MLS: Make missing MLS removal keys a template error #4369

Merged
merged 3 commits into from
Dec 11, 2024
1 change: 1 addition & 0 deletions changelog.d/5-internal/mls
@@ -0,0 +1 @@
charts/galley: Make missing mls keys a templating error. Update MLS docs.
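Review bot: `mls keys` in the changelog entry should read `MLS removal keys`, matching the PR title and the docs, which capitalise MLS and refer specifically to the removal keys rather than to MLS keys in general.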
8 changes: 0 additions & 8 deletions charts/galley/templates/secret.yaml
Expand Up @@ -10,19 +10,11 @@ metadata:
type: Opaque
data:
{{- if .Values.secrets.mlsPrivateKeys }}
{{- if .Values.secrets.mlsPrivateKeys.removal.ed25519 }}
removal_ed25519.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ed25519 | b64enc | quote }}
{{- end -}}
{{- if .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp256r1_sha256 }}
removal_ecdsa_secp256r1_sha256.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp256r1_sha256 | b64enc | quote }}
{{- end -}}
{{- if .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp384r1_sha384 }}
removal_ecdsa_secp384r1_sha384.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp384r1_sha384 | b64enc | quote }}
{{- end -}}
{{- if .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp521r1_sha512 }}
removal_ecdsa_secp521r1_sha512.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp521r1_sha512 | b64enc | quote }}
{{- end -}}
{{- end -}}

{{- if $.Values.config.enableFederation }}
rabbitmqUsername: {{ .Values.secrets.rabbitmq.username | b64enc | quote }}
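Review bot: the outer `{{- if .Values.secrets.mlsPrivateKeys }}` kept at the top of the hunk means the new hard failure only covers a partially filled `removal` map; when `secrets.mlsPrivateKeys` is absent altogether the Secret still renders silently with no removal keys at all. If that is the intended way to deploy without MLS, say so in docs/src/understand/mls.md; if not, drop the outer guard too. Either way, a missing key now reaches `| b64enc` as a nil value, and the resulting template error does not name which of the four keys is missing, so consider `{{ required "galley.secrets.mlsPrivateKeys.removal.ed25519 must be set" .Values.secrets.mlsPrivateKeys.removal.ed25519 | b64enc | quote }}` (and the same for the three ECDSA keys), which fails with a message the operator can act on.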
34 changes: 24 additions & 10 deletions docs/src/understand/mls.md
Expand Up @@ -9,7 +9,14 @@ enables the server to remove clients from MLS groups, e.g. when users leave
conversations or delete their clients.

The removal key is configured at path
`galley.secrets.mlsPrivateKeys.removal.ed25519` in the wire-server helm chart.
`galley.secrets.mlsPrivateKeys.removal` in the wire-server helm chart.
You need to provide a variant for each supported ciphersuite:
- `ed25519`
- `ecdsa_secp256r1_sha256`
- `ecdsa_secp384r1_sha384`
- `ecdsa_secp521r1_sha512`


For example:

```yaml
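Review bot: the two consecutive blank lines added after the ciphersuite list (just before `For example:`) should be a single blank line; one is enough to terminate the list in markdown. The added sentence `You need to provide a variant for each supported ciphersuite:` also states the requirement without its consequence; since the point of this PR is that a missing key is now a templating error, a sentence such as `If any of these is missing, rendering the galley chart fails.` would tell operators what to expect when they upgrade with an older values file.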
Expand All @@ -20,25 +27,32 @@ galley:
removal:
ed25519: |
-----BEGIN PRIVATE KEY-----
MC4CAQA....Z709c
-----END PRIVATE KEY-----
...
ecdsa_secp256r1_sha256: |
-----BEGIN PRIVATE KEY-----
...
ecdsa_secp384r1_sha384: |
-----BEGIN PRIVATE KEY-----
...
ecdsa_secp521r1_sha512: |
-----BEGIN PRIVATE KEY-----
...
```

The key is a private ED25519 key in PEM format. It can be created by openssl
with this command:
These private keys can be created with with these commands:

```sh
openssl req -nodes -newkey ed25519 -keyout ed25519.pem -out /dev/null -subj /
openssl genpkey -algorithm ed25519
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521
```

This will create a `ed25519.pem`. Use the contents of this file as the
configuration value.

This is a sensitive configuration value. Consider using Helm/Helmfile's support
for managing secrets instead of putting this value in plaintext in a
`values.yaml` file.

Next, MLS needs to be explictly enabled in brig. This can be configured at
In addition to removal keys, MLS needs to be explictly enabled in brig. This can be configured at
`brig.config.optSettings.setEnableMLS`, for example:

```yaml
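Review bot: `created with with these commands` on the added line has a doubled `with`. The new `openssl genpkey` commands also write the private keys to stdout, and the removed sentence that explained the key lands in a file whose contents become the configuration value has no replacement, so the reader is left with keys printed to the terminal and no instruction on where they go. Suggest adding `-out removal_ed25519.pem` (and the matching `removal_ecdsa_secp256r1_sha256.pem`, `removal_ecdsa_secp384r1_sha384.pem`, `removal_ecdsa_secp521r1_sha512.pem`, which also match the file names in charts/galley/templates/secret.yaml) and restoring a sentence along the lines of `Use the contents of these files as the configuration values.` Writing to files instead of the terminal also keeps the private keys out of scrollback and session logs, which fits the `This is a sensitive configuration value` paragraph that follows. Finally, `explictly` in the added `In addition to removal keys, MLS needs to be explictly enabled in brig.` line is a typo for `explicitly`; since the line is being rewritten anyway, this is the place to fix it.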