diff --git a/.github/workflows/changelog-verify.yml b/.github/workflows/changelog-verify.yml index 79441a420..164e6beb8 100644 --- a/.github/workflows/changelog-verify.yml +++ b/.github/workflows/changelog-verify.yml @@ -1,9 +1,7 @@ name: Changelog verification on: pull_request: - branches: [master] - push: - branches: [master] + branches: ["**"] permissions: contents: read diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml index cb95c01aa..fb3ee33fd 100644 --- a/ansible/inventory/demo/wiab-staging.yml +++ b/ansible/inventory/demo/wiab-staging.yml @@ -6,4 +6,4 @@ wiab-staging: ansible_user: 'demo' ansible_ssh_private_key_file: "~/.ssh/id_ed25519" vars: - artifact_hash: 82edf88d9193e9f7e0a62ee4b287fd0c7cebb1bd + artifact_hash: 2200257f7a528f3a8157e8878fc7ee1c945594d1 diff --git a/ansible/wiab-demo/wire_secrets.yml b/ansible/wiab-demo/wire_secrets.yml index 8b1ef9681..4afd87b8f 100644 --- a/ansible/wiab-demo/wire_secrets.yml +++ b/ansible/wiab-demo/wire_secrets.yml @@ -418,6 +418,9 @@ galley: secrets: pgPassword: "{{ pgpassword }}" + background-worker: + secrets: + pgPassword: "{{ pgpassword }}" when: "'postgresql' in charts_to_deploy" - name: Update secrets in-place diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh index 76756a1a6..bb8d1f990 100755 --- a/bin/offline-secrets.sh +++ b/bin/offline-secrets.sh @@ -51,8 +51,6 @@ brig: rabbitmq: username: guest password: guest - # These are only necessary if you wish to support sign up via SMS/calls - # And require accounts at twilio.com / nexmo.com cargohold: secrets: @@ -105,6 +103,7 @@ team-settings: configJson: "e30K" background-worker: secrets: + pgPassword: verysecurepassword rabbitmq: username: guest password: guest diff --git a/changelog.d/3-deploy-builds/wiab-dev-5.25-fixes b/changelog.d/3-deploy-builds/wiab-dev-5.25-fixes new file mode 100644 index 000000000..0b7a84bad --- /dev/null +++ b/changelog.d/3-deploy-builds/wiab-dev-5.25-fixes 
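Review bot: `branches: ["**"]` under `pull_request` is a filter that matches every branch, so it adds nothing over a bare `pull_request:` trigger and can be dropped. Removing the `push:` trigger also means the changelog check no longer runs on direct pushes to master; that is fine if master is protected against direct pushes, otherwise keep `push: branches: [master]` alongside the PR trigger.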
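Review bot: `pgPassword: verysecurepassword` for background-worker is a literal emitted by the secrets generator, and unlike the `pgPassword` entries in prod-secrets.example.yaml it carries no note that the real value comes from the `wire-postgresql-external-secret` Kubernetes secret; if nothing downstream rewrites it, a default password ends up in the generated production secrets. I cannot see how brig's and galley's `pgPassword` are produced earlier in this script; whatever they use (a shared variable, or the rotation step in bin/helm-operations.sh that the new prod-secrets header refers to) should be applied here too so the three values cannot drift. At minimum carry the same comment the example file has: `#retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d"`.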
@@ -0,0 +1,4 @@ +Fixed: sync offline-secrets and prod-secrets.example.yaml and add comments +Added: enable postgresql secret for background-worker in wiab-dev +Fixed: sync wire-server helm chart values for wiab-dev from prod values for 5.25 +Fixed: sync wire-server helm chart secrets for wiab-dev from prod values for 5.25 diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml index 7bc5ecad3..0780cc146 100644 --- a/values/wire-server/demo-secrets.example.yaml +++ b/values/wire-server/demo-secrets.example.yaml 
@@ -1,66 +1,93 @@ -# CHANGEME-DEMO: All values here should be changed/reviewed +# CHANGEME-DEV: All values here should be changed/reviewed +# check the ansible playbook ansible/wiab-demo/wire_secrets.yml on how these secrets are being randomly generated and rotated +# make sure that any secrets related to external services like AWS, giphy, youtube, spotify etc are being updated before running the random secret generation (ansible/wiab-demo/wire_secrets.yml) at demo-secrets.example.yaml and before deploying the helm charts using the playbook (ansible/wiab-demo/helm_install.yml) + +# The secrets for services like elasticsearch, postgresql, rabbitmq and AWS (fake) secretID and key are configured in their helm charts. The values passed to these charts can be modified at wire-server-deploy/service-name/demo-[values|secrets].example.yaml +# postgresql - https://github.com/wireapp/helm-charts/tree/dev/charts/postgresql +# elasticsearch - https://github.com/wireapp/wire-server/blob/develop/charts/elasticsearch-ephemeral +# rabbitMQ - https://github.com/wireapp/wire-server/tree/develop/charts/rabbitmq +# fake-aws - https://github.com/wireapp/wire-server/tree/develop/charts/fake-aws +# AWS - this needs to be checked with wire support if needs to use real AWS services + elasticsearch-index: secrets: elasticsearch: - username: elastic - password: changeme + username: "elastic" + password: "changeme" + brig: secrets: + pgPassword: verysecurepassword smtpPassword: dummyPassword zAuth: # generate zauth public/private keys with the 'zauth' executable from wire-server: - # ./dist/zauth -m gen-keypair -i 1 + # sudo docker run $ZAUTH_CONTAINER -m gen-keypair publicKeys: "" privateKeys: "" turn: # generate a high-entropy random string, e.g. 
using - # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42 + # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 64 secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp - # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - # These are only necessary if you wish to support sign up via SMS/calls - # And require accounts at twilio.com / nexmo.com rabbitmq: username: wire-server password: verysecurepassword - # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster - # To extract the secret from an existing Kubernetes cluster: - # kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d - pgPassword: dummyPassword # gets replaced by the actual secret elasticsearch: username: "elastic" password: "changeme" elasticsearchAdditional: username: "elastic" password: "changeme" -cannon: + +cargohold: secrets: + awsKeyId: dummykey + awsSecretKey: dummysecret rabbitmq: username: wire-server password: verysecurepassword -cargohold: +cannon: secrets: - # these only need to be changed if using real AWS services - awsKeyId: dummykey - awsSecretKey: dummysecret rabbitmq: username: wire-server password: verysecurepassword galley: secrets: - # these only need to be changed if using real AWS services - awsKeyId: dummykey - awsSecretKey: dummysecret - # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster - # To extract the secret from an existing Kubernetes cluster: - # kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d - pgPassword: dummyPassword # gets replaced by the actual secret rabbitmq: username: wire-server password: verysecurepassword + pgPassword: verysecurepassword + # these only need to be changed if using real AWS services + awsKeyId: dummykey + awsSecretKey: dummysecret + + # Generate MLS private keys using openssl + # readonly MLS_KEY_INDENT=" 
" + # Keys need 10 spaces indent (5 levels deep: galley.secrets.mlsPrivateKeys.removal.keyname) + # generate_mls_key() { openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'} + # mls_ed25519_key="$(generate_mls_key -algorithm ed25519)" + # mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)" + # mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)" + # mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)" + + # this will get initialized from wire_secrets.yml playbook or can be generated using above logic + # mlsPrivateKeys: + # removal: + # ed25519: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp256r1_sha256: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp384r1_sha384: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp521r1_sha512: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- gundeck: secrets: @@ -71,19 +98,19 @@ gundeck: username: wire-server password: verysecurepassword -proxy: - secrets: - # If you desire proxying/previews for the following services, - # set 'tags.proxy: true' in demo-values.yaml, - # create accounts with them and fill in these values: - proxy_config: |- - secrets { - youtube = "..." - googlemaps = "..." - soundcloud = "..." - giphy = "..." - spotify = "Basic ..." - } +# proxy: +# secrets: +# # If you desire proxying/previews for the following services, +# # set 'tags.proxy: true' in demo-values.yaml, +# # create accounts with them and fill in these values: +# proxy_config: |- +# secrets { +# youtube = "..." +# googlemaps = "..." +# soundcloud = "..." +# giphy = "..." +# spotify = "Basic ..." +# } nginz: secrets: 
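Review bot: The `generate_mls_key()` one-liner in the new galley comment is not valid shell as written: the closing `}` is glued to the awk program (`'{printf "%s%s\n", indent, $0}'}`), so bash never sees the end of the function body and anyone pasting it gets a syntax error; it also discards openssl's stderr, so a failed key generation yields an empty key that is silently written into the file. Suggested line: `# generate_mls_key() { openssl genpkey "$@" | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'; }`. Separately, the turn comment now recommends `head -c 64` while the `secret:` placeholder is still the 42-character `CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp`; the same mismatch is in the prod-secrets.example.yaml hunk below, and either the placeholder or the recommendation should be adjusted so they agree.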
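Review bot: The now commented-out `proxy:` block keeps the instruction "set 'tags.proxy: true' in demo-values.yaml … and fill in these values" but no longer says that this block itself has to be uncommented; presumably enabling the tag without restoring `proxy_config` deploys the proxy chart with no configuration. Add one line above the block: `# To use the proxy, uncomment this whole block as well as tags.proxy in demo-values.yaml.`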
@@ -93,9 +120,11 @@ nginz: # only necessary in test environments (env="staging"). See charts/nginz/README.md basicAuth: ":" + # RabbitMQ credentials for background-worker. background-worker: secrets: + pgPassword: verysecurepassword rabbitmq: username: wire-server password: verysecurepassword diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index fed128a0a..bda10b12c 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -1,3 +1,4 @@ +# CHANGEME-DEV: All values here should be changed/reviewed tags: proxy: false # enable if you want/need giphy/youtube/etc proxying legalhold: false # Enable if you need legalhold @@ -15,18 +16,21 @@ elasticsearch-index: host: elasticsearch-ephemeral cassandra: host: cassandra-ephemeral - brig: replicaCount: 1 # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + multiSFT: + enabled: false # enable to turn on SFT to SFT communication for federated calls cassandra: host: cassandra-ephemeral elasticsearch: host: elasticsearch-ephemeral rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq postgresql: host: postgresql # DNS name without protocol port: "5432" 
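Review bot: The new `# RabbitMQ credentials for background-worker.` comment is placed above `background-worker:`, but the same hunk adds `pgPassword` to that block, so the comment understates what it covers; use `# PostgreSQL and RabbitMQ credentials for background-worker.` or move it directly above `rabbitmq:`. Placed after nginz's `basicAuth: ":"` with a blank line in between, it also reads at first glance as if it belonged to nginz; keep annotations immediately above the key they describe.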
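Review bot: The comment added above `host: rabbitmq` in brig.config.rabbitmq says "Change to rabbitmq when using rabbitmq chart" while the value already is `rabbitmq`, and calls `rabbitmq-external` the default although nothing in this demo file sets it; the reader cannot tell whether the line is in its intended state. Word it as the current state of this file, e.g. `# Demo/CI: rabbitmq (rabbitmq chart from databases-ephemeral). Production: rabbitmq-external (external RabbitMQ VMs).` The identical comment is repeated in the cannon, galley, gundeck and background-worker hunks of this file and should change in all of them.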
@@ -34,27 +38,29 @@ brig: dbname: wire-server useSES: false # Set to false if you want to hand out DynamoDB to store prekeys - randomPrekeys: true + randomPrekeys: true aws: # change if using real AWS region: "eu-west-1" sqsEndpoint: http://fake-aws-sqs:4568 - #dynamoDBEndpoint: http://fake-aws-dynamodb:4567 - + # dynamoDBEndpoint: http://fake-aws-dynamodb:4567 + # these must match the table names created on fake or real AWS services internalQueue: integration-brig-events-internal prekeyTable: integration-brig-prekeys externalUrls: nginz: https://nginz-https.example.com # change this - teamSettings: https://teams.example.com # change this (on unset if team settings are not used) + teamSettings: https://teams.example.com # change this (or unset if team settings are not used) teamCreatorWelcome: https://teams.example.com/login # change this teamMemberWelcome: https://wire.example.com/download # change this - enableFederation: false # Enable to use federation + enableFederation: false # Keep false unless federation is explicitly configured optSettings: - setFederationDomain: example.com # change this + setEnableMLS: false # Enable for MLS protocol use + setFederationDomain: example.com # change this per host deployment # Sync the domain with the 'host' variable in the sftd chart # Comment the next line (by adding '#' before it) if conference calling is not used setSftStaticUrl: "https://sftd.example.com:443" + # setSftListAllServers: "enabled" # Uncomment for Federation! # If set to true, creating new personal users or new teams on your instance from # outside your backend installation is disabled setRestrictUserCreation: false 
@@ -86,7 +92,9 @@ brig: deletionUrl: https://account.example.com/d/?key=${key}&code=${code} invitationUrl: https://account.example.com/i/${code} smtp: - host: smtp # change this if you want to use your own SMTP server + # Default: smtp (for CI/demo environments with demo-smtp chart) + # Production: Change to your actual SMTP server hostname + host: smtp port: 25 # change this connType: plain # change this. Possible values: plain|ssl|tls # proxy: @@ -127,12 +135,15 @@ cannon: # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 config: - cassandra: + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq + cassandra: host: cassandra-ephemeral metrics: serviceMonitor: enabled: true - cargohold: replicaCount: 1 # image: @@ -142,8 +153,9 @@ cargohold: # change if using real AWS region: "eu-west-1" s3Bucket: assets - s3Endpoint: http://fake-aws-s3:9000 + s3Endpoint: http://minio-external:9000 s3DownloadEndpoint: https://assets.example.com + enableFederation: false # Enable to use federation settings: federationDomain: example.com # change this # proxy: @@ -155,7 +167,6 @@ cargohold: metrics: serviceMonitor: enabled: true - galley: replicaCount: 1 # image: 
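Review bot: `s3Endpoint: http://minio-external:9000` in cargohold replaces the fake-aws endpoint in a file whose other AWS endpoints still point at fake-aws (`sqsEndpoint: http://fake-aws-sqs:4568` in brig) and whose companion demo-secrets header lists the fake-aws chart, and nothing in this change says what provides the `minio-external` service. Either keep `fake-aws-s3:9000` for the demo or annotate the new value, e.g. `s3Endpoint: http://minio-external:9000 # service name of the MinIO deployment; use http://fake-aws-s3:9000 with the fake-aws chart`. The endpoint being plain http is presumably acceptable for an in-cluster service, but since `s3DownloadEndpoint` right below is https, a short comment saying the S3 endpoint is internal-only would avoid the question.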
@@ -164,12 +175,18 @@ galley: cassandra: host: cassandra-ephemeral rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq postgresql: host: postgresql # DNS name without protocol port: "5432" user: wire-server dbname: wire-server + # Explicitly set postgresMigration to cassandra for fresh deployments. + # This controls whether galley reads conversations from Cassandra or PostgreSQL. + postgresMigration: + conversation: cassandra enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -177,7 +194,33 @@ galley: federationDomain: example.com # change this # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) featureFlags: + mls: # Keep disabled unless MLS is explicitly configured + defaults: + status: disabled + config: + protocolToggleUsers: [] + defaultProtocol: mls + allowedCipherSuites: [2] + defaultCipherSuite: 2 + supportedProtocols: [proteus, mls] + lockStatus: unlocked + mlsMigration: # Keep disabled unless MLS migration is explicitly configured + defaults: + status: disabled + config: + startTime: null + finalizeRegardlessAfter: null + usersThreshold: 100 + clientsThreshold: 100 + lockStatus: unlocked sso: disabled-by-default + # channels: # Uncomment to enable channels by default for all newly created teams + # defaults: + # status: enabled + # config: + # allowed_to_create_channels: team-members + # allowed_to_open_channels: team-members + # lockStatus: unlocked # NOTE: Change this to "disabled-by-default" for legalhold support # legalhold: disabled-by-default legalhold: disabled-permanently 
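Review bot: `mls.defaults.lockStatus: unlocked` together with `status: disabled` leaves the MLS flag switchable per team if `unlocked` carries its usual wire-server feature-flag meaning (team admins may override the default), while brig's `setEnableMLS` in this same change is `false` and `defaultProtocol: mls` would make new conversations default to MLS once a team flips it; I am inferring the override semantics from the feature-flag convention, not from this diff. If the inline comment ("Keep disabled unless MLS is explicitly configured") is the intent, consider `lockStatus: locked` for both `mls` and `mlsMigration` until MLS is configured, or extend the comment: `# mls: enabling also requires brig.config.optSettings.setEnableMLS: true; unlocked lets team admins switch it on`. The galley `postgresMigration` comment in the previous hunk is clear and worth keeping as is.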
@@ -193,12 +236,17 @@ galley: metrics: serviceMonitor: enabled: true - gundeck: replicaCount: 1 # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + redis: + host: databases-ephemeral-redis-ephemeral # Updated hostname for redis-ephemeral chart + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq cassandra: host: cassandra-ephemeral aws: @@ -218,7 +266,6 @@ gundeck: metrics: serviceMonitor: enabled: true - nginz: replicaCount: 1 config: 
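Review bot: `host: databases-ephemeral-redis-ephemeral # Updated hostname for redis-ephemeral chart` is a changelog-style comment ("Updated …") that says nothing once the change has landed; describe the value instead: `host: databases-ephemeral-redis-ephemeral # service name of the redis-ephemeral chart inside databases-ephemeral`. The rabbitmq comment in this hunk has the same wording problem noted on the brig hunk above.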
@@ -281,19 +328,51 @@ spar: enabled: true # Only needed when legalhold is enabled -#legalhold: -# host: "legalhold.example.com" -# wireApiHost: "https://nginz-https.example.com" - +legalhold: + host: "legalhold.example.com" + wireApiHost: "https://nginz-https.example.com" + metrics: + serviceMonitor: + enabled: true # Only needed when federation is enabled -#federator: -# tls: -# useSharedFederatorSecret: true - +federator: + # config: + # optSettings: + # federationStrategy: + # allowedDomains: + # - example.com + tls: + useSharedFederatorSecret: true + # remoteCAContents: | # Uncomment and place the federating backends root CA certificates in chain (if there are multiple) + metrics: + serviceMonitor: + enabled: true background-worker: config: + federationDomain: example.com + # logLevel: Debug + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq cassandra: host: cassandra-ephemeral + cassandraGalley: + host: cassandra-ephemeral + cassandraBrig: + host: cassandra-ephemeral + postgresql: + host: postgresql # DNS name without protocol + port: "5432" + user: wire-server + dbname: wire-server + # IMPORTANT: At Chart 5.25.0, the background-worker Helm chart incorrectly defaults + # postgresMigration.conversation to "postgresql" instead of "cassandra". + # This MUST be explicitly set to "cassandra" unless you have already migrated + # conversations to PostgreSQL. Without this override, User Group to Channel sync + # jobs will silently skip member synchronization. + postgresMigration: + conversation: cassandra # Enable for federation enableFederation: false metrics: diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml index c60a0f434..fee8c28d6 100644 --- a/values/wire-server/prod-secrets.example.yaml +++ b/values/wire-server/prod-secrets.example.yaml 
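Review bot: The `# Only needed when legalhold is enabled` and `# Only needed when federation is enabled` comments now sit above blocks that are uncommented and populated, while `tags.legalhold` stays `false` in the top hunk and every `enableFederation` in this file is `false`, so a reader can no longer tell from the comment whether `legalhold:` and `federator:` are inert. Reword them to the activation path, e.g. `# Populated so the chart renders; only deployed when tags.legalhold is true` (I am assuming the tags block gates these charts; confirm), and mark `host: "legalhold.example.com"` and `wireApiHost` with `# change this` like the other example hostnames. The background-worker `postgresMigration` comment is useful; since it pins the caveat to "Chart 5.25.0", add the condition under which it can be removed (e.g. "remove once the chart defaults to cassandra or conversations are migrated") so it is not copied forward indefinitely.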
@@ -1,30 +1,25 @@ # CHANGEME-PROD: All values here should be changed/reviewed +# check the script bin/offline-secrets.sh on how these secrets are being randomly generated. +# check the script bin/helm-operations.sh on how the secrets are being rotated and updated. +# make sure that any secrets related to external services like AWS, giphy, youtube, spotify etc are being updated post running the random secret generation by bin/offline-secrets.sh and before deploying the helm charts using the script bin/helm-operations.sh + brig: secrets: #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d" pgPassword: verysecurepassword - smtpPassword: dummyPassword zAuth: # generate zauth public/private keys with the 'zauth' executable from wire-server: - # ./dist/zauth -m gen-keypair -i 1 + # sudo docker run $ZAUTH_CONTAINER -m gen-keypair publicKeys: "" privateKeys: "" turn: # generate a high-entropy random string, e.g. using - # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42 + # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 64 secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - # These are only necessary if you wish to support sign up via SMS/calls - # And require accounts at twilio.com / nexmo.com - rabbitmq: - username: guest - password: guest - -cannon: - secrets: rabbitmq: username: guest password: guest 
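Review bot: `smtpPassword: dummyPassword` is dropped from `brig.secrets` in the production example but kept in demo-secrets.example.yaml (hunk above), so an operator with an authenticating SMTP relay loses the one place that showed the key; if the chart treats it as optional, keep it commented with a note, e.g. `# smtpPassword: "" # set when brig.config.smtp requires authentication`. `$ZAUTH_CONTAINER` in the new zauth comment is not defined anywhere in this change (the same line appears in the demo-secrets hunk); say where the variable comes from or give the image reference it should hold. The removed `rabbitmq: guest/guest` under brig and the removed `cannon:` block reappear later in the file in the next hunk, so that part is a reorder only.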
@@ -39,16 +34,22 @@ cargohold: username: guest password: guest +cannon: + secrets: + rabbitmq: + username: guest + password: guest + galley: secrets: + rabbitmq: + username: guest + password: guest #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d" pgPassword: verysecurepassword # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - rabbitmq: - username: guest - password: guest mlsPrivateKeys: removal: ed25519: |