Releases: wireapp/wire-server
2024-12-30 (Chart Release 5.9.0)
Release notes
- `POST /scim/auth-token` request body allows you to choose an IdP UUID to associate with. If none is given, do not associate.
  WARNING: the new behavior differs from the old one when first creating a unique SAML IdP and then the SCIM token: before this release, this request would associate the two, now it doesn't. (#4349)
- We changed the default MLS cipher suite from `MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519` to `MLS_128_DHKEMP256_AES128GCM_SHA256_P256` and the allowed MLS cipher suites from only `MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519` to only `MLS_128_DHKEMP256_AES128GCM_SHA256_P256`.
  ATTENTION: This breaks your MLS clients if they used the previous defaults before. This is even true if you allow several cipher suites, since current MLS clients only support one cipher suite at a time.
  Adjust the defaults in the server configuration to switch the values of `defaultCipherSuite` and `allowedCipherSuites` back to the previous defaults, `1` and `[1]`, respectively. Once MLS clients support several cipher suites, you could even use `[1,2]` or a list of other cipher suites in `allowedCipherSuites`. Make sure that this list contains the currently used cipher suite! (#4373)
- This release contains a new Git submodule: `wire-server-enterprise`. This module represents a service which contains all non-open-source features. Wire can still be deployed and run without this service. Building it without `wire-server-enterprise` is currently not documented, but Wire will keep providing the artefacts.
  The service can be deployed with a dedicated Helm chart (`charts/wire-server-enterprise`). The required service image is not freely available (the registry is password protected). (#4357)
API changes
- The `client_id` query parameter of the `GET /events` endpoint is now optional. When not provided, events are returned from a temporary queue that's not bound to any specific client. The queue is deleted when the websocket disconnects. (#4360)
Features
- You can now create both multiple SCIM peers and multiple SAML IdPs, and freely associate them with each other (team management app implementation pending). (#4349)
- Internal API and backoffice support for managing email domains for enterprise login (#4364)
Bug fixes and other updates
- Fix `gzip filter failed to use preallocated memory` alerts in nginz by upgrading (#4365)
- Send team active event in personal user to team flow (#4380)
- Add profile name to new team owner welcome mail (#4378)
Internal changes
2024-12-11 (Chart Release 5.8.0)
Release notes
- [RabbitMQ events] Notifications are now also sent via RabbitMQ. Therefore RabbitMQ is now a required dependency for Cannon and Gundeck. Cassandra is now a required dependency for Cannon and Background-Worker. Both of them need access to the Gundeck keyspace. These are breaking changes for Charts. (#4272, #4358, #4340)
- If brig's server values config has the field `emailSMS.team`, the correct value for the personal user to team invitation URL must be set under `emailSMS.team.tExistingUserInvitationUrl`. Otherwise the URL will point to a path under the account pages and therefore a value for `externalUrls.accountPages` is required. (#4341)
API changes
- The endpoint `POST /teams/:tid/invitations` gained a new optional field `allow_existing`, which controls whether an existing personal user should be invited to the team (#4336)
Features
- Welcome email for new team owner. (#4333)
- Added inviter's email to `GET /teams/invitation/info` endpoint. (#4332)
Bug fixes and other updates
- Updated `nginz` config for personal user to team flow (#4334)
- Freeze API version 7, create new dev version 8. Also update checklist. (#4356, #4356)
- Fixed config for personal user to team invitation URL template. (#4341)
- Fixed search index after personal user creates team (#4362)
Documentation
- Add a few more swagger descriptions and examples. (#4323)
Internal changes
- `charts/wire-server-enterprise` is a Helm chart to run the `wire-server-enterprise` service. This service can only be deployed with an image pull secret (the registry is not open to public). (#4359)
- [Polysemy] Move email update and remove operations to effects (#4316, #4316)
- Log uncaught IO exceptions in cargohold (#4352)
- Updated email templates to v1.0.124 (#4328)
- charts/galley: Make missing mls keys a templating error. Update MLS docs. (#4369)
- [RabbitMQ events] New endpoint `GET /events` for consuming events is added (in API V8).
  - When a client misses notifications because it was offline for too long, it needs to know this information so it can do a full synchronisation. This appears as the first notification in `GET /events` endpoint whenever the system detects this happening. The next acknowledgement of the message makes this notification not appear anymore until the next notification is missed. (#4272)
  - New internal endpoint `POST /i/users/:uid/clients/:cid/consumable-notifications` is added (#4272)
  - Connection pooling in cannon (#4348)
  - Add consumers to the draining step on Cannon, in case of termination. (#4342)
  - List queues more efficiently. (#4351)
2024-11-04 (Chart Release 5.7.0)
Bug fixes and other updates
- galley: Use bulk query when getting all feature configs for a team user (#4325)
Internal changes
2024-10-30 (Chart Release 5.6.0)
Release notes
- To remove phone keys from brig's `user_keys` table an ad hoc data-migration can be run. See PR #4146 which contains the implementation. (#4130)
- Because the `phone` column is deleted from Brig's `user` table in a schema migration, temporarily there might be 5xx errors during deployment if Wire server 5.4.0 was not deployed previously. To avoid these errors, please deploy the Wire server 5.4.0 release first. (#4130)
- With this release it will be possible to invite personal users to teams. In `brig`'s config, `emailSMS.team.tExistingUserInvitationUrl` is required to be set to a value that points to the correct teams/account page. If `emailSMS.team` is not defined at all in the current environment, the value of `externalUrls.teamSettings` (or, if not present, `externalUrls.nginz`) will be used to construct the correct url, and no configuration change is necessary. (#4229)
- charts/wire-server: There is a new config value called `background-worker.config.enableFederation` which defaults to `false`. This must be kept in sync with `tags.federation`. (#4243)
- If you are mapping an email address to the `externalId` field in the scim schema, please check the following list for items that apply to you and recommended steps before/during/after upgrade.
  - Situation: the `emails` field of your scim user records is empty.
    What you need to do: change your schema mapping to contain the same address in `externalId` and (as a record with one element) in `emails`.
  - Situation: the `emails` field of your scim user records is non-empty.
    What you need to do: make sure `emails` contains exactly one entry, which is the email from `externalId`. If there is a discrepancy, the address from `emails` will become the new (unvalidated) address of the user, and the user will receive an email to validate it. If the email cannot be sent or is ignored by the recipient, the valid address will not be changed. (#4221)
- A schema migration drops column 'phone' from Brig's 'team_invitation' table. Previous releases were still reading this column. As there is no Team Settings UI action to enter a phone number, these reads will not miss any actual phone numbers. Therefore, during deployment this will lead to benign 5xx errors. (#4149)
- Password hashing can now be done using argon2id instead of scrypt. The argon2id parameters can be configured using these options:
  ```yaml
  brig:
    optSettings:
      setPasswordHashingOptions:
        algorithm: argon2id
        iterations: ...
        memory: ... # memory needed in KiB
        parallelism: ...
  galley:
    settings:
      passwordHashingOptions:
        algorithm: argon2id
        iterations: ...
        memory: ... # memory needed in KiB
        parallelism: ...
  ```
  The default option is still to use scrypt as moving to argon2id might require allocating more resources according to configured parameters.
  When configured to use argon2id, the DB will be migrated slowly over time as the users enter their passwords (either to login or to do other operations which require explicit password entry). This migration is NOT done in reverse, i.e., if a deployment started with argon2id as the algorithm then chose to move to scrypt, the passwords will not get rehashed automatically, instead the users will have to reset their passwords if that is desired.
  NOTE: It is highly recommended to move to argon2id as it will be made the only available choice for the `algorithm` config option in future.
- Config value `gundeck.config.bulkPush` has been removed. This is purely an internal change, in case the value was overridden to `false`, operators might see more spiky usage of CPU and memory from gundeck due to bulk processing. (#4290)
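For the `externalId`/`emails` item in the release notes above, a pre-upgrade audit of exported SCIM user records can flag the two situations it describes. This is an added example, not part of wire-server: the record shape follows the SCIM core schema (RFC 7643), the sample records and status names are constructed, and the exact string comparison between `externalId` and the email value is an assumption.

```python
"""Pre-upgrade audit of SCIM user records for the externalId/emails change."""
import json

# Constructed sample records in SCIM core-schema shape (RFC 7643).
SAMPLE_USERS = json.loads("""
[
  {"userName": "alice", "externalId": "alice@example.com",
   "emails": [{"value": "alice@example.com", "primary": true}]},
  {"userName": "bob", "externalId": "bob@example.com"},
  {"userName": "carol", "externalId": "carol@example.com",
   "emails": [{"value": "carol.new@example.com"}]},
  {"userName": "dave", "externalId": "dave@example.com",
   "emails": [{"value": "dave@example.com"}, {"value": "d@example.org"}]},
  {"userName": "erin", "externalId": "emp-00417",
   "emails": [{"value": "erin@example.com"}]}
]
""")

# Status names are hypothetical labels for this audit only.
OK = "ok"
NOT_APPLICABLE = "externalId-not-an-email"   # the release note does not apply
EMAILS_EMPTY = "emails-empty"                # situation 1 in the release note
EMAILS_MULTIPLE = "emails-multiple"          # situation 2: more than one entry
EMAILS_MISMATCH = "emails-mismatch"          # situation 2: entry != externalId


def email_values(user):
    """Return the non-blank 'value' strings of the record's emails attribute."""
    values = []
    for entry in user.get("emails") or []:
        value = entry.get("value") if isinstance(entry, dict) else None
        if isinstance(value, str) and value.strip():
            values.append(value.strip())
    return values


def classify(user):
    """Classify one SCIM user record against the upgrade checklist."""
    external_id = (user.get("externalId") or "").strip()
    if "@" not in external_id:
        # Only deployments that map an email address to externalId are affected.
        return NOT_APPLICABLE
    emails = email_values(user)
    if not emails:
        return EMAILS_EMPTY
    if len(emails) > 1:
        return EMAILS_MULTIPLE
    # Assumption: exact comparison. A mismatch means the address from emails
    # would become the user's new, unvalidated address after the upgrade.
    if emails[0] != external_id:
        return EMAILS_MISMATCH
    return OK


def audit(users):
    """Map each problem status to the userNames that need a mapping fix."""
    findings = {}
    for user in users:
        status = classify(user)
        if status not in (OK, NOT_APPLICABLE):
            findings.setdefault(status, []).append(
                user.get("userName", "<no userName>"))
    return findings


if __name__ == "__main__":
    for status, names in sorted(audit(SAMPLE_USERS).items()):
        print(f"{status}: {', '.join(names)}")
```

Records reported as `emails-mismatch` are the ones whose users would receive a validation email for the address in `emails`.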
API changes
- A new endpoint `POST /teams/invitations/accept` allows a non-team user to accept an invitation to join a team (#4229)
- Services allowlist are blocked by 409 (mls-services-not-allowed) for teams with default protocol MLS. (#4266)
- The `POST /clients` and `PUT /clients/:cid` endpoints support a new capability "consume-notifications" (#4259)
- New variant in API version 7 of endpoints for creating and listing SCIM tokens that support a `name` field. New endpoint in version 7 for updating a SCIM token name. (#4307)
- All the phone number-based functionality is removed from the client API v6 (#4149)
- The team CSV export endpoint has gained two extra columns: `last_active` and `status`. The streaming behaviour has also been improved. (#4293)
- The changes to the `capabilities` field of the `Client` structure, introduced in v6, have now been postponed to v7 (#4179)
- Finalise version 6 and introduce new development version 7 (#4179, #4179)
- From API version 7 the `GET /mls/public-key` and `GET /conversations/one2one/:domain/:uid` endpoints now take a `format` query parameter which can be either `raw` (default, for raw base64-encoded keys) or `jwk` (for JWK keys) (#4216, #4224)
- `GET /conversations/one2one/:domain/:uid` now returns `public_keys` along with the conversation containing all MLS public keys for the backend which will host this conversation (since v6). (#4224)
- Remove the ability to set the TTL of a feature flag. Existing TTLs are still retrieved and returned as before. Note that this only applies to the conferenceCalling feature, as none of the others supported TTL anyway. (#4164)
- Add useSFTForOneToOneCalls as a config option for the Conference Calling feature flag and make its lock status explicit. (#4164)
- Add endpoint to upgrade a personal user to a team owner (#4251)
Features
- DB migration for dropping `phone` column from `user` table (#4130)
- A text status field was added to user and user profile (#4155)
- Allow an existing non-team user to migrate to a team (#4229, #4268, #4315)
- Makes it impossible for a user to join an MLS conversation while already under legalhold (at least pending).
  This implies two things:
  - If a user is under legalhold they cannot ever join an MLS conversation, not even an MLS self conversation.
  - A user has to reject to be put under legalhold when they want to join an MLS conversation (ignoring the request to be put under legalhold is not enough). (#4242)
- Email template for inviting a personal user to a team added (#4310)
- Clients can declare to be supporting a capability for consuming notifications (#4259)
- New endpoint to revoke an OAuth session (#4213)
- Adds a field which contains a list of all active sessions to each OAuth application in the response of `GET /oauth/applications` (#4211)
- SCIM's emails field is now handled and the external ID is not restricted to being an email anymore (#4221)
- Added human readable names for SCIM tokens (#4307)
- allow subconversations for MLS 1-1 conversations (#4133)
- Allow choosing hashing algorithm and configuring argon2id parameters (#4291, #4291)
- Deny requests for a legalhold device for users who are part of any MLS conversations (#4245)
- Allow setting of Kubernetes annotations for the `coturn` Service. (#4189)
- Add `initialConfig` setting for the `mls` feature flag (#4262)
- Add `federationProtocols` setting to galley, which can be used to disable the creation of federated conversations with a given protocol (#4278)
- added open telemetry instrumentation for brig, galley, gundeck and cannon (#3901)
- Send confirmation email after adding a personal user to a new team (#4253)
- The SFT and turn usernames returned by `/calls/config/v2` are now deterministically computed from the user ID (#4156)
- Use latest stable RabbitMQ version (`3.13.7`) and Helm chart (`14.6.9`). Please note that this minor RabbitMQ version upgrade (`3.11.x` to `3.13.x`) may need special treatment regarding existing RabbitMQ instances. See https://www.rabbitmq.com/docs/upgrade#rabbitmq-version-upgradability . The major Helm chart version upgrade may (depending on your setup/values) need attention as well: https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq#upgrading (#4227)
Bug fixes and other updates
- Fixed API version check. It now has precedence over other checks, e.g. the method check. (#4152)
- Fix handling of defaults of `mlsE2EID` feature config (#4233)
- Match cipher suite tag in query parameters against key packages on replacing key packages (#4158)
- Users with SAML-SSO are allowed to delete their email address on the rest api. If they do that, the search indices are not updated correctly, and finding the user by the removed email address is still possible. (#4260)
- Re-add accidentally removed add-bot@v6 route in nginz, fixes #4302 (#4318)
- Exclude exception message from error response (#4153)
- Return HTTP 400 instead of 500 when property key is not printable ASCII (#4148)
- move cipher suite updates into the commit lock (#4151)
- Fix feature flag default calculation for `mlsMigration` and `enforceFileDownloadLocation` (#4265)
- Allow setting existing properties even if we have max properties (#4148)
- removed spam from nginx (nginz) by using the new style http/2 directive (#3901)
- brig: Make `GET /services/tags` work again (#4250)
- Process bounce and complaint notifications from SES correctly. (#4301)
Documentation
- Call graph of federated endpoints was removed from the docs (#4299)
- Restored LegalHold internal API swagger as part of Brig. (#4191)
- Fix: show openapi docs for blocked versions (#4309)
- Move docs from docs.wire.com to generated helper page served by brig (#4311)
- Deleted proteus-specific test documentation tags and added some new ...
2024-07-09 (Chart Release 5.5.0)
Bug fixes and other updates
- Fix names of metrics so they do not contain any dots (#4134)
2024-07-08 (Chart Release 5.4.0)
- Phone registration and login is not supported anymore. All API endpoints dealing with phone numbers and phone activation codes now fail with a 400 error. Brig options related to phone number support have now been deleted, namely: `setTwilio`, `setNexmo`, `setAllowlistPhonePrefixes`. (#4045)
API changes
- Internal API endpoints related to phone numbers have been removed.
  In brig: `iGetPhonePrefix`, `iDeletePhonePrefix`, `iPostPhonePrefix`.
  In stern: `get-users-by-phone`, `put-phone`. (#4045)
Features
- charts/coturn: support putting coturn into 'drain' mode when terminating pods, denying new incoming client connections. This speeds up graceful coturn restarts significantly. (#4098)
- Set the `shared` field of SFT usernames according to team settings (#4117)
- Updated the `mlsE2EId` feature config with two additional fields `crlProxy` and `useProxyOnMobile` (#4051)
- reject MLS messages for future epochs (#4110)
- Introduce more configuration options to the `coturn` helm chart (#4083)
- Update email templates to v1.0.121. (#4064)
- Support connecting to RabbitMQ over TLS. See "Configure RabbitMQ" section in the documentation for details. (#4094)
- Support connecting to Redis over TLS.
  It can be enabled by setting these options on the wire-server helm chart:
  ```yaml
  gundeck:
    config:
      redis:
        enableTls: true
        # When custom CAs are required, one of these must be set:
        tlsCa: <PEM encoded CA certificates>
        tlsCaSecretRef:
          name: <Name of the secret>
          key: <Key in the secret containing pem encoded CA Cert>
        # When TLS needs to be used without verification:
        insecureSkipVerifyTls: true
  ```
  (#4016)
Bug fixes and other updates
- fixed stern endpoint `/i/users/meta-info` (#4101)
- Log password reset errors instead of propagating them (#4114)
- Log request ids in brig. (#4086)
- Do not set update origin "scim" in public brig api. (#4072)
- Disabling legalhold before user's approval doesn't result in an error (#4104)
- Make scim-delete-user idempotent. Hide information about existing users (make delete idempotent) (#4120)
- Expose /providers/assets via nginz (#4082)
- federator: Expect a client certificate to be the certificate chain.
  Without this, openssl doesn't forward the whole chain, causing mTLS to not succeed. (#4089)
- Only resend proposals once after external commit (#4103)
- gundeck: Better tolerance for redis-cluster restarts (#4084)
- GHC does not support repeated --with-rtsopts options, and it simply applies the last one. This means many of the baked-in options were actually not being passed, including -N for some of the services and -T for cannon. (#4118)
- Ensure that a Request ID is logged whenever unexpected errors are caught in any service (#4059)
- charts/coturn: use allowed dir to write PID file (#4098)
- Make pending LH requests (with no LH devices listening yet) not throw LH policy errors. This helps e.g. in cases where a LH request is issued to the wrong user by accident, and the user can clear up the mistake. (#4056)
Documentation
- Adjust documentation for migrated helm charts (#4058)
Internal changes
- Adapt EJPD data to current requirements. (#3945)
- Port team feature tests to the `integration` package (#4063)
- Ported flaky legalhold test to the new integration test suite (#4057)
- Added profile update operations to the user subsystem. (#4046)
- Introduce authentication subsystem with password reset. (#4086)
- update nixpkgs and hence GHC version as well as some other tooling. (#4071)
- nginz: Added `allowlisted_fqdn_origins` to `nginx_conf` value (#4087)
- Add weeder for dead code elimination. (#4088)
- Introduce email subsystem (#4111)
- replace cabal.project.local template and update cabal.project (#4119)
- Add HTTP proxy in the local setup for elasticsearch in federation-v0. This makes it possible to use a single elasticsearch instance for both the main backends and federation-v0. (#4062)
- federator: Add metrics for garbage collections and unexpected errors that were caught (#4085)
- federator: Simplify polysemy setup to make it similar to other services so the interpreter is only used for hoisting the servant application and not explicitly inside handler of an endpoint (#4059)
- Added prometheus enable and datacenter size variables for k8ssandra-test-cluster helm chart. (#4011)
- Make `Handle` type abstract to guarantee it always contains valid Handles. (#4076)
- metrics-core: Delete `Data.Metrics` in favour of defining metrics closer to where they are being emitted (#4085)
- add more metadata into the meta attribute of all nix derivations produced locally (#4069)
- Do not log anything when warp kills a worker thread. (#4112)
- Introduce VerificationCodSubsystem (#4121)
- add tests for bots that use self-signed certs and add documentation on why we cannot test the bots to work with PKI (#4027)
2024-05-21 (Chart Release 5.3.0)
API changes
- /mls/keys use JWK instead of bare keys as MLS removal keys (#3548)
- The `cipher_suite` field is not present anymore in objects corresponding to newly created conversations (#4009)
Features
- Upgrade `rusty-jwt-tools` to support `ecdsa_secp256r1_sha256` (#4035)
- gundeck: Delete all APNS_VOIP and APNS_VOIP_SANDBOX push tokens (#4044)
Bug fixes and other updates
- gundeck: Fix parsing errors for SNS ARN for VOIP Tokens (#4040)
- Fix hardcoded ciphersuite when switching to mixed (#4048)
Internal changes
- Add tool to determine number of phone-only users (#4024)
- Log federator request ID on exceptions (#4037)
- Update mls-test-cli to version 0.12 (#4039)
- Remove inbucket helm chart. (#4032)
- Finish servantifying galley and remove wai-routing dependency (#4018)
- New subsystem for user management. (#3977)
- Clean up syntax of test cases that occur in BSI audit. (#4041)
2024-04-29 (Chart Release 5.2.0)
Important: Do not upgrade
If you upgrade to this version and there were users using the APNS_VOIP tokens, this will cause issues with notifications to those users.
Bug fixes and other updates
- charts/brig: Fix template for settings ES CA certs (#4022)
2024-04-25 (Chart Release 5.1.0)
Release notes
- There is a new optional Boolean in Brig's Helm chart, `config.multiSFT.enabled`, signalling whether calls between federated SFT servers are allowed. (#3915)
  IMPORTANT: The value of this new option needs to be set to the value of `multiSFT.enabled` in SFT's Helm chart. Otherwise federated SFT servers won't work.
  If provided, the field `is_federating` in the response of `/calls/config/v2` will reflect `multiSFT.enabled`'s value.
  Example:
  ```yaml
  # [brig/values.yaml]
  multiSFT:
    enabled: true
  ```
  Also, the optional object `sftToken` with its fields `ttl` and `secret` define whether an SFT credential would be rendered in the response of `/calls/config/v2`. The field `ttl` determines the seconds for the credential to be valid and `secret` is the path to the secret shared with SFT to create credentials.
  Example:
  ```yaml
  # [brig.yaml]
  sft:
    sftBaseDomain: sft.wire.example.com
    sftSRVServiceName: sft
    sftDiscoveryIntervalSeconds: 10
    sftListLength: 20
    sftToken:
      ttl: 120
      secret: /path/to/secret
  ```
- The "addClient" internal endpoint of galley has been changed. This can cause temporary failures during upgrades if brig attempts to use this endpoint on a different version of galley. (#3904)
- Removed the deprecated and unused field `geoDb` from Brig's config. (#3975)
- Added support for 3 more MLS ciphersuites. To enable MLS, all supported signature schemes (ed25519 and the three ecdsa variants) now need to have private keys specified in galley's configuration file. (#3964)
API changes
- Create version 6 of client-related endpoints, fixing an oddity in the serialisation of capabilities. (#3904)
- Add gzip request support to spar and proxy (#4013)
Features
- Backend validates display name during DPoP challenge (#3890)
- Add Helm chart `smallstep-accomp` that provides a CRL endpoint proxy for federated E2EI (#3896)
- Support for Elasticsearch password authentication (#3989, #3959, #3994, #3984, #2093, #2079)
- Support unblocking a user in an MLS 1-to-1 conversation (#3940)
- Add E2EI configuration setup to smallstep-accomp chart (#3944)
- Remove Helm migrated charts webapp, team-settings, account-pages, sftd (#3927)
- charts/nginz: Rate limiting claiming MLS key-packages by requesting and target user (#3918)
- Support connecting to Elasticsearch over TLS.
  It can be enabled by setting these options on the wire-server helm chart (#3989):
  ```yaml
  brig:
    config:
      elasticsearch:
        scheme: https
        # When custom CAs are required, one of these must be set:
        tlsCa: <PEM encoded CA certificates>
        tlsCaSecretRef:
          name: <Name of the secret>
          key: <Key in the secret containing pem encoded CA Cert>
        # When TLS needs to be used without verification:
        insecureSkipVerifyTls: true
  elasticsearch-index:
    elasticsearch:
      scheme: https
      # When custom CAs are required, one of these must be set:
      tlsCa: <PEM encoded CA certificates>
      tlsCaSecretRef:
        name: <Name of the secret>
        key: <Key in the secret containing pem encoded CA Cert>
      # When TLS needs to be used without verification:
      insecureSkipVerifyTls: true
  ```
- Make gundeck's notificationTTL configurable. The value defines how long notifications are (at most) stored in the database. Decreasing this value e.g. helps to save database space on test environments. (#3960)
- charts/nginz: Allow 3000 reqs/min on /conversations/one2one/:user_domain/:user (#3918)
- Support authenticating to redis (#3971)
Bug fixes and other updates
- Send connection cancelled event to local pending connection when user gets deleted (#3861)
- Optional `apiProxy` attribute added to `deeplink.json` in nginz chart (#3933)
- coturn cert-reloader sidecar config: process name should not contain the path (helm chart) (#3916)
- Prevent conflict on subsequent tries to provision a SCIM user (#3914)
- Avoid IO Exception when querying `GET /converations/{cnv_domain}/{cnv}/groupinfo` with public group state not set in galley.converation. (#3939)
- Return an actual list of other users in a remote MLS 1-to-1 conversation (#3998)
- charts/background-worker: Fix name of the service monitor (#3913)
- Fix crash when enqueuing an empty list of notifications and federation is disabled (#PR_NOT_FOUND)
- Add the request ID to the request's execution environment in gundeck, such that it can be logged. (#3903)
- The AWS SNS ARN was parsed by accumulating the environment name up to the first dash ('-') such that parts of this name spilled over into the app name. Now, we accumulate up to the last dash. (#3894)
- Fix bug where welcome notifications were generated for each client instead of for each user (#3907)
- Do not deliver MLS one-to-one conversation messages to a user that blocked the sender (#3889, #3906)
- Optimize getting all feature configs (#4002)
Documentation
- adds new coding-conventions.md and talks about the decision we made for `cs` (#4006)
- Distinguish UTCTime and UTCTimeMillis in swagger (#3899)
- Patch hole in scim docs regarding wire team role manipulation. (#3897)
Internal changes
- Create a new script (`Sbom.hs`) to generate the wire-server sbom (bill of material) file. (#3942)
- port flaking LH tests to new integration and improve the ergonomics of our testing library (#3876)
- some small refactorings to make it more clear in code what is happening when registering a scim token and an IdP (#3966)
- In order for the CRL-proxy to function correctly, it needs to have CORS headers set. We are now setting the CORS headers on the ingress level. (#3956)
- drop cs in all production code and from Imports (#4001)
- Galley's internal `DELETE /i/client/:clientID` now early-exits before visiting all conversations if the client is already gone. Galley now reports debug logs for every call to Cassandra. (#3985)
- move formatting and linting of haskell files to treefmt, remove some of the now unneeded rules (#4000)
- Integration test cases for strangely behaving feature config settings. (#4007)
- Add ldap-scim-bridge chart to the wire-server release (#3999)
- Disable `integration` subchart of `wire-server` by default (#3682)
- Provide password as value in `elasticsearch-ephemeral`. This way we can use different passwords on our test systems. Ensuring that the password is really configurable (and not accidentally hardcoded somewhere). (#3994)
- Upgraded fluent-bit chart to version 0.46.2. Added example values for fluent-bit helm chart for output to syslog server (#4012)
- Ported 2FA tests to the new integration test suite (#3986)
- To ensure certificate revocations get active in a short time frame, disable caching of proxy results on client side by setting respective HTTP headers. (#3952)
- Ensure that targets of the smallstep nginx proxy are resolved at runtime via the configured DNS server. This has two benefits: The target gets adjusted when it's changed at the DNS server. And, nginx doesn't fail to start when the target doesn't exist yet. (#3947)
- Use schema-profunctor for user event serialisation and introduce golden tests (#3912)
- Setup federation-v0 environment for use in integration tests:
- Add assets to output of ejpd-info end-point in stern; also:
  - [brig] now talks to cargohold for profile picture extraction;
  - [integration] migrate ejpd tests;
  - [integration] enhanced `shouldMatch` shows a diff on failure now;
  - [integration] added `shouldMatchLeniently` for rule-based canonicalization of arguments (#3875)
- Bump hsaml2, saml2-web-sso dependencies. (#3995)
- Remove support for push token transport types APNSVoIP, APNSVoIPSandbox from gundeck. (#3967)
- Include remote domain in federator error logs (#3919)
- Remove remaining splinters of wai-routing, wai-predicate from brig. (#3996)
Federation changes
- The on-conversation-updated notification is now queued instead of being sent directly. A new version of the notification has been introduced with a different JSON format for the body, mostly for testing purposes of the versioning system.
  Since the notification is now sent asynchronously, some error conditions in case of unreachable backends cannot be triggered anymore. (#3831)
- Versioning of backend to backend notifications. Notifications are now stored in "bundles" containing a serialised payload for each supported version. The background worker then dynamically selects the best version to use and sends only the notification corresponding to that version. (#3831)
2024-02-12 (Chart Release 4.41.0)
Release notes
- Updates Gundeck to remove unused `APNS_VOIP` related code.
- This supersedes 2024-02-12 (Chart Release 4.40.0)