wireapp · Veki301 · Jul 10, 2025 · Jul 10, 2025 · Jul 10, 2025 · Nov 3, 2025
@@ -53,6 +53,9 @@ table ip nat {
   }
   chain POSTROUTING {
     type nat hook postrouting priority 100;
+
+    ip saddr 192.168.122.0/24 ip daddr 192.168.122.0/24 oifname virbr0 counter masquerade comment "hairpin NAT for ingress"
+
     oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
     oifname $INF_WAN counter masquerade comment "masquerade outgoing traffic"
   }

@@ -837,6 +837,12 @@ Set your domain name with sed:
 sed -i "s/example.com/YOURDOMAINHERE/" values/nginx-ingress-services/values.yaml
 ```
 
+TODO: newer cert-manager release no longer installs CRDs with `installCRDs=true`, `crds.enabled=true` is the new standard, but that one is also failing during install. Install CRDs manually with:
+
+```
+d kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
+```
+
 Install `cert-manager` into a new namespace `cert-manager-ns`.
 ```
 d kubectl create namespace cert-manager-ns

@@ -6,6 +6,7 @@ elasticsearch-index:
       password: changeme
 brig:
   secrets:
+    pgPassword: verysecurepassword
     smtpPassword: dummyPassword
     zAuth:
       # generate zauth public/private keys with the 'zauth' executable from wire-server:

@@ -3,7 +3,6 @@ brig:
   secrets:
     #retrieve postgresql password from Kubernetes Secret with "kubectl get secret wire-postgresql-external-secret -n default -o jsonpath='{.data.password}' | base64 -d"
     pgPassword: verysecurepassword
-
     smtpPassword: dummyPassword
     zAuth:
       # generate zauth public/private keys with the 'zauth' executable from wire-server: