From 6092fbc57b9880dfe94c4d479499e09ec3d6c433 Mon Sep 17 00:00:00 2001 
From: Sven Tennie Date: Mon, 16 Dec 2024 10:46:58 +0100 Subject: [PATCH] wire-server-enterprise as a service (#4357) * services/wire-server-enterprise: Introduce * GHA: Use special token to checkout so private submodules can be pulled * services/wire-server-enterprise: Use https URL for submodule * cabal.project: Add wire-server-enterprise service * Update wire-server-enterprise submodule * Add internal endpoint for enterprise It defines only /status. * Follow feature branch * docs: Describe the Git repo URL rewriting hack * Add `wire-server-enterprise` to `integration` No tests so far, however we can start the service this way (`make cr`.) * Add changelog entry This should be improved / added to while we grow this feature. * Use latest version of actions/checkout We use this to clone wire-server for checking docs. * CI: Try different auth token Debugging... * Hi CI * Hi CI * Upgrade wire-server-enterprise * Install wire-server-enterprise for integration tests This may not work due to missing registry pull secrets. We'll see... * Provide wire-server-enterprise config to integration * Set image chart version for wire-server-enterprise * Take image pull secret from env variable Secrets won't work as they are scoped to the namespace. * Document usage of ENTERPRISE_IMAGE_PULL_SECRET * `integration` needs service binary * Mention that wire-server-enterprise is required to build wire-server * Let submodule point to main Feature branch has been merged. 
* More changelog --------- Co-authored-by: Matthias Fischmann --- .github/workflows/ci.yml | 3 ++- .gitmodules | 4 ++++ cabal.project | 1 + changelog.d/0-release-notes/enterprise | 8 +++++++ charts/integration/templates/configmap.yaml | 14 +++++++++++ .../templates/integration-integration.yaml | 8 +++++++ docs/src/developer/developer/how-to.md | 23 +++++++++++++++++++ hack/bin/set-wire-server-image-version.sh | 2 +- hack/helmfile.yaml | 14 +++++++++++ integration/test/Testlib/Env.hs | 1 + integration/test/Testlib/Ports.hs | 1 + integration/test/Testlib/ResourcePool.hs | 3 ++- integration/test/Testlib/Types.hs | 16 +++++++++---- .../Wire/API/Routes/Internal/Enterprise.hs | 13 +++++++++++ libs/wire-api/wire-api.cabal | 1 + nix/local-haskell-packages.nix | 1 + nix/wire-server.nix | 2 ++ services/integration.yaml | 13 +++++++++++ services/wire-server-enterprise | 1 + 19 files changed, 122 insertions(+), 7 deletions(-) create mode 100644 changelog.d/0-release-notes/enterprise create mode 100644 libs/wire-api/src/Wire/API/Routes/Internal/Enterprise.hs create mode 160000 services/wire-server-enterprise diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c8adcfe6995..a9fb8f0d325 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,9 +11,10 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: submodules: true + token: '${{ secrets.GH_DOCS_WORKFLOW }}' - uses: cachix/install-nix-action@v27 - uses: cachix/cachix-action@v15 with: diff --git a/.gitmodules b/.gitmodules index ad996d503f7..de3af4ff464 100644 --- a/.gitmodules +++ b/.gitmodules 
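Review bot: The `token` added to the `actions/checkout@v4` step stays in the checked-out repository's git configuration for the rest of the job, because the step does not set `persist-credentials`. Every later step, including the two cachix actions shown here, can therefore read a credential that opens the private submodule. Adding `persist-credentials: false` under `with:` should keep the token in place only while checkout fetches the submodule. The secret name `GH_DOCS_WORKFLOW` suggests it was created for another workflow, so confirm it is read-only and scoped to the repositories this job needs. Since a secret is now handed to them, consider pinning the actions to commit SHAs rather than mutable tags; the steps list continues outside the hunk.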
@@ -1,3 +1,7 @@ [submodule "libs/wire-message-proto-lens/generic-message-proto"] path = libs/wire-message-proto-lens/generic-message-proto url = https://github.com/wireapp/generic-message-proto +[submodule "services/wire-server-enterprise"] + path = services/wire-server-enterprise + url = https://github.com/wireapp/wire-server-enterprise + branch = main diff --git a/cabal.project b/cabal.project index 2daabf40f47..d7cdd3afd99 100644 --- a/cabal.project +++ b/cabal.project @@ -40,6 +40,7 @@ packages: , services/galley/ , services/gundeck/ , services/proxy/ + , services/wire-server-enterprise , services/spar/ , tools/db/assets/ , tools/db/auto-whitelist/ diff --git a/changelog.d/0-release-notes/enterprise b/changelog.d/0-release-notes/enterprise new file mode 100644 index 00000000000..18f3c895b41 --- /dev/null +++ b/changelog.d/0-release-notes/enterprise @@ -0,0 +1,8 @@ +This release contains a new Git submodule: `wire-server-enterprise`. This module +represents a service which contains all non-open-source features. Wire can still +be deployed and run without this service. Building it without +`wire-server-enterprise` is currently not documented, but Wire will keep providing the artefacts. + +The service can be deployed with a dedicated Helm chart +(`charts/wire-server-enterprise`.) The required service image is not freely +available (the registry is password protected.) diff --git a/charts/integration/templates/configmap.yaml b/charts/integration/templates/configmap.yaml index 77177433dee..ae450fe9a7a 100644 --- a/charts/integration/templates/configmap.yaml +++ b/charts/integration/templates/configmap.yaml @@ -61,6 +61,10 @@ data: host: stern.{{ .Release.Namespace }}.svc.cluster.local port: 8080 + wireServerEnterprise: + host: wireServerEnterprise.{{ .Release.Namespace }}.svc.cluster.local + port: 8080 + originDomain: federation-test-helper.{{ .Release.Namespace }}.svc.cluster.local rabbitmq: 
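Review bot: The host `wireServerEnterprise.{{ .Release.Namespace }}.svc.cluster.local` added to configmap.yaml uses a camel-case name, which cannot be a Kubernetes Service name because Service names are lower-case DNS labels. The volume added in integration-integration.yaml refers to the ConfigMap as `wire-server-enterprise`, so the Service is presumably named the same way. If so, the line should read `host: wire-server-enterprise.{{ .Release.Namespace }}.svc.cluster.local`; otherwise the integration tests point at a name that does not resolve. The same prefix is used in the `-fed2`, `wire-federation-v0` and `wire-federation-v1` hunks of this file. The enterprise chart is not part of this diff, so confirm the actual Service name there.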
@@ -117,6 +121,10 @@ data: host: stern.{{ .Release.Namespace }}-fed2.svc.cluster.local port: 8080 + wireServerEnterprise: + host: wireServerEnterprise.{{ .Release.Namespace }}-fed2.svc.cluster.local + port: 8080 + originDomain: federation-test-helper.{{ .Release.Namespace }}-fed2.svc.cluster.local dynamicBackends: @@ -176,6 +184,9 @@ data: stern: host: stern.wire-federation-v0.svc.cluster.local port: 8080 + wireServerEnterprise: + host: wireServerEnterprise.wire-federation-v0.svc.cluster.local + port: 8080 federation-v1: originDomain: federation-test-helper.wire-federation-v1.svc.cluster.local @@ -215,5 +226,8 @@ data: stern: host: stern.wire-federation-v1.svc.cluster.local port: 8080 + wireServerEnterprise: + host: wireServerEnterprise.wire-federation-v1.svc.cluster.local + port: 8080 integrationTestHostName: integration-headless.{{ .Release.Namespace }}.svc.cluster.local diff --git a/charts/integration/templates/integration-integration.yaml b/charts/integration/templates/integration-integration.yaml index dd351986e7b..454a3fa151e 100644 --- a/charts/integration/templates/integration-integration.yaml +++ b/charts/integration/templates/integration-integration.yaml @@ -93,6 +93,11 @@ spec: secret: secretName: {{ include "cassandraTlsSecretName" .Values.config }} {{- end }} + + - name: wire-server-enterprise-config + configMap: + name: wire-server-enterprise + restartPolicy: Never initContainers: @@ -284,6 +289,9 @@ spec: mountPath: "/etc/wire/spar/cassandra" {{- end }} + - name: wire-server-enterprise-config + mountPath: /etc/wire/wire-server-enterprise/conf + env: # these dummy values are necessary for Amazonka's "Discover" - name: AWS_ACCESS_KEY_ID diff --git a/docs/src/developer/developer/how-to.md b/docs/src/developer/developer/how-to.md index 2aa7eb1bc49..71c8c064c75 100644 --- a/docs/src/developer/developer/how-to.md +++ b/docs/src/developer/developer/how-to.md 
@@ -135,9 +135,13 @@ Start by deploying a published release (see 2.1 or 2.2). ``` export NAMESPACE=$USER export DOCKER_TAG=2.116.32 +export ENTERPRISE_IMAGE_PULL_SECRET=... # .dockerconfigjson of wire+wire_server_enterprise quay.io robot make kube-integration-setup ``` +(You may consider to export `ENTERPRISE_IMAGE_PULL_SECRET` in `.envrc.local` as +well.) + Then build and push the `brig` image by running ``` @@ -211,3 +215,22 @@ Note: Simply deleting the namespaces is insufficient, because it leaves some res We support two different ways of managing the docker-compose instance of rabbitmq: * A web console interface is available [here](http://localhost:15672) * `rabbitmqadmin` CLI is made available in the dev environment + +## Avoid Github HTTPS authentication for wire-server-enterprise + +Having to provide HTTPS authentication credentials is annoying. Unfortunately, +we have to use HTTPS Git repository URLs for submodules, because some +Concourse tasks require them (cannot clone with SSH.) + +A hacky workaround is to rewrite the URLs in the `~/.gitconfig`: + +``` +git config --global url."git@github.com:".insteadOf "https://github.com/" +``` + +This leads to such entry: + +``` +[url "git@github.com:"] + insteadOf = https://github.com/ +``` diff --git a/hack/bin/set-wire-server-image-version.sh b/hack/bin/set-wire-server-image-version.sh index 5277b69927a..03a6024378c 100755 --- a/hack/bin/set-wire-server-image-version.sh +++ b/hack/bin/set-wire-server-image-version.sh 
@@ -6,7 +6,7 @@ target_version=${1?$USAGE} TOP_LEVEL="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../.." && pwd )" CHARTS_DIR="$TOP_LEVEL/.local/charts" -charts=(brig cannon galley gundeck spar cargohold proxy cassandra-migrations elasticsearch-index federator backoffice background-worker integration) +charts=(brig cannon galley gundeck spar cargohold proxy cassandra-migrations elasticsearch-index federator backoffice background-worker integration wire-server-enterprise) for chart in "${charts[@]}"; do sed -i "s/^ tag: .*/ tag: $target_version/g" "$CHARTS_DIR/$chart/values.yaml" diff --git a/hack/helmfile.yaml b/hack/helmfile.yaml index 447b980777e..664fb563d19 100644 --- a/hack/helmfile.yaml +++ b/hack/helmfile.yaml @@ -247,3 +247,17 @@ releases: value: {{ .Values.federationDomain2 }} needs: - 'databases-ephemeral' + + - name: wire-server-enterprise + namespace: '{{ .Values.namespace1 }}' + chart: '../.local/charts/wire-server-enterprise' + values: + - secrets: + configJson: {{ requiredEnv "ENTERPRISE_IMAGE_PULL_SECRET" }} + + - name: wire-server-enterprise + namespace: '{{ .Values.namespace2 }}' + chart: '../.local/charts/wire-server-enterprise' + values: + - secrets: + configJson: {{ requiredEnv "ENTERPRISE_IMAGE_PULL_SECRET" }} diff --git a/integration/test/Testlib/Env.hs b/integration/test/Testlib/Env.hs index 2a9d3f8dafd..f276f624c52 100644 --- a/integration/test/Testlib/Env.hs +++ b/integration/test/Testlib/Env.hs @@ -39,6 +39,7 @@ serviceHostPort m Spar = m.spar serviceHostPort m BackgroundWorker = m.backgroundWorker serviceHostPort m Stern = m.stern serviceHostPort m FederatorInternal = m.federatorInternal +serviceHostPort m WireServerEnterprise = m.wireServerEnterprise mkGlobalEnv :: FilePath -> Codensity IO GlobalEnv mkGlobalEnv cfgFile = do diff --git a/integration/test/Testlib/Ports.hs b/integration/test/Testlib/Ports.hs index 29367b64dd8..52d9aa2d05c 100644 --- a/integration/test/Testlib/Ports.hs +++ b/integration/test/Testlib/Ports.hs 
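Review bot: Both new `wire-server-enterprise` releases in hack/helmfile.yaml splice the pull secret into the values YAML unquoted with `configJson: {{ requiredEnv "ENTERPRISE_IMAGE_PULL_SECRET" }}`. A raw `.dockerconfigjson` starts with `{` and would be parsed as a YAML mapping rather than a string, and a value containing `: ` or ` #` would be altered. Quoting it, `configJson: {{ requiredEnv "ENTERPRISE_IMAGE_PULL_SECRET" | quote }}`, makes it a string whatever its content. The chart is not in this diff, so confirm whether it expects raw JSON or a base64 string. Because the credential travels as an ordinary Helm value, it is also stored with the release and can appear in diff or debug output, so check that helmfile output for these releases does not end up in shared CI logs.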
@@ -23,6 +23,7 @@ port (ServiceInternal Gundeck) bn = mkPort 8086 bn port (ServiceInternal Nginz) bn = mkPort 8080 bn port (ServiceInternal Spar) bn = mkPort 8088 bn port (ServiceInternal Stern) bn = mkPort 8091 bn +port (ServiceInternal WireServerEnterprise) bn = mkPort 8079 bn portForDyn :: (Num a) => PortNamespace -> Int -> a portForDyn ns i = port ns (DynamicBackend i) diff --git a/integration/test/Testlib/ResourcePool.hs b/integration/test/Testlib/ResourcePool.hs index 83bd1499a84..610d951bca7 100644 --- a/integration/test/Testlib/ResourcePool.hs +++ b/integration/test/Testlib/ResourcePool.hs @@ -48,7 +48,8 @@ resourceServiceMap resource = spar = g Spar, -- FUTUREWORK: Set to g Proxy, when we add Proxy to spawned services proxy = HostPort "127.0.0.1" 9087, - stern = g Stern + stern = g Stern, + wireServerEnterprise = g WireServerEnterprise } acquireResources :: forall m a. (Ord a, MonadIO m, MonadMask m, HasCallStack) => Int -> ResourcePool a -> Codensity m [a] diff --git a/integration/test/Testlib/Types.hs b/integration/test/Testlib/Types.hs index f7f20c36782..f9189116cb1 100644 --- a/integration/test/Testlib/Types.hs +++ b/integration/test/Testlib/Types.hs @@ -156,7 +156,8 @@ data ServiceMap = ServiceMap nginz :: HostPort, spar :: HostPort, proxy :: HostPort, - stern :: HostPort + stern :: HostPort, + wireServerEnterprise :: HostPort } deriving (Show, Generic) @@ -443,7 +444,8 @@ data ServiceOverrides = ServiceOverrides sparCfg :: Value -> App Value, backgroundWorkerCfg :: Value -> App Value, sternCfg :: Value -> App Value, - federatorInternalCfg :: Value -> App Value + federatorInternalCfg :: Value -> App Value, + wireServerEnterpriseCfg :: Value -> App Value } instance Default ServiceOverrides where 
@@ -461,7 +463,8 @@ instance Semigroup ServiceOverrides where sparCfg = sparCfg a >=> sparCfg b, backgroundWorkerCfg = backgroundWorkerCfg a >=> backgroundWorkerCfg b, sternCfg = sternCfg a >=> sternCfg b, - federatorInternalCfg = federatorInternalCfg a >=> federatorInternalCfg b + federatorInternalCfg = federatorInternalCfg a >=> federatorInternalCfg b, + wireServerEnterpriseCfg = wireServerEnterpriseCfg a >=> wireServerEnterpriseCfg b } instance Monoid ServiceOverrides where @@ -479,7 +482,8 @@ defaultServiceOverrides = sparCfg = pure, backgroundWorkerCfg = pure, sternCfg = pure, - federatorInternalCfg = pure + federatorInternalCfg = pure, + wireServerEnterpriseCfg = pure } lookupConfigOverride :: ServiceOverrides -> Service -> (Value -> App Value) @@ -494,6 +498,7 @@ lookupConfigOverride overrides = \case BackgroundWorker -> overrides.backgroundWorkerCfg Stern -> overrides.sternCfg FederatorInternal -> overrides.federatorInternalCfg + WireServerEnterprise -> overrides.wireServerEnterpriseCfg data Service = Brig @@ -506,6 +511,7 @@ data Service | BackgroundWorker | Stern | FederatorInternal + | WireServerEnterprise deriving ( Show, Eq, @@ -526,6 +532,7 @@ serviceName = \case BackgroundWorker -> "backgroundWorker" Stern -> "stern" FederatorInternal -> "federator" + WireServerEnterprise -> "wireServerEnterprise" -- | Converts the service name to kebab-case. configName :: Service -> String @@ -540,6 +547,7 @@ configName = \case BackgroundWorker -> "background-worker" Stern -> "stern" FederatorInternal -> "federator" + WireServerEnterprise -> "wire-server-enterprise" data BackendName = BackendA diff --git a/libs/wire-api/src/Wire/API/Routes/Internal/Enterprise.hs b/libs/wire-api/src/Wire/API/Routes/Internal/Enterprise.hs new file mode 100644 index 00000000000..364d055266a --- /dev/null +++ b/libs/wire-api/src/Wire/API/Routes/Internal/Enterprise.hs 
@@ -0,0 +1,13 @@ +module Wire.API.Routes.Internal.Enterprise where + +import Servant +import Wire.API.Routes.MultiVerb +import Wire.API.Routes.Named + +type InternalAPI = "i" :> InternalAPIBase + +type InternalAPIBase = + Named + "status" + ( "status" :> MultiVerb 'GET '[JSON] '[RespondEmpty 200 "OK"] () + ) diff --git a/libs/wire-api/wire-api.cabal b/libs/wire-api/wire-api.cabal index cebcabd0640..f8b6886e44f 100644 --- a/libs/wire-api/wire-api.cabal +++ b/libs/wire-api/wire-api.cabal @@ -167,6 +167,7 @@ library Wire.API.Routes.Internal.Brig.SearchIndex Wire.API.Routes.Internal.Cannon Wire.API.Routes.Internal.Cargohold + Wire.API.Routes.Internal.Enterprise Wire.API.Routes.Internal.Galley Wire.API.Routes.Internal.Galley.ConversationsIntra Wire.API.Routes.Internal.Galley.TeamFeatureNoConfigMulti diff --git a/nix/local-haskell-packages.nix b/nix/local-haskell-packages.nix index 414a5443410..25e4f6f2f76 100644 --- a/nix/local-haskell-packages.nix +++ b/nix/local-haskell-packages.nix @@ -42,6 +42,7 @@ gundeck = hself.callPackage ../services/gundeck/default.nix { inherit gitignoreSource; }; proxy = hself.callPackage ../services/proxy/default.nix { inherit gitignoreSource; }; spar = hself.callPackage ../services/spar/default.nix { inherit gitignoreSource; }; + wire-server-enterprise = hself.callPackage ../services/wire-server-enterprise/default.nix { inherit gitignoreSource; }; assets = hself.callPackage ../tools/db/assets/default.nix { inherit gitignoreSource; }; auto-whitelist = hself.callPackage ../tools/db/auto-whitelist/default.nix { inherit gitignoreSource; }; find-undead = hself.callPackage ../tools/db/find-undead/default.nix { inherit gitignoreSource; }; diff --git a/nix/wire-server.nix b/nix/wire-server.nix index 370397a809f..cff79da4f4f 100644 --- a/nix/wire-server.nix +++ b/nix/wire-server.nix 
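Review bot: The new module `Wire.API.Routes.Internal.Enterprise` has no module header or Haddock, and nothing on `InternalAPI` records that the route under `"i"` is declared without any authentication combinator. Readers wiring this service into an ingress need to know that, so I would add above `type InternalAPI` a comment such as `-- | Internal API of wire-server-enterprise. Routes under @/i@ carry no authentication and are meant to be reachable only from inside the cluster.` The reachability part is an assumption to confirm against the service's deployment. A one-line `-- | Status probe: GET /i/status answers with an empty 200.` above the `"status"` entry would document the only endpoint.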
@@ -87,6 +87,7 @@ let rabbitmq-consumer = [ "rabbitmq-consumer" ]; test-stats = [ "test-stats" ]; team-info = [ "team-info" ]; + wire-server-enterprise = [ "wire-server-enterprise" ]; }; inherit (lib) attrsets; @@ -290,6 +291,7 @@ let stern brig-templates background-worker + wire-server-enterprise pkgs.nginz pkgs.mls-test-cli pkgs.awscli2 diff --git a/services/integration.yaml b/services/integration.yaml index 174d6db1477..43ac98a343c 100644 --- a/services/integration.yaml +++ b/services/integration.yaml @@ -43,6 +43,10 @@ stern: host: 127.0.0.1 port: 8091 +wireServerEnterprise: + host: 127.0.0.1 + port: 8079 + # client-API: # webapp ---> load balancer ---> nginx-ingress (TLS termination) ---> nginz ----> brig # @@ -115,6 +119,9 @@ backendTwo: stern: host: 127.0.0.1 port: 9091 + wireServerEnterprise: + host: 127.0.0.1 + port: 9079 originDomain: b.example.com @@ -200,6 +207,9 @@ federation-v0: stern: host: 127.0.0.1 port: 21091 + wireServerEnterprise: + host: 127.0.0.1 + port: 21079 federation-v1: originDomain: federation-v1.example.com @@ -239,5 +249,8 @@ federation-v1: stern: host: 127.0.0.1 port: 22091 + wireServerEnterprise: + host: 127.0.0.1 + port: 22079 integrationTestHostName: "localhost" diff --git a/services/wire-server-enterprise b/services/wire-server-enterprise new file mode 160000 index 00000000000..61560248714 --- /dev/null +++ b/services/wire-server-enterprise @@ -0,0 +1 @@ +Subproject commit 615602487147e7ac4fae49e72b661ace437e8ce6