Merge pull request #345 from wireapp/release_2020_09_28

CHANGELOG.md

@@ -1,4 +1,21 @@
-# 2020-07-39
+# 2020-09-28
+
+## Features
+* Documentation: Add galley feature flags and default AWS region to example values files (#328, #335)
+* Privacy: Add logrotation of 3 days to all pod logs (#329)
+* Security: Update TLS config: Drop CBC cipher suites (#323, #324)
+
+## Bug Fixes
+* fix sanitized_request parsing on nginx (#330)
+
+## Internal
+* Add automation for deploying SFT servers (#337, #341, #322)
+* Add account number to output of terraform gundeck module (#326)
+* remove issuance of a default search domain via the AWS dhcp servers. breaks dns lookup inside of k8s. (#338)
+* [terraform-module:cargohold] Replace subnet IDs input with route table IDs (#331)
+* [terraform-module] Introduce network load balancer (#299)
+
+# 2020-07-29
 
 ## Features
 

ansible/Makefile

@@ -1,3 +1,7 @@
+ANSIBLE_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+# Please ignore this if you're not a wire employee
+CAILLEACH_DIR:=$(abspath ${ANSIBLE_DIR}/../../cailleach)
+SHELL:=/usr/bin/env bash -eo pipefail
 
 default: download
 
@@ -21,3 +25,38 @@ download-ansible-roles:
 .PHONY: download-ansible-roles-force
 download-ansible-roles-force:
 	poetry run ansible-galaxy install -r requirements.yml --force
+
+.PHONY: provision-sft
+provision-sft: check-env
+	poetry run ansible-playbook ${ANSIBLE_DIR}/provision-sft.yml  \
+		-i ${ENV_DIR}/gen/terraform-inventory.yml \
+		-i ${ENV_DIR}/inventory.yml \
+		--private-key ${ENV_DIR}/operator-ssh.dec \
+		-vv
+
+.PHONY: bootstrap
+bootstrap: check-env
+	poetry run ansible-playbook ${ANSIBLE_DIR}/bootstrap.yml \
+		-i ${ENV_DIR}/gen/terraform-inventory.yml \
+		-i ${ENV_DIR}/inventory.yml \
+		--private-key ${ENV_DIR}/operator-ssh.dec \
+		-vv
+
+.PHONY: check-env
+check-env:
+ifndef ENV_DIR
+ifndef ENV
+	$(error please define either ENV or ENV_DIR)
+else
+ENV_DIR=${CAILLEACH_DIR}/environments/${ENV}
+endif
+endif
+ifeq ("$(wildcard ${ENV_DIR}/inventory.yml)", "")
+	$(error please make sure ${ENV_DIR}/inventory.yml exists)
+endif
+ifeq ("$(wildcard ${ENV_DIR}/gen/terraform-inventory.yml)", "")
+	$(error please make you have applied terraform for ${ENV_DIR})
+endif
+ifeq ("$(wildcard ${ENV_DIR}/operator-ssh.dec)", "")
+	$(error please make sure ${ENV_DIR}/operator-ssh.dec exists and contains the private key to ssh into servers)
+endif

ansible/README.md

@@ -3,3 +3,28 @@
 In a production environment, some parts of the wire-server infrastructure (such as e.g. cassandra databases) are best configured outside kubernetes. Additionally, kubernetes can be rapidly set up with a project called kubespray, via ansible.
 
 This directory hosts a range of ansible playbooks to install kubernetes and databases necessary for wire-server. For documentation on usage, please refer to the [Administrator's Guide](https://docs.wire.com), notably the production installation.
+
+
+## Bootrap environment created by `terraform/environment`
+
+An 'environment' is supposed to represent all the setup required for the Wire
+backend to function.
+
+'Bootstrapping' an environment means running a range of idempotent ansible
+playbooks against servers specified in an inventory, resulting in a fully
+functional environment. This action can be re-run as often as you want (e.g. in
+case you change some variables or upgrade to new versions).
+
+To start with, the environment only has SFT servers; but more will be added here
+soon.
+
+1. Please ensure `ENV_DIR` or `ENV` are exported as specified in the [docs in
+   the terraform folder](../terraform/README.md)
+1. Ensure `$ENV_DIR/operator-ssh.dec` exists and contains an ssh key for the
+   environment.
+1. Ensure that `make apply` has been run for the environment. Please refer to
+   the [docs in the terraform folder](../terraform/README.md) for details about
+   how to run this.
+1. Ensure all required variables are set in `$ENV_DIR/inventory.yml`
+1. Running `make bootstrap` from this directory will bootstrap the
+   environment.

ansible/ansible.cfg

@@ -4,7 +4,7 @@ control_path           = /tmp/ansible-%%r@%%h:%%p
 
 [defaults]
 retry_files_enabled     = False
-roles_path              = ./roles-external:./roles
+roles_path              = ./roles-external:./roles:./roles-external/sft/roles
 
 gathering               = smart
 

ansible/bootstrap.yml

@@ -0,0 +1 @@
+- import_playbook: ./provision-sft.yml

ansible/kubernetes.yml

@@ -7,3 +7,5 @@
   environment: "{{ proxy_env | default({}) }}"
   roles:
     - etcd-helpers
+
+- import_playbook: kubernetes_logging.yml

ansible/kubernetes_logging.yml

@@ -0,0 +1,23 @@
+- hosts: k8s-cluster
+  environment: "{{ proxy_env | default({}) }}"
+  roles:
+    - role: logrotate
+      logrotate_scripts:
+        # The following will rotate pod logs once per day to keep no more than
+        # 3 days (maxage 1, rotate 2) of logs for data minimization/protection
+        # reasons.
+        #
+        # NOTE for wire-server-deploy maintainers: if you change the following
+        # options, ensure to also keep the documentation up-to-date, see the
+        # documentation introduced in
+        # https://github.com/wireapp/wire-docs/pull/79
+        - name: podlogs
+          path: "/var/lib/docker/containers/*/*.log"
+          options:
+            - daily
+            - missingok
+            - rotate 2
+            - maxage 1
+            - copytruncate
+            - nocreate
+            - nocompress