Wpb 23988 disable smallstep

.github/workflows/changelog-verify.yml

@@ -1,9 +1,7 @@
 name: Changelog verification
 on:
   pull_request:
-    branches: [master]
-  push:
-    branches: [master]
+    branches: ["**"]
 
 permissions:
   contents: read

ansible/files/wiab_server_nftables.conf.j2

@@ -67,7 +67,9 @@ table ip nat {
   chain POSTROUTING {
     type nat hook postrouting priority 100;
     oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
+{% if not (private_deployment | default(false) | bool) %}
     oifname $INF_WAN counter masquerade comment "{{ wire_comment }} masquerade outgoing traffic"
+{% endif %}
   }
   chain DOCKER {
     iifname docker0 counter return

ansible/inventory/demo/host.yml

@@ -57,7 +57,6 @@ wiab:
       - databases-ephemeral
       - postgresql
       - reaper
-      - smallstep-accomp
       - wire-server
       - webapp
       - account-pages

ansible/inventory/demo/wiab-staging.yml

@@ -6,4 +6,6 @@ wiab-staging:
       ansible_user: 'demo'
       ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
   vars:
-    artifact_hash: 82edf88d9193e9f7e0a62ee4b287fd0c7cebb1bd
+    artifact_hash: 7da2319729ba792f91d7ccba4e026c21cd3a3691
+    # it will disable internet access to VMs created on the private network
+    private_deployment: true

ansible/wiab-demo/wire_secrets.yml

@@ -418,6 +418,9 @@
               galley:
                 secrets:
                   pgPassword: "{{ pgpassword }}"
+              background-worker:
+                secrets:
+                  pgPassword: "{{ pgpassword }}"
           when: "'postgresql' in charts_to_deploy"
 
         - name: Update secrets in-place

ansible/wiab-staging-provision.yml

@@ -298,9 +298,8 @@
         kubenode2_ip: "{{ kubenode_ip_result.results[1].stdout }}"
         kubenode3_ip: "{{ kubenode_ip_result.results[2].stdout }}"
         wire_comment: "wiab-stag"
-
     tags: always
 
 - name: Configure nftables
   import_playbook: ./wiab-staging-nftables.yaml
-  tags: nftables
+  tags: [never, nftables]

bin/helm-operations.sh

@@ -5,7 +5,7 @@ set -Eeo pipefail
 # Read values from environment variables with defaults
 BASE_DIR="${BASE_DIR:-/wire-server-deploy}"
 TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}"
-CERT_MASTER_EMAIL="certmaster@${CERT_MASTER_EMAIL}:-certmaster@${TARGET_SYSTEM}"
+CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}"
 
 # DEPLOY_CERT_MANAGER env variable is used to decide if cert_manager and nginx-ingress-services charts should get deployed
 # default is set to TRUE to deploy it unless changed
@@ -60,7 +60,7 @@ process_values() {
 
   ENV=$1
   TYPE=$2
-  charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
+  charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
 
   if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then
     echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'"
@@ -214,7 +214,7 @@ sync_pg_secrets
 configure_values
 
 # deploying with external datastores, useful for prod setup
-deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller
+deploy_charts cassandra-external elasticsearch-external minio-external postgresql-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller
 
 # deploying cert-manager only when the env var DEPLOY_CERT_MANAGER is set to TRUE 
 if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then 

bin/offline-secrets.sh

@@ -51,8 +51,6 @@ brig:
     rabbitmq:
       username: guest
       password: guest
-    # These are only necessary if you wish to support sign up via SMS/calls
-    # And require accounts at twilio.com / nexmo.com
 
 cargohold:
   secrets:
@@ -105,6 +103,7 @@ team-settings:
     configJson: "e30K"
 background-worker:
   secrets:
+    pgPassword: verysecurepassword
     rabbitmq:
       username: guest
       password: guest

changelog.d/3-deploy-builds/disable-smallstep

@@ -0,0 +1 @@
+Fixed: stop deploying smallstep in wiab-staging and wiab-dev environments

changelog.d/3-deploy-builds/wiab-dev-5.25-fixes

@@ -0,0 +1,4 @@
+Fixed: sync offline-secrets and prod-secrets.example.yaml and add comments
+Added: enable postgresql secret for background-worker in wiab-dev
+Fixed: sync wire-server helm chart values for wiab-dev from prod values for 5.25
+Fixed: sync wire-server helm chart secrets for wiab-dev from prod values for 5.25

changelog.d/3-deploy-builds/wiab-stag-nftables-snat-fix

@@ -0,0 +1,5 @@
+Added: variable private_deployment with default true to disable SNAT on adminhost
+Fixed: cert_master_email env var parsing in helm-operations.sh 
+Fixed: made running wiab-staging-nftables.yaml playbook explicit
+Added: wiab-staging.md documentation to add details about default SNAT access being denied and how to enable it
+Added: wiab-staging.md network flow diagram