• update Cassandra role (#455)
• fix automated Ansible deployment (#468)

Fixes

• [Ansible] Prevent Minio installation from breaking when access or secret key contains $
• [CI] Ensure that the right version of wire-server is built into the air-gap bundle

Fixes

• update Cassandra role (#455)
• fix automated Ansible deployment (#468)

Features

• Airgap installer is available. See [./offline/docs.md] for rudimentary instructions. We will integrate this into https://docs.wire.com/ over time
• Switched to nix+direnv for installing all the required dependencies for wire-server-deploy. If you do not want to use these tools you can use the quay.io/wire/wire-server-deploy container image and mount wire-server-deploy into it.

Versions

• wire version 2.106.0 when using the offline installer. However airgap bundles for charts might be moved to wire-server repository in the future; to decouple wire-server releases from the base platform.
• kubespray 2.15.0 (kubernetes 1.19.7)
• ansible-restund v0.2.6 (restund version v0.4.16b1.0.53)
• ansible-minio v2.1.0
• ansible-cassandra version v0.1.3
• ansible-elasticsearch 6.6.0

Breaking changes

• Nix and direnv are used for installing all required tooling.

• charts have been moved to wire-server. Chart lifecycle is now tied to wire-server instead and is decoupled from the underlying platform. Charts in wire-server should be installed with helm 3.

• Our kubespray reference implementation has been bumped to kuberspray 2.15.0 and kubernetes 1.19.7. This allows us to use Kubespray's support for offline deployments and new Kubernetes API features.

  If you were using our reference playbooks for setting up kubernetes, there is no direct upgrade path. Instead you should set up a new cluster; migrate the deployments there, and then point to the new cluster. This is rather easy at the moment as we only run stateless services in Kubernetes at this point.

• Restund role was bumped and uses docker instead of rkt now. We advice bringing up a fresh restund server; so that rkt is not installed. See https://github.com/wireapp/ansible-restund/commit/4db0bc066ded89cf0ae061e3ccac59f3738b33d9

  If you want to re-use your existing server we recommend:

  1. ssh into your restund server.
  2. systemctl stop restund.service
  3. now outside again, run the restund.yml playbook.

• brig: Add setExpiredUserCleanupTimeout to configmap (#399) see also: https://github.com/wireapp/wire-server/pull/1264
• [helm] Remove duplicate fields from brig section in the example value files (#398)
• Add spar to the integration tests for brig (#397)

Update instructions

A new mandatory option has been introduced to brig and galley which in the future will be used for Wire federation. This domain name is not optional even if federation is not used.

Please update your values/wire-server/values.yaml to set brig.optSettings.setFederationDomain and galley.settings.federationDomain (Note the slightly different option name).

Because federation is not enabled yet the value of this option does not really matter at this point, but we advise you to set it to the base domain of your wire instalation.

NOTE: These changes apply to chart version 0.129.0 and later eventhough this release was made later than that 0.129.0 chart was published. We're sorry for the inconvenience.

Features

• A chart has been added for setting up a single-node conferencing server (Also known as SFT) (#382)

Update instructions

The redis chart that we updated to exposes the redis service as redis-ephemeral-master instead of redis-ephemeral.

You should update your values/wire-server/values.yaml to point gundeck to the new service name

       redis:
-        host: redis-ephemeral
+        host: redis-ephemeral-master

If a gundeck crashes whilst deploying this release, it might not be able to reconnect to redis until the release is fully rolled out. However this risk is small.

If you installed the wire/redis-ephemeral chart directly:

helm upgrade redis-ephemeral wire/redis-ephemeral -f <values>
helm upgrade wire-server wire/wire-server -f <values>

If you installed the wire/databases-ephemeral chart:

helm upgrade databases-ephemeral wire/databases-ephemeral -f <values>
helm upgrade wire-server wire/wire-server -f  <values>

Features

• The redis chart is now backed by https://github.com/bitnami/charts/tree/master/bitnami/redis
• Bump versions for webapp to latest production (#375, #386)
• Introduce helm chart for legalhold (#378)
• Add features endpoint to galley (#381)
• Add tracestate header to nginz logs (#376)
• Allow configuring customer extensions in brig (#279)
• Remove cookie domain configuration from brig (#239)

Bug fixes

• Fix invalid ObjectMeta in nginx-ingress-services chart (#385)
• Fix fake-aws chart on Helm 3 (#379)

Internal Changes

• New config parameters for federation (#384) NOTE: This is not used yet.
• Update to newer version of helm s3 plugin (#373)
• Pin image version in cassandra-migrations and demo-smtp charts (#374)
• Ansible: Allow custom log dir when pulling logs from an instance (#372)

Features

• ansible/requirements.yml: Bump SFT for new checksum format (#361)
• Create SFT servers in two groups (#356)
• Skip creating SFT monitoring certs if there are no SFT servers (#357)
• Delete the SFT SRV record after provsioning (#368)
• Update message stats dashboard (#208)

Bug fixes / work-arounds

• add support for cargohold s3Compatibility option (#364)

Documentation

• Comment on email visibility feature flag (#276)

Internal

• Better nix support (#362, #358, #367, #369)
• ansible/Makefile: Print errors correctly when ENV is not in order (#359)
• Makefile target to get logs (#355)
• Makefile target to decrypt sops containers (#354)
• [tf-module:push-notifications] Allow to define multiple apps per client platform (#347)

2020-10-06

Internal

• Ansible & Terraform for bootstrapping Kubernetes (#343)
• Ansible & Terraform SFT improvements (#344, #346, #348, #350)

Features

• Documentation: Add galley feature flags and default AWS region to example values files (#328, #335)
• Privacy: Add logrotation of 3 days to all pod logs (#329)
• Security: Update TLS config: Drop CBC cipher suites (#323, #324)

Bug Fixes

• fix sanitized_request parsing on nginx (#330)

Internal

• Add automation for deploying SFT servers (#337, #341, #322)
• Add account number to output of terraform gundeck module (#326)
• remove issuance of a default search domain via the AWS dhcp servers. breaks dns lookup inside of k8s. (#338)
• [terraform-module:cargohold] Replace subnet IDs input with route table IDs (#331)
• [terraform-module] Introduce network load balancer (#299)