diff --git a/ansible/roles/rabbitmq-cluster/tasks/config.yml b/ansible/roles/rabbitmq-cluster/tasks/config.yml index 8abdbeebd..1bf13c909 100644 --- a/ansible/roles/rabbitmq-cluster/tasks/config.yml +++ b/ansible/roles/rabbitmq-cluster/tasks/config.yml @@ -7,7 +7,7 @@ group: root mode: 0644 with_items: - - { src: etc/default/rabbitmq-server.j2 , dest: /etc/default/rabbitmq-server } + - { src: etc/default/rabbitmq-server.j2, dest: /etc/default/rabbitmq-server } - { src: etc/rabbitmq/rabbitmq.config.j2, dest: /etc/rabbitmq/rabbitmq.config } # - { src: etc/rabbitmq/rabbitmq-env.conf.j2, dest: /etc/rabbitmq/rabbitmq-env.conf } notify: @@ -18,15 +18,12 @@ name: rabbitmq-server state: restarted -# - name: Enable the plugins is installed -# rabbitmq_plugin: -# names: "{{ item }}" -# prefix: /usr/lib/rabbitmq -# state: enabled -# new_only: yes -# with_items: "{{ rabbitmq_plugins }}" -# notify: -# restart rabbitmq-server +- name: Enable the plugins is installed + command: rabbitmq-plugins enable --offline {{ item }} + with_items: "{{ rabbitmq_plugins }}" + register: plugin_result + changed_when: "'already enabled' not in plugin_result.stdout" + notify: restart rabbitmq-server - name: restart rabbitmq-server service: diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh index 2b6b9fdae..52c9683cd 100755 --- a/bin/offline-secrets.sh +++ b/bin/offline-secrets.sh @@ -22,6 +22,12 @@ zauth_private=$(echo "$zauth" | awk 'NR==2{ print $2}') prometheus_pass="$(tr -dc A-Za-z0-9 $VALUES_DIR/wire-server/secrets.yaml @@ -37,8 +43,8 @@ brig: awsKeyId: dummykey awsSecretKey: dummysecret rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest # These are only necessary if you wish to support sign up via SMS/calls # And require accounts at twilio.com / nexmo.com setTwilio: |- 
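Review bot: The idempotence of the new `Enable the plugins is installed` task rests entirely on `changed_when: "'already enabled' not in plugin_result.stdout"`, and whether `rabbitmq-plugins enable --offline` prints that phrase depends on the installed RabbitMQ version; if it does not, every run reports changed and fires the `restart rabbitmq-server` handler. The removed `rabbitmq_plugin` task with `new_only: yes` tracked this natively, so if the module is being avoided for a reason, state it next to the task, e.g. `# rabbitmq_plugin module not usable here; change detection is inferred from CLI output, verify against the installed version`, and consider checking the `enabled_plugins` file instead of stdout. The task name should also read `Enable the configured plugins`. `{{ item }}` expands unquoted into the argv; `command` does not go through a shell, but an entry containing whitespace would split into extra arguments, so `rabbitmq_plugins` must stay a list of bare plugin names.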
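Review bot: Replacing the generated RabbitMQ credentials with `username: guest` / `password: guest` bakes the broker's well-known default account into the secrets file this script writes; the same change repeats in the two later hunks of bin/offline-secrets.sh and in every `rabbitmq:` block of values/wire-server/prod-secrets.example.yaml. The script already derives other credentials from random data (`prometheus_pass` a few lines above), so the RabbitMQ password should be generated the same way and the broker provisioned with that user, rather than fixed to a default. RabbitMQ also by default permits `guest` only from loopback; unless the `rabbitmq.config.j2` template in ansible/roles/rabbitmq-cluster (not in this diff) clears `loopback_users`, services connecting over the network will be refused. If `guest` is deliberate for the offline deployment, say so next to the value: `# must match the user provisioned by ansible/roles/rabbitmq-cluster`.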
@@ -52,25 +58,38 @@ cargohold: awsKeyId: "$minio_cargohold_access_key" awsSecretKey: "$minio_cargohold_secret_key" rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest cannon: secrets: rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest galley: secrets: + rabbitmq: + username: guest + password: guest pgPassword: verysecurepassword awsKeyId: dummykey awsSecretKey: dummysecret + mlsPrivateKeys: + removal: + ed25519: | +$mls_ed25519_key + ecdsa_secp256r1_sha256: | +$mls_ecdsa_p256_key + ecdsa_secp384r1_sha384: | +$mls_ecdsa_p384_key + ecdsa_secp521r1_sha512: | +$mls_ecdsa_p521_key gundeck: secrets: awsKeyId: dummykey awsSecretKey: dummysecret rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest nginz: secrets: zAuth: @@ -86,8 +105,8 @@ team-settings: background-worker: secrets: rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest EOF fi diff --git a/changelog.d/5-bug-fixes/standardize-features b/changelog.d/5-bug-fixes/standardize-features new file mode 100644 index 000000000..8601b0a0a --- /dev/null +++ b/changelog.d/5-bug-fixes/standardize-features @@ -0,0 +1,3 @@ +Added: missing webapp feature flags to webapp example values +Added: config for MLS deployment into example files +Added: config for Federation deployment into example files diff --git a/values/coturn/prod-values.example.yaml b/values/coturn/prod-values.example.yaml index e38f8a3a0..adde645db 100644 --- a/values/coturn/prod-values.example.yaml +++ b/values/coturn/prod-values.example.yaml 
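Review bot: The four `$mls_*_key` expansions under `mlsPrivateKeys.removal` are written at column 0 of the heredoc, directly beneath `ed25519: |` and the other `|` block scalars, whose content must be indented deeper than its key; unless the variables are already indented where they are generated (that part of the script is not visible in this diff), the emitted secrets.yaml will either fail to parse or yield empty keys. Either indent at the point of generation or pass each key through an indenting step before the heredoc, and mark the expectation at the first expansion: `# $mls_*_key must already carry the block-scalar indentation`. This hunk also repeats the `guest`/`guest` credential change raised on the earlier hunk of this file.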
@@ -1 +1,28 @@ -# using upstream values for coturn helm \ No newline at end of file +# using upstream values for coturn helm +replicaCount: 3 +# image: +# tag: some-tag # (only override if you want a newer/different version than what is in the chart) +config: + verboseLogging: false +# rateLimit: +# allowlist: # List of IPs to be excluded from rate limiting +# - +coturnTurnExternalIP: "__COTURN_EXT_IP__" +coturnTurnListenIP: "__COTURN_HOST_IP__" +coturnTurnRelayIP: "__COTURN_HOST_IP__" +coturnFederationListeningIP: "__COTURN_HOST_IP__" +# Uncomment to enable federation +# federate: +# enabled: true +# port: 9191 +# dtls: +# enabled: true +# tls: +# issuerRef: letsencrypt-http01 +# kind: ClusterIssuer +# certificate: +# dnsNames: +# - coturn.example.com +# - coturn-0.example.com +# - coturn-1.example.com +# - coturn-2.example.com \ No newline at end of file diff --git a/values/nginx-ingress-services/prod-secrets.example.yaml b/values/nginx-ingress-services/prod-secrets.example.yaml index 50858dd59..5e6a4c6f1 100644 --- a/values/nginx-ingress-services/prod-secrets.example.yaml +++ b/values/nginx-ingress-services/prod-secrets.example.yaml @@ -3,6 +3,10 @@ # as the ingress seems to simply "swallow" errors if any (and serve the Fake default certificate # which is highly confusing) secrets: + tlsClientCA: | # for federating backends root CA certificates + -----BEGIN CERTIFICATE----- + .... THEIR CERTIFICATE .... + -----END CERTIFICATE----- tlsWildcardCert: | -----BEGIN CERTIFICATE----- .... OWN CERTIFICATE ...... diff --git a/values/sftd/prod-values.example.yaml b/values/sftd/prod-values.example.yaml index 25c5cd69f..1455a180c 100644 --- a/values/sftd/prod-values.example.yaml +++ b/values/sftd/prod-values.example.yaml 
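Review bot: values/coturn/prod-values.example.yaml still ends without a trailing newline (`\ No newline at end of file`), and the values/sftd/prod-values.example.yaml hunk in this change has the same omission; add a final newline so linters and tools that concatenate values files are not tripped. Inside the commented `rateLimit.allowlist` example the list entry is a bare `# -` with no placeholder, so a reader cannot tell what an entry looks like; `#   - <ip-or-cidr-placeholder>  # one entry per address excluded from rate limiting` would make the shape clear, with the accepted format confirmed against the chart.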
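Review bot: The new `tlsClientCA` entry is presumably the CA against which the ingress verifies client certificates presented by federating backends, which makes it a trust anchor rather than a secret: any certificate chaining to a CA in this block passes the TLS-layer check as a federation peer. The inline comment `# for federating backends root CA certificates` should say that, and that with several partners the block holds their CAs concatenated, e.g. `# CA bundle trusted for federation client certs: one PEM per partner, concatenated; only CAs of intended partners belong here`. The same guidance applies to the commented `remoteCAContents` added to the federator section of values/wire-server/prod-values.example.yaml.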
@@ -1,7 +1,17 @@ +replicaCount: 3 +# image: +# tag: some-tag # (only override if you want a newer/different version than what is in the chart) allowOrigin: https://webapp.example.com host: sftd.example.com -replicaCount: 3 tls: issuerRef: name: letsencrypt-http01 kind: ClusterIssuer +# Uncomment to enable SFT to SFT communication for federated calls +# multiSFT: +# enabled: true +# discoveryRequired: false +# turnServerURI: "turn:coturn.public.ip.address:3478?transport=udp" +# secret: "coturn_zrest_secret" +# Turn on secondary IP listener (for internal IP) when using federation +# internalIpListener: false \ No newline at end of file diff --git a/values/webapp/prod-values.example.yaml b/values/webapp/prod-values.example.yaml index 329d340f5..0d6286cd1 100644 --- a/values/webapp/prod-values.example.yaml +++ b/values/webapp/prod-values.example.yaml @@ -19,7 +19,14 @@ envVars: FEATURE_ENABLE_DEBUG: "false" FEATURE_ENABLE_PHONE_LOGIN: "false" FEATURE_ENABLE_SSO: "false" + FEATURE_ENABLE_IN_CALL_REACTIONS: "true" + FEATURE_ENABLE_IN_CALL_HAND_RAISE: "true" + FEATURE_ENABLE_DETACHED_CALLING_WINDOW: "true" + FEATURE_ENABLE_MESSAGE_FORMAT_BUTTONS: "true" FEATURE_SHOW_LOADING_INFORMATION: "false" + FEATURE_ENABLE_CHANNELS: "false" + FEATURE_ENABLE_CHANNELS_HISTORY_SHARING: "false" + FEATURE_ENABLE_PUBLIC_CHANNELS: "false" URL_ACCOUNT_BASE: "https://account.example.com" #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed? URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions" diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml index 284032d0c..30ab8e519 100644 --- a/values/wire-server/prod-secrets.example.yaml +++ b/values/wire-server/prod-secrets.example.yaml 
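Review bot: The commented `multiSFT` example places `secret: "coturn_zrest_secret"` in prod-values.example.yaml, whereas every other chart in this change keeps credentials in a prod-secrets.example.yaml; someone uncommenting this block will end up committing the TURN shared secret alongside non-secret values. If the sftd chart can read this from a separate secrets file, point there instead; otherwise replace the value with a labelled placeholder and say where it comes from, e.g. `#   secret: "<coturn-zrest-secret-placeholder>"  # shared with coturn; supply from your secrets file, not from here`.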
@@ -20,8 +20,8 @@ brig: # These are only necessary if you wish to support sign up via SMS/calls # And require accounts at twilio.com / nexmo.com rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest setTwilio: |- sid: "dummy" token: "dummy" @@ -32,8 +32,8 @@ brig: cannon: secrets: rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest cargohold: secrets: @@ -42,8 +42,8 @@ cargohold: awsKeyId: dummykey # replace with minio_cargohold_access_key awsSecretKey: dummysecret # replace with minio_cargohold_secret_key rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest galley: secrets: @@ -53,8 +53,22 @@ galley: awsKeyId: dummykey awsSecretKey: dummysecret rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest + mlsPrivateKeys: + removal: + ed25519: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp256r1_sha256: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp384r1_sha384: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp521r1_sha512: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- gundeck: secrets: @@ -62,8 +76,8 @@ gundeck: awsKeyId: dummykey awsSecretKey: dummysecret rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest proxy: secrets: @@ -92,8 +106,8 @@ nginz: background-worker: secrets: rabbitmq: - username: wire-server - password: verysecurepassword + username: guest + password: guest # Uncomment for legalhold. Set values accordingly diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index b9cae333e..d973f358d 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml 
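Review bot: The `mlsPrivateKeys.removal` placeholders are empty PEM envelopes, so an installation copied verbatim fails at key parsing with no hint of where the keys come from; the bin/offline-secrets.sh hunks in this same change fill these from `$mls_*_key` variables, so the example should point at that. Add above the block a comment along the lines of `# One removal private key per MLS ciphersuite; bin/offline-secrets.sh generates these. Unique per installation, never reused across environments.` This hunk, and the other hunks of this file, also repeat the `guest`/`guest` credentials raised on bin/offline-secrets.sh.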
@@ -21,6 +21,8 @@ brig: # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + multiSFT: + enabled: false # enable to turn on SFT to SFT communication for federated calls cassandra: host: cassandra-external elasticsearch: @@ -51,10 +53,12 @@ brig: teamMemberWelcome: https://wire.example.com/download # change this enableFederation: false # Enable to use federation optSettings: + setEnableMLS: false # Enable for MLS protocol use setFederationDomain: example.com # change this # Sync the domain with the 'host' variable in the sftd chart # Comment the next line (by adding '#' before it) if conference calling is not used setSftStaticUrl: "https://sftd.example.com:443" + # setSftListAllServers: "enabled" # Uncomment for Federation! # If set to true, creating new personal users or new teams on your instance from # outside your backend installation is disabled setRestrictUserCreation: false @@ -127,6 +131,8 @@ cannon: # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 config: + rabbitmq: + host: rabbitmq-external cassandra: host: cassandra-external metrics: @@ -163,7 +169,7 @@ galley: cassandra: host: cassandra-external rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` + host: rabbitmq-external # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` postgresql: host: postgresql-external-rw # DNS name without protocol port: "5432" 
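Review bot: `setEnableMLS: false` is added to brig's `optSettings` in the `@@ -51,10 +53,12 @@` hunk, while the galley `featureFlags` hunk later in this file (`@@ -176,7 +182,33 @@`) enables `mls` with `defaultProtocol: mls` and an enabled `mlsMigration`; the two halves of the example describe opposite deployments. Either both should default to off (galley `mls.defaults.status: disabled` and the migration flag disabled, each with the same "Enable for MLS" comment) or brig's flag should be `true`; at minimum the comment should cross-reference: `setEnableMLS: false # Enable for MLS protocol use; keep in sync with galley.config.featureFlags.mls below`.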
@@ -176,7 +182,33 @@ galley: federationDomain: example.com # change this # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) featureFlags: - sso: disabled-by-default + mls: + defaults: + status: enabled + config: + protocolToggleUsers: [] + defaultProtocol: mls + allowedCipherSuites: [2] + defaultCipherSuite: 2 + supportedProtocols: [proteus, mls] + lockStatus: unlocked + mlsMigration: + defaults: + status: enabled + config: + startTime: null + finalizeRegardlessAfter: null + usersThreshold: 100 + clientsThreshold: 100 + lockStatus: unlocked + sso: enabled-by-default + # channels: # Uncomment to enable channels by default for all newly created teams + # defaults: + # status: enabled + # config: + # allowed_to_create_channels: team-members + # allowed_to_open_channels: team-members + # lockStatus: unlocked # NOTE: Change this to "disabled-by-default" for legalhold support # legalhold: disabled-by-default legalhold: disabled-permanently @@ -197,6 +229,8 @@ gundeck: # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + rabbitmq: + host: rabbitmq-external cassandra: host: cassandra-external aws: @@ -286,13 +320,22 @@ legalhold: enabled: false # Only needed when federation is enabled federator: + # config: + # optSettings: + # federationStrategy: + # allowedDomains: + # - example.com tls: useSharedFederatorSecret: true + # remoteCAContents: | # Uncomment and place the federating backends root CA certificates in chain (if there are multiple) metrics: serviceMonitor: enabled: false background-worker: config: + # logLevel: Debug + rabbitmq: + host: rabbitmq-external cassandra: host: cassandra-external # Enable for federation
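Review bot: Besides adding the MLS flags, this hunk changes `sso` from `disabled-by-default` to `enabled-by-default`, which alters the default for every newly created team on an install copied from this example; the changelog entry in this change lists only additions and does not mention it. If intended, annotate the line (`sso: enabled-by-default # was disabled-by-default; set back to disabled-by-default if SSO is not used`) and add a changelog line; if not, keep the previous value. The `mlsMigration` block with `startTime: null` and `finalizeRegardlessAfter: null` would also benefit from a comment stating what null means here, since I cannot tell from this file whether it means "not scheduled".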