WPB-6309 deploy the released mandarin version in kind dev environment

Makefile

@@ -512,6 +512,7 @@ guard-inotify:
 
 .PHONY: kind-integration-setup
 kind-integration-setup: guard-inotify .local/kind-kubeconfig
+	KUBECONFIG=$(CURDIR)/.local/kind-kubeconfig helmfile sync -f $(CURDIR)/hack/helmfile-federation-v0.yaml
 	HELMFILE_ENV="kind" KUBECONFIG=$(CURDIR)/.local/kind-kubeconfig make kube-integration-setup
 
 .PHONY: kind-integration-test

changelog.d/5-internal/v0-integration-setup

@@ -1,3 +1,3 @@
 Setup federation-v0 environment for use in integration tests:
  - add federation-v0 domain to test environment
- - provision integration certificates with cert-manager
+ - provision integration certificates with cert-manager (#3849, #3898)

hack/bin/integration-setup-federation.sh

@@ -44,7 +44,7 @@ export FEDERATION_DOMAIN_BASE_2="$NAMESPACE_2.svc.cluster.local"
 export FEDERATION_DOMAIN_2="federation-test-helper.$FEDERATION_DOMAIN_BASE_2"
 
 echo "Fetch federation-ca secret from cert-manager namespace"
-FEDERATION_CA_CERTIFICATE=$(kubectl -n cert-manager get secrets federation-ca -o json -o jsonpath="{.data['tls\.crt']}")
+FEDERATION_CA_CERTIFICATE=$(kubectl -n cert-manager get secrets federation-ca -o json -o jsonpath="{.data['tls\.crt']}" | base64 -d)
 export FEDERATION_CA_CERTIFICATE
 
 echo "Installing charts..."

hack/helm_vars/common.yaml.gotmpl

@@ -4,7 +4,7 @@ federationDomainBase1: {{ requiredEnv "FEDERATION_DOMAIN_BASE_1" }}
 namespace2: {{ requiredEnv "NAMESPACE_2" }}
 federationDomain2: {{ requiredEnv "FEDERATION_DOMAIN_2" }}
 federationDomainBase2: {{ requiredEnv "FEDERATION_DOMAIN_BASE_2" }}
-federationCACertificate: {{ requiredEnv "FEDERATION_CA_CERTIFICATE" }}
+federationCACertificate: {{ requiredEnv "FEDERATION_CA_CERTIFICATE" | quote }}
 ingressChart: {{ requiredEnv "INGRESS_CHART" }}
 rabbitmqUsername: guest
 rabbitmqPassword: guest

hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl

@@ -26,4 +26,4 @@ config:
     # certificateDomain: dynamically set by hack/helmfile.yaml
 
 secrets:
-  tlsClientCA: {{ .Values.federationCACertificate }}
+  tlsClientCA: {{ .Values.federationCACertificate | quote }}

hack/helm_vars/wire-federation-v0/values.yaml.gotmpl

@@ -0,0 +1,306 @@
+tags:
+  nginz: true
+  brig: true
+  galley: true
+  gundeck: true
+  cannon: true
+  cargohold: true
+  spar: true
+  federation: true # also see galley.config.enableFederation and brig.config.enableFederation
+  backoffice: true
+  proxy: false
+  webapp: false
+  team-settings: false
+  account-pages: false
+  legalhold: false
+  sftd: false
+
+cassandra-migrations:
+  cassandra:
+    host: cassandra-ephemeral
+    replicationFactor: 1
+elasticsearch-index:
+  elasticsearch:
+    host: elasticsearch-ephemeral
+    index: directory_test
+  cassandra:
+    host: cassandra-ephemeral
+
+brig:
+  replicaCount: 1
+  resources:
+    requests: {}
+    limits:
+      memory: 512Mi
+  config:
+    externalUrls:
+      nginz: https://kube-staging-nginz-https.zinfra.io
+      teamCreatorWelcome: https://teams.wire.com/login
+      teamMemberWelcome: https://wire.com/download
+    cassandra:
+      host: cassandra-ephemeral
+      replicaCount: 1
+    elasticsearch:
+      host: elasticsearch-ephemeral
+      index: directory_test
+    authSettings:
+      userTokenTimeout: 120
+      sessionTokenTimeout: 20
+      accessTokenTimeout: 30
+      providerTokenTimeout: 60
+    enableFederation: true # keep in sync with galley.config.enableFederation, cargohold.config.enableFederation and tags.federator!
+    optSettings:
+      setActivationTimeout: 10
+      setVerificationTimeout: 10
+      # keep this in sync with brigSettingsTeamInvitationTimeout in spar/templates/tests/configmap.yaml
+      setTeamInvitationTimeout: 10
+      setExpiredUserCleanupTimeout: 1
+      setUserMaxConnections: 16
+      setCookieInsecure: true
+      setUserCookieRenewAge: 2
+      setUserCookieLimit: 5
+      setUserCookieThrottle:
+        stdDev: 5
+        retryAfter: 5
+      setLimitFailedLogins:
+        timeout: 5  # seconds.  if you reach the limit, how long do you have to wait to try again.
+        retryLimit: 5  # how many times can you have a failed login in that timeframe.
+      setSuspendInactiveUsers:
+        suspendTimeout: 10
+      setDefaultTemplateLocale: en
+      setDefaultUserLocale: en
+      setMaxConvAndTeamSize: 16
+      setMaxTeamSize: 32
+      setMaxConvSize: 16
+      setFederationDomain: federation-test-helper.wire-federation-v0.svc.cluster.local
+      setFederationStrategy: allowAll
+      setFederationDomainConfigsUpdateFreq: 10
+      set2FACodeGenerationDelaySecs: 5
+      setNonceTtlSecs: 300
+      setDpopMaxSkewSecs: 1
+      setDpopTokenExpirationTimeSecs: 300
+      setEnableMLS: true
+      setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs
+      setOAuthAccessTokenExpirationTimeSecs: 3 # 3 secs
+      setOAuthEnabled: true
+      setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
+      setOAuthMaxActiveRefreshTokens: 10
+    aws:
+      sesEndpoint: http://fake-aws-ses:4569
+      sqsEndpoint: http://fake-aws-sqs:4568
+      dynamoDBEndpoint: http://fake-aws-dynamodb:4567
+      sesQueue: integration-brig-events
+      internalQueue: integration-brig-events-internal
+      prekeyTable: integration-brig-prekeys
+    emailSMS:
+      general:
+        emailSender: [email protected]
+        smsSender: dummy
+  secrets:
+    # these secrets are only used during integration tests and should therefore be safe to include unencrypted in git.
+    # Normally these would live in a separately-encrypted secrets.yaml file and incorporated using the helm secrets plugin (wrapper around mozilla sops)
+    zAuth:
+      privateKeys: 7owt9MgvLd3D1nQ5s5Zm-5kOiUZcJ_iqASOYdzLUpjHRRbfyx7XJ6hzltU0S9_kvKsdYZmTK9wZNWKUraB4Z1Q==
+      publicKeys: 0UW38se1yeoc5bVNEvf5LyrHWGZkyvcGTVilK2geGdU=
+    turn:
+      secret: rPrUbws7PQZlfN2GG8Ggi7g5iOYPk7BiCoKHl3VoFZ
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
+    setTwilio: |
+      sid: "dummy"
+      token: "dummy"
+    setNexmo: |-
+      key: "dummy"
+      secret: "dummy"
+    smtpPassword: dummy-smtp-password
+    dpopSigKeyBundle: |
+      -----BEGIN PRIVATE KEY-----
+      MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+      -----END PRIVATE KEY-----
+      -----BEGIN PUBLIC KEY-----
+      MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
+      -----END PUBLIC KEY-----
+    oauthJwkKeyPair: |
+      {
+        "kty": "OKP",
+        "crv": "Ed25519",
+        "x": "mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc",
+        "d": "R8-pV2-sPN7dykV8HFJ73S64F3kMHTNnJiSN8UdWk_o"
+      }
+    rabbitmq:
+      username: {{ .Values.rabbitmqUsername }}
+      password: {{ .Values.rabbitmqPassword }}
+  tests:
+    enableFederationTests: true
+cannon:
+  replicaCount: 2
+  resources:
+    requests: {}
+    limits:
+      memory: 512Mi
+  drainTimeout: 0
+cargohold:
+  replicaCount: 1
+  resources:
+    requests: {}
+    limits:
+      memory: 512Mi
+  config:
+    aws:
+      s3Bucket: dummy-bucket
+      s3Endpoint: http://fake-aws-s3:9000
+    enableFederation: true # keep in sync with brig.config.enableFederation, galley.config.enableFederation and tags.federator!
+    settings:
+      federationDomain: federation-test-helper.wire-federation-v0.svc.cluster.local
+  secrets:
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
+galley:
+  replicaCount: 1
+  config:
+    cassandra:
+      host: cassandra-ephemeral
+      replicaCount: 1
+    enableFederation: true # keep in sync with brig.config.enableFederation, cargohold.config.enableFederation and tags.federator!
+    settings:
+      maxConvAndTeamSize: 16
+      maxTeamSize: 32
+      maxFanoutSize: 18
+      maxConvSize: 16
+      conversationCodeURI: https://kube-staging-nginz-https.zinfra.io/conversation-join/
+      # See helmfile for the real value
+      federationDomain: federation-test-helper.wire-federation-v0.svc.cluster.local
+      featureFlags:
+        sso: disabled-by-default  # this needs to be the default; tests can enable it when needed.
+        legalhold: whitelist-teams-and-implicit-consent
+        teamSearchVisibility: disabled-by-default
+        classifiedDomains:
+          status: enabled
+          config:
+            domains: ["example.com"]
+    journal:
+      endpoint: http://fake-aws-sqs:4568
+      queueName: integration-team-events.fifo
+  secrets:
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
+    mlsPrivateKeys:
+      removal:
+        ed25519: |
+          -----BEGIN PRIVATE KEY-----
+          MC4CAQAwBQYDK2VwBCIEIAocCDXsKIAjb65gOUn5vEF0RIKnVJkKR4ebQzuZ709c
+          -----END PRIVATE KEY-----
+    rabbitmq:
+      username: {{ .Values.rabbitmqUsername }}
+      password: {{ .Values.rabbitmqPassword }}
+
+gundeck:
+  replicaCount: 1
+  resources:
+    requests: {}
+    limits:
+      memory: 1024Mi
+  config:
+    cassandra:
+      host: cassandra-ephemeral
+      replicaCount: 1
+    redis:
+      host: redis-ephemeral-master
+      connectionMode: master
+    aws:
+      account: "123456789012"
+      region: eu-west-1
+      arnEnv: integration
+      queueName: integration-gundeck-events
+      sqsEndpoint: http://fake-aws-sqs:4568
+      snsEndpoint: http://fake-aws-sns:4575
+    bulkPush: true
+    setMaxConcurrentNativePushes:
+      hard: 30
+      soft: 10
+  secrets:
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
+nginz:
+  replicaCount: 1
+  nginx_conf:
+    env: staging
+    external_env_domain: zinfra.io
+    # NOTE: Web apps are disabled by default
+    allowlisted_origins: []
+    randomport_allowlisted_origins: [] # default is empty by intention
+    rate_limit_reqs_per_user: "10r/s"
+    rate_limit_reqs_per_addr: "100r/s"
+  secrets:
+    basicAuth: "whatever"
+    zAuth:
+      # this must match the key in brig!
+      publicKeys: 0UW38se1yeoc5bVNEvf5LyrHWGZkyvcGTVilK2geGdU=
+    oAuth:
+      publicKeys: |
+        {
+          "kty": "OKP",
+          "crv": "Ed25519",
+          "x": "mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc"
+        }
+proxy:
+  replicaCount: 1
+  secrets:
+    proxy_config: |-
+      secrets {
+              youtube    = "..."
+              googlemaps = "..."
+              soundcloud = "..."
+              giphy      = "..."
+              spotify    = "Basic ..."
+       }
+spar:
+  replicaCount: 1
+  resources:
+    requests: {}
+    limits:
+      memory: 1024Mi
+  config:
+    tlsDisableCertValidation: true
+    cassandra:
+      host: cassandra-ephemeral
+    logLevel: Debug
+    domain: zinfra.io
+    appUri: http://spar:8080/
+    ssoUri: http://spar:8080/sso
+    maxttlAuthreq: 5
+    maxttlAuthresp: 7200
+    maxScimTokens: 2
+    contacts:
+    - type: ContactSupport
+      company: Example Company
+      email: email:[email protected]
+
+federator:
+  replicaCount: 1
+  resources:
+    requests: {}
+  config:
+    optSettings:
+      useSystemCAStore: false
+  remoteCAContents: {{ .Values.federationCACertificate | quote }}
+  tls:
+    useCertManager: true
+    useSharedFederatorSecret: true
+
+background-worker:
+  replicaCount: 1
+  resources:
+    requests: {}
+  config:
+    backendNotificationPusher:
+      pushBackoffMinWait: 1000 # 1ms
+      pushBackoffMaxWait: 500000 # 0.5s
+  secrets:
+    rabbitmq:
+      username: {{ .Values.rabbitmqUsername }}
+      password: {{ .Values.rabbitmqPassword }}
+
+integration:
+  ingress:
+    class: "nginx-{{ .Release.Namespace }}"

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -393,7 +393,7 @@ federator:
   resources:
     requests: {}
   imagePullPolicy: {{ .Values.imagePullPolicy }}
-  remoteCAContents: {{ .Values.federationCACertificate | b64dec | quote }}
+  remoteCAContents: {{ .Values.federationCACertificate | quote }}
   tls:
     useCertManager: true
     useSharedFederatorSecret: true