Merge pull request #1832 from wireapp/release-2021-10-01
fisx authored Oct 4, 2021
2 parents 26d73d0 + d98b142 commit 143ee9f
Showing 358 changed files with 13,318 additions and 12,263 deletions.
12 changes: 7 additions & 5 deletions .github/pull_request_template.md
@@ -2,11 +2,13 @@

- [ ] The **PR Title** explains the impact of the change.
- [ ] The **PR description** provides context as to why the change should occur and what the code contributes to that effect. This could also be a link to a JIRA ticket or a Github issue, if there is one.
- [ ] If end-points have been added or changed: the **endpoint / config-flag checklist** (see Wire-employee only backend [wiki page](https://github.com/zinfra/backend-wiki/wiki/Checklists)) has been followed.
- [ ] If a schema migration has been added, I ran **`make git-add-cassandra-schema`** to update the cassandra schema documentation.
- [ ] If HTTP endpoint paths have been added or renamed, the **endpoint / config-flag checklist** (see Wire-employee only backend [wiki page](https://github.com/zinfra/backend-wiki/wiki/Checklists)) has been followed.
- [ ] If a cassandra schema migration has been added, I ran **`make git-add-cassandra-schema`** to update the cassandra schema documentation.
- [ ] **changelog.d** contains the following bits of information:
- [ ] A file with the changelog entry in one or more suitable sub-sections. The sub-sections are marked by directories inside `changelog.d`.
- [ ] If /a: measures to be taken by instance operators.
- [ ] If /a: list of cassandra migrations.
- [ ] If public end-points have been changed or added: does nginz need upgrade?
- [ ] If new config options introduced: added usage description under docs/reference/config-options.md
- [ ] If new config options introduced: recommended measures to be taken by on-premise instance operators.
- [ ] If a cassandra schema migration is backwards incompatible (see also [these docs](https://github.com/wireapp/wire-server/blob/develop/docs/developer/cassandra-interaction.md#cassandra-schema-migrations)), measures to be taken by on-premise instance operators are explained.
- [ ] If a data migration (not schema migration) introduced: measures to be taken by on-premise instance operators.
- [ ] If public end-points have been changed or added: does nginz need un upgrade?
- [ ] If internal end-points have been added or changed: which services have to be deployed in a specific order?
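Review bot: typo in the rewritten nginz checklist item, "does nginz need un upgrade?" should read "does nginz need an upgrade?"; the line it replaces had the correct wording, so this looks like an accidental edit rather than an intended change.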
95 changes: 94 additions & 1 deletion CHANGELOG.md
@@ -1,5 +1,98 @@
<!-- if you're not the release manager, do your edits to changelog under CHANGELOG.d/ -->

# [2021-10-01]

## Release notes

* Deploy brig before galley (#1811, #1818)
* The conference call initiation feature can now be configured for personal accounts in `brig.yaml`. `enabled` is the default and the previous behavior. If you want to change that, read [/docs/reference/config-options.md#conference-calling-1](https://github.com/wireapp/wire-server/blob/develop/docs/reference/config-options.md#conference-calling-1) (#1811, #1818)
* Only if you are an early adopter of multi-team IdP issuers on release [2021-09-14](https://github.com/wireapp/wire-server/releases/tag/v2021-09-14): note that the [query parameter for IdP creation has changed](https://github.com/wireapp/wire-server/pull/1763/files#diff-bd66bf2f3a2445e08650535a431fc33cc1f6a9e0763c7afd9c9d3f2d67fac196). This only affects future calls to this one end-point. (#1763)
* For wire.com cloud operators: reminder to also deploy nginz. (No special action needed for on-premise operators) (#1773)

## API changes

* Add endpoint `POST /connections/:domain/:userId` to create a connection (#1773)
* Deprecate `PUT /conversations/:cnv/access` endpoint (#1807)
* Deprecate `PUT /conversations/:cnv/message-timer` endpoint (#1780)
* Deprecate `PUT /conversations/:cnv/members/:usr` endpoint (#1784)
* Deprecate `PUT /conversations/:cnv/receipt-mode` endpoint (#1797)
* Add endpoint `GET /connections/:domain/:userId` to get a single connection (#1773)
* Add `POST /list-connections` endpoint to get connections (#1773)
* Add qualified endpoint for updating conversation access (#1807)
* Add qualified endpoint for updating message timer (#1780)
* Add qualified endpoint for updating conversation members (#1784)
* Add qualified endpoint for updating receipt mode (#1797)
* Add endpoint `PUT /connections/:domain/:userId` to update a connection (#1773)

## Features

* Helm charts to deploy [ldap-scim-bridge](https://github.com/wireapp/ldap-scim-bridge) (#1709)
* Per-account configuration of conference call initiation (details: /docs/reference/config-options.md#conference-calling-1) (#1811, #1818)

## Bug fixes and other updates

* An attempt to create a 3rd IdP with the same issuer was triggering an exception. (#1763)
* When a user was auto-provisioned into two teams under the same pair of `Issuer` and `NameID`, they where directed into the wrong team, and not rejected. (#1763)

## Documentation

* Expand documentation of `conversations/list-ids` endpoint (#1779)
* Add documentation of the multi-table paging abstraction (#1803)
* Document how to use IdP issuers for multiple teams (#1763)
* All named Swagger schemas are now displayed in the Swagger UI (#1802)

## Internal changes

* Abstract out multi-table-pagination used in list conversation-ids endpoint (#1788)
* Testing: rewrite monadic to applicative style generators (#1782)
* Add a test checking that creating conversations of exactly the size limit is allowed (#1820)
* Rewrite the DELETE /self endpoint to Servant (#1771)
* Fix conversation generator in mapping test (#1778)
* Polysemize spar (#1806, #1787, #1793, #1814, #1792, #1781, #1786, #1810, #1816, #1815)
* Refactored a few functions dealing with conversation updates, in an attempt to
make the conversation update code paths more uniform, and also reduce special
cases for local and remote objects. (#1801)
* Merged http2-client fixes as mentioned in the comments of #1703 (#1809)
* Some executables now have a runtime dependency on ncurses (#1791)
* Minor changes around SAML and multi-team Issuers.
- Change query param to not contain `-`, but `_`. (This is considered an internal change because the feature has been release in the last release, but only been documented in this one.)
- Haddocks.
- Simplify code.
- Remove unnecessary calls to cassandra. (#1763)
* Clean up JSON Golden Tests (Part 6) (#1769)
* Remove explicit instantiations of ErrorDescription (#1794)
* Remove one flaky integration test about ordering of search results (#1798)
* Report all failures in JSON golden tests in a group at once (#1746)
* Convert the `PUT /conversations/:cnv/access` endpoint to Servant (#1807)
* Move /connections/* endpoints to Servant (#1770)
* Servantify Galley's DELETE /i/user endpoint (#1772)
* Convert the `PUT /conversations/:cnv/message-timer` endpoint to Servant (#1780)
* Convert the `PUT /conversations/:cnv/members/:usr` endpoint to Servant (#1796)
* Convert the `PUT /conversations/:cnv/receipt-mode` endpoint to Servant (#1797)
* Expose wire.com internal EJDP process to backoffice/stern. (#1831)
* Update configurable boolean team feature list in backoffice/stern. (#1829)
* Handle upper/lower case more consistently in scim and rich-info data. (#1754)

## Federation changes

* Add value for verification depth of client certificates in federator ingress (#1812)
* Document federation API conventions and align already existing APIs (#1765)
* Notify remote users when a conversation access settings are updated (#1808)
* Notify remote users when a conversation member role is updated (#1785)
* Notify remote users when a conversation message timer is updated (#1783)
* Notify remote users when a conversation is renamed (#1767)
* Make sure that only users that are actually part of a conversation get notified about updates in the conversation metadata (#1767)
* Notify remote users when a conversation receipt mode is updated (#1801)
* Implement updates to remote members (#1785)
* Make conversation ID of the on-conversation-created RPC unqualified (#1766)
* 4 endpoints for create/update/get/list connections designed for remote users in mind. So far, the implementation only works for local users (actual implementation will come as a follow-up) (#1773)
* The returned `connection` object now has a `qualified_to` field with the domain of the (potentially remote) user. (#1773)
* Add migration for remote connection table (#1789)
* Remove a user from remote conversations upon deleting their account (#1790)
* Remove elasticsearch specific details from the search endpoint (#1768)
* Added support for updating self member status of remote conversations (#1753)


# [2021-09-14]

## API changes
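Review bot: three wording slips in the new release section: under "Bug fixes and other updates", "they where directed" should be "they were directed"; under "Internal changes", "the feature has been release in the last release" should be "has been released"; under "Federation changes", "when a conversation access settings are updated" should be "when a conversation's access settings are updated". One content point: the federation entry "Add value for verification depth of client certificates in federator ingress (#1812)" introduces a new `tls.verify_depth` chart value whose default (1) changes what client-certificate chains the federator ingress accepts, so it deserves a line under "Release notes" for operators whose federation certificates are issued through an intermediate CA.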
@@ -16,7 +109,7 @@
## Features

* Disallow changing phone number to a black listed phone number (#1758)
* Support using a single IDP with a single EntityID (aka issuer ID) to set up two teams. Required to support multiple teams in environments where the IDP software cannot present anything but one EntityID (E.G.: DualShield). (#1755)
* Support using a single IDP with a single EntityID (aka issuer ID) to set up two teams. Sets up a migration, and makes teamID + EntityID unique, rather than relying on EntityID to be unique. Required to support multiple teams in environments where the IDP software cannot present anything but one EntityID (E.G.: DualShield). (#1755)

## Documentation

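Review bot: the expanded #1755 entry is clearer about the uniqueness change (teamID + EntityID instead of EntityID alone), but it spells "IDP" where every other entry in this file writes "IdP", and "E.G.:" should be "e.g."; worth aligning while the line is being touched.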
3 changes: 2 additions & 1 deletion build/alpine/Dockerfile.deps
@@ -27,4 +27,5 @@ RUN apk add --no-cache \
llvm-libunwind \
ca-certificates \
dumb-init \
libxml2
libxml2 \
ncurses
3 changes: 0 additions & 3 deletions changelog.d/2-features/pr-1755

This file was deleted.

2 changes: 1 addition & 1 deletion changelog.d/mk-changelog.sh
@@ -16,7 +16,7 @@ for d in "$DIR"/*; do
echo -n "## "
sed '$ a\' "$d/.title"
echo ""
for f in "$d"/*; do
for f in "$d"/*[^~]; do
pr=$(getPRNumber $f)
sed -r '
# create a bullet point on the first line
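Review bot: the new glob `"$d"/*[^~]` is meant to skip editor backup files ending in `~`, but `[^...]` negation is a bash extension; the POSIX bracket-expression form is `[!~]`, so use `"$d"/*[!~]` unless the script is guaranteed to run under bash. The following context line, `pr=$(getPRNumber $f)`, also passes `$f` unquoted; since the loop now depends on exact file names, quote it as `getPRNumber "$f"`.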
21 changes: 21 additions & 0 deletions charts/ldap-scim-bridge/.helmignore
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
4 changes: 4 additions & 0 deletions charts/ldap-scim-bridge/Chart.yaml
@@ -0,0 +1,4 @@
apiVersion: v1
description: ldap-scim-bridge - Sync LDAP via Wire Server SCIM API
name: ldap-scim-bridge
version: 0.0.1
17 changes: 17 additions & 0 deletions charts/ldap-scim-bridge/README.md
@@ -0,0 +1,17 @@
# ldap-scim-bridge

To do a test deployment on a existing cluster from a machine able to deploy helm charts…
```bash
git clone wire-server
cd wire-server
# deploy test instance of openldap with preloaded users
helm upgrade --install -n wire openldap charts/openldap/
# deploy ldap-scim-bridge with default chart values
helm upgrade --install -n wire ldap-scim-bridge charts/ldap-scim-bridge -f charts/ldap-scim-bridge/values.yaml
```

The kubernetes cronjob resource will spawn a new `ldap-scim-bridge-XXXXXX` pod every minute. Logs for the pod can be gathered with `kubectl log`.
```
kubectl get pods -n wire
kubectl logs ldap-scim-bridge-XXXXXX -n wire
```
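Review bot: `git clone wire-server` is not a usable clone target; either give the repository URL (https://github.com/wireapp/wire-server, which appears elsewhere in this changeset) or phrase the step as "from a checkout of wire-server". Smaller fixes in the same block: "a existing cluster" should be "an existing cluster", the log command is `kubectl logs` rather than `kubectl log`, and the second fence lacks the `bash` tag the first one has.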
39 changes: 39 additions & 0 deletions charts/ldap-scim-bridge/templates/cronjob.yaml
@@ -0,0 +1,39 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: ldap-scim-bridge
labels:
wireService: ldap-scim-bridge
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.schedule | quote }}
jobTemplate:
metadata:
labels:
wireService: ldap-scim-bridge
release: {{ .Release.Name }}
annotations:
# An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
spec:
backoffLimit: 0
template:
spec:
restartPolicy: Never
volumes:
- name: "ldap-scim-bridge-config"
secret:
secretName: "ldap-scim-bridge"
containers:
- name: ldap-scim-bridge
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
args: ["ldap-scim-bridge", "/etc/ldap-scim-bridge/config.yaml"]
volumeMounts:
- name: "ldap-scim-bridge-config"
mountPath: "/etc/ldap-scim-bridge/"
resources:
{{ toYaml .Values.resources | indent 16 }}
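Review bot: the annotation comment says "configmap checksum", but the checksum is taken over `secret.yaml` and the key is `checksum/secret`; change the comment to say "secret" so readers do not go looking for a configmap. Separately, `batch/v1beta1` for CronJob is deprecated in favour of `batch/v1` (stable since Kubernetes 1.21, with v1beta1 removed in 1.25); either switch to `batch/v1` or document the supported cluster versions for this chart. Since the container mounts a Secret holding the LDAP bind password and the SCIM token, a `securityContext` on the container (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`) would be a cheap hardening step to add here.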
13 changes: 13 additions & 0 deletions charts/ldap-scim-bridge/templates/secret.yaml
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
name: ldap-scim-bridge
labels:
wireService: ldap-scim-bridge
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
stringData:
config.yaml: |
{{ toYaml .Values.config | indent 4 }}
42 changes: 42 additions & 0 deletions charts/ldap-scim-bridge/values.yaml
@@ -0,0 +1,42 @@
image:
repository: quay.io/wire/ldap-scim-bridge
tag: 0.2
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
# https://v1-19.docs.kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
# schedule: "@hourly"
schedule: "*/1 * * * *"
# https://github.com/wireapp/ldap-scim-bridge
config:
logLevel: "Debug" # one of Trace,Debug,Info,Warn,Error,Fatal; `Fatal` is least noisy, `Trace` most.
ldapSource:
tls: false
host: "openldap"
port: 389
dn: "cn=admin,dc=nodomain"
password: "admin"
search:
base: "ou=People,dc=nodomain"
objectClass: "account"
codec: "utf8"
deleteOnAttribute: # optional, related to `delete-from-directory`.
key: "deleted"
value: "true"
deleteFromDirectory: # optional; ok to use together with `delete-on-attribute` if you use both.
base: "ou=DeletedPeople,dc=nodomain"
objectClass: "account"
scimTarget:
tls: false
host: "spar"
port: 8080
path: "/scim/v2"
token: "Bearer U6DRfAcwsvCg9eBStJWtiHu/XqTB1iVDcvNcsuftvqk="
mapping:
userName: "uidNumber"
externalId: "uid"
email: "email"
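Review bot: the defaults ship a bind `password`, a SCIM `token` value, `tls: false` for both `ldapSource` and `scimTarget`, and `logLevel: "Debug"`. That is acceptable for the openldap test deployment the README describes, but because `secret.yaml` renders this whole `config` block into a Secret, the file should state that these are test values and that `config.ldapSource.password`, `config.scimTarget.token`, `tls`, and `logLevel` must be overridden for any real instance; the committed token should be treated as public and rotated if it was ever valid.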
@@ -13,6 +13,7 @@ metadata:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "{{ .Values.tls.verify_depth }}"
nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/federator-ca-secret"
nginx.ingress.kubernetes.io/configuration-snippet: |
grpc_set_header "X-SSL-Certificate" $ssl_client_escaped_cert;
2 changes: 2 additions & 0 deletions charts/nginx-ingress-services/values.yaml
@@ -29,6 +29,8 @@ tls:
# `helm upgrade --install -n cert-manager-ns --set 'installCRDs=true' cert-manager jetstack/cert-manager`
#
useCertManager: false
# the validation depth between a federator client certificate and tlsClientCA
verify_depth: 1

certManager:
# Indicates whether Letsencrypt's staging API server is used and therefore certificates are NOT trusted
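Review bot: the comment on `verify_depth` should say what the value means for operators: with `1`, the ingress accepts only federator client certificates issued directly by a CA in `federator-ca-secret`, and a chain that goes through an intermediate CA fails verification until the depth is raised. Stating that here (and noting the default in the #1812 changelog entry) avoids a hard-to-diagnose TLS handshake failure on first federation contact.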
3 changes: 3 additions & 0 deletions charts/nginz/values.yaml
@@ -97,6 +97,9 @@ nginx_conf:
- path: /connections
envs:
- all
- path: ~* ^/list-connections$
envs:
- all
- path: /invitations
envs:
- all
21 changes: 21 additions & 0 deletions charts/openldap/.helmignore
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
4 changes: 4 additions & 0 deletions charts/openldap/Chart.yaml
@@ -0,0 +1,4 @@
apiVersion: v1
description: openldap - Test instance for LDAP sync with ldap-scim-bridge
name: openldap
version: 0.0.1