fix: wpb-22439 disable MLS secret and postgresql secret generation, disable postgresql deployment for 5.14 release

Author: mohitrajain

ansible/helm_external.yml

@@ -49,6 +49,7 @@
 
 - hosts: "postgresql"
   become: false
+  tags: postgresql-external
   tasks:
   - name: Create external IP directory for postgresql
     file:

bin/offline-cluster.sh

@@ -50,11 +50,12 @@ ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/kubernetes.yml --skip-tags boot
 ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/cassandra.yml
 ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/elasticsearch.yml
 ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/minio.yml
-ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/postgresql-deploy.yml
+
+#ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/postgresql-deploy.yml
 
 # Uncomment to deploy external RabbitMQ (temporarily commented out until implemented in CD), PS. remote --skip-tags=rabbitmq-external from the next section
 #ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/roles/rabbitmq-cluster/tasks/configure_dns.yml
 #ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/rabbitmq.yml
 
 # create helm values that tell our helm charts what the IP addresses of cassandra, elasticsearch and minio are:
-ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/helm_external.yml --skip-tags=rabbitmq-external
+ansible-playbook -i $INVENTORY_FILE $ANSIBLE_DIR/helm_external.yml --skip-tags=rabbitmq-external,postgresql-external

bin/offline-deploy.sh

@@ -42,15 +42,15 @@ fi
 $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh
 
 # Sync PostgreSQL password from K8s secret to secrets.yaml
-echo "Syncing PostgreSQL password from Kubernetes secret..."
-sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \
-  wire-postgresql-external-secret \
-  password \
-  values/wire-server/secrets.yaml \
-  .brig.secrets.pgPassword \
-  .galley.secrets.pgPassword \
-  .spar.secrets.pgPassword \
-  .gundeck.secrets.pgPassword
+#echo "Syncing PostgreSQL password from Kubernetes secret..."
+#sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/sync-k8s-secret-to-wire-secrets.sh \
+#  wire-postgresql-external-secret \
+#  password \
+#  values/wire-server/secrets.yaml \
+#  .brig.secrets.pgPassword \
+#  .galley.secrets.pgPassword \
+#  .spar.secrets.pgPassword \
+#  .gundeck.secrets.pgPassword
 
 
 sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/offline-helm.sh

bin/offline-helm.sh

@@ -3,25 +3,25 @@
 set -euo pipefail
 set -x
 
-sync_pg_secrets() {
-  # Sync postgresql secret
-  ./bin/sync-k8s-secret-to-wire-secrets.sh \
-    wire-postgresql-external-secret \
-    password \
-    values/wire-server/secrets.yaml \
-    .brig.secrets.pgPassword \
-    .galley.secrets.pgPassword \
-    .spar.secrets.pgPassword \
-    .gundeck.secrets.pgPassword
-}
+#sync_pg_secrets() {
+#  # Sync postgresql secret
+#  ./bin/sync-k8s-secret-to-wire-secrets.sh \
+#    wire-postgresql-external-secret \
+#    password \
+#    values/wire-server/secrets.yaml \
+#    .brig.secrets.pgPassword \
+#    .galley.secrets.pgPassword \
+#    .spar.secrets.pgPassword \
+#    .gundeck.secrets.pgPassword
+#}
 
 helm upgrade --install --wait cassandra-external ./charts/cassandra-external --values ./values/cassandra-external/values.yaml
-helm upgrade --install --wait postgresql-external ./charts/postgresql-external --values ./values/postgresql-external/values.yaml
+#helm upgrade --install --wait postgresql-external ./charts/postgresql-external --values ./values/postgresql-external/values.yaml
 helm upgrade --install --wait elasticsearch-external ./charts/elasticsearch-external --values ./values/elasticsearch-external/values.yaml
 helm upgrade --install --wait minio-external ./charts/minio-external --values ./values/minio-external/values.yaml
 helm upgrade --install --wait fake-aws ./charts/fake-aws --values ./values/fake-aws/prod-values.example.yaml
 
-sync_pg_secrets
+#sync_pg_secrets
 
 # ensure that the RELAY_NETWORKS value is set to the podCIDR
 SMTP_VALUES_FILE="./values/smtp/prod-values.example.yaml"

bin/offline-secrets.sh

@@ -24,22 +24,21 @@ prometheus_pass="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16)"
 
 # Generate MLS private keys using openssl
 # Keys need 10 spaces indent (5 levels deep: galley > secrets > mlsPrivateKeys > removal > keyname)
-readonly MLS_KEY_INDENT="          "
-generate_mls_key() {
-    openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'
-}
+#readonly MLS_KEY_INDENT="          "
+#generate_mls_key() {
+#    openssl genpkey "$@" 2>/dev/null | awk -v indent="$MLS_KEY_INDENT" '{printf "%s%s\n", indent, $0}'
+#}
 
-mls_ed25519_key="$(generate_mls_key -algorithm ed25519)"
-mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)"
-mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)"
-mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)"
+#mls_ed25519_key="$(generate_mls_key -algorithm ed25519)"
+#mls_ecdsa_p256_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-256)"
+#mls_ecdsa_p384_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-384)"
+#mls_ecdsa_p521_key="$(generate_mls_key -algorithm ec -pkeyopt ec_paramgen_curve:P-521)"
 
 if [[ ! -f $VALUES_DIR/wire-server/secrets.yaml ]]; then
   echo "Writing $VALUES_DIR/wire-server/secrets.yaml"
   cat <<EOF > $VALUES_DIR/wire-server/secrets.yaml
 brig:
   secrets:
-    pgPassword: verysecurepassword
     smtpPassword: dummyPassword
     zAuth:
       publicKeys: "$zauth_public"
@@ -76,19 +75,8 @@ galley:
     rabbitmq:
       username: guest
       password: guest
-    pgPassword: verysecurepassword
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    mlsPrivateKeys:
-      removal:
-        ed25519: |
-$mls_ed25519_key
-        ecdsa_secp256r1_sha256: |
-$mls_ecdsa_p256_key
-        ecdsa_secp384r1_sha384: |
-$mls_ecdsa_p384_key
-        ecdsa_secp521r1_sha512: |
-$mls_ecdsa_p521_key
 gundeck:
   secrets:
     awsKeyId: dummykey