WPB-4657 Disabling development versions

changelog.d/0-release-notes/WPB-4657

@@ -0,0 +1,3 @@
+The settings `setDisabledAPIVersions` (brig) and `disabledAPIVersions` (in cannon, cargohold, galley, gundeck, proxy, and spar) are now required.
+The default defined in `charts/<service>/values.yaml` is set to `[ development ]` and disables all development API versions.
+For more information see <https://docs.wire.com/developer/reference/config-options.html#disabling-api-versions>

changelog.d/5-internal/WPB-4657

@@ -0,0 +1 @@
+The development API version is now disabled by default

charts/brig/templates/configmap.yaml

@@ -323,9 +323,7 @@ data:
       {{- if .setOAuthEnabled }}
       setOAuthEnabled: {{ .setOAuthEnabled }}
       {{- end }}
-      {{- if .setDisabledAPIVersions }}
       setDisabledAPIVersions: {{ .setDisabledAPIVersions }}
-      {{- end }}
       {{- if .setOAuthRefreshTokenExpirationTimeSecs }}
       setOAuthRefreshTokenExpirationTimeSecs: {{ .setOAuthRefreshTokenExpirationTimeSecs }}
       {{- end }}

charts/brig/values.yaml

@@ -107,7 +107,7 @@ config:
     setOAuthMaxActiveRefreshTokens: 10
     # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
     # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-    # setDisabledAPIVersions: [ v3 ]
+    setDisabledAPIVersions: [ development ]
     setFederationStrategy: allowNone
     setFederationDomainConfigsUpdateFreq: 10
   smtp:

charts/cannon/templates/configmap.yaml

@@ -19,9 +19,7 @@ data:
       millisecondsBetweenBatches: {{ .Values.config.drainOpts.millisecondsBetweenBatches }}
       minBatchSize: {{ .Values.config.drainOpts.minBatchSize }}
 
-    {{- if .Values.config.disabledAPIVersions }}
     disabledAPIVersions: {{ .Values.config.disabledAPIVersions }}
-    {{- end }}
 
 kind: ConfigMap
 metadata:

charts/cannon/values.yaml

@@ -24,7 +24,7 @@ config:
 
   # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
   # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-  # disabledAPIVersions: [ v3 ]
+  disabledAPIVersions: [ development ]
 
 metrics:
   serviceMonitor:

charts/cargohold/templates/configmap.yaml

@@ -56,7 +56,5 @@ data:
       downloadLinkTTL: {{ .downloadLinkTTL }}
       {{- end }}
       federationDomain: {{ .federationDomain }}
-      {{- if .disabledAPIVersions }}
       disabledAPIVersions: {{ .disabledAPIVersions }}
       {{- end }}
-      {{- end }}

charts/cargohold/values.yaml

@@ -32,7 +32,7 @@ config:
     downloadLinkTTL: 300 # Seconds
     # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
     # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-    # disabledAPIVersions: [ v3 ]
+    disabledAPIVersions: [ development ]
 
 serviceAccount:
   # When setting this to 'false', either make sure that a service account named

charts/galley/templates/configmap.yaml

@@ -79,10 +79,8 @@ data:
         removal:
           ed25519: "/etc/wire/galley/secrets/removal_ed25519.pem"
         {{- end }}
-      {{- end -}}
-      {{- if .settings.disabledAPIVersions }}
-      disabledAPIVersions: {{ .settings.disabledAPIVersions }}
       {{- end }}
+      disabledAPIVersions: {{ .settings.disabledAPIVersions }}
       {{- if .settings.featureFlags }}
       {{- if .settings.guestLinkTTLSeconds }}
       guestLinkTTLSeconds: {{ .settings.guestLinkTTLSeconds }}

charts/galley/values.yaml

@@ -57,7 +57,7 @@ config:
     multiIngress: null
     # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
     # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-    # disabledAPIVersions: [ v3 ]
+    disabledAPIVersions: [ development ]
     # The lifetime of a conversation guest link in seconds. Must be a value 0 < x <= 31536000 (365 days)
     # Default is 31536000 (365 days) if not set
     guestLinkTTLSeconds: 31536000

charts/gundeck/templates/configmap.yaml

@@ -60,9 +60,7 @@ data:
       {{- if hasKey . "perNativePushConcurrency" }}
       perNativePushConcurrency: {{ .perNativePushConcurrency }}
       {{- end }}
-      {{- if .disabledAPIVersions }}
       disabledAPIVersions: {{ .disabledAPIVersions }}
-      {{- end }}
       # disabledAPIVersions: [ 2 ]
       maxConcurrentNativePushes:
         soft: {{ .maxConcurrentNativePushes.soft }}

charts/gundeck/values.yaml

@@ -44,7 +44,7 @@ config:
     soft: 1000
   # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
   # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-  # disabledAPIVersions: [ v3 ]
+  disabledAPIVersions: [ development ]
 
   # Maximum number of bytes loaded into memory when fetching (referenced) payloads.
   # Gundeck will return a truncated page if the whole page's payload sizes would exceed this limit in total.

charts/proxy/templates/configmap.yaml

@@ -7,9 +7,7 @@ data:
     logFormat: {{ .Values.config.logFormat }}
     logLevel: {{ .Values.config.logLevel }}
     logNetStrings: {{ .Values.config.logNetStrings }}
-    {{- if .Values.config.disabledAPIVersions }}
     disabledAPIVersions: {{ .Values.config.disabledAPIVersions }}
-    {{- end }}
     host: 0.0.0.0
     port: {{ .Values.service.internalPort }}
     httpPoolSize: 1000

charts/proxy/values.yaml

@@ -21,7 +21,7 @@ config:
   proxy: {}
   # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
   # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-  # disabledAPIVersions: [ v3 ]
+  disabledAPIVersions: [ development ]
 
 podSecurityContext:
   allowPrivilegeEscalation: false

charts/spar/templates/configmap.yaml

@@ -36,9 +36,7 @@ data:
 
     maxScimTokens: {{ .maxScimTokens }}
 
-    {{- if .disabledAPIVersions }}
     disabledAPIVersions: {{ .disabledAPIVersions }}
-    {{- end }}
 
     saml:
       version:     SAML2.0

charts/spar/values.yaml

@@ -34,7 +34,7 @@ config:
   proxy: {}
   # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
   # brig, cannon, cargohold, galley, gundeck, proxy, spar.
-  # disabledAPIVersions: [ v3 ]
+  disabledAPIVersions: [ development ]
 
 podSecurityContext:
   allowPrivilegeEscalation: false

docs/src/developer/reference/config-options.md

@@ -591,10 +591,6 @@ See {ref}`configure-federation-strategy-in-brig` (since [PR#3260](https://github
 
 ### API Versioning
 
-#### `setEnableDevelopmentVersions`
-
-This options determines whether development versions should be enabled. If set to `False`, all development versions are removed from the `supported` field of the `/api-version` endpoint. Note that they are still listed in the `development` field, and continue to work normally.
-
 ### OAuth
 
 For more information on OAuth please refer to <https://docs.wire.com/developer/reference/oauth.html>.
@@ -654,10 +650,9 @@ It is possible to disable one ore more API versions. When an API version is disa
 
 Each of the services brig, cannon, cargohold, galley, gundeck, proxy, spar should to be configured with the same set of disable API versions in each service's values.yaml config files.
 
-
 For example to disable API version v3, you need to configure:
 
-```
+```yaml
 # brig's values.yaml
 config.optSettings.setDisabledAPIVersions: [ v3 ]
 
@@ -671,7 +666,7 @@ config.settings.disabledAPIVersions: [ v3 ]
 config.settings.disabledAPIVersions: [ v3 ]
 
 # gundecks' values.yaml
-config.disabledAPIVersions: [ v3 ]
+config.settings.disabledAPIVersions: [ v3 ]
 
 # proxy's values.yaml
 config.disabledAPIVersions: [ v3 ]
@@ -680,7 +675,15 @@ config.disabledAPIVersions: [ v3 ]
 config.disabledAPIVersions: [ v3 ]
 ```
 
-The default setting is that no API version is disabled.
+The development API version(s) can be disabled either explicitly or by adding the `development` keyword to the list of disabled API versions. E.g.:
+
+```yaml
+config.disabledAPIVersions: [ v3, development ]
+```
+
+This setting is required to be present for all the services (brig, cannon, cargohold, galley, gundeck, proxy, and spar).
+
+The default value (provided under `charts/<service>/values.yaml`) is `[ development ]` and disables the development versions. To enable all versions including the development versions set the value to be empty: `[]`.
 
 ## Settings in cargohold
 

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -95,6 +95,7 @@ brig:
       setFederationDomain: integration.example.com
       setFederationStrategy: allowAll
       setFederationDomainConfigsUpdateFreq: 10
+      setDisabledAPIVersions: []
       set2FACodeGenerationDelaySecs: 5
       setNonceTtlSecs: 300
       setDpopMaxSkewSecs: 1
@@ -169,6 +170,8 @@ cannon:
     limits:
       memory: 512Mi
   drainTimeout: 0
+  config:
+    disabledAPIVersions: []
 cargohold:
   replicaCount: 1
   imagePullPolicy: {{ .Values.imagePullPolicy }}
@@ -184,6 +187,7 @@ cargohold:
     settings:
       # See helmfile for the real value
       federationDomain: integration.example.com
+      disabledAPIVersions: []
   secrets:
     awsKeyId: dummykey
     awsSecretKey: dummysecret
@@ -218,6 +222,8 @@ galley:
       conversationCodeURI: https://kube-staging-nginz-https.zinfra.io/conversation-join/
       # See helmfile for the real value
       federationDomain: integration.example.com
+      disabledAPIVersions: []
+
       featureFlags:
         sso: disabled-by-default  # this needs to be the default; tests can enable it when needed.
         legalhold: whitelist-teams-and-implicit-consent
@@ -289,6 +295,7 @@ gundeck:
       queueName: integration-gundeck-events
       sqsEndpoint: http://fake-aws-sqs:4568
       snsEndpoint: http://fake-aws-sns:4575
+    disabledAPIVersions: []
     bulkPush: true
     setMaxConcurrentNativePushes:
       hard: 30
@@ -341,6 +348,8 @@ proxy:
               giphy      = "..."
               spotify    = "Basic ..."
        }
+  config:
+    disabledAPIVersions: []
 spar:
   replicaCount: 1
   imagePullPolicy: {{ .Values.imagePullPolicy }}
@@ -368,6 +377,7 @@ spar:
     - type: ContactSupport
       company: Example Company
       email: email:backend+spar@wire.com
+    disabledAPIVersions: []
   tests:
     {{- if .Values.uploadXml }}
     config:

integration/integration.cabal

@@ -138,6 +138,7 @@ library
     Test.Services
     Test.Swagger
     Test.User
+    Test.Version
     Testlib.App
     Testlib.Assertions
     Testlib.Cannon

integration/test/API/Brig.hs

@@ -394,18 +394,16 @@ replaceKeyPackages cid suites kps = do
       & addJSONObject ["key_packages" .= map (T.decodeUtf8 . Base64.encode) kps]
 
 -- | https://staging-nginz-https.zinfra.io/v6/api/swagger-ui/#/default/get_self
-getSelf :: (HasCallStack, MakesValue caller) => caller -> App Response
-getSelf caller = do
-  req <- baseRequest caller Brig Versioned "/self"
-  submit "GET" req
+getSelf :: (HasCallStack, MakesValue user) => user -> App Response
+getSelf = getSelfWithVersion Versioned
+
+getSelfWithVersion :: (HasCallStack, MakesValue user) => Versioned -> user -> App Response
+getSelfWithVersion v user = baseRequest user Brig v "/self" >>= submit "GET"
 
 -- | https://staging-nginz-https.zinfra.io/v6/api/swagger-ui/#/default/get_self
 -- this is a low-level version of `getSelf` for testing some error conditions.
 getSelf' :: HasCallStack => String -> String -> App Response
-getSelf' domain uid = do
-  let user = object ["domain" .= domain, "id" .= uid]
-  req <- baseRequest user Brig Versioned "/self"
-  submit "GET" req
+getSelf' domain uid = getSelfWithVersion Versioned $ object ["domain" .= domain, "id" .= uid]
 
 data PutSelf = PutSelf
   { accent :: Maybe Int,

integration/test/Test/Demo.hs

@@ -105,7 +105,7 @@ testDynamicBackend = do
   ownDomain <- objDomain OwnDomain
   user <- randomUser OwnDomain def
   uid <- objId user
-  bindResponse (BrigP.getSelf' ownDomain uid) $ \resp -> do
+  bindResponse (BrigP.getSelf user) $ \resp -> do
     resp.status `shouldMatchInt` 200
     (resp.json %. "id") `shouldMatch` objId user
 
@@ -123,7 +123,7 @@ testDynamicBackend = do
     -- now create a user in the dynamic backend
     userD1 <- randomUser dynDomain def
     uidD1 <- objId userD1
-    bindResponse (BrigP.getSelf' dynDomain uidD1) $ \resp -> do
+    bindResponse (BrigP.getSelf userD1) $ \resp -> do
       resp.status `shouldMatchInt` 200
       (resp.json %. "id") `shouldMatch` objId userD1
 

integration/test/Test/Swagger.hs

@@ -23,13 +23,6 @@ testSwagger = do
       dev <- resp.json %. "development" & asSetOf asIntegral
       pure $ sup <> dev
     assertBool ("unexpected actually existing versions: " <> show actualVersions) $
-      -- make sure nobody has added a new version without adding it to `existingVersions`.
-      -- make sure nobody has added a new version without adding it to `existingVersions`.
-      -- ("subset" because blocked versions like v3 are not actually existing, but still
-      -- ("subset" because blocked versions like v3 are not actually existing, but still
-      -- documented.)
-      -- documented.)
-
       -- make sure nobody has added a new version without adding it to `existingVersions`.
       -- ("subset" because blocked versions like v3 are not actually existing, but still
       -- documented.)