Skip to content

Standardize deployment features #824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Veki301 wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Standardize deployment features #824

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
88dd7f3
add missing feature flags to webapp
Veki301 Nov 14, 2025
ab6707a
fix rabbitmq reference and add a missing one to gundeck
Veki301 Nov 14, 2025
b291fd4
changelog for webapp feature flags [skip ci]
Veki301 Nov 14, 2025
4acf6b3
standardize MLS deployment
Veki301 Nov 25, 2025
cbc23f6
standardize Federation deployment
Veki301 Nov 25, 2025
f8822eb
fix rabbitmq deployment for federation, now deploys rabbitmq-manageme…
Veki301 Nov 25, 2025
28d8f31
fix "bad" default credentials for rabbitmq
Veki301 Nov 25, 2025
4cccc60
add more content to changelog [skip ci]
Veki301 Nov 25, 2025
2e4b060
add missing config for SFT federation [skip ci]
Veki301 Nov 25, 2025
f66a764
fix failing cmd in CD
Veki301 Nov 25, 2025
7d5bd94
better changelog message
Veki301 Nov 25, 2025
3afb179
fix indentation
Veki301 Nov 25, 2025
7a9648c
debug statement for CI
Veki301 Nov 28, 2025
5842f28
remove debug statement, add temporary hack for rabbitmq
Veki301 Dec 1, 2025
28cf960
change rabbitmq defaults for cd
Veki301 Dec 2, 2025
c48afa2
test: trigger workflow with empty commit
sghosh23 Dec 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 7 additions & 10 deletions ansible/roles/rabbitmq-cluster/tasks/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
group: root
mode: 0644
with_items:
- { src: etc/default/rabbitmq-server.j2 , dest: /etc/default/rabbitmq-server }
- { src: etc/default/rabbitmq-server.j2, dest: /etc/default/rabbitmq-server }
- { src: etc/rabbitmq/rabbitmq.config.j2, dest: /etc/rabbitmq/rabbitmq.config }
# - { src: etc/rabbitmq/rabbitmq-env.conf.j2, dest: /etc/rabbitmq/rabbitmq-env.conf }
notify:
Expand All @@ -18,15 +18,12 @@
name: rabbitmq-server
state: restarted

# - name: Enable the plugins is installed
# rabbitmq_plugin:
# names: "{{ item }}"
# prefix: /usr/lib/rabbitmq
# state: enabled
# new_only: yes
# with_items: "{{ rabbitmq_plugins }}"
# notify:
# restart rabbitmq-server
- name: Enable the plugins is installed
command: rabbitmq-plugins enable --offline {{ item }}
with_items: "{{ rabbitmq_plugins }}"
register: plugin_result
changed_when: "'already enabled' not in plugin_result.stdout"
notify: restart rabbitmq-server

- name: restart rabbitmq-server
service:
Expand Down
4 changes: 2 additions & 2 deletions bin/offline-helm.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,8 @@ else
fi
helm upgrade --install --wait smtp ./charts/smtp --values $SMTP_VALUES_FILE

# remove postgresql chart as postgresql is now external
# helm upgrade --install --wait postgresql ./charts/postgresql --values ./values/postgresql/prod-values.example.yaml --values ./values/postgresql/prod-secrets.example.yaml
# HACK: remove after implementing rabbitmq-external deployment
sed -i 's/rabbitmq-external/rabbitmq/g' ./values/wire-server/prod-values.example.yaml
Copy link
Contributor

@sghosh23 sghosh23 Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using sed here we could adjust the rabbitmq host parameter in the prod-values.example.yaml file with comment that the default value is for CI and ephemeral deployment. Though we need to make our CI to deploy rabbitmq-external but that is a task on it's own.

Copy link
Contributor Author

@Veki301 Veki301 Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, dirty hacks begone :D

helm upgrade --install --wait rabbitmq ./charts/rabbitmq --values ./values/rabbitmq/prod-values.example.yaml --values ./values/rabbitmq/prod-secrets.example.yaml
# it will only deploy the redis cluster
helm upgrade --install --wait databases-ephemeral ./charts/databases-ephemeral --values ./values/databases-ephemeral/prod-values.example.yaml
Expand Down
39 changes: 29 additions & 10 deletions bin/offline-secrets.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,12 @@

prometheus_pass="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)"

# Generate MLS private keys using openssl
mls_ed25519_key="$(openssl genpkey -algorithm ed25519 2>/dev/null | awk '{printf " %s\n", $0}')"
mls_ecdsa_p256_key="$(openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 2>/dev/null | awk '{printf " %s\n", $0}')"
mls_ecdsa_p384_key="$(openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 2>/dev/null | awk '{printf " %s\n", $0}')"
mls_ecdsa_p521_key="$(openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 2>/dev/null | awk '{printf " %s\n", $0}')"

Check warning on line 29 in bin/offline-secrets.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Define a constant instead of using the literal '{printf \" %s\n\", $0}' 4 times. 


See more on https://sonarcloud.io/project/issues?id=wireapp_wire-server-deploy&issues=AZq73rQWA9spYGtXYSd6&open=AZq73rQWA9spYGtXYSd6&pullRequest=824
Copy link
Contributor

@sghosh23 sghosh23 Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a recommendation here, by reading the lines its a bit hard to understand key generate function and how its going to be used the secrets.yaml. Here is my proposal.

Lets add the YAML indentation as constant with a comment like:

# YAML formatting configuration
# Keys need 10 spaces indent (5 levels deep: galley > secrets > mlsPrivateKeys > removal > keyname)
readonly MLS_KEY_INDENT="          "

And the add simple function to add indentation for each key we generate here with:

# Generate MLS private keys with proper YAML indentation
generate_mls_key() {
    openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'
}

Finally generate the keys with this functon:

mls_ed25519_key="$(generate_mls_key -algorithm ed25519)"
mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)"
mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)"
mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)"

The benefit of this approach is if the indentation changes we just can change the parameter and Kinda DRY.

Copy link
Contributor Author

@Veki301 Veki301 Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay, agreed, this would be more readable, ill do it 👍


if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]; then
echo "Writing $VALUES_DIR/wire-server/secrets.yaml"
cat <<EOF > $VALUES_DIR/wire-server/secrets.yaml
Expand All @@ -37,8 +43,8 @@
awsKeyId: dummykey
awsSecretKey: dummysecret
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
# These are only necessary if you wish to support sign up via SMS/calls
# And require accounts at twilio.com / nexmo.com
setTwilio: |-
Expand All @@ -52,25 +58,38 @@
awsKeyId: "$minio_cargohold_access_key"
awsSecretKey: "$minio_cargohold_secret_key"
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
cannon:
secrets:
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
galley:
secrets:
rabbitmq:
username: guest
password: guest
pgPassword: verysecurepassword
awsKeyId: dummykey
awsSecretKey: dummysecret
mlsPrivateKeys:
removal:
ed25519: |
$mls_ed25519_key
ecdsa_secp256r1_sha256: |
$mls_ecdsa_p256_key
ecdsa_secp384r1_sha384: |
$mls_ecdsa_p384_key
ecdsa_secp521r1_sha512: |
$mls_ecdsa_p521_key
gundeck:
secrets:
awsKeyId: dummykey
awsSecretKey: dummysecret
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
nginz:
secrets:
zAuth:
Expand All @@ -86,8 +105,8 @@
background-worker:
secrets:
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
EOF

fi
Expand Down
3 changes: 3 additions & 0 deletions changelog.d/5-bug-fixes/standardize-features
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Added: missing webapp feature flags to webapp example values
Added: config for MLS deployment into example files
Added: config for Federation deployment into example files
29 changes: 28 additions & 1 deletion values/coturn/prod-values.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,28 @@
# using upstream values for coturn helm
# using upstream values for coturn helm
replicaCount: 3
# image:
# tag: some-tag # (only override if you want a newer/different version than what is in the chart)
config:
verboseLogging: false
# rateLimit:
# allowlist: # List of IPs to be excluded from rate limiting
# -
coturnTurnExternalIP: "__COTURN_EXT_IP__"
coturnTurnListenIP: "__COTURN_HOST_IP__"
coturnTurnRelayIP: "__COTURN_HOST_IP__"
coturnFederationListeningIP: "__COTURN_HOST_IP__"
# Uncomment to enable federation
# federate:
# enabled: true
# port: 9191
# dtls:
# enabled: true
# tls:
# issuerRef: letsencrypt-http01
# kind: ClusterIssuer
# certificate:
# dnsNames:
# - coturn.example.com
# - coturn-0.example.com
# - coturn-1.example.com
# - coturn-2.example.com
4 changes: 4 additions & 0 deletions values/nginx-ingress-services/prod-secrets.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,10 @@
# as the ingress seems to simply "swallow" errors if any (and serve the Fake default certificate
# which is highly confusing)
secrets:
tlsClientCA: | # for federating backends root CA certificates
-----BEGIN CERTIFICATE-----
.... THEIR CERTIFICATE ....
-----END CERTIFICATE-----
tlsWildcardCert: |
-----BEGIN CERTIFICATE-----
.... OWN CERTIFICATE ......
Expand Down
4 changes: 2 additions & 2 deletions values/rabbitmq/prod-secrets.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
rabbitmq:
auth:
username: wire-server
password: verysecurepassword
username: guest
password: guest
12 changes: 11 additions & 1 deletion values/sftd/prod-values.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,17 @@
replicaCount: 3
# image:
# tag: some-tag # (only override if you want a newer/different version than what is in the chart)
allowOrigin: https://webapp.example.com
host: sftd.example.com
replicaCount: 3
tls:
issuerRef:
name: letsencrypt-http01
kind: ClusterIssuer
# Uncomment to enable SFT to SFT communication for federated calls
# multiSFT:
# enabled: true
# discoveryRequired: false
# turnServerURI: "turn:coturn.public.ip.address:3478?transport=udp"
# secret: "coturn_zrest_secret"
# Turn on secondary IP listener (for internal IP) when using federation
# internalIpListener: false
7 changes: 7 additions & 0 deletions values/webapp/prod-values.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,14 @@ envVars:
FEATURE_ENABLE_DEBUG: "false"
FEATURE_ENABLE_PHONE_LOGIN: "false"
FEATURE_ENABLE_SSO: "false"
FEATURE_ENABLE_IN_CALL_REACTIONS: "true"
FEATURE_ENABLE_IN_CALL_HAND_RAISE: "true"
FEATURE_ENABLE_DETACHED_CALLING_WINDOW: "true"
FEATURE_ENABLE_MESSAGE_FORMAT_BUTTONS: "true"
FEATURE_SHOW_LOADING_INFORMATION: "false"
FEATURE_ENABLE_CHANNELS: "false"
FEATURE_ENABLE_CHANNELS_HISTORY_SHARING: "false"
FEATURE_ENABLE_PUBLIC_CHANNELS: "false"
URL_ACCOUNT_BASE: "https://account.example.com"
#URL_MOBILE_BASE: "https://wire-pwa-staging.zinfra.io" # TODO: is this needed?
URL_PRIVACY_POLICY: "https://www.example.com/terms-conditions"
Expand Down
38 changes: 26 additions & 12 deletions values/wire-server/prod-secrets.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,8 @@ brig:
# These are only necessary if you wish to support sign up via SMS/calls
# And require accounts at twilio.com / nexmo.com
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
setTwilio: |-
sid: "dummy"
token: "dummy"
Expand All @@ -32,8 +32,8 @@ brig:
cannon:
secrets:
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest

cargohold:
secrets:
Expand All @@ -42,8 +42,8 @@ cargohold:
awsKeyId: dummykey # replace with minio_cargohold_access_key
awsSecretKey: dummysecret # replace with minio_cargohold_secret_key
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest

galley:
secrets:
Expand All @@ -53,17 +53,31 @@ galley:
awsKeyId: dummykey
awsSecretKey: dummysecret
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest
mlsPrivateKeys:
removal:
ed25519: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
ecdsa_secp256r1_sha256: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
ecdsa_secp384r1_sha384: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
ecdsa_secp521r1_sha512: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

gundeck:
secrets:
# these only need to be changed if using real AWS services
awsKeyId: dummykey
awsSecretKey: dummysecret
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest

proxy:
secrets:
Expand Down Expand Up @@ -92,8 +106,8 @@ nginz:
background-worker:
secrets:
rabbitmq:
username: wire-server
password: verysecurepassword
username: guest
password: guest

# Uncomment for legalhold. Set values accordingly

Expand Down
47 changes: 45 additions & 2 deletions values/wire-server/prod-values.example.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ brig:
# image:
# tag: some-tag (only override if you want a newer/different version than what is in the chart)
config:
multiSFT:
enabled: false # enable to turn on SFT to SFT communication for federated calls
cassandra:
host: cassandra-external
elasticsearch:
Expand Down Expand Up @@ -51,10 +53,12 @@ brig:
teamMemberWelcome: https://wire.example.com/download # change this
enableFederation: false # Enable to use federation
optSettings:
setEnableMLS: false # Enable for MLS protocol use
setFederationDomain: example.com # change this
# Sync the domain with the 'host' variable in the sftd chart
# Comment the next line (by adding '#' before it) if conference calling is not used
setSftStaticUrl: "https://sftd.example.com:443"
# setSftListAllServers: "enabled" # Uncomment for Federation!
# If set to true, creating new personal users or new teams on your instance from
# outside your backend installation is disabled
setRestrictUserCreation: false
Expand Down Expand Up @@ -127,6 +131,8 @@ cannon:
# For demo mode only, we don't need to keep websocket connections open on chart upgrades
drainTimeout: 10
config:
rabbitmq:
host: rabbitmq-external
cassandra:
host: cassandra-external
metrics:
Expand Down Expand Up @@ -163,7 +169,7 @@ galley:
cassandra:
host: cassandra-external
rabbitmq:
host: rabbitmq # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq`
host: rabbitmq-external # name of the rabbitmq service, either `rabbitmq-external` or `rabbitmq`
postgresql:
host: postgresql-external-rw # DNS name without protocol
port: "5432"
Expand All @@ -176,7 +182,33 @@ galley:
federationDomain: example.com # change this
# see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
featureFlags:
sso: disabled-by-default
mls:
defaults:
status: enabled
config:
protocolToggleUsers: []
defaultProtocol: mls
allowedCipherSuites: [2]
defaultCipherSuite: 2
supportedProtocols: [proteus, mls]
lockStatus: unlocked
mlsMigration:
defaults:
status: enabled
config:
startTime: null
finalizeRegardlessAfter: null
usersThreshold: 100
clientsThreshold: 100
lockStatus: unlocked
sso: enabled-by-default
# channels: # Uncomment to enable channels by default for all newly created teams
# defaults:
# status: enabled
# config:
# allowed_to_create_channels: team-members
# allowed_to_open_channels: team-members
# lockStatus: unlocked
# NOTE: Change this to "disabled-by-default" for legalhold support
# legalhold: disabled-by-default
legalhold: disabled-permanently
Expand All @@ -197,6 +229,8 @@ gundeck:
# image:
# tag: some-tag (only override if you want a newer/different version than what is in the chart)
config:
rabbitmq:
host: rabbitmq-external
cassandra:
host: cassandra-external
aws:
Expand Down Expand Up @@ -286,13 +320,22 @@ legalhold:
enabled: false
# Only needed when federation is enabled
federator:
# config:
# optSettings:
# federationStrategy:
# allowedDomains:
# - example.com
tls:
useSharedFederatorSecret: true
# remoteCAContents: | # Uncomment and place the federating backends root CA certificates in chain (if there are multiple)
metrics:
serviceMonitor:
enabled: false
background-worker:
config:
# logLevel: Debug
rabbitmq:
host: rabbitmq-external
cassandra:
host: cassandra-external
# Enable for federation
Expand Down