Merge pull request #4820 from wireapp/release_2025-10-21_10_25

[WPB-21261] Release 2025-10-21 - (expected chart version 5.23.0)

Author: fisx

.github/workflows/build.yaml

@@ -32,8 +32,7 @@ jobs:
               CURRENT_BRANCH="${GITHUB_REF#refs/heads/}"
           fi
 
-          sed -i "s|url = https://github.com/wireapp/wire-server.git|url = ${CURRENT_REPO_URL}|g" .gitmodules
-          sed -i "s|branch = clean-wire-server-docs|branch = ${CURRENT_BRANCH}|g" .gitmodules
+          git config -f .gitmodules submodule.wire-server.branch ${CURRENT_BRANCH}
           
           cat .gitmodules
           make build

.gitignore

@@ -105,3 +105,6 @@ logs-integration
 
 # BOM file - https://github.com/wireapp/tom-bombadil
 sbom.json
+
+# HLS config for haskell-tools plugin (Neovim)
+hls.json

CHANGELOG.md

@@ -1,3 +1,137 @@
+# [2025-10-21] (Chart Release 5.23.0)
+
+## Release notes
+
+
+* Team user search role filter has been fixed and results now include each member's team role. Note: existing search index documents will only show roles after a reindex or when users get updated; newly created or updated users populate their role automatically. (#4728)
+
+* Elasticsearch/OpenSearch mapping updated for team user search to support filtering by unverified email addresses. For the new filter `email=verified|unverified` on `GET /teams/{tid}/search` to work as intended, it is necessary to create a new index and re-index the data either by [migrating to a new index](https://docs.wire.com/latest/developer/reference/elastic-search.html?h=#migrate-to-a-new-index) or by [recreating the index](https://docs.wire.com/latest/developer/reference/elastic-search.html?h=#recreate-an-index-requires-downtime).
+
+* Allow storing conversation data in postgres.
+
+  This is currently not the default and is experimental.
+  The migration path from Cassandra is yet to be programmed.
+
+  However, new installations can use this by configuring the wire-server helm
+  chart like this:
+
+  ```yaml
+  galley:
+    config:
+      postgresqlMigration:
+        conversation: postgresql
+  ``` (#4764)
+
+
+## API changes
+
+
+* Stub endpoints for enterprise provisioning (only in V13) (#4743)
+
+* Finalize API Version V12, start new develop version V13. (#4817)
+
+* The blocked domains feature
+  (`optSettings.setCustomerExtensions.domainsBlockedForRegistration`) is now
+  more strict: It is not only forbidden to register users with these domains in
+  their email addresses, but also to change a user's email address to one of
+  these domains.
+
+  This affects the endpoints:
+  - `/register` (as before)
+  - `/activate/send`
+  - `/users/{uid}/email`
+  - `/i/self/email` (internal endpoint)
+  - `/access/self/email`
+  - `/i/teams/{tid}/invitations` (internal endpoint)
+  - `/teams/{tid}/invitations` (#4624)
+
+
+## Features
+
+
+* Allow collaborator to be removed from a team. (#4694)
+
+* Add PodDisruptionBudget for Backoffice (#4751)
+
+* Implement user-groups channels association (`/user-groups/{gid}/channels`). (#4783)
+
+* Implement `channels` and `channelsCount` in `user-groups` endpoints. (#4776)
+
+* Add `entreprise-provisioning`, a CLI to batch provision various entities, currently, creates and associate channels to existing user-groups. (#4790)
+
+* Brig: Add optional `email` query parameter to `GET /teams/{tid}/search` ("browse-team"). (#4774)
+
+* Add feature flag for "simplified user connection requests" QR codes
+  (`simplifiedUserConnectionRequestQRCode`). As it has been implicitly enabled
+  before - there was no way to turn it off - it's enabled by default. (#4763)
+
+* Added user group endpoints to nginz config (#4744)
+
+* New endpoint to update the users of a user group (#4768)
+
+* Include total count in user group list/search responses (#4773)
+
+* Allow updates of SCIM users by SCIM even if E2EID is enabled (#4772)
+
+* Add global `AssetAuditLog` feature flag (#4779)
+
+* cargohold: add asset audit logging (#4782, #4784, #4787)
+
+* Add `searchable` field to users, users who have it set to `false` won't be found by the public endpoint.
+  Add `POST /users/:uid/searchable` endpoint where team admin can change it for user.
+  Add `/teams/:tid/search?searchable=false`, where the query parameter makes it return only non-searchable users. (#4786)
+
+* Add user group ids to team member search result (#4809)
+
+* Add endpoint for a team admin to get a new app cookie (#4769)
+
+* Introduce apps and the corresponding creation endpoint `POST /teams/:tid/apps`. (#4696)
+
+* Add `stealthUsers` feature flag (#4803)
+
+* Remove user from all user groups on deletion (#4781)
+
+* Add `type` field to user profiles. The possible values are "regular" for regular users, "bot" for services and "app" for apps. (#4758)
+
+
+## Bug fixes and other updates
+
+
+* The role filter of the team search is fixed (#4728)
+
+* Changed Swagger data type `Pict` from `{}` which is interpreted as `string` to
+  `{"type":"object"}`. Also, static Swagger specifications of earlier API versions
+  have been adapted. (#4785)
+
+* Added nginz rules for missing endpoints (#4808)
+
+
+## Documentation
+
+
+* add documentation on setting up federated calling (#4796)
+
+* Update multi-ingress deeplink documentation to have a better example (#4807)
+
+
+## Internal changes
+
+
+* Add a preStopHook to gundeck helm chart to avoid spurious 500s on gundeck restarts. (#4730)
+
+* Add `hls.json` to `.gitignore`. It's only useful in specific editor setups. (#4747)
+
+* New make rule and python script for creating `/postgres-schema.sql`. (not hooked into CI yet) (#4760)
+
+* Add postgres dynamic query builder (#4812)
+
+* charts/{redis-ephemeral,reaper}: switch away from non-working bitnami registry (#4792)
+
+* Update kubectl, restund, redis-cluster, and rabbitmq images to use bitnamilegacy registry (#4791)
+
+* Switch reaper and restund kubectl images to bitnamilegacy registry to ensure shell access compatibility (#4801)
+
+
 # [2025-09-02] (Chart Release 5.22.0)
 
 ## Release notes

Makefile

@@ -21,7 +21,9 @@ ingress-nginx-controller nginx-ingress-services reaper restund \
 k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise
 KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
-PSQL_DB               ?= wire-server
+# (run `psql -h localhost -p 5432 -d backendA -U wire-server -w` for the list of options for PSQL_DB)
+PSQL_DB               ?= backendA
+export PSQL_DB
 
 package ?= all
 EXE_SCHEMA := ./dist/$(package)-schema
@@ -100,10 +102,10 @@ endif
 	./hack/bin/cabal-install-artefacts.sh $(package)
 
 # ci here doesn't refer to continuous integration, but to cabal-run-integration.sh
-# Usage: make ci                        - build & run all tests, excluding integration
-#        make ci package=all            - build & run all tests, including integration
-#        make ci package=brig           - build brig & run "brig-integration"
-#        make ci package=integration    - build & run "integration"
+# Usage: make ci-fast                     - build & run all tests, excluding integration
+#        make ci-fast package=all         - build & run all tests, including integration
+#        make ci-fast package=brig        - build brig & run "brig-integration"
+#        make ci-fast package=integration - build & run "integration"
 #
 # You can pass environment variables to all the suites, like so
 # TASTY_PATTERN=".."  make ci package=brig
@@ -128,7 +130,7 @@ ci:
 	@echo -en "\n\n\nplease choose between goals ci-fast and ci-safe.\n\n\n"
 
 # Compile and run services
-# Usage: make crun `OR` make crun package=galley
+# Usage: make cr `OR` make cr package=galley
 .PHONY: cr
 cr: c db-migrate
 	./dist/run-services
@@ -170,6 +172,7 @@ devtest-package:
 sanitize-pr: check-weed treefmt
 	make lint-all-shallow
 	make cassandra-schema
+	make postgres-schema
 	@git diff-files --quiet -- || ( echo "There are unstaged changes, please take a look, consider committing them, and try again."; exit 1 )
 	@git diff-index --quiet --cached HEAD -- || ( echo "There are staged changes, please take a look, consider committing them, and try again."; exit 1 )
 	make list-flaky-tests
@@ -320,20 +323,27 @@ upload-hoogle-image:
 	./hack/bin/upload-image.sh wireServer.hoogleImage
 
 #################################
-## cassandra management
+## cassandra / postgres management
 
 .PHONY: git-add-cassandra-schema
 git-add-cassandra-schema:
 	@echo "deprecated.  use 'make cassandra-schema' instead."
 	@false
 
 .PHONY: cassandra-schema
-cassandra-schema: db-migrate git-add-cassandra-schema-impl
+cassandra-schema: db-migrate cassandra-schema-impl
 
 .PHONY: cassandra-schema-impl
 cassandra-schema-impl:
 	./hack/bin/cassandra_dump_schema > ./cassandra-schema.cql
 
+.PHONY: postgres-reset postgres-schema-impl
+postgres-schema: postgres-reset postgres-schema-impl
+
+.PHONY: postgres-schema-impl
+postgres-schema-impl:
+	./hack/bin/postgres_dump_schema > ./postgres-schema.sql
+
 .PHONY: cqlsh
 cqlsh:
 	$(eval CASSANDRA_CONTAINER := $(shell docker ps | grep '/cassandra:' | perl -ne '/^(\S+)\s/ && print $$1'))
@@ -344,7 +354,7 @@ cqlsh:
 psql:
 	@grep -q wire-server:wire-server ~/.pgpass || \
 	  echo "consider running 'echo localhost:5432:wire-server:wire-server:posty-the-gres > ~/.pgpass ; chmod 600 ~/.pgpass '"
-	psql -h localhost -p 5432 -d $(PSQL_DB) -U wire-server -w || \
+	pg_dump -h localhost -p 5432 $(PSQL_DB) -U wire-server -w --schema-only || \
 	  echo 'if the database is missing, consider running "make postgres-reset", or setting $$PSQL_DB to the correct table space.'
 
 .PHONY: db-reset-package

cabal.project

@@ -60,6 +60,7 @@ packages:
   , tools/stern/
   , tools/mlsstats/
   , tools/test-stats/
+  , tools/entreprise-provisioning/
 
 tests: True
 benchmarks: True

cassandra-schema.cql

@@ -1622,12 +1622,12 @@ CREATE TABLE galley_test.conversation (
     group_id blob,
     message_timer bigint,
     name text,
+    parent_conv uuid,
     protocol int,
     public_group_state blob,
     receipt_mode int,
     team uuid,
-    type int,
-    parent_conv uuid
+    type int
 ) WITH bloom_filter_fp_chance = 0.1
     AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
     AND comment = ''

charts/backoffice/templates/poddisruptionbudget.yaml

@@ -0,0 +1,16 @@
+{{- if gt (int .Values.replicaCount) 1 }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: backoffice
+  labels:
+    app: backoffice
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  maxUnavailable: {{ sub (int .Values.replicaCount) 1 }}
+  selector:
+    matchLabels:
+      app: backoffice
+{{- end }}

charts/cargohold/templates/configmap.yaml

@@ -55,6 +55,7 @@ data:
       {{- if .downloadLinkTTL }}
       downloadLinkTTL: {{ .downloadLinkTTL }}
       {{- end }}
+      assetAuditLogEnabled: {{ .assetAuditLogEnabled }}
       federationDomain: {{ .federationDomain }}
       disabledAPIVersions: {{ toJson .disabledAPIVersions }}
       {{- end }}

charts/cargohold/values.yaml

@@ -30,6 +30,7 @@ config:
   settings:
     maxTotalBytes: 104857632 # limit to 100 MiB + 32 bytes
     downloadLinkTTL: 300 # Seconds
+    assetAuditLogEnabled: false
     # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
     # brig, cannon, cargohold, galley, gundeck, proxy, spar.
     disabledAPIVersions: [ development ]

charts/galley/templates/configmap.yaml

@@ -66,6 +66,8 @@ data:
       endpoint: {{ .journal.endpoint }}
     {{- end }}
 
+    postgresMigration: {{- toYaml .postgresMigration | nindent 6 }}
+
     settings:
       httpPoolSize: {{ .settings.httpPoolSize }}
       intraListing: {{ .settings.intraListing }}
@@ -187,6 +189,10 @@ data:
         allowedGlobalOperations:
           {{- toYaml .settings.featureFlags.allowedGlobalOperations | nindent 10 }}
         {{- end }}
+        {{- if .settings.featureFlags.assetAuditLog }}
+        assetAuditLog:
+          {{- toYaml .settings.featureFlags.assetAuditLog | nindent 10 }}
+        {{- end }}
         {{- if .settings.featureFlags.consumableNotifications }}
         consumableNotifications:
           {{- toYaml .settings.featureFlags.consumableNotifications | nindent 10 }}
@@ -199,5 +205,13 @@ data:
         apps:
           {{- toYaml .settings.featureFlags.apps | nindent 10 }}
         {{- end }}
+        {{- if .settings.featureFlags.simplifiedUserConnectionRequestQRCode }}
+        simplifiedUserConnectionRequestQRCode:
+          {{- toYaml .settings.featureFlags.simplifiedUserConnectionRequestQRCode | nindent 10 }}
+        {{- end }}
+        {{- if .settings.featureFlags.stealthUsers }}
+        stealthUsers:
+          {{- toYaml .settings.featureFlags.stealthUsers | nindent 10 }}
+        {{- end }}
       {{- end }}
   {{- end }}