wireapp / wire-server-deploy

Code to install/deploy wire-server (on kubernetes)
https://docs.wire.com
GNU Affero General Public License v3.0

Unrecognized Content-Security-Policy directive 'prefetch-src'. #627

Open ramesh8830 opened 1 year ago

ramesh8830 commented 1 year ago

Deployed the server in a production environment with the MetalLB load balancer, but I'm having issues with CORS.

Below are my CSP headers in webapp values.yaml

CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"

CORS Errors on the browser console

Unrecognized Content-Security-Policy directive 'prefetch-src'.

Access to XMLHttpRequest at 'https://api.example.com/api-version' from origin 'https://app.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET https://api.example.com/api-version net::ERR_FAILED 200

Kubernetes Version

:~# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:15:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

Wire Webapp Image used

image:
  repository: quay.io/wire/webapp
  tag: "2023-04-11-production.0-v0.31.13-0-bb91157"

Please help me fix the CORS issue.

supersven commented 1 year ago

@ramesh8830 The Access-Control-Allow-Origin header is set by nginz (and cannon's nginx in some special cases.)

Could you please check these Values:

ramesh8830 commented 1 year ago

@supersven I am sorry, I am new to kubernetes and this wire server deployment.

Please guide me how to and where to check these values.

supersven commented 1 year ago

@ramesh8830 You should have some yaml file or files where you put all config values. The dots (.) refer to nodes in this yaml file.

E.g. Link to nginz.nginx_conf.nginx_conf.external_env_domain if you are using the demo setup values.

I think you need to set:

This should give you Access-Control-Allow-Origin headers when a request's origin is https://app.example.com.

Hope this helps :smiley:

ramesh8830 commented 1 year ago

I added allowlisted_origins: app (as your webapp is served there) to the values.yaml file, but I get the error below when deploying.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: app
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"
bash-5.1# helm upgrade --install --namespace production wire-server wire/wire-server -f values/wire-server/values.yaml -f values/wire-server/secrets.yaml --wait
Error: UPGRADE FAILED: template: wire-server/charts/nginz/templates/deployment.yaml:27:31: executing "wire-server/charts/nginz/templates/deployment.yaml" at <include (print .Template.BasePath "/configmap.yaml") .>: error calling include: template: wire-server/charts/nginz/templates/configmap.yaml:4:4: executing "wire-server/charts/nginz/templates/configmap.yaml" at <include "nginz_nginx.conf" .>: error calling include: template: wire-server/charts/nginz/templates/conf/_nginx.conf.tpl:131:31: executing "nginz_nginx.conf" at <.Values.nginx_conf.allowlisted_origins>: range can't iterate over app
supersven commented 1 year ago

Ah, sorry, it's a list in yaml. E.g.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: 
      - app
...

The default values.yaml file of the Helm chart provides some documentation: https://github.com/wireapp/wire-server/blob/develop/charts/nginz/values.yaml#L71

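As an added illustration (not nginz's template code) of the decision the allowlist above encodes: each entry is a subdomain of external_env_domain, expanded to one exact https origin, and a request gets Access-Control-Allow-Origin only when its Origin header equals one of those strings. Only origins that serve pages to a browser (webapp, team settings, account pages) need listing; hosts the browser merely talks to, such as api or wss, are destinations, not origins. The Python below assumes that expansion and exact-match semantics, and also shows why a scalar value trips Helm's range:

```python
"""Model of how a per-subdomain origin allowlist (nginz's allowlisted_origins
plus external_env_domain) decides the Access-Control-Allow-Origin header.
Added illustration of the behaviour described in the thread, not nginz's
own template code; the expansion rule is an assumption."""
from collections.abc import Iterable
from typing import List, Optional, Set


def allowed_origins(allowlisted: object, external_env_domain: str) -> Set[str]:
    """Expand ['app', 'teams'] + 'example.com' into full https origins."""
    # Helm's `range` needs a list. A bare scalar (`allowlisted_origins: app`)
    # is what produced "range can't iterate over app" in the thread.
    if isinstance(allowlisted, str) or not isinstance(allowlisted, Iterable):
        raise TypeError(f"allowlisted_origins must be a YAML list, got {allowlisted!r}")
    return {f"https://{sub}.{external_env_domain}" for sub in allowlisted}


def acao_for(request_origin: Optional[str], allowlisted: List[str],
             external_env_domain: str) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None to omit the header.

    Exact match on the full origin (scheme + host): no prefix, suffix or regex
    matching, so https://app.example.com.evil.net or http://app.example.com
    are never reflected back to the browser."""
    if not request_origin:
        return None  # same-origin or non-browser requests carry no Origin header
    if request_origin in allowed_origins(allowlisted, external_env_domain):
        return request_origin
    return None


def missing_origins(needed: List[str], allowlisted: List[str],
                    external_env_domain: str) -> List[str]:
    """Which page-serving origins would still get no CORS header with this list."""
    allowed = allowed_origins(allowlisted, external_env_domain)
    return [o for o in needed if o not in allowed]


if __name__ == "__main__":
    # Constructed sample: the thread's domain with only the webapp allowlisted.
    print(acao_for("https://app.example.com", ["app"], "example.com"))
    print(missing_origins(["https://app.example.com", "https://teams.example.com",
                           "https://account.example.com"], ["app"], "example.com"))
```

The point of the exact-match rule is that an origin check done with a substring or an unanchored regex is a classic CORS bypass; the list-of-subdomains form makes it hard to get that wrong.
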
ramesh8830 commented 1 year ago

@supersven It worked. Thank you so much for your help

Have a great day ahead.

supersven commented 1 year ago

@ramesh8830 Welcome :smile:

BTW, there are more web applications you may want to use (e.g. account-pages). If you run into the same issue with one of them, you'll have to add them to the same list.

May I close this ticket?

ramesh8830 commented 1 year ago

Yeah, I have used app, teams and account in there. But I am not getting the Pro account creation like we had in the older version.

image

Old version like below and able to create Pro accounts.

image

Please let me know if you have any idea about how to activate that.

supersven commented 1 year ago

According to @julialongtin this is only a change in the label.

ramesh8830 commented 1 year ago

In the old version of Wire, the URL for Pro account creation is https://app.example.com/auth/#createteam

But in the new version it redirects to https://teams.example.com/register/email, which leads me to a 404 error

ramesh8830 commented 1 year ago

unable to send connection request. getting below error.

Request URL:
https://api.example.com/v3/connections/example.com/55cdabbf-720e-4b2b-878a-ca2a974e4bca
Request Method:
POST
Status Code:
500
Remote Address:
external_ip:443
Referrer Policy:
same-origin
Access-Control-Allow-Origin:
https://app.example.com
Access-Control-Expose-Headers:
Request-Id, Location
Content-Encoding:
gzip
Content-Type:
application/json
Date:
Wed, 28 Jun 2023 19:54:53 GMT
Request-Id:
9957b8036d02b7955c3e2e8c0d0d3906
Strict-Transport-Security:
max-age=15724800; includeSubDomains
Vary:
Accept-Encoding
:Authority:
api.example.com
:Method:
POST
:Path:
/v3/connections/example.com/55cdabbf-720e-4b2b-878a-ca2a974e4bca
:Scheme:
https
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9,cy;q=0.8
Authorization:
Bearer CEevU7mqc3SMH-XhmxqM8zCfZ2MHF0uhSCkpFEgeNJGaeG_F-SGIGdLAlrvrnQLtzwWWvcORd-8o10VvNWF3Aw==.v=1.k=1.d=1687982745.t=a.l=.u=34d4acb7-dc58-4263-a802-58877e60dfc6.i=5d16c30a1c40226d.c=18361318061627808208
Content-Length:
0
Origin:
https://app.example.com
Sec-Ch-Ua:
"Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
same-site
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.58
ramesh8830 commented 1 year ago

Please help me on the above. I did not enable federation and legalhold

akshaymankar commented 1 year ago

I haven't tested this, but I think you can set this environment variable in the webapp helm chart to restore the previous behaviour:

URL_TEAMS_CREATE:  https://app.example.com/auth/#createteam
ramesh8830 commented 1 year ago

@akshaymankar any idea about this issue? I am unable to send a request to any person. When I click on the connect button, I get the above error in the browser's network and console tabs.

Please let me know

akshaymankar commented 1 year ago

I think only logs from brig can tell us why it is throwing a 500.

ramesh8830 commented 1 year ago

Please find the brig log from when I tried to hit the connect button.

{"level":"Error","message":"RPCException {remote = \"galley\", path = \"/i/conversations/connect\", headers = [(\"Z-User\",\"774463e5-cf67-4863-8825-86981f601d0c\"),(\"Z-Connection\",\"8890799891330291274\"),(\"Content-Type\",\"application/json\"),(\"Request-Id\",\"d87678b0d65c342f135924e7678ad277\")], cause = HttpExceptionRequest Request {\n  host                 = \"galley\"\n  port                 = 8080\n  secure               = False\n  requestHeaders       = [(\"Z-User\",\"774463e5-cf67-4863-8825-86981f601d0c\"),(\"Z-Connection\",\"8890799891330291274\"),(\"Content-Type\",\"application/json\"),(\"Request-Id\",\"d87678b0d65c342f135924e7678ad277\")]\n  path                 = \"/i/conversations/connect\"\n  queryString          = \"\"\n  method               = \"POST\"\n  proxy                = Nothing\n  rawBody              = False\n  redirectCount        = 10\n  responseTimeout      = ResponseTimeoutDefault\n  requestVersion       = HTTP/1.1\n}\n (StatusCodeException (Response {responseStatus = Status {statusCode = 500, statusMessage = \"Internal Server Error\"}, responseVersion = HTTP/1.1, responseHeaders = [(\"Transfer-Encoding\",\"chunked\"),(\"Date\",\"Thu, 29 Jun 2023 10:56:27 GMT\"),(\"Server\",\"Warp/3.3.23\"),(\"Content-Encoding\",\"gzip\"),(\"Content-Type\",\"application/json\"),(\"Vary\",\"Accept-Encoding\")], responseBody = (), responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose}) \"{\\\"code\\\":500,\\\"label\\\":\\\"federation-not-implemented\\\",\\\"message\\\":\\\"Federation is not yet implemented for this endpoint\\\"}\")}","msgs":["IO Exception occurred"],"request":"d87678b0d65c342f135924e7678ad277"}
{"code":"500","label":"server-error","level":"Error","msgs":["\"Server Error\""],"request":"d87678b0d65c342f135924e7678ad277"}
ramesh8830 commented 1 year ago

I found the problem. I had a bad URL for the federation domain in the galley pod values.

Thanks..

ramesh8830 commented 1 year ago

I haven't tested this, but I think you can set this environment variable in the webapp helm chart to restore the previous behaviour:

URL_TEAMS_CREATE:  https://app.example.com/auth/#createteam

this is not working

keeps redirecting to https://teams.example.com/register/email

ramesh8830 commented 1 year ago

Ah, sorry, it's a list in yaml. E.g.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins: 
      - app
...

The default values.yaml file of the Helm chart provides some documentation: https://github.com/wireapp/wire-server/blob/develop/charts/nginz/values.yaml#L71

Even after adding these values, I'm getting CORS issues with GIFs

/#/conversation/9b1a0e40-aa0d-498f-8106-54a76b0508c6/federator.example.com:1 Access to XMLHttpRequest at 'https://api.example.com/v3/proxy/giphy/v1/gifs/search?limit=100&offset=0&q=Hello' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - wss
      - account  
      - clientblacklist
      - api    
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"
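
The messages in this thread come from two different checks. The 500 on POST /v3/connections came back with Access-Control-Allow-Origin: https://app.example.com, so the browser accepted that response and the failure was server-side (the brig log later confirms it). The giphy search fails earlier, at the preflight: a GET is still preflighted when the page sets an Authorization header, and the OPTIONS reply carries no Access-Control-Allow-Origin at all. The Python below is an added example, not Wire code, that reproduces the browser's decision from response headers alone, following the Fetch-spec rules; the responses it is fed are constructed to match the shapes seen in the thread, not captured traffic. One aside on the request dump pasted earlier: the Authorization value in it is a live bearer token, and a token posted publicly should be treated as compromised and revoked.

```python
"""Reproduce the browser's CORS decision for a preflight (OPTIONS) reply and
for an actual response, from the headers alone. Added illustration written to
the Fetch-spec rules; sample headers in the tests are constructed, not captured."""
from dataclasses import dataclass, field
from typing import Dict, List

CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
# Simplified: Content-Type is only safelisted for form/plain types; ignored here.
CORS_SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class CorsRequest:
    origin: str
    method: str = "GET"
    headers: List[str] = field(default_factory=list)  # request headers the page sets itself
    credentials: bool = False  # XHR withCredentials / fetch credentials: "include"


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def needs_preflight(req: CorsRequest) -> bool:
    """A GET with an Authorization header is preflighted: the header is not safelisted."""
    return req.method.upper() not in CORS_SAFELISTED_METHODS or any(
        h.lower() not in CORS_SAFELISTED_HEADERS for h in req.headers)


def origin_problems(req: CorsRequest, resp: Dict[str, str]) -> List[str]:
    """Checks applied to both preflight and actual responses."""
    h = _lower(resp)
    problems = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("No 'Access-Control-Allow-Origin' header is present on the requested resource")
    elif acao == "*":
        if req.credentials:
            problems.append("Access-Control-Allow-Origin '*' is not allowed when credentials are included")
    elif acao != req.origin:
        problems.append(f"Access-Control-Allow-Origin '{acao}' does not match origin '{req.origin}'")
    if req.credentials and h.get("access-control-allow-credentials") != "true":
        problems.append("credentials included but Access-Control-Allow-Credentials is not 'true'")
    return problems


def preflight_problems(req: CorsRequest, resp: Dict[str, str]) -> List[str]:
    """Evaluate an OPTIONS reply; an empty list means the actual request gets sent."""
    h = _lower(resp)
    problems = origin_problems(req, resp)
    acam = h.get("access-control-allow-methods")
    # Absent Allow-Methods: the requested method is assumed; safelisted methods always pass.
    methods = {m.upper() for m in _csv(acam)} if acam is not None else {req.method.upper()}
    method = req.method.upper()
    if (method not in methods and method not in CORS_SAFELISTED_METHODS
            and not ("*" in methods and not req.credentials)):
        problems.append(f"Method {method} is not allowed by Access-Control-Allow-Methods")
    allowed = {n.lower() for n in _csv(h.get("access-control-allow-headers", ""))}
    wildcard = "*" in allowed and not req.credentials
    for name in req.headers:
        n = name.lower()
        # '*' never covers Authorization; it has to be listed explicitly (Fetch spec).
        if n not in allowed and n not in CORS_SAFELISTED_HEADERS and not (wildcard and n != "authorization"):
            problems.append(f"Request header field {name} is not allowed by Access-Control-Allow-Headers")
    return problems


if __name__ == "__main__":
    # Constructed: the giphy preflight from the thread, answered without any CORS headers.
    giphy = CorsRequest("https://app.example.com", "GET", ["Authorization"])
    print(needs_preflight(giphy), preflight_problems(giphy, {"Content-Type": "application/json"}))
```

Feeding it the headers of the failed connection request (Access-Control-Allow-Origin present and matching) returns no problems, which is the quick way to tell a CORS failure from an ordinary server error that happens to show up in the same console.
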
ramesh8830 commented 1 year ago

@julialongtin @akshaymankar @supersven any help on this please?

/#/conversation/9b1a0e40-aa0d-498f-8106-54a76b0508c6/federator.example.com:1 Access to XMLHttpRequest at 'https://api.example.com/v3/proxy/giphy/v1/gifs/search?limit=100&offset=0&q=Hello' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

julialongtin commented 1 year ago

look at the extra CSP headers that are being handed out by the webapp.

https://github.com/wireapp/wire-server-deploy/blob/master/values/wire-server/prod-values.example.yaml#L250

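One point worth separating for anyone landing here from the issue title: the CSP_EXTRA_* settings control the Content-Security-Policy header the webapp sends, which decides what the page itself may load or connect to, and a blocked CSP fetch is reported as a CSP violation. "No 'Access-Control-Allow-Origin' header" is CORS, decided by the server answering the request (nginz here), and no CSP setting can fix it. The "Unrecognized Content-Security-Policy directive 'prefetch-src'" warning is a third thing: that directive was removed from the CSP3 draft and Chromium never implemented it, so the CSP_EXTRA_PREFETCH_SRC value only adds noise. The Python below is an added example, not the webapp's own config code; it assembles the header that a set of CSP_EXTRA_*_SRC values would produce on top of an assumed base policy (the webapp's real default is not shown on this page) and lints the result for what a reviewer would flag, including wildcard hosts in script-src and anything other than 'none' in object-src:

```python
"""Build the Content-Security-Policy header that a set of CSP_EXTRA_*_SRC
settings would produce, then lint it. Added illustration; BASE_POLICY and the
'append comma-separated extras to the directive' rule are assumptions, not the
webapp's actual defaults."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed base policy; the real default is not shown on this page.
BASE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "connect-src": ["'self'"],
    "script-src": ["'self'"],
    "img-src": ["'self'", "data:", "blob:"],
    "object-src": ["'none'"],
}

# prefetch-src was removed from the CSP3 draft and never shipped in Chromium,
# which is what "Unrecognized Content-Security-Policy directive" is telling you.
UNSUPPORTED = {"prefetch-src"}
# WebSocket schemes only mean something in connect-src; elsewhere they are dead weight.
WS_SCHEMES = ("ws://", "wss://")


def directive_from_env(key: str) -> Optional[str]:
    """CSP_EXTRA_CONNECT_SRC -> connect-src; None for unrelated env vars."""
    m = re.fullmatch(r"CSP_EXTRA_([A-Z]+)_SRC", key)
    return f"{m.group(1).lower()}-src" if m else None


def build_policy(env: Dict[str, str], base: Dict[str, List[str]] = BASE_POLICY) -> Dict[str, List[str]]:
    """Append each comma-separated CSP_EXTRA_* list to its directive (assumed semantics)."""
    policy = {d: list(s) for d, s in base.items()}
    for key, value in env.items():
        d = directive_from_env(key)
        if d is None:
            continue
        extras = [s.strip() for s in value.split(",") if s.strip()]
        policy.setdefault(d, []).extend(extras)
    return policy


def serialize(policy: Dict[str, List[str]]) -> str:
    """Render the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


def lint(policy: Dict[str, List[str]]) -> List[str]:
    """Human-readable findings; an empty list means nothing to flag."""
    findings = []
    for d, srcs in policy.items():
        if d in UNSUPPORTED:
            findings.append(f"{d}: not recognized by browsers, drop it")
        if d != "connect-src" and any(s.startswith(WS_SCHEMES) for s in srcs):
            findings.append(f"{d}: ws:/wss: sources have no effect outside connect-src")
        if d == "script-src" and any("*." in s for s in srcs):
            findings.append("script-src: wildcard host lets any subdomain serve executable script; list exact hosts")
        if d == "script-src" and ("'unsafe-inline'" in srcs or "'unsafe-eval'" in srcs):
            findings.append("script-src: 'unsafe-inline'/'unsafe-eval' largely defeat CSP as an XSS mitigation")
        if d == "object-src" and srcs != ["'none'"]:
            findings.append("object-src: should be exactly 'none'; extra sources re-enable plugin content")
    return findings


def check(env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Header value plus lint findings for one set of CSP_EXTRA_* settings."""
    policy = build_policy(env)
    return serialize(policy), lint(policy)


if __name__ == "__main__":
    # Constructed sample mirroring the values pasted in this issue.
    header, findings = check({
        "CSP_EXTRA_SCRIPT_SRC": "https://*.example.com, wss://*.example.com, https://*.giphy.com",
        "CSP_EXTRA_PREFETCH_SRC": "https://*.example.com",
    })
    print(header)
    print("\n".join(findings))
```

Narrowing the extras is mostly free: connect-src needs the API and websocket hosts, img-src and media-src need the asset store and giphy, and script-src normally needs nothing beyond the webapp's own origin.
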
ramesh8830 commented 1 year ago

Deployed the server in a production environment with the MetalLB load balancer, but I'm having issues with CORS.

Below are my CSP headers in webapp values.yaml

CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"

I have added the necessary headers already, but I'm still having issues with GIFs only. Everything else is working fine.

julialongtin commented 1 year ago

can you drop your values.yml file here?


ramesh8830 commented 1 year ago
# CHANGEME-PROD: All values here should be changed/reviewed
tags:
  proxy: true # enable if you want/need giphy/youtube/etc proxying
  account-pages: true
  team-settings: false # enable if you need team-settings. Requires a pullSecret
  legalhold: false # Enable if you need legalhold
  federator: false # Enable to use federation
  sftd: true

sftd:
  host: sftd.example.com # Replace example.com with your domain
  allowOrigin: https://app.example.com # Should be the address you used for the webapp deployment

cassandra-migrations:
#  images:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  cassandra:
    host: cassandra-external
    replicationFactor: 3

elasticsearch-index:
  elasticsearch:
    host: elasticsearch-external
  cassandra:
    host: cassandra-external
brig:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    elasticsearch:
      host: elasticsearch-external
    useSES: false
    # Set to false if you want to hand out DynamoDB to store prekeys
    randomPrekeys: true
    aws:
      # change if using real AWS
      region: "us-east-1"
      sqsEndpoint: https://sqs.us-east-1.amazonaws.com
      # dynamoDBEndpoint: http://fake-aws-dynamodb:4567

      # these must match the table names created on fake or real AWS services
      internalQueue: example-brig-events-internal
      prekeyTable: integration-brig-prekeys
    externalUrls:
      nginz: https://api.example.com # change this
      teamSettings: https://teams.example.com # change this (or unset if team settings are not used)
      teamCreatorWelcome: https://teams.example.com/login # change this
      teamMemberWelcome: https://welcome.example.com/download # change this
    optSettings:
      #setCookieDomain: example.com
      setFederationDomain: federator.example.com # change this
      # Sync the domain with the 'host' variable in the sftd chart
      # Comment the next line (by adding '#' before it) if conference calling is not used
      setSftStaticUrl: "https://sftd.example.com:443"
    emailSMS:
      general:
        emailSender: no-reply@example.com # change this
        smsSender: "+11234567890" # change this if SMS support is desired
        templateBranding: # change all of these, they are used in emails
          brand: example
          brandUrl: https://example.com
          brandLabel: example.com
          brandLabelUrl: https://example.com
          brandLogoUrl: https://example.com/example_logo_email.png
          brandService: example
          copyright: © example
          misuse: misuse@example.com
          legal: https://example.com/legal/
          forgot: https://account.example.com/forgot/
          support: https://support.example.com/
      user:
        passwordResetUrl: https://account.example.com/reset/?key=${key}&code=${code}
        activationUrl: https://account.example.com/verify/?key=${key}&code=${code}
        smsActivationUrl: https://account.example.com/v/${code}
        deletionUrl: https://account.example.com/d/?key=${key}&code=${code}
        invitationUrl: https://account.example.com/i/${code}
    smtp:
      host: example.com # change this if you want to use your own SMTP server
      port: 465       # change this
      connType: ssl # change this. Possible values: plain|ssl|tls
      username: no-reply@example.com
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"
  turnStatic:
    v1: []
    v2:
      - "turn:turn01.example.com:80"
      - "turn:turn02.example.com:80"
      - "turn:turn03.example.com:80"
      - "turn:turn01.example.com:80?transport=tcp"
      - "turn:turn02.example.com:80?transport=tcp"
      - "turn:turn03.example.com:80?transport=tcp"
      - "turns:turn01.example.com:443?transport=tcp"
      - "turns:turn02.example.com:443?transport=tcp"                                           
      - "turns:turn03.example.com:443?transport=tcp"

proxy:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
#  config:
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

cannon:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  # For demo mode only, we don't need to keep websocket connections open on chart upgrades
  #drainTimeout: 10
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - account
    external_env_domain: example.com

cargohold:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    aws:
      # change if using real AWS
      region: "us-east-1"
      s3Bucket: example-assets
      s3Endpoint: https://s3.us-east-1.amazonaws.com
      s3DownloadEndpoint: https://s3.us-east-1.amazonaws.com
      s3Version: latest
      s3Signature: v4
    settings:
      federationDomain: federator.example.com # change this
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

galley:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    settings:
      # prefix URI used when inviting users to a conversation by link
      conversationCodeURI: https://account.example.com/conversation-join/ # change this
      federationDomain: federator.example.com # change this
      # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
      featureFlags:
        sso: disabled-by-default
        # NOTE: Change this to "disabled-by-default" for legalhold support
        # legalhold: disabled-by-default
        legalhold: disabled-permanently
        teamSearchVisibility: enabled-by-default
    aws:
      region: "us-east-1"
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

gundeck:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    aws:
      # change if using real AWS
      account: "11234567890"
      region: "us-east-1"
      arnEnv: example
      queueName: example-gundeck-events
      sqsEndpoint: https://sqs.us-east-1.amazonaws.com
      snsEndpoint: https://sns.us-east-1.amazonaws.com
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

nginz:
  replicaCount: 3
  config:
    ws:
      useProxyProtocol: false
#  images:
#    nginz:
#      tag: some-tag (only override if you want a newer/different version than what is in the chart)
  nginx_conf:
    # using prod means mostly that some internal endpoints are not exposed
    env: prod
    allowlisted_origins:
      - app
      - teams
      - account
    external_env_domain: example.com
    deeplink:
      endpoints:
        backendURL: "https://api.example.com"
        backendWSURL: "https://wss.example.com"
        teamsURL: "https://teams.example.com"
        accountsURL: "https://account.example.com"
        blackListURL: "https://clientblacklist.example.com/prod"
        websiteURL: "https://example.com"
      title: "My Custom example Backend"
      # Optional -- Uncomment these if you want to direct all of your mobile users to use the same proxy.
      #apiProxy:
        #host: "socks5.proxy.com"
        #port: 1080
        #needsAuthentication: true
  # For demo mode only, we don't need to keep websocket connections open on upgrade:
  #drainTimeout: 10
  #terminationGracePeriodSeconds: 30

spar:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    cassandra:
      host: cassandra-external
    logLevel: Debug
    domain: example.com
    appUri: https://api.example.com
    ssoUri: https://api.example.com/sso
    maxttlAuthreq: 28800
    maxttlAuthresp: 28800
    # maxScimTokens: 16 # uncomment this if you want to use SCIM provisioning
    contacts:
    - type: ContactSupport
      company: example
      email: email:support@example.com
#    proxy:
#      httpProxy: "http://proxy.example.com"
#      httpsProxy: "https://proxy.example.com"
#      noProxyList:
#        - "local.example.com"
#        - "10.23.0.0/16"

webapp:
  replicaCount: 3
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: api.example.com
      backendWebsocket: wss.example.com
      backendDomain: example.com
      backendTeamSettings: teams.example.com
      appHost: app.example.com
  # See full list of available environment variables: https://github.com/wireapp/wire-webapp/blob/dev/server/config.ts
  envVars:
    APP_NAME: "example Webapp"
    ENFORCE_HTTPS: "true"
    FEATURE_CHECK_CONSENT: "false"
    FEATURE_ENABLE_ACCOUNT_REGISTRATION: "true"
    FEATURE_ENABLE_DEBUG: "false"
    FEATURE_ENABLE_PHONE_LOGIN: "true"
    FEATURE_ENABLE_SSO: "false"
    FEATURE_SHOW_LOADING_INFORMATION: "false"
    URL_ACCOUNT_BASE: "https://account.example.com"
    #URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed?
    URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions"
    URL_SUPPORT_BASE: "https://www.example.com/support"
    URL_TEAMS_BASE: "https://teams.example.com"
    URL_TEAMS_CREATE: "https://app.example.com/auth/#createteam"
    URL_TERMS_OF_USE_PERSONAL: "https://www.example.com/terms-conditions"
    URL_TERMS_OF_USE_TEAMS: "https://www.example.com/terms-conditions"
    URL_WEBSITE_BASE: "https://www.example.com"
    CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_IMG_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_SCRIPT_SRC: "https://*.example.com, wss://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_DEFAULT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_FONT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_FRAME_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_MANIFEST_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_OBJECT_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_MEDIA_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_PREFETCH_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_STYLE_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"
    CSP_EXTRA_WORKER_SRC: "https://*.example.com, https://*.giphy.com, https://s3.us-east-1.amazonaws.com"

# NOTE: Only relevant if you want team-settings
team-settings:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: api.example.com
      backendWebsocket: wss.example.com
      backendDomain: example.com
      appHost: teams.example.com
  # See full list of available environment variables: https://github.com/wireapp/wire-team-settings/blob/dev/server/config.ts
  envVars:
    APP_NAME: "Team Settings"
    ENFORCE_HTTPS: "true"
    FEATURE_CHECK_CONSENT: "false"
    FEATURE_ENABLE_DEBUG: "false"
    FEATURE_ENABLE_NEW_TEAM: "true"
    # NOTE: Uncomment this for legalhold support in the Team-settings UI
    # FEATURE_ENABLE_LEGAL_HOLD: "true"
    URL_ACCOUNT_BASE: "https://account.example.com"
    URL_WEBAPP_BASE: "https://app.example.com"
    URL_WEBSITE_BASE: "https://www.example.com"
    WEBSITE_LABEL: "www.example.com"
    CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com"
    CSP_EXTRA_IMG_SRC: "https://*.example.com"
    CSP_EXTRA_SCRIPT_SRC: "https://*.example.com"
    CSP_EXTRA_DEFAULT_SRC: "https://*.example.com"
    CSP_EXTRA_FONT_SRC: "https://*.example.com"
    CSP_EXTRA_FRAME_SRC: "https://*.example.com"
    CSP_EXTRA_MANIFEST_SRC: "https://*.example.com"
    CSP_EXTRA_OBJECT_SRC: "https://*.example.com"
    CSP_EXTRA_MEDIA_SRC: "https://*.example.com"
    CSP_EXTRA_PREFETCH_SRC: "https://*.example.com"
    CSP_EXTRA_STYLE_SRC: "https://*.example.com"
    CSP_EXTRA_WORKER_SRC: "https://*.example.com"
    IS_SELF_HOSTED: "true"

# NOTE: Only relevant if you want account-pages
account-pages:
  replicaCount: 1
#  image:
#    tag: some-tag (only override if you want a newer/different version than what is in the chart)
  config:
    externalUrls:
      backendRest: api.example.com
      backendDomain: example.com
      appHost: account.example.com
  # See full list of available environment variables: https://github.com/wireapp/wire-account/blob/dev/server/config.ts
  envVars:
    APP_NAME: "example Account Management"
    COMPANY_NAME: "example"
    FEATURE_ENFORCE_HTTPS: "true"
    FEATURE_ENABLE_DEBUG: "false"
    URL_SUPPORT_BASE: "https://www.example.com/support"
    URL_TEAMS_BASE: "https://teams.example.com"
    URL_WEBAPP_BASE: "https://app.example.com"
    URL_WEBSITE_BASE: "https://www.example.com"
    CSP_EXTRA_CONNECT_SRC: "https://*.example.com, wss://*.example.com"
    CSP_EXTRA_IMG_SRC: "https://*.example.com"
    CSP_EXTRA_SCRIPT_SRC: "https://*.example.com"
    CSP_EXTRA_DEFAULT_SRC: "https://*.example.com"
    CSP_EXTRA_FONT_SRC: "https://*.example.com"
    CSP_EXTRA_FRAME_SRC: "https://*.example.com"
    CSP_EXTRA_MANIFEST_SRC: "https://*.example.com"
    CSP_EXTRA_OBJECT_SRC: "https://*.example.com"
    CSP_EXTRA_MEDIA_SRC: "https://*.example.com"
    CSP_EXTRA_PREFETCH_SRC: "https://*.example.com"
    CSP_EXTRA_STYLE_SRC: "https://*.example.com"
    CSP_EXTRA_WORKER_SRC: "https://*.example.com"
    IS_SELF_HOSTED: "true"

# Only needed when legalhold is enabled
legalhold:
  host: "legalhold.example.com"
  wireApiHost: "https://api.example.com"

# Only needed when federation is enabled
federator:
  tls:
    useSharedFederatorSecret: true
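A small lint for the Content-Security-Policy header the webapp ends up serving, added here as an example (not code from wire-server-deploy, wire-webapp, or the reporter's deployment). It assumes the CSP_EXTRA_* values are joined into ordinary space-separated source lists in the response header, flags `prefetch-src` as a directive browsers no longer recognize, and checks whether a request origin such as `https://api.example.com` is allowed by `connect-src`:

```python
"""Lint a served Content-Security-Policy header: flag directives current browsers
no longer recognize (such as 'prefetch-src', dropped from CSP Level 3) and check
whether a request origin is allowed by a fetch directive. Added example, not code
from wire-server-deploy; SAMPLE_CSP is constructed from the CSP_EXTRA_* values above."""
from urllib.parse import urlsplit

KNOWN_DIRECTIVES = {  # CSP Level 3 directive names (assumed list); 'prefetch-src' absent
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "require-trusted-types-for", "trusted-types"}
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}
SAMPLE_CSP = (  # constructed, not captured from a real deployment
    "default-src 'self' https://*.example.com; "
    "connect-src 'self' https://*.example.com wss://*.example.com "
    "https://*.giphy.com https://s3.us-east-1.amazonaws.com; "
    "prefetch-src 'self' https://*.example.com; img-src 'self' data:")

def parse_csp(header):
    """Return {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for tokens in (raw.split() for raw in header.split(";")):
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def unrecognized_directives(policy):
    return sorted(d for d in policy if d not in KNOWN_DIRECTIVES)

def source_matches(expr, origin, page_origin):
    """Match one source expression against an origin (scheme://host[:port]).
    Not handled: port wildcards (':*') and the http->https upgrade rule."""
    if expr == "'self'":
        return urlsplit(origin)[:2] == urlsplit(page_origin)[:2]
    if expr.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes
        return False
    e, o = urlsplit(expr), urlsplit(origin)
    if not e.hostname:  # scheme-only source such as data: or blob:
        return e.scheme == o.scheme
    ehost, ohost = e.hostname, o.hostname or ""
    # '*.' matches subdomains only, never the bare parent host.
    host_ok = ohost.endswith(ehost[1:]) if ehost.startswith("*.") else ehost == ohost
    eport, oport = e.port or DEFAULT_PORTS.get(e.scheme), o.port or DEFAULT_PORTS.get(o.scheme)
    return e.scheme == o.scheme and host_ok and eport == oport

def origin_allowed(policy, directive, origin, page_origin):
    """Fetch directives missing from the policy fall back to default-src."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, origin, page_origin) for s in sources)
```

Passing these checks does not address the second error in the issue: the CORS failure needs the API origin (api.example.com) to send Access-Control-Allow-Origin for the webapp origin, which is a backend response header, not a CSP setting.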

ramesh8830 commented 1 year ago

@julialongtin anything wrong with my values.yaml?

julialongtin commented 1 year ago

nothing sticks out to me. I'll load it up into an environment and poke it here, but it will take me a few days. other priorities, etc.

ramesh8830 commented 1 year ago

Looking for your help @julialongtin.

Please help me

ramesh8830 commented 1 year ago

> nothing sticks out to me. I'll load it up into an environment and poke it here, but it will take me a few days. other priorities, etc.

Hi @julialongtin

have you tried it?

Please help me

ramesh8830 commented 1 year ago

any update?