WPB:18722: Remove Postgres and smtp hard coded passwords (#817)

sghosh23 · web-flow · commit ce3506f3a83d · 2025-11-03T13:19:26.000Z
* patch the postgresql password to the k8s cluster

* Update demo setup script and secrets example

* add changelog

* Add label specfic build for the CI

* Remove conditional logics form dependent steps

* hand wire-server chart installation with k8s pg password

* refactor the pg secret name

* update the secret reference

* Utilize sync script to sync k8s postgres secret with wire helm secret
diff --git a/.github/workflows/offline.yml b/.github/workflows/offline.yml
@@ -1,3 +1,18 @@
+# Offline Build Workflow
+#
+# This workflow builds offline deployment artifacts for different profiles:
+#   - default: Production deployment (includes external charts, ansible, terraform)
+#   - demo: Demo/WIAB deployment (includes databases-ephemeral)
+#   - min: Minimal deployment
+#
+# Build Optimization via PR Labels:
+#   - No label: Builds default + demo + min (all profiles)
+#   - 'demo-only': Builds only demo profile
+#   - 'min-only': Builds only min profile
+#   - 'build-all': Explicitly builds all profiles (useful for workflow changes)
+#
+# Push to master/develop: Always builds all profiles regardless of labels
+#
 on:
   push:
     branches: [master, develop]
@@ -14,7 +29,12 @@ jobs:
   # Build default profile and create local assets
   build-default:
     name: Build default profile
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
+    if: |
+      !contains(github.event.head_commit.message, 'skip ci') &&
+      (github.event_name == 'push' ||
+       contains(github.event.pull_request.labels.*.name, 'build-all') ||
+       (!contains(github.event.pull_request.labels.*.name, 'demo-only') &&
+        !contains(github.event.pull_request.labels.*.name, 'min-only')))
     runs-on:
       group: wire-server-deploy
     outputs:
@@ -54,7 +74,6 @@ jobs:
   # Upload to S3 in parallel with deployment
   upload-s3:
     name: Upload default build to S3
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
     needs: build-default
     runs-on:
       group: wire-server-deploy
@@ -81,7 +100,6 @@ jobs:
   # Deploy to Hetzner in parallel with S3 upload
   deploy-hetzner:
     name: Deploy default build to Hetzner
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
     needs: build-default
     runs-on:
       group: wire-server-deploy
@@ -118,7 +136,6 @@ jobs:
   # Build container in parallel
   build-container:
     name: Build container
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
     needs: build-default
     runs-on:
       group: wire-server-deploy
@@ -144,7 +161,12 @@ jobs:
   # Build demo profile
   build-demo:
     name: Build demo profile
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
+    if: |
+      !contains(github.event.head_commit.message, 'skip ci') &&
+      (github.event_name == 'push' ||
+       contains(github.event.pull_request.labels.*.name, 'build-all') ||
+       contains(github.event.pull_request.labels.*.name, 'demo-only') ||
+       !contains(github.event.pull_request.labels.*.name, 'min-only'))
     runs-on:
       group: wire-server-deploy
     steps:
@@ -185,7 +207,12 @@ jobs:
   # Build min profile
   build-min:
     name: Build min profile
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
+    if: |
+      !contains(github.event.head_commit.message, 'skip ci') &&
+      (github.event_name == 'push' ||
+       contains(github.event.pull_request.labels.*.name, 'build-all') ||
+       contains(github.event.pull_request.labels.*.name, 'min-only') ||
+       !contains(github.event.pull_request.labels.*.name, 'demo-only'))
     runs-on:
       group: wire-server-deploy
     steps:
diff --git a/bin/demo-setup.sh b/bin/demo-setup.sh
@@ -96,18 +96,53 @@ for chart in "${phase_1_charts_pre[@]}"; do
     fi
 done
 
+# Retrieve PostgreSQL password from databases-ephemeral for later use
+echo "######################################################"
+echo "Retrieving PostgreSQL password..."
+echo "######################################################"
+if command -v kubectl &> /dev/null; then
+    if kubectl get secret wire-postgresql-secret -n "${NAMESPACE}" &>/dev/null; then
+        PG_PASSWORD_B64=$(kubectl get secret wire-postgresql-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}')
+        if [ -n "$PG_PASSWORD_B64" ]; then
+            echo "✓ PostgreSQL password retrieved successfully"
+            # Decode password for use in helm --set
+            PG_PASSWORD_PLAIN=$(echo "$PG_PASSWORD_B64" | base64 -d)
+            export PG_PASSWORD_B64
+            export PG_PASSWORD_PLAIN
+        else
+            echo "⚠️ Warning: PostgreSQL secret exists but password is empty"
+        fi
+    else
+        echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-secret' not found in namespace '${NAMESPACE}'"
+        echo "    PostgreSQL password will need to be synced manually"
+    fi
+else
+    echo "⚠️ Warning: kubectl not found, PostgreSQL password will need to be synced manually"
+fi
+echo ""
+
 echo "Installing wire-server, this may take a long time, and take a long time before reporting errors. (timeout of $timeout seconds.) You may check for potential problems with 'kubectl -n $NAMESPACE get pods -w' or 'kubectl -n $NAMESPACE get all' and look for errors/pending."
 for chart in "${phase_2_charts_main[@]}"; do
     valuesfile="${DIR}/values/${chart}/${valuesfilename}"
     secretsfile="${DIR}/values/${chart}/${secretsfilename}"
+
+    # Build helm command with PostgreSQL password injection if available
+    HELM_EXTRA_ARGS=""
+    if [ -n "${PG_PASSWORD_PLAIN:-}" ]; then
+        HELM_EXTRA_ARGS="--set brig.secrets.pgPassword=${PG_PASSWORD_PLAIN} --set galley.secrets.pgPassword=${PG_PASSWORD_PLAIN}"
+        echo "Injecting PostgreSQL password into brig and galley secrets"
+    fi
+
     if [ -f "$secretsfile" ]; then
         helm upgrade --install --namespace "${NAMESPACE}" "${NAMESPACE}-${chart}" "${DIR}/charts/${chart}" \
             -f "$valuesfile" \
             -f "$secretsfile" \
+            ${HELM_EXTRA_ARGS} \
             --wait --timeout 900
     else
         helm upgrade --install --namespace "${NAMESPACE}" "${NAMESPACE}-${chart}" "${DIR}/charts/${chart}" \
             -f "$valuesfile" \
+            ${HELM_EXTRA_ARGS} \
             --wait --timeout 900
     fi
 done
diff --git a/bin/wiab-demo/offline_deploy_k8s.sh b/bin/wiab-demo/offline_deploy_k8s.sh
@@ -17,15 +17,17 @@ COTURN_NODE="K8S_COTURN_NODE"
 # keeping it empty to be replaced
 HOST_IP="WIRE_IP"
 
-# it creates the values.yaml from prod-values.example.yaml and secrets.yaml from prod-secrets.example.yaml, it works on the directory $BASE_DIR"/values/ in the bundle
-process_charts() {  
-  
+# Creates values.yaml from demo-values.example.yaml and secrets.yaml from demo-secrets.example.yaml
+# This script is for WIAB/demo deployments only
+# Works on all chart directories in $BASE_DIR/values/
+process_charts() {
+
   ENV=$1
 
-  if [ "$ENV" != "prod" ] && [ "$ENV" != "demo" ]; then
-    echo "ENV is neither prod nor demo"
+  if [ "$ENV" != "demo" ]; then
+    echo "Error: This script only supports demo deployments. ENV must be 'demo', got: '$ENV'"
     exit 1
-  fi 
+  fi
 
   for chart_dir in "$BASE_DIR"/values/*/; do
 
@@ -83,7 +85,7 @@ process_values() {
       "$BASE_DIR/values/ingress-nginx-controller/values.yaml" > "$TEMP_DIR/ingress-nginx-controller-values.yaml"
   if ! grep -q "kubernetes.io/hostname: $NGINX_K8S_NODE" "$TEMP_DIR/ingress-nginx-controller-values.yaml"; then
     echo -e "    nodeSelector:\n      kubernetes.io/hostname: $NGINX_K8S_NODE" >> "$TEMP_DIR/ingress-nginx-controller-values.yaml"
-  fi 
+  fi
 
   # Fixing SFTD hosts and setting the cert-manager to http01
   sed -e "s/webapp.example.com/webapp.$TARGET_SYSTEM/" \
@@ -161,6 +163,22 @@ deploy_charts() {
       helm_command+=" --values $secrets_file"
     fi
 
+    # handle wire-server to inject PostgreSQL password from databases-ephemeral
+    if [[ "$chart" == "wire-server" ]]; then
+
+      echo "Retrieving PostgreSQL password from databases-ephemeral for wire-server deployment..."
+      if kubectl get secret wire-postgresql-secret &>/dev/null; then
+      # Usage: sync-k8s-secret-to-wire-secrets.sh <secret-name> <secret-key> <yaml-file> <yaml-path's>
+         "$BASE_DIR/bin/sync-k8s-secret-to-wire-secrets.sh" \
+          wire-postgresql-secret password \
+          "$BASE_DIR/values/wire-server/secrets.yaml" \
+          .brig.secrets.pgPassword .galley.secrets.pgPassword
+      else
+        echo "⚠️  Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync"
+        echo "    Make sure databases-ephemeral chart is deployed before wire-server"
+      fi
+    fi
+
     echo "Deploying $chart as $helm_command"
     eval "$helm_command"
   done
@@ -192,7 +210,7 @@ deploy_calling_services() {
 
 # if required, this function can be run manually
 run_manually() {
-# process_charts can process demo or prod values
+# process_charts processes demo values for WIAB deployment
 process_charts "demo"
 process_values
 # deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured
diff --git a/changelog.d/3-deploy-builds/wpb-18722-hardcoded-pass b/changelog.d/3-deploy-builds/wpb-18722-hardcoded-pass
@@ -0,0 +1 @@
+Changed: Remove hardcoded PostgreSQL passwords from demo-secrets.example.yaml and automatically inject passwords from databases-ephemeral chart during deployment. Updated demo-setup.sh and bin/wiab-demo/offline_deploy_k8s.sh to retrieve and inject PostgreSQL passwords using --set flags. Add PR label-based build optimization to offline.yml workflow (use 'demo-only' or 'min-only' labels to skip unnecessary builds)
diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml
@@ -24,7 +24,10 @@ brig:
     rabbitmq:
       username: wire-server
       password: verysecurepassword
-    pgPassword: verysecurepassword
+    # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster
+    # To extract the secret from an existing Kubernetes cluster:
+    #   kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
+    pgPassword: dummyPassword # gets replaced by the actual secret
     setTwilio: |-
       sid: "dummy"
       token: "dummy"
@@ -57,7 +60,10 @@ galley:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    pgPassword: verysecurepassword
+    # PostgreSQL password is synced with the wire-postgresql-secret from k8s cluster
+    # To extract the secret from an existing Kubernetes cluster:
+    #   kubectl get secret wire-postgresql-secret -n postgresql -o jsonpath='{.data.password}' | base64 -d
+    pgPassword: dummyPassword # gets replaced by the actual secret
     rabbitmq:
       username: wire-server
       password: verysecurepassword

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Changed: Remove hardcoded PostgreSQL passwords from demo-secrets.example.yaml and automatically inject passwords from databases-ephemeral chart during deployment. Updated demo-setup.sh and bin/wiab-demo/offline_deploy_k8s.sh to retrieve and inject PostgreSQL passwords using --set flags. Add PR label-based build optimization to offline.yml workflow (use 'demo-only' or 'min-only' labels to skip unnecessary builds)`