wireapp · stefanwire · Feb 10, 2025 · Dec 30, 2024 · Jan 7, 2025 · Jan 7, 2025
diff --git a/.gitmodules b/.gitmodules
@@ -4,4 +4,3 @@
 [submodule "services/wire-server-enterprise"]
 	path = services/wire-server-enterprise
 	url = https://github.com/wireapp/wire-server-enterprise
-	branch = main
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,70 @@
+# [2025-02-07] (Chart Release 5.11.0)
+
+## API changes
+
+
+* New endpoints for domain registration and verification (#4389, #4422, #4433, #4434, #4438)
+    - POST /domain-verification/:domain/team
+    - POST /domain-verification/:domain/backend
+    - POST /domain-verification/:domain/challenges
+    - POST /domain-verification/:domain/challenges/:challengeId
+    - POST /domain-verification/:domain/authorize-team
+    - POST /get-domain-registration
+    - GET /teams/:tid/registered-domains
+    - DELETE /teams/:tid/registered-domains/:domain
+
+* Deprecated API endpoints were removed from API version V8. (#4407)
+
+* Add a flag to the response body of `POST /get-domain-registration` to indicate
+  whether `domain_redirect` is set to `none` due to the existence of a registered
+  account. This makes it possible for clients to let a user log in with an
+  existing cloud account even if a redirection to an on-prem backend is set up
+  for their domain. (#4441)
+
+
+## Features
+
+
+* Team feature config for domain registration (#4429)
+
+
+## Bug fixes and other updates
+
+
+* Fix 503 on user registration when the enterprise service is disabled (#4421)
+
+* Fix 503 on team invitation when wire-server-enterprise is disabled (#4439)
+
+* Fix bug in nginz: `/consent/<foo>` requests not correctly forwarded to `galeb`. (#4376)
+
+* MLS: when recreating external (backend) proposals, these are now propagated to
+  the clients only after the corresponding external commit has been forwarded to
+  the clients. (#4412)
+
+* MLS group info is now saved with the commit lock held. This prevents a bug where group info on a later commit was overwritten by an earlier group info, leading to out-of-sync MLS state between backends and clients. (#4436)
+
+
+## Internal changes
+
+
+* Internal spar endpoint to retrieve the team's identity providers (#4417)
+
+* Adjust existing onboarding flow to new domain registration constraints.
+
+  Endpoints:
+
+  - POST /teams/{id}/invitations
+  - POST /register (#4409)
+
+* federator: Install signal handlers for SIGINT and SIGTERM, close sockets when receiving these signals (#4398)
+
+* /i/index/refresh now uses the correct URL for additional indices. Thus, the
+  refreshed indices can reside on different ElasticSearch instances. This
+  endpoint is exclusively called from tests. (#4413)
+
+* Test single consumer behaviour of notifications (#4443)
+
+
 # [2025-01-28] (Chart Release 5.10.0)
 
 ## Release notes

diff --git a/cassandra-schema.cql b/cassandra-schema.cql
@@ -355,9 +355,11 @@ CREATE TABLE brig_test.oauth_user_refresh_token (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
-CREATE TABLE brig_test.users_pending_activation (
-    user uuid PRIMARY KEY,
-    expires_at timestamp
+CREATE TABLE brig_test.domain_registration_challenge (
+    id uuid PRIMARY KEY,
+    challenge_token_hash blob,
+    dns_verification_token ascii,
+    domain text
 ) WITH bloom_filter_fp_chance = 0.01
     AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
     AND comment = ''
@@ -556,10 +558,12 @@ CREATE TABLE brig_test.federation_remote_teams (
 
 CREATE TABLE brig_test.domain_registration (
     domain text PRIMARY KEY,
+    authorized_team uuid,
     backend_url blob,
     dns_verification_token ascii,
     domain_redirect int,
     idp_id uuid,
+    ownership_token_hash blob,
     team uuid,
     team_invite int
 ) WITH bloom_filter_fp_chance = 0.01
@@ -889,6 +893,24 @@ CREATE TABLE brig_test.connection_remote (
     AND speculative_retry = '99PERCENTILE';
 CREATE INDEX connection_remote_right_domain_idx ON brig_test.connection_remote (right_domain);
 
+CREATE TABLE brig_test.users_pending_activation (
+    user uuid PRIMARY KEY,
+    expires_at timestamp
+) WITH bloom_filter_fp_chance = 0.01
+    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
+    AND comment = ''
+    AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
+    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
+    AND crc_check_chance = 1.0
+    AND dclocal_read_repair_chance = 0.1
+    AND default_time_to_live = 0
+    AND gc_grace_seconds = 864000
+    AND max_index_interval = 2048
+    AND memtable_flush_period_in_ms = 0
+    AND min_index_interval = 128
+    AND read_repair_chance = 0.0
+    AND speculative_retry = '99PERCENTILE';
+
 CREATE TABLE brig_test.connection (
     left uuid,
     right uuid,
@@ -1023,6 +1045,26 @@ CREATE TABLE brig_test.service_prefix (
     AND min_index_interval = 128
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
+
+CREATE TABLE brig_test.domain_registration_by_team (
+    team uuid,
+    domain text,
+    PRIMARY KEY (team, domain)
+) WITH CLUSTERING ORDER BY (domain ASC)
+    AND bloom_filter_fp_chance = 0.01
+    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
+    AND comment = ''
+    AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
+    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
+    AND crc_check_chance = 1.0
+    AND dclocal_read_repair_chance = 0.1
+    AND default_time_to_live = 0
+    AND gc_grace_seconds = 864000
+    AND max_index_interval = 2048
+    AND memtable_flush_period_in_ms = 0
+    AND min_index_interval = 128
+    AND read_repair_chance = 0.0
+    AND speculative_retry = '99PERCENTILE';
 CREATE KEYSPACE galley_test WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'}  AND durable_writes = true;
 
 CREATE TYPE galley_test.permissions (
@@ -1153,6 +1195,8 @@ CREATE TABLE galley_test.team_features (
     conference_calling_one_to_one int,
     conference_calling_status int,
     digital_signatures int,
+    domain_registration_lock_status int,
+    domain_registration_status int,
     enforce_file_download_location text,
     enforce_file_download_location_lock_status int,
     enforce_file_download_location_status int,

diff --git a/changelog.d/mk-changelog.sh b/changelog.d/mk-changelog.sh
@@ -21,27 +21,34 @@ for d in "$DIR"/*; do
     # shellcheck disable=SC1003
     sed '$ a\' "$d/.title"
     echo ""
+    # shellcheck disable=SC2094
     for f in "${entries[@]}"; do
         pr=$(getPRNumber "$f")
         # shellcheck disable=SC1003
-        sed -r '
+        < "$f" sed -r '
           # create a bullet point on the first line
           1 { s/^/\* /; }
 
           # indent subsequent lines
           1 !{ s/^/  /; }
 
           # replace ## with PR number throughout
-          s/##/'"$pr"'/g
-
-          # add PR number at the end (unless already present)
-          $ { /^.*\((#.*)\)$/ ! { s/$/ ('"$pr"')/; } }
-
+          s/##/'"$pr"'/g' |
+          (
+            if grep -q -r '\(#[^)]\)' "$f"; then
+              cat
+            else
+              sed -r '
+                # add PR number at the end (unless already present)
+                $ { /^.*\((#.*)\)$/ ! { s/$/ ('"$pr"')/; } }
+            '
+            fi
+          ) | sed -r '
           # remove trailing whitespace
           s/\s+$//
 
           # make sure there is a trailing newline
-          $ a\' "$f"
+          $ a\'
     done
     echo ""
 done
diff --git a/charts/background-worker/templates/_helpers.tpl b/charts/background-worker/templates/_helpers.tpl
@@ -7,3 +7,19 @@
 {{- define "includeSecurityContext" -}}
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
+
+{{- define "useCassandraTLS" -}}
+{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- end -}}
+
+{{/* Return a Dict of TLS CA secret name and key
+This is used to switch between provided secret (e.g. by cert-manager) and
+created one (in case the CA is provided as PEM string.)
+*/}}
+{{- define "tlsSecretRef" -}}
+{{- if .cassandra.tlsCaSecretRef -}}
+{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "background-worker-cassandra" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/background-worker/templates/cassandra-secret.yaml b/charts/background-worker/templates/cassandra-secret.yaml
@@ -0,0 +1,15 @@
+{{/* Secret for the provided Cassandra TLS CA. */}}
+{{- if not (empty .Values.config.cassandra.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: background-worker-cassandra
+  labels:
+    app: background-worker
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+{{- end }}
diff --git a/charts/background-worker/templates/configmap.yaml b/charts/background-worker/templates/configmap.yaml
@@ -26,6 +26,9 @@ data:
         host: {{ .cassandra.host }}
         port: 9042
       keyspace: gundeck
+      {{- if eq (include "useCassandraTLS" .) "true" }}
+      tlsCa: /etc/wire/background-worker/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }}
+      {{- end }}
 
     {{- with .rabbitmq }}
     rabbitmq:

diff --git a/charts/background-worker/templates/deployment.yaml b/charts/background-worker/templates/deployment.yaml
@@ -26,9 +26,12 @@ spec:
         # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
         checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
         checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
+        checksum/cassandra-secret: {{ include (print .Template.BasePath "/cassandra-secret.yaml") . | sha256sum }}
         fluentbit.io/parser: json
     spec:
-      serviceAccountName: {{ .Values.serviceAccount.name }}
+      serviceAccount: null
+      serviceAccountName: null
+      automountServiceAccountToken: false
       volumes:
         - name: "background-worker-config"
           configMap:

diff --git a/charts/background-worker/templates/serviceaccount.yaml b/charts/background-worker/templates/serviceaccount.yaml
diff --git a/charts/background-worker/values.yaml b/charts/background-worker/values.yaml
@@ -37,14 +37,6 @@ config:
     pushBackoffMaxWait: 300000000 # microseconds, so 300s
     remotesRefreshInterval: 300000000 # microseconds, so 300s
 
-serviceAccount:
-  # When setting this to 'false', either make sure that a service account named
-  # 'background-worker' exists or change the 'name' field to 'default'
-  create: true
-  name: background-worker
-  annotations: {}
-  automountServiceAccountToken: true
-
 secrets: {}
 
 podSecurityContext:

diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
@@ -64,6 +64,10 @@ data:
       host: galley
       port: 8080
 
+    spar:
+      host: spar
+      port: 8080
+
     gundeck:
       host: gundeck
       port: 8080
@@ -81,6 +85,12 @@ data:
       host: federator
       port: 8080
 
+    {{- if and (.wireServerEnterprise) (default false .wireServerEnterprise.enabled) }}
+    wireServerEnterprise:
+      host: wire-server-enterprise
+      port: 8080
+    {{- end }}
+
     {{- with .rabbitmq }}
     rabbitmq:
       host: {{ .host }}
@@ -371,5 +381,6 @@ data:
       {{- if .setAuditLogEmailRecipient }}
       setAuditLogEmailRecipient: {{ .setAuditLogEmailRecipient }}
       {{- end }}
+      setChallengeTTL: {{ or .setChallengeTTL 172800 }}
     {{- end }}
   {{- end }}
diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml
@@ -160,6 +160,8 @@ config:
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}
+  wireServerEnterprise:
+    enabled: false
 
 turnStatic:
   v1:

diff --git a/charts/cannon/templates/_helpers.tpl b/charts/cannon/templates/_helpers.tpl
@@ -23,3 +23,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "includeSecurityContext" -}}
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
+
+{{- define "useCassandraTLS" -}}
+{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- end -}}
+
+{{/* Return a Dict of TLS CA secret name and key
+This is used to switch between provided secret (e.g. by cert-manager) and
+created one (in case the CA is provided as PEM string.)
+*/}}
+{{- define "tlsSecretRef" -}}
+{{- if .cassandra.tlsCaSecretRef -}}
+{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "cannon-cassandra" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cannon/templates/cassandra-secret.yaml b/charts/cannon/templates/cassandra-secret.yaml
@@ -0,0 +1,15 @@
+{{/* Secret for the provided Cassandra TLS CA. */}}
+{{- if not (empty .Values.config.cassandra.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cannon-cassandra
+  labels:
+    app: cannon
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+{{- end }}
diff --git a/charts/cannon/templates/configmap.yaml b/charts/cannon/templates/configmap.yaml
@@ -20,6 +20,9 @@ data:
         host: {{ .config.cassandra.host }}
         port: 9042
       keyspace: gundeck
+      {{- if eq (include "useCassandraTLS" .config) "true" }}
+      tlsCa: /etc/wire/cannon/cassandra/{{- (include "tlsSecretRef" .config | fromYaml).key }}
+      {{- end }}
 
     {{- with .config.rabbitmq }}
     rabbitmq: