Merge pull request #2461 from wireapp/release_2022-06-08_09_20

Release 2022-06-08 - (expected chart version 4.13.0)

.dockerignore

@@ -9,3 +9,6 @@
 .stack-root-buildah
 .local
 services/nginz/src/objs
+dist-newstyle
+.env
+.direnv

.hlint.yaml

@@ -0,0 +1,15 @@
+# We need quasi quotes support.
+- arguments: [ -XQuasiQuotes, --color ]
+# Used to enforce ormolu styling. Can be revisited if we change formatters.
+- ignore: { name: Redundant $ }
+- ignore: { name: Redundant do }
+- ignore: { name: Use newtype instead of data  }
+#
+# Left for the programmer to decide. See discussion at https://github.com/wireapp/wire-server/pull/2382#discussion_r871194424
+- ignore: { name: Avoid lambda }
+- ignore: { name: Avoid lambda using `infix` }
+
+- ignore: { name: Use section }
+# custom rules:
+- hint: { lhs: (() <$), rhs: void }
+- hint: { lhs: return, rhs: pure }

CHANGELOG.md

@@ -1,3 +1,99 @@
+# [2022-06-08] (Chart Release 4.13.0)
+
+## Release notes
+
+
+* The `.cannon.drainTimeout` setting on the wire-server helm chart has been
+  removed and replaced with `.cannon.config.drainOpts`. (#2416)
+
+* Note for wire.com operators: deploy nginz (#2439)
+
+
+## API changes
+
+
+* The back-office (aka stern) team feature API now accenpts an optional TTL parameter (in days), so features can be activated for a limited period. (#2417)
+
+* Disable rate limiting for /api-version (#2439)
+
+
+## Features
+
+
+* Drain websockets in a controlled fashion when cannon receives a SIGTERM or
+  SIGINT. Instead of waiting for connections to close on their own, the websockets
+  are now severed at a controlled pace. This allows for quicker rollouts of new
+  versions. (#2416)
+
+* Optionally allow to run cannon with its own nginz inside the same pod; and connect to a load balancer directly.
+  This allows the cannon-slow-drain behaviour implemented in #2416 to take effect by not having other intermediate network hops which could break websocket connections all at once.
+  Some (internal) context: https://wearezeta.atlassian.net/wiki/spaces/PS/pages/585564424/How+to+gracefully+drain+cannon+but+not+so+slowly
+  For details on how to configure this, see docs/src/how-to/install/configuration-options.rst (#2421)
+
+* Support running brig with GeoIP database when using helm charts (#2406)
+
+* charts/nginz: Add upstream configuration for galeb (#2444)
+
+* charts/nginz: Allow upstreams to be in other namespaces (#2444)
+
+* CSV export in team management now includes the number of devices per user (#2407)
+
+
+## Bug fixes and other updates
+
+
+* charts/nginz: Resolve collision between brig and galeb endpoints. Ensure
+  /self/consent and /signatures endpoints are configured in all environments (#2457)
+
+* When an IdP issuer (aka entity ID) is updated, the old issuer was still marked as "in use". (#2400)
+
+* On actions that require re-authentication a password is not required if the user has SAML credentials (#2430, #2434, #2437)
+
+* Use SCIM's preferred language as a fallback when privisioning users without a locale. (#2445)
+
+
+## Documentation
+
+
+* Feature configs should have different swagger schema names (#2425)
+
+
+## Internal changes
+
+
+* `AllFeatureConfigs` is now typed (#2403)
+
+* Type class for default team feature status (#2404)
+
+* charts/{redis-ephemeral,legalhold}: Use old index for bitnami repo as the new index doesn't have old versions of postgresql and redis helm charts (#2448)
+
+* Bump haskell/zlib version to 0.6.3.0 (#2431)
+
+* New internal brig endpoints for MLS KeyPackage -> Conversation association query/update (#2375)
+
+* galley: refactor withSettingsOverrides (#2381)
+
+* charts/{nginz,cannon}: Increase map_hash_bucket_size for nginx to 128 (#2443)
+
+* charts/{cannon,nginz}: values listed in
+  `nginx_conf.randomport_allowlisted_origins` must be full hostnames. Hostnames
+  listed here will be allowlisted with and without TLS. (#2438)
+
+* Remove binding of users to saml idps using saml (this has never been picked up by clients; use scim instead) (#2441)
+
+* Remove golden test case generator
+
+   (#2442)
+
+* Convert Team CSV endpoint to Servant (#2419)
+
+
+## Federation changes
+
+
+* Send only the raw welcome message in the Galley "mls-welcome" federation endpoint (#2412)
+
+
 # [2022-05-18] (Chart Release 4.12.0)
 
 ## Release notes

Makefile

@@ -79,7 +79,7 @@ ci: c
 # pass target=package:name to specify which target is watched.
 .PHONY: ghcid
 ghcid:
-	ghcid --command "cabal repl $(target)"
+	ghcid -l=hlint --command "cabal repl $(target)"
 
 # reset db using cabal
 .PHONY: db-reset-package

cabal.project.freeze

@@ -2754,7 +2754,7 @@ constraints: any.AC-Angle ==1.0,
              any.zip-stream ==0.2.1.0,
              any.zipper-extra ==0.1.3.2,
              any.zippers ==0.3.2,
-             any.zlib ==0.6.2.3,
+             any.zlib ==0.6.3.0,
              any.zlib-bindings ==0.1.1.5,
              any.zlib-lens ==0.1.2.1,
              any.zot ==0.0.3,

charts/brig/templates/configmap.yaml

@@ -202,6 +202,11 @@ data:
     {{- end }}
     {{- end }}
 
+    {{- if .geoip.enabled }}
+    # Shared emptyDir with geoipupdate container
+    geoDb: /usr/share/GeoIP/GeoIP2-City.mmdb
+    {{- end }}
+
     {{- with .optSettings }}
     optSettings:
       setActivationTimeout: {{ .setActivationTimeout }}

charts/brig/templates/deployment.yaml

@@ -42,6 +42,40 @@ spec:
         - name: "brig-secrets"
           secret:
             secretName: "brig"
+        {{- if .Values.config.geoip.enabled }}
+        - name: "geoip"
+          emptyDir: {}
+        {{- end }}
+      {{- if .Values.config.geoip.enabled }}
+      # Brig needs GeoIP database to be downloaded before it can start.
+      initContainers:
+        - name: geoipdownload
+          image: "{{ .Values.config.geoip.image.repository }}:{{ .Values.config.geoip.image.tag }}"
+          imagePullPolicy: {{ default "" .Values.config.geoip.imagePullPolicy | quote }}
+          volumeMounts:
+          - name: "geoip"
+            mountPath: "/usr/share/GeoIP"
+          # The environment variables are documented at:
+          # https://github.com/maxmind/geoipupdate/blob/62b34e648a842dc03ccf4ad3f61e2d85eaec98fc/doc/docker.md
+          env:
+          - name: GEOIPUPDATE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: brig-geoip
+                key: accountId
+          - name: GEOIPUPDATE_LICENSE_KEY
+            valueFrom:
+              secretKeyRef:
+                name: brig-geoip
+                key: licenseKey
+          - name: GEOIPUPDATE_EDITION_IDS
+            valueFrom:
+              secretKeyRef:
+                name: brig-geoip
+                key: editionIds
+          - name: GEOIPUPDATE_FREQUENCY
+            value: "0" # Setting this to 0 makes the script only run geoipupdate once.
+      {{- end }}
       containers:
         - name: brig
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -55,6 +89,10 @@ spec:
           - name: "turn-servers"
             mountPath: "/etc/wire/brig/turn"
           {{- end }}
+          {{- if .Values.config.geoip.enabled }}
+          - name: "geoip"
+            mountPath: "/usr/share/GeoIP"
+          {{- end }}
           env:
           - name: LOG_LEVEL
             value: {{ .Values.config.logLevel }}
@@ -107,3 +145,31 @@ spec:
               port: {{ .Values.service.internalPort }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
+        {{- if .Values.config.geoip.enabled }}
+        - name: geoipupdate
+          image: "{{ .Values.config.geoip.image.repository }}:{{ .Values.config.geoip.image.tag }}"
+          imagePullPolicy: {{ default "" .Values.config.geoip.imagePullPolicy | quote }}
+          volumeMounts:
+          - name: "geoip"
+            mountPath: "/usr/share/GeoIP"
+          # The environment variables are documented at:
+          # https://github.com/maxmind/geoipupdate/blob/62b34e648a842dc03ccf4ad3f61e2d85eaec98fc/doc/docker.md
+          env:
+          - name: GEOIPUPDATE_ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: brig-geoip
+                key: accountId
+          - name: GEOIPUPDATE_LICENSE_KEY
+            valueFrom:
+              secretKeyRef:
+                name: brig-geoip
+                key: licenseKey
+          - name: GEOIPUPDATE_EDITION_IDS
+            valueFrom:
+              secretKeyRef:
+                name: brig-geoip
+                key: editionIds
+          - name: GEOIPUPDATE_FREQUENCY
+            value: "24" # hours
+        {{- end }}

charts/brig/templates/geoip-secret.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.config.geoip.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: brig-geoip
+  labels:
+    wireService: brig
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  {{- with .Values.secrets.geoip }}
+  accountId: {{ required ".secrets.geoip.accountId must be provided when .Values.config.geoip.enabled is True" .accountId | b64enc | quote }}
+  licenseKey: {{ required ".secrets.geoip.licenseKey must be provided when .Values.config.geoip.enabled is True" .licenseKey | b64enc | quote }}
+  editionIds: {{ required ".secrets.geoip.editionIds must be provided when .Values.config.geoip.enabled is True" .editionIds | b64enc | quote }}
+  {{- end }}
+{{- end }}

charts/brig/values.yaml

@@ -84,6 +84,14 @@ config:
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}
+
+  geoip:
+    # When enabling this, .secrets.geoip.accountId, .secrets.geoip.licenseKey and
+    # .secret.geoip.editionIds must be provided.
+    enabled: false
+    image:
+      repository: docker.io/maxmindinc/geoipupdate
+      tag: v4.9
 turnStatic:
   v1:
   - turn:localhost:3478

charts/cannon/conf/static/zauth.acl

@@ -0,0 +1,17 @@
+a (blacklist (path "/provider")
+             (path "/provider/**")
+             (path "/bot")
+             (path "/bot/**")
+             (path "/i/**"))
+
+b (whitelist (path "/bot")
+             (path "/bot/**"))
+
+p (whitelist (path "/provider")
+             (path "/provider/**"))
+
+# LegalHold Access Tokens
+la (whitelist (path "/notifications")
+              (path "/assets/v3/**")
+              (path "/users")
+              (path "/users/**"))