wireapp · mohitrajain · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
@@ -1,9 +1,7 @@
 name: Changelog verification
 on:
   pull_request:
-    branches: [master]
-  push:
-    branches: [master]
+    branches: ["**"]
 
 permissions:
   contents: read

@@ -6,4 +6,4 @@ wiab-staging:
       ansible_user: 'demo'
       ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
   vars:
-    artifact_hash: 82edf88d9193e9f7e0a62ee4b287fd0c7cebb1bd
+    artifact_hash: 2200257f7a528f3a8157e8878fc7ee1c945594d1
@@ -418,6 +418,9 @@
               galley:
                 secrets:
                   pgPassword: "{{ pgpassword }}"
+              background-worker:
+                secrets:
+                  pgPassword: "{{ pgpassword }}"
           when: "'postgresql' in charts_to_deploy"
 
         - name: Update secrets in-place

@@ -51,8 +51,6 @@ brig:
     rabbitmq:
       username: guest
       password: guest
-    # These are only necessary if you wish to support sign up via SMS/calls
-    # And require accounts at twilio.com / nexmo.com
 
 cargohold:
   secrets:
@@ -105,6 +103,7 @@ team-settings:
     configJson: "e30K"
 background-worker:
   secrets:
+    pgPassword: verysecurepassword
     rabbitmq:
       username: guest
       password: guest

@@ -0,0 +1,4 @@
+Fixed: sync offline-secrets and prod-secrets.example.yaml and add comments
+Added: enable postgresql secret for background-worker in wiab-dev
+Fixed: sync wire-server helm chart values for wiab-dev from prod values for 5.25
+Fixed: sync wire-server helm chart secrets for wiab-dev from prod values for 5.25
@@ -1,66 +1,93 @@
-# CHANGEME-DEMO: All values here should be changed/reviewed
+# CHANGEME-DEV: All values here should be changed/reviewed
+# check the ansible playbook ansible/wiab-demo/wire_secrets.yml on how these secrets are being randomly generated and rotated
+# make sure that any secrets related to external services like AWS, giphy, youtube, spotify etc are being updated before running the random secret generation (ansible/wiab-demo/wire_secrets.yml) at demo-secrets.example.yaml and before deploying the helm charts using the playbook (ansible/wiab-demo/helm_install.yml)
+
+# The secrets for services like elasticsearch, postgresql, rabbitmq and AWS (fake) secretID and key are configured in their helm charts. The values passed to these charts can be modified at wire-server-deploy/service-name/demo-[values|secrets].example.yaml
+# postgresql - https://github.com/wireapp/helm-charts/tree/dev/charts/postgresql
+# elasticsearch - https://github.com/wireapp/wire-server/blob/develop/charts/elasticsearch-ephemeral
+# rabbitMQ - https://github.com/wireapp/wire-server/tree/develop/charts/rabbitmq
+# fake-aws - https://github.com/wireapp/wire-server/tree/develop/charts/fake-aws
+# AWS - this needs to be checked with wire support if needs to use real AWS services
+
 elasticsearch-index:
   secrets:
     elasticsearch:
-      username: elastic
-      password: changeme
+      username: "elastic"
+      password: "changeme"
+
 brig:
   secrets:
+    pgPassword: verysecurepassword
     smtpPassword: dummyPassword
     zAuth:
       # generate zauth public/private keys with the 'zauth' executable from wire-server:
-      # ./dist/zauth -m gen-keypair -i 1
+      # sudo docker run $ZAUTH_CONTAINER -m gen-keypair
       publicKeys: "<public key>"
       privateKeys: "<private key>"
     turn:
       # generate a high-entropy random string, e.g. using
-      # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42
+      # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 64
       secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp
-    # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    # These are only necessary if you wish to support sign up via SMS/calls
-    # And require accounts at twilio.com / nexmo.com
     rabbitmq:
       username: wire-server
       password: verysecurepassword
-    # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster
-    # To extract the secret from an existing Kubernetes cluster:
-    #   kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
-    pgPassword: dummyPassword # gets replaced by the actual secret
     elasticsearch:
       username: "elastic"
       password: "changeme"
     elasticsearchAdditional:
       username: "elastic"
       password: "changeme"
-cannon:
+
+cargohold:
   secrets:
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
     rabbitmq:
       username: wire-server
       password: verysecurepassword
 
-cargohold:
+cannon:
   secrets:
-    # these only need to be changed if using real AWS services
-    awsKeyId: dummykey
-    awsSecretKey: dummysecret
     rabbitmq:
       username: wire-server
       password: verysecurepassword
 
 galley:
   secrets:
-    # these only need to be changed if using real AWS services
-    awsKeyId: dummykey
-    awsSecretKey: dummysecret
-    # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster
-    # To extract the secret from an existing Kubernetes cluster:
-    #   kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
-    pgPassword: dummyPassword # gets replaced by the actual secret
     rabbitmq:
       username: wire-server
       password: verysecurepassword
+    pgPassword: verysecurepassword
+    # these only need to be changed if using real AWS services
+    awsKeyId: dummykey
+    awsSecretKey: dummysecret
+
+    # Generate MLS private keys using openssl
+    # readonly MLS_KEY_INDENT="          "
+    # Keys need 10 spaces indent (5 levels deep: galley.secrets.mlsPrivateKeys.removal.keyname)
+    # generate_mls_key() { openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'}
+    # mls_ed25519_key="$(generate_mls_key -algorithm ed25519)"
+    # mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)"
+    # mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)"
+    # mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)" 
+
+    # this will get initialized from wire_secrets.yml playbook or can be generated using above logic
+    # mlsPrivateKeys:
+    #   removal:
+    #     ed25519: |
+    #       -----BEGIN PRIVATE KEY-----
+    #       -----END PRIVATE KEY-----
+    #     ecdsa_secp256r1_sha256: |
+    #       -----BEGIN PRIVATE KEY-----
+    #       -----END PRIVATE KEY-----
+    #     ecdsa_secp384r1_sha384: |
+    #       -----BEGIN PRIVATE KEY-----
+    #       -----END PRIVATE KEY-----
+    #     ecdsa_secp521r1_sha512: |
+    #       -----BEGIN PRIVATE KEY-----
+    #       -----END PRIVATE KEY-----
 
 gundeck:
   secrets:
@@ -71,19 +98,19 @@ gundeck:
       username: wire-server
       password: verysecurepassword
 
-proxy:
-  secrets:
-    # If you desire proxying/previews for the following services,
-    # set 'tags.proxy: true' in demo-values.yaml,
-    # create accounts with them and fill in these values:
-    proxy_config: |-
-      secrets {
-              youtube    = "..."
-              googlemaps = "..."
-              soundcloud = "..."
-              giphy      = "..."
-              spotify    = "Basic ..."
-      }
+# proxy:
+#   secrets:
+#     # If you desire proxying/previews for the following services,
+#     # set 'tags.proxy: true' in demo-values.yaml,
+#     # create accounts with them and fill in these values:
+#     proxy_config: |-
+#       secrets {
+#               youtube    = "..."
+#               googlemaps = "..."
+#               soundcloud = "..."
+#               giphy      = "..."
+#               spotify    = "Basic ..."
+#       }
 
 nginz:
   secrets:
@@ -93,9 +120,11 @@ nginz:
     # only necessary in test environments (env="staging"). See charts/nginz/README.md
     basicAuth: "<username>:<htpasswd-hashed-password>"
 
+
 # RabbitMQ credentials for background-worker.
 background-worker:
   secrets:
+    pgPassword: verysecurepassword
     rabbitmq:
       username: wire-server
       password: verysecurepassword