configure brig cassandra client for background worker

Author: battermann

charts/background-worker/README.md

@@ -1,5 +1,19 @@
-Note that background-worker depends on some provisioned storage, namely:
+Note that background-worker depends on some provisioned storage/services, namely:
 
 - rabbitmq
+- postgresql
+- cassandra (two clusters)
+
+PostgreSQL configuration
+- Set connection parameters under `config.postgresql` (libpq keywords: `host`, `port`, `user`, `dbname`, etc.).
+- Provide the password via `secrets.pgPassword`; it is mounted at `/etc/wire/background-worker/secrets/pgPassword` and referenced from the configmap.
+
+Cassandra configuration
+- Background-worker connects to two Cassandra clusters:
+  - `config.cassandraGundeck` (keyspace: `gundeck`) for the dead user notification watcher.
+  - `config.cassandraBrig` (keyspace: `brig`) for the user store.
+- TLS may be configured via either a reference (`tlsCaSecretRef`) or inline CA (`tlsCa`) for each cluster. Secrets mount under:
+  - `/etc/wire/background-worker/cassandra-gundeck`
+  - `/etc/wire/background-worker/cassandra-brig`
 
 These are dealt with independently from this chart.

charts/background-worker/templates/_helpers.tpl

@@ -8,18 +8,26 @@
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
 
-{{- define "useCassandraTLS" -}}
-{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- define "useGundeckCassandraTLS" -}}
+{{ or (hasKey .cassandraGundeck "tlsCa") (hasKey .cassandraGundeck "tlsCaSecretRef") }}
 {{- end -}}
 
-{{/* Return a Dict of TLS CA secret name and key
-This is used to switch between provided secret (e.g. by cert-manager) and
-created one (in case the CA is provided as PEM string.)
-*/}}
-{{- define "tlsSecretRef" -}}
-{{- if .cassandra.tlsCaSecretRef -}}
-{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- define "useBrigCassandraTLS" -}}
+{{ or (hasKey .cassandraBrig "tlsCa") (hasKey .cassandraBrig "tlsCaSecretRef") }}
+{{- end -}}
+
+{{- define "gundeckTlsSecretRef" -}}
+{{- if .cassandraGundeck.tlsCaSecretRef -}}
+{{ .cassandraGundeck.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "background-worker-cassandra-gundeck" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "brigTlsSecretRef" -}}
+{{- if .cassandraBrig.tlsCaSecretRef -}}
+{{ .cassandraBrig.tlsCaSecretRef | toYaml }}
 {{- else }}
-{{- dict "name" "background-worker-cassandra" "key" "ca.pem" | toYaml -}}
+{{- dict "name" "background-worker-cassandra-brig" "key" "ca.pem" | toYaml -}}
 {{- end -}}
 {{- end -}}

charts/background-worker/templates/cassandra-secret.yaml

@@ -1,15 +1,30 @@
-{{/* Secret for the provided Cassandra TLS CA. */}}
-{{- if not (empty .Values.config.cassandra.tlsCa) }}
+{{/* Secrets for provided Cassandra TLS CAs */}}
+{{- if not (empty .Values.config.cassandraGundeck.tlsCa) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: background-worker-cassandra
+  name: background-worker-cassandra-gundeck
   labels:
     app: background-worker
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+  ca.pem: {{ .Values.config.cassandraGundeck.tlsCa | b64enc | quote }}
+{{- end }}
+{{- if not (empty .Values.config.cassandraBrig.tlsCa) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: background-worker-cassandra-brig
+  labels:
+    app: background-worker
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.config.cassandraBrig.tlsCa | b64enc | quote }}
 {{- end }}

charts/background-worker/templates/configmap.yaml

@@ -21,13 +21,22 @@ data:
       host: federator
       port: 8080
 
-    cassandra:
+    cassandraGundeck:
       endpoint:
-        host: {{ .cassandra.host }}
+        host: {{ .cassandraGundeck.host }}
         port: 9042
       keyspace: gundeck
-      {{- if eq (include "useCassandraTLS" .) "true" }}
-      tlsCa: /etc/wire/background-worker/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }}
+      {{- if eq (include "useGundeckCassandraTLS" .) "true" }}
+      tlsCa: /etc/wire/background-worker/cassandra-gundeck/{{- (include "gundeckTlsSecretRef" . | fromYaml).key }}
+      {{- end }}
+
+    cassandraBrig:
+      endpoint:
+        host: {{ .cassandraBrig.host }}
+        port: 9042
+      keyspace: brig
+      {{- if eq (include "useBrigCassandraTLS" .) "true" }}
+      tlsCa: /etc/wire/background-worker/cassandra-brig/{{- (include "brigTlsSecretRef" . | fromYaml).key }}
       {{- end }}
 
     {{- with .rabbitmq }}

charts/background-worker/templates/deployment.yaml

@@ -39,10 +39,15 @@ spec:
         - name: "background-worker-secrets"
           secret:
             secretName: "background-worker"
-        {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
-        - name: "background-worker-cassandra"
+        {{- if eq (include "useGundeckCassandraTLS" .Values.config) "true" }}
+        - name: "background-worker-cassandra-gundeck"
           secret:
-            secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }}
+            secretName: {{ (include "gundeckTlsSecretRef" .Values.config | fromYaml).name }}
+        {{- end }}
+        {{- if eq (include "useBrigCassandraTLS" .Values.config) "true" }}
+        - name: "background-worker-cassandra-brig"
+          secret:
+            secretName: {{ (include "brigTlsSecretRef" .Values.config | fromYaml).name }}
         {{- end }}
         {{- if .Values.config.rabbitmq.tlsCaSecretRef }}
         - name: "rabbitmq-ca"
@@ -62,9 +67,13 @@ spec:
             mountPath: "/etc/wire/background-worker/secrets"
           - name: "background-worker-config"
             mountPath: "/etc/wire/background-worker/conf"
-          {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
-          - name: "background-worker-cassandra"
-            mountPath: "/etc/wire/background-worker/cassandra"
+          {{- if eq (include "useGundeckCassandraTLS" .Values.config) "true" }}
+          - name: "background-worker-cassandra-gundeck"
+            mountPath: "/etc/wire/background-worker/cassandra-gundeck"
+          {{- end }}
+          {{- if eq (include "useBrigCassandraTLS" .Values.config) "true" }}
+          - name: "background-worker-cassandra-brig"
+            mountPath: "/etc/wire/background-worker/cassandra-brig"
           {{- end }}
           {{- if .Values.config.rabbitmq.tlsCaSecretRef }}
           - name: "rabbitmq-ca"

charts/background-worker/values.yaml

@@ -40,7 +40,10 @@ config:
     # tlsCaSecretRef:
     #   name: <secret-name>
     #   key: <ca-attribute>
-  cassandra:
+  # Cassandra clusters used by background-worker
+  cassandraGundeck:
+    host: aws-cassandra
+  cassandraBrig:
     host: aws-cassandra
 
   backendNotificationPusher:

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -58,6 +58,7 @@ brig:
       teamCreatorWelcome: https://teams.wire.com/login
       teamMemberWelcome: https://wire.com/download
       accountPages: https://account.wire.com
+    # Background-worker uses Brig's Cassandra keyspace.
     cassandra:
       host: {{ .Values.cassandraHost }}
       replicaCount: 1
@@ -607,7 +608,16 @@ background-worker:
       concurrency: 8
       jobTimeout: 60
       maxAttempts: 3
-    cassandra:
+    # Cassandra clusters used by background-worker
+    cassandraGundeck:
+      host: {{ .Values.cassandraHost }}
+      replicaCount: 1
+      {{- if .Values.useK8ssandraSSL.enabled }}
+      tlsCaSecretRef:
+          name: "cassandra-jks-keystore"
+          key: "ca.crt"
+      {{- end }}
+    cassandraBrig:
       host: {{ .Values.cassandraHost }}
       replicaCount: 1
       {{- if .Values.useK8ssandraSSL.enabled }}

services/background-worker/background-worker.integration.yaml

@@ -8,12 +8,18 @@ federatorInternal:
   host: 127.0.0.1
   port: 8097
 
-cassandra:
+cassandraGundeck:
   endpoint:
     host: 127.0.0.1
     port: 9042
   keyspace: gundeck_test
 
+cassandraBrig:
+  endpoint:
+    host: 127.0.0.1
+    port: 9042
+  keyspace: brig_test
+
 rabbitmq:
   host: 127.0.0.1
   port: 5671

services/background-worker/src/Wire/BackgroundWorker/Env.hs

@@ -55,7 +55,8 @@ data Env = Env
     backgroundJobsConfig :: BackgroundJobsConfig,
     workerRunningGauge :: Vector Text Gauge,
     statuses :: IORef (Map Worker IsWorking),
-    cassandra :: ClientState,
+    gundeckCassandra :: ClientState,
+    brigCassandra :: ClientState,
     hasqlPool :: HasqlPool.Pool,
     backgroundJobsQueue :: MVar Q.Channel
   }
@@ -80,7 +81,8 @@ mkWorkerRunningGauge =
 mkEnv :: Opts -> IO Env
 mkEnv opts = do
   logger <- Log.mkLogger opts.logLevel Nothing opts.logFormat
-  cassandra <- defInitCassandra opts.cassandra logger
+  gundeckCassandra <- defInitCassandra opts.cassandraGundeck logger
+  brigCassandra <- defInitCassandra opts.cassandraBrig logger
   http2Manager <- initHttp2Manager
   httpManager <- newManager defaultManagerSettings
   let federatorInternal = opts.federatorInternal

services/background-worker/src/Wire/BackgroundWorker/Jobs/Registry.hs

@@ -28,7 +28,7 @@ dispatchJob job = do
         . mapError @BackgroundJobError (T.pack . show)
         . mapError @UsageError (T.pack . show)
         . runInputConst @Pool env.hasqlPool
-        . interpretUserStoreCassandra env.cassandra
+        . interpretUserStoreCassandra env.brigCassandra
         . interpretUserGroupStoreToPostgres
         . runInputSem (readMVar env.backgroundJobsQueue)
         . interpretBackgroundJobsPublisherRabbitMQ job.requestId