Merged
22 changes: 22 additions & 0 deletions changelog.d/2-features/charts-brig-new-settings
@@ -0,0 +1,22 @@
charts: Various new values can now be configured and some got changed

Allow new configurations in the brig chart:
* `config.emailSMS.user.invitationUrl`
* `config.emailSMS.team.tInvitationUrl`
* `config.emailSMS.team.tActivationUrl`
* `config.emailSMS.team.tCreatorWelcomeUrl`
* `config.emailSMS.team.tMemberWelcomeUrl`
* `config.setProviderSearchFilter`
* `config.setWhitelist`
* `config.setFeatureFlags`
* `config.setCustomerExtensions`

If any values in config.emailSMS.team are specified, all must be specified.

Allow new configurations in the gundeck chart:
* `config.perNativePushConcurrency`
* `config.maxConcurrentNativePushes.soft`
* `config.maxConcurrentNativePushes.hard`

Other changes:
* Default `maxTeamSize` changed to 10000 from 500.
2 changes: 2 additions & 0 deletions changelog.d/2-features/no-aws-creds
@@ -0,0 +1,2 @@
charts/{brig,cargohol,galley,gundeck}: Allow not configuring AWS credentials and allow using a special service account.
Contributor

s/cargohol/cargohold

small typo

Member Author

Fixed here: #2399

This way, when operating wire in AWS cloud either instance profiles or IAM role attached to a service account can be used to communicate with AWS.
26 changes: 26 additions & 0 deletions charts/brig/templates/configmap.yaml
Expand Up @@ -67,6 +67,9 @@ data:
{{- if .dynamoDBEndpoint }}
dynamoDBEndpoint: {{ .dynamoDBEndpoint | quote }}
{{- end }}
{{- if .userJournalQueue }}
userJournalQueue: {{ .userJournalQueue | quote }}
{{- end }}
{{- end }}

internalEvents:
Expand Down Expand Up @@ -112,7 +115,9 @@ data:
activationUrl: {{ .emailSMS.user.activationUrl }}
smsActivationUrl: {{ .emailSMS.user.smsActivationUrl }}
passwordResetUrl: {{ .emailSMS.user.passwordResetUrl }}
{{- if .emailSMS.user.invitationUrl }}
invitationUrl: {{ .emailSMS.user.invitationUrl }}
{{- end }}
deletionUrl: {{ .emailSMS.user.deletionUrl }}
{{- else }}
activationUrl: {{ .externalUrls.nginz }}/activate?key=${key}&code=${code}
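Review bot: `invitationUrl` is now the only optional key in the `.emailSMS.user` branch, while `activationUrl`, `smsActivationUrl`, `passwordResetUrl` and `deletionUrl` around it are still rendered unconditionally. Please say in values.yaml or the changelog what brig does when `invitationUrl` is absent from the rendered config. These URL values are also emitted unquoted, unlike `dynamoDBEndpoint` and `userJournalQueue` earlier in this file; piping them through `quote` keeps a value containing ` #` or `: ` from changing the parsed YAML.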
Expand All @@ -138,6 +143,12 @@ data:
{{- end }}

team:
{{- if .emailSMS.team }}
tInvitationUrl: {{ .emailSMS.team.tInvitationUrl }}
tActivationUrl: {{ .emailSMS.team.tActivationUrl }}
tCreatorWelcomeUrl: {{ .emailSMS.team.tCreatorWelcomeUrl }}
tMemberWelcomeUrl: {{ .emailSMS.team.tMemberWelcomeUrl }}
{{- else }}
{{- if .externalUrls.teamSettings }}
tInvitationUrl: {{ .externalUrls.teamSettings }}/join/?team-code=${code}
{{- else }}
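Review bot: Missing check on the `{{- if .emailSMS.team }}` branch: the changelog says that if any value in `config.emailSMS.team` is specified all must be, but nothing in the template enforces it. A values file that sets only `tInvitationUrl` takes this branch, renders the other three keys empty, and skips the `externalUrls` fallbacks in the `else` branch. Wrapping each of the four lookups in Helm's `required`, for example `{{ required "config.emailSMS.team.tActivationUrl must be set" .emailSMS.team.tActivationUrl }}`, fails the render instead of producing a brig config with empty team URLs.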
Expand All @@ -146,6 +157,7 @@ data:
tActivationUrl: {{ .externalUrls.nginz }}/register?team=${team}&team_code=${code}
tCreatorWelcomeUrl: {{ .externalUrls.teamCreatorWelcome }}
tMemberWelcomeUrl: {{ .externalUrls.teamMemberWelcome }}
{{- end }}

zauth:
privateKeys: /etc/wire/brig/secrets/secretkey.txt
Expand Down Expand Up @@ -226,6 +238,9 @@ data:
{{- if .setSearchSameTeamOnly }}
setSearchSameTeamOnly: {{ .setSearchSameTeamOnly }}
{{- end }}
{{- if .setProviderSearchFilter }}
setProviderSearchFilter: {{ .setProviderSearchFilter }}
{{- end }}
{{- if .setUserMaxPermClients }}
setUserMaxPermClients: {{ .setUserMaxPermClients }}
{{- end }}
Expand All @@ -242,5 +257,16 @@ data:
{{- if .setSftListAllServers }}
setSftListAllServers: {{ .setSftListAllServers }}
{{- end }}
{{- if .setWhitelist }}
setWhitelist: {{ toYaml .setWhitelist | nindent 8 }}
{{- end }}
{{- if .setFeatureFlags }}
setFeatureFlags: {{ toYaml .setFeatureFlags | nindent 8 }}
{{- end }}
# Customer extensions. If this is not part of your contract with wire, use at your own risk!
# Details: https://github.com/wireapp/wire-server/blob/3a21a82a1781f0d128f503df6a705b0b5f733d7b/services/brig/src/Brig/Options.hs#L465-L503
{{- if .setCustomerExtensions }}
setCustomerExtensions: {{ toYaml .setCustomerExtensions | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
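Review bot: Documentation gap for `setWhitelist`, `setFeatureFlags` and `setCustomerExtensions`: the charts/brig/values.yaml hunks in this PR add no commented example or description for them, so the expected shape of each value is only discoverable through the Options.hs link. The "use at your own risk" warning is also written as a YAML comment, so it lands in the rendered ConfigMap rather than in values.yaml, where an operator decides whether to set `setCustomerExtensions`. Moving the warning and a commented example to values.yaml puts it where the decision is made.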
3 changes: 3 additions & 0 deletions charts/brig/templates/deployment.yaml
Expand Up @@ -29,6 +29,7 @@ spec:
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
fluentbit.io/parser: json
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
volumes:
- name: "brig-config"
configMap:
Expand All @@ -53,6 +54,7 @@ spec:
env:
- name: LOG_LEVEL
value: {{ .Values.config.logLevel }}
{{- if hasKey .Values.secrets "awsKeyId" }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
Expand All @@ -63,6 +65,7 @@ spec:
secretKeyRef:
name: brig
key: awsSecretKey
{{- end }}
# TODO: Is this the best way to do this?
- name: AWS_REGION
value: "{{ .Values.config.aws.region }}"
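Review bot: The guard `hasKey .Values.secrets "awsKeyId"` on the env entries does not match the guard in charts/brig/templates/secret.yaml, which is `{{- if .awsKeyId }}`. With `awsKeyId: ""` in the values, `hasKey` is true and the container gets a `secretKeyRef` to `awsKeyId`, but the Secret omits that key because an empty string is falsy, so the reference points at a key that does not exist and, unless it is marked optional, the container cannot be created. Use the same condition in both templates. The cargohold deployment.yaml and secret.yaml in this PR have the same pairing.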
2 changes: 2 additions & 0 deletions charts/brig/templates/secret.yaml
Expand Up @@ -16,8 +16,10 @@ data:
secretkey.txt: {{ .zAuth.privateKeys | b64enc | quote }}
publickey.txt: {{ .zAuth.publicKeys | b64enc | quote }}
turn-secret.txt: {{ .turn.secret | b64enc | quote }}
{{- if .awsKeyId }}
awsKeyId: {{ .awsKeyId | b64enc | quote }}
awsSecretKey: {{ .awsSecretKey | b64enc | quote }}
{{- end }}
twilio-credentials.yaml: {{ .setTwilio | b64enc | quote }}
nexmo-credentials.yaml: {{ .setNexmo | b64enc | quote }}
{{- if (not $.Values.config.useSES) }}
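Review bot: Only `awsKeyId` is tested in `{{- if .awsKeyId }}` before both `awsKeyId` and `awsSecretKey` are emitted, so a values file that supplies the key id without the secret key is not rejected with a clear message. Using `required` on `.awsSecretKey` inside the block, or testing both values in the condition, makes the half-configured case explicit.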
16 changes: 16 additions & 0 deletions charts/brig/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name }}
labels:
wireService: brig
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
11 changes: 10 additions & 1 deletion charts/brig/values.yaml
Expand Up @@ -64,7 +64,7 @@ config:
retryAfter: 86400
setRichInfoLimit: 5000
setDefaultUserLocale: en
setMaxTeamSize: 500
setMaxTeamSize: 10000
setMaxConvSize: 500
# Allowed values: https://github.com/wireapp/wire-server/blob/0126651a25aabc0c5589edc2b1988bb06550a03a/services/brig/src/Brig/Options.hs#L304-L306
# Description: https://github.com/wireapp/wire-server/blob/0126651a25aabc0c5589edc2b1988bb06550a03a/services/brig/src/Brig/Options.hs#L290-L299
Expand Down Expand Up @@ -92,3 +92,12 @@ turnStatic:
- turn:localhost:3478?transport=tcp
tests:
enableFederationTests: false
serviceAccount:
# When setting this to 'false', either make sure that a service account named
# 'brig' exists or change the 'name' field to 'default'
create: true
name: brig
annotations: {}
automountServiceAccountToken: true

secrets: {}
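Review bot: `automountServiceAccountToken: true` as the default mounts a Kubernetes API token into every brig pod, and nothing in this PR shows brig calling the Kubernetes API. Defaulting to `false` and letting operators opt in is the least-privilege choice, provided the IAM-role-on-service-account setup described in the changelog still works with it; the cargohold and galley values.yaml hunks carry the same default. The new `secrets: {}` line is what keeps `hasKey .Values.secrets "awsKeyId"` from being called on a missing map, so a one-line comment saying that would stop it being removed later as dead config.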
3 changes: 3 additions & 0 deletions charts/cargohold/templates/deployment.yaml
Expand Up @@ -27,6 +27,7 @@ spec:
checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
volumes:
- name: "cargohold-config"
configMap:
Expand All @@ -44,6 +45,7 @@ spec:
- name: "cargohold-config"
mountPath: "/etc/wire/cargohold/conf"
env:
{{- if hasKey .Values.secrets "awsKeyId" }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
Expand All @@ -54,6 +56,7 @@ spec:
secretKeyRef:
name: cargohold
key: awsSecretKey
{{- end }}
- name: AWS_REGION
value: "{{ .Values.config.aws.region }}"
{{- with .Values.config.proxy }}
4 changes: 3 additions & 1 deletion charts/cargohold/templates/secret.yaml
Expand Up @@ -16,7 +16,9 @@ data:
{{ if .cloudFront }}
cf-pk.pem: {{ .cloudFront.cfPrivateKey | b64enc | quote }}
{{ end }}


{{- if .awsKeyId }}
awsKeyId: {{ .awsKeyId | b64enc | quote }}
awsSecretKey: {{ .awsSecretKey | b64enc | quote }}
{{- end }}
{{- end }}
16 changes: 16 additions & 0 deletions charts/cargohold/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name }}
labels:
wireService: cargohold
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
9 changes: 9 additions & 0 deletions charts/cargohold/values.yaml
Expand Up @@ -19,3 +19,12 @@ config:
region: "eu-west-1"
s3Bucket: assets
proxy: {}
serviceAccount:
# When setting this to 'false', either make sure that a service account named
# 'cargohold' exists or change the 'name' field to 'default'
create: true
name: cargohold
annotations: {}
automountServiceAccountToken: true

secrets: {}
2 changes: 1 addition & 1 deletion charts/galley/templates/configmap.yaml
Expand Up @@ -43,7 +43,7 @@ data:

{{- if (.journal) }}
journal:
queueName: {{ .journal.queue }}
queueName: {{ .journal.queueName }}
endpoint: {{ .journal.endpoint }}
{{- end }}
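Review bot: Renaming the lookup from `.journal.queue` to `.journal.queueName` breaks existing values files silently: a deployment that still sets `journal.queue` passes the `{{- if (.journal) }}` test and renders `queueName:` with no value. Either fall back for a release with `{{ .journal.queueName | default .journal.queue }}` or wrap the lookup in `required`, and list the rename in the changelog entry, whose "Other changes" section currently mentions only the `maxTeamSize` default.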

8 changes: 3 additions & 5 deletions charts/galley/templates/deployment.yaml
Expand Up @@ -27,23 +27,20 @@ spec:
checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
volumes:
- name: "galley-config"
configMap:
name: "galley"
- name: "galley-secrets"
secret:
secretName: "galley"
containers:
- name: galley
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
volumeMounts:
- name: "galley-secrets"
mountPath: "/etc/wire/galley/secrets"
- name: "galley-config"
mountPath: "/etc/wire/galley/conf"
env:
{{- if hasKey .Values.secrets "awsKeyId" }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
Expand All @@ -54,6 +51,7 @@ spec:
secretKeyRef:
name: galley
key: awsSecretKey
{{- end }}
- name: AWS_REGION
value: "{{ .Values.config.aws.region }}"
{{- with .Values.config.proxy }}
2 changes: 2 additions & 0 deletions charts/galley/templates/secret.yaml
@@ -1,3 +1,4 @@
{{- if hasKey .Values.secrets "awsKeyId" }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -13,3 +14,4 @@ data:
awsKeyId: {{ .awsKeyId | b64enc | quote }}
awsSecretKey: {{ .awsSecretKey | b64enc | quote }}
{{- end }}
{{- end }}
16 changes: 16 additions & 0 deletions charts/galley/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name }}
labels:
wireService: galley
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
11 changes: 10 additions & 1 deletion charts/galley/values.yaml
Expand Up @@ -21,7 +21,7 @@ config:
replicaCount: 3
enableFederator: false # keep enableFederator default in sync with brig and cargohold chart's config.enableFederator as well as wire-server chart's tag.federator
settings:
maxTeamSize: 500
maxTeamSize: 10000
maxConvSize: 500
# Before making indexedBillingTeamMember true while upgrading, please
# refer to notes here: https://github.com/wireapp/wire-server-deploy/releases/tag/v2020-05-15
Expand All @@ -48,3 +48,12 @@ config:
aws:
region: "eu-west-1"
proxy: {}
serviceAccount:
# When setting this to 'false', either make sure that a service account named
# 'galley' exists or change the 'name' field to 'default'
create: true
name: galley
annotations: {}
automountServiceAccountToken: true

secrets: {}
8 changes: 7 additions & 1 deletion charts/gundeck/templates/configmap.yaml
Expand Up @@ -50,7 +50,13 @@ data:
httpPoolSize: 1024
notificationTTL: 2419200
bulkPush: {{ .bulkPush }}
{{- if hasKey . "perNativePushConcurrency" }}
perNativePushConcurrency: {{ .perNativePushConcurrency }}
{{- end }}
maxConcurrentNativePushes:
soft: 1000
soft: {{ .maxConcurrentNativePushes.soft }}
{{- if hasKey .maxConcurrentNativePushes "hard" }}
hard: {{ .maxConcurrentNativePushes.hard }}
{{- end }}
# hard: 30 # more than this number of threads will not be allowed
{{- end }}
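Review bot: `soft` loses its hard-coded `1000` and now reads `.maxConcurrentNativePushes.soft`, but no charts/gundeck/values.yaml hunk is visible here that supplies a default. Without one, a values file that has no `maxConcurrentNativePushes` map fails to render, both on `.maxConcurrentNativePushes.soft` and on `hasKey .maxConcurrentNativePushes "hard"`; please keep `soft: 1000` as the chart default in values.yaml. The trailing `# hard: 30` comment is now stale next to the templated `hard:` key and reads better as a commented example in values.yaml.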
8 changes: 3 additions & 5 deletions charts/gundeck/templates/deployment.yaml
Expand Up @@ -27,23 +27,20 @@ spec:
checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
volumes:
- name: "gundeck-config"
configMap:
name: "gundeck"
- name: "gundeck-secrets"
secret:
secretName: "gundeck"
containers:
- name: gundeck
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
volumeMounts:
- name: "gundeck-secrets"
mountPath: "/etc/wire/gundeck/secrets"
- name: "gundeck-config"
mountPath: "/etc/wire/gundeck/conf"
env:
{{- if hasKey .Values.secrets "awsKeyId" }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
Expand All @@ -54,6 +51,7 @@ spec:
secretKeyRef:
name: gundeck
key: awsSecretKey
{{- end }}
- name: AWS_REGION
value: "{{ .Values.config.aws.region }}"
{{- with .Values.config.proxy }}
2 changes: 2 additions & 0 deletions charts/gundeck/templates/secret.yaml
@@ -1,3 +1,4 @@
{{- if hasKey .Values.secrets "awsKeyId" }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -13,3 +14,4 @@ data:
awsKeyId: {{ .awsKeyId | b64enc | quote }}
awsSecretKey: {{ .awsSecretKey | b64enc | quote }}
{{- end }}
{{- end }}