Merge pull request #221 from wireapp/release_2020_04_15

wireapp · Apr 15, 2020 · f9ff602 · f9ff602
2 parents 6c2ed95 + f85bf78
commit f9ff602
Show file tree

Hide file tree

Showing 18 changed files with 220 additions and 124 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,30 @@
+# [ 2020-04-15 ]
+
+## Release Notes
+
+- This version adds a new migration to the elasticsearch index, it will go through all users in
+  cassandra and (re-)create all users in elasticsearch. So, it could take a long time to finish 
+  depending on the number of users in the system.
+
+## Features
+
+- Use brig-index to create index in ES (#189)
+- Allow docker registry to run with custom host and port (023eb5e)
+- Verify proper NTP installation on Cassandra hosts (#199, c1acc03)
+- Pin openjdk 8 (#211)
+- Add brig index migrations (#212)
+- Bump external role ansible-helm to support installing newer versions of Helm (c86c36f)
+- Add ES, restund_network_interface and http_proxy settings to terraform inventory template (#216)
+- Add important envVars for team-settings and account-pages in example values (#215)
+- Add comment about configuring maxScimTokens setting (#214)
+- Lock ES version in ES ansible (#219)
+- Add comment about restund_network_interface in example hosts.ini (#219)
+- Allow network interfaces being unset in inventory for nodes hosting backing services (#213)
+
+## Bug fixes
+
+- Fix incorrect bash used in docker-registry (cb73c38)
+
 # 2020-03-25
 
 ## Features

diff --git a/ansible/cassandra-verify-ntp.yml b/ansible/cassandra-verify-ntp.yml
@@ -0,0 +1,12 @@
+#
+# This playbook helps you check if ntp has been properly setup on the host that Cassandra
+# is running on. Verifies that the daemon is running and that there is no more than
+# `allowed_time_diff_between_servers_in_ms` diff between all servers
+#
+# NOTE: This playbook has been tested on Ubuntu and using ansible2.7
+# TODO: Adjust this to be run on _ALL_ hosts in the inventory
+#
+- hosts: cassandra
+  any_errors_fatal: true
+  roles:
+    - role: ansible-ntp-verify
diff --git a/ansible/cassandra.yml b/ansible/cassandra.yml
@@ -6,6 +6,9 @@
       - galley
       - gundeck
       - spar
+    # cassandra 3.11 doesn't support java 11 yet, use openjdk-8.
+    java_packages:
+      - openjdk-8-jdk
   roles:
     - role: hostname
       tags:
@@ -22,6 +25,10 @@
     - role: ansible-cassandra
       tags:
         - cassandra
+
+    - role: ansible-ntp-verify
+      tags:
+        - ntp
   tasks:
     # these are optional debug tasks to see that the cluser has come up sucessfully
     - shell: nodetool status

diff --git a/ansible/elasticsearch.yml b/ansible/elasticsearch.yml
@@ -6,6 +6,10 @@
     # comment that line when deploying on machines with >= 4GB memory.
     es_heap_size: "1g"
 
+    # Put a hold on the ES package.
+    # Updating ES to a different version than 6.6 currently breaks its integration with Wire.
+    es_version_lock: true
+
     es_enable_xpack: false
     es_xpack_features: [] # disable features
     es_instance_name: "{{ ansible_hostname }}"
@@ -29,7 +33,7 @@
       bind_host:
         - "_{{ es_network_interface }}_"
         - "_local_"
-    es_masters: '{% for host in groups["elasticsearch_master"] %}{{ hostvars[host]["ansible_" + elasticsearch_network_interface]["ipv4"]["address"] }}:9300{% if not loop.last %},{% endif %}{% endfor %}'
+    es_masters: '{% for host in groups["elasticsearch_master"] %}{{ hostvars[host]["ansible_" + es_network_interface]["ipv4"]["address"] }}:9300{% if not loop.last %},{% endif %}{% endfor %}'
     es_config:
       cluster.name: "elasticsearch-directory"
       http.port: "{{ es_api_port }}" # 9200 by default

diff --git a/ansible/files/registry/mk-sub-certificate b/ansible/files/registry/mk-sub-certificate
@@ -9,8 +9,8 @@ CERT_DIR="${SCRIPT_DIR}/certs"
 mkdir -p "$CERT_DIR"
 
 
-CA_cert=${2:?wire.com.crt}
-CA_key=${2:?private.pem}
+CA_cert=${2:-"wire.com.crt"}
+CA_key=${3:-"private.pem"}
 
 cd "$CERT_DIR" || exit
 

diff --git a/ansible/files/registry/registry-run.sh b/ansible/files/registry/registry-run.sh
@@ -1,13 +1,16 @@
 #!/usr/bin/env bash
 
+IP=${1:-"0.0.0.0"}
+PORT=${2:-"5001"}
+
 docker run \
   -d \
   --network=host \
   --restart=always \
   --name registry \
   -v $(pwd)/../../mnt/registry:/var/lib/registry \
   -v "$(pwd)/certs:/certs" \
-  -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 \
+  -e REGISTRY_HTTP_ADDR=${IP}:${PORT} \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/client.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/client.key \
   registry:2
diff --git a/ansible/helm_external.yml b/ansible/helm_external.yml
@@ -2,8 +2,6 @@
 # that these databases listen on. These files are used as overrides with the
 # <database>-external helm charts (e.g. cassandra-external).
 #
-# Prerequisite: the '<database>_network_interface' must be defined.
-#
 # After any change to IPs/servers:
 # 1. run this playbook:
 #      poetry run ansible-playbook -i hosts.ini helm_external.yml -vv --diff
@@ -24,25 +22,25 @@
       vars:
         external_dir_name: elasticsearch-external
         server_type: elasticsearch
-        network_interface: "{{ elasticsearch_network_interface }}"
+        network_interface: "{{ elasticsearch_network_interface | default('') }}"
 
     - name: Generate minio IPs for helm
       include_tasks: tasks/helm_external.yml
       vars:
         external_dir_name: minio-external
         server_type: minio
-        network_interface: "{{ minio_network_interface }}"
+        network_interface: "{{ minio_network_interface | default('') }}"
 
     - name: Generate cassandra IPs for helm
       include_tasks: tasks/helm_external.yml
       vars:
         external_dir_name: cassandra-external
         server_type: cassandra
-        network_interface: "{{ cassandra_network_interface }}"
+        network_interface: "{{ cassandra_network_interface | default('') }}"
 
     - name: Generate redis IPs for helm
       include_tasks: tasks/helm_external.yml
       vars:
         external_dir_name: redis-external
         server_type: redis
-        network_interface: "{{ redis_network_interface }}"
+        network_interface: "{{ redis_network_interface | default('') }}"
diff --git a/ansible/hosts.example.ini b/ansible/hosts.example.ini
@@ -131,6 +131,9 @@ is_aws_environment = False
 ## Set this to a name of a network interface (e.g. 'eth0'), on which you wish minio processes to talk to each other.
 # minio_network_interface = "ens123"
 
+### RESTUND section ###
+# restund_network_interface = "..."
+
 ### KUBERNETES section (see kubespray documentation for details) ###
 
 bootstrap_os = ubuntu

diff --git a/ansible/requirements.yml b/ansible/requirements.yml
@@ -50,8 +50,12 @@
 
 - src: https://github.com/andrewrothstein/ansible-kubernetes-helm.git
   name: ansible-helm
-  version: 33978bc2e486f087066acc737d4468f1fa1c5883 # 2019-05-17
+  version: "v1.3.7" # 2020-04-02
 
 - src: https://github.com/cchurch/ansible-role-admin-users.git
   name: admin_users
   version: "0.7.2"
+
+- src: git+https://github.com/wireapp/ansible-ntp-verify.git
+  name: ansible-ntp-verify
+  version: v0.0.1
diff --git a/ansible/templates/helm_external.yaml.j2 b/ansible/templates/helm_external.yaml.j2
@@ -1,4 +1,4 @@
 IPs:
 {% for host in groups[server_type] %}
-  - {{ hostvars[host]["ansible_" + network_interface]["ipv4"]["address"] }}
+  - {{ hostvars[host]["ansible_" + (network_interface | default(hostvars[host].ansible_default_ipv4.interface, true)) ]["ipv4"]["address"] }}
 {% endfor %}
diff --git a/bin/set-wire-server-image-version.sh b/bin/set-wire-server-image-version.sh
@@ -3,7 +3,7 @@
 USAGE="$0 <target-backend-version>"
 target_version=${1?$USAGE}
 
-charts=(brig cannon galley gundeck spar cargohold proxy cassandra-migrations backoffice)
+charts=(brig cannon galley gundeck spar cargohold proxy cassandra-migrations backoffice elasticsearch-index)
 
 for chart in "${charts[@]}"; do
     sed -i "s/  tag: .*/  tag: $target_version/g" "charts/$chart/values.yaml"

diff --git a/charts/elasticsearch-index/templates/configmap.yaml b/charts/elasticsearch-index/templates/configmap.yaml
diff --git a/charts/elasticsearch-index/templates/create-index.yaml b/charts/elasticsearch-index/templates/create-index.yaml
@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: elasticsearch-index-create
+  labels:
+    wireService: elasticsearch-index-create
+    app: elasticsearch-index-create
+    heritage: {{.Release.Service | quote }}
+    release: {{.Release.Name | quote }}
+    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  template:
+    metadata:
+      name: "{{.Release.Name}}"
+      labels:
+        wireService: elasticsearch-index-create
+        app: elasticsearch-index-create
+        heritage: {{.Release.Service | quote }}
+        release: {{.Release.Name | quote }}
+        chart: "{{.Chart.Name}}-{{.Chart.Version}}"
+    spec:
+      restartPolicy: OnFailure
+      initContainers:
+        # Creates index in elasticsearch only when it doesn't exist.
+        # Does nothing if the index exists.
+        - name: brig-index-create
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          args:
+            - create
+            - --elasticsearch-server
+            - "http://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}"
+            - --elasticsearch-index
+            - "{{ .Values.elasticsearch.index }}"
+            - --elasticsearch-shards=5
+            - --elasticsearch-replicas=2
+            - --elasticsearch-refresh-interval=5
+      containers:
+        - name: brig-index-update-mapping
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          args:
+            - update-mapping
+            - --elasticsearch-server
+            - "http://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}"
+            - --elasticsearch-index
+            - "{{ .Values.elasticsearch.index }}"
diff --git a/charts/elasticsearch-index/templates/job.yaml b/charts/elasticsearch-index/templates/job.yaml
diff --git a/charts/elasticsearch-index/templates/migrate-data.yaml b/charts/elasticsearch-index/templates/migrate-data.yaml
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: brig-index-migrate-data
+  labels:
+    wireService: elasticsearch-index-migrate-data
+    app: elasticsearch-index-migrate-data
+    heritage: {{.Release.Service | quote }}
+    release: {{.Release.Name | quote }}
+    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  template:
+    metadata:
+      name: "{{.Release.Name}}"
+      labels:
+        wireService: elasticsearch-index-migrate-data
+        app: elasticsearch-index-migrate-data
+        heritage: {{.Release.Service | quote }}
+        release: {{.Release.Name | quote }}
+        chart: "{{.Chart.Name}}-{{.Chart.Version}}"
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        # Creates index in elasticsearch only when it doesn't exist.
+        # Does nothing if the index exists.
+        - name: brig-index
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          args:
+            - migrate-data
+            - --elasticsearch-server
+            - "http://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}"
+            - --elasticsearch-index
+            - "{{ .Values.elasticsearch.index }}"
+            - --cassandra-host
+            - "{{ required "missing elasticsearch-index.cassandra.host!" .Values.cassandra.host }}"
+            - --cassandra-port
+            - "{{ required "missing elasticsearch-index.cassandra.port!" .Values.cassandra.port }}"
+            - --cassandra-keyspace
+            - "{{ required "missing elasticsearch-index.cassandra.keyspace!" .Values.cassandra.keyspace }}"