From dc9d0afa1cb9d8caf4e994ca8a48699d3ee9f09b Mon Sep 17 00:00:00 2001
From: sghosh23
Date: Fri, 27 Feb 2026 16:48:29 +0100
Subject: [PATCH 01/13] Remove obsolete secrets from the brig config

---
 bin/offline-secrets.sh | 7 +------
 bin/secrets.sh | 9 +--------
 values/wire-server/demo-secrets.example.yaml | 6 ------
 values/wire-server/prod-secrets.example.yaml | 6 ------
 4 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh
index c483830bd..76756a1a6 100755
--- a/bin/offline-secrets.sh
+++ b/bin/offline-secrets.sh
@@ -53,12 +53,7 @@ brig:
 password: guest
 # These are only necessary if you wish to support sign up via SMS/calls
 # And require accounts at twilio.com / nexmo.com
- setTwilio: |-
- sid: "dummy"
- token: "dummy"
- setNexmo: |-
- key: "dummy"
- secret: "dummy"
+
 cargohold:
 secrets:
 awsKeyId: "$minio_cargohold_access_key"
diff --git a/bin/secrets.sh b/bin/secrets.sh
index 06c1dc40b..e7a3e06a3 100755
--- a/bin/secrets.sh
+++ b/bin/secrets.sh
@@ -104,14 +104,7 @@ brig:
 # these only need to be changed if using real AWS services
 awsKeyId: dummykey
 awsSecretKey: dummysecret
- # These are only necessary if you wish to support sign up via SMS/calls
- # And require accounts at twilio.com / nexmo.com
- setTwilio: |-
- sid: dummy
- token: dummy
- setNexmo: |-
- key: dummy
- secret: dummy
+
 cargohold:
 secrets:
 awsKeyId: dummykey
diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml
index 8a47a055d..7bc5ecad3 100644
--- a/values/wire-server/demo-secrets.example.yaml
+++ b/values/wire-server/demo-secrets.example.yaml
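Review bot: In the bin/offline-secrets.sh hunk the two context comments `# These are only necessary if you wish to support sign up via SMS/calls` and `# And require accounts at twilio.com / nexmo.com` are kept while the `setTwilio`/`setNexmo` keys they describe are deleted, so they now document nothing and invite the next reader to re-add the block. The bin/secrets.sh hunk of the same commit removes those two comments together with the keys; offline-secrets.sh should match it, and the bare `+` empty line added in both scripts can be dropped as well. Whether brig still reads these keys from an operator's existing secrets file cannot be confirmed from this patch, so it would help if the accompanying changelog entry named the removed keys explicitly rather than only saying "obsolete secrets".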
@@ -28,12 +28,6 @@ brig:
 # To extract the secret from an existing Kubernetes cluster:
 # kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
 pgPassword: dummyPassword # gets replaced by the actual secret
- setTwilio: |-
- sid: "dummy"
- token: "dummy"
- setNexmo: |-
- key: "dummy"
- secret: "dummy"
 elasticsearch:
 username: "elastic"
 password: "changeme"
diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml
index 30ab8e519..23365c9af 100644
--- a/values/wire-server/prod-secrets.example.yaml
+++ b/values/wire-server/prod-secrets.example.yaml
@@ -22,12 +22,6 @@ brig:
 rabbitmq:
 username: guest
 password: guest
- setTwilio: |-
- sid: "dummy"
- token: "dummy"
- setNexmo: |-
- key: "dummy"
- secret: "dummy"
 cannon:
 secrets:

From 22513088376ae26f3a43b287ad0cf2e01fd6fe19 Mon Sep 17 00:00:00 2001
From: sghosh23
Date: Fri, 27 Feb 2026 16:59:47 +0100
Subject: [PATCH 02/13] add the changelog

---
 changelog.d/3-deploy-builds/remove-oboslete-secrets | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/3-deploy-builds/remove-oboslete-secrets

diff --git a/changelog.d/3-deploy-builds/remove-oboslete-secrets b/changelog.d/3-deploy-builds/remove-oboslete-secrets
new file mode 100644
index 000000000..ad21ac021
--- /dev/null
+++ b/changelog.d/3-deploy-builds/remove-oboslete-secrets
@@ -0,0 +1 @@
+Removed: obsolete secrets from scripts and references for improved security and clarity.
\ No newline at end of file

From 44ce29e7cd44da70319cc9b4d221dcb17f20f1a2 Mon Sep 17 00:00:00 2001
From: sghosh23
Date: Fri, 27 Feb 2026 17:01:57 +0100
Subject: [PATCH 03/13] add the important line

---
 changelog.d/3-deploy-builds/remove-oboslete-secrets | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog.d/3-deploy-builds/remove-oboslete-secrets b/changelog.d/3-deploy-builds/remove-oboslete-secrets
index ad21ac021..f36e227bb 100644
--- a/changelog.d/3-deploy-builds/remove-oboslete-secrets
+++ b/changelog.d/3-deploy-builds/remove-oboslete-secrets
@@ -1 +1 @@
-Removed: obsolete secrets from scripts and references for improved security and clarity.
\ No newline at end of file
+Removed: obsolete secrets from scripts and references for improved security and clarity.

From e32dbd2259a342468c58e46c40b38f97ec97da8a Mon Sep 17 00:00:00 2001
From: mohit rajain Date: Mon, 2 Mar 2026 11:02:04 +0100 Subject: [PATCH 04/13] feat: wpb-23712 creating a release for 5.23 for all solutions (#873) * feat: wpb-23712 creating a release for 5.23 for all solutions with clean changelogs * fix: wpb-23712 add a changelog * fix: wpb-23712 rebase master and consider last changelog --- CHANGELOG.md | 60 +++++++++++++++++++ .../add-iam-user-for-cargohold | 1 - changelog.d/0-release-notes/release-5.23 | 1 + .../add-postgresql-backup-before-cleanup | 1 - .../configure-pg-values-for-brig | 1 - changelog.d/2-wire-builds/demo-values-changes | 3 - changelog.d/2-wire-builds/fix-build-tasks | 3 - .../2-wire-builds/optimize-offline-env | 1 - .../2-wire-builds/reaper-kubectl-image | 1 - .../unsupported-grafana-dashboards | 1 - .../2-wire-builds/update-cassandra-version | 1 - changelog.d/2-wire-builds/update-pg-binaries | 1 - changelog.d/2-wire-builds/wire-server-5.23.0 | 3 - changelog.d/2-wire-builds/zauth-wiab-demo-fix | 1 - changelog.d/3-deploy-builds/cd-demo-wiab | 2 - changelog.d/3-deploy-builds/cert-manager | 1 - changelog.d/3-deploy-builds/changes-in-cd | 3 - .../3-deploy-builds/demo-wiab-ansible-fixes | 12 ---- .../3-deploy-builds/demo-wiab-ansible-only | 8 --- .../fix-chart-patching-broken-pipe | 1 - .../3-deploy-builds/fix-demo-inventory | 1 - changelog.d/3-deploy-builds/kubelet_log_path | 1 - .../3-deploy-builds/move-repmgr-secret-to-k8s | 1 - .../optimize-default-build-deploy-process | 5 -- changelog.d/3-deploy-builds/pg_ha_cluster | 1 - .../postgresql_repmgr_node_config | 1 - .../rabbitmq-external-example-file | 1 - .../3-deploy-builds/standardize-yq-version | 1 - .../3-deploy-builds/update-cassandra-version | 1 - changelog.d/3-deploy-builds/update-wiab | 1 - changelog.d/3-deploy-builds/wiab-staging | 9 --- changelog.d/3-deploy-builds/wpb-17218 | 1 - .../3-deploy-builds/wpb-18722-hardcoded-pass | 1 - .../3-deploy-builds/wpb-22405-git-lable | 1 - .../wpb-22439-enable-rabbitmq-ansible | 1 - 
.../3-deploy-builds/wpb-22439-helm-operations | 4 -- changelog.d/4-docs/dkim-docs | 1 - changelog.d/4-docs/enable-changelog | 1 - changelog.d/4-docs/fix-private-ca-docs | 1 - changelog.d/4-docs/fix-wiab-docs | 1 - changelog.d/4-docs/rename-postgresql-cleanup | 1 - .../5-bug-fixes/fix-changelog-for-cotrun | 1 - .../5-bug-fixes/fix-changelog-for-zebot | 2 - .../5-bug-fixes/fix-postgres-exporter-auth | 1 - .../fix-postgresql-atomic-installation | 1 - .../fix-postgresql-upgrade-detection | 1 - .../fix-postgresql-version-detection | 1 - changelog.d/5-bug-fixes/redis-ephemeral | 1 - changelog.d/5-bug-fixes/remove-migrate-job | 1 - changelog.d/5-bug-fixes/standardize-features | 3 - 50 files changed, 61 insertions(+), 93 deletions(-) delete mode 100644 changelog.d/0-release-notes/add-iam-user-for-cargohold create mode 100644 changelog.d/0-release-notes/release-5.23 delete mode 100644 changelog.d/1-debian-builds/add-postgresql-backup-before-cleanup delete mode 100644 changelog.d/2-wire-builds/configure-pg-values-for-brig delete mode 100644 changelog.d/2-wire-builds/demo-values-changes delete mode 100644 changelog.d/2-wire-builds/fix-build-tasks delete mode 100644 changelog.d/2-wire-builds/optimize-offline-env delete mode 100644 changelog.d/2-wire-builds/reaper-kubectl-image delete mode 100644 changelog.d/2-wire-builds/unsupported-grafana-dashboards delete mode 100644 changelog.d/2-wire-builds/update-cassandra-version delete mode 100644 changelog.d/2-wire-builds/update-pg-binaries delete mode 100644 changelog.d/2-wire-builds/wire-server-5.23.0 delete mode 100644 changelog.d/2-wire-builds/zauth-wiab-demo-fix delete mode 100644 changelog.d/3-deploy-builds/cd-demo-wiab delete mode 100644 changelog.d/3-deploy-builds/cert-manager delete mode 100644 changelog.d/3-deploy-builds/changes-in-cd delete mode 100644 changelog.d/3-deploy-builds/demo-wiab-ansible-fixes delete mode 100644 changelog.d/3-deploy-builds/demo-wiab-ansible-only delete mode 100644 
changelog.d/3-deploy-builds/fix-chart-patching-broken-pipe delete mode 100644 changelog.d/3-deploy-builds/fix-demo-inventory delete mode 100644 changelog.d/3-deploy-builds/kubelet_log_path delete mode 100644 changelog.d/3-deploy-builds/move-repmgr-secret-to-k8s delete mode 100644 changelog.d/3-deploy-builds/optimize-default-build-deploy-process delete mode 100644 changelog.d/3-deploy-builds/pg_ha_cluster delete mode 100644 changelog.d/3-deploy-builds/postgresql_repmgr_node_config delete mode 100644 changelog.d/3-deploy-builds/rabbitmq-external-example-file delete mode 100644 changelog.d/3-deploy-builds/standardize-yq-version delete mode 100644 changelog.d/3-deploy-builds/update-cassandra-version delete mode 100644 changelog.d/3-deploy-builds/update-wiab delete mode 100644 changelog.d/3-deploy-builds/wiab-staging delete mode 100644 changelog.d/3-deploy-builds/wpb-17218 delete mode 100644 changelog.d/3-deploy-builds/wpb-18722-hardcoded-pass delete mode 100644 changelog.d/3-deploy-builds/wpb-22405-git-lable delete mode 100644 changelog.d/3-deploy-builds/wpb-22439-enable-rabbitmq-ansible delete mode 100644 changelog.d/3-deploy-builds/wpb-22439-helm-operations delete mode 100644 changelog.d/4-docs/dkim-docs delete mode 100644 changelog.d/4-docs/enable-changelog delete mode 100644 changelog.d/4-docs/fix-private-ca-docs delete mode 100644 changelog.d/4-docs/fix-wiab-docs delete mode 100644 changelog.d/4-docs/rename-postgresql-cleanup delete mode 100644 changelog.d/5-bug-fixes/fix-changelog-for-cotrun delete mode 100644 changelog.d/5-bug-fixes/fix-changelog-for-zebot delete mode 100644 changelog.d/5-bug-fixes/fix-postgres-exporter-auth delete mode 100644 changelog.d/5-bug-fixes/fix-postgresql-atomic-installation delete mode 100644 changelog.d/5-bug-fixes/fix-postgresql-upgrade-detection delete mode 100644 changelog.d/5-bug-fixes/fix-postgresql-version-detection delete mode 100644 changelog.d/5-bug-fixes/redis-ephemeral delete mode 100644 
changelog.d/5-bug-fixes/remove-migrate-job delete mode 100644 changelog.d/5-bug-fixes/standardize-features diff --git a/CHANGELOG.md b/CHANGELOG.md index ccdba0a54..1da4b625a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,66 @@ --> +# Relase 5.23 + +## release-notes + +* Changed: wire-server updated to version 5.23.0 for prod, wiab-staging and wiab-dev/demo +* Changed: cargohold service will use the scoped `cargohold` user with least privilege, with access limited to its `assets` bucket only (#814) +* Changed: Enable Ansible-based RabbitMQ deployment and fix RabbitMQ host configuration for wire-server (#861) + +### Data stores (PostgreSQL, Cassandra) + +* Added: enable support for PostgreSQL deployment via Ansible (#797) +* Added: PostgreSQL high availability cluster with repmgr (#807) +* Changed: PostgreSQL password management is now centralized in Kubernetes Secrets (repmgr and wire-server credentials), eliminating hardcoded passwords from inventory (#819) +* Changed: update Cassandra from 3.11.16 to 3.11.19 (#831) + +### Features / configuration +* Added: config for MLS deployment into example files (#824) + +## wire-builds + +* Changed: pre_clean_values_0.sh to clean unnecessary files + * Removed: `patch-chart-images.sh` as it is not required anymore + * Fixed: default|demo|min-build definitions to have more precise values and chart definitions (#825) +* Changed: Standardized all scripts to use `yq-go` (v4+) for YAML processing, replacing deprecated `python-yq`. 
Updated syntax in offline deployment scripts (`cd.sh`, `cd-with-retry.sh`), build scripts (`build_adminhost_containers.sh`), demo deployment (`offline_deploy_k8s.sh`), secret sync utilities, and chart image extraction to ensure reliable YAML manipulation and fix CI build errors (#820) + +## deploy-builds + +### WIAB demo / staging (high‑level) + +* Fixed: coturn and PostgreSQL secrets for demo-wiab + * Added: `kube-prometheus-stack` values and enabled monitoring support from wire-server for demo-wiab + * Added: values for wire-utility in demo-wiab (#826) +* Added: enable `cd-demo.sh` to verify demo-wiab builds (#826) +* Changed: add Ansible playbook for wiab-staging VM provisioning + * Added: Terraform resources for wiab-staging + * Added: `cd_staging` script to verify the default build bundle + * Changed: restructured `offline.yml` flow – introduced wiab-staging build and split bundle processing with default-build (#861) + +### Offline / CI / deployment pipeline + +* Added: `bin/helm-operations.sh` to replace `offline-helm` and more closely follow production instructions + * Changed: `bin/offline-secrets.sh` to support `helm-operations.sh` and add support for coturn secret (#858) +* Changed: Optimize Wire offline deployment pipeline with parallel job execution and S3 direct downloads + * Added: retry logic with progressive server type fallbacks for Hetzner Cloud resource availability issues (#815) +* Changed: offline workflow to require explicit labels for PR builds (`build-default`, `build-demo`, `build-min`, `build-all`); PRs without labels no longer trigger builds (#836) +* Changed: remove hardcoded PostgreSQL passwords from `demo-secrets.example.yaml` and automatically inject passwords from `databases-ephemeral` chart during deployment (#817) + +## docs + +* Added: documentation on how to set up DKIM for SMTP in wire-server (#793) +* Added: enable cert-manager Helm chart deployment with example values files (#805) +* Added: wiab-staging documentation to 
wire-server-deploy and fixed coturn port ranges (#861) +* Added: Enable changelog management in wire-server-deploy (#764) + +## bug-fixes +* Fixed: Optimize the `offline-env` load and add pipe/redirect functionality with `d` (#812) +* Fixed: add localhost authentication for `postgres_exporter`, upgrade to v0.18.1, and enable `stat_checkpointer` collector for PostgreSQL 17 checkpoint metrics (#832) +* Fixed: changelog-verify.yml workflow to allow Zebot pushes to master (#806) +* Changed: offline-vm-setup.sh script now uses an Ubuntu cloud image and local seed ISO (#861) +* Fixed: Update kubernetes_logging.yml to use the standard kubelet log path instead of Docker-specific paths. (#864) # 2021-08-27 diff --git a/changelog.d/0-release-notes/add-iam-user-for-cargohold b/changelog.d/0-release-notes/add-iam-user-for-cargohold deleted file mode 100644 index 9ba0ca253..000000000 --- a/changelog.d/0-release-notes/add-iam-user-for-cargohold +++ /dev/null @@ -1 +0,0 @@ -Changed: cargohold service will use the scoped `cargohold user` with least privilege, so that it has the necessary access to its bucket `assets` only diff --git a/changelog.d/0-release-notes/release-5.23 b/changelog.d/0-release-notes/release-5.23 new file mode 100644 index 000000000..d31657a30 --- /dev/null +++ b/changelog.d/0-release-notes/release-5.23 @@ -0,0 +1 @@ +Removed: removing all old changelogs to cut a release for wire-server-deploy 5.23 for prod, wiab-staging and wiab-dev diff --git a/changelog.d/1-debian-builds/add-postgresql-backup-before-cleanup b/changelog.d/1-debian-builds/add-postgresql-backup-before-cleanup deleted file mode 100644 index 11ce0cfe7..000000000 --- a/changelog.d/1-debian-builds/add-postgresql-backup-before-cleanup +++ /dev/null @@ -1 +0,0 @@ -Added: backup step before cleanup in PostgreSQL deployment pipeline; removed backup duplication from cleanup playbook 
diff --git a/changelog.d/2-wire-builds/configure-pg-values-for-brig b/changelog.d/2-wire-builds/configure-pg-values-for-brig deleted file mode 100644 index 4048268dd..000000000 --- a/changelog.d/2-wire-builds/configure-pg-values-for-brig +++ /dev/null @@ -1 +0,0 @@ -Configure postgresql values and secrets in the wire-server values for brig component. \ No newline at end of file diff --git a/changelog.d/2-wire-builds/demo-values-changes b/changelog.d/2-wire-builds/demo-values-changes deleted file mode 100644 index 139115083..000000000 --- a/changelog.d/2-wire-builds/demo-values-changes +++ /dev/null @@ -1,3 +0,0 @@ -Fixed: coturn and postgresql secrets for demo-wiab -Added: kube-prometheus-stack values and enabled monitoring support from wire-server for demo-wiab -Added: add values for wire-utility in demo-wiab \ No newline at end of file diff --git a/changelog.d/2-wire-builds/fix-build-tasks b/changelog.d/2-wire-builds/fix-build-tasks deleted file mode 100644 index 305d7ef46..000000000 --- a/changelog.d/2-wire-builds/fix-build-tasks +++ /dev/null @@ -1,3 +0,0 @@ -Changed: pre_clean_values_0.sh to clean unnecessary files -Removed: patch-chart-images.sh as it is not required anymore -Fixed: default|demo|min-build definitions to have more precise values and chart definitions diff --git a/changelog.d/2-wire-builds/optimize-offline-env b/changelog.d/2-wire-builds/optimize-offline-env deleted file mode 100644 index 48caaf379..000000000 --- a/changelog.d/2-wire-builds/optimize-offline-env +++ /dev/null @@ -1 +0,0 @@ -Fixed: Optimize the offline-env load and add pipe/redirect functionality with `d` diff --git a/changelog.d/2-wire-builds/reaper-kubectl-image b/changelog.d/2-wire-builds/reaper-kubectl-image deleted file mode 100644 index 65eab9724..000000000 --- a/changelog.d/2-wire-builds/reaper-kubectl-image +++ /dev/null @@ -1 +0,0 @@ -Fixed: reaper kubectl image 
diff --git a/changelog.d/2-wire-builds/unsupported-grafana-dashboards b/changelog.d/2-wire-builds/unsupported-grafana-dashboards deleted file mode 100644 index 7bff71cad..000000000 --- a/changelog.d/2-wire-builds/unsupported-grafana-dashboards +++ /dev/null @@ -1 +0,0 @@ -add unsupported dir with grafana dashboards \ No newline at end of file diff --git a/changelog.d/2-wire-builds/update-cassandra-version b/changelog.d/2-wire-builds/update-cassandra-version deleted file mode 100644 index e91d1dc8a..000000000 --- a/changelog.d/2-wire-builds/update-cassandra-version +++ /dev/null @@ -1 +0,0 @@ -Changed: update Cassandra from 3.11.16 to 3.11.19 diff --git a/changelog.d/2-wire-builds/update-pg-binaries b/changelog.d/2-wire-builds/update-pg-binaries deleted file mode 100644 index dae1e98f6..000000000 --- a/changelog.d/2-wire-builds/update-pg-binaries +++ /dev/null @@ -1 +0,0 @@ -Changed: update PostgreSQL to 17.7-3, postgresql-common to 287, libpq5 to 18.1-1, repmgr to debpgdg-3, remove postgresql-common-dev (not needed for runtime), and add postgres_exporter v0.18.1 diff --git a/changelog.d/2-wire-builds/wire-server-5.23.0 b/changelog.d/2-wire-builds/wire-server-5.23.0 deleted file mode 100644 index 970b4537b..000000000 --- a/changelog.d/2-wire-builds/wire-server-5.23.0 +++ /dev/null @@ -1,3 +0,0 @@ -Changed: wire-server updated to version 5.23.0 -Changed: wire-server reverted from 529dbaf859df934b6407e05dff8384051acd8ddc -Changed: wire-server reverted from 44445d98b0295f7530755f056acb89d85b7be66c diff --git a/changelog.d/2-wire-builds/zauth-wiab-demo-fix b/changelog.d/2-wire-builds/zauth-wiab-demo-fix deleted file mode 100644 index 8900b206d..000000000 --- a/changelog.d/2-wire-builds/zauth-wiab-demo-fix +++ /dev/null @@ -1 +0,0 @@ -Fixed: Changed from Ansible variable slicing (which failed with binary data) to file-based operations 
diff --git a/changelog.d/3-deploy-builds/cd-demo-wiab b/changelog.d/3-deploy-builds/cd-demo-wiab deleted file mode 100644 index 83dd6b2ac..000000000 --- a/changelog.d/3-deploy-builds/cd-demo-wiab +++ /dev/null @@ -1,2 +0,0 @@ -Added: enable cd-demo.sh to verify the demo-wiab builds -Changed: add a note in old demo-staging playbooks and scripts that they aren't up-to-date and to also check demo-wiab diff --git a/changelog.d/3-deploy-builds/cert-manager b/changelog.d/3-deploy-builds/cert-manager deleted file mode 100644 index 1556945b3..000000000 --- a/changelog.d/3-deploy-builds/cert-manager +++ /dev/null @@ -1 +0,0 @@ -Added: Enable cert-manager helm chart deployment with example values files diff --git a/changelog.d/3-deploy-builds/changes-in-cd b/changelog.d/3-deploy-builds/changes-in-cd deleted file mode 100644 index eb4852914..000000000 --- a/changelog.d/3-deploy-builds/changes-in-cd +++ /dev/null @@ -1,3 +0,0 @@ -Removed: github artifact dependency from offline.yml and simplified default-build process -Fixed: cd.sh for manual values patch for ingress-nginx-controller and cleaning s3 download logic -Fixed: Hetzner terraform to create a demo user and changes for soon to be deprecated VM types diff --git a/changelog.d/3-deploy-builds/demo-wiab-ansible-fixes b/changelog.d/3-deploy-builds/demo-wiab-ansible-fixes deleted file mode 100644 index 347bfec31..000000000 --- a/changelog.d/3-deploy-builds/demo-wiab-ansible-fixes +++ /dev/null 
@@ -1,12 +0,0 @@ -Fixed: ansible playbooks for demo-wiab for the tags -Fixed: ansible playbooks for demo-wiab for the directory usage -Changed: refactor deploy_wiab to have common inventory together and stop asset service post deploy -Added: hairpin_networking check and rules placement for demo_wiab deployments -Changed: refactor helm_install to have separate values processing and enable wire-utility deployment -Fixed: dependecy on yq-go and making docker installation idempotent -Changed: refactor iptables_rules, add additional checks for system and fix port ranges for calling -Added: added a check for SPF TXT record in verify_dns -Changed: docker load logic for zuath image, containers_adminhost and fixed expected kube_config path -Added: a separate playbook and tag to allow bringing old values in a demo_wiab deloyment -Fixed: calling components deployment and archiving old values when processing them -Changed: enable deployment of smtp, postgresql and kube-prometheus-stack, update artifact hash diff --git a/changelog.d/3-deploy-builds/demo-wiab-ansible-only b/changelog.d/3-deploy-builds/demo-wiab-ansible-only deleted file mode 100644 index d16158884..000000000 --- a/changelog.d/3-deploy-builds/demo-wiab-ansible-only +++ /dev/null 
@@ -1,8 +0,0 @@ -Fixed: the values for demo deployments as per new wiab process -Changed: introduced the flags for cert_manager, clean old kubectl commands and fix ansible tags -Changed: move helm values handling logic from offline_deploy_k8s.sh to wire_values, made it idempotent -Added: helm secrets handling moved from offline_deploy_k8s.sh to wire_secrets playbook, removed zauth container dependency -Changed: added helm and kubernetes packages to install_pkgs, converted native kubectl commands to ansible native tasks -Changed: improved wiab-demo documentation and refactored clean_cluster playbook according to new changes -Removed: zauth container from demo bundle, copy only offline-env.sh -Fixed: Pip --break-system-packages fix for k8s python module management and general optimzations diff --git a/changelog.d/3-deploy-builds/fix-chart-patching-broken-pipe b/changelog.d/3-deploy-builds/fix-chart-patching-broken-pipe deleted file mode 100644 index 53d0beb98..000000000 --- a/changelog.d/3-deploy-builds/fix-chart-patching-broken-pipe +++ /dev/null @@ -1 +0,0 @@ -Fixed: Chart patching script broken pipe error caused by set -euo pipefail interaction with non-zero return codes diff --git a/changelog.d/3-deploy-builds/fix-demo-inventory b/changelog.d/3-deploy-builds/fix-demo-inventory deleted file mode 100644 index 5225c7cda..000000000 --- a/changelog.d/3-deploy-builds/fix-demo-inventory +++ /dev/null @@ -1 +0,0 @@ -Fixed: fix the artifact for demo-wiab deployment diff --git a/changelog.d/3-deploy-builds/kubelet_log_path b/changelog.d/3-deploy-builds/kubelet_log_path deleted file mode 100644 index d34546b7b..000000000 --- a/changelog.d/3-deploy-builds/kubelet_log_path +++ /dev/null @@ -1 +0,0 @@ -Fixed: Update kubernetes_logging.yml to use the standard kubelet log path instead of Docker-specific paths. 
diff --git a/changelog.d/3-deploy-builds/move-repmgr-secret-to-k8s b/changelog.d/3-deploy-builds/move-repmgr-secret-to-k8s deleted file mode 100644 index 5e89cae5c..000000000 --- a/changelog.d/3-deploy-builds/move-repmgr-secret-to-k8s +++ /dev/null @@ -1 +0,0 @@ -Changed: PostgreSQL password management is now centralized in Kubernetes Secrets (repmgr and wire-server credentials) eliminating hardcoded passwords from inventory. diff --git a/changelog.d/3-deploy-builds/optimize-default-build-deploy-process b/changelog.d/3-deploy-builds/optimize-default-build-deploy-process deleted file mode 100644 index 90041f97c..000000000 --- a/changelog.d/3-deploy-builds/optimize-default-build-deploy-process +++ /dev/null @@ -1,5 +0,0 @@ -Changed: Optimize Wire offline deployment pipeline with parallel job execution and S3 direct downloads -Added: Retry logic with progressive server type fallbacks for Hetzner Cloud resource availability issues -Changed: Implement parallel terraform operations (15 parallelism) and fast SSH connection multiplexing -Changed: Move ansible execution directly to adminhost for faster private network connectivity -Changed: Reduce CI deployment time from 60+ minutes to ~30-40 minutes through parallel builds and optimized deployment process diff --git a/changelog.d/3-deploy-builds/pg_ha_cluster b/changelog.d/3-deploy-builds/pg_ha_cluster deleted file mode 100644 index fccc06593..000000000 --- a/changelog.d/3-deploy-builds/pg_ha_cluster +++ /dev/null @@ -1 +0,0 @@ -Added: PostgreSQL high availability cluster with repmgr diff --git a/changelog.d/3-deploy-builds/postgresql_repmgr_node_config b/changelog.d/3-deploy-builds/postgresql_repmgr_node_config deleted file mode 100644 index 161d93894..000000000 --- a/changelog.d/3-deploy-builds/postgresql_repmgr_node_config +++ /dev/null @@ -1 +0,0 @@ -Changed: remove repmgr_node_config from group_vars and put with node inventory 
diff --git a/changelog.d/3-deploy-builds/rabbitmq-external-example-file b/changelog.d/3-deploy-builds/rabbitmq-external-example-file deleted file mode 100644 index f9ac6c789..000000000 --- a/changelog.d/3-deploy-builds/rabbitmq-external-example-file +++ /dev/null @@ -1 +0,0 @@ -Add RabbitMq external example values file \ No newline at end of file diff --git a/changelog.d/3-deploy-builds/standardize-yq-version b/changelog.d/3-deploy-builds/standardize-yq-version deleted file mode 100644 index 57cadb69a..000000000 --- a/changelog.d/3-deploy-builds/standardize-yq-version +++ /dev/null @@ -1 +0,0 @@ -Changed: Standardized all scripts to use yq-go (v4+) for YAML processing, replacing deprecated python-yq. Updated syntax in offline deployment scripts (cd.sh, cd-with-retry.sh), build scripts (build_adminhost_containers.sh), demo deployment (offline_deploy_k8s.sh), secret sync utilities, and chart image extraction. This fixes CI build errors with helm template YAML parsing and ensures consistent, reliable YAML manipulation across the codebase. diff --git a/changelog.d/3-deploy-builds/update-cassandra-version b/changelog.d/3-deploy-builds/update-cassandra-version deleted file mode 100644 index 4d35d13cd..000000000 --- a/changelog.d/3-deploy-builds/update-cassandra-version +++ /dev/null @@ -1 +0,0 @@ -Changed: upgrade Cassandra from 3.11.16 to 3.11.19 and fix upgrade playbooks for Ansible 2.16+ compatibility and offline environments diff --git a/changelog.d/3-deploy-builds/update-wiab b/changelog.d/3-deploy-builds/update-wiab deleted file mode 100644 index 0b9088ee9..000000000 --- a/changelog.d/3-deploy-builds/update-wiab +++ /dev/null @@ -1 +0,0 @@ -Fixed: fix wiab for the zauth and demo-smtp change diff --git a/changelog.d/3-deploy-builds/wiab-staging b/changelog.d/3-deploy-builds/wiab-staging deleted file mode 100644 index 046d08f5b..000000000 --- a/changelog.d/3-deploy-builds/wiab-staging +++ /dev/null 
@@ -1,9 +0,0 @@ -Changed: offline-vm-setup.sh script now uses an ubuntu cloud image and local seed iso. -Added: now offline-vm-setup.sh waits on VMs to be alive, and health checks them. -Changed: Add ansible playbook for wiab-staging VM provisioning -Fixed: offline-deploy.sh for SSH_AUTH_SOCK handling and remove defunct passwords for postgresql -Added: terraform resources for wiab-staging -Added: cd_staging script to verify the default build bundle -Changed: changed the flow of offline.yml - introduced wiab-staging build and split bundle processing with default-build -Added: wiab-staging documentation to wire-server-deploy and fix coturn port ranges -Fixed: remove reference of hetzner-ci.example.yaml as it has been renamed to prod-values.example.yaml diff --git a/changelog.d/3-deploy-builds/wpb-17218 b/changelog.d/3-deploy-builds/wpb-17218 deleted file mode 100644 index 2875c6c25..000000000 --- a/changelog.d/3-deploy-builds/wpb-17218 +++ /dev/null @@ -1 +0,0 @@ -Added: Enable support for postgres deployment via ansible diff --git a/changelog.d/3-deploy-builds/wpb-18722-hardcoded-pass b/changelog.d/3-deploy-builds/wpb-18722-hardcoded-pass deleted file mode 100644 index 06f81129a..000000000 --- a/changelog.d/3-deploy-builds/wpb-18722-hardcoded-pass +++ /dev/null @@ -1 +0,0 @@ -Changed: Remove hardcoded PostgreSQL passwords from demo-secrets.example.yaml and automatically inject passwords from databases-ephemeral chart during deployment. Updated demo-setup.sh and bin/wiab-demo/offline_deploy_k8s.sh to retrieve and inject PostgreSQL passwords using --set flags. Add PR label-based build optimization to offline.yml workflow (use 'demo-only' or 'min-only' labels to skip unnecessary builds) diff --git a/changelog.d/3-deploy-builds/wpb-22405-git-lable b/changelog.d/3-deploy-builds/wpb-22405-git-lable deleted file mode 100644 index 230da6bd4..000000000 --- a/changelog.d/3-deploy-builds/wpb-22405-git-lable +++ /dev/null 
@@ -1 +0,0 @@ -Changed: offline workflow to require explicit labels for PR builds (build-default, build-demo, build-min, build-all); PRs without labels no longer trigger builds diff --git a/changelog.d/3-deploy-builds/wpb-22439-enable-rabbitmq-ansible b/changelog.d/3-deploy-builds/wpb-22439-enable-rabbitmq-ansible deleted file mode 100644 index 1d86cd0ae..000000000 --- a/changelog.d/3-deploy-builds/wpb-22439-enable-rabbitmq-ansible +++ /dev/null @@ -1 +0,0 @@ -Changed: Enable ansible based rabbitmq deployment and fix rabbitmq host accordingly for wire-server diff --git a/changelog.d/3-deploy-builds/wpb-22439-helm-operations b/changelog.d/3-deploy-builds/wpb-22439-helm-operations deleted file mode 100644 index e11aef9ee..000000000 --- a/changelog.d/3-deploy-builds/wpb-22439-helm-operations +++ /dev/null @@ -1,4 +0,0 @@ -Added: bin/helm-operations.sh to replace offline-helm to be more closer to our production instrcutions -Changed: bin/offline-secrets.sh to support helm-operations.sh script and add support for coturn secret -Changed: reduce replica count for sftd and coturn to support wiab-staging -Changed: make using daemonset with nodePort for ingress-nginx-controller default for prod and make load-balancer an example diff --git a/changelog.d/4-docs/dkim-docs b/changelog.d/4-docs/dkim-docs deleted file mode 100644 index 5fba7a388..000000000 --- a/changelog.d/4-docs/dkim-docs +++ /dev/null @@ -1 +0,0 @@ -Add documentation on how to set up DKIM for smtp in wire-server \ No newline at end of file diff --git a/changelog.d/4-docs/enable-changelog b/changelog.d/4-docs/enable-changelog deleted file mode 100644 index 71ea2fca1..000000000 --- a/changelog.d/4-docs/enable-changelog +++ /dev/null @@ -1 +0,0 @@ -Added: Enable changelog management in wire-server-deploy diff --git a/changelog.d/4-docs/fix-private-ca-docs b/changelog.d/4-docs/fix-private-ca-docs deleted file mode 100644 index 902c1e19c..000000000 --- a/changelog.d/4-docs/fix-private-ca-docs +++ /dev/null 
@@ -1 +0,0 @@
-Fixed: documentation for nginx-ingress-services with private certs
diff --git a/changelog.d/4-docs/fix-wiab-docs b/changelog.d/4-docs/fix-wiab-docs
deleted file mode 100644
index 3b5fbb9b2..000000000
--- a/changelog.d/4-docs/fix-wiab-docs
+++ /dev/null
@@ -1 +0,0 @@
-Fixed: Fixed wiab-staging documentation
diff --git a/changelog.d/4-docs/rename-postgresql-cleanup b/changelog.d/4-docs/rename-postgresql-cleanup
deleted file mode 100644
index 8787870ad..000000000
--- a/changelog.d/4-docs/rename-postgresql-cleanup
+++ /dev/null
@@ -1 +0,0 @@
-Changed: renamed clean_existing_setup.yml to postgresql-cleanup.yml and updated documentation to clarify cleanup only resets HA cluster configuration without deleting PostgreSQL data
diff --git a/changelog.d/5-bug-fixes/fix-changelog-for-cotrun b/changelog.d/5-bug-fixes/fix-changelog-for-cotrun
deleted file mode 100644
index 393053eb5..000000000
--- a/changelog.d/5-bug-fixes/fix-changelog-for-cotrun
+++ /dev/null
@@ -1 +0,0 @@
-Fixed: Include cotrun chart in the default bundle
diff --git a/changelog.d/5-bug-fixes/fix-changelog-for-zebot b/changelog.d/5-bug-fixes/fix-changelog-for-zebot
deleted file mode 100644
index 68395dcf0..000000000
--- a/changelog.d/5-bug-fixes/fix-changelog-for-zebot
+++ /dev/null
@@ -1,2 +0,0 @@
-Fixed: fixed changelog-verify.yml workflow to allow Zebot pushes to master
-
\ No newline at end of file
diff --git a/changelog.d/5-bug-fixes/fix-postgres-exporter-auth b/changelog.d/5-bug-fixes/fix-postgres-exporter-auth
deleted file mode 100644
index 6b5111959..000000000
--- a/changelog.d/5-bug-fixes/fix-postgres-exporter-auth
+++ /dev/null
@@ -1 +0,0 @@
-Fixed: add localhost authentication for postgres_exporter to access postgres database, upgrade to v0.18.1, and enable stat_checkpointer collector for PostgreSQL 17 checkpoint metrics
diff --git a/changelog.d/5-bug-fixes/fix-postgresql-atomic-installation b/changelog.d/5-bug-fixes/fix-postgresql-atomic-installation
deleted file mode 100644
index 449d311d5..000000000
--- a/changelog.d/5-bug-fixes/fix-postgresql-atomic-installation
+++ /dev/null
@@ -1 +0,0 @@
-Fixed: postgresql package installation dependency conflicts by installing packages atomically
diff --git a/changelog.d/5-bug-fixes/fix-postgresql-upgrade-detection b/changelog.d/5-bug-fixes/fix-postgresql-upgrade-detection
deleted file mode 100644
index 31311b683..000000000
--- a/changelog.d/5-bug-fixes/fix-postgresql-upgrade-detection
+++ /dev/null
@@ -1 +0,0 @@
-Fixed: postgresql package installation now detects version mismatches and performs upgrades instead of skipping already-installed packages
diff --git a/changelog.d/5-bug-fixes/fix-postgresql-version-detection b/changelog.d/5-bug-fixes/fix-postgresql-version-detection
deleted file mode 100644
index 377683907..000000000
--- a/changelog.d/5-bug-fixes/fix-postgresql-version-detection
+++ /dev/null
@@ -1 +0,0 @@
-Fixed: postgresql package version detection for postgresql-common packages preventing false upgrade warnings
diff --git a/changelog.d/5-bug-fixes/redis-ephemeral b/changelog.d/5-bug-fixes/redis-ephemeral
deleted file mode 100644
index 94f4bfa4d..000000000
--- a/changelog.d/5-bug-fixes/redis-ephemeral
+++ /dev/null
@@ -1 +0,0 @@
-Changed: example values for `redis-ephemeral` to follow upcoming release.
diff --git a/changelog.d/5-bug-fixes/remove-migrate-job b/changelog.d/5-bug-fixes/remove-migrate-job
deleted file mode 100644
index 656e5222c..000000000
--- a/changelog.d/5-bug-fixes/remove-migrate-job
+++ /dev/null
@@ -1 +0,0 @@
-Remove unneccesary migrate-features.yaml which is failing sonarqube analysis
\ No newline at end of file
diff --git a/changelog.d/5-bug-fixes/standardize-features b/changelog.d/5-bug-fixes/standardize-features
deleted file mode 100644
index 8601b0a0a..000000000
--- a/changelog.d/5-bug-fixes/standardize-features
+++ /dev/null
@@ -1,3 +0,0 @@
-Added: missing webapp feature flags to webapp example values
-Added: config for MLS deployment into example files
-Added: config for Federation deployment into example files

From 6d61a05720f1f1876ec0653e07cc0fb60cf74826 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Thu, 5 Mar 2026 12:14:23 +0100
Subject: [PATCH 05/13] Fixed: debug_logs.sh to log only the pods for default and cert-manager-ns namespace and limit log lines

---
 bin/debug_logs.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/debug_logs.sh b/bin/debug_logs.sh
index 8a40701b3..6660cd22a 100755
--- a/bin/debug_logs.sh
+++ b/bin/debug_logs.sh
@@ -4,14 +4,14 @@ set -euo pipefail
 echo "Printing all pods status"
 kubectl get pods --all-namespaces
 echo "------------------------------------"
-namespaces=$(kubectl get ns -o=jsonpath='{.items[*].metadata.name}')
+namespaces="cert-manager-ns default"
 echo "Namespaces = $namespaces"
 for ns in $namespaces; do
-    pods=$(kubectl get pods --all-namespaces -o=jsonpath='{.items[*].metadata.name}')
+    pods=$(kubectl get pods -n $ns -o=jsonpath='{.items[*].metadata.name}')
     echo "Pods in namespace: $ns = $pods"
     for pod in $pods; do
         echo "Logs for pod: $pod"
-        kubectl logs --all-containers -n "$ns" "$pod" || true
+        kubectl logs --tail 30 --all-containers -n "$ns" "$pod" || true
         echo "Description for pod: $pod"
         kubectl describe pod -n "$ns" "$pod" || true
         echo "------------------------------------"

From 5e833f23c99a075c9587365b819e4a6da84af534 Mon Sep 17 00:00:00 2001
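Review bot: With `set -euo pipefail` at the top of this script and no `|| true` on the assignment, `pods=$(kubectl get pods -n $ns ...)` aborts the whole dump as soon as one of the now hard-coded namespaces does not exist, and because `cert-manager-ns` comes first in `namespaces="cert-manager-ns default"`, a cluster deployed with cert-manager disabled (which patch 06 makes possible via `DEPLOY_CERT_MANAGER=FALSE`) never gets its `default` namespace logs printed at all. Making the lookup best-effort, like the two kubectl calls below it already are, keeps the loop going: `pods=$(kubectl get pods -n "$ns" -o=jsonpath='{.items[*].metadata.name}' 2>/dev/null || true)`. The quoting-only change to the same line in patch 10 does not address this.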
From: mohitrajain
Date: Thu, 5 Mar 2026 12:16:11 +0100
Subject: [PATCH 06/13] fixed: env vars to helm_operations.sh to improve UX while configuring variables, added: enabled debug_logs.sh on helm install failures (helm_operations.sh) with a flag DUMP_LOGS_ON_FAIL, Fixed: sync_pg_secrets operation in helm_operations.sh and clean the deploy_charts logic, Added: wait and timeout on cert-manager and calling_services helm chart operations

---
 bin/helm-operations.sh | 85 +++++++++++++++++++++++++++---------------
 1 file changed, 54 insertions(+), 31 deletions(-)

diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh
index b95ac416c..ad82ff671 100755
--- a/bin/helm-operations.sh
+++ b/bin/helm-operations.sh
@@ -3,17 +3,33 @@ set -Eeo pipefail
 
 # Read values from environment variables with defaults
-BASE_DIR="/wire-server-deploy"
-TARGET_SYSTEM="example.dev"
-CERT_MASTER_EMAIL="certmaster@${TARGET_SYSTEM}"
+BASE_DIR="${BASE_DIR:-/wire-server-deploy}"
+TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}"
+CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"
+
+# DEPLOY_CERT_MANAGER env variable to decide to check if cert_manager and nginx-ingress-services charts should get deployed
+# default is set to TRUE to deploy it unless changed
+DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER:-TRUE}"
+
+# DUMP_LOGS_ON_FAIL to dump logs on failure
+# it is false by default
+DUMP_LOGS_ON_FAIL="${DUMP_LOGS_ON_FAIL:-FALSE}"
 
 
 # this IP should match the DNS A record value for TARGET_SYSTEM
 # assuming it to be the public address used by clients to reach public Address
-HOST_IP=""
+HOST_IP="${HOST_IP:-}"
+
 if [ -z "$HOST_IP" ]; then
     HOST_IP=$(wget -qO- https://api.ipify.org)
 fi
 
+function dump_debug_logs {
+    if [[ "$DUMP_LOGS_ON_FAIL" == "TRUE" ]]; then
+        $BASE_DIR/bin/debug_logs.sh
+    fi
+}
+trap dump_debug_logs ERR
+
 # picking a node for calling traffic (3rd kube worker node)
 CALLING_NODE=$(kubectl get nodes --no-headers | tail -n 1 | awk '{print $1}')
 if [[ -z "$CALLING_NODE" ]]; then
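Review bot: The new default for `CERT_MASTER_EMAIL` is not written in the `${VAR:-default}` form: `"certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"` expands the variable inside a literal string, so with nothing set in the environment it evaluates to `certmaster@:-certmaster@example.com`, and with `CERT_MASTER_EMAIL=ops@example.org` it evaluates to `certmaster@ops@example.org:-certmaster@example.com`; either way the value later handed to the cert-manager configuration is not a valid address. It should read `CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@${TARGET_SYSTEM}}"`, matching the two lines above it. The `ERR` trap and `dump_debug_logs` look fine given `set -E` is already enabled; the unquoted `$BASE_DIR` there is fixed in patch 10.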
@@ -21,6 +37,20 @@ if [[ -z "$CALLING_NODE" ]]; then
     exit 1
 fi
 
+sync_pg_secrets() {
+    echo "Retrieving PostgreSQL password from databases-ephemeral for wire-server deployment..."
+    if kubectl get secret wire-postgresql-external-secret &>/dev/null; then
+        # Usage: sync-k8s-secret-to-wire-secrets.sh
+        "$BASE_DIR/bin/sync-k8s-secret-to-wire-secrets.sh" \
+            wire-postgresql-external-secret password \
+            "$BASE_DIR/values/wire-server/secrets.yaml" \
+            .brig.secrets.pgPassword .galley.secrets.pgPassword
+    else
+        echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync"
+        echo " Make sure databases-ephemeral chart is deployed before wire-server"
+    fi
+}
+
 # Creates values.yaml from prod-values.example.yaml and secrets.yaml from prod-secrets.example.yaml
 # Works on all chart directories in $BASE_DIR/values/
 process_values() {
@@ -136,22 +166,6 @@ deploy_charts() {
         helm_command+=" --values $secrets_file"
     fi
 
-    # handle wire-server to inject PostgreSQL password from databases-ephemeral
-    if [[ "$chart" == "wire-server" ]]; then
-
-        echo "Retrieving PostgreSQL password from databases-ephemeral for wire-server deployment..."
-        if kubectl get secret wire-postgresql-secret &>/dev/null; then
-            # Usage: sync-k8s-secret-to-wire-secrets.sh
-            "$BASE_DIR/bin/sync-k8s-secret-to-wire-secrets.sh" \
-                wire-postgresql-secret password \
-                "$BASE_DIR/values/wire-server/secrets.yaml" \
-                .brig.secrets.pgPassword .galley.secrets.pgPassword
-        else
-            echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync"
-            echo " Make sure databases-ephemeral chart is deployed before wire-server"
-        fi
-    fi
-
     echo "Deploying $chart as $helm_command"
     eval "$helm_command"
 done
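Review bot: `sync_pg_secrets` writes only `.brig.secrets.pgPassword .galley.secrets.pgPassword`, while the block it replaces in `bin/offline-deploy.sh` (patch 07, the hunk that ends at the new `sh -c '...'` line) also synced `.spar.secrets.pgPassword` and `.gundeck.secrets.pgPassword`; unless spar and gundeck no longer read that key, those two services are now deployed with whatever placeholder `prod-secrets.example.yaml` carries. The else branch also names the wrong secret, `'wire-postgresql-secret'`, while the check two lines above looks for `wire-postgresql-external-secret`, which will send anyone debugging a failed sync to the wrong object. Suggested: extend the argument list to `.brig.secrets.pgPassword .galley.secrets.pgPassword .spar.secrets.pgPassword .gundeck.secrets.pgPassword` and make the warning quote `wire-postgresql-external-secret`.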
@@ -163,7 +177,7 @@ deploy_charts() {
 
 deploy_cert_manager() {
     kubectl get namespace cert-manager-ns || kubectl create namespace cert-manager-ns
-    helm upgrade --install -n cert-manager-ns cert-manager "$BASE_DIR/charts/cert-manager" --values "$BASE_DIR/values/cert-manager/values.yaml"
+    helm upgrade --install --wait --timeout=5m0s -n cert-manager-ns cert-manager "$BASE_DIR/charts/cert-manager" --values "$BASE_DIR/values/cert-manager/values.yaml"
 
     # display running pods
     kubectl get pods --sort-by=.metadata.creationTimestamp -n cert-manager-ns
@@ -174,36 +188,45 @@ deploy_calling_services() {
     echo "Deploying sftd and coturn"
     # select the node to deploy sftd
     kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite
-    helm upgrade --install sftd "$BASE_DIR/charts/sftd" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/sftd/values.yaml"
+    helm upgrade --install --wait --timeout=5m0s sftd "$BASE_DIR/charts/sftd" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/sftd/values.yaml"
     kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite
-    helm upgrade --install coturn "$BASE_DIR/charts/coturn" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/coturn/values.yaml" --values "$BASE_DIR/values/coturn/secrets.yaml"
+    helm upgrade --install --wait --timeout=5m0s coturn "$BASE_DIR/charts/coturn" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/coturn/values.yaml" --values "$BASE_DIR/values/coturn/secrets.yaml"
+
+    # display running pods post deploying all helm charts in default namespace
+    kubectl get pods --sort-by=.metadata.creationTimestamp
 }
 
 main() {
+    # Create prod-values.example.yaml to values.yaml and take backup
     process_values "prod" "values"
 
     # Create prod-secrets.example.yaml to secrets.yaml and take backup
     process_values "prod" "secrets"
 
+# Sync postgresql secret
+sync_pg_secrets
+
 # configure chart specific variables for each chart in values.yaml file
 configure_values
 
 # deploying with external datastores, useful for prod setup
 deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller
 
-# deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured
-deploy_cert_manager
+# deploying cert-manager only when the 
env var DEPLOY_CERT_MANAGER is set to TRUE
+if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then
+    # deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured
+    deploy_cert_manager
-
-# nginx-ingress-services chart needs cert-manager to be deployed
-deploy_charts nginx-ingress-services
+    # nginx-ingress-services chart needs cert-manager to be deployed
+    deploy_charts nginx-ingress-services
+
+    # print status of certs
+    kubectl get certificate
+fi
 
 # deploying sft and coturn services
-# not implemented yet
 deploy_calling_services
-
-# print status of certs
-kubectl get certificate
 }
 
 main

From d22b40b725321deb6a0dfbdb274a30167396fb70 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Thu, 5 Mar 2026 12:16:32 +0100
Subject: [PATCH 07/13] Fixed: offline-cluster.sh to run helm-operations.sh using new env vars and with default DUMP_LOGS_ON_FAIL=TRUE

---
 bin/offline-deploy.sh | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/bin/offline-deploy.sh b/bin/offline-deploy.sh
index 33dba374a..3bede967a 100755
--- a/bin/offline-deploy.sh
+++ b/bin/offline-deploy.sh
@@ -41,15 +41,4 @@ fi
 
 $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh
 
-# Sync PostgreSQL password from K8s secret to secrets.yaml
-echo "Syncing PostgreSQL password from Kubernetes secret..."
-sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \
-    wire-postgresql-external-secret \
-    password \
-    values/wire-server/prod-secrets.example.yaml \
-    .brig.secrets.pgPassword \
-    .galley.secrets.pgPassword \
-    .spar.secrets.pgPassword \
-    .gundeck.secrets.pgPassword
-
-sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/helm-operations.sh
+sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" DEPLOY_CERT_MANAGER=TRUE DUMP_LOGS_ON_FAIL=TRUE ./bin/helm-operations.sh'
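Review bot: In `main`, `sync_pg_secrets` now runs before `deploy_charts ... databases-ephemeral ... wire-server ...`, whereas the code it replaces ran the sync inside `deploy_charts` immediately before the wire-server install, and nothing in the hunk says which component creates `wire-postgresql-external-secret`. If it is created by `offline-cluster.sh` (the removed ordering in `bin/offline-deploy.sh` suggests so) the new placement is fine and only the function's "databases-ephemeral" wording is stale; if it is created by the `databases-ephemeral` chart as that wording claims, a first run takes the warning branch and wire-server is deployed with the placeholder password. A one-line comment above the call would settle it for the next reader, e.g. `# requires wire-postgresql-external-secret (created by <COMPONENT>) to exist before this point`. In the `bin/offline-deploy.sh` hunk, `TARGET_SYSTEM` and `CERT_MASTER_EMAIL` are hard-coded inside the `sh -c` string, so the new env-var support in `helm-operations.sh` is not reachable from this entry point; passing them through, `TARGET_SYSTEM="${TARGET_SYSTEM:-example.dev}"`, would keep the default while allowing an override.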
From 268c81a9e2fca76a2baa63cb5e3d4ad08845f3b2 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 5 Mar 2026 12:16:53 +0100 Subject: [PATCH 08/13] Fixed: documentation for wiab-staging.md based on a user feedback --- offline/wiab-staging.md | 133 +++++++++++++++++++++++----------------- 1 file changed, 76 insertions(+), 57 deletions(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 1fa85aef9..4165e5711 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md @@ -90,6 +90,7 @@ We need the whole ansible directory as ansible-playbook uses some templates for **Option A: Download as ZIP** ```bash +# requirements: wget and unzip wget https://github.com/wireapp/wire-server-deploy/archive/refs/heads/master.zip unzip master.zip cd wire-server-deploy-master @@ -97,6 +98,7 @@ cd wire-server-deploy-master **Option B: Clone with Git** ```bash +# requirements: git git clone https://github.com/wireapp/wire-server-deploy.git cd wire-server-deploy ``` @@ -105,7 +107,7 @@ cd wire-server-deploy A sample inventory is available at [ansible/inventory/demo/wiab-staging.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/wiab-staging.yml). -*Note: Replace example.com with your physical machine address where KVM is available and adjust other variables accordingly.* +*Note: Replace example.com with your physical machine address where KVM is available and adjust other variables like ansible_user and ansible_ssh_private_key_file. The SSH user for ansible `ansible_user` should have password-less `sudo` access. The physical host should be running Ubuntu 22.04.* **Step 3: Run the VM and network provision** 
@@ -140,7 +142,7 @@ Since the inventory is ready, please continue with the following steps: ### Helm Operations to install wire services and supporting helm charts -**Helm chart deployment (automated):** The script `bin/helm-operations.sh` will deploy the charts for you. It prepares `values.yaml`/`secrets.yaml`, customizes them for your domain/IPs, then runs Helm installs/upgrades in the correct order. +**Helm chart deployment (automated):** The script `bin/helm-operations.sh` will deploy the charts for you. It prepares `values.yaml`/`secrets.yaml`, customizes them for your domain/IPs, then runs Helm installs/upgrades in the correct order. Prepare the values before running it. **User-provided inputs (set these before running):** - `TARGET_SYSTEM`: your domain (e.g., `wire.example.com` or `example.dev`). 
@@ -149,11 +151,15 @@ Since the inventory is ready, please continue with the following steps: **TLS / certificate behavior (cert-manager vs. Bring Your Own):** - By default, `bin/helm-operations.sh` runs `deploy_cert_manager`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. -- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)** or you cannot satisfy HTTP-01 requirements), disable this step by commenting out the `deploy_cert_manager` call inside `bin/helm-operations.sh`. - - After disabling cert-manager, ensure your ingress is configured with your own TLS secret(s) as described in the TLS documentation below. +- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing env variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`. + - When choosing `DEPLOY_CERT_MANAGER=FALSE`, ensure your ingress is configured with your own TLS secret(s) as described at [Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates). + - When choosing `DEPLOY_CERT_MANAGER=TRUE`, ensure if further network configuration is required by following [cert-manager behaviour in NAT / bridge environments](#cert-manager-behaviour-in-nat--bridge-environments). 
-**To run the automated helm chart deployment**: -`d ./bin/helm-operations.sh` +**To run the automated helm chart deployment with your variables**: +```bash +# example command - verify the variables before running it +d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" DEPLOY_CERT_MANAGER=TRUE ./bin/helm-operations.sh' +``` **Charts deployed by the script:** - External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. 
@@ -223,57 +229,70 @@ calling_node_ip=192.168.122.13 inf_wan=eth0 ``` -> **Note (cert-manager & hairpin NAT):** -> When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin (Pod → Node → host public IP → DNAT → Node → Ingress). -> If your nftables rules DNAT in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts, resulting in certificate verification failure. -> Additionally, strict `rp_filter` can drop asymmetric return packets. -> If cert-manager is deployed in a NAT/bridge (`virbr0`) environment, first verify whether certificate issuance is failing before applying hairpin handling. -> Check whether certificates are successfully issued: -> ```bash -> d kubectl get certificates -> ``` -> If certificates are not in `Ready=True` state, inspect cert-manager logs for HTTP-01 self-check or timeout errors: -> ```bash -> d kubectl logs -n cert-manager-ns -> ``` -> If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge environment, hairpin SNAT and relaxed reverse-path filtering handling may be required. - > - Relax reverse-path filtering to loose mode to allow asymmetric flows: - > ```bash - > sudo sysctl -w net.ipv4.conf.all.rp_filter=2 - > sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 - > ``` - > These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (virbr0) environments. - > - > - Enable Hairpin SNAT (temporary for cert-manager HTTP-01): - > ```bash - > sudo nft insert rule ip nat POSTROUTING position 0 \ - > iifname "virbr0" oifname "virbr0" \ - > ip daddr 192.168.122.0/24 ct status dnat \ - > counter masquerade \ - > comment "wire-hairpin-dnat-virbr0" - > ``` - > This forces DNATed traffic that hairpins over the bridge to be masqueraded, ensuring return traffic flows back through the host and conntrack can correctly reverse the DNAT. 
- > Verify the rule was added: - > ```bash - > sudo nft list chain ip nat POSTROUTING - > ``` - > You should see a rule similar to: - > ``` - > iifname "virbr0" oifname "virbr0" ip daddr 192.168.122.0/24 ct status dnat counter masquerade # handle - > ``` - > - > - Remove the rule after certificates are issued - > ```bash - > d kubectl get certificates - > ``` - > - Once Let's Encrypt validation completes and certificates are issued, remove the temporary hairpin SNAT rule. Use the following pipeline to locate the rule handle and delete it safely: - > ```bash - > sudo nft list chain ip nat POSTROUTING | \ - > grep wire-hairpin-dnat-virbr0 | \ - > sed -E 's/.*handle ([0-9]+).*/\1/' | \ - > xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} - > ``` - +### cert-manager behaviour in NAT / bridge environments + +When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin: + +- Pod → Node → host public IP → DNAT → Node → Ingress + +In NAT/bridge setups (for example, using `virbr0` on the host): + +- If nftables rules DNAT in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts and certificate verification failures. +- Strict `rp_filter` can drop asymmetric return packets. + +Before changing anything, first verify whether certificate issuance is actually failing: + +1. Check whether certificates are successfully issued: + ```bash + d kubectl get certificates + ``` +2. If certificates are not in `Ready=True` state, inspect cert-manager logs for HTTP-01 self-check or timeout errors: + ```bash + d kubectl logs -n cert-manager-ns + ``` + +If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge environment, hairpin SNAT and relaxed reverse-path filtering handling may be required. 
One possible approach is: + +- Relax reverse-path filtering to loose mode to allow asymmetric flows: + ```bash + sudo sysctl -w net.ipv4.conf.all.rp_filter=2 + sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 + ``` + These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (`virbr0`) environments. + +- Enable Hairpin SNAT (temporary for cert-manager HTTP-01): + ```bash + sudo nft insert rule ip nat POSTROUTING position 0 \ + iifname "virbr0" oifname "virbr0" \ + ip daddr 192.168.122.0/24 ct status dnat \ + counter masquerade \ + comment "wire-hairpin-dnat-virbr0" + ``` + This forces DNATed traffic that hairpins over the bridge to be masqueraded, ensuring return traffic flows back through the host and conntrack can correctly reverse the DNAT. + + Verify the rule was added: + ```bash + sudo nft list chain ip nat POSTROUTING + ``` + You should see a rule similar to: + ``` + iifname "virbr0" oifname "virbr0" ip daddr 192.168.122.0/24 ct status dnat counter masquerade # handle + ``` + +- Remove the rule after certificates are issued, confirm by running the following: + ```bash + d kubectl get certificates + ``` + + Once Let’s Encrypt validation completes and certificates are issued, remove the temporary hairpin SNAT rule. Use the following pipeline to locate the rule handle and delete it safely: + ```bash + sudo nft -a list chain ip nat POSTROUTING | \ + grep wire-hairpin-dnat-virbr0 | \ + sed -E 's/.*handle ([0-9]+).*/\1/' | \ + xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} + ``` + +For additional background on when hairpin NAT is required and how it relates to WIAB Dev and WIAB Staging, see [Hairpin networking for WIAB Dev and WIAB Staging](tls-certificates.md#hairpin-networking-for-wiab-dev-and-wiab-staging). ## Further Reading From c92f735de1daf5904b677d8165498fca4ac9cb2e Mon Sep 17 00:00:00 2001 
From: mohitrajain
Date: Thu, 5 Mar 2026 12:17:20 +0100
Subject: [PATCH 09/13] Fixed: sftd helm chart values for joinCall component which fails to find hashbased images

---
 changelog.d/3-deploy-builds/minor-deploy-fixes | 8 ++++++++
 values/sftd/demo-values.example.yaml | 4 ++++
 values/sftd/prod-values.example.yaml | 10 ++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 changelog.d/3-deploy-builds/minor-deploy-fixes

diff --git a/changelog.d/3-deploy-builds/minor-deploy-fixes b/changelog.d/3-deploy-builds/minor-deploy-fixes
new file mode 100644
index 000000000..c27d2b844
--- /dev/null
+++ b/changelog.d/3-deploy-builds/minor-deploy-fixes
@@ -0,0 +1,8 @@
+Fixed: debug_logs.sh to log only the pods for default and cert-manager-ns namespace and limit log lines
+Added: enabled debug_logs.sh on helm install failures (helm_operations.sh) with a flag DUMP_LOGS_ON_FAIL
+Added: env vars to helm_operations.sh to improve UX while configuring variables
+Fixed: sync_pg_secrets operation in helm_operations.sh and clean the deploy_charts logic
+Added: wait and timeout on cert-manager and calling_services helm chart operations
+Fixed: offline-cluster.sh to run helm-operations.sh using new env vars and with default DUMP_LOGS_ON_FAIL=TRUE
+Fixed: documentation for wiab-staging.md based on a user feedback
+Fixed: sftd helm chart values for joinCall component which fails to find hashbased images
diff --git a/values/sftd/demo-values.example.yaml b/values/sftd/demo-values.example.yaml
index 566db6bc4..91dc2c885 100644
--- a/values/sftd/demo-values.example.yaml
+++ b/values/sftd/demo-values.example.yaml
@@ -3,6 +3,10 @@ host: sftd.example.com
 replicaCount: 1
 joinCall:
   replicaCount: 1
+  image:
+    repository: docker.io/bitnamilegacy/nginx
+    pullPolicy: IfNotPresent
+    tag: "1.27.3-debian-12-r5"
 tls:
   issuerRef:
     name: letsencrypt-http01
diff --git a/values/sftd/prod-values.example.yaml b/values/sftd/prod-values.example.yaml
index ac48178f3..1c2374f9e 100644
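Review bot: Both this demo hunk and the `prod-values.example.yaml` hunk in the next file pin the `joinCall` image to `docker.io/bitnamilegacy/nginx` by tag only (`tag: "1.27.3-debian-12-r5"`). As far as I know the `bitnamilegacy` namespace is the frozen archive Bitnami moved its public images to and it receives no further builds, so this user-facing nginx will stay on that exact build unless someone bumps the tag by hand; if the sftd chart supports an image digest, pinning by `@sha256:<DIGEST>` (placeholder) would make the reference reproducible, and either way a comment above `image:` explaining why the chart's default hash-based image was replaced (the commit message says it could not be found) would stop the next maintainer from reverting it. In the prod file the two explanatory comments sit at column 0 between `joinCall:` and `replicaCount: 1`; indenting them to the key they describe reads better and avoids looking like a stray top-level comment.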
--- a/values/sftd/prod-values.example.yaml
+++ b/values/sftd/prod-values.example.yaml
@@ -9,6 +9,16 @@ tls:
   issuerRef:
     name: letsencrypt-http01
     kind: ClusterIssuer
+
+joinCall:
+# this value should be set to 3 when deployed in a full production DMZ manner
+# replicaCount = 1 is to support the simple wiab-staging solution
+  replicaCount: 1
+  image:
+    repository: docker.io/bitnamilegacy/nginx
+    pullPolicy: IfNotPresent
+    tag: "1.27.3-debian-12-r5"
+
 # Uncomment to enable SFT to SFT communication for federated calls
 # multiSFT:
 #   enabled: true

From de6316109a163e5b27e3956b0afae7aea2c45449 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Thu, 5 Mar 2026 15:50:48 +0100
Subject: [PATCH 10/13] fix: update bash scripts for issues highlighted by linting and update the wiab-staging artifact hash

---
 ansible/inventory/demo/wiab-staging.yml | 2 +-
 bin/debug_logs.sh | 2 +-
 bin/helm-operations.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml
index 7652ce731..3ddf4aa6f 100644
--- a/ansible/inventory/demo/wiab-staging.yml
+++ b/ansible/inventory/demo/wiab-staging.yml
@@ -6,4 +6,4 @@ wiab-staging:
       ansible_user: 'demo'
       ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
   vars:
-    artifact_hash: f1f624256bdab0f9f76158c7f45e0618ee641237
+    artifact_hash: 78a52d4686b6de91853d715fd08ef42fe8e2fd20
diff --git a/bin/debug_logs.sh b/bin/debug_logs.sh
index 6660cd22a..3138e025f 100755
--- a/bin/debug_logs.sh
+++ b/bin/debug_logs.sh
@@ -7,7 +7,7 @@ echo "------------------------------------"
 namespaces="cert-manager-ns default"
 echo "Namespaces = $namespaces"
 for ns in $namespaces; do
-    pods=$(kubectl get pods -n $ns -o=jsonpath='{.items[*].metadata.name}')
+    pods=$(kubectl get pods -n "$ns" -o=jsonpath='{.items[*].metadata.name}')
     echo "Pods in namespace: $ns = $pods"
     for pod in $pods; do
         echo "Logs for pod: $pod"
diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh
index ad82ff671..4baca7533 100755
--- a/bin/helm-operations.sh
+++ b/bin/helm-operations.sh
@@ -25,7 +25,7 @@ fi
 
 function dump_debug_logs {
     if [[ "$DUMP_LOGS_ON_FAIL" == "TRUE" ]]; then
-        $BASE_DIR/bin/debug_logs.sh
+        "$BASE_DIR"/bin/debug_logs.sh
     fi
 }
 trap dump_debug_logs ERR

From 20f142dadd1d7755cb0d47d98c65d287b4baf6b6 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Fri, 6 Mar 2026 16:09:06 +0100
Subject: [PATCH 11/13] patched documentation further

---
 offline/wiab-staging.md | 35 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md
index 4165e5711..c16900751 100644
--- a/offline/wiab-staging.md
+++ b/offline/wiab-staging.md
@@ -107,7 +107,7 @@ cd wire-server-deploy
 
 A sample inventory is available at [ansible/inventory/demo/wiab-staging.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/wiab-staging.yml).
 
-*Note: Replace example.com with your physical machine address where KVM is available and adjust other variables like ansible_user and ansible_ssh_private_key_file. The SSH user for ansible `ansible_user` should have password-less `sudo` access. The physical host should be running Ubuntu 22.04.*
+*Note: Replace example.com with your physical machine (adminhost) address where KVM is available and adjust other variables like ansible_user and ansible_ssh_private_key_file. The SSH user for ansible `ansible_user` should have password-less `sudo` access. The physical host should be running Ubuntu 22.04.*
 
 **Step 3: Run the VM and network provision**
@@ -127,6 +127,8 @@ Ensure the inventory file `ansible/inventory/offline/inventory.yml` in the direc Since the inventory is ready, please continue with the following steps: +> **Note**: All next steps assume that the wire-server-deploy artifact has been downloaded on the `adminhost` (your physical machine) and extracted at `/home/ansible_user/wire-server-deploy`. All commands from here on will be issued from this directory on the `adminhost`, ssh on the node before proceeding. + ### Environment Setup - **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** @@ -150,7 +152,7 @@ Since the inventory is ready, please continue with the following steps: - `HOST_IP`: public IP that matches your DNS A record (auto-detected if empty). **TLS / certificate behavior (cert-manager vs. Bring Your Own):** -- By default, `bin/helm-operations.sh` runs `deploy_cert_manager`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. +- By default, `bin/helm-operations.sh` has `DEPLOY_CERT_MANAGER=TRUE`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. - If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing env variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`. - When choosing `DEPLOY_CERT_MANAGER=FALSE`, ensure your ingress is configured with your own TLS secret(s) as described at [Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates). - When choosing `DEPLOY_CERT_MANAGER=TRUE`, ensure if further network configuration is required by following [cert-manager behaviour in NAT / bridge environments](#cert-manager-behaviour-in-nat--bridge-environments). 
@@ -162,7 +164,7 @@ d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev"
 ```
 
 **Charts deployed by the script:**
-- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`.
+- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`.
 - Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`, `smallstep-accomp`.
 - Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`.
 - Calling services: `sftd`, `coturn`.
@@ -171,23 +173,17 @@ d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" - Creates `values.yaml` and `secrets.yaml` from `prod-values.example.yaml` and `prod-secrets.example.yaml` for each chart under `values/`. - Backs up any existing `values.yaml`/`secrets.yaml` before replacing them. -**Values configured by the script:** -- Replaces `example.com` with `TARGET_SYSTEM` in Wire and webapp hostnames. -- Enables cert-manager and sets `certmasterEmail` using `CERT_MASTER_EMAIL`. -- Sets SFTD hosts and switches issuer to `letsencrypt-http01`. -- Sets coturn listen/relay/external IPs using the calling node IP and `HOST_IP`. - *Note: The `bin/helm-operations.sh` script above deploys these charts; you do not need to run the Helm commands manually unless you want to customize or debug.* ## Network Traffic Configuration ### Bring traffic from the physical machine to Wire services in the k8s cluster -If you used the Ansible playbook earlier, nftables firewall rules are pre-configured to forward traffic. If you set up VMs manually with your own hypervisor, you must manually configure network traffic flow using nftables. +If you used the Ansible playbook earlier, nftables firewall rules are pre-configured to forward traffic. If you set up VMs manually with your own hypervisor, you must manually configure network traffic flow using nftables as descibed below. **Required Network Configuration:** -The physical machine must forward traffic from external clients to the Kubernetes cluster running Wire services. This involves: +The physical machine (adminhost) must forward traffic from external clients to the Kubernetes cluster running Wire services. This involves: 1. **HTTP/HTTPS Traffic (Ingress)** - Forward ports 80 and 443 to the nginx-ingress-controller running on a Kubernetes node - Port 80 (HTTP) → Kubernetes node port 31772 
@@ -199,19 +195,20 @@ The physical machine must forward traffic from external clients to the Kubernete **Implementation:** -Use the detailed nftables rules in [../ansible/files/wiab_server_nftables.conf.j2](../ansible/files/wiab_server_nftables.conf.j2) as the template. The guide covers: +Use the detailed nftables rules in [../ansible/files/wiab_server_nftables.conf.j2](../ansible/files/wiab_server_nftables.conf.j2) as the template. The nftable configuration template covers: - Defining your network variables (Coturn IP, Kubernetes node IP, WAN interface) - Creating NAT rules for HTTP/HTTPS ingress traffic -- Setting up TURN protocol forwarding for Coturn -- Restarting nftables to apply changes +- Setting up TURN protocol forwarding for Coturn and traffic for SFTD + +*Note: If you have already ran the playbook wiab-staging-provision.yml then it is already be configured for you. Confirm it by checking if the wire endpoint `https://webapp.TARGET_SYSTEM` is reachable from public internet or your private network (in case of private network), but not from the adminhost itself.* -You can also apply these rules using the Ansible playbook, by following: +You can also apply these rules using the Ansible playbook against your adminhost, by following: ```bash ansible-playbook -i inventory.yml ansible/wiab-staging-nftables.yml ``` -*Note: If you ran the playbook wiab-staging-provision.yml then it might already be configured for you. Please confirm before running.* +You can run the above playbook from local system or where you have cloned/downloaded the [Wire server deploy ansible playbooks](#getting-the-ansible-playbooks). The inventory should define the following variables: @@ -227,6 +224,12 @@ calling_node_ip=192.168.122.13 # Host WAN interface name inf_wan=eth0 + +# These are the same as wiab-staging.yml +# user and ssh key for adminhost +ansible_user='demo' +ansible_ssh_private_key_file='~/.ssh/id_ed25519' + ``` ### cert-manager behaviour in NAT / bridge environments 
From 10c696a9197db4366a1a17bd090468d095a37e9a Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Fri, 6 Mar 2026 16:09:44 +0100 Subject: [PATCH 12/13] updated artifact hash post fixing issues shown by linter --- ansible/inventory/demo/wiab-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml index 3ddf4aa6f..cb95c01aa 100644 --- a/ansible/inventory/demo/wiab-staging.yml +++ b/ansible/inventory/demo/wiab-staging.yml @@ -6,4 +6,4 @@ wiab-staging: ansible_user: 'demo' ansible_ssh_private_key_file: "~/.ssh/id_ed25519" vars: - artifact_hash: 78a52d4686b6de91853d715fd08ef42fe8e2fd20 + artifact_hash: 82edf88d9193e9f7e0a62ee4b287fd0c7cebb1bd From 2cb66ab9e69b9d8ccb189db840353fe43c339b5c Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Tue, 10 Mar 2026 14:15:42 +0100 Subject: [PATCH 13/13] fix: helm-operations.sh for sonarcloud exceptions and update wiab-staging based on review --- bin/helm-operations.sh | 5 ++++- offline/wiab-staging.md | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh index 4baca7533..eedc3adc0 100755 --- a/bin/helm-operations.sh +++ b/bin/helm-operations.sh @@ -7,7 +7,7 @@ BASE_DIR="${BASE_DIR:-/wire-server-deploy}" TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}" CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}" -# DEPLOY_CERT_MANAGER env variable to decide to check if cert_manager and nginx-ingress-services charts should get deployed +# DEPLOY_CERT_MANAGER env variable is used to decide if cert_manager and nginx-ingress-services charts should get deployed # default is set to TRUE to deploy it unless changed DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER:-TRUE}" 
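Review bot: The context line `CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"` two lines above the reworded comment looks malformed: the `:-` default sits outside the braces, so the variable expands to a literal such as `certmaster@certmaster@example.dev:-certmaster@example.com` instead of falling back when unset, and that string is what the cert-manager issuer configured by this script presumably receives as the contact address. The docs in this same series invoke the script with a full address (`CERT_MASTER_EMAIL="certmaster@example.dev"`), so the intended line is presumably `CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@${TARGET_SYSTEM}}"`. The commit only touches the comment beneath it, so the defect stays on the new side; it is worth fixing in the same change, since a bad contact address fails quietly rather than at deploy time.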
@@ -24,9 +24,11 @@ HOST_IP=$(wget -qO- https://api.ipify.org) fi function dump_debug_logs { + local exit_code=$? if [[ "$DUMP_LOGS_ON_FAIL" == "TRUE" ]]; then "$BASE_DIR"/bin/debug_logs.sh fi + return $exit_code } trap dump_debug_logs ERR @@ -49,6 +51,7 @@ sync_pg_secrets() { echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync" echo " Make sure databases-ephemeral chart is deployed before wire-server" fi + return $? } # Creates values.yaml from prod-values.example.yaml and secrets.yaml from prod-secrets.example.yaml diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index c16900751..d3a3de4ea 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md 
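Review bot: The added `local exit_code=$?` and `return $exit_code` in dump_debug_logs do not change what happens after a failure: as far as I can tell bash restores `$?` after a trap handler runs and discards the handler's own return status, so the captured code is never observed by the shell or any caller. Whether the script stops or continues after the ERR trap fires depends on `set -e`/`errexit`, which is not visible in this hunk. If the intent is to abort with the failing command's status once the logs are dumped, `exit "$exit_code"` is the line that achieves it; if the intent is only to satisfy the linter, a comment such as `# informational only: bash discards a trap handler's return status` would stop the next reader from assuming it propagates.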
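Review bot: `return $?` added after the `fi` in sync_pg_secrets returns the status of the last command in whichever branch ran — in the visible skip branch that is the trailing `echo` — so the function reports success even when the secret was not found and nothing was synced, which is exactly what the implicit return it replaces already did. If the skip is deliberately best-effort (it reads that way, and a non-zero return here would fire the ERR trap installed in the previous hunk), document it, e.g. `# best-effort: a missing secret is a warning, not a failure`; if callers should be able to tell, an explicit `return 1` inside the skip branch is the honest form. The start of sync_pg_secrets is outside the hunk, so I cannot see whether any caller checks its status.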
@@ -153,7 +153,7 @@ Since the inventory is ready, please continue with the following steps: **TLS / certificate behavior (cert-manager vs. Bring Your Own):** - By default, `bin/helm-operations.sh` has `DEPLOY_CERT_MANAGER=TRUE`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. -- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing env variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`. +- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing the environment variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`. - When choosing `DEPLOY_CERT_MANAGER=FALSE`, ensure your ingress is configured with your own TLS secret(s) as described at [Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates). - When choosing `DEPLOY_CERT_MANAGER=TRUE`, ensure if further network configuration is required by following [cert-manager behaviour in NAT / bridge environments](#cert-manager-behaviour-in-nat--bridge-environments). 
@@ -240,8 +240,8 @@ When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can h In NAT/bridge setups (for example, using `virbr0` on the host): -- If nftables rules DNAT in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts and certificate verification failures. -- Strict `rp_filter` can drop asymmetric return packets. +- If nftables DNAT rules exist in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts and certificate verification failures. +- too strict of `rp_filter` settings can drop asymmetric return packets. Before changing anything, first verify whether certificate issuance is actually failing: