Merge branch 'wireapp:develop' into develop

CODEOWNERS

@@ -0,0 +1,3 @@
+*	@wireapp/backend
+/charts/	@wireapp/backend @wireapp/platform-engineering
+/changelog.d/	@wireapp/backend @wireapp/platform-engineering

changelog.d/0-release-notes/es6-os13-compatibility

@@ -0,0 +1,3 @@
+This release is compatible to ElasticSearch 6.8 and OpenSearch 1.3. It is meant
+as a migration release to switch to the newer OpenSearch 1.3 index search.
+Later releases may drop support of ElasticSearch 6.8.

changelog.d/3-bug-fixes/W-16210

@@ -0,0 +1 @@
+Allow transition of the domain redirect value to and from `no-registration` and `backend`.

changelog.d/3-bug-fixes/WPB-15480

@@ -0,0 +1 @@
+Fixed CVEs in sftd_disco image

changelog.d/5-internal/alpine-version

@@ -0,0 +1 @@
+Alpine version bump to v3.21.3 for cassandra-migrations and cannon helm charts

changelog.d/5-internal/os13-integration-tests

@@ -0,0 +1 @@
+OpenSearch 1.3 has been added to the local and CI integration test setup.

changelog.d/5-internal/update-fake-aws-sqs-elasticmq-native

@@ -0,0 +1 @@
+update fake-aws-sqs chart / elasticmq-native from v1.5.2 to v1.6.11

changelog.d/5-internal/update-kubectl-image-reaper-helm-chart

@@ -0,0 +1 @@
+reaper helm chart: bump bitnami/kubectl docker image from 1.24.12 to 1.32.2

charts/brig/templates/tests/configmap.yaml

@@ -89,3 +89,5 @@ data:
       federatorExternal:
         host: federator.{{ .Release.Namespace }}-fed2.svc.cluster.local
         port: 8081
+
+    additionalElasticSearch: https://{{ .Values.test.elasticsearch.additionalHost }}:9200

charts/brig/values.yaml

@@ -264,3 +264,7 @@ tests:
       hZMuK3BWD3fzkQVfW0yMwz6fWRXB483ZmekGkgndOTDoJQMdJXZxHpI3t2FcxQYj
       T45GXxRd18neXtuYa/OoAw9UQFDN5XfXN0g=
       -----END CERTIFICATE-----
+
+test:
+  elasticsearch:
+    additionalHost: elasticsearch-ephemeral

charts/cannon/templates/statefulset.yaml

@@ -141,7 +141,7 @@ spec:
 {{ toYaml .Values.resources | indent 12 }}
       initContainers:
       - name: cannon-configurator
-        image: alpine:3.18.2
+        image: alpine:3.21.3
         {{- if eq (include "includeSecurityContext" .) "true" }}
         securityContext:
           {{- toYaml .Values.podSecurityContext | nindent 10 }}

charts/cassandra-migrations/templates/migrate-schema.yaml

@@ -166,7 +166,7 @@ spec:
 
       containers:
         - name: job-done
-          image: alpine:3.18.2
+          image: alpine:3.21.3
         {{- if eq (include "includeSecurityContext" .) "true" }}
           securityContext:
             {{- toYaml .Values.podSecurityContext | nindent 12 }}

charts/fake-aws-sqs/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: softwaremill/elasticmq-native
-  tag: 1.5.2
+  tag: 1.6.11
 
 # TODO: in a wire-server chart, these queue names should match the ones defined in galley/brig/gundeck (i.e. only be defined once)
 queueNames:

charts/reaper/templates/deployment.yaml

@@ -29,7 +29,7 @@ spec:
               app: reaper
       containers:
       - name: reaper
-        image: bitnami/kubectl:1.24.12
+        image: bitnami/kubectl:1.32.2
         command: ["bash"]
         args:
         - -c

deploy/dockerephemeral/docker-compose.yaml

@@ -232,6 +232,51 @@ services:
     networks:
       - demo_wire
 
+  opensearch:
+    container_name: opensearch
+    image: opensearchproject/opensearch:1.3.20
+    ulimits:
+      nofile:
+        soft: 65536
+        hard: 65536
+    ports:
+      - "127.0.0.1:9201:9200"
+      - "127.0.0.1:9301:9300"
+    environment:
+      - "bootstrap.system_call_filter=false"
+      - "JVM_OPTIONS_ES=-Xmx512m -Xms512m"
+      - "discovery.type=single-node"
+
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=Ch4ng3m3Secr3t!"
+    volumes:
+      - ./docker/elasticsearch-cert.pem:/usr/share/opensearch/config/certs/tls.crt
+      - ./docker/elasticsearch-key.pem:/usr/share/opensearch/config/certs/tls.key
+      - ./docker/elasticsearch-ca.pem:/usr/share/opensearch/config/certs/ca.crt
+      - ./docker/opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
+      - ./docker/opensearch/opensearch-security/config.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
+      - ./docker/opensearch/opensearch-security/internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
+      - ./docker/opensearch/opensearch-security/roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
+      - ./docker/opensearch/opensearch-security/allowlist.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/allowlist.yml
+      - ./docker/opensearch/opensearch-security/roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
+      - ./docker/opensearch/opensearch-security/nodes_dn.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/nodes_dn.yml
+      - ./docker/opensearch/opensearch-security/action_groups.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
+      - ./docker/opensearch/opensearch-security/tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
+    networks:
+      - demo_wire
+
+  opensearch-dashboard:
+    image: opensearchproject/opensearch-dashboards:1
+    container_name: opensearch-dashboards
+    ports:
+      - 5601:5601
+    expose:
+      - "5601"
+    volumes:
+      - ./docker/opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+    networks:
+      - demo_wire
+
   cassandra:
     container_name: demo_wire_cassandra
     #image: cassandra:3.11.2

deploy/dockerephemeral/docker/opensearch/opensearch-security/action_groups.yml

@@ -0,0 +1,3 @@
+_meta:
+  type: "actiongroups"
+  config_version: 2

deploy/dockerephemeral/docker/opensearch/opensearch-security/allowlist.yml

@@ -0,0 +1,6 @@
+_meta:
+  type: "allowlist"
+  config_version: 2
+
+config:
+  enabled: false

deploy/dockerephemeral/docker/opensearch/opensearch-security/config.yml

@@ -0,0 +1,17 @@
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        description: "Authenticate using HTTP basic against the internal users database"
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: basic
+          challenge: true
+        authentication_backend:
+          type: internal

deploy/dockerephemeral/docker/opensearch/opensearch-security/internal_users.yml

@@ -0,0 +1,12 @@
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# User: elastic
+# Password: changeme
+elastic:
+  hash: "$2y$12$GRc68jkEX1m4uQpTVbwURu79xHxZ7vsbyEctOAADQwPjlhYS4LJVa"
+  reserved: true
+  description: "Wire User"
+  backend_roles:
+    - index_manager

deploy/dockerephemeral/docker/opensearch/opensearch-security/nodes_dn.yml

@@ -0,0 +1,3 @@
+_meta:
+  type: "nodesdn"
+  config_version: 2

deploy/dockerephemeral/docker/opensearch/opensearch-security/roles.yml

@@ -0,0 +1,3 @@
+_meta:
+  type: "roles"
+  config_version: 2

deploy/dockerephemeral/docker/opensearch/opensearch-security/roles_mapping.yml

@@ -0,0 +1,9 @@
+_meta:
+  type: "rolesmapping"
+  config_version: 2
+
+all_access:
+  reserved: false
+  backend_roles:
+    - index_manager
+  description: "Map index_manager to full_access"

deploy/dockerephemeral/docker/opensearch/opensearch-security/tenants.yml

@@ -0,0 +1,3 @@
+_meta:
+  type: "tenants"
+  config_version: 2

deploy/dockerephemeral/docker/opensearch/opensearch.yml

@@ -0,0 +1,45 @@
+cluster.name: opensearch-cluster
+
+# Bind to all interfaces because we don't know what IP address Docker will assign to us.
+network.host: 0.0.0.0
+
+# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
+discovery.type: single-node
+
+path.data: /usr/share/opensearch/data
+
+# WARNING: This is not a production-ready config! (Good enough for testing,
+# though.)
+plugins:
+  security:
+    ssl:
+      transport:
+          pemcert_filepath: certs/tls.crt
+          pemkey_filepath: certs/tls.key
+          pemtrustedcas_filepath: certs/ca.crt
+          enforce_hostname_verification: false
+      http:
+        enabled: true
+        pemcert_filepath: certs/tls.crt
+        pemkey_filepath: certs/tls.key
+        pemtrustedcas_filepath: certs/ca.crt
+    allow_unsafe_democertificates: true
+    allow_default_init_securityindex: true
+    audit.type: internal_opensearch
+    restapi:
+      roles_enabled: ["all_access", "security_rest_api_access"]
+    system_indices:
+      enabled: true
+      indices:
+        [
+          ".opendistro-alerting-config",
+          ".opendistro-alerting-alert*",
+          ".opendistro-anomaly-results*",
+          ".opendistro-anomaly-detector*",
+          ".opendistro-anomaly-checkpoints",
+          ".opendistro-anomaly-detection-state",
+          ".opendistro-reports-*",
+          ".opendistro-notifications-*",
+          ".opendistro-notebooks",
+          ".opendistro-asynchronous-search-response*",
+        ]

deploy/dockerephemeral/docker/opensearch/opensearch_dashboards.yml

@@ -0,0 +1,8 @@
+opensearch.hosts: [https://opensearch:9200]
+opensearch.ssl.verificationMode: none
+opensearch.username: elastic
+opensearch.password: changeme
+
+# Use this setting if you are running opensearch-dashboards without https
+opensearch_security.cookie.secure: false
+server.host: '0.0.0.0'

hack/bin/integration-setup-federation.sh

@@ -54,6 +54,7 @@ set +e
 # This exists because we need to run `helmfile` with `--skip-deps`, without that it doesn't work.
 helm repo add bedag https://bedag.github.io/helm-charts/
 helm repo add obeone https://charts.obeone.cloud
+helm repo add opensearch https://opensearch-project.github.io/helm-charts/
 
 helmfile --environment "$HELMFILE_ENV" --file "${TOP_LEVEL}/hack/helmfile.yaml" sync --skip-deps --concurrency 0
 EXIT_CODE=$?