From 63e73489c5b432e0a9a4cc639591fdb014fe56e1 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 18 Mar 2026 15:26:08 +0100 Subject: [PATCH 1/6] fix: wpb-23988 update the wiab-staging.md to improve documentation around running commands --- offline/wiab-staging.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index ff698bba0..48f407892 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md @@ -117,7 +117,7 @@ cd wire-server-deploy **Step 2: Configure your Ansible inventory for your physical machine** A sample inventory is available at [ansible/inventory/demo/wiab-staging.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/wiab-staging.yml). -Replace example.com with the address of your physical machine (`adminhost`) where KVM is available. Make sure you set `ansible_user` and `ansible_ssh_private_key_file`. For `ansible_user`, The SSH user must have password-less `sudo` access. The adminhost must be running Ubuntu 22.04. From here on, we will refer the physical machine as `adminhost`. +Replace example.com with your physical machine (`adminhost`) address where KVM is available and adjust other variables like `ansible_user` and `ansible_ssh_private_key_file`. The SSH user for ansible `ansible_user` should have password-less `sudo` access. The adminhost should be running Ubuntu 22.04. From here on, we would refer the physical machine as `adminhost`. The `private_deployment` variable determines whether the VMs created below will have internet access. When set to `true` (default value), no internet access is available to VMs. Check [Internet access for VMs](#internet-access-for-vms) to understand more about it. 
@@ -321,7 +321,7 @@ When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can h > **Note**: Using Let's encrypt with `cert-manager` requires internet access ([to at least `acme-v02.api.letsencrypt.org`](https://letsencrypt.org/docs/acme-protocol-updates/)) to issue TLS certs. If you have chosen to keep the network private i.e. `private_deployment=true` for the VMs when applying nftables rules aka no internet access to VMs, then we need to make a temporary exception for this. > -> To add a nftables masquerading rule for all outgoing traffic from your Wire environment, run the following command on the `adminhost`: +> To add a nftables masquerading rule for all outgoing traffic run the following command on the `adminhost` or make a similar change in your firewall: > > ```bash > # Host WAN interface name @@ -360,6 +360,8 @@ Before changing anything, first verify whether certificate issuance is actually If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge environment, hairpin SNAT and relaxed reverse-path filtering handling may be required. One possible approach is by making following changes to the adminhost: +> **Note:** All `nft` and `sysctl` commands should run on the adminhost. + - Relax reverse-path filtering to loose mode to allow asymmetric flows: ```bash sudo sysctl -w net.ipv4.conf.all.rp_filter=2 From b1e47e5de39056eeeec58520fb1d290184ec2a37 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 18 Mar 2026 18:05:33 +0100 Subject: [PATCH 2/6] fix: wpb-23988 stop deploying smallstep by default in wiab-staging and wiab-dev --- ansible/inventory/demo/host.yml | 1 - bin/helm-operations.sh | 4 ++-- offline/wiab-staging.md | 3 +-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ansible/inventory/demo/host.yml b/ansible/inventory/demo/host.yml index 0caa01901..e1274101a 100644 --- a/ansible/inventory/demo/host.yml +++ b/ansible/inventory/demo/host.yml 
@@ -57,7 +57,6 @@ wiab: - databases-ephemeral - postgresql - reaper - - smallstep-accomp - wire-server - webapp - account-pages diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh index 30b645d80..10c57fed2 100755 --- a/bin/helm-operations.sh +++ b/bin/helm-operations.sh @@ -60,7 +60,7 @@ process_values() { ENV=$1 TYPE=$2 - charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) + charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'" @@ -214,7 +214,7 @@ sync_pg_secrets configure_values # deploying with external datastores, useful for prod setup -deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller +deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller # deploying cert-manager only when the env var DEPLOY_CERT_MANAGER is set to TRUE if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 48f407892..54a7fb6a8 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md 
@@ -194,7 +194,7 @@ d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" **Charts deployed by the script:** - External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. -- Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`, `smallstep-accomp`. +- Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`. - Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`. - Calling services: `sftd`, `coturn`. @@ -424,7 +424,6 @@ For additional background on when hairpin NAT is required and how it relates to - **[Deploying webapp](docs_ubuntu_22.04.md#deploying-webapp)**: Read more about webapp deployment and domain configuration. - **[Deploying team-settings](docs_ubuntu_22.04.md#deploying-team-settings)**: Read more about team settings services. - **[Deploying account-pages](docs_ubuntu_22.04.md#deploying-account-pages)**: Read more about account management services. -- **[Deploying smallstep-accomp](docs_ubuntu_22.04.md#deploying-smallstep-accomp)**: Read more about the ACME companion. - **[Enabling emails for wire](smtp.md)**: Read more about SMTP options for onboarding email delivery and relay setup. - **[Deploy ingress-nginx-controller](docs_ubuntu_22.04.md#deploy-ingress-nginx-controller)**: Read more about ingress configuration and traffic forwarding requirements. - **[Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**: Read more about TLS options (Bring Your Own or cert-manager) and certificate requirements. From e734120a208cc8873f7a24b564d21b574d9a3328 Mon Sep 17 00:00:00 2001 
From: mohitrajain Date: Wed, 18 Mar 2026 18:06:28 +0100 Subject: [PATCH 3/6] fix: wpb-23988 changelog --- changelog.d/3-deploy-builds/disable-smallstep | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/3-deploy-builds/disable-smallstep diff --git a/changelog.d/3-deploy-builds/disable-smallstep b/changelog.d/3-deploy-builds/disable-smallstep new file mode 100644 index 000000000..2f3741837 --- /dev/null +++ b/changelog.d/3-deploy-builds/disable-smallstep @@ -0,0 +1 @@ +Fixed: stop deploying smallstep in wiab-staging and wiab-dev environments From ae665c62a048fd231cbfbdb2132ce828dfc6cd8a Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 25 Mar 2026 12:52:55 +0100 Subject: [PATCH 4/6] fix wpb-23988: replace demo-smtp with smtp --- offline/wiab-staging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 54a7fb6a8..39c77bef0 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md @@ -193,7 +193,7 @@ d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" ``` **Charts deployed by the script:** -- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. +- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `smtp`. - Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`. - Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`. - Calling services: `sftd`, `coturn`. From ddc104ff3fb7e239ca37be41cb5bffd000656cad Mon Sep 17 00:00:00 2001 
From: mohitrajain Date: Wed, 25 Mar 2026 12:56:43 +0100 Subject: [PATCH 5/6] fix wpb-23988: push action on master branch only --- .github/workflows/changelog-verify.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/changelog-verify.yml b/.github/workflows/changelog-verify.yml index 164e6beb8..13ef3fe19 100644 --- a/.github/workflows/changelog-verify.yml +++ b/.github/workflows/changelog-verify.yml @@ -2,6 +2,8 @@ name: Changelog verification on: pull_request: branches: ["**"] + push: + branches: ["master"] permissions: contents: read From 9a95ba5de52226ef1e3a74ab462ecc957000697a Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 30 Mar 2026 20:36:10 +0200 Subject: [PATCH 6/6] fix wpb-23988: update documentation based on wire-docs pr101 --- offline/wiab-staging.md | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 39c77bef0..5b37f53b2 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md @@ -9,7 +9,7 @@ **Architecture Overview:** - Multiple VMs (7) are deployed to simulate production infrastructure with separate roles (Kubernetes, data services, asset storage) - All VMs share the same physical node and storage, creating a single failure domain -- [Calling services](https://docs.wire.com/latest/understand/overview.html#calling) will share the same k8s cluster as Wire services hence, all infrastructure will be DMZ (De-militarized zone). +- [Calling services](https://docs.wire.com/latest/understand/overview.html#calling) are deployed in the same Kubernetes cluster as Wire services. This setup does not implement a separate DMZ, and all components share the same network boundary, reducing the level of isolation compared to a production deployment. - This solution helps developers understand Wire's infrastructure requirements and test deployment processes **Resource Requirements:** 
@@ -17,19 +17,18 @@ - **Memory:** 55 GiB RAM - **Compute:** 29 vCPUs - **Storage:** 850 GB disk space (thin-provisioned) - - 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/jammy/) as per [required resources](#vm-provisioning) - **DNS Records**: - - a way to create DNS records for your domain name (e.g. wire.example.com) + - A method to create DNS records for your domain name (e.g. wire.example.com) - Find a detailed explanation at [How to set up DNS records](https://docs.wire.com/latest/how-to/install/demo-wiab.html#dns-requirements) - **SSL/TLS certificates**: - - a way to create SSL/TLS certificates for your domain name (to allow connecting via https://) + - A method to create SSL/TLS certificates for your domain name (to allow connecting via https://) - To ease out the process of managing certs, we recommend using [Let's Encrypt](https://letsencrypt.org/getting-started/) & [cert-manager](https://cert-manager.io/docs/tutorials/acme/http-validation/) - **Network**: No interference from UFW or other system specific firewalls, and IP forwarding enabled between network cards. An IP address reachable for ssh and which can act as entry point for Wire traffic. - **Wire-server-deploy artifact**: A tar bundle containing all the required bash scripts, deb packages, ansible playbooks, helm charts and docker images to help with the installation. Reach out to [Wire support](https://support.wire.com/) to get access to the latest stable Wire artifact. ## VM Provisioning -We would require 7 VMs as per the following details, you can choose to use your own hypervisor to manage the VMs or use our [Wiab staging ansible playbook](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-staging-provision.yml) against your physical node to setup the VMs. 
+Our deployment will be into 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/jammy/), shown in the below VM Archetecture and Resource Allocation table, You can choose to use your own hypervisor to manage the VMs or use our [Wiab staging ansible playbook](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-staging-provision.yml) against your physical node to setup the VMs. **VM Architecture and Resource Allocation:** @@ -139,12 +138,20 @@ The purpose of secondary ansible inventory is to interact only with the VMs. All ## Next steps -Since the inventory is ready, please continue with the following steps: +Once the inventory is ready, please continue with the following steps: > **Note**: All next steps assume that the wire-server-deploy artifact has been downloaded on the `adminhost` (your physical machine) and extracted at `/home/ansible_user/wire-server-deploy`. All commands from here on will be issued from this directory on the `adminhost`. Make sure you SSH into the node before proceeding. ### Environment Setup +- **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** + - Source the `bin/offline-env.sh` shell script by running following command to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. + ```bash + source bin/offline-env.sh + ``` + - You can always use this alias `d` later to interact with the ansible playbooks, k8s cluster and the helm charts. + - The docker container mounts everything here from the `wire-server-deploy` directory, hence this acts an entry point for all the future interactions with ansible, k8s and helm charts. + - **[Generating secrets](docs_ubuntu_22.04.md#generating-secrets)** - Run `bin/offline-secrets.sh` to generate fresh secrets for Minio and coturn services. It uses the docker container images shipped inside the `wire-server-deploy` directory. ```bash 
@@ -155,14 +162,6 @@ Since the inventory is ready, please continue with the following steps: - `values/wire-server/secrets.yaml` - `values/coturn/prod-secrets.example.yaml` -- **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** - - Source the `bin/offline-env.sh` shell script by running following command to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. - ```bash - source bin/offline-env.sh - ``` - - You can always use this alias `d` later to interact with the ansible playbooks, k8s cluster and the helm charts. - - The docker container mounts everything here from the `wire-server-deploy` directory, hence this acts an entry point for all the future interactions with ansible, k8s and helm charts. - ### Kubernetes & Data Services Deployment - **[Deploying Kubernetes and stateful services](docs_ubuntu_22.04.md#deploying-kubernetes-and-stateful-services)** @@ -193,7 +192,7 @@ d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" ``` **Charts deployed by the script:** -- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `smtp`. +- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `postgresql-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `smtp`. - Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`. - Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`. - Calling services: `sftd`, `coturn`.
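Review bot: in offline/wiab-staging.md @@ -117 (patch 1/6), the replacement sentence weakens and muddles the requirement it replaces: "must have password-less `sudo` access" becomes "should have", and "we would refer the physical machine as `adminhost`" should read "we will refer to the physical machine as `adminhost`". Password-less sudo is a hard prerequisite for the playbook, so keep "must", and keep the explicit "Make sure you set `ansible_user` and `ansible_ssh_private_key_file`" rather than "adjust other variables like", which reads as optional.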
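Review bot: in offline/wiab-staging.md @@ -321 (patch 1/6), the rewritten line presents a masquerading rule for all outgoing traffic as the way to open egress, while the note directly above it states that issuance only needs reachability to `acme-v02.api.letsencrypt.org` and calls this a temporary exception. Suggest the text say that a narrower rule (only the ACME endpoint, or at least only TCP/443) is preferable for a `private_deployment=true` environment, and add the command that removes the rule again once the certificate has been issued, since nothing in this section shows how to undo the exception.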
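Review bot: in offline/wiab-staging.md @@ -360 (patch 1/6), the added note says where the `nft` and `sysctl` commands run but not what they cost or how long they last. `sudo sysctl -w net.ipv4.conf.all.rp_filter=2` does not survive a reboot, and loose mode relaxes source-address validation on every interface of the adminhost, not only the VM bridge. Suggest the note state that the setting is transient unless persisted under `/etc/sysctl.d/`, and that operators scope it to the bridge interface (`net.ipv4.conf.<bridge>.rp_filter=2`, leaving `all` at its default) where possible rather than relaxing `all`.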
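Review bot: in bin/helm-operations.sh @@ -60 (patch 2/6), the chart list is maintained in two places, the `charts=(...)` array in `process_values` and the `deploy_charts ...` invocation in the @@ -214 hunk, and this change has to edit both. The two lists already differ (`rabbitmq` vs `rabbitmq-external`, and `cert-manager` in the array but gated separately by `DEPLOY_CERT_MANAGER` at deploy time), so a future chart removal like this one can easily miss one of them. Suggest deriving both from a single array, or at least adding a comment at each location pointing at the other.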
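Review bot: in changelog.d/3-deploy-builds/disable-smallstep (patch 3/6), the entry says only that smallstep is no longer deployed; together with the `- smallstep-accomp` removal in ansible/inventory/demo/host.yml @@ -57 (patch 2/6), this changes what new deployments install but does nothing to environments that already have the release installed. Suggest the changelog or the wiab-staging docs tell operators whether an existing `smallstep-accomp` release in wiab-staging/wiab-dev should be removed by hand, and whether the `docs_ubuntu_22.04.md#deploying-smallstep-accomp` section (whose link is dropped in @@ -424) still applies for anyone still running it.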
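Review bot: in .github/workflows/changelog-verify.yml @@ -2 (patch 5/6), adding `push: branches: ["master"]` means the job now also runs outside a pull-request context. If any step reads `github.event.pull_request` fields (base ref, PR number) or diffs against the PR base to find the `changelog.d` entry, it will have nothing to compare against on a push event; the hunk does not show the job steps, so please confirm they handle the push case, or guard those steps with `if: github.event_name == 'pull_request'`. `permissions: contents: read` is unchanged, which is the right minimum for both triggers.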
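Review bot: in offline/wiab-staging.md @@ -17 (patch 6/6), the added VM Provisioning sentence has typos and a run-on: "Archetecture" should be "Architecture", "table, You can" should start a new sentence ("table. You can"), and "setup the VMs" should be "set up the VMs". Please fix these in the same hunk, since the removed "7 VMs with Ubuntu 22" bullet is being folded into this sentence and it becomes the only place the VM count and OS are stated together.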
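Review bot: in offline/wiab-staging.md @@ -139 (patch 6/6), moving the tooling section ahead of secret generation is the right order (the `d` alias is needed for the later commands), but the moved text is copied verbatim with its grammar intact: "by running following command" should be "by running the following command", and "hence this acts an entry point" should be "hence this acts as the entry point". Since the lines are being re-added anyway, this is the place to fix them.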