diff --git a/.github/workflows/offline-min.yml b/.github/workflows/offline-min.yml
new file mode 100644
index 000000000..954808765
--- /dev/null
+++ b/.github/workflows/offline-min.yml
@@ -0,0 +1,57 @@
+on:
+ push:
+ branches: [min-release*]
+ tags: [ v* ]
+ paths-ignore:
+ - '*.md'
+ - '**/*.md'
+ pull_request:
+ branches: [min-release*]
+ paths-ignore:
+ - '*.md'
+ - '**/*.md'
+jobs:
+ offline:
+ name: Prepare min offline package
+ # Useful to skip expensive CI when writing docs
+ if: "!contains(github.event.head_commit.message, 'skip ci')"
+ runs-on:
+ group: wire-server-deploy
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - uses: cachix/install-nix-action@v27
+ - uses: cachix/cachix-action@v15
+ with:
+ name: wire-server
+ signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+ - name: Install nix environment
+ run: nix-env -f default.nix -iA env
+
+ - name: Get upload name
+ id: upload_name
+ run: |
+ # FIXME: Tag with a nice release name using the github tag...
+ # SOURCE_TAG=${GITHUB_REF#refs/tags/}
+ echo ::set-output name=UPLOAD_NAME::$GITHUB_SHA
+ # echo ::set-output name=UPLOAD_NAME::${SOURCE_TAG:-$GITHUB_SHA}
+
+ - name: Process the min profile build
+ run: ./offline/min-build/build.sh
+ env:
+ GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
+ DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
+
+ - name: Copy min build assets tarball to S3
+ run: |
+ # Upload tarball for each profile by specifying their OUTPUT_TAR path
+ aws s3 cp offline/min-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
+ echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
+ # remove the archives from the build to optimize the space on the server
+ rm -rf offline/min-build/output/*
+ env:
+ AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
+ AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
+ AWS_REGION: "eu-west-1"
\ No newline at end of file
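Review bot: The "Get upload name" step relies on the deprecated `::set-output` workflow command (`echo ::set-output name=UPLOAD_NAME::$GITHUB_SHA`); GitHub has deprecated it in favour of the output file, so `echo "UPLOAD_NAME=$GITHUB_SHA" >> "$GITHUB_OUTPUT"` keeps the step working once the old command is switched off. The checkout is also pinned to `actions/checkout@v2`, whose Node runtime is end-of-life; `actions/checkout@v4` is current, and pinning all four actions to a full commit SHA rather than a mutable tag would narrow the supply-chain exposure of a job that holds GPG, Docker and AWS credentials. Finally, the workflow fires on `pull_request` against `min-release*` and, as far as the steps show, still runs the copy to `s3://public.wire.com/artifacts/` on those runs; gating that step with `if: github.event_name == 'push'` would keep PR builds from publishing artifacts.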
diff --git a/.github/workflows/offline.yml b/.github/workflows/offline.yml
index 8577ee54e..42dd68ca6 100644
--- a/.github/workflows/offline.yml
+++ b/.github/workflows/offline.yml
@@ -1,6 +1,6 @@
 on:
 push:
- branches: [master, develop]
+ branches: [master,develop,min-release*]
 tags: [ v* ]
 paths-ignore:
 - '*.md'
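Review bot: Style: the new flow sequence `branches: [master,develop,min-release*]` drops the spaces after the commas that the removed line and the `tags: [ v* ]` line below it use; `branches: [master, develop, min-release*]` keeps the file consistent and is what yamllint expects. It is also worth confirming that running both this workflow and the new offline-min workflow on every push to a `min-release*` branch is intended, since both now trigger on the same event.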
@@ -66,43 +66,24 @@ jobs: env: DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}' - # demo profile build - - name: Process the demo profile build - run: ./offline/demo-build/build.sh - env: - GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}' - DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}' + # # demo profile build + # - name: Process the demo profile build + # run: ./offline/demo-build/build.sh + # env: + # GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}' + # DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}' - - name: Copy demo build assets tarball to S3 and clean up - run: | - # Upload tarball for each profile by specifying their OUTPUT_TAR path - aws s3 cp offline/demo-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz - echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz" - # remove the assets from the build to optimize the space on the server - rm -rf offline/demo-build/output/* - env: - AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}' - AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}' - AWS_REGION: "eu-west-1" - - # min profile build - - name: Process the min profile build - run: ./offline/min-build/build.sh - env: - GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}' - DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}' - - - name: Copy min build assets tarball to S3 - run: | - # Upload tarball for each profile by specifying their OUTPUT_TAR path - aws s3 cp offline/min-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz - echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz" - # remove the archives from the build to optimize the space on the server - rm -rf offline/min-build/output/* - 
env: - AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}' - AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}' - AWS_REGION: "eu-west-1" + # - name: Copy demo build assets tarball to S3 and clean up + # run: | + # # Upload tarball for each profile by specifying their OUTPUT_TAR path + # aws s3 cp offline/demo-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz + # echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz" + # # remove the assets from the build to optimize the space on the server + # rm -rf offline/demo-build/output/* + # env: + # AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}' + # AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}' + # AWS_REGION: "eu-west-1" - name: Install terraform uses: hashicorp/setup-terraform@v3 @@ -116,8 +97,8 @@ jobs: env: HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}' - #- name: Clean up hetzner environment; just in case - # if: always() - # run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve) - # env: - # HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}' + - name: Clean up hetzner environment; just in case + if: always() + run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve) + env: + HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}' diff --git a/changelog.d/2-wire-builds/q2-2025 b/changelog.d/2-wire-builds/q2-2025 new file mode 100644 index 000000000..bd40bd2f3 --- /dev/null +++ b/changelog.d/2-wire-builds/q2-2025 @@ -0,0 +1 @@ +Added: a separate workflow for min build to be able to generate separate artifacts diff --git a/offline/min-build/build.sh b/offline/min-build/build.sh index ff249ed96..277d69965 100755 --- a/offline/min-build/build.sh +++ b/offline/min-build/build.sh 
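Review bot: The demo-profile build and upload steps are kept as a commented-out block rather than deleted, which leaves roughly twenty lines of dead YAML, including `${{ secrets.* }}` references, in the live workflow; git history already preserves them, so removing the block is cleaner, and if they are meant to return, a single comment line stating why they are disabled would say more than the raw block does. The min-profile steps removed in the same hunk are re-created in the new offline-min.yml, so nothing is lost functionally.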
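Review bot: In the re-enabled "Clean up hetzner environment" step the subshell chains with `;` after `cd`, so if the example directory is missing or renamed, `terraform init && terraform destroy -auto-approve` runs against the repository root instead of failing; `run: (cd terraform/examples/wire-server-deploy-offline-hetzner && terraform init && terraform destroy -auto-approve)` makes the step fail loudly. Because it runs with `if: always()` it also executes when the earlier apply never happened, which is harmless with a fresh state but deserves a comment such as `# runs even on cancel/failure so no Hetzner resources are left behind`.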
@@ -31,7 +31,7 @@ HELM_CHART_EXCLUDE_LIST="inbucket,wire-server-enterprise,k8ssandra-operator,k8ss "${TASKS_DIR}"/proc_pull_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" HELM_CHART_EXCLUDE_LIST="${HELM_CHART_EXCLUDE_LIST}" # pulling the charts from helm-charts repo, charts to be included are passed as arguments HELM_CHART_INCLUDE_LIST -"${TASKS_DIR}"/proc_pull_ext_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" HELM_CHART_INCLUDE_LIST="postgresql-external" +# "${TASKS_DIR}"/proc_pull_ext_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" HELM_CHART_INCLUDE_LIST="postgresql-external" # copy local copy of values from root directory to output directory cp -r "${ROOT_DIR}"/values "${OUTPUT_DIR}"/ @@ -49,7 +49,7 @@ cp -r "${ROOT_DIR}"/values "${OUTPUT_DIR}"/ # processing the charts # here we also filter the images post processing the helm charts # pass the image names to be filtered as arguments as regex #IMAGE_EXCLUDE_LIST='brig|galley' -"${TASKS_DIR}"/process_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" VALUES_TYPE="demo" #IMAGE_EXCLUDE_LIST="" +"${TASKS_DIR}"/process_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" VALUES_TYPE="prod" #IMAGE_EXCLUDE_LIST="" # all basic chart pre-processing tasks "${TASKS_DIR}"/post_chart_process_0.sh "${OUTPUT_DIR}" diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh index 7d6f7d995..b3baf4518 100755 --- a/offline/tasks/proc_pull_charts.sh +++ b/offline/tasks/proc_pull_charts.sh @@ -83,5 +83,5 @@ pull_charts() { echo "Pulling charts done." } -wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/5f5af940a89c50f485327391b293419e42ba92c0/build.json" +wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/0ed27ef439f741d1e7313af69349c7bba8f7047b/build.json" wire_build_chart_release "$wire_build" | pull_charts diff --git a/values/ingress-nginx-controller/prod-values.example.yaml b/values/ingress-nginx-controller/prod-values.example.yaml index 3fa9e238b..f248a452e 100644 --- a/values/ingress-nginx-controller/prod-values.example.yaml 
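Review bot: Commenting out the `proc_pull_ext_charts.sh ... HELM_CHART_INCLUDE_LIST="postgresql-external"` call leaves the explanatory comment above it (`pulling the charts from helm-charts repo, charts to be included are passed as arguments HELM_CHART_INCLUDE_LIST`) describing a command that no longer runs; either delete both lines or replace the comment with the reason the external chart pull is disabled for the min profile. The second hunk in this file switches `VALUES_TYPE` from `demo` to `prod`; since this commit edits the `demo-*.example.yaml` files far more than the prod ones, it is worth confirming that the min bundle is indeed meant to ship the prod values.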
+++ b/values/ingress-nginx-controller/prod-values.example.yaml @@ -12,8 +12,3 @@ ingress-nginx: image: tag: "v20220916-gd32f8c343" digest: "" - # Enable prometheus operator to scrape metrics from the ingress-nginx controller with servicemonitor. - metrics: - enabled: true - serviceMonitor: - enabled: true diff --git a/values/nginx-ingress-services/demo-secrets.example.yaml b/values/nginx-ingress-services/demo-secrets.example.yaml index 36c23bdf2..b67739b69 100644 --- a/values/nginx-ingress-services/demo-secrets.example.yaml +++ b/values/nginx-ingress-services/demo-secrets.example.yaml @@ -1,14 +1,10 @@ -# CHANGEME-DEMO: Assuming you run helm directly (and not helm-wrapper with sops), you can -# simply drop your certificate/private key here. Be careful with spaces/indentation, -# as the ingress seems to simply "swallow" errors if any (and serve the Fake default certificate -# which is highly confusing) secrets: tlsWildcardCert: | -----BEGIN CERTIFICATE----- - .... OWN CERTIFICATE ...... + .... REAL CERTIFICATE ..... -----END CERTIFICATE------- -----BEGIN CERTIFICATE----- - .... INTERMEDIATE CERT .... + .... MAYBE CHAIN CERT ..... -----END CERTIFICATE------- tlsWildcardKey: | -----BEGIN PRIVATE KEY----- diff --git a/values/nginx-ingress-services/demo-values.example.yaml b/values/nginx-ingress-services/demo-values.example.yaml index 2e241b933..4618c6c37 100644 --- a/values/nginx-ingress-services/demo-values.example.yaml +++ b/values/nginx-ingress-services/demo-values.example.yaml 
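Review bot: Dropping the `CHANGEME-DEMO` header from demo-secrets.example.yaml removes the only hint in the file that the certificate and key are placeholders and that a mis-indented PEM block is silently swallowed by the ingress, which then serves its fake default certificate; a one-line `# CHANGEME-DEMO: replace with your own certificate chain and private key; keep the indentation exact` above `secrets:` would keep that warning. The new placeholder `.... MAYBE CHAIN CERT .....` is vaguer than the removed `INTERMEDIATE CERT`; `.... INTERMEDIATE/CHAIN CERTIFICATE (optional) ....` says what belongs there.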
@@ -1,24 +1,22 @@ teamSettings: - enabled: true + enabled: false accountPages: - enabled: true + enabled: false tls: enabled: true # NOTE: enable to automate certificate issuing with jetstack/cert-manager instead of # providing your own certs in secrets.yaml. Cert-manager is not installed automatically, # it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md) useCertManager: false - issuer: - kind: ClusterIssuer certManager: - inTestMode: false + # NOTE: change to tell cert-manager to issue a valid certificate + inTestMode: true # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration # notice and other Letsencrypt related notification certmasterEmail: -# CHANGEME-PROD: These values are suggested for deployments on bare metal and -# should be adjusted on a per installation basis +# NOTE: These values must be adjusted on a per installation basis config: dns: https: nginz-https.example.com @@ -27,12 +25,3 @@ config: fakeS3: assets.example.com teamSettings: teams.example.com accountPages: account.example.com - # uncomment below to activate cert acquisition for federator ingress - # federator: federator.example.com - -# Redirection configuration for fake-aws-s3 -service: - useFakeS3: true - s3: - externalPort: 9000 - serviceName: fake-aws-s3 diff --git a/values/nginx-ingress-services/prod-values.example.yaml b/values/nginx-ingress-services/prod-values.example.yaml index 2f34acade..91b358fbe 100644 --- a/values/nginx-ingress-services/prod-values.example.yaml +++ b/values/nginx-ingress-services/prod-values.example.yaml @@ -8,8 +8,7 @@ tls: # providing your own certs in secrets.yaml. Cert-manager is not installed automatically, # it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md) useCertManager: false - issuer: - kind: ClusterIssuer + certManager: inTestMode: false # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration 
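Review bot: Removing `issuer: kind: ClusterIssuer` here, in the prod-values hunk below and in the sftd prod-values hunk changes which cert-manager resource is referenced if the chart passes an unset kind through, because cert-manager's own default for `issuerRef.kind` is the namespaced `Issuer`; an installation that created a `ClusterIssuer` named `letsencrypt-http01` would then stop receiving certificates with no obvious error, so please confirm the charts now set the kind themselves or keep the line. Separately, `teamSettings.enabled` and `accountPages.enabled` are flipped to `false` while the wire-server demo-values hunk in this commit adds `team-settings` and `account-pages` with `appHost: teams.example.com` / `account.example.com`, so as written the ingress for those hosts is off. The `-27,12` hunk also removes the `service.useFakeS3` redirection while `dns.fakeS3: assets.example.com` stays and cargohold demo-values still use `s3DownloadEndpoint: https://assets.example.com`; confirm that host still routes somewhere. `certmasterEmail:` remains a bare key, which parses as null.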
@@ -18,7 +17,6 @@ certManager: # CHANGEME-PROD: These values are suggested for deployments on bare metal and # should be adjusted on a per installation basis - config: dns: https: nginz-https.example.com diff --git a/values/sftd/prod-values.example.yaml b/values/sftd/prod-values.example.yaml index 25c5cd69f..7835892a4 100644 --- a/values/sftd/prod-values.example.yaml +++ b/values/sftd/prod-values.example.yaml @@ -4,4 +4,3 @@ replicaCount: 3 tls: issuerRef: name: letsencrypt-http01 - kind: ClusterIssuer diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml index 27815f5e8..c37f1c037 100644 --- a/values/wire-server/demo-secrets.example.yaml +++ b/values/wire-server/demo-secrets.example.yaml @@ -1,9 +1,3 @@ -# CHANGEME-DEMO: All values here should be changed/reviewed -elasticsearch-index: - secrets: - elasticsearch: - username: elastic - password: changeme brig: secrets: smtpPassword: dummyPassword 
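Review bot: The `# CHANGEME-DEMO: All values here should be changed/reviewed` header is removed from wire-server demo-secrets.example.yaml while the file still carries placeholder credentials (`dummyPassword`, `dummykey`, `dummysecret`, `basicAuth: ":"`), so keep that line; the prod-secrets example touched in this same commit retains its `# CHANGEME-PROD` header, and the two should match. Dropping the `elasticsearch-index` block with `elastic`/`changeme` is fine as long as the chart no longer needs those values, which is worth confirming since the demo-values side still points brig at `elasticsearch-ephemeral`.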
@@ -15,61 +9,36 @@ brig: turn: # generate a high-entropy random string, e.g. using # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42 - secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp + secret: # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret # These are only necessary if you wish to support sign up via SMS/calls # And require accounts at twilio.com / nexmo.com - rabbitmq: - username: wire-server - password: verysecurepassword - pgPassword: verysecurepassword setTwilio: |- sid: "dummy" token: "dummy" setNexmo: |- key: "dummy" secret: "dummy" - elasticsearch: - username: "elastic" - password: "changeme" - elasticsearchAdditional: - username: "elastic" - password: "changeme" -cannon: - secrets: - rabbitmq: - username: wire-server - password: verysecurepassword cargohold: secrets: # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - rabbitmq: - username: wire-server - password: verysecurepassword galley: secrets: # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - pgPassword: verysecurepassword - rabbitmq: - username: wire-server - password: verysecurepassword gundeck: secrets: # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - rabbitmq: - username: wire-server - password: verysecurepassword proxy: secrets: 
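Review bot: `secret:` under `brig.secrets.turn` is now a bare key, which YAML parses as null; depending on how the chart templates it this becomes the literal string `null` or an empty value rather than a failed render, so a missing TURN shared secret may only surface as call-auth failures. Prefer `secret: ""  # CHANGEME-DEMO: generate with the openssl command above` so the requirement is visible and a required-value check can catch it; the same applies to `configJson:` under `team-settings.secrets` in the next hunk. Replacing the old `CHANGEMEE6KH...` placeholder is still an improvement, since a value that looked like a real secret invited copy-paste into live deployments.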
@@ -93,24 +62,7 @@ nginz: # only necessary in test environments (env="staging"). See charts/nginz/README.md basicAuth: ":" -# RabbitMQ credentials for background-worker. -background-worker: +team-settings: secrets: - rabbitmq: - username: wire-server - password: verysecurepassword - -# Uncomment for legalhold. Set values accordingly - -# legalhold: -# serviceToken: "supersecret" -# # openssl req -x509 -newkey rsa:4096 -sha256 -keyout tls.key -out tls.crt -days -# # 365 -subj '/CN={{ .Values.legalhold.host }}' Or provide your own signed by a -# # proper CA -# tlsKey: | -# -----BEGIN PRIVATE KEY----- -# -----END PRIVATE KEY----- -# -# tlsCrt: | -# -----BEGIN CERTIFICATE----- -# -----END CERTIFICATE----- + # Required if you want to use team-settings + configJson: diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index 9943d6943..c3967ee3d 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -1,7 +1,6 @@ tags: proxy: false # enable if you want/need giphy/youtube/etc proxying - legalhold: false # Enable if you need legalhold - federation: false # Enable to use federation + spar: false # enable if you want/need Single-Sign-On (SSO) cassandra-migrations: # images: 
@@ -23,70 +22,34 @@ brig: config: cassandra: host: cassandra-ephemeral + replicaCount: 1 elasticsearch: host: elasticsearch-ephemeral - rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` - postgresql: - host: postgresql # DNS name without protocol - port: "5432" - user: wire-server - dbname: wire-server useSES: false - # Set to false if you want to hand out DynamoDB to store prekeys - randomPrekeys: true aws: # change if using real AWS region: "eu-west-1" sqsEndpoint: http://fake-aws-sqs:4568 - #dynamoDBEndpoint: http://fake-aws-dynamodb:4567 - + dynamoDBEndpoint: http://fake-aws-dynamodb:4567 # these must match the table names created on fake or real AWS services internalQueue: integration-brig-events-internal prekeyTable: integration-brig-prekeys externalUrls: - nginz: https://nginz-https.example.com # change this + nginz: https://api.example.com # change this teamSettings: https://teams.example.com # change this (on unset if team settings are not used) teamCreatorWelcome: https://teams.example.com/login # change this teamMemberWelcome: https://wire.example.com/download # change this - enableFederation: false # Enable to use federation optSettings: setFederationDomain: example.com # change this # Sync the domain with the 'host' variable in the sftd chart - # Comment the next line (by adding '#' before it) if conference calling is not used - setSftStaticUrl: "https://sftd.example.com:443" - # If set to true, creating new personal users or new teams on your instance from - # outside your backend installation is disabled - setRestrictUserCreation: false - # Uncomment and replace values below for adding federated backends - # setFederationStrategy: allowDynamic - # setFederationDomainConfigs: - # - domain: remotebackend1.example.com - # search_policy: full_search + # uncomment this section if conference calling is not used + setSftStaticUrl: "https://sftd.example.om:443" emailSMS: general: emailSender: 
email@example.com # change this smsSender: "insert-sms-sender-for-twilio" # change this if SMS support is desired - templateBranding: # change all of these, they are used in emails - brand: Wire - brandUrl: https://wire.com - brandLabel: wire.com - brandLabelUrl: https://wire.com - brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png - brandService: Wire Service Provider - copyright: © WIRE SWISS GmbH - misuse: misuse@wire.com - legal: https://wire.com/legal/ - forgot: https://wire.com/forgot/ - support: https://support.wire.com/ - user: - passwordResetUrl: https://account.example.com/reset/?key=${key}&code=${code} - activationUrl: https://account.example.com/verify/?key=${key}&code=${code} - smsActivationUrl: https://account.example.com/v/${code} - deletionUrl: https://account.example.com/d/?key=${key}&code=${code} - invitationUrl: https://account.example.com/i/${code} smtp: - host: smtp # change this if you want to use your own SMTP server + host: demo-smtp # change this if you want to use your own SMTP server port: 25 # change this connType: plain # change this. Possible values: plain|ssl|tls # proxy: @@ -95,16 +58,6 @@ brig: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - turnStatic: - v1: [] - v2: - # - "turn::3478" - # - "turn::3478" - # - "turn::3478?transport=tcp" - # - "turn::3478?transport=tcp" - metrics: - serviceMonitor: - enabled: false proxy: replicaCount: 1 @@ -117,21 +70,13 @@ proxy: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false + cannon: replicaCount: 1 # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 - config: - cassandra: - host: cassandra-ephemeral - metrics: - serviceMonitor: - enabled: false cargohold: replicaCount: 1 
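Review bot: `setSftStaticUrl: "https://sftd.example.om:443"` has a typo in the host (`.om` for `.com`), and the comment above it, `# uncomment this section if conference calling is not used`, is inverted for a line that is active; it should read `# comment out the next line if conference calling is not used`. `externalUrls.nginz` is changed to `https://api.example.com` while the rest of this commit (nginx-ingress-services `dns.https`, webapp `backendRest`, team-settings and account-pages `backendRest`) keeps `nginz-https.example.com`, so the example should settle on one hostname. The `replicaCount: 1` inserted after `cassandra.host` cannot be placed from the collapsed indentation; in the galley hunk further down the same value is added although `replicaCount: 1` already heads that block, so if this is the pod replica count it is a duplicate, and if it is a Cassandra replication setting a comment saying so would help. The brig block continues outside the hunk on both sides.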
@@ -141,7 +86,7 @@ cargohold: aws: # change if using real AWS region: "eu-west-1" - s3Bucket: assets + s3Bucket: dummy-bucket s3Endpoint: http://fake-aws-s3:9000 s3DownloadEndpoint: https://assets.example.com settings: @@ -152,9 +97,6 @@ cargohold: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false galley: replicaCount: 1 @@ -163,25 +105,11 @@ galley: config: cassandra: host: cassandra-ephemeral - rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` - postgresql: - host: postgresql # DNS name without protocol - port: "5432" - user: wire-server - dbname: wire-server - enableFederation: false # Enable to use federation + replicaCount: 1 settings: - # prefix URI used when inviting users to a conversation by link - conversationCodeURI: https://account.example.com/conversation-join/ # change this federationDomain: example.com # change this - # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) - featureFlags: - sso: disabled-by-default - # NOTE: Change this to "disabled-by-default" for legalhold support - # legalhold: disabled-by-default - legalhold: disabled-permanently - teamSearchVisibility: disabled-by-default + # prefix URI used when inviting users to a conversation by link + conversationCodeURI: https://example.com/conversation-join/ # change this to poitn to your account pages. aws: region: "eu-west-1" # proxy: @@ -190,9 +118,6 @@ galley: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false gundeck: replicaCount: 1 @@ -201,6 +126,7 @@ gundeck: config: cassandra: host: cassandra-ephemeral + replicaCount: 1 aws: # change if using real AWS account: "123456789012" @@ -215,9 +141,6 @@ gundeck: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false nginz: replicaCount: 1 
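Review bot: The new comment on `conversationCodeURI` reads `# change this to poitn to your account pages.` — typo `poitn`, and the value it annotates now points at `https://example.com/conversation-join/` rather than the account-pages host `account.example.com` that this commit still uses for `URL_ACCOUNT_BASE` and the account-pages `appHost`; either restore the account host or drop the sentence. Removing the galley `featureFlags` block, including `legalhold: disabled-permanently`, hands those flags to the chart defaults; if the chart default for legalhold is `disabled-by-default`, team admins could switch legal hold on in demo installs, which would be a behaviour change worth naming in the changelog entry. The `s3Bucket: dummy-bucket` rename in the cargohold hunk should match whatever bucket the fake-aws-s3 chart creates, as the removed value `assets` may have been chosen for exactly that.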
@@ -231,70 +154,75 @@ nginz: # using prod means mostly that some internal endpoints are not exposed env: prod external_env_domain: example.com - deeplink: - endpoints: - backendURL: "https://nginz-https.example.com" - backendWSURL: "https://nginz-ssl.example.com" - teamsURL: "https://teams.example.com" - accountsURL: "https://account.example.com" - blackListURL: "https://clientblacklist.wire.com/prod" - websiteURL: "https://wire.com" - title: "My Custom Wire Backend" - # Optional -- Uncomment these if you want to direct all of your mobile users to use the same proxy. - #apiProxy: - #host: "socks5.proxy.com" - #port: 1080 - #needsAuthentication: true # For demo mode only, we don't need to keep websocket connections open on upgrade: drainTimeout: 10 terminationGracePeriodSeconds: 30 - metrics: - serviceMonitor: - enabled: false -spar: + +webapp: replicaCount: 1 # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: - cassandra: - host: cassandra-ephemeral - logLevel: Debug - domain: example.com - appUri: https://nginz-https.example.com - ssoUri: https://nginz-https.example.com/sso - maxttlAuthreq: 28800 - maxttlAuthresp: 28800 - # maxScimTokens: 16 # uncomment this if you want to use SCIM provisioning - contacts: - - type: ContactSupport - company: YourCompany - email: email:support@example.com -# proxy: -# httpProxy: "http://proxy.example.com" -# httpsProxy: "https://proxy.example.com" -# noProxyList: -# - "local.example.com" -# - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false - -# Only needed when legalhold is enabled -#legalhold: -# host: "legalhold.example.com" -# wireApiHost: "https://nginz-https.example.com" + externalUrls: + backendRest: nginz-https.example.com + backendWebsocket: nginz-ssl.example.com + backendDomain: example.com + # When 'tags.team-settings: true' + backendTeamSettings: teams.example.com + appHost: webapp.example.com + # See full list of available environment variables: 
https://github.com/wireapp/wire-webapp/blob/dev/server/config.ts + envVars: + APP_NAME: "Webapp" + ENFORCE_HTTPS: "false" + FEATURE_CHECK_CONSENT: "false" + FEATURE_ENABLE_ACCOUNT_REGISTRATION: "true" + FEATURE_ENABLE_DEBUG: "false" + FEATURE_ENABLE_PHONE_LOGIN: "false" + FEATURE_ENABLE_SSO: "false" + FEATURE_SHOW_LOADING_INFORMATION: "false" + URL_ACCOUNT_BASE: "https://account.example.com" + #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed? + URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions" + URL_SUPPORT_BASE: "https://www.example.com/support" + URL_TEAMS_BASE: "https://teams.example.com" + URL_TEAMS_CREATE: "https://teams.example.com" + URL_TERMS_OF_USE_PERSONAL: "https://www.example.com/terms-conditions" + URL_TERMS_OF_USE_TEAMS: "https://www.example.com/terms-conditions" + URL_WEBSITE_BASE: "https://www.example.com" + CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com" + CSP_EXTRA_IMG_SRC: "https://*.example.com" + CSP_EXTRA_SCRIPT_SRC: "https://*.example.com" + CSP_EXTRA_DEFAULT_SRC: "https://*.example.com" + CSP_EXTRA_FONT_SRC: "https://*.example.com" + CSP_EXTRA_FRAME_SRC: "https://*.example.com" + CSP_EXTRA_MANIFEST_SRC: "https://*.example.com" + CSP_EXTRA_OBJECT_SRC: "https://*.example.com" + CSP_EXTRA_MEDIA_SRC: "https://*.example.com" + CSP_EXTRA_PREFETCH_SRC: "https://*.example.com" + CSP_EXTRA_STYLE_SRC: "https://*.example.com" + CSP_EXTRA_WORKER_SRC: "https://*.example.com" -# Only needed when federation is enabled -#federator: -# tls: -# useSharedFederatorSecret: true +team-settings: + replicaCount: 1 +# image: +# tag: some-tag (only override if you want a newer/different version than what is in the chart) + envVars: + IS_SELF_HOSTED: "true" + config: + externalUrls: + backendRest: nginz-https.example.com + backendWebsocket: nginz-ssl.example.com + backendDomain: example.com + appHost: teams.example.com -background-worker: +account-pages: + replicaCount: 1 +# image: +# tag: some-tag (only 
override if you want a newer/different version than what is in the chart) + envVars: + IS_SELF_HOSTED: "true" config: - cassandra: - host: cassandra-ephemeral - # Enable for federation - enableFederation: false - metrics: - serviceMonitor: - enabled: false + externalUrls: + backendRest: nginz-https.example.com + backendDomain: example.com + appHost: account.example.com diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml index 04e44c932..051ece86c 100644 --- a/values/wire-server/prod-secrets.example.yaml +++ b/values/wire-server/prod-secrets.example.yaml @@ -1,7 +1,6 @@ # CHANGEME-PROD: All values here should be changed/reviewed brig: secrets: - pgPassword: verysecurepassword smtpPassword: dummyPassword zAuth: # generate zauth public/private keys with the 'zauth' executable from wire-server: @@ -44,7 +43,6 @@ cargohold: galley: secrets: - pgPassword: verysecurepassword # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index f7ce5d5a3..92bfe25b5 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml @@ -26,12 +26,7 @@ brig: elasticsearch: host: elasticsearch-external rabbitmq: - host: rabbitmq-external # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` - postgresql: - host: postgresql-external-rw # DNS name without protocol - port: "5432" - user: wire-server - dbname: wire-server + host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` useSES: false # Set to false if you want to hand out DynamoDB to store prekeys randomPrekeys: true 
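Review bot: The new webapp `envVars` set `ENFORCE_HTTPS: "false"` while every other URL in the block (`URL_ACCOUNT_BASE`, `URL_TEAMS_BASE`, the `CSP_EXTRA_*` sources) is https and the ingress example enables TLS; unless the demo is meant to be served over plain http, `ENFORCE_HTTPS: "true"` is the safer example, and a comment such as `# set to "true" once TLS is terminated at the ingress` would explain the choice either way. The `# image:` / `#   tag:` comment pair under `team-settings` and `account-pages` sits at column 0 while the surrounding keys are indented, so it reads like a top-level key; indent it the way the `webapp` copy is. `backendTeamSettings` is annotated `# When 'tags.team-settings: true'`, but the `tags:` block edited earlier in this file lists only `proxy` and `spar`, so confirm that tag exists. The nginz section this hunk opens in starts outside the hunk.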
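Review bot: `brig.config.rabbitmq.host` in the prod example moves from `rabbitmq-external` to `rabbitmq`, and the inline comment still lists both as valid; the galley block later in this file already uses `rabbitmq`, so the two services are now consistent, but the prod profile previously pointed brig at an externally managed RabbitMQ and the change should be mentioned in the changelog entry, which only names the new workflow. The removal of the `postgresql:` block here and in galley matches the min build script no longer pulling `postgresql-external` and the dropped `pgPassword` secrets, so no dangling reference remains that I can see. The brig block continues outside the hunk.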
@@ -86,7 +81,7 @@ brig: deletionUrl: https://account.example.com/d/?key=${key}&code=${code} invitationUrl: https://account.example.com/i/${code} smtp: - host: smtp # change this if you want to use your own SMTP server + host: demo-smtp # change this if you want to use your own SMTP server port: 25 # change this connType: plain # change this. Possible values: plain|ssl|tls # proxy: @@ -102,9 +97,7 @@ brig: # - "turn::3478" # - "turn::3478?transport=tcp" # - "turn::3478?transport=tcp" - metrics: - serviceMonitor: - enabled: false + proxy: replicaCount: 3 @@ -117,9 +110,7 @@ proxy: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false + cannon: replicaCount: 3 # image: @@ -129,9 +120,7 @@ cannon: config: cassandra: host: cassandra-external - metrics: - serviceMonitor: - enabled: false + cargohold: replicaCount: 3 # image: @@ -152,9 +141,7 @@ cargohold: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false + galley: replicaCount: 3 # image: @@ -164,11 +151,6 @@ galley: host: cassandra-external rabbitmq: host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` - postgresql: - host: postgresql-external-rw # DNS name without protocol - port: "5432" - user: wire-server - dbname: wire-server enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -189,9 +171,7 @@ galley: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false + gundeck: replicaCount: 3 # image: @@ -213,9 +193,7 @@ gundeck: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false + nginz: replicaCount: 3 config: 
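Review bot: `smtp.host` in the prod example is switched from `smtp` to `demo-smtp`; the `# change this` suffix keeps it a placeholder, but a prod example pointing at a demo-named service is misleading if `demo-smtp` is the in-cluster test mailer, so keep `smtp` (or whatever the prod profile actually deploys) here and make the demo-only change in demo-values. The remaining hunks in this file, and the `-245,9` and `-272,30` hunks at the end, replace each removed `metrics:` block with an added empty line, which appears to leave double blank lines before `proxy:`, `cannon:`, `cargohold:` and the rest; deleting without replacing keeps the spacing uniform.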
@@ -245,9 +223,7 @@ nginz: # For demo mode only, we don't need to keep websocket connections open on upgrade: drainTimeout: 10 terminationGracePeriodSeconds: 30 - metrics: - serviceMonitor: - enabled: false + spar: replicaCount: 3 # image: @@ -272,30 +248,21 @@ spar: # noProxyList: # - "local.example.com" # - "10.23.0.0/16" - metrics: - serviceMonitor: - enabled: false + # Only needed when legalhold is enabled legalhold: host: "legalhold.example.com" wireApiHost: "https://nginz-https.example.com" - metrics: - serviceMonitor: - enabled: false + # Only needed when federation is enabled federator: tls: useSharedFederatorSecret: true - metrics: - serviceMonitor: - enabled: false + background-worker: config: cassandra: host: cassandra-external # Enable for federation enableFederation: false - metrics: - serviceMonitor: - enabled: false