Wpb 23988 fix internet access wiab stag

ansible/files/wiab_server_nftables.conf.j2

@@ -67,7 +67,9 @@ table ip nat {
   chain POSTROUTING {
     type nat hook postrouting priority 100;
     oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
+{% if not (private_deployment | default(false) | bool) %}
     oifname $INF_WAN counter masquerade comment "{{ wire_comment }} masquerade outgoing traffic"
+{% endif %}
   }
   chain DOCKER {
     iifname docker0 counter return

ansible/inventory/demo/wiab-staging.yml

@@ -6,4 +6,6 @@ wiab-staging:
       ansible_user: 'demo'
       ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
   vars:
-    artifact_hash: 2200257f7a528f3a8157e8878fc7ee1c945594d1
+    artifact_hash: 7da2319729ba792f91d7ccba4e026c21cd3a3691
+    # it will disable internet access to VMs created on the private network
+    private_deployment: true

ansible/wiab-staging-provision.yml

@@ -298,9 +298,8 @@
         kubenode2_ip: "{{ kubenode_ip_result.results[1].stdout }}"
         kubenode3_ip: "{{ kubenode_ip_result.results[2].stdout }}"
         wire_comment: "wiab-stag"
-
     tags: always
 
 - name: Configure nftables
   import_playbook: ./wiab-staging-nftables.yaml
-  tags: nftables
+  tags: [never, nftables]

bin/helm-operations.sh

@@ -5,7 +5,7 @@ set -Eeo pipefail
 # Read values from environment variables with defaults
 BASE_DIR="${BASE_DIR:-/wire-server-deploy}"
 TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}"
-CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"
+CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}"
 
 # DEPLOY_CERT_MANAGER env variable is used to decide if cert_manager and nginx-ingress-services charts should get deployed
 # default is set to TRUE to deploy it unless changed

changelog.d/3-deploy-builds/wiab-stag-nftables-snat-fix

@@ -0,0 +1,5 @@
+Added: variable private_deployment with default true to disable SNAT on adminhost
+Fixed: cert_master_email env var parsing in helm-operations.sh 
+Fixed: made running wiab-staging-nftables.yaml playbook explicit
+Added: wiab-staging.md documentation to add details about default SNAT access being denied and how to enable it
+Added: wiab-staging.md network flow diagram