Merge pull request #824 from wireapp/standardize-deployment-features

Veki301 · web-flow · commit c99cdfc420c5 · 2025-12-17T12:25:56.000+01:00
Standardize deployment features
diff --git a/ansible/roles/rabbitmq-cluster/tasks/config.yml b/ansible/roles/rabbitmq-cluster/tasks/config.yml
@@ -7,7 +7,7 @@
     group: root
     mode: 0644
   with_items:
-    - { src: etc/default/rabbitmq-server.j2 , dest: /etc/default/rabbitmq-server }
+    - { src: etc/default/rabbitmq-server.j2, dest: /etc/default/rabbitmq-server }
     - { src: etc/rabbitmq/rabbitmq.config.j2, dest: /etc/rabbitmq/rabbitmq.config }
     # - { src: etc/rabbitmq/rabbitmq-env.conf.j2, dest: /etc/rabbitmq/rabbitmq-env.conf }
   notify:
@@ -18,15 +18,12 @@
     name: rabbitmq-server
     state: restarted
 
-# - name: Enable the plugins is installed
-#   rabbitmq_plugin:
-#     names: "{{ item }}"
-#     prefix: /usr/lib/rabbitmq
-#     state: enabled
-#     new_only: yes
-#   with_items: "{{ rabbitmq_plugins }}"
-#   notify:
-#     restart rabbitmq-server
+- name: Enable the plugins is installed
+  command: rabbitmq-plugins enable --offline {{ item }}
+  with_items: "{{ rabbitmq_plugins }}"
+  register: plugin_result
+  changed_when: "'already enabled' not in plugin_result.stdout"
+  notify: restart rabbitmq-server
 
 - name: restart rabbitmq-server
   service:
diff --git a/bin/offline-helm.sh b/bin/offline-helm.sh
@@ -3,12 +3,26 @@
 set -euo pipefail
 set -x
 
+sync_pg_secrets() {
+  # Sync postgresql secret
+  ./bin/sync-k8s-secret-to-wire-secrets.sh \
+    wire-postgresql-external-secret \
+    password \
+    values/wire-server/secrets.yaml \
+    .brig.secrets.pgPassword \
+    .galley.secrets.pgPassword \
+    .spar.secrets.pgPassword \
+    .gundeck.secrets.pgPassword
+}
+
 helm upgrade --install --wait cassandra-external ./charts/cassandra-external --values ./values/cassandra-external/values.yaml
 helm upgrade --install --wait postgresql-external ./charts/postgresql-external --values ./values/postgresql-external/values.yaml
 helm upgrade --install --wait elasticsearch-external ./charts/elasticsearch-external --values ./values/elasticsearch-external/values.yaml
 helm upgrade --install --wait minio-external ./charts/minio-external --values ./values/minio-external/values.yaml
 helm upgrade --install --wait fake-aws ./charts/fake-aws --values ./values/fake-aws/prod-values.example.yaml
 
+sync_pg_secrets
+
 # ensure that the RELAY_NETWORKS value is set to the podCIDR
 SMTP_VALUES_FILE="./values/smtp/prod-values.example.yaml"
 podCIDR=$(kubectl get configmap -n kube-system kubeadm-config -o yaml | grep -i 'podSubnet' | awk '{print $2}' 2>/dev/null)
@@ -20,12 +34,11 @@ else
 fi
 helm upgrade --install --wait smtp ./charts/smtp --values $SMTP_VALUES_FILE
 
-# remove postgresql chart as postgresql is now external
-# helm upgrade --install --wait postgresql ./charts/postgresql --values ./values/postgresql/prod-values.example.yaml --values ./values/postgresql/prod-secrets.example.yaml
 helm upgrade --install --wait rabbitmq ./charts/rabbitmq --values ./values/rabbitmq/prod-values.example.yaml --values ./values/rabbitmq/prod-secrets.example.yaml
 # it will only deploy the redis cluster
 helm upgrade --install --wait databases-ephemeral ./charts/databases-ephemeral --values ./values/databases-ephemeral/prod-values.example.yaml
 helm upgrade --install --wait reaper ./charts/reaper --values ./values/reaper/prod-values.example.yaml
+
 helm upgrade --install --wait --timeout=30m0s wire-server ./charts/wire-server --values ./values/wire-server/prod-values.example.yaml --values ./values/wire-server/secrets.yaml
 
 # if charts/webapp directory exists
diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh
@@ -22,6 +22,18 @@ zauth_private=$(echo "$zauth" | awk 'NR==2{ print $2}')
 
 prometheus_pass="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)"
 
+# Generate MLS private keys using openssl
+# Keys need 10 spaces indent (5 levels deep: galley > secrets > mlsPrivateKeys > removal > keyname)
+readonly MLS_KEY_INDENT="          "
+generate_mls_key() {
+    openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'
+}
+
+mls_ed25519_key="$(generate_mls_key -algorithm ed25519)"
+mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)"
+mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)"
+mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)"
+
 if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]; then
   echo "Writing $VALUES_DIR/wire-server/secrets.yaml"
   cat <<EOF > $VALUES_DIR/wire-server/secrets.yaml
@@ -37,8 +49,8 @@ brig:
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
     # These are only necessary if you wish to support sign up via SMS/calls
     # And require accounts at twilio.com / nexmo.com
     setTwilio: |-
@@ -52,25 +64,38 @@ cargohold:
     awsKeyId: "$minio_cargohold_access_key"
     awsSecretKey: "$minio_cargohold_secret_key"
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 cannon:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 galley:
   secrets:
+    rabbitmq:
+      username: guest
+      password: guest
     pgPassword: verysecurepassword
     awsKeyId: dummykey
     awsSecretKey: dummysecret
+    mlsPrivateKeys:
+      removal:
+        ed25519: |
+$mls_ed25519_key
+        ecdsa_secp256r1_sha256: |
+$mls_ecdsa_p256_key
+        ecdsa_secp384r1_sha384: |
+$mls_ecdsa_p384_key
+        ecdsa_secp521r1_sha512: |
+$mls_ecdsa_p521_key
 gundeck:
   secrets:
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 nginz:
   secrets:
     zAuth:
@@ -86,8 +111,8 @@ team-settings:
 background-worker:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 EOF
 
 fi
diff --git a/changelog.d/5-bug-fixes/standardize-features b/changelog.d/5-bug-fixes/standardize-features
@@ -0,0 +1,3 @@
+Added: missing webapp feature flags to webapp example values
+Added: config for MLS deployment into example files
+Added: config for Federation deployment into example files
diff --git a/values/coturn/prod-values.example.yaml b/values/coturn/prod-values.example.yaml
@@ -1 +1,28 @@
-# using upstream values for coturn helm
+# using upstream values for coturn helm
+replicaCount: 3
+# image:
+#  tag: some-tag # (only override if you want a newer/different version than what is in the chart)
+config:
+  verboseLogging: false
+# rateLimit:
+#   allowlist: # List of IPs to be excluded from rate limiting
+#     -
+coturnTurnExternalIP: "__COTURN_EXT_IP__"
+coturnTurnListenIP: "__COTURN_HOST_IP__"
+coturnTurnRelayIP: "__COTURN_HOST_IP__"
+coturnFederationListeningIP: "__COTURN_HOST_IP__"
+# Uncomment to enable federation
+# federate:
+#   enabled: true
+#   port: 9191
+#   dtls:
+#     enabled: true
+#     tls:
+#       issuerRef: letsencrypt-http01
+#       kind: ClusterIssuer
+#     certificate:
+#       dnsNames:
+#         - coturn.example.com
+#         - coturn-0.example.com
+#         - coturn-1.example.com
+#         - coturn-2.example.com
diff --git a/values/nginx-ingress-services/prod-secrets.example.yaml b/values/nginx-ingress-services/prod-secrets.example.yaml
@@ -3,6 +3,10 @@
 # as the ingress seems to simply "swallow" errors if any (and serve the Fake default certificate
 # which is highly confusing)
 secrets:
+  tlsClientCA: | # for federating backends root CA certificates
+    -----BEGIN CERTIFICATE-----
+    .... THEIR CERTIFICATE ....
+    -----END CERTIFICATE-----
   tlsWildcardCert: |
     -----BEGIN CERTIFICATE-----
     .... OWN CERTIFICATE ......
diff --git a/values/rabbitmq/prod-secrets.example.yaml b/values/rabbitmq/prod-secrets.example.yaml
@@ -1,4 +1,4 @@
 rabbitmq:
   auth:
-    username: wire-server
-    password: verysecurepassword
+    username: guest
+    password: guest
diff --git a/values/sftd/prod-values.example.yaml b/values/sftd/prod-values.example.yaml
@@ -1,7 +1,17 @@
+replicaCount: 3
+# image:
+#   tag: some-tag # (only override if you want a newer/different version than what is in the chart)
 allowOrigin: https://webapp.example.com
 host: sftd.example.com
-replicaCount: 3
 tls:
   issuerRef:
     name: letsencrypt-http01
     kind: ClusterIssuer
+# Uncomment to enable SFT to SFT communication for federated calls
+# multiSFT:
+#   enabled: true
+#   discoveryRequired: false
+#   turnServerURI: "turn:coturn.public.ip.address:3478?transport=udp"
+#   secret: "coturn_zrest_secret"
+# Turn on secondary IP listener (for internal IP) when using federation
+# internalIpListener: false
diff --git a/values/webapp/prod-values.example.yaml b/values/webapp/prod-values.example.yaml
@@ -19,7 +19,14 @@ envVars:
   FEATURE_ENABLE_DEBUG: "false"
   FEATURE_ENABLE_PHONE_LOGIN: "false"
   FEATURE_ENABLE_SSO: "false"
+  FEATURE_ENABLE_IN_CALL_REACTIONS: "true"
+  FEATURE_ENABLE_IN_CALL_HAND_RAISE: "true"
+  FEATURE_ENABLE_DETACHED_CALLING_WINDOW: "true"
+  FEATURE_ENABLE_MESSAGE_FORMAT_BUTTONS: "true"
   FEATURE_SHOW_LOADING_INFORMATION: "false"
+  FEATURE_ENABLE_CHANNELS: "false"
+  FEATURE_ENABLE_CHANNELS_HISTORY_SHARING: "false"
+  FEATURE_ENABLE_PUBLIC_CHANNELS: "false"
   URL_ACCOUNT_BASE: "https://account.example.com"
   #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed?
   URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions"
diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml
@@ -32,8 +32,8 @@ brig:
 cannon:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 cargohold:
   secrets:
@@ -42,8 +42,8 @@ cargohold:
     awsKeyId: dummykey # replace with minio_cargohold_access_key
     awsSecretKey: dummysecret # replace with minio_cargohold_secret_key
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 galley:
   secrets:
@@ -55,15 +55,29 @@ galley:
     rabbitmq:
       username: guest
       password: guest
+    mlsPrivateKeys:
+      removal:
+        ed25519: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp256r1_sha256: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp384r1_sha384: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
+        ecdsa_secp521r1_sha512: |
+          -----BEGIN PRIVATE KEY-----
+          -----END PRIVATE KEY-----
 
 gundeck:
   secrets:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 proxy:
   secrets:
@@ -92,8 +106,8 @@ nginz:
 background-worker:
   secrets:
     rabbitmq:
-      username: wire-server
-      password: verysecurepassword
+      username: guest
+      password: guest
 
 # Uncomment for legalhold. Set values accordingly
 
diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Added: missing webapp feature flags to webapp example values`
	`2`	`+Added: config for MLS deployment into example files`
	`3`	`+Added: config for Federation deployment into example files`