Add helm chart for wire-server-enterprise (#4359)

Makefile

@@ -7,7 +7,7 @@ DOCKER_TAG            ?= $(USER)
 # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
 HELM_SEMVER           ?= 0.0.42
 # The list of helm charts needed on internal kubernetes testing environments
-CHARTS_INTEGRATION    := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana restund k8ssandra-test-cluster
+CHARTS_INTEGRATION    := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana restund k8ssandra-test-cluster wire-server-enterprise
 # The list of helm charts to publish on S3
 # FUTUREWORK: after we "inline local subcharts",
 # (e.g. move charts/brig to charts/wire-server/brig)
@@ -18,7 +18,7 @@ fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice		\
 calling-test demo-smtp elasticsearch-curator elasticsearch-external				\
 elasticsearch-ephemeral minio-external cassandra-external						\
 nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper restund \
-k8ssandra-test-cluster ldap-scim-bridge
+k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise
 KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
 

changelog.d/2-features/enterprise-helm-chart

@@ -0,0 +1,3 @@
+`charts/wire-server-enterprise` is a Helm chart to run the `wire-server-enterprise`
+service. This service can only be deployed with an image pull secret (the
+registry is not open to public.)

charts/README.md

@@ -0,0 +1,6 @@
+# wire-server-enterprise
+
+This service contains the non-open parts of wire-server.
+
+The image registry is password protected. The credential can e.g. be provided by
+defining `secrets.configJson` with the value provided by Wire.

charts/wire-server-enterprise/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: additional enterprise features for wire-server
+name: wire-server-enterprise
+version: 0.0.42

charts/wire-server-enterprise/templates/configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: wire-server-enterprise
+  labels:
+    app: wire-server-enterprise
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  {{- with .Values.config }}
+  wire-server-enterprise.yaml: |
+    logNetStrings: {{ .logNetStrings }}
+    logFormat: {{ .logFormat }}
+    logLevel: {{ .logLevel }}
+
+    wireServerEnterprise:
+      host: 0.0.0.0
+      port: 8080
+  {{- end }}

charts/wire-server-enterprise/templates/deployment.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wire-server-enterprise
+  labels:
+    app: wire-server-enterprise
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: wire-server-enterprise
+  template:
+    metadata:
+      labels:
+        app: wire-server-enterprise
+        release: {{ .Release.Name }}
+      annotations:
+        # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
+        checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
+    spec:
+      imagePullSecrets:
+      - name: wire-server-enterprise-readonly-pull-secret
+      volumes:
+        - name: "wire-server-enterprise-config"
+          configMap:
+            name: "wire-server-enterprise"
+      containers:
+        - name: wire-server-enterprise
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
+          ports:
+            - containerPort: {{ .Values.service.internalPort }}
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /i/status
+              port: {{ .Values.service.internalPort }}
+          readinessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /i/status
+              port: {{ .Values.service.internalPort }}
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+          volumeMounts:
+          - name: "wire-server-enterprise-config"
+            mountPath: "/etc/wire/wire-server-enterprise/conf"
+      automountServiceAccountToken: false

charts/wire-server-enterprise/templates/image-pull-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wire-server-enterprise-readonly-pull-secret
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: kubernetes.io/dockerconfigjson
+data:
+  {{/* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
+  for_helm_linting: {{ required "No .secrets found in configuration." .Values.secrets | quote | b64enc | quote }}
+
+  {{- with .Values.secrets }}
+  .dockerconfigjson: {{ .configJson }}
+  {{- end }}

charts/wire-server-enterprise/templates/service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: wire-server-enterprise
+  labels:
+    app: wire-server-enterprise
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    {{- if ge (.Capabilities.KubeVersion.Minor|int) 26 }}
+    service.kubernetes.io/topology-mode: Auto
+    {{- else }}
+    service.kubernetes.io/topology-aware-hints: auto
+    {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: {{ .Values.service.externalPort }}
+      targetPort: {{ .Values.service.internalPort }}
+  selector:
+    app: wire-server-enterprise
+    release: {{ .Release.Name }}

charts/wire-server-enterprise/templates/servicemonitor.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: wire-server-enterprise
+  labels:
+    app: wire-server-enterprise
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  endpoints:
+    - port: http
+      path: /i/metrics
+  selector:
+    matchLabels:
+      app: wire-server-enterprise
+      release: {{ .Release.Name }}
+{{- end }}

charts/wire-server-enterprise/values.yaml

@@ -0,0 +1,25 @@
+replicaCount: 1
+
+image:
+  repository: quay.io/wire/wire-server-enterprise
+  tag: do-not-use
+
+resources:
+  requests:
+    memory: "200Mi"
+    cpu: "100m"
+  limits:
+    memory: "512Mi"
+
+service:
+  internalPort: 8080
+  externalPort: 8080
+
+metrics:
+  serviceMonitor:
+    enabled: false
+
+config:
+  logLevel: Info
+  logFormat: StructuredJSON
+  logNetStrings: false