Wpb 21356 wiab changes (#826)

* fix: wpb-17321 fix coturn secrets for demo-wiab

* fix: wpb-17321 fix postgresql secrets for demo-wiab

* enable: wpb-17321 kube-prometheus-stack values and enabled monitoring support from wire-server

* enable: wpb-17321 add values for wire-utility in demo-wiab

* enable: wpb-17321 sync serviceMonitor for ingress-nginx-controller for prod to disable monitoring

* enable: wpb-17321 add changelogs

* enable: wpb-17321 refactor and fixes for wiab-demo (#827)

* enable: wpb-17321 refactor and fixes for wiab-demo, added all changes in changelog

* fix: create a new tag for wire_secrets and handle errors from zauth  wpb-17321

* fix wpb-17321: made wire_secrets playbook idempotent

* fix wpb-17321: handle wire-utility deploy issues and update documentation for demo-wiab

* Update changelog.d/3-deploy-builds/demo-wiab-ansible-fixes

Co-authored-by: Sukanta <[email protected]>

* Update changelog.d/3-deploy-builds/demo-wiab-ansible-fixes

Co-authored-by: Sukanta <[email protected]>

* fix wpb-17321: parameterize y-go version in install_pkgs playbook

* fix wpb-17321: change http check to netcat based check in hairpin networking

* fix wpb-17321: refactor offline_deploy_k8s.sh to work with envs and update wire_values accoordingly

* fix wpb-17321: refactor wire_secrets to be idempotent and move all secret management to it

* fix wpb-17321: when conditions in deploy_wiab to better manage common tasks for minikube networking

* fix wpb-17321: cert-manager deploy control with cert_manager_networking tag

* fix wpb-17321: update the documentation for demo-wiab

* fix wpb-17321: added minio secrets in demo-values and removed extra BASE_DIR in wire_values

* fix wpb-17321: move away from yq-go to ansible native yaml updates and added minio creds

* fix wpb-17321: fix basc script suggestions from sonarcloud

* fix wpb-17321: fix wire_secrets for cargohold

* fix wpb-17321: fix wire_secrets for fake-aws-s3

* fix wpb-17321: fix clean_cluster permissions

* fix: wpb-17321 add coturn empty values file, ignore the download task file permissions error

* fix: wpb-17321 fix wire_secrets for non-prepared secrets, fixed flow using tags in deploy_wiab and update the documentation

* Wpb 17321 enable demo cd (#828)

* enable: wpb-17321 add terraform and bash scripts to enable cd-demo

* enable: wpb-17321 added changelog and a note to old wiab-staging scripts

* fix: wpb-17321 remove the debugging statements from cd-demo.sh

---------

Co-authored-by: Sukanta <[email protected]>

* fix: wpb-21356 suggestions highligted by shellcheck.sh linting

* fix: wpb-21356 fix the when condition for wire_values and cert manager task

* Update cd_demo.sh to test cert_manager deployment

---------

Co-authored-by: Sukanta <[email protected]>

Author: mohitrajain

.github/workflows/deploy-wiab.yml

@@ -1,3 +1,5 @@
+# This playbook is not-up-to-date, requires to be updated to match with current developments
+# A new WIAB (wire in a box) dev solution has been created https://docs.wire.com/latest/how-to/install/demo-wiab.html and can be used until this (wiab-staging) gets updated
 name: Deploy on Hetzner WIAB setup
 on:
   workflow_run:

.github/workflows/offline.yml

@@ -157,6 +157,23 @@ jobs:
           AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
           AWS_REGION: "eu-west-1"
 
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.3.7"
+          terraform_wrapper: false
+
+      - name: Deploy offline demo-wiab environment to hetzner
+        run: ./offline/cd_demo.sh
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
+      - name: Clean up hetzner wiab environment; just in case
+        if: always()
+        run: (cd terraform/examples/wiab-demo-hetzner ; terraform init && terraform destroy -auto-approve)
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
       - name: Cleanup demo build assets
         run: rm -rf offline/demo-build/output/
 

ansible/hetzner-single-deploy.yml

@@ -1,3 +1,5 @@
+# This playbook is not-up-to-date, requires to be updated to match with current developments
+# A new WIAB (wire in a box) dev solution has been created https://docs.wire.com/latest/how-to/install/demo-wiab.html and can be used until this (wiab-staging) gets updated
 - hosts: all
   become: true
   vars:

ansible/inventory/demo/host.yml

@@ -1,8 +1,9 @@
+
 wiab:
   hosts:
     deploy_node:
       ansible_host: example.com
-      ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+      ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o TCPKeepAlive=yes'
       ansible_user: 'ubuntu'
       ansible_ssh_private_key_file: "~/.ssh/wiab-demo.pem"
 
@@ -17,7 +18,7 @@ wiab:
     wire_ip: ""
 
     # artifact_hash
-    artifact_hash: "89e4fa122e6ddba9df2f81612de1ee45ec2238b3"
+    artifact_hash: "8e5087a0d9c58a9bd34c6c02f87514abe8b3ce0e"
 
     # docker vars
     docker_ce_version: "5:28.1.1-1~ubuntu.24.04~noble"
@@ -47,14 +48,16 @@ wiab:
     # list of helm charts to deploy
     charts_to_deploy:
       - fake-aws
-      - demo-smtp
+      - smtp
       - rabbitmq
       - databases-ephemeral
+      - postgresql # postgresql chart should be deployed before deploying wire-server
       - reaper
+      - smallstep-accomp
+      - kube-prometheus-stack
       - wire-server
       - webapp
       - account-pages
       - team-settings
-      - smallstep-accomp
       - ingress-nginx-controller
       - nginx-ingress-services

ansible/wiab-demo/clean_cluster.yml

@@ -1,10 +1,9 @@
 - name: Clean the installation
   hosts: deploy_node
-  become: yes
   tasks:
   # stopping the cluster defined in minikube_cluster playbook
   - name: clean minikube
-    become_user: "{{ ansible_user }}"
+    tags: [never, remove_minikube]
     block:
     - name: Check if Minikube is running
       shell: minikube status --profile="{{ minikube_profile }}"
@@ -22,11 +21,11 @@
         minikube delete --profile="{{ minikube_profile }}"
       when: "'Running' in minikube_status.stdout"
 
-    when: "remove_minikube is defined and remove_minikube | bool"
-
   # following packages were installed in install_pkgs playbook
   # these packages can only be removed post stopping the minikube cluster
   - name: remove packages
+    tags: [never, remove_packages]
+    become: yes
     block:
     - name: Remove Minikube
       file:
@@ -75,11 +74,11 @@
       apt:
         update_cache: yes
 
-    when: (uninstall_pkgs | default(false) | bool) and (remove_minikube | default(false) | bool)
-
   # remove the iptables rules defined by iptables_rules playbook
   # it makes sense to remove them when removing the k8s cluster or individually to clean them
   - name: remove iptables rules
+    tags: [never, remove_iptables]
+    become: yes
     vars:
       iptables_rules_comment: "Wire Iptables Rules"
       iptables_save_dir: "/home/{{ ansible_user }}/wire-iptables-rules"
@@ -135,28 +134,30 @@
         - "{{ iptables_save_dir }}/rules_post_wire.v4"
         - "{{ iptables_save_dir }}"
 
-    when: (remove_iptables | default(false) | bool) or (remove_minikube | default(false) | bool)
-
   - name: Remove ssh keys
+    tags: [never, remove_ssh]
+    become_user: "{{ ansible_user }}"
     block:
     - name: Remove SSH key if it exist
       shell: |
-        if [ -f "/home/{{ ansible_user }}/.ssh/id_rsa_wire" ]; then
-          rm "/home/{{ ansible_user }}/.ssh/id_rsa_wire"
+        if [ -f "{{ ansible_user_dir }}/.ssh/id_rsa_wire" ]; then
+          rm "{{ ansible_user_dir }}/.ssh/id_rsa_wire"
         fi
-    when: "remove_ssh is defined and remove_ssh | bool"
-  
+
   - name: remove the downloaded artifacts 
+    tags: [never, remove_artifacts]
     file:
       path: "{{ item }}"
       state: absent
     loop:
-      - "/home/{{ ansible_user }}/wire-server-deploy"
-      - "/home/{{ ansible_user }}/wire-server-deploy-static-demo-{{ artifact_hash }}.tgz"
-      - "/home/{{ ansible_user }}/wire_ip"
-    when: "remove_artifacts is defined and remove_artifacts | bool"
+      - "{{ ansible_user_dir }}/wire-server-deploy"
+      - "{{ ansible_user_dir }}/wire-server-deploy-static-demo-{{ artifact_hash }}.tgz"
+      - "{{ ansible_user_dir }}/wire_ip"
+      - "{{ ansible_user_dir }}/wire_secrets"
 
   - name: clean asset_host artifacts and remove service
+    tags: [never, clean_assethost]
+    become: yes
     block:
     - name: Stop and disable serve-assets systemd service
       systemd:
@@ -178,5 +179,3 @@
       file:
         path: /opt/assets/containers-helm
         state: absent
-
-    when: "clean_assethost is defined and clean_assethost | bool"