Release 2023-03-06 - (expected chart version 4.34.0) #3132
Merged
Master->Develop after release
Broad Changes:
- Introduce `SQSWatcher` in `Util.Test.SQS`. This can be used to watch an SQS queue in a separate thread from tests. It keeps whatever comes in the queue in an `IORef [a]`. The tests then make assertions on whatever they expect to be in the queue. The tests can no longer assume that the queue will be empty and only used by calls made by the test, so they always need to make assertions using `id` of the team of user depending on which queue they are making an assertion.
- brig-integration: Remove hard coded port for running mock bot services during the test. This allows multiple mocks to be running at the same time. To make this work in K8s, the service needs to be headless.
- galley-integration: Same as above, but for mock legalhold services
- Increase timeouts for expiring various codes and invitations. Since the tests run in parallel, some tests may starve for CPU. These timeouts then start affecting the tests. Most of them were 5 seconds and have been updated to 10 seconds. This makes some tests (which test the fact that these timeouts work) run longer, but it is ok.
- Increase timeouts further in 1 test (`brig-integration:API.Team.testInvitationPaging`) because it was running for longer than 10 seconds and failing intermittently
- galley-integration: De-duplicate code in `API..Teams.LegalHold` and `API.Teams.LegalHold.DisabledByDefault`.
- Remove any obvious uses of `putStrLn`, `print` etc. from tests. These don't interleave very well when tests are running in parallel. Some legalhold tests were being "skipped" based on feature flags, these are now clearly marked skipped using tasty machinery.
- Bonus: Make upload-images script upload the images in parallel.
- FUTUREWORK: Make spar tests run in parallel, they take more than 5 mins to run.

Co-authored-by: jschaul <jschaul@users.noreply.github.com>
#3037)
* charts: Mark all test resources to be only created while running tests
* Use patched helm to ensure it doesn't try to get logs of configmaps
* ciImage,devSetup: Add awk
* ciImage: Add cfssl
Co-authored-by: Sebastian Willenborg <sebastian.willenborg@wire.com>
Co-authored-by: Sebastian Willenborg <sebastian.willenborg@wire.com>
Add security response about wire.com DoS and HTML injection
* change helm hook type of test resources which are not Pods
* changelog adjustment

- change liveness and readiness probes to start querying more quickly to see if cassandra is up. Instead of 90 - 120 seconds, if cassandra is up earlier that should manifest itself in the setup time of 'make kube-integration-setup'
- change helmfile for wire-server to wait for databases-ephemeral to be up before launching pods: cassandra-migration needs to have a working cassandra anyway
- the crashloop-backoff strategy leads to a lot of waiting in between restarts; so it should be faster to wait for cassandra to be up before attempting schema migrations

example case where this test failed: https://concourse.ops.zinfra.io/teams/main/pipelines/staging/jobs/test/builds/342

output of failing test:

```
metrics
  prometheus: OK (0.02s)
  work: FAIL (1.06s)
    Error message: /login was called twice
    expected: 2
     but got: 3
    CallStack (from HasCallStack):
      assertFailure, called at ./Test/Tasty/HUnit/Orig.hs:86:32 in tasty-hunit-0.10.0.3-KJER1RJhmod6e0raY4U8z6:Test.Tasty.HUnit.Orig
      assertEqual, called at test/integration/API/Metrics.hs:78:12 in main:API.Metrics
    Use -p '(!/turn/&&!/user.auth.cookies.limit/)&&/metrics.work/' to rerun this test only.
```
…#3045)
* Extend the docs on the federation error type

* Test helper SQSWatcher: use purgeQueue
  The previous logic of emptying the queue by reading all messages and deleting them assumes there is no other process writing anything into the queue, which might not be the case (in case of parallel brig/galley/spar tests). Instead, use purgeQueue to empty the queue, which should be faster and more reliable.
* Hi CI

… to flaky tests) for parallel helm test executions. (#3040)

1. Allow running helm tests in parallel if desired, using `HELM_PARALLELISM=6` (disabled for now until we have fixed some flaky tests which fail more often when tests run in parallel)
2. rework integration test output: logs from test runs will only show if there are any failed tests. Also, the bottom of the output will have a summary of what failed and what didn't; as well as only the failed test lines with a context of +- 10 lines. This should hopefully make it easier to see what went wrong: just scroll to the bottom.

The summary looks like this:

```
=== tail cargohold: ===
All 21 tests passed (8.45s)
=== tail gundeck: ===
All 33 tests passed (56.60s)
=== tail federator: ===
Finished in 0.6576 seconds
9 examples, 0 failures
=== tail spar: ===
Finished in 397.2779 seconds
553 examples, 0 failures, 65 pending
=== tail brig: ===
2 out of 449 tests failed (123.07s)
=== tail galley: ===
1 out of 414 tests failed (136.33s)
cargohold-integration passed ✅.
gundeck-integration passed ✅.
federator-integration passed ✅.
spar-integration passed ✅.
brig-integration FAILED ❌. pfff...
galley-integration FAILED ❌. pfff...
Tests failed.
```

* Lower the log level of federator inotify

---------

Co-authored-by: jschaul <jschaul@users.noreply.github.com>
Co-authored-by: Leif Battermann <leif.battermann@wire.com>
Co-authored-by: Leif Battermann <leif.battermann@wire.com> Co-authored-by: Leif Battermann <leif.battermann@wire.com>
Make account registration whitelists local #3043

https://wearezeta.atlassian.net/browse/SQPIT-405 (a related wire infrastructure PR is linked in the ticket)

This is changing a feature wire has been using on our staging environment, and (probably?) not anywhere else. See the changelog if you think you may be affected.

Since the service is both outdated and almost unused, this PR moves the data from that service into the local server config yaml. Migration should be painless, since the new settings are in a different place than the old ones. Just make sure the new fields are added to the config before the upgrade, and then you can remove the old ones at any time after.
Render a Swagger docs page per internal endpoint. The benefit is that we don't have to play crazy tricks to get all (overlapping!) paths right. Currently, this is solved in develop by prefixing the paths by their service name (e.g. /<brig>/i/status.) Executing the swagger operations by clicking on *Execute* doesn't work and never will: The services do not handle CORS related headers. Thus, the browser refuses to accept the response. But, the rendered curl command works if kubectl forward-port is called as described.
Make brig-schema a little faster by merging the first 34 schema migrations and thereby removing some redundancies on fresh installations.
Introduces an integration test / regression test to check that control-level pings with a payload result in a control-level pong with the same payload as specified in the [RFC](https://www.rfc-editor.org/rfc/rfc6455#section-5.5.2).

This was used in debugging https://wearezeta.atlassian.net/browse/FS-1489 (related ping-pong prior work: #561 and prior discussion: #560)
* Use openssl instead of tls in federator http2 client
* changelog
* Strip trailing dot for hostname validation
* Move blessed ciphers close to where context is being built
  Make it clear that this only works with TLS 1.2 as of now
* Check client certificate and private key to ensure they match
  This will prevent reloading in case the files are being updated one by one.
* Add options to ssl context to workaround various bugs
  https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_ALL
* Remove leftover debugging code
* Ensure test for testing hostname with trailing dot is correct
  It was broken in a previous commit so it was not testing with a hostname with trailing dot at all.
* Remove commented out code for hs-tls
* Remove duplicated comment
* Slightly better types for CertifiateAndPrivateKeyDoNotMatch
* Share code to create ssl context between test and src
* Grammar
  Co-authored-by: Paolo Capriotti <paolo@capriotti.io>
* federator: Pass response consumer continuation to discoverAndCall
  This ensures that HTTP2 client doesn't close the connection before the response body gets consumed. In current implementation of the HTTP2 client there is a race between the part which consumes the response and "background threads". These background threads are sending and receiving data and they are not supposed to finish unless connection gets abruptly terminated, however, due to the race they get a `Async.cancel` when the response consumer function finishes executing. Before this change, `Codensity` was supposed to ensure that the consumer doesn't finish executing, but I am not sure why it didn't work, changing the code to use CPS fixes this.
* Remove `-Wno-unused-imports`, perhaps added by mistake
* Federator Client: Simplify reading data from SSL
* Revert "federator: Pass response consumer continuation to discoverAndCall"
  This reverts commit febf71a.
  Thanks to @pcapriotti for clarifying that the test was failing because the test was exiting Codensity before making the assertion causing the test to fail.
* federator-integration: Avoid exiting Codensity too soon
* federator: Run all code wrapped in `withOpenSSL`
* federator-unit-tests: Ensure assertions happen without exiting Codensity
* Special handling for reading 0 bytes out of the TLS socket

---------

Co-authored-by: Paolo Capriotti <paolo@capriotti.io>
Better error message for invalid ID in credential
This fixes compatibility with Nix 2.14.
* Cleanup haskell-pins
* Bring back forked http-client
  The ssl-util package relies on the fork.
* Fix compile error due to http2 bump

* retry with exp backoff when rate limited by Amazon
* add changelog
* factor out retry function + review comments

* Add pregenerated v3 swagger
* Finalise API v3
* Use v2 for welcome messages in tests
* Add CHANGELOG entry
* Set v4 as the development version
* Update golden tests
* Add assertion for v4 to version test
* Use v2 welcome in end2end tests

* replace "tho" with "the"
* fix glossary reference
* fix terminology list
  upstream uses "End User/Browser" here, in our context Transport makes more sense
zebot added the ok-to-test label (Approved for running tests in CI, overrides not-ok-to-test if both labels exist) Mar 6, 2023
smatting approved these changes Mar 6, 2023
[2023-03-06] (Chart Release 4.34.0)
Release notes
In (the unlikely) case your server config file contains `setWhitelist:`, you need to change this before the upgrade! It used to refer to a whitelisting service, which is now replaced with a local list of allowed domains and phone numbers. See docs for details. Migration path: add new config fields; upgrade, remove old config fields. (Make account registration whitelists local #3043)
The coturn Helm chart has been promoted to beta level stability. (Update container images in coturn Helm chart #3078)
API changes
Features
Add internal endpoints of `cargohold`, `galley`, `legalhold` and `spar` to the Swagger docs for internal endpoints. (internal endpoints swagger additional endpoints #3007)
The coturn container image included in the coturn Helm chart was updated to version `4.6.0-wireapp.4`. With this version of coturn, the Prometheus metrics endpoint has been updated, and the `turn_active_allocations` metric label has been renamed to `turn_total_allocations`. (Update container images in coturn Helm chart #3078)
Better error message for invalid ID in a credential when uploading MLS key packages (Improve error message #3102)
Add Swagger documentation for internal endpoints. It's reachable at the path `/v<n>/api-internal/swagger{-ui,.json}`. (internal endpoints swagger (brig, cannon) #3003)
Render one Swagger page per internal endpoint. This supersedes the previous Swagger docs page for all internal endpoints. (Swagger page per internal endpoint #3094)
Feature flag for Outlook calendar integration ([SQSERVICES-1843] Outlook calendar feature flag #3025)
Team feature setting for MLS end-to-end identity was added and server setting `setEnableMls` is exposed via new authorized endpoint `GET /system/settings` ([SQSERVICES-1911] Team features MLS E2E ID #3082)
Bug fixes and other updates
The container image used for handling online TLS certificate updates in the coturn Helm chart was updated to a version with metadata compatible with containerd. (Update container images in coturn Helm chart #3078)
Fix a bug in the helm chart's nginx-ingress-services / federator Ingress resource introduced in the last release. (fixup to federator ingress helm chart syntax from the changes in #3002 #3034)
Remove overly restrictive api check (stern: make api version check a unit test #3131)
Typing indicators not working across federated backends (Remote typing indicators #3118)
Documentation
Extend the docs on the federation error type ([FS-1075] Extend the Swagger documentation for federation error types #3045)
Update SAML/SCIM docs (Update spar docs #3038)
Internal changes
Also run the 'backoffice' pod in CI (to test it can successfully start) (launch a backoffice pod in CI to catch issues with it earlier #3130)
Make brig-schema a little faster by merging the first 34 schema migrations on fresh installations. (Brig schema fold #3099)
Deflake integration test: metrics (Deflake metrics test #3053)
Document in code a function that sends remote Proteus messages (#PR_NOT_FOUND)
Lower the log level of federator inotify (Lower the log level of federator inotify #3056)
use Wai's settings for graceful shutdown (use Wai's settings for graceful shutdown #3069)
CI integration setup time should be reduced: tweak the way cassandra-ephemeral is started (helmfile sync: speedup #3052)
charts: Mark all service/secret/configmap test resources to be re-created by defining them as helm hooks (charts: Mark all test resources to be only created while running tests #3037, Helm hook type #3049)
New integration test script with support for running end2end tests locally (Local setup for end2end tests #3062)
Bump nixpkgs to latest commit on nixpkgs-unstable branch (Bump nixpkgs #3084)
Add config to allow to run helm tests for different services in parallel; improve integration test output logs (Improve helm test output; and provide the means (even if disabled due to flaky tests) for parallel helm test executions. #3040)
Run brig and galley integration tests concurrently (Run brig and galley integration tests concurrently #2825)
Add wrapper for bitnami/postgresql chart. (bitnami/postgresql wrapper to use in different bots and related services #3012)
Branch on performAction tags for finer-grained CallsFed constraints (Discriminate against performAction tags for CallsFed constraints #3030)
Fixed broken stern endpoint `POST i/user/meta-info` (fix conversation list parser in stern #3035)
Make stern fail on startup if supported backend api version needs bumping (fix conversation list parser in stern #3035)
Automatically track CallsFed constraints via a GHC plugin (Automatic tracking of CallsFed constraints #3083)
Rust library `rusty-jwt-tools` upgraded to latest version (Upgrade rusty-jwt-tools #3112)
Fixed test of jwt-tools Rust FFI (Fix dpop access token test #3125)
Enabling warnings for redundant constraints and removing the redundant constraints. (Set -Wredundant-constraints and fix the errors #3009)
Migrate `/teams/notifications` to use the Servant library. (Servantify /teams/notifications #3020)
Split polysemy `Members` constraints into multiple `Member` constraints (Split `Members` into multiple constraints #3093)
Federation changes
`HsOpenSSL` instead of `tls` for federation communication. (Use openssl instead of tls in federator http2 client #3051)