Release 2023-04-17 - (expected chart version 4.35.0) #3230
Merged
* Docs: add a client API version bump checklist * Add a changelog Co-authored-by: fisx <[email protected]>
* Introduce VersionNumber newtype. See `/libs/wire-api/test/unit/Test/Wire/API/Routes/Version.hs` for explanation. Co-authored-by: Sven Tennie <[email protected]> Co-authored-by: Paolo Capriotti <[email protected]> Co-authored-by: Stefan Matting <[email protected]> Co-authored-by: Leif Battermann <[email protected]>
Co-authored-by: Zebot <[email protected]>
* FS-51 Report unavailable clients for Proteus messages Changing the return types to match the ticket. Adding tests and fixing some logic errors. * testing changes. Reworking how failing federators are tested. Rewriting the test, basing it off an existing test that is almost what is needed, and removing the prior test. * FS-51: Adding changes from PR review and more tests * Updating tests * FS-51: Moving unit tests to a better module * FS-51: Formatting and linters * FS-51: Updating nix with generate-local-nix-packages.sh * FS-51: Fixing an error
* Downgrade to our fork of http2 It seems the released version of http2 is causing issues with streaming of assets via federator. * Add CHANGELOG entry
Master->Develop after release
* Fix ES reset command in Makefile * fixup! Fix ES reset command in Makefile
* Upgrade cachix to 1.3.1 * Trivial change to force rebuilding of haddocks
* Add `flakyTestCase` command and use it. This should make life slightly more bearable for everybody including concourse, while still allowing to run the pending tests locally by setting `RUN_FLAKY_TESTS=1`. * Make sanitize-pr faster by only looking at changed files.
Add docs for creating diagrams in markdown files
…on (#3134) * FS-1530: Allow partial success when removing users from conversations * FS-1530 Adding tests for deleting conversations and removing members * FS-1530 Formatting and hlint * Hi CI * HI CI --------- Co-authored-by: Marko Dimjašević <[email protected]> Co-authored-by: Igor Ranieri <[email protected]>
This reverts commit cad8b61.
…ord restrictions when setting a password (#3137)
As discussed with QA and security: This adds TLS (HTTPS) and HTTP basic authentication to the inbucket Helm chart. (It was: No authentication, no HTTPS.)
This is not used by CI, and whenever our ghc version string (coming from nixpkgs) changes, we need to manually update this. Our `ghc` is coming from nixpkgs, which is pulled in by the dev env, there's no need to have another pin/restriction here.
cabal.project: drop with-compiler statement
* Make exports explicit. * Don't version-control internal APIs (code and test). * Update docs. * Fix docs: legalhold is not a service. Co-authored-by: Sven Tennie <[email protected]> --------- Co-authored-by: Sven Tennie <[email protected]>
* Make cassandra table dump update rule faster. * Correct code comments. * Make flaky test potentially slightly less flaky.
* FS-879 Adding a new list-users route that can return partial successes * FS-897: Updates before pulling in upstream changes * FS-897: Merging in upstream changes and adding golden tests * FS-897: Updating an integration test, setting API version. * FS-897: Updating tests and types to remove an edge case in output. * FS-897: Fixing tests and moving files * FS-897: PR formatting * FS-897: Updating names to reflect their api version --------- Co-authored-by: Igor Ranieri <[email protected]>
Increase default of liveness/readiness probe and make it configurable. Under high load, the default of failureThreshold=3 timeoutSeconds=1 can lead to restarts of the coturn pod due to the http port being temporarily starved of CPU, leading to an unnecessary restart of the coturn pods. This change should make this less frequent and improve call stability.
Add memory-backed mount /var/lib/coturn to store SQLite DB to improve performance, as described on https://github.com/wireapp/coturn/tree/master/docker/coturn#persistence
* FS-1517 Partial success on fetch prekeys Adding a new version of the list-prekeys routes that can return partial successes, listing qualified users that they weren't able to list. * FS-1517: Updating based on PR feedback before merging in changes * FS-1517. Merging upstream changes, updating and fixing new tests * FS-1517: Updating tests and pulling out some common code * FS-1517 Updating tests based on feedback * FS-1517: PR formatting --------- Co-authored-by: Igor Ranieri <[email protected]>
This adds sphinxcontrib.plantuml, to support rendering PlantUML diagrams directly, rather than committing rendered images directly. It then re-rolls the "Wire SAML Authentication Flow" diagram in plantuml, fixing the typo recirect/redirect.
docs: render plantuml
* Fix Swagger docs for failed_to_send and QualifiedUserClients fields in Proteus
Corrected a spelling mistake in docs-sso-okta
* Add call hierarchy and documentation. * Fix typo
Co-authored-by: Zebot <[email protected]>
elland approved these changes Apr 18, 2023
[2023-04-17] (Chart Release 4.35.0)
Release notes
Wire cloud operators only: Before deploying apply the changes from https://github.com/zinfra/cailleach/pull/1586 to production as well. (Add release note for Wire cloud operators #3146)
New 'ingress-nginx-controller' wrapper chart compatible with kubernetes versions [1.23 - 1.26]. The old one 'nginx-ingress-controller' (compatible only up to k8s 1.19) is now DEPRECATED.
We advise upgrading your version of kubernetes in use to 1.23 or higher (we tested on kubernetes version 1.26), and making use of the new ingress controller chart. Main features:
The 'kind: Ingress' resources installed via 'nginx-ingress-services' chart remain compatible with both the old and the new ingress controller, and k8s versions [1.18 - 1.26]. In case you upgrade an existing kubernetes cluster (not recommended), you may need to first uninstall the old controller before installing the new controller chart.
In case you have custom overrides, you need to modify the directory name and top-level configuration key:
and double-check if all overrides you use are indeed provided under the same name by the upstream chart. See also the default overrides in the default values.yaml.
In case you use helmfile change your ingress controller like this:
For more information read the documentation under https://docs.wire.com/how-to/install/ingress.html (or go to https://docs.wire.com and search for "ingress-nginx-controller") (New ingress controller chart #3140)
If you are using OAuth (`optSettings.setOAuthEnabled: true` in brig config): before the deployment of wire-server the private and public keys for OAuth have to be provided for `brig` and `nginz` (see `docs/src/developer/reference/oauth.md` for more information) (OAuth #2989)
Upgrade webapp version to 2023-04-11-production.0-v0.31.13-0-bb91157 (Update webapp version in Helm chart [skip ci] #2302)
API changes
Adding a new version of /list-users that allows for partial success. (Fs 897 partial success for list users #3117)
Added a `failed_to_send` field to response when sending mls messages. ([FS-1493]: Report federated message sending errors to clients #3081)
List failed-to-add remote users in response to `POST /conversations` ([FS-1147] Proteus: Support creating a conversation when remote backends are unavailable #3150)
Updating the V4 version of /users/list-prekeys to return partial successes, listing users that could not be listed. (FS-1517 Partial success on fetch prekeys #3108)
Non-binding team endpoints are removed from API version V4 ([SQSERVICES-1619] Tech Debt Remove Non Binding Teams Code #3213)
Features
Add TLS and basic authentication to the inbucket (fake webmailer) ingress. (inbucket Helm chart: TLS and basic authentication #3161)
OAuth support for authorization of a curated list of 3rd party applications (see https://docs.wire.com/developer/reference/oauth.html for details) (OAuth #2989)
Enforce a minimum length of 8 characters when setting a new password ([SQSERVICES-1931] wire server allow backend to enforce stronger password restrictions when setting a password #3137)
Optional password for guest links ([SQSERVICES-1693] Guest links with passwords #3149)
Authorization Code Flow with PKCE support ([SQSERVICES 1953] Support OAuth Auhorization Code Flow with PKCE #3165)
`conversations/join` endpoint rate limited per IP address ([SQSERVICES-1980] Guest Links Password Retry Limit #3202)
Bug fixes and other updates
coturn helm chart: use a memory-backed folder to store SQLite DB to improve performance (coturn helm chart: use a memory-backed mount #3220)
Coturn helm chart: Increase the default timeout of liveness/readiness probe and make it configurable (Coturn helm chart: Increase liveness timeout #3218)
When using the (now deprecated) ingress controller on older versions of kubernetes, ensure query parameters are not logged in the ingress logs (old-ingress-stop-logging-query-parameters #3139)
Fix version parsing in swagger-ui end-points (Fix version paths #3152)
Fix a rate-limit exemption whereby authenticated endpoints did not get the unlimited_requests_endpoint, if set, applied. This is a concern for the webapp and calls to /assets, which can happen in larger numbers on initial loading. A previous change in this PR had no effect. This PR also increases default rate limits, to compensate for new ingress controller chart's default topologyAwareRouting. (nginz: enable unlimited_requests_endpoint for authenticated requests, too #3138, Nginz: rate-limiting follow-up to #3138 #3201)
Documentation
Add a client API version bump checklist (Add a client API version bump checklist #3135)
Fix the Swagger documentation for the failed_to_send field in the response of the Proteus message sending endpoint ([FS-51] Fix Swagger for failed_to_send in Proteus #3223)
Extend docs to support rendering plantuml directly, rewrote the saml flow diagram in plantuml. (docs: render plantuml #3226)
Allow swagger on disabled versions. (Allow swagger on disabled versions. #3196)
Documentation of setting up SSO integration with Okta was outdated with images from Okta Classic UI; the new version was updated using Okta's latest design. (Update of sso integration documentation #3175)
Internal changes
When sending a push message, stop deleting the push token and start recreating ARN when ARN is reported as invalid on AWS, but push token still is present in Cassandra. This allows on-demand migrations from one AWS account used for push notifications to another one. (try recreating ARN when token exists in Cassandra #3162)
We don't explicitly set with-compiler inside the cabal.project file anymore, because the version of GHC is controlled by Nix, and our nixpkgs pin. (cabal.project: drop with-compiler statement #3209)
`kubectl` to default from the nixpkgs channel (currently `1.26`) by removing the manual version pin on 1.19
`helmfile` to default from the nixpkgs channel by removing the manual version pin
`helm` to default from the nixpkgs channel by removing the manual version pin
`kubelogin-oidc` so the kubectl in this environment can also talk to kubernetes clusters using OIDC (New ingress controller chart #3140)
Make new record syntax a language default (New record syntax #3192)
nixpkgs has been bumped to a more recent checkout (8c619a1f3cedd16ea172146e30645e703d21bfc1 -> 402cc3633cc60dfc50378197305c984518b30773, 2023-02-12 -> 2023-03-28). (Bump nixpkgs #3206)
Introduce VersionNumber newtype (see `/libs/wire-api/src/Wire/API/Routes/Version.hs` for explanation) (Introduce VersionNumber newtype. #3075)
Fix a memory leak in `gundeck` when Redis is offline (Fix gundeck leak #3136)
Rust library `rusty-jwt-tools` upgraded to latest version ([SQSERVICES-1942] Fix DPoP access token error propagation (2/2) #3142)
Updated rusty-jwt-tools to version 0.3.4 (rusty_jwt_tools_ffi: bump + fix build #3194)
Integration tests for backoffice/stern (Stern Integration Tests #3216)
ormolu: don't redundantly add language extensions from dead package-defaults.yaml (Unclutter ormolu script #3193)
Stop support for versions on internal APIs (Un-version internal apis #3200)
helm charts: bump kubectl docker images from 1.19.7 to 1.24.12 (upgrade kubectl images #3221)
Add an option (`UPLOAD_LOGS`) to upload integration test logs to AWS S3. (Upload test results to AWS #3169)
Federation changes
Do not cause denial of service when creating a conversation with users from an unreachable backend ([FS-1147] Proteus: Support creating a conversation when remote backends are unavailable #3150)
Report federated Proteus message sending errors to clients (FS-51 Report unavailable clients for Proteus messages #3097)
Fix bug with asset downloads and large federated responses (Use openssl instead of tls in federator http2 client #3154)