Merge pull request #867 from wireapp/fix/bump-wire-server-5.25-pg-secrets

Bump wire-server to 5.25.0

Author: sghosh23

bin/helm-operations.sh

@@ -140,14 +140,15 @@ deploy_charts() {
     if [[ "$chart" == "wire-server" ]]; then
 
       echo "Retrieving PostgreSQL password from databases-ephemeral for wire-server deployment..."
-      if kubectl get secret wire-postgresql-secret &>/dev/null; then
+      if kubectl get secret wire-postgresql-external-secret &>/dev/null; then
       # Usage: sync-k8s-secret-to-wire-secrets.sh <secret-name> <secret-key> <yaml-file> <yaml-path's>
          "$BASE_DIR/bin/sync-k8s-secret-to-wire-secrets.sh" \
-          wire-postgresql-secret password \
+          "wire-postgresql-external-secret" \
+          "password" \
           "$BASE_DIR/values/wire-server/secrets.yaml" \
-          .brig.secrets.pgPassword .galley.secrets.pgPassword
+          .brig.secrets.pgPassword .galley.secrets.pgPassword .background-worker.secrets.pgPassword
       else
-        echo "⚠️  Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync"
+        echo "⚠️  Warning: PostgreSQL secret 'wire-postgresql-external-secret' not found, skipping secret sync"
         echo "    Make sure databases-ephemeral chart is deployed before wire-server"
       fi
     fi
@@ -178,6 +179,9 @@ deploy_calling_services() {
 
   kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite
   helm upgrade --install coturn "$BASE_DIR/charts/coturn" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/coturn/values.yaml" --values "$BASE_DIR/values/coturn/secrets.yaml"
+
+  # display running pods post deploying all helm charts in default namespace
+  kubectl get pods --sort-by=.metadata.creationTimestamp
 }
 
 main() {

bin/offline-deploy.sh

@@ -41,15 +41,4 @@ fi
 
 $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh
 
-# Sync PostgreSQL password from K8s secret to secrets.yaml
-echo "Syncing PostgreSQL password from Kubernetes secret..."
-sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \
-  wire-postgresql-external-secret \
-  password \
-  values/wire-server/prod-secrets.example.yaml \
-  .brig.secrets.pgPassword \
-  .galley.secrets.pgPassword \
-  .spar.secrets.pgPassword \
-  .gundeck.secrets.pgPassword
-
 sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/helm-operations.sh

bin/offline-helm-deprecated.sh

@@ -12,7 +12,8 @@ sync_pg_secrets() {
     .brig.secrets.pgPassword \
     .galley.secrets.pgPassword \
     .spar.secrets.pgPassword \
-    .gundeck.secrets.pgPassword
+    .gundeck.secrets.pgPassword \
+    .background-worker.secrets.pgPassword
 }
 
 helm upgrade --install --wait cassandra-external ./charts/cassandra-external --values ./values/cassandra-external/values.yaml

changelog.d/0-release-notes/fix-bump-wire-server-5.25-pg-secrets

@@ -0,0 +1 @@
+Added: bump wire-server to 5.25.0, add background-worker postgresql config and pgPassword secret sync, add explicit postgresMigration.conversation=cassandra for galley and background-worker, and update prod values defaults for federation/MLS and external dependencies

offline/tasks/proc_pull_charts.sh

@@ -94,5 +94,5 @@ pull_charts() {
   #fi
 }
 
-wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/7b0217a27c1b127bf8f1fedbea9ec03a1e277d5a/build.json"
+wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/pinned-offline-multi-20260224-142104/build.json"
 wire_build_chart_release "$wire_build" | pull_charts

values/wire-server/prod-secrets.example.yaml

@@ -99,6 +99,7 @@ nginz:
 # RabbitMQ credentials for background-worker.
 background-worker:
   secrets:
+    pgPassword: verysecurepassword
     rabbitmq:
       username: guest
       password: guest

values/wire-server/prod-values.example.yaml

@@ -28,8 +28,9 @@ brig:
     elasticsearch:
       host: elasticsearch-external
     rabbitmq:
-      host: rabbitmq-external 
-      # For k8s-based RabbitMQ for k8s based rabbitmq. Use 'rabbitmq-external' for production external RabbitMQ VMs
+      # Default: rabbitmq-external (for production external RabbitMQ VMs)
+      # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral
+      host: rabbitmq-external
     postgresql:
       host: postgresql-external-rw # DNS name without protocol
       port: "5432"
@@ -52,11 +53,10 @@ brig:
       teamSettings: https://teams.example.com # change this (or unset if team settings are not used)
       teamCreatorWelcome: https://teams.example.com/login # change this
       teamMemberWelcome: https://wire.example.com/download # change this
-    # TODO: BUG! 5.23 brig charts wont deploy in CI unless federation is enabled!
-    enableFederation: true # Enable to use federation
+    enableFederation: false # Keep false unless federation is explicitly configured
     optSettings:
       setEnableMLS: false # Enable for MLS protocol use
-      setFederationDomain: example.com # change this
+      setFederationDomain: example.com # change this per host deployment
       # Sync the domain with the 'host' variable in the sftd chart
       # Comment the next line (by adding '#' before it) if conference calling is not used
       setSftStaticUrl: "https://sftd.example.com:443"
@@ -92,7 +92,9 @@ brig:
         deletionUrl: https://account.example.com/d/?key=${key}&code=${code}
         invitationUrl: https://account.example.com/i/${code}
     smtp:
-      host: smtp # change this if you want to use your own SMTP server
+      # Default: smtp (for CI/demo environments with demo-smtp chart)
+      # Production: Change to your actual SMTP server hostname
+      host: smtp
       port: 25        # change this
       connType: plain # change this. Possible values: plain|ssl|tls
 #    proxy:
@@ -133,7 +135,9 @@ cannon:
   # For demo mode only, we don't need to keep websocket connections open on chart upgrades
   drainTimeout: 10
   config:
-    rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external
+    rabbitmq:
+      # Default: rabbitmq-external (for production external RabbitMQ VMs)
+      # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral
       host: rabbitmq-external
     cassandra:
       host: cassandra-external
@@ -170,33 +174,39 @@ galley:
   config:
     cassandra:
       host: cassandra-external
-    rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external
+    rabbitmq:
+      # Default: rabbitmq-external (for production external RabbitMQ VMs)
+      # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral
       host: rabbitmq-external
     postgresql:
       host: postgresql-external-rw # DNS name without protocol
       port: "5432"
       user: wire-server
       dbname: wire-server
+    # Explicitly set postgresMigration to cassandra for fresh deployments.
+    # This controls whether galley reads conversations from Cassandra or PostgreSQL.
+    postgresMigration:
+      conversation: cassandra
     enableFederation: false # Enable to use federation
     settings:
       # prefix URI used when inviting users to a conversation by link
       conversationCodeURI: https://account.example.com/conversation-join/ # change this
       federationDomain: example.com # change this
       # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
       featureFlags:
-        mls:
+        mls: # Keep disabled unless MLS is explicitly configured
           defaults:
-            status: enabled
+            status: disabled
             config:
               protocolToggleUsers: []
               defaultProtocol: mls
               allowedCipherSuites: [2]
               defaultCipherSuite: 2
               supportedProtocols: [proteus, mls]
             lockStatus: unlocked
-        mlsMigration:
+        mlsMigration: # Keep disabled unless MLS migration is explicitly configured
           defaults:
-            status: enabled
+            status: disabled
             config:
               startTime: null
               finalizeRegardlessAfter: null
@@ -231,7 +241,11 @@ gundeck:
 #  image:
 #    tag: some-tag (only override if you want a newer/different version than what is in the chart)
   config:
-    rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external
+    redis:
+      host: databases-ephemeral-redis-ephemeral # Updated hostname for redis-ephemeral chart
+    rabbitmq:
+      # Default: rabbitmq-external (for production external RabbitMQ VMs)
+      # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral
       host: rabbitmq-external
     cassandra:
       host: cassandra-external
@@ -337,14 +351,28 @@ background-worker:
   config:
     federationDomain: example.com
     # logLevel: Debug
-    rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external
+    rabbitmq:
+      # Default: rabbitmq-external (for production external RabbitMQ VMs)
+      # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral
       host: rabbitmq-external
     cassandra:
       host: cassandra-external
     cassandraGalley:
       host: cassandra-external
     cassandraBrig:
       host: cassandra-external
+    postgresql:
+      host: postgresql-external-rw # DNS name without protocol
+      port: "5432"
+      user: wire-server
+      dbname: wire-server
+    # IMPORTANT: At Chart 5.25.0, the background-worker Helm chart incorrectly defaults
+    # postgresMigration.conversation to "postgresql" instead of "cassandra".
+    # This MUST be explicitly set to "cassandra" unless you have already migrated
+    # conversations to PostgreSQL. Without this override, User Group to Channel sync
+    # jobs will silently skip member synchronization.
+    postgresMigration:
+      conversation: cassandra
     # Enable for federation
     enableFederation: false
   metrics: