From ffd936351d388c435c391c1bbb46a1f95699f9ef Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:10:59 +0100 Subject: [PATCH 1/9] fix: wpb-23988 sync offline-secrets and prod-secrets.example.yaml and add comments --- bin/offline-secrets.sh | 3 +- values/wire-server/prod-secrets.example.yaml | 29 ++++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh index 76756a1a6..bb8d1f990 100755 --- a/bin/offline-secrets.sh +++ b/bin/offline-secrets.sh @@ -51,8 +51,6 @@ brig: rabbitmq: username: guest password: guest - # These are only necessary if you wish to support sign up via SMS/calls - # And require accounts at twilio.com / nexmo.com cargohold: secrets: @@ -105,6 +103,7 @@ team-settings: configJson: "e30K" background-worker: secrets: + pgPassword: verysecurepassword rabbitmq: username: guest password: guest diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml index c60a0f434..fee8c28d6 100644 --- a/values/wire-server/prod-secrets.example.yaml +++ b/values/wire-server/prod-secrets.example.yaml @@ -1,30 +1,25 @@ # CHANGEME-PROD: All values here should be changed/reviewed +# check the script bin/offline-secrets.sh on how these secrets are being randomly generated. +# check the script bin/helm-operations.sh on how the secrets are being rotated and updated. +# make sure that any secrets related to external services like AWS, giphy, youtube, spotify etc are being updated post running the random secret generation by bin/offline-secrets.sh and before deploying the helm charts using the script bin/helm-operations.sh + brig: secrets: #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d" pgPassword: verysecurepassword - smtpPassword: dummyPassword zAuth: # generate zauth public/private keys with the 'zauth' executable from wire-server: - # ./dist/zauth -m gen-keypair -i 1 + # sudo docker run $ZAUTH_CONTAINER -m gen-keypair publicKeys: "" privateKeys: "" turn: # generate a high-entropy random string, e.g. using - # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42 + # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 64 secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - # These are only necessary if you wish to support sign up via SMS/calls - # And require accounts at twilio.com / nexmo.com - rabbitmq: - username: guest - password: guest - -cannon: - secrets: rabbitmq: username: guest password: guest @@ -39,16 +34,22 @@ cargohold: username: guest password: guest +cannon: + secrets: + rabbitmq: + username: guest + password: guest + galley: secrets: + rabbitmq: + username: guest + password: guest #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d" pgPassword: verysecurepassword # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - rabbitmq: - username: guest - password: guest mlsPrivateKeys: removal: ed25519: | From aa995ae5089ba44b524c90f6b8b8af42ebe975a6 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:12:06 +0100 Subject: [PATCH 2/9] fix: wpb-23988 enable postgresql secret for background-worker inwiab-dev --- ansible/wiab-demo/wire_secrets.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/wiab-demo/wire_secrets.yml b/ansible/wiab-demo/wire_secrets.yml index 8b1ef9681..4afd87b8f 100644 --- a/ansible/wiab-demo/wire_secrets.yml +++ b/ansible/wiab-demo/wire_secrets.yml @@ -418,6 +418,9 @@ galley: secrets: pgPassword: "{{ pgpassword }}" + background-worker: + secrets: + pgPassword: "{{ pgpassword }}" when: "'postgresql' in charts_to_deploy" - name: Update secrets in-place From af08fab9c765ab997a58717cf557cab3b29cca86 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:14:55 +0100 Subject: [PATCH 3/9] fix: wpb-23988 sync wire-server helm chart values for wiab-dev from prod values --- values/wire-server/demo-values.example.yaml | 127 ++++++++++++++++---- 1 file changed, 103 insertions(+), 24 deletions(-) diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index fed128a0a..75d0456f8 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -1,3 +1,4 @@ +# CHANGEME-PROD: All values here should be changed/reviewed tags: proxy: false # enable if you want/need giphy/youtube/etc proxying legalhold: false # Enable if you need legalhold @@ -15,18 +16,21 @@ elasticsearch-index: host: elasticsearch-ephemeral cassandra: host: cassandra-ephemeral - brig: replicaCount: 1 # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + multiSFT: + enabled: false # enable to turn on SFT to SFT communication for federated calls cassandra: host: cassandra-ephemeral elasticsearch: host: elasticsearch-ephemeral rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq postgresql: host: postgresql # DNS name without protocol port: "5432" @@ -34,27 +38,29 @@ brig: dbname: wire-server useSES: false # Set to false if you want to hand out DynamoDB to store prekeys - randomPrekeys: true + randomPrekeys: true aws: # change if using real AWS region: "eu-west-1" sqsEndpoint: http://fake-aws-sqs:4568 - #dynamoDBEndpoint: http://fake-aws-dynamodb:4567 - + # dynamoDBEndpoint: http://fake-aws-dynamodb:4567 + # these must match the table names created on fake or real AWS services internalQueue: integration-brig-events-internal prekeyTable: integration-brig-prekeys externalUrls: nginz: https://nginz-https.example.com # change this - teamSettings: https://teams.example.com # change this (on unset if team settings are not used) + teamSettings: https://teams.example.com # change this (or unset if team settings are not used) teamCreatorWelcome: https://teams.example.com/login # change this teamMemberWelcome: https://wire.example.com/download # change this - enableFederation: false # Enable to use federation + enableFederation: false # Keep false unless federation is explicitly configured optSettings: - setFederationDomain: example.com # change this + setEnableMLS: false # Enable for MLS protocol use + setFederationDomain: example.com # change this per host deployment # Sync the domain with the 'host' variable in the sftd chart # Comment the next line (by adding '#' before it) if conference calling is not used setSftStaticUrl: "https://sftd.example.com:443" + # setSftListAllServers: "enabled" # Uncomment for Federation! # If set to true, creating new personal users or new teams on your instance from # outside your backend installation is disabled setRestrictUserCreation: false @@ -86,7 +92,9 @@ brig: deletionUrl: https://account.example.com/d/?key=${key}&code=${code} invitationUrl: https://account.example.com/i/${code} smtp: - host: smtp # change this if you want to use your own SMTP server + # Default: smtp (for CI/demo environments with demo-smtp chart) + # Production: Change to your actual SMTP server hostname + host: smtp port: 25 # change this connType: plain # change this. Possible values: plain|ssl|tls # proxy: @@ -127,12 +135,15 @@ cannon: # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 config: - cassandra: + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq + cassandra: host: cassandra-ephemeral metrics: serviceMonitor: enabled: true - cargohold: replicaCount: 1 # image: @@ -142,8 +153,9 @@ cargohold: # change if using real AWS region: "eu-west-1" s3Bucket: assets - s3Endpoint: http://fake-aws-s3:9000 + s3Endpoint: http://minio-external:9000 s3DownloadEndpoint: https://assets.example.com + enableFederation: false # Enable to use federation settings: federationDomain: example.com # change this # proxy: @@ -155,7 +167,6 @@ cargohold: metrics: serviceMonitor: enabled: true - galley: replicaCount: 1 # image: @@ -164,12 +175,18 @@ galley: cassandra: host: cassandra-ephemeral rabbitmq: - host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq` + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq postgresql: host: postgresql # DNS name without protocol port: "5432" user: wire-server dbname: wire-server + # Explicitly set postgresMigration to cassandra for fresh deployments. + # This controls whether galley reads conversations from Cassandra or PostgreSQL. + postgresMigration: + conversation: cassandra enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -177,7 +194,33 @@ galley: federationDomain: example.com # change this # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) featureFlags: + mls: # Keep disabled unless MLS is explicitly configured + defaults: + status: disabled + config: + protocolToggleUsers: [] + defaultProtocol: mls + allowedCipherSuites: [2] + defaultCipherSuite: 2 + supportedProtocols: [proteus, mls] + lockStatus: unlocked + mlsMigration: # Keep disabled unless MLS migration is explicitly configured + defaults: + status: disabled + config: + startTime: null + finalizeRegardlessAfter: null + usersThreshold: 100 + clientsThreshold: 100 + lockStatus: unlocked sso: disabled-by-default + # channels: # Uncomment to enable channels by default for all newly created teams + # defaults: + # status: enabled + # config: + # allowed_to_create_channels: team-members + # allowed_to_open_channels: team-members + # lockStatus: unlocked # NOTE: Change this to "disabled-by-default" for legalhold support # legalhold: disabled-by-default legalhold: disabled-permanently @@ -193,12 +236,17 @@ galley: metrics: serviceMonitor: enabled: true - gundeck: replicaCount: 1 # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + redis: + host: databases-ephemeral-redis-ephemeral # Updated hostname for redis-ephemeral chart + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq cassandra: host: cassandra-ephemeral aws: @@ -218,7 +266,6 @@ gundeck: metrics: serviceMonitor: enabled: true - nginz: replicaCount: 1 config: @@ -281,19 +328,51 @@ spar: enabled: true # Only needed when legalhold is enabled -#legalhold: -# host: "legalhold.example.com" -# wireApiHost: "https://nginz-https.example.com" - +legalhold: + host: "legalhold.example.com" + wireApiHost: "https://nginz-https.example.com" + metrics: + serviceMonitor: + enabled: true # Only needed when federation is enabled -#federator: -# tls: -# useSharedFederatorSecret: true - +federator: + # config: + # optSettings: + # federationStrategy: + # allowedDomains: + # - example.com + tls: + useSharedFederatorSecret: true + # remoteCAContents: | # Uncomment and place the federating backends root CA certificates in chain (if there are multiple) + metrics: + serviceMonitor: + enabled: true background-worker: config: + federationDomain: example.com + # logLevel: Debug + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq cassandra: host: cassandra-ephemeral + cassandraGalley: + host: cassandra-ephemeral + cassandraBrig: + host: cassandra-ephemeral + postgresql: + host: postgresql # DNS name without protocol + port: "5432" + user: wire-server + dbname: wire-server + # IMPORTANT: At Chart 5.25.0, the background-worker Helm chart incorrectly defaults + # postgresMigration.conversation to "postgresql" instead of "cassandra". + # This MUST be explicitly set to "cassandra" unless you have already migrated + # conversations to PostgreSQL. Without this override, User Group to Channel sync + # jobs will silently skip member synchronization. + postgresMigration: + conversation: cassandra # Enable for federation enableFederation: false metrics: From 0be0065f1cf24453413d3e6a82f9d90b2650af4d Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:17:59 +0100 Subject: [PATCH 4/9] fix: wpb-23988 sync wire-server helm chart secrets for wiab-dev from prod values for 5.25 --- values/wire-server/demo-secrets.example.yaml | 66 +++++++++++++------- values/wire-server/demo-values.example.yaml | 2 +- 2 files changed, 43 insertions(+), 25 deletions(-) diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml index 7bc5ecad3..f12b1214b 100644 --- a/values/wire-server/demo-secrets.example.yaml +++ b/values/wire-server/demo-secrets.example.yaml @@ -1,66 +1,82 @@ -# CHANGEME-DEMO: All values here should be changed/reviewed +# CHANGEME-DEV: All values here should be changed/reviewed +# check the ansible playbook ansible/wiab-demo/wire_secrets.yml on how these secrets are being randomly generated and rotated +# make sure that any secrets related to external services like AWS, giphy, youtube, spotify etc are being updated before running the random secret generation (ansible/wiab-demo/wire_secrets.yml) at demo-secrets.example.yaml and before deploying the helm charts using the playbook (ansible/wiab-demo/helm_install.yml) + +# The secrets for services like elasticsearch, postgresql, rabbitmq and AWS (fake) secretID and key are configured in their helm charts. The values passed to these charts can be modified at wire-server-deploy/service-name/demo-[values|secrets].example.yaml +# postgresql - https://github.com/wireapp/helm-charts/tree/dev/charts/postgresql +# elasticsearch - https://github.com/wireapp/wire-server/blob/develop/charts/elasticsearch-ephemeral +# rabbitMQ - https://github.com/wireapp/wire-server/tree/develop/charts/rabbitmq +# fake-aws - https://github.com/wireapp/wire-server/tree/develop/charts/fake-aws +# AWS - this needs to be checked with wire support if needs to use real AWS services + elasticsearch-index: secrets: elasticsearch: - username: elastic - password: changeme + username: "elastic" + password: "changeme" + brig: secrets: + pgPassword: verysecurepassword smtpPassword: dummyPassword zAuth: # generate zauth public/private keys with the 'zauth' executable from wire-server: - # ./dist/zauth -m gen-keypair -i 1 + # sudo docker run $ZAUTH_CONTAINER -m gen-keypair publicKeys: "" privateKeys: "" turn: # generate a high-entropy random string, e.g. using - # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42 + # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 64 secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp - # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - # These are only necessary if you wish to support sign up via SMS/calls - # And require accounts at twilio.com / nexmo.com rabbitmq: username: wire-server password: verysecurepassword - # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster - # To extract the secret from an existing Kubernetes cluster: - # kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d - pgPassword: dummyPassword # gets replaced by the actual secret elasticsearch: username: "elastic" password: "changeme" elasticsearchAdditional: username: "elastic" password: "changeme" -cannon: + +cargohold: secrets: + awsKeyId: dummykey + awsSecretKey: dummysecret rabbitmq: username: wire-server password: verysecurepassword -cargohold: +cannon: secrets: - # these only need to be changed if using real AWS services - awsKeyId: dummykey - awsSecretKey: dummysecret rabbitmq: username: wire-server password: verysecurepassword galley: secrets: - # these only need to be changed if using real AWS services - awsKeyId: dummykey - awsSecretKey: dummysecret - # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster - # To extract the secret from an existing Kubernetes cluster: - # kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d - pgPassword: dummyPassword # gets replaced by the actual secret rabbitmq: username: wire-server password: verysecurepassword + pgPassword: verysecurepassword + # these only need to be changed if using real AWS services + awsKeyId: dummykey + awsSecretKey: dummysecret + mlsPrivateKeys: + removal: + ed25519: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp256r1_sha256: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp384r1_sha384: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp521r1_sha512: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- gundeck: secrets: @@ -93,9 +109,11 @@ nginz: # only necessary in test environments (env="staging"). See charts/nginz/README.md basicAuth: ":" + # RabbitMQ credentials for background-worker. background-worker: secrets: + pgPassword: verysecurepassword rabbitmq: username: wire-server password: verysecurepassword diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index 75d0456f8..bda10b12c 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -1,4 +1,4 @@ -# CHANGEME-PROD: All values here should be changed/reviewed +# CHANGEME-DEV: All values here should be changed/reviewed tags: proxy: false # enable if you want/need giphy/youtube/etc proxying legalhold: false # Enable if you need legalhold From 113d8bfe0ba77fc3bce5395255c2a70baf8ab57f Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:23:36 +0100 Subject: [PATCH 5/9] fix: wpb-23988 add a changelog file --- changelog.d/3-deploy-builds/wiab-dev-5.25-fixes | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 changelog.d/3-deploy-builds/wiab-dev-5.25-fixes diff --git a/changelog.d/3-deploy-builds/wiab-dev-5.25-fixes b/changelog.d/3-deploy-builds/wiab-dev-5.25-fixes new file mode 100644 index 000000000..0b7a84bad --- /dev/null +++ b/changelog.d/3-deploy-builds/wiab-dev-5.25-fixes @@ -0,0 +1,4 @@ +Fixed: sync offline-secrets and prod-secrets.example.yaml and add comments +Added: enable postgresql secret for background-worker in wiab-dev +Fixed: sync wire-server helm chart values for wiab-dev from prod values for 5.25 +Fixed: sync wire-server helm chart secrets for wiab-dev from prod values for 5.25 From a0a04d2d8d1bb8b99fb910ffbe72b94c71efae57 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:26:07 +0100 Subject: [PATCH 6/9] fix: wpb-23988 fix the changelog verification workflow to consider the non-master branches as well --- .github/workflows/changelog-verify.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/changelog-verify.yml b/.github/workflows/changelog-verify.yml index 79441a420..37cf5f6ab 100644 --- a/.github/workflows/changelog-verify.yml +++ b/.github/workflows/changelog-verify.yml @@ -1,9 +1,9 @@ name: Changelog verification on: pull_request: - branches: [master] + branches: ["**"] push: - branches: [master] + branches: ["**"] permissions: contents: read From 84615b2ab8c37eae43df76b3523af72542c9eada Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 12 Mar 2026 15:27:19 +0100 Subject: [PATCH 7/9] fix: wpb-23988 remove the changelog trigger for every push operation --- .github/workflows/changelog-verify.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/changelog-verify.yml b/.github/workflows/changelog-verify.yml index 37cf5f6ab..164e6beb8 100644 --- a/.github/workflows/changelog-verify.yml +++ b/.github/workflows/changelog-verify.yml @@ -2,8 +2,6 @@ name: Changelog verification on: pull_request: branches: ["**"] - push: - branches: ["**"] permissions: contents: read From efa297efb2d53f5af2f9686e52b3edb057fb0984 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Fri, 13 Mar 2026 11:41:22 +0100 Subject: [PATCH 8/9] fix: wpb-23988 comment out empty mls secrets for wiab-dev --- values/wire-server/demo-secrets.example.yaml | 65 ++++++++++++-------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml index f12b1214b..0780cc146 100644 --- a/values/wire-server/demo-secrets.example.yaml +++ b/values/wire-server/demo-secrets.example.yaml @@ -63,20 +63,31 @@ galley: # these only need to be changed if using real AWS services awsKeyId: dummykey awsSecretKey: dummysecret - mlsPrivateKeys: - removal: - ed25519: | - -----BEGIN PRIVATE KEY----- - -----END PRIVATE KEY----- - ecdsa_secp256r1_sha256: | - -----BEGIN PRIVATE KEY----- - -----END PRIVATE KEY----- - ecdsa_secp384r1_sha384: | - -----BEGIN PRIVATE KEY----- - -----END PRIVATE KEY----- - ecdsa_secp521r1_sha512: | - -----BEGIN PRIVATE KEY----- - -----END PRIVATE KEY----- + + # Generate MLS private keys using openssl + # readonly MLS_KEY_INDENT=" " + # Keys need 10 spaces indent (5 levels deep: galley.secrets.mlsPrivateKeys.removal.keyname) + # generate_mls_key() { openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'} + # mls_ed25519_key="$(generate_mls_key -algorithm ed25519)" + # mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)" + # mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)" + # mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)" + + # this will get initialized from wire_secrets.yml playbook or can be generated using above logic + # mlsPrivateKeys: + # removal: + # ed25519: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp256r1_sha256: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp384r1_sha384: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp521r1_sha512: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- gundeck: secrets: @@ -87,19 +98,19 @@ gundeck: username: wire-server password: verysecurepassword -proxy: - secrets: - # If you desire proxying/previews for the following services, - # set 'tags.proxy: true' in demo-values.yaml, - # create accounts with them and fill in these values: - proxy_config: |- - secrets { - youtube = "..." - googlemaps = "..." - soundcloud = "..." - giphy = "..." - spotify = "Basic ..." - } +# proxy: +# secrets: +# # If you desire proxying/previews for the following services, +# # set 'tags.proxy: true' in demo-values.yaml, +# # create accounts with them and fill in these values: +# proxy_config: |- +# secrets { +# youtube = "..." +# googlemaps = "..." +# soundcloud = "..." +# giphy = "..." +# spotify = "Basic ..." +# } nginz: secrets: From 5ffd32155a93308e61f263955a1197cb6be9c210 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Fri, 13 Mar 2026 11:43:40 +0100 Subject: [PATCH 9/9] fix: wpb-23988 update wiab-stag artifact hash --- ansible/inventory/demo/wiab-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml index cb95c01aa..fb3ee33fd 100644 --- a/ansible/inventory/demo/wiab-staging.yml +++ b/ansible/inventory/demo/wiab-staging.yml @@ -6,4 +6,4 @@ wiab-staging: ansible_user: 'demo' ansible_ssh_private_key_file: "~/.ssh/id_ed25519" vars: - artifact_hash: 82edf88d9193e9f7e0a62ee4b287fd0c7cebb1bd + artifact_hash: 2200257f7a528f3a8157e8878fc7ee1c945594d1