From d090d5971200bde5194146057f7f1236f6771150 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 5 Jan 2026 11:31:38 +0100 Subject: [PATCH 01/22] test: wpb-21356 test for 5.14 backend version --- offline/tasks/proc_pull_charts.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh index 0ee754d9e..97cee1d17 100755 --- a/offline/tasks/proc_pull_charts.sh +++ b/offline/tasks/proc_pull_charts.sh @@ -94,5 +94,5 @@ pull_charts() { #fi } -wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/7b0217a27c1b127bf8f1fedbea9ec03a1e277d5a/build.json" +wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/refs/heads/wiab-dev-514/build.json" wire_build_chart_release "$wire_build" | pull_charts From b463f5020869a74250aa9646467b175694f53215 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 5 Jan 2026 12:14:58 +0100 Subject: [PATCH 02/22] fix: wpb-22439 fix handling of bitnami images for old charts --- offline/tasks/proc_pull_charts.sh | 11 ----------- offline/tasks/process_charts.sh | 8 ++++++++ 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh index 97cee1d17..53801aa80 100755 --- a/offline/tasks/proc_pull_charts.sh +++ b/offline/tasks/proc_pull_charts.sh 
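Review bot: The new `wire_build` URL points at the moving branch ref `refs/heads/wiab-dev-514`, replacing a commit-pinned URL, so the set of charts that `pull_charts` fetches can change without any change to this repository and two builds of the same revision are no longer guaranteed to be identical. If the branch pin is only for testing, as the subject suggests, a comment saying so would help, e.g. `# TODO: pin wire-builds back to a commit hash before release`; otherwise the commit-pinned form is the reproducible one for an offline artifact build. The body of pull_charts starts outside this hunk.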
@@ -81,17 +81,6 @@ pull_charts() { (cd "${OUTPUT_DIR}"/charts; helm pull --version "$version" --untar "$repo_short_name/$name") done echo "Pulling charts done." - - # Patch bitnami repository references in pulled charts - # Remove the extraction and replacement when there will be no more bitnami charts - #echo "Patching bitnami repository references..." - #SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - #PATCH_SCRIPT="${SCRIPT_DIR}/patch-chart-images.sh" - #if [[ -f "$PATCH_SCRIPT" ]]; then - # "$PATCH_SCRIPT" "${OUTPUT_DIR}/charts" - #else - # echo "Warning: patch-chart-images.sh not found at $PATCH_SCRIPT, skipping chart patching" - #fi } wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/refs/heads/wiab-dev-514/build.json" diff --git a/offline/tasks/process_charts.sh b/offline/tasks/process_charts.sh index f1c6f997d..6bb9823c8 100755 --- a/offline/tasks/process_charts.sh +++ b/offline/tasks/process_charts.sh @@ -53,6 +53,14 @@ done | list-helm-containers VALUES_DIR="${OUTPUT_DIR}"/values HELM_IMAGE_TREE_FI # containers (e.g. `quay.io_wire_galley-integration_4.22.0`.) sed -i '/-integration/d' "${HELM_IMAGE_TREE_FILE}" +# Replace docker.io/bitnami with docker.io/bitnamilegacy and log updated images +# https://github.com/bitnami/charts/issues/35164 +echo "Replacing bitnami with bitnamilegacy..." +sed -i 's|bitnami/|bitnamilegacy/|g' "${OUTPUT_DIR}"/images +sed -i 's|bitnami/|bitnamilegacy/|g' "${HELM_IMAGE_TREE_FILE}" +echo "Updated images:" +grep "bitnamilegacy" "${OUTPUT_DIR}"/images || echo "No bitnami images found" + grep -vE "$EXCLUDE_PATTERN" "${OUTPUT_DIR}"/images | create-container-dump "${OUTPUT_DIR}"/containers-helm tar cf "${OUTPUT_DIR}"/containers-helm.tar -C "${OUTPUT_DIR}" containers-helm From aab28ebb15adf2c52e138a03879dd6e28d828a0c Mon Sep 17 00:00:00 2001 
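Review bot: In the process_charts.sh hunk the two `sed -i 's|bitnami/|bitnamilegacy/|g'` calls rewrite every occurrence of `bitnami/` in the images list and the image tree, which is broader than the comment above them ("docker.io/bitnami") states: any image path that merely contains `bitnami/` is rewritten too. If only the Bitnami catalogue is meant and the list carries the registry prefix, anchoring the pattern, e.g. `s|docker.io/bitnami/|docker.io/bitnamilegacy/|g`, makes the code match the comment; if the broad match is intended, the comment should say so. It would also help readers to note next to the issue link that, as I read the linked issue, the `bitnamilegacy` repository is an archive that no longer receives updates, so images rewritten here should be treated as frozen and tracked for replacement.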
From: mohitrajain Date: Mon, 5 Jan 2026 14:34:46 +0100 Subject: [PATCH 03/22] fix: wpb-22439 handle zauth key generation logic for 5.14 --- bin/offline-secrets.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh index 158c06ba5..cddc9c5fc 100755 --- a/bin/offline-secrets.sh +++ b/bin/offline-secrets.sh @@ -15,7 +15,7 @@ minio_secret_key="$(tr -dc A-Za-z0-9 Date: Tue, 6 Jan 2026 13:14:43 +0100 Subject: [PATCH 04/22] fix: wpb-22439 disable MLS secret and postgresql secret generation, disable postgresql deployment for 5.14 release --- ansible/helm_external.yml | 1 + bin/offline-cluster.sh | 5 +++-- bin/offline-deploy.sh | 18 +++++++++--------- bin/offline-helm.sh | 26 +++++++++++++------------- bin/offline-secrets.sh | 28 ++++++++-------------------- 5 files changed, 34 insertions(+), 44 deletions(-) diff --git a/ansible/helm_external.yml b/ansible/helm_external.yml index 669d5a72f..df43b2108 100644 --- a/ansible/helm_external.yml +++ b/ansible/helm_external.yml @@ -49,6 +49,7 @@ - hosts: "postgresql" become: false + tags: postgresql-external tasks: - name: Create external IP directory for postgresql file: diff --git a/bin/offline-cluster.sh b/bin/offline-cluster.sh index 7b2a77586..f0c6fe597 100755 --- a/bin/offline-cluster.sh +++ b/bin/offline-cluster.sh 
@@ -50,10 +50,11 @@ ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/kubernetes.yml --skip-tags boot ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/cassandra.yml ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/elasticsearch.yml ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/minio.yml -ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/postgresql-deploy.yml + +#ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/postgresql-deploy.yml ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/roles/rabbitmq-cluster/tasks/configure_dns.yml ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/rabbitmq.yml # create helm values that tell our helm charts what the IP addresses of cassandra, elasticsearch and minio are: -ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/helm_external.yml +ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/helm_external.yml --skip-tags=postgresql-external diff --git a/bin/offline-deploy.sh b/bin/offline-deploy.sh index 4b38097fa..bcee6ccea 100755 --- a/bin/offline-deploy.sh +++ b/bin/offline-deploy.sh 
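Review bot: The commented-out `#ansible-playbook ... postgresql-deploy.yml` line carries no explanation of why it is disabled, and the same applies to the commented-out sync block in the offline-deploy.sh hunk and to the commented-out `sync_pg_secrets` function and `postgresql-external` install in the offline-helm.sh hunk of this patch. A one-line reason at each site, e.g. `# postgresql is not deployed for the 5.14 backend (wpb-22439)`, tells the next reader whether this is temporary. If the playbooks are not coming back, deleting the lines, as patch 11 later does for offline-deploy.sh, is cleaner than leaving commented-out code. Note that the added `--skip-tags=postgresql-external` only works together with the `tags: postgresql-external` play tag added in the helm_external.yml hunk of this patch.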
@@ -42,15 +42,15 @@ fi $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh # Sync PostgreSQL password from K8s secret to secrets.yaml -echo "Syncing PostgreSQL password from Kubernetes secret..." -sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \ - wire-postgresql-external-secret \ - password \ - values/wire-server/secrets.yaml \ - .brig.secrets.pgPassword \ - .galley.secrets.pgPassword \ - .spar.secrets.pgPassword \ - .gundeck.secrets.pgPassword +#echo "Syncing PostgreSQL password from Kubernetes secret..." +#sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \ +# wire-postgresql-external-secret \ +# password \ +# values/wire-server/secrets.yaml \ +# .brig.secrets.pgPassword \ +# .galley.secrets.pgPassword \ +# .spar.secrets.pgPassword \ +# .gundeck.secrets.pgPassword sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/offline-helm.sh diff --git a/bin/offline-helm.sh b/bin/offline-helm.sh index 8da9ec9de..1747d3a2e 100755 --- a/bin/offline-helm.sh +++ b/bin/offline-helm.sh 
@@ -3,26 +3,26 @@ set -euo pipefail set -x -sync_pg_secrets() { - # Sync postgresql secret - ./bin/sync-k8s-secret-to-wire-secrets.sh \ - wire-postgresql-external-secret \ - password \ - values/wire-server/secrets.yaml \ - .brig.secrets.pgPassword \ - .galley.secrets.pgPassword \ - .spar.secrets.pgPassword \ - .gundeck.secrets.pgPassword -} +#sync_pg_secrets() { +# # Sync postgresql secret +# ./bin/sync-k8s-secret-to-wire-secrets.sh \ +# wire-postgresql-external-secret \ +# password \ +# values/wire-server/secrets.yaml \ +# .brig.secrets.pgPassword \ +# .galley.secrets.pgPassword \ +# .spar.secrets.pgPassword \ +# .gundeck.secrets.pgPassword +#} helm upgrade --install --wait cassandra-external ./charts/cassandra-external --values ./values/cassandra-external/values.yaml -helm upgrade --install --wait postgresql-external ./charts/postgresql-external --values ./values/postgresql-external/values.yaml +#helm upgrade --install --wait postgresql-external ./charts/postgresql-external --values ./values/postgresql-external/values.yaml helm upgrade --install --wait elasticsearch-external ./charts/elasticsearch-external --values ./values/elasticsearch-external/values.yaml helm upgrade --install --wait minio-external ./charts/minio-external --values ./values/minio-external/values.yaml helm upgrade --install --wait rabbitmq-external ./charts/rabbitmq-external --values ./values/rabbitmq-external/values.yaml helm upgrade --install --wait fake-aws ./charts/fake-aws --values ./values/fake-aws/prod-values.example.yaml -sync_pg_secrets +#sync_pg_secrets # ensure that the RELAY_NETWORKS value is set to the podCIDR SMTP_VALUES_FILE="./values/smtp/prod-values.example.yaml" diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh index cddc9c5fc..07bff7987 100755 --- a/bin/offline-secrets.sh +++ b/bin/offline-secrets.sh 
@@ -24,22 +24,21 @@ prometheus_pass="$(tr -dc A-Za-z0-9 secrets > mlsPrivateKeys > removal > keyname) -readonly MLS_KEY_INDENT=" " -generate_mls_key() { - openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}' -} +#readonly MLS_KEY_INDENT=" " +#generate_mls_key() { +# openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}' +#} -mls_ed25519_key="$(generate_mls_key -algorithm ed25519)" -mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)" -mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)" -mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)" +#mls_ed25519_key="$(generate_mls_key -algorithm ed25519)" +#mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)" +#mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)" +#mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)" if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]; then echo "Writing $VALUES_DIR/wire-server/secrets.yaml" cat < $VALUES_DIR/wire-server/secrets.yaml brig: secrets: - pgPassword: verysecurepassword smtpPassword: dummyPassword zAuth: publicKeys: "$zauth_public" @@ -76,19 +75,8 @@ galley: rabbitmq: username: guest password: guest - pgPassword: verysecurepassword awsKeyId: dummykey awsSecretKey: dummysecret - mlsPrivateKeys: - removal: - ed25519: | -$mls_ed25519_key - ecdsa_secp256r1_sha256: | -$mls_ecdsa_p256_key - ecdsa_secp384r1_sha384: | -$mls_ecdsa_p384_key - ecdsa_secp521r1_sha512: | -$mls_ecdsa_p521_key gundeck: secrets: awsKeyId: dummykey From 5d3b65729f631ae5e2e14874113bba87d9ac5f06 Mon Sep 17 00:00:00 2001 
From: mohitrajain Date: Wed, 7 Jan 2026 20:43:53 +0100 Subject: [PATCH 05/22] fix: wpb-22439 fix rabbitmq, redis and smtp helm charts to work with 5.14 --- .../demo-values.example.yaml | 4 ++++ values/demo-smtp/prod-values.example.yaml | 23 +++++++++++++++++++ values/rabbitmq/prod-values.example.yaml | 4 ++++ 3 files changed, 31 insertions(+) create mode 100644 values/demo-smtp/prod-values.example.yaml diff --git a/values/databases-ephemeral/demo-values.example.yaml b/values/databases-ephemeral/demo-values.example.yaml index 4114af7b7..9788f4e17 100644 --- a/values/databases-ephemeral/demo-values.example.yaml +++ b/values/databases-ephemeral/demo-values.example.yaml @@ -13,3 +13,7 @@ redis-ephemeral: requests: cpu: "500m" memory: "512Mi" + image: + registry: docker.io + repository: bitnamilegacy/redis + tag: 7.2.5 diff --git a/values/demo-smtp/prod-values.example.yaml b/values/demo-smtp/prod-values.example.yaml new file mode 100644 index 000000000..87cc4a162 --- /dev/null +++ b/values/demo-smtp/prod-values.example.yaml 
@@ -0,0 +1,23 @@ +# CHANGEME-PROD: This is often a good default when using calico's default CIDR +# https://github.com/kubernetes-sigs/kubespray/blob/master/docs/calico.md#optional--define-the-default-pool-cidr +# or flannel's https://github.com/kubernetes-sigs/kubespray/blob/master/docs/flannel.md#flannel +# If you override those values, etc., then verify that this CIDR still makes sense +# For all variables the "ixdotai/smtp" image supports see: https://github.com/ix-ai/smtp#readme +envVars: + RELAY_NETWORKS: ":10.233.0.0/16" +# +# PORT: "25" +# NET_DEV: eth0 +# OTHER_HOSTNAMES: other.example.com +# DISABLE_IPV6: 1 +# BIND_IP: 0.0.0.0 +# BIND_IP6: ::0 +# MAILNAME: mail.example.com +# DKIM_KEY_PATH: /etc/exim4/dkim.key +# KEY_PATH: /path/to/key.crt +# CERTIFICATE_PATH: /path/to/certificate.crt +# SMARTHOST_ADDRESS: mail.example.com +# SMARTHOST_PORT: "587" +# SMARTHOST_USER: exampleuser +# SMARTHOST_PASSWORD: secret +# SMARTHOST_ALIASES: "*.example.com" diff --git a/values/rabbitmq/prod-values.example.yaml b/values/rabbitmq/prod-values.example.yaml index cc6b67dbf..7f9bc6999 100644 --- a/values/rabbitmq/prod-values.example.yaml +++ b/values/rabbitmq/prod-values.example.yaml @@ -10,3 +10,7 @@ rabbitmq: ### also, you can refer to offline/local_persistent_storage_k8s.md ### for deploying openebs for dynamic volume provisioning # storageClass: openebs-hostpath + image: + registry: docker.io + repository: bitnamilegacy/rabbitmq + tag: 3.13.7-debian-12-r2 From c7007c6a66e2fc63bb2b96188bac751a4c6b4ee0 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 7 Jan 2026 20:45:00 +0100 Subject: [PATCH 06/22] fix: wpb-22439 fix offline-helm.sh and wire-server values for 5.14 --- bin/offline-helm.sh | 4 ++-- values/wire-server/prod-values.example.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/offline-helm.sh b/bin/offline-helm.sh index 1747d3a2e..bf6ddf2bf 100755 --- a/bin/offline-helm.sh +++ b/bin/offline-helm.sh 
@@ -25,7 +25,7 @@ helm upgrade --install --wait fake-aws ./charts/fake-aws --values ./values/fake- #sync_pg_secrets # ensure that the RELAY_NETWORKS value is set to the podCIDR -SMTP_VALUES_FILE="./values/smtp/prod-values.example.yaml" +SMTP_VALUES_FILE="./values/demo-smtp/prod-values.example.yaml" podCIDR=$(kubectl get configmap -n kube-system kubeadm-config -o yaml | grep -i 'podSubnet' | awk '{print $2}' 2>/dev/null) if [[ $? -eq 0 && -n "$podCIDR" ]]; then @@ -33,7 +33,7 @@ if [[ $? -eq 0 && -n "$podCIDR" ]]; then else echo "Failed to fetch podSubnet. Attention using the default value: $(grep -i RELAY_NETWORKS $SMTP_VALUES_FILE)" fi -helm upgrade --install --wait smtp ./charts/smtp --values $SMTP_VALUES_FILE +helm upgrade --install --wait demo-smtp ./charts/demo-smtp --values $SMTP_VALUES_FILE # helm upgrade --install --wait rabbitmq ./charts/rabbitmq --values ./values/rabbitmq/prod-values.example.yaml --values ./values/rabbitmq/prod-secrets.example.yaml diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index 9af281071..c720010ee 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml @@ -92,7 +92,7 @@ brig: deletionUrl: https://account.example.com/d/?key=${key}&code=${code} invitationUrl: https://account.example.com/i/${code} smtp: - host: smtp # change this if you want to use your own SMTP server + host: demo-smtp # change this if you want to use your own SMTP server port: 25 # change this connType: plain # change this. Possible values: plain|ssl|tls # proxy: From 2cd30abf07b5c5138a4f9666af460f6fbcb5d574 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 8 Jan 2026 11:34:11 +0100 Subject: [PATCH 07/22] fix: wpb-22439 databases-ephemeral docker image values --- values/databases-ephemeral/demo-values.example.yaml | 4 ---- values/databases-ephemeral/prod-values.example.yaml | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/values/databases-ephemeral/demo-values.example.yaml b/values/databases-ephemeral/demo-values.example.yaml index 9788f4e17..4114af7b7 100644 --- a/values/databases-ephemeral/demo-values.example.yaml +++ b/values/databases-ephemeral/demo-values.example.yaml @@ -13,7 +13,3 @@ redis-ephemeral: requests: cpu: "500m" memory: "512Mi" - image: - registry: docker.io - repository: bitnamilegacy/redis - tag: 7.2.5 diff --git a/values/databases-ephemeral/prod-values.example.yaml b/values/databases-ephemeral/prod-values.example.yaml index 67a481b01..635f7513f 100644 --- a/values/databases-ephemeral/prod-values.example.yaml +++ b/values/databases-ephemeral/prod-values.example.yaml @@ -13,3 +13,7 @@ redis-ephemeral: requests: cpu: "500m" memory: "512Mi" + image: + registry: docker.io + repository: bitnamilegacy/redis + tag: 7.2.5 From bdb9809a87e024e8b7ec143c8a4c5a2343465e05 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 8 Jan 2026 16:12:44 +0100 Subject: [PATCH 08/22] fix: wpb-22439 fix smallsetp-accomp for 514 wire-builds --- values/smallstep-accomp/prod-values.example.yaml | 9 +++++++++ values/wire-server/prod-secrets.example.yaml | 4 ++-- values/wire-server/prod-values.example.yaml | 12 ++++++------ 3 files changed, 17 insertions(+), 8 deletions(-) diff --git a/values/smallstep-accomp/prod-values.example.yaml b/values/smallstep-accomp/prod-values.example.yaml index 9fc03e8a5..e53ab4b56 100644 --- a/values/smallstep-accomp/prod-values.example.yaml +++ b/values/smallstep-accomp/prod-values.example.yaml @@ -1,4 +1,13 @@ +global: + security: + allowInsecureImages: true + nginx: + image: + registry: docker.io + repository: bitnamilegacy/nginx + tag: "1.27.3-debian-12-r5" + pullPolicy: IfNotPresent existingServerBlockConfigmap: "smallstep-accomp-server-block" service: diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml index 30ab8e519..a397769c6 100644 --- a/values/wire-server/prod-secrets.example.yaml 
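Review bot: In the smallstep-accomp hunk `global.security.allowInsecureImages: true` is added without a comment, and as I understand the Bitnami chart check it is the switch that makes the chart accept an image other than the one it ships with, here the `bitnamilegacy/nginx` image below, which is pinned by tag only. A comment should say why the flag is needed and what it disables, e.g. `# required so the chart accepts the bitnamilegacy/nginx image below; the chart otherwise rejects non-default images`. Since a tag can be re-pushed, pinning the image by digest as well (if the subchart's image block supports a `digest` key, e.g. `digest: "sha256:<DIGEST-PLACEHOLDER>"`) would keep the verification the flag turns off.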
+++ b/values/wire-server/prod-secrets.example.yaml @@ -2,7 +2,7 @@ brig: secrets: #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d" - pgPassword: verysecurepassword + #pgPassword: verysecurepassword smtpPassword: dummyPassword zAuth: @@ -48,7 +48,7 @@ cargohold: galley: secrets: #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d" - pgPassword: verysecurepassword + #pgPassword: verysecurepassword # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index c720010ee..fd55006b1 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml @@ -172,11 +172,11 @@ galley: host: cassandra-external rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external host: rabbitmq-external - postgresql: - host: postgresql-external-rw # DNS name without protocol - port: "5432" - user: wire-server - dbname: wire-server + #postgresql: + # host: postgresql-external-rw # DNS name without protocol + # port: "5432" + # user: wire-server + # dbname: wire-server enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -262,7 +262,7 @@ nginz: # tag: some-tag (only override if you want a newer/different version than what is in the chart) nginx_conf: # using prod means mostly that some internal endpoints are not exposed - dns_resolver: coredns + # dns_resolver: coredns env: prod external_env_domain: example.com deeplink: From 6697ff6ae96647d72dbc4cf66220daba9bbddbb6 Mon Sep 17 00:00:00 2001 
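Review bot: In both prod-secrets hunks the instruction comment `#retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret ..."` is kept directly above the now commented-out `#pgPassword` key, so it reads as an instruction for a value that is no longer used. Either drop that comment or reword it, e.g. `# pgPassword is not used by the 5.14 backend; the kubectl command below applies only when postgresql is deployed`, so a reader does not restore the key on the strength of the comment alone. The nginz hunk likewise comments out `dns_resolver: coredns` without saying what the chart falls back to; a short note there would help if the default is known.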
From: mohitrajain Date: Fri, 9 Jan 2026 12:35:38 +0100 Subject: [PATCH 09/22] fix: wpb-22439 rebase --- ansible/inventory/offline/staging.yml | 29 +-------------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/ansible/inventory/offline/staging.yml b/ansible/inventory/offline/staging.yml index 4c4bf4dbf..1a50266fe 100644 --- a/ansible/inventory/offline/staging.yml +++ b/ansible/inventory/offline/staging.yml @@ -82,31 +82,4 @@ rmq-cluster: # host name here must match each node's actual hostname rabbitmq_cluster_master: datanode1 -postgresql: - children: - datanodes: {} - vars: - wire_dbname: wire-server - postgresql_network_interface: enp1s0 - repmgr_node_config: - datanode1: # Maps to postgresql_rw group - node_id: 1 - priority: 150 - role: primary - datanode2: # Maps to first postgresql_ro - node_id: 2 - priority: 100 - role: standby - datanode3: # Maps to second postgresql_ro - node_id: 3 - priority: 50 - role: standby - -postgresql_rw: - hosts: - datanode1: {} - -postgresql_ro: - hosts: - datanode2: {} - datanode3: {} +postgresql: {} From d9cb1e9384e9f3bc8affc2df76ce072c484de5f7 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Fri, 16 Jan 2026 18:17:50 +0100 Subject: [PATCH 10/22] fix: wpb-22439 remove mls config from wire-server 514 --- values/wire-server/prod-values.example.yaml | 30 --------------------- 1 file changed, 30 deletions(-) diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index fd55006b1..8dd1ead23 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml 
@@ -55,7 +55,6 @@ brig: # TODO: BUG! 5.23 brig charts wont deploy in CI unless federation is enabled! enableFederation: true # Enable to use federation optSettings: - setEnableMLS: false # Enable for MLS protocol use setFederationDomain: example.com # change this # Sync the domain with the 'host' variable in the sftd chart # Comment the next line (by adding '#' before it) if conference calling is not used @@ -184,35 +183,6 @@ galley: federationDomain: example.com # change this # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) featureFlags: - mls: - defaults: - status: enabled - config: - protocolToggleUsers: [] - defaultProtocol: mls - allowedCipherSuites: [2] - defaultCipherSuite: 2 - supportedProtocols: [proteus, mls] - lockStatus: unlocked - mlsMigration: - defaults: - status: enabled - config: - startTime: null - finalizeRegardlessAfter: null - usersThreshold: 100 - clientsThreshold: 100 - lockStatus: unlocked - sso: enabled-by-default - # channels: # Uncomment to enable channels by default for all newly created teams - # defaults: - # status: enabled - # config: - # allowed_to_create_channels: team-members - # allowed_to_open_channels: team-members - # lockStatus: unlocked - # NOTE: Change this to "disabled-by-default" for legalhold support - # legalhold: disabled-by-default legalhold: disabled-permanently teamSearchVisibility: disabled-by-default aws: From f03775b238bad9ab6f14f486bb41aa05a3d35b58 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 19 Jan 2026 19:04:36 +0100 Subject: [PATCH 11/22] fix: wpb-22439 bring changes from PR848 --- bin/offline-deploy.sh | 14 +------------ bin/offline-secrets.sh | 27 ++++++++++---------------- values/coturn/prod-values.example.yaml | 4 ++-- values/sftd/prod-values.example.yaml | 2 +- 4 files changed, 14 insertions(+), 33 deletions(-) diff --git a/bin/offline-deploy.sh b/bin/offline-deploy.sh index bcee6ccea..61c7d3dfa 100755 --- a/bin/offline-deploy.sh +++ b/bin/offline-deploy.sh 
@@ -41,16 +41,4 @@ fi $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh -# Sync PostgreSQL password from K8s secret to secrets.yaml -#echo "Syncing PostgreSQL password from Kubernetes secret..." -#sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \ -# wire-postgresql-external-secret \ -# password \ -# values/wire-server/secrets.yaml \ -# .brig.secrets.pgPassword \ -# .galley.secrets.pgPassword \ -# .spar.secrets.pgPassword \ -# .gundeck.secrets.pgPassword - - -sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/offline-helm.sh +sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/helm-operations.sh diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh index 07bff7987..5539ccf55 100755 --- a/bin/offline-secrets.sh +++ b/bin/offline-secrets.sh @@ -22,21 +22,8 @@ zauth_private=$(echo "$zauth" | awk 'NR==2{ print $2}') prometheus_pass="$(tr -dc A-Za-z0-9 secrets > mlsPrivateKeys > removal > keyname) -#readonly MLS_KEY_INDENT=" " -#generate_mls_key() { -# openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}' -#} - -#mls_ed25519_key="$(generate_mls_key -algorithm ed25519)" -#mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)" -#mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)" -#mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)" - -if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]; then - echo "Writing $VALUES_DIR/wire-server/secrets.yaml" - cat < $VALUES_DIR/wire-server/secrets.yaml +echo "Writing $VALUES_DIR/wire-server/prod-secrets.example.yaml" +cat < $VALUES_DIR/wire-server/prod-secrets.example.yaml brig: secrets: smtpPassword: dummyPassword 
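Review bot: The offline-deploy.sh hunk now runs `./bin/helm-operations.sh` inside the container, but the only `helm-operations.sh` this series adds is `offline/helm-operations.sh` (patch 12), so unless `bin/` gets a copy or symlink outside this series the deploy step will fail to find the script. Either change the line to `sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./offline/helm-operations.sh` or add the file under `bin/`. Worth a comment either way naming which script replaces offline-helm.sh and why.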
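Review bot: The offline-secrets.sh hunk removes the `if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]` guard and writes the generated material to `prod-secrets.example.yaml` instead, so every run regenerates the file from the fresh values computed above it (`zauth_private=` is visible in the hunk context); a re-run on an existing deployment silently replaces the previously issued keys in that template. The same unconditional write is added for `coturn/prod-secrets.example.yaml` in the next hunk (with `$zrest`, defined outside these hunks), while `PROM_AUTH_FILE` keeps its `! -f` guard, so the three sites are now inconsistent. The `.example.yaml` names also suggest tracked template files; if they are tracked, generated keys land in a file that a routine commit would capture. Either keep the guard for all three, or write to an untracked file and document the intended flow with a comment such as `# regenerated on every run; prod-secrets.example.yaml is the template that helm-operations.sh copies to secrets.yaml`, if that is indeed the design.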
@@ -103,7 +90,13 @@ background-worker: password: guest EOF -fi +echo "Writing $VALUES_DIR/coturn/prod-secrets.example.yaml" +cat < $VALUES_DIR/coturn/prod-secrets.example.yaml +secrets: + zrestSecrets: + - "$zrest" +EOF + if [[ ! -f $ANSIBLE_DIR/inventory/offline/group_vars/all/secrets.yaml ]]; then echo "Writing $ANSIBLE_DIR/inventory/offline/group_vars/all/secrets.yaml" @@ -115,7 +108,7 @@ minio_cargohold_secret_key: "$minio_cargohold_secret_key" EOT fi -PROM_AUTH_FILE="$VALUES_DIR/kube-prometheus-stack/secrets.yaml" +PROM_AUTH_FILE="$VALUES_DIR/kube-prometheus-stack/prod-secrets.example.yaml" if [[ ! -f $PROM_AUTH_FILE ]]; then echo "Writing $PROM_AUTH_FILE" cat < $PROM_AUTH_FILE diff --git a/values/coturn/prod-values.example.yaml b/values/coturn/prod-values.example.yaml index adde645db..9725dfa4f 100644 --- a/values/coturn/prod-values.example.yaml +++ b/values/coturn/prod-values.example.yaml @@ -1,5 +1,5 @@ # using upstream values for coturn helm -replicaCount: 3 +replicaCount: 1 # image: # tag: some-tag # (only override if you want a newer/different version than what is in the chart) config: @@ -10,7 +10,7 @@ config: coturnTurnExternalIP: "__COTURN_EXT_IP__" coturnTurnListenIP: "__COTURN_HOST_IP__" coturnTurnRelayIP: "__COTURN_HOST_IP__" -coturnFederationListeningIP: "__COTURN_HOST_IP__" +# coturnFederationListeningIP: "__COTURN_HOST_IP__" # Uncomment to enable federation # federate: # enabled: true diff --git a/values/sftd/prod-values.example.yaml b/values/sftd/prod-values.example.yaml index 1455a180c..e10f2d60a 100644 --- a/values/sftd/prod-values.example.yaml +++ b/values/sftd/prod-values.example.yaml @@ -1,4 +1,4 @@ -replicaCount: 3 +replicaCount: 1 # image: # tag: some-tag # (only override if you want a newer/different version than what is in the chart) allowOrigin: https://webapp.example.com From 97091679da471b883a58a3936912d88017cfee2d Mon Sep 17 00:00:00 2001 
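Review bot: The coturn and sftd hunks lower `replicaCount` from 3 to 1 in the prod example values, which removes redundancy for the calling path, and nothing on the line says whether this is a production recommendation or a fit for the test environment. This file already uses `# CHANGEME-PROD:` markers for values that must be revisited, so `replicaCount: 1 # CHANGEME-PROD: raise to 3 for a highly available deployment` would make the intent explicit in both files. The commented-out `# coturnFederationListeningIP` in the coturn hunk would likewise benefit from a word on why it is disabled, given the federation block below it is also commented.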
From: mohitrajain Date: Mon, 19 Jan 2026 19:04:47 +0100 Subject: [PATCH 12/22] fix: wpb-22439 bring changes from PR848 --- offline/helm-operations.sh | 193 +++++++++++++++++++++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100755 offline/helm-operations.sh diff --git a/offline/helm-operations.sh b/offline/helm-operations.sh new file mode 100755 index 000000000..6be1fa3b1 --- /dev/null +++ b/offline/helm-operations.sh 
@@ -0,0 +1,193 @@ +#!/usr/bin/env bash +# shellcheck disable=SC2087 +set -Eeo pipefail + +# Read values from environment variables with defaults +BASE_DIR="/wire-server-deploy" +TARGET_SYSTEM="example.dev" +CERT_MASTER_EMAIL="certmaster@${TARGET_SYSTEM}" + +# this IP should match the DNS A record value for TARGET_SYSTEM +# assuming it to be the public address used by clients to reach public Address +HOST_IP="" +if [ -z "$HOST_IP" ]; then +HOST_IP=$(wget -qO- https://api.ipify.org) +fi + +# picking a node for calling traffic (3rd kube worker node) +CALLING_NODE=$(kubectl get nodes --no-headers | tail -n 1 | awk '{print $1}') +if [[ -z "$CALLING_NODE" ]]; then + echo "Error: could not determine the last kube worker node via kubectl" + exit 1 +fi + +# Creates values.yaml from prod-values.example.yaml and secrets.yaml from prod-secrets.example.yaml +# Works on all chart directories in $BASE_DIR/values/ +process_values() { + + ENV=$1 + TYPE=$2 + charts=(fake-aws demo-smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) + + if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then + echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'" + exit 1 + fi + timestp=$(date +"%Y%m%d_%H%M%S") + + for chart in "${charts[@]}"; do + chart_dir="$BASE_DIR/values/$chart" + if [[ -d "$chart_dir" ]]; then + if [[ -f "$chart_dir/${ENV}-${TYPE}.example.yaml" ]]; then + if [[ ! -f "$chart_dir/${TYPE}.yaml" ]]; then + cp "$chart_dir/${ENV}-${TYPE}.example.yaml" "$chart_dir/${TYPE}.yaml" + echo "Used template ${ENV}-${TYPE}.example.yaml to create $chart_dir/${TYPE}.yaml" + else + echo "$chart_dir/${TYPE}.yaml already exists, archiving it and creating a new one." 
+ mv "$chart_dir/${TYPE}.yaml" "$chart_dir/${TYPE}.yaml.bak.$timestp" + cp "$chart_dir/${ENV}-${TYPE}.example.yaml" "$chart_dir/${TYPE}.yaml" + fi + fi + fi + done +} + +# selectively setting values of following charts which requires additional values +# wire-server, webapp, team-settings, account-pages, nginx-ingress-services, sftd and coturn +configure_values() { + + TEMP_DIR=$(mktemp -d) + trap 'rm -rf $TEMP_DIR' EXIT + + # to find IP address of calling NODE + CALLING_NODE_IP=$(kubectl get node "$CALLING_NODE" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}') + + # Fixing the hosts with TARGET_SYSTEM and setting the turn server + sed -e "s/example.com/$TARGET_SYSTEM/g" \ + "$BASE_DIR/values/wire-server/values.yaml" > "$TEMP_DIR/wire-server-values.yaml" + + # fixing the turnStatic values + yq eval -i ".brig.turnStatic.v2 = [\"turn:$HOST_IP:3478\", \"turn:$HOST_IP:3478?transport=tcp\"]" "$TEMP_DIR/wire-server-values.yaml" + + # Fixing the hosts in webapp team-settings and account-pages charts + for chart in webapp team-settings account-pages; do + sed "s/example.com/$TARGET_SYSTEM/g" "$BASE_DIR/values/$chart/values.yaml" > "$TEMP_DIR/$chart-values.yaml" + done + + # Setting certManager and DNS records + sed -e 's/useCertManager: false/useCertManager: true/g' \ + -e "/certmasterEmail:$/s/certmasterEmail:/certmasterEmail: $CERT_MASTER_EMAIL/" \ + -e "s/example.com/$TARGET_SYSTEM/" \ + "$BASE_DIR/values/nginx-ingress-services/values.yaml" > "$TEMP_DIR/nginx-ingress-services-values.yaml" + + # Fixing SFTD hosts and setting the cert-manager to http01 + sed -e "s/webapp.example.com/webapp.$TARGET_SYSTEM/" \ + -e "s/sftd.example.com/sftd.$TARGET_SYSTEM/" \ + -e 's/name: letsencrypt-prod/name: letsencrypt-http01/' \ + "$BASE_DIR/values/sftd/values.yaml" > "$TEMP_DIR/sftd-values.yaml" + + # Setting coturn node IP values + yq eval -i ".coturnTurnListenIP = \"$CALLING_NODE_IP\"" "$BASE_DIR/values/coturn/values.yaml" + yq eval -i ".coturnTurnRelayIP = 
\"$CALLING_NODE_IP\"" "$BASE_DIR/values/coturn/values.yaml" + yq eval -i ".coturnTurnExternalIP = \"$HOST_IP\"" "$BASE_DIR/values/coturn/values.yaml" + + # Compare and copy files if different + for file in wire-server-values.yaml webapp-values.yaml team-settings-values.yaml account-pages-values.yaml \ + nginx-ingress-services-values.yaml sftd-values.yaml; do + if ! cmp -s "$TEMP_DIR/$file" "$BASE_DIR/values/${file%-values.yaml}/values.yaml"; then + cp "$TEMP_DIR/$file" "$BASE_DIR/values/${file%-values.yaml}/values.yaml" + echo "Updating $BASE_DIR/values/${file%-values.yaml}/values.yaml" + fi + done + +} + +deploy_charts() { + + local charts=("$@") + echo "Following charts will be deployed: ${charts[*]}" + + for chart in "${charts[@]}"; do + chart_dir="$BASE_DIR/charts/$chart" + values_file="$BASE_DIR/values/$chart/values.yaml" + secrets_file="$BASE_DIR/values/$chart/secrets.yaml" + + if [[ ! -d "$chart_dir" ]]; then + echo "Error: Chart directory $chart_dir does not exist. Exiting fix the charts" + exit 1 + fi + + if [[ ! -f "$values_file" ]]; then + echo "Warning: Values file $values_file does not exist. Deploying without values." + values_file="" + fi + + if [[ ! 
-f "$secrets_file" ]]; then + secrets_file="" + fi + + helm_command="helm upgrade --install --wait --timeout=15m0s $chart $chart_dir" + + if [[ -n "$values_file" ]]; then + helm_command+=" --values $values_file" + fi + + if [[ -n "$secrets_file" ]]; then + helm_command+=" --values $secrets_file" + fi + + echo "Deploying $chart as $helm_command" + eval "$helm_command" + done + + # display running pods post deploying all helm charts in default namespace + kubectl get pods --sort-by=.metadata.creationTimestamp +} + +deploy_cert_manager() { + + kubectl get namespace cert-manager-ns || kubectl create namespace cert-manager-ns + helm upgrade --install -n cert-manager-ns cert-manager "$BASE_DIR/charts/cert-manager" --values "$BASE_DIR/values/cert-manager/values.yaml" + + # display running pods + kubectl get pods --sort-by=.metadata.creationTimestamp -n cert-manager-ns +} + +deploy_calling_services() { + + echo "Deploying sftd and coturn" + # select the node to deploy sftd + kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite + helm upgrade --install sftd "$BASE_DIR/charts/sftd" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/sftd/values.yaml" + + kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite + helm upgrade --install coturn "$BASE_DIR/charts/coturn" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/coturn/values.yaml" --values "$BASE_DIR/values/coturn/secrets.yaml" +} + +main() { +# Create prod-values.example.yaml to values.yaml and take backup +process_values "prod" "values" +# Create prod-secrets.example.yaml to secrets.yaml and take backup +process_values "prod" "secrets" + +# configure chart specific variables for each chart in values.yaml file +configure_values + +# deploying with external datastores, useful for prod setup +deploy_charts cassandra-external elasticsearch-external minio-external fake-aws demo-smtp rabbitmq 
databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller + +# deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured +deploy_cert_manager + +# nginx-ingress-services chart needs cert-manager to be deployed +deploy_charts nginx-ingress-services + +# deploying sft and coturn services +# not implemented yet +deploy_calling_services + +# print status of certs +kubectl get certificate +} + +main \ No newline at end of file From f8ef143ab28fc0593ce445582824792c3a0d8773 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 19 Jan 2026 23:02:55 +0100 Subject: [PATCH 13/22] fix: wpb-22439 fix bin/helm-operations.sh file name --- {offline => bin}/helm-operations.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {offline => bin}/helm-operations.sh (100%) diff --git a/offline/helm-operations.sh b/bin/helm-operations.sh similarity index 100% rename from offline/helm-operations.sh rename to bin/helm-operations.sh From 3f34b93185e55ed3e8d5cde4636e7a0d0eb027fa Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 26 Jan 2026 11:30:44 +0100 Subject: [PATCH 14/22] fix: wpb-22439 make using daemonset with nodePort for ingress-nginx-controller default for prod and make load-balancer an example --- ...etzner-ci.example.yaml => load-balancer.example.yaml} | 9 +++++---- values/ingress-nginx-controller/prod-values.example.yaml | 9 ++++----- 2 files changed, 9 insertions(+), 9 deletions(-) rename values/ingress-nginx-controller/{hetzner-ci.example.yaml => load-balancer.example.yaml} (66%) diff --git a/values/ingress-nginx-controller/hetzner-ci.example.yaml b/values/ingress-nginx-controller/load-balancer.example.yaml similarity index 66% rename from values/ingress-nginx-controller/hetzner-ci.example.yaml rename to values/ingress-nginx-controller/load-balancer.example.yaml index 83ea7458d..c6b5f1077 100644 --- a/values/ingress-nginx-controller/hetzner-ci.example.yaml 
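Review bot: `deploy_charts` assembles `helm_command` as a string and runs it with `eval`, so whitespace or a shell metacharacter in `$BASE_DIR`, a chart name or a values path is re-parsed as shell syntax; an argument array passed straight to `helm` removes the `eval` and the quoting problem (rewrite below). `HOST_IP` is taken verbatim from `wget -qO- https://api.ipify.org` and then written into `brig.turnStatic`, the coturn values and the `wire.com/external-ip` node annotation, so an empty body or an error page propagates into the deployment; validate it first, e.g. `[[ "$HOST_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "Error: could not determine HOST_IP" >&2; exit 1; }`. The cleanup trap in `configure_values` leaves the path unquoted; `trap 'rm -rf -- "$TEMP_DIR"' EXIT` is the safe form. `process_values` archives a previous `secrets.yaml` as `secrets.yaml.bak.<timestamp>` next to the new one, so old secret material stays in the values tree; a comment saying so, or a hint in the `echo` line, would help operators clean those up.
```bash
    # … unchanged: chart_dir / values_file / secrets_file checks …

    helm_args=(upgrade --install --wait --timeout=15m0s "$chart" "$chart_dir")

    if [[ -n "$values_file" ]]; then
      helm_args+=(--values "$values_file")
    fi

    if [[ -n "$secrets_file" ]]; then
      helm_args+=(--values "$secrets_file")
    fi

    echo "Deploying $chart as helm ${helm_args[*]}"
    helm "${helm_args[@]}"
  done
  # … unchanged: kubectl get pods …
```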
+++ b/values/ingress-nginx-controller/load-balancer.example.yaml @@ -3,10 +3,6 @@ # `containerd`. ingress-nginx: controller: - # There's no loadbalancer support in the Hetzner CI environment - kind: DaemonSet - service: - type: NodePort image: tag: "v1.10.6" digest: "" @@ -16,3 +12,8 @@ ingress-nginx: image: tag: "v20220916-gd32f8c343" digest: "" + # Enable prometheus operator to scrape metrics from the ingress-nginx controller with servicemonitor. + metrics: + enabled: false + serviceMonitor: + enabled: false diff --git a/values/ingress-nginx-controller/prod-values.example.yaml b/values/ingress-nginx-controller/prod-values.example.yaml index c6b5f1077..83ea7458d 100644 --- a/values/ingress-nginx-controller/prod-values.example.yaml +++ b/values/ingress-nginx-controller/prod-values.example.yaml @@ -3,6 +3,10 @@ # `containerd`. ingress-nginx: controller: + # There's no loadbalancer support in the Hetzner CI environment + kind: DaemonSet + service: + type: NodePort image: tag: "v1.10.6" digest: "" @@ -12,8 +16,3 @@ ingress-nginx: image: tag: "v20220916-gd32f8c343" digest: "" - # Enable prometheus operator to scrape metrics from the ingress-nginx controller with servicemonitor. - metrics: - enabled: false - serviceMonitor: - enabled: false From 9a2fead6ea48c6610e5501b7ff3065c0050089c9 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 26 Jan 2026 12:10:10 +0100 Subject: [PATCH 15/22] fix: wpb-22439 cd.sh and cd_staging.sh for ingress-nginx-controller file changes --- offline/cd.sh | 3 --- offline/cd_staging.sh | 3 --- 2 files changed, 6 deletions(-) diff --git a/offline/cd.sh b/offline/cd.sh index 6af2cc7d6..a86daf701 100755 --- a/offline/cd.sh +++ b/offline/cd.sh 
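Review bot: The comment carried into `prod-values.example.yaml` in the second file section, `# There's no loadbalancer support in the Hetzner CI environment`, now explains a production default by reference to a CI environment, which the commit subject says is no longer the intent; presumably the reason is that a DaemonSet with `NodePort` needs no cloud load balancer, so reword it along the lines of `# Prod default: run the controller as a DaemonSet on NodePort so no external load balancer is required; see load-balancer.example.yaml for the alternative`. The `metrics`/`serviceMonitor` block that left the prod example is fine to drop, but a short note in `load-balancer.example.yaml` that it is only an example would match the rename.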
@@ -123,9 +123,6 @@ ssh $SSH_OPTS "root@$adminhost" wget -q "https://s3-eu-west-1.amazonaws.com/publ ssh $SSH_OPTS "root@$adminhost" tar xzf "$ARTIFACT.tgz" -# override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml -scp $SSH_OPTS "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml" - scp $SSH_OPTS inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml ssh $SSH_OPTS "root@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true diff --git a/offline/cd_staging.sh b/offline/cd_staging.sh index d70028468..733302945 100755 --- a/offline/cd_staging.sh +++ b/offline/cd_staging.sh @@ -124,9 +124,6 @@ ssh $SSH_OPTS "demo@$adminhost" wget -q "https://s3-eu-west-1.amazonaws.com/publ ssh $SSH_OPTS "demo@$adminhost" tar xzf "$ARTIFACT.tgz" -# override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml -scp $SSH_OPTS "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "demo@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml" - # Source and target files SOURCE="inventory.yml" cp "${CD_DIR}/../ansible/inventory/offline/staging.yml" "inventory-secondary.yml" From cc327cb077b84361cfbfc2b30d87b34ae2931f0c Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 26 Jan 2026 18:55:16 +0100 Subject: [PATCH 16/22] fix: wpb-22439 enable rabbitmq-external to replace in-k8s rabbitmq deployment --- bin/helm-operations.sh | 4 ++-- values/wire-server/prod-values.example.yaml | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh index 6be1fa3b1..1298ed065 100755 --- a/bin/helm-operations.sh +++ b/bin/helm-operations.sh 
@@ -27,7 +27,7 @@ process_values() { ENV=$1 TYPE=$2 - charts=(fake-aws demo-smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) + charts=(fake-aws demo-smtp databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'" @@ -174,7 +174,7 @@ process_values "prod" "secrets" configure_values # deploying with external datastores, useful for prod setup -deploy_charts cassandra-external elasticsearch-external minio-external fake-aws demo-smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller +deploy_charts cassandra-external elasticsearch-external minio-external rabbitmq-external fake-aws demo-smtp databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller # deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured deploy_cert_manager diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index 8dd1ead23..0e6d33047 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml 
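Review bot: The `deploy_charts` call in the second hunk now lists `cassandra-external elasticsearch-external minio-external rabbitmq-external`, none of which appear in the `charts` array that `process_values` uses to create `values.yaml` from `prod-values.example.yaml`, so if those chart directories ship only the example file, `deploy_charts` will hit its "Deploying without values" branch and install them with chart defaults, which for the external-datastore charts means no hosts are configured. Either add the four names to the `charts` array or add a comment on the array stating that these charts are expected to carry a ready `values.yaml`. Both functions continue outside the hunks.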
@@ -29,12 +29,12 @@ brig: host: elasticsearch-external rabbitmq: host: rabbitmq-external - # For k8s-based RabbitMQ for k8s based rabbitmq. Use 'rabbitmq-external' for production external RabbitMQ VMs - postgresql: - host: postgresql-external-rw # DNS name without protocol - port: "5432" - user: wire-server - dbname: wire-server + # For k8s-based RabbitMQ (default). Use 'rabbitmq-external' for production external RabbitMQ VMs + #postgresql: + # host: postgresql-external-rw # DNS name without protocol + # port: "5432" + # user: wire-server + # dbname: wire-server useSES: false # Set to false if you want to hand out DynamoDB to store prekeys randomPrekeys: true From 833d6f082882db9a377969f7149da4734a5f73ff Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 29 Jan 2026 20:42:57 +0100 Subject: [PATCH 17/22] fix: wpb-22439 remove the postgresql interface update command --- ansible/wiab-staging-provision.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/wiab-staging-provision.yml b/ansible/wiab-staging-provision.yml index d72b8622f..9a22799f5 100644 --- a/ansible/wiab-staging-provision.yml +++ b/ansible/wiab-staging-provision.yml @@ -257,7 +257,6 @@ yq -i ".minio.vars.minio_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}" yq -i ".rmq-cluster.vars.rabbitmq_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}" yq -i ".rmq-cluster.vars.rabbitmq_cluster_master |= \"datanode1\"" "{{ inventory_file }}" - yq -i ".postgresql.vars.postgresql_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}" args: executable: /bin/bash From 334c22ee18dac2c670379cbb463af46164b195ff Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Fri, 30 Jan 2026 15:26:34 +0100 Subject: [PATCH 18/22] fix: wpb-22439 remove postgresql network interface change --- offline/cd_staging.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/offline/cd_staging.sh b/offline/cd_staging.sh index 733302945..c83dba1d1 100755 --- a/offline/cd_staging.sh +++ b/offline/cd_staging.sh 
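Review bot: The comment line `# For k8s-based RabbitMQ (default). Use 'rabbitmq-external' for production external RabbitMQ VMs` now sits directly above the commented-out `postgresql:` block rather than the `rabbitmq:` key it describes, and it calls the in-cluster RabbitMQ the default while `host: rabbitmq-external` two lines above and the chart list in PATCH 16 make the external one the default; move the sentence under `rabbitmq:` and reword it, e.g. `# 'rabbitmq-external' targets the external RabbitMQ VMs (prod default); use 'rabbitmq' for an in-cluster deployment`. The `postgresql:` block is disabled without any explanation; a one-line comment stating when it should be uncommented would help the next reader.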
@@ -165,7 +165,6 @@ NETWORK_INTERFACE=$(yq eval '.datanode.vars.datanode_network_interface' "$SOURCE yq eval -i ".cassandra.vars.cassandra_network_interface = \"$NETWORK_INTERFACE\"" "$TARGET" yq eval -i ".elasticsearch.vars.elasticsearch_network_interface = \"$NETWORK_INTERFACE\"" "$TARGET" yq eval -i ".minio.vars.minio_network_interface = \"$NETWORK_INTERFACE\"" "$TARGET" -yq eval -i ".postgresql.vars.postgresql_network_interface = \"$NETWORK_INTERFACE\"" "$TARGET" yq eval -i ".rmq-cluster.vars.rabbitmq_network_interface = \"$NETWORK_INTERFACE\"" "$TARGET" # re-writing sub-groups for rabbitmq_cluster_master, cassandra_seed, postgresql_rw and postgresql_ro From 0eda2b1cbf225c706ae7b8d81a91a83fcc413cef Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Fri, 30 Jan 2026 18:45:40 +0100 Subject: [PATCH 19/22] fix: wpb-22439 update wiab-staging documentation for 5.14 --- offline/wiab-staging.md | 107 ++++++++++++++++++++-------------------- 1 file changed, 54 insertions(+), 53 deletions(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 30c230878..3cf537b8e 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md 
@@ -138,66 +138,36 @@ Since the inventory is ready, please continue with the following steps: - **[Deploying Kubernetes and stateful services](docs_ubuntu_22.04.md#deploying-kubernetes-and-stateful-services)** - Run `d ./bin/offline-cluster.sh` to deploy Kubernetes and stateful services (Cassandra, PostgreSQL, Elasticsearch, Minio, RabbitMQ). This script deploys all infrastructure needed for Wire backend operations. -*Note: Ensure all Helm charts use the values and secrets files in their `values/` directories—do not run `helm install` without them, or it will fall back to defaults and the artifact-provided values won’t apply. Sample commands can be found at [offline-helm.sh](https://github.com/wireapp/wire-server-deploy/blob/master/bin/offline-helm.sh)* - -### Wire Components Deployment - -- **Deploying Helm charts** - - **[Deploying stateless services and other dependencies](docs_ubuntu_22.04.md#deploying-stateless-dependencies)** - - Deploy cassandra-external, elasticsearch-external, minio-external, rabbitmq-external and databases-ephemeral helm charts to set up connections to external data services and stateless database dependencies. - - - **[Deploying Wire Server](docs_ubuntu_22.04.md#deploying-wire-server)** - - Install the core Wire backend platform with `d helm install wire-server ./charts/wire-server`. Update `values/wire-server/values.yaml` with your domain and inspect `values/wire-server/secrets.yaml` for required secrets. - - - **[Deploying webapp](docs_ubuntu_22.04.md#deploying-webapp)** - - Deploy the Wire web application frontend. Set your domain name and configure it for user access to the Wire interface. - - - **[Deploying team-settings](docs_ubuntu_22.04.md#deploying-team-settings)** - - Install team management and settings services for enterprise features and team administration. 
- - - **[Deploying account-pages](docs_ubuntu_22.04.md#deploying-account-pages)** - - Deploy account management pages for user profile, password reset, and account-related functionalities. - - - **[Deploying smallstep-accomp](docs_ubuntu_22.04.md#deploying-smallstep-accomp)** - - Install the smallstep ACME companion for certificate management integration. - -### Network & Security - -- **[Enabling emails for wire](smtp.md)** - - Configure SMTP for user onboarding via email. Deploy either a temporary SMTP service included in the bundle or integrate with your existing SMTP relay, and ensure proper network configuration for email delivery. - -- **[Deploy ingress-nginx-controller](docs_ubuntu_22.04.md#deploy-ingress-nginx-controller)** - - Install nginx ingress controller as the entry point for HTTP/HTTPS traffic routing to Wire services. This component is required for all traffic forwarding methods. - -- **[Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)** - - Configure SSL/TLS certificates either by bringing your own or using cert-manager with Let's Encrypt. SSL certificates are required by the nginx-ingress-services helm chart for secure HTTPS connections. +### Helm Operations to install wire services and supporting helm charts - > **Note (cert-manager & hairpin NAT):** When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin (Pod → Node → host public IP → DNAT → Node → Ingress). If your nftables rules DNAT in PREROUTING without a matching SNAT on virbr0→virbr0, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts. Also, strict rp_filter can drop asymmetric return packets. 
If cert-manager is deployed, verify whether hairpin handling is needed: - > - > - Enable hairpin SNAT for DNATed traffic (forces return traffic through the host): - > ```bash - > sudo nft insert rule ip nat POSTROUTING position 0 \ - > iifname "virbr0" oifname "virbr0" \ - > ct status dnat counter masquerade - > ``` - > - Relax reverse-path filtering to loose mode to allow asymmetric flows: - > ```bash - > sudo sysctl -w net.ipv4.conf.all.rp_filter=2 - > sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 - > ``` - > These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (virbr0) environments. +**Helm chart deployment (automated):** The script `bin/helm-operations.sh` will deploy the charts for you. It prepares `values.yaml`/`secrets.yaml`, customizes them for your domain/IPs, then runs Helm installs/upgrades in the correct order. + +**User-provided inputs (set these before running):** +- `TARGET_SYSTEM`: your domain (e.g., `wire.example.com` or `example.dev`). +- `CERT_MASTER_EMAIL`: email used by cert-manager for ACME registration. +- `HOST_IP`: public IP that matches your DNS A record (auto-detected if empty). -### Calling Services +**Charts deployed by the script:** +- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. +- Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`, `smallstep-accomp`. +- Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`. +- Calling services: `sftd`, `coturn`. -- **[Installing SFTD](docs_ubuntu_22.04.md#installing-sftd)** - - Deploy the Selective Forwarding Unit (SFT) calling server for Wire's voice and video calling capabilities. Optionally enable cooperation with TURN servers and configure appropriate node annotations for external IPs. 
+**Values and secrets generation:** +- Creates `values.yaml` and `secrets.yaml` from `prod-values.example.yaml` and `prod-secrets.example.yaml` for each chart under `values/`. +- Backs up any existing `values.yaml`/`secrets.yaml` before replacing them. -- **[Installing Coturn](coturn.md)** - - Deploy TURN/STUN servers for WebRTC connectivity, enabling peer-to-peer communication for calling services and ensuring connectivity through firewalls and NATs. +**Values configured by the script:** +- Replaces `example.com` with `TARGET_SYSTEM` in Wire and webapp hostnames. +- Enables cert-manager and sets `certmasterEmail` using `CERT_MASTER_EMAIL`. +- Sets SFTD hosts and switches issuer to `letsencrypt-http01`. +- Sets coturn listen/relay/external IPs using the calling node IP and `HOST_IP`. + +*Note: The `bin/helm-operations.sh` script above deploys these charts; you do not need to run the Helm commands manually unless you want to customize or debug.* ## Network Traffic Configuration -### Bring traffic from Physical machine to Wire services in k8s cluster +### Bring traffic from the physical machine to Wire services in the k8s cluster If you used the Ansible playbook earlier, nftables firewall rules are pre-configured to forward traffic. If you set up VMs manually with your own hypervisor, you must manually configure network traffic flow using nftables. 
@@ -244,3 +214,34 @@ calling_node_ip=192.168.122.13 # Host WAN interface name inf_wan=eth0 ``` + + > **Note (cert-manager & hairpin NAT):** When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin (Pod → Node → host public IP → DNAT → Node → Ingress). If your nftables rules DNAT in PREROUTING without a matching SNAT on virbr0→virbr0, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts. Also, strict rp_filter can drop asymmetric return packets. If cert-manager is deployed, verify whether hairpin handling is needed: + > + > - Enable hairpin SNAT for DNATed traffic (forces return traffic through the host): + > ```bash + > sudo nft insert rule ip nat POSTROUTING position 0 \ + > iifname "virbr0" oifname "virbr0" \ + > ct status dnat counter masquerade + > ``` + > - Relax reverse-path filtering to loose mode to allow asymmetric flows: + > ```bash + > sudo sysctl -w net.ipv4.conf.all.rp_filter=2 + > sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 + > ``` + > These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (virbr0) environments. + + +## Further Reading + +- **[Deploying stateless services and other dependencies](docs_ubuntu_22.04.md#deploying-stateless-dependencies)**: Read more about external datastores and stateless dependencies. +- **[Deploying Wire Server](docs_ubuntu_22.04.md#deploying-wire-server)**: Read more about core Wire backend deployment and required values/secrets. +- **[Deploying webapp](docs_ubuntu_22.04.md#deploying-webapp)**: Read more about webapp deployment and domain configuration. +- **[Deploying team-settings](docs_ubuntu_22.04.md#deploying-team-settings)**: Read more about team settings services. +- **[Deploying account-pages](docs_ubuntu_22.04.md#deploying-account-pages)**: Read more about account management services. 
+- **[Deploying smallstep-accomp](docs_ubuntu_22.04.md#deploying-smallstep-accomp)**: Read more about the ACME companion. +- **[Enabling emails for wire](smtp.md)**: Read more about SMTP options for onboarding email delivery and relay setup. +- **[Deploy ingress-nginx-controller](docs_ubuntu_22.04.md#deploy-ingress-nginx-controller)**: Read more about ingress configuration and traffic forwarding requirements. +- **[Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**: Read more about TLS options (Bring Your Own or cert-manager) and certificate requirements. +- **[Installing SFTD](docs_ubuntu_22.04.md#installing-sftd)**: Read more about the Selective Forwarding Unit (SFT) and related configuration. +- **[Installing Coturn](coturn.md)**: Read more about TURN/STUN setup for WebRTC connectivity and NAT traversal. +- **[Configure the port redirection in Nftables](coturn.md#configure-the-port-redirection-in-nftables)**: Read more about configuring Nftables rules From 248a2ffb6448daba309b18ba188799598644b9e3 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 19 Feb 2026 10:40:00 +0100 Subject: [PATCH 20/22] fix: wpb-22439 ansible/wiab-staging-provision.yml for ssh_private_key update --- ansible/wiab-staging-provision.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/wiab-staging-provision.yml b/ansible/wiab-staging-provision.yml index 9a22799f5..f0bff10c4 100644 --- a/ansible/wiab-staging-provision.yml +++ b/ansible/wiab-staging-provision.yml 
@@ -257,6 +257,10 @@ yq -i ".minio.vars.minio_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}" yq -i ".rmq-cluster.vars.rabbitmq_network_interface |= \"$GATEWAY_NAME\"" "{{ inventory_file }}" yq -i ".rmq-cluster.vars.rabbitmq_cluster_master |= \"datanode1\"" "{{ inventory_file }}" + + # setting up ansible_ssh_private_key_file to access VMs for secondary ansible operations + yq -i ".all.vars.ansible_ssh_private_key_file |= \"ssh/id_ed25519\"" "{{ inventory_file }}" + args: executable: /bin/bash From a6360cbce96aa5605fdd04a12ad0166ce07dd109 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 19 Feb 2026 10:41:15 +0100 Subject: [PATCH 21/22] fix: wpb-22439 update cert-manager & hairpin NAT documentation --- offline/wiab-staging.md | 52 ++++++++++++++++++++++++++++++++++------- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 3cf537b8e..8b8c70f57 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md 
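Review bot: `ansible_ssh_private_key_file` is written as the relative path `ssh/id_ed25519`, which as far as I can tell Ansible hands to ssh as-is, so it resolves against the working directory of the later `ansible-playbook` run rather than against the inventory file, and the "secondary ansible operations" the comment mentions only work when started from the directory containing `ssh/`. Either write an absolute path (for example one derived from the inventory file's directory — constructed, verify against how the inventory is laid out) or extend the comment to name the required working directory, e.g. `# relative to the directory ansible-playbook is run from`. The shell block and task continue outside the hunk.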
@@ -215,20 +215,56 @@ calling_node_ip=192.168.122.13 inf_wan=eth0 ``` - > **Note (cert-manager & hairpin NAT):** When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin (Pod → Node → host public IP → DNAT → Node → Ingress). If your nftables rules DNAT in PREROUTING without a matching SNAT on virbr0→virbr0, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts. Also, strict rp_filter can drop asymmetric return packets. If cert-manager is deployed, verify whether hairpin handling is needed: +> **Note (cert-manager & hairpin NAT):** +> When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin (Pod → Node → host public IP → DNAT → Node → Ingress). +> If your nftables rules DNAT in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts, resulting in certificate verification failure. +> Additionally, strict `rp_filter` can drop asymmetric return packets. +> If cert-manager is deployed in a NAT/bridge (`virbr0`) environment, first verify whether certificate issuance is failing before applying hairpin handling. +> Check whether certificates are successfully issued: +> ```bash +> d kubectl get certificates +> ``` +> If certificates are not in `Ready=True` state, inspect cert-manager logs for HTTP-01 self-check or timeout errors: +> ```bash +> d kubectl logs -n cert-manager-ns +> ``` +> If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge environment, hairpin SNAT and relaxed reverse-path filtering handling may be required. + > - Relax reverse-path filtering to loose mode to allow asymmetric flows: + > ```bash + > sudo sysctl -w net.ipv4.conf.all.rp_filter=2 + > sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 + > ``` + > These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (virbr0) environments. 
> - > - Enable hairpin SNAT for DNATed traffic (forces return traffic through the host): + > - Enable Hairpin SNAT (temporary for cert-manager HTTP-01): > ```bash > sudo nft insert rule ip nat POSTROUTING position 0 \ - > iifname "virbr0" oifname "virbr0" \ - > ct status dnat counter masquerade + > iifname "virbr0" oifname "virbr0" \ + > ip daddr 192.168.122.0/24 ct status dnat \ + > counter masquerade \ + > comment "wire-hairpin-dnat-virbr0" > ``` - > - Relax reverse-path filtering to loose mode to allow asymmetric flows: + > This forces DNATed traffic that hairpins over the bridge to be masqueraded, ensuring return traffic flows back through the host and conntrack can correctly reverse the DNAT. + > Verify the rule was added: > ```bash - > sudo sysctl -w net.ipv4.conf.all.rp_filter=2 - > sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 + > sudo nft list chain ip nat POSTROUTING + > ``` + > You should see a rule similar to: + > ``` + > iifname "virbr0" oifname "virbr0" ip daddr 192.168.122.0/24 ct status dnat counter masquerade # handle + > ``` + > + > - Remove the rule after certificates are issued + > ```bash + > d kubectl get certificates + > ``` + > - Once Let's Encrypt validation completes and certificates are issued, remove the temporary hairpin SNAT rule. Use the following pipeline to locate the rule handle and delete it safely: + > ```bash + > sudo nft list chain ip nat POSTROUTING | \ + > grep wire-hairpin-dnat-virbr0 | \ + > sed -E 's/.*handle ([0-9]+).*/\1/' | \ + > xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} > ``` - > These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (virbr0) environments. ## Further Reading From 23847ba803d2196f23768fb8a7b5b24c06986db9 Mon Sep 17 00:00:00 2001 
From: mohitrajain Date: Mon, 23 Feb 2026 18:05:12 +0100 Subject: [PATCH 22/22] fix: wpb-23462 update wiab-staging.md documentation --- offline/wiab-staging.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 8b8c70f57..1fa85aef9 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md @@ -128,7 +128,7 @@ Since the inventory is ready, please continue with the following steps: ### Environment Setup - **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** - - Source the `bin/offline-env.sh` shell script to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. + - Source the `bin/offline-env.sh` shell script by running `source bin/offline-env.sh` to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. - **[Generating secrets](docs_ubuntu_22.04.md#generating-secrets)** - Run `./bin/offline-secrets.sh` to generate fresh secrets for Minio and coturn services. This creates two secret files: `ansible/inventory/group_vars/all/secrets.yaml` and `values/wire-server/secrets.yaml`. 
@@ -147,6 +147,14 @@ Since the inventory is ready, please continue with the following steps: - `CERT_MASTER_EMAIL`: email used by cert-manager for ACME registration. - `HOST_IP`: public IP that matches your DNS A record (auto-detected if empty). +**TLS / certificate behavior (cert-manager vs. Bring Your Own):** +- By default, `bin/helm-operations.sh` runs `deploy_cert_manager`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. +- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)** or you cannot satisfy HTTP-01 requirements), disable this step by commenting out the `deploy_cert_manager` call inside `bin/helm-operations.sh`. + - After disabling cert-manager, ensure your ingress is configured with your own TLS secret(s) as described in the TLS documentation below. + +**To run the automated helm chart deployment**: +`d ./bin/helm-operations.sh` + **Charts deployed by the script:** - External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. - Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`, `smallstep-accomp`.