Release 2022-06-07 - (expected chart version 4.13.0) #2454
Closed
* charts/brig: Support running brig with GeoIP database Co-authored-by: jschaul <[email protected]>
* New internal brig endpoints for galley use * Tests * chore(changelog)
Merge master back into develop for release 2022-05-18
…#2416) Co-authored-by: jschaul <[email protected]>
* Convert CSV endpoint to Servant * Add response header support to LowLevelStream
…lass-have-defaults-for-all-features (#2404)
Co-authored-by: Paolo Capriotti <[email protected]>
* Add security response about wire.com outage on 2022-05-23 Co-authored-by: sanojwr <[email protected]>
By default, incoming network traffic for websockets comes through these network hops:
Internet -> LoadBalancer -> kube-proxy -> nginx-ingress-controller -> nginz -> cannon
In order to have graceful draining of websockets when something gets restarted (as implemented in #2416), as it is not easily possible to implement the graceful draining on nginx-ingress-controller or nginz by itself, with this PR there is now a configuration option to get the following network hops:
Internet -> separate LoadBalancer for cannon only -> kube-proxy -> [nginz->cannon (2 containers in the same pod)]
More context: https://wearezeta.atlassian.net/wiki/spaces/PS/pages/585564424/How+to+gracefully+drain+cannon+but+not+so+slowly
FUTUREWORK: this introduces some nginz config duplication; some way to refactor this (e.g. by moving charts/{cannon, nginz}/* to charts/wire-server/ in a backwards-compatible way) would allow to reduce this duplication.
Co-authored-by: jschaul <[email protected]>
* Simplify the federated welcome message request
* Add a couple of tests for remote welcomes
* Reuse sendLocalWelcomes
* We never fail when dereferencing on the remote end fails
* Log a remote backend failing to decode a message
* Federation call: throw internal error
* Parallelise sending welcome messages
Co-authored-by: Paolo Capriotti <[email protected]>
…unts-with-saml-credentials (#2430)
Export NIX_BUILD_SHELL for cabal also.
…owlisting (#2438)
Some internal test environments, like staging, must allow requests from arbitrary domains which different teams use. It should also allow requests from localhost:<some-port>. This PR expands the purpose of nginx_conf.randomport_allowlisted_origins to allow any arbitrary host name.
Linted Cannon.
Linted Spar test files
Lint cargohold
They've deleted the versions we use from the latest index. More details: bitnami/charts#10539
Linted Gundeck
fisx approved these changes Jun 7, 2022
[2022-06-07] (Chart Release 4.13.0)
Release notes
The .cannon.drainTimeout setting on the wire-server helm chart has been removed and replaced with .cannon.config.drainOpts. (Cannon: Drain websockets in a controlled fashion on SIGTERM or SIGINT #2416)
Note for wire.com operators: deploy nginz (Disable rate limiting for /api-version #2439)
API changes
Features
Drain websockets in a controlled fashion when cannon receives a SIGTERM or
SIGINT. Instead of waiting for connections to close on their own, the websockets
are now severed at a controlled pace. This allows for quicker rollouts of new
versions. (Cannon: Drain websockets in a controlled fashion on SIGTERM or SIGINT #2416)
Optionally allow to run cannon with its own nginz inside the same pod; and connect to a load balancer directly.
This allows the cannon-slow-drain behaviour implemented in Cannon: Drain websockets in a controlled fashion on SIGTERM or SIGINT #2416 to take effect by not having other intermediate network hops which could break websocket connections all at once.
Some (internal) context: https://wearezeta.atlassian.net/wiki/spaces/PS/pages/585564424/How+to+gracefully+drain+cannon+but+not+so+slowly
For details on how to configure this, see docs/src/how-to/install/configuration-options.rst (charts/cannon: Bundle nginz and expose directly to load balancer #2421)
Support running brig with GeoIP database when using helm charts (charts/brig: Support running brig with GeoIP database #2406)
charts/nginz: Add upstream configuration for galeb (charts/nginz: Support galeb and allow upstream services to be in another namespace #2444)
charts/nginz: Allow upstreams to be in other namespaces (charts/nginz: Support galeb and allow upstream services to be in another namespace #2444)
CSV export in team management now includes the number of devices per user (Sqservices 1546 number of devices in csv export in tm #2407)
Bug fixes and other updates
When an IdP issuer (aka entity ID) is updated, the old issuer was still marked as "in use". (SQSERVICES-1519 IdP for SAML that was overridden by update cannot be added again #2400)
On actions that require re-authentication a password is not required if the user has SAML credentials (SQSERVICES-1557-be-unexpected-logic-in-password-verification-for-accounts-with-saml-credentials #2430, SQSERVICES-1557 Added integration test #2434, Fixed check for SAML user #2437)
Documentation
Internal changes
AllFeatureConfigs is now typed (SQSERVICES-559 make AllFeatureConfigs typed #2403)
Type class for default team feature status (SQSERVICES-1560-more-canonical-handling-of-hard-wired-defaults-type-class-have-defaults-for-all-features #2404)
charts/{redis-ephemeral,legalhold}: Use old index for bitnami repo as the new index doesn't have old versions of postgresql and redis helm charts (Use old bitnami helm repo from git for redis and postgresql #2448)
Bump haskell/zlib version to 0.6.3.0 (Bump haskell/zlib to 0.6.3.0 #2431)
New internal brig endpoints for MLS KeyPackage -> Conversation association query/update (KeyPackage -> Conversation Internal API #2375)
galley: refactor withSettingsOverrides (galley: refactor withSettingsOverrides #2381)
charts/{nginz,cannon}: Increase map_hash_bucket_size for nginx to 128 (charts/{cannon,nginz}: Increase map_hash_bucket_size for nginx to 128 #2443)
charts/{cannon,nginz}: values listed in nginx_conf.randomport_allowlisted_origins must be full hostnames. Hostnames listed here will be allowlisted with and without TLS. (charts/{cannon,nginz}: Allow configuring arbitrary hosts for CORS allowlisting #2438)
Remove binding of users to saml idps using saml (this has never been picked up by clients; use scim instead) (Remove binding of users to saml idps using saml. #2441)
Remove golden test case generator (Remove golden test case generator #2442)
Convert Team CSV endpoint to Servant (Servantify Team CSV endpoint #2419)
Federation changes