
Commit 7a1e98f

Wiab staging improvements (#896)
* fix: WPB-24369 added a flag DEPLOY_CALLING_SERVICES to control the calling services and improved the flow based on cert-manager and calling services requirement * fix: WPB-24369 added documentation around managing staging.yml inventory, how to verify, download artifact, and documentation around cert-manager and calling components * docs: WPB-24369 changelog for the PR * fix: WPB-24369 instructions around verifying MTU management and calico kernel requirements * fix: WPB-24369 fix command to display the kube-system pods in offline-deploy.sh * Apply suggestions from code review Co-authored-by: Arthur Wolf <wolf.arthur@gmail.com> * fix: WPB-24369 fix logic for coturn values file changes --------- Co-authored-by: Arthur Wolf <wolf.arthur@gmail.com>
1 parent 6c525fc commit 7a1e98f

4 files changed

Lines changed: 203 additions & 51 deletions


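--- a/bin/helm-operations.sh
+++ b/bin/helm-operations.sh
@@ -11,6 +11,10 @@ CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}"
 # default is set to TRUE to deploy it unless changed
 DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER:-TRUE}"
 
+# DEPLOY_CALLING_SERVICES env variable is used to decide if sftd and coturn should get deployed
+# default is set to TRUE to deploy them unless changed
+DEPLOY_CALLING_SERVICES="${DEPLOY_CALLING_SERVICES:-TRUE}"
+
 # DUMP_LOGS_ON_FAIL to dump logs on failure
 # it is false by default
 DUMP_LOGS_ON_FAIL="${DUMP_LOGS_ON_FAIL:-FALSE}"
@@ -19,9 +23,7 @@ DUMP_LOGS_ON_FAIL="${DUMP_LOGS_ON_FAIL:-FALSE}"
 # assuming it to be the public address used by clients to reach public Address
 HOST_IP="${HOST_IP:-}"
 
-if [ -z "$HOST_IP" ]; then
-HOST_IP=$(wget -qO- https://api.ipify.org)
-fi
+CALLING_NODE=""
 
 function dump_debug_logs {
 local exit_code=$?
@@ -32,12 +34,28 @@ function dump_debug_logs {
 }
 trap dump_debug_logs ERR
 
-# picking a node for calling traffic (3rd kube worker node)
-CALLING_NODE=$(kubectl get nodes --no-headers | tail -n 1 | awk '{print $1}')
-if [[ -z "$CALLING_NODE" ]]; then
-echo "Error: could not determine the last kube worker node via kubectl"
-exit 1
-fi
+configure_calling_environment() {
+
+if [[ "$DEPLOY_CALLING_SERVICES" != "TRUE" ]]; then
+return 0
+fi
+
+if [[ -z "$HOST_IP" ]]; then
+HOST_IP=$(wget -qO- https://api.ipify.org)
+fi
+
+if [[ -z "$HOST_IP" ]]; then
+echo "Error: could not determine HOST_IP automatically"
+exit 1
+fi
+
+# picking a node for calling traffic (3rd kube worker node)
+CALLING_NODE=$(kubectl get nodes --no-headers | tail -n 1 | awk '{print $1}')
+if [[ -z "$CALLING_NODE" ]]; then
+echo "Error: could not determine the last kube worker node via kubectl"
+exit 1
+fi
+}
 
 sync_pg_secrets() {
 echo "Retrieving PostgreSQL password from databases-ephemeral for wire-server deployment..."
@@ -60,7 +78,15 @@ process_values() {
 
 ENV=$1
 TYPE=$2
-charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
+charts=(fake-aws demo-smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller)
+
+if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then
+charts+=(nginx-ingress-services cert-manager)
+fi
+
+if [[ "$DEPLOY_CALLING_SERVICES" == "TRUE" ]]; then
+charts+=(coturn sftd)
+fi
 
 if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then
 echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'"
@@ -92,41 +118,55 @@ configure_values() {
 TEMP_DIR=$(mktemp -d)
 trap 'rm -rf $TEMP_DIR' EXIT
 
-# to find IP address of calling NODE
-CALLING_NODE_IP=$(kubectl get node "$CALLING_NODE" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
-
 # Fixing the hosts with TARGET_SYSTEM and setting the turn server
 sed -e "s/example.com/$TARGET_SYSTEM/g" \
 "$BASE_DIR/values/wire-server/values.yaml" > "$TEMP_DIR/wire-server-values.yaml"
 
-# fixing the turnStatic values
-yq eval -i ".brig.turnStatic.v2 = [\"turn:$HOST_IP:3478\", \"turn:$HOST_IP:3478?transport=tcp\"]" "$TEMP_DIR/wire-server-values.yaml"
-
 # Fixing the hosts in webapp team-settings and account-pages charts
 for chart in webapp team-settings account-pages; do
 sed "s/example.com/$TARGET_SYSTEM/g" "$BASE_DIR/values/$chart/values.yaml" > "$TEMP_DIR/$chart-values.yaml"
 done
 
-# Setting certManager and DNS records
-sed -e 's/useCertManager: false/useCertManager: true/g' \
--e "/certmasterEmail:$/s/certmasterEmail:/certmasterEmail: $CERT_MASTER_EMAIL/" \
--e "s/example.com/$TARGET_SYSTEM/" \
-"$BASE_DIR/values/nginx-ingress-services/values.yaml" > "$TEMP_DIR/nginx-ingress-services-values.yaml"
+files=(wire-server-values.yaml webapp-values.yaml team-settings-values.yaml account-pages-values.yaml)
+
+if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then
+# Setting certManager and DNS records for Let's Encrypt based certificate management
+sed -e 's/useCertManager: false/useCertManager: true/g' \
+-e "/certmasterEmail:$/s/certmasterEmail:/certmasterEmail: $CERT_MASTER_EMAIL/" \
+-e "s/example.com/$TARGET_SYSTEM/" \
+"$BASE_DIR/values/nginx-ingress-services/values.yaml" > "$TEMP_DIR/nginx-ingress-services-values.yaml"
+
+files+=(nginx-ingress-services-values.yaml)
+fi
+
+if [[ "$DEPLOY_CALLING_SERVICES" == "TRUE" ]]; then
+# to find IP address of calling NODE
+CALLING_NODE_IP=$(kubectl get node "$CALLING_NODE" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
+
+# fixing the turnStatic values
+yq eval -i ".brig.turnStatic.v2 = [\"turn:$HOST_IP:3478\", \"turn:$HOST_IP:3478?transport=tcp\"]" "$TEMP_DIR/wire-server-values.yaml"
 
-# Fixing SFTD hosts and setting the cert-manager to http01
-sed -e "s/webapp.example.com/webapp.$TARGET_SYSTEM/" \
--e "s/sftd.example.com/sftd.$TARGET_SYSTEM/" \
--e 's/name: letsencrypt-prod/name: letsencrypt-http01/' \
-"$BASE_DIR/values/sftd/values.yaml" > "$TEMP_DIR/sftd-values.yaml"
+# Fix SFTD hostnames, and only enable Let's Encrypt specific issuer changes when cert-manager is enabled.
+sed -e "s/webapp.example.com/webapp.$TARGET_SYSTEM/" \
+-e "s/sftd.example.com/sftd.$TARGET_SYSTEM/" \
+"$BASE_DIR/values/sftd/values.yaml" > "$TEMP_DIR/sftd-values.yaml"
 
-# Setting coturn node IP values
-yq eval -i ".coturnTurnListenIP = \"$CALLING_NODE_IP\"" "$BASE_DIR/values/coturn/values.yaml"
-yq eval -i ".coturnTurnRelayIP = \"$CALLING_NODE_IP\"" "$BASE_DIR/values/coturn/values.yaml"
-yq eval -i ".coturnTurnExternalIP = \"$HOST_IP\"" "$BASE_DIR/values/coturn/values.yaml"
+cp "$BASE_DIR/values/coturn/values.yaml" "$TEMP_DIR/coturn-values.yaml"
+
+if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then
+yq eval -i '.tls.issuerRef.name = "letsencrypt-http01"' "$TEMP_DIR/sftd-values.yaml"
+fi
+
+# Setting coturn node IP values
+yq eval -i ".coturnTurnListenIP = \"$CALLING_NODE_IP\"" "$TEMP_DIR/coturn-values.yaml"
+yq eval -i ".coturnTurnRelayIP = \"$CALLING_NODE_IP\"" "$TEMP_DIR/coturn-values.yaml"
+yq eval -i ".coturnTurnExternalIP = \"$HOST_IP\"" "$TEMP_DIR/coturn-values.yaml"
+
+files+=(sftd-values.yaml coturn-values.yaml)
+fi
 
 # Compare and copy files if different
-for file in wire-server-values.yaml webapp-values.yaml team-settings-values.yaml account-pages-values.yaml \
-nginx-ingress-services-values.yaml sftd-values.yaml; do
+for file in "${files[@]}"; do
 if ! cmp -s "$TEMP_DIR/$file" "$BASE_DIR/values/${file%-values.yaml}/values.yaml"; then
 cp "$TEMP_DIR/$file" "$BASE_DIR/values/${file%-values.yaml}/values.yaml"
 echo "Updating $BASE_DIR/values/${file%-values.yaml}/values.yaml"
@@ -188,6 +228,11 @@ deploy_cert_manager() {
 
 deploy_calling_services() {
 
+if [[ "$DEPLOY_CALLING_SERVICES" != "TRUE" ]]; then
+echo "Skipping sftd and coturn deployment because DEPLOY_CALLING_SERVICES=$DEPLOY_CALLING_SERVICES"
+return 0
+fi
+
 echo "Deploying sftd and coturn"
 # select the node to deploy sftd
 kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite
@@ -202,6 +247,9 @@ deploy_calling_services() {
 
 main() {
 
+# initialize calling-service specific values only when enabled
+configure_calling_environment
+
 # Create prod-values.example.yaml to values.yaml and take backup
 process_values "prod" "values"
 # Create prod-secrets.example.yaml to secrets.yaml and take backup
@@ -228,7 +276,7 @@ if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then
 kubectl get certificate
 fi
 
-# deploying sft and coturn services
+# deploying sft and coturn services when enabled
 deploy_calling_services
 }
 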
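Review bot: configure_calling_environment (new lines 43–50 in the third hunk) accepts whatever https://api.ipify.org returns as HOST_IP after checking only that it is non-empty, and that value is later interpolated into the yq expressions in configure_values and into the wire.com/external-ip node annotation in deploy_calling_services. A proxy or captive portal on the deploy host can answer with an HTML body, which passes the emptiness check and lands in the generated values files, and nothing in the script would distinguish that from a real address. A format check right after the fetch keeps the failure local: `[[ "$HOST_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "Error: HOST_IP '$HOST_IP' is not an IPv4 address" >&2; exit 1; }`. The two error messages in this function also go to stdout; adding `>&2` would keep them out of any captured output.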
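--- a/bin/offline-deploy.sh
+++ b/bin/offline-deploy.sh
@@ -41,4 +41,7 @@ fi
 
 $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh
 
-sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" DEPLOY_CERT_MANAGER=TRUE DUMP_LOGS_ON_FAIL=TRUE ./bin/helm-operations.sh'
+# verify if all kube-system pods are running well
+sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER sh -c 'kubectl -n kube-system get pods'
+
+sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" DEPLOY_CERT_MANAGER=TRUE DUMP_LOGS_ON_FAIL=TRUE DEPLOY_CALLING_SERVICES=TRUE ./bin/helm-operations.sh'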
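Review bot: The comment on new line 44 says this step verifies that the kube-system pods are running, but `kubectl -n kube-system get pods` only prints them and its exit status does not reflect pod health, so a crash-looping pod will not stop the script before helm-operations.sh runs on new line 47. If the step is meant as a gate, `kubectl -n kube-system wait --for=condition=Ready pod --all --timeout=300s` fails when pods are not ready; if it is only for a human reading the log, reword the comment to `# print kube-system pods for manual inspection before deploying charts`. Both new docker run lines also leave `$PWD` unquoted in `-v $PWD:/wire-server-deploy`; `-v "$PWD:/wire-server-deploy"` is safer when the checkout path contains spaces.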
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
Added: documentation around managing staging.yml inventory, how to verify, download artifact, and documentation around cert-manager and calling components
2+
Added: a flag DEPLOY_CALLING_SERVICES to control the calling services and improved the flow based on cert-manager and calling services requirement
3+
Added: instructions around verifying MTU management and calico kernel requirements
