - --set allowOrigin=https://webapp.wire.example \ - --set-file tls.crt=/path/to/tls.crt \ - --set-file tls.key=/path/to/tls.key -``` - - -the `host` option will be used to set up an `Ingress` object. - -The domain in `host` must point to the public IP you have deployed to handle -incoming traffic to your cluster. This is environment-specific. - -You can switch between `cert-manager` and own-provided certificates at any -time. Helm will delete the `sftd` secret automatically and then cert-manager -will create it instead. - - -`allowOrigin` MUST be in sync the domain where the web app is hosted -as configured in the `wire-server` chart or the webapp will not be able to contact the SFT -server. 
- -You MUST configure `brig` to hand out the SFT server to clients, in order for clients to be -able to use the new conference calling features: - -```yaml -brig: - # ... - optSettings: - # ... - setSftStaticUrl: https://sftd.wire.example:443 -``` - -## Routability - -We currently require network connectivity between clients and the SFT server -and between the SFT server and the restund servers. In other words; the SFT -server needs to be directly reachable on its public IP to clients and should be -able to reach the restund servers on their public IPs. - -More exotic setups _are_ possible but are currently *not* officially supported. Please -contact us if you have different constraints. - -### No public IP on default interface - -Often on-prem or at certain cloud providers your nodes will not have directly routable public IP addresses -but are deployed in 1:1 NAT. This chart is able to auto-detect this scenario if your cloud providers adds -an `ExternalIP` field to your kubernetes node objects. - -On on-prem you should set an `wire.com/external-ip` annotation on your kubernetes nodes so that sftd is aware -of its external IP when it gets scheduled on a node. - -If you use our kubespray playbooks to bootstrap kubernetes, you simply have to -set the `external_ip` field in your `group_vars` -```yaml -# inventory/group_vars/k8s-cluster -node_annotations: - wire.com/external-ip: {{ external_ip }} -``` -And the `external_ip` is set in the inventory per node: -``` -node0 ansible_host=.... ip=... external_ip=aaa.xxx.yyy.zzz -``` - -If you are hosting Kubernetes through other means you can annotate your nodes manually: -``` -$ kubectl annotate node $HOSTNAME wire.com/external-ip=$EXTERNAL_IP -``` - -## Rollout - -Kubernetes will shut down pods and start new ones when rolling out a release. Any calls -that were in progress on said pod will be terminated and will cause the call to drop. 
- -Kubernetes can be configured to wait for a certain amount of seconds before -stopping the pod. During this timeframe new calls wil not be initiated on the -pod, but existing calls will also not be disrupted. If you want to roll out a -release with minimal impact you can set the -[`terminationGracePeriodSeconds`](./values.yaml#L18) option to the maximum -length you want to wait before cutting off calls. - -For example to cordon SFTs for one hour before dropping calls: -``` -helm upgrade sftd wire/sftd --set terminationGracePeriodSeconds=3600 -``` - -Currently due to the fact we're using a `StatefulSet` to orchestrate update -rollouts, and `StatefulSet`s will not replace all pods at once but instead -one-for-one (aka. *rolling update*), a rollout of a release will take `oldReplicas * terminationGracePeriodSeconds` -to complete. - - -## Scaling up or down - -You can scale up and down by specifying `replicas`: - -```yaml -sftd: - replicaCount: 3 -``` - -By default we provision *1* replica. - -Note that due to the usage of `hostNetwork` there can only be _one_ instance of -`sftd` per Kubernetes node. You will need as many nodes available as you have -replicas. - -As a rule of thumb we support *50* concurrent connections per *1 vCPU*. These -numbers might improve as we work on optimizing the SFTD code. You should adjust -the amount of replicas based on your expected usage patterns and Kubernetes -node specifications. - -If you're using a Kubernetes cloud offering, we recommend setting up cluster -auto-scaling so that you automatically provision new Kubernetes nodes when the -amount of replicas increases above the amount of nodes available. - - -## Multiple sftd deployments in a single cluster -Because sftd uses the `hostNetwork` and binds to the public IP of the node, -there can only be one `sftd` pod running per node in the cluster. Within a -single `StatefulSet` kubernetes will make sure no two pods are scheduled on the -same machine automatically. 
However, if you have multiple `sftd` deployments under -different releases names or in a different namespace more care has to be taken. - -You can set the `nodeSelector` option; to make sure your sftd releases run on disjoint sets of nodes. - -For example, consider the following inventory of nodes, where there are two groups -annotated with - -``` -[sftd-prod:vars] -node_labels="wire.com/role=sftd-prod" -[sftd-staging:vars] -node_labels="wire.com/role=sftd-staging" - -[sftd-prod] -node0 -node1 -node3 - -[sftd-staging] -node4 -``` - -Then we can make two `sftd` deployments and make sure Kubernetes schedules them on distinct set of nodes: - -``` -helm install wire-prod charts/wire-server --set 'nodeSelector.wire\.com/role=sftd-prod' ...other-flags -helm install wire-staging charts/wire-server --set 'nodeSelector.wire\.com/role=sftd-staging' ...other-flags -``` - - -## Port conflicts and `hostNetwork` - -Kubernetes by default allocates node ports in the `30000-32768` range. This can -be adjusted with the `--service-nodeport-range` flag. -https://kubernetes.io/docs/concepts/services-networking/service/ SFTD asks the -kernel for free ports, which by default are in the `32768-61000` range -(https://ma.ttias.be/linux-increase-ip_local_port_range-tcp-port-range/). - -On a default installation these ranges do not overlap and sftd should never have -conflicts with kubernetes components. You should however check that on your OS -these ranges aren't configured differently. - - - -# Future work - -We're (ab-)using a `StatefulSet` to give each pod a stable DNS name and use -that to route call join requests to the right calling service. - -Downside of `StatefulSet` is that rollouts are slow -- propoerionally to how -high you set `terminationGracePeriodSeconds`. - -However, it seems that `coredns` supports to be configured to have the same DNS -behaviour for any pods, not just pods in `StatefulSet`s. 
-(https://github.com/kubernetes/kubernetes/issues/47992#issuecomment-499580692) - -This requires a deployer of wire to edit their cluster's CoreDNS config to set -the -[`endpoint_pod_names`](https://github.com/coredns/coredns/tree/master/plugin/kubernetes) -option which they might not have the ability to do. - -If you are able to set this setting, you could use a `Deployment` instead of a -`StatefulSet`. The benefit of a `Deployment` is that it replaces all pods at -once; such that you do not have to wait `replicaCount * -terminationGracePeriodSeconds` for a rollout to finish but just -`terminationGracePeriodSeconds`. This drastically improves operations. We -should expose this as an option for a future release. diff --git a/charts/sftd/templates/_helpers.tpl b/charts/sftd/templates/_helpers.tpl deleted file mode 100644 index 05918c69f6..0000000000 --- a/charts/sftd/templates/_helpers.tpl +++ /dev/null 
@@ -1,91 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "sftd.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "sftd.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "sftd.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "sftd.labels" -}} -helm.sh/chart: {{ include "sftd.chart" . }} -{{ include "sftd.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} -{{- define "sftd.join-call.labels" -}} -helm.sh/chart: {{ include "sftd.chart" . }} -{{ include "sftd.join-call.selectorLabels" . }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "sftd.selectorLabels" -}} -app.kubernetes.io/name: {{ include "sftd.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} -{{- define "sftd.join-call.selectorLabels" -}} -app.kubernetes.io/name: join-call -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* Allow KubeVersion to be overridden. 
*/}} -{{- define "kubeVersion" -}} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} -{{- end -}} - -{{/* Get Ingress API Version */}} -{{- define "ingress.apiVersion" -}} - {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" (include "kubeVersion" .)) -}} - {{- print "networking.k8s.io/v1" -}} - {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} - {{- print "networking.k8s.io/v1beta1" -}} - {{- else -}} - {{- print "extensions/v1beta1" -}} - {{- end -}} -{{- end -}} - -{{/* Check Ingress stability */}} -{{- define "ingress.isStable" -}} - {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} -{{- end -}} - -{{/* Check Ingress supports pathType */}} -{{/* pathType was added to networking.k8s.io/v1beta1 in Kubernetes 1.18 */}} -{{- define "ingress.supportsPathType" -}} - {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" (include "kubeVersion" .))) -}} -{{- end -}} - -{{- define "ingress.FieldNotAnnotation" -}} - {{- (semverCompare ">= 1.27-0" (include "kubeVersion" .)) -}} -{{- end -}} diff --git a/charts/sftd/templates/configmap-join-call.yaml b/charts/sftd/templates/configmap-join-call.yaml deleted file mode 100644 index 523d741a2b..0000000000 --- a/charts/sftd/templates/configmap-join-call.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "sftd.fullname" . }}-join-call - labels: - {{- include "sftd.join-call.labels" . | nindent 4 }} - -data: - default.conf.template: | - server { - listen 8080; - resolver ${NAMESERVER}; - - location /healthz { return 204; } - - location ~ ^/sfts/([a-z0-9\-]+)/(.*) { - proxy_pass http://$1.{{ include "sftd.fullname" . }}.${POD_NAMESPACE}.svc.cluster.local:8585/$2; - } - - location ~ ^/sft_servers_all.json$ { - root /etc/wire/sftd-disco/; - } - - } 
diff --git a/charts/sftd/templates/deployment-join-call.yaml b/charts/sftd/templates/deployment-join-call.yaml deleted file mode 100644 index 3574bf0481..0000000000 --- a/charts/sftd/templates/deployment-join-call.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "sftd.fullname" . }}-join-call - labels: - {{- include "sftd.join-call.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.joinCall.replicaCount }} - selector: - matchLabels: - {{- include "sftd.join-call.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "sftd.join-call.selectorLabels" . | nindent 8 }} - annotations: - checksum/configmap: {{ include (print .Template.BasePath "/configmap-join-call.yaml") . | sha256sum }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - volumes: - - name: nginx-config - configMap: - name: {{ include "sftd.fullname" . }}-join-call - - name: sftd-disco - emptyDir: {} - containers: - - name: sftd-disco - image: quay.io/wire/sftd_disco:wip-2 # TODO configure + version - volumeMounts: - - name: sftd-disco - mountPath: /etc/wire/sftd-disco - readOnly: false - command: - - "/bin/sh" - - "-c" - - | - /usr/bin/sftd_disco.sh _sft._tcp.{{ include "sftd.fullname" . 
}}.{{ .Release.Namespace }}.svc.cluster.local - - name: nginx - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.joinCall.image.repository }}:{{ .Values.joinCall.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 8080 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: http - readinessProbe: - httpGet: - path: /healthz - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /etc/nginx/conf.d/default.conf.template - name: nginx-config - subPath: default.conf.template - - name: sftd-disco - mountPath: /etc/wire/sftd-disco - readOnly: true - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - command: - - "/bin/sh" - - "-c" - - | - export NAMESERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '` - envsubst '$NAMESERVER $POD_NAMESPACE' < /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf - exec nginx -g 'daemon off;' diff --git a/charts/sftd/templates/ingress.yaml b/charts/sftd/templates/ingress.yaml deleted file mode 100644 index 0c82a936f4..0000000000 --- a/charts/sftd/templates/ingress.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -{{- $apiIsStable := eq (include "ingress.isStable" .) "true" -}} -{{- $ingressFieldNotAnnotation := eq (include "ingress.FieldNotAnnotation" .) "true" -}} -{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} -apiVersion: {{ include "ingress.apiVersion" . }} -kind: Ingress -metadata: - name: "{{ include "sftd.fullname" . }}" - labels: - {{- include "sftd.labels" . | nindent 4 }} - annotations: - {{- if not $ingressFieldNotAnnotation }} - kubernetes.io/ingress.class: "{{ .Values.config.ingressClass }}" - {{- end }} - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-origin: "{{ required "Must specify allowOrigin" .Values.allowOrigin }}" -spec: - {{- if $ingressFieldNotAnnotation }} - ingressClassName: "{{ .Values.config.ingressClass }}" - {{- end }} - tls: - - hosts: - - "{{ required "Must specify host" .Values.host }}" - secretName: "{{ include "sftd.fullname" . }}" - rules: - - host: "{{ .Values.host }}" - http: - paths: - - path: /sft/ - {{- if $ingressSupportsPathType }} - pathType: Prefix - {{- end }} - backend: - {{- if $apiIsStable }} - service: - name: {{ include "sftd.fullname" . }} - port: - name: sft - {{- else }} - serviceName: "{{ include "sftd.fullname" . }}" - servicePort: sft - {{- end }} - - path: /sfts/ - {{- if $ingressSupportsPathType }} - pathType: Prefix - {{- end }} - backend: - {{- if $apiIsStable }} - service: - name: "{{ include "sftd.fullname" . }}-join-call" - port: - name: http - {{- else }} - serviceName: "{{ include "sftd.fullname" . }}-join-call" - servicePort: http - {{- end }} - - path: /sft_servers_all.json - {{- if $ingressSupportsPathType }} - pathType: Exact - {{- end }} - backend: - {{- if $apiIsStable }} - service: - name: "{{ include "sftd.fullname" . }}-join-call" - port: - name: http - {{- else }} - serviceName: "{{ include "sftd.fullname" . }}-join-call" - servicePort: http - {{- end }} 
diff --git a/charts/sftd/templates/secret-or-certificate.yaml b/charts/sftd/templates/secret-or-certificate.yaml deleted file mode 100644 index 44eb6c6526..0000000000 --- a/charts/sftd/templates/secret-or-certificate.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.tls.issuerRef -}} -{{- if or .Values.tls.key .Values.tls.crt }} -{{- fail "ingress.issuer and ingress.{crt,key} are mutually exclusive" -}} -{{- end -}} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "{{ include "sftd.fullname" . }}" - labels: - {{- include "sftd.labels" . | nindent 4 }} -spec: - dnsNames: - - {{ .Values.host }} - secretName: "{{ include "sftd.fullname" . }}" - issuerRef: - {{- toYaml .Values.tls.issuerRef | nindent 4 }} - privateKey: - rotationPolicy: Always - algorithm: ECDSA - size: 384 -{{- else if and .Values.tls.key .Values.tls.crt -}} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ include "sftd.fullname" . }}" - labels: - {{- include "sftd.labels" . | nindent 4 }} -type: kubernetes.io/tls -data: - tls.key: {{ required "tls.key is required" .Values.tls.key | b64enc }} - tls.crt: {{ required "tls.crt is required" .Values.tls.crt | b64enc }} -{{- else -}} -{{- fail "must specify tls.key and tls.crt , or tls.issuerRef" -}} -{{- end -}} diff --git a/charts/sftd/templates/secret.yaml b/charts/sftd/templates/secret.yaml deleted file mode 100644 index 1ad51ec77f..0000000000 --- a/charts/sftd/templates/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if and .Values.multiSFT.enabled (not .Values.multiSFT.discoveryRequired) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "sftd.fullname" . }}-secret - labels: - {{- include "sftd.labels" . | nindent 4 }} -type: Opaque -data: - zrest_secret.txt: {{ required "must specify authentication secret" .Values.multiSFT.secret | b64enc | quote }} -{{- end }} 
diff --git a/charts/sftd/templates/service-account.yaml b/charts/sftd/templates/service-account.yaml deleted file mode 100644 index 347a4e66e4..0000000000 --- a/charts/sftd/templates/service-account.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "sftd.fullname" . }} - labels: - {{- include "sftd.labels" . | nindent 4 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "sftd.fullname" . }} - labels: - {{- include "sftd.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: [nodes] - verbs: [get] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "sftd.fullname" . }} - labels: - {{- include "sftd.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: {{ include "sftd.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ include "sftd.fullname" . }} - namespace: {{ .Release.Namespace }} diff --git a/charts/sftd/templates/service-join-call.yaml b/charts/sftd/templates/service-join-call.yaml deleted file mode 100644 index 6663681e8a..0000000000 --- a/charts/sftd/templates/service-join-call.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "sftd.fullname" . }}-join-call - labels: - {{- include "sftd.join-call.labels" . | nindent 4 }} -spec: - ports: - - port: 80 - targetPort: http - name: http - selector: - {{- include "sftd.join-call.selectorLabels" . | nindent 4 }} diff --git a/charts/sftd/templates/service.yaml b/charts/sftd/templates/service.yaml deleted file mode 100644 index fe7b69643a..0000000000 --- a/charts/sftd/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "sftd.fullname" . }} - labels: - {{- include "sftd.labels" . | nindent 4 }} -spec: - # Needs to be headless - # See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ - clusterIP: None - ports: - - port: 8585 - targetPort: sft - name: sft - - port: 49090 - targetPort: metrics - name: metrics - selector: - {{- include "sftd.selectorLabels" . | nindent 4 }} diff --git a/charts/sftd/templates/servicemonitor.yaml b/charts/sftd/templates/servicemonitor.yaml deleted file mode 100644 index 6a2b2fc34a..0000000000 --- a/charts/sftd/templates/servicemonitor.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "sftd.fullname" . }} - labels: - {{- include "sftd.labels" . | nindent 4 }} -spec: - endpoints: - - port: metrics - path: /metrics - selector: - matchLabels: - {{- include "sftd.selectorLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/sftd/templates/statefulset.yaml b/charts/sftd/templates/statefulset.yaml deleted file mode 100644 index 8559acf765..0000000000 --- a/charts/sftd/templates/statefulset.yaml +++ /dev/null 
@@ -1,209 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "sftd.fullname" . }} - labels: - {{- include "sftd.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - # Allows sfts to start up and shut down in parallel when scaling up and down. - # However this does not affect upgrades. - podManagementPolicy: Parallel - serviceName: {{ include "sftd.fullname" . }} - selector: - matchLabels: - {{- include "sftd.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "sftd.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: {{ include "sftd.fullname" . }} - volumes: - - name: external-ip - emptyDir: {} - {{- if .Values.multiSFT.enabled }} - {{- if .Values.multiSFT.discoveryRequired }} - - name: multi-sft-config - emptyDir: {} - {{- else }} - - name: sft-secret - secret: - secretName: {{ include "sftd.fullname" . 
}}-secret - {{- end }} - {{- end }} - initContainers: - - name: get-external-ip - image: bitnami/kubectl:1.24.12 - volumeMounts: - - name: external-ip - mountPath: /external-ip - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - command: - - /bin/sh - - -c - - | - set -e - - # In the cloud, this setting is available to indicate the true IP address - addr=$(kubectl get node $NODE_NAME -ojsonpath='{.status.addresses[?(@.type=="ExternalIP")].address}') - - # On on-prem we allow people to set "wire.com/external-ip" to override this - if [ -z "$addr" ]; then - addr=$(kubectl get node $NODE_NAME -ojsonpath='{.metadata.annotations.wire\.com/external-ip}') - fi - echo -n "$addr" | tee /dev/stderr > /external-ip/ip - - {{- if and .Values.multiSFT.enabled .Values.multiSFT.discoveryRequired }} - - name: get-multi-sft-config - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - - volumeMounts: - - name: multi-sft-config - mountPath: /multi-sft-config - - command: - - /bin/sh - - -c - - | - set -e - - - response=$(curl "{{ .Values.multiSFT.turnDiscoveryURL }}") - if [ -z "$response" ]; then - echo "No response from restund server." - exit 1 - fi - - echo "$response" | jq -r '.username' > /multi-sft-config/username - if [ ! -s /multi-sft-config/username ]; then - echo "Response does not contain a username" - exit 1 - fi - - echo "$response" | jq -r '.password' > /multi-sft-config/password - if [ ! -s /multi-sft-config/password ]; then - echo "Response does not contain a password" - exit 1 - fi - - echo "$response" | jq -r '.uris[0]' > /multi-sft-config/turn_server - if [ ! 
-s /multi-sft-config/turn_server ]; then - echo "Response does not contain a turn server" - exit 1 - fi - {{- end }} - - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - volumeMounts: - - name: external-ip - mountPath: /external-ip - {{- if .Values.multiSFT.enabled }} - {{- if .Values.multiSFT.discoveryRequired }} - - name: multi-sft-config - mountPath: /multi-sft-config - {{- else }} - - name: sft-secret - mountPath: /secrets - {{- end }} - {{- end }} - command: - - /bin/sh - - -c - - | - set -e - EXTERNAL_IP=$(cat /external-ip/ip) - if [ -z "${EXTERNAL_IP}" ]; then - ACCESS_ARGS= - else - ACCESS_ARGS="-A ${EXTERNAL_IP}" - fi - - MULTI_SFT_ARGS="" - - {{- if .Values.multiSFT.enabled }} - {{- if .Values.multiSFT.discoveryRequired }} - MULTI_SFT_ARGS="-t $(cat /multi-sft-config/turn_server) \ - -x $(cat /multi-sft-config/username) \ - -c $(cat /multi-sft-config/password)" - {{- else }} - MULTI_SFT_ARGS="-t {{ required "must specify TURN server URI" .Values.multiSFT.turnServerURI }} \ - -s /secrets/zrest_secret.txt" - {{- end }} - {{- end }} - - exec sftd \ - -I "${POD_IP}" \ - -M "${POD_IP}" \ - ${ACCESS_ARGS} \ - ${MULTI_SFT_ARGS} \ - {{ if .Values.turnDiscoveryEnabled }}-T{{ end }} \ - -u "https://{{ required "must specify host" .Values.host }}/sfts/${POD_NAME}" - ports: - - name: sft - containerPort: 8585 - protocol: TCP - - name: metrics - containerPort: 49090 - protocol: TCP - livenessProbe: - httpGet: - path: /metrics - port: metrics - readinessProbe: - httpGet: - path: /metrics - port: metrics - lifecycle: - preStop: - exec: - # TODO: Workaround because sftd does not support graceful draining natively. 
- # tracked in https://github.com/zinfra/backend-issues/issues/1451 - command: - - /bin/sleep - - "{{ .Values.terminationGracePeriodSeconds }}" - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/sftd/values.yaml b/charts/sftd/values.yaml deleted file mode 100644 index 4a3b90c6a0..0000000000 --- a/charts/sftd/values.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -# Default values for sftd. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# The amount of SFT instances to run. NOTE: Only one SFT can run per node due -# to `hostNetwork`. If this number is higher than the amount of nodes that can -# be used for scheduling (Also see `nodeSelector`) pods will remain in a -# pending state untill you add more capacit. -replicaCount: 1 - -image: - repository: quay.io/wire/sftd - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -config: - ingressClass: "nginx" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -metrics: - serviceMonitor: - enabled: false - -# The time to wait after terminating an sft node before shutting it down. No -# new calls will be initiated whilst a pod is being terminated. -terminationGracePeriodSeconds: 10 - -podAnnotations: {} - -podSecurityContext: - fsGroup: 31337 - -securityContext: - # Pick a high number that is unlikely to conflict with the host - # https://kubesec.io/basics/containers-securitycontext-runasuser/ - runAsUser: 31337 - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# If you have multiple deployments of sftd running in one cluster, it is -# important that they run on disjoint sets of nodes, you can use nodeSelector to enforce this -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# allowOrigin: https://webapp.wire.example -# host: -tls: {} - # {key,crt} and issuerRef are mutally exclusive - # key: - # crt: - # issuerRef: - # The name of the issuer (e.g. letsencrypr-prod) - # name: ca-issuer - # We can reference ClusterIssuers by changing the kind here. - # The default value is Issuer (i.e. a locally namespaced Issuer) - # kind: Issuer - # This is optional since cert-manager will default to this value however - # if you are using an external issuer, change this to that issuer group. - # group: cert-manager.io - -joinCall: - replicaCount: 3 - image: - repository: nginxinc/nginx-unprivileged - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "1.25.3" - -# Allow SFT instances to choose/consider using a TURN server for themselves as a proxy when -# trying to establish a connection to clients -# DOCS: https://docs.wire.com/understand/sft.html#prerequisites -turnDiscoveryEnabled: false - -# Allow establishing calls involving remote SFT servers (e.g. for Federation) -# Requires appVersion 3.0.9 or later -multiSFT: - enabled: false # keep multiSFT default in sync with brig chart's config.multiSFT - # For sftd versions up to 3.1.3, sftd uses the TURN servers advertised at a - # discovery URL. - turnDiscoveryURL: "" - # For sftd versions 3.1.10 and later, this discovery process is no longer - # required or supported, and must be disabled. sftd must instead be directly - # configured with the authentication secret used by the TURN server and the - # URI for the TURN server. - discoveryRequired: true - secret: - turnServerURI: - 
diff --git a/charts/smallstep-accomp/README.md b/charts/smallstep-accomp/README.md
index 3165073192..ad57924296 100644
--- a/charts/smallstep-accomp/README.md
+++ b/charts/smallstep-accomp/README.md
@@ -32,13 +32,15 @@ own domain is `acme.alpha.example.com` this helm chart will forward requests - `https://acme.alpha.example.com/proxyCrl/acme.alpha.example.com` to `https://acme.alpha.example.com/crl` - `https://acme.alpha.example.com/proxyCrl/acme.beta.example.com` to `https://acme.beta.example.com/crl` -| Name | Description | -| ------------------------- | ----------------------------------------------------------------------------------------- | -| `upstreams.enable` | Set to `false` in case you want to write custom nginx server block for the upstream rules | -| `upstreams.dnsResolver` | DNS server that nginx uses to resolve the proxied hostnames | -| `upstreams.proxiedHosts` | List of smallstep hostnames to proxy. Please also include the own smallstep host here | -| `nginx.ingress.enable` | Set to `false` in case you'd like to define a custom ingress for the /proxyCrl endpoint | -| `nginx.ingress.hostname` | Hostname of the step-ca server | +| Name | Description | +| -------------------------- | --------------------------------------------------------------------------------------------------------- | +| `upstreams.enable` | Set to `false` in case you want to write custom nginx server block for the upstream rules | +| `upstreams.dnsResolver` | DNS server that nginx uses to resolve the proxied hostnames | +| `upstreams.proxiedHosts` | List of remote (federated) step-ca hostnames to proxy. Also include the own step-ca host here. | +| `nginx.ingress.enable` | Set to `false` if you need to define a custom ingress for the /proxyCrl endpoint. Make sure CORS is set. | +| `nginx.ingress.hostname` | Hostname of the step-ca server | +| `nginx.ingress.extraTls` | The TLS configuration | +| `nginx.ingress.annotations`| CORS config for the ingress, set the hostname of the step-ca server here | For more details on `nginx.*` parameters see README.md documentation in the `nginx` dependency chart. 
diff --git a/charts/smallstep-accomp/templates/server-block-configmap.yaml b/charts/smallstep-accomp/templates/server-block-configmap.yaml index a6765595d3..59c423d334 100644 --- a/charts/smallstep-accomp/templates/server-block-configmap.yaml +++ b/charts/smallstep-accomp/templates/server-block-configmap.yaml @@ -26,6 +26,11 @@ data: proxy_set_header Host $backend; proxy_hide_header Content-Type; add_header Content-Type application/pkix-crl; + # Prevent caching on client side + add_header Cache-Control 'no-cache, no-store, must-revalidate'; + add_header Pragma 'no-cache'; + add_header Expires '0'; + proxy_pass "https://$backend/crl"; } diff --git a/charts/team-settings/.helmignore b/charts/team-settings/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/charts/team-settings/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/charts/team-settings/Chart.yaml b/charts/team-settings/Chart.yaml deleted file mode 100644 index efc59bdbf7..0000000000 --- a/charts/team-settings/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: A Helm chart for the Wire team-settings in Kubernetes -name: team-settings -version: 0.0.42 diff --git a/charts/team-settings/README.md b/charts/team-settings/README.md deleted file mode 100644 index 5a8e758e94..0000000000 --- a/charts/team-settings/README.md +++ /dev/null 
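Review bot: The new `add_header` lines are appended to, not substituted for, whatever `Cache-Control`, `Expires` or `Pragma` the upstream step-ca sends, because the `proxy_hide_header` two lines above hides only `Content-Type`; a client that receives two `Cache-Control` headers may honour the upstream's caching directive and keep a stale CRL, which defeats the stated goal of fast revocation. Hide the upstream copies next to the existing line: `proxy_hide_header Cache-Control;`, `proxy_hide_header Expires;`, `proxy_hide_header Pragma;`. Note also that `add_header` without the `always` flag is emitted only on 2xx/3xx responses, so an error response relayed from the upstream carries none of these headers; appending `always` to the three new directives closes that gap. The enclosing `location` block and the definition of `$backend` lie outside the hunk.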
@@ -1,5 +0,0 @@ -Team settings are part of a private repo. As such, this chart expects a secret named `wire-teamsettings-readonly-pull-secret` to be made available as a secret. Check the [values file](values.yaml) for more info. - -kubectl create -f wire-teamsettings-readonly-pull-secret.yml --namespace= - -If you want to get access to it, get in [touch with us](https://wire.com/pricing/). diff --git a/charts/team-settings/templates/_helpers.tpl b/charts/team-settings/templates/_helpers.tpl deleted file mode 100644 index 12c09876c3..0000000000 --- a/charts/team-settings/templates/_helpers.tpl +++ /dev/null @@ -1,25 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "team-settings.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "team-settings.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Allow KubeVersion to be overridden. */}} -{{- define "kubeVersion" -}} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} -{{- end -}} - -{{- define "includeSecurityContext" -}} - {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}} -{{- end -}} diff --git a/charts/team-settings/templates/deployment.yaml b/charts/team-settings/templates/deployment.yaml deleted file mode 100644 index ddd916c15e..0000000000 --- a/charts/team-settings/templates/deployment.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: team-settings - labels: - app: team-settings - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: {{ .Values.replicaCount | mul 2 }} - selector: - matchLabels: - app: team-settings - template: - metadata: - labels: - app: team-settings - release: {{ .Release.Name }} - spec: - # Check the README to find out more about this secret - imagePullSecrets: - - name: wire-teamsettings-readonly-pull-secret - containers: - - name: team-settings - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- if eq (include "includeSecurityContext" .) "true" }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 10 }} - {{- end }} - env: - - name: NODE_PORT - value: "{{ .Values.service.http.internalPort }}" - - name: APP_BASE - value: https://{{ .Values.config.externalUrls.appHost }}/ - - name: BACKEND_REST - value: https://{{ .Values.config.externalUrls.backendRest }} - - name: BACKEND_WS - value: wss://{{ .Values.config.externalUrls.backendWebsocket }} - - {{- if not (hasKey .Values.envVars "FEATURE_ENABLE_PAYMENT") }} - # NOTE defaults to 'true', but since we assume on-prem here, we default to 'false' - # SRC https://github.com/wireapp/wire-web-config-default/blob/master/wire-team-settings/.env.defaults#L48 - - name: FEATURE_ENABLE_PAYMENT - value: {{ .Values.config.enablePayment | default false | quote }} - {{- end }} - {{- range $key, $val := .Values.envVars }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.service.http.internalPort }} - readinessProbe: - httpGet: - path: /_health/ - port: {{ .Values.service.http.internalPort }} - scheme: HTTP - livenessProbe: - initialDelaySeconds: 30 - timeoutSeconds: 3 
- httpGet: - path: /_health/ - port: {{ .Values.service.http.internalPort }} - scheme: HTTP - resources: -{{ toYaml .Values.resources | indent 12 }} - dnsPolicy: ClusterFirst - restartPolicy: Always diff --git a/charts/team-settings/templates/secret.yaml b/charts/team-settings/templates/secret.yaml deleted file mode 100644 index 64710da6f4..0000000000 --- a/charts/team-settings/templates/secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: wire-teamsettings-readonly-pull-secret - labels: - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: kubernetes.io/dockerconfigjson -data: - {{/* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}} - for_helm_linting: {{ required "No .secrets found in configuration. Did you forget to helm -f path/to/secrets.yaml ?" .Values.secrets | quote | b64enc | quote }} - - {{- with .Values.secrets }} - .dockerconfigjson: {{ .configJson }} - {{- end }} diff --git a/charts/team-settings/values.yaml b/charts/team-settings/values.yaml deleted file mode 100644 index a8c8dc8228..0000000000 --- a/charts/team-settings/values.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -# Default values for the team-settings. -replicaCount: 1 -resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "512Mi" - cpu: "1" -image: - repository: quay.io/wire/team-settings - tag: "4.15.1-v0.31.19-0-ee1dbce" -service: - https: - externalPort: 443 - http: - internalPort: 8080 - -## The following has to be provided to deploy this chart - -#config: -# externalUrls: -# backendRest: nginz-https.wire.example -# backendWebsocket: nginz-ssl.wire.example -# backendDomain: wire.example -# appHost: teams.wire.example - -#secrets: -# configJson: - -# Some relevant environment options. For a comprehensive -# list of available variables, please refer to: -# https://github.com/wireapp/wire-web-config-wire/blob/master/wire-team-settings/.env.defaults -# -# NOTE: Without an empty dictionary, you will see warnings -# when overriding envVars -envVars: {} -# E.g. -# envVars: -# FEATURE_ENABLE_DEBUG: "true" -# You are likely to need at least following CSP headers -# due to the fact that you are likely to do cross sub-domain requests -# i.e., from teams.wire.example to nginz-https.wire.example -# CSP_EXTRA_CONNECT_SRC: "https://*.wire.example, wss://*.wire.example" -# CSP_EXTRA_IMG_SRC: "https://*.wire.example" -# CSP_EXTRA_SCRIPT_SRC: "https://*.wire.example" -# CSP_EXTRA_DEFAULT_SRC: "https://*.wire.example" -# CSP_EXTRA_FONT_SRC: "https://*.wire.example" -# CSP_EXTRA_FRAME_SRC: "https://*.wire.example" -# CSP_EXTRA_MANIFEST_SRC: "https://*.wire.example" -# CSP_EXTRA_OBJECT_SRC: "https://*.wire.example" -# CSP_EXTRA_MEDIA_SRC: "https://*.wire.example" -# CSP_EXTRA_PREFETCH_SRC: "https://*.wire.example" -# CSP_EXTRA_STYLE_SRC: "https://*.wire.example" -# CSP_EXTRA_WORKER_SRC: "https://*.wire.example" - -podSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsUser: 1000 - runAsGroup: 1000 - seccompProfile: - type: RuntimeDefault 
diff --git a/charts/webapp/.helmignore b/charts/webapp/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/charts/webapp/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/charts/webapp/Chart.yaml b/charts/webapp/Chart.yaml deleted file mode 100644 index 1f94da93f3..0000000000 --- a/charts/webapp/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: A Helm chart for the Wire webapp in Kubernetes -name: webapp -version: 0.0.42 diff --git a/charts/webapp/templates/_helpers.tpl b/charts/webapp/templates/_helpers.tpl deleted file mode 100644 index 2a098feb85..0000000000 --- a/charts/webapp/templates/_helpers.tpl +++ /dev/null @@ -1,25 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "webapp.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "webapp.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Allow KubeVersion to be overridden. */}} -{{- define "kubeVersion" -}} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} -{{- end -}} - -{{- define "includeSecurityContext" -}} - {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}} -{{- end -}} 
diff --git a/charts/webapp/templates/deployment.yaml b/charts/webapp/templates/deployment.yaml
deleted file mode 100644
index c17491f2fd..0000000000
--- a/charts/webapp/templates/deployment.yaml
+++ /dev/null
@@ -1,71 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: webapp - labels: - app: webapp - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: {{ .Values.replicaCount | mul 2 }} - selector: - matchLabels: - app: webapp - template: - metadata: - labels: - app: webapp - release: {{ .Release.Name }} - spec: - containers: - - name: webapp - {{- if .Values.image.digest }} - image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}" - {{- else }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- end }} - {{- if eq (include "includeSecurityContext" .) "true" }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 10 }} - {{- end }} - # Check variables here: https://github.com/wireapp/wire-webapp/wiki/Self-hosting - env: - # it is vital that you don't add trailing '/' in this section! 
- - name: NODE_PORT - value: "{{ .Values.service.http.internalPort }}" - - name: APP_BASE - value: "https://{{ .Values.config.externalUrls.appHost }}" - - name: BACKEND_REST - value: "https://{{ .Values.config.externalUrls.backendRest }}" - - name: BACKEND_WS - value: "wss://{{ .Values.config.externalUrls.backendWebsocket }}" - {{- range $key, $val := .Values.envVars }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.service.http.internalPort }} - # NOTE: /test/ returns an HTML document a 200 response code - readinessProbe: - httpGet: - path: /_health/ - port: {{ .Values.service.http.internalPort }} - scheme: HTTP - livenessProbe: - initialDelaySeconds: 30 - timeoutSeconds: 3 - httpGet: - path: /_health/ - port: {{ .Values.service.http.internalPort }} - scheme: HTTP - resources: -{{ toYaml .Values.resources | indent 12 }} - dnsPolicy: ClusterFirst - restartPolicy: Always diff --git a/charts/webapp/values.yaml b/charts/webapp/values.yaml deleted file mode 100644 index 6ce8a3146f..0000000000 --- a/charts/webapp/values.yaml +++ /dev/null 
@@ -1,62 +0,0 @@
-# Default values for the webapp.
-replicaCount: 1
-resources:
- requests:
- memory: "128Mi"
- cpu: "100m"
- limits:
- memory: "512Mi"
- cpu: "1"
-image:
- repository: quay.io/wire/webapp
- tag: "2024-01-22-production.1-v0.31.17-0-7f83dbe"
-service:
- https:
- externalPort: 443
- http:
- internalPort: 8080
-
-## The following has to be provided to deploy this chart
-
-#config:
-# externalUrls:
-# backendRest: nginz-https.wire.example
-# backendWebsocket: nginz-ssl.wire.example
-# backendDomain: wire.example
-# appHost: webapp.wire.example
-
-# Some relevant environment options. For a comprehensive
-# list of available variables, please refer to:
-# https://github.com/wireapp/wire-web-config-wire/blob/master/wire-webapp/.env.defaults
-#
-# NOTE: Without an empty dictionary, you will see warnings
-# when overriding envVars
-envVars: {}
-# E.g.
-# envVars:
-# FEATURE_ENABLE_DEBUG: "true"
-# You are likely to need at least following CSP headers
-# due to the fact that you are likely to do cross sub-domain requests
-# i.e., from webapp.wire.example to nginz-https.wire.example
-# CSP_EXTRA_CONNECT_SRC: "https://*.wire.example, wss://*.wire.example"
-# CSP_EXTRA_IMG_SRC: "https://*.wire.example"
-# CSP_EXTRA_SCRIPT_SRC: "https://*.wire.example"
-# CSP_EXTRA_DEFAULT_SRC: "https://*.wire.example"
-# CSP_EXTRA_FONT_SRC: "https://*.wire.example"
-# CSP_EXTRA_FRAME_SRC: "https://*.wire.example"
-# CSP_EXTRA_MANIFEST_SRC: "https://*.wire.example"
-# CSP_EXTRA_OBJECT_SRC: "https://*.wire.example"
-# CSP_EXTRA_MEDIA_SRC: "https://*.wire.example"
-# CSP_EXTRA_PREFETCH_SRC: "https://*.wire.example"
-# CSP_EXTRA_STYLE_SRC: "https://*.wire.example"
-# CSP_EXTRA_WORKER_SRC: "https://*.wire.example"
-
-podSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsUser: 1000
- runAsGroup: 1000
- seccompProfile:
- type: RuntimeDefault
diff --git a/charts/wire-server/requirements.yaml b/charts/wire-server/requirements.yaml
index b5350be6c8..2d1fafb967 100644
--- a/charts/wire-server/requirements.yaml
+++ b/charts/wire-server/requirements.yaml
@@ -77,26 +77,6 @@ dependencies:
 tags:
 - nginz
 - services
-- name: webapp
- version: "0.0.42"
- repository: "file://../webapp"
- tags:
- - web
- - webapp
-- name: team-settings
- version: "0.0.42"
- repository: "file://../team-settings"
- tags:
- - web
- - team-settings
- - private
-- name: account-pages
- version: "0.0.42"
- repository: "file://../account-pages"
- tags:
- - web
- - account-pages
- - private
 - name: legalhold
 version: "0.0.42"
 repository: "file://../legalhold"
@@ -119,11 +99,6 @@ dependencies:
 - federation
 - haskellServices
 - services
-- name: sftd
- version: "0.0.42"
- repository: "file://../sftd"
- tags:
- - sftd
 - name: integration
 version: "0.0.42"
 repository: "file://../integration"
diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl
index b7ef73d8fa..88b4e27d64 100644
--- a/hack/helm_vars/wire-server/values.yaml.gotmpl
+++ b/hack/helm_vars/wire-server/values.yaml.gotmpl
@@ -9,9 +9,6 @@ tags:
 federation: true # also see galley.config.enableFederation and brig.config.enableFederation
 backoffice: true
 proxy: false
- webapp: false
- team-settings: false
- account-pages: false
 legalhold: false
 sftd: false
 integration: true
