wire-server-enterprise as a service (wireapp#4357)

* services/wire-server-enterprise: Introduce

* GHA: Use special token to checkout so private submodules can be pulled

* services/wire-server-enterprise: Use https URL for submodule

* cabal.project: Add wire-server-enterprise service

* Update wire-server-enterprise submodule

* Add internal endpoint for enterprise

It defines only /status.

* Follow feature branch

* docs: Describe the Git repo URL rewriting hack

* Add `wire-server-enterprise` to `integration`

No tests so far, however we can start the service this way (`make cr`.)

* Add changelog entry

This should be improved / added to while we grow this feature.

* Use latest version of actions/checkout

We use this to clone wire-server for checking docs.

* CI: Try different auth token

Debugging...

* Hi CI

* Hi CI

* Upgrade wire-server-enterprise

* Install wire-server-enterprise for integration tests

This may not work due to missing registry pull secrets. We'll see...

* Provide wire-server-enterprise config to integration

* Set image chart version for wire-server-enterprise

* Take image pull secret from env variable

Secrets won't work as they are scoped to the namespace.

* Document usage of ENTERPRISE_IMAGE_PULL_SECRET

* `integration` needs service binary

* Mention that wire-server-enterprise is required to build wire-server

* Let submodule point to main

Feature branch has been merged.

* More changelog

---------

Co-authored-by: Matthias Fischmann <[email protected]>

.github/workflows/ci.yml

@@ -11,9 +11,10 @@ jobs:
       id-token: write
       contents: read
     steps:
-     - uses: actions/checkout@v2
+     - uses: actions/checkout@v4
        with:
          submodules: true
+         token: '${{ secrets.GH_DOCS_WORKFLOW }}'
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:

.gitmodules

@@ -1,3 +1,7 @@
 [submodule "libs/wire-message-proto-lens/generic-message-proto"]
 	path = libs/wire-message-proto-lens/generic-message-proto
 	url = https://github.com/wireapp/generic-message-proto
+[submodule "services/wire-server-enterprise"]
+	path = services/wire-server-enterprise
+	url = https://github.com/wireapp/wire-server-enterprise
+	branch = main

cabal.project

@@ -40,6 +40,7 @@ packages:
   , services/galley/
   , services/gundeck/
   , services/proxy/
+  , services/wire-server-enterprise
   , services/spar/
   , tools/db/assets/
   , tools/db/auto-whitelist/

changelog.d/0-release-notes/enterprise

@@ -0,0 +1,8 @@
+This release contains a new Git submodule: `wire-server-enterprise`. This module
+represents a service which contains all non-open-source features. Wire can still
+be deployed and run without this service. Building it without
+`wire-server-enterprise` is currently not documented, but Wire will keep providing the artefacts.
+
+The service can be deployed with a dedicated Helm chart
+(`charts/wire-server-enterprise`.) The required service image is not freely
+available (the registry is password protected.)

charts/integration/templates/configmap.yaml

@@ -61,6 +61,10 @@ data:
       host: stern.{{ .Release.Namespace }}.svc.cluster.local
       port: 8080
 
+    wireServerEnterprise:
+      host: wireServerEnterprise.{{ .Release.Namespace }}.svc.cluster.local
+      port: 8080
+
     originDomain: federation-test-helper.{{ .Release.Namespace }}.svc.cluster.local
 
     rabbitmq:
@@ -117,6 +121,10 @@ data:
         host: stern.{{ .Release.Namespace }}-fed2.svc.cluster.local
         port: 8080
 
+      wireServerEnterprise:
+        host: wireServerEnterprise.{{ .Release.Namespace }}-fed2.svc.cluster.local
+        port: 8080
+
       originDomain: federation-test-helper.{{ .Release.Namespace }}-fed2.svc.cluster.local
 
     dynamicBackends:
@@ -176,6 +184,9 @@ data:
       stern:
         host: stern.wire-federation-v0.svc.cluster.local
         port: 8080
+      wireServerEnterprise:
+        host: wireServerEnterprise.wire-federation-v0.svc.cluster.local
+        port: 8080
 
     federation-v1:
       originDomain: federation-test-helper.wire-federation-v1.svc.cluster.local
@@ -215,5 +226,8 @@ data:
       stern:
         host: stern.wire-federation-v1.svc.cluster.local
         port: 8080
+      wireServerEnterprise:
+        host: wireServerEnterprise.wire-federation-v1.svc.cluster.local
+        port: 8080
 
     integrationTestHostName: integration-headless.{{ .Release.Namespace }}.svc.cluster.local

charts/integration/templates/integration-integration.yaml

@@ -93,6 +93,11 @@ spec:
       secret:
         secretName: {{ include "cassandraTlsSecretName" .Values.config }}
     {{- end }}
+
+    - name: wire-server-enterprise-config
+      configMap:
+        name: wire-server-enterprise
+
   restartPolicy: Never
 
   initContainers:
@@ -284,6 +289,9 @@ spec:
       mountPath: "/etc/wire/spar/cassandra"
     {{- end }}
 
+    - name: wire-server-enterprise-config
+      mountPath: /etc/wire/wire-server-enterprise/conf
+
     env:
     # these dummy values are necessary for Amazonka's "Discover"
     - name: AWS_ACCESS_KEY_ID

docs/src/developer/developer/how-to.md

@@ -135,9 +135,13 @@ Start by deploying a published release (see 2.1 or 2.2).
 ```
 export NAMESPACE=$USER
 export DOCKER_TAG=2.116.32
+export ENTERPRISE_IMAGE_PULL_SECRET=... # .dockerconfigjson of wire+wire_server_enterprise quay.io robot
 make kube-integration-setup
 ```
 
+(You may consider to export `ENTERPRISE_IMAGE_PULL_SECRET` in `.envrc.local` as
+well.)
+
 Then build and push the `brig` image by running
 
 ```
@@ -211,3 +215,22 @@ Note: Simply deleting the namespaces is insufficient, because it leaves some res
 We support two different ways of managing the docker-compose instance of rabbitmq:
 * A web console interface is available [here](http://localhost:15672)
 * `rabbitmqadmin` CLI is made available in the dev environment
+
+## Avoid Github HTTPS authentication for wire-server-enterprise
+
+Having to provide HTTPS authentication credentials is annoying. Unfortunately,
+we have to use HTTPS Git repository URLs for submodules, because some
+Concourse tasks require them (cannot clone with SSH.)
+
+A hacky workaround is to rewrite the URLs in the `~/.gitconfig`:
+
+```
+git config --global url."[email protected]:".insteadOf "https://github.com/"
+```
+
+This leads to such entry:
+
+```
+[url "[email protected]:"]
+        insteadOf = https://github.com/
+```

hack/bin/set-wire-server-image-version.sh

@@ -6,7 +6,7 @@ target_version=${1?$USAGE}
 TOP_LEVEL="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../.." && pwd )"
 CHARTS_DIR="$TOP_LEVEL/.local/charts"
 
-charts=(brig cannon galley gundeck spar cargohold proxy cassandra-migrations elasticsearch-index federator backoffice background-worker integration)
+charts=(brig cannon galley gundeck spar cargohold proxy cassandra-migrations elasticsearch-index federator backoffice background-worker integration wire-server-enterprise)
 
 for chart in "${charts[@]}"; do
     sed -i "s/^  tag: .*/  tag: $target_version/g" "$CHARTS_DIR/$chart/values.yaml"

hack/helmfile.yaml

@@ -247,3 +247,17 @@ releases:
         value: {{ .Values.federationDomain2 }}
     needs:
       - 'databases-ephemeral'
+
+  - name: wire-server-enterprise
+    namespace: '{{ .Values.namespace1 }}'
+    chart: '../.local/charts/wire-server-enterprise'
+    values:
+      - secrets:
+          configJson: {{ requiredEnv "ENTERPRISE_IMAGE_PULL_SECRET" }}
+
+  - name: wire-server-enterprise
+    namespace: '{{ .Values.namespace2 }}'
+    chart: '../.local/charts/wire-server-enterprise'
+    values:
+      - secrets:
+          configJson: {{ requiredEnv "ENTERPRISE_IMAGE_PULL_SECRET" }}

integration/test/Testlib/Env.hs

@@ -39,6 +39,7 @@ serviceHostPort m Spar = m.spar
 serviceHostPort m BackgroundWorker = m.backgroundWorker
 serviceHostPort m Stern = m.stern
 serviceHostPort m FederatorInternal = m.federatorInternal
+serviceHostPort m WireServerEnterprise = m.wireServerEnterprise
 
 mkGlobalEnv :: FilePath -> Codensity IO GlobalEnv
 mkGlobalEnv cfgFile = do

integration/test/Testlib/Ports.hs

@@ -23,6 +23,7 @@ port (ServiceInternal Gundeck) bn = mkPort 8086 bn
 port (ServiceInternal Nginz) bn = mkPort 8080 bn
 port (ServiceInternal Spar) bn = mkPort 8088 bn
 port (ServiceInternal Stern) bn = mkPort 8091 bn
+port (ServiceInternal WireServerEnterprise) bn = mkPort 8079 bn
 
 portForDyn :: (Num a) => PortNamespace -> Int -> a
 portForDyn ns i = port ns (DynamicBackend i)

integration/test/Testlib/ResourcePool.hs

@@ -48,7 +48,8 @@ resourceServiceMap resource =
           spar = g Spar,
           -- FUTUREWORK: Set to g Proxy, when we add Proxy to spawned services
           proxy = HostPort "127.0.0.1" 9087,
-          stern = g Stern
+          stern = g Stern,
+          wireServerEnterprise = g WireServerEnterprise
         }
 
 acquireResources :: forall m a. (Ord a, MonadIO m, MonadMask m, HasCallStack) => Int -> ResourcePool a -> Codensity m [a]

integration/test/Testlib/Types.hs

@@ -156,7 +156,8 @@ data ServiceMap = ServiceMap
     nginz :: HostPort,
     spar :: HostPort,
     proxy :: HostPort,
-    stern :: HostPort
+    stern :: HostPort,
+    wireServerEnterprise :: HostPort
   }
   deriving (Show, Generic)
 
@@ -443,7 +444,8 @@ data ServiceOverrides = ServiceOverrides
     sparCfg :: Value -> App Value,
     backgroundWorkerCfg :: Value -> App Value,
     sternCfg :: Value -> App Value,
-    federatorInternalCfg :: Value -> App Value
+    federatorInternalCfg :: Value -> App Value,
+    wireServerEnterpriseCfg :: Value -> App Value
   }
 
 instance Default ServiceOverrides where
@@ -461,7 +463,8 @@ instance Semigroup ServiceOverrides where
         sparCfg = sparCfg a >=> sparCfg b,
         backgroundWorkerCfg = backgroundWorkerCfg a >=> backgroundWorkerCfg b,
         sternCfg = sternCfg a >=> sternCfg b,
-        federatorInternalCfg = federatorInternalCfg a >=> federatorInternalCfg b
+        federatorInternalCfg = federatorInternalCfg a >=> federatorInternalCfg b,
+        wireServerEnterpriseCfg = wireServerEnterpriseCfg a >=> wireServerEnterpriseCfg b
       }
 
 instance Monoid ServiceOverrides where
@@ -479,7 +482,8 @@ defaultServiceOverrides =
       sparCfg = pure,
       backgroundWorkerCfg = pure,
       sternCfg = pure,
-      federatorInternalCfg = pure
+      federatorInternalCfg = pure,
+      wireServerEnterpriseCfg = pure
     }
 
 lookupConfigOverride :: ServiceOverrides -> Service -> (Value -> App Value)
@@ -494,6 +498,7 @@ lookupConfigOverride overrides = \case
   BackgroundWorker -> overrides.backgroundWorkerCfg
   Stern -> overrides.sternCfg
   FederatorInternal -> overrides.federatorInternalCfg
+  WireServerEnterprise -> overrides.wireServerEnterpriseCfg
 
 data Service
   = Brig
@@ -506,6 +511,7 @@ data Service
   | BackgroundWorker
   | Stern
   | FederatorInternal
+  | WireServerEnterprise
   deriving
     ( Show,
       Eq,
@@ -526,6 +532,7 @@ serviceName = \case
   BackgroundWorker -> "backgroundWorker"
   Stern -> "stern"
   FederatorInternal -> "federator"
+  WireServerEnterprise -> "wireServerEnterprise"
 
 -- | Converts the service name to kebab-case.
 configName :: Service -> String
@@ -540,6 +547,7 @@ configName = \case
   BackgroundWorker -> "background-worker"
   Stern -> "stern"
   FederatorInternal -> "federator"
+  WireServerEnterprise -> "wire-server-enterprise"
 
 data BackendName
   = BackendA

libs/wire-api/src/Wire/API/Routes/Internal/Enterprise.hs

@@ -0,0 +1,13 @@
+module Wire.API.Routes.Internal.Enterprise where
+
+import Servant
+import Wire.API.Routes.MultiVerb
+import Wire.API.Routes.Named
+
+type InternalAPI = "i" :> InternalAPIBase
+
+type InternalAPIBase =
+  Named
+    "status"
+    ( "status" :> MultiVerb 'GET '[JSON] '[RespondEmpty 200 "OK"] ()
+    )

libs/wire-api/wire-api.cabal

@@ -167,6 +167,7 @@ library
     Wire.API.Routes.Internal.Brig.SearchIndex
     Wire.API.Routes.Internal.Cannon
     Wire.API.Routes.Internal.Cargohold
+    Wire.API.Routes.Internal.Enterprise
     Wire.API.Routes.Internal.Galley
     Wire.API.Routes.Internal.Galley.ConversationsIntra
     Wire.API.Routes.Internal.Galley.TeamFeatureNoConfigMulti

nix/local-haskell-packages.nix

@@ -42,6 +42,7 @@
   gundeck = hself.callPackage ../services/gundeck/default.nix { inherit gitignoreSource; };
   proxy = hself.callPackage ../services/proxy/default.nix { inherit gitignoreSource; };
   spar = hself.callPackage ../services/spar/default.nix { inherit gitignoreSource; };
+  wire-server-enterprise = hself.callPackage ../services/wire-server-enterprise/default.nix { inherit gitignoreSource; };
   assets = hself.callPackage ../tools/db/assets/default.nix { inherit gitignoreSource; };
   auto-whitelist = hself.callPackage ../tools/db/auto-whitelist/default.nix { inherit gitignoreSource; };
   find-undead = hself.callPackage ../tools/db/find-undead/default.nix { inherit gitignoreSource; };

nix/wire-server.nix

@@ -87,6 +87,7 @@ let
     rabbitmq-consumer = [ "rabbitmq-consumer" ];
     test-stats = [ "test-stats" ];
     team-info = [ "team-info" ];
+    wire-server-enterprise = [ "wire-server-enterprise" ];
   };
 
   inherit (lib) attrsets;
@@ -290,6 +291,7 @@ let
       stern
       brig-templates
       background-worker
+      wire-server-enterprise
       pkgs.nginz
       pkgs.mls-test-cli
       pkgs.awscli2

services/integration.yaml

@@ -43,6 +43,10 @@ stern:
   host: 127.0.0.1
   port: 8091
 
+wireServerEnterprise:
+  host: 127.0.0.1
+  port: 8079
+
 # client-API:
 # webapp ---> load balancer  ---> nginx-ingress (TLS termination) ---> nginz ----> brig
 #
@@ -115,6 +119,9 @@ backendTwo:
   stern:
     host: 127.0.0.1
     port: 9091
+  wireServerEnterprise:
+    host: 127.0.0.1
+    port: 9079
 
   originDomain: b.example.com
 
@@ -200,6 +207,9 @@ federation-v0:
   stern:
     host: 127.0.0.1
     port: 21091
+  wireServerEnterprise:
+    host: 127.0.0.1
+    port: 21079
 
 federation-v1:
   originDomain: federation-v1.example.com
@@ -239,5 +249,8 @@ federation-v1:
   stern:
     host: 127.0.0.1
     port: 22091
+  wireServerEnterprise:
+    host: 127.0.0.1
+    port: 22079
 
 integrationTestHostName: "localhost"