Release 2022-09-27 - (expected chart version 4.24.0) #2728
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Paolo Capriotti <[email protected]>
Master->Develop after release
* gundeck/cassandra: TWCS for 'notifications' table In Gundeck's 'notifications' cassandra table, switch to [TWCS](https://cassandra.apache.org/doc/latest/cassandra/operating/compaction/twcs.html) compaction strategy, which should be more efficient for this workload, and possibly bring performance benefits to latencies. It may be beneficial to run a manual compaction before rolling out this change (but things should also work without this manual operation). In case you have time, run the following before deploying this update: ``` nodetool compact gundeck notifications ``` Co-authored-by: Akshay Mankar <[email protected]>
* docs(swagger): Remove old swagger Client model Old swagger Client model was unused. * docs(swagger): Add mls_public_keys description * docs(swagger): Add base64-specific example string * docs(swagger): Add MLSPublicKeys example value * refactor(split): MLSPublicKeys: separate modifiers General type modifiers for MLSPublicKeys (like name, description) are applied in one location, but adapter for use as an optional field named "mls_public_keys" are done separately. Also, generalize a HasDescription instance. * docs(changelog) * refactor: where clause taste * refactor: allow overlaps of HasExample like HasDescription Co-authored-by: fisx <[email protected]>
#2661) Co-authored-by: Stefan Matting <[email protected]>
* Add /mls/public-keys to nginz chart * Add /mls/public-keys to demo conf
…ndpoint (#2677) * charts/coturn: refactor labels. This adds the labels app, chart, heritage, and release to the coturn chart (same as the wire-server charts), and removes the boilerplate for overriding resource names. * changelog: update. * charts/coturn: add optional ServiceMonitor * charts/coturn: add metrics port to Service. The Service is headless, so this port is not exposed to the outside world; this is required so that the metrics endpoint is visible to the metrics collection agent which consumes the ServiceMonitor. * changelog: update.
* Move module files.
* Change module names inside files.
find ./services/brig/ -name '*.hs' -exec perl -i -pe 's/Brig.Sem/Brig.Effects/g' {} \;
* Fix cabal file.
* changelog
* Remove CPU limits to avoid CPU throttling * adjust request CPU and memory based on observed values. Overall this decreases the amount of CPU/memory that the wire-server chart needs to install/schedule pods.
Cassandra doesn't support transactions. Thus, in rare circumstances, a user could be only partially deleted in brig (e.g. due to the pod shutting down). To be able to clean up a partially deleted user/account, the SCIM user deletion handler now executes the internal deletion function in brig again even if the user is not found in brig as it's only a "tombstone". This internal deletion function then figures out if the user ever existed and if there are any left overs. In case, deletion is executed for the user/account again. To gather the result of a user deletion, the brig endpoint is now synchronous (was asynchronous before). Co-authored-by: Matthias Fischmann <[email protected]>
SER-191: update release notes
Co-authored-by: Stefan Matting <[email protected]>
* Drop the `managed` column from `team_conv` table * Improve the description of the managed key
* Update mls-test-cli to version 0.5
* Implement most of the new MLS test framework * Automatically keep track of clients in the group * Assert that add proposal is forwarded * Remove dead code * Keep track of clients in the test state * Port more external proposal tests to new framework * Refactor test testSenderNotInConversation - Also add a utility for creating an application message * Port welcome tests to new MLS test framework * Refactor test testSendAnotherUsersCommit * Port some commit tests to new MLS test framework * Port more commit tests * Refactor test testAppMessage * Refactor test testRemoteAppMessage * Port more commit tests * Fix bracket in testAppMessage * Finish porting commit tests * Refactor test testAppMessage2 * Port proposal tests * Refactor test testLocalToRemote * Refactor test testLocalToRemoteNonMember * Refactor test testRemoteToLocal * Refactor test testRemoteNonMemberToLocal * Refactor test testRemoteToLocalWrongConversation * Refactor test testAddUsersDirectly * Refactor test testRemoveUsersDirectly * Refactor test testProteusMessage * Refactor test testAddUsersToProteus * Generalise return type of awaitMatch and friends Fix error reporting in assertNoEvent * Port backend removal test * Port final test in API/MLS * Move MLS tests out of the Federation module * Remove old MLS test framework * Add CHANGELOG entry * Fix a test setup in runMLSTest * Update mls-test-cli Co-authored-by: Paolo Capriotti <[email protected]> Co-authored-by: Marko Dimjašević <[email protected]>
* Allow leaving an MLS conversation via Wire API * Add failing test for user leaving * Move MLS clients to their own table * Refactor leave action: remove list of leavers * Update conversation object after removal * Fix integration tests * Implement a remote leaver test * Update federation golden tests * Split leave test into two * Make removing already-removed users a no-op * Add CHANGELOG entries Co-authored-by: Paolo Capriotti <[email protected]>
Co-authored by stefanwire
Co-authored-by: Zebot <[email protected]>
Co-authored-by: Zebot <[email protected]>
* SER-162: updated monitoring * added a new entry in changelog.d
* Add new custom hlint rule for runSetting. Also applies hlint again to the whole codebase (excluding tests), as we had some drift between finalising hlint and new PRs being merged without being linted / having CI catch those cases. I also disalbed the pipefail from the script, as that would short-circuit the linter on first issue found. Hopefully that doesn't mess with CI. PS: This will fail CI linters phase until #2715 has been merged. * Removed Federator.Response from runSettings rule.
…2715) Co-authored-by: Akshay Mankar <[email protected]>
This PR replaces the prefix-tree matcher used in libzauth for matching ACL paths with a simple regex-based matcher, which constructs a single regular expression containing all possible paths. This makes it trivial to accept user-provided regular expressions in the ACL language itself.
* Update nginz whitelists and blacklists * Update cannon zauth.acl * Add changelog entry Co-authored-by: Stefan Matting <[email protected]>
After #2667, when users are kicked out of a conversation, the events being sent out would look like normal leave events. This commit restores the previous behaviour: the events reflect the fact that the user was kicked out, with the originating user set to the user who caused the change that required users to be removed.
Co-authored-by: fisx <[email protected]>
For wire-server cloud, on kubernetes 1.21+, favour topology-aware routing, which reduces unnecessary inter-availability-zone traffic, reducing latency and cloud provider costs. Documentation: https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/ See SQPIT-1439
* Avoid qualified Util import * Use viewGalley everywhere * Add v2 prefix to all galley requests * Add v2 prefix to all brig requests * client tests * account tests * auth tests wip * Fix one more client test * Add versioned paths to legalhold ACL * Refactor: factor out test cases * fix bug: regex routes match too much * Fix the remaining brig tests * Use versioned API in cargohold tests * Always use most recent version in galley tests * Use latest API version in brig * Use latest API version in cargohold * Use v1 API in End2End tests * Add CHANGELOG entry Co-authored-by: Stefan Matting <[email protected]>
) * Add the DB column for PublicGroupState * Processing a commit bundle: store PublicGroupState * Implement group-info endpoint (local conversation) * Implement group-info endpoint (remote conversation) Co-authored-by: Stefan Matting <[email protected]>
zebot
added
the
ok-to-test
battermann
approved these changes
Sep 27, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[2022-09-27] (Chart Release 4.24.0)
Release notes
For users of the (currently alpha) coturn Helm chart, manual action is
required when upgrading to this version. The labels applied to the Kubernetes
manifests in this chart have changed, in order to match the conventions used
in the wire-server charts. However, this may mean that upgrading with Helm can
fail, due to changes to the
StatefulSetincluded in this chart -- in thiscase, the
StatefulSetmust be deleted before the chart is upgraded. (coturn: refactor resource labels, expose ServiceMonitor for metrics endpoint #2677)wire-server helm charts: Adjust default CPU/Memory resources: Remove CPU limits to avoid CPU throttling; adjust request CPU and memory based on observed values. Overall this decreases the amount of CPU/memory that the wire-server chart needs to install/schedule pods. (wire-server helm chart: Adjust default CPU/Memory #2675)
Upgrade team-settings version to 4.12.1-v0.31.5-0-0167ea4 (Update team-settings version in Helm chart [skip ci] #2180)
Upgrade webapp version to 2022-09-20-production.0-v0.31.2-0-7f74074 (Update webapp version in Helm chart [skip ci] #2302)
API changes
Add new endpoint
/mls/commit-bundlesfor submitting MLSCommitBundles. ACommitBundleis a triple consisting of a commit message, an optional welcome message and a public group state. (Add commit bundle support #2688)MLS: Store and expose group info via
GET /conversations/:domain/:id/groupinfo([FS-923] Store Per-conversation GroupInfo Structure and Expose It #2721)Add /mls/public-keys to nginz chart (Add /mls/public-keys to nginz #2676)
Users being kicked out results in member-leave events originating from the user who caused the change in the conversation (Restore previous behaviour of kicking #2724)
Leaving an MLS conversation is now possible using the regular endpoint
DELETE /conversations/{cnv_domain}/{cnv}/members/{usr_domain}/{usr}. When a user leaves, the backend sends external remove proposals for all their clients in the corresponding MLS group. ([FS-873] Leaving MLS Conversations and Backend-side Removals #2667)Validate remotely claimed key packages ([FS-937] Validate Remotely Claimed Key Packages #2692)
Features
The coturn chart now has support for exposing its metric endpoint with a
ServiceMonitor, which can be ingested by third-party metrics collection tools. (coturn: refactor resource labels, expose ServiceMonitor for metrics endpoint #2677)
Deleting clients creates MLS remove proposals (Deleting clients creates MLS remove proposals #2674)
External remove proposals are now sent to a group when a user is deleted (MLS: Backend sends remove proposal upon user deletion #2650)
Allow non-admins to commit add proposals in MLS conversations (Allow add proposal commits by non-admins #2691)
Optionally add invitation urls to the body of
/teams/{tid}/invitations. This allows further processing; e.g. to send those links with custom emails or distribute them as QR codes. See docs for details and privacy implications. (Feature flag for exposing invite URLs to team admins [SQPIT-1368] #2684)Bug fixes and other updates
SCIM user deletion suffered from a couple of race conditions. The user in now first deleted in spar, because this process depends on data from brig. Then, the user is deleted in brig. If any error occurs, the SCIM deletion request can be made again. This change depends on brig being completely deployed before using the SCIM deletion endpoint in brig. In the unlikely event of using SCIM deletion during the deployment, these requests can be retried (in case of error). (Make deletions via SCIM more stable #2637)
The 2nd factor password challenge team feature is disabled for SSO users ([SQSERVICE- 1509] 2FA in the context of sso #2693)
Less surprising handling of SIGINT, SIGTERM for proxy, stern. Increase grace period for shutdown from 5s to 30s for all services. (Better signal handling for proxy, stern #2715)
Documentation
Drop Client model (unused) from old swagger.
Add a description and example data for mls_public_keys field in new swagger. ([FS-672] Improve swagger docs for Client fields. #2657)
Document user deactivation (aka suspension) with SCIM. (JCT-147: update SCIM documentation how to deactivate user #2720)
Monitoring page showed wrong wrong configuration charts. Updated prometheus-operator to kube-prometheus-stack chart in the documentation. (SER-162: updated monitoring #2708)
Internal changes
Make client deletion asynchronous (Make client deletion asynchronous #2669)
Allow external add proposals without previously uploading key packages. (Fix processing of external add proposals #2661)
Allow legalhold tokens access to
/converations/<uuid>endpoint (Add alias to GET /conversations/{cnv} endpoint for LH devices #2682, Allow /conversations/<uuid> paths for legalhold tokens #2726)Move Brig.Sem.* modules to Brig.Effects (consistency) (Cleanup module structure #2672)
The labels applied to resources in the coturn chart have been changed to
reflect the conventions in the wire-server charts. (coturn: refactor resource labels, expose ServiceMonitor for metrics endpoint #2677)
Drop the
managedcolumn fromteam_convtable in Galley (Drop themanagedColumn fromteam_convTable in Galley #2127)Fix link in PR template (Fix link in PR template #2673)
In Gundeck's 'notifications' cassandra table, switch to TWCS compaction strategy, which should be more efficient for this workload, and possibly bring performance benefits to latencies.
It may be beneficial to run a manual compaction before rolling out this
change (but things should also work without this manual operation).
In case you have time, run the following from a cassandra machine before deploying this update:
nodetool compact gundeck notifications. (gundeck/cassandra: TWCS for 'notifications' table #2615)Add regular expression support to libzauth ACL language (Improve libzauth ACL syntax #2714)
Make test API calls point to the most recent version by default (Make sure integration tests use most recent API version #2695)
Clients and key package refs in an MLS conversation are now stored in their own table. ([FS-873] Leaving MLS Conversations and Backend-side Removals #2667)
Refactor MLS test framework (Refactor MLS test framework #2678)
Update mls-test-cli to version 0.5 (Update to mls-test-cli 0.5 #2685)
Added rusty-jwt-tools to docker images ([FS-736] Add rusty-jwt-tools dependency to docker deps and builder #2686)
The account API is now migrated to servant. ([SQSERVICES-1643] Servantify brig account API 1 -
POST /delete#2699, [SQSERVICES-1643] Servantify brig account API 2 -GET /activate#2700, [SQSERVICES-1643] Servantify brig account API 3 -POST /activate#2701, [SQSERVICES-1643] Servantify brig account API 4 -POST /activate/send#2702, [SQSERVICES-1643] Servantify brig account API 5 -POST /password-reset#2703, [SQSERVICES-1643] Servantify brig account API 6-POST password-reset/complete#2704, [SQSERVICES-1643] Servantify brig account API 7 -POST /password-reset/:key#2705, [SQSERVICES-1643] Servantify brig account API 8 -POST /onboading/v3#2707)Update nginz and cannon ACLs to match api-versioned paths (Update nginz and cannon ACLs to match api-versioned paths #2725)
For wire-server cloud, on kubernetes 1.21+, favour topology-aware routing, which reduces unnecessary inter-availability-zone traffic, reducing latency and cloud provider cross-AZ traffic costs. (charts/wire-server: enable topology-aware hints. #2723)