Merge pull request #4688 from wireapp/release_2025-07-28_13_19

Release 2025-07-28 - (expected chart version 5.19.0)

Author: akshaymankar

CHANGELOG.md

@@ -1,3 +1,58 @@
+# [2025-07-28] (Chart Release 5.19.0)
+
+## Release notes
+
+
+* Galley now requires a connection to PostgreSQL. This can be configured similar to brig using configs `galley.config.postgresql` and `galley.secrets.pgPassword`. Galley must use the same PostgreSQL instance as brig. (#4677)
+
+
+## API changes
+
+
+* Create new API version V11 and finalize V10 (#4510, #4684)
+
+
+## Features
+
+
+* New immutable feature config `allowedGlobalOperations` with MLS conversation reset option (#4671)
+
+* Add endpoints to add team collaborators ("bots") and query all for a team. (#4659)
+
+* Add option to check group info consistency on every MLS commit (#4670)
+
+* Allow team collaborators to create team conversations. (#4677)
+
+
+## Bug fixes and other updates
+
+
+* Prevent typing indicator notification being send to own clients (#4658)
+
+* background-worker: Set metric gauge `wire_background_worker_running_workers` to 1 when a worker is running instead of 0. (#4662)
+
+
+## Internal changes
+
+
+* The chart for `nginx-ingress-controller` has been removed (#4675)
+
+* Do not log KilledByHttp2ThreadManager error thrown by http2 client (#4672)
+
+* A rate limit error from an internal call to `i/users/:uid/reauthenticate` will now be propagated to the external caller (#4673)
+
+* Dedicated error label for MLS leaf node signature validation failure (#4665)
+
+* Include the new group ID in the MLS conversation reset event (#4669)
+
+* Log AMQP consumer cancellations in backend notification pusher. (#4634)
+
+* Decrease `backendNotificationPusher.remotesRefreshInterval` for local
+  integration tests to give it a better chance to run between test executions. (#4634)
+
+* Make `make devtest` make rule work for other packages. (#4667)
+
+
 # [2025-07-11] (Chart Release 5.18.0)
 
 ## Release notes

Makefile

@@ -7,7 +7,7 @@ DOCKER_TAG            ?= $(USER)
 # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
 HELM_SEMVER           ?= 0.0.42
 # The list of helm charts needed on internal kubernetes testing environments
-CHARTS_INTEGRATION    := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-controller nginx-ingress-services fluent-bit kibana restund k8ssandra-test-cluster wire-server-enterprise
+CHARTS_INTEGRATION    := wire-server databases-ephemeral redis-cluster rabbitmq fake-aws ingress-nginx-controller nginx-ingress-services fluent-bit kibana restund k8ssandra-test-cluster wire-server-enterprise
 # The list of helm charts to publish on S3
 # FUTUREWORK: after we "inline local subcharts",
 # (e.g. move charts/brig to charts/wire-server/brig)
@@ -17,7 +17,7 @@ CHARTS_RELEASE := wire-server redis-ephemeral redis-cluster rabbitmq rabbitmq-ex
 fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice		\
 calling-test demo-smtp elasticsearch-curator elasticsearch-external				\
 elasticsearch-ephemeral minio-external cassandra-external						\
-nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper restund \
+ingress-nginx-controller nginx-ingress-services reaper restund \
 k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise
 KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
@@ -64,6 +64,7 @@ full-clean: clean
 	make rabbit-clean
 	rm -rf ~/.cache/hie-bios
 	rm -rf ./dist-newstyle ./.env
+	find . -name '*.hie' -type d -exec rm -rf {} \;
 	direnv reload
 	@echo -e "\n\n*** NOTE: you may want to also 'rm -rf ~/.cabal/store \$$CABAL_DIR/store', not sure.\n"
 
@@ -137,27 +138,37 @@ crm: c db-migrate
 # Run integration from new test suite
 # Usage: make devtest
 # Usage: TEST_INCLUDE=test1,test2 make devtest
-.PHONY: devtest
-devtest:
-	ghcid --command 'cabal repl lib:integration' --test='Testlib.Run.mainI []'
-
-# Run unit tests for a package in a loop, re-loading and -running on
-# file change in the unit tests.
+#
+# Now also supports running unit tests for a package in a loop,
+# re-loading and -running on file change in the unit tests *and* the
+# library.  Just say `make devtest package=wire-subsystems`.  If this
+# doesn't work for some package, compare the cabal file with
+# wire-subsystems.cabal (eg., name of test suite needs to follow a
+# pattern).
 #
 # There some alternatives, but they are all either too slow or do not
 # watch / compile enough modules, or both.  Here is one just running
 # make c on a package in a loop for all package changes:
 #
 # find . -name '*.hs' | entr -s 'make -C ~/src/wire-server c package=wire-subsystems test=1'
+.PHONY: devtest
+devtest:
+ifeq ("$(package)", "all")
+	ghcid --command 'cabal repl lib:integration' --test='Testlib.Run.mainI []'
+else
+	@ghcid --command 'cabal repl $(package):${package}-tests lib:$(package)' --test='Main.main' \
+	  || echo -e "\n\n\n*** usage: make devtest-package package=<package>.\n*** this works for wire-subsystems; for other packages, you may need to edit the cabal file.\n\n"
+endif
+
 .PHONY: devtest-package
 devtest-package:
-	@ghcid --command 'cabal repl $(package):tests lib:$(package)' --test='main' \
-	  || echo -e "\n\n\n*** usage: make devtest-package package=<package>.\n*** this works for wire-subsystems; for other packages, you may need to edit the cabal file.\n\n"
+	@echo "deprecated: use 'make devtest package=<package>' instead."
+	@false
 
 .PHONY: sanitize-pr
 sanitize-pr: check-weed treefmt
 	make lint-all-shallow
-	make git-add-cassandra-schema
+	make cassandra-schema
 	@git diff-files --quiet -- || ( echo "There are unstaged changes, please take a look, consider committing them, and try again."; exit 1 )
 	@git diff-index --quiet --cached HEAD -- || ( echo "There are staged changes, please take a look, consider committing them, and try again."; exit 1 )
 	make list-flaky-tests
@@ -311,12 +322,16 @@ upload-hoogle-image:
 ## cassandra management
 
 .PHONY: git-add-cassandra-schema
-git-add-cassandra-schema: db-migrate git-add-cassandra-schema-impl
+git-add-cassandra-schema:
+	@echo "deprecated.  use 'make cassandra-schema' instead."
+	@false
 
-.PHONY: git-add-cassandra-schema-impl
-git-add-cassandra-schema-impl:
+.PHONY: cassandra-schema
+cassandra-schema: db-migrate git-add-cassandra-schema-impl
+
+.PHONY: cassandra-schema-impl
+cassandra-schema-impl:
 	./hack/bin/cassandra_dump_schema > ./cassandra-schema.cql
-	git add ./cassandra-schema.cql
 
 .PHONY: cqlsh
 cqlsh:
@@ -463,14 +478,15 @@ kube-integration-teardown:
 kube-integration-e2e-telepresence:
 	./services/brig/federation-tests.sh $(NAMESPACE)
 
+.PHONY: helm-oci-login
+helm-oci-login:
+	./hack/bin/helm-oci-login.sh
+
 .PHONY: kube-restart-%
 kube-restart-%:
 	kubectl delete pod -n $(NAMESPACE) -l app=$(*)
 	kubectl delete pod -n $(NAMESPACE)-fed2 -l app=$(*)
 
-helm-oci-login:
-	./hack/bin/helm-oci-login.sh
-
 .PHONY: latest-tag
 latest-tag:
 	./hack/bin/find-latest-docker-tag.sh

cassandra-schema.cql

@@ -1,4 +1,4 @@
--- automatically generated with `make git-add-cassandra-schema`
+-- automatically generated with `make cassandra-schema`
 
 CREATE KEYSPACE brig_test WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'}  AND durable_writes = true;
 

charts/galley/templates/configmap.yaml

@@ -25,6 +25,11 @@ data:
       tlsCa: /etc/wire/galley/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }}
       {{- end }}
 
+    postgresql: {{ toYaml .postgresql | nindent 6 }}
+    {{- if hasKey $.Values.secrets "pgPassword" }}
+    postgresqlPassword: /etc/wire/galley/secrets/pgPassword
+    {{- end }}
+
     brig:
       host: brig
       port: 8080
@@ -101,6 +106,9 @@ data:
       {{- end }}
       passwordHashingOptions: {{ toYaml .settings.passwordHashingOptions | nindent 8 }}
       passwordHashingRateLimit: {{ toYaml .settings.passwordHashingRateLimit | nindent 8 }}
+      {{- if .settings.checkGroupInfo }}
+      checkGroupInfo: {{ .settings.checkGroupInfo }}
+      {{- end }}
       featureFlags:
         sso: {{ .settings.featureFlags.sso }}
         legalhold: {{ .settings.featureFlags.legalhold }}
@@ -175,5 +183,9 @@ data:
         cells:
           {{- toYaml .settings.featureFlags.cells | nindent 10 }}
         {{- end }}
+        {{- if .settings.featureFlags.allowedGlobalOperations }}
+        allowedGlobalOperations:
+          {{- toYaml .settings.featureFlags.allowedGlobalOperations | nindent 10 }}
+        {{- end }}
       {{- end }}
   {{- end }}

charts/galley/templates/deployment.yaml

@@ -53,6 +53,9 @@ spec:
           secret:
             secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }}
         {{- end }}
+        {{- if .Values.additionalVolumes }}
+        {{ toYaml .Values.additionalVolumes | nindent 8 }}
+        {{- end }}
       containers:
         - name: galley
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -74,6 +77,9 @@ spec:
           - name: "rabbitmq-ca"
             mountPath: "/etc/wire/galley/rabbitmq-ca/"
           {{- end }}
+          {{- if .Values.additionalVolumeMounts }}
+          {{ toYaml .Values.additionalVolumeMounts | nindent 10 }}
+          {{- end }}
           env:
           {{- if hasKey .Values.secrets "awsKeyId" }}
           - name: AWS_ACCESS_KEY_ID

charts/galley/templates/secret.yaml

@@ -20,3 +20,7 @@ data:
   rabbitmqUsername: {{ .Values.secrets.rabbitmq.username | b64enc | quote }}
   rabbitmqPassword: {{ .Values.secrets.rabbitmq.password | b64enc | quote }}
   {{- end }}
+
+  {{- if .Values.secrets.pgPassword }}
+  pgPassword: {{ .Values.secrets.pgPassword | b64enc | quote }}
+  {{- end }}

charts/galley/values.yaml

@@ -33,6 +33,25 @@ config:
   #   tlsCaSecretRef:
   #     name: <secret-name>
   #     key: <ca-attribute>
+
+  # Postgres connection settings
+  #
+  # Values are described in https://www.postgresql.org/docs/17/libpq-connect.html#LIBPQ-PARAMKEYWORDS
+  # To set the password via a brig secret see `secrets.pgPassword`.
+  #
+  # `additionalVolumeMounts` and `additionalVolumes` can be used to mount
+  # additional files (e.g. certificates) into the galley container. This way
+  # does not work for password files (parameter `passfile`), because
+  # libpq-connect requires access rights (mask 0600) for them that we cannot
+  # provide for random uids.
+  #
+  # Below is an example configuration we're using for our CI tests.
+  postgresql:
+    host: postgresql # DNS name without protocol
+    port: "5432"
+    user: wire-server
+    dbname: wire-server
+
   enableFederation: false # keep in sync with background-worker, brig and cargohold charts' config.enableFederation as well as wire-server chart's tags.federation
   # Not used if enableFederation is false
   rabbitmq:
@@ -91,6 +110,8 @@ config:
       ipAddressExceptions: []
       maxRateLimitedKeys: 100000 # Estimated memory usage: 4 MB
 
+    checkGroupInfo: false
+
     # To disable proteus for new federated conversations:
     # federationProtocols: ["mls"]
 
@@ -185,6 +206,10 @@ config:
             allowed_to_create_channels: team-members
             allowed_to_open_channels: team-members
           lockStatus: locked
+      allowedGlobalOperations:
+        status: enabled
+        config:
+          mlsConversationReset: false
 
   aws:
     region: "eu-west-1"